Fourth Session, 41st Parliament (2019)

Select Standing Committee on Public Accounts

Vancouver

Thursday, November 7, 2019

Issue No. 21

ISSN 1499-4259

The HTML transcript is provided for informational purposes only.
The PDF transcript remains the official digital version.


Membership

Chair:

Shirley Bond (Prince George–Valemount, BC Liberal)

Deputy Chair:

Mitzi Dean (Esquimalt-Metchosin, NDP)

Members:

Garry Begg (Surrey-Guildford, NDP)


Rick Glumac (Port Moody–Coquitlam, NDP)


Bowinn Ma (North Vancouver–Lonsdale, NDP)


Ralph Sultan (West Vancouver–Capilano, BC Liberal)


Jane Thornthwaite (North Vancouver–Seymour, BC Liberal)


John Yap (Richmond-Steveston, BC Liberal)

Clerk:

Kate Ryan-Lloyd



Minutes

Thursday, November 7, 2019

8:30 a.m.

S2300 Rix Meeting Room, Simon Fraser University Segal Building
500 Granville Street, Vancouver, B.C.

Present: Shirley Bond, MLA (Chair); Mitzi Dean, MLA (Deputy Chair); Rick Glumac, MLA; Bowinn Ma, MLA; Ralph Sultan, MLA; Jane Thornthwaite, MLA; John Yap, MLA
Unavoidably Absent: Garry Begg, MLA
1. The Chair called the Committee to order at 8:32 a.m.
2. The following witnesses appeared before the Committee and answered questions regarding the Office of the Auditor General report: The B.C. Government’s Internal Directory Account Management (August 2019):

Office of the Auditor General:

• Carol Bellringer, Auditor General

• Cornell Dover, Deputy Auditor General

• David Lau, Director, IT Audit

Ministry of Citizens’ Services:

• Jill Kot, Deputy Minister

• CJ Ritchie, Associate Deputy Minister & Government Chief Information Officer

• Ian Donaldson, ADM, OCIO Enterprise Services

• Gary Perkins, Executive Director/CISO, OCIO Technology Solutions

Ministry of Finance:

• HB Teo, Executive Director and Chief Information Officer

Ministry of Health:

• Corrie Barclay, ADM, Health Sector IM/IT

• Jeff Aitken, Executive Director, IT Services Branch

3. The Committee recessed from 10:18 a.m. to 10:34 a.m.
4. The following witnesses appeared before the Committee and answered questions regarding the Office of the Auditor General report: Executive Expenses at School District 36 (August 2019):

Office of the Auditor General:

• Carol Bellringer, Auditor General

• Sheila Dodds, Deputy Auditor General

Ministry of Education:

• Scott MacDonald, Deputy Minister

School District No. 36 (Surrey):

• Jordan Tinney, Superintendent

• Greg Frank, Secretary-Treasurer

5. The Committee considered Action Plan and Progress Assessment Updates on the following reports from the Office of the Auditor General:

Progress Audit Report: Effectiveness of BC Community Corrections (May 2016)

Committee Requests for Further Information: Action Plan Progress Summary (November 2019)

6. The Committee adjourned to the call of the Chair at 11:48 a.m.
Shirley Bond, MLA
Chair
Kate Ryan-Lloyd
Acting Clerk of the Legislative Assembly

THURSDAY, NOVEMBER 7, 2019

The committee met at 8:32 a.m.

[S. Bond in the chair.]

S. Bond (Chair): Good morning. We’re going to get started. I know that several of our colleagues are on their way, but we have a fairly full agenda today, and we don’t want to keep all of you waiting, either, for the rest of the morning. Welcome.

The first report that we’re going to be receiving this morning and having a discussion about is the consideration of the Office of the Auditor General’s report entitled The B.C. Government’s Internal Directory Account Management. It was released in August of 2019. The great news for the committee and my colleagues is we’re all working hard, and we’re catching up. It’s fantastic. I don’t think we have much of a backlog of reports anymore. Much appreciate your hard work. And today will help us move along that list.

We want to welcome the Auditor General this morning and her staff that are with her. She’ll be working her way through these reports, presenting, and then we will work through the presentations from representatives of government that are here.

We also want to recognize the comptroller general, who’s here this morning. We thank you for your attendance, as always.

With that, we’ll start. We’ll have the presentation from the Auditor General and her team. The response will then be provided. Just a reminder that if you are speaking, we need to make sure that you’re introduced so that your name is on the Hansard record. If whoever the lead presenter is could introduce their colleagues, that would be most helpful.

With that, we’ll welcome Carol Bellringer, our current Auditor General, to make her opening remarks.

Consideration of Auditor General Reports

The B.C. Government’s Internal Directory Account Management

C. Bellringer: Thank you so much, Madam Chair. As always, a pleasure to be at the committee.

Depending on your schedule for the rest of the year, this might be my last meeting, so I thought I’d just add a little bit of extra thanks to the committee. As you recall, when there was a change in the committee membership, I was thinking it was really working very well, and as always, I worry how you’re going to keep up the momentum. But certainly, under your leadership, Madam Chair, and yours, Madam Co-Chair, the committee has been extraordinarily good. You all do your homework, and it is very much appreciated.

[8:35 a.m.]

Our reports coming to this committee is an important part of the work that the Auditor General’s office does, and knowing that there’s an interest in them and that it really is truly making a difference in the performance of government operations makes all of the work meaningful to all the staff at the office. It is something that’s even very difficult to express, because the importance is just beyond words.

I mentioned to you just before we started that I have to be on the road around ten o’clock. I have to do a presentation for the Fraser Valley Chartered Professional Accountants on anti–money laundering at noon today, so I’ll be here till ten, and then the rest of the two reports will be carried by…. Again, as usual, our practice of…. The Deputy Auditors General will cover the two reports on the agenda. For the first one, on IDIR, Cornell Dover will walk you through what the report is about, and he’ll introduce the audit team. The second report, on the school district, will be led by Deputy Auditor General Sheila Dodds. I may be gone before that one starts.

S. Bond (Chair): First of all, I think, on behalf of the committee, we did speak last time we met about the great work that you have done, Carol, but considering that this may be our last meeting — although we’re not sure; we may well have one more — we don’t want to miss the opportunity to express our gratitude on behalf of the people of British Columbia for the work that you’ve done. We wish you incredible success in whatever the next phase of your life looks like. We know it’ll be interesting, and we appreciate your service here in British Columbia.

It’s been a real pleasure to work with you. I know that Mitzi and I have appreciated your open door, your willingness to talk to us about the best process for British Columbia. We very, very much have appreciated that. Certainly, on behalf of the committee, we thank you for your service.

It’s probably a good opportunity to let people know that there will very shortly be two processes underway. One is certainly well underway, and that is the process to appoint an interim Auditor General when Carol’s departure date — not her term, we know that her term would have been much longer — is effective. There is a process currently underway to look to appoint an interim Auditor General. There has been a convener assigned, and members, to a committee to hire a permanent replacement. It will be a challenging job for all of us.

Once again, thank you, Carol. We wish you nothing but the best in your future.

With that, we’ll move on with the first report and any comments that you would like to share about the report.

C. Bellringer: I’ll immediately now pass this on to Cornell Dover.

C. Dover: Good morning, Madam Chair and committee members. Thank you for inviting us to present our report on the B.C. government’s internal directory account management, often referred to as IDIR account services. With me today is David Lau, the engagement leader for the audit.

Government collects and stores a lot of sensitive and personal information that is required to provide services for people in British Columbia. Therefore, controlling access to government systems is fundamental to ensuring only authorized individuals can access government’s on-line resources and information. IDIR is the main service for authenticating users that use these government systems. It is the first line of defence against unauthorized access to government resources, because all it takes is one poorly managed user account to potentially compromise government systems.

In this audit, we looked at the Ministries of Citizens’ Services; Finance, including its related branches and agencies; Health; Attorney General; and Forests, Lands, Natural Resource Operations and Rural Development. Before I turn it over to David to provide you with an overview of the audit and its findings, I would like to thank the five ministries and their agencies for their cooperation during the course of this audit and especially acknowledge the help and assistance provided by staff. It was greatly appreciated.

D. Lau: Thank you, Carol and Cornell.

Good morning, Madam Chair and committee members. Today we’re here to present an overview of our report on whether five selected ministries and their related branches and agencies have designed and implemented key controls for protecting government information and information assets from unauthorized access. The key controls are outlined in the B.C. government document called Information Security Standard.

[8:40 a.m.]

Overall, we found that the office of the chief information officer, or the OCIO for short, has designed key controls for protecting government information and information assets from unauthorized access, as identified in government security standards. Although the selected entities have implemented some of the controls identified by the OCIO, there were instances where key controls had not been implemented. While we weren’t looking for improper use of accounts or security breaches that could result from mismanaged accounts, there is a risk of unauthorized access to some government systems when organizations don’t follow the OCIO’s key controls as stated in the government security standards.

Every government employee and contractor must have a username and password to log in to government systems. Government’s internal directory — or IDIR, as it is often commonly referred to — is a system that authenticates each user’s identity to ensure it is legitimate, and it allows them to log in to government systems. To provide services for people in British Columbia, government collects and electronically stores a lot of sensitive and personal information. Therefore, controlling access to government systems is fundamental to ensuring only authorized individuals can access government’s on-line resources and information.

The IDIR service is the first line of defence against unauthorized access to government’s resources. All it takes is one poorly managed user account to potentially compromise government systems. The OCIO has overall responsibility for administering the IDIR system, whereas each ministry and government organization manages its users’ IDIR accounts. We found a lack of understanding regarding the role of the OCIO versus individual government organizations as to the responsibility for maintaining the central records of IDIR accounts. The OCIO needs to remind ministries of their responsibilities as defined in government’s information security standards.

Some government employees have significant abilities when accessing within government systems. For example, a system administrator often has the ability to create or alter IDIR accounts for their organization’s users. We found that these users’ activities are not being reviewed consistently to ensure appropriate use of the powerful account.

We also noted that the number of active user accounts did not match the number of government employees, and the discrepancy has grown over the years. That said, there may be good reasons for the discrepancy. For example, there are non-human IDIR accounts for systems or devices, such as printers, for talking to one another. As well, some employees have multiple responsibilities and, therefore, have multiple accounts, such as one account for regular duties and a second account for when they need to perform a sensitive task.

Finally, employee and account information are stored in two separate databases. The OCIO has responsibility for the IDIR system, but the Public Service Agency holds and maintains the list of current government employees. As such, one of our seven recommendations is that OCIO and the Public Service Agency compare the two lists to ensure accuracy of the IDIR accounts. We are pleased that in early 2018, the OCIO began cleaning out dormant accounts. This was a good first step. We recommend that OCIO expand the scope of its account cleanup to include such things as accounts with non-expiring passwords.

In conclusion, we made seven recommendations to the OCIO to ensure that ministries and other government organizations are designing and implementing the key controls for protecting government information and information assets from unauthorized access, as outlined in government’s information security standard. A strong coordination and commitment to key controls and the management of IDIR user accounts between the OCIO and across ministries is fundamental to controlling access. That’s our summary and concludes our presentation of the audit of the B.C. government’s internal directory account management.

S. Bond (Chair): Thank you very much, David and Cornell. We appreciate the overview.

Now I believe…. Jill, are you going to be the lead?

We want to just recognize that Jill Kot is the deputy minister of Ministry of Citizens’ Services, and we really appreciate it when a deputy minister takes the time to be here at Public Accounts. We are starting to see more of that, and it’s very much appreciated by the committee. It’s a sign that the ministry takes the report seriously, and we’re very appreciative of that.

Committee members have all had copies of your presentation in advance.

With that, we’d welcome you to make your remarks this morning.

[8:45 a.m.]

J. Kot: Thank you, Madam Chair.

Good morning, Madam Chair, committee members and officials from the Auditor General’s office. I am Jill Kot. I’m the deputy minister of the Ministry of Citizens’ Services, and I can assure you that it wouldn’t even have crossed my mind not to come this morning. It’s a very important meeting for us.

Joining me from Citizens’ Services we have CJ Ritchie, who’s the government chief information officer. We have Ian Donaldson, who’s the assistant deputy minister in the ministry, the office of the chief information officer, and Gary Perkins, who is the chief information security officer for government.

We also have ministry chief information officers and their staff from each of the profiled ministries. This includes: from the Ministry of Health, Corrie Barclay; from the Ministry of Finance, H.B. Teo; from the Public Service Agency, Ian Hennem; from the Ministry of Forests, Lands, Natural Resource Operations and Rural Development, Denise Rossander; and from the Ministry of Attorney General, Craig Randle.

I’d like to begin by thanking the Auditor General and her staff for their audit and their report, as well as the commitment to improving information technology security within the government of British Columbia. I’d also like to thank the Chair and this committee for giving us the opportunity today to respond and to give an update on our progress.

As this report has indicated, Citizens’ Services is responsible for providing services to government ministries, including establishing cross-government standards for information technology and security. Individual ministries are responsible to abide by those standards and policies and to manage the accounts of their own employees and contractors.

This audit and the work of the OAG has been very helpful to us in determining where we’re meeting our standards and where we can improve our performance. It has also validated some of the areas where we’re already focusing and has really provided a catalyst to engage other ministries which are not part of this audit.

I want to state unambiguously that the government of British Columbia and specifically the office of the chief information officer takes privacy and security of personal information very seriously. We appreciate the Auditor General’s acknowledging the positive steps we’re taking and helping to validate our current course of action to increase security in the area of authentication and access control. We also recognize there’s room for improvement, and we’re committed to addressing the identified gaps. That includes my own ministry, the Ministry of Citizens’ Services, which was one of the ministries that was audited.

With respect to the findings and the recommendations identified by the audit, the OCIO accepts all of the recommendations of the OAG. The recommendations are reasonable and are well aligned with the direction of the government identity program. The OCIO has already engaged each of the audited ministries, developed project plans, and we’re well underway executing on our plans. We’ve already made progress on remediating the items identified in the audit report, and these changes will definitely strengthen government’s internal directory account management.

With respect to timelines, we expect to have all recommendations completed by December 2020, which includes implementation in all ministries, not just those ministries that were part of this audit.

Key findings. The findings themselves are appropriate, and we have moved to address them immediately, as I’ve stated. We accept each of the recommendations, which are summarized in the slides in front of you. The OCIO will work with all ministries to ensure the recommendations are addressed in full. As stated, the OCIO was responsible for setting the policies and standards and for communicating and ensuring the awareness of these policies.

We will be ramping up information and training materials for ministries and using a variety of tools to increase compliance. Ministries are responsible for creating user accounts, assigning privileges to accounts, removing those accounts, reviewing them, and the associated ministry training of employees that fulfill these duties. We at the OCIO will be strengthening our support to the ministries and taking a more active role in their compliance to support this work.

What does that look like? I just want to turn now to what we will do to move forward with these recommendations. First off, I want to confirm that we do have existing controls in place to prevent unauthorized use of user accounts. These safety measures have been in place for many years and have allowed the IDIR service to operate safely and reliably. We’re going to ensure this continues well into the future.

[8:50 a.m.]

Passwords for IDIR accounts are required to be strong. Users are required to use unique passwords, change them regularly and are locked out if there are multiple attempts with incorrect passwords. As for the unused IDIR accounts that were identified, each of the accounts was disabled and unavailable for use, although we do acknowledge that there was cleanup required, and we will continue to be doing that cleanup.

When employees leave government, a ministry is required to recover their devices, such as laptop computers, phones and employee badge. Ministries are also required to submit a request to have the IDIR account removed. Going forward, we’re building automation into this process so that once an employee is no longer active in the employee database, the account will be disabled, consistent with the recommendation of this audit.

This work started before the audit was published, and the report empowered the OCIO to ensure the actions are completed. In addition, the OCIO supports ministries with the monitoring and usage of IDIR accounts and provides regular reports of unused accounts. We have already increased and improved the reports that we provide.

As well, we’re moving to using Public Service Agency data to identify and deactivate accounts that no longer have active employees associated with them. This is a process that we’ve implemented since the audit. We’ll be adding enhanced multi-factor authentication features to the IDIR service that will also increase security. In partnership with ministries across government, the OCIO has improved the situation over the last two years and is making progress on enacting the recommendations published in this report.

In summary, I’d like to close by again thanking the Auditor General and her staff for the extensive effort they put into the internal directory account management audit and for their continued commitment to improving information and security for the province. We found them easy to work with, and it was a very…. I’d say it was a good experience for us. We acknowledge the areas for improvement and have made progress in addressing the recommendations.

We will implement all the recommendations by the end of December 2020. Some ministries that are part of this audit will have completed their work sooner, including my ministry, which will be done by March 31 of 2020, but the complete plan will be done by December of 2020 for all of government. Once our plans are implemented, we know this will take an ongoing, sustained effort to ensure ongoing compliance and a commitment to continuous improvement.

Thank you again, Madam Chair, and thanks to this committee for the opportunity to provide this update.

S. Bond (Chair): Thank you very much for those comments. I assume that ministries will just respond if there are specific issues related to their particular place in the audit.

With that, what will happen is that members simply begin to ask questions, and you’re more than welcome to have whoever you would choose to respond or reply. That will be the process that we’ll engage in.

We’re going to start with Jane.

J. Thornthwaite: I have a question about phones. What happens to the phones when I either leave or I need a new phone? What happens to them?

G. Perkins: It depends on the circumstances under which they were lost, whether they were stolen or they’re no longer usable. We have two things. In the case that there is risk associated with them, we have a remote-wipe capability. So as soon as it’s no longer in your possession, we’ll issue a remote wipe, in addition to the fact that it’s already an encrypted device. Now, if it’s no longer of use to you, we have an existing reverse-logistic process where we dispose of it securely through our asset investment recovery service.

J. Thornthwaite: I don’t know if this is related, but this phone is a government phone, and I have a friend of mine who…. If I text her off of my phone, some other name comes up. It’s obviously not mine, and she doesn’t know who this person is, this other named person. I’m wondering if there was something in the phone beforehand that was connected to another person.

G. Perkins: I’ll answer this one as well.

There are two possibilities in that case. One is that there is an entry in her phone, and there’s another one that there’s an entry in the telephone directory, like Telus or the provider’s directory itself. It’s not likely that it is due to any resident data left on your phone, but individual cases need to be investigated.

[8:55 a.m.]

J. Thornthwaite: We made sure that it was not on her end. In either case, I was really interested about that, about what happens to…. You identified some of the scenarios — that somebody is immediately fired or removed of their duties or somebody loses their phone. Obviously, that would be a significant risk of access to data. That’s probably the number one fear that everybody in this room has, losing their phone.

I just wanted to reiterate that if there are different numbers of people to accounts and there’s no reconciliation of that…. It reminds me of MSP numbers. Don’t we have a whole bunch more people that have got MSP cards than we actually have individuals in the province? That’s weird too.

I guess my final question is: how is that going to be rectified? Or is it being rectified?

J. Kot: We are doing a reconciliation right now with the employee data. That’s the activity that we’ve undertaken to identify where there are a different number of employees versus the number of IDIRs. In some cases, it’s reasonable. We can account for it where people legitimately have two or more IDIRs. But the work that we’re doing is to actually be able to reconcile and account all of the IDIR assignments. That’s the work we’re undertaking.

S. Bond (Chair): Cornell, did you want to respond?

C. Dover: Yeah. I’d just like to add one other thing. We did an audit a while back on mobile devices, and in that audit, we listed ten tips for securing your mobile device. That would be a good resource to go back to and have a look at those ten tips to secure your devices.

J. Thornthwaite: Madam Chair, can I just follow up on that?

S. Bond (Chair): Go ahead.

J. Thornthwaite: Can we get a copy of that?

C. Dover: Absolutely.

J. Thornthwaite: Okay. I think it would be a good refresher for all of us — I would say probably all of us — and it would be very much appreciated. Thank you.

K. Ryan-Lloyd (Acting Clerk of the Legislative Assembly): If I might, good morning, Members. I wanted to advise that we can certainly send a copy of the previous audit report to all committee members.

With respect to questions about your particular device, Jane, I would just add that if it is a device that was issued by the Legislative Assembly, then our IT department may be able to assist, and I would be happy to connect with you after the meeting.

S. Bond (Chair): Thank you, Kate.

J. Yap: A question in regard to the non-human IDIR accounts. It sounds ominous, but I’m sure there’s a good technical reason why there are non-human IDIR accounts. My question is: are there vulnerabilities with these non-human accounts? Could a human take advantage of an IDIR account that’s supposed to be non-human?

J. Kot: Maybe I’ll make a general comment about what the non-human accounts are, why they’re used, and then I’ll ask Gary to speak on the vulnerabilities.

These are accounts that are assigned for machine-to-machine purposes. For example, it might be assigned to a printer — some printers or devices that connect. Or when some of our systems are interacting with other systems, like our financial system interacts with our payroll system, there needs to be authorized access, and that is done by an account that’s assigned. That’s how that transaction occurs.

By their nature, they’re a fairly…. We have to monitor them separately, and they often don’t have expiring passwords on them. So that’s one of the vulnerabilities with them right there. That’s why we monitor them closely.

Maybe I’ll turn it over to Gary to add to that.

G. Perkins: You did a good job of covering it. There are additional controls in place, so encryption in transit and at rest, but the audit did identify things like non-expiring passwords. We force each of our users to change their passwords on a regular basis. If we did that with business or system accounts, then systems in government would be interrupted. So they have non-expiring passwords where they have to be changed manually.

But as you say, if someone were to use these accounts, that wouldn’t be something that is good, so we have additional controls in place, including monitoring to determine if that’s happening. And as soon as we become aware of that, we act.

[9:00 a.m.]

J. Yap: Just a quick follow-up on that. The monitoring is done automatically by the machine, or is it a human that is monitoring it?

G. Perkins: In the security operations area, it’s not by the individuals themselves. We can’t have them monitoring themselves. We do this as a central function within the OCIO. We have what’s called a security information and event management system that ingests all the logs independently, looks for any kinds of anomalies and triggers those to a security analyst to follow up on.

J. Yap: In your experience, or the experience of the ministry, what percentage of those incidents have led to issues being raised and a security breach uncovered?

G. Perkins: In recent memory, the ones that I can recall, each one of the ones that have been identified is a false positive. It looked like something suspicious, but it was not when we investigated further. So I’m not aware of any incidents that have been caused by mismanagement of IDIR accounts leading to jeopardizing system accounts.

J. Yap: Would a human who has knowledge and access be able to use a non-human account — like send an email or something like that?

G. Perkins: That’s why we have policies and standards in place, to prevent against that kind of thing. Then we also have education awareness, where we make it clear to them that they’re not to be doing this. Then we have the compliance and enforcement that comes in, as well as the monitoring, that alerts us to the use of this. So as soon as we become aware of that, we would act.

S. Bond (Chair): But it is possible.

G. Perkins: Yes, it’s possible. If you imagine that there is an individual who had to turn up that system in the first place — so they know what the credentials were at one point — they could use it. But again, we have systems in place to monitor for that.

J. Yap: To the auditors: was this something that was covered in the audit, to see if any non-human IDIR accounts were abused?

D. Lau: We did not look at the non-human accounts. It was outside of scope. We just looked at human accounts, just to make sure that everyone is following the standards and controls specified by the OCIO.

J. Yap: One more question. In regards to non-expiring passwords, is it only the non-human IDIRs that have non-expiring passwords? Every human IDIR has to….

D. Lau: That’s right. What we did is, when we got the database from the office, we segregated the non-human accounts, and we just looked at the human accounts. We did some data analysis and found out there are quite a few, compared with the PSA’s employee database…. We found that there were a lot of employees that were terminated, but their accounts were still active sometimes. Sometimes the account was supposed to have an expire password but it’s continued — still active at the time.

Although the statistics that we found in the report are quite small, even compared to almost 30,000 accounts and so on, it only takes the one bad account that will compromise everything.

J. Yap: This is, obviously, very topical for a lot of British Columbians — the whole concept of security of our information systems. My understanding is this audit covered specifically these ministries and the ministry responsible for the information system. Has the Auditor General considered having a look beyond core government — so Crown corporations and others that also have information that needs to be properly managed on behalf of British Columbians?

C. Dover: We currently don’t have it in our audit coverage plan, which we published, looking forward for three years. It’s something that we would consider a little bit farther on than that. Right now we have a few other IT areas that we want to focus on in the next three years.

S. Bond (Chair): Next up is Ralph. I know you’re here today despite not feeling particularly well. We appreciate that.

R. Sultan: Just to get some idea of the magnitudes we’re talking about here. How many IDIR accounts, of all categories, active and inactive, are extant about right now, roughly?

G. Perkins: Sorry, I didn’t hear your full question.

R. Sultan: I’m trying to get some fix on the order of magnitude. So my question is: how many IDIR accounts are there?

G. Perkins: In excess of 50,000.

[9:05 a.m.]

R. Sultan: Of those, how many are essentially inactive, as best you can judge?

G. Perkins: That would depend on the definition of inactive. In the case where the inactive accounts were found here, each one of those accounts would have been disabled. They are automatically locked out for not having changed their passwords.

We are completely caught up from all of the accounts that were found over the course of this audit. The only ones that would happen now are ones for employees who have recently left. They would be caught up and cleaned up. So negligible would be the number now.

R. Sultan: Would you find in active use today what might be called orphan accounts? You can’t trace them. They’re in there, they’re active, but nobody is quite sure who these people are.

G. Perkins: Again, that’s where our security information and event management system would come into play. It is constantly monitoring the activities of users and non-users alike to identify any kinds of anomalies. As soon as those are surfaced, we act on those. We investigate and act on them.

This is where some of the recommendations and the findings that we’ve accepted from the audit are going to help — for example, especially the one where we are to work with PSA to disable accounts for employees that are no longer active in the HR system. They really have no place maintaining an account in our system. We’re really grateful for the cooperation and collaboration with PSA — to get that access to that data and leverage that to disable these accounts. I think that that is going to be the number one control that prevents any additional anomalies being found.

R. Sultan: I recall you mentioning the number of IDIR accounts was significantly greater than the number of employees of government, and the gap was increasing. Is that true?

G. Perkins: That was mentioned in the audit. That’s correct.

There are several kinds of competing trends here. One is the number of these systems which require IDIR accounts. When systems talk to systems…. Although it does sound ominous, it’s actually a more secure way of doing business when we remove the humans from the picture. On the other hand, the number of leftover accounts that are from inactive employees, as we’ve just talked about, is at an all-time low. It’s negligible.

We also have accounts in our systems for the broader public sector and clients outside of government. One of the things that contributes to the mismatch of employees between the database and our IDIR is that our IDIR accounts are not solely limited to B.C. government employees. As identified in the audit, we have contractors. Then we also have broader public sector entities that we provide services for.

That’s one of the reasons…. In fact, I would view it very positively that more and more people are using our services. Therefore, more and more people have accounts.

R. Sultan: One of the slides referred to privileged IDIR. What’s that?

G. Perkins: Fantastic question. Thank you. This is one that is sure to confuse folks that don’t regularly do this work.

Effectively, it would be anybody that has additional access over the average employee. So if somebody has administrator access to their laptop or to another system, that would be a privileged user account. As accurately stated in the audit, if you were going to monitor some accounts, those ones are more important to be monitored. That’s why we’ve turned that up.

R. Sultan: You said the auditor was not looking for breaches of security. But what is your general impression of the frequency of that occurring? It would be hard to believe that it never happens. Do you have any sense of the order of magnitude of the issue?

G. Perkins: I’ll answer that one as well, then.

It is true that no organization, globally, is immune to attack. We need to, first, understand that. Across the globe, you can hardly open up a newspaper these days without reading about some organization.

My heart goes out right now to the government of Nunavut. Their government is off line due to a ransomware attack, and they’re unable to provide services to citizens. They have reached out for help on these, and we’re in a position to be able to do that when we’re not actively affected.

You are correct. From time to time, we have security incidents. Some of them range from a single-user-affecting issue to something that looks more sophisticated. We have a team in place that investigates and gets to the bottom of every one of these. Where we find a situation such as personally identifiable information that has been jeopardized, then we involve the privacy team, and notifications would go out, as necessary.

[9:10 a.m.]

We’re very fortunate in the B.C. government. Because we have been investing in both people and the systems, the technology, we’ve had a very, very small number of incidents, which we jump on very, very quickly and act on. The other ones — we’ve been able to prevent them, sometimes while they’re underway.

To give you an example of this…. You asked for the number of events. It is very, very small. A typical example would be one where somebody’s username and password have fallen into the wrong hands. They’ve used that system to log into email, and they instantly send thousands of spam email messages to government employees. Instantly we’re on top of that and shut that account down. But it is quite rare.

R. Sultan: I would guess that the health information system, the taxation rolls and the land title system, just to think of three probably very large databases…. That’s not part of your world. Or is it?

J. Kot: In the OCIO, we provide centralized policies and standards and the tools to assist ministries. For instance, the health information systems…. We have the representatives from the Ministry of Health here. A lot of that work also works in the health authorities themselves.

We provide the policies and standards. The ministries are obliged to follow those, and we work with them to ensure their compliance. So there is a connection, for sure. But the individual decisions about who gets access to a health system — made by the Ministry of Health.

S. Bond (Chair): Ralph, there are representatives here from those three that you actually just mentioned. So if you did have a specific question, they’re more than able to respond.

R. Sultan: Well, it’s obviously a very sensitive issue. I’d be very interested in hearing directly from the Health officials on how well they are securing the data.

S. Bond (Chair): Sure. Just come up to the table and introduce yourselves and perhaps give us a bit of an overview in terms of the protection of the information. As MLA Sultan points out, it’s a pretty important database that’s under the Ministry of Health.

C. Barclay: Good morning. I’m Corrie Barclay, the ADM for the health sector IMIT.

J. Aitken: I’m Jeff Aitken, executive director for the IT services branch in the Ministry of Health.

C. Barclay: I’m going to just pass to Jeff to give a quick overview of the health information systems that actually are accessed through our IDIR accounts.

J. Aitken: It’s actually a fairly short answer because there really aren’t…. The IDIR accounts that we did…. The focus of the audit is really about the Ministry of Health getting access to corporate applications and services.

Our collaboration tools are email services, things that Citizens’ Services and the OCIO provide for us. Most of our health information comes into the Ministry of Health through our health insurance programs, for MSP and for PharmaCare. It’s contained in other applications and databases, which are secured with multiple other credentials and act as a provision, through other processes and through other teams, beyond what Citizens’ Services and the OCIO provide.

It’s not possible to access personal health information with just your IDIR account, in short.

R. Sultan: Well, we have had representations from Vancouver Coastal Health Authority — I’m speaking of my own little world on the North Shore — where they describe, with a degree of pride and enthusiasm, their health information system goals and ambitions. They’re a little short on the accomplishment side, but we assume they are significant as well.

I asked the question: “So do you mean that my medical records, when I go and see Dr. Wayne Smith, my GP, will be on that centralized system eventually, as designed?” They said: “Oh, yes.” I thought to myself: “Well, lots of luck with Wayne.”

This seems to be the global ambition of the Health Ministry — to centralize all medical records for all three million or four million or five million…. Or however many people we have living in British Columbia right now.

[9:15 a.m.]

Does that fall within your domain? Does it raise — I’m sure it must — all sorts of security issues?

C. Barclay: I can take a crack at that.

Right now each health authority is accountable for managing their own identity access management program. The Ministry of Health is very interested in an enterprise-wide, a health sector–wide, authentication program. So we’re working with health authorities right now on a strategy and an approach. We’re looking at the services card, because that has a high level of authentication, and moving providers and, eventually, citizens on to that level of authentication.

R. Sultan: I guess a final question, Chair.

We’re talking gov systems here, not Leg. systems, I presume. Of course, we frequently have these fisticuffs in question period about use or non-use of the Leg. system. I guess I’m confusing gov and Leg. here to some degree in my own mind.

Again, that’s a separate world, I guess, that you folks have nothing to do with?

J. Kot: That’s correct. These are gov systems that we’re talking about. The Leg. systems are handled separately.

R. Sultan: Well, who’s worrying about Leg.?

M. Dean (Deputy Chair): Kate.

K. Ryan-Lloyd (Acting Clerk): That would be me.

S. Bond (Chair): Look to your right.

K. Ryan-Lloyd (Acting Clerk): Yes. Thank you.

We do have a Legislative Assembly information technology branch that helps manage members’ technology needs, including all mobile devices. With respect to any questions with respect to security of those devices or other practices, I’d be happy to follow up with members.

S. Bond (Chair): If the committee can just indulge me. I usually wait till the end, but since Ralph’s brought this up…. As we listened to this conversation, it is just a very layered system where there are a series of expectations and standards, which is what the audit points out. For example, we have people on the Legislative Assembly side. We have people in Health making decisions. We have all kinds of people all over the place.

I think it’s an important point, to build on Ralph’s, that it is hard at times to have confidence when there are so many layers of decision-making built in. For example, we just heard from Health that now it’s even one layer down, where it’s health authorities that have responsibility for how they manage their systems.

Is there a sense of general oversight, a place where all of these things interact? If you just listen and you follow the questions that Jane and John and Ralph have asked and Kate’s responded to, we have all kinds of people making decisions about the security of people’s personal information. Who is the keeper of the overarching standard that ministries, agencies — whoever — are expected to follow?

C. Ritchie: I can answer that, Madam Chair. As the government chief information officer and the office of the CIO, there is an overarching role and responsibility for the government chief information officer to provide standards and policy and framework that guides the work of information management and information technology, not only for core government but for broader public sector. More broadly than that, I work with my colleagues across Canada to think about how we think about the interoperability between jurisdictions.

There is an overarching layer and framework to how all of these things get connected and the policies and standards about what “good” looks like. As technology evolves and as we contemplate a public sector that wants to embrace and use modern tools for service delivery for our citizens, the OCIO and this role, in the government chief information officer, are responsible for ensuring that there is a clear path forward and a framework of rules and policies and standards and guidelines that all of the public sector will adhere to.

S. Bond (Chair): So absent an audit by the Auditor General, who monitors on a regular basis? The audit points out there is inconsistency in ministries. We have five here today, and I’m sure there were different levels, as the audit points out, of compliance. In fact, it says that there are non-compliant ministries, and we’re working to fix all of that.

For example, in the case of Health, who monitors the health authorities? You set the framework, which is encouraging, but who then is responsible for monitoring the compliance side of the equation?

[9:20 a.m.]

C. Ritchie: Thank you for the question. There are compliance roles within the OCIO. You’ve heard from the chief security officer this morning, who has an overarching role and responsibility for security. There are other compliance roles, as well, in the OCIO as pertain to privacy and information management. There are a number of places in the OCIO that monitor on a regular basis where we have vulnerabilities in the system and are actively watching for those.

S. Bond (Chair): So in the case of health, is the Health Ministry, then, ultimately responsible for the health authorities — monitoring, feeding that information up? Or is it the chief information officer’s office?

C. Ritchie: I think there is a role for Health in that, for sure. I’ll let Health answer that portion. But we are also called upon, in the OCIO, to provide advice and support and compliance if there’s something like a privacy incident or a security breach or something like that. But we do work hand in glove with the ministries, and the ministries definitely have a role in providing oversight to those health authorities.

S. Bond (Chair): Is every ministry, then, responsible for looking for security breaches across their ministries or agencies?

G. Perkins: With security in government, we are responsible for monitoring for core government and agencies. Because the health authorities are not on our network, we don’t specifically monitor for theirs, but it’s really important for everybody to understand that security is everyone’s responsibility. So it’s critically important, as identified in the audit, that these groups understand the roles and responsibilities and who is responsible for what. My understanding would be that the health authorities are responsible for the security of their information, but again, I will defer to Health to speak to that.

C. Barclay: I would just echo that. Each health authority is accountable for ensuring that they meet the standards and the policies set out by the government CIO. We do have a chief privacy officer in the ministry, and we have a governance where she meets with all the privacy officers within the health authorities, and they’re continually sharing best practices and ensuring that all those policies are being met.

S. Bond (Chair): Jane, to this issue or others? We have a lineup here.

J. Thornthwaite: It was specific to Health, but….

S. Bond (Chair): Okay. We can come back to that. Health can just stay at the table. Thanks for letting me interject. Ralph often prompts further dialogue about these issues.

B. Ma: It was touched on a little bit earlier, but I was picking up on when Jane was talking about her government phone, and I just want to make sure that it’s clear on the record. MLA phones are LASS phones, which are Legislature phones. They have the separate security protocol, separate encryption protocol, separate end-of-life processes, and so forth. It’s totally separate from IDIR, which is the government phones. Some MLAs who have government roles will have both a LASS phone and LASS account, LASS security protocols, and so forth on their phone, and those with government roles may also have a government phone, government device, IDIR account, and so forth, to be clear.

Jane’s phone is probably a LASS phone, in which case, if you needed help with the security protocols and that, that would be the IT over at the Legislature. I think Ralph picked up on it as well. It gets confusing, for sure. I know that one of the challenges with having so many systems, as you identified, Chair, is that with every single one having a different security protocol, interoperability becomes really challenging.

I know that when I first started, for instance, I was trying to get my IDIR calendar and my LASS calendar on the same phone, and that’s not possible because one device can only take one encryption protocol and one security protocol, and they couldn’t work together, which is frustrating as a user. But at the same time, I understand the potential value that having multiple systems provides, as well, part of it being that security breaches are isolated from each other.

It’s not ideal, but at the same time, if everything’s on the same system, I can imagine a security breach kind of just reverberating through the entire system, and everything connected to it could potentially be at risk.

Is what I’m describing accurate of what’s happening here between those systems?

[9:25 a.m.]

J. Kot: Thank you very much. You’ve done a good job of describing the legislative phones and those who have government roles. That’s really helpful, and it’s likely that that was the situation.

Maybe I’ll just ask Ian to talk a little bit to the second part of the question in terms of when an event happens, how it gets contained.

Or is that better for you, Gary?

G. Perkins: Certainly. What you’ve spoken to as having different roles and having them segregated is not just to contain the impact of breaches. It’s just to contain the data from co-mingling and things like that, and making it easier for users. I get that it’s a little frustrating when they have to have two different systems, but as you say, there are often very good reasons behind that. It is true that if you did have the systems separate and the data separate, then one incident in one place wouldn’t as easily carry over to the other.

M. Dean (Deputy Chair): I just had a couple of questions for the Auditor General team.

Recommendation 4 asks for ministries to ensure that they develop and document ministry-specific procedures for the renewal of IDIR user accounts that have terminated.

I’m just wondering why there isn’t a kind of right time frame put into that recommendation. Or is there an assumption that the procedures would contain a time frame? If so, have you provided any advice to the ministries about what a reasonable time frame would look like?

To say something has to happen is fine, because someone can always turn around and say: “Well, I was about to do it.” I think it would be helpful for the ministries to know that if you’re coming back to re-evaluate whether that recommendation has been met…. Will there be some expectation around time frames being included in that?

D. Lau: I’m not quite understanding that with recommendation No. 4 there — that there’s a time frame.

C. Dover: I’ll start, and David, you can fill in.

When we issued the recommendation, we didn’t specifically state a time frame on that. One of the things that the ministry would need to work with is working with a number of…. Sorry. The OCIO is working with a number of different ministries, and it would take some time to make sure that each one of them were complying.

We weren’t just talking about the five that we audited but all the rest of the ministries as well. I think in the action plan is where the ministry had worked out what their expected timeline would be to be able to accomplish this, so we never put our expected timeline into the recommendation.

M. Dean (Deputy Chair): I understand in the action plan that they’re putting timelines for completing actions. I’d like to see that, in the ministries’ procedures that they’re going to make sure they’ve got, they have imposed timelines. So when you’re going to terminate a user, you don’t want to leave a…. If someone has left a ministry and you have a procedure that says that therefore we have to terminate their IDIR account and the timeline is within six months, well, that isn’t tight security. There would need to be a timeline that says “within 72 hours” or something that’s reasonable for the ministry but also meets the standards that I expect are being set in terms of security.

C. Dover: Sorry. I misunderstood your question. I thought you were talking about the implementation of the recommendation.

S. Bond (Chair): No. I think the question is: why wasn’t there a recommendation that made a specific suggestion about how quickly the cleanup needs to take place when a person is either leaving or is on leave. So just to press the point that it needs to be more instantaneous than….

D. Lau: We’re trying not to make specific recommendations. Really, we leave it to the ministry to make their professional judgment, the kind of risk that they would like to accept. Of course, the sooner the better once an employee has left, and the account should be disabled immediately. But there are a lot of reasons to leave it open for a few days or a few months because employees may not technically leave the organization. They could be still, maybe….

Let’s say, for instance, if I retire tomorrow, I still have vacation time, and I’m still considered an employee of the government. They may leave my account open but limit my access to something like my benefits — you know, payroll benefits, those kinds of things.

[9:30 a.m.]

We did not make that specific recommendation, because every ministry’s situation is a little bit different. In the Crown audit, the health authorities were having the same situation. Some of them left their accounts active for over a year, but they have good reasons for it.

S. Bond (Chair): Ian, did you want to say something, or were you just…?

I. Donaldson: Yes, please.

We’ve been working with the Auditor General on the timelines, and we’ve communicated rough timelines of when things will be done. For example, when an employee’s status changes from active to a different state, the PSA is committed to letting us know immediately, electronically, and we will immediately disable that account. So it will be in very short order there.

In addition to that, we have processes that we have already implemented to remove an account that has been disabled after a period of time. That has happened since the audit.

In addition to that, with the 30-plus organizations that we will have to work with, there’s a role for us to work with them to document procedures. The Auditor General has asked us to do that, and we have set a deadline of December 31, 2020, to complete that with all the organizations that we work with.

M. Dean (Deputy Chair): Thank you. That’s a bit more reassuring. I just don’t want us to come back in five years’ time with another audit or a follow-up audit and find that ministries haven’t set standards around timelines for actions that they’re expected to take.

It leads on to my next question, which is about recommendation 5. I’m just wondering how the Auditor General’s office would expect to audit ministries complying with recommendation 5. What kind of documentation would you be expecting ministries to create to demonstrate that they are in compliance with that recommendation?

D. Lau: No. 5 is getting to privileged accounts, the powerful accounts, and so on. It’s just that we noted that…. When we are doing a financial audit, we also look at user accounts. We also, specifically, look at privileged accounts, which are more powerful accounts, and so on.

During that audit, we want to make sure that privileged accounts are being monitored on a consistent basis. But with this audit, we looked at the five ministries, and some did, and some didn’t, so we felt that it is important for the ministries to consistently review these more powerful accounts on a regular basis. That’s all.

M. Dean (Deputy Chair): Sorry. I understand all of that. So some ministries did, and some ministries didn’t. Where was the documentation that showed you the ministries that did? Just having a process in place…. It’s easy to point to procedure and say: “Yes, I have this procedure.” But how is it demonstrated to an external person coming in and evaluating? How does this translate into action? Where are the records that…? That’s how we can audit these things. There needs to be documentation to show: this was how we fulfilled this procedure.

D. Lau: What we did is we sent out questionnaires and asked the ministry to respond to us and show us the documentation of how they monitor those accounts. When they provided information, some of them very clearly had been monitoring. Some of them were not clearly identifying them — that they had been monitored. Sometimes they may say that they did, but there’s no evidence. We like to see them document clearly that they have reviewed those accounts.

The information they provided to us…. Some were very clearly documented; some weren’t. But as the auditors, we always like to see written evidence.

M. Dean (Deputy Chair): The ministries who weren’t compliant — have they been given some guidance about (1) how to do it and (2) how to document it?

D. Lau: I don’t know whether it is specific guidance, but it definitely is in the standard that it requires them to do so. Yeah.

[9:35 a.m.]

S. Bond (Chair): Maybe that’s a question, then, for the office of the chief information officer. The question is: related to recommendation 5, how will it be monitored so that there is an improvement in monitoring those privileged accounts, and how will ministries be held accountable?

C. Ritchie: Thank you, Madam Chair. I can state that starting the 29th of October, each ministry now receives regular reports that identify things like numbers of privileged accounts, for example, as well as things like how many contractors, non-expiring passwords and inactive accounts they have that they will need to verify. The OCIO is now working with ministries to apply roles and responsibilities, update their policies and procedures, develop and document specific ministry procedures and establish formal training. We’ll be monitoring the use of those reports, as well as the use of privileged users.

Going forward, the OCIO will be taking a more active role in ensuring there’s compliance with ministries following these procedures.

J. Thornthwaite: My question is just an interest question to the Ministry of Health.

One of the issues that came up a lot when I was Chair of the Select Standing Committee on Children and Youth and we were making recommendations to governments on how to improve the services for sharing information…. One of the things that is devastating, with regards to issues to do with personal health, is if a victim or a vulnerable person has to tell their story once, twice, three times, four times, five times, six times to whoever they come in contact with.

One of the recommendations that we put forward was a more centralized information system so that whoever came in contact with that individual actually had the background and didn’t ask the same questions. I know this happens a lot.

Appreciating what you said about the whole security issue and that it’s maybe not so good to have everybody on the same wavelength…. I’m just wondering if there has been any talk within the ministry about specific…. An example was that psychiatrists can’t even…. If they punch something in, in their system in their offices, they can’t even access their own records of themselves in the hospital. They can’t even access their own records. This was a significant problem for them, for obvious reasons, with the same little child right in front of them, depending on where that little child was.

I’m wondering if you could comment on that.

C. Barclay: I can start, and maybe Jeff can add. That is definitely a significant priority at the Ministry of Health and with the health sector — that longitudinal record and authorized access to information.

We have a number of initiatives underway to address that. We’ve established…. We call it interoperability standards for systems so that they can share information. We’re promoting those and working with the health authority systems to adopt those standards and monitor their conformance to those. We’re also looking at authorized access through what we call our CareConnect viewers — so providing providers authorized access to more health information for those patients.

That’s one of the challenges of our health system, certainly: the fragmentation of our information — first getting it digital, off paper, and then getting it shared to the authorized providers.

J. Thornthwaite: Yeah, because one of the issues that we also heard was between health authorities. So you happen to be in Vancouver, and you go to the VGH, but you actually live in Surrey, and all your records are in Surrey, or whatever. It became a real issue, in this particular case that we were talking about, for child and youth mental health.

I’m glad that it’s on your radar. Obviously, I personally would be interested in how that was going along.

J. Aitken: It absolutely is a huge priority for us. If you think about the system, it is fairly fragmented. The progress that’s been made has been focused on — at least individually — in a health authority, implementing new modern clinical information systems there and getting physicians, just within that health authority, to access the data about the patients that are entering into those health systems.

[9:40 a.m.]

After that, a lot of focus is about cross-health authority information-sharing — as Corrie mentioned, CareConnect. Health authorities are starting to put key clinical encounter information into one location and making it accessible to care providers. That’s a positive step forward.

The next thing is around community physician access. How do you allow those family doctors and specialists in the community to access this information? That’s where a lot of the standards that we need to develop to support that kind of interoperability come into play.

Vancouver Coastal is taking a leadership role in deploying CareConnect, which had previously just been used in an acute care setting, to allow community physicians now to access that information. The future would be to also allow community physicians, if they had a care summary…. If a patient has presented in emergency, we want the ability for that emergency room doctor to put out a query to say: “Is there anything about this patient that I need to know to deliver the best care to them?” That’s the capability we’re trying to implement now, but that will probably be a year or two down the road.

R. Glumac: I want to get back to something that Bowinn was talking about. We are one government. We have people in the roles of government in non-government roles, but we are one entity. If I was starting a company and there were two specific, very different kinds of roles, but they shared a lot of common attributes, I would not create two different ways of doing things, I don’t think, unless there was a real difference in the two ways that necessitated that.

I want to understand why we have two different systems. Is it because of just inefficiency of government — that there are two silos, and everyone did their thing differently? Or was there actually a conscious choice to do this? It does seem counterintuitive in a lot of ways. It seems inefficient in a lot of ways. It doesn’t serve, I think, the people in the system that have both roles. So I would like to understand, if anyone could touch upon it: was this a conscious choice, and why?

C. Bellringer: Just as a bit of a background — it’s not going to be reassuring — there aren’t two systems; there are 150, give or take. Every Crown organization, every school district, every hospital…. You could go through the whole list of everything that makes up government. Each one is going to have its own system.

Assuming the two being within core…. Core government has a single system, in effect, and the Leg. Assembly, as a different branch of the structure, has its own system, which would legitimately be the case because it’s not part of government and has to be separated out just in terms of the privilege of the assembly.

As a background comment, I often have reflected…. This is not just recently; this is over many, many years. I am actually often surprised by the extent to which practices in general are very different within a Crown organization than from within a ministry. At the end of the day, it’s the same taxpayer, the same user, the same citizen of the province.

I would love to see more consistency right across the board in every aspect of every government operation — to say: “If it’s good enough for this organization, it should be good enough for that one.” But practically speaking, it is very difficult to do. Philosophically, I certainly don’t see the differential quite often. But anyway….

Sorry, that was just my last chance to sort of remind everybody that 80 percent of operations are now occurring outside of core. So when we have good, strong controls that are defensible and keep people out of political discussions because the core is strong, make sure that all the agencies within the ministry control are equally as strong.

[9:45 a.m.]

S. Bond (Chair): Just before Rick continues, I think that’s an excellent summary of the concern we’re expressing here. It’s exactly that — that you can have all the highest standards in the world, but if there is a lack of consistency in how they’re applied…. We have just a multitude of different systems here. Everybody has their own IT person. They have their own security person. They have their own standards. They have their own practices. That is not something that gives us a lot of confidence, as Rick is pointing out. So I think we appreciate the way the Auditor has captured that.

Did anyone else want to respond to Rick’s question before he continues?

J. Kot: Maybe I’ll just make the comment. I mean, we have laws and things that would prevent us from going there, so there would be a legislative reform that would have to happen. My one kind of immediate in-my-world example I’d use would be the Freedom of Information and Protection of Privacy Act, which applies to government organizations, but it applies differently. There is but one example. In fact, the systems part is probably easier than some of the legislative things that would need to be addressed.

In the core government, though, yes, there are multiple systems. I think we’ve got a very effective way in core government of working together. I will say, in B.C., there are some core components that we have that are enterprise solutions, such as our services card, such as the fact that we’ve had a single financial system for 20 years. We have a single payroll system in government, and the federal government is still struggling to put in a single payroll system. We’ve had that for more than 20 years.

So I think, although it seems like a lot, there are some of those core components that are used consistently across government that actually put us in very good stead. In speaking with other jurisdictions, many of them are completely in envy of some of the things that we have in government.

S. Bond (Chair): I think that’s good context.

R. Glumac: I completely understand there’s a difference in freedom-of-information requirements and things like that. But the systems that we use have a set of features, and you can utilize certain features of them or not utilize certain features of them. You could use the same system for government and non-government people.

The problem, like what was discussed earlier around…. All our Crown corporations and every other entity has a whole different way of doing things. It’s definitely a very big issue, I think. But what’s different about people in our role, for example, as MLAs, is we are both of those things sometimes. We are sometimes a minister, and we are also an MLA. As Bowinn mentioned, because we are both and there is no connection between the two at all, it makes things difficult. We need to look at calendars in the same place, things like that.

It seems unnecessarily difficult. And I don’t know that there’s anything…. I’m just trying to understand. You say that there are changes in laws that would be required and all that, but can’t we use the same kind of system and use features of it in one case and not use features of it in another case? Use the same system but a different database for government and a different database for non-government — so they don’t connect to each other, but it’s the same system.

The people that work in government and the people that work in non-government are familiar with both systems. They can go between the roles, even if they don’t cover both. Their knowledge is transferrable. Everyone doing different things and having different skill sets just does not seem to be very efficient. That’s my question. Is there anything that’s actually preventing us from using the same system, acknowledging the fact that they have to be used in different ways for different roles?

I. Donaldson: I apologize in advance if I speak anything technical. Underpinning both systems is the same system. We have the ability to federate systems, and we do it fairly often with some of our partners.

[9:50 a.m.]

If there are different security protocols in one system versus another, that may limit us in the degree of interoperability that we can have. In particular, the IDIR service and the service that is used in the Legislative Assembly are fundamentally the same underpinning ones. Recently we did things such as federating our networks so that when someone goes into the Legislature, you can get government Wi-Fi, and things like that.

We are moving in that direction. There are various degrees of what you can do, depending on the security protocols and the degree of interoperability that is desired.

K. Ryan-Lloyd (Acting Clerk): Members may know that the Legislative Assembly currently budgets for and provides, manages and supports members in terms of their Legislative Assembly devices, whether it is a laptop or devices in your constituency office, including telecommunications. On a four-year cycle, in conjunction with the general election calendar, we also undertake a needs assessment — for members’ information needs. I was thinking about the opportunity to plan towards that in the year ahead.

I appreciate very much the perspective of members and the need to have a seamless system of supports. Bowinn’s example about the calendar is a very good and tangible example for us to keep in mind when we do technical planning for the needs of the new parliament. We tend to involve members from each caucus in those discussions. I really very much welcome your input and thoughts, and we’ll keep everyone apprised of progress in that area.

Currently the network systems are quite distinct, as has been discussed here. Of course, we have our own domain name. We have our own network administration, hardware and software protocols, etc., but we would strive very much to meet or exceed the standards that have been set by core government in this and all areas of management.

Approaching the new parliament, I would like to be able to ensure that members, regardless of where they access these services, through Legislative Assembly devices, have the same level of support and user experience regardless of whether or not you’re accessing those in your constituency or in Victoria within caucus offices.

That is a goal. That is the vision. We haven’t yet made it device-neutral. I know some members have been using Apple products, for example, and others have been retaining the PC model. As we go forward, that is the vision. We’d be very happy to work with members to make sure that we can improve those services in the new parliament.

S. Bond (Chair): Thanks to Bowinn and Rick for bringing those forward. I think that it will be helpful to continue that dialogue with the Clerk, as that work is done. I think that’s another good outcome.

Ralph, over to you.

R. Sultan: A final question for the Auditor General.

The action plan and progress assessment for the implementation of the audit recommendations from the Auditor General pertaining to the internal directory account management audit released in August of 2019 — under recommendations 2, 3, 4 and 5, which concern such things as documentation, training, investigating procedures, IDIR user cleanup, and so on — refers, in each of those four boxes, to non-compliant ministries. Now, that’s a provocative statement. I presume it would not refer to non-compliant ministries if they didn’t exist.

My question is: appreciating the sensitivities that may be involved but also recognizing this may be the last kick at the can for you, are there some flagrantly non-compliant ministries that you could identify for the benefit of this committee?

C. Bellringer: I’ll actually reference page 15. We did decide to provide a chart that outlined, with all of the areas we looked at, how each of the ministries we audited specifically, and their agencies, fared on each criteria. In the recommendation, we referenced non-compliant, but it’s everyone in that chart. Where there’s a no, it becomes a non-compliant ministry. It’s different by criteria. We didn’t keep repeating which ministries we are talking about.

[9:55 a.m.]

You need to go through the chart. Everywhere there’s a no, they’re not complying with that particular criteria. That would be something we would expect the monitoring to cover off — to make sure that that gets corrected.

Does that help?

R. Sultan: Well, just glancing at the table, it would seem that Finance has more noes than anybody else. Is that an accurate impression?

C. Bellringer: They also have more categories. Right away they will have more noes because there are five areas within Finance, in contrast to the others. But every ministry has a no somewhere. We didn’t balance it out and say: “Four noes make it really bad, and two noes make it not too bad.” Every no is bad, so every ministry has something to do to correct that, and the oversight over all of it is important.

R. Sultan: I interpret your response as saying that we have a challenge to pull up our socks across the board.

C. Bellringer: Those are for the ones we did the audit on. I have just as much of a concern right across the board. And I did hear a reference. Both within our recommendation, we’re saying…. I mean, there’s a direct mapping for you to say, “Here are some we’ve already looked at,” to go see if it gets corrected. For the ones we haven’t audited, there’s still work required to ensure that they, too, are not non-compliant.

So that would take a different…. I mean, when I say easy, it’s fairly easy to go through each no and then go back to the ministry and say: “Okay. We know what the audit criteria were. Have you done it or not?” It’s less simple to go through the other remaining ministries and do something without….

I mean, this takes a lot of time to do an audit at this level of detail, so we don’t expect the Ministry of Citizens’ Services to have the same amount of time multiplied by all those various other areas. So they will have to put a process in place to gain assurance, which they’ve identified that they’re doing.

R. Sultan: Thank you, Auditor General.

S. Bond (Chair): Just as a result of looking at that chart, because I’m sure others of us had questions, maybe we could ask the Finance representative to just give us a sense of the timelines for dealing with the list of noes that are related to Finance. Obviously, having been selected as one of the five because of the significance of the database…. Thank you to the Health representatives. We appreciate that.

Perhaps we can have H.B. here give us some assurance that those noes are being dealt with and perhaps a sense of the timeline for working on the noes.

H. Teo: Thank you, Madam Chair, members and members of the Auditor General’s staff. I’m H.B. Teo, the chief information officer for the Ministry of Finance.

I want to acknowledge and thank the Auditor General and her staff. Certainly, it helps shine the light on the practices within our ministry, and it helps us prioritize and move to a better level of maturity in our processes and in our practices.

I want to give every assurance to the members here that we do have a plan in place. Our executive has been briefed. They are committed. We do have a team that’s focused on making deliverables and making sure that there are improvements that will be effective.

Our plan calls for completion by March of 2020, and efforts are well underway.

S. Bond (Chair): Ralph, did you have any specific questions for Finance, or does that give you some sense of comfort that by March, they should be on track?

R. Sultan: It’s more of a nuance, perhaps. I’m trying to come to grips with what it is about Finance that stands out. I mean, why does it have so many boxes, for starters? Was that a whim of the Auditor General, or was there some logical reason that you seem to have been picked out for special categorization?

H. Teo: Yeah. I think it’s reflective of our lines of business and the fact that there are quite critical systems that a number of our branches manage — for example, in maintaining the general ledger for government and making supply payments as well as banking and cash management and debt-management functions. Those are critical for government, and there are dedicated teams that are focused on making sure that the systems are secure, stable and reliable.

[10:00 a.m.]

We felt that it may facilitate the Auditor General’s review just to make sure that the assessment of processes and controls are tailored to individual business environments.

R. Sultan: So we get to the heart of the matter. This is where the money flows. This is cash management. This is opportunity for draining off a few million here and there, where nobody notices if you have unauthorized access. Is all of that true?

H. Teo: We want to assure members that the right controls are in place. Our staff, our team are certainly dedicated, and security and privacy protection are paramount to our operations. We are absolutely committed to making sure that there are changes and improvements. There haven’t been any breaches on record, and that’s a reflection of the fact that our staff are dedicated. We’re working quite closely with the office of the chief information officer to ensure that, again, our processes are as tight as they can be.

R. Sultan: Well, we have other institutions in society which deal with large numbers of transactions and large sums of money, and they’re called banks. Do you think your security procedures are on par with what we would find in the best-performing Canadian banks?

H. Teo: We know that we are certainly focused on making sure that within government standards, as well as to a higher standard, we meet or we exceed. That is the information security policy. We do have controls and provisions in place. For example, the Auditor General has found that there are practices that are consistent with the information security policy, including separation of duties and dedicated resources to make sure that accounts are well managed.

Where we are lacking is the fact that our processes may not be as formally documented as the standard requires, and that’s something that we are working towards.

J. Yap: One of my questions was what Ralph just asked, and that was….

R. Sultan: Yeah. This was John’s question, actually.

J. Yap: I could not have framed it as well as Ralph did. Thank you, Ralph.

I do have another related to information. I do understand that in core government, IDIR is the main communication and technology system. However, there are other systems out there that most people, including civil servants, will have access to. On your phone, you can access text, Messenger, personal email, WhatsApp, WeChat and many others.

I understand that in the guidelines of conduct and the oath of office of all public servants, when you’re doing business, you use government systems. We’re obliged to do that. However, we live in a world where it’s not a perfect world. From time to time, people may be rushed — or for whatever reason — and might use one of these other applications that are available, whether it’s WhatsApp, WeChat, text, Messenger or whatever.

Are we at a point now, given the diversity of opportunities for these freely available systems, for the Auditor General to do some kind of a check-in to see…? This may be more of a human resource issue, but it’s still dealing with technology and how our public service are discharging their duties. Maybe it’s more of a concept question. I know this audit was on IDIR, but in the world of systems, technology, communications, there are all these other applications that are freely available.

[10:05 a.m.]

C. Dover: Right. I mentioned earlier that we did do some work on mobile devices. I think that was about a year or 1½ years ago that we produced that report. In there, we looked at some of the specific risks with regard to the applications and the technology that can be used within those mobile devices.

It’s something that we have to be very vigilant about going forward. It’s something that will probably come back to our coverage plan as the technology changes. So the stuff that we looked at a couple of years ago…. It might be very, very different technology coming a year or two years from now, and we’ll have to go back and revisit that to see if those new risks are actually being managed by government.

As for how government is managing that, I’ll let the OCIO speak to that.

D. Lau: Can I echo, too, Cornell? You talk about different systems. That makes our job very challenging as IT auditors. Every time we walk into a university or health authority or government and so on, they have different systems. How do we audit them? I think the first thing we always look at is: do you have policies? Do you have standards? Those are the ones that really dictate how the process is dealing with different systems. Those are the core things.

That’s why, in this audit, the first thing we asked the ministries was: do you have standards and policies in place? They did. The problem is that the ministries are not interpreting consistently and also interpreting the process consistently. That’s what we found. Regarding this audit as IDIR, let’s take this building as a scenario. IDIR is really the main door coming into this building, whereas the applications like the CAS and so on are really in this room here. So if you terminate the IDIR, stopping people coming in, technically you can stop people coming into this room here.

What we found in the audit is that a lot of them terminated at the entrance to this room, but they left the main door open. That reduces the risk. Although you come in, you’re not able to come into this room here. Back to Ralph’s comments about CAS, all money going in and so on. They can come in the main door, but I think CAS and provincial treasury have very good application controls to make sure that even when you come in this door, you’re not going to come in this room here. I think that gives you some comfort, but that’s another topic to audit, application control and so on.

Also, I want to echo Cornell’s comment responding to John about if we’re going to expand our audit to audit Crowns. Although we only looked at five ministries, we’re hoping that the rest of the government will take note about these audit findings, so the broader government also. We cannot audit everybody. We don’t have the resources. But we hope to take these five ministries as an example for the rest of government to say: “Yeah, there’s something we can learn from it.”

S. Bond (Chair): All right. I just have a few last questions. We appreciate the time that everyone has taken, and I appreciate my colleagues and their lines of question. I think it’s important to put in context the fact that the audit did point out that there was good work being done and that there’s a solid foundation here. I think that’s an important thing. It’s not like we’re completely lacking a framework or follow-up. I think that’s important.

The audit also acknowledged that the cleanup work started in 2018, so there was actually an effort to begin to deal with these issues even prior to the audit being released. I think that, in and of itself, speaks quite clearly to the fact that people understand there’s more work to be done.

I just want to walk through a couple of the findings on page 23 of the report, just to make sure that we have a sense of where the action plan is headed on these pieces. One of the bullets notes that the audit found 712 IDIR account users on leave who still had enabled IDIR accounts. If you look at the breakdown by year, in 2015, there was one, and in 2018, there were 634. So something happened between 2015 and 2018.

Can someone address what’s been done to deal with people who were on leave? There was a significant jump. What is the plan to deal with that?

G. Perkins: As mentioned, the cleanup started in February 2018, where we went after inactive accounts. That would have eliminated each one of these cases that’s showing here.

[10:10 a.m.]

As you can appreciate, when we look to integrate with the PSA’s employment database, when an employee is no longer active, in that they’ve resigned or were terminated, the case to get rid of their IDIR account is quite clear. But we can’t rush to a judgement if a person is on leave. For example, if they’re on maternity or paternity leave, we still consider, from an employment perspective, that they are employees of government. They are still bound by the code of conduct and the policies and standards that apply.

I’m not in a rush to eliminate the accounts of people that just simply need to be able to access their benefits and things like that. As long as they are an active employee in government, in the employee database, and I would include on leave….

That is certainly a discussion that we’re having with the PSA. That is part of our recommendation 6, where we are working with the PSA. We’re going to start with the ones that are terminated and resigned. Those folks will have their accounts eliminated immediately; they will be disabled. Then we’re going to look at each one of the leave cases to determine, from a PSA perspective, should that person continue to have an IDIR account or not.

But yes, in each one of these cases where the person was no longer using their account, they’ve been remediated since.

S. Bond (Chair): Okay. So we’re dealing with that number. I understand the need to not rush to make that decision, but on the other hand, there are risks associated with leaving those accounts active, and the audit pointed that out very clearly. So I think it’s important that it be addressed. I get the issue that you don’t necessarily do it immediately.

Speaking to not doing it immediately, if you follow the rest of the findings, the bottom of that page points out that there were 738 accounts that hadn’t been used since 2009. I would suggest that’s certainly not rushing to cut people off. We’re talking about ten years here. Has that been rectified? You’ve said that you’ve worked your way through these. Has that been dealt with?

G. Perkins: Absolutely. That is exactly the core of the clean-up exercise that began in February 2018, and each one of these has been addressed.

S. Bond (Chair): Okay. That’s great. That’s encouraging.

Back to page 15 and Ralph’s famous chart here with the noes and the partials. The line that concerned me the most was the very bottom one, where not one of the five ministries got a yes. That is: “Formally reviewing employees’ and contractors’ IDIR access rights at regular intervals to ensure their access rights are current and valid.” Not one ministry of the five that were reviewed actually does that. Has that changed? Is there now an expectation that not just these five ministries but every ministry in government does a regular review to make sure that their users are current?

J. Kot: I’ll take that one. From the OCIO’s point of view, we actually have developed reports now that help with that process. It’s one of the areas, in my view, where we hadn’t provided all the necessary tools to do a really good job of that. We own that. We have started that process in terms of providing reports.

Certainly, the ministries that were part of this audit are very aware and working on it. The work that we need to do going forward is to work with the ministries that haven’t been part of this review — working with them in terms of laying out what the expectations are, providing the reports to them and ensuring that they’re following up.

So yes, there’s absolutely an expectation. That would be part of the scope that we expect to have completed by December 2020.

S. Bond (Chair): Okay. Just two final points. One of the key messages from the audit is the fact that there is a lack of understanding regarding who does what and who is responsible for what. I think CJ addressed that in some of her remarks — that there is a more intentional effort to make sure ministries know what they’re responsible for.

The overarching responsibility…. Obviously, the chief information office has that responsibility. But because there are so many, as it was described, systems and users and all kinds of things, it is essential that people understand who is responsible for what. Joint accountability means no accountability, and when you look at the chart, that’s what has happened in some of these situations. People aren’t sure who is supposed to be doing what.

[10:15 a.m.]

Is there an intentional strategy now for making sure that ministries — all of them; not just the five that are here today — understand what their job is? You’ve noted that there have been new tools put in place to hold them accountable. Could you just assure us that the main effort here is to have people understand what their job is and then the follow-up to make sure they’re doing that?

J. Kot: I’ll ask CJ to speak to this, because I’ve spoken to her directly about this: what is the plan to make that happen for sure?

C. Ritchie: Yes, our plan includes documenting the roles and responsibilities, documenting procedures, providing formal training and then providing the tools and the follow-up to do the compliance exercise. The OCIO is taking a very active role in that. So the answer to your question is yes.

S. Bond (Chair): I think that’s the key message. You can hear it from all of my colleagues. We have a framework. The issue is: how does that translate to the people who actually have to put that in place to protect and to ensure the integrity of the system? We have a chart that shows that….

It’s no one’s fault. It’s just that an audit has pointed out that we have five ministries that are, in essence, non-compliant, which would mean that, very likely, that extends across government. It doesn’t mean that there are not processes and policies and procedures in place. It’s just that they’re not being documented or monitored in a way that at least the Auditor General thinks is necessary.

I think we were all pleased to hear that you’ve expanded that thinking to not just five ministries, that it will work its way across government. Is that fair to say — that this is a template for looking at a cross-government approach?

C. Ritchie: Yes, our plan includes not only the five ministries that were included in this audit but an additional 15 ministries and 13 agencies.

I mentioned before the training. Just for a point of clarity, that is mandatory training, so it won’t be optional. Like the privacy training and other training that the OCIO provides, the training with regard to the IDIR account management will be mandatory for all ministries and agencies.

S. Bond (Chair): Thank you for that, Jill and CJ.

I guess my last comment is just that, you know, we had five ministries that were audited. I think that for the committee’s benefit, it would be very good, in the action plan, that we have a sense…. We’ve heard now from Finance that their goal is to reach their targets by March of 2020. I think it would be important for us to know what the timelines are for all five ministries.

We can either have that sent back to us as an additional page or added to the action plan. The only way we’re going to see this change is if there are timelines and accountability that extend down into the ministries. It would be good for us to know what the plans are for each of the five ministries in terms of meeting a timeline. Would it be possible to have a sense of that?

J. Kot: All of the representatives here today have a plan and a timeline. We could ask them to speak to it today if you’d like, or we could provide it afterwards.

S. Bond (Chair): I think providing it afterwards is fine.

J. Kot: Okay. We will.

S. Bond (Chair): We can add it to…. It will just be one of the follow-up items of the committee. We appreciate the fact that they’re here today and the fact they have a plan, but I think, from our perspective, our goal is to make sure that the follow-up…. We know the ministry and the office of the chief information officer have taken this very seriously, and we appreciate that. We just want to make sure that that translates down to seeing a formal timeline that we can hold ministries accountable to. I know you will be, and we will be, as well, as a committee.

Are there any other comments from my colleagues?

We thank you very much for your time, for the answers that have been provided. Thank you to the Auditor General’s staff for their work.

With that, we’ll do a quick shift. We’re going to be moving on to a second report, so we’ll take just a five-minute break while we make that change.

The committee recessed from 10:18 a.m. to 10:34 a.m.

[S. Bond in the chair.]

S. Bond (Chair): We are now going to consider a report that was presented in August 2019. It’s consideration of the Office of the Auditor General’s report Executive Expenses at School District 36.

[10:35 a.m.]

This morning we’re going to have Deputy Auditor General Sheila Dodds, who will make, I assume, some opening remarks about the report. We’ll introduce the staff who are here to present, and then we will have the Ministry of Education and the school district provide a response before the questions come from the committee.

With that, we’re going to turn it over to Sheila for her opening comments.

Executive Expenses at School District 36

S. Dodds: Thank you, Madam Chair, and good morning. Good morning, committee members. Thank you for the opportunity to present the summary of the audit report on executive expenses at Surrey school district 36.

I am not accompanied by any of the audit team members here today for a variety of reasons, including a retirement, a departure — somebody went to join the Ministry of Finance — and some prior commitments.

In this audit, we looked at employer-paid executive expenses for 11 senior staff in the school district. Specifically, we looked to see whether expenses that the school district paid on behalf of executives complied with district policies and followed the spirit and intent of government core policy. This is our second audit of school district executive expenses, and in May 2018, we reported on a similar audit of executive expenses for school district 61 in Victoria.

Overall, we found that school district 36 is doing a reasonable job managing the payment of executive expenses. Its financial records were complete and accurate, and its public disclosures of executive expenses required by the Financial Information Act were also complete. While payments were appropriate, we did find two deviations from government’s expectations. The first was that the district is taking on financial risk for some executive expenses, and the second was that the business rationale for some of the expenses wasn’t always clear.

The first deviation, as I mentioned, is taking on financial risk for some executive expenses. School districts establish their own expense policies, but they’re also required to follow the spirit and intent of government’s Core Policy and Procedures Manual. That core policy states, and typical practice is, that employees should be paying for their travel expenses first on a personal credit card or an employer-issued travel card and then get reimbursed by the organization.

Instead of using a travel card or a personal credit card, district employees are given a corporate purchasing card to use for their work-related expenses, and employees regularly charge travel and meal expenses on these purchasing cards. The district is responsible for directly paying any of the expenses incurred on the purchasing cards, including any travel. This was the same practice that we saw at school district 61 last year.

Another difference between the school district’s policies and government’s core policy that we identified relates to per diems. A provincial employee travelling on business for a full day — there are rates for groups 1, 2 and 3 — can claim up to $51.50 a day for meals and incidentals. With school district 36 policies, that per-diem amount is $75 a day.

The core policy contains guidance about the time of day that employees must be away from their place of work in order to qualify for these per diems, and currently the school district’s policies do not include any such guidance.

The second deviation from government’s expectations was that the business rationale for some executive expenses wasn’t always clear. For example, we found that expenses for meals provided during meetings didn’t always include an explanation about why the meeting was held during the meal time, the purpose of the meeting or the meeting attendees. While school district 36 policies did not specifically require explanations, this is a requirement under government’s core policy, and it would help to ensure that district-paid meals are appropriate and supported. This type of detail would allow the district to analyze that type of meal expense over time.

In this report, we provided the school district with two recommendations to strengthen its policies and management of employer-paid expenses. One of the recommendations was around aligning its policies more closely to government’s core policy, and the second was around ensuring enforcement of its own existing policy requirements for employees.

On behalf of the audit team, I just wanted to thank the school district for their time and their support and cooperation during this audit. That concludes our presentation.

S. Bond (Chair): Thank you very much, Sheila. Especially since you don’t have a member of the audit team with you, we appreciate your summary of the work that’s been done.

[10:40 a.m.]

With that, we’ll turn it over. We are very appreciative, once again, of having the deputy minister. We’re two for two today, and I think that’s a really important shift that we’re seeing in who’s attending the Public Accounts meetings on behalf of ministries.

Carl, if you could pass that along, it’s much appreciated by the committee.

We do have the deputy minister, Scott MacDonald, with us, who will, I think, do a presentation on behalf of the Education Ministry. Then we will hear from representatives of school district 36.

Scott, over to you.

S. MacDonald: Great. Thank you. Pleased to be here today to provide our context here around this audit, which, of course, is the second audit which we’ve done with different school districts. Pleased to talk about this one in particular, so thanks for the invitation to be here.

Also joining me today, as you know: Jordan Tinney, superintendent of schools for school district 36 in Surrey, and Greg Frank, secretary-treasurer. Welcome, and thanks for joining us here today.

I will provide a short overview of the report. I’ve got a few slides I’ll run through with regards to that. I will also talk about the steps that we are taking, inside the ministry, to ensure that all school districts can benefit from the findings of this report and the report previously tabled last year. I will leave it for Jordan and Greg to speak to some of the more detailed work that’s happening in the district, which they’re doing in response to the reports’ findings and recommendations, so that will follow.

The other part of this, as I’m sure the committee is well aware of, is the dual responsibilities in our school system and the role that the ministry has versus school districts. It’s certainly important to understand that we provide a much broader context in the public school system of the whole education sector. It’ll be, really, up to the school district’s efforts around the specific management practices that they implement within that context and within that broader provincial framework.

If I can kind of move to the slides now, I’ll just run through very quickly some of the things. We’ve obviously talked about the purpose of the audit and some of the specific recommendations that we’ve seen around this — but certainly around employer, executive expenses around being able to comply with the school district policies; I think the theme you’ll hear today is being consistent with our government core policies that we have provincially — and then the overview of the recommendations.

I’ll spin this really very quickly and do the recommendations, the key findings that kind of came out as we’re doing this kind of stuff. I think that what’s found here and what we’re seeing is that, generally, we’re consistent with government core policy manuals. So I don’t think there’s anything that’s way out of line here. I think there are a couple of opportunities to make some enhancements. I think the first one here is that there’s an opportunity for the school district to more closely align its policies with our core policy manuals in the province. That’s pretty clear as we look at these things.

There are specific areas — be it employer-paid food for meetings, per-diem rates, time frames and use of purchasing cards, as examples — that came up. Then an opportunity, I think, for the school district to enforce its own policy requirements and their own process. I’ll let the district speak to those as they go through. The last piece that comes up is just the reporting that happens in the context of our Financial Administration Act and making sure that the entire broader public sector is compliant with those requirements we have provincially in that important act.

The responses around this. I think you’ve heard from the school district that submitted a response inside the report that they agree with the findings. They’re going to work to implement those recommendations, including the notion around purchase cards and managing the risk. I understand they’ve established an internal audit committee to work through some of these types of things, and the ministry also makes a commitment to ensure that we’re supporting the school district as they implement those things.

We at the ministry are also working across school boards and the school trustees association, school business officials. These are some of our stakeholder and partner groups that we work with provincially and finding ways in which we can share this information and ensure that the other 58 school districts around the province benefit from this work.

Specifically around some of the actions that we’ve done in response to this, things we’ve done immediately. I have a regular bulletin that I send out to all school districts. We’ve included information about this to all of them, a reminder that a government provincial purchasing card program is available to them and other things they can do around managing this thing in different ways.

Looking ahead, we are in the process now of creating a provincial policy framework. This framework would, of course, align with our core provincial policies and procedures, and it would clarify the financial planning, the reporting requirements for all school districts, with an overarching focus around greater transparency of all financial information.

We’ll also be clear with the provincial expectations that the funds issued to boards need to be prioritized around services to students, clearly, first and foremost; that we have transparent reporting of budgets and the decisions and also the reporting of the actual spending; and expectations around budget processes, including a role for local partners to provide input into some of those kinds of processes as we go forward.

[10:45 a.m.]

The other part of this. We’ll be coming up with a guidebook, as well, that will have some templates, some best practices around financial reporting and management. We’re joined here by Surrey today, which is our largest school district in the province, but I’m also very mindful that we have a very wide range of school districts, some as small as 154 students, in the province. Without the infrastructure…. They benefit from Surrey. I think there’s an obligation on the ministry to provide some of those guidelines, those templates, that we can use and provide to some of those smaller districts so they’re not proverbially reinventing the wheel to be compliant with our policy structures.

All this work is underway. We’re doing it in conjunction with school district staff and their new financial management advisory committee. I think I’ll leave it there, as we go, and I’ll hand it over now to the school district to provide their perspective on the findings of this report and talk about some of their next steps.

S. Bond (Chair): Thank you very much, Scott. We appreciate that. I understand we have the superintendent of the Surrey school district with us.

We very much appreciate you being with us today, Jordan. As you begin your presentation, if you wouldn’t mind introducing yourself and also your colleague, who is the secretary-treasurer, I believe, for the district. We just need your names on the record for Hansard. Welcome, this morning, and thank you for taking the time to be with us.

J. Tinney: Thank you, Madam Chair and members of the committee. I am Jordan Tinney, superintendent in Surrey school district, and this is my colleague, Greg Frank, secretary-treasurer. We come here today as the two senior staff members of the school district. For myself, I was previously in Vancouver school district and Comox Valley and, before that, Saanich school district. My colleague Greg has been in Burnaby and Nanaimo as well as in the private sector.

With that, Madam Chair and members of the committee, we’re pleased to be here today to speak with you about the report from the Office of the Auditor General and our policies and practices. We’re also pleased that the summary statement at the introduction of the report….

In the summary statement from the Office of the Auditor General, it reports that the expenses in the school district are well managed. I want you to know that we take pride in many of the aspects of the school district, most importantly around full disclosure. We believe that public transparency and accountability is important and that full disclosure is an important part of that.

While we have strong practices and procedures, there’s clearly room for improvement. We accept the recommendations, and we want to speak with you today about how those recommendations are realized, both in the short term and in the long term. We also acknowledge that the two expenses — for a dinner and an airport limousine service…. We want to provide assurances that not only were those items captured by our processes but that they were indeed reimbursed as part of our processes. We take very seriously the comment about the level of risk associated with the use of purchasing cards, and we’ll talk in our presentation, as well as other items that we will highlight.

We’re very proud of our school district and our district leadership team. Together we manage a budget of close to three-quarters of a billion dollars across 150 sites in the school district. We are, as you know probably so very well, a growing district. We currently have 14 capital projects underway. We’ve got a highly experienced board of education and a strong and collaborative governance structure, and we work very well. We are growing at the rate of about 100 students every month. That’s two large elementary schools a year. We’ll certainly have 75,000 students by next September, which makes us 50 percent larger than Vancouver.

With that, I’m going to turn the floor over to our secretary-treasurer, Greg Frank, who will walk you through the rest of our presentation.

G. Frank: We do have the report here, and I’m going to assume that I’m talking to it in the right order. We welcome the chance to be here to actually speak to the audit specifically.

I apologize. I think some of the front end of our presentation covers materials that others have covered. We did think it was important, however, that we do include everything in the school district’s report, so I do apologize in advance if we’re repeating some items.

As the superintendent indicated, we were pleased to see that the key finding included a statement that the district is doing a reasonable job in terms of managing our payment of expenses and that our financial records were both complete and accurate and our public disclosure of the expenses met all of the requirements of the Freedom of Information Act.

[10:50 a.m.]

We do want to acknowledge, though, as well that the key findings did include some areas of improvements required. The first that we’re highlighting here is that the expenses perhaps were not adequately supported in all cases. I think the main focus is that meals provided during meetings did not always include an explanation of why the meeting was being held at this time. I gather, in some cases, that the purpose and attendees were also not identified. As was highlighted earlier, the school district policies don’t specifically require that level of detail, but the intent is that it should require that.

The key findings also included the reference to the purchasing cards. The indication is that the school district is taking on financial risk for some employees’ expenses for their use of purchasing cards.

We very much value, I think, the work that the Auditor General’s office has done in this area, because it has had us go back and relook at the entire purchasing card area, beyond just our executive expenses, in the area of risk management. As was indicated, the Core Policy and Procedures Manual does require government employees to pay for travel expenses in advance and then have them reimbursed after the fact. We are required to follow the spirit and intent of that. However, as indicated, as well, school districts can establish their own policies regarding expenses.

The specific recommendations. Recommendation 1: align the school district policies with the Treasury Board’s Core Policy and Procedures Manual. The focus areas are in employer-paid food for meetings, maximum per-diem rates and eligible time frames, and the use of a purchasing card for travel and individual business expenses.

Recommendation 2: enforce school district 36 policy requirements for employees when making expense claims — specifically, claimant should consistently document details and the business purpose for activities underlying expense claims as well as the business rationale for holding it over mealtimes.

The school district’s response. As the assistant deputy minister referenced, we are responding and accepting the recommendations.

First of all, we want to thank the Auditor General’s office for the time that they have put into this. We very much appreciate their efforts, their audit and the recommendations coming out of it. We do appreciate the audit conclusion that we are doing a reasonable job and that our records are accurate and complete and have full disclosure, according to freedom of information.

We also want to emphasize that the district is committed to continually improving our controls and processes. We are committed to this, and we will be implementing changes to the policies and procedures to fully address all of the recommendations during this current fiscal year of the district.

What are we doing in response? We are currently reviewing policies and procedures and their alignment with Treasury Board’s Core Policy and Procedures Manual. The core focus of that are the issues identified in this report, but we’re actually going beyond that into other areas as well. As well, we’re reviewing our own transaction processing practices to ensure that the requirements of our policies and procedures are consistently enforced, that our documentation of details and business purpose of activities underlying expense claims are appropriate and that the business rationale for holding meetings during a meal time is there.

Then the use of purchasing cards with respect to business travel and meal expenses is under review. The focus of that looks carefully at the issues of risk, as it’s been identified, to determine how we can best meet those issues, in terms of the issues that have been identified.

Preliminary steps taken to date. We have, all through this process, kept our board of education informed. They are fully informed on both the audit process, as it was undergoing, as well as the results and the recommendations. I am pleased to report that the board of education has approved a plan and a draft policy to deal with the recommendations fully, as well as the draft policy around an internal audit committee, with external representation, to be in place during this school year.

[10:55 a.m.]

It is the intent, as an added item, to have this new committee also be tasked with the review of our reimbursement policies and procedures and to review our controls in this area to ensure we have consistent enforcement.

In terms of the audit committee, I can say that the board approved, conceptually, an internal audit committee to be established. It was back, I think, in April or May of this year. We have been working on policy. The board has now supported draft policy, and that draft policy is going to a public meeting next Wednesday for public information and then will come back in December for approval of the board — final approval. Then we look to be starting to populate our internal audit committee in January of next year and begin its operations.

Also on preliminary steps taken to date, as I’ve indicated before, we’ve initiated an internal review of our documentation and processing details, focusing on the audit findings. We’ve also engaged our external auditors to become involved. Our external auditors are Grant Thornton.

We have asked them specifically — and they are starting next week or the week after, in terms of their work — to review the OAG audit findings, review our processes and procedures, our standards, our policies. We’ve asked them to support us in terms of helping to identify specific recommendations at the detail level for us. We do believe it’s valuable to have our external auditors involved just for another level of independence as we sort of work through our processes to make sure that we end up with fully supportable processes from everybody’s point of view at the end of the day.

Preliminary steps taken to date. We have also initiated a review of our meal allowance rates based on an updated comparison of meal costs and comparative public sector data, including the CPPM rules. Just as background, our rates have historically been set in Surrey through a process which was last done just before I joined in 2015, where the district set its rates by going out and looking at three regular restaurants — looking at a standard meal and a 15 percent gratuity and non-alcoholic beverage — and established an expense rate based on what was believed to be a reasonable cost for meals. That was last done in 2015, so we’ll be updating that process.

But we also will be including now, probably for the first time, a comparison to the CPPM rates as well as the other public sectors. It’s interesting, when you start to drill into these things and look at the meal reimbursement rates. As was referenced, our daily maximum is $75. The Core Policy and Procedures Manual is $51.50.

But if you look at the individual rates that the Core Policy and Procedures Manual allows for breakfast, for lunch and for dinner, they very much mirror our rates in Surrey. The Core Policy and Procedures Manual is a slightly higher rate for breakfast than our policy, slightly less for the meals for lunch and dinner. If you add up the three of them under the core policy manual, they actually add up to $76 versus our $75.

The difference is the Core Policy and Procedures Manual includes a maximum for the day. So individual meal allowances can be charged, I believe, in the Core Policy and Procedures Manual consistent with what we were doing. But when we have a full-day expense together, our current policy doesn’t reduce that down to a lower number. That’s something that we do need to look critically at and respond specifically and deal with.

The last item on this page is the two exceptions. I think the superintendent referenced the steak dinner and the airport limousine. I just wanted to indicate that those have been reimbursed to the district.

Purchasing cards. We did want to provide a little more background on the purchasing cards, and not in any way to diminish the recommendation, because we do value the recommendation and there are real issues in there that we need to deal with, and we will. But we wanted to provide the committee with a bit of background on it. Part of that background is that there are — and the committee, I’m sure, knows this — some efficiencies of using purchasing cards to the employee but to the district…. That’s just a reality of the mechanism.

[11:00 a.m.]

The issues around risk are real. I believe when the district first put these in place a number of years ago and established a number of processes, they thought that they had been dealing with the risk adequately. This audit, I think, has reinforced the importance that we relook at that, but we did want to indicate what we’ve got in place currently around risk.

Currently the number of purchasing cards in this audit included the top 11 senior management team. Out of that 11, there were actually three cards in use. I apologize that the slide says two, but it’s actually three. So that option is there currently, under policy, for district senior employees to use it for this purpose. Three are currently being used out of that group.

We do have dollar limits on the cards. I believe that’s in place to help limit the exposure. We’ve also got a fairly robust process of educating the users, before they get a card, on what the purpose is, what the responsibilities are and what their personal liability is for these cards. Not only do we go through a fairly robust training program with them, we actually have each of them sign off acknowledgment of that at the end of it.

Lastly, we wanted to indicate that there is a rebate, actually, from the cards that the school district gets back, as well as — you probably know — an added rebate on those expenditures that goes back to government, because it is a joint program we’ve got in place.

What is our plan forward with purchasing cards? We will complete a full assessment of the risk as identified in the report. I think, as I indicated earlier, we plan to go beyond just the executive expenses, because we do use purchasing cards throughout the district. They are used for purposes such as senior educators purchasing learning supplies with them, facilities staff using them for buying maintenance items, etc. So there’s a number of them in the district. They in themselves create a risk in terms of the use of them at all different levels. We intend to go through and do a look at that, focusing, of course, on the audit and the executive expenses but also going beyond that to the other end of the spectrum in terms of looking at everything.

We will look at our measurements that we’ve got in place to try and minimize risk. We’ll see what opportunities there are to further enhance that. We’ll also critically look at the reality of whether we should be eliminating these altogether for executive expenses, even to the point of: should we even be eliminating them through the district because of the other risk items that are there? Or are some of those levels of risk appropriate to maintain?

That concludes our report. We’d be happy to answer any questions.

J. Tinney: If I can, maybe just one final comment.

We’ve also taken the contents of the report and met with our entire senior team around the findings of the report. I’m fortunate to be the chair of the Metro superintendents group as well, so we brought the report to all Metro superintendents at our last meeting. We went over the report, and we intend to follow up with the group again, because we’re still in process. Just to let you know the further communication we’ve had.

S. Bond (Chair): Thank you very much. We appreciate that very thorough presentation.

J. Thornthwaite: Thank you very much for your presentation. I have a question for the Auditor General first, and then I think Jordan just answered my second question.

Why target school district 36? What are the criteria for choosing a particular school district?

S. Dodds: Thank you for the question. School district 36 was selected because it is such a large school district. The first school district we looked at, school district 61, was a mid-size, medium-size school district. Surrey is, I think, the largest school district, and it’s growing, as Jordan mentioned, quite rapidly. So that was the intent there. Then the discussion on our first report was that we also wanted to look at a smaller, rural school district. So it was just really the size.

J. Thornthwaite: Can I just do a follow-up?

S. Bond (Chair): Yes, please.

[11:05 a.m.]

J. Thornthwaite: I understand that. So then, knowing that school district 36 was getting audited, I would assume that within the ministry or the superintendents group…. You mentioned Metro that you had a meeting with. My point is that if all the school districts in the province know that there was this audit done in Surrey, that these were the results, that there are inconsistencies with purchase cards and per diems — whether or not you can claim this, that and the other thing — I would hope that it would be a lesson for other school districts so that, ideally, there’s consistency across the board.

I know with us, with our expenses, we’re consistent across the board. I mean, obviously, we’re watched very closely in what we do as far as expenses. I’m just a little bit surprised that there seems to be so much inconsistency between school districts and whether or not, after you have accepted all of the….

You’ve done a lot of work. You’ve got an action plan to rectify things. I think that’s all great. But I guess what I’m saying is that…. Obviously, the Auditor General is not auditing every single school district, but I would hope that the knowledge and the work that you’ve done to rectify these discrepancies would be learned by other school districts so that the next audit that you do would find nothing.

That’s, basically, what my question is to the ministry.

S. Bond (Chair): Maybe before that response…. I appreciate Jane’s question. I had a similar one. The report actually uses the words that other districts are encouraged to read the report. Well, I would hope it would be more than encouragement, to Jane’s point.

Maybe you could…. I don’t know if it’s Scott that wants to address it. This is basically a template for, hopefully, improvement across the system. Is there an intentional strategy to look at this across districts?

S. MacDonald: Thanks for the question. I’ll certainly answer it. The answer is yes. There is a strategy and an intent to look at this across all 60 school districts.

I think the first comment to make is that there is a whole series of audits and other financial controls in place, well beyond just this particular process, that all districts are compliant to. We have our own internal audit process. We go in and review school districts around their compliance with provincial policy and those types of things. They all do financial audited statements each year.

What we found here is a report that says that for the most part, people are pretty consistent. We found a couple of anomalies, but there is nothing here that really stood out as a big, big challenge for us. That being said, there’s work to be done.

This report has gone out to all superintendents. I’ve sent that out myself, to everybody, along with instructions to take a look at it. I meet with all 60 superintendents three times a year. We bring them into one room, and we talk about the issues of the day. I have raised this with them in that forum as well.

Behind the superintendents, as well, is…. We have regular meetings with the school business officials. We call them ASBO. Our staff are meeting with them on a regular basis as well.

I think there’s a fair degree of confidence that there’s an awareness out there. We have an expectation that people are looking at these things and making the adjustments to ensure that they’re compliant. We’ve also given an indication that….

As we go forward, you’ll see some additional policy books and then some of our guideline documents that will be helpful in implementing these types of things across the province. We’re in the process of updating some of those things now. We’ll probably time that with the release of our preliminary operating grants in the spring, which we do each year in March. This sets the tone of the expectations going forward as the next step of improvement in the system.

J. Thornthwaite: I think that’s it for now.

S. Bond (Chair): Great. Thank you very much, Jane.

J. Yap: Both Jordan and Greg, you mentioned you’ve worked in other school districts. I’m not sure how long you’ve been at Surrey. Would you tell us that what Surrey’s practices have been are sort of what were in existence in other districts that you both have worked in?

G. Frank: It’s a good question. I can tell you, from my perception, having been in three districts, the mechanics that work inside will be different depending on volumes and these types of things, but generally, the processes aren’t all that much different.

You will have some districts…. I think provincially, out of 60 districts, you have only 42 or something that actually participate in the purchasing card process. So you may have some districts that don’t have that internally — period. Generally, their processes and their documentation are much the same.

[11:10 a.m.]

Surrey probably has a bigger investment in administrative process just because of size. There’s a little bit more specialization in terms of being able to dedicate the resources to things than what you would probably have in a very small district. I think generally the answer is yes. They’re relatively consistent, but there will be some differences by district size and other things.

J. Yap: The auditors…. As part of the audit, their findings — and they covered it in their report — noted that there was a noticeable trend of charging meals as part of meetings. I’m presuming that that’s, again, consistent with experience in other school districts — what was practised in Surrey. Is that the case?

G. Frank: It would depend. Yes, it would be more or less the same. We have a number of meetings that will go into the evening, with board meetings, etc. Quite often many districts will have dinner come in for the staff and for the trustees when they’re continuing their day, for example, through the evening hours, etc. Those types of things do happen, yes.

J. Yap: Right. I believe there’s no problem with having meals at meetings as long as there’s a business case for it or a rationale. That, I think, came through in the report.

Is that correct, Auditor?

S. Dodds: Yes, Member. What the report did…. This is similar to the Auditor General’s comment on the previous report — that we look at the policy framework for core government. Then, in this one, we’re looking beyond core government and looking to see how it compares.

The spirit and intent is a difficult concept to audit, but in terms of those meal expenses, there was clearer policy in core government. We were looking at that comparison and saying: “Well, there isn’t that specificity in this particular district.” It’s looking at the rationale, who’s attending and putting that lens on: are you looking at managing the amount of expenses spent on food over meal time? Because that’s the expectation in core government policy.

J. Yap: Right. So with these expenses, you’re not saying — I guess that’s the question — that these expenses were over the financial budget for these types of expenses. It’s simply that there was a budget. Maybe they were within the budget. But the process and the rationale need to be improved.

S. Dodds: Yes. There was nothing inappropriate in the expenses that we saw. But when you look at the practice and you look at the expectation in the core policy, it’s looking at more rigour around the process for documenting and the rationale for the expense.

J. Yap: Right. Were these assigned to individual executives or managers — the expenses? Or was it a global meal budget?

G. Frank: I believe the scope of their review included both. In some cases, it could be specific for an executive meeting that perhaps happened over a lunch hour or a dinner hour or something. In other cases, it could be a global thing where you’ve got a larger group coming in for a meeting. The Freedom of Information Act requires us, when that happens, to actually proportion it back to individuals at that meeting.

If I might just backtrack to your earlier comment about process. I think what I believe has been highlighted by the audit is that, in many cases, the district is familiar with what the events are and the documentation is there. I think where the shortcoming is being identified, from a totally third-party reviewer of it, is you need more documentation to help put what may be obvious internally…. You may need more of a description for some of these things. It’s really been reinforced, I think, that we need to expand the description parts of things.

J. Yap: All expenses for members of the Legislature are public. They’re published. This has, I guess, been in place for maybe two years now.

[11:15 a.m.]

I throw this out. Is there a thought to making public these types of expenses among public servants — I mean, we’re talking about Surrey — of school districts? Disclosure is one way of encouraging compliance, and these are taxpayer funds that are being expensed. I put that out for comment from both the Auditor and the school district.

S. Dodds: The expenses that are paid to employees of school districts, to employees that are earning over $75,000 a year, are disclosed annually as part of the statement of financial information under the Financial Information Act. All broader public sector entities — school districts, health authorities, colleges, universities — have a requirement to make those disclosures annually.

J. Yap: Of their expenses?

S. Dodds: Yes. That was part of the audit: looking to see that the disclosures for the school district were complete and consistent with the financial records, which we found they were.

J. Yap: But not to the detail of how much was spent on a meal — receipts, that type of thing — which is our world, members of the Legislature. We live in a world where taxpayers, quite rightly, get excited about a $14 glass of orange juice charged to taxpayers because of that level of detail.

My last question. You mentioned both of the specific instances where, probably, the expenses shouldn’t have been charged — the steak and the limousine. I think, Jordan, you mentioned processes worked. So those reimbursements happened before the Auditor came to do the audit.

J. Tinney: It’s different for each one. In the first one, the steak dinner, it was a unique circumstance. We had documented that and had been examining it for some time. Through this process, it was just reimbursed. It was a decision made by the individual with no pressure.

On the other one, it was part of a conference. This was ground transportation as part of a conference package, which was paid for by the conference organizer. In this case, the discrepancy between the travel to and the travel from was that when the conference was undertaken, there was no opportunity to share the ground transportation to the event. Then there was an opportunity on the way back, so that was never charged. Well, to the point of the audit, it appeared on the district’s record but was paid for by the conference organizer.

J. Yap: Okay. Actually, I have one more question. The purchase cards. Having, in my past, experience as a legislator and in government, they are very convenient and can provide the discounts. As part of this review, would it be appropriate to look at supporting certain categories of expenses — if you’re buying supplies for the school district, adding to inventory of needed supplies, whatever the category? But with respect to travel and meals, keep that away from purchase cards.

Again, the life of an MLA…. I remember a time when we had purchase cards that we could use for travel, and they were charged directly to the Legislative Assembly. A former Auditor General pointed out that that’s not a good way to manage your finances. We moved away from that. So you have to pay for it with a personal credit card, which was mentioned here.

G. Frank: I can tell you that the cards…. It depends on where the cards are in the organization. We do exactly that — restrict them. For example, the card would never be valid to buy alcohol at a liquor store. It just wouldn’t work.

Different groups of them there, they do have those restrictions. That’s something we will be looking at in terms of what further restrictions we should be putting in place in these as well. But they definitely, as you say, have the ability to granulate out where they’re good for tender and where they’re not good.

B. Ma: Can you explain what happened with the limousine again? It was the conference organizer who paid for it. How did it show up in your expenses, then? Can you clarify?

J. Tinney: It was paid for with the purchase card as part of attending the conference, and then the district was reimbursed by the conference organizer for the person attending the conference. It wasn’t like the person landed and said: “Gee, I’ll take that.” It was a package deal. But it was put on a purchase card — the initial transaction.

[11:20 a.m.]

B. Ma: Right. So there wasn’t anything…. The $300 and the $150 wasn’t actually expensed to the school district. It was just going through the purchase card. Okay, I understand now.

Leaving that aside, then, recognizing that you’re doing a lot of work right now to manage the process, how do you feel about the culture of expenditures within the school district? Do you feel like…? I mean, there’s process that allows for the system to put in checks and balances, and there’s also the corporate culture. I’m wondering if you might be able to offer me a sense of what you feel the corporate culture around expenditures might be and whether or not you think it needs to be adjusted or if just process changes are appropriate.

J. Tinney: I think cultures drift over time. I don’t mean that in a good or bad way, but practice happens and practice evolves. I think they’re in Surrey, and I want to draw a little bridge to the difference between Surrey and other districts. I think that my colleague’s comment about…. In other districts, this has very much been my experience. But in Surrey, we have layers upon layers of checks and balances in place. I wonder about smaller districts that don’t have those resources to have such guidance and advice along the way. I think our culture has been good and has been tight and is scrutinized. But as the report clearly shows, you’re never perfect.

My meetings, for example, with our senior team have been reviewing the comment of: “Are we clearly documenting? Why does this meeting have to happen at this time? Who was involved? What is the business purpose?” I think what we’ve seen is that that has not been as strong as we would want. So I’ve met, for example, with all of our senior team and said: “This is what’s required for those expenditures.”

R. Sultan: I guess somebody who chances by and sees this important committee of government concerned about whether or not lunches are free in Surrey for school board members for certain types of meetings would say: “This is a $55 billion operation. Why are you worrying about the nickels and the dimes?” The answer is, of course, that if you don’t worry about the nickels and dimes, they really do add up to big money at the end of the day across all 60 school districts, across all government ministries. On and on it goes.

I think there is merit that the Auditor General has drawn our attention to relatively small items because of the larger implications should this culture — that’s a word used quite frequently this morning — be reinforced and even expanded. I think that’s the reason this is an important issue.

Having said that, I think we should also concede that, basically, in terms of the spotlight shone on Surrey school district’s control of expenses — tracking, compliance, no evidence of anybody stealing the money at all — it’s a good report card. You guys keep track of the money very well. So it seems to me the issues are not accounting — or tracking, as it were — but rather of a larger policy nature.

I recall school district — No. 1, is it, Victoria? — coming in here about — what? — a year ago.

J. Tinney: It’s 61.

R. Sultan: The Auditor General again had some…. It’s a similar report. “Well, you’re accurate, but we just question your judgment.” The answer was quite honest. “That’s your opinion, but we run our own show. Thank you very much.” And they marched out. I thought: “Well, that’s a gutsy move.” And the Auditor General herself said: “Well, at least they’re honest.” She encounters audits of many ministries. “Oh yes, we’ll change our ways. We’ll do this. That’s terrible. We shouldn’t have done that. Thank you for pointing it out.” Then they leave and just carry on as before.

So at least give school district No. 61 credit. They were honest enough to say: “Well, you know, thank you for your efforts, but frankly, they’re not relevant to our situation. We’re doing a good job, and we’re keeping track of taxpayer money. How we spend it is our concern, not yours.”

[11:25 a.m.]

I think that’s, in fact, a false culture that was displayed rather vividly — to me, at least — in the case of Victoria. But of course, their honesty is to be applauded.

I ask myself: how can these issues of, essentially, policy and culture arise? It seems to me there is, in fact — to me, at least; I could be wrong — no evidence that the ministry has a policy that it says: “We’ll pay for this, but we won’t pay for that.” In this policy vacuum, from the top, the school boards make up their own rules. That’s no surprise.

The other observation I would make is that the school boards that I’ve seen operating on the North Shore are very much civic, municipal types of institutions. They hobnob with the civic politicians. They are frequently en route to a position in civic politics, perhaps, or maybe de-escalating the other way, down.

But it’s all one big family, and the culture of that family permeates how school trustees view their responsibilities. They’re very proud of their independence. There’s always this grey area of: “Well, actually, who owns that school building?” We’re the first to say, in West Vancouver: “We bought that building. Somehow the government took it over, but if Gordon Campbell wants to sell it, we’re going to remind them that it’s not his to sell, because that’s our property.”

So you get into these vague historical feuds and “how in the hell did we get here?” There’s certainly a culture of independence at the school board level, and I think that to some degree, that has to be applauded. But it does mean they feel they have the right and the privilege of making up their policies. That’s the problem.

I think it is proper that the government of British Columbia, which in the end pays the bills for education — that’s the way we’ve decided to structure our affairs; we don’t finance our schools municipality by municipality anymore — has the right to say: “These are our rules, and I think you’d better start paying attention to them. This is how we run our affairs.”

In the years I’ve been in government, I would put the experiences I’ve had into two categories: pre-Duffy and post-Duffy. I refer to Senator Duffy, who…. You are all aware of the story of his house on P.E.I. He was, I think, hauled into court for violating government spending guidelines on his personal expenses, and the judge let him go. He said, “Well, the only problem with this case is that there are no rules. He didn’t break any rules, because there aren’t any,” and Mike Duffy got off scot-free. And I suspect that could be the case here.

What happened, though — certainly, we can speak with our acting Clerk, I suppose, on supporting the motion — was that post-Duffy, we have, as MLAs, been subject to what I would call about the most picky, detailed total-disclosure world of expenses that you could imagine. If my colleague John Yap spends $3 on a cup of coffee at Starbucks and wants to be reimbursed, he probably could be. He’ll make up some reason for it. But that chit will be photocopied and put on the Internet for his political enemies to examine and say: “What in the hell is John Yap charging $3 on the taxpayer purse? He’s not to be trusted.”

So I think exposure…. And boy, it can’t be more transparent than the system that the Clerk’s office and the Legislature have imposed on that. That impacts how we look at a more casual environment, as one would find in, say, school boards. I guess we would say: “Well, you know, if it’s good enough for us, why shouldn’t it be good enough for them?”

One suggestion would be that Kate makes available her computer program for you to use so that you can adopt complete disclosure of all the coffee chits in Surrey and say: “You have a problem with it? Look, I’m on the Internet. We’ll think about it.” That’s the world we’ve entered, for better or for worse.

[11:30 a.m.]

The last thing our school system needs is a reputation for being irresponsible with tax dollars. We have seen the virtual destruction of a high-quality public education system in the United States by populist politicians that come along and say: “Those teachers are overpaid, they’re wasting our money, and besides, we’ve got a private school down the road that’s a lot better. The people there are my kind of people, not the people who show up at the public schools.” In the process, they have destroyed one of the world’s best school systems, in my opinion, in the United States. It’s functioning, but it’s nothing like it was or should be.

This is the risk. This is picky stuff, you know — $5 for a sandwich or something at lunch — but it has big implications. I would urge you to think hard about a ministry, because without policies coming down from the ministry, it’s pretty hard to criticize a school board for doing what it is entitled to do because nobody told them they can’t. They’re in this civic culture where all sorts of stuff goes on that one might question.

That’s the only comment I have to make. I think you guys are doing a good job of keeping track of the nickels and dimes, but I think we’ve got a policy issue here.

S. Bond (Chair): Thank you for that, Ralph.

Before we end this particular presentation, I just had a couple of questions. One of them is to the Deputy Auditor General. The report on page 8 talks about a series of targeted audits related…. So we’ve obviously had Victoria, we’ve now had Surrey, and you made reference to a smaller rural district. Is there a list of where other audits will take place, similar to this one?

S. Dodds: No, we don’t have a list. The ability to do these smaller audits…. These are the CCR audits. It’s really around the capacity of audit staff that are working on financial and performance audits. I think we need to step back.

To the member’s comment, we are looking at detailed transactions, but the question really is around the disclosure under the Financial Information Act and the spirit and intent with government’s core policy. But just to see the value of going into a third district — and do we do more? We haven’t selected a district yet, and we just need to look at the value of doing that additional work again.

S. Bond (Chair): Having done two districts where we saw similar practice issues…. As Ralph points out, while some may consider that sort of picky detail, the public demands in this day and age not less transparency but more transparency. That’s why we’ve seen a move to a more rigorous place of disclosing our expenses, and that’s right, considering it’s taxpayer dollars.

Perhaps this is to Scott. Does the ministry assume, then, that there are other inconsistencies in other school districts?

S. MacDonald: I wouldn’t jump to an assumption around that, but I can make a couple of comments. Between the Victoria audit and Surrey was not a lot of time for adjustments as we go, given the school cycles and those types of things. I think we have an opportunity, as we’ve been sharing this information. You’ve heard about things like the Metro meetings and other meetings I’ve had with superintendents and meetings with secretary-treasurers. There are opportunities for me making some adjustments, so we’ll be monitoring for those adjustments as we go.

We’ve also made a commitment that we will have an increase in some of our financial policies that are coming out, and some of the guidelines that we put out to districts around this will be coming out over the year ahead. It will help continue us along this trend that has a greater sense of transparency and more accountability for some of these albeit small but important details.

S. Bond (Chair): To further Ralph’s point, having been a school trustee and a school board chair, the issue of autonomy and co-governance model is very, very critical to school trustees, and they do govern the system in partnership with the ministry. But when it comes to issues like per diem…. For example, we think about all of us living in different parts of British Columbia, but there is a per diem. So how much latitude are boards given when it comes to things like per diem?

[11:35 a.m.]

I certainly understand that perhaps in Surrey it’s more expensive to have meals than it is in Vanderhoof, but that doesn’t affect how we are governed. So is it completely within the mandate of school boards to set a per-diem rate or other expense rates, and has there been any discussion about looking at a more standardized approach to those kinds of decisions? Not trying to diminish the autonomy of school boards, etc., but just from a practical perspective in looking at the management of public funds, has there been any thought given to a more standardized approach to those expenses?

S. MacDonald: I guess that’s what the conversation today is in relation to our Core Policy and Procedures Manual, which applies to core government. It’s suggested that we have alignment and intent with that. So I guess the policy question is: does that become more prescriptive? As a ministry, do we start reaching out further into school boards and have more prescriptive requirements?

I think you’ve already raised the caution around that. Where you have locally elected trustees with local autonomy to make those decisions, at the end of the day they’re accountable for those decisions. So there’s that model we need to think about inside of that: how far do we reach in, and how much of those responsibilities do we, in essence, take away from local elected trustees?

S. Bond (Chair): I certainly acknowledge that. I think that…. You know, I’m acutely aware of the co-governance model. I’m not suggesting that that be diminished, necessarily. But I do think that what the public wants is to ensure that public dollars are going, first and foremost, to classrooms, and I think they do expect that there be some….

The audit talks about maximum per diems, for example. I would find it hard to imagine that, in the case of Surrey, where it is out of line with the core government expectations…. I think we could all admit that it would be, likely, very difficult to move that downward. Is that accurate?

S. MacDonald: It could be. I think we’ve got a little bit more work to do. I think we’re not in a position to actually understand what all 60 school districts are doing right now. I think that’s some of the work that we have underway with our team to understand some of those things. Then, when we come up with some guidelines or some other policies, what might those look like, and how prescriptive do we want to be with them? I think that’s a conversation, which this audit has sparked, that’s happening inside our ministry.

S. Bond (Chair): Perhaps the issue is more related, or in many ways related, to the lack of awareness of core government expectations. I don’t know whether it’s about being more prescriptive or, perhaps, being more informative or putting in that intentional strategy across all of the school districts — a sense that: you know what? These guidelines are in place for a reason. We would hope they would inform your decision-making rather than, perhaps, direct your decision-making.

I think our point is just that when we can assume there are differences in how those benefits and expenses are paid in districts, I think the general public would expect, so would this committee, that there be a pretty good rationale for the use of public dollars. That’s our purpose as Public Accounts.

Do we have a sense, for example, of what the range of per diems might be in districts across British Columbia — the low bar and the high end?

S. MacDonald: I don’t have that information.

S. Bond (Chair): Okay.

I think, first of all, we want to say thank you to Surrey. Obviously, there was a swift reaction, and the two anomalies were fixed. Hopefully, they were fixed before the audit came out. Were they?

J. Tinney: As answered for the member, one, the dinner reimbursement, happened during the audit. The other, the airport limousine, was prior to the audit.

S. Bond (Chair): Okay, so that’s…. Considering the number of transactions there are, it is important to note what Ralph pointed out. Obviously, there’s good work being done, but Surrey does have the infrastructure in place to be able to look at those guidelines and manage and monitor. I think it’s important to say that, and I think that we recognize that.

Any other questions from my colleagues today? All right. Thank you again for coming to Public Accounts and for bringing a thorough response. We appreciate that. Scott — a second appearance in a matter of, I think, months now. Hopefully, not too frequently. I know it takes a lot of time out of a deputy’s work to be here. And again, thank you to the Auditor General’s office, Sheila, for representing the team today.

[11:40 a.m.]

With that, we appreciate your attendance, and we’ll move on to our next item. I am cognizant of time, and we are committed to ending this meeting on time.

Action Plan Progress Assessments on Auditor General Reports

Effectiveness of B.C. Community Corrections

S. Bond (Chair): For the members of Public Accounts, the two items that we put on in addition to the reports today…. Mitzi and I wanted to try to bring resolution to the discussion that we had at our last meeting about whether or not there was a need to continue to have the community corrections action plan represented on the list.

As you would recall, the Auditor General had recommended that it is very likely that we could remove that report from ongoing follow-ups on their action plan. You would recall that we had testimony in front of the committee that basically walked through the rationale for the apparent lack of action on some of the recommendations. I think all of us agreed at that time that there had been a pretty good canvassing. There was a thorough explanation as to why there seemed to be a difference of opinion.

I’m wondering if we are at the place where we feel that we could agree with the Auditor General’s recommendation that the community corrections action plan may now be taken off of the list. I think we had a pretty thorough discussion about it last meeting. I’m just wanting to get a sense.

J. Thornthwaite: On that note, I did follow up with the presenters from corrections about a couple of questions I had with regard to the interim…. I think it was…. It wasn’t Elenore Arend. It was the doctor who had expressed the positive results of the Vancouver drug court as well as the Guthrie therapeutic community, with regard to their focus on mental health and addictions treatment to reduce recidivism in corrections.

I had specifically asked for an update, because they alluded that they were in the middle of studying it, and they sent me a couple of studies that were really old. I just want to say on the record that before we pass on this…. And I have followed up.

My office has followed up and requested, actually, the materials that they referenced in the committee meeting, which I didn’t get. I just wanted to say that before we pass this on, I will be pursuing that because I didn’t get my questions totally answered.

S. Bond (Chair): Okay. Well, I think that’s a legitimate concern. Perhaps what we could do, before we remove it entirely, is send a note from the committee asking, in a more formalized way, that that information be provided to the committee. That might be more helpful in trying to…. I do remember the reference that was made here.

Perhaps what we’ll do, then, if Kate or Ron can help us with that…. We’ll send a follow-up that removing it would be contingent on getting that information back at their earliest convenience.

Does that sound like it would work, Bowinn and Rick? Okay.

All right. I think we’re in general agreement — I see nods — that there’s no point in bringing them back again when we’re going to hear exactly the same story. I think there was a pretty good rationale as to why there seemed to be…. They seemed to be in a bit different place than they were when the initial audit came out. So I think it would be reasonable to take them off once we’ve done the follow-up request for that information.

COMMITTEE REQUESTS FOR INFORMATION

S. Bond (Chair): The other package that you received was just a number of items where we had requested follow-up after a report back had been done here at Public Accounts. I won’t ask you to indicate it at this moment in time because of where we are in our agenda, but I’m hoping that you can take a look at the list of things that we requested and perhaps provide us with some feedback if there are any of these follow-up items which you would like to see a further in-person presentation on.

[11:45 a.m.]

Let’s just look at one, for example. If you look at the one, family maintenance enforcement program…. The meeting that they came to was January 17. We asked the Ministry of Attorney General to provide an update on decisions about FMEP as a contracted service and, if the program continues to be contracted, for details on the procurement process and results. We may want them to come back and walk through that.

The intent of this is really to just have you review them and feed back to Mitzi and I any of the ones that you would like to see come back and do an in-person update for us.

Does that capture it, Kate, in terms of the…?

As we try to build our workplan…. As you know, there are 30 action plans that we need to work our way through. As a group, we had decided that we would like to perhaps tackle two or three of them at each meeting. I’m hoping you can take this list away and come back or feed back to us in the next week or two any of the ones you’d like to see make an in-person return. That would be a good place for us to start, I think.

We may well look toward one meeting in December to try to deal with the reports on drinking water and sheriff services. There are two we would like to try to work our way through. At that point, we may well be able to include one or two action plan items.

Ralph, did you want to make a comment?

R. Sultan: Well, I just was going to make the observation that…. Speaking for myself and, I suspect, many others on the committee, I think we’re pleased to let you and Mitzi make these judgment calls. I think the committee is being very well run. We can hardly say all points of view aren’t being respected. The hot-button issues are being brought forward. We obviously haven’t got time to do everything, nor should we even attempt to. So I say just carry on.

S. Bond (Chair): Okay. Well, I appreciate that. Maybe what we’ll do, then, is if you have one of particular interest….

I know, Rick, that you brought one up that we have on our list. I think it was biodiversity that you brought up. We need to consider what we’re doing with that one, for sure.

If you have any of particular interest, just indicate that. If not, Mitzi and I will sort out a way to systematically work our way through these and put one or two of them on each of the agendas in the future.

With that, I want to thank you all very much. It was a good meeting, lots of questions. I appreciate your interest and your hard work, as always.

With that, I’d entertain a motion to adjourn.

Thank you, John.

Motion approved.

The committee adjourned at 11:48 a.m.