The committee met at 8:03 a.m.

[S. Bond in the chair.]

S. Bond (Chair): Good morning. Thank you very much to everyone for joining us at this early morning meeting. We thought it was important to keep moving through the reports that the Auditor General’s office has prepared. We do have a number that we need to work our way through. Today is a relatively light agenda. Having said that, our next meeting will be much more onerous in terms of the homework that committee members need to do.

We’ll begin this morning with looking at the Auditor General’s report that was released in January of 2019. The title of the report is the Master Supplier File Maintenance audit. We’re joined this morning by the Auditor General, Carol Bellringer, and, obviously, the comptroller general, Carl Fischer, and a number of their staff and team.

We’ll proceed as we normally do. We’ll hear opening remarks from the Office of the Auditor General. I’m assuming they will make their presentation, and then we’ll have the comptroller general respond as well.

We want to thank you for your work. With that, good morning, and we’ll ask you to begin.

Consideration of
Auditor General Reports

Master Supplier File Maintenance

C. Bellringer: Thank you so much. Good morning, Madam Chair, and committee members. Thank you for inviting us to present our report Master Supplier File Maintenance.

With me this morning on this report are Jacqueline McDonald, the engagement director, and Barbara Underhill, the engagement manager. Sheila Dodds, the Deputy Auditor General for the audit, is unfortunately unable to join us today.

Just to remind you of the…. This is another audit from the CCR group — the compliance, controls and research group — which is the same group that did the audit, if you recall, on school district 61, on the executive expenses.

[8:05 a.m.]

Effective program controls are a function of good management. Program and system controls exist to prevent problems and to identify problems when they occur so corrective action can be taken. In this audit we looked at the Ministry of Finance’s controls to maintain the master supplier file in the corporate financial system. The master supplier file is a central list or a database of all individuals and organizations that have been approved to receive payments from government.

The Ministry of Finance owns the master supplier file, so it’s responsible for the validity and accuracy of the content of the database. This is important to note because controlling the content and maintaining its accuracy lessens the probability of problems occurring, such as the potential for errors or fraud in government payments.

Overall, we found that the controls for the master supplier file weren’t adequate and didn’t do enough to ensure valid, complete and accurate supplier records. In the report, we make five recommendations to the Ministry of Finance. The last time we looked at the controls for maintaining the master supplier file was in 2006, and since then, the Ministry of Finance has made improvements to its controls. However, some key weaknesses that we identified back in 2006 still exist today. I would like to thank the staff of the Ministry of Finance for their full cooperation and assistance during our work on this report, and I’ll now turn the presentation over to Barbara Underhill, who will provide a more detailed overview of the audit findings and the recommendations.

B. Underhill: Thank you, Carol, Madam Chair and committee members. In this audit, we looked at the Ministry of Finance’s controls to maintain the master supplier file in the corporate financial system. Overall, we found that the controls for maintaining the master supplier file weren’t adequate and didn’t do enough to ensure valid, complete and accurate supplier records. Controlling the content and maintaining its accuracy lessens the probability of problems occurring, such as errors or fraud in government payments. The Ministry of Finance owns the master supplier file, so it’s responsible for the validity and accuracy of the content.

The master supplier file is a central database of all the approved companies, individuals, employees, societies or programs that government pays in exchange for the goods or services it receives. It provides grants to…. Every organization and individual in the master supplier file database is referred to as a supplier.

The last time we looked at the controls for maintaining the master supplier file was in 2006. You can find the details of that audit on our website in a report titled Audit of Government’s Corporate Accounting System: Part 2. Since then, the Ministry of Finance has made improvements to its controls. However, some key weaknesses that we identified in 2006 still exist today.

In the audit, we found that the Ministry of Finance didn’t do enough to ensure that any additions or changes to supplier records made by ministries and agencies were valid, complete and accurate. We also found that the Ministry of Finance didn’t regularly look for and remove duplicate records or follow government’s records management policy for the master supplier file, which requires the ministry to regularly flag and remove inactive and obsolete records.

As a result of the ministry not regularly identifying or purging records that aren’t being used, the number of records in the master supplier file has increased over the past decade. Of the suppliers marked as active, over 78 percent had not received any payments through the corporate financial system in the two years between December 2015 and November 2017. Failing to remove duplicate and obsolete records makes the master supplier file more difficult to use and maintain. It also increases the risk that errors or fraud could occur.

[8:10 a.m.]

During our audit, we found evidence of over 120 potential duplicate payments over a two-year period. The ministry verified that about 70 percent of these cases were payment errors. Most of these errors had already been identified and corrected. Outstanding errors were under review when we concluded our audit. Stronger controls in the master supplier file would lessen the chances of these types of errors occurring. We also found gaps in the Ministry of Finance’s guidance to users of the master supplier file.

In conclusion, we made five recommendations to the Ministry of Finance in this report, including for the ministry to conduct periodic audits of user access to the master supplier file to ensure the security of the supplier records and to establish a regular file maintenance schedule.

Thank you, Madam Chair and committee members.

S. Bond (Chair): Thank you very much, Barbara. We appreciate that. We’re going to ask for a response. I believe….

Carl, will you be providing that today?

C. Fischer: I will, Chair. Thank you.

S. Bond (Chair): All right. If you wouldn’t mind introducing your staff for the record, that would be fantastic.

C. Fischer: Certainly. Thank you, Chair. I have with me today Steve Rossander, the executive director of corporate accounting services, and Alex Kortum, the executive director of our compliance branch. While we’re getting set up, I’ll just provide an introduction.

Responsibility for the corporate financial system reverted to OCG four years ago. Since then, supplier maintenance has been one of the areas we have focused on. We focused on supplier because there was a lot of improvement that could be achieved, and though supplier or vendor management is not used by government as a key financial control, good data hygiene is essential to effective and efficient system operations.

Steve and his team at corporate accounting services have made significant improvements over the last four years, particularly in automating processes and supporting ministry staff who manage supplier information at the front counter. We’re at a place now where it was a great benefit to us to have OAG provide an independent evaluation. That helps us evaluate the effectiveness of the changes we have made and identify where we have to focus our efforts in the future. We appreciate the support of OAG in this area and accept the recommendations they have approved.

One note I’d like to make is to clarify some of the acronyms we use. CFS, or the corporate financial system, refers to the IT environment that manages government’s general ledger. CAS stands for corporate accounting services. That refers to the branch in OCG that manages and operates that IT environment.

I’ll pass it over to Steve for the next couple of slides.

S. Rossander: Thank you, Carl.

The scope of the corporate financial system is significant. For example, it supports over 32,000 users from all ministries as well as several broader public sector organizations. It processes over 30 million transactions and produces over 220,000 financial reports annually, with a 99.7 percent availability.

Supplier is one element of the corporate financial system. While it’s not the largest, we do recognize the need to focus on this significant element as an interface with our ministry stakeholders.

In terms of supplier over its lifespan…. Over time, the supplier file maintenance process has evolved. The focus of the enhancements made to this process has been to improve validity, accuracy, reliability and security of the supplier data as well as to improve the overall efficiency of the process for the government.

Prior to 2002, every ministry had their own supplier lists. In this case, ministries would fax their supplier request to corporate accounting services, who would then rekey them into what was the Walker system of the day.

With the implementation of Oracle E-Business Suite in 2002 as the government’s new corporate accounting system…. This gave us, for the first time, a singular supplier list as well as the ability to eliminate the rekeying that was going on, enabling ministries to key their own information in using an on-line form. This improved not only the data quality but also the efficiency and reduced the delays in making payments to the public.

[8:15 a.m.]

In 2007, additional data fields were added, such as the business number, to further improve data quality of the supplier file.

In 2009, we created an ability for ministries to batch-upload supplier information from their own systems, where they also have information on people they deal with. And since 2014, when CAS returned to the office of the comptroller general, we further improved the supplier file maintenance by adding additional enhancements such as a real-time supplier upload from ministry systems. We masked the SIN number to improve data security and privacy and, as well, added a B.C. Mail address validation.

I’ll now pass it back to Carl Fischer for the next slide.

C. Fischer: The result of OAG’s review was better than I had initially expected, given the size of the supplier file and the long history of supplier management — how it’s evolved from a very primitive or wide-open environment to the more functional or organized environment we have now. OAG found that there were 125 potential duplicate suppliers in a file of 881,000. Duplicates usually happen when ministry personnel make a keying error — for example, entering a space instead of a hyphen — or when clients identify themselves slightly differently than the last time they engaged with government. Something as simple as using Rob instead of Bob could result in a duplicate supplier being created.

Duplicate suppliers have not always been simple to identify. For example, it’s entirely possible to have two individuals with the same name living at the same address. For example, my father and I had the same name, and for a long time, we lived at the same address. OAG also found 108 duplicate payments to similar suppliers in a population of 4.6 million payments. Duplicate payments can happen when we have two supplier sites at the same physical address. For example, in large accounting or law firms, each partner or division is a separate supplier. They both have the same style of address and the same physical location, so it’s very easy to select one supplier site versus another.

When a payment goes to the wrong place, the issuing ministry normally gets a call from the intended recipient. The payment is identified and cancelled, and a new one is issued. While these occurrences are very small in relation to the numbers we are dealing with, our goal is always 100 percent accuracy. Good data hygiene is critical to achieving that. We do, however, recognize that as long as there is human intervention in any part of the process, there will be errors.

In recommendation 1, OAG recommended that supplier guidance be included in the core policy manual of government. That guidance has traditionally resided in procedural guidance published by corporate accounting services, which is a good way to do it, because they maintain a close relationship with all the users across government who manage suppliers and regularly provide them with updates and revisions and reach out for training on significant changes. We accept that the recommendation will include the appropriate policy-level guidance in the core policy manual and continue to maintain the web link to the CAS supplier maintenance manual to ensure that all of the information is available to users.

Alex Kortum has the next slide.

A. Kortum: Thank you, Carl.

Security of supply records is very important to government, and we continue to build on our security and access controls as our operating environment evolves. To date, we have not identified any unauthorized changes to the master supplier file. In addition to our current processes, we are committed to implement this recommendation and will implement a stand-alone exception report that will identify changes made to supplier data by unauthorized users, and enhance our testing of the supplier maintenance form by adding a test case that checks to see if unauthorized users can access the form.

C. Fischer: OAG recommends that a unique identifier is included for all supplier records. Identity management is at the core of supplier file maintenance, particularly for governments. Unlike industry applications, it can be a real challenge. When we use the term “supplier,” we are really talking about the wide range of financial counterparties that government transacts with.

[8:20 a.m.]

Some are traditional suppliers of goods and services, but a large number are organizations and citizens who pay fees, receive refunds or government transfers. It also includes employees and appointees, because government is accountable to the public for all payments made.

Some of these counterparties do not have designated identification. That can be because they may be youths or disadvantaged, or they could be from another jurisdiction or another country. Governments do not refuse services because someone does not have the right kind of ID. Another issue is that government is also subject to privacy considerations that restrict the ability to collect certain types of common ID. A social insurance number, for example, is not permissible for government to collect for these purposes.

What we will do is reinforce the need for at least one unique identifier for all supplier requests. If there is a client that needs a payment urgently and does not have ID, we will generate an exception report, so that we can work with the contact ministry to ensure that an appropriate proxy — for example, a case number — is applied to support the supplier file while still meeting the needs of clients for timely payment.

Our long-term goal is to align with the ministry implementing the B.C. service number, because the best solution is to minimize exceptions and to serve the public better by supporting and enhancing a common identifier with broad coverage to our entire client base. I don’t want to understate that this is the most significant issue we have to tackle, and it will take many years to accomplish.

Steve has the next slide.

S. Rossander: In recommendation 4, the Office of the Auditor General recommends we establish a maintenance schedules for suppliers. We accept this recommendation. In addition to the extensive maintenance that is already built into the regular operations for the corporate financial systems, we will add specific supplier file maintenance elements to ensure that it is a focus for us. For example, we will define “supplier inactivity” and implement a supplier inactivation schedule. Further, we will add queries and reports, similar to what the OAG used in this audit, to identify and take action on potential duplicate suppliers.

With respect to recommendation 5, the Office of the Auditor General recommends that the OCG adhere to the current records management schedule for supplier records. The original supplier records were set to be deleted after two years. However, since that time, we’ve discovered that deleting supplier data from the corporate financial system has significant systems impacts and does not meet our current business requirements. With this in mind, we have engaged with the government’s records management office to reassess the retention requirements for supplier records and to make recommendations for changes where necessary to support government’s business requirements.

I’ll now pass it over to Alex.

A. Kortum: Every day the government makes thousands of payments, in a complex operating environment. It is important that we have a rigorous compliance and monitoring program in place to manage our financial risks. OCG’s role is to work with ministries and central agencies to provide a corporate monitoring mechanism to improve compliance with government core policy and to strengthen the financial management framework.

The government of British Columbia’s financial management framework sets out government standards for sound financial administration and control across all ministries, consistent with the Financial Administration Act, Treasury Board directives and the Core Policy and Procedures Manual. The common and consistent understanding of the framework, based on criteria for good financial management, helps ensure that financial management roles, responsibilities and performance expectations are fully understood and achieved.

OCG’s compliance monitoring activities are performed on a monthly cycle to provide ministries with risk-based timely assurance results with actionable reporting. Compliance testing focuses on payments within the consolidated revenue fund, paid through the corporate financial system for the procurement of goods, services, construction, government transfers, corporate cards, employee travel, reimbursements and advances. OCG uses a risk-based compliance model to ensure broad risk-based coverage of ministries and programs. This approach reduces repeated sampling of low-risk high-payment-volume programs.

[8:25 a.m.]

Finally, OCG supports ministries by identifying where opportunities for improvement exist, such as areas of financial risk or internal control weakness, and enables the development of risk mitigation and response strategies across all ministries.

With that, we conclude our presentation.

S. Bond (Chair): Thank you very much. We appreciate the presentation — both presentations today. With that, we’re going to ask for questions from members.

J. Yap: Thanks to Carol and Carl for your presentations.

Certainly the payment system has come a long way since the ’90s when…. I see you had up on the slide that fax machines were in use. Of course, technology has been part of this as the demands on the system have grown over the decades.

In your findings, Carol, there were duplicate files. I think you found 120, 125. The majority of these — I think it was 70 percent — were just duplicate errors. My question is: what about the balance? Where I’m coming from is: was there any evidence of fraud or wrongdoing among that sample?

B. Underhill: No, there was no evidence of fraud or wrongdoing in the samples.

J. Yap: Following through on this, what were the dollar amounts involved, of the 120? Do you have that, or a ballpark figure?

C. Bellringer: On the duplicate payments, if you go to page 19, it’s looking for the type of error where the supplier was paid more than once for the same invoice. There were 54 of those that added up to $65,826, and 63 percent of those were errors. Then we also looked for more than one supplier with similar names paid for the same invoice and found 74 of those, and that added up to $583,230, and 73 percent of those were errors. I think that’s the only dollar value that we add up in this report.

J. Yap: Okay. And the context of this is a total payment system of $37 billion — that figure up there. In percentage terms, it’s small, so I can appreciate the perspective here.

If I may, Carl, you mentioned the SIN, or social insurance number, and I thought I heard you say that it was not…. Was it a non-acceptable form of identification? Was that what you had said?

C. Fischer: Historically, a social insurance number was used as a very good form of identification, simply because everyone, or a large proportion of our population, uses them.

Modern privacy considerations prohibit the use of collection or retention of the social insurance number unless provided for by legislation. In British Columbia, this is not a program area that provides for the collection of the social insurance number, and it is unlikely that the privacy authorities within British Columbia would ever change their mind and think that it’s good idea for government to use that.

We have similar challenges with other common forms of identification, like the B.C. driver’s licence, which, for many years, was considered a great identifier for people.

It is becoming more complicated for very good reasons. We do have to respect the privacy of the public, but we also have to find that perfect way to balance how we reliably identify people within an electronic-information environment. So it’s a bit of a challenge.

[8:30 a.m.]

To go back to your question about the amount of payments, we actually did follow-up work. We do agree that 108 of the total payments of 4.6 million, worth a value of $495,000, were issued in error. The important part there is that ministries identified and reversed those payments and then reissued them to the correct supplier.

Some of them were significant. As I mentioned before, law firms and accounting firms are the most common instance where we see duplicate payments to people. A significant proportion — I think over 50 percent — of those payments were under $100. Still a risk, but when you look at it in terms of error rate, on a dollar value, it is 0.0006 percent, which is very marginal.

J. Yap: If I could come back to the social insurance number. You had, on one slide, indicated that it is protected or masked. With the recent collection of social insurance numbers with the spec tax registration that homeowners have to do, I’ve heard from constituents who have a concern about the fact that government is now collecting social insurance numbers. Would that be covered under your program — that the masking would happen?

C. Fischer: No, they are two different programs. There’s a specific legislative provision for the collection of social insurance numbers for the taxation purposes related to the spec tax. The social insurance number was originally developed and implemented as a taxation provision for the federal government, so there is a natural alignment there, and there is a recognition that the obligation of people to participate in our voluntary tax system requires that kind of identification.

We unfortunately can’t translate that to say: “Well, that means you can use a social insurance number for all financial circumstances.” Every ministry and every program has to look at their actual requirements and privacy obligations individually and do a privacy impact assessment to see whether it’s valid or appropriate to collect, retain and use any identifier or personal information — even names, addresses, telephone numbers, email addresses.

S. Bond (Chair): Thank you, John.

Before we move to Rick, I just want to make sure you have this on the record for clarity. The overpayments were corrected, so government did not lose money. Because when you look at the one category, according to the Auditor General, it was more than half a million dollars. So that was recovered by government, and there was no loss of government funds?

C. Fischer: Yes, there was no loss resulting from supplier payment errors. In the majority of instances, the payments were reversed before they were cashed or collected. What’s very common is that our contracting relationships with law firms or IT firms or accounting firms…. I don’t want to keep picking on accountants or lawyers. Well, maybe I do. We have a very close, ongoing relationship, and when a payment gets directed to, for example, KPMG partner 1 instead of KPMG partner 2, both in the same physical location in Vancouver, the usual process is that the ministry will get a call saying: “Oh, you have this to the wrong supplier. Can we get a new cheque?”

S. Bond (Chair): I think it’s an important clarification for the taxpayers of British Columbia.

R. Glumac: I had a question about recommendation 3 and this whole conversation around personal identifiers. Was this recommendation also made in 2006, when this audit was done originally?

B. Underhill: There was a recommendation made in 2006 around updating unique personal and business identifiers. Since that time, it’s my understanding that the Ministry of Finance did do quite a bit of work in the business identifier in terms of encouraging ministries to provide a business number when they’re setting up a supplier.

[8:35 a.m.]

We did find that many suppliers did have a business number attached to them, although because this is not mandatory, many did not. Then there was the issue with the unique identifier for individuals that wouldn’t have a business number. So yes, that recommendation was made in 2006.

R. Glumac: To follow up, for businesses, why wasn’t it made mandatory?

C. Fischer: The simple reason is that the organizations we deal with — businesses or societies, trusts or other organizations — aren’t all resident in British Columbia or Canada, so we can’t have a mandatory field. For example, B.C. business number is our preferred identifier, but organizations outside British Columbia, of course, don’t have it.

While we do everything we can to encourage or support a common use, because we are government, we can’t prohibit people from engaging in government services because of their circumstance or the identification that they do have.

R. Glumac: When there’s a contract made between the government and a supplier, is that contract also stored electronically in a system across government that is uniform?

C. Fischer: Parts of them are. We don’t currently have a corporate contract management solution that creates a central repository of comprehensive contract information.

R. Glumac: In my mind, that is the way that you marry these things together in a uniform way. Like, if you have a contract, that’s the time when you assign an identifier to an individual or a business. That identifier gets associated with that contract, and there’s no way that could ever be confused with any other individual or business.

Did that ever come up as a recommendation? Is that something that government is considering doing? It seems like that would be the best way to deal with this situation.

C. Fischer: Yes, absolutely. A corporate contract management solution is a high priority right now. I’m involved with other parts of government on a steering committee to determine what we need and how best we achieve that. We’re at a place now where technology has matured to the point where we can actually have a contract management solution that we could apply universally.

One of the challenges in the past has been that the only thing worse than not having a contract management solution is to have a contract management solution that’s only partially implemented — to compromise us with partial information. It will go a long way to aligning identification.

Our ultimate goal is to do away with separate lists of identifiers for contract management and payments or other financial services and point to that single source of truth. We think that the best solution to get there is to work with the Ministry of Citizens’ Services, who are actively taking the lead on identity management through initiatives like B.C. service number for individuals and B.C. business number for organizations.

We’re also getting to a place where, hopefully, at least within Canada, there’ll be greater alignment between jurisdictions to help identify and recognize an electronic signature for organizations — not just businesses, but charities, not-for-profit societies, etc.

R. Glumac: That’s great. I know the Ministry of Citizens’ Services is also doing cutting-edge work, using blockchain to create a unique identifier for businesses. I’m glad to hear that that’s something that you guys are working towards.

S. Bond (Chair): Thanks, Rick. Those are important questions. I appreciate that.

R. Sultan: Why were not all of the Auditor General’s recommendations of 13 years ago implemented?

C. Fischer: I didn’t respond to the report 13 years ago. We have reviewed it. The reason that all of them weren’t implemented was that at the time, they were impractical or too expensive to effectively implement. There was uncertainty for things like retention periods of data. That’s been something we’re struggling with, and we’re working with the government records management office to amend the schedule for retention.

[8:40 a.m.]

Since that time, technology has changed, business processes have changed, and we’re better able to tackle some of those outstanding issues. As part of this process, Jacquie and Barb provided their assessment of the outstanding issues from 2006, and Steve has worked with his team at corporate accounting services to work them into a workplan.

We love all recommendations. Any advice that we can get to improve the efficiency of the system is positive for us. One of the challenges we do have is working all of the opportunities into our workplan that we can execute with our limited resources, so we do go through a process of prioritizing to see where we get the biggest result.

R. Sultan: So looking ahead another 13 years from today, how many of the current Auditor General’s recommendations do you feel in your heart are “impractical”?

C. Fischer: I don’t think any of them are impractical. We’ve had very good discussions during the process, and we agree that these are all things that we need to target. I think that the biggest challenge will be identity management. As much as we would like to say, “You must have this certain type of identification to get any payments from government,” I don’t think that’s realistic. I think that we will have to continue working internally, as well as with our ministry stakeholders that use supplier and the Ministry of Citizens’ Services, to keep chipping away at that challenge.

I also recognize that, whatever we do, there will always be counterparties that do not have the ID that we would love them to have. Whether they’re individuals or organizations, the nature of government is that we support all people and organizations that need the help of government, regardless of whether they happen to have a driver’s licence or a social insurance number or any other form of identity.

The challenge is: how do we deal with those circumstances? The approach that we are working towards now is to go outside of the system. We have a very effective compliance organization, which Alex leads, to get compliance support, to generate exception reports when things don’t meet norms and to determine what the best follow-up is for that relevant program or ministry or activity that generated the supplier.

For example, we do an awful lot of work with the Ministry of Children and Families and the Ministry of Social Development and Poverty Reduction because those are circumstances where there are a lot of payments out to individuals. They’re very urgent. We can’t let accounting slow down the necessary social support that people in need deserve. We have to work around their requirements. That’s challenging, but it’s also quite interesting in terms of our work.

R. Sultan: I thought the phrase you were going to introduce…. When you qualified the disbursement strategy “when” or “whether,” I thought you were going to say: “Whether entitled or not.”

Let me ask you, as a very experienced keeper of a $55 billion a year flow of taxpayer and other revenues through government…. It’s by far the largest fiscal entity in the province; it dwarfs every other one. What do you think the percentage loss rate through mistakes, errors and — this previous question asked of Barbara — fraud and wrongdoing might be, as a guesstimate?

C. Fischer: Very broadly, our research kind of reaches out to industry organizations. One we rely on quite commonly is the Institute of Finance and Management, which is a North American trade industry that conducts a lot of surveys and does a lot of work in the area of accounts payable management. That’s where payment errors are, like duplicates or sending payments to an organization when it isn’t required and losing the money.

[8:45 a.m.]

They indicate that some of the best-performing organizations in North America have duplicate payment rates of up to 3 percent. I have heard recently that the U.S. federal government has a duplicate payment rate of 4 percent. The industry norm or average is somewhere between 0.1 percent and 0.5 percent. And 0.5 percent is normally looked at as the indicator that you need to review your internal controls or do some good spring cleaning in your data.

As OAG found, our rate of duplicate payments is 0.0006 percent, so that’s really high performance, comparatively. But our obligation to the public is, I think, a bit more rigorous than industry norms, so our target is always 100 percent.

R. Sultan: Well, Carl, don’t you think the gap between your claimed 0.0006 percent and what you describe as industry norms at perhaps one-half of 1 percent, or even as high as 2 or 3 percent, is a rather startling gap? I mean, you folks should be on the lecture circuit explaining how you achieved 0.0006 percent when the rest of the world seems to struggle to get it down to be as low as, say, half of 1 percent.

C. Fischer: You know, I’m happy with where we are at. I think that the benefit that we have is that we don’t rely simply on system controls or management to monitor and govern our payment.

We do have a very effective compliance management process. Alex has about 20 people who are very keen young people, innovative, who spend all day analyzing all of the data that comes out of our corporate financial system, identifying things that fall outside of normative risk parameters and following up with ministries, in particular the chief financial officers, to identify risks that they need to follow up on.

We don’t have a big problem with duplicate payments. I think over the past four years, in particular, Steve and his team have worked on engaging with those ministry front-line staff to help them understand how their life will be better if they pay more attention to gathering the correct information.

But we do still have problems, right? As OAG pointed out, we do have 125 duplicate suppliers. That’s unfortunate. It’s a challenge, always, to identify them, but that’s something we want to improve on. And in a year and a half, we did have 108 duplicate payments that did go out. It’s not a big number, but it’s still a number, and it is $495,000.

Those are the things we want to identify. To date, we haven’t identified any loss resulting from duplicate payment errors. We actually went back through our forensic investigation files and could not find an instance where accounts payable was used to defraud or exploit a weakness in the control environment. But that doesn’t mean it can’t happen in the future.

R. Sultan: Well, let me observe that I find your confidence admirable. But I, based on my many, many years of business experience, would have to report to you and my colleagues that fraud and wrongdoing are always present, in every organization, regardless of the degree of diligence and controls in place. It’s just a fact of life.

I could cite three small case studies very quickly. Royal Bank of Canada. We had an inspection department. The bank inspectors would descend on a branch without warning, and they more than paid for themselves. The most vivid example was the bookkeeper who took all of her friends on rather expensive vacations to Paris on the weekends and covered it up rather well. She was the most helpful as they examined her books.

The second case. I was chief operating officer of an international conglomerate. The head of accounting seemed to spend most of his time in the men’s room during the day. I finally went through several levels of chain of command and fired him. After he left, the rather large number of payments made to something called KCS System was uncovered, and that was Keeping Charlie Solvent. That was his own personal bank account. I’m not sure of the extent of the defalcation, but it was perhaps half a million dollars.

[8:50 a.m.]

Third case in point. I foolishly bought a mutual fund company, and it was losing a lot of money, so I shut it down. The ladies helped me disburse the funds. They did so very accurately, it seemed to me, but realizing I had to account for this rather failed business experience, I thought I’d better teach myself some accounting and do the debits and credits of the final set of books. There was a $35,000 cash transaction that I couldn’t account for. I was audited, and the CRA fellow said: “Well, you must have taken that money yourself, Mr. Sultan. You must pay income tax on it.” I finally realized the odds were that one of these helpful ladies disbursing all of the client money had decided to take about $35,000 for themselves as a bonus on the way through.

These things happen in business. It’s not shameful to admit this. Surely, it happens to a rather significant degree in government as well. The complacency that I detect here is a bit concerning to me. I think you should have renewed diligence so that 13 years from now, whoever is sitting around this table asking you these same rude questions, you have a very transparent, honest and candid response. And 0.0006 percent strikes me as being a little bit implausible.

Thank you, Carl.

C. Fischer: I don’t suggest that we’re not subject to fraud. Fraud does occur. It occurs every year. My comment was in relation to the accounts payable process. That’s not where we have seen occurrences of fraud or loss. Fraud or loss in government is much more prevalent in the use of purchase cards, travel cards, petty cash management or front counter cash management — those places where it is relatively easy to get attracted or seduced by attractive assets.

We do have instances of fraud. We don’t go into detail publicly about where they occur or how they are perpetrated because of privacy considerations. As well, we don’t want to advertise where our vulnerabilities are.

We do have fraud awareness. We have a forensic unit, a compliance unit and an internal audit shop. We are very diligent about monitoring, assessing and identifying the risk of fraud as well as the risk of error.

The ratio of 0.006 is simply math. It’s related solely to the duplicate payments identified in this audit. I’m not suggesting those are the only errors that government’s financial management environment is subject to, but it is an indicator for us that at least we’re on the right track. Having said that, the only way to get better is to work with even more colleagues in the OAG to keep challenging ourselves to figure out how we can improve the hygiene in the processes and keep moving forward to that ultimate goal of 100 percent, even though we’re never going to get there.

S. Bond (Chair): Thank you, Ralph. I don’t know. There’s something that makes me believe you might well be one of the people 13 years from now sitting around here asking that question. It would not surprise me in the least.

Carol, you had some comments.

C. Bellringer: My term’s up in three years, so it won’t be me.

I just wanted to clarify the nature of this audit. It was only on the master supplier file processes as to how well they were being managed. Where we found the duplicates, we just ran a couple of tests. We didn’t design that to determine what the error rate was. We ran a few things to see whether or not duplicates were getting through the system, and we had our IT data analysts figure out some things we could do with the database.

I do agree that we didn’t find a large error rate from those tests, but that wasn’t the objective of this particular audit. It was to look at overall controls.

[8:55 a.m.]

I will say, again, we can provide comfort over…. There was an acceptance of the recommendations, and we did see the direction of realizing that certain things could be better done. Some of the results are — I won’t say purely by luck as opposed to design, but there are improvements available in the design to get that confidence higher. Again, in terms of fraud, we didn’t seek out what kind of fraud is occurring in the system. That wasn’t the objective of this particular audit.

S. Bond (Chair): Thank you for that clarification.

Mitzi, it’s your turn.

M. Dean (Deputy Chair): Thank you, Chair, and thank you to the comptroller general as well for making that statement of not letting accounting get in the way of making sure that people get payments when they need them. That’s really important.

I just have a couple of questions that I think the committee needs a little bit more clarity on, particularly, actually, coming back to some of the questions Ralph was asking. From the 2006 audit and recommendations that weren’t completed and weren’t addressed, how do we know that now we’re in a better position to address them and have them completed? You talked a little bit about some of the barriers after the 2006, but I don’t think that’s left us in a particularly stronger position of knowing that these recommendations are going to be completed and within the time frames, which is by the end of March next year.

C. Fischer: I think the best driver for ensuring that the committee is advised as the work progresses, the analysis is done and changes are made, is the action plan process. In 2006, there was no action plan process or follow-up report in place in terms of the committee. We’ve maintained that process in terms of our internal audit function, but the external audit…. Once you got the report and received the presentations, that was generally the last that you heard of it.

My action plan…. We have done our initial research. We identified what was positive and really identified where we want to go. We established some very firm timelines, because we want to move forward on these issues, and they are relatively contained. I think the one where we possibly will not be able to achieve our initial target date of March 31 would be identity management, but by March 31, we will have a better idea of the external factors that need to be addressed, be they privacy-related or legislative or the work of other ministries, and an idea of when they will get there.

In addition to that, as I said, we are working with OAG to follow up on the 2006 audit to see, first of all, which recommendations are still relevant and which can be achieved. I anticipate that OAG will use that information or that process to determine whether they want to do another follow-up audit on the CAS system and general controls. It has been a few years, so given the nature and the importance of the corporate financial environment, I think that would probably be something that’s on their agenda to take care of.

I see Carol making a note now. I should know not to speak.

C. Bellringer: I was going to ask the staff who it is at OAG you’re talking to, because I wasn’t aware of that — the follow-up of the 2006 report.

C. Fischer: Barb and Jackie in the meetings.

B. Underhill: As part of the audit process, we provided the information on the 2006 recommendations that we assessed as being still outstanding.

C. Fischer: I think our commitment is to keep reporting on the action plans and the follow-ups — where we get to and when we are able to achieve our objectives on those five recommendations.

M. Dean (Deputy Chair): Okay. Thanks for your clarification, because on recommendation 3, it does set a target date of the end of March next year, and you’ve said a couple of times now that you don’t think you’re going to achieve that date. So by that deadline, what I’m hearing you say now is that you’ll come up with a more detailed plan of what the problems might be and how to tackle them.

[9:00 a.m.]

C. Fischer: Oh, absolutely. I think we’ll be able to achieve our part of the puzzle, but my concern is what we will learn along the way.

M. Dean (Deputy Chair): Thank you for that.

Just one final question. You’re not asking for extra resources. I’m concerned, then: how is this going to fit into your overall workload and be given the priority and the resources that it might need.

C. Fischer: It’s always a challenge, because there are always things that we want to do and more things to do than we have resources for. Our priorities, being the comptroller’s office, are, first of all, in supporting our business environment. That means supporting the service to the public and then ensuring that there’s appropriate control and accountability so that government can continue to be accountable to the public.

Within those parameters, we have to look at all the projects on our list, what will give us the most benefit for a result, and then schedule our time accordingly.

S. Bond (Chair): I think Rick has a follow-up question.

R. Glumac: Just from the discussion and now hearing that you won’t be able to do recommendation 3 in a year, that’s kind of surprising to me. I’m trying to wrap my head around this. This system came into place in, I think you said, 2002, and in all that time, there hasn’t been a real effort to create a unique identifier for people.

I’m curious. As an interim measure, couldn’t you just go through all the records and number them from one to a million, or whatever it is, and then require that on your contract, you have to write down that identifier when you pay them? I’m reading in here that one of the ways that they create a unique identifier is to add an asterisk to a name. So one person’s name will be John Smith; another one will be John Smith*. That seems a little — I don’t know — not the best way of dealing with things. Couldn’t we just add an actual ID in the list of records we already have and use that as an interim measure, before March 31?

C. Fischer: There are two different issues there. First of all, the asterisk issue is unique supplier records — how we identify people. That’s a system feature, but it doesn’t go to identity.

The important thing about a unique identifier is that it has to relate to an authoritative source of name and address, like a driver’s licence or a social insurance number or a passport number — some external source. If we were just to add numbers to all the suppliers, we’d need some separate list to relate that to the tombstone information that we are using, or else it’s not an identifier; it’s just a list.

Each supplier currently already has a unique supplier number, and that’s what’s used in the database to identify a group and report out on those payments to individuals.

Now, we keep coming back to: “Well, it’s going to take more time.” Certainly, the first part of it, of saying, yeah, every supplier number has to have a unique identifier…. We do have a list of what kinds of identifiers, like a driver’s licence, are preferred. Or there will be an exception report. We’re all over that. That’s not a difficult change to make, and that’s our part of it.

Where I’m a little reluctant to make commitments is when we have to think about the engagement that we have to do with other ministries, because they’re the ones actually collecting the information and dealing with their constituencies. So it has to make sense to them.

The privacy officials. Any time we make a change to data that affects people’s personal information, we have to go back and work with ministry privacy authorities to make sure that we are consistent with the requirements of legislation. That can take some time because we don’t have as many resources in that area or in legal services to deal with all the unique circumstances as well.

[9:05 a.m.]

Also, our other business partners, like the Ministry of Citizens’ Services. If we have an opportunity to improve the process by creating a stronger linkage with the B.C. service number, we will do that. That’s an ultimate goal of ours, but it may take them a bit longer than a year to mature that program to a place where it becomes a valid replacement for the process we currently have.

There are just areas that we don’t know enough about now to commit, but I’m reluctant to say: “Yeah, it’s going to take five years to do that.” I would rather be held accountable for a follow-up within the current fiscal year, even if that means: “No it didn’t work out the way we intended, and we’re going to have to take more time to make this work.”

R. Glumac: A final question, just for clarity. Within the current fiscal year, what you are saying is that on the supplier number, you are going to require that efforts be made that that be a unique identifier of some kind, and if there isn’t one, there’ll be an exception report or something. That process currently isn’t in place and will be in the fiscal year?

C. Fischer: There are supplier information standards. They do require unique identifiers. What’s not in place is that follow-up process where we would identify exceptions, go back to the ministry contact and say, “Hey, you’ve entered three suppliers. They don’t have information. Can we follow up and make sure that we get the information,” or have a program-appropriate proxy like a case number that will allow us to link that back to at least internal government records.

R. Glumac: And that’ll be done by this fiscal year?

C. Fischer: Yes.

R. Glumac: Okay, thanks.

S. Bond (Chair): Thank you for that. To sort of summarize where we’re at, before we move on to our next item, I think everyone in this room feels that 2006 identified some issues and that we’re still sitting here talking about them. We recognize that context does matter. We have thousands of users and almost a million records that are active and inactive. I think what the committee is looking for is a sense of commitment to ongoing, continuous improvement. We sense a bit of…. I think being pragmatic is important here, not overpromising, but I think the committee wants to see that there is a willingness to address these recommendations in a meaningful way.

I think Rick’s last questions are entirely appropriate: what will we see within a year? I noted in my work that for each of the recommendations — at least 2, 3 and 5 in particular — the recommendations said one thing, and the response came back and said something else.

For example, the Auditor General uses the word “audit”; the response says: “We’ll review.” I don’t know if those are equitable. I don’t know, but you either audit or you don’t. Recommendation 3 says there needs to be a unique identifier. We’ve spent a lot of time because the answer was: “Where possible.” In recommendation 5, there was a difference between a specific ask…. And the answer was: “We’ll reassess and change as needed.”

Hopefully, the comptroller general can understand that we want to see a definitive plan of action that addresses the concerns that have been laid out by the Auditor General. We understand that there may be barriers, but this is an issue we’ve been talking about, apparently, since 2006.

My question is related, certainly, to what happened in 2006. Clearly, there wasn’t an action plan. We’re a committee that actually believes in those. In fact, we’re going to talk about that right now, in our next item. We’re going to continue to follow up to make sure that steps are taken.

I wanted to raise one additional issue that hadn’t been raised. I think part of this is access to information. It’s not just what’s in the database; it’s who accesses it. On page 13 of the report, there are comments about the security of the data, based on how many people use it. There are issues with privacy and making sure that we protect it, but there is also security. One of the headings of this report is: “Clear direction and security.” I would appreciate some comments on the fact that the Ministry of Finance has apparently established “segregated roles and responsibilities for those accessing the master supplier file. These have been documented and kept current.”

[9:10 a.m.]

Then: “However, because the ministry does not regularly check on who is accessing the supplier records, this security measure is not being enforced.” We have, literally, hundreds of thousands of records. The report at least questions whether or not that data is secure and if there’s enough oversight of people who actually access the data. If I’m correct, people all across ministries input data, and they access information.

Can you assure the committee today that the information that’s in these databases is secure?

C. Fischer: Yes, we can. Part of our work in responding to the audit was to respond to the recommendation that regular review of user access was incorporated. We have done that. We have developed a query as part of the response to the report. The compliance team looked at historical access records and did not find an instance, within the 1½-year test period, where unauthorized users had accessed any of the data.

CAS has also developed a test case that will help support the time of any change within the system, to specifically make sure that there are no vulnerabilities to access, or any limitation of access to authorized users.

S. Bond (Chair): All right. Well, in addition to the issues that have been raised about unique identifiers, I think security is at the top of our list. We have literally, as I said, thousands of records that need to be secure. We’ll look forward to an update on those tests and how that’s working.

Two other very quick questions. What is best practice for retaining data on systems? It was pointed out by the Auditor General that there were non-active files for two years. What is best practice? I mean, obviously, we’re seeing the number of items in the database grow exponentially. Is there a best practice? Have we looked at when we take people off the database?

C. Fischer: There are two parts to that answer. The first is that the corporate financial system is a relational database, so we’d never be in a position where we would purge or remove those records. If you remove suppliers, then you have a situation where you’ve corrupted all of those payments, so when we get public requests, or requests from government or opposition parties, for financial data going back five years, we’d be unable to respond to that.

We do need to deactivate. Deactivating is an important control. If someone has not engaged with government for a long period of time, deactivating that supplier ensures that when they come back for the next round, we have the opportunity to check that their address and details are correct or need to be updated.

Now, in determining what the appropriate time period is, the original ARCS and ORCS retention period for CAS data was two years. That seems a bit arbitrary to me. Ultimately, the best practice would be doing the analysis to determine where that sweet spot is where the length of inactivity results in the lowest number of reactivations, because any process like deactivation or reactivation does have a cost. It does have a resource cost, not just within OCG but across all those ministries that are doing the work.

That’s work that we are doing with the records management office, because they’re the experts. We think it’s a good time to work with them to review not only what the optimum time frame is — whether it’s two years, three years or five years — but also to ensure that any privacy considerations on the retention of information are accommodated in our processes.

S. Bond (Chair): Finally, the report talks about how the Auditor General found 120 situations that needed to be dealt with in terms of either overpayment or duplicates — those kinds of things. That was over a two-year period.

[9:15 a.m.]

Do we have previous years where we can actually compare? Are there measures now in place where we know whether we’re getting better? Is it regularly monitored? This report talks about a two-year period and 120. Between 2006 and then moving toward 2017, did we measure? Did we count? Are we getting better? Or is that something that will be looked at as we move forward? Is there sort of a benchmark of improvement?

C. Fischer: Historically, we haven’t had the same kind of monitoring actions. For a long time, the corporate accounting environment was the responsibility of the Ministry of Citizens’ Services — or Technology and Citizens’ Services, as it was at that time. It was actually my predecessor, working with OAG, that recommended that it was a good idea to bring CAS back into OCG, for obvious reasons — that a focus on good financial control was best achieved by including it in OCG.

We have, as we’ve said in the presentation, put a lot of focus on the supplier, amongst other areas, over the last four years — in particular, in the last 2½ years we have developed our compliance function. One of the key objectives we had was that rather than relying on the technology people in CAS to test and validate themselves, we wanted to move that function into the compliance function so that we had that capacity to support and challenge, with a degree of independence. That has been most effective for us.

The supplier has been an element of a great many of the activities they’ve undertaken. Going forward, we will be instituting reporting, specifically to identify duplicate suppliers. We always look for duplicate payments, but it’s not as easy as you would think. It’s not as easy as querying, okay, “Carl Fischer, payments for $100,” and see how many that pop up, because there are people who get regular streams of similar payments over a long period time — organizations as well.

It’s the same thing with duplicate suppliers. We do have individuals and organizations with very similar names and addresses. We can’t arbitrarily say, “Well, you can’t have two Carl Fischers at this address,” because you can have two Carl Fischers at that address, or, “No, we can only have one supplier for KPMG,” regardless of how many partners are practising in that big tower in Vancouver.

Those are challenges. Fortunately, we do have some pretty clever people, many of whom we drafted from OAG, to help us think about how we can get to risk indications that can then be followed up by those subject ministries that are responsible for the transactions. That will be an ongoing process, and we will be including those measures as indicators in our overall health-check report that tests and reports on the internal controls of government.

S. Bond (Chair): Well, thank you very much, both to the Auditor General’s office and to the comptroller general’s team. We’ll look forward eagerly to the updates that we receive over the next number of months. We appreciate the candid conversation this morning. I think that you have a sense of how important the committee believes that ongoing improvement is. As I said, I think we’ll look forward to the progress reports on the work that needs to be done. Thank you both — both offices — for the presentation.

I’m very cognizant that the sitting starts shortly. We do have one other item that we wanted to discuss this morning. This committee in particular has made it very clear that a follow-up process is essential. We want to make sure that an appearance here isn’t the end of the work, sort of checking the box, but that there is an ongoing reporting back so that we understand exactly how ministries are responding not just to the Auditor General’s reports but also to the comments of members around this table about what might have been a priority.

[9:20 a.m.]

I’m going to ask the Auditor General and her team to give us an update on the follow-up process. I’m encouraged to see that we’re going to have a list, potentially, provided to us in a month. We look forward to that.

Over to you, Carol.

Committee Follow-up Process

C. Bellringer: I’m joined by Ardice Todosichuk, who’s going to go through the presentation in a minute, and Stuart Newton, who’s sitting behind me because he doesn’t have a name tag. I want him to sit there just in case we need him. Stuart’s the Deputy Auditor General who’s working on our follow-up process, and Ardice is supporting that with all of the great work that she does.

We did have a short presentation at this committee not that long ago. We didn’t have much time that day. It’s an ongoing discussion that we really appreciate. There’s been a lot of work done over the last couple of years with the comptroller general’s office, with the Clerk’s office and with ourselves to try to put a coordinated process in place.

It’s improved significantly. There’s fine-tuning that can improve it in terms of just the administration of it, but it’s well developed. It emerged from an existing process that had been in place for a couple of years. It’s not something that’s a start-up.

There are two big buckets to the conversation. I’m just going to give you a bit of the big picture for how I look at it. One is: we do an audit, it’s delivered publicly, it’s discussed here, and it’s up to the organization that we’re auditing to make the improvements. The oversight process is a really helpful component of that. Holding them to account on that and having them produce action plans is a really valuable mechanism. It heightens awareness. We really see a dedicated effort by everybody appearing before this committee to provide you with the information that you’re looking for and that they have. So the big follow-up process is an important one.

The second bucket is where we then select a couple of those reports that we have already issued, where there are action plans in play, where we’ll go back in and do a subsequent audit of what that progress has been. In the last year, we did the follow-up audit of Evergreen and ICM, the integrated case management system.

Those are examples of where we’ll select a couple. We’re not looking at them all. We read through and talk to individuals from time to time, but it’s quite informal as to which ones we select from the full spectrum of action plans. The only time we’ll go in and be able to provide assurance to you on whether or not we agree with what they’ve provided in there is when we choose the actual audits.

When we do our planning every year, we have to balance out the extent to which we assign our time to doing those second audits and the time we spend doing new audits. So we only select a few.

Ardice will go through this. I just wanted to sort of give you the feel of what it is that we’re really concentrating on in this process and how important it is. The biggest shift that we saw from the old practice to the current action plans was a clear accountability to this committee, that the organizations we audit are not accountable to us. We don’t manage government. If they choose to ignore what we’ve said, that’s their prerogative.

I also am a person who encourages honesty in the process and being upfront about where things really are at, because it’s important for the committee to know exactly where things stand.

For the most part, I think that process is working really well. There are a few things that can be done. There are great discussions at the annual conference, where we meet with the conference of legislative auditors and the conference of Public Accounts Committees across the country. Everybody is struggling with this, and there are some quite diverse practices across the country, in terms of how follow-up is done.

[9:25 a.m.]

When you’re in that conversation, there’s a distinction between the follow-up of the audit report and the follow-up of the Public Accounts Committee report, because a lot of them do issue their own reports. Then when they say follow-up, they might be talking one or the other, so you have to kind of get clarity on: are you talking about following up the audit report, or are you talking about following up something that the Public Accounts Committee has issued?

Over to you, Ardice.

A. Todosichuk: I’ll just quickly go through the slides that were provided to you.

As Carol mentioned, the OAG and the OCG have been working together to develop an annual schedule to request and receive action plans. Those went out in January. The OCG is collecting those submissions from the various groups that have been audited, and we’ll be submitting those, all their responses, to you in May.

The other thing that we’re doing when we, as the Office of the Auditor General, are receiving those submissions is that we’re looking at them, and, as Carol mentioned, we’re conducting a risk review to see which one of those audits we may want to do a follow-up audit on. As Carol mentioned, those will be probably two to three, and they’re, again, based on the resources that we have available in the office.

The other thing that we’re doing is that we’re looking at which of these submissions can possibly be removed from this list for next year. So again, we do a risk analysis, and we’ll be providing the recommendations to the Public Accounts Committee on which ones we think should be removed from the list for the next year.

What we will be providing in May is that information, that material, to you. One of the things the PAC members may want to consider when they receive this material is whether they wish to endorse our recommendations for removal from the submission list for the following year, what reports they may want to discuss in further detail and perhaps call witnesses because there’s an interest in looking specifically at some of those audits, and if it wishes to recommend to the Office of the Auditor General progress audits that we haven’t selected but are an area of particular interest to the Public Accounts Committee.

Those are what’s going to be coming in the package in May and probably areas that you want to discuss and see what would come forward in a committee meeting possibly in June or further in the year.

S. Bond (Chair): Okay, I think you’ve responded very well. I don’t know if other members have comments, but this is exactly, I think, the kind of thing we were looking for, where you’ll bring back the list. I think it’s important for the committee to note the last bullet on the slide — that not only can the Auditor General’s office make a selection about a second audit; Public Accounts can as well. So if we were to see the progress reports and feel that one of those organizations should have another audit, we can make that recommendation to the Auditor General’s office. I really appreciate seeing that clarified here on the slide. I think we will look forward to receiving the list.

Did anyone have any comments or anything they’d like to add?

R. Glumac: Yeah. This sounds great. I’m just curious. Going forward, is the idea that…? I mean, we’re looking at 30 past auditees. But going forward, all the audits that are being done…. Are all of the ministries going to be asked to submit an action plan at that time? What will that process look like, going forward?

C. Bellringer: The list of everything that’s out there is continually changing. As things are completed by our office, they get added to the list. They are asked to provide you with an action plan at the time the report first comes to this committee. But then the annual list of…. The 30 is referring to now. It’s accumulating, and each year they’ll be asked to provide an update on that. Everything we issue gets added to that list.

The removal part is what Ardice was referring to. There are a few that…. Let’s say they’re saying everything has been implemented. They provide you with enough information where you can understand exactly what that looks like. Or they’ve got one or two outstanding recommendations that have been sitting around for a long time, and they’re explaining why they’re not doing it. You might want to just drop them from the list and not continue to keep them on there.

R. Glumac: One thought I had. I’m just curious what you think, Madam Chair, and maybe the other members. I don’t know if they do this anywhere else, but ultimately, as a committee, these reports, as you were saying….

[9:30 a.m.]

The ministries are accountable to the committee in terms of following through with this. Is there some way that we could do a letter grade or something at the end where we determine: “Okay, you guys have done a pretty good job; we give you an A” or “You’ve done a horrible job; you get a D”? That might incentivize some follow-through on some of these actions. Has anything like that ever been done? Is there any interest in maybe doing something like that?

S. Bond (Chair): I certainly am not aware of anything like that, but I’m new to this work. I don’t know about the letter grades. But I do know this: I think people do need to be incented. There should be incentive for continuing to do good work. I think we can certainly consider those kinds of steps as we get to see these. When we see the list of 30 auditees, we’re going to be able to probably separate out pretty quickly who’s done a really good job and who’s at the bottom of the list.

Everything’s on the table. I think the message to the Auditor General is that we take this very seriously. When we sit around this table and we try, in a very non-partisan kind of way, to look at how things can be improved in government, we expect people to take that seriously.

I think this is the start of the process, Rick. Those kinds of comments, as we come back and figure out what we are going to do to make sure people understand that this is not an exercise in checking the box — “You’ve been at Public Accounts; okay, you’re done….” I think those are creative ideas. I don’t know if they’d work, but we certainly should be having that kind of discussion.

I hope everyone is comfortable with the May timeline, where we will see the initial list. Then probably we’ll have to do some work in terms of prioritizing who we’d like to see back or how that meeting…. What I would suggest is that we have a designated meeting for follow-up. I think Mitzi had suggested that, a number of months ago. I hope that works. I do appreciate — I think all of us do — the Auditor General’s efforts to make sure that there’s an ongoing process here.

Any other comments before we adjourn? I’m encouraged by this; I hope committee members are. I think this particular group has taken this very seriously and wants to see ongoing and continuous improvement.

Is everyone comfortable with the recommendations that have been provided here? All right, I’ll be happy…. Mitzi and I, together, can work with the Clerk to sort out the timing and how we administratively handle the lists. I’m assuming that the auditees will be aware that they may well be making a subsequent appearance at Public Accounts to sort of explain their progress or lack thereof. That’s been conveyed to them? Okay, fantastic.

Any other items of business?

Just a reminder, then, that we do have a full day scheduled, with a large number of reports — weighty reports. The Clerk is going to work with her office to try to make sure we have the materials as quickly as possible. You would, obviously, have the reports in your hands, because they’ve been made public. Hopefully, you can start reading through some of those. We’ll try to get the PowerPoints and responses from agencies and ministries to you as quickly as we can.

With that, we’ll call for a motion to adjourn.

Motion approved.

S. Bond (Chair): The committee is adjourned.

Thank you for the work, and thank you to the Auditor General and the comptroller general.

The committee adjourned at 9:33 a.m.