Archived - Audit of the Access to Information Process

Archived information

Archived information is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Prepared by
Internal Audit and Evaluation
Department of Finance Canada

Approved by the Deputy Minister of Finance on the recommendation of the
Audit and Evaluation Committee on May 29, 2012

Table of Contents

Executive Summary
Background
Audit Objective and Scope
Approach, Assurance Statement and Auditing Standards Employed
Conclusion
Findings by Audit Criteria
Recommendations and Management Action Plan

Appendices

Appendix A: File Review
Appendix B: List of Department of Finance Canada Employees Interviewed
Appendix C: Key Reference Documents Consulted
Appendix D: Members of the Audit Team

Executive Summary 

The Access to Information Act gives Canadian citizens, permanent residents, and any person or corporation present in Canada the right to access records that are under the control of a federal government institution. The Access to Information and Privacy (ATIP) Division is responsible for administering the Access to Information Act for the Department of Finance Canada.

The objective of the audit was to assess management practices related to the access to information (ATI) process and to identify opportunities for improvement.

The audit concluded that the Department’s management practices related to the ATI process support compliance with the Access to Information Act and that processes and systems in place to respond to ATI requests are generally effective.

In addition, it is worth noting the following:

  • The governance framework supports compliance with the Access to Information Act, and the Department had a high on-time ATI request response rate of 90% on average in fiscal years 2008–09, 2009–10 and 2010–11.
  • Information related to access to information is appropriately communicated to external stakeholders.

Opportunities for improvement were identified. The audit recommends (1) that information about the ATI process, guidelines and procedures, including roles and responsibilities, be updated and communicated to all departmental staff through the Department’s intranet site; and (2) that administrative controls for processing ATI requests be improved.

Background 

The audit of the ATI process was approved as part of the Department of Finance Canada’s three-year risk-based audit plan, tabled at the departmental Audit and Evaluation Committee meeting on March 1, 2011.

This is the first internal audit of the ATI process conducted by the Department.

The Access to Information Act came into force on July 1, 1983. It gives Canadian citizens, permanent residents, and any person or corporation present in Canada a right to access records that are under the control of a federal government institution. The Treasury Board oversees the administration of the Access to Information Act and issues policies, directives and guidelines to government institutions regarding the Act.

The Minister of Finance has ultimate responsibility for the administration of the Access to Information Act for the Department. The Director, ATIP Division, has been delegated the authority by the Minister to exercise, within the Department of Finance, powers, duties and functions conferred upon the head of the institution under the Access to Information Act and has overall operational responsibility for the administration of the Act.

At the Department of Finance Canada, the ATIP Division is part of the Law Branch. The Division has about 13 full-time employees and funding of approximately $1 million.

As a centralized operation, the ATIP Division:

  • Has a key role in the timely processing of requests under the legislation;
  • Conducts and responds to interdepartmental consultations;
  • Handles complaints lodged with the Information Commissioner of Canada; and
  • Responds to informal inquiries.

ATIP Division staff also provide advice and guidance to departmental officials on matters related to the Access to Information Act. All departmental employees are required under the Act to make every reasonable effort to assist requesters, respond accurately and completely, and provide timely access in the format requested.

Audit Objective and Scope

Objective

The audit objective was to assess management practices related to the ATI process and to identify opportunities for improvement.

Scope

The audit scope included activities under the Department’s responsibility that are related to access to information from January 2010 to the end of February 2012. These activities included the following:

  • Compliance with the Access to Information Act;
  • The extent to which management practices, policies and controls lead to effective and efficient operations; and
  • The relationship between the ATIP Division within the Law Branch and other branches with respect to the administration of the Access to Information Act.

The scope did not include the following:

  • The Privacy Act, since the Department receives very few privacy requests; and
  • Corporate information management, since this is managed separately from the ATIP Division and the ATI process.

Approach, Assurance Statement and Auditing Standards Employed

The audit was conducted in accordance with Treasury Board policy, directives and standards on internal audit and the procedures used to meet the professional standards of the Institute of Internal Auditors. These standards require that the audit be planned and performed in such a way as to obtain reasonable assurance that the audit’s objective is achieved. During the audit, appropriate procedures were followed and sufficient evidence was obtained to support the accuracy of findings and the overall audit opinion presented in this report. The opinion is based on a comparison of the conditions, as they existed at the time of the audit, against the audit criteria identified in this report, which were accepted by management. The opinion is applicable only to the entity examined, and the evidence gathered was sufficient to provide senior management with proof of the opinion derived from the internal audit.

Audit procedures included, but were not limited to, interviews, observations, a review of supporting documentation, and analytical reviews. The audit criteria used to develop the required audit tests were based on the following:

  • The Access to Information Act and the Access to Information Regulations;
  • The Treasury Board Policy on Access to Information, Directive on the Administration of the Access to Information Act and Access to Information Guidelines—General;
  • Relevant elements of the Office of the Comptroller General’s Audit Criteria Related to the Management Accountability Framework; and
  • Good management practices such as outlined in the Report on the TBS Study of Best Practices for Access to Information Requests Subject to Particular Processing.

In total, 29 individuals were interviewed (a list of interviewees is provided in Appendix B). The audit team also conducted a review and analysis of applicable authorities and policies, including a file review of 24 requests for information (refer to Appendix A for details). In addition, relevant documents were obtained and reviewed (the list of key documents consulted is provided in Appendix C). Finally, several departments were contacted for the purpose of comparing and identifying best practices.

For the purpose of this report, the term “generally compliant” is the highest rating that can be given when determining the level of compliance.

The audit approach allowed for the audit results to be communicated in a manner that enabled management to review and provide feedback on the findings and conclusions before they were finalized.

Conclusion 

The audit concluded that the Department’s management practices related to the ATI process support compliance with the Access to Information Act and that processes and systems in place to respond to ATI requests are generally effective.

In addition, it is worth noting the following:

  • The governance framework supports compliance with the Access to Information Act, and the Department had a high on-time ATI request response rate of 90% on average in fiscal years 2008–09, 2009–10 and 2010–11.
  • Information related to access to information is appropriately communicated to external stakeholders.

Opportunities for improvement were identified. The audit recommends (1) that information about the ATI process, guidelines and procedures, including roles and responsibilities, be updated and communicated to all departmental staff through the Department’s intranet site; and (2) that administrative controls for the processing of ATI requests be improved.

Findings by Audit Criteria  

The following presents the assessment of risk exposure identified in the audit. Risk exposure for each audit criteria is categorized as high, medium or low.

The rankings correspond to the potential risk exposure that auditors believe may have an impact on the achievement of Department objectives and indicates the priority that management should give to the recommendations.

The assessment summarizes the audit observations based on the factual evidence gathered and analyzed during the audit. Issues based on these assessments, along with potential causes, impacts, management initiatives and recommendations, are summarized in the “Recommendations and Management Action Plan” section.

Findings by Audit Criteria
Criterion Risk Exposure Assessment
1.0 Compliance with the Access to Information Act

The governance framework supports compliance with the Access to Information Act.

Low

The governance framework supports compliance with the Access to Information Act.

The Director, ATIP Division, has been designated the authority by the Minister through a Designation Order to exercise, within the Department of Finance, powers, duties and functions under the Access to Information Act and has overall operational responsibility for its administration. The audit team found that the Director, ATIP Division, generally complied with the powers, duties and functions delegated to her in accordance with the Act.

The audit team conducted a file review of a sample of completed ATI requests for fiscal year 2010–11 (see Appendix A for further details). Based on the file review, the audit team found that proper authority was delegated and applied during the process. As required, the Director, ATIP Division, exercised her authority to release or withhold information for all files. 

Compliance with the Access to Information Act and its related policies and guidelines requires responding to ATI requests within legislated timelines. The audit team found that the Department met this requirement, with a high on‑time ATI response rate of 90% on average in fiscal years 2008–09, 2009–10 and 2010–11.

2.0 Communication of Information on the ATI Process

Appropriate information related to the ATI process is communicated to external and internal stakeholders.

Low

Information related to the ATI process is appropriately communicated to external stakeholders. However, there are opportunities for improvement in how information related to the ATI process is communicated internally to departmental staff.

Communication to External Stakeholders

The Department’s Internet site provides information on the ATI process as well as related tools and reports to external stakeholders (i.e., Canadians, the Office of the Information Commissioner of Canada, the Treasury Board of Canada Secretariat and Parliament).

To assist applicants, and in compliance with the Treasury Board’s Policy on Access to Information, the Department’s Internet site provides information and tools on the ATI process.

The audit found that the ATIP Division complied with annual reporting requirements to Parliament and reporting requirements to the Treasury Board of Canada Secretariat. For example, the Department of Finance Canada Annual Report to Parliament on the Administration of the Access to Information Act was accurately completed and, as required by the Secretariat, summaries of completed ATI requests are posted on the Department’s Internet site on a monthly basis. The audit team noted that the ATIP Division proactively responded to the Secretariat’s new reporting requirements and began posting its closed ATI requests on the Department’s Internet site in July 2011, five months prior to the Secretariat’s deadline.

Communication to Internal Stakeholders

The Department’s intranet site (ATI web page) provides information about the ATI process, guidelines and procedures to departmental staff.

Although information on the ATI process is available on the Department’s intranet, at the time of the audit, some information on the ATI web page was unclear, and some of the content had not been updated. For instance:

  • The Guidelines for Branch Review, which explains the ATI process to departmental staff, did not clearly define the roles and responsibilities of the branches and the ATIP Division.
  • Recently clarified ATI procedures for the Department (dated November 2011) were not available on the ATI web page.
As a result, the audit recommends that the ATIP Director communicate clear and up-to-date information about the ATI process, guidelines and procedures, including roles and responsibilities, to departmental staff through the Department’s intranet site.
3.0 Processing of ATI Requests

There are effective processes and systems to respond to ATI requests.

Low

Generally, there are effective processes and systems to respond to ATI requests; however, there are opportunities for improvement with respect to administrative controls.

It is important that the ATIP Division, in collaboration with the branches, carry out the ATI process in a complete, accurate and timely manner. In this regard, the audit assessed the extent to which the ATIP Division established effective processes and systems to respond to ATI requests as well as documenting deliberations and decisions made concerning each request received under the Access to Information Act.

During interviews, it was found that a breakdown involving internal and external stakeholders occurred in April 2010 with respect to information having being accidentally divulged. Following this incident, an additional control in the form of a routing slip was implemented to ensure that senior management signs off on all information release packages.

With the intent to provide assurance on the appropriateness of the process, the audit team conducted a file review of a sample of 24 completed ATI requests for fiscal year 2010–11 (see Appendix A for further detail). The file review assessed administrative controls pertaining to the processing of ATI requests to determine whether required reviews and approvals had occurred prior to information being released or withheld.

Our file review found that administrative controls had been generally well applied and that ATI requests had been appropriately processed. The “routing slip” mentioned previously was completed and on file for all files reviewed, thus reducing the likelihood of a reoccurrence of such a breakdown.

However, there is an opportunity for improvement in the consistent application of the Department’s Checklist for File Review, which is a form completed by the ATIP analyst and team leader to ensure that the required ATI process steps have been carried out. The audit found that the use of the checklist was limited to complex files; staff in the ATIP Division did not think it was needed for simpler, lower-risk files because they found it time-consuming to fill out.

Inconsistent application of the Checklist for File Review increases the risk that required procedures to appropriately process ATI requests are not followed.

The audit also reviewed a key guideline known as the Fee Assessment Form, which is completed by departmental staff to provide the ATIP Division with an estimate of the time to search for and retrieve the information required to respond to more time-consuming ATI requests. The form is an important tool because it helps determine the fees to be charged to the requester based on the time and number of pages required for the response. This information is also used in the Department’s reports to the Treasury Board of Canada Secretariat and to Parliament and is important in justifying the search time in the event of a complaint or investigation.

The audit found that the form was unclear and difficult to use and as such was an additional burden on the branches. The impact includes risks that the branches:

  • Do not complete the form when it is required because it is too complicated; or
  • Devote unnecessary effort to alternative methods of estimating search and retrieval times.

From our review of best practices in other departments, we identified a form that is clearer and more user-friendly and that could be used by the Department to prepare its retrieval search time and fee estimates.

As a result of these findings, it is recommended that the ATIP Director ensure that the Checklist for File Review is consistently used for every file. It is also recommended that the form used to estimate retrieval search times be revised and updated to improve its clarity and user-friendliness.

4.0 Information System for the ATI Process

The software (AccessPro) used by the ATIP Division for processing ATI requests is reliable.

Low

The software (AccessPro) used by the ATIP Division for processing ATI requests is generally reliable.

The audit team conducted interviews with the ATIP Division and information management and information technology (IM-IT) staff and reviewed various sources of information, including outputs of the system, to assess the reliability of the software used by the ATIP Division for processing ATI requests.

The ATIP Division, along with a significant number of federal departments, uses AccessPro, a specialized software for processing ATI requests. It is important that AccessPro operates effectively in order for ATIP Division staff to perform their duties in a timely and efficient manner. AccessPro produces three outputs:

  • Information to be released to the requester;
  • Reports for senior management on the status of requests; and
  • Statistics in support of the Department’s Annual Report to Parliament on the Administration of the Access to Information Act.

At the time of the audit, there were minor problems with how AccessPro processed ATI requests. For example, a feature of the software that calculates ATI request due dates did not always function properly. As a result, incorrect due dates were generated and had to be corrected by ATIP analysts, which could affect the timeliness of ATI requests if left unchecked.

Furthermore, the previous version of AccessPro did not allow for reports to be generated in such a way as to meet the Treasury Board of Canada Secretariat’s new reporting requirements for the 2011–12 year-end. As such, there was concern that the ATIP analysts would have had to manually compile the statistics for the 2011–12 report.

As of spring 2012, a new version of AccessPro (2.5) was released and is being tested. Upon completion of the testing phase, it will be installed on the ATIP Division’s computers. It is anticipated that the new version of AccessPro (2.5) will address the previous technical problems with AccessPro and allow for year-end reports to be generated that conform to the Secretariat’s new reporting requirements.

In line with good practices, the ATIP Division has established an internal IT committee that includes a member of the IM-IT team. This member is responsible for liaising between the IM‑IT Directorate and the ATIP Division to ensure ongoing and effective support for AccessPro.

Recommendations and Management Action Plan 

The following presents the key opportunities for improvement that were identified by the audit. The impact of observations and the audit’s recommendations are also presented. When applicable, relevant management initiatives already underway are included.For eachrecommendation, management has provided the following:

  • An action plan that addresses the recommendation;
  • The position responsible for implementing the action plan; and
  • The target date for completion.

1. Communicate Clear and Up-to-Date Information to all Departmental Staff Via the Intranet Site

Observations and Impact

Clear and up-to-date information ensures that departmental staff have the knowledge required to carry out their duties and responsibilities in responding to ATI requests efficiently.

The audit assessed communication of information via the Department’s intranet site regarding the ATI process, guidelines and procedures. At the time of the audit, some information on the Department’s ATI web page was unclear, and some of the content had not been updated. For instance:

  • The Guidelines for Branch Review, which explains the ATI process to departmental staff, did not clearly define the roles and responsibilities of the branches and the ATIP Division.
  • Recently clarified ATI procedures for the Department (dated November 2011) were not available on the ATI web page.

Clear and up-to-date information in the form of procedures and guidelines, including roles and responsibilities, ensures that all parties are aware of and properly carry out their responsibilities. Unclear and outdated information increases the risk that the Department will not appropriately respond to ATI requests within legislated time frames.

Recommendation

It is recommended that the Director, ATIP, communicate clear and up-to-date information about the ATI process, guidelines and procedures, including roles and responsibilities, to all departmental staff through the Department’s intranet site.

Management Response

The ATIP Division agrees with the recommendation and will revise or update the information concerning ATIP and the ATI process on the Finance intranet site. This will be undertaken by the Director, ATIP Division, by December 31, 2012.

2. Improve Administrative Controls

Observations and Impact

Effective administrative processes and controls are important to assist the ATIP Division in responding to ATI requests in an accurate and timely manner.

The audit team examined whether the Checklist for File Review was properly completed and on file. The audit found that the use of the checklist was limited to complex files because staff of the ATIP Division did not think it was needed for less complex files and was time-consuming to complete. Inconsistent application of the checklist increases the risk that required procedures to appropriately process ATI requests are not followed.

The audit found that a key guideline known as the Fee Assessment Form was unclear, difficult to use and was an additional burden on the branches. The effect of using an unclear form is an increased risk that branches will not complete the form when it is required, or devote unnecessary effort to alternative methods of estimating search and retrieval times.

The audit team reviewed best practices in other departments and identified a form that is clearer and user-friendly and could be used by the Department to estimate its retrieval search time and related fees.

Recommendation

It is recommended that the Director, ATIP:

a) Ensure that the Checklist for File Review is consistently used for every file.

b) Revise the form used to estimate retrieval search times to improve its clarity and user-friendliness.

Management Response

The ATIP Division agrees with the recommendation. For recommendation (a), the Division will use the checklist for non-routine files. For routine files, the Division will include the checklist, using “n/a” (not applicable) for the elements that do not apply to the actions required on those files. What constitutes a routine file will be defined and communicated to the analysts and team leaders. This will be undertaken by the Director, ATIP Division, by September 30, 2012. For recommendation (b), the Director, ATIP Division, will ensure that the fee form is revised by December 31, 2012.

Appendix A: File Review 

The audit team performed a file review of closed access to information (ATI) requests processed by the Department of Finance Canada’s ATIP Division. A random sample of 24 files was drawn from a total population of 379 closed requests processed in fiscal year 2010–11. The purpose of the file review was to assess key controls and determine whether the sampled requests were appropriately processed as follows:

  • Whether proper authority was delegated and applied during the ATI process (relates to Criteria 1.0, Compliance with the Access to Information Act).
  • Whether the ATIP Division had proper guidelines and procedures in place and implemented when processing ATI requests (relates to Criteria 3.0, Processing of ATI Requests).

In order to achieve the review’s purpose, 15 questions were developed to assess key controls in the form of reviews and approvals and to determine whether the appropriate documentation was on file to demonstrate adherence to the guidelines and procedures. Following is a summary of the key findings from the 15 questions:

  • A file was opened and the appropriate fee was assessed in 100% of the cases (a copy of a cheque, a cash blotter, and a letter confirming receipt of the fee were on file).
  • A retrieval email was sent to branches in 96% (23 of 24) of the cases (a standard email giving due date, instructions and text of the request).
  • The Director, ATIP, signed off on 100% (19 of 19) of the cases as required. For the remaining 5 cases, the Director’s sign-off was not required because the files were either abandoned by the applicant or deemed as being unable to process.
  • The routing slip was present in 100% of the files.
  • The Checklist for File Review was fully completed in 20% (5 of 24) of the cases. It was either not on file or incomplete in 80% (19 of 24) of the cases.
  • The summary request report (also known as the closing report) was on file in 100% (23 of 23) of the cases. There was one case where the file was deemed as being unable to process; therefore, this report was not required (the purpose of the closing report is to summarize key events related to each file).

Appendix B: List of Department of Finance Canada Employees Interviewed

  • Director, ATIP Division, Law Branch
  • Team leaders, ATIP Division, Law Branch
  • Analysts, ATIP Division, Law Branch
  • Advisors, ATIP Division, Law Branch
  • Officer, ATIP Division, Law Branch
  • Assistant, ATIP Division, Law Branch
  • Manager, Corporate Information Services, Corporate Services Branch
  • Chief, Strategic Coordination, Sales Tax Division, Tax Policy Branch
  • Senior Coordination Officer, Personal Income Tax Division, Tax Policy Branch
  • Counsel, General Legal Services, Law Branch
  • Communications Strategist, Communications Policy and Strategy Division, Communications and Consultations Branch
  • Director, Sectoral Policy Analysis, Economic Development and Corporate Finance Branch
  • Chief, IT Planning and Architecture, Corporate Services Branch
  • Director, Business Management, Law Branch
  • Chief, Aboriginal Policy, Social Policy, Federal-Provincial Relations and Social Policy Branch
  • Senior Director, Corporate Planning, Corporate Services Branch
  • Departmental Secretary, Deputy Minister’s Office
  • Senior Tax Policy Officer, Intergovernmental Tax Policy, Tax Policy Branch
  • Director, Financial Institutions, Financial Sector Policy Branch
  • Statistical Analyst, Federal Provincial Relations, Federal-Provincial Relations and Social Policy Branch
  • Director, Macroeconomic Policy Analysis, Economic Development and Corporate Finance Branch
  • ADM, Economic and Fiscal Policy, Economic and Fiscal Policy Branch
  • Senior Officer, International Trade Policy, International Trade and Finance Branch

Appendix C: Key Reference Documents Consulted 

Legislation

  • Access to Information Act
  • Access to Information Regulations

Reports

  • Department of Finance Canada Annual Report to Parliament on the Administration of the Access to Information Act 2009–2010
  • Department of Finance Canada Annual Report to Parliament on the Administration of the Access to Information Act 2010–2011

Guidelines

  • Treasury Board Policy on Access to Information
  • Treasury Board Directive on the Administration of the Access to Information Act
  • Treasury Board of Canada Secretariat Criteria for Posting Summaries of Completed ATI Requests
  • Treasury Board of Canada Secretariat Right of Access—Access to Information and Privacy
  • Treasury Board of Canada Secretariat Access to Information Guidelines—General (archived)
  • Treasury Board of Canada Secretariat Guide for Posting Summaries of Completed Access to Information Requests

Other Documents

  • Department of Finance Canada Info Source 2010
  • Department of Finance Canada Designation Order Under the Access to Information Act
  • Report on the TBS Study of Best Practices for Access to Information Requests Subject to Particular Processing

Documents Specific to the Department of Finance Canada

  • Management Accountability Framework—Effectiveness of Information Management Results for 2010–11 and 2011–12
  • Department of Finance Canada Corporate Risk Profile (June 2011, January 2012)
  • Department of Finance Canada Integrated Business Plan 2011–2012
  • Department of Finance Canada, Law Branch, Integrated Business Plan 2011–2012
  • Department of Finance Canada, Law Branch, Risk Register―June 2011

Appendix D: Members of the Audit Team 

  • Christian Kratchanov, MBA, CIA, CMC, Chief Audit and Evaluation Executive
  • Ora Tsang, CIA, CGAP, Audit Manager, Internal Audit and Evaluation
  • Rim Ben Saad, B.Admin, B.Comm, Senior Financial Auditor, Internal Audit and Evaluation
  • Daniel Steeves, MPA, Senior Auditor, Internal Audit and Evaluation