The committee met at 9:05 a.m.

[M. Bernier in the chair.]

M. Bernier (Chair): Good morning, everyone. Welcome — on Wednesday, March 31 — to our Select Standing Committee on Public Accounts meeting.

I want to thank everybody for joining us today. It’s a large group. We have a couple of reports to look at, review and consider today. We have a bunch of presenters and witnesses joining us as well. I want to thank all of them for their work into these reports and recommendations, and also the ministries for attending today. We’ll get into introductions a little later on, as we get through each report.

Today we’re going to be looking at two reports. We have the IT Asset Management in B.C. Government report, and we also have the Oversight of International Education Programs in Offshore and Group 4 Schools report, which we’ll get to a little later on.

I’m going to turn things over here right away to our Auditor General, Michael Pickup, as we get into the first report.

Michael, as always, I want to thank you. I’ll let you do introductions of who’s joining and helping out today before we get into Shauna and the ministries after you run us through the reports.

Welcome, everybody, and welcome, Michael. Thank you for being here.

Consideration of
Auditor General Reports

IT Asset Management in
B.C. Government

M. Pickup: Thank you so much for that.

Before I make a few very brief opening comments, I would like to acknowledge that today I am speaking to you from the traditional territory of the Songhees, Esquimalt and Lək̓ʷəŋin̓əŋ folks. As a member of the Miawpukek Mi’kmaq band myself, on the eastern side, how I tread on these territories is very important. I try to respect that. As I walk about this lovely city each day, I take all of that in and am grateful for all of that. I did want to acknowledge that as well.

I also want to acknowledge, before moving into the re­port, that today is the International Transgender Day of Visibility as well. I certainly am working hard, both personally and professionally, to be inclusive as possible of all folks, including transgendered people. I want to acknowledge that as well — that that is today.

Now, having said that, we are here for the two chapters, as the Chair indicated. The first chapter is the IT asset man­agement. I’ll just introduce folks, perhaps, for that report first. Joining me for this is Russ Jones, Deputy Auditor General, who most of you have had a chance to meet before; David Lau, director; and René Pelletier, executive director. They’re going to be quite happy to take any questions that you may have for them as we go through this. They will do a brief presentation.

I also want to thank folks back in the office, some of whom may be listening to this and have a chance to either listen in or get a transcript. I want to thank everybody in the office, both on the audit teams directly….

A special thanks to Joji Fortin, who is not on the call but who really led a lot of this work on the IT asset management. Lots of respect for her and lots of thanks to her, as well as everybody else in the office, whether they were directly on the audit team or in other important functions, like IT and admin and all of the other functions across the office that support us auditors who do audit work. We wouldn’t be here today without those folks. I want to say a big thank you to them as well.

I’ll save introductions on the other chapter on the education until we get to that one. I want to thank the folks in the ministries. This was a big audit for us to do what we call sort of a more horizontal audit like this, where we get out into many departments and are able to put it all in one. It takes a lot of cooperation. It takes hard work on our part, but it takes a lot of cooperation from those we audit to be able to work together, to be able to pull this together in one report.

[9:10 a.m.]

What that enables us to do for you is to give you a report more quickly that covers more of government. We’re getting more government departments in here rather than just covering one. I certainly want to thank the folks that are in this meeting, who represent the various portfolios and ministries who were part of the audit.

Before I turn it over to David, who’s going to walk thro­ugh a very brief presentation focusing on Audit at a Gla­nce, I just want to remind people that one of the benefits of these audits, particularly in these cases, is that there are no disagreements here with those we audit. Everybody agrees that the report has it right, that the findings are right, that the recommendations are right.

It’d be a different situation if we were here today to try to explain to you sort of why there are differences of views, but we’re at a good starting place where there are no differences in views. While we’re working hard to provide you and all of the Legislature with this independent assurance so that you can hold government accountable, it’s also important to us that we see, in that process, that we’re providing opportunities for government to improve how they deliver government to the people of the province. I think this is…. You have two good examples of that today.

A bit of a long introduction. I do promise a fairly short…. David says it’s probably six or seven minutes to walk through the key findings of this audit. I would remind all folks on the Public Accounts Committee that we’re all getting used to each other — and new. As we move along, if you’re finding our presentation…. If you want us to focus more on something or to go into more detail as we move forward, please do provide us with that feedback. We’re more than happy to adjust, going forward, how we present the information to you.

We’re going to start with a very, very brief presentation focusing on the Audit at a Glance.

Perhaps, David, I will turn it over to you.

M. Bernier (Chair): Welcome, David. I guess it’s turned over to you.

D. Lau: Good morning, Chair, vice-Chair and committee members. I’m going to walk you through the IT asset management audit report, which was tabled in January 2021.

Each of you will have received a two-page document titled Audit at a Glance, which provides the highlights of what the audit is all about and our key findings. This is similar to the one page on pages 7 and 8 of the report.

You should note that we carried out the audit between December 2017 and June 2019. Since then, a lot has chan­ged and happened, such as the COVID pandemic, which changes the way we live and conduct our operations, for example, teleworking and conducting our operations in a virtual environment, which elevates the cybersecurity priority even more. Cybersecurity incidents worldwide continue to increase in frequency and impact, affecting organizations and individuals with service disruptions, financial loss, breach of personal identity information and loss of stakeholders’ confidence.

We all observed that the B.C. government is increasing its use of technologies to deliver services and programs. Therefore, strong cybersecurity risk management becomes even more important. Our audit examined whether the five selected B.C. government ministries are effectively managing IT assets in line with good practices as they work to protect government from cybersecurity threats. These ministries are the Ministry of Citizens’ Services, the Ministry of Finance, the Ministry of Health, the Natural Resource ministries and the Ministry of Education.

We selected these ministries because they provide es­sential services to British Columbians and the corresponding sectors represented 89 percent of the total core government IT capital spending. We focused on the office of the chief information officer’s overall responsibilities in providing guidance and policies in managing IT assets and compliance by the agencies, divisions and branches within the five selected ministries. There were 21 lines of business in total among the five ministries, and they are listed in exhibit 1 on pages 18 and 19 of the report.

[9:15 a.m.]

I would like to point out that this is not an audit of how the B.C. ministries were managing the lifecycle of IT assets. It was about how those ministries identify IT assets under their responsibility and whether they were managing them consistent with the assets’ stated importance to business objectives and their organizations’ risk strategy.

We define IT assets as data, devices, systems and facilities that enable a ministry to achieve its business purposes. According to the National Institute of Standards and Technology and the Center for Internet Security, which are responsible for setting standards for information technology and cybersecurity, identifying and managing IT assets are the foundation for effective cybersecurity risk management.

The basic message is that organizations cannot protect things they don’t know they have. We adopted the cybersecurity framework published by the National Institute of Standards and Technology for our audit criteria, which provides the basis for developing the audit purposes.

We’ve concluded that the office of the chief information officer enterprise services branch, which is part of the Ministry of Citizens’ Services, and the Ministry of Education manage IT assets in accordance with good practices that provide a foundation for building strong defenses against cybersecurity threats, with minor exceptions. The rest of the select ministries and related organizations do not manage IT assets in accordance with good practices. Exhibit 2 on page 23 of the report has a summary of the audit results of the select ministries and related organizations by audit criteria.

Overall, we found that the cybersecurity roles and res­ponsibilities were not well managed. IT asset inventories were not appropriately managed, maintained. Maps of communication and data flows were not kept as required. IT assets were not appropriately prioritized. These foundational deficiencies could hinder the ministries’ ability to develop and implement subsequent safeguards for protecting IT assets from cybersecurity threats.

We’ve made seven recommendations to the government on how to improve government IT assets in the context of cybersecurity. All these recommendations, as listed on page 12 of the report, have been accepted by the government.

In closing, Michael, in his Auditor General’s comments, has provided three key questions that people may want to consider when asking the office of the chief information officer and all the other ministries and related organizations. One, how does the government keep the cybersecurity program up to date, and how will it match up with current good practices, going forward? Two, how will the government test this cybersecurity program for effectiveness and responsiveness as the mix changes and the world continually evolves? Three, how has the government adjusted its cybersecurity program to ensure that it is effective against potentially increasing cyber threats during the ongoing COVID-19 pandemic?

This concludes my presentation. We would like to thank everyone at the selected ministries and the office of the chief information officer for their cooperation and support during this audit. Thank you, everyone, for your time.

I’m turning it back to Michael, our Auditor General.

M. Pickup: Thank you, David, for keeping to six or seven minutes on your presentation.

Chair, now I don’t know if you want to go to government for their presentation and then save any questions people might have for us. I’m not sure how you would like to do that.

M. Bernier (Chair): I appreciate that, Michael.

I think it probably works better if we get into Shauna Brouwer’s presentation with the ministry, on behalf of government, for the audit, if that’s okay with the rest of the committee. Then we’ll hold on to questions that people might have until after that.

Shauna, welcome. Thank you for being here.

S. Brouwer: Good morning. My name is Shauna Brou­wer, as you had mentioned. Good morning to the Chair, the committee members and officials from the Office of the Auditor General.

Joining me today, also from the territory of the Lək̓ʷəŋi­n̓əŋ-speaking people, known as the Songhees and Esquimalt First Nations, is the majority of my team. Today, if you’re joining us from another land, I would appreciate if you took the opportunity to reflect on that.

[9:20 a.m.]

Joining me today from Citizens’ Services is Alex Mac­Lennan, the assistant deputy minister in the office of the chief information officer, and Gary Perkins, who is the information technology officer for government. He’s our security officer.

We also have the chief information officers from a variety of ministries here with us today. Joining us from the Ministry of Finance is H.B. Teo. He’s the executive director and the chief information officer. Richard Barlow, also with Finance, is the director of information security and privacy.

Joining us from the Ministry of Health is Muriel Zemliak, the executive director of the IT services branch, and Jeff Aitken, who is the executive director of the health sector.

From the natural resource sector, we have Denise Ros­sander, who is the ADM and the CIO, and Fraser Marshall, who is the executive director of IMIT, infrastructure, governance and business strategy.

From the Ministry of Education, we have Eleanor Liddy, who is the acting ADM of services and technology, and John Chow, who is the director of technology and information privacy.

I’d also like to thank the Chair and the committee today for the opportunity to respond and to give an update on our progress. As this report has indicated, the Ministry of Citizens’ Services is responsible for providing services to government ministries, including establishing cross-government standards for information security.

Individual ministries are responsible to abide by those standards and policies and to manage inventory of assets within the ministries. This audit and the work of the OAG has been very helpful to us in determining where we are meeting our standards and where we can improve our performance. It has also validated some areas where we are already focusing and has provided a catalyst to engage other ministries that were not originally included as a part of this audit.

I want to state unambiguously that the government of British Columbia takes privacy and security of personal information very seriously, and we appreciate the Auditor General acknowledging the positive steps we’re taking to validate our current course of action to increase security in the area of asset management. We also recognize that there is room for improvement. That includes my own ministry, within Citizens’ Services.

We respect the findings and the recommendations identified in the audit, and we accept all of the recommendations initiated by the OAG. The recommendations are reasonable, factual and well aligned with the direction of government, and we’ve actually begun to engage already in executing our plans for remediation. We have an aggressive timeline, and we expect to have all of the recommendations complete by December 31. The findings themselves are appropriate, and we’ve moved to address them. We accept all the recommendations, and we’ll work with the ministries to make sure that we manage all those things in full.

We’ll be increasing information and training materials available to ministries and using a variety of tools to in­crease compliance. Ministries, as I had mentioned, are responsible for managing assets purchased or provided to ministries, for tracking the inventory of assets and for ensuring adequate documentation. Ministries are also responsible for commissioning and decommissioning the assets and ensuring employees understand their roles with regard to protecting government assets. With the OCIO, we’ll be strengthening our supports to ministries and taking a more active role in their compliance to support this important work.

I would like to turn now to how we will move forward on these important recommendations. First of all, I would like to confirm that we do have existing controls in place to track and manage the most common IT assets. This includes servers, government workstations, network elements, voice over IPs, multi-function devices, printers. These measures have been in place for many years and have protected devices, and we will ensure that that continues into the future. The OCIO will work with all ministries to remediate the gaps identified by the Auditor.

The government IT environment is sizeable, as you know, and we will track IT assets according to risk as, in addition to the financial loss, we could have an information incident. We have existing controls in place to protect devices if they’re lost — for encryption, unauthorized access for lost and stolen devices.

[9:25 a.m.]

We also have a process in place to control the allocation and recovery of devices and, last year, improved these features by launching our workstation fleet management dashboard, which also provides additional visibility to ministries on assets and will assist them with managing their desktop and laptop computers. Going forward, we’re going to review and improve processes in ministries across government to ensure any gaps in practices are remediated.

We started this work prior to the audit being published. Thank you for the work. We are going to empower the OCIO to ensure that these actions are actually completed across government and not just within the ministries that were audited.

I’d like to close by thanking the Auditor General and his staff for the extensive effort they’ve put into the IT asset management audit and for their commitment in improving security for the province. We acknowledge the areas of improvement, and we have made progress to date in ad­dressing those recommendations. As I have mentioned, we will address all of these recommendations by December of 2021.

I’d like to thank the Chair and the committee for the opportunity to provide this important update. We’re happy to take any questions that you have.

M. Bernier (Chair): Excellent. Thank you very much, Shauna.

Michael, were there any last-minute words — a follow-up, maybe, after Shauna’s presentation — that you wished to add?

M. Pickup: One quick thing I was going to say. I do want to thank the deputy for her comments. Among everything that she said, I was super pleased to also hear something that we always like to see as auditors. We can’t be everywhere and audit every department. She indicated that they are taking this to engage with other departments that weren’t part of the audit so that they can look at how they can improve as well. That’s really proactive, and I’m really pleased to see that. I thank the deputy for making that comment.

M. Bernier (Chair): Thank you, Michael.

Just looking to the committee now to start. Is there any information or question from anyone, to start with?

Well, maybe I’ll start. First, to Michael, is there any precedent on this in other jurisdictions, other provinces, that have gone through similar audits like this and have had similar findings? Or is this, maybe, a little unique from British Columbia’s standpoint? Especially since IT issues, breaches and concerns are so prevalent right now in society, you’d think this is something that’s very timely, in a lot of ways. Thanks for doing it. But is this unique or common?

M. Pickup: Yeah, sure. Maybe I will make a general comment that gives a chance to sort of inform folks of how we approach audits, and then I’ll turn it to David and René to provide additional comments.

Generally, when we approach an audit topic, one of the things we look at is auditability, which has a lot of sylla­bles but is really just a simple way of saying: “Is this something that we can audit? Is it something that people have audited before?” What we do is sort of an environmental scan to look at other legislative audit offices to say: “Who has audited this, and where? Are there things that they looked at?” That can help inform our risk, besides just looking internally to the province to say: “What are the unique risks here?”

If we’re finding things that are happening in other jurisdictions, it may help elevate something to say: “Yeah, that’s probably something we should be considering and asking some questions on.” Our audit office does a very good job of leveraging off what’s happening across the country to inform us on these decisions. Having said that, I know that in my time in Nova Scotia as Auditor General, we certainly did the cybersecurity- and IT-related things.

That’s sort of a general comment on any topic we ap­proach. Maybe, for specifics in terms of what we actually might have looked at across the country here, perhaps I’ll look to David and/or René, if they want to provide additional, beyond my general comment.

D. Lau: I can expand on what Michael just said. I’m one of the members of ISACA across Canada. Just last week at a meeting that we had, I told the committee about this report, and they were very excited. It turns out, I think, that we’re the first who have done this type of audit across Canada. They were so excited. They started asking me whether we can lend them the audit program, the objectives, and so on. Yeah, this is the first in Canada.

[9:30 a.m.]

R. Pelletier: I can add a little bit more context, Mr. Chair, on your question, really, around how common this is. Is this a unique issue in B.C.?

Just from my experience — working in the Auditor General of Alberta, with the Canadian Forces, with Del­oitte — I can tell you this is the type of thing you that would see fairly commonly in a lot of areas. The fact that they have international standards around IT asset management is really an indication that as a sector, from an information technology perspective, more guidance was needed across all different types of organizations. This is certainly not unique to the B.C. government at all.

M. Bernier (Chair): Okay, thanks for that.

I have a list of quite a few people that wish to ask questions.

We’re going to start with the vice-Chair here, Rick Glumac.

R. Glumac (Deputy Chair): Thank you for the presentations today. I kind of want to dig in a little bit and get a sense of…. A lot of these recommendations here are around inventory, data flow and things like that. How old are some of these systems that we’re using in government? Let’s start with that question.

S. Brouwer: Thank you for that question.

Alex, I’m going to turn it over to you.

A. MacLennan: Good morning. I would say there’s a wide variety of different ages around systems that would depend on which ministry you’re dealing with and which systems being managed by the OCIO you’re speaking to.

I’ll ask Gary to say in a bit more specifics, but what I would say, generally, is we are constantly evaluating systems for currency to ensure that the systems that we have in place, the devices, meet our overall security standards. We take an evidence-based, risk-based, standards-based approach. We are consistently looking to continuous im­provement identifying systems and/or tools that are out of date and then focusing our efforts on making sure that those things are brought up to date, whether that is thro­ugh patching or amending systems or upgrading those systems to new versions or new actual devices.

I’ll ask Gary if there’s anything in particular he wants to add to that.

G. Perkins: Yes. Certainly, in an environment as large and complex as ours, you can imagine that over time we’ve accrued systems such as the mainframes which can be decades old. Some of these systems are providing very critical services, so we can’t just replace them overnight.

As Alex says, we have an approach that is defence in depth. It has multiple layers of security to ensure that these assets remain protected and that no one vulnerability puts them at risk and that we have systems in place to not just prevent but also detect and respond to any issues that arise.

R. Glumac (Deputy Chair): Yeah. If we have mainframes that are decades old, isn’t that a huge cybersecurity risk in itself? How do we advance? How do we be on the front edge of the curve rather than having decades-old mainframes?

A. MacLennan: Maybe I can speak to that. You’re absolutely right. This mainframe is obviously an area of focus for us. While we do have mainframes with our old technology, that doesn’t mean that we have left them stagnant. There are different approaches to updating parts of that mainframe system that we employ on an annual basis. So we’re continuously refining that and putting things in place to make sure they’re secure.

We do have a series of projects underway across government that have been going on for a number of years, where the OCIO is working with the ministries to move older applications off of the mainframe system onto new, modern applications. Those projects have been going on over the last few years and will continue for the next couple of years. It’s definitely…. As a government, we are moving to a place where we will no longer have mainframe systems in place.

On top of that, as Gary said, we have a whole series of protections we put in place around our entire data centre infrastructure, including the mainframe. So while that technology may be older, we’re managing security both at the perimeter where everyone is accessing it and through different aspects of the network.

We’d say we’re relatively comfortable that we’re in a good position despite the age of that technology.

[9:35 a.m.]

R. Glumac (Deputy Chair): A couple more questions. I’d like to dig into that a bit more, but I’ll switch over to a different topic for now.

When we’re making decisions around the software and devices that we’re using — for example, our PCs…. The staff use PCs. Has there been an evaluation when these purchases are made? Are we looking at the prevalence of malware and attacks on PCs versus Macs, for example, and factoring that into our decisions to use PCs versus Macs? How can we, as an organization, consider that in our decisions? Is that factored in?

A. MacLennan: Yeah. I’ll speak to that initially, and Gary may want to add some more detail.

We, obviously, get our workstations through outsourced providers that deal in place with the workstation tech­nology procurement deal, where we work with IBM and ISM. As part of those deals, in the initial decision of what de­vices we’re going to be putting in place, there’s a lot of work that goes on to make sure that those devices are configured appropriately to our government environment, and then security is actually first and foremost.

As we refer to it when we are talking about devices of any type, the question of end-point security is a point of absolute focus for us, where there are continuous enhancements both to looking at the devices we’re using and their technical currency and looking at the configurations that are put in place for those devices to make sure that they are secure. And then there’s a large amount of practice and communication with public servants across government to ensure they also know appropriate behaviour when using those devices, which sometimes can be the place of most susceptibility.

I’ll ask Gary to speak further to that.

G. Perkins: I guess I would sum it up simply that any device that is mismanaged presents a risk, whether it’s a PC or a Macintosh. In this particular case, we focus on ensuring that we have the devices that best meet the needs of the staff and focus on ensuring that those security controls are in place to ensure that we’re at all times preventing, detecting, responding to cyberattacks.

R. Glumac (Deputy Chair): I’ll leave it at that for now. Thanks.

M. Bernier (Chair): Okay. Thanks, Rick.

We’re going to move along. We have quite a few questions.

N. Sharma: I just have a couple of questions. My first one. I was really curious about the standard that was used. It was the National Institute of Standards and Technology that seems to be setting the standard that we use to audit. I wanted to know: is that applied broadly, those standards, across other governments? What was the reason for choosing that one? Is that the leading one in the world? That’s my first question.

D. Lau: I can take one of these questions here. Yes, this is a national standard, and it was the best one that we found, doing our audit. They were like the guru in cybersecurity standard-setting. Also, we found that their standards also mapped to the COBIT 5, the IT standards. So it was very good, well-established standards that we found.

The other one is the Center for Internet Security. They also have similar standards, but they package it a little bit differently. There are so many standards out there. But all the standards that they packaged…. One thing that always comes on top is about IT asset management, so you really have to know what you have before you can protect yourself, before you can develop a robust risk management program and so on.

M. Pickup: Chair, could I just add to that quickly?

M. Bernier (Chair): Yeah. Thanks, Michael.

M. Pickup: Just a chance for me to explain to folks who may not be as familiar with the audit process. As you get used to us, you’ll get probably quite familiar with our audit processes.

No matter what the audit is — in this case, IT asset management or schools — in the planning of the audit, we come up with the criteria, if you will, which are, essentially, the bars we’re going to judge people against, the criteria we’re going to use to say: “Are you effectively doing something?”

[9:40 a.m.]

As part of the audit standards, we would have discussions with those that we are auditing, formal discussions, to say: “Here are the criteria we are using. What do you think of these criteria? Do you understand the criteria? Are there any disagreements around the criteria?”

We do all of that up front at the planning so we know, once we get into actually carrying out the audit and then reporting back against it…. We avoid, then, any kind of disagreement to say: “Well, you know, you’re not holding us against the right criteria. You’re not holding us against the right standards.” That doesn’t happen in audit because we front-load all of that discussion and have it in audit planning.

Thank you for the opportunity to add that in, Chair.

M. Bernier (Chair): Thanks.

Any follow-up, Niki?

N. Sharma: I just have one more question, Chair. When I was reading the report, there was a mention of a core policy document that you use that you found in the government, the Core Policy and Procedures Manual. I have two questions on that. Am I right that that manual was as of 2017 that you audited, as it stands?

My second question is: is the work of the government…? Maybe the deputy minister can answer this. Are we updating that Core Policy and Procedures Manual with all of your changes? Is that where it’s going to sit across the board for government?

A. MacLennan: Shauna, I can speak to that if you like.

S. Brouwer: I was just going to say — thank you for the question — yes, we are updating the Core Policy and Procedures Manual.

I think, Alex, you may want to add something additional to that.

A. MacLennan: Yeah. Thank you very much, Member. We are working from that manual, and we continue to work with the office of the comptroller general to update aspects of core policy as information technology advances.

On top of the core policy manual, which gives us our overall guidance, we have a series of standards and procedures and policies at an operational level that we have in place in the OCIO, all of which fall under that core policy manual. They help us guide our work and behaviour on a day-to-day basis, and also the work we do with ministries.

M. Bernier (Chair): Thanks, Alex.

Niki, are you good for now?

N. Sharma: The first part of that was the version of the document that was audited, the 2017 version…. Now is it already improved? I’m just curious about the progress of that.

A. MacLennan: There has been work underway over the last couple of years to make a significant update to the core policy manual. We’re currently working with the office of the comptroller general to release a new version.

M. Bernier (Chair): Good. Thanks. I believe, Niki, you’re good?

N. Sharma: Yep. Got it. Thank you.

M. Bernier (Chair): Okay, thanks. We’ll always come back, too, as needed, for sure.

Next up, MLA Mercier.

A. Mercier: Thank you, Chair. I just have two questions, but I’ll start with a question that I think is more for the auditors. That’s that, in the report, there’s a….

You find a difference of performance as between the Ministry of Education and the office of the chief information officer enterprise services and the other ministries audited. I’m wondering if you can just comment on that, you know, vis-à-vis if the genus of those differences is more kind of structural or performance-based. Is there anything different about the asset inventory being managed by the Ministry of Education or different about the complexity, organizationally, of the ministry that could explain that? Or is it really just a question of performance?

As a brief follow-up to that, what work is being done…? If you look at an organization like the government, which is incredibly complex, when you have a ministry that’s really a leader in performance in that sense, what is being done to ensure that the best practices from there are kind of being spread out horizontally so that the work isn’t just being implemented in siloes?

D. Lau: David here. I can try to answer this question here.

The Ministry of Education and the Ministry of Citizen’s Services’ enterprise services are a little bit better than the rest of the ministries. They were more proactive in terms of managing the IT assets, inventorying the assets. They were not perfect, but overall, I think they met most of the criteria that we’re looking for, like, for instance, the data flow, data map, those things. They were quite up to date, and they would consist of key information that is required for developing a cybersecurity program.

The other ministries, although they do have an inventory of IT assets, are just inventory. They don’t really gear for thinking about cybersecurity in that context and that type of thing.

[9:45 a.m.]

In other words, it’s not the inventory that is the difference. It’s just the way that the ministries were able to be more proactive in capturing the key information in their IT assets. Again, they were not perfect but….

A. MacLennan: Mr. Chair, may I offer a follow-up?

M. Bernier (Chair): Sorry, we just have a couple people. I think Alex was going to do a follow-up, and then Michael, if you don’t mind.

A. MacLennan: Thank you for the question. Just to add to what David was saying, I would say part of it is structural, as it regards enterprise services, which is the organization that I’m responsible for. Our entire job is to manage IT infrastructure on behalf of government. So as a result of that, when it comes to the most significant aspects of that, service management is what we do. IT asset management is part of service management. So there’s something structural there.

What I would say to the second part of the question, as well, when you alluded to best practices…. This is quite key in how we’re approaching this project. We’ve kicked off a project that involves representation from all ministries, including ourselves and Education. We think it’s a great opportunity both to share those practices that are working well with everyone across government and to find a consistency across government so that where we’re doing something well, we can easily move that across the organization and have others make that sort of good practice.

M. Bernier (Chair): Thanks, Alex.

Michael.

M. Pickup: The only thing I was going to add for Mr. Mercier is that the summary table on page 23 of the report, which really gets into the six key things we looked at by ministry…. I think, if I’m understanding your question well, part of what I’m hearing you ask is if you take a ministry like the Ministry of Health, for example, and one of the audit criteria was, “Has the Ministry maintained an inventory of information systems used in business operations that are hosted or owned by third parties?” the answer would be no, they have not.

I think what you’re getting to, if I’m understanding, is what some of the root causes would be as to why the answer to that is no. So this lays out very well, I think, as to the noes that exist — and the yeses. So perhaps that question, if I’m understanding the question well, would go to the ministry to say: “Why is it that the answer to that question is no? Is it something structural? What is the nature of the root cause?”

I think that’s how I took part of your question.

A. Mercier: Yeah, no, I think that’s fair.

I’ve got one follow-up question here. I think Alex has presaged part of the question, and he’s answered it in part. Going into page 23-24 of the audit report, after the table that Mr. Pickup there just alluded to, there’s some conversation about confusion within ministries about responsibility for keeping track of the asset inventories.

I hear you’re starting a cross-ministry project to start to look at best practices and implementing safeguards and whatnot. But I’m wondering if you can just specifically talk about what’s being done about that particular risk there, because that really seems to be a pretty deep organizational issue in that sense.

A. MacLennan: Absolutely. Thank you for the question. That is one of the areas where we actually started work prior to the audit being released, based on our earlier work with the auditors. What we are doing there is back to what I said earlier. We have actually established a table of representation across ministries, and one of the first conversations we were having was around roles and responsibilities.

We have been going back to our existing core policy, and also our standards, to review those things as a group and make sure that we have a common understanding of what those roles and responsibilities are and that we can all agree to it. We looked then to communicate that out, to make sure that all of government has access to that information and is aware of those roles and responsibilities. Then we’ll have a process for ongoing touch points with ministries to ensure that we are up to date and that, as peo­ple change and organizations shift around, everyone’s still aware of what those roles and responsibilities are.

I think the other aspect that is acknowledged in the audit and is a place where we’re looking to have a more proactive process in place in government is the fact that technology is continuously changing, and the number of things that are considered IT assets — i.e., they’re connecting to the Internet in some way — is increasing on a daily basis.

[9:50 a.m.]

I think an important part of this is that as far as our high-value assets — as I referred to before, networks, servers, devices — we’ve got good practices in place, and what we need to do is be proactive and see the new devices that are coming into the ministries and ensure that we’re aware of those and that our practices, roles and responsibilities also cover off those new things that are coming into our IT environment.

M. Bernier (Chair): Thanks, Alex.

Andrew, anything to add?

A. Mercier: No. Thank you.

M. Bernier (Chair): Okay, thank you.

We’re going to move to MLA Coulter.

D. Coulter: Yes. I have a couple of questions, but maybe I’ll just take off on Andrew’s question.

I’m looking at the lines of business that you were looking at. I’m just trying to understand, I guess, the structure of the ministry and the structure of IT management. So I see, like…. Well, other than the enterprise services division, which obviously is responsible for all of it, I see Citizens’ Services has an information management branch. Same with Finance. Health has an IT services branch. Then those three ministries have other lines of business underneath those.

Say, for Health, for instance — does the IT services branch look after all the other lines of business, like the business management office, the health information, privacy, security and legislation office, etc.? Or do each of those lines of business manage their own IT? Then, I guess, a secondary question to that would be…. Education only has one line of business here, services and technology. Is that partially why Education fared well in this audit, as opposed to the other ministries?

A. MacLennan: Maybe if I can ask Jeff Aitken to respond to the initial part of the question and then Eleanor Liddy to respond to the second part, please.

J. Aitken: Great. Good morning. It’s Jeff Aitken, from the Ministry of Health. Thanks to the committee member for the question. I think that is accurate in why the Ministry of Health was seen as being non-compliant with the Auditor’s expectations.

Each of those areas that you listed do have their own…. I’d call them small IT departments. I think what’s hap­pened over the years is that these were separate operating entities which have since been absorbed in the Ministry of Health. They’ve brought their own IT departments, who kind of look at their own infrastructure.

There is certainly a central coordination by the ministry’s IT services branch, but our weakness is that we don’t necessarily have sort of common processes and a single common inventory of all of our assets. We had them, but they were in these separate lines of business. So that’s, through our work with the OCIO, what we’re going to be working on rectifying.

M. Bernier (Chair): Thanks.

Dan, anything else?

D. Coulter: Yeah, I have one other question. I was wondering how closely the NIST cybersecurity framework…. I see here the audit method used questionnaires based on the NIST cybersecurity framework as well as the government’s Core Policy and Procedures Manual.

I was just wondering how well did the two align. Maybe this is a question for Mr. Pickup. If they weren’t in alignment, I suppose we’re updating that and putting them within alignment now?

M. Pickup: I will ask David to respond to that, please.

D. Lau: Thank you. That’s a good question.

This is an audit about…. It’s not about IT asset management; it’s about managing IT assets in the context of cybersecurity. The core policy manual and also the information security standards talk about IT assets, the managing. But they only mention IT assets without the context of cybersecurity in mind in there. That’s where we found the gap between the standards and also the manual. That’s why we said the policy has to be updated in the context of cybersecurity.

For instance, many of the ministries have inventory. When we go and ask them, they say: “Yes, we do.” But the thing is that when we look at the inventory, they were just inventories but without the key information that can warrant the ministry to take action to protect the assets. But whether they’re important enough to protect the assets — that’s where we found the gap is.

I hope I answered the question.

D. Coulter: Yes. Thank you very much.

I’m good for now. I’ll let other folks ask questions, Chair.

[9:55 a.m.]

M. Bernier (Chair): Okay, thanks, Dan.

We’re going to move on to MLA Anderson, who has a question too.

B. Anderson: Actually, I think my questions have been answered. Lots has been covered so far. I appreciate it. Thank you.

M. Bernier (Chair): Okay. We’ll move to MLA Banman, then.

B. Banman: I’ve got a couple of questions, if I may. I go to the number one: an organization can’t protect what they don’t know they have. That seems to be…. I can respect that this is an immense task — to look after all of the IT equipment. A couple of questions I have, following in there…. Does that include the oversight for Crown corporations?

M. Bernier (Chair): That’s a good question. I have to start with….

I’m not sure, Michael, if you have an answer to that. It’s likely Shauna on that.

M. Pickup: Yeah, I think the deputy might want to explain that.

S. Brouwer: No, it does not include the Crown corporations.

B. Banman: Okay. For me, I see that as a glaring issue, especially when you consider the personal data that some of these Crown corporations have and the increasing ability for government to want to — for fines, let’s say — be able to collect these….

I think it is a glaring oversight that we do not include IT management, because to me, that would be a back door for IT management. That aside, I think that’s something that I would like to see in the future be included. That is a government branch, and there’s some highly, highly sensitive information there.

The second thing I want to know so I can get a grasp, get my head around this: can you provide me, please, with the attempts of attacks that we traditionally would experience in a year? Have there been any breaches?

S. Brouwer: Gary, if you could comment on the two questions, really. If you want to expand on the Crown’s responsibility and then on some of the data that we monitor on a daily basis.

G. Perkins: Certainly. As discussed, it is really the res­ponsibility of these Crown corporations to manage those assets, typically. We’ll have to leave it up to the Office of the Auditor General if they wish to pursue additional audits with those Crown corps. They’ve done so, including recently.

With respect to the attacks, the numbers are substantial. I think we have provided previous numbers, but we have updated ones. We see, in government, 372 million unauthorized access attempts daily, or over 4,000 per second. Those are attempts; they are not successful. We’re very fortunate that we have a team of security professionals that are dedicated to preventing, detecting and responding to cyberattacks, and we are able to prevent the vast majority of these and detect them in short order before they become a breach scenario.

One example. One of the largest, broader ones across government that I can point to — this was probably the last large one that was widespread across government — was in December of 2014, when our email servers had to be shut down in order to prevent the spread of malware within our infrastructure. But we’re very fortunate because we continue to invest in this space, take it very seriously and have the layers of prevention controls to prevent this kind of thing.

B. Banman: Okay. A follow-up, if I may, Chair.

Part of what I thought I heard — and you can correct me if I’m wrong — is that one of the exposed flanks that we have is, I believe, third-party providers. Can you give me an example? I would assume that a Crown corporation would be considered a third-party provider, although I think they’re much closer than that. Can you provide me with examples of other third-party providers? Have they had any breaches which — had we been helping them better or had better oversight over them — could have been prevented?

[10:00 a.m.]

G. Perkins: Well, first I’ll respond by saying that I think, as we know, in 2021, no organization, globally, is immune to cyberattack. As you have drawn attention to, absolutely, those third-party providers provide a possible way in. We call it supply chain. It’s an area of security that we need to manage.

I think one of the most recent examples you’ve seen in the news is with respect to ICBC relying on a third party to print their cheques. They’re having to be responsible for that information. Completely independent of ICBC, that third-party organization is compromised, and that impairs their ability to provide their services.

Certainly, when we have scenarios like that, it’s really important we’re maintaining an awareness of the security position of these other organizations to the extent that they touch or have connections into our infrastructure. We do take that very seriously — ensuring that we have protections in place to protect us from them, if that answers your question.

B. Banman: It does. Thank you.

M. Starchuk: Good to see you again, Michael.

As part of the other committee that I sit on, Finance and Government Services, we got to see independent officers creating a record management system that was coordinated between the offices that are there. When I hear about a mainframe that’s decades old, I wonder if there is some sort of need, in the foreseeable future, to start coordinating these types of systems so that we have a cybersecurity system that covers all offices, whether they’re within the Legislature or independent offices.

A. MacLennan: Maybe I could provide an initial re­sponse, and then perhaps the Auditor General may want to respond as well.

What I would say is yes, there are spaces where independence definitely comes into place around systems. That doesn’t extend to best practices and following common architectures and common practices as far as building systems. So there are lots of places where there are similar endeavours going on in different arms of government where we’re going in similar directions from a technology standpoint, both as far as having good technologies and applications in place that enhance service delivery and operations but also on the cybersecurity front.

A lot of our focus is on ensuring that there are ongoing relationships between these groups — that where we’re able to leverage common platforms, we do so; and where we are unable to leverage those common platforms, we look to leverage best practices and common standards and things of that nature.

There are other aspects of our overall infrastructure that are leveraged by different Crown corporations or broader public sector entities. One example would be our data centre, where we provide that infrastructure base service to many, many organizations across government and in the broader public sector. They benefit from a centralized approach to security and development. So I think, wher­ever possible, we are looking for those opportunities to leverage those same sorts of practices for the benefit of British Columbians.

Maybe the Auditor General will want to speak more to the perspective of independent offices.

M. Pickup: Nice to see you again, as well, Mike. Thank you for that question. I will share my thoughts on it, recognizing, of course, that I don’t speak collectively on behalf of all of the independent officers.

For our office…. It’s interesting, and interesting is probably a word that includes challenging. We have part of the infrastructure of government, obviously, that we use. Sure, we’re using email, for example. That’s all through the government. That’s all of that infrastructure that we’re relying on.

If we look at our own systems here in terms of how we keep audit records, we’re not using a case management system that other independent officers may be using, for example. We are using audit software that records audit documentation to support OAG files, so fairly unique. And we have a chief information officer here within our own office as well.

[10:05 a.m.]

We meet periodically, the independent officers, as a group to talk about collective issues. I think I’m going to suggest to my colleagues that we put this on the agenda to see if there’s any sort of cross-fertilization sharing that we can do.

I have to be careful when I say this, I guess. I would particularly want to be helpful to the independent officers that may be smaller than us. We’re one of the larger ones. If you get a smaller office with less people, perhaps there is something we can be doing to help them for the unique aspects of independence and being officers.

The commitment is…. I’m going to suggest that gets on the agenda for one of our upcoming meetings and see if there’s any partnering, leveraging, we can do together as well.

M. Bernier (Chair): I saw the hand of the Deputy Auditor General too. Is there something, Russ, that you wanted to add, or was that for something I missed?

R. Jones: In terms of MLA Banman’s question around Crown corporations, as you know, we do audit a number of them. Cybersecurity risks are something that every in­ternal audit department in every Crown corporation is continuously looking at. While we haven’t done an across-the-spectrum audit, I think many of these issues that have been raised in our report here are very similar across a lot of the Crown corporations too. It’s an ongoing struggle for them to deal with all the various assets and programs they have, the same as with ministries.

M. Bernier (Chair): Thanks for that.

Back to Mike, if you have more.

M. Starchuk: Michael, when we were there with the other independent officers, we saw their records management system that was virtually considered at a critical junc­ture of changing, and the cost that was associated with all of that. When we hear the term mainframe, and the age of what it is, is there an expectation that when it comes to IT security, there’s going to be an ask coming down the road with regard to this, to get it into a generation that’s more comfortable?

M. Pickup: Great question. I think it’s one that I don’t know the answer to in terms of…. I know the answer for us, certainly. We had some asks which, thankfully, were funded in terms of some of the investment we had to do. A little bit different, though, because it wasn’t for things like our audit documentation software.

I’m not sure what is coming there in terms of what these independent officers may be asking for or may be needing. I’m assuming that has worked its way through their budget requests. I certainly, again, in the interests of being helpful, don’t mind sharing this question that comes up here with my colleagues and putting it on an agenda for a meeting there as well.

All that is to say it’s not a direct answer for your question, other than a commitment to take it back and see what I can find out.

M. Starchuk: Much along the lines…. The Deputy Chair made mention about other technologies and other equipment that’s there. This is kind of more specific with other technologies that are out there, whether or not it’s a Google or Alexa platform that’s out there where many of us, probably, on a day-to-day basis in our homes, utilize those tools to remind us, to create lists, to answer questions that we don’t have answers to by simply just…. I don’t want to scream out “Alexa, can you do this?” right now, because it’ll answer me.

When will those kinds of platforms enter themselves into the Legislature? I can tell you the amount of times that I use those devices at home or in my office are immense. I don’t need the aide or to pick up a phone or those kinds of things.

M. Bernier (Chair): That’s a good question, Mike. I’m trying to figure out who would like to respond to that. We could ask Shauna, because that’s really not an Auditor General question. If there’s anything the deputy minister could add to that, maybe.

S. Brouwer: I certainly will try. I think that question is probably best placed to the chief information officer of the Legislative Assembly.

[10:10 a.m.]

Some of those technologies, of course, are a little ways out. It’s nice that we have some of it in our homes. But we do have some challenges. I actually can’t comment on what the plans for the future are for the Legislative Assembly.

M. Bernier (Chair): No, that’s completely fair to that.

J. Tegart: I will let you know right away that IT is not my area of expertise. My question may be answered already, but as we talk about cybersecurity, [audio interrupted] one of the things that comes to an organization that has interaction with government and that we develop the A-team that has the expertise to monitor and to be right on things when we see a cyberattack.

The questions today again reflect the importance of whether it is leadership through a ministry or through government to have that A-team available to everybody who interacts with us. As taxpayers are listening in on this report, and how we’re going to become more efficient, I wonder: who is the A-team? Who is in charge of the A-team? How do we ensure that anyone who has interaction with our government systems has access to that A-team? We’re not in silos anymore.

When I think about different agencies and different of­fices asking for public dollars to do common things that the A-team could put in policy and ensure are there — is that a possibility? What are the barriers? What is the plan to move towards that sort of system? Or maybe I’m off base, and we’re not looking for that system.

M. Bernier (Chair): As soon as you said A-team, Alex looked like he wanted to jump in.

A. MacLennan: Thank you very much for the question. I’m lucky enough to be responsible for government’s overall A-team, and I would say that there are a whole bunch of other A-teams in ministries. So I can speak to your question a little bit, and maybe I will ask Gary to add some specifics.

I think it is a fantastic question. One of the things that we always talk about is that we’re all functioning in an ecosystem when we’re talking about cybersecurity. There are so many connections between organizations. So the better our security is of our partners — of local governments, of communities, of the broader public sector — the better our security is, and that is better for British Columbians writ large.

What I would say about the A-team that I’m lucky to have responsibility for, and which Gary leads, is that we have an incredibly dedicated, committed group of experts, of people who are security experts. This is their lifeblood — what they do and what they live for on a day-to-day basis.

We have put in place, over the years, fantastic tools and processes and engagement across government with those information officers in other ministries. There’s a very close network that are working together. My team is responsible for the overall policy and guidelines, and we’re continuously improving those things. We’re also responsible for helping to support the public service, broadly, to understand how to maintain the security and privacy, and we manage the systems on a daily basis, monitoring all of our infrastructure and ensuring that we’re safe.

It does go beyond that, I think. We have been acknowledged across Canada as a leader in cybersecurity as far as governments are concerned. Part of that is Gary, from my team, has taken a very active role in engaging with organizations across British Columbia to share what we know. We actually invest time in training with other organizations that may not have the resources that we have.

We have put in place tools that can be leveraged and accessed by them, and there is a close network of people, especially in the public sector information security community, so that if one thing happens, then quickly, that network is alerted. We’re hearing about things that are happening, from our partners, in real time. There’s a lot of communication going on in that regard.

It’s not to say that there aren’t always areas for improvement. We continue to focus on investing in our tools that we use in the training for our staff and in the training for public servants. It is an area of focus for us. Maybe I’ll just ask Gary if he has anything to add to that.

[10:15 a.m.]

G. Perkins: You’ve covered it very well, but I can’t waste this opportunity to speak our praises. We need to be collaborating more than ever. I think, as pointed out on this call, organizations are more connected than ever, and we’re all part of this ecosystem. It is true that we meet monthly with public sector organizations across the province, sharing information and also thought leadership, including best practices. It’s all in an effort to raise the security water level across the province and across Canada.

M. Bernier (Chair): Thanks, Alex. Thanks, Gary.

Jackie, anything else to add?

J. Tegart: Just a follow-up. It’s comforting to me, as an MLA, to know that there is an office that people phone, and that expertise is available to them. My concern, al­ways, is that we have a little bit of expertise in each ministry and that we don’t have the umbrella organization. It’s comforting to know that that A-team is there, but is it used effectively throughout the organization? Is it used effectively for those whom we’re responsible for — like Crown corps, independent offices, all the things that government is responsible for?

A. MacLennan: Perhaps I can speak to that, on your initial question. I think we are leveraged very effectively within core government. There are very strong relationships across the information security community. Actually, I think that opportunities like this audit are just putting more focus on it — in answer to that. I think there’s a consistent enhancement there.

I would say, as far as outside of core government, there’s, I think, still a lot of room for improvement, but we’re making progress. I think Gary has shown a lot of leadership — and his team has — in starting to increase the amount of engagement with those other organizations. It’s something we continue to focus on and continue to build on, but I still think that there is more opportunity in that regard. We are not sitting back, waiting for that to happen. We proactively reach out to other organizations and offer our support, services and opportunity for collaboration and information-sharing.

M. Bernier (Chair): Thank you for that.

I think Jackie is finished, so we’ll go to the vice-Chair, MLA Glumac.

R. Glumac (Deputy Chair): Thank you. Having heard all of the questions and answers. I just wanted to follow up on a couple of things.

I found it interesting that nobody could answer Mike’s question, which essentially is: how do we modernize? I think it’s a very important question, and it comes back to…. We have these decades-old mainframes, and we’re sort of patching them and trying to cover holes that are security holes, and this and that. That’s just one example. I’m sure there are many other systems and networks and servers that are old.

“How do we modernize?” is the big question I have. I see the recommendations and see that the action plan is there, where we’re going to improve our recordkeeping, basically, but that, to me, is just kind of a first step. I mean, the fact that we haven’t really been keeping good records on our efforts to minimize attacks on our technology is one thing. But how do we modernize? There’s a lot of legacy there. There are a lot of big systems. Do we have a plan? At some point, maybe it’s better, instead of patching everything up all the time, to just get to a modern system. Do we have a plan for that?

A. MacLennan: I’m happy to respond to that, if you like. I would say the answer is yes. The mainframe example is just one. There are thousands of applications and many different types of infrastructure across government.

Our office, the office of the chief information officer, is responsible for creating a vision and a strategy for government around our modernization of IT, and we’ve done a lot in that regard. We’ve actually set up a digital operating model for government in collaboration with the other ministries, which answers exactly the question that you’ve raised: how do we move to a more modern approach for government? That is work that is not just a plan. It is active on a daily basis.

[10:20 a.m.]

There are many, many examples, across all ministries, where ministries have leveraged new technologies and are moving into a space where they are adopting cloud services, where we’re using top-notch products that are pro­vided as software as a service from different organizations. We are, I think, barrelling into that world as fast as any jurisdiction in Canada and in a very planful and mindful way. It provides lots of opportunities for doing things more efficiently and for maintaining better cybersecurity.

When done well, the moves that we’re making to the cloud and to using more modern techniques for building applications not only allow us to move faster; they provide a better product, and they provide a product that we can manage more effectively in the future. So I absolutely, totally agree with you and your assertion. It is, basically, the primary focus of the office of the chief information officer — and, I would say, all of the MCIOs in government — to have a really strong modernization agenda for every­thing that we do.

I would add, as well, it’s not just in the application space. When we look to how we manage our infrastructure, which is primarily the responsibility of my team, we are always moving forward with more modernization. When we say, “Yes, we are still moving some stuff off the mainframe,” at the same time, in our data centre, we are absolutely putting in place bleeding-edge technology around how we manage that infrastructure — the same around how we manage our devices and very much about how manage our security.

I absolutely agree with the importance of that. It is certainly a focus, I think, for every witness on this call.

M. Bernier (Chair): Thanks for that. I was wondering if the deputy minister…. I saw that she might want to add something.

S. Brouwer: Certainly. I was going to add that across government, we have a deputy ministers committee that manages the digital investment board. That is a gover­nance committee of multiple deputies that decides on certain investments as well as pushing forward on the digital investment framework.

When we see business cases coming forward before they are funded, we make sure that certain modernized criteria are there and that we reproduce and reuse common components. There is a lot of governance around the invest­ments we’re making and a real focus across government on that modernization piece.

I really appreciate the question. We’re definitely spending a lot of time on that.

M. Bernier (Chair): Thank you.

Rick, anything else?

R. Glumac (Deputy Chair): No, that’s it. Thank you.

M. Bernier (Chair): Okay. I’m just going to look aro­und, then, to see if there’s anybody else on the committee that had a follow-up or another question they’d like to ask. We covered a lot there.

Seeing no further questions, maybe I will just end by thanking all of the deputy ministers, all the staff and all the different ministries who took part today, who were very open with their information and answers. Obviously, as the Auditor General said, we did not get into every ministry. But I think there are lessons to be learned, as we heard and acknowledged by Shauna, that all ministries can learn from the different outcomes and through this report of what needs to happen, going forward.

I really appreciate some of the questions, too, that we heard from the committee members here today, because it really allowed for a good discussion and for the different ministries to really think about this, going forward. Especially as, as the Deputy Chair and others said, technology is evolving and changing every day, we, as an organization, need to stay on top of that. It’s great to hear from Alex and others that the A-team is on it.

That’s good to hear, but I think it’s also important that we look at these follow-ups — that all the ministries look at how they can move forward with the recommendations in a timely manner, especially as things are changing right now. With everybody working from home, as I can see on the screen, IT and our technology is so important. I think it’s going to just continue to be — in our workplaces internally, going forward — so the security of that is going to be even more important as we move forward.

Thanks, everyone, for your questions and for all of the ministry staff who were involved with this.

[10:25 a.m.]

I think, with that, unless there are any other comments from the Auditor General, we can move forward to the second report that we have today. I’ll turn things over to the Auditor General as we get into a totally different area, talking about international education.

Thank you, everyone. We’re going to move to the second report.

Oversight of International
Education Programs in
Offshore and Group 4 Schools

M. Pickup: Thank you so much. Far be it from me not to pass up a chance to advertise as well, since we are here.

Just wanted to mention that we have work underway now on an audit of cybersecurity in the telework environ­ment. Work is underway on that. It’s funny how you…. That wasn’t a set-up with the Chair. The Chair ended with that, so I thought I would take the opportunity to mention that yes, that’s important to us, and yes, the audit is well underway.

Now, putting on a different hat: the oversight of international education programs in offshore and group 4 scho­ols. I’m happy to have two of the key members of the audit team here today with us. Sheila Dodds also happens to be the assistant Auditor General. In addition to leading that audit, she is in charge of our critical audit support services, which includes things like professional practices, legal, IT, finance and admin. All of these things Ms. Dodds is responsible for. She also led this audit. With her, joining us today, is Barbara Underhill, who is the manager of the audit.

Before turning it over to Barbara and Sheila, I want to say thank you to other folks who aren’t here with us today who participated on the audit. Again, a big genuine thanks to folks across the office from A to Z who support us in getting this work done. That’s our folks, as I said before, whether it’s our important administrative folks, our IT folks or our finance folks who find us the money when we need it to do these audits. Every single support service comes together to help us get these things done. Without all of that in addition to the audit teams, we wouldn’t be here today to be able to talk about this report.

I also want to thank the folks that we audited. A genuine thank-you for such a professional and forward-looking and positive response. I’m looking forward to hearing all the wonderful things that I know are already taking place in response to the audit. Thank you for that.

I will turn it over now, Chair, to Barbara and Sheila for a brief presentation. In keeping with the spirit, like we did the other presentations, it will be short as well.

S. Dodds: Good morning, Members, and thank you, Michael. I’m going to just let Barbara do the walk-through of the summary that we provided you.

B. Underhill: Good morning, everybody, Chair, vice-Chair and committee members. Thank you very much for your interest in our report on the oversight of international education programs in offshore and group 4 schools. For my presentation, as did David Lau, I refer you to our Audit at a Glance document, which we provided in advance of this meeting.

As you can see, we did these two audits because K-to-12 schools are a pathway for international students to B.C. post-secondary institutions. The quality of delivery of education through these schools can impact the reputation of the B.C. education system abroad. Also, offshore schools and group 4 schools enroll over 40 percent of all K-to-12 international students studying the B.C. curriculum.

Because these types of schools are governed under different legislation and operate in different jurisdictions, we conducted two parallel audits with parallel objectives. We looked to determine whether the Ministry of Education provides effective oversight of the delivery of education programs by both offshore schools and group 4 schools.

To conclude against these objectives, we looked at three areas of oversight: whether the ministry was confirming schools meet initial and ongoing certification requirements; whether the ministry is monitoring for ongoing compliance with those certification requirements; and whether the ministry is monitoring for performance at the individual school level, as well as for the schools as a whole.

Overall, we found that the Ministry of Education’s oversight of offshore and group 4 schools is effective and that there was a culture of ongoing improvement in the branch. We did find minor shortcomings and incomplete oversight of business risk for both types of schools.

[10:30 a.m.]

To address these risks, we made eight recommendations, all of which the ministry has accepted. They’ve also already started on implementing these recommendations, and we commend them for that work.

Moving to the specific findings section of our at-a-glance document, we found, on the certification side, for offshore schools that the ministry does confirm new schools meet certification requirements before being certified, particularly in the area of educational requirements.

In the area of operator responsibilities, we found the ministry could improve their oversight of business-related risks. As a result, we recommended that obtaining and as­sessing longer-term business information would help the ministry better assess schools’ long-term capacity to deliver a quality B.C. education program.

We also found that given the diverse jurisdictions in­volved in offshore schools, the ministry could do a better job of understanding the unique requirements in these regions to ensure that schools are meeting operational requirements.

With respect to compliance monitoring, we found that the ministry has a rigorous three-step process. Schools are required to report, on-site inspections take place, and the ministry follows up on compliance issues needing correction.

We did identify two areas for improvement. We recommended that better oversight of pending teacher certifications take place, as well as recognizing that the growth in the number of schools was impacting time for critical review.

With respect to performance monitoring, we found that the ministry is doing a good job of monitoring performance at the individual school level but could do a better job of assessing performance for the offshore school program as a whole.

Turning to group 4 schools, our results and findings were very similar. In the certification area, as with offshore schools, we found the ministry was doing a good job confirming schools meet certification requirements related to education in particular, but they could improve oversight of business risks in ways similar to what we recommended for offshore schools.

One additional area we identified was that the ministry could do a better job of ensuring schools are assessing language proficiency to ensure students get supports needed to be successful in B.C.

In the area of compliance monitoring, our results were very similar. The high volume of compliance documents that the ministry was required to review was challenging, and it meant that it was difficult to conduct critical reviews of all of these documents.

Finally, in the performance monitoring area for group 4 schools, as with offshore schools, we found that the ministry did a good job of monitoring performance at the individual school level. The ministry could gain valuable information by doing a better job of monitoring these schools as a distinct group of independent schools in B.C.

Thank you very much. This concludes my presentation.

M. Bernier (Chair): Thanks, Barbara.

Is there anything the Auditor General would like to add before I turn things over to Keith?

M. Pickup: No. I think that was great.

Thank you, Barbara.

M. Bernier (Chair): Okay. Thanks very much.

We’re going to be turning things over now to Keith. Assistant Deputy Minister Keith Godin is here with us today.

Keith, it’s great to see you. It’s been a while since we have seen each other, so I hope you’re doing well. I’m looking forward to hearing the presentation and hearing the response.

K. Godin: Likewise, Chair. Nice to see you.

And to the Deputy Chair and the rest of the committee, thank you for the opportunity to present today.

Just by way of introduction, as well, I want to introduce one of my colleagues, Marnie Mayhew, who, you’ll see on the screen, is executive director of independent schools and international education and is going to help me through the presentation.

I’ll say for the committee at the outset: there’s recognition that there’s going to be some repetitive information from the presentation you just heard from the Auditor General. But I do think it’s important for this committee to hear from the ministry, to affirm largely everything that was said — confirmation of where we’re at with the recommendations and next steps. We have the ability to clearly articulate our position, which is, as indicated, actually receptive of all the feedback we’ve received on these two programs.

[10:35 a.m.]

So overview. As mentioned, the audit confirmed the ministry provides effective oversight of both offshore schools and group 4 schools. For those that are unaware of what a group 4 school is, and where that terminology comes from, it’s actually defined in the Independent School Act. There are about 28 of these schools. Enrollment is approximately 1,400. These schools serve at least 50 percent international students, for-profit institutions that deliver the B.C. curriculum, and no funding is provided by the province for these schools.

The offshore schools — there are about 45 of these in several countries around the world — provide B.C. curriculum, B.C.-certified teachers. That program has been around since the late ’90s.

A second key point. The audit acknowledged the ministry’s work to continuously evolve and improve the program oversight on both accounts. And we’ll get into that a little bit more. To be clear, the ministry has fully accepted all eight audit recommendations. In fact, we’ve organized those recommendations into 13 actions, which you’ll see in our detailed action plan.

Four have already been implemented; five are in progress. And you’ll see in the action plan that a number of them will be completed very shortly into the fall. Then there are four that are planned for implementation in the future, and we’re quite confident that we can kind of achieve all of those recommendations in place as well.

Key findings. I’ll go through this relatively quickly, as I know the committee has heard this, to confirm what we heard from the audit.

That new school operators meet the established requirements before certifying them. That the ministry has a robust and documented monitoring process to confirm ongoing compliance with certification requirements. That the ministry uses reported performance data to evaluate the delivery of education programs by individual offshore and group 4 schools. That we should require more business information to assess applicant schools’ business and financial sustainability, which we’ll touch on in a moment. That we should streamline its compliance monitoring model to focus on key risks. And finally, should introduce additional requirements for offshore schools to demonstrate that local approvals meet the B.C. standards for certification.

The next two slides cover a summary of what’s in the de­tailed action plan. We have one slide that covers the offshore schools and another slide that covers the group 4 independent schools. On the offshore schools, first recommendation: expand requirements for business and financial information. We have that well underway. Schools must now submit a five-year business plan, and we’re developing that evaluation criteria to go through their growth plan and financial projections. The status — as mentioned here, partially implemented. Very shortly, in the fall, we’ll have that kind of fully in place. That aligns with our normal cycles on applications and inspections.

Secondly, provide additional evidence that local ap­provals meet B.C. standards for certification. This requirement is fully added for August 2020. We fully appreciate that feedback that was received and agree with it and have fully implemented that direction.

Next, review and update compliance monitoring model. Offshore schools must now report monthly on the status of pending teacher certifications, as one example of operations, and we’re developing business requirements for a new IM and IT platform for monitoring and making sure that it’s robust as possible. That’s partially implemented.

Finally, on the offshore school side, evaluating progress to meet stated goals of the offshore school program. That is fully planned, and we’ll have that developed throughout the summer for implementation in September 2021.

[10:40 a.m.]

On the group 4 schools, again, another four recommendations. First, requiring the schools to conduct assessments of English language ability for all new students. This is planned, as of September 2021. All these schools will be required to administer a standardized ELL test, and we’ll do that through the inspection process. As many of you probably read in the report, there’s already a fair degree of rigour with this inspection process. So we’ve added this one element.

Second, expand requirements for business and financial information. Very similar to the offshore side of things, applicants must now submit a five-year business plan and will have evaluation criteria that is similar to other schools that we oversee.

Again, similar: review and update compliance monitoring model. The group 4 schools have to use the ministry student information system or pay a higher per-student fee if they’re going to use their own system, so there’s very consistent kind of tracking and monitoring with students enrolled. And again, we’re investing in a new IMIT platform to monitor all that.

Finally, evaluate the performance of group 4 schools as a unique group of independent schools. We are developing performance tracking for these schools as a distinct cohort. A side editorial comment on that is that, with the other groups of independent schools, we do have a very rigorous inspection process where we evaluate that on a number of criteria. So combined with the criteria where we evaluate public schools, we have a lot to work from in terms of evaluation criteria for school performance.

In summary, we genuinely thank the Office of the Auditor General for its recommendations. We really valued the feedback, the insight and the third-party perspective into these programs. They made them better, and we thank them for that. To confirm, the ministry has accepted all recommendations and is fully committed to their implementation.

Thank you very much, Chair, and to the committee, for the ability for the ministry to comment.

M. Bernier (Chair): Well, thanks a lot. Sorry about that. I realized I was not on mute the whole time you were talking, Keith. Luckily, I didn’t say anything compromising your role and position in your presentation.

I’m just going to start with a few people who have questions before I get into some. I’m going to start with MLA Sharma, please.

N. Sharma: Just a general comment. It seems like a good example of an audit really coming in and giving some helpful pointers to the process that were largely accepted.

I don’t have any general questions about the report and the audit, but I have a specific one to the Auditor General, out of my curiosity. That is the recommendation about rationalizing documentation that was given, just about streamlining and figuring out exactly what you need in terms of the documentation required, and that administrative burden. My question is overall in government about that.

Do we have a process to think about rationalizing the documentation and the administrative burdens required in general? I’m curious if there’s an audit performed on that and if we actually do think about that. I’ve noticed that sometimes, in this day and age, we ask for things, forms and documents and requirements — there seems to be the question — that we actually don’t really need. That’s my question.

M. Pickup: Perhaps I will take the question, given that it is beyond the audit.

A couple of things. I think every jurisdiction is probably unique in terms of process or focus. They may put on, whether they call it red-tape-reduction or paper reduction or process reduction and how important of a strategy that is for government…. So as an auditor, we would keep an eye to that to see if it is something that government has established as a priority that we might want to audit.

For example, when I was in Nova Scotia as Auditor General, we did an audit of government strategy on red paper and process reduction because they wanted to streamline things for business and for folks, in terms of what they had to deal with, and make government more efficient. So then it was very easy for us to come along and audit that as a strategy and how well that policy was doing versus us coming along and trying to create policy, for example, around red-tape-reduction or whatever people want to call that.

[10:45 a.m.]

We will pay attention to where that is, in the government’s strategies and government priorities, to see if that is something government is trying to do and then, potentially, evaluate it as we go forward: is that something we should be auditing across government? It’s kind of a long answer, but it really does depend.

I do also want to add something that we always try to be conscious of, I think, when we do audits: we have audit criteria, we are answering audit criteria, but are we being sensible, when we make audit recommendations, that we are not adding to the potential of needless process, for example? Yes, sometimes we are suggesting process, because it is so critical, and it is to cover significant risk. But I think we also try to look for opportunities, as we did in this case, where processes in government could potentially be streamlined to make things more efficient and quicker.

We’re conscious of that. I know it’s always a potential risk for auditors to be accused, if you will, saying: “Oh, you’re adding to process; you’re adding to government.” So we do keep that in mind as we do this work.

Now, in British Columbia, is that a priority of government? I don’t know the answer to that. If any of my colleagues, the deputy or Sheila or Barbara, know the answer to that — broadly, across government, if there’s a strat­egy…. I’m still settling in here. It hasn’t come across in any of the discussions I’ve had, but that’s not to say it isn’t a formal strategy.

Anybody know? Russ, Sheila or Barbara?

S. Dodds: I’m not aware of a particular strategy right now. I know that several years ago there was a red-tape-reduction initiative within government, but I’m not aware of anything in particular right now, and it has not come up in any of the audits that I’ve been aware of.

M. Pickup: Thank you.

Russ, do you know of anything?

R. Jones: No, Michael. Similar to Sheila…. A number of years ago there was an initiative put into play, but I’m not aware of any that’s currently underway.

M. Bernier (Chair): Thank you.

Niki, anything else that you wish? Okay.

I’ll move to MLA Mercier, then.

A. Mercier: I just have one or two questions. I will just start with a question for the Auditor General and your office, and a follow-up for the ministry, on recommendation No. 2, about collecting information in compliance with local regulations and laws in the host jurisdiction, for offshore schools.

My question for the Auditor-General’s office is: is the method proposed by the recommendation — which is, I guess, to ask the proponent or the target of regulation, which would be the offshore school, to provide the information to the ministry — the most effective way to do that? I understand that there’s likely an eye to reducing the administrative burden, but it seemed to me that that could be open for some abuse by bad or errant actors. As well, there’s a fixed number of jurisdictions within which offshore schools that are licensed by British Columbia operate. Would it not be possible, at maybe a broader and more objective level, to gather that information?

Then I had a follow-up there for the ministry. I’m just looking at the response from the auditee on page 20, “Recommendation 2 Response — Accepted.” I was just looking at the wording of that. “The ministry is committed to reviewing this recommendation while continuing to recognize and respect local business and cultural practices.” I’m just wondering if someone from the ministry can unpack what they mean by “respect local business and cultural practices” as a kind of qualifier to implementing that and give an update on where they are in the implementation of that recommendation.

I know I saw on the slide…. I think it said “fully implemented” — to make sure offshore certification meets B.C. standards. But my reading of this recommendation is that it goes quite a bit further than that. I’m wondering if we can kind of get an update on where the ministry is with this — if it’s still in the review phase of it, in terms of operationalizing it — and on what the plan is going forward.

[10:50 a.m.]

M. Pickup: Sure. I think we got the first part of that. Perhaps I will turn to Sheila and Barbara to talk about, in many ways, what the spirit and intent is, I think, behind recommendation 2 that we have.

S. Dodds: Thank you, Michael.

The challenge we saw with the audit…. It’s one thing to be complying with the local laws and regulations where the school is operating. It might not just be country. It could be local to the local area. It was quite different than looking at the alignment of what those local requirements were and if they were enough to meet the expectations of the Ministry of Education.

The recommendation is identifying that the school op­erator is in the best position to be able to provide the information around those local laws so that the ministry has enough understanding of what those local laws and requirements are, can read them because they’re translated and then be able to assess whether it’s sufficient to be able to meet what their expectations are for the operations of that school.

Barbara, did you have anything you’d like to add there?

B. Underhill: No. In general, I think you covered it, Sheila.

I will say it is actually extremely complex. So it is appropriate that the schools provide this information, because there’s a multitude of schools — as the ministry pointed out, 45 different schools, different jurisdictions. Even though many of those schools might be in China, each local region might have different regulations.

It can be very complex when they’re looking at the ministries concerned about, let’s say for example, fire safety. What are the regulations in that jurisdiction for fire safety inspection? How often do they occur? Those sorts of things can vary from one region to the next. Understanding those and what happens in those local jurisdictions so that the ministry can effectively monitor whether the school is needing those requirements is complex. That’s why it is necessary to rely on local operators for that information.

M. Bernier (Chair): Keith, I think you could probably add in now.

K. Godin: I think my colleague Marnie Mayhew, who’s much closer to program delivery, inspection process and all the folks that we have on the ground internationally, can add some commentary to that response.

M. Mayhew: Hello, members of the committee. I think I would just start by saying that as you can see in the recommendation itself, there is sort of a sub-focus, if you will, on the translation piece and then some broader observations about just ensuring that the ministry has a good line of sight and understanding of any local regulatory approvals or requirements.

In terms of the translation piece, we have very clear language in our certification agreements. I’ll read it to you verbatim. The agreement requires that any document or report required to be submitted to the province must be in English or be accompanied by a version that is translated into English at a standard of translation acceptable to the province.

There have been some cases historically, and the audit commented on this, where some documentation that has been submitted by owners has not always included complete, thorough translations. That, in turn, in some isolated cases, may have impeded an inspector’s ability to fully understand that document’s contents. We have reinforced, with all of our school owners and operators, that fulsome translations are an absolute requirement. That was introduced at the beginning of our inspection cycle last fall, in response to the audit conclusions.

Beyond the translation piece, through discussions with Barbara and the audit team and Sheila, we really honed in on three distinct instances where there could be some concern about whether or not we have enough of a line of sight on local requirements. Those are listed, actually, in the detailed action plan, those three scenarios.

[10:55 a.m.]

They basically have to do with ensuring that, No. 1, the ministry requires schools…. If there is an instance where, in local jurisdictions, teacher certification requirements are different than what they might be in B.C., those need to be explicitly spelled out, documented and translated.

The second scenario has to do with criminal record checks. In some foreign jurisdictions, criminal record checks for teachers are actually done as part of the teacher certification process or, for foreign teachers, they’re completed as part of their residency permit applications. So again, we’ve made it very explicit now that that needs to be documented and fully translated if the criminal record check is done as part of a larger process.

Then the final scenario has to do with building safety and food safety, because a lot of these schools operate with cafeterias, for example. Again, recognizing the plethora of different regulatory regimes across the globe, we’ve made it explicit to all of our schools that they need to address, in writing to us, fully translated, what their local permit processes are. In some jurisdictions, they may need to have their building permits renewed every two years, and in other jurisdictions, it may be every five years. So they need to explicitly address that in their documentation to us. That has all been added to our requirements.

Keith, I’m not sure you wanted to add anything further.

K. Godin: No, thank you. That answers the member’s question.

M. Bernier (Chair): Okay. Andrew, any other questions right now?

A. Mercier: I do, yeah. I’d just like to thank Marnie for that very fulsome unpacking of that. That definitely helps me to understand how that’s being operationalized and, ultimately, will help, I think, with what the primary goal is: to make sure that students in the care of the B.C. education system, even if on a licensing basis, are still top priority.

Barbara, I thought that you made a really excellent point, especially for folks or members of the public listening, that policies in a unitary state like China can often be as diffuse or complex across regions, or more so, than in our federal system.

One other question came out at me from reading the report, and it came up in a couple of different ways. I’ll ask this of Mr. Pickup and his office. There were references to gaps in records and some historical issues with recordkeeping that — I won’t use the word “hampered” — at points seemed to present a problem for the audit itself.

Just coming out of this whole conversation in our previous report that we looked at here today on IT and the difficulty in reforming historical systems within a complex entity like government…. I guess what I’d like to get a sense of, from this audit and just more generally from your work, is the scope of the problem with record management and whether or not that was kind of unique to this department and what the kinds of causes of it were — if that’s a broader issue in the ministry or if that’s something broader within government that needs to be addressed.

M. Pickup: Thank you for the question. To talk about this audit, perhaps I will look to Sheila and Barbara to expand on this.

S. Dodds: I think one of the unique things with this audit is that we went back decades to look at records, be­cause we were looking at records around the time that the schools were actually applying for that initial certification. I think a credit to the ministry is that there was documentation from almost 30 years ago.

We did not provide a recommendation around administration of documents because it had improved over time. So you’re dealing with quite a lengthy passage of time. The ministry had been proactive in developing different systems. But I would say that they are document-intensive files, and they cover many, many years with the regular certification and the regular monitoring process. It is an area that has been significantly improved.

Maybe, Barbara, did you have anything you wanted to add to that?

B. Underhill: Yes, I mean, everything Sheila said is correct. There were two elements: the historical element that we went back many, many years, and then also just the sheer number of documents that needed to be recorded. We did not find an issue, in general, with the records management activities of the ministry.

[11:00 a.m.]

For example, on the historical level, if you think about going back 30 years, a lot of records were paper-based, and then they had to be, basically, turned into electronically based documents. Turning records from a paper base to an electronic base resulted in batch loads of PDFs, enormous PDFs where it was very difficult to track back.

The ministry, in fact, did have a huge number of documents going back a long, long way. So we were able to see clearly that they were in fact doing the work, even though there were gaps in the documents. As I say, there was continuous improvement. The key area in this is just the sheer multitude of documents and, again, going back to that recommendation around streamlining to help the ministry focus in on those documents that are truly important.

M. Bernier (Chair): Thanks, Barb.

Andrew, anything else?

A. Mercier: No more questions. I just want to thank everybody for very clear and comprehensive responses.

D. Coulter: I, too, would like to thank everyone for their good responses. Some of my questions have been answered.

I maybe have some simpler questions here. Could I get some examples of group 4 schools? What one looks like and maybe a name of one? I don’t know. What does a group 4 school exactly look like?

M. Bernier (Chair): I’ll let Keith answer that. I won’t.

K. Godin: Yeah, I can start with that. I think Marnie can probably provide a couple of specific examples.

A lot of these kinds of schools — again, looking at the definitional criteria to provide B.C. curriculum; there’s no provincial funding — have to have at least 50 percent international students. That’s really the business that they cater to. There are a lot in Metro Vancouver that serve the international student population. Part of their business platform is to attract, obviously, secondary students in K to 12 and then kind of facilitate their entry into post-secondary institutions.

Marnie, I don’t know if there are a couple of names that we could cite for the member’s benefit.

M. Mayhew: I’m just asking my team to provide me with a couple of names, Keith. I’ll have those very shortly. Sorry. I don’t have them off the top of my head.

As Keith mentioned, there are 28 in total. But he’s quite correct. They’re mostly located in the Lower Mainland. I will provide a couple of names in very short order.

D. Coulter: Okay. I’ve got a couple more questions anyway. You can just do this by nodding. I assume “translate compliance documents” just applies to translating them to English. We’re not translating them into a standardized form that we use.

M. Mayhew: That’s correct.

D. Coulter: And then the criminal check. I’m wondering what this looks like. Obviously, it’s very complex in different countries, but here we do a vulnerable sector check for staff. What would that look like in another country, and do we have a sort of standardized process that we follow?

M. Mayhew: Just to be clear, when we talk about “we,” we the B.C. Ministry of Education are not conducting those criminal record checks. I just wanted to clarify that. What we require is confirmation that they have been done.

In the case of offshore schools, I would say the majority of teachers that are teaching in B.C. offshore schools are B.C. teachers or Canadian teachers who have been certified. They are required to be certified, as Keith mentioned, by our certification branch here in B.C. However, some offshore schools do also recruit teachers from other countries outside of Canada, and that is permitted. Those teachers, again, must go through the B.C. certification process, but because of the variety of source countries that teachers may be drawn from or recruited from, the criminal record check process can obviously vary depending on where they have been residing.

[11:05 a.m.]

I wish I could give you a simple sort of answer to that, but it really does depend on the circumstances of the tea­cher. But ultimately, the quality assurance piece on that for us is that regardless of where a teacher is from, they must go through the certification process here in B.C., and they must be able to provide a criminal record check that meets the requirements of the jurisdiction in which they are teaching.

D. Coulter: Okay. That raises another question for me.

The teachers regulation branch have to be part of that, I guess. As a school trustee, I used to get emails all the time. I was the chair of the school board, and I used to get emails all the time about teachers and the teachers regulation branch and different actions that were being taken against teachers for not following the rules.

Now, I’m just wondering: does the regulation branch, then, deal with any kinds of things that would happen in a school overseas?

M. Mayhew: Yes. That’s correct. In fact, they’re required. It’s part of our certification agreements with each of these schools, that if there’s, for example, any allegation made around inappropriate conduct on the part of a teacher, or a discipline issue, the school is required to report that.

D. Coulter: Okay. I see the former Education Minister nodding his head there.

K. Godin: If I may, just while we are waiting for the response on the specific names for the member. Hopefully, for some helpful context on the group 4 schools. The overall numbers of enrolment are just shy of 1,400, so it’s not a big presence. I mean, we have almost 2,000 schools in the province. So having about 28 schools and an enrolment of 1,400, which is down, obviously, over the last year, from normal numbers…. Just for situational context.

M. Mayhew: I can just respond to the former question. My team has just provided me, promptly, with this. This is just sort of five or six names, if anyone’s interested, of current group 4 schools.

In no particular order, Alexander Academy, Fountainview Academy, Maple Leaf–KPU, Century High School, Columbia College and LaSalle. That’s just half a dozen examples.

M. Bernier (Chair): Perfect. Thanks for that. I think that definitely answered Dan’s question and gives us some examples for it.

J. Tegart: Just a couple of questions. They’re included at the end of the two-page document that we received.

The bonding requirements for group 4 schools. As a school trustee, it’s pretty devastating when a school that services international students finds itself going out of business. It makes headlines. It’s an incredible situation for the students, for the staff and also, probably, for the business owner.

Could you talk a little bit about the bonding requirements for group 4 schools and whether they’re sufficient to protect the staff and the students who are attending that school?

M. Mayhew: Keith, would you like me to respond to that?

K. Godin: Yes. I know you have been very close to that question.

M. Mayhew: Thank you for the question. I’ll try to keep this reasonably high level, in the interests of time, but also, as everyone will appreciate, this is quite a technical area. I also want to answer the question, so I’ll try to provide an appropriate level of supporting detail.

I would just start by saying that…. This is noted, actually, in our detailed action plan. This is, I think, important context for all members. Certification decisions under the Independent School Act are not contingent on a school applicant demonstrating financial viability. In that sense, we don’t have a legislative lever available to us to sort of say “no” right out of the gate, based on that criterion alone.

[11:10 a.m.]

Having said that, there have been, for this particular category of schools — independent schools, group 4 schools — bonding requirements in place to address exactly the concerns and the risks that the member has spoken of. Those requirements have actually been in place since, I believe, 1993.

There are two things, I think, that the ministry and my team, in particular, have been looking at and will continue to look at. One is our bonding policies. That really has more to do with the accountabilities required of group 4 schools. The other is around actual bonding amounts.

Over the past year, my team has been working very closely with Ministry of Finance staff in the risk management branch to develop a bonding policy that will provide a lot more clarity, both for group 4 schools and for families of students who are attending these schools. That policy is very close to being completed. It will be released in a matter of the next few months, and it will provide more clarity about the requirements on the part of the school.

In terms of the bonding amount itself, in order to change that and the rules around the bonding amounts, that would require a legislative change. That’s something that we are certainly looking at, but it’s a longer-term consideration. In essence — this is where it gets very technical — the rules that have been in place since 1993 are that in the first year of operation, group 4 schools are required to maintain a minimum bond of $100,000. It gets a little more technical, but that’s essentially the requirement.

Then it changes in the second year. In the second year of operation, schools are required to provide a bond that is no less than $100,000, and that is equal to 75 percent of fees collected over a particular period of time from the previous school year. As I said, that was introduced a long time ago — 1993. Part of what we’re considering is whether or not that $100,000 is sufficient and provides the requisite protection for students and their families, going forward. I hope that answers the question.

M. Bernier (Chair): Thanks. Jackie, anything else, then? Was that your question? Okay.

I have a few things. A lot of my questions were answered too — it’s the fun part about going last — which is good. I will go last.

B. Banman: Chair, I’ve got a couple of questions, if I can. First off, I’m looking at some numbers in front of me — over $4.7 billion contributed to the economy and 35,000 jobs. Can you unpack that for us? Is that $4.7 billion a year, or is that in totality since this program started? Where’d that number come from?

M. Pickup: I’ll turn that to Sheila and Barbara, please.

S. Dodds: Barbara, can you elaborate on that? This was around international education overall. It was not around these specific schools, but I will let Barbara provide the details.

B. Underhill: Yes. That data came from a report that was conducted for the government. I’m not sure whether it was the Ministry of Advanced Education or the Ministry of Education. It was a consultant’s report, and it comes from the overall contributions to the B.C. economy from direct expenditures by international students in the B.C. economy. It’s actually enormous. It does include all of…. It’s things like tuition fees.

Most of this is based on post-secondary students’ economic activities, but there are lot of multiplier effects here. There are direct tuition fees. Students living in the country will purchase food, lodging. They’ll travel within B.C. They will have their family come and visit. They will buy books. They will do all sorts of things that expand the B.C. economy. That’s where that number comes from.

[11:15 a.m.]

If I remember correctly, it was in a single year. At a sin­gle year in time, that was the number that the international education service sector, in general, generated in direct economic activity in B.C.

B. Banman: Thank you for that. I was just doing the math in my head and trying to figure out how 14,000 peo­ple contributed $4.7 billion. That makes more sense. I found that number to be a little bit…. That’s why I queried it. It’s a little bit misleading. It’s not about this particular…. It’s in the totality of all foreign students. That’s very helpful.

I guess the other question that many people would ask and I don’t necessarily see in the report, unless I gla­zed over it, is: why do we do this in the first place? Why is it important for us to be monitoring this business? I think I know the answer. But I want to hear…. What’s the initial goal for why we have this program to begin with?

M. Bernier (Chair): I’m not sure if Keith wants to ans­wer it. It’s almost a political question in some ways.

B. Banman: I don’t know that it necessarily is, but it could be. Why is it important for foreign students to have access to British Columbia’s post-secondary education system?

M. Bernier (Chair): Keith, maybe I’ll help. It’s not only the access. Why do they choose British Columbia for that education?

K. Godin: I think there are a few aspects to that. I take your question as more directed to the onshore than the offshore. I think there are equally applicable questions to both programs.

On the onshore side of things, British Columbia and Can­ada, as well as lots of other western democracies, have welcomed international students for many decades for multiple reasons. One is multiculturalism. There’s exchange, two ways. We’re only measuring inflow here; there’s the outflow as well. A lot of students get international perspectives elsewhere. There is also the financial. We’ve talked about the multipliers and all that kind of stuff. The economies do benefit.

Another argument that has been raised…. I’m only speaking on behalf of the Ministry of Education, not Advanced Education per se. But I know there’s a primary conduit that’s been publicly reported on — research partnerships in that conduit. Then I think the other key thing is that connection from K-to-12 to the post-secondary system. When it comes to the offshore program, for example, 50 percent of those students enrolled in offshore attend Canadian post-secondary institutions. There’s quite a high transition rate — kids, foreign, coming in from abroad.

I could continue to elaborate on some of those key rationales, but my only other comment to add is on the offshore side of things. It was created in the late 1990s and further escalated in the 2000s. It’s relatively stable at this juncture, but I think there’s continued interest, probably, in some diversification of that program.

B. Banman: Thank you. Don’t get me wrong. I’m not being critical of the program in the first place. What I’m trying to do is…. For anyone that may be watching, it’s a natural question to assume: why would we spend time, money and resources on a program such as this?

I can tell you my experience. The other thing that has perhaps been glazed over, that I would like to see tracked, if possible, is…. I have a doctorate. There are issues with education that is received in other countries. Is it a pathway to citizenship? I would say that it probably is, and we end up with people who want to immigrate to the country.

This would be one way they can do that, because their education requirements would then be fully accepted. I was going to go on the translation, which is why the translation of this becomes so vital. For those that do wish to immigrate to Canada, it would be one of the natural pathways.

[11:20 a.m.]

Their education is actually valid when they get here, be­cause it’s accredited. I would think that would be important. Some may not wish to do that. As you said, it could be for many reasons. They may wish to understand how North America works, to be able to take advantage of that back home, let’s say, wherever they are.

Do we track whether any of these students stay, or even international students — period — end up staying in Canada, and it becomes a pathway to citizenship, and if so, do they stay in B.C.?

K. Godin: Yeah. I mean, those kinds of final-destination outcomes are difficult to track.

B. Banman: I appreciate that.

K. Godin: I think one of the things I’ll pull from is that previously, I oversaw immigration for the province, so I have seen those kinds of pathways where students, whether in K to 12 or post-secondary, are getting an establishment of a visa for learning purposes. Do you transition that into other types of immigration pathways? Yes, I’ve seen that. I can’t quote any numbers for you today.

The other quick comment — just back to a premise in your question about the kinds of resources and time and effort being spent on these programs. On the offshore program, it is entirely cost-recovered through the application and inspection fees. So there is no cost to the taxpayer for the offshore program. Similarly, for the group for independent schools, no provincial resources are deployed to those schools.

B. Anderson: I just wanted to put my two cents in to the MLA’s last question about why it’s relevant. I think on an international scale…. I’ve studied in different places. I was a high school student in Ecuador for a year. I went to a navy school while I was there and then a private school. I’ve been an exchange student in both Mexico and Hungary.

The university in Hungary…. The program that I took was certified through the University of Manchester, so the benefit of that, to me, after seeing a lot of different types of education systems, was that when a student knows they’re getting something certified in a country or a province that has a really high reputation, there’s a high value to those students. Also, the expat community, at times, if they’re living in China and they’re able to have their children educated under the British Columbia curriculum — there’s huge value to their students there.

As parents are trying to figure out how to best support their children, if they have the financial resources, placing them into an education system that is parallel to our provincial system has tremendous benefits. So you could see why both expatriates — British Columbians or other Canadians living abroad — but also just people that want high value education for their kids and have the resources to pay for it….

We have an excellent education system in British Columbia. It’s also an English system, so it’s sort of, I don’t know…. Globally, a lot of people are looking for an English system, so I think it makes a lot of sense. Because there’s full cost recovery on it, I don’t know why we wouldn’t be doing it. It benefits a lot of students, and it’s also a way for us to….

At the university I went to in Budapest, it was to bring eastern and western ideologies together after the fall of the Berlin Wall. In that sense, too, when students are getting educated in Asia — or I saw Egypt in there, or Columbia — under a British Columbian framework, they’re also understanding different ideologies from different places. Parents can find benefit in that as well. I think there are tremendous benefits for a lot of people, for us to be able to provide this.

M. Bernier (Chair): Seeing no further questions from anyone, I just wanted to ask, I guess, from a high level…. First of all, not directly attributed to the audit per se, but to Keith or to Marnie, with COVID right now, and the risk that we have facing travelling restrictions and how we see that… Who knows how that’s going to shape things? Especially what I’m concerned about, first of all, is the group 4 schools and the impact that that might have.

[11:25 a.m.]

You said there are the 1,400, approximately, students. Have you heard from any of the people who offer these programs that there is concern, maybe in the short term, around the delivery of the programs — maybe numbers of students going down, specifically around COVID? I know we’re a destination, one of the best in North America, for our onshore schools. How do we see that over the next, maybe, year or two? Have you heard anything?

K. Godin: Yes. I’ll start. Yes is an understatement, in the sense that over the past year or so, this has been a priority for our team in the ministry and for Marnie’s team, in particular.

To address your question, I’ll organize it into two sides: the offshore and the onshore. Chair, you’re right to frame it as not just the group 4, because there are lots of other international students in the public and in the independent system — typically, around the 21,000 mark. Numbers are approximately half as a result of COVID.

First point of context for the committee is, yes, 1,400 within group 4. But there are about, approximately, 12,000 total of the typical 21,000. So both public and independent sectors have been impacted, obviously, by COVID. There are a number of things that we’re giving careful consideration to in terms of broader recovery.

First, everyone is in the same boat here in terms of the movement of students around the world. I’m not going to get into geopolitics, but I think the committee’s aware of the dynamics with China and the movement of students from that jurisdiction. Jurisdictions like ours that provide high-quality international education….

There’s still a huge demand, but that demand is going to be diversified. It’s going to come from multiple other jurisdictions and not predominantly focused on China. It will come from other sources in southeast Asia and South America in particular.

I think there will be a lag effect. Every consultant’s re­port that we review indicates that demand will be renewed but that it will take some time to recover.

Second point is that it does provide us a real, valuable strategic opportunity to deliver things, maybe, a little bit differently in hybrid ways — bridging online versus in-classroom — and other connections, as I mentioned, with other jurisdictions, potentially with other post-secondary institutions in Canada. We’re looking at the delivery of this program. We’ve been given a shock. How do we adapt and react to that shock and still deliver high-quality programming — again, in the context of all other jurisdictions doing the same calculus?

On the offshore side, I would characterize this as actually much more positive. And if there is any retrenchment in parents in other jurisdictions wanting to keep their students in their jurisdiction for the time being but still wanting an international program in the B.C. Dogwood, which has tremendous international value…. We are getting a lot of applications and interest in the offshore program in particular.

The same kind of market analysis applies. In a sense, di­versification — less proportionate focus on China and looking at other jurisdictions. That is very much in play. So a fair degree of positivity. I would say measured diversification on the offshore program. Probably more of a lagged effect on the onshore, but that will impact not just group 4 but the entire public and independent sector.

M. Bernier (Chair): Thanks for that. It probably doesn’t require a follow-up answer, but this is going to be, possibly, a huge financial, budgetary hit on the public school system — especially 43 and a few others that I know in the metropolitan areas, and a few in rural B.C., who rely heavily on the international student cohort as part of fulfilling their bottom line.

[11:30 a.m.]

That is going to be interesting — probably over the short term, hopefully, only — on how that’s going to be felt and monitored. Especially with a couple of former school trustees on here, they would know that well. Anyway, that’s a little outside the audit.

Maybe you could…. My last question, I guess, is more of just an explanatory note from yourself, Keith or Marnie, for those listening. The audit covers really well the going-forward as well as the requirements. I appreciate the ministry — the work they do for our international schools and the group 4 onshore.

From the international offshore schools, specifically, maybe you can just highlight, if you can, because…. It’s not just a case of you apply and you get. Maybe just highlight the process, if you could. Some of it’s been covered off through the audit of the existing.

If somebody wants to start up an offshore school in a jurisdiction, if we’re going to outside, even…. We have a lot in the Asian market. But let’s say we’re going into the European or South American markets, into Cuba, and we want to look at an offshore international school there. The application process criteria that they must follow before they get certification…. Because again, if we’re sending our teachers there…. It’s all about safety for our children, our staff, best education possible, but the process around certification.

Then follow-up to that would be the auditing process for them to ensure that they’re compliant around inspections, specifically — visual inspections, etc., not just the documentation we’re requiring through the audit.

K. Godin: On this one, I’ll probably start, and then ask for Marnie’s support on this one as well. The situational context I’d provide on the offshore is that the program started in the late 1990s and has evolved considerably over that time. And I think, as this does pertain to the audit…. The audit concluded effective oversight.

What that was initiated in is this rigorous application pro­cess and vetting that we do, so we make sure we know who we’re getting into business with, as well as annual inspections. We can elaborate on what those criteria are and how the inspection process works, including those folks…. Not COVID-related, but typically, on the ground as well as virtual inspections and how we go through that. We do have a fair degree of confidence that we’re applying the appropriate amount of rigour to that process.

Marnie, I think the Chair and the committee might ben­efit from additional detail on that.

M. Mayhew: In essence, the application process that you were asking about is a multistep process. Oftentimes we will be approached. You know, someone comes knocking on our door. Other times — and this is what we’re trying to shift to, frankly more, as part of the diversification strategy that Keith referenced — it’s us proactively reaching out to jurisdictions and to markets where we are interested in developing relationships — frankly, now looking at it through an economic lens as part of supporting B.C.’s broader economic recovery strategy.

However someone lands at our doorstep, the first step is that they are required to submit, essentially, an expression of interest. It has a number of questions asking about the owner’s background. Do they have any experience working within the education sector? What is their vision for the school, etc.?

Based on my team’s review of that, and this is an important additional oversight that we do, we will reach out to our contacts on the ground — it’s usually trade commissioners in that jurisdiction — and ask them to do some vetting of the applicant for us. Because, of course, our view is that they’re in a better position to really be able to gather intel about a prospective owner’s track record and business experience.

They provide that input to us, and based on our review of that and the expression of interest, my team makes a recommendation to me, as the executive director, as to whether or not they think that the application should be supported in moving forward to the next step, which is a much more detailed application and interview.

[11:35 a.m.]

That interview, pre-COVID, is done in person, because we really, as Keith said, want to have a really solid understanding of who we’re potentially entering into a partnership with.

Then the final step, if they are successful in the interview process and the sort of more fulsome application submission, is an on-site inspection that I personally participate in along with the director of the offshore school program. It is only if the school successfully passes that inspection that they are issued an interim — and it’s an interim; I’ll underscore that — certification. They do not receive full certification until they have had their first full inspection in their first year of school operations.

That’s the application process, and then that is supplemented, as Keith mentioned, with annual inspections. They have historically been done in person. We shifted to doing virtual actually the year before COVID. We wanted to start to look at how we could leverage technology more efficiently and effectively. Then, of course, with COVID this year we were required to do all of our inspections virtually. Going forward, we are looking at some likely hybrid model of on-site and virtual. Those are done every year on every school.

M. Bernier (Chair): Perfect. Thank you for all that information. I think it was important — just for anybody listening, as well, and for the rest of the committee — the detailed work that’s done behind the scenes before we get into the international schools. So thank you very much for that.

Are there any other questions, then, from anyone? I see a lot of heads shaking. We covered a lot of ground there. It’s been a long morning too. Thanks Keith, thanks Marnie as well, Ministry of Education for coming in and for being so, I guess in a lot of ways, proactive with the work that you took.

Sounds like, from reading the report…. It’s a very de­tailed report. But the one thing that I took out of it was the collaboration, the work that was done prior to being audited that actually made it, I guess.… It sounds easier for the audit team. It’s probably not fair for me to say, because I know how much work goes into an audit like this, but I can tell by the responses and by the audit that there’s a lot of good work that goes on behind the scenes that a lot of people are maybe not aware. Thank the Ministry of Education for that and appreciate that.

Maybe before I move on, Michael, is there anything you wanted to do for closing before I move on to any other business from the committee?

M. Pickup: Just a quick comment, again, to thank the folks from Education. You know, a really good example, I think, of an excellent professional relationship and a positive response to our report and also a sign, as you indicated Chair, that while this report was tabled with the Legislature in January, clearly the work on the recommendations and on the findings started well before that.

The ministry would have had this long ago. We would have gone through the process, and I think their update today demonstrates that they didn’t wait until January 19 to start working on this. I think this is an ideal example of how we hope audited organizations would respond to the work we do. I want to thank them for that.

I want to thank the committee members for the questions that we had to us. As you can probably tell, all of us on this call take our work very seriously. We’re here to serve the Legislature and the people of the province. I hope you found us informative and receptive to your questions. We genuinely…. This is what we look for. This is an ideal world, when the Public Accounts Committee engages with us so quickly on the results of our work. I want to thank you all for the interest and the respect given to the teams here today.

Again, a final thank-you to everybody on this call on the teams and, again, everybody back in the office directly on the teams and indirectly who are part of the bigger team who helped us get to this. Thank you all for that. And happy last day of the fiscal year. Spoken like an accountant.

M. Bernier (Chair): Excellent. Well, we do have one or two other things on other business, but we can say goodbye, then, to the Ministry of Education, thank you very much, and to the Auditor General and his team as well.

[11:40 a.m.]

Thank you so much. That was a great meeting, a lot cov­ered, a lot of information and looking forward to our next meeting with all those involved. So thank you, Michael and team and Keith.

Canadian Council of Public Accounts
Committees Conference

M. Bernier (Chair): On other business, I’ll open it up, first of all, to the committee members, if there’s anything that anybody wanted to add to this meeting. No. I don’t see anything. The only thing I’m going to add is: time flies.

The day before yesterday, with the rest of the executive in the CCPAC, the Canadian Council of PAC Committees, I took part in that executive meeting. For the rest of this committee here, the dates that have been held are September 8 and September 9, for our annual conference. We’re going to get more information out later on that as well, but I just wanted to make sure everybody kind of flags that. There was discussion around a small fee to cover some of the keynote speakers and some of the expenses of the committee, but it’s going to be a virtual Zoom meeting again this year.

They are scheduling and planning for next year’s meeting, which is in Ottawa, to be an in-person meeting. Hopefully that’s what will happen. Of course there are a lot of things at play before the final determination of that, but that’s the planning for that. I just wanted to just highlight that for the committee: September 8 and September 9 for our annual conference.

Maybe I’ll turn it to Jennifer. Is there anything else? Jennifer, thank you very much for all your help, as always — to you and Lisa and Ron for helping with the committee. Is there anything that we need to add today? I’m seeing a headshake.

J. Arril (Clerk of Committees): Nope, nothing further to add. Thanks, Mike.

Yes. The CCPAC conference is being hosted by Alberta, as Mike mentioned, virtually. In the past, it has been in the middle of August, but last year it was held in a similar time frame as is being proposed this year, in that early part of September, which did seem to work well for members and Auditors General last year. Hopefully, members will be interested and available to participate.

M. Bernier (Chair): Thanks, Jennifer.

Thanks, staff, for all that.

Looking around and seeing no further questions, a motion to adjourn, then, from MLA Andrew Mercier.

Motion approved.

The committee adjourned at 11:42 a.m.