Second Session, 42nd Parliament (2021)
Select Standing Committee on Public Accounts
Virtual Meeting
Monday, May 3, 2021
Issue No. 7
ISSN 1499-4259
The HTML transcript is provided for informational purposes only. The PDF transcript remains the official digital version.
Membership
Chair: Mike Bernier (Peace River South, BC Liberal Party)
Deputy Chair: Rick Glumac (Port Moody–Coquitlam, BC NDP)
Members:
Brittny Anderson (Nelson-Creston, BC NDP)
Bruce Banman (Abbotsford South, BC Liberal Party)
Dan Coulter (Chilliwack, BC NDP)
Andrew Mercier (Langley, BC NDP)
Niki Sharma (Vancouver-Hastings, BC NDP)
Mike Starchuk (Surrey-Cloverdale, BC NDP)
Jackie Tegart (Fraser-Nicola, BC Liberal Party)
Clerk: Jennifer Arril
Minutes
Monday, May 3, 2021
1:00 p.m.
Virtual Meeting
Office of the Auditor General
• Michael Pickup, Auditor General
• Russ Jones, Deputy Auditor General
• René Pelletier, Executive Director, IT Audit
• John Bullock, Senior IT Audit Specialist
• Ada Chiang, Director, IT Audit
• Greg Morhart, IT Audit Manager
Provincial Health Services Authority
• Ron Quirk, Executive Vice President, Digital Information Services and Innovation
• Bal Kang, Interim Chief Technology Officer
• Carol Park, Executive Director, Biomed Engineering
• James Bayne, Director, Information Security
• Indy Diocee, Supervisor, Biomedical Engineering
Ministry of Health
• Paul Shrimpton, Chief Information Officer
Office of the Auditor General
• Michael Pickup, Auditor General
• Russ Jones, Deputy Auditor General
• Stuart Newton, Assistant Auditor General
• Jacqueline McDonald, Director, Financial Management and Controls
Ministry of Advanced Education and Skills Training
• Kevin Brewster, Assistant Deputy Minister
Vancouver Community College
• Ajay Patel, President
• Jamie Choi, Vice President, Finance
MONDAY, MAY 3, 2021
The committee met at 1:05 p.m.
[R. Glumac in the chair.]
R. Glumac (Deputy Chair): My name is Rick Glumac. I am the vice-Chair of the Public Accounts Committee, and I’ll be chairing the meeting today. Unfortunately, the Chair, MLA Bernier, can’t make it today. He’s not feeling too well. We send him our thoughts, and hopefully, he can feel better soon and get back to the committee.
Today we are discussing two reports: the February 2021 report Management of Medical Device Cybersecurity at the Provincial Health Services Authority…. Then we’re going to be talking about the March 2021 report Vancouver Community College: Executive Compensation Disclosures.
Before we begin, I just want to acknowledge that I’m speaking to you today from the traditional territories of the Coast Salish peoples.
With that, I will turn it over to our Auditor General, Michael Pickup, and his team for some introductions.
Consideration of Auditor General Reports
Management of Medical Device Cybersecurity at the Provincial Health Services Authority
M. Pickup: Thank you so much.
Before I begin, I would acknowledge that today I am in Victoria — the traditional territory of the Songhees, the Lək̓ʷəŋin̓əŋ and Esquimalt people — and appreciate this land and this air that I am living on these days and enjoying very much. I was out for an early morning walk and appreciating the rain and the joy that rain can bring to all of us eventually.
Before I introduce folks, I also pass on our best wishes to the Chair and his family during this time as well.
Joining me today…. I will stick to the medical devices for now, because I think we’re going to go through that one first. Joining me on the medical devices audit are, really, the people who did all the work.
I’m pleased to introduce the folks: Greg Morhart, the audit manager on the audit; Ada Chiang, who was the director on the audit; John Bullock, who was the senior IT audit specialist. Those folks are on this call with us. From the team also, not on the call with us, was one of our key IT audit folks, Uchenna Amaefule, as well. I want to also acknowledge him and thank him.
René Pelletier, who you’re probably getting used to, is on the call here with us today. He’s the executive director in charge of the IT audit portfolio. And Russ Jones, the Deputy Auditor General, who you’re all getting to know well, and myself as well.
We’re going to do a very quick summary of the audit, in keeping with the approach we seem to be adopting. That will allow you plenty of time to ask us questions and, more likely, probably ask questions of the organization that we audited.
I also want to express that notwithstanding the audit conclusion and the points that were raised in the audit, we had excellent cooperation from those that we were auditing — in this case, on the medical devices, the PHSA. I think a sign of that is the acceptance of the recommendations that we made. There’s no disagreement on this audit, notwithstanding the conclusion and the conclusion that we reached that they were not effectively doing this. There is no disagreement on any of that.
I’m going to, in a sec, turn it over, and I am going to take one 30-second liberty — at the risk of embarrassing her — to express my sincere appreciation to Ada Chiang. Ada will be retiring very soon from the office. She was a key part of this audit. This is her last audit with us, and she’s had a remarkable career. I think, on behalf of just the time that I have spent here and the eight months, I have been so impressed with Ada. It’s surprising to see that much energy and drive leaving us. I certainly will miss her, as I appreciated not only her knowledge and abilities but also her approach in getting things done.
Ada, on behalf of the people in the office but also for the work that you did on behalf of people in the Legislature and the people of the province — at the risk of embarrassing you — I do want to publicly acknowledge and thank you and wish you well on the next stages of life, after you retire from the OAG as well.
On that note, I’m going to pass it over to the team.
And you’re getting a clap. See? Well deserved, Ada.
A. Chiang: Thank you so much.
One point that I really want to add is it’s been amazing having the opportunity to work with the Office of the Auditor General for 36 years. I’m really, really proud of that and to be a public servant. There’s nothing more. I want to express myself, just thank you. Thank you to the office, and thank you, government.
M. Pickup: Thank you, Ada.
We’re going to do just about a five- or six-minute presentation of the key points in the audit, really focusing on the Audit at a Glance. I’m going to turn it over to the team to walk through that.
G. Morhart: Thank you, Michael.
Good afternoon, Deputy Chair and committee members. We have provided you a one-page document, Audit at a Glance. It provides a high-level summary of the management of medical device cybersecurity audit, why we did this audit, the audit objective and conclusion, and what we found.
The audit was tabled in February of 2021 and covered the period from November 2019 through May 2020. We chose to do this audit because medical devices form an integral part of hospital networks. Thousands of medical devices are used in hospitals every day and are used to help monitor and manage patient care.
Most of the devices today are digital and can be connected to mobile applications, to the Internet or to a health organization’s network. The connectivity of these medical devices enables health care professionals to quickly receive and update health information for the diagnosis, treatment and care of patients. This results in greater efficiency and better patient outcomes.
There is no question about the significant benefits that connected medical devices bring to health care. However, it is also that connectivity of these medical devices that makes them vulnerable to cyberattacks. A successful attack could disrupt health care and put patients at risk by preventing or delaying medical treatment. Medical devices and their networks must therefore be secure, and networked medical devices have the same security challenges as any connected computers.
For these reasons, we audited the Provincial Health Services Authority, the PHSA, and its cybersecurity practices around its medical devices. The PHSA has primary responsibility for medical devices and IT security management for health authorities in the Lower Mainland. It is important that the PHSA has a security program that balances cybersecurity with patient needs. IT security and medical professionals need to work together to achieve the right balance.
We concluded that the PHSA has not been effectively managing cybersecurity risks to all its medical devices. Specifically, the PHSA has not evaluated all cybersecurity threats and their potential harm to patients, and it lacks many cybersecurity controls for its medical devices. The weaknesses identified in our audit could hinder the PHSA’s ability to detect cyberattacks targeting its networks and devices, possibly putting patients at risk.
We provided four recommendations focused on improving the PHSA’s management of cybersecurity risks around its medical devices, and as mentioned, the PHSA has accepted all four of our recommendations. In the report, and on the summary sheet, we provided three questions that the committee may want to ask:
(1) What oversight exists to ensure the implementation of an effective cybersecurity program for medical devices at the health authority?
(2) How are the other health authorities in B.C. protecting patients’ medical device cybersecurity risk?
(3) How well is patient information protected on medical devices?
I’d like to thank you all for your time today. I’ll turn it back over to Michael now.
M. Pickup: Thank you so much, Greg.
As we’ve said a few times, we are working to keep these presentations small and focused on the Audit at a Glance, so as to maximize the time that you have for questions and to keep the meetings running well. But always happy to take feedback as we go forward. If you want us to expand at times, when we come in — be a little more in depth at the “at a glance” — we’re more than happy to adjust as we go forward. It’s no problem at all.
As auditors, we’re always happy to talk more and more about the work we do and the audits and what they mean — particularly in IT, I noticed. The IT folks love to expand upon audit conclusions.
On that note, Deputy Chair, we would conclude our presentation and stop there.
R. Glumac (Deputy Chair): Thank you, Michael.
Thank you, Greg.
I will invite Ron Quirk, executive vice-president, digital information services and innovation at PHSA, to introduce himself and his colleagues and present government’s response to the audit report.
R. Quirk: Great. Thank you, Deputy Chair, committee members and members of the OAG. My name is Ron Quirk. As Rick stated, I am the executive director of digital information and innovation for Provincial Health Services Authority, which also, within my organization, provides a shared service as well to Vancouver Coastal Health, Providence Health — as well, in some cases, from a cybersecurity perspective, Fraser Health Authority.
With me today…. I’ll have Carol introduce herself.
C. Park: I’m Carol Park, the executive director for Lower Mainland biomedical engineering. With me, I have Indy Diocee, who is our cybersecurity project manager.
J. Bayne: James Bayne. I’m the director of information security for PHSA. Also with us today is our team technology officer, Bal Kang. And then on the phone from the ministry, we have Paul.
P. Shrimpton: Good afternoon. Paul Shrimpton from the Ministry of Health. I’m the chief information officer. I’d also like to extend regrets from Deputy Minister Stephen Brown, who wasn’t able to attend today.
R. Quirk: As Mr. Pickup has explained, there was an audit performed on PHSA — a rather extensive audit — that concluded that we are not evaluating all cybersecurity threats and their potential harm to patients; that we’re not effectively managing cybersecurity risks on medical devices — again, this was solely focused on medical devices for this audit; and that we lack many cybersecurity controls for medical devices.
It’s probably important to note, just at this point, that with respect to our medical devices…. You have probably seen a couple of numbers — 16,000, 18,000. It kind of grows on a daily basis. I think it’s also important to note, within that, that at any given time, we have about 12,000 of those devices connected to the network that are supported by well over 270 vendors and well over 1,000 different models. I think that’s important context in terms of just trying to understand some of the complexities around managing and updating those devices.
Four recommendations were actually made that really are set out to help PHSA focus on medical devices; to highlight some areas that we may have already considered or, potentially, not considered within the plan that we already have; and to really understand how any of those vulnerabilities may — and I underscore may — impact patient safety, patient care.
We have taken those findings very seriously. We have a number of remediations underway. In fact, as soon as we started working with Greg and his team, and Ada, we, I think very quickly, developed quite a good rapport. I appreciated the approach that the OAG took on this audit from the perspective of, really, partnering as a way to try to help.
As we know, cybersecurity is a growing field. It’s continually evolving. There are a lot of very smart individuals out there that are continually trying to find weaknesses within our environments, and it is something that every organization, health or otherwise, is spending a lot of time and focus on these days.
We started making improvements almost immediately back in October, as some of the things were discovered, not necessarily waiting for the final report. We feel that we’ve actually made some fairly good progress at this point and that we will have some items complete, actually, as early as May-June this year. Others will take a little bit longer as they require some substantial changes to our network, which I’ll talk a little bit about. Those will be done by next September, 2022, in order for us to complete those recommendations.
The key findings. I will just go into a little bit of these. The evaluation of cybersecurity threats and their potential harm to patients and to take appropriate action. It’s important to note that we’ve actually had a security program in place for a number of years. We continue to grow it annually and identify areas for opportunity. We, on a regular basis, have external firms come in and assess some of our capabilities and look for areas of vulnerability to try to help us to make continuing improvements.
As such, we do have frameworks and what have you in place, and we have taken that immediate step with respect to key finding No. 1, to make sure that we have enhanced our framework, which is basically our security threat risk assessment framework, to include medical devices and the components associated with the medical devices that were actually discovered and reported in the OAG report.
My sense…. I have an overall comment that I believe the quality and the calibre of resources that did the audits were excellent and I think really honed in on some areas that perhaps we hadn’t considered immediately and helped us accelerate what would have been our plan, probably, for maybe two years out. That’s been, I think, a great advantage of having this audit done.
We are continually forming parts of different groups throughout, internationally and nationally — the Canadian cyber centre as one of them — in terms of being constantly aware of what is happening and what threats exist in the environment. Those things come in on a regular basis, just like they do in your email and pop-ups, so that we try to stay on top of it.
We have established quite a good program provincially that allows us to share information with our counterparts in the other health authorities, and through James’s effort, for an example, making sure that he reaches out to his peers on a regular basis. We have shared the findings of this report, as an example, with those health authorities so that they may review and assess and make any improvements where they may have similar vulnerabilities.
The idea of identifying all hardware and software. We actually felt pretty good about this, going into the audit. We said: “Well, we’ve got a great inventory system.” Biomedical themselves have extended that system across the province, and really, what the audit showed us is that while we’ve got an inventory system, it is lacking in some of the fields, some of the areas and things which we should be tracking a little bit better. So we’ve definitely already taken steps to improve that.
In terms of…. It was an interesting finding. We know what’s on our network. We didn’t necessarily know what’s on our network and shouldn’t be on our network — so really focusing on additional automation so that if a rogue device somehow gets onto our network, we can immediately detect it, isolate it and shut it down. That type of finding, for us, is really looking at software that will automatically do that on its own. So we are already researching that. We’ve already shortlisted to some solutions and are moving to make sure that we have that capability in place.
Monitoring the systems. We actually have a security operations centre, for the most part, already. Honestly, we weren’t looking at medical devices — 16,000 to 18,000 devices, trying to keep those patched on a regular basis and in a timely manner. It’s proving difficult for us to do that. Certainly this report has highlighted some of the areas that we can focus on immediately, those that might bring the highest risk to the potential loss of data or the potential access of some of those systems, which would then make it possible to impact patient care, depending on the device that it’s connecting to.
We’ve taken immediate steps to increase our monitoring capabilities with respect to that system. As well, you can see these actually tied together by doing some more enhanced evaluation and by having some more automation on our network to do the monitoring.
Within No. 3, there’s a subtle but very important finding, which is that we need to protect our medical devices on what we call our own segment. Our network right now allows us to do some segmentation, but it wouldn’t be easy for us to, say, take all of these medical devices that could be throughout the Lower Mainland and put a wrapper around them so that we can make sure that nothing else gets access to those devices and we would have greater control over it.
That’s going to require upgrades, infrastructure changes, not only within PHSA but beyond. That’s actually the one item that will take us up to September.
The control of the administrative access to the systems and devices on the network…. We’ve worked with the biomed department to look at these thousand different models and 270 vendors. The important note here is that these devices themselves have really only started to mature over time with respect to access control. There are certain limitations that we have in terms of what we can change and what we can do without compromising the device itself.
We are looking into all of those devices and trying to come up with a single approach across the board as to how we can potentially manage access to those devices. It’s certainly limited in terms of who can go in and do updates. That’s all managed primarily through the biomed department. We’ll be looking at two-factor authentication to the best we can, which is something I have and something I know, meaning that we have limited access to people. There are definitely tools, software and otherwise, that would allow us to improve the overall security posture of our medical devices with respect to administrative access.
I can tell you that as soon as the audit was mentioned and was going to occur, I provided an update to our CEO, David Byers. I provided an update to the PHSA board chair as well as provided some communication to Fraser Health as well as Vancouver Coastal that the audit was occurring. The biomed as well, from an IT perspective, is a Lower Mainland service, so we had to make sure that those health authorities were well aware that this was happening.
I now have a complete plan in place. We have a team we put together that is dealing with these recommendations. I have the pleasure of providing an update to our finance and audit committee every two months on this matter — that’s up to the board of directors — as well as providing updates to the ministry and to the executive team within PHSA itself.
There is substantial awareness around the findings. I am fully accountable and take that very seriously — making sure that these improvements are in place. I’ll also say that a lot of the recommendations from the OAG will help us improve our overall security posture, not just with respect to medical devices. As we make some of these changes, the aforementioned segmentation that we’re going to do on our network will actually allow us to do that in other areas as well.
We appreciate, really, shining the light on some of those things and allowing them to raise from a priority capacity perspective as well as a funding perspective within PHSA and the other health authorities.
In general, we will look to increase some of our automation that exists already within our security team, the configuration management systems and processes. This is something we do on a regular basis. However, we are hardening those processes, if you will. The vulnerability and rogue detection device was a great recommendation. It wasn’t initially on our list for a period of time, but that has now moved forward.
The zoning that I mentioned is definitely going to make some improvements. That’s going to take us out to the September ’22, roughly, time frame. It’s not a flip of the switch. As soon as we get that software in place, as soon as we are able to start putting some wrappers, if you will, around the medical devices, we will see improvements. But it won’t be fully implemented until September ’22.
We’ve already made great strides towards our monitoring within our centre, but really, we need to modernize some of the tools that we have to help us do more proactive, if you will, event monitoring and remediation.
Multi-factor authentication, I’ve mentioned. We’ve actually put together an audit and compliance program. That’s a multidisciplinary team that is actually looking at, and helps us set, standards and set priorities in terms of the areas that we will approach over the coming year to make sure that any of our security program and the capabilities that we have are immediately extended to those.
Like I said, lots of, I think, great findings and recommendations that came out of this. I often put in quotes “awareness.” I think if you read a lot about cybersecurity, it’s really about creating awareness throughout your organization.
We have an awareness program that we have created throughout PHSA, Vancouver Coastal and Providence Health as well as Fraser. We have Cyber Thief Sam — that’s our mascot — and we are, on a regular basis, putting out communications and media associated with that to make sure that we have good password hygiene, that we’re not sharing passwords, to really raise the profile on ransomware and other types of attacks that we know will happen.
We’ve often said — and I advised the board of directors on this — that it’s not if but when. So you can have the best security hygiene program, but you need to have, as well, an equally good incident response process that you go through. That means understanding on a regular basis: where are those vulnerabilities, what happens when, and how are we going to respond?
We have retainers in place for that very capability, where we don’t have the expertise in-house. We can’t actually retain that expertise based on…. A lot of these folks are very well paid, and rightly so. It makes it very difficult for us, as health authorities, often, to hire and retain that type of talent. We have a great talent base.
We were actually just talking about COVID and how COVID has actually changed how we think about cybersecurity. James, of course, lives and breathes this every day in his role. We’ve been fortunate to be able to, very quickly, move to a remote workforce while maintaining a lot of the security standards. By and large, our security team has remained healthy and safe and continues to do the good work, including making sure the execution of this plan is well underway as well as protecting the rest of the assets and the data, ultimately, to make sure that our patients are safe and healthy.
With that, I will be happy to take any questions. I think that’s pretty much the summary I just went through as well. I would like to finally, just once again, thank the Auditor General. The amazing talent that you brought forward….
Ada, congratulations. I actually didn’t know that you were retiring, but I wish you the best and thank you for your constant diligence, if you will — I won’t say nagging — with respect to making sure that we had everything for you that we could. It was a great exercise.
R. Glumac (Deputy Chair): All right. Well, thank you very much, Ron, for the presentation.
Thank you, Michael.
I’ll also note that Carl Fischer is with us today, the comptroller general.
I’ll open it up now to questions from members.
A. Mercier: We had an audit come to us last month on IT asset management in the B.C. government that highlighted a similar issue across a selection of ministries, being a problem with hardware asset management and keeping an inventory of the hardware. One of the things we heard from the office of the chief information officer was that they were working on a team-based approach across government to ensure horizontal learning and systemization and sharing of best practices as they go to implement systems to rectify those issues.
I am just wondering if that’s occurring, with respect, here. Maybe Paul Shrimpton, as the chief information officer for the Ministry of Health, can talk to that: if there’s involvement of the office of the chief information officer, which was found in that audit to be exemplary in their management of their asset inventory, and what’s occurring around there.
P. Shrimpton: Sure. I’d be happy to start, and perhaps James or Ron could also add in as well.
We do work very closely with the office of the chief information officer and with regards to everything that’s been done with that audit, which focuses on core government. So the initial work there is really focusing on the assets and audit inventories for all the ministry systems, but everything we learn from that — including the technology that’s being implemented, the processes — we share with the health authorities as well.
Wherever there is an opportunity for us to share tooling, to extend the standards, lessons learned, we do that on a regular basis. One of the things that we’ve established with all the health authorities, including PHSA, is we do have a digital information security committee that meets every month. We use that committee to share a lot of our findings, to develop workplans, to do our risk assessments, to look at our overall security posture of the health system and look at opportunities for continuous improvement.
The focus of that work out of the OCIO, chief information officer, is on core government first, but again, we look for every opportunity we can to share with the health authorities.
J. Bayne: I’d just like to add that we do collaborate quite constantly with the OCIO — in particular, Gary Perkins’ office. Every month we have a security leadership meeting, where we share lessons learned from all across public sector. While our networks are separate, and the technology stack is not the same as core government, we do leverage the best practices and try and move lockstep with government.
R. Glumac (Deputy Chair): All right. Thank you. I don’t see any other questions.
With that, I want to thank everyone and thank the Office of the Auditor General for the great report.
Thank you, everyone at the PHSA, for moving forward so quickly on these recommendations. It’s good to see.
With that, we’re going to move on to agenda item No. 2.
I think we’ll take a really quick recess. Maybe just a two-minute recess. We’ll reconvene.
The committee recessed from 1:37 p.m. to 1:42 p.m.
[R. Glumac in the chair.]
R. Glumac (Deputy Chair): I invite Michael to introduce his team and to present this report to the committee.
Vancouver Community College: Executive Compensation Disclosures Audit
M. Pickup: Thank you so much for that.
Joining me today is Jacquie McDonald, who very much led this work and is the director on financial management and controls. We’ll be walking through that. As well, joining us today is Stuart Newton, the assistant Auditor General on the financial audit portfolio. Jacquie works with Stuart and with Russ Jones, whom you know as well, the Deputy Auditor General. Not joining us today, but people that were a critical part of the team and able to get this done, were Ken Ryan-Lloyd, Hilary Wilson and Stephen Abercrombie as well. I want to thank all of those folks for their participation on this audit.
Just before I quickly turn it over to Jacquie, who’s going to walk through the Audit at a Glance, I also want to thank those in the office whom you don’t get to see on a week-to-week basis or on a Public Accounts Committee meeting basis, which may be week to week, whom you don’t see regularly. Those are our administrative professionals. Really, this would not be possible if it were not for them helping us. Last week we got to celebrate Admin Professionals Day on the 28th and to thank them, but I want to publicly thank them as well, and to acknowledge all that they do. You never get to see them.
Likewise, our own folks here — who are in communications, who are in IT, finance and admin, and HR — are all critical to us being able to report that, but they never get to interact with you folks. I do want to thank all of those folks who stand behind us, publicly, and to acknowledge them with you as well.
I’m going to turn it over to Jacquie to walk through the Audit at a Glance. I will say — maybe I speak too plainly and too clearly — and as I said to the organization, when I met with them at the end of this audit, this is pretty much as good as it gets in the world of audit. The results were very, very positive. There were a few things they could fix, but that doesn’t mean that there aren’t good questions to ask or things that aren’t important. Certainly, it’s a reminder that we do audits based on things that are important, key areas.
You just saw an audit presented on the medical devices, where the conclusion was “not effectively managing.” If we get into an area and the conclusion is going to be positive, like this one here on Vancouver Community College, we don’t throw it out the window because we only want to report negative things. We still finish these reports, and they are important to do as well.
Today is a good example of that. As I said to the team, that is not a failure on anybody’s part in terms of selecting audits or the audits we do. That’s a sign of the system working well: of sticking to things that are important to do, reporting the results to the people in the Legislature and then — as in the case of the medical devices that we just saw — hopefully, making improvements to how government programs and services are delivered, through the work that we do. Primarily, our focus is to report to you and, in the process, to make improvements in government.
After that long introduction, I’m going to turn it over to Jacquie and ask her to walk through the Audit at a Glance. I want to thank, again, the folks at Vancouver Community College as well. I had a chance to meet with them at the end of this audit. A very professional organization, focused on our results and great to work with. Absolutely no problems to carry out this audit, which is a great thing.
J. McDonald: Can everybody hear me?
R. Glumac (Deputy Chair): No, your sound is very choppy, and we don’t see you either.
J. McDonald: I will disconnect and try to reconnect.
M. Pickup: I’d like to say that if this is the worst thing that happens all week, that’s not so bad.
R. Glumac (Deputy Chair): This gives you an opportunity to tell us some stories about Nova Scotia, if you like.
M. Pickup: Oh, being from Nova Scotia, I could tell you all kinds of stories.
R. Glumac (Deputy Chair): It’s all on the public record, if you’d like to share.
M. Pickup: Yeah. My favourite audit story from probably 30-plus years ago, back before the Internet, I remember, was going to a location in northern New Brunswick to do an audit, where there were five of us going there.
We arrived, and we were going to spend two weeks in northern New Brunswick. We went to pick up the rental car, and the person at the rental agency brought me out to this pickup truck. I said: “What is this for?” It would hold two people, and we were five.
She said: “Well, I had the rental here for two weeks, and it says next to it ‘pick up.’ So we drove two hours into Moncton to get you a pickup truck.”
I said: “That’s my last name — Pickup.” They had put my last name next to it, lost part of the fact that it was my last name and drove all the way from Bathurst in northern New Brunswick into Moncton to get this pickup truck.
R. Glumac (Deputy Chair): Did you guys just pile in the back of the truck?
M. Pickup: That probably would have been fun. It was February in northern New Brunswick, and I think the day we arrived it was minus 38. So probably no.
They did find us a car. I felt bad after they had driven all the way into Moncton to get this truck, thinking we really wanted a truck.
R. Glumac (Deputy Chair): That is amazing.
M. Pickup: That’s one of the downsides of having the last name Pickup.
R. Glumac (Deputy Chair): Yeah, I could see that. You would have to be careful with that when you’re renting vehicles.
M. Pickup: Maybe, Stuart, we will give Jacquie another minute. Then if that doesn’t work….
S. Newton: Yeah, I’ve got the presentation pulled up. If it doesn’t come in, in a minute, I’ll just walk through, and then that gives her more time.
I’ll just get started, and then she can pick up.
Good afternoon, Vice-Chair and committee members. I’m pleased to brief you on the highlights of the Financial Information Act and Public Sector Employers Act disclosures for Vancouver Community College — executive compensation disclosures, disclosure requirements through both those pieces of legislation, enhanced transparency and accountability in the public sector.
Our objectives for this audit were to determine if Vancouver Community College’s executive compensation disclosures complied with the requirements of the FIA, Financial Information Act, and the Public Sector Employers Act for the three fiscal years 2017-18, ’18-19 and ’19-20. We were pleased to conclude that in all material respects, VCC’s disclosures complied with the two acts for these three fiscal years.
As Michael has mentioned, it’s quite positive. We’re not saying that we were expecting either, but given audit work regularly is usually something, this was a very positive conclusion, with some minor recommendations.
As for improvements, we saw that VCC’s systems and processes for preparing the FIA expense disclosures could be stronger. In most cases — any organization — if you were to look at a process, it can always be improved.
We recommended they evaluate to reduce the risks to complete an accurate FIA expense reporting and to make the process more efficient. We also recommended they prepare guidance for staff to follow when they produce disclosures and to have supervisors formally document their review of disclosure materials. These important internal controls strengthen efficient and effective internal operations and professional accountability.
In conclusion… I know Jacquie would, for sure, say this. I’ve had minimal interactions with Ajay and Jamie, but I’d really like to thank them and their colleagues at VCC who helped us with this audit. We conducted this audit at a distance, which is challenging, in unprecedented times, with all of the connectivity challenges the situation presented, and we greatly appreciated their patience and cooperation. I want to thank them very much.
That’s the end of our presentation.
R. Glumac (Deputy Chair): Excellent. Thank you very much, Stuart, for filling in on that.
Now we will go to Kevin Brewster, the assistant deputy minister of the Ministry of Advanced Education and Skills Training to introduce his colleagues and present government’s response to the audit report.
K. Brewster: Thank you. I’d like to introduce Ajay Patel, who is the president of Vancouver Community College, and Jamie Choi, who is the vice-president of finance for the same organization. Given that they were the ones who completed the presentation today that you see on screen, I’ll turn it over to Ajay to walk you through the presentation, if that’s okay.
A. Patel: Thank you very much, Kevin.
Good afternoon, everybody, members of the committee.
I do want to begin by acknowledging that I am speaking to you from our VCC Broadway campus, which is on the traditional and unceded territory of the Musqueam, Squamish and Tsleil-Waututh people, who have been stewards of our land since time immemorial.
It’s a privilege to be speaking to all of you today. We do have a PowerPoint here, and it might reflect some of the things that Stuart has mentioned. But before I begin, I also want to take the opportunity to introduce my colleague, Jamie Choi, who is our chief financial officer. She and her team conducted most of this audit.
Certainly, to the Office of the Auditor General, Mr. Pickup, you and your staff, Jacquie, Stuart, Russ…. They’ve all been amazing in dealing with it. The OAG has been our auditor for a number of years, and this other audit that we’ve done with them was a pleasure to conduct.
Obviously, we’re always looking at opportunities to improve. We are pleased with the audit findings, but we also want to continue to make ongoing improvements, and we will take these recommendations and move forward with them.
I won’t go through all the details that Stuart has already covered off. The audit objective was really just to determine our annual remuneration expense disclosures for the executives and compliance with both SOFI and FIA as well as with the PSEA. We were really pleased and happy to hear that we complied with all of those recommendations for both organizations and also took under advisement some of the recommendations that were provided.
The key finding we have reported back to our board of governors and our finance and audit committee and senior staff is that we did meet all the public reporting requirements. Obviously, this is important from our board’s perspective so that they are taking their fiduciary role — oversight of a public institution — seriously and that we have controls and mechanisms and reporting requirements in place for that. As well, the availability of those disclosures — being available publicly — ensures transparency for the province of British Columbia and its citizens. We’re really happy about that.
Obviously, there were some areas we think we can work on. Our expense reporting is not perfectly designed, so we will be working on that. I will go through some of those recommendations we did receive from the audit. There were recommendations 1 and 2, which I’ll talk to in a second. Then there were some internal control weaknesses that we can probably tighten up a little bit, which will ensure better reporting and a higher integrity of information that’s provided through the audit.
These were the recommendations from the Office of the Auditor General. We’ve taken them all to heart and have plans around each of them. What I’m going to do is go through each one of these recommendations and just give you a brief synopsis of what VCC intends to do and how our reporting will work. Then after that, I’m certainly happy to answer any questions. Each of these recommendations will show up individually in the slides with a bit of an action plan.
The first recommendation was to evaluate our approach in preparing the expenses for the FIA disclosures and identify any reporting gaps. One of the things that Jamie and her team will do is….
We will review all of our general ledger accounts that have been used for our corporate card programs and identify any additional accounts that need to be added for the FIA disclosures. We will review and modify those to ensure completeness. There will be a final sign-off by Jamie and an information to the finance and audit committee, and then there will be ongoing modifications as necessary after the implementation. We believe that this will allow for us to better prepare the expenses for FIA as well as ensure that things are coded appropriately.
For many of you, if you know…. The FIA and the PSEA disclosure calculations are slightly different. The PSEA one is done on an accrual basis, and the FIA one is done based on cash accounting principles. So we do get some discrepancies and potential errors. We’re going to identify those and be able to rationalize those and provide appropriate documentation.
We prepare our PSEA disclosure in May and the FIA disclosure in September. Once the FIA disclosure is complete, probably around mid-September, we will do a final reconciliation and identify all the variances between the remunerations, with appropriate rationale or statements, by the end of September, which will then need to be approved by Jamie and again would go to our finance and audit committee. In the detailed report, in one of the appendices — C, I believe — it identifies what the differences are between the two reporting mechanisms. Based on that, we will appropriately provide that information.
This now relates to some of the internal actions we will take. We need to do a better job of documenting our approaches for FIA and PSEA disclosure and develop guidance and procedures for the staff. We had initially been following the guidelines that government has, and it was noted that we should develop more detailed procedures for staff and appropriate training. We’re going to aim to do that by the end of this calendar year. That will be able to provide additional guidance for staff so that they understand the expected outcomes of the audits.
Obviously, we need to provide training on any new procedures that may emerge from that, continue to refine and monitor the progress, and try and have a final draft of those disclosure procedures and guidelines for the senior team and for approval for the CFO. We’ll do that in the middle of fall. Then, obviously, there will be the ongoing monitoring of that. Again, this will be reported through our finance and audit committee as an update.
Currently our confirmations are generally done by emails. It was suggested that we have a better method of confirming in writing that the supervisors have reviewed the support for each of those disclosures. What we will be implementing is more of a checklist format. It’s to avoid the emails back and forth. That will provide appropriate supporting documentation as well as the checklist — almost like you have a front-page checklist, with the appropriate documents as appendixes or attachments for each of these disclosures.
These approved checklists for the FIA disclosure will be submitted to the Ministry of Advanced Education and Skills Training by September 30 and will be made available to auditors and anybody else that requires that. Again, we will report this process to the finance and audit committee.
This is just a summary of our overall response to the audit. We certainly accepted all the recommendations of the Office of the Auditor General, and we believe we have identified a comprehensive plan to implement the recommendations that have been made to ensure that we are better at doing our disclosures. You have our commitment, both Jamie’s and mine, that these will be in place by December 2021 and that the reporting will be done to the finance and audit committee appropriately, as per our bylaws and policies.
We also want to thank the OAG for reminding us of the importance of transparency related to both of these disclosures, and I think it lends itself to a strong audit.
Finally, I just want to acknowledge and thank Mr. Pickup and his team for the audit opportunity. These findings will continue to support us as we continue to strengthen our internal control functions and ensure that the public confidence in our public post-secondary systems is there.
With that, that concludes our presentation. I will turn it back over to you, Deputy Chair.
R. Glumac (Deputy Chair): Thank you, Ajay, and thank you, Stuart, for your presentations. It seems like a fairly straightforward report. I don’t see any questions from any members. Oh, I see one hand going up manually — MLA Tegart.
J. Tegart: I just have a couple of questions. They’re questions that are included in the Audit at a Glance. I often look for how many reports that we ask for that, perhaps, duplicate information.
The purpose of having both FIA and PSEA reporting…. Could someone share with me why there are two reports and how different they are?
K. Brewster: I’m not an accountant, nor am I a legislative expert, but I’ll make a shot at it.
The FIA was introduced before the PSEA. From my understanding and from what I have read, the FIA is more comprehensive, looking at government employees overall and employees reporting into the government reporting entity — Carl, please correct me where I’m wrong here — whereas the PSEA focuses on executives, on the CEO and a few of the executives in decision-making authority within each organization and provides more detail about those.
They’re a little bit different, but one is intended to capture a broader range, whereas one is a little bit tighter-range, focusing on executive compensation.
J. Tegart: Just a follow-up, if I could, Mr. Chair.
R. Glumac (Deputy Chair): Sure, go ahead.
J. Tegart: As I read through the audit, my thought always is: as we add more legislation, do we look at what we’ve done in the past and wonder how many times we duplicate reports and provide opportunities for people to report out with the same purpose?
If the purpose is to be transparent and report out compensation, then we have an act that is from 1985. Then we require people, again, to report out six months later on a different act. I wonder, from the audit group: do you ever make a recommendation to government that perhaps government needs to review the two acts and look at whether there needs to be updates or a combination or some way that we’re not requesting people to do a number of processes for very similar information?
M. Pickup: I think, Deputy Chair, that question was coming to me.
MLA Tegart, I think you were asking me that.
J. Tegart: Yes.
M. Pickup: It’s an interesting question, and it is one we exercise a lot of caution around, partially because we are auditing the administration of these policies, the administration of what government has put in place. We are very careful. It will come up the odd time, perhaps, to review legislation, if something comes up in an audit where an organization says: “We may need to review legislation to look at that.” It may come up in an audit in that way.
We are careful to direct, to say: “Perhaps you only need one policy here” or “Perhaps these policies are duplicating.” I think part of why we raise it is to increase the discussion and increase, at the MLA level, the knowledge around this. I think the point that you’re raising is probably always a relevant point — to say, “As times change, what process is in place to review legislation?” and to say: “Okay, does this still make sense? We have these two….”
Even what’s in there…. If you look at dollar amounts that are in there, for example — not that they’re insignificant — that would have been more significant some time ago, just with inflation, than they are today, what is the process to get that updated?
This is not any sort of a backhanded approach to say government should go and change legislation. I think we raise it so that the members realize, for example, why we looked at these two acts. Why did we look at the administration of both of these? It’s because both of them exist. I think it’s probably a healthy discussion, then, if you consider it, to say: “Okay, do we want to change anything here? Do we want to ask questions of government as to what process might exist to look at these? Do they want to look at it?”
Perhaps Mr. Fischer has something to add, as well, on background or purposes or even processes for doing legislative reviews. I hope I’ve answered your question while really trying to stress the importance of us, as auditors, being very careful how far we get into that territory.
C. Fischer: I would echo that, Michael. As public servants, we are all here to implement the policy direction of legislators — that’s you — through legislation or program direction.
We do have two acts, but those two acts are oriented towards specific different purposes, even though they appear to intersect. The Financial Information Act was originally drafted in 1983. The amounts and requirements are updated periodically — the last one being 2002. Staff in my office actually do a survey every two or three years across the country to find out what everyone else is doing, and we consistently remain in the middle ground. There are some people with higher thresholds and some with lower.
The PSEA is a very different act. That is an act oriented towards giving direction to public sector employers about things like staffing and hiring and compensation. As part of a government initiative — I want to say in the late 2000s — to provide some updated policy direction to Crowns, there was an extensive Crown review. Changes included a reporting requirement for the top five earners within each Crown agency to be reported.
At the time, we did a lot of work to find ways to harmonize or bring things together. But in the end, government chose to have two separate reporting regimes. In the future, there may very well be opportunities. Part of our job is to review, assess and recommend different policy options that government could adopt to move in a different direction. But that also requires this piece to become a priority for the Legislature when, over the past few years, we have no end of policy or legislative opportunities to pursue.
We will continue supporting both the agencies that have to report and those stakeholders who receive the information and hopefully find a way where we can continue to improve, as Michael suggested.
R. Glumac (Deputy Chair): Thank you. Just to quickly follow up on this question, is there significant overlap in the work, or is it distinct? I know there are two periods of reporting throughout the year, but is there a requirement to redo the work on the second one?
A. Patel: Maybe I can answer a little bit of that. We use similar information to do both reports, but the reporting requirements are different in each one of them, and I think that’s probably the best way for me to describe it. It’s two different reports, but it’s using the same information. It’s how we present that information.
R. Glumac (Deputy Chair): Hmm. Okay.
I think we have a question from MLA Mercier.
A. Mercier: I’ll just start by commending Mr. Patel on coming through this process relatively unscathed, which is a testament to, I think, strong administration going on there.
I have two very straightforward questions. One is…. In the audit, the OAG notes that VCC also lacks a formal process for documenting supervisory review of staff work before board approval. Ajay, I believe that’s something that you touched on in your statement there.
I’m wondering if someone can just speak to any governance implications for the governors on the board of governors that may arise in terms of discharging their obligations to the college as a consequence of that, if there are any.
My second question is: in the auditee’s response…. I think I know what the OAG is likely to say, but in the auditee’s response, they flag that the risk for a minor misstatement in expenses of employees is low, in their view. I’m wondering if the OAG agrees with that assessment.
M. Pickup: Deputy Chair, do you want us to answer the audit part? Then perhaps VCC wants to comment a bit on the governance aspects of it as well.
S. Newton: I can respond.
R. Glumac (Deputy Chair): Go ahead.
S. Newton: The difference being low or minor really depends on the nature of the error and the significance of the error.
If the error is above a material amount and it’s heading in a beneficial way, so underreporting salaries, then especially with specific thresholds that are required for reporting purposes, where organizations have to ensure staff are under a certain rate, especially at the higher levels of compensation, a minor error is still over the limit. It may be possible for an organization to consistently overpay, not report and then just say: “Well, it’s an error, because our processes aren’t solid and good as far as an internal control perspective is concerned.”
While an error might be minor, it might be major in that it hides a limit — exceeding a limit. I’m not suggesting anything about VCC or any particular organization, as well, but it really depends on the circumstances around the difference.
The other part is if you’re going between cash and accrual, there can be a swing in compensation. If you mistake that, you can purposely mistake taking a smaller amount and then just say: “Well, we didn’t quite get it right. We must have flipped the two.”
That’s where a minor error really…. If you get away from the number and look at which direction it goes and how it can or can’t potentially benefit an organization, that’s more the driver. So the tighter you can be on checks and balances to make sure that’s correct, you eliminate the ability for somebody to take an inadvertent error that might be beneficial and imply, just as I was doing, that it put you in a better place on purpose.
Just some minor tweaks to be able to be clearer eliminates people’s ability to make assumptions about why the error occurred and why it is a benefit. Does that help with your answer?
R. Glumac (Deputy Chair): Would anyone else like to chime in on the other question?
A. Patel: I can certainly start, and then ask Jamie if she has anything to add to that.
With respect to the board of governors, there are a number of mechanisms in place, I think, to ensure the fiduciary responsibilities are not compromised. First and foremost, obviously, is the audit itself, and the number of controls that the independent audit individuals have, with respect to looking at various transactions.
The finance and audit committee also gets to have an in-camera session with the auditors, without senior staff there, so they can highlight any issues or any concerns that they might have. Then there’s the appropriate documentation, through the management letter that occurs. That’s more of a formal follow-up, with respect to the audit.
As well, at VCC, anything that is delegated as an authority to senior management is done through policy of the board of governors. Those are always checked against the audits as well, and appropriate controls are put in place. If there are any issues around that, those are flagged as well.
Hopefully, that answers some of your questions, Mr. Mercier.
R. Glumac (Deputy Chair): Thank you very much.
Does anybody else have any other questions?
Yes, Jamie.
J. Choi: Mr. Chair, can I ask…? Just what Mr. Stuart Newton mentioned, that the recommendation is about expense reporting, not the remuneration. It’s mostly in our credit card reporting that we extract particular related expenses. The recommendation was to review other accounts, to make sure that nothing is…. It’s slightly, a little, different from remuneration and expense reporting.
R. Glumac (Deputy Chair): Thank you for that clarification.
Thank you, again, everyone. I don’t see any other questions on this report. Excellent reports on both accounts. We’ve had a very efficient meeting today, and that’s always good. Sometimes we take a little longer to dig into questions and sometimes a little shorter.
I want to thank everyone today and just ask if there’s any other business anyone has. Not seeing any hands.
Our committee will be meeting again on Wednesday at 9 a.m. to consider two more reports. With that, I invite a member to move adjournment of the meeting.
Moved by MLA Mercier, seconded by MLA Sharma.
Motion approved.
The committee adjourned at 2:18 p.m.