Archived - Audit of Access to Information - Systems and Processes
Archived information is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Internal Audit and Evaluation
Department of Finance Canada
Approved by the Deputy Minister of Finance Canada on the recommendation of the
Audit and Evaluation Committee on May 26, 2015
Table of Contents
The Access to Information (ATI) Act gives Canadian citizens, permanent residents, or any person or corporation in Canada a right to access information that is contained in government records. ATI requests are expected to be processed within 30 calendar days, although time extensions are allowed should the Department need to consult outside stakeholders. Extensions are also allowed if the volume of records involved would interfere unreasonably with the Department’s operations.
Departments are expected to have systems and processes in place to manage ATI requests so that information is released in line with the established timeframes, while ensuring that the proper exemptions and exclusions under the ATI Act are applied.
The audit objective was to provide reasonable assurance on the effectiveness of departmental processes and reliability of the information systems and related activities used to process access to information requests.
The audit concluded that the Department has effective and reliable information systems and activities for processing access to information requests. While the audit noted recent improvements in the review process, further opportunities exist to reduce the time required to retrieve requested information, and to streamline the process to review release packages.
The Audit of Access to Information - Systems and Processes is part of the Department’s 2014-17 Internal Audit Plan, which was approved by the Deputy Minister at the departmental Audit and Evaluation Committee meeting on May 26, 2014.
The Access to Information (ATI) Act came into force on July 1, 1983. It gives Canadian citizens, permanent residents, or any person or corporation in Canada a right to access information that is contained in government records. ATI requests are expected to be processed within 30 calendar days, however time extensions are allowed should the Department need to consult outside stakeholders. Extensions are also allowed if the volume of records involved would interfere unreasonably with the Department’s operations.
In government institutions, deputy heads are responsible for the effective management of the ATI Act and may decide to delegate these responsibilities to one or more officials of the institution. In the Department, the following officials have been delegated the authority to release information requested under the ATI Act:
- The Associate Deputy Ministers;
- Assistant Deputy Ministers for three branches (Communications and Consultations (C&C), Corporate Services (CSB) and Law);
- The General Counsel and Executive Director (Law Branch); and
- Director, Access to Information and Privacy (ATIP) Division.
The ATIP Division within Law Branch administers the ATI Act for the Department. The Division is a key player in the timely processing of requests under the legislation, conducting interdepartmental consultations, handling complaints lodged with the Information Commissioner, and responding to informal inquiries. The Division staff also provides advice and guidance to departmental officials on matters related to the Act. All departmental employees are required under the Act to make every reasonable effort to assist requesters, regardless of their identity, and to respond accurately and completely and provide timely access in the format requested.
The current process starts when the ATIP Division receives the request and clarifies the details with the requestor if needed. ATIP Division notifies the appropriate departmental branches who retrieve the relevant records and identify sensitive information. ATIP Division reviews the records and the branch recommendations for exemption or exclusion, and consultations are undertaken with outside parties if necessary. Once completed a proposed release package is sent for review first by C&C Branch followed by Law Branch. Certain complex release packages may be subject to additional approval steps. The reviews help ensure that information is disclosed in accordance with the legislation.
During the 30 month period ending December 31, 2014, the Department processed 1302 ATI requests. Additional ATI information is available in the Department’s Annual Report to Parliament on the administration of the ATI Act for 2013-14 and 2012-13.
Audit Objective and Scope
The audit objective was to provide reasonable assurance on the effectiveness and reliability of the information systems and related activities used to process ATI requests.
The audit scope originally included completed ATI requests as well as ATI systems and processes in the Department between July 1, 2012 and June 30, 2014.
The audit found improvements in processing performance towards the end of the original scope; additional data analysis was performed on completed ATI requests between July 1, 2014 and December 31, 2014 to observe whether these trends continued.
The scope did not include:
- Roles and activities of external stakeholders, such as the Office of the Information Commissioner and the Privy Council Office, on access to information requests.
- Requests received under the Privacy Act, since the Department receives very few privacy requests.
Statement of Conformance and Audit Approach
Statement of Conformance
The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, as supported by the results of the Quality Assurance and Improvement Program.
The audit was planned and performed so as to obtain reasonable assurance that the audit objective was achieved. During the audit, appropriate procedures were followed and sufficient evidence was obtained to support the accuracy of findings and the overall audit opinion presented in this report. The findings are based on a comparison of the conditions, as they existed at the time of the audit, with the audit criteria identified in this report, which were accepted by management. The opinion applies only to the entity examined.
Audit procedures included, but were not limited to, interviews, review of supporting documentation, walkthroughs, detailed examination of a judgmentally selected sample of 30 complex ATI files and a random sample of 188 pages from ATI release packages. This audit performed data analytics using ATI processing activity and operational data from the Department’s AccessPro system using the software Audit Command Language (ACL).
About thirty individuals (listed in Appendix A) were interviewed for this audit. These individuals were consulted on one or more criteria, and with different levels of depth, depending on their role in the ATI process. The audit team also conducted a review and analysis of applicable authorities and policies, as well as financial and non-financial documents from various relevant sources. A list of key information reviewed is provided in Appendix B. For the purpose of comparing and identifying best practices, the audit team collected information from several other government departments.
The audit approach allowed for the audit findings to be communicated so as to enable management to review and provide feedback on the findings and conclusions before they were finalized.
The audit concluded that the Department has effective and reliable information systems and activities for processing access to information requests.
While the audit noted recent improvements in the review process, further opportunities exist to reduce the time required to retrieve requested information, and to streamline the process to review release packages.
Findings by Audit Criteria
This section summarizes the audit observations based on the factual evidence gathered and analyzed during the audit. Based on these assessments, issues and themes along with potential causes, impacts, management initiatives and recommendations are summarized in the “Recommendation and Management Action Plan” section.
Taking into consideration audit findings and mitigating controls in place in relation to the audit criteria, the audit team has categorized the residual risk exposure for each audit criterion as high, medium or low.
These risk ranking levels correspond to residual risk exposure, which auditors believe may influence organizational objectives. The risk levels also take into consideration the levels of resources required to successfully implement corrective actions. The following describes the standards used to establish the residual risk exposure:
|Criterion||Residual Risk Exposure||Assessment|
|1. Process Effectiveness|
|The Department has an effective process in place in the branches to manage access to information requests in compliance with applicable policies and delegated authorities.||Low||The Department has an effective process in place to manage information requests in compliance with requirements. However, opportunities for further improvement exist at the branch retrieval stage and the release stage of the process.
The Department’s ATI process is expected to allow information to be released to requestors in line with the established timeframes, while ensuring that the proper exemptions and exclusions are applied.
To determine the effectiveness of this process, the audit team examined data for all requests closed between July 2012 and December 2014. The audit team also tested a sample of 30 complex ATI request files closed between July 2012 and June 2014. This data analysis, supported by interviews, allowed the auditors to determine which parts of the process contributed to ensuring packages were released in a timely manner and identify areas for improvement.
Branch retrieval of information and identification of sensitive information for exemption or exclusion
According to the current process in place, upon receipt of a request from ATIP Division, departmental branches are expected to complete their retrieval of information and identify sensitive information for protection within two weeks. The audit team’s analysis of closed requests found that several branches were facing challenges in meeting this two week standard. When internal timeframes are not met there is an increased risk that the Department may not comply with legislated timeframes. A benchmarking exercise across select government departments found that other organizations provide their branches less than two weeks for this activity. The audit recommends all branches adopt retrieval practices that are timely.
One division in a branch was found to have considerably improved its performance and was able to complete its retrieval activity, on average, in half the expected time. Examples of best practices that were noted included:
Review and sign-offs of information packages prior to release
Following receipt of the information from the branches, consultation with outside parties (if applicable) and ATIP Division’s own review, most release packages are submitted to C&C Branch for review and then to Law Branch for additional review.
The audit found that all approvals at all stages in the process were performed by those with delegated authority. The audit team also noted significant improvements to the review process had occurred during the period audited, for example:
|2. System Reliability|
|The Department uses a reliable software system for the purpose of processing access to information requests.||Low||The Department’s Access to Information software system is reliable.
The Department uses AccessPro software to track the redaction of excluded and exempted information, manage the time taken by the various stakeholders involved in processing requests, and, report on departmental and stakeholder performance in processing timeliness.
The audit team analyzed AccessPro data for all closed requests between July 2012 and December 2014 and validated a sample of 30 complex request files against this data. The audit team also tested a sample of 188 randomly selected pages from partially released requests to determine if the software redaction functionality operated as intended.
The audit team found that the data emanating from AccessPro was reliable. All key AccessPro data used for reporting purposes from the sample of 30 files was corroborated with information found in the hard copy files. The audit team also found that the software redaction functionality is reliable. Individuals responsible for using AccessPro indicated that they had no issues with the redaction function since the software was updated in October 2013. The audit team’s testing found that all 188 pages examined in the software matched the hard copy files.
Recommendations and Management Action Plan
The following section summarizes the audit findings based on their causes, highlights their impact and presents the audit recommendations with the corresponding timeframes. The implementation timeframes are assigned as follows:
- Short term: implementation of the audit recommendation is expected within 6 months from the approval of the audit report;
- Medium term: implementation of the audit recommendation is expected within 6 to 12 months from the approval of the audit report; and
- Long term: implementation of the audit recommendation is expected to take more than 12 months from the approval of the audit report.
When applicable, relevant management initiatives already underway are included. For each recommendation, management has provided the following:
- An action plan that addresses the recommendation;
- The position responsible for implementing the action plan; and
- The target date for completion.
Adopt Good Retrieval Practices and Streamline Reviews
The ATI Act requires that requested information be provided within 30 days, plus allowable extensions, while ensuring that the appropriate exemptions and exclusions are applied.
The audit examined the ATI process and noted that several branches were facing challenges in meeting the two week standard timeframe for branch retrieval.
Furthermore, the audit noted that the Law Branch's review of release packages was adding time to the overall process and not deemed necessary.
When the timeframes set by the Department are not met, or additional review time is needed, there is a risk that the Department may not comply with legislated timeframes. Adopting good information retrieval practices and streamlining the review process may allow more time to apply the proper exclusions and exemptions and help reduce the time required to release the information to the requestor.
Appendix A – List of Employees Interviewed
Department of Finance Canada
Consultations and Communications Branch
- Communications Strategist, Communications Strategy and Parliamentary Affairs
- Director, Communications Strategy and Parliamentary Affairs
Corporate Services Branch
- Chief, IT Security, Information Management and Technology Directorate
- Analyst, Information Management and Technology Directorate
- Senior Developer Analyst, Information Management and Technology Directorate
- Correspondence Officer, Assistant Deputy Minister’s Office
Deputy Minister’s Office
- Chief of Staff
Economic Development and Corporate Finance Branch
- Administrative Assistant, Microeconomic Policy Analysis Division
Economic and Fiscal Policy Branch
- A/Executive Assistant, Assistant Deputy Minister’s Office
Federal-Provincial Relations and Social Policy Branch
- Executive Assistant, Assistant Deputy Minister’s Office
- Statistical Analyst, Federal Provincial Relations Division
Financial Sector Policy Branch
- Administrative Assistant, Assistant Deputy Minister’s Office
International Trade and Finance Branch
- Admin Assistant, International Trade and Finance Branch
- Assistant Deputy Minister
- General Counsel, General Legal Services
- Counsel, General Legal Services
- Counsel, General Legal Services
- Director of ATIP Division
- previous Director of ATIP Division
- Executive Assistant to the Assistant Deputy Minister
- Team Leader, ATIP Division
- Team Leader, ATIP Division
- Officer, ATIP Division
Tax Policy Branch
- Administrative Coordinator, Sales Tax Division
- Chief, Branch Coordination, Personal Income Tax Division
Aboriginal Affairs and Northern Development Canada
- Team Leader, Access to Information and Privacy Directorate
- Team Leader, Access to Information and Privacy
Public Service Commission
- Director of ATIP Division
Treasury Board of Canada Secretariat
- Senior ATIP Analyst, Strategic Communications and Ministerial Affairs
Appendix B – Key Information Reviewed
Legislation, Policies and Guidelines
- Access to Information Act
- Access to Information Regulations
- TB Policy on Access to Information
- TB Directive on the Administration of the Access to Information Act
- TBS Criteria for Posting Summaries of Completed ATI Requests
- TBS Right of Access - Access to Information and Privacy
- TB Guidelines Access to Information – General
- TBS Guide for Posting Summaries of Completed ATI Requests
- Department of Finance Canada Annual Report to Parliament on the Administration of the Access to Information Act 2012-2013
- Department of Finance Canada Annual Report to Parliament on the Administration of the Access to Information Act 2011-2012
- Department of Finance Designation Order under the Access to Information Act
- Report on the TBS Study of Best Practices for Access to Information Requests
- AccessPro – data related to closed requests for the period July 1, 2012 to June 30, 2014 and July 1, 2014 to December 31, 2014
Appendix C – Best Practices for Branch ATI Retrievals
Administrative Personnel or Others
- Easy access to a well-organized repository of previously requested information.
- Easy access to a repository of information likely to be requested.
- Provision of a brief document on branch level guidance (e.g. “cheat sheet”) summarizing how to apply frequently used exemptions and exclusions.
- Individual responsible for processing the branch requests quickly confirms with the authors of the requested information the proposed release package (e.g. same day).
Authors / Officers
- Classify information when it is being created (e.g. Protected A, Secret, etc.).
- Apply exemptions and exclusions to information likely to be requested as it is being created.
- Timely disposal of transitory records and records no longer required.
- Well organized email accounts with small amounts of information.
Appendix D – Members of the Audit Team
- Zahra La Fargue, B.Comm, Developmental Auditor
- Chantale Dumornay, BAA, Auditor
- Dan Steeves, MPA, CIA, Senior Auditor
- Dan Maloley, B.Comm, CPA, CMA, CIA, Audit Manager
- Abdillahi Roble, MBA, CPA, CGA, CIA, CRMA, Director, Internal Audit Operations and Practice Management
- Christian Kratchanov, MBA, CIA, CMC, CRMA, Chief Audit Executive and Head of Evaluation