2007 Legislative Session: Third Session, 38th Parliament
SELECT STANDING COMMITTEE ON PUBLIC ACCOUNTS
MINUTES AND HANSARD


MINUTES

Monday, March 5, 2007
9 a.m.

Douglas Fir Committee Room
Parliament Buildings, Victoria

Present: Rob Fleming, MLA (Chair); Joan McIntyre, MLA (Deputy Chair); Harry Bains, MLA; Iain Black, MLA; Guy Gentner, MLA; Randy Hawes, MLA; Mary Polak, MLA; Bruce Ralston, MLA; John Rustad, MLA; Ralph Sultan, MLA; Diane Thorne, MLA; John Yap, MLA

Officials Present: Arn van Iersel, Acting Auditor General; Cheryl Wenezenki-Yolland, Comptroller General

Others Present: Josie Schofield, Committee Research Analyst

1. Resolved, that Mr. Rob Fleming, MLA be elected Chair of the Committee.

2. Resolved, that Ms. Joan McIntyre, MLA be elected Deputy Chair of the Committee.

3. Resolved, that the Chair and Deputy Chair form a Subcommittee on Agenda and Procedure.

4. Resolved, that R. Fleming, J. McIntyre, J. Rustad, M. Polak and B. Ralston comprise the Auditor General Search Subcommittee.

5. The Committee considered the report of the Auditor General entitled Audit of the Government's Corporate Accounting System: Part 1 - June 2005 and Part 2 - December 2006:

Witnesses:

6. The Committee considered the report of the Auditor General entitled Province of British Columbia Audit Committees: Doing the Right Things (Report 4, December 2006) (10:25 a.m. to 11:25 a.m.)

Witnesses:

7. The Committee adjourned at 11:38 a.m. to the call of the Chair.

Rob Fleming, MLA
Chair

Craig James
Clerk Assistant and
Clerk of Committees


The following electronic version is for informational purposes only.
The printed version remains the official version.

REPORT OF PROCEEDINGS
(Hansard)

SELECT STANDING COMMITTEE ON 
PUBLIC ACCOUNTS

MONDAY, MARCH 5, 2007

Issue No. 10

ISSN 1499-4259



CONTENTS

Page

Election of Chair and Deputy Chair 229
Election of Subcommittee on Agenda and Procedure 229
Election of Auditor General Subcommittee 229
Auditor General Reports: Audit of the Government's Corporate Accounting System, Parts 1 and 2 229
A. van Iersel
E. Price
B. Gilhooly
C. Wenezenki-Yolland
J. Kot
S. Newton
Auditor General Report: Province of British Columbia Audit Committees: Doing the Right Things 244
A. van Iersel
B. Gilhooly
M. Gaston
L. Wanamaker
C. Wenezenki-Yolland
M. Harrington
Advertising for Auditor General 255
Other Business 255


 
Chair: * Rob Fleming (Victoria-Hillside NDP)
Deputy Chair: * Joan McIntyre (West Vancouver–Garibaldi L)
Members: * Iain Black (Port Moody–Westwood L)
* Randy Hawes (Maple Ridge–Mission L)
* Mary Polak (Langley L)
* John Rustad (Prince George–Omineca L)
* Ralph Sultan (West Vancouver–Capilano L)
* John Yap (Richmond-Steveston L)
* Harry Bains (Surrey-Newton NDP)
* Guy Gentner (Delta North NDP)
* Bruce Ralston (Surrey-Whalley NDP)
* Diane Thorne (Coquitlam-Maillardville NDP)

    * denotes member present

                                                                   

Clerk: Craig James 
Committee Staff: Josie Schofield (Committee Research Analyst)

Witnesses:
  • Faye Fletcher (Office of the Auditor General)
  • Malcolm Gaston (Office of the Auditor General)
  • Bill Gilhooly (Office of the Auditor General)
  • Pam Hamilton (Office of the Auditor General)
  • Molly Harrington (Crown Agencies Secretariat)
  • Jill Kot (Ministry of Labour and Citizens' Services)
  • Stuart Newton (Office of the Comptroller General)
  • Richard Poutney (Ministry of Labour and Citizens' Services)
  • Errol Price (Deputy Auditor General)
  • Carol Robinson (Ministry of Labour and Citizens' Services)
  • Arn van Iersel (Acting Auditor General)
  • Lori Wanamaker (Deputy Minister of Labour and Citizens' Services)
  • Cheryl Wenezenki-Yolland (Comptroller General)

[ Page 229 ]

MONDAY, MARCH 5, 2007

          The committee met at 8:38 a.m.

Election of Chair and Deputy Chair

           C. James (Clerk Assistant and Clerk of Committees): This being the first meeting of the Select Standing Committee on Public Accounts for the third session of the 38th parliament and there not being a Chair, I call for nominations for Chair.

           A Voice: I nominate the member for Victoria-Hillside.

           C. James (Clerk of Committees): Any further nominations? Further nominations? Seeing no further nominations, I presume you accept the nomination. That being the case, I'll put the question.

           Motion approved.

           [R. Fleming in the chair.]

           R. Fleming (Chair): Thank you very much. We'll just carry on. I would open nominations for the election of the Deputy Chair.

           I. Black: I nominate Joan McIntyre.

           R. Fleming (Chair): Any further nominations? Any further nominations? Seeing none, then, do you accept?

           J. McIntyre: I guess I do.

           Motion approved.

           R. Fleming (Chair): Thank you, Joan. I will declare Joan McIntyre Deputy Chair of the committee.

           J. McIntyre (Deputy Chair): Thank you.

           B. Ralston: We had further nominations.

           R. Fleming (Chair): Really. I thought I called it three times there. You're going to have to wait till next year, Bruce.

Election of Subcommittee
on Agenda and Procedure

           R. Fleming (Chair): The next item is the election of the subcommittee on agenda and procedure. Typically, that is the Deputy Chair, myself, the comptroller general, the Auditor General and the Clerk of Committees. I have a motion to that effect.

           Motion approved.

Election of Auditor General
Subcommittee

           R. Fleming (Chair): The next item is around the search committee that, prior to the dissolution of the last Public Accounts Committee, the Deputy Chair and I had begun. This will merely formalize that committee as well.

[0840]

           What I would propose to do is, at the agreement between the Deputy Chair and myself…. We have agreed that a subcommittee of perhaps five of this committee be struck, that it would be proportionate to government and opposition members and that the members of the subcommittee be selected by the Deputy Chair and me.

           A motion to that effect? Any discussion on the motion?

           Motion approved.

           R. Fleming (Chair): Okay, now we're into the business of receiving reports in the meeting. I'd like to call the acting Auditor General to introduce his team and begin his presentation. This first item, of course, is two reports combined as one item, so you have those reports in front of you.

           Arn, good morning to you, and welcome back to the Public Accounts Committee.

Auditor General Reports:
Audit of the Government's Corporate
Accounting System, Parts 1 and 2

           A. van Iersel: Good morning, Chair, Deputy Chair and committee Members, and congratulations this morning on your appointment and the creation of the committees.

           Before we discuss the two CAS reports just mentioned, I'd like to quickly note that we released our 2007-2008 service plan last week. You should have received one in your office. If you have not, we'd be happy to provide you with another one as soon as possible.

           The plan was prepared under section 19 of the Auditor General Act. It is consistent with the financial statement audit and coverage plan that was reviewed in December by this committee and also with the business and financial plan that went to the Finance and Government Services Committee just shortly after that, also in December.

           The plan builds on the many initiatives that the office has initiated in regards to what we refer to as Vision 2011, our five-year vision. It reflects input of legislators such as yourselves. It's consistent with what you saw in the business and financial plan. It provides a summary of our proposed audit activity. It is illustrative in the sense that it's dependent on our ability to attract the staff that we're currently attempting to, to do all the required work, and also changing priorities in regards to what we believe we should look at as an independent office.

           You'll notice in that document, again, that there's a three-year representation of audit work over and above the financial statement work we do. One of the most significant changes, if you've had an opportunity to read the report, is the changes to our performance measures. We've significantly reduced the number of measures, but we believe that while reducing them, they actually provide a better picture of what the office is doing, and it allows us to better assess our performance over time.

[ Page 230 ]

           While the service plan is not normally part of the discussions here, I would, at any point you feel appropriate, answer any question, perhaps at another time, regarding that particular plan. Before I go to the reports, I would like to thank the Finance and Government Services Committee and also this committee for your continued support and, in particular, for the financial increase that was provided, which will be very useful to our office as we engage in fulfilling the promise of that plan.

           If I may, then, Chair, Deputy Chair and members, turn to the two CAS reports. With me today are Mr. Errol Price, Deputy Auditor General; Mr. Bill Gilhooly, assistant Auditor General; Ms. Faye Fletcher, director; and Ms. Pam Hamilton, IT specialist — all from our office and who had a significant role in this particular piece of work. Other members of the audit team for these two reports were Ms. Joji Fortin, who's not with us, but we do have in our gallery Ms. Ada Chiang and Mr. David Lau, all professional accountants working on their certified information systems auditor designation.

           If I may, I would like to also open up with a bit of a significant achievement for the local ISACA chapter — Information Systems Audit and Control Association — of Victoria. Recently it was recognized as being named the best small chapter in the world. ISACA is an important tool here in Victoria in promoting strong information technology governance, security and audit. And I'm very pleased to note that the staff I have just mentioned — including Ada and David, who are in the room today — were a key part of that chapter's success. I thought that was quite an accomplishment.

           Today our office is providing its assessment of the government corporate accounting system, more easily referred to as CAS, through two reports. The part 1 report was issued in June of 2005 and presented the office's finding on controls over the governance of CAS, the CAS operating system and its central database.

           The part 2 report, more recently, was issued just this past December 2006. It covers the office's audit of the CAS application software in the areas of administration of security over the accounting software as well as controls over two significant components of the accounting software: the general ledger module and the purchasing–accounts payable module.

[0845]

           As your acting Auditor General, I was not part of the office at the time of part 1 and specifically chose not to participate in part 2, which was already underway when I arrived in June of 2006. Mr. Errol Price, who had overall responsibility for the part 2 audit for our office and who released the report, will now more formally introduce the office's presentation of these two reports.

           I, of course, am more than pleased to answer any questions that may be directed to me over the course of this particular presentation.

           Errol, over to you.

           E. Price: Thanks, Arn. Good morning, Chair, Deputy Chair and Members.

           As you'll hear in the following presentation, the corporate accounting system, CAS, is the central accounting and financial reporting system for the government of B.C. It's a very large and complex system. Every computing system, especially one as large as CAS, faces many risks. The only way to minimize these risks and to maximize the likelihood of detecting problems, should they occur, is through a strong control environment.

           Because of its importance, it is critical that this system be audited periodically to ensure that it's working properly. In addition, the new auditing standards that you've heard about from us in recent meetings require us to document and evaluate controls over major systems. The two reports being discussed today together represent a large multi-year audit of this complex system. We did the work in chunks, due to the size and complexity of the audit and to work around management's busy schedules.

           In the part 1 report, which focused on the UNIX operating system and the Oracle database, we indicated that we found the control environment to be generally well managed. In the part 2 report, which focused on the Oracle Financials application, we concluded that the processing controls within the system were adequate for producing complete, accurate and timely financial information. But we also concluded that some controls in supporting business processes were weak, thereby increasing the risk of incorrect or fraudulent payments.

           The two reports contain a number of recommendations as to how government could further improve the control environment. As you'll hear later from government's representatives, government is indicating that pretty well all of our recommendations from both reports have either been addressed or are in the process of being addressed.

           The part 1 report was completed under the overall direction of the former Auditor General, Wayne Strelioff. The work leading to the part 2 report was started off under Mr. Strelioff's leadership, and then I took over that responsibility when he left office. However, the work on both reports was carried out by the same team, under the leadership of Bill Gilhooly.

           As Arn mentioned, both Faye and Pam, at the table here with us, have their certified information systems auditor designation, and other members of the team are at various stages of attaining their CISA designation. This sought-after designation requires passing a rigorous exam, plus over 4,000 hours of practical experience in a variety of information technology audit areas, so we're fortunate to have built up such expertise on our staff.

           I'll now hand over to Bill to run you through the presentation. In the presentation we'll cover both reports, but we have tried to keep the presentation at a fairly high level.

           B. Gilhooly: Thanks, Errol, and good morning, Members. As Errol said, this was a large multi-year audit of the system. In fact, this is the largest IT audit we've ever done in our office since the extensive work we did leading up to the Y2K event in 2000. It's really seven distinct audits divided into two reports.

           We're keeping this presentation to a fairly high level, and we assume most of you have had a chance to

[ Page 231 ]

at least look at the reports today. What we're trying to do is strive to make a very complex and technical subject matter a little more digestible for you. Hopefully, we'll accomplish that today.

           I'll start with a little background. CAS is the central accounting system for all of government, and it was implemented in April of 2001. It allows access for about 24,000 government workers in hundreds of offices across B.C. It's a mission-critical system that annually records billions of dollars in revenue and expense transactions, processes payments to suppliers and provides information to develop budgets, make decisions and prepare government's financial statements. About seven million transactions are processed annually. It's certainly considered one of the largest and most significant accounting systems in the province, by anyone's measure.

[0850]

           Oracle Financials is an enterprise resource planning software application, or ERP. An ERP integrates departments and functions across an organization by taking common financial activities — like purchasing, receiving, accounts payable and payments — and processing all related transactions on one single computer system. In the past, organizations typically had at least three separate systems: one to handle purchasing, one to handle payables and one to record payments.

           These ERP systems have many benefits, including entering data only once, on-line real-time processing and systemwide reporting. But with the adoption of an ERP come new risks, such as a single point of failure, because all financial information and processing is now within one system rather than several. It's like putting all your eggs in one basket, so you need to watch the basket.

           If problems are not dealt with quickly, disruption to daily business processes can happen because of the reliance on on-line real-time information. Therefore, strong control over the CAS computer environment is critical to address these risks and ensure that all transactions are complete, accurate and valid; that processing is available; and that processing capacity is sufficient to meet current and future demands.

           The need for strong control is especially important for large, distributed computer environments like CAS. Just like any other accounting system, incorrect entries in CAS as a result of undetected human error or unauthorized system access could lead to incorrect or unauthorized payments. In addition — again, like any system — maintenance issues or insufficient processing capacity could result in staff not being able to access CAS and in disruptions to payments to government suppliers and employees.

           There are inherent risks in any computer system, and a strong control environment can lessen these risks to an acceptable level. It's management's responsibility to see that controls, both computerized and manual, are in place and that they're operating properly.

           Conceptually, the CAS computing environment can be divided into two parts: the general computing environment and the application environment. Controls in the general computing environment — this includes the Oracle database, the UNIX operating system and the shared government network — must be adequate to ensure that the system is reliable, secure and available for processing. They are referred to as IT general controls.

           Second are the controls in the application environment. That includes the Oracle Financials accounting software. It must be adequate to ensure that only authorized data is recorded and processed correctly to produce valid results.

           IT governance controls include organizational controls such as structures, policies and procedures, which cover the entire computing environment. The adequacy of IT general, application and governance controls directly affects the reliability and integrity of government's accounting services and its financial reporting.

           As Errol mentioned, we conducted a series of audits spanning several years. In June 2005 we issued part 1 of the CAS report, covering our work done on the UNIX operating system, the Oracle database that stores all the past transactions and balances, and IT governance controls. In December 2006 we issued part 2, which covered the Oracle Financials application. We did not, however, look at the controls around the shared government network.

           These two reports cover our findings from seven individual audits, covering these following areas: the UNIX operating system; the Oracle database; IT governance, as I just mentioned; security administration; the general ledger; purchasing and accounts payable; and supplier maintenance. These audits were based on criteria that are set out in the information technology guidelines issued by the Canadian Institute of Chartered Accountants, as well as guidance specifically developed for the audit of Oracle applications and IT governance guidance issued by the IT Governance Institute.

           We took a risk-based approach, identifying significant risks and then determining what key controls were in place and, finally, testing these controls to determine the adequacy of their design and effectiveness. Our testing involved interviews, observations, reviews of documentation, and extractions and testing of data using audit software tools.

           In the next few slides I'll give you a brief overview of what we concluded for the first report and then cover report 2. Overall, we concluded that the UNIX operating system, the Oracle database and IT governance control environments were well managed.

[0855]

           We made 14 recommendations in our report which would further strengthen these control environments. They call for improvements to policies and processes to enhance CAS governance, management of UNIX passwords, monitoring access to information in the database and, finally, managing and monitoring firewall access. These recommendations can be found in appendix A on page 49 of report 1.

           In its response government indicated that it had acted on most recommendations. We were also encouraged that government indicated on page 79 of the second report that all recommendations have been addressed

[ Page 232 ]

from report 1, with the final one completed in November of 2006.

           The first section in this first report covers governance of the system. Effective IT governance is the responsibility of management at all levels. It also depicts the attitude of management towards control. An important part of system governance is risk management, including the development and communication of policies and procedures that are necessary to mitigate identified risks. It's always better to manage potential problems than to deal with them after they occur.

           Systems have often been described as organic in nature, implying that they need regular care and feeding. CAS is no different. It's a complex, dynamic environment where changes and enhancements are ongoing. Having an effective governance structure in place is an important ingredient to help manage changes and the associated risks. That's part of the reason we focused on IT governance early on.

           As shown in this diagram, at a corporate level there are many players in the governance of the system, which includes setting its strategic direction. At the program level, corporate accounting services and common IT services, which are now known as workplace technology solutions, have responsibility for the operation of CAS. As you can see, there's a separation of the governance of a system and its operation service delivery, and this is consequent with government's overall direction.

           Overall, we found that senior management has adequate processes in place to ensure that IT strategy for CAS is aligned with its business goals and that of government. We also found that the CAS-IT environment is managed in a way that ensures a continuous and effective delivery of services. In our assessment of controls in the UNIX operating system and the Oracle database environments, we found that many of the necessary controls over the operating environment were in place.

           However, we did identify some control deficiencies that could jeopardize the integrity and reliability of the information stored in the database. For example, we found that support staff had unlimited access with their user IDs in order to manage the UNIX operating systems in the production, test, development and the data warehouse environments. However, they were using the same passwords for their user IDs on all servers. Therefore, if the password on the test server, for example, was exposed, it would also expose the password to the production server.

           There was also no monitoring of the activity of the database administrators and certain support staff who have full access to all the data. This means that inappropriate activity, such as changing a bank account number or the payment amount of the database, could go undetected.

           There were also insufficient controls in place in the firewalls to appropriately restrict entry. What is a firewall? A firewall is a set of software rules that ensure that only authorized IP addresses are allowed in and only certain types of services or functions are allowed to be used. Allowing more access than what's necessary creates a risk that if there was a security weakness on any server, an unauthorized person may get in that would otherwise be stopped at the firewall.

           That concludes my remarks on our report relating to report 1.

           Just to bring us back to the scope diagram referred to earlier, we just talked about the dark purple boxes at the bottom. Now we're going to talk about the control issues we encountered during our second report — that is, the boxes at the top — which is the Oracle Financials application.

           Oracle Financials is the application software that runs the corporate accounting system. It's a modular system that integrates various financial activities and processes all related transactions through the general ledger module. Transactions are entered in one of the Oracle Financials' modules — such as fixed assets, purchasing, payables or receivables — and then are transferred to the general ledger. Transactions can also be entered into the general ledger directly or imported from a ministry subsystem.

           Our audit of the CAS Oracle Financials application focused on four main areas. The first was security administration, and that focus was to ensure that only those authorized can gain access to the system and that those authorizations are monitored.

[0900]

           The second was purchasing and accounts payable, and that also includes iProcurement, which is an on-line purchasing module. The focus there is to ensure that the levels of approval have been properly set up and that the system controls and business processes support the approval process.

           The third area is the general ledger, which includes journal entries and financial reporting. The focus there is to ensure that all information entered into the general ledger is valid, complete and accurate and that the chart of accounts correctly maps how this information should be used to produce accurate and complete financial information.

           The final focus area was in maintenance of supplier information. The focus there is to ensure that additions and changes to supplier information are valid, complete, accurate and timely and that supplier information is reviewed and monitored.

           Overall, just as in the first report, we concluded that control procedures to ensure that the financial information is processed completely, accurately and on a timely basis were generally adequate. However, we did identify control weaknesses that could create a risk of incorrect or fraudulent payments. There were 52 recommendations made in our part 2 report covering the four main focus areas I just discussed. They can be found starting on page 103 of appendix B.

           There are 11 key recommendations that are outlined on page 6 of the report. They focus on strengthening controls to ensure the ongoing maintenance of appropriate CAS access; on the integrity of changes made to the chart of accounts; that only authorized and valid changes are made to supplier information such as bank accounts and addresses; that financial schedules

[ Page 233 ]

supporting payments to suppliers are complete; that purchases of goods and services are properly authorized; and, finally, that purchase transactions are adequately monitored for possible errors or fraud. As in the findings in our first report, we are pleased that government has acted on most of them.

           Now I'll provide you a bit more detail about what we found in each of the four areas of focus. The first is security administration. It's about controlling access to ensure that only those authorized can gain it to CAS. Their level of access is assigned on a need-to-have basis only — that is, it satisfies the job requirements. It's sort of like having an office building, and everyone has a set of keys to the front door, but everyone in the building can only access certain parts of the building on a business-needs basis only. For example, only very few people would have access to the vault room or to certain key, specialized areas.

           The ongoing monitoring of access authorization ensures that access assignments remain current. In general, security over government's accounting system is well-managed, but there are several areas where controls over access could be improved. For example, we found that there were many instances of incorrect access to the system because users had changed ministries, job functions or job statuses without their access rights being adjusted accordingly.

           The problem is a consequence of both a lack of timely communications by the ministries to CAS support staff who update the system information and a lack of regular monitoring by CAS support staff to promote compliance. We were concerned because incorrect access could jeopardize the integrity of the system over time. That is to say, users with incorrect access could possibly inappropriately change or add supplier information or, perhaps, change or add purchase transactions.

           We also looked at the setup and maintenance of the chart of accounts and the controls over journal processing and financial reporting. Overall, controls were in place and working effectively, although we found that chart data was not properly monitored to ensure that it was correct and remained current. We were concerned because incorrect chart coding could result in inaccurate financial reporting.

           The third area we looked at was the setup and maintenance of government suppliers. Information on over 260,000 suppliers is kept in the database. This information is important because it's used to direct payments to addresses or bank accounts of suppliers when processing accounts-payable transactions. We were not satisfied that management had adequate controls in place to manage some risks, such as paying incorrect or fraudulent suppliers or excluding supplier payments from supporting financial schedules. We found that controls to prevent payments from being directed to incorrect or fraudulent suppliers were inadequate.

           Government also requires that total amounts paid to each supplier who received more than a threshold amount of $225,000 for the year be reported as supplementary information to the public accounts. Due to the method used for processing certain types of payments, some payments may not be included in this supplementary information.

[0905]

           The final area we looked at in the second report was the process of initiating and approving purchases and payments. Again, access controls are important here because, if not in place, there is a risk of unauthorized payments being made.

           We found that access controls for the purchasing and accounts payable modules were, for the most part, appropriate. However, we found several areas where control could be improved. For example, there was a risk that cheque payments could be redirected to unauthorized addresses and that unauthorized purchases could go undetected due to insufficient monitoring.

           Well, that concludes my high-level overview of our two reports on the audit of the corporate accounting system. We'd be happy to take questions that you have now or defer until after government's representatives have provided you with their comments.

           R. Fleming (Chair): Committee, questions now, or would you like to hear from the government and have a question period after that?

           Okay, we'll give the government representatives here with us today a moment to set up their presentation.

           Thank you, Bill, for your presentation this morning.

           Good morning, everyone. Cheryl, would you like to introduce our presenters this morning from the ministry?

           C. Wenezenki-Yolland: I will be taking the lead on the presentation this morning on behalf of the Ministry of Finance. Supporting me, I have the director of our financial management branch, Stuart Newton. From the Ministry of Labour and Citizens' Services we have Richard Poutney, who is the assistant deputy minister of common business services, and Jill Kot, who is the executive director of the corporate accounting system.

           I would like to start by thanking the Auditor General's office for the work they have done on the two corporate accounting system reports. These reports represent a considerable amount of work that covers a time frame of approximately five years, so it is quite an undertaking to maintain that work over that time frame.

           The Auditor's independent review and recommendations have been very valuable for us in identifying opportunities to enhance our financial control framework and, specifically, those controls related to the security of the corporate accounting system.

           Both the Ministries of Labour and Citizens' Services and of Finance play key roles in ensuring the provision and maintenance of a sound financial management system; producing accurate, reliable and timely financial statements for government; and providing information in support of the sound operation of government's business functions.

           As we had provided a joint response to the Auditor General — and that has been incorporated into the reports before you — we are here today to provide you with our joint presentation.

[ Page 234 ]

           The Ministry of Finance is responsible for providing financial policy and the governance framework for government and is committed to ensuring accountability and transparency in our financial reporting.

           The Ministry of Labour and Citizens' Services joins us in this responsibility by providing a broad range of internal corporate services to government, including governance and the provision of secure technology infrastructure for government and — of primary concern today — the provision and maintenance of the corporate accounting system application, known as CAS.

[0910]

           Our presentation will follow a similar format to the presentation provided to you by the Auditor General. We will provide a little bit of context so that you understand how we make decisions and why we do the things we do. We will give you a status report on parts 1 and 2, and tell you what our next steps are. Then we'd be happy to answer any questions you might have.

           Part of setting the context for you is to lay out some of the key functions and roles in relation to the provision of the corporate accounting system. As the Auditor General has already identified, a strong financial control environment is important for ensuring the effective delivery of government programs.

           The B.C. government has a strong financial control framework in place, which stems from legislation and is expanded through policy. It includes systems and manual controls, an employee standard of conduct as well as monitoring and reporting by ministries, and the central post-payment review and internal audit.

           We also appreciate the work done by the Auditor General as part of that ongoing improvement and enhancement of that control framework. As you can imagine, providing one corporate accounting system across approximately 27 organizations and 24,000 users can be extremely challenging and requires considerable coordination, communication, training and a clear understanding of roles and responsibilities.

           Briefly, the office of the comptroller general is responsible for the overall quality and integrity of the government's financial management and procurement control systems, while the government's CIO sets the direction and standards for information management and information technology. All policies are approved by Treasury Board.

           The ministry's senior financial officers also have a key responsibility in this framework. They have a functional reporting relationship to me and are key partners in the governance and financial control framework.

           The senior financial officers have a mandate to enforce and maintain policy within ministries, to provide for ministry- and program-specific policy procedures and financial reports, and to ensure that risk-and-controls reviews for any ministry financial-related systems and processes are complete — that they have adequately considered the risks and applied appropriate mitigations. The ministry CIOs have a functional reporting relationship to the government CIO and have a similar mandate related to IM/IT and security standards.

           The expense authorities within the ministries and program areas have overall responsibility and are accountable for the authority of their specific expenditures. This authority is delegated from the deputy minister of the ministries down through the various levels of the organization.

           We also engage in our governance framework a number of senior advisory groups, and part of this is also how we communicate, share information and ensure the ongoing improvement and strengthening of our financial control framework.

           That's the senior financial officers council, which is a committee chaired by me and attended by all senior financial officers of the ministries; the ADMs of corporate services, which is a committee that has all of the ministries' executive financial officers in attendance as well as the government CIO, Treasury Board staff and the Public Service Agency. The deputy ministers' shared services board of directors is also part of that framework.

           It's quite extensive, and at the operational level we have a number of committees that we also use for sharing information, such as the audits provided by the Auditor General, and for identifying ways that we will continue to improve and strengthen that framework.

           Corporate accounting services provide a critical piece of the provincial government's financial infrastructure, which is the financial system and associated services. CAS is responsible for ensuring the system meets the needs of government and meets the governance standards, legislation policies that the governing body — such as me, the government CIO and Treasury Board — define for them.

[0915]

           Workplace technology services provide the underlying information technology infrastructure. All of these parties have to work together to ensure that it works effectively. As you can imagine, that's quite a task, but we do seem to be doing well, and we are providing a best practice.

           Our platform is an enterprise resource planning system, and we have chosen this method as it is acknowledged as a best practice in industry. It supports the view of government as a single organization and employer. It supports the business of government by providing common sources of information, a single secure repository of financial information — as we like to say, a single source of the truth.

           It allows for the development and enhancement of corporate standards and business processes reporting policy, resulting in corporate consistency, accuracy, trust and confidence in the information. It reduces risks. It is more cost-effective and reduces the complexity of integrating multiple technologies and vendors. That's some of the context.

           Now to provide some context around the time frames, because the two reports do span quite a considerable time, this chart — I hope you can see it in

[ Page 235 ]

your presentations, because I can't read it up there — basically shows where we have come from with the implementation of our Oracle financial system, where we had multiple ministry systems in 1998. We gradually migrated to the corporate accounting system over a number of years. It was very thought-out and intentional, and we're happy with the success so far.

           There are a number of things that have happened in the time frame you can see on the chart, when the first audit began with the Auditor General's office in March of…. I believe it's 2002. I can't read it; it's cut off on my time frame.

           There were also some other significant things that occurred. Of significant note is a fundamental change in our financial management structure where we moved to expense authority as the source of pre-approving payments, as opposed to a post-approving of payments. That is quite substantial in relation to some of the recommendations made by the Auditor General's report.

           You can see where the CAS part 2 report began and we had a significant implementation of i-procurement in 2004. We also have had a number of upgrades within the Oracle financial systems, with the most recent upgrade being June of 2006.

           One of the reasons I wanted to show you this time frame is to show to you that we are continuously learning and improving the control system and the corporate accounting system. We haven't just put it in place and then waited for the Auditor General to do the report and come with some recommendations.

           We really are a learning organization, and we learn from what is going on in the broader community, across the world — from the vendors that we work with, from the ministries, from the experiences that we have with the system. We learn from our internal audit reports, our post-payment review office, and we learn from the Auditor General's reports. All of these things are considered as we continue to enhance and strengthen the financial system of government.

           The Auditor General's part 1 report focuses predominantly on the technology and the corporate accounting system. As the report indicated, through a combination of governance controls and system controls, security and process problems can be prevented — and detected, if they do occur. Overall, the Auditor General found the control environment of the corporate accounting system to be well-managed, and we are very appreciative of that finding.

           Of the 14 recommendations contained in part 1, six were directed at the technology governance. Corporate accounting services took the lead and has implemented — I'd like to say, and I probably say it on the next slide, too — all of the recommendations proposed by the Auditor General's report. They have even exceeded the recommendations proposed by the Auditor General's report, particularly in the areas related to firewalls.

[0920]

           Corporate accounting systems governance framework was strengthened by integrating its business planning processes with the ministry's planning processes. This is consistent with the movement you've seen across government to strengthen service planning, IMT planning, HR planning.

           They implemented a quality management plan, which included project checkpoints and deliverables. It also requires a regular review and updating of policies and procedures to provide current and accurate information to users. The policies and procedures for maintenance and tracking of changes were solidified and communicated.

           The business continuity plan for CAS is tested regularly. They communicate on a regular basis with the broader financial community in regard to this testing, and all the key roles for all staff have been formalized and are well known and understood.

           In the case of the system itself, the Oracle UNIX lives within the overall government IT environment. CAS has initiated the automated auditing function for access controls so that they can tell what access has been changed and monitor that, and has worked with the government and ministry CIO and workplace technology solutions to strengthen access security to the UNIX system.

           Of specific note was the participation of CAS in the government's security enhancement project, as I mentioned earlier, to affect the strengthening around firewalls and passwords. As I said, CAS has led this and has implemented all recommendations.

           Part 2 of the corporate accounting system audit was received in December. Regardless, I think it's important to note that of the 50-odd recommendations made by the Auditor General, 21 of the recommendations are already complete. The remaining recommendations are either in progress or being assessed for feasibility.

           As I mentioned earlier, we are absolutely committed to ensuring the ongoing strengthening of the financial control framework and take these recommendations quite seriously.

           The report, for us, was an excellent opportunity to have a comprehensive review of the payment process from end to end. It was the first complete review of purchasing since we had implemented i-procurement and the new control framework within Oracle financial systems. It provided many assurances to us as well as many opportunities to continue to strengthen that.

           As the Auditor General noted, proper control procedures were in place and were being followed to ensure the financial information was processed completely, accurately and on a timely basis.

           As I said, government has taken action. Specifically, the Auditor General identified 11 key recommendations. We have taken specific action in regard to all of these and look forward to the continuing strengthening of our framework.

           The four areas of focus that we saw within the Auditor General's report. I'm not going to go through all of the 52 recommendations and what we specifically did because, as you know, we would be here for a very long time if I did that. I would just be telling you how seriously we take all of those recommendations.

           The primary area focused on by the Auditor General was the security administration. Security over access to

[ Page 236 ]

the system is a key control, and ministries play an important role in ensuring that access profiles in CAS are accurate and appropriate to meet the business requirements.

           The recommendations by the Auditor General in this area are appreciated. In working with OCG and with the ministries, CAS has substantially completed all of the recommendations in regard to the timely updating of access profiles. The remaining recommendations are in progress.

           This area of the report, coupled with the recommendations that we addressed in part 1, should give users and stakeholders comfort that we take this seriously and that the integrity of the information in the system is protected.

[0925]

           Of key note is that there is now a relationship between the payroll information…. It is the first area of notice if there is a change in employee status.

           One of the items discussed here was the concern around the timely notification of a change in employee status and that the access controls had not necessarily been updated in a timely way. CAS now has a daily report that does a comparison between the payroll data and the CAS access controls, which is reviewed to ensure that these are maintained on a regular basis. They are also working with ministry security officers to ensure that they also understand the implications and understand their responsibilities in this regard.

           Another area of concern raised by the Auditor General was in relation to general ledger's controls. We take these extremely seriously, particularly in my office. I want to ensure that your public accounts and financial statements are accurate. As they have said, they are accurate and timely.

           However, we have acted on the recommendations. We have formalized the existing monitoring by documenting these. One of the primary concerns was the fact that while there was monitoring going on, it wasn't necessarily documented. This has now been formalized and documented.

           There has been communication with ministry senior financial officers with regard to their roles and responsibilities in relation to monitoring, verifying, carrying out year-end reconciliations and ensuring that chart-of-account data is updated and maintained on a timely basis.

           Ministry requirements have been incorporated into the ministries' representation letters that I receive at the end of every year and are signed off by the ministries' senior financial officers, acknowledging that they have carried out these activities. The Office of the Comptroller General has undertaken considerable communications in this regard. We actually put on an additional year-end orientation this year, which covered off all the areas of concern and risk and was attended by all ministry senior financial officers.

           This information has also been shared at an operating level with the council we have, which is known as FOAC, or the financial officers advisory committee, so that we can get the information down to a lower level in the organization.

           Another area of concern raised by the Auditor General is the supplier maintenance controls. Under supplier maintenance controls, we are intending to deal with the majority of these issues under primarily two specific projects that have been initiated. One of them, specifically by CAS, was actually initiated in June of 2006 related to supplier maintenance.

           They have since updated that project charter to incorporate the additional recommendations identified by the Auditor General. The primary purpose of the project will be to improve existing supplier information, to improve ongoing supplier information maintenance, and to provide consistent and robust ministry and central agency procedures for supplier maintenance.

           Also of primary concern to the Auditor General's office were the policies and procedures related to the bank accounts. I think, given the concerns raised in relation to fraud, it's important that we address those here. In the seven-year period of time — a fraud of the nature described by the Auditor General's office…. We have had one attempt at this type of fraud. It was detected, and it failed.

           The fraud at that time was a new type of fraud that was being targeted at banks. We learned from that and immediately revised and adjusted our processes to ensure that could not happen. It was also communicated through our broad community about what had occurred there.

           I don't want to go into the details around those types of controls because I know this is all public. I don't think we need to give people ideas about how they can come and defraud government. But I do want to assure you that we take that extremely seriously. I think putting it in context is important. There has been one attempt. It was detected, and it failed.

[0930]

           We have taken the recommendations of the Auditor General seriously in this regard. There has been communication around bank account information and responsibilities with two ministries in regards to updating bank account information.

           In addition, CAS receives or has a report that they produce and send to provincial treasury when any changes in bank account information occur in their supplier, and any anomalies are followed up immediately by provincial treasury. There is also a requirement for ministries to have third-party verification of any changes to bank account information. So I think that we are doing really very well in regard to the Auditor General's concerns.

           Another area of concern raised by the Auditor General was in relation to our block suppliers and our generic suppliers — the concern being that in having these two supplier arrangements, we are not disclosing all of the supplier details in the supplier listing that comes with the public accounts.

           In the case of generic supplier codes, those have not been allowed since we implemented the Oracle financial systems. They are a legacy that is a hangover from when we had our old financial systems, but they are

[ Page 237 ]

not allowed to have any more. CAS has taken on a role of reviewing and ensuring that these are shut down once they are detected so we can ensure that we have a transparent and complete accounting in our supplier information.

           In regard to the block suppliers project, these…. Unfortunately, we do have a business need for block suppliers. However, we are undertaking a project, and even as I'm sitting here speaking to you, I know that the number of block suppliers is reducing. When I had the last report earlier last week, we had reduced them by 35 percent. I now understand they are reduced by 43 percent — so again, providing for more transparency in information.

           But there are reasons for having them. Primarily, we need them in situations where you need to protect confidentiality and personal information, and there are programs in government where we may need to pay people. The identity of those individuals we would not necessarily want disclosed within a supplier listing, given the nature of the payments.

           The Auditor General also recommended that OCG take the lead on initially responding and effectively communicating to the ministry the risks of potential fraud in procurement, accounts payable transactions and how to detect these. We agree with that, and we have initiated that communication. We are currently working with the financial officers' advisory council to determine how we can incorporate this type of information into the training for all expense authorities.

           In conclusion, the office of the comptroller general and corporate accounting system will continue to work closely with the ministries to ensure that the recommendations of the Auditor General's report are addressed and want to assure you that we take the integrity and security of our financial management system very seriously. You have a number of strong professionals who will ensure that continues to happen.

           We will also continue to ensure the operation and the governance are on the same page and will continue to work together through our collaborative networks to deliver you a sound financial system.

           R. Fleming (Chair): I want to thank the comptroller general for the presentation. We'll have members ask questions in a moment, and those questions can be directed at either the Office of the Auditor General or the people with us today from the Ministry of Finance.

           If I could ask witnesses who haven't spoken on the record yet to introduce yourselves, if the question is being directed to you. Otherwise, Arn and Cheryl can field those questions.

           J. Yap: I want to thank the acting Auditor General and his team and the comptroller general for your presentations.

           It's great to hear that, from the sounds of it, we have a system that's working well and has recommendations to make it even better, and that government has embraced these recommendations, working to make the system even better, even stronger.

[0935]

           We've all heard, I'm sure, of situations in other jurisdictions where frauds were perpetrated against other governments. My question is for Cheryl, I guess. What monitoring do you do to keep abreast of these types of frauds which have been successful in other jurisdictions? What steps would you take with our current system so we are actually protected against such frauds?

           C. Wenezenki-Yolland: We have a significant network across Canada in relation to how we share information across the jurisdictions. I am a member of the comptrollers general council of Canada, which includes representation from all provinces as well as the federal government. We have regular meetings to share information. We have intranets where we post issues that we see arising or concerns that we have, to alert each other to emerging issues. This is not just in relation to fraud and occurrences that we would be seeing; it's in relation to any financial management matters. But that is certainly one avenue.

           In addition to my network, I also work with other members in government, such as the deputy minister of provincial treasury who is responsible for the Bank of Canada, who also has a team who does monitoring of what is occurring. He's in communications regularly with the banking institutions and organizations on what is occurring there. We have avenues to share that information. In addition, we work directly with corporate accounting services. We have a shared role in the steering committee in relation to the corporate accounting system, where we also share that information.

           So we do monitor in many ways to ensure that we are aware of what is changing in the environment. It isn't just myself. It could also be the government CIO who is responsible for the broader technology infrastructure, who also has a team of individuals that are charged with the responsibility of staying abreast of what's occurring in the environment and what's emerging as new technology and new practices. I talked to you a bit in my presentation about these networks where we share information, we talk about solutions, and we talk about the issues and the challenges that are very critical to us in ensuring that we are able to actually deal with those issues.

           If a specific issue arises, we look at that specific issue in relation to our environment, in our context. We determine what the potential risks are to us, if it truly does pose a risk. If it's an immediate risk, we will get a communication out through our network of senior financial officers or our security officers immediately. Then we will also look to see how we can revise or adjust our approach, our policy or our systems in the future to ensure that that can be prevented.

           J. Yap: That's good. The sharing, if it's something that comes to the attention of the CIO's office or your office, will happen on an ongoing basis. That is what we're hearing? Good.

           On a more micro level, I'm hearing that there were some concerns about access levels, access codes for

[ Page 238 ]

individuals. When you have so many people involved — 24,000 people with access…. I'm presuming this range of access level is from the most access on down to very little access.

           In the sort of daily life of a huge organization, as government is, people may be away. There may be instances when you need to temporarily provide an access level. I know this is a very micro question, but what is the system to ensure that if someone is given a higher level of access than they really should have, because of a circumstance in that department…? How do we make sure that it goes back to the proper level?

           C. Wenezenki-Yolland: I will let Jill Kot, my colleague, answer that question. She's the better expert for that level of detail.

[0940]

           J. Kot: The security access is determined by the ministries, and they are responsible for identifying what the requirements are of particular positions. We advise them on appropriate levels of access for certain roles. We in CAS do the actual setting up of the access levels. For instance, Cheryl talked about expense authority. We have the ability to allow a delegated expense authority for certain periods of time when someone, for instance, is on holiday. If an expense authority goes away on holiday, they can actually go into the system and designate who their alternate is during the time that they'll be away. How that works is that they put a time frame with an end date. When that end date comes, the system will then automatically revert back to the previous expense authority.

           Does that answer your question?

           J. Yap: Who determines if the individual that's being designated is appropriate?

           J. Kot: That is the responsibility of the ministries to determine what the appropriate level of access is. In the area of expense authority, that is delegated from the deputy minister of each ministry.

           J. Yap: So for example, if I had a certain level that I was allowed to have and you were not at the same…. Let's say that both of us were at the same level, and I'm designating you to be my replacement. How does the system know that it is an appropriate delegation?

           J. Kot: Well, the appropriateness of the delegation is the responsibility of the ministries. We advise them on what are appropriate authorizations to give. The system cannot detect whether the persons themselves are the appropriate persons. That is the responsibility of the ministry to be able to determine that.

           We do monitor the access, though, and we advise on appropriate combinations of access. We have a security officer within our office who works very closely with the security administrators within the ministries to make sure they're well aware and educated on what are appropriate delegations and combinations of access.

           H. Bains: I, too, would like to thank the acting Auditor General and the team for doing the presentation, and the government staff for their presentation. I have two lines of questioning. I'll start with this one.

           I'm looking at this part 2, page 25. There's a concern shown here. They found that, in many cases, the individuals are no longer working for the government. It goes on to say that the same problem was identified in 2004, when the single sign-in process was implemented and a few thousand users' rights were removed.

           So my question is: if it was identified in 2004 and we identified that as a problem that still exists, did we not put in any permanent safeguards, which would automatically kick in once these processes are needed to remove those individuals who may not be working for the government any longer? So can you just…? The explanation — it was identified in 2004 and still exists during this study.

           C. Wenezenki-Yolland: Again I will refer that to Jill Kot, please.

           J. Kot: Certainly. At the time that it was initially identified…. The problem itself is when people change jobs or when they leave government. Just to be clear, when somebody leaves government, though, they will not be able to get access into the system, because the system is protected by the government network. At the time that it was originally identified, though, the technology was not available to be able to do as elegant a solution as we can do now.

           There have been some advances, where we can now take information out of the payroll system and are able to marry up that with the information in the financial system to look for anomalies. We're in a better position now, just because of advances in the system. As Cheryl indicated, both our system and the payroll system have been advancing over the years, so basically we're taking an opportunity now that was unavailable at the time.

[0945]

           H. Bains: Do we have that technology available or implemented in the system now that it will automatically detect and correct as we go ahead, or do we still have to rely on individuals watching and removing those individuals?

           J. Kot: Basically, what the system does now is that it will identify the case where someone has left government or changed a job and it doesn't match up with the financial system.

           We monitor those on a daily basis. We report those to the ministry security administrators. We do not automatically remove their access. It's not an automated process, because there are some instances where there's a requirement for a person to actually determine whether or not it's an appropriate circumstance.

           No, it's not automated. The detection is automated. The action that's taken is a manual intervention.

           H. Bains: So you're satisfied.

[ Page 239 ]

           Maybe I could go to the acting Auditor General: are you satisfied with the answer given? Would that deal with the issue that was identified?

           A. van Iersel: I think this is an improvement. But as you just heard, it's still a manual one which, if I understand the answer correctly, means that there's no one necessarily guaranteeing that the ministry would act on the information. We'd have to make certain through CAS or the office of the comptroller general that there was indeed some monitoring of this to make sure the correct application was made.

           It's not a perfect system. It does in the end, as I hear, rely on a manual intervention on behalf of the ministry — so some further improvement yet.

           H. Bains: I'll move on to the presentation part. I think it's page 8. These are the four different ways that you have divided them up to deal with those recommendations. Some of them on this page show as ongoing, but I didn't notice them on the screen. The ongoing part is missing and does not say "complete" there either.

           Do I take it, because "ongoing" was missing there — for example, the second line under "Communicated to the ministry staff" shows ongoing, but it's missing there — that that part is completed, or is it still ongoing? What's the explanation for having that part missing?

           C. Wenezenki-Yolland: Just to clarify. On what particular area?

           H. Bains: If you look under "Security administration" at the top, there's "Communicated to the ministry staff." What I'm looking at here, which seems to be a copy of the same presentation, shows "ongoing" at the end of that line.

           My question, looking at this, would be: "ongoing" means you have completed that recommendation, but this is the type of work that continues to be ongoing on a…. But it's missing out there. That's what I'm saying. Does that mean it's completed?

           C. Wenezenki-Yolland: This has been communicated. It is completed. However, it does require ongoing monitoring and ongoing communication to ensure that it continues. As Jill said, some of these security processes still require a manual process. So to ensure that happens, we continue to communicate and re-emphasize the importance of these issues through ongoing communication.

           H. Bains: Again, at the bottom under "Purchasing and accounts payable," it also shows "ongoing."

           C. Wenezenki-Yolland: That is ongoing. Right now we are working with the financial officers' advisory community in regard to what type of training or enhancements to the training materials we would include in the expense authorities. So it is actually happening. They're not necessarily meeting while I'm sitting here, but they are meeting and discussing this issue now in order to determine how best to approach it.

           H. Bains: I guess that when I'm looking at "ongoing" — I understand that part — do we put a percentage of that item? What percent is it completed, and how far are we ahead into having that be completed? Is there a time target placed on this to have it completed?

[0950]

           C. Wenezenki-Yolland: At this point, we have assigned primary responsibility for all of the recommendations in the Auditor General's report. We have implemented and completed 21 of the 50 recommendations. The balance of the recommendations do have time frames for completion. We are expecting that we will have them completed by the end of the fiscal year. If that is not feasible, then we will have plans for how to move forward.

           H. Bains: We have 52, don't we?

           C. Wenezenki-Yolland: Yes — 52.

           R. Fleming (Chair): I have another member who wishes to ask questions. Oh, he is out of the room. I would like to ask a question then, if I may, of either the comptroller general or the Auditor General's staff.

           The three concerns that were outlined in the part 2 report around electronic procurement: the potential of delivery of goods to an unauthorized address, the potential redirection of cheques to a fraudulent mailing address and the potential procurement from inappropriate suppliers. I suppose my question is: where is that on the time line for changes and implementation of the recommendations?

           Also, I just wonder on the procurement question, in particular, why the requisitions are allowed to be prepared in advance, before an award is made, and whether it's feasible to close off that risk by changing that practice entirely. Or is this something that needs to happen just as a matter of business practice in government, because I imagine you're talking about procurements both large and extremely small?

           C. Wenezenki-Yolland: I will direct that question to Stuart Newton, director for our financial management branch.

           S. Newton: I'm just going to understand the question. You were talking about cheques potentially being redirected to another person. I just want to take it in parts, because there were several parts to your question.

           R. Fleming (Chair): Okay. Yeah. It's the three major concerns that are outlined on page 74 of the report around electronic procurement. So the concern was that addresses can be changed on a one-time basis later for both cheques and delivery of hard goods — durable goods, I guess.

[ Page 240 ]

           S. Newton: I'll take that one first. For delivery of goods, a person making a requisition to purchase something has a location attached to their identity. If I'm in a district office somewhere and I want some materials, it will default to my office.

           A number of times the work that's being done may be several miles down the road from the particular office that the goods are being delivered to. So I, as an expenditure authority, have the ability, once the requisition is created, to have those goods delivered to an alternate location further down the road — so that is an ability.

           There's seen to be a risk because I could then send them to some other place. But we also have a requirement in our control framework that a qualified receiver…. An individual would receive those goods and then report back into our financial system that those goods were received. The Auditor General's office has indicated that there is a risk here, that with that one-time change the goods may go somewhere else.

           We have communicated clearly to the ministries through our financial officer advisory committee that the qualified receiver is going to need to be able to receive that and record it into the system. Financial staff are aware that that's a risk, but it's also a business functionality that is needed.

           Just one other piece, as well, which I forgot, is that transactions of this nature are also reviewed by our corporate compliance and controls monitoring branch. So if the expenditure had been authorized and there isn't a qualified receiver or the qualified receiver ends up being the same person who authorized the expenditure, which is a risk, we have a regular review of payments on a statistical basis that would catch something like that and bring that up as well. So we would be aware of that being an ongoing problem, if it was.

           R. Fleming (Chair): Just on the one about the potential for inappropriate suppliers — where you can prepare the requisition with no company name and then you can fill that in later after the order is in process and it doesn't have to be approved again.

           S. Newton: I can go through that.

           R. Fleming (Chair): Could you tell me why it doesn't need to be reapproved?

[0955]

           S. Newton: The expenditure authority is the person who has the authority to say: "I need good X" — whatever it may be. Let's say a computer. They have set a very specific limit as to: "I only want to pay X for my computer. This is all I'm going to pay for it." That's approved in the system now.

           We can have a specialty role called a buyer, who can then go out and, through a variety of processes, source the appropriate goods using an appropriate procurement process. Then the goods can be received. The goods, when they come back, are received by a qualified receiver who ensures that what we received is what I wanted. As well, when the goods are received and the invoice comes in, the invoice is matched to what we received and what I wanted, and then it's paid.

           So we have another individual, other than the expenditure authority, who is allowed to go purchase. They are accountable for following government's procurement practices as well, appropriately. That is a needed functionality in the system — to allow a specialty role of a buyer to be able to conduct that piece. I've already approved the transaction. I'm happy if I get my computer at my rate. I will get information back from a qualified receiver that we did indeed get what I wanted, and we will have payment being asked for by the supplier that will match up what was delivered as well as what was requested. So we feel there is control across that gap.

           There is a risk that I, as the expenditure authority, have not ensured that a proper procurement process has taken place, but there are other individuals in government who will do that. They are still bound by policy. We believe that's a needed functionality, especially for specialty-type procurements like JSRFPs — joint solution procurement processes that we've been using for some of the larger projects that have been done.

           R. Fleming (Chair): That brings up an issue from a report last year that was released. I think it found that something like half of procurements didn't follow the rules. Is there a way to use the technology to remind or require and get sign-off, I suppose, electronically, that the procurement steps have been taken?

           C. Wenezenki-Yolland: I'll direct that to Jill Kot, because you want to know, just to clarify, if there is an automated process in the system to do that?

           R. Fleming (Chair): I suspect there isn't, because in half of all procurement cases last year, they were done out of compliance with the rules. So I'm wondering if that is something that could be implemented to improve compliance. Maybe Ms. Kot understands what I'm getting at.

           J. Kot: Yeah, I do. There is a way to automate it. I'll just give you a little bit of background. When we implemented the iProcurement module, which is the Internet buying process, we actually did build a connection through to the B.C. Bid system, as well, which is the government's electronic tendering system. That's the method by which tenders go out for solicitation. What we have within the system is the ability to record the method of procurement. That's a required field within the system especially to meet the requirements for the agreement on internal trade — the reporting requirements that are done through the office of the comptroller general.

           From that perspective, the system is able — and the users are required — to record the method of procurement that they used. It cannot enforce the method of procurement, but what it does do is report on the method of procurement.

[ Page 241 ]

           Does that answer your question?

           R. Fleming (Chair): Yeah. Thank you.

           G. Gentner: First, to the comptroller general. This is sort of off base. You'll have to excuse me, but I lost my T4 slip. Can you send me another one? Thanks. I had to clear that. I didn't have an opportunity….

           A Voice: I'll make a note.

           G. Gentner: Thank you very much. Tax time being what it is….

           Very quickly, on the unauthorized changes made to an operating system, I don't quite understand what the protocols are that are in place to determine what is authorized.

           J. Kot: I'm wondering if you could describe which particular recommendation you're speaking to. That would help.

[1000]

           G. Gentner: Referring almost to the beginning of part 1 — from the Auditor General himself, I believe — it was mentioned in the report. I seem to have lost it here. Maybe if I can come back and try and find it again.

           Hon. Chair, maybe I can dig it up and come back. Is that cool?

           R. Fleming (Chair): Okay, dig quickly. We don't have anyone on the speakers list at the moment, so we may finish this agenda item ahead of time.

           B. Ralston: My question is to the acting Auditor General. There were some instances in the report — I think it was in the Oracle system — where the firewall was down for periods of time. I'm wondering about the solutions that have been suggested and implemented. Do you consider those effective in dealing with the problem or not?

           A. van Iersel: Thank you, Member, for the question. What we would do in this case, as in other cases, is that we would like to look at the ministry's action plan and the specifics behind that and follow it up in an appropriate time in terms of: do they, in our opinion, address it?

           We very much appreciate today that the ministries here, both Finance and Labour and Citizens' Services, have agreed with our recommendations and that they are taking action on all of them. In regards to whether all the various elements of those actions are sufficient, that's something we would need to take away and have a look at.

           Because of the importance of this particular system in regards to the number of payments and so forth, this is, in my view, a candidate for follow-up within a reasonable period of time, as we do with such audits.

           I can't tell you today if all the actions…. We haven't seen all the actions, and some are still being defined. We would very much like to see the action plan and then make a further assessment.

           B. Ralston: It seems to me that the concern about the firewall…. There was more of a sense of urgency to that. There were several instances in the report where the firewall was down for hours at a time. Obviously, that provides access to the system in many ways. By your answer I'm not sure that that sense of urgency…. Maybe that's just the way in which you've answered the question. I don't get that same sense of urgency about that problem.

           What immediate steps have been taken to verify that the action taken by the ministry at least addresses that problem?

           A. van Iersel: As you heard me say, Member, we haven't taken steps just yet. We need to see the ministry's plans and the specific actions. We would very much, then, follow up. In regard to the 11 critical recommendations, that would of course be our first priority. So we will do this more quickly for those items that in our view are significant risks to the system.

           R. Fleming (Chair): Maybe someone from the Ministry of Finance would like to deal with the firewall issue or address that concern.

           J. Kot: Certainly. I'll just take a couple of minutes, if you don't mind, and just walk through what the security system is — how we protect the financial system.

           The financial system is protected by several layers of security to prevent unauthorized access. This includes physical as well as system security. The first level of security is the government network. This protects the financial system from the open Internet. That's the firewall that was under discussion.

           The second level is a CAS firewall that further restricts access to the subset of the government network that should reach CAS. This excludes schools, pharmacies and other organizations which do not access CAS. We log and review access through this firewall on a daily basis. This was not in effect at the time of the audit. We also turn off unnecessary features and functions to tighten security.

           The next level of security is user access. This is the user ID and password that we were speaking about, which is required to gain access to the system. User ID is the method through which authorization is granted to permit users to access functions appropriate to their job. We maintain appropriate patch levels in all systems to ensure no known weaknesses could be taken advantage of by a hacker.

[1005]

           In the case of the firewall, what we have done is maintain redundant restriction rules directly on our servers, and we push those out to the government network, so they actually exist in multiple places. We now have a hardware firewall, which is much stronger than a software firewall. This provides redundancy. In the event of any one of those areas failing there is a fail-over. The redundancy did not exist at the time of the audit.

[ Page 242 ]

           I can talk specifically about the event that occurred, if you want, or I could just leave it at that.

           R. Fleming (Chair): I think the member would like that. Yes, thanks.

           J. Kot: Okay. The firewall was the specific issue that was identified within the audit. As I said, the system is protected by several layers of security. One of these layers is a firewall whose purpose is to restrict network traffic.

           In 2004 there was an incident where the CAS detected this firewall was not running for 15 hours. The root cause was human error. There were some rules that were changed on the firewall that were unauthorized. Once it was detected by Crown agencies secretariat, it was corrected, and procedures were strengthened to prevent further occurrences. No residual damage was done.

           At the time of the exposure we followed all appropriate security policies. We notified the chief information officer's office, the office of the comptroller general, and a full review was undertaken to determine if any files were changed, added or deleted. They were not.

           During the audit in 2005, CAS reported to the Office of the Auditor General that this incident had occurred. Subsequently, we have introduced strengthened security on the network, as I indicated, with redundant restrictions to allow protection in the event of a failure.

           I. Black: As one who's spent his career in technology and most recently developing banking software, which has a thing or two to say when it comes to concerns of security and access to data, I wanted to make an observation, and then I have a question for you.

           First of all, as you can see, we've got two reports that have been produced. The challenge you have is that any time you do an audit of any kind, whether it's financial or process-based or IT-based, in this case, you're dealing with a snapshot in time. The snapshot in time in this case is actually over several months, which makes it a very complex topic around which one has to wrap the mind in terms of trying to derive meaning and then significance from it. I'd make that observation number 1.

           Within that, of course, over the several months or actually a couple of years there, you've got a rate of change in technology that, as we all know, is very, very difficult to keep up with. So within that context and the complex environment that you're in with many departments and ministries involved, my first observation is that the responsiveness to the two reports is, in my opinion, really impressive. Well done on that score.

           The question I have for you, however, pertains to the role of the chief information officer of the government. Within the area of security and data security and within the evolving mandate that exists there, plus your response to the Auditor General's reports to date, my question is: what role will the CIO have going forward? And how will we feel that presence, if you will, within the next report that comes out of the Auditor General's office on this topic?

           I don't mind who takes the question.

           J. Kot: Yes, we're very well aware of the evolving role of the government chief information officer. We work very closely with him, even within our ministry. He is one of the people who we brief through our executive steering committee. We're a member of his council, the Advisory Council on Information Management, which I believe is going to be evolving into a different kind of an organization. We're very involved in working with him on that.

           I suppose I see myself as the provider of the financial system. We're a government standard, and he's very aware of that and supportive of that government standard. We keep him briefed on all of our initiatives. We report to him on projects upcoming. We give him our capital plan for the year, for instance.

           As his role is changing, we are being more closely aligned with him certainly. As a matter of fact, I met with him on Friday to advise him on what we're doing.

           I know his role is changing and actually see that as a very positive step for the province. It's positive from my point of view, as well, because I'm a service provider, and he is then providing the governance for me.

[1010]

           Beyond that, I think that I would see myself getting even more sort of involved in some of the plans that he's got underway. One thing I should mention is the information resource management plan process that government goes through annually where we do our IM-IT plans. He is the sponsor for that, and we are required to present our plans for review with him. Certainly, it's a very, very strong relationship.

           I. Black: Okay. I mean, the responses that you've given to a lot of the Auditor General's office concerns were very strong. Some of the more detailed stuff you've done recently — the use of hardware, firewalls and the redundancy built within that — that's best-of-breed kind of stuff.

           Very, very strong responses. Is that a standard that you're conforming to that you are setting or is that set by the CIO?

           J. Kot: Those security standards are set by the government chief information officer's office. We have a security officer within our organization who is also receiving the security designation that was alluded to by the Auditor General's office. As well, our director of technology operations is receiving that same security designation.

           Those two individuals work under the umbrella direction that's set by the government's CIO in terms of security. So they sit on the councils that are run by the government security office. There's a very strong connection from that perspective.

[ Page 243 ]

           I. Black: Okay. My last question would be the follow-up that you're doing. You mentioned a few times the security databases that you're checking on a daily basis. As you well know, there has to be that balance between the automating of security processes and the human interaction within it. You never want an environment that's completely automated, in my opinion, because if you remove that human judgment, that's where you fall into challenge and into trouble.

           Are you finding, with the complexity of the systems, that you are able to keep up or that this is an area that's going to have to get more attention in the future, both from a resource standpoint and the disparate types of government systems that are now in place?

           J. Kot: Well, it is a challenge. It requires resourcing, and it requires focus. It's where you put your priorities. Certainly, we recognize it's a very important area, so we have redirected resources towards that activity.

           We hope that, going forward, we'll get some economies of scale.

           I. Black: You should — yeah.

           J. Kot: It's a big system. The idea is that because we are spread across government, we spread our costs across a very wide base. I'm not finding that it's hugely resource-intensive, especially as we're able to automate some things. It really helps out.

           But you're absolutely right: we cannot automate everything.

           I. Black: No — you don't want to.

           J. Kot: No.

           I. Black: That's great. Thank you.

           R. Fleming (Chair): We have ten minutes left scheduled on this item and two more members who wish to ask questions. I'll just ask them to respect each other's time.

           D. Thorne: I won't be very long. I'm not nearly as technical as Mr. Black, so my question will be quite simple. It's very general. I'm curious as much as anything else. For the acting Auditor General or somebody from that department.

           Over the weekend when I was reading through these two parts, quite a few of the recommendations in the first part seemed like…. There were comments like, "We won't follow up right now," or "We'll put that off until later," because of the new systems that were being put in. I'm assuming, even though I'm not very technical, that it would have been counterproductive to study something that was then going to change or something like that.

           So then when I was reading the second part, there were so many recommendations — like 52 recommendations, a lot more than in the first one. I'm just wondering, I guess, a couple of things. Is that a lot of recommendations? If it is, is that indicative at all that the system we've put in didn't work out to be quite as effective as we'd hoped it would be and that there are still quite a few things that have to be looked into and changed? Or would you normally have that many recommendations anyway, even without a new system?

           I don't know who that is for.

           A. van Iersel: I think I'll ask Mr. Gilhooly and Mr. Price to deal with that.

           B. Gilhooly: On your first point, you're right. We were auditing a moving target over five years. For instance, by the time we finished the audit of the UNIX operating system a year hence, new things had been put in place, which made it difficult for us.

           We did have to make some decisions on whether to go back and re-audit certain areas and then publish them in a follow-on report. That also speaks to the fact that, as I said earlier, we did seven audits. We were trying to decide: should we issue seven reports? One report? If we waited to the very end to issue the report, some of the information would have been stale-dated by perhaps three or four years. So we did make some judgments on that.

[1015]

           The number of recommendations between the two reports isn't necessarily indicative of the quality of the systems or how they're being managed. They're more a question of the quantum of work that was involved. There was much more work that went into the auditing of the Oracle environment, and the control and objectives that we were auditing against were much more detailed. It's just as likely we'd find more recommendations. Although you'll note in the report that, of the 52, there are a number of key ones that we thought were more critical, and the rest weren't…. I wouldn't say lower priority but were less urgent to deal with.

           Again, we were quite pleased at how quick and proactive government was throughout all this work. They acted on our recommendations before we'd actually issued the reports. It just shows that their attitude to security…. We've certainly seen an improvement of that over the last three or four years. They've taken it much more seriously and put more resources in play to recognize that security is a cost of business that can't be skimped on.

           A. van Iersel: Maybe another comment from myself, having some experience with ERP systems. One thing I'd like to convey to the members is that a system as large as this needs continuous monitoring and continuous attention to all the various aspects of the two audit reports that we did. It is constantly being changed. It's sort of like accounting policy. Some people think it's rather static. But in reality, the system is always evolving, whether it be the introduction of…expenses or other components.

           Each time you introduce a piece of software like that, that requires you to go back and see, in regards to the control framework, what implications it has. And even where you believe your system is working well, the practices and terms of other jurisdictions, the software and its various control regimes that are put in place, you can learn from others.

[ Page 244 ]

           I really want to leave the impression that this, as has already been said, is a point in time, but going forward, our office and the office of the comptroller general will need to be ever-vigilant to make sure that the standard — which we think is a reasonably good standard, particularly if all the recommendations are followed — will be kept.

           D. Thorne: You always have to stay one step ahead of all the bad guys, right? I mean, making it really simple, you know?

           A. van Iersel: Yes.

           R. Sultan: Since, as has been described this morning, in a sense, we have all our eggs in one basket with this corporate accounting system, I'd like to hear the opinion of the acting Auditor General on the capacity of this system to regenerate itself in the face of some possible major seismic event or fire or flood or terrorism.

           A. van Iersel: As was alluded to by the comptroller general, the backup of the system is tested. The details, I think, would more appropriately come from Ms. Jill Kot. I could ask her to respond.

           J. Kot: Certainly. We have an annual business continuity planning exercise that we undertake. It's got three components to it. The idea behind it is to test our ability to bring up the system in the event of a disaster — especially a critical piece of the system, which is the making of payments. What we've done is identified those areas that would be most important to bring up, and we've prioritized those.

           So, we have three components to our business continuity planning. We do a mainframe hot-site recovery. This tests our ability to regenerate the part of the system that runs on the mainframe environment — this is not the Oracle environment — the mainframe environment at workplace technology services. Our last test involved the Ministry of Health, and that test was run in July of 2006.

           The next component that we do is a disaster recovery plan. This is an actual bringing up of the Oracle financials environment at an alternate site. Our last test of that was in November 2006, so we've just completed that. Basically that does verify our ability to bring up the system at an alternate site in the case of a disaster.

           That alternate site is located in the lower mainland, and one of the things that we are very interested in doing is coming up with an alternate site that's not within an earthquake or a seismic zone. So, we are working with workplace technology services, which is our service provider to provide that environment, to look for an alternate location, probably further up the province. That is an activity we're undertaking this year.

[1020]

           The third piece that we do on an annual basis is what we call a tabletop exercise. We bring people together who would be involved in the case of a disaster, the management team in particular, and we have a surprise scenario.

           We did that just recently, in February 2007. The surprise scenario that was brought forward was a flood in our office. There were simulated pictures and everything. We talked through what we would do in the event of a flood. So a flood, which may seem to be a relatively minor incident, could have significant impact on our ability to run the system. We talked about: did we know our roles and responsibilities? Did we have our contact lists up to date? Did we have an alternate location where we could run the operation?

           So it's like a role-playing exercise. It's very valuable in thinking through all of the nuances of bringing up an environment in an alternate location. It sometimes identifies things like when somebody has changed their phone number and you haven't got their latest phone number. So that's a very valuable exercise that we do. We do all of those three things on an annual basis. Does that answer your question?

           R. Sultan: Yes, thank you very much.

           R. Fleming (Chair): Thank you, and I want to thank all the witnesses and members for their questions. We have come to the end of this agenda item. I would ask for a motion on CAS reports 1 and 2.

           J. McIntyre (Deputy Chair): I'd like to move that we accept the recommendations contained in the audit of government's corporate accounting systems, both parts 1 and 2. But I'd also like to recognize the efforts that the government has made in addressing these recommendations as part of the motion.

           Motion approved.

           R. Fleming (Chair): I would suggest a two- to three-minute break while our witnesses get settled for the next item of business.

          The committee recessed from 10:22 a.m. to 10:30 a.m.

           [R. Fleming in the chair.]

Auditor General Report:
Province of British Columbia Audit Committees: Doing the Right Things

           R. Fleming (Chair): Okay, Members, if we could take our seats, we'll call the committee back to business and move on to item 7 on our agenda, which is report 4 from 2006, Audit Committees: Doing the Right Things.

[1030]

           Our presentation will be from the Office of the Auditor General. We have a new guest from that office,

[ Page 245 ]

Malcolm Gaston, who is the director of financial audit. Welcome, Malcolm.

           Arn, you'll be leading off this morning in introducing this report.

           A. van Iersel: I will, Chair, Deputy Chair and Members. I have a few opening remarks.

           Before I do that, though, in addition to our own report I have brought with us some additional material that was available through KPMG. We don't have a special relationship with them, but they are one of the organizations that stays on top of good governance practices and does an annual update. That was the blue document you'll get. Here again, if you're really interested in the subject in terms of what is considered to be good governance practices when it comes to audit committees, this tells you what they are and also what the practices are in other cases.

           The yellow document there that you will be getting is from the province of Manitoba. Not only is this a topical issue in regards to our own jurisdiction but in other audit offices. In this case, the province of Manitoba looked at it as well and are talking about the same kinds of requirements. In my view this is a continuing legacy — the issues of the past and how accountants and governance specialists are strengthening procedures and practices over time.

           This now is our second major subject matter for discussion, the discussion of audit committees. As has already been noted, Mr. Bill Gilhooly remains with me in regard to addressing this, and Malcolm Gaston, who is the audit director for this particular audit. Other members of the audit team I'd like to acknowledge are Kathryn Day and Ms. Heidi St. Denis, who were also part of the review.

           Today through this report, Doing the Right Things, we are reporting on an assessment of audit committee practices within a number of selected organizations. Audit committees are a critical ingredient to the proper governance of any organization.

           The audit work was done under section 10(8) of the Auditor General Act, which authorizes my office to assess the financial statement audit process for government organizations and trust funds. The audit focused on the current state of audit committee practices within selected organizations to provide an overview of the health of the financial statement audit process. Our sample initially included 40 organizations but was subsequently revised down to a number of 33. They included Crown corporations and other organizations as well as organizations within the SUCH sector — that again being schools, universities, colleges and health authorities. These organizations are listed in appendix C to the report, or page 51.

           I am pleased to report that with respect to section 10(8) of the Auditor General Act we did not find any significant issues with the audit committee practices in relation to the oversight of the external audit process. These processes are generally strong.

           We also assessed audit committee practices as they apply to audit committee mandate and process, audit committee composition, financial systems and information, oversight of the internal audit process and whistle-blowing policies. Here we found many examples of good practice, including written mandates that required financial expertise in committee membership and conflict-of-interest guidance — e.g., in Crown corporations. We believe much of the advance in recent years is due to the efforts of the Crown agencies secretariat and the board resourcing and development office.

           The audit did identify, however, a number of areas for potential improvement, although none of these were seen as a significant risk with respect to the assessment of financial statement audit processes. Examples of improvements that we believe could be made are: frequency of meetings, makeup of audit committee members, a requirement for all audit committee members to be independent, assurances provided by management on financial and reporting systems to the committee, availability of internal audit services and formal adoption of whistle-blower policies and practices.

           From our work we had two recommendations. First, that the board resourcing and development office guidelines continue to be revised and fully updated to meet best practices of the day — e.g., whistle-blower, again — and have that reflected; second, that compliance with these guidelines be required of all government organizations within the government reporting entity, which includes, again, the schools, universities, colleges and health authorities.

           The results of our assessment indicate that our committee practices are generally strong in relation to the external audit oversight process. There are, however, as already noted, opportunities for improvement in other related financial oversight responsibilities. We will use the information we have gathered to further plan our future audit coverage plans for organizations within the government entity.

[1035]

           I'd like to thank the ministries, Crowns and other organizations that cooperated with us in this assessment. This concludes my introductory comments, so I would now like to ask Mr. Gilhooly and Mr. Gaston to take you through the details in our slide presentation.

           After that, if the committee agrees, we could then hear from the government representatives who are here with us today and then deal with questions.

           Chair, Deputy Chair and Members, I'd now ask Bill and Malcolm to lead us through the presentation.

           B. Gilhooly: Thank you, Arn.

           The central element in holding any organization accountable for its performance is the independent audit of its financial statements. You've heard us talk before about how corporate scandals have changed our audit practices in terms of the due diligence that we have to do. It's a higher bar for everyone.

           A key response by regulators has also been to strengthen the role of audit committees to focus more on corporate governance, accountability and control. Also, as you know, the summary financial statements

[ Page 246 ]

of the province are large and complex with about 150 organizations included in them. This complexity, and the need to provide you, the Public Accounts Committee, with an overview of the financial statement audit process, was addressed in the drafting of section 10(8) of the new Auditor General Act.

           So just like how an audit committee would receive reports on the health of the processes related to the organizations it oversees, so too do we provide reports like this to you to help you get a sense of the health of the overall process that underlies the summary financial statements.

           We had two objectives in carrying out this work. One was to provide an overview of the financial statement audit process by assessing audit committee practices; and the second, as Arn said, was to inform our future audit coverage plan. As you remember, back in December, we discussed this financial statement coverage plan, and the entities that we examined closely overlay that plan, which of course is what we rely on in gaining our information to sign off on the public accounts.

           So this morning we're going to cover the organizations that we included in our assessment, what we hope to find in terms of audit committee practices, what our assessment involved, as well as the results of our assessment and what those results mean.

           I'm going to turn it over to Malcolm now, who will walk you through the details of the report. But first, since Malcolm hasn't addressed this committee before, I thought I'd just tell you a little bit about his background.

           He moved to Canada from Scotland a few years ago, where he worked at the National Audit Office in London and Edinburgh as well as for Audit Scotland and spent some time in the private sector with PricewaterhouseCoopers and KPMG. He's also the CFO for the Scottish Qualifications Authority. Since joining our office, he led our most recently published annual assessment of government performance reporting, and he currently leads a mix of financial statement and performance audits.

           So now I'd like to turn it over to Malcolm, who is going to walk you through our report in a little more detail.

           M. Gaston: Thank you, Bill.

           In terms of who we assessed, section 10(8) of the act, as Arn has already mentioned, specifically refers to government organizations and trust funds. So that covers Crowns, school boards, health authorities, colleges, universities.

           The term "government organization," however, specifically excludes ministries. So ministries are not included within this assessment. The 40 organizations that we included are detailed at appendix C on page 51 of the report. When you look at that, it becomes apparent that this is not a representative sample of each sector that's included within government. It reflects, as Bill has already mentioned, our financial statement audit coverage plan. So the organizations that were selected are a reflection of that plan.

           The organizations we assessed have a variety of governance models. The most common one probably being a board of directors, such as you would find in Crowns. We also have boards of governors in the education sectors, and school boards have elected trustees. But regardless of the governance structure, what we are looking for is best practice.

           The Auditor General doesn't audit all of the organizations. And recognizing this, of the 40 organizations that were selected, 20 are audited by the Office of the Auditor General and 20 by private firms.

           What were we looking for? In relation to the external audit process — the key focus of our work; the area addressed by section 10(8) — we wanted to see evidence of a strong relationship between the external auditor and the audit committee. This would typically be demonstrated by the areas on the slide. So the audit committee would be involved in discussing with the external auditor the plan for the annual audit. They would discuss the auditor's findings and recommendations.

[1040]

           Typically, at the end of each audit cycle there would be an in-camera meeting between the external auditor and the audit committee. The audit committee would have a key role in the appointment of the auditor and in ensuring the continuing independence of the auditor.

           Now, in relation to this area, it's important to highlight that all external auditors are governed by auditing and reporting standards, and these are issued by the Canadian Institute of Chartered Accountants. They are required to comply with these standards, so it's fair to say that in this area we would expect to see high standards in place.

           In relation to the other areas of responsibility, audit committees are not just responsible for looking at financial statements. I don't propose to go through each of these in detail, but in our report, where we address each of these areas, we have outlined at the start of each area the sort of things that we would be looking for. I would like to stress that where we outline best practice, this is based on authoritative sources for both the public and the private sectors.

           Our assessment criteria are detailed on page 47 in appendix B. These were developed from two key sources — one, which details the requirements for listed companies in Canada, is from the CICA; the other is our very own province's corporate governance guidelines for public sector organizations, issued by BRDO. The criteria were communicated to each of the organizations, typically to the board and audit committee chairs, and we assessed the returns made by each of these organizations. Once we had completed our assessment, the results of our assessment were communicated back to each organization, typically to the audit committee chair.

           Our findings have been collated, and you can find these at appendix E on page 55 of the report. They've been collated by sector. There are a couple of reasons that we didn't identify individual organizations. First

[ Page 247 ]

of all, this was not an audit of the effectiveness of individual audit committees. The second reason was that we wanted to encourage organizations to see this as a learning process, as a means to improve practices, so we did communicate from the outset that we would not be identifying individual results within our report.

           What did we find? As Arn has already said, on the main focus of our assessment, audit committees' oversight of the external audit process, we picked up some minor issues, but we found that practices are generally strong in this area. In relation to other key audit committee areas of responsibility, results were mixed. On page 25 we've summarized areas of good practice identified but also where we see opportunities for improvement. Again, the opportunities for improvement are provided in a bit more detail at appendix E on page 55.

           What does this mean? As Arn has already reported, under section 10(8) of the Auditor General Act, we can report to you that our assessment did not find any significant issues and indicates that audit committee practices in relation to oversight of the external audit process are generally sound.

           Our findings in the other areas relate to important audit committee responsibilities. We will take these into account, along with many other factors that we look at, in deciding which organizations we should be looking at — where we should be targeting our audit resources in the future. This will be reflected in future financial statement audit coverage plans presented to this committee.

           Rather than produce a lengthy list of specific recommendations, we felt it would be more valuable to provide a small number of recommendations to strengthen audit committee practices across the provincial public sector.

           In relation to our first recommendation, government itself in the guidelines recognizes that what is considered to be best practice is always changing. The guidelines are seen as evolutionary in nature, so our first recommendation is really just to highlight the need for regular updating of the guidelines and maybe to suggest that this is an opportune moment to do that.

[1045]

           Our second recommendation, however, addresses what we see as two significant gaps with the current guidelines. The first is that not all government organizations are covered by the guidance, and the most significant exception here is that of school districts, who individually can be responsible for up to $500 million worth of annual expenditure and who collectively, as a sector, are responsible for in excess of $5 billion of annual expenditure.

           The second point related to this recommendation is that even those organizations covered by the guidelines are not required to comply with them. So our view is that all government organizations should be covered by the guidelines and be required to comply with them. We feel this would greatly strengthen audit committee practices and, therefore, the standard of governance across the provincial sector.

           That concludes our presentation. As Arn said, we'd be pleased to take any questions you might have — maybe once the government team have made their response to this report. We would ask that the committee endorse our recommendations on page 26 of the report.

           R. Fleming (Chair): Thank you, Malcolm. We will do that. We will ask the folks from the government who are going to be acting as witnesses to this report this morning to come forward and make their presentation. Then we'll move on to members' questions.

           L. Wanamaker: Good morning. We'd like to thank the committee for this opportunity to present on the Auditor General's report on audit committees in British Columbia on behalf of the Ministries of Labour and Citizens' Services and of Finance. Our presentation will provide some background on British Columbia's existing audit committee guidelines as well as our response to the Auditor General's recommendations.

           Both the Ministries of Labour and Citizens' Services and of Finance play an important role in providing corporate support for Crown agency governance. Labour and Citizens' Services has responsibility for the board resourcing and development office, which supports the board appointment and development process as well as providing guidelines for best practices in governance. The Ministry of Finance has responsibility for the Crown agencies secretariat, which provides strategic oversight for Crown corporations.

           The board resourcing and development office's best-practices guidelines were issued in February of 2005 and have been very well received across the country. The audit committee portion of those guidelines was reviewed by the Office of the Auditor General's staff and reflected best-practice standards of the day. When released, the guidelines were well received by the Auditor General.

           Government is committed to keeping pace with emerging best practices, and the guidelines explicitly state that they are evolutionary in nature and will be reviewed and updated from time to time in response to new developments in the art of good governance.

           The quality of these guidelines is evidenced by the fact that they were used by the Office of the Auditor General in establishing assessment criteria for Doing the Right Things. Accordingly, the guidelines are consistent with the Office of the Auditor General criteria for the review, with the exception of the inclusion of whistle-blower practices. This is a recent development in practice, and one which we will consider to include in revisions to the document.

           I would also like to highlight, as the Auditor General does in its review, that the fieldwork conducted by the Office of the Auditor General was completed prior to April 2006. That was the date that Crown agencies were asked to comply with these guidelines.

[1050]

           Government is very pleased that the Office of the Auditor General overall found audit committees were

[ Page 248 ]

discharging their duties well in relation to the oversight of the external audit process and that the Office of the Auditor General found no recommendations are required in this regard. We are also pleased that the Office of the Auditor General noted the advances in the standard of public sector governance in British Columbia, which is due in part to the work of the board resourcing and development office and the Crown agencies secretariat.

           The findings of the Auditor General with regard to audit committee practices are very useful for government and Crown agencies. The findings of good practice with regard to audit committee mandates, meeting calendars, composition, conflict-of-interest provisions and the review of risk and control frameworks provide some assurance to the government. And opportunities for improvement provide very useful guidance for future Crown agency board development.

           With respect to our specific response to the recommendations, the first recommendation is related to the revision of governance guidelines. Government has committed that these guidelines will be updated as best-practice standards evolve. We are currently in the process of updating the guidelines and will fully consider the opportunities for improvement noted by the Auditor General in their audit.

           The previous guidelines were developed in consultation with the Office of the Auditor General and considered best practices developed in other jurisdictions, security regulations and guidance in the private sector. Future considerations will also include guidance from the Canadian Institute of Chartered Accountants and acknowledged experts in the field as well as the documents that were distributed here this morning.

           We agree with the majority of the Office of the Auditor General's good-practice advice, but have a different interpretation of best practice with regard to the independence of audit committee members. We do not agree with the Auditor General that the appointment of senior public servants from ministries to the board or committee of a Crown agency creates irreconcilable independence issues and find no explanation for this perspective in either best-practice literature or in the report.

           We are committed to a merit-based approach, and appointments from time to time may consider public servants based on both the merit principle but also the unique skills and abilities that these individuals could bring to a board.

           With respect to recommendation 2 that all government organizations be required to comply with these guidelines, government will consider the Auditor General's recommendation to expand application of the guidelines. Guidelines currently apply to a wide range of government organizations including the SUCH sector. We have prioritized application based on significance and materiality, focusing first on Crown corporations, health authorities, colleges and universities.

           We will consider the Auditor General's recommendation to extend the guidelines to school boards of trustees and smaller organizations, but given this involves 100-plus organizations that have limited capacity, we recognize that this will necessarily be a very resource-intensive process. As we refresh our guidelines, we will consider ways to support smaller organizations to move in this direction while balancing their capacity.

           We are also committed to ensuring that organizations adopt best practices and that there is ongoing support to these organizations. The guidelines based on best practice are meant to be just that — guidelines that allow organizations to adopt their practices based on their particular circumstances.

           Government wanted to avoid a prescriptive approach, resulting in simply compliance checklists and no thought given to the audit process or the audit committee process. As well, the guidelines apply to organizations that vary significantly. The differences between a commercial Crown corporation such as B.C. Hydro, which is structured in a public corporation form, and a university, with a traditional bicameral board structure, are significant and need to be accommodated within our guidelines.

           Meaningful adoption by organizations depends upon clear understanding of the benefits of compliance. To that end, we continue to sponsor events to educate and train board members. Later this month the Office of the Auditor General is presenting the findings of this report to the Crown corporations' biannual meeting, and we're providing ongoing support to Crown agencies to meet the guidelines.

[1055]

           In closing, I would like to acknowledge the work done by the Office of the Auditor General. Their work has provided us with independent validation of where we are now and strong recommendations for improving our governance guidelines. I would also like to thank the Public Accounts Committee for allowing us to make this presentation.

           R. Fleming (Chair): Thank you very much, Ms. Wanamaker. I'll just introduce the other witnesses that are with you. We have Molly Harrington, who is the CEO and ADM for the Crown agencies secretariat, and Carol Robinson, who is with the board resourcing and development office. Welcome this morning.

           Members will have an opportunity now to ask questions of both government and Auditor General witnesses. Speaker's list is open.

           B. Ralston: If I could begin first with some recommendations about including whistle-blower guidelines on page 34, whistle-blower policy. The response from Ms. Wanamaker was that that will be considered.

           I'm wondering what elements of the recommendation you're going to consider, how that consideration will take place and what would be the time line for a decision. Just give a sense of your thinking on that recommendation.

           L. Wanamaker: Certainly. We've just begun the process of updating the guidelines, and we're looking very carefully at this. There are other…. I'll ask the

[ Page 249 ]

comptroller general to actually speak to the changes in the Financial Information Act which deal with whistle-blower provisions. We are building this into our workplan and should have a better answer for the member once we've actually completed that workplan.

           C. Wenezenki-Yolland: Actually, what we have in core government within the Financial Administration Act — just to correct the name of the act — is the obligation to report. That does apply to all ministries. In that context, I would expect that if we were looking to extend something to the Crowns, there would be that requirement. There is, however, within the context of the Crowns, that they will follow the essence of the core policies of government, in which case they are obligated to report known instances of misappropriations, frauds, etc. It is solidified in the FAA for ministries.

           R. Fleming (Chair): Yes. A couple of follow-ups.

           B. Ralston: Different topic: the response of the acting Auditor General and his staff to the comment by Ms. Wanamaker, where she didn't agree specifically with your concerns about senior public servants sitting on audit committees and the independence issues that might arise out of that. I think she was fairly categorical in rejecting what you said, so I'm wondering if you have a comment on that.

           A. van Iersel: It's our view, as stated in the report, that best practice calls for audit committee members to be independent. I guess this would be where we agree to disagree in the sense that we feel that independence means true independence — that you're not a member of government or any other potential conflicts.

           It really boils down to the question of: what hat do you wear when you come to the audit committee? We think the best hat to wear is one of independence in regards to the various things that you are on an audit committee to ensure happen. We're not saying that civil servants aren't well-motivated and don't have the capacity, but best practice really means pure independence, in our mind.

           B. Ralston: One more. Not a follow-up. There's an appendix to the report, which is the Interior Health Authority terms of reference for the Audit and Finance Committee. I gather that this is there as an appendix as an example of best practice.

[1100]

           In particular, I wanted just to have a comment from the acting Auditor General and his staff on the policies and procedures for the review and approval of CEO expenses on page 65. I take it from reading this that a written policy — an approval, personally, by the chair of the board — is the appropriate avenue along with all the other guidelines that are set out here. Is that correct?

           A. van Iersel: Yes, this is intended as an example of the kind of practice we would like to see. In regards to the specifics on page 65, I'm going to ask Mr. Bill Gilhooly to respond.

           B. Gilhooly: If I may, this example is not meant to be an exhaustive list. It didn't mean, though, that we actually took any particular part here and did any audit work, especially on that part. To have clear guidance around that policy, we think, is a good thing to put in, but we didn't actually assess whether that was well-written or well-prescribed guidance for that particular topic.

           B. Ralston: Given the qualifications you've just expressed, is there a prescription — preferred or recommended terms of reference, particularly for this policy and procedure — that you would recommend to the committee and to the public?

           B. Gilhooly: In general terms I think that transparency is paramount in these things; that if organizations publish these policies, they'll have some sense that there are no hidden agendas essentially; and that whatever is drafted also has to be with the government's financial framework, as well, for reasonableness. I believe that the government has a process. They may want to speak to the process. They have to, through one of their agencies, manage and monitor CEO remuneration and expenses.

           M. Harrington: There are two statutes that relate to CEO remuneration and disclosure. The first is the Financial Information Act. Agencies that are scheduled under that act have to report on any supplier expenditures over $25,000 as well as any employee remuneration over $75,000.

           As well, under the Public Service Employers Act, agencies that are covered under that act — which is the majority, if not all of these agencies…. I can't speak to the exact detail of that, but I believe it's all of these agencies. The Crown boards of directors have to be prepared to release information for employee remuneration, including the chief executive officer, over $125,000 a year.

           J. Yap: Thank you for the presentations. As the acting Auditor General has said, you'll agree to disagree about senior civil servants sitting on audit committees. In the audit, in the review, were there any instances where you found senior civil servants sitting on the audit committees where, from your review of the minutes or discussions, there were any concerns with the decisions made by those audit committees?

           M. Gaston: No. I can confirm from the work we carried out that there were no specific instances noted where we had any particular concerns about the….

           J. Yap: So you were approaching this from the point of view, from the theoretical framework, that audit committee membership should appear to be or should be independent from the entity as opposed to any specific concerns that you came across in your review.

[ Page 250 ]

           M. Gaston: Yes, we were really comparing the practices that we found for individual audit committees against what we had found to be considered best practice. What we've put down in relation to independence is…. What we picked up from guidance has been what is considered to be best practice in that area.

[1105]

           J. Yap: Our practice here in British Columbia — how does it compare with other jurisdictions, say across Canada, with Crown agencies or any other government entities, as far as audit committees go?

           B. Gilhooly: I can certainly speak to Alberta. A few years before we published this report, they did a very similar report — I guess you'd say we did a very similar report to them — where they looked at audit committee practices and found them to be relatively strong.

           In other jurisdictions, I don't know if they've carried out that much, other than Manitoba. I believe you have a copy of their best-practice guide. It's based on work they've done. I believe the Crown agencies secretariat does keep tabs on other governance in other jurisdictions and might be able to speak to what the flavour is of audit committee practice out there.

           M. Harrington: We regularly network and work with our national counterparts in the other provincial jurisdictions and in the federal government. Actually, this morning in a discussion with those other jurisdictions, B.C. was identified as the gold standard. So our practices and guidelines have certainly been well received and replicated in many other jurisdictions and taken as an example of good practice.

           J. Yap: On the matter of audit committee membership, are we similar to other jurisdictions where there are audit committees where senior civil servants might be on the audit committee?

           M. Harrington: I couldn't attest to the exact composition of the audit committees of the agencies in the other jurisdictions, but my sense is that the standards in British Columbia are as high or higher.

           R. Sultan: I'd like to ask the Auditor General to comment further on these very interesting statements on page 30 of the report concerning governance arrangements in the post-secondary education sector. The report you have submitted describes instances where the governing bylaws exempt appointments to internal audit committees of post-secondary institutions from being deemed to be in conflict-of-interest situations.

           I presume you're talking about governing bylaws of the institutions themselves, who have taken it on themselves to declare that somehow they're special and different and that this is not in fact a conflict of interest. Is that correct?

           A. van Iersel: That is correct, Member.

           R. Sultan: Well, it strikes me as extraordinary. We know that these institutions pride themselves on their collegial approach to management and governance, but I think, given the huge sums of taxpayer money being expended in the post-secondary education sector….

           These institutions have grown far beyond the ivory tower on the hill, governing itself, to become major institutions of society accountable to lots of people, including the taxpayers. I would urge the government in its response, as it tries to incorporate your advice, to pay particular attention to pointing out to these institutions that it's just not acceptable.

           I don't know if you have any response to that, but that's my view, at least.

           A. van Iersel: Member, from our office's point of view, that's the reason we made the recommendation that the very good guidance that's now available to other organizations be applied in these cases. It would be my summation that some of this particular structure has been inherited from the past and needs to be reassessed relative to what would today be considered best practices.

           Here again, that's something we are encouraging government to do — to try and see in what ways the board resource and development office guidelines can be further extended — because I think these particular situations that you've referred to on this page of the report present a problem in regards to the independence question.

           R. Fleming (Chair): I'd actually like to follow up on that with maybe a government comment on it. The Office of the Auditor General only selected three community colleges, for example, and in all three cases they found there were no internal audit functions in place, nor did any of the three community colleges have a process to review the quality and accuracy of financial information. In fact, it seems that those three colleges were written up for several other problematic areas, including this business about the audit committee composition.

[1110]

           In two cases, it was the opinion of the Office of the Auditor General that it included members who couldn't be considered independent. I'm wondering if you have a comment on that.

           L. Wanamaker: I'd like to comment on the evolutionary nature of the guidelines and what we're doing in British Columbia. Given that these guidelines were actually released in February of 2005, we were a bit ahead of other jurisdictions in producing guidelines.

           Clearly, the expectation of audit committees and the expectations around best practices have moved since that time. We're clearly looking at other agencies and how to bring those other agencies under the guidelines in a way that addresses just this type of situation that's highlighted in the audit report. So I would expect that our new version of guidelines will get to the heart

[ Page 251 ]

of these issues and start to bring these agencies more in alignment with best practices.

           R. Fleming (Chair): Maybe a question just on the issue that other members have commented on, around the senior civil servants serving on audit committees. This would be, maybe, for a witness from the Office of the Auditor General.

           Is there a private sector analogy where there'd be similar senior management sitting on this kind of committee that would be considered a bad practice? Or perhaps the analogy would be where a major shareholder, for example, in a company would be sitting on this. I'm just wondering….

           The government witnesses suggested they didn't know where this recommendation came from. They hadn't seen it in other best-practice guidelines, yet it's in your report. If you could comment, please.

           M. Gaston: The origin of the observation is really around what's considered to be independence. I think it's on page 28 of the report. In the first paragraph under "Independence," we give a sort of high-level definition of what independence would be considered, and we didn't feel that having a senior public servant from a sponsoring ministry on the audit committee was consistent with that.

           It was more comparing best practice to a specific case that we were looking at. It may be fairly unique in the public sector. I can't think immediately of a private sector comparator.

           R. Fleming (Chair): So the danger in some cases is that that senior civil servant might have a personal interest in seeing things reported in a good light. Is that what you're getting at? Is that the potential conflict?

           M. Gaston: I think I would come back to Arn's earlier comment about how many hats someone is wearing. So if somebody is wearing two or more hats at an audit committee meeting, then they're not truly independent. It could be argued that a senior public servant from a sponsoring ministry is there as an audit committee member but also as a senior public servant from a ministry that has a very close accountability relationship with that organization.

           R. Fleming (Chair): Arn, would you like to comment on that?

           A. van Iersel: Yes, Chair, if I may. Here again we provide you with a number of documents. I just went into one of them to refresh myself. Here again I'm not saying this is the be-all and end-all of everything. But if you were to look at the Manitoba document, a companion office of our own in regards to function, 3.1.2 on page 6 talks about having "independent, financially literate members." It talks about an independent board member as one "who is not an employee of the organization, does not discharge any management or executive functions, is not affiliated with the organization or its management in any way, and does not have any significant transactions with the organization which would benefit their private interest." So there's one possible definition of independence.

           They talk about the majority of the members should be independent. We really wouldn't want to see anyone being put in a position of, "Well, what hat are you wearing today?" or: "Are you perceived to be providing advice that is inconsistent with a truly independent member?" Here again, we think the best governance comes from a fully functioning audit committee that is made up of all independent members who are there for their professional expertise — be it accountants, auditors or others — without any possible perception or direct conflict.

           R. Fleming (Chair): Thank you. Members, final questions?

[1115]

           B. Ralston: To reiterate what has just been said in this document that's been provided — the KPMG one, Shaping the Canadian Audit Committee Agenda. On page 8 the comment is: "Audit committee independence is the cornerstone of the committee's effectiveness, particularly when overseeing a company's financial reporting integrity and evaluating areas where judgments and decisions are significant."

           There's a long list of potentially related parties who are not permitted on audit committees. They recommend that they be independent directors. Certainly, the standard in private sector companies has been set very high. I think that's the concern that's being expressed, which I would share.

           R. Fleming (Chair): That was more of a comment, but if any of the witnesses want to have a final word on that…. If not, we will….

           A. van Iersel: I guess the one thing that I would really like to leave with the committee is to acknowledge the work of the Crown agencies secretariat and the board resourcing and development office. Here again, I would not want to leave this meeting with the impression that a lot of good work has not happened. It has.

           The question now moving forward is: how can you further apply those guidelines? How can you build those guidelines into best practice? So it's not that we're feeling there hasn't been a lot of work done; we do feel that. We just want to see it used to the fullest in regard to the government reporting entity for the purposes that those boards are there to serve. That's what I wanted to say.

           R. Fleming (Chair): Great. Well, thank you very much to all of the witnesses today. We will entertain a motion on the two recommendations, I believe, on page 26 of the report.

           J. McIntyre (Deputy Chair): I just wanted to ask a question. I was hoping that we might hear a government response, maybe from Ms. Wanamaker.

[ Page 252 ]

           R. Fleming (Chair): Certainly.

           J. McIntyre (Deputy Chair): It's about the issue of independence. It's sort of gone back and forth, and I understood or thought I heard that the next set of guidelines would incorporate and sort of be moving toward some of these. Do you mind? Just to sort of help clarify here, I guess: what's your thought and position on this whole issue of independence?

           L. Wanamaker: Certainly. I'll start, and Ms. Harrington will provide some further clarification. It's our position that any representative appointed to an audit committee has specific responsibilities to the agency and to the audit committee in particular. The roles and responsibilities of audit committee members are articulated, and the responsibilities are to the good governance of that agency. When you're sitting on the board, there are no other responsibilities for you to consider.

           In the case of senior public servants, who may from time to time be asked to participate in audit committees, those appointments are made by merit. They are made based on the qualifications of the individual being asked to sit on the audit committee, and they bring, generally, a specific skill or ability to that committee.

           The Auditor General made an important point earlier around sponsoring ministry. My comments were related to audit committees in general and not specifically to senior public servants who are members of a sponsoring ministry per se — the senior public servants who have the knowledge, skills and abilities to contribute positively to audit committees. We do not believe, in these situations, there is any issue of independence.

           J. McIntyre (Deputy Chair): Just a follow-up. Presumably they would be appointed not from a sponsoring ministry but by virtue of their skills and what they could bring to this particular board or agency, so there would be a rationale and a reason for their appointment.

           L. Wanamaker: That's correct. Any appointment would be based on merit and based on the knowledge, skills and abilities of the participant.

           J. McIntyre (Deputy Chair): Yes, okay. Thank you.

           R. Fleming (Chair): Thank you, Members. We'll entertain a motion on the recommendations of the report, page 26 — on the recommendations and the endorsement of the report.

           J. McIntyre (Deputy Chair): Is there any discussion?

           R. Fleming (Chair): Sure, there's discussion.

           R. Hawes: I'm sorry. I had to be out of the room, and I missed a bunch of the discussion, but I did hear the remarks of both before the questions. One of the concerns I had, then, was around what the government did point out, which sounded logical to me, with respect to civil servants and their independence, and their concerns with the Auditor's recommendation.

[1120]

           Also, there may be some situations where an audit committee might not be the right answer for a variety of reasons. So I do have some concerns with a blanket recommendation that disregards the government's comments that I do think are quite legitimate in some circumstances.

           I'm not sure how that would be framed in a motion or how the concern could be put forward. I would support, in general, the recommendation, but I would like it noted somehow that the government's concerns need to be addressed. If they can be addressed somehow within the motion, I'd be even happier.

           R. Fleming (Chair): Well, I would just note to members that in both the recommendations, there's no reference to civil servants or any tests of what defines independence. It refers to best practices, and I don't think there was any disagreement between either set of witnesses this morning on the language that's used in either recommendation, if that gives the member any comfort.

           R. Hawes: It seemed to me, Mr. Chair, that in adopting the full scope of the recommendations, some of the components that make up that recommendation, which would include not having civil servants on audit committees and also that every single entity must have an audit committee…. That was included in the general overall best-practices recommendation. By adopting that, we're paying no regard to the concerns that the government has mentioned, which I think are legitimate concerns. That's where my concern is.

           M. Polak: I suspect that part of the difference here is desired outcomes versus recommended methods for implementation. I'm making it as a comment, and I guess a question to the point being made between yourself and the member for Maple Ridge–Mission.

           By endorsing the recommendations — you're quite right that neither one makes any mention of the specific issue in play, with respect to the involvement of senior administration — is there an implication that one is then endorsing the specific methods for implementation that would take us to the outcomes which, I would agree, seem to be meeting with approval and acceptance from both bodies in front of us? But there is this difference of opinion with respect to the method of implementation.

           What exactly are we voting on if we're endorsing the recommendations? Are we including in that an implication that we endorse the method that would be chosen to achieve that?

           R. Fleming (Chair): The motion as it would read would endorse the two recommendations on page 26, and it would accept or receive the contents of the report, including the government response. So discussion is

[ Page 253 ]

discussion. I would say that where you have two perspectives, it wouldn't comment on that.

           M. Polak: So it wouldn't be inferred from that that we were endorsing one or the other position with respect to how to get there. It would still be a reflection of our endorsement with respect to the outcomes that are outlined?

           R. Fleming (Chair): As I said, it would receive the report and all its contents with the discussion around those items, and it would endorse the specific two recommendations that are on page 26. So yes, your interpretation, as I've discussed it with the Clerk, is correct.

           J. McIntyre (Deputy Chair): I share some of the same reservations — and I guess in a way I'm still not exactly clear — because I think we have to be leery about being overly prescriptive. I absolutely agree that the good work of the Office of the Auditor General has shown that we have ideals and things that we want to move towards and aspire to, like the issues surrounding independence and the need for audit committees and the important role they play. I think we all would agree on all of that.

           I just think, as actually the member for Maple Ridge–Pitt Meadows pointed out, that there are situations where…

[1125]

           R. Hawes: Maple Ridge–Mission.

           J. McIntyre (Deputy Chair): Sorry, Maple Ridge–Mission. My error.

           R. Hawes: You're putting me on the other side of the House.

           J. McIntyre (Deputy Chair): Sorry.

           It's important that we're not overly prescriptive, is my real point. And to say that point 2, the second recommendation, is absolutely mandatory…. I just have reservations here. Again, I guess I'm searching for the same thing.

           Can we modify the motion or recognize that these are ideals that we're moving to, but give the government some flexibility in moving towards it? That's what I would like to see.

           R. Fleming (Chair): Okay. I might direct members' attention to the government-provided PowerPoint presentation, because it does deal with the response to the recommendation specifically. It seems to be in full agreement with them as I read it. The commitment is there to in fact implement both recommendations.

           R. Hawes: Just a point of order. I'm not sure that it's your place to interpret, because I heard clearly what the government said. They clearly stated what the reservations were and where they didn't quite agree. The government said what they said in their response, and it isn't quite accurately reflected in what you just said.

           R. Fleming (Chair): I'm just trying to clarify what people are voting on, Mr. Hawes. We have a motion on the floor. There have been no proposed amendments to it, so maybe if members don't have any other questions on it, we'll proceed to a vote.

           H. Bains: I just want to make my point clear here. There is a report, and there are two recommendations within it. The motion is clearly to accept the report and adopt those two recommendations. There's nothing else in it. I think either we are accepting those recommendations, or we are defeating those recommendations. That's the way they should be read.

           M. Polak: I think, too, it's important to recognize that the recommendation is around the maintenance of independence with respect to audit committees. The other question where there was disagreement that arose was with respect to how one may achieve that. As was described through the Auditor General, practices around not just audit committees but accounting practices, etc., evolve over time. Certainly, the lens through which these are viewed is likely to do that as well.

           I'm satisfied if we are on record dealing with the recommendations, accepting the fact, as you said, that there is this discussion ongoing, and there's a commitment on the part of government to achieve an acceptable level of independence, albeit there may exist disagreement with respect to those definitions. It's outlined. It's there, and it's in front of us.

           J. McIntyre (Deputy Chair): I'm sitting here seeing whether or not you make a friendly motion and just rephrase these. I agree that's the motion on the floor. I'm prepared to support this in the spirit in which the recommendations are meant, but I still think it should be noted that some of us had genuine concerns about either the timetable or how you move to those ideals. I think that should be duly noted here.

           I guess we're really debating how to do that. I don't know if I look to the Clerk for some advice.

           C. James (Clerk of Committees): There are several options open to members here. One is, of course, to have a motion to either endorse the recommendations or not; or to endorse the recommendations and other material related that's included in the Auditor's report, including the government's response and some recognition of it; or to adjourn matter on this topic.

           R. Hawes: Could the Clerk explain option 2, as he stated it. What would a motion like that look like?

           C. James (Clerk of Committees): To adjourn?

           R. Hawes: No.

           A Voice: Option 2, not 3.

[ Page 254 ]

           R. Hawes: Noting the government's concern with the overall….

           C. James (Clerk of Committees): The motion is entirely in the hands of the members. In terms of a recommendation that would endorse the recommendations contained in the Auditor General's report on the subject, you could also say that not only does the committee endorse the recommendations on this subject but also appreciates the comments made by the government on this matter — or words to that effect.

           R. Fleming (Chair): Okay, committee, we have a motion endorsing the report. We need to be moving on here.

[1130]

           R. Hawes: I'd like to move a friendly amendment, and that be that we add the phrase the Clerk just outlined.

           R. Fleming (Chair): I hope that was clear for Hansard: to endorse the recommendations of the report and note the discussion and government response within that report. I may have cluttered that up a bit, but….

           On the amendment.

           H. Bains: I would like to speak against that amendment, if that's what they call the amendment. I would be voting against the amendment, because I don't think that's the intent of that report. The report is clear. Then there was a discussion back and forth from the government and from the Auditor General. Both answered, I guess to each other, about those concerns.

           Everything is there. I don't think there's any need to make further amendments to it. We are adopting the report. We are adopting the two recommendations. That's where it should be.

           R. Hawes: I'd like to speak to the amendment, then. Maybe the Clerk can provide some clarity. We will be making a recommendation to the Legislative Assembly which basically says that the Legislative Assembly should adopt all of these recommendations. If we do, then really what the Legislative Assembly is saying is — without noting what the government's concerns are — that you should just proceed with this in its entirety.

           The government has already stated that they have some concerns with that. I have some concern about not recognizing those, because in future I'm sure what's going to happen is that there will be circumstances, for example, where an audit committee really isn't necessary and isn't advisable in some entity. Yet the Legislative Assembly would have passed something saying that the government should always do that.

           The government, at the end of the day, has the right to make decisions. But frankly, I would not like to see that come back at some time — saying that the government isn't complying fully because they've stated the circumstances up front under which it might not be advisable. So I don't want to be saying to the Legislative Assembly, "Just adopt this holus-bolus," because the government does have concerns that I think are legitimate. I think this committee should recognize that those concerns are legitimate.

           R. Fleming (Chair): I'm not sure if that was a question for the Clerk as much as speaking in favour of the amendment.

           R. Hawes: What I want the Clerk to do is just acknowledge that this isn't just: "We accept this, and that's the end of it." It goes to the Legislative Assembly to adopt. If the Legislative Assembly adopts it, we then have recommendations completely endorsed by the Legislative Assembly.

           Interjection.

           R. Fleming (Chair): Excuse me. I've got a speakers list. Is there anything to confirm?

           C. James (Clerk of Committees): I don't think there is, other than that Mr. Hawes is correct.

           R. Fleming (Chair): You're correct about the procedure. I saw Mr. Black and then the Deputy Chair.

           I. Black: I think the problem area that I see is this. You're correct. Hansard reflects the fact that we've had some back-and-forth dialogue take place — more so from our witnesses than from us, quite frankly. The concern is that the motion in its original format essentially has this body called the Public Accounts Committee, for lack of a better phrase, choosing a side in terms of the view on a fairly complex issue which the government has presented.

           There are some other considerations that aren't necessarily contained within the Auditor General's point of view on this. By going forward with the motion as it is currently worded, it basically says, "Well, we are picking the answer we like better," in a matter which we are conversationally now saying is not quite as cut and dried as that. I'm not as inclined to say that it has to be as cut and dried as what you've just said, because I think that does not reflect the differing points of view in a very complex area.

           J. McIntyre (Deputy Chair): I agree with the former two speakers. I'll repeat my view. I think that we can't be overly prescriptive. This says: "mandatory, all agencies and organizations." There are situations with organizations winding down or starting up. I mean, there's a whole variation. There are probably some instances where school districts and school boards are very tiny.

           It's just not a one-size-fits-all thing. I agree. The discussion has clearly shown that there's some back-and-forth and that there's some difference of opinion or that some flexibility is required.

           We all agree on the spirit of moving towards the ideal and best practices. We've already heard that we're

[ Page 255 ]

the gold standard in the country on this. I mean, we're sort of getting into a-little-bit-silly territory. I don't see why this moderate version of endorsing the recommendations — but mindful of government's response — and giving government some flexibility in moving towards these things is not a happy compromise here that we can all agree on.

[1135]

           R. Fleming (Chair): I'm going to proceed to the vote on the motion as amended.

           I. Black: Can you read it back, please?

           R. Fleming (Chair): No.

           People are going to have to propose amendments that are in writing for my benefit and for the benefit of Hansard. But it basically endorses the report, the recommendations, and notes the government response. And I'm sorry, but Mr. Hawes will have to clarify his amendment.

           Interjection.

           R. Fleming (Chair): We'll vote on the amendment first.

           R. Hawes: I guess it would be that we accept the recommendations of the Auditor General, noting that the government has outlined where some exceptions may be necessary.

           R. Fleming (Chair): Okay, that's clearer.

           Amendment approved.

           Motion as amended approved.

Advertising for Auditor General

           R. Fleming (Chair): We're on to item 8. Again, thanks to the acting Auditor General. Several committee members were telling me just this morning that they don't have enough to read, so these additional four reports you provided are greatly appreciated.

           We will have, very briefly, an update on advertising for the Auditor General from Craig James.

           C. James (Clerk of Committees): Very briefly, the committee has placed ads in all the daily newspapers across the province and in selected dailies across the country. The deadline for receipt of applications is this coming Friday.

Other Business

           R. Fleming (Chair): Item 9. I bring to the committee's attention one item, and that is the written responses from the Ministry of Health regarding some questions on the Pharmacare report from several members at the last committee meeting. So that will be circulated in hard copy for you. Please get a copy before you leave this morning. That takes us to the end of the meeting.

           Motion to adjourn, please.

          The committee adjourned at 11:38 a.m.



Copyright © 2007: British Columbia Hansard Services, Victoria, British Columbia, Canada