2008 Legislative Session: Fourth Session, 38th Parliament

SELECT STANDING COMMITTEE ON PUBLIC ACCOUNTS

MINUTES AND HANSARD

MINUTES SELECT STANDING COMMITTEE ON PUBLIC ACCOUNTS

Wednesday, November 19, 2008

3 p.m.

Douglas Fir Committee Room

Parliament Buildings, Victoria, B.C.

Present: Rob Fleming, MLA (Chair); Rick Thorpe, MLA (Deputy Chair); Harry Bains, MLA; Randy Hawes, MLA; Olga Ilich, MLA; Bruce Ralston, MLA; Claude Richmond, MLA; John Rustad, MLA; Bob Simpson, MLA; Ralph Sultan, MLA; Claire Trevena, MLA; John Yap, MLA

Others Present: Cheryl Wenezenki-Yolland, Comptroller General; John Doyle, Auditor General; Josie Schofield, Committee Research Analyst

1. The Committee considered the Auditor General’s report entitled Managing Government’s Payment Processing (Report No. 4, 2008/09)

2. Resolved, that the Committee endorse the recommendations contained in the Auditor General’s report entitled Managing Government’s Payment Processing; and recognizes the progress being made by the Provincial Treasury and the Ministry of Labour and Citizens’ Services and that no further action be taken at this time.

3. The Committee considered the Auditor General’s report entitled Office of the Auditor General: Financial Statement Audit Coverage Plan.

4. Resolved, that the Committee endorse the recommendations contained in the Auditor General’s Financial Statement Audit Coverage Plan for Fiscal Years 2008/2009 through 2010/2011.

5. The Committee adjourned at 4:59 p.m. to the call of the Chair.

The following electronic version is for informational purposes only.

The printed version remains the official version.

REPORT OF PROCEEDINGS
(Hansard)

select standing committee on
Public Accounts

Wednesday, November 19, 2008

Issue No. 22

ISSN 1499-4259

[ Page 441 ]

WEDNESDAY, NOVEMBER 19, 2008

The committee met at 3:04 p.m.

[R. Fleming in the chair.]

R. Fleming (Chair): Good afternoon, committee. We'll begin in a minute. We have the agenda before us, but before we begin, I would like to welcome one of our newer committee members, Olga Ilich, here today to be with us. It's nice to see you.

O. Ilich: Thanks.

Interjection.

R. Fleming (Chair): Claude Richmond was here last time. He has a perfect attendance record. I was just welcoming Olga for her first meeting for Public Accounts. You stand corrected.

Members, we have two items on the agenda before us today. The first item is "Managing Government's Payment Processing." I see the Auditor General is booting that up. In a moment they have a presentation to begin that item. And then we will deliberate on "Financial Statement Audit Coverage Plan" for the upcoming fiscal year.

[1505]

I would ask for a motion to approve the agenda, unless there are any additions or changes.

Meeting agenda approved.

R. Fleming (Chair): Auditor General, I will welcome you and ask you, Mr. Doyle, to introduce report No. 4 from 2008-2009 and begin our meeting this afternoon.

Auditor General Report:
Managing Government's Payment Processing

J. Doyle: Thank you, Chair. Good afternoon. Good afternoon, Deputy Chair and Members. Each year, government makes millions of payments totalling tens of billions of dollars to many thousands of suppliers and employees. The public expects that these payments should be sent to the right parties in the right amounts and in a timely way. Two years ago my office issued a report on government's accounting system, and satisfactory progress on the recommendations was published quite recently.

The report under consideration today is an extension into how well the processes work rather than just the controls framework. It's a small report, but it's a major block of work. We could have presented it as six different reports but resisted the temptation and brought it down to one main report, although you'll be realizing that a lot of the information that we shared with management is not for public presentation, because the information controlled within them is sensitive.

The bar is set very high for the protection of taxpayers' moneys, especially when the use of technology is in place — hence the need to not only deal with these issues promptly, as you will hear soon from the government side, but also to make sure that the systems that are in place are above reproach.

You may recall my observations at a previous meeting about the ripple effect of the recommendations from one report flowing into other areas, and this is another example. I would expect all CIOs to test if any aspect of this work relates to their own organizations and take any action that they may deem necessary, particularly those generic aspects like segregation, control, access, logical controls and so on.

With me today from my office are two members of the team: Bill Gilhooly, assistant Auditor General, who leads one of the financial audit portfolios and who has overall responsibility for all IT audits; and Faye Fletcher, an IT audit director, who actually led the audit team that carried out this work. I'll now turn it over to Bill to provide you with a brief overview of the audit.

B. Gilhooly: Thank you very much, and good afternoon, Members. I'm going to cover four parts in my presentation. One is just some background information; second is what we looked at to give you some context of what can go wrong in these environments; third is what we found, including the main themes and what the risks are there; and overall, what it means in terms of our conclusions.

As John said, each year government makes millions of payments that total billions of dollars to many thousands of suppliers and employees. Last fiscal year there was over $30 billion paid out by government. This was distributed to suppliers' employees by issuing over 3½ million electronic fund transfers and over 900,000 cheques.

As John said, to reiterate, the public expects that these payments are sent to the right parties in the right amounts and in a timely way. To make all of this work, government relies heavily on information technology to process these payments and expects this environment to be well controlled so payments don't go missing along the way through error or through fraud.

There are some common risks in processing EFT and cheque payments such as loss due to clerical errors, hardware and software failures, or the risk that someone will intentionally alter a payment transaction to misdirect or misappropriate funds.

There are a few other risks too, such as cheques may be undeliverable or unclaimed. The bank may reject some types of transactions such as if there's invalid bank account information or late action to stop or
[ Page 442 ]
recall payments. These issues create risks of missing or late payments, or returned or recalled items not being promptly handled.

This diagram is on page 17 of your report. Please don't be alarmed by all the shapes and arrows. I'll take you through it. It basically shows the four main parts of government that process all the payments, and it also shows a view of the flows of this payment information as it goes through the system.

[1510]

Basically, the payment data flows from the top left-hand corner, from the corporate accounting system, through to B.C. Mail Plus for the processing of paper cheque payments or through to provincial treasury and out to the banks for electronic payments. In the bottom right-hand corner you'll see there's also an important reconciliation process between the payment files and what's been paid.

So in our audits we looked at the manual and automated controls over this payment data as it passed through each one of these stages and subsystems through the whole process.

To get our audit done, we organized our work around eight basic business areas. You can see that they are highlighted by the notations A to H on this diagram. On the very top of the diagram you'll see that there are three overarching audit areas that we looked at. One was the maintenance and administration of access. The second was how government handled its backup of payment, programs and files, and the third was business continuity planning, both within each one of those boxes and how it was integrated overall.

Within each one of the boxes, the audit areas we looked at were in the corporate accounting services area at the top. The generation of payment and bank reconciliation files is one separate area. Also in the corporate accounting services area in the bottom right quadrant we looked in detail at the reconciliation of the payments to the general ledger.

In the top right-hand quadrant you'll see, at B.C. Mail Plus, we looked in detail at the processing processes and how they look after the printing-cheque process. And in the bottom left corner you'll see that there are two main components to that part of the audit — at cash and banking at provincial treasury, which was the processing and release of the EFT payments to the banking system as well as the processes they used to manage the status of payments.

You might want to stay on that page if you want to be able to refer to things later on, or it might be useful for asking questions.

So what did we find? Well, to start with I wanted to emphasize that, overall, our conclusion was that there were adequate controls in place to manage the risks to government's payment processing. However, we did find some common themes across all the business areas that we examined. In each one of those eight business areas we did find instances where controls needed to be strengthened.

As John indicated, we provided management with a detailed management report for each of the key business areas — I believe there are six in total — and in total across all the business areas we had 85 recommendations. But for the purposes of the public report, we are just focusing on the key findings and recommendation themes.

As you can see on this slide, they are grouped into five main areas: management review, access, segregation of duties, monitoring activities, and policies and procedures. You might note, if you were here for the report we did on the corrections network a few weeks ago, there are some similar themes there — in what we found here and what we found in the corrections network.

I'd now like to give you a brief overview of the significant findings in each one of these five theme areas.

In the first theme we found that there wasn't adequate management review in some areas such as manual logs for recording changes to MVS programs, which is in the mainframe environment, and for recording changes to correct processing problems. What's the risk here? Well, the risk is that changes may not have appropriate authorization, or changes could be an indication of other problems such as inadequate program testing prior to moving programs back into live production areas.

We also found there wasn't adequate management review to ensure bank payment information from ministries matched that received from the bank. The risk there is that payments may not be complete or valid.

On the second theme, we found that some access was inappropriate. This creates the risk of unauthorized changes to payment information. Access was not always granted on a need-to-have basis. We also noted that there was a large number of root or superusers that were identified in the UNIX operating system environment. This root access gives access to everything in that environment. Although government did cut the number of users in half, we believe the need for access for the remaining users should be reviewed.

Also, we found that access for print operators at B.C. Mail Plus exceeded their job requirements, which gave them the capability to change payment information. Also, access by some support staff exceeded their job requirements. We also found that banking and cash management staff could access payment transactions outside the AFT and cheque applications, and in some cases, the level of access granted allowed them to change payment information.

The third theme — and again this was an issue we found in the CORNET audit — was that incompatible duties were not always segregated, which creates a risk of inappropriate changes going undetected. We found that there was no segregation between development, test
[ Page 443 ]
and production responsibilities in the mainframe MVS environment. In the UNIX environment, the developers had access to the production environment.

[1515]

We also noted that those responsible for administering and monitoring security in the MVS environment were also responsible for production activities, and best practice is for security administrators to only have read access to production.

The fourth theme. We also found that in some areas there was little or no monitoring — for example, for the activities of users with root access; changes to some high-risk programs; changes for payment files; and activities of high-risk users, especially those with incompatible responsibilities. The profiles protecting programs and data files were not flagged to record activity that resulted in updating the data.

The final theme we had was that we found that some policies and procedures were outdated. For example, certain guidance for processing EFT payments, controlling the movement of blank cheque stock, making changes to programs in the MVS environment and processing stop-payments and returns was not kept up to date.

Why is this important? Well, policies and procedures need to be up to date to provide current guidance to staff and would also help to ensure a smoother recovery in the case of a business disaster scenario. They should also reflect what an organization's current manual controls are over their systems.

What's the bottom line to all these findings? We believe there is the potential for someone to inappropriately make changes or to add to payment information, and these changes or additional payments could remain undetected for a period of time. However, it's important to note that there are compensating controls, both automated and manual, that would likely detect such changes, although they may not always be on a timely basis.

One example I could give you. Control totals are important controls. Throughout the process there are control totals that control the flow. You would expect them to match throughout the whole process so that if a payment had been added or an amount changed, the control totals would pick that up, assuming that someone didn't have access to the control totals themselves and change them.

In conclusion, as I mentioned earlier, we did have 85 recommendations in our detailed management reports, but we have focused only on the key findings for this report that was in the public domain. There were 34 key recommendations made in the detailed part of this report, which have been grouped under these five themes I just talked about and which you can find on page 7 in the executive summary. During our audit clearance process, management had addressed or was in the process of addressing many of our findings and recommendations.

That concludes our presentation.

R. Fleming (Chair): Thank you, Bill.

Auditor General, do you have anything to add to the presentation at this time?

J. Doyle: Not at this time, Chair.

R. Fleming (Chair): Then I would ask the assistant deputy minister from the provincial treasury to come forward and set up their presentation. Then we'll have questions from members for the Auditor General and for ministry staff.

Mr. Hopkins, if you're ready to begin, we'll have your response to the audit findings.

J. Hopkins: Good afternoon, committee members. Thank you for the opportunity to respond to the Office of the Auditor General's report on the government managing of the payment process.

In order to do that, I've assembled a team of manager experts in the area, each representing the agencies that make up the government payment process and as identified by Bill just a moment ago.

On my right directly are Alison Gunn, senior manager of banking, cash management in provincial treasury; Nashater Sanghera, executive director of corporate accounting system; and Vern Burkhardt, executive director of procurement and supply services, responsible for B.C. Mail Plus.

[1520]

My name is Jim Hopkins. I'm the ADM of provincial treasury, and my responsibility is with respect to banking, cash management. I'll present an overall response, and we as a team would welcome any questions that you may have after that presentation.

At the outset, all three agencies welcome this review by the Office of the Auditor General, and we congratulate them on the diligence that they paid to what is actually a fairly complex process. We congratulate them also on the recommendations that have come forward.

There are two big takeaways — important takeaways — for government, I believe. One of them is that we take assurance from the overall conclusion that the Auditor General has concluded that there are adequate controls for managing the risks related to the payment processing system. We are also pleased that we have also got a package of recommendations that will enable us to move forward and, in fact, strengthen the system.

As the result of the audit — as Bill mentioned, even during the audit— we were beavering away and actually starting implementation on a number of the recommendations. During the actual audit itself and following, we've now implemented 71 of the 85 detailed recommendations that comprise the report. The balance of those recommendations will be implemented, and our expectation is that the system will even be stronger as a result.
[ Page 444 ]

For the remaining recommendations, by March 31, 2009, they will either be implemented, or a plan will have been finalized for implementation based on further evaluation and review.

With respect to the specific recommendations for the Auditor General, I've organized our comments by the five themes that the Auditor General identified in his report.

The first theme in the report. "Management should increase regular reviews of key system-generated reports and transaction and access audit reports." Many of these recommendations have been dealt with, and they really fall into the bucket of providing a clearer audit trail. We are agreed that that was lacking, and we are now increasing management reviews and documenting the same so that there is evidence of those reviews having taken place.

The second theme that emerged from the recommendations from the Office of the Auditor General. "Inappropriate access levels should be removed and access should be regularly reviewed to make sure individual access is compatible with the user's responsibilities." We have reviewed and modified accesses and are in the process of putting more monitoring systems in place, as you can see by the examples cited in this slide. For a specific example, the provincial treasury conducted a system security review in the summer as a result of the report, and now access to the mainframe for production data and production systems is limited only to managers.

The third theme that came out of the report was the recommendation: "To minimize risks arising from the lack of appropriate segregation of duties, user activities should be evaluated and reassigned where necessary." We have improved monitoring and assigned duties to address segregation. We are in the process of putting more monitoring systems in place. That for us is probably the most obvious answer so that we can quickly build capacity and be better able to ensure that access to the systems is monitored on a routine basis. The ability to just add staff — unless it's really an imperative — is not an option that is readily available to us.

The fourth theme that emerged from the recommendations. "Access activity reports should be regularly reviewed, especially for support staff with advanced access to programs and data and for updates to high-risk data and program files." In addition to better documenting the existing reviews that we do, we have increased the frequency of scheduled reviews by management.

[1525]

The fifth and final theme. "Policies and procedures should be updated to ensure that guidance given staff remains current." Here, updating and continuing to monitor and ensuring that documentation is current is an ongoing undertaking. Highlights since the release of the report have been…. The CAS maintenance process manuals have been updated. B.C. Mail Plus has updated its policy and procedures manual.

As a matter of course, provincial treasury attends meetings of the senior financial officers at least three times a year in order to ensure that current policy changes to process are understood by our clients.

The Office of the Auditor General also made important recommendations respecting business continuity planning. In the event of a business interruption, government has designated banking and cash management of provincial treasury as well as CAS and B.C. Mail Plus as mission-critical activities. The key message here is that CAS, banking and cash management, and B.C. Mail Plus should jointly develop and maintain business continuity plans that will satisfy the minimum processing and printing requirements to enable critical payments to continue in the event of a disaster.

Each of the agencies has their own business continuity plan, and each tests that plan. There was a reference to banking and cash management not having done so. We have just completed a testing of our plan last October. So as I say, each does test their plan. The plans are there in response to a local area disaster, so if the buildings, these entities —provincial treasury, CAS, B.C. Mail Plus — went down, then there is an answer to that sort of situation.

We as a group, the three agencies, will build a joint plan and test it in '09-10. Indeed, CAS and B.C. Mail Plus in two weeks' time will be undertaking a joint B.C.-planned test of their plan.

In summary, again we take assurance that the Office of the Auditor General has confirmed that there are adequate controls to manage the risk related to the payment processing system. We're grateful for the recommendations that have been put to us. I think they're good. In the large measure we're accepting of all of them, and as I say, we've implemented the lion's share of them to date. There's still some work to do going into the '09-10 fiscal year.

With that, I'll stop and am pleased to take any questions we can answer.

R. Fleming (Chair): I thank you for that.

Members, I've had a couple of hands go up, so we'll go straight into questions.

C. Trevena: Thank you very much for the audit and presentation. One thing begs the question. With the audit, it talked about the possibility of inappropriate access and the capability to change payments. Has there been any instance where there has been inappropriate access or payments have been changed with different…?

J. Hopkins: I expected that question. It's a very fair question, and I can say that as far as we're aware, as a
[ Page 445 ]
collective group with some history in these organizations, that has never occurred.

C. Trevena: And the Office of the Auditor General didn't find any such actions having taken place?

J. Doyle: No, we didn't detect that.

R. Fleming (Chair): He said that they did not find that — just that the risk was there.

J. Yap: That was actually my question, Claire.

But I do have a question for the Auditor General. You have done a comprehensive study of a very complex system, and I commend you for getting it all into one booklet and not six that you could have. But there were some findings, and it sounds like government is addressing them on a proactive basis. Overall, I'm hearing that you found that controls were in place. Is that correct?

[1530]

J. Doyle: Yes, generally we're satisfied with the level of controls, including the compensating controls. We were concerned with issues of timeliness of detection, and they are being addressed. We take a great deal of comfort about the fact that so many of the recommendations have now been implemented. Although we will go back and have a look again, and possibly a different type of audit next time.

We'll look at different aspects. For example, we might look to see if there has been any tampering or adjustments. It's a different focus. It's a more precise, forensic type of audit at sometime in the future. But for the moment, we're confident that the work that's been done means that the controls are adequate.

B. Ralston: Did this study include a study of government credit card payments?

J. Doyle: It was not in the scope of the audit.

B. Ralston: And any particular reason for that?

J. Doyle: I suppose that whenever we start these processes, we need to be clear on the scope that we're going to move into. It was a huge audit, anyway, with what we did. If there's a sense that a review of credit card transactions needs to be looked at, then it's something we can take on board as a work that we can do at sometime in the future.

B. Ralston: Well, I think it has been the subject of debate in the Legislature on a number of occasions, so I certainly think it's a live issue. Anyway, I'll leave it to you.

B. Simpson: I have a process procedural question, because in this case we did get some recommendations that didn't see the light of day for security reasons. I'm just curious where the public oversight comes in those kinds of situations — where the Auditor General looks at something and has to keep some of the recommendations between the government agencies involved — because Public Accounts is the public oversight of whether or not the government is responding appropriately.

So just as a new member of this committee, I'm trying to understand where those recommendations go that don't see the light of day and what the public oversight function is on those.

R. Fleming (Chair): I wonder if Mr. Doyle would describe how he works for senior management on those kinds of internal recommendations.

J. Doyle: We've got several approaches when we detect issues that are sensitive in nature. The one that we have adopted and will continue to adopt into the future is where we will sit and work with management, particularly CIAs in the examples I'm thinking of at the moment, so that they can address issues in a timely fashion, as and when they come up. So we have this continuous communication process.

One consequence of that process is that sometimes the audit reports are delayed in their publication because we need to close the door before everyone realizes it's open, basically. However, we'll always report what we find.

If the committee is particularly interested in the details of the 85 recommendations, then the only thing I can suggest is an in-camera session to go through the fine detail of all of those.

What we've tried to do without hiding anything is stream them into themes so that rather than the very, very detailed recommendation which we've made to the agencies concerned, we put them into a broad aspect of the changes and then allow the committee to rely upon the assertions made by the government or the various agencies to actually deal with them properly.

In the CORNET report that we did a few weeks back, it was a similar sort of process. There were a large number of recommendations, and it was not appropriate to release details of them until the door had been firmly closed, bolted and welded shut. So we've adopted that approach. There's another one in the pipeline where we're looking at those kinds of issues, and we're waiting until the response has been worked through before we actually document and present publicly the findings that we've made.

B. Simpson: That's helpful. I just was curious about whether or not you've got the right to do something in camera, because this is supposed to be a secure meeting, as well, if we do go in camera. I don't think we need to
[ Page 446 ]
have a meeting with all 85 recommendations, though. I can see the looks on the other side there.

[1535]

One quick question — a question to Mr. Hopkins. You had stated at one point that adding staff is really not an option for us. I was curious about that, as to whether some of the system issues here are a result of realignment of staff resources or staff cuts, or whether other human resources may be necessary.

I wonder if you could clarify that statement about that not being an option. Is that a technical issue where the appropriate staff is not available, or is it a budgetary issue? And is more staff necessary to keep this continuous improvement ongoing?

J. Hopkins: Well, I think in the context of segregation of duties, you know, very easily one could affect segregation of duty by just adding staff. That would be sort of an easy response. It's not necessarily the only response that we should be looking at.

There is effective monitoring software, for example, in the case of CAS, speaking of them maybe for a moment as an example. They're looking at using monitoring software, starting a project in March of '09 to add capacity so that they're going to be able to address some of the issues that the Auditor General has cited here.

If there was a critical issue, and there just was not a nice system solution, we would of course not be shy in bringing that to the attention of our bosses and ensuring that they are understanding the risks that are borne there. But I don't think we've landed at that spot at this point.

B. Simpson: Just so I'm clear. The comment about staff was really about the issue that it would be easy to address some of the segregation issues just by simply dividing it between personnel, and that would require adding staff. You're looking at alternate solutions to that, which might be software-oriented. It was only explicitly with that issue of segregation of responsibilities.

J. Hopkins: Right. And there is technology there. Nashater could talk to that probably.

N. Sanghera: In five of the recommendations made to CAS, we are actually looking at alternate actions which would involve either technology or other means — maybe process changes and so forth. So we're looking for the most efficient and effective way of implementing these changes. Then as a last resort, we always have the option of adding staff if needed.

J. Rustad: Thank you for the report. I've just got a question with regards to the business continuation planning. With the utilization of off-sites, is any of that activity done outside of Canada?

J. Hopkins: We have no recovery site outside of Canada with the passage of the Patriot Act in 2006. Up to that date…. Actually, just before the passage of that statute in 2005 the off-site for the mainframe — the recovery site for the mainframe — was in Philadelphia and had been there since early 1980s. But with the pending imminent passage of the Patriot Act, that recovery site was moved to a location in Mississauga, Ontario, and has been there since 2005.

J. Rustad: Interesting. Okay, thanks very much.

O. Ilich: This is a bit of a sense of déjà vu for me, because part of this was my ministry, obviously, when the audit was going on. I can tell you that we took the audit very seriously, and we welcomed the audit, because it was part of our mandate of continuous improvement in our processes to deal with the business of government.

You have talked about the number of recommendations that have already been implemented. And the others will be done? I think that was one of the things that we were finding was very important — that we deal with the Auditor's recommendations right away and that we continue to do improvement all along the way. So can you just tell me about that a bit?

J. Hopkins: Well, that is definitely our undertaking to do. There are 14 of the 85 recommendations that we've identified as remaining to be done, and they'll either be addressed by implementation by the end of this fiscal '08-09, or if they're recommendations that fall in the category of requiring more evaluation and review, we'll have a plan to address that recommendation by March '09. I would expect to have everything rounded up and done — all the recommendations — by '09-10.

O. Ilich: Okay. One further question. You continue to work with the auditors on how you're implementing those recommendations so that they're happy with what you're doing?

[1540]

J. Hopkins: Sure. We're more than happy to share our progress with the Auditor General in terms of how we progress.

J. Doyle: We're going to do a follow-up on this particular report, which will be published on the first of April. No, make it the 31st of March next year — first of April might not be a good day. It will detail progress against all 85 recommendations. We'll then determine whether or not we need to do any further work in regard to any of them. But so far we're quite confident that that will probably be the last time that we would need to review this particular report, and we'll move on to others.
[ Page 447 ]

R. Hawes: Actually, John, I do have a question for you. This is not a vexatious question. It's a curiosity one. The independent officers and the payments made on their behalf. Do they follow through the same stream, or are they made in the offices, directly, of the independent officers of the Legislature? How does the invoicing and payment of invoices through their offices take place?

J. Doyle: I've just asked one of my staff the question.

All the independent officers go through this system.

R. Hawes: There's no compromise to their independence by having that flow-through?

J. Doyle: It's something I'm looking at, at the moment.

R. Hawes: Okay.

Interjection.

R. Fleming (Chair): We all learned something.

Any other questions, Members, for any of the witnesses? If not, then we have recommendations before us in the report and….

R. Hawes: I move that we accept the report of the Auditor and the response of the ministry.

R. Fleming (Chair): The motion is to endorse the report and the response. Any discussion, Members?

Motion approved.

R. Fleming (Chair): Thank you again to our witnesses from the treasury and from Labour and Citizens' Services for being here.

We will just wait for a moment and then begin the financial statement audit coverage plan presentation.

[1545-1550]

R. Fleming (Chair): We're waiting on some documents being copied, but I think we're in good shape for presentation from the Auditor General of the audit coverage plan, the slide presentation. I'll ask John Doyle to begin and for Bill to present.

Auditor General Financial Statement
Audit Coverage Plan

J. Doyle: This is the largest audit undertaken in B.C. and involves the work of many firms as well as my office. Last year's coverage plan was based on the work started by my predecessors. I adopted a steady-as-you-go, with a slight increase in the number of entities audited directly by my office.

During the last year I have reviewed what would be required for the coming cycle. My review revealed no substantive reasons to change significantly the approach for the coming year, albeit that some new organizations have been added. This is not surprising, as the criteria for selection and the assessment of risk should result in a similar outcome.

The coverage plan is lining up with the new international auditing standards for large organizations that have significant subsidiary interests as well as consideration of the special issues that are generated by the public sector organizations.

In developing the plan, I also considered a number of other issues that I wish to share with you. The private sector audit community delivers an important number of services within the GRE — the government reporting entity — and needs to consider any special requirements I may have during the conduct of their work.

My staff conduct reviews on a random basis, and I would expect to engage with each firm in a constructive manner during the next cycle to ensure that there is adequate coverage and clarity of expectations.

The control environment within the GRE will be the subject of an additional review as part of this year's audit process. We will be looking at IT controls, internal controls, financial management governance and internal audit. A summary of the management letter issues and how they are being addressed will feature in an ancillary report to be published in September 2009 following issuance of the opinion.

Work on the issues generated during the 2007-2008 audit are expected to be addressed by the end of 2008, and any outstanding issues will form the basis of a special report to be issued at the end of March, along with any major issues regarding control frameworks that have been detected up to that time.

Following our presentation, I will be able to respond to any questions that you may have.

With me today from my office are Bill Gilhooly again, assistant Auditor General. He leads one of the two financial audit portfolios and has specific responsibility for the audit of the summary financial statements. Also with us today is Jason Reid. Jason is a senior director and part of the senior team leading financial audits.

I'll now turn over to Bill to provide you with an overview of the plan.

B. Gilhooly: Hopefully, everyone has brought copies of the report with them. I'm going to be referring to it today, and I think the handouts are just coming around now.

This meeting is just to give you a briefing on our proposed coverage plan and answer any questions you might have, as John said. I'm going to assume that most of you are fairly familiar with the contents of the plan, because it doesn't change much year to year. But for the
[ Page 448 ]
benefit of the four or five new members, we'll provide a little bit of detail to help you.

[1555]

Approval of the plan is required under section 10(6) of the Auditor General Act, and it basically drives the whole appointment process across the system. However, I want to emphasize that it's not an approval of the plan costs, because that of course is for the Finance and Government Services Committee.

It's a three-year rolling plan, and it's done under the same time frame as our funding proposal and that of government's fiscal plan. We need to look three to five years out in our audit rotations for when contracts are coming due with private sector auditors. Our focus is mostly on the 2009-2010 fiscal year, which is the upcoming audit cycle for next year.

This is the sixth plan we've submitted to the Public Accounts Committee since our act was changed in 2003.

As you may know, this plan is a subset of our larger financial plan and estimate of resources that we'll be presenting, I believe, in a week or two. Our aim here is to build a plan that provides the Auditor General with the right depth and breadth of knowledge and understanding of the business of government and the significant issues.

As you'll see, our coverage will increase slightly in certain sectors this year. We're coming into the years of the plan where historically it has been minimal. This is to better align us with evolving audit standards and practices in other jurisdictions.

When our act was drafted, it contemplated a rotational approach to doing audits, especially for sectors with like-type organizations. Five-year limitations on audits were also introduced back in the 2000-2003 period, when audit independence was a bit rocky in the profession with things like Enron going on. However, the audit business itself, including our office, settled on senior partner rotations instead of firm rotations, so our act is a little bit out of sync with current practice.

Today we're seeking your approval for four things, which you can see on the slide are: the proposed plan that you can see in appendix A of the plan; also, for the Auditor General to continue as the direct auditor for 14 entities where our term has exceeded five years; for the Auditor General to continue as the direct auditor for two entities outside the government reporting entity; and for the Auditor General to continue to administer the auditor appointment process. These recommendations are restated on page 2 of your plan.

Like all plans, this one is also built on a number of assumptions. One of the most significant ones is that we must ensure we meet professional standards. That's why we ensure we have a good representation of entities across all sectors of government. On the other hand, we don't need to audit 100 percent of them to be able to form an opinion on the summary financial statements.

Obviously, if the number of entities changes or as standards change — and they only seem to increase — then the assumptions around the scope of the plan would change as well. For example, there were several new Crowns created this year, and one was merged with another.

Also, as you may know, ministries are excluded from the plan because we already audit 100 percent of these included in the consolidated revenue fund. So they're not included.

Essentially, we design our involvement on three levels of audit participation for the 151 organizations in the reporting entity. First, we have a low or limited involvement, where we don't do any fieldwork, and we just do a selective review of other auditors' files. That's for about 108 organizations for next year.

Next we have an oversight or moderate level of involvement, where we do review other auditors' plans as well as their audit files and attend a number of audit committee meetings. That's for about 18 organizations next year.

The final one is our direct or high-level involvement, where we conduct the audits directly, either with our own staff or with contracted firms. For next year that will be 25 organizations.

We have found for the last five or six years that this approach has served us pretty well, ensuring sufficient appropriate audit coverage across the reporting entity.

Of course, there are other considerations we make in determining appropriate levels of audit coverage. For example, we don't need to audit every school or college to have confidence about the audit risks and knowledge we need to have about the issues in that part of the education system. By directly auditing a sample of them and having lesser involvement in the others, we can achieve our objective for purposes of the summary statement opinion.

Of course, we need to move through similar-type entities over time to make sure our sample stays representative of those groups. For dissimilar or unique entities, like Crown corporations, we also apply a risk-based process with higher levels of coverage in areas of higher significance or risk.

Another important consideration we have is based on capacity. We need to make sure that we have enough direct audits to get the detailed knowledge and understanding of government that is not gained from oversight alone.

Finally, as a certified articling office, we strive to ensure that we have enough direct audits to provide the depth and breadth of experience that these students need to obtain their professional accounting designations.

[1600]

Turning now to the detailed plan. This is a table, which you can find on page 6 of your plan, that summarizes our planned coverage for the next three years for these 151
[ Page 449 ]
organizations covered by the plan. Essentially, it's just a rollup of the detail plan that you can find in appendix A. It is essentially the same plan as last year, adding the 2011 and 2012 year onto it, plus certain plan changes which I'll mention.

The first column shows the types of entities, and the second column shows the number of entities in each type. The remainder of the table shows our plan coverage by fiscal year and level of involvement. For example, in 2009-2010 we plan to have a limited involvement in 11 of the 16 colleges and have oversight involvement in three of them and audit two directly.

As you can see from the totals, our levels of involvement don't change much significantly between levels of involvement and year. There is a small increase in the number of direct audits and oversight in the education sector, however. Also, our highest level of involvement is still in the Crown corporation group with six oversight and 16 direct audits out of 41 entities for fiscal 2009 and 2010.

The implementation of the plan, like all plans, can change. As in prior years, we've highlighted significant changes to the plan for you to bring to your attention. So in the health sector, for the Fraser Health Authority we increased our involvement from limited to oversight coverage beginning 2008-2009. More details of these changes you can find in appendix B on page 25.

There are a few other changes that have happened as well. One is for the Pacific carbon trust. That's a newly formed Crown corporation which we're going to be auditing directly, as well as for the Transportation Investment Corporation. Both of these were making elections under section 10(4) of our act to become the auditors of these organizations for at least the first three years of their existence.

Each year, under section 10(7) of the act, we consult with the organizations that are impacted by changes to the plan. We consult with board members, usually audit committee chairs or equivalent as well as senior management. We use a combination of meetings and telephone inquiries. All the organizations included in the plan that are impacted understand their proposed audit coverage for the three years of the plan.

We also advise all impacted organizations, where there are changes within the plan after it's approved by this committee, of the final decision. All the impacted organizations we've consulted with are aware and understand our proposed audit coverage.

As far as implications to the office budget, there is negligible impact on this year's budget from coverage plan changes, as well as in the out-years of the plan, but there is a risk to bring to your attention that could affect the office budget. It's from the adoption of international financial reporting standards in Canada, which comes into effect for fiscal years beginning on or after January 1, 2011.

These reporting standards will be applicable for some Crown corporations at the transition date. However, it's still really unclear what and when the impact of the transition will be, both to central government and government not-for-profit organizations.

Finally, since our act was passed, a few things have got out of sync as well. As came up in discussions with prior year plans, there are potential legislative conflicts between the Auditor General Act and the School Act due to not all consequential amendments being made when the act was passed in 2003.

This had created some confusion over who appoints the auditors for school districts, for example, when the Auditor General is to be appointed. At the request of government, we consulted with Ministry of Education officials on potential changes to the School Act that would have eliminated these issues. We also worked with the comptroller general's office on a few other needed consequential amendments related to the Auditor General Act, which are still pending.

So that concludes my presentation of the plan, and we'd be happy to take in questions from members now.

R. Fleming (Chair): Great. Thank you, Bill.

R. Sultan: I see you have wound up on the question: does the five-year term limit still make sense in today's environment? You did refer to the impetus for imposing this limit for an audit assignment, being the various scams associated with Enron and Arthur Andersen — what was it? — only five years ago.

[1605]

I wouldn't believe human nature has really changed that much in five years, and although we haven't had a scandal of that type, we certainly have enough other tumult in the financial sector to suggest there are lots of issues of measurement in accounting still very present. I would ask you to explain further why you think the requirements should be waived with respect to, I believe, 13 of the 14 government organizations, so that you could continue on.

The reasons you give in your table strike me as being a bit thin. It gives your students an opportunity for more diverse training, and it does — certainly I would have to agree — allow you greater knowledge and familiarity with the entity being audited.

But I would argue that familiarity, comfort and even friendship are the enemy of a rigorous audit in the long term. In fact, a certain amount of discomfort, fresh eyes and asking what might at first glance be the dumb question might be key to keeping discipline in the audited entity, because they don't know quite what to expect. They're going to be prepared for everything and be on their toes; whereas if it's the same faces doing the same thing that have been there for ten years or so, I would think things get rather relaxed. Anyhow, I think that's an opposing argument that can be made, and I wonder
[ Page 450 ]
if you could explain further why you think the five-year rule should now be relaxed.

J. Doyle: Thank you for the question. It's not just now that the five-year rule is being relaxed. It's been relaxed each year for a number of years, and there are a couple of very good reasons why it should be so.

Before I address them, I don't know of any provincial Auditor that's ever had the problems that Arthur Andersen had, and I suppose to draw a line between their behaviour in Enron and some of the other notable private sector disasters is perhaps drawing a bit of long bow. In fact, usually the view is that provincial Auditors or their equivalents do too much work rather than not enough work. The issue is more how provincial Auditors can refine the way that they conduct their work so that it isn't so tedious or detailed as it is at the moment, or is perceived to be.

Each one of these…. The five-year rotation was built into the legislation, as I understand it, because that was the default that was being strongly discussed by the profession at the time, and it was considered at the time to be very good practice to be able to say that the province was in line with the profession.

The profession has actually stepped back from that position and moved into a situation where partner rotation is a much better idea than firm rotation. Firm rotation, if it was brought into a private sector organization, would actually cost those private sector organizations a significant sum of money more than their audit process does at the moment, mainly because as you first move into a new audit situation, it costs a lot of money to set yourself up and to make sure that you've got the adequate skills, that you've done the risk assessment and so on.

So the profession moved to a situation where, as long as there was substantial change in the principal actors in the process, then that was an acceptable…. As long as there was great and strong independence, then that was acceptable.

I would argue that within my office we have my position, but we also have a number of assistant Auditors General who are partner-level within a firm and that, although they don't actually sign the opinion, they will rotate over time so that we don't have the same "partners" conducting audits on an ongoing or inappropriate basis. We also, in regard to the audit teams…. I would love to have stability in my audit teams, but I would still change the people within each team certainly less than every five years but, as an absolute maximum, at least every five years.

[1610]

We've never…. Actually, I'm trying to think of an example where any of my team's staff, in this country or in Australia, have ever been regarded as cozying up to the client, but I can't think of one. However, I can say that a good, strong, robust, professional exchange is a feature of many, many of our reviews. We have plenty of feedback that demonstrates that that is valued by the agencies concerned and is of real use to them.

I think that without mentioning any names of organizations, we have seen reluctant auditees that over a period of time have become great fans of the office, simply because of the quality of what we were doing and how we were going about our business. There were never issues around independence or familiarity or anything else. It was just a strong process.

In fact, I don't think we got Christmas cards from this particular organization for the first couple of years of the audit. I don't think we get them now either, but we definitely weren't going to get one in those first couple of years.

So I'd like to put to bed, to put to one side, any thought that somehow the magical five years make a great deal of difference to our independence. I don't think it does. I would point out that all the ministries within government are not subject to this five-year rule, and the Auditor General and his staff will conduct those audits for a very, very long period of time — until such time as legislation is significantly shifted or changed.

I think the principle is well established that an audit team, as long as it refreshes its staff within that team and as long as it's applying due process and practice and remaining independent, can continue to deliver good quality audit services that are relevant and appropriate and independent of the agency concerned, without undue familiarity building up.

I would say that there are large numbers of ex-OAG employees out there in the public service at the moment. It seems that every time my team goes somewhere, they bump into somebody else that they know. I think it's a natural part of what we do — particularly as professionals, as chartered accountants — that we can distinguish between our professional life and also the fact that we can smile and say hello and have a cup of coffee with someone.

The organizations that we're looking at here, some of them…. You picked out one issue, which was variety for students, and therefore, because we're a trainer of chartered accounting students, we need variety and what have you. That's true, but it isn't the only reason that we go about that. I think for two years running I've had a look at that and wondered whether or not we should include that as a rationale for actually doing work.

I've looked at all of these, and it's clear to me that each one of them in some way contributes to my understanding of how we can actually form a view of the consolidated financial statements but also look within each silo within the public sector and gain a view regarding controls and reporting capabilities.

Some of these are linked to ministries, and it seems to be unreasonable to decouple them when we're already doing the audit for the ministry and we can't pass that on. Others are large and substantial, and they require a depth of knowledge and experience that maybe, in my
[ Page 451 ]
view, some private sector audit suppliers don't or can't provide in the way that I would require for the conduct of the work and the issuance of the opinion.

I actually feel quite comfortable with looking at all of these. Around the world you will normally find that the model that's been adopted in British Columbia, where some is done by private sector and some is done by the Auditor General…. It's quite normal that that model exists, but what you normally find is that the Auditor General signs the opinions for all the work. Therefore, the issue should more be around the other way. Conduct of the work by private sector organizations reduces their risk, reduces the cost to the public purse but also means that we have the overview that we need.

So I actually don't see a major problem with it. It's in the legislation, so we must deal with it each year. But I hope you're going to accept that by doing this work, we're actually improving the quality of the overall coverage, and we're making sure that the work that is undertaken in support of the opinion is adequate.

[1615]

Having said that, I am looking at every area and every audit that we do to see where we can engage the private sector auditors to conduct work, whether it be by direct contract from us or work conducted by them, to ensure that we build a strong and robust private sector audit function so that we can rely upon that to fill the gaps that currently exist.

The gaps — meaning we simply can't get enough people together at that point of time to conduct the audits over the four or five months where they have to be done. That work has to be spread out somehow, and the only way to do that is if you…. The alternative would be to get 300 auditors, and I'm not sure that's ever going to happen. I'm not sure you're ever going to accept that that's a reasonable way to go.

R. Sultan: Well, if I could just have one follow-up, Auditor General.

Every year at this time the question of the overall resources made available to the Auditor General's function becomes an issue, of course. Would you not agree that by yielding certain assignments to the private sector, it frees up resources that you can deploy elsewhere and subject the entire government to the full sweep of your undoubted competence and insight?

J. Doyle: Releasing work wouldn't change the cost to the public sector. In fact, if anything, it would slightly increase the cost to the public sector. So if you're looking at it from my perspective, as an office — yes. If I were to release an audit, it would mean I wouldn't need those resources or I could redeploy them elsewhere. However, it wouldn't reduce the cost overall, because the agency that I release would then have to pay someone else to do the work that I'm doing at the moment.

We could look at it from the whole of the audit universe perspective — by that, I mean the whole of B.C. — and what that would do would actually be, I think, to increase costs. I think with me you've got an opportunity to actually look at how we do this work and actually drive costs down to a reasonable level. I will be quite prepared to measure my performance or my office's performance against any of the other firms in regard to the audit fees that they charge, to make sure that the work that's actually done is value for money.

So I would actually argue the other way. I think it would probably be cheaper, and if we could reduce the risk for audit firms and bring the work in, then the total cost would probably drop for the whole of the public sector. It's sort of the other way around.

B. Ralston: I had a couple of questions just about historical coverage, and I don’t know whether this is the appropriate time to ask them, but I'm going to try.

On the University of British Columbia, which is set out on page 20, the historical coverage has been oversight, and you propose continuing that. I raised an issue with your office about $125 million of asset-backed commercial paper held by the university that was frozen, and I believe your response was that that may be something that you would deal with in the course of your relationship with the University of British Columbia. So is that something that would be caught by the oversight function alone, or would it require something more intensive in the proposed coverage?

J. Doyle: If there was a diminution in the value of any assets held by any agency, then that would be reflected in their annual report and would be in their financial statements with an appropriate note to explain the reason for the diminution in value and how that was addressed or dealt with by the university.

We would make sure that the university's auditors were aware of those issues — in fact, we did do that process — and we would expect to make sure that that was properly and adequately disclosed in their financial statements, which from memory it was.

Our oversight was…. I remember your letter. I remember also that we wrote back and said that whilst we weren't going to conduct work ourselves in that, we were going to see what the impact was across the system. And we did take the opportunity to go and speak with the auditors of the university. Also, we had a special note to make sure that we check that disclosure in that particular area was adequate.

B. Ralston: One further question, if I might.

The Private Career Training Institution Agency — there has been no historical coverage, and there is none proposed in the future. Can you explain that decision?

It's on page 23.
[ Page 452 ]

J. Doyle: One of the factors…. I mean, we could always do it. The issue is just building it into our program. If there's not a particular reason to do it…. It is a quite small organization, and it just hasn't come up onto our radar screen in the way that an organization that was perhaps much larger or had particular risks….

That would be it, really. There is no particular reason why we wouldn't go in there, other than that it hasn't been identified as something that is critical to our mission.

[1620]

O. Ilich: You've alluded to what I'm about to ask. I'm going to ask you a question about the relationship between the fees that you charge and the fees that are charged by private audit firms that do work under your auspices or for the organization.

So, for instance, when you're not doing the audit or you're not doing it directly but you have an oversight, there is a private sector organization that is doing the audit — right?

J. Doyle: That's correct.

O. Ilich: And sometimes they're working directly for you, but sometimes they're working directly for the organization.

J. Doyle: That's right.

O. Ilich: Okay. How do those relate? Do you have any idea of how much in total is being spent on auditing? How much of that work do you do, and how much do others do?

J. Doyle: Yes.

O. Ilich: Can you tell me, or is that not allowed?

I'm just curious, because there is obviously a lot of independent auditing still going on from other organizations.

J. Doyle: Yeah. Now we're talking about external audits. So the word "auditing" means a lot of things.

O. Ilich: Yeah. External audit.

J. Doyle: So we're just talking about external audits.

At the moment for the financial audit of the summary financial statements, which is Bill's area and also Russ Jones's area, the other assistant Auditor General, the total cost per year…. I've got to break it down between the whole of my office. Just bear with me one second; I want to make sure I get the right figure.

It's about $5 million for financial audit. The amount that's being paid in total to private sector firms is $4.8 million.

O. Ilich: So most of it.

J. Doyle: Well, 50-50.

O. Ilich: Oh, sorry. I thought of the five, it was….

J. Doyle: No, no — two different amounts.

So if you like, the audit universe is…

O. Ilich: Is almost ten.

J. Doyle: …just about $10 million. Now, that doesn't include control reviews, the IT work that you saw discussed earlier on today. It doesn't include performance audits and so on.

O. Ilich: Is that about on track with what it's been in the past?

J. Doyle: I don't think anyone has ever looked at that figure before, until I asked for it.

We've known what our costs have been, but we've never actually gone out and found out what the private sector was until I asked the question.

R. Hawes: Back to the five-year rotation. For those entities that are low involvement or moderate involvement or oversight, are you following to ensure then that the outside auditing firms are rotating senior partners or that the firms themselves are being rotated every five years?

J. Doyle: I don't think we've actually done any work to make sure that they have rotated, but it's the standard that they must adhere to under the Institute of Chartered Accountants auditing standards. So they must do that, but we haven't actually checked to see whether they do.

Because we're engaged with a lot of these, we actually can see the turnover of partners over time, so that we see it happening.

Each private sector firm writes to each agency every year and explains that it's in full compliance with the institute's requirements, and therefore we would expect that to be dealt with in that way. I have seen movement and turnover as it goes along.

There was another part of your question that I've forgotten.

[1625]

R. Hawes: No, that's pretty much what…. That was it.

H. Bains: There are some institutions listed on page 14 through the next few pages where the Auditor General has listed as either oversight, direct or…. Yeah. Then for the coming years…. For example, Langara College, for the year of 2010-11 and the year after that, you're not involved there anymore. There are a number of others
[ Page 453 ]
as well. Is it their decision, or is it a decision made by the Auditor General's office to get out of some of those institutions, and if that's the case, what's the reason?

J. Doyle: Okay. It's my decision. We've got a good history of going into organizations and conducting audits, providing value-added — which is not always recognized in the first couple of years but is certainly recognized year 3, 4 and 5 — and moving out and leaving the organization to a private sector auditor. We then go to a different organization within the same sector to basically add value-add again but also to expand our knowledge of the sector.

We've got a history in some school districts where we were not welcomed, but now we are. We've got references from one school district to others because of the quality of the work that we've done.

So it's not always adversarial. It is actually a cooperative-type process, but it's always at arm's length. There comes a point…. In this particular one, we moved out of Langara, and we're starting to move up to Camosun. We're just moving to a different area within the sector, and we know that there are quality private sector auditors available who can fill what we're leaving and then we can take over in a different area. So there's movement going on. It's very healthy to turn that process.

H. Bains: So by doing that, you are leaving some, and you are taking on some others. When you look at all of them, what are the financial implications to your office?

J. Doyle: We actually redo the audit plan every year. So what we do is look at the availability of skills, talents, hours and so on every year to see how many we've got. We do that as a separate exercise to what we think we need to do, but at some point, we need to merge the two together to make sure that we've got enough.

So it's not a question that we'll drop this one and then find one of equal size somewhere else. There is actually a disconnect between the two processes. What we would seek to do is say, "This is what we've got," which is one — the supply side of the argument — and then we would say: "What is it we actually need, based on our understanding of all the organizations we think we must audit?"

Now, when we've got too much resources — which I think is something that has never happened…. No, it's never happened. But if we had too much resources, then I suppose we've got the choice of either reducing our capability within the office or taking on some other work. But typically, what we have is just about…. We're in a splash zone of about the right amount each time. Therefore, we're looking at where to best deploy the resources we've got within the new risk structure that we have.

I'm looking at some of the audits that we do at the moment that are very large to see whether or not we can move those over to the private sector. I'm also looking at other aspects that we do — for example, looking at our KPI work against the B.C. reporting principles to see if private sector firms are willing to get engaged in that and provide those services directly to different organizations. Then we can go to other organizations that perhaps would benefit better from the input and the value-added that we can give them from the public sector perspective and actually start to build capacity within the whole system.

There will be an element of that in future iterations of this particular plan, where we've made the call to move out and get the private sector auditors to come in to do some work.

[1630]

One of the questions I was asked earlier from Randy which I didn't…. I've forgotten the other part of it, but now I've remembered. But it's still relevant to your question. Just because we only have limited overview, or the space is blank, doesn't mean we don't go and visit to find out what's going on. Quite the reverse.

We will take input from a whole array of different areas, and we will go along and we will review their working papers. That's like an internal audit on an external audit, in which you go in and see whether or not the evidence is there to actually form the opinion that was actually formed. If we're not satisfied, I have provisions within the legislation to require further work to be done, or I will do that work myself, and it may very well be that I could come up with a different conclusion than the private sector auditor has come up with.

Now, that has not happened yet, and I hope it never will happen, because we're all working to the same set of standards. But it is something where we can go along and make sure that the work that has been undertaken — not necessarily on our behalf, but on the behalf of the particular agency — is up to the public sector standard that we expect it to be.

We do have — I can't go through it in detail; it is confidential — issues with firms from time to time, and we sit down and we discuss that with them to make sure that they're resolved properly.

R. Fleming (Chair): I just had a couple of questions for the Auditor General on the coverage plan. One was regarding B.C. Transit, which I see your office has had what you describe as a moderate level of audit involvement with over the past three fiscal years, including this one, and you're proposing to step that up next year to directly audit them at a higher level of engagement in your office.

I'm just wondering. You described to a member who asked you a question a few minutes ago that normally on the rotation, your office anticipates that it will be stepping down and reducing involvement. In this case with B.C. Transit — which isn't a large Crown corporation; I think it's $60 million or $70 million a year — you're proposing to increase the amount of direct attention and audit work being done on that corporation.
[ Page 454 ]

J. Doyle: Sorry, I was just checking to make sure that my answer was going to be the right one. It's always a good idea.

This particular agency is going to move into large capital works over the next period of time. We have a focus at the moment of looking at the impact of capital investment on the way that organizations operate, and we felt it appropriate at this time to go in and have a look and see what exactly they were doing.

Oversight. You're quite right in observing that normally we spend some time in an agency, and then we move out. What we're doing in this particular case is we've spent some time in oversight, and now we're moving up. There may be other examples of that in the plan. There's nothing sinister or anything about it. It was just that the risk that we assessed for this particular agency elevated because of its capital program, and therefore we decided that we would need to have a look at it in a different way than we had in the past.

R. Fleming (Chair): Okay. That's the amount of debt being supported, and some of the capital projects are increasing.

Pacific carbon trust, which is the new Crown entity that you noted in this report, in this plan…. You propose immediately to become the direct auditor to oversee the next four fiscal years, at least, of that agency.

Just going to your rationale of coverage selection, where you've said — perhaps, I think, you would probably give this the most weight — that you have a risk-based selection process. I'm just wondering why this new organization, which doesn't have a track record yet, has been seen presumably as a high-risk Crown organization. And if you could just share any details as to why your office made that identification and what you propose to be doing as their direct auditor.

[1635]

J. Doyle: I'm not sure that it's a high-risk organization. It's a new organization, but I'll allow Bill to explain the full detail.

B. Gilhooly: We've almost always, by default, picked up new organizations that are created by government just because we find that there tend to be more issues in the startup years. We believe that we need to be there, to be on the ground understanding what those issues are.

In this case, it's a brand-new type of organization, and there are accounting and measurement issues that will be very unique in government and across Canada and anywhere that they set up any type of organizations like this. We wanted to be on the ground so that our staff could also get up to speed to understand what the complications are with these types of organizations, especially the measurement issues around carbon trading and offset trading. We're not expecting it to be a big organization initially, but we wanted to be there if it gets to be building to a larger organization.

As well, there'll be some knock-on effects into the public accounts. We want to be able to have the understanding, from auditing that Crown, of the disclosures that will be in there each year as a result of these transactions that government intends to make in the private sector for these offsets.

R. Fleming (Chair): Just one other non-governmental reporting entity that just doesn't seem to make it, although I've asked your office about it in previous years because it does have a history with government. That is the B.C. Safety Authority. Again, there just doesn't seem to be any oversight or audit coverage by your office for that organization.

They have quite a wide mandate. They're mandatory, so consumers at various points of purchasing services have to deal with them. Yet they don't seem to have any accountability to the public through an audit record from your office.

B. Gilhooly: If I can answer that question. Perhaps the comptroller might be interested as well. When new organizations are set up like this, government does an assessment of whether, according to the Public Sector Accounting Board's standards, those organizations should be included in the reporting entity or not.

When that organization was created several years ago, the comptroller's office's assessment was that it didn't meet the criteria for control under those standards. We agreed with that assessment as well.

We've just checked every year since then, just to make sure that nothing significant has changed with the board's structure or control that would have us change our opinion. My understanding is that they still have a financial statement audit, a GAAP-based audit, done, and I believe that that information is public. Beyond that, our office hasn't had any other involvement with that organization.

R. Thorpe (Deputy Chair): John, in your opening comments you made specific reference to the private sector playing a key role. By making that statement and listening to some of the answers, it just makes me…. Do you see a change in how the private sector works with your office in discharging its responsibilities?

J. Doyle: No, I don't see a major change on the horizon, but I would still like to fine-tune the way that we interact with the private sector — for example, some major firms that have worked very hard to build up expertise and skills in certain industry areas. I'm not always enthusiastic when my office comes along and says, "Well, we'd like to take over that particular audit for the next three years or so," but I haven't detected any major tension.
[ Page 455 ]

I meet regularly with the managing partners of the firms. I make the effort to go to the local offices to make sure that I know the people in each one, and so do my staff.

I think there is an issue around how we can work better together — how the new standards are going to mean that the costs for private firms and for ourselves are going to increase into the future, particularly if IFRS is in place, but also looking at controls, because the changed auditing standards mean a slightly different way of appraising risk within an organization and the work that you undertake.

[1640]

I'm looking forward to a long and successful engagement with them, and I will repeat: I think that they're an important part of the audit universe, as long as they conduct audits in a way that's suitable for the public sector and do not just deploy the techniques that may be suitable for the private sector. The public sector is different.

R. Thorpe (Deputy Chair): Thanks, John. In this plan…. Obviously we don't get to drill down into the details of how the plan's going to work and how it’s going to be implemented. Are there any major organizational changes or organizational thrusts that we should know about that are in this plan that have not been in previous plans?

J. Doyle: You mean internal to my office?

R. Thorpe (Deputy Chair): Yes — how your office is going to discharge the audits it's going to do. Do you foresee in the new ones you're taking on or proposing to take on…? Are there any organizational changes within the Auditor General's office and any change in thrust, so one area is more important than another area?

J. Doyle: Yes. We're going through a process within the office of remarshalling our resources and streamlining our processes. Let me first talk about the cost pressures that are there. Any change to standards, any change to the way that the reporting is done or the way the auditing is done means you've got to build people up to be able to carry out that work satisfactorily. That takes training, development and attention to detail. That costs.

If…of costing a lot in respect to auditors, the costs go up, probably too far, and then they come down as the activity becomes mainstreamed. That spike I hope to hold within my existing budget arrangements by relooking and revisiting the way that we actually undertake our work over the next period of time.

If I were to put it into perspective, the office has got to rethink the way it does business over the next couple of cycles to make sure that we have adequate resources to do the job that we have to do. I think I've mentioned in this forum, but I've also mentioned in other forums, the fact that two-thirds of my senior staff are going to retire within the next five years. As a consequence, I'm looking at how I develop the new group of auditors. How can I grow them and bring them forward? To take an auditor just graduated from university right the way through to a manager or a senior management position takes about eight to ten years. I've got some in the process already, but I've still got more that need to be brought through.

I can't just bring people in from outside and put them into an audit. It's a technical area of activity, and it would take a year or so to train them. So I've got to build capacity within the office, and in doing so, it means I've basically got to restructure almost everything that we do as we go forward — and, all at the same time, meeting the standards and the requirements. And we are reviewed just as frequently as any agency in the public sector in regard to what we do, how we do it and how much it costs.

So it's a big period of change for me, and what I'm assuming at the moment is that I can acquire a number of essential resources within the next reasonable period of time. If I can't acquire them, then I will not be able to deliver this plan. But I think I can acquire them, and if that is correct, then we will have adequate resources — not too many but not too few; hopefully not too few — to conduct this work to the required standard.

Now, at the moment I've got a good deal of commitment from amongst my staff to work the extra hours during the busy period and everything else, and that will continue into the future as long as they know that we're doing the right thing to provide the training, the technical expertise and the other opportunities.

But all of that takes planning and time and effort, and one of the issues that I noticed in the Australian context when there was a change into the international accounting standards — and also the international auditing standards, where both were implemented at the same time — was that it was very easy for staff to become disinterested in what was going on, because they were simply overworked.

[1645]

So I've got a difficult juggling act to make sure that we've got the right people in the right place at the right time, and that we're not asking too much of them. Now, that involves just changing or looking at everything that's within the office.

R. Thorpe (Deputy Chair): I wish you well with the development of your plan, but it is a three-year rolling plan. You have given the indications here that the budget approach you're going to take is the same budget that you had put forward before for the new current year that's coming up. Of course, you always have the opportunity to look at that on a rolling basis, and I think that's one of the positive things of the rolling basis.
[ Page 456 ]

Let me just ask a couple of questions though, because your approvals are that you want to continue to audit two entities outside the reporting entity. Let me ask what I think might be the easiest one first. The provincial employees community services fund. Why is that important for the Auditor General to do? Is it just a community service project, or…? Okay. If that's the answer, that's the answer.

J. Doyle: For the purposes of the tape, I was nodding my head. Yes, it's a freebie. We do that because we're independent.

R. Thorpe (Deputy Chair): It's a good community service. It's the right thing to do.

J. Doyle: Exactly.

R. Thorpe (Deputy Chair): Good. The other one is WorkSafe B.C. It's my understanding that this audit has been done by the Auditors General for some 15 years, so it certainly is out of the five-year time frame. Given the importance you've placed on the private sector and other comments, why is it important for the Auditor General to continue to do this audit?

J. Doyle: First of all, it's a fully funded audit in that we charge WorkSafe — WCBC — a fee. That fee doesn't actually come to the office. It goes straight into the government bank account. So we recover all costs that are associated with the provision of those services each year.

There are two aspects of the work that we undertake. The first is an annual audit, like an external financial audit. The second is a review of the reporting under the B.C. reporting principles. Both have been fantastic opportunities to build up skills and capacities within the office in regard to looking at an audit. To actually move now into a position where we would be saying we wish to withdraw from that process would actually take some planning and discussions with the agency concerned.

They are very keen to keep us for a list of reasons. They haven't shared those reasons with me, other than that we're fantastic, but there are probably other issues….

Interjection.

J. Doyle: I've never received a Christmas card from them, but I'm sure they do send a Christmas card.

R. Thorpe (Deputy Chair): You probably will after this question.

J. Doyle: To disengage couldn't be done quickly. What we want to do is to see how we can move forward. If we've got the resources to do it, it is an audit that I would like to keep because it just provides fantastic training opportunity at no cost to the public purse. If you like, it allows us to have access to a large organization doing things that are great training.

The other side of it is an area where I'd like to see development by private sector auditors looking at the auditing or providing assurance for performance reporting under the B.C. reporting principles. Again, that's an area where it's possible that we could find alternative methods to deliver those services.

I'll just ask Bill if he wants to add anything to that.

B. Gilhooly: Thanks, John. I guess one thing we look at, too, is that this entity…. There's a very high public interest here, so we believe there's value in our office having that independent view. As John said, we've done that audit for many years, and one of the benefits, for staff development also, is that because it has December year-end, it's off-cycled to the staff load that we have for the rest of the year, so we can fit that work in during the off cycle. So those are some of the benefits.

We do have a very good professional working relationship with the organization. We hold them out sometimes as a leader in accountability reporting. We still maintain our arm's-length relationship, but we believe that they're actually managing for results, and I think that their report shows that. So we're happy to be involved with it from an audit perspective as well.

[1650]

J. Doyle: I think that aspect of off-cycle work is actually critical. Financial auditors have a huge workload between February and June. So what do you do with them during the rest of the year? Now, we've found ways where we can put them into conducting work on controls appraisal, IT audits and everything else, but we also need some off-cycle audits to undertake as well so that we're actually not just having staff at one period but are actually able to utilize their skills and resources across the whole 12-month period. So it's a critical aspect of having that off-cycle work to being able to develop capability within the office.

R. Thorpe (Deputy Chair): With respect to that audit, you said that it's fully funded. Do you charge marketplace rates for that?

J. Doyle: According to the agency, we do.

R. Thorpe (Deputy Chair): But do we verify that with the marketplace that we are?

J. Doyle: We haven't done it in a formal way, but what we do do is we review the hours that we do and the charge-out rates, and those charge-out rates are market rate.
[ Page 457 ]

R. Thorpe (Deputy Chair): Okay. So again, as you move to implement your plan, this gives you some flexibility, but this could also — if you needed it, based on whatever happens out there — be an area for resources to make changes for the implementation of the plan, however it may unfold in years 2, 3 and 4 — whatever they are.

J. Doyle: That's correct. It gives me some room in case of any inability to attract and hold the right level of resources into the future. I have some flexibility around how I can actually deal with that.

R. Thorpe (Deputy Chair): At the urging of the Chair, I have one more question. Bill talked about consultation with those that you interface with and impact with. So you've got a couple of new Crowns coming on board, or you're proposing — the Pacific carbon trust and…. What was the other one?

H. Bains: Transportation.

R. Thorpe (Deputy Chair): Thank you. The transportation entity. So would you have engaged in consultation with the comptroller general and the comptroller general's office on those, as you included them in the plan process?

J. Doyle: We have contacts with the comptroller general's office on an ongoing basis. Members of my staff, people that are in Bill's teams meet regularly with staff of the comptroller general to talk about the global audit, the summary financial statements audit, and as part of that, we've identified those agencies as being ones that we would be seeking to audit over the next period of time. We've done that.

R. Thorpe (Deputy Chair): So the comptroller general has been consulted on these issues as we move forward.

J. Doyle: On those two particular issues, we've discussed it with…. I don't know if Cheryl was at the office or certainly in the meeting. But certainly they've been mentioned as being ones that we were going to be looking at.

R. Thorpe (Deputy Chair): Okay. Because I think it's important for all of us to make sure that your office and Cheryl's office at the highest levels — the leadership — that you continue to build a working relationship. Who knows? You may get a Christmas card from their office too.

J. Doyle: Looking forward to it.

R. Thorpe (Deputy Chair): I think it's important, because in your report you do highlight that consultation is an important thrust of how you operate, especially when you have new, leading-edge things coming on-stream that you have mentioned, Bill. It's obviously very appropriate at the highest levels that we have that consultation.

B. Ralston: A quick question on page 24. You mention other organizations, and you include offices of the Legislature, and then there's a note: "The offices consulting with certain offices of the Legislature concerning potential future audit involvement by the Auditor General. This would increase the transparency and accountability over funds expended by these organizations." You say: "These consultations are in a preliminary stage only."

Are the discussions or the consultations at the point where you can reveal which offices of the Legislature you're referring to, and what would be the purpose in engaging in this work?

[1655]

J. Doyle: The purpose of engaging in the work is, I suppose, the same principle that's deployed within the Auditor General's Act, which is that we should be accountable and transparent in our consumption of public resources. So, for example, my office produces an annual report. It's got financials in it, it's got performance indicators in it, and it goes against the service plan. We felt that that was a good place to move from for all independent officers. So we've asked the question: would you like us to provide these services?

At the moment they're included within the consolidated financial statements. We've received a good response — not the enthusiastic, "Yes, come and audit us straightaway; we're dying for you to arrive," but something along the lines of: "Yes, it's important that we have accountability." Therefore, can we work through a process where they step up to a situation where they can produce financial information and it to have a level of assurance that's provided by an audit opinion?

So we're just applying to these offices the same standard that we have had applied to us by the legislation.

B. Ralston: One further question, if I may. I believe at some point recently you produced a report looking at the operation of the Legislature generally. Is there any proposal to apply those same standards to — I think the committee is referred to as the LAMC — the Legislative Management Committee?

J. Doyle: We are discussing with the Clerk how we can contribute to his accountability and the level of assurance that he can demonstrate.

B. Ralston: So that would include LAMC, then?

J. Doyle: Yes.

R. Fleming (Chair): Okay, thank you, Members. I don't have anyone else on the speakers list, so the recom-
[ Page 458 ]
mendations on the audit coverage plan are on page 2. I'd look for a mover.

R. Hawes: I would move the four recommendations that are on page 2 and would note, in moving them, that I take great pleasure in the fact that the Auditor seems to have said that as he comes to the Finance Committee, he wouldn't be needing to seek additional funds this year in the budget to operate his plan. I take great pleasure in that.

R. Fleming (Chair): I'm sure that as the Chair of that committee, you do.

R. Hawes: I've got a feeling the Deputy Chair might too.

R. Fleming (Chair): That will be on the Hansard for that committee to read.

R. Hawes: I would move the four recommendations.

R. Fleming (Chair): Thank you very much, Randy. Discussion on that motion?

Motion approved.

R. Fleming (Chair): Seeing no other business, unless members wish to raise items now, I will look for a motion to adjourn.

Just a slight agenda change. An upcoming meeting, Monday, November 24, which is our next meeting, was originally scheduled from eight to 9:30. Seeing that we don't need further deliberations on the item we've just approved, I would recommend that the meeting be from 8:30 to 9:30.

Interjections.

R. Fleming (Chair): We still have an item of business there, which is on performance reporting. But we don't have to revisit this item. With that slight amendment to the next agenda of this committee, the motion to adjourn has been moved.

Thank you to all members, and thank you to Mr. Doyle and staff from the Auditor General office.

The committee adjourned at 4:59 p.m.

[ Return to: Public Accounts Committee Home Page ]

Hansard Services publishes transcripts both in print and on the Internet.
Chamber debates are broadcast on television and webcast on the Internet.
Question Period podcasts are available on the Internet.

Copyright © 2008: British Columbia Hansard Services, Victoria, British Columbia, Canada