2.0 About the Audit

2.0 About the Audit

2.1 Audit Objectives and Scope

Since 2011, a high percentage of access requests and privacy requests have not been completed in accordance within the legislated 30-calendar-day time limit. In 2016-17, access to information requests had an on-time completion rate of 60% while privacy requests met the deadline 68% of the time.

The objectives of the audit were the following:

  • To assess the adequacy and effectiveness of policies, practices, and management controls to support departmental compliance with legislation as it pertains to the processing of access to information and privacy requests.
  • To confirm turnaround times and identify opportunities to improve efficiency of the processing of access to information and privacy requests.

Scope

The scope of the audit included the practices in place for the processing of access to information (ATI) requests and privacy requests received by the department between April 1, 2016 and March 31, 2017.

The following elements were excluded from the audit:

  • The accuracy and completeness of information provided in response to access to information and privacy requests;
  • Access to information and privacy requests directed to the Audit and Evaluation Division;
  • Access to information and privacy requests directed to the Office of the Veterans Ombudsman; and
  • Privacy protection activities and controls, including IT security.

The privacy protection activities excluded above will be assessed for potential future audit work as part of the annual risk-based audit planning process.

2.2 Methodology

The audit findings and conclusions contained in this report are based on sufficient and appropriate audit evidence gathered in accordance with procedures that meet the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing as supported by the results of the quality assurance and improvement program. The opinions expressed in this report are based on conditions as they existed at the time of the audit and apply only to the entity examined.

Table 1 – Description of Audit Methodologies
Methodology Purpose
Interviews Interviews were conducted with 16 liaison officers or their backup and 14 managers/staff involved in or responsible for ATIP processing in order to determine the adequacy of internal controls, clarity of roles and responsibilities, appropriateness of training, and to identify areas of efficiency.
Direct Observation Direct observation of the processing of requests in the Access to Information and Privacy Unit was conducted in order to gain an understanding of the process.
Documentation Review Policies and procedures, reports and other documentation were reviewed in order to map the ATIP process and to determine the adequacy of internal controls.
File Review File reviews were conducted on randomly selected, representative samples of access to information requests (53) and privacy requests (62) were conducted to determine compliance with policies and procedures and to calculate turnaround times. The samples were sufficient to provide 95% confidence with a 4% margin of error.
Data Analysis An analysis of data reports was conducted to gain an understanding of the audit entity and to identify efficiency improvements.