The committee met at 7 p.m.

[P. Milobar in the chair.]

P. Milobar (Chair): Good evening, everyone. I will call the meeting of the Public Accounts to order.

First up we have consideration of the Office of the Auditor General audit report Board Oversight of Cybersecurity Risk Management at Vancouver Island University.

I will turn it over to the AG. We will hear from them and then VIU, and then we’ll have questions.

Consideration of
Auditor General Reports

Board Oversight of
Cybersecurity Risk Management
at Vancouver Island University

M. Pickup: Thank you, Chair.

I will begin by acknowledging with both joy and respect that at the Office of the Auditor General, we conduct our work on Coast Salish territories.

I would like to take a personal moment to say thank you to Indigenous people, both past and present, for allowing me to work and enjoy these lands now known as Vic­toria. I am grateful to be a visitor on these traditional Coast Salish territories of the lək̓ʷəŋən-speaking people.

As I go about my day-to-day living, I work to remind myself that, indeed, I am a visitor and to reflect on what it must be like for Indigenous people to have so many of us visiting here on these lands. As Canada’s first and only Indigenous Auditor General and a Status Indian member myself of the Miawpukek First Nation, I say thank you to Indigenous people here for all that you are sharing with us on the Pacific coast.

We’re here to provide insight into our report today, titled Board Oversight of Cybersecurity Risk Management at Vancouver Island University. Cyberattacks, as we all know, unfortunately, are on the rise. Ransomware, data breaches and other threats can affect individuals, organizations and critical infrastructure. It’s a major challenge to protect information systems and data from such cyber attacks.

Cybersecurity attacks can lead to unauthorized access to sensitive information and damage to an institution’s reputation. B.C. universities, of course, depend on information technology, whether for technology-based learning or for managing the personal information of students, faculty and staff. To protect personal information and to reduce the risk of service disruptions, university managers should assess and develop strategies to mitigate cybersecurity risks.

University boards, of course, play a critical role in overseeing these processes. They are a line of defence to protect the university and play a key role in improving management’s evaluation of and response to ever-changing cybersecurity threats. The Vancouver Island University board of governors, like other university boards, is responsible for overseeing cybersecurity risk management and holding management accountable for its delivery.

We selected VIU because it is a similar size to many other universities in British Columbia. VIU has 12,000 students, along with 1,500 faculty and staff. Each of them shares personal data with VIU.

I had the chance, by the way, last Thursday to spend the afternoon with the accounting students and faculty at VIU for a Q-and-A period and very much enjoyed the session. I have to say it was a wonderful experience. The welcoming was quite enjoyable.

It’s vital for VIU to do everything it can to protect their information and the IT systems that are so important to how the university functions. Our audit team has to provide a constructive insight, I believe, on this topic in the report, and we will be sharing that with you tonight.

Before thanking the team, I would also like to share something very positive. I have heard directly and indirectly from other organizations across the province throughout the government reporting entity that they are looking at this report. They are examining their own practices as a result of this audit of VIU. They are using it to look for opportunities to improve how they manage cybersecurity risk.

[7:05 p.m.]

As the Auditor General of British Columbia, I want to say that is a good thing. This is the kind of wider impact that we hoped to see, because we can’t be everywhere, and we can’t audit every organization.

I would like to thank our audit team, starting on my left with Laura Hatt, assistant Auditor General of the entire performance audit portfolio; René Pelletier, executive director; Greg Morhart, director; and Tommy Chung, performance auditor, who I think is over my right or left or both shoulders, depending on how I’m sitting.

Before the team starts the presentation, which will be very soon, just a quick moment to acknowledge that Wednesday, November 8 is Indigenous Veterans Day. Of course, the military service of First Nations, Inuit and Métis in Canada has deep roots. It’s good, I think, to specifically recognize and remember their sacrifices.

As I prepare to take time to reflect on November 11 for all those who have served and fought for our freedom, on November 8 I’m also going to take some time to reflect on the service of Indigenous people as well. From my own views, having had a grandfather that served five years overseas as part of the Cape Breton Highlanders…. It is certainly something I had the opportunity to grow up learning about in listening to him.

Now, Greg, over to you.

G. Morhart: Good evening, Chair and committee members. Thank you for your interest in our report Board Oversight of Cybersecurity Risk Management at Vancouver Island University, which was tabled on August 1, 2023. I’ll be walking you through the information in the Audit at a Glance, which provides a summary of the report, including the key findings.

Our audit assessed whether Vancouver Island University’s board of governors provided oversight of the university’s cybersecurity risk management practices. We concluded that the board of governors had not provided oversight of the university’s cybersecurity risk management practices, and we made four recommendations to improve policy, board training and development, and the oversight of cybersecurity risk mitigation and responses. We are pleased to note that VIU has accepted these recommendations.

I will now provide a summary of the three main findings from our audit.

We looked at whether the board of governors had documented roles and responsibilities for overseeing cybersecurity risk management and had current policies in place. We found that the board had documented its responsibilities for overseeing cybersecurity risk management through policy and in its terms of reference. However, we found that the university hadn’t updated its risk management policy and was not in compliance with its own timeline for this review.

We also looked at whether the board was overseeing the president’s role in managing cybersecurity risk and found that they had approved and reviewed the president’s goals and self-assessment of that progress.

Secondly, we looked to see if there was an orientation program for new board members that covers the board’s responsibilities for oversight of cybersecurity risk management. We also examined whether the board of governors has an annual development program that includes training and updates on cybersecurity risk management.

We found the orientation program provided to all new board members included general information about enterprise risk management but didn’t provide guidance on how the board of governors should provide this oversight. We also found that the board of governors did not have an annual development program to provide board members with updates on cybersecurity risk or changes to the board’s roles in providing oversight of cybersecurity risk management.

Finally, we looked to see if the VIU board of governors reviewed the university cybersecurity risk management framework and regularly looked at management’s assessment, mitigation and documented responses to cybersecurity risk. We found that the university has developed an enterprise risk management framework, including processes to identify and rank cybersecurity risks and the mitigation strategies. However, for most of the 2022-2023 fiscal year, the board of governors had not reviewed management’s evaluation and responses to cybersecurity risks, which include its compliance with legal and regulatory requirements.

I would like to extend our appreciation to the team at Vancouver Island University for their support and cooperation throughout this audit. Thank you.

I’d like to turn it back over to Michael.

M. Pickup: Thank you, Greg.

I would like to now draw your attention to the bottom of the Audit at a Glance for the questions you may wish to consider asking. What are government’s expectations regarding board oversight of cybersecurity risk management? What are post-secondary boards doing to ensure they effectively oversee cybersecurity risk management? How are post-secondary boards evaluating whether cybersecurity risk is adequately managed?

[7:10 p.m.]

I hope that provides members with a relatively brief overview of our report. Of course, as always, we’ll be more than happy to take your questions and comments on the report.

Thank you, Chair.

P. Milobar (Chair): Great. Thank you so much.

We’ll just hold questions till we run through everyone.

Carl, do you have anything to add from the comptroller general’s side of the world?

C. Fischer: The only other comment that I would have is that cyber is important to all organizations in the government reporting entity. Every board, every committee that I work with is always keenly interested in the ever-evolving world of cyber risk. I’m sure that in your boards, in your experience, you know exactly what I’m talking about.

I think that’s very good that people are interested and aware, but I also get the sense that the world of cyber is evolving so quickly that it’s very, very difficult for boards, in particular, to feel like they are on top of the latest situation they have to guard against.

I think the recommendations are great to help boards understand or shape their focus so that they are paying attention to cyber at the right level and, most importantly for me, coordinating with management staff within the organization, teams and collaborators across the sector that are defending against cyber, and the ministry and the ministry’s coordination with the chief information officer and other parts of government that are providing that support.

Whatever we do for cyber, it always seems that we can only expect to defend against the last attack. The way to defend against the next attack is to make sure that we have a multi-layered defence and that people know who’s involved, what their responsibilities are and how they can work together to provide the best response.

P. Milobar (Chair): Okay, great.

I noticed I misspoke at the beginning. We have a presentation from VIU and the ministry. I’m not really too hung up on who would like to go first.

B. Plecas: Thank you all very much. I’m Bobbi Plecas. I’m the deputy minister at the Ministry of Post-Secondary Education and Future Skills.

Like the Auditor General, I’d like to acknowledge that we’re meeting here tonight on the traditional territory of the lək̓ʷəŋən-speaking people. I give my thanks to them for welcoming my family and I to live, work and play on this beautiful territory.

We have some team members with us. Representing the Ministry of Post-Secondary Education and Future Skills is Jason Butler. Jason is our executive financial officer and the assistant deputy minister responsible for finance, technology and management services. We also have Kashi Tanaka. Kashi is our executive director of post-secondary finance.

From Vancouver Island University, we have joining us the board chair, Manley McLachlan; we have Dr. Deborah Saucier, the president and vice-chancellor; we have Emily Huner, the vice-president, finance and administration; and William Boyte, the general counsel and university secretary. I’m very appreciative that you’ve come from Nanaimo to be with us today. Thank you very much.

We’d like to thank the OAG and the OAG team for the work that you did and helping us shape our work across the post-secondary system. I think our intention will be to share some of the delivery of our response.

I’m going to turn it over to my colleague, Deb.

D. Saucier: Thank you.

Aah siem nu si yé yu. Aah siem Songhees mulstimuxw. Aah siem Esquimalt mulstimuxw. Aah siem Saanich mulstimuxw. Aah siem xwulmuxw mulstimuxw. Aah siem Miawpukek mustimuxw. Aah siem shsi’em mustimuxw. En thu pe sîpihko pihêsiw iskwew, Deb Saucier in English. En thu munu utl’ Henri Saucier and Marilyn Turanich. Tu ni cun utl’ Saskatoon, Saskatchewan.

[Ah my respected friends, relatives. Ah respected Songhees people. Ah respected Esquimalt people. Ah respected Saanich people. Ah respected Indigenous Peoples. Ah respected Miawpukek person. Ah respected leaders, dignitaries. I am Blue Thunderbird Woman, Deborah Saucier in English. I am the child of Henri Saucier and Marilyn Turanich. I am from Saskatoon, Saskatchewan.]

[Hul’q’umi’num and Cree/Michif text and translation provided by D. Saucier.]

I am a member of the Métis Nation of Alberta.

I would like to acknowledge not only the Snuneymuxw, Quw’utsun’, Tla’amin, Snaw-naw-as and Qualicum Nations where VIU operates but also the lək̓ʷəŋən-speaking peoples here for the use of their land for us to conduct our business here today.

As you heard, we’ve got some of my team with us. I just have a short slide presentation that I’ll walk the committee through, and then, following my presentation, I’ll hand it back to my colleague, the deputy. She will be able to provide additional comments on behalf of the ministry.

[7:15 p.m.]

P. Milobar (Chair): If I could just get clarification, we have two presentations. One is entitled From the Ministry, and one is entitled From VIU. We just need to know which one you’re starting with.

D. Saucier: VIU.

P. Milobar (Chair): VIU. Okay.

We all have it on our places.

D. Saucier: Okay. Good, good. I didn’t know when to start. I can see our MLA there, and I can see some stuff, but I couldn’t see that. My apologies.

The Office of the Auditor General, the OAG, examined Vancouver Island University’s, VIU’s, board of governors’ oversight of the university’s cybersecurity risk management practices. The audit period was April 1, 2022, to March 31, 2023, and involved senior executive and representatives from VIU’s board of governors, including our board chair, who is here with us this evening.

The OAG made four recommendations in relation to how VIU’s board of governors could improve oversight of the risk of cybersecurity. As you heard from our colleagues across the way, VIU accepted all four recommendations and has moved to implement all. VIU is on track to have all recommendations implemented by December 31, 2023.

The first recommendation of the audit report was that VIU ensure that governance and policy documents defining roles and responsibilities for cybersecurity risk management are reviewed and approved as scheduled.

We have already taken a number of actions to operationalize this recommendation, including updating VIU’s enterprise risk management policy, which was approved by the board of governors in April of 2023. This policy ensures that existing and emerging risks are identified and managed within an acceptable risk tolerance and establishes a risk management framework for managing and reporting on risk identification and mitigation to VIU’s board of governors.

While we’d already identified cybersecurity as a risk to report on, given the significance of this issue across the post-secondary sector, cybersecurity will continue to be identified as a significant risk under this framework.

Under this new policy framework, our board will receive ongoing reports from my senior team on the risk of cybersecurity, which we are reporting as one of our most significant risks. These reports will include how this risk is being continually managed at VIU.

The second recommendation of the audit report was that VIU create an annual development program and ensure board members receive annual training on cybersecurity risk management to support them in their oversight role.

Again, we are well on our way to completing our response to this recommendation. Steps taken include adding the creation of an annual board development program to VIU’s governance and policy committee, which is our board’s current standing committee responsible for overseeing board education and development. The committee has already met on this issue, and we expect a recommendation for the annual development plan for our governors to be recommended for approval at our next board meeting in December 2023.

In addition to formalizing our plans for annual board development, we also convened an orientation session in August of 2023 for all board members where they were provided an orientation on our enterprise risk management framework, and specifically, how cybersecurity fits into this framework.

The third recommendation of the audit report was that VIU update its board orientation program to include information on the roles and responsibilities for oversight of cybersecurity risk management. I talked a bit about this in my last slide but wanted to advise this committee on other actions taken by VIU, including that VIU’s university secretary, at the request of myself and VIU’s board chair, has completely overhauled the board orientation program to include more information on cybersecurity risk management.

This overhauled orientation program — which now includes detailed briefings from VIU’s chief financial officer, chief information officer and our director of enterprise risk management — helps our board understand how VIU is managing cybersecurity risks.

As noted in the previous slide, this new orientation was kicked off for all board members in August and the corresponding materials from it are archived for all board members to access at their convenience.

We have also added this annual August orientation meeting for board members to its annual board schedule. Historically, orientation was only offered to new or incoming board members. However, we are now making this an annual refresher for all board of governors’ members.

The fourth recommendation of the audit report was that VIU review cybersecurity risk mitigation strategies throughout the year. Steps taken on this front include that VIU’s board has been engaged in updating VIU’s entire enterprise risk management, or ERM, framework, which is now based on the ISO 31000 risk management guidelines.

[7:20 p.m.]

This work was completed with the approval of VIU’s enterprise risk management policy in April of 2023, which I mentioned previously.

As part of the modernized ERM framework, VIU’s board annually reviews how VIU’s senior management has assessed and is managing risk, including the risk of cybersecurity. The new ERM framework also ensures VIU’s board receives ERM updates on risk and mitigation strategies twice annually. These biannual ERM updates have been included as standing items on the board work plan, going forward.

As also mentioned earlier, cybersecurity is categorized as a top risk in VIU’s ERM register, meaning that VIU’s board will receive regular updates on cybersecurity specifically as routine ERM annual updates.

In summary, our board of governors has greatly benefited from the focused review and findings of the OAG’s audit and has fully accepted all of the OAG’s recommendations per the OAG’s report of August 2023. Each of the OAG’s recommendations has been implemented or is in the process of being implemented. We anticipate having all recommendations implemented by December 31, 2023.

Finally, I want to express, on behalf of VIU’s board, our appreciation to the Office of the Auditor General for their audit findings, which come at a very timely time for our organization as well as our sector. As I hope will appear obvious from my comments this evening, VIU’s board of governors has taken these recommendations to heart and is fully expecting to use its participation in this audit and the resulting audit findings to enhance our board’s oversight of VIU’s cybersecurity risk management practices.

Thank you, Mr. Chair and committee members, for your time today. I would be happy to take questions or cede the floor to my colleague Deputy Plecas to provide the ministry’s comments.

HÍSW̱ḴE SIÁM.

P. Milobar (Chair): Thank you.

I think we’ll hear from Ms. Plecas first, and then we’ll deal with all the questions.

It usually overlaps between all three of you and who would like to answer.

B. Plecas: Thank you very much. I only have two slides.

In anticipation of some of the questions that the Auditor General posed, offered for you to ask us, I thought we would talk about just a couple of dimensions of the work that we’ve been doing at the ministry to support cybersecurity across the broader public sector.

The first is BCNET. BCNET is a Crown corporation that was established many years ago which has responsibility for providing networking, information technology and cybersecurity support. The thinking behind BCNET is that our institutions — we have 25 of them, and they are all part of BCNET — range from the University of British Columbia, which has 75,000 employees, to Northern Lights College, which has fewer students than some of the large urban high schools.

With such a diverse group of public post-secondary institutions, the benefit of collaborating on these very complex issues like cybersecurity is obvious. We fund them, and the system funds them.

BCNET is such a good business that some of the broader public sector has also chosen to join BCNET. That includes the Provincial Health Services Authority, the B.C. Cancer Agency and others.

Our first line of defence is to work collaboratively together, to have one expert that can support all of us and to ensure that our entire system is accessing the expertise that BCNET offers. The second line of defence is what we’ve been doing here in the ministry.

I’ll start first, perhaps, with CABRO. CABRO is the Crown agencies and board resourcing office. They are responsible for the appointments to all of government’s agencies, boards and commissions. Part of CABRO’s mandate is to ensure support and informed boards across the public sector, including risk management training.

This year’s mandate letter that we sent out to all of the public institutions provided specific direction to them to prioritize maintaining effective cybersecurity policies and practices. You will be aware that in our governance model, we can set these as objectives and then ask them to account to us. It is the responsibility of the institutions to implement.

Last April we held a board governance workshop — the second, and now an annual event. COVID got in the way in the middle. All the institutions were there. Board members and board chairs from all the institutions were there. We had specific, focused conversation on cybersecurity risk management.

[7:25 p.m.]

Perhaps lastly, BCNET sponsored a very interesting half day at the Wosk Centre in Vancouver. There were 120 attendees. Sixteen of our 25 board chairs were there. Twenty other board members were there. All of the public post-secondary institutions were represented at a very senior executive level or at a board level. They spent the entire day focused on cybersecurity and sharing best practices and sharing support for one another around cybersecurity practices.

With that, I’ll turn it back to the Chair.

Thank you, Chair. I’m happy to accept any questions.

P. Milobar (Chair): Great. Thank you.

Any questions from the committee?

R. Merrifield: I have three, so I’ll just take turns and rotate through.

A quick question, and I’m not sure which of you this would be directed to, perhaps the Auditor General. Why was the board audited and not the executive of VIU?

M. Pickup: Probably to do that answer justice and let them walk through, I’ll pass it to the team. They can talk about how we develop criteria and how we scope to get to that level and then pick the bar, if you will, as to what we’ll actually look at.

R. Pelletier: Good evening.

Cybersecurity is one of the things that’s already been mentioned. It really does require a defence in-depth approach. In the past, we have looked at management’s activities for cybersecurity that…. We did an audit at B.C. Hydro, looking at security of control systems. We’ve done audits at the OCIO.

We wanted to take a look a little bit higher, to look at: what is that whole chain of responsibility for cybersecurity? One of the areas we hadn’t really focused on in the past is around boards. We thought a post-secondary would be a good institution to look at. There are resources available for them. It was really around: what is that connection between the board and management?

We think that they’re all important, but this was one area where we hadn’t really looked at in the past.

Laura, do you want to add anything to that?

M. Pickup: Maybe I will just give you another example to complement what René has said.

Sometimes we will get in, and we’ll look at a very technical issue. Like, when I first came here, we did cybersecurity over medical devices at PHSA. So, you know, not a governance audit but very much into the detail at that level.

I think it’s important, over a period of time, to look at the various levels and parts that are, say, levels of defence or have an aspect to play. That’s not to suggest any one part we look at is the most important or minimizes anything else that anybody else does or any…. It’s all in total, if you will.

We’re trying to be everywhere and look at all different aspects so that people can leverage. When I talked earlier about organizations and institutions looking at the results of this audit, it was likewise with the medical devices, with the hydro, with other cybersecurity audits we did as well.

D. Routley: Recommendation No. 3 — one of the responses was detailed briefings. I wonder if you could describe what those briefings look like, how you derive benefit from them and how you judge the comprehension of the people who are receiving a briefing.

It seems like, at least in my case, human error is the always chief among the failings of any technology anywhere near me. I’m wondering how you’re able to ensure that people are coming up to the level of comprehension required.

P. Milobar (Chair): Did you get most of that?

D. Saucier: MLA Routley, if I understand correctly, your question was: how did we develop briefing materials, and how did we ensure that the board understood it? Is that…? Okay.

Well, our briefing materials go through details around our enterprise risk management schedule.

[7:30 p.m.]

We walk through items and ensure that the board agrees with management’s assessment of risk therein. We take time to talk about mitigation strategies.

As well, as the deputy mentioned, at the orientation on cybersecurity put on by BCNET, all of the committee chairs of the board were at that meeting. They also were given detailed briefings at that point about questions to ask us about that. Actually, we are working on developing a presentation at our next board meeting in December regarding a series of questions we’ve received from our audit and finance chair, for instance.

Again, we spent a lot of time doing background material, making sure that people understood the level to which we assess the risk as well as the mitigation strategies, and then we’ve also provided additional training to ensure that the board annually is improving its competence in this area.

S. Chant: I’m just interested in BCNET. Does it reach out to establishments, or do they reach in to BCNET? Like, if there’s somebody that’s wanting to utilize BCNET or would be appropriate for BCNET, does BCNET reach out to them or do they reach in or is it a combo?

B. Plecas: BCNET is long established. If you’re working in the broader public sector, you’ve probably heard of it. It’s been around for a really long time. It started with networking and trying to make sure that all of our broader public sector had access to good connectivity.

Whether they reach out or someone reaches in, I’m not sure I could answer more broadly. But the broader public sector is welcome to work with BCNET on their services. Again, I would be hard pressed to think that there isn’t anybody in our broader public sector who works in technology who wouldn’t be aware of BCNET.

R. Merrifield: I just want to start off with this question. I find the response by VIU just absolutely commendable. I want to laud the activation and the quickness with which the recommendations were beginning to be implemented and implemented and also the outcomes-based checks and balances that were put in place — just really commendable.

In my area, Okanagan College has recently had one of these cyberattacks, so very firsthand kind of feels on how that can impact an organization of such magnitude. I just wanted to start off with that.

My next question, actually, was to follow off with MLA Chant’s, and that was on BCNET. Was the board of VIU already working with BCNET, and does BCNET…? Would they have sort of an education program that could be implemented by the board of VIU?

D. Saucier: We were working with BCNET already and utilizing a number of their cybersecurity resources as well as other networking resources and materials that they provide for us as a member of the consortium.

As I mentioned in my presentation, all chairs of our standing committees took part in the day-long cybersecurity forum hosted by BCNET, as well as most members of my senior team. That was an amazingly informative session that allowed me to actually deepen my understanding as well, as well as to ensure that we continue that educational piece.

I work very closely with the president of BCNET to try and help deliver additional educational resources and develop them so that they will help our sector as a whole.

R. Merrifield: Fantastic. Thank you.

P. Milobar (Chair): And something else here? No?

Any other questions?

R. Leonard: Nice to see you all, and nice to see a real positive outcome coming out of this report. A question I have….

[7:35 p.m.]

I don’t know what an ISO 31000 risk management guideline is, but I’m curious about what kind of level of risk we’re talking about with that standard and what kind of cost implications there have been in trying to achieve the best that you can.

D. Saucier: Without getting too deep into the details of the ISO standard, it’s an internationally recognized standard for risk management. It has a prescribed series of questions and rankings that you assess any risk that the organization may pose. In that process, we ask all senior managers to complete the ranking system, and then we get together as a management team and assess why there are variations.

It turns out that, perhaps, I assess risk at a higher level than others. So it allows us to actually get together as a group and understand that: I believe that this is a high risk in the red zone or a low risk in the green zone, and why. And we then are able to do that.

We then take that register — it has a heat map from green to red — and we make sure that we then walk our board through all of those risks and ensure that they also agree with us that in fact we have mitigation strategies in place as well as that they agree with our assessment of that risk.

I forget the second part of your question. I apologize.

R. Leonard: Costs?

D. Saucier: Oh, the cost. We have a full-time enterprise risk manager who does this work for us. That would be his salary. I don’t believe, but I would defer to Emily, that there’s a cost for using this particular strategy for risk.

The cost for running our enterprise risk management system this way is the cost of the individuals who do the collation and ensuring that we are applying the framework appropriately.

P. Milobar (Chair): Any other questions?

M. Pickup: Just a supplementary response going through my head, thinking of the cybersecurity audits we did. Another one came to mind. We looked at cybersecurity over teleworking, remote working, early on in the pandemic because it was such a big issue and such a change as well. I think we really are, by design, trying to be everywhere.

The other thing I was just going to remind folks is on any audit that we do…. If you look at pages 19 and 20 of the report, that’s where we lay out the audit criteria. At the beginning of the audit, when these audits start at the planning stage, we spend a lot of time working with the organizations that we’re auditing to say: “Here are the things that we’re going to look at.” We get acknowledgment, and we have discussion. “Do you think this is fair? What do you think?” There’s a lot of back and forth.

Probably one-third of the time that goes into an audit is this front end. It’s going through this planning. So it’s not a surprise when we come and do the work. They don’t say to us: “We didn’t think you were going to look at that. We don’t think that’s what you should look at.” We’ve had that discussion. All of that is at the front end, and then we go about gathering the evidence.

The other thing I was going to say is that from an Auditor General’s perspective, this is absolutely the kind of response that we want to see. Primarily, obviously, our job is to provide the assembly, the B.C. Legislature, with an assurance report. But we all hope positive change results. When we see responses like this, we’re very happy to see these things happening and happening quickly. We were just talking beforehand, and I said that we’ll be back to follow up to see that these things are actually happening.

I guess the last thing I would say on this is when we were at the Canadian Council of Legislative Auditors and the Canadian Council of Public Accounts Committees meeting this past summer in Whitehorse, this was one of the discussions, cybersecurity.

We had quite a presentation, which I found elected folks really…. I wouldn’t say enjoyed. I don’t know if “enjoyed” is the right word when we’re on cybersecurity — a bit frightened at the topic. This is partially why you see me and my colleagues from across the country continuing to do massive amounts of work in areas like cybersecurity.

I just wanted to add that and say thank you.

P. Milobar (Chair): Great. Well, thanks so much.

We’ll take a brief recess, and that way people that I have presented don’t need to tough it out for the next report. We’ll come back in just a few minutes.

The committee recessed from 7:39 p.m. to 7:43 p.m.

P. Milobar (Chair): We’ll bring the meeting back to order here.

We have one more agenda item, and that’s consideration of the Auditor General report Annual Follow-up Report: Status of Performance Audit Recommendations (2019–​2021) from July of 2023.

I will turn it back over to Michael.

Status of Performance Audit
Recommendations (2019–2021)

M. Pickup: Thank you so much. We’re now on to report 2 of the evening, our annual follow-up report, Status of Performance Audit Recommendations. I have to say that it is very exciting to be here talking about this report. It’s quite an accomplishment, I believe.

Tonight we’re taking a look back and checking progress on audit recommendations that government accepted and committed to act on. This may be a good time to remind people that my office’s audits of government programs and services often, of course, include recommendations for improvement, which organizations, obviously, have the right to choose to accept or not to accept.

We do recognize how valuable it is for elected members, like this committee, to know if auditees have implemented the recommendations, which they generally always agree to, in a timely way. This information can help MLAs hold government accountable for improving provincial programs and services. This report gives MLAs a new tool to monitor the status of past performance audit recommendations.

As some members may recall, this is a direct response to a request that you made to our office in 2021. That’s why I said that it’s so exciting to be here and to see this product come to completion.

Our audit team, I think, has provided a great report here. It provides assurance on progress reports that entities submitted on 18 separate performance audits published between 2019 and 2021. These covered a total of 112 recommendations.

[7:45 p.m.]

I want to thank all the entities that were involved in this report — not with us tonight, of course. But my thanks extends to them for their cooperation during this. The collaboration we had with all of these groups was very much appreciated. We navigated what is a new approach, and I think we have laid the foundation for the years to come now with a strong product.

I’d like to recognize the team members who made this possible: Laura Hatt, assistant Auditor General, who runs the performance audit practice of the office; and Laura Pierce, next to her, executive director of performance audit, who very much led this product.

Maybe now, Laura Pierce, I will pass it over to you. You can walk through the annual follow-up report for members.

L. Pierce: Sure. Thank you, Michael.

Good evening, Chair and committee members.

Thank you, again, for your interest in our reports, including the annual follow-up report that we tabled on July 25. This report is a first for our office. As Michael noted, we’re quite proud of it. It reflects a new approach to how we follow up on past performance audit recommendations and did come about as a direct result of the discussion that the Public Accounts Committee initiated in June of 2021, when we were asked to provide assurance on the status of recommendations.

In previous years, you may recall that entities would submit an action plan and progress assessment, or an APPA, as they were fondly referred to, where they reported the status of each recommendation as well as a description of actions planned and taken and targeted timelines.This new follow-up replaces that process.

Under the APPA model, our office provided no assurance on these assessments. Entities would continue to submit an APPA until the committee advised them otherwise. By 2021, there were 35 APPAs in the queue, with some dating back to audits from 2013.

Our annual follow-up report is designed to be straightforward and to provide the committee with a new focus tool to monitor the status of past performance audit recommendations. Before I turn to the results of our first review, I thought I’d provide a very brief overview of our new process and how to navigate the report.

The new follow-up process kicked off in the fall of last year when we asked entities to prepare a progress report that confirmed whether the recommendation was complete or not complete as of November 30, 2022. If the recommendations were not complete, we asked entities to note whether they plan to complete them or not. We also asked entities to provide a brief summary to support their assessment of the recommendation.

Once we received the progress reports, we reviewed them to assess whether they faithfully represented the entity’s progress, meaning they were relevant, reliable and understandable. This involved meeting with staff, reviewing key documents and carrying out additional procedures, where needed. We discussed the results of our work with each entity, which resulted in some entities adjusting their progress report.

The public report compiles the results of this work and can be thought of in two parts. The first is a summary piece where we describe our approach and summarize the results of the reviews. This is reflected on pages 4 and 5 of the report. The second part includes all the individual progress reports that entities have prepared organized by the year that the original audit was published. These can be found starting on page 6.

Because our audits covered multiple entities, where responsibility was diffused amongst various deputy ministers, CEOs and other heads of organizations, we coordinated with the Premier’s office on this report, which is different from the APPA process, where we coordinated with the office of the comptroller general.

Our first follow-up report, which we’re here to talk about today, covers a lot of ground, as Michael noted in his opening address. We looked at 112 recommendations from 18 performance audit reports that were published between 2019 and 2021. In each report, we found that the entity had faithfully represented their progress.

The progress reports that entities prepared show that as of November 30, 2022, government had completed 42 percent of the 112 recommendations. Of those recommendations that were not complete, entities expressed support for implementing all but one. This one recommendation is from the audit of the detection and response to cybersecurity threats on B.C. Hydro’s industrial control systems. You can find B.C. Hydro’s rationale on page 16 of our report.

The progress reports also showed that even where recommendations were not complete, entities reported making some progress to complete them. However, more work was needed to achieve full completion. Some of the recommendations are more complex than others and will take more time to complete, such as those that require extensive consultation or broad system changes.

[7:50 p.m.]

Before I turn it back to Michael for his final comments, I’d like to highlight that this is an annual process that we will run every year. We plan to add new audit reports each year. For this next report, there will be six audits from 2022 that will be added.

Given that this was our first year, we spent time setting up our processes and ensuring that those we audited were aware of the change. Next year we anticipate an expedited process. In fact, we’ve already sent out requests to entities for progress reports that will be included in next year’s follow-up report, which we plan to publish in May. Our faster timeline will reduce the time from when we receive the initial progress report to the final publication and, therefore, increase the currency of the reported information.

To conclude, I would like to reiterate what Michael noted in his opening comments and extend our thanks to all the entities that were involved in this work. It was a new process, and we saw lots of collaboration from the entities that we worked with to build a common understanding around the work.

I will now turn it back to Michael.

M. Pickup: Thank you, Laura Pierce.

This is quite a change for our office to have this report — and a good change. This will be now a yearly thing, and we will be back every year to do this. As Laura said, I’m super happy that they’re already being able to advance this by two months this year. We’ll take it from there and see where we go from there after advancing it this coming year.

Ultimately, of course, this comes down, I think, to governments following through and improving government programs and services. We make the recommendations. We don’t own the responses. The responses are what government indicates that they are going to do — their promises, their commitments. We just come back to see: “Did you do what you said you were going to do, and are you reporting that?” That’s something that can benefit everyone in the province.

For me, that is the number two question I get as Auditor General. The first question is: how do you pick the audits you do? The second question is: what happens after, and does anybody ever do anything with the recommendations that you make? This really does answer that question in very tangible ways. Of course, there’s a lot in that document. It’s like 18 separate reports all in one. There is a lot, but it’s easy to follow through the Report at a Glance and to zero in on areas that may be of particular interest.

For the next steps and what gets done with this, I think that’s really up to the Public Accounts Committee. I’m happy to take questions if you want to know what typically might happen — when we did this in Nova Scotia, and what the experience there was. I’m happy to take those questions as well.

Then, of course, I draw your attention to the bottom of the report. What positive organizational changes come out of this? What challenges might organizations face in implementing the recommendations? Really, it is in implementing their responses to the recommendations. We make a recommendation; they make the response. What might be done to support more timely implementation of the recommendations?

Maybe I will leave it at that. I’m happy to take questions, comments, feedback. This is our first time through with this report, so I’m happy to listen.

P. Milobar (Chair): Great. Well, thank you for that.

Maybe I’ll kick things off. Just so the committee is aware, a reminder: if you have questions for the Auditor General and his team around this and if there are more detailed questions that we have for any of these particular audits, we still have the ability to ask for that ministry or section to come back and present here and provide more in-depth Q and A for the committee. Although it’s a new process, that side of the process hasn’t been removed from our duties, in trying to be that oversight.

To that end, I’m a little taken by surprise, frankly — the first I would have heard of it was tonight — with the new process that has removed the comptroller general out of the equation and put the Premier’s office into the thick of things. We would have had to be coordinating deputy ministers and ministries all those other years with APPAs.

[7:55 p.m.]

The whole purpose, I understand, of Public Accounts Committee — this is the only committee where opposition actually chairs it, despite not having the majority of seats — is to provide that public assurance and oversight as to what’s going on in government in terms of these audits and government in general. The comptroller general plays a big part in that. Obviously, the Auditor General plays a large part in that as well.

There wasn’t discussion at this committee that I’m aware of, all the way moving forward, that we would have been removing the comptroller general and inserting in his place the Premier’s office, which is arguably the most politicized office in British Columbia, regardless of who’s in the Premier’s office. I’m talking about process here.

I don’t see how that meshes with everything else we were trying to do with streamlining. So I need a bit of clarification or understanding as to how that is seen to be more open and transparent and not seen, frankly, as political interference with the Premier’s office versus a comptroller general.

M. Pickup: To start, let me say that I think we caused some confusion there by our statement in terms of involvement with the Premier’s office. Let me explain in detail, from the start through to the finish, as to what that actually means. My two friends here are both lawyers. Anything I say that needs correcting will be corrected and adjusted as we go.

Ultimately, the ones we dealt with on this weren’t the comptroller genera or the Premier’s office. They were the people we audited. Those were the people we were dealing with in terms of them preparing the progress reports and then us reviewing and the back-and-forth with them.

At the outset, the comptroller general was clear with us. The accountability, the responsibility, for these audits is not with us. It’s with the people you audited, which makes sense. We’re auditing the Department of Health; we’re auditing whatever the entity is we’re auditing. Those are the people who were preparing the performance, preparing the update, and where they were. Those were the ones we were reviewing with.

The comptroller general removed themselves from that and didn’t have a role to play. They weren’t clearing, if you will, with the individual departments and organizations we audit. There was also no back-and-forth with the Premier’s office. We weren’t auditing them. We weren’t clearing anything with them.

When we talk about them having a role: at the end of all these audits, I offer to meet with somebody when the report is done. I always offer to meet with the minister to say: “Okay, this is your ministry. Would you like to meet to go over the report? The report is written. We’re not going to change anything, but do you have any questions about it? Do you have any questions for me?”

That wasn’t the comptroller general at the end. Because it was 18 separate reports, the person I sat down with at the end of it would be the Premier, to say: “You have questions on this for me? The thing is ready. Do you have anything you want to ask about this?” That was the person who would be responsible, not the comptroller general.

Anything you want to correct there?

L. Hatt: No, that’s exactly right. I think that we did speak to the comptroller general and the Deputy Minister of Finance as we were developing the process. They were very clear that the accountability for each of the progress reports was with each individual deputy minister or the CEO, but when we compiled those reports, our legislation requires that we embargo the report seven days prior to it being published with the minister responsible.

In this case, that would be the Office of the Premier, because they had overall responsibility for all the entities that were in the compilation report. So it wasn’t a matter of coordinating or adjusting. It was a matter of whom do we embargo this report with? Who has that overall responsibility for each of the entities that were included in the progress report?

The comptroller’s office and the Deputy Minister of Finance were very clear with us that they did not have any accountability for coordinating this follow-up process. If we were to do it the way that we were suggesting, under our audit standards — which require us to have a responsible party, a report user and ourselves as the practitioner — the responsible party was not the comptroller’s office. It was each individual deputy minister.

That is why the embargoed report, compiled after we had done all the progress reports, and we provided our final opinions for each of those progress reports back to each ministry, the overall compilation went up to the Office of the Premier, as per our legislation.

[8:00 p.m.]

J. Tegart: When the proposal was put to this committee, was that clearly pointed out to the committee, that the Premier’s office would be the office that the report was delivered to?

L. Hatt: No. Our understanding at the time was that we were to coordinate through the comptroller’s office. Then, in discussions with the comptroller’s office, it became clear that that was not the appropriate avenue to do so.

P. Milobar (Chair): Any other questions on the overall report or any of the groups or anything?

R. Merrifield: As you were going through, were there any assessments made as to the differences between the different agencies, whether it’s a Crown or a ministry? Were there any through lines or findings or generalities in terms of the differences between those that did implement and those that didn’t implement?

L. Hatt: No. I think that one of the challenges, and I think Michael pointed out, is that we’re kind of all over the place with many different topics. That results in quite a varied number of recommendations.

Some of the recommendations do require significant work, such as engaging with Indigenous people or big, large system changes. Then others are more simple, like tonight, the cybersecurity governance audit, where we asked to implement a training program. That’s a much simpler recommendation than, say, a large system change.

Yeah, it was difficult to pull any major trends together. I think, as Laura pointed out, even though the completion rate isn’t high, you can see that a lot of the organizations are close to completion in many cases as well.

Then there are some that haven’t done very much at all. I think that’s the opportunity that we wanted to give to you, as members of this committee, to say: are there some that we want to follow up on, where we’re not seeing progress? We hope that clarity will help.

M. Pickup: Chair, can I just add one quick thing?

These are 18 separate reports. I just want to put that out there. But having said that, I’m through each of these in detail. Ask my team members here. I’m a practitioner. I’m involved in all these.

One of the things that I’m doing is that I step outside, and I say: “Okay. Do I see a common theme in all the responses?” I’ll tell you one that I thought that we were going to get. “COVID put us behind. COVID put us behind.” That wasn’t a common theme in the responses. So when I did that stand-back and looked at them all in totality, I can’t say there are two or three reasons that run across all of the things, which can make the job harder for anybody doing oversight to say: “Why aren’t these things done?”

On the other hand, you didn’t get sort of the knee-jerk reaction, if you will, to say: put it on COVID.

I get it. There’s a lot there.

R. Leonard: I see it’s a big undertaking. I know, in doing that, it has made our job simpler. So I appreciate that.

One of the things that I saw was in things that were not complete. In the ministry’s descriptions of where they were at, a lot of the time, I kind of was scratching my head, thinking: “Well, it sounds kind of complete, except for the fact that some of the things, these are big system changes.” It’s almost like an attrition to get through to the end.

I almost wanted to have a gauge about how far into completion they were, because if it was me, I would have said: “Well, that looks kind of complete to me.” So there’s that piece. I don’t know if there’s a way of reporting on that in a different way that would make sense to the public.

When you read something like, “it’s not 100 percent, not complete,” but then, when you read the report, you’re kind of wondering: what’s going on? Is there a way to better reflect that?

[8:05 p.m.]

M. Pickup: I don’t know. Maybe it’s one of the upsides or downsides — I’m not sure — of working for 35 years, but I’ve seen it done every way.

When I worked at the OAG of Canada, we would do something like: let’s have five categories. Let’s have complete. Let’s have nearly complete. Let’s have significantly complete. Let’s have not…. And sure, we had preciseness, but it made it very difficult to get that work done. All of a sudden, something might take 18 months, when you look at here how a relatively short period of time we got this done.

Laura Pierce was talking about…. We’ve already started for the coming year. We’re going to be done by May. We’re shortening up this. If you start to make it too complicated, then you get into this: “Well, it’s not significantly complete. It’s substantially. No, it’s kind….” Then you go back and forth.

The other thing I will say, if somebody says to me, well, we’re nearly complete…. We’re doing this every year, then you’ll be complete next year. It’s really just a matter of time.

The other thing I want to do, I think, is give credit to those that we’re auditing to say: “Thank you for being honest.” Let’s not play a game here of starting with complete. I respect people who say: “You know what? We have more left to do. We’re not complete.” I think that’s probably reflected in what one could argue are relatively low numbers from where people probably want to be, but I give some people credit for saying not complete if they’re not complete.

The other thing is, I guess if you’re going to just start with complete, they know we’re reviewing this stuff and want to see all the evidence, so do you really want to have that back-and-forth for a month?

Long answer to a short question.

L. Pierce: One thing I would just add is in this current template that we’re using for next year’s report, we did add for each of the recommendations a planned completion date so that readers could get a sense of just how far off full completion is. You’ll see that reflected in next year’s report.

R. Leonard: Okay, thanks. That’ll be helpful.

R. Merrifield: Ms. Pierce, you just answered one of my questions, which was: do the recommendations have timelines? So I’ll go back a little bit and just say: did the original recommendations have timelines, or is it just the reporting that will now have a timeline associated with it?

L. Pierce: The original recommendations do have timelines. When an entity comes forward to present to your committee, they still put together an action plan. My understanding is they still have planned timelines, targets for completion, within those action plans, but as we know, things do change, so the progress report is an opportunity for them to update the committee on where they’re at, so that would change.

But yeah, the original ones do have planned completion dates in there.

M. Pickup: My hope, Chair, to that question is…. This is a hope. I saw it happening tonight in a good way. The responses to our recommendations — we don’t audit them. We don’t pre-clear them. We don’t….

Say what you want in those responses. The entities own those responses. You can see clearly when those responses are not tangible, when they don’t have dates in them. That’s not up to us. It’s their responses. They own them. But it’s a great question at the committee to say: “Okay, why do your responses not have timelines? Why do they not have tangible things? Why do they not have outcomes?”

I think in general, during my 3½ years here, I think I’ve seen more of a move to have tangible responses in the responses to the recommendations with timelines, and I think we saw some of that tonight with VIU.

J. Tegart: Thank you very much. I’m sure this is a lot of work as we set out towards a journey of firsts. But I’m looking at 2019, and one of the things this report does is it makes us very accountable to the public and to ask the questions of why we would have zero percent completion on oversight of contracted services for children and youth in care, when we look at some of the issues that we’ve seen in the last little while.

I would assume that it would be appropriate for this committee to ask for that ministry to come forward and explain where they’re at and why. Explain not only to the committee, but to the public.

[8:10 p.m.]

Same with the…. I looked at the protection of drinking water, which is an incredibly important thing in the province. When I looked at the numbers, I have to say there were a number of them that I was surprised.

When you look at the recommendations…. I think we have a very important job on accountability, and this report gives us a very clear picture of some of the work that this committee needs to do. So thank you. I know the first time around is a tough one, and we improve as we go. I certainly respect the amount of work that this report was, but I thank you for the clarity for this committee to move forward in accountability.

M. Pickup: Thank you for that, particularly the two folks here next to me who really did all the work in combination with other people.

I think that certainly was my experience in Nova Scotia. The Public Accounts Committee then decided, based on this report, who might we want to call in? This is just an observation, not a suggestion.

There, it was often easy for the committee because the government itself had a stated public objective that 80 percent of all recommendations should be complete within two years. So then the Public Accounts Committee might say, if you don’t make that 80 percent, we’re calling you in, and you’re coming in to explain what has happened.

Did it make for busy public accounts meetings with lots of people in and out and everything else? Yeah. But also, as I said before, to the credit of the public service, when I arrived in Nova Scotia as AG, the completion rate within two years was 50 percent. When I left, it was 75.

P. Milobar (Chair): I think for ease for the committee’s sake, given this is our first time through, we don’t need to necessarily engage the Auditor General in the various ones we want to call back.

We can have that under deliberations but go back and forth with the Auditor General and questions around the existing report in front of us. Then we’ll dive into those other ones because we’re all kind of feeling our way on this first time through, as Michael pointed out in the first time.

Any other actual questions on the report?

R. Leonard: I do have a comment. One of the things that I’ve noticed with the reports is that either the parameters of the timeline or the timing of the reporting — there are some real lags there, and so much can happen in between times. I’m wondering just how we can reconcile that in terms of understanding what we’re really looking at.

M. Pickup: Yeah. I’m smiling because we’ve had this discussion lots internally, and certainly that’s why we’re working now to pull it back. This year we were July, and this coming year we will be May, The sooner we can make that without anybody falling off the chair over here, the earlier and quicker we can get that done, the less of the time goes by.

Laura mentioned earlier that we now have the call letters out to get the stuff in right now. So we’ll get that back. We’ll go through the fairness process, the review process and the back and forth and be ready for May.

Realistically, when I was in Nova Scotia and we got good at this, April was the best we could do. So get the stuff in in November, because there’s clearance and all that process, and be ready for April.

We’re always going to have some period of time, but completely agree with you — the shorter we can make that period of time the better.

R. Leonard: The more relevant the reports will be.

M. Pickup: Absolutely. Yeah.

L. Hatt: I would just add to that because it’s structured in a way that each of the individual progress reports that we get back are between different entities, and the accountability is one-to-one from our office to them, and then to compile it all.

[8:15 p.m.]

So it’s like 18 different reports that then just get compiled into the one and the process to do that and to be fair and to make sure that we are talking to those organizations and we can get to an agreement on the progress that they’re made does take some time.

I do think the value of this work over what we had been doing before with the APPA process is that we did get an opportunity to talk to the organization and improve how they wrote something, so it was more clear for the committee and more precise, and having that opportunity to have back-and-forth and really getting them to adjust their progress report before it’s finalized. Although it does take a little bit more time, I think it was really worth that time in the end.

R. Merrifield: I’ll just echo what my colleague MLA Tegart has stated. I can understand — and to your point, Ms. Hatt — that the body of work is incredibly extensive. I just want to celebrate that and laud that. I would call this report an A-plus. I absolutely love the format and love the simplicity, and I loved being able to do the deep dive and to look at those recommendations.

I would, however, say, having been an only three-year MLA here and having come from the private sector and sat on dozens of boards in the past, that seeing this, these are failing grades. In terms of the overall completion, when I’m looking at recommendations that were made four years ago, if that was on a publicly traded company and an auditor had actually done those recommendations, that would be horrific to see. Honestly, in the private sector, these would be jobs lost, having not put these recommendations into place.

My colleague’s already drawn attention to the children and youth in care. I mean, I don’t even want to talk about it because I’ll get too emotional.

But for executive expenses at school district 36, we’re looking at a zero percent completion rate four years later. Let’s say three years later, because we want to give them the benefit of the doubt in terms of when the report was complete. These are horrible.

So for me, I guess my last question is…. I will go on the record by saying yes, we need to bring some of these back in front of us and ask these very difficult questions and have conversations as to why they were unable to…. We’ll start at the zero percents, and then we’ll go up from there. But in looking at this, we’ve got five out of 18 that even have a passing grade, at 65 percent. I’m very concerned about that.

My question is actually to the Auditor General, and that is: what does this committee need to do to increase the enforcement, as it were, of the Office of the Auditor General? Is it that we need to increase the amount of, and I know it’s not legislative change, what these completions need to look like? Is it to put those time frames on it, in terms of all the recommendations? Then anyone who does not comply with 80 percent….

Your lessons learned, I guess, the best practices from Nova Scotia in terms of what was implemented to actually see that increase from 50 percent to 75.

Sorry. Rant done.

M. Pickup: I’m going to attempt to answer all of that. If I don’t, come back to me, because I’m not trying to avoid any of it. It’s just I may not be keeping it all in my head.

Firstly, I would go back to…. I’m not going to turn this into a big thing, but there’s a reason why we don’t have percentage of completion of recommendations as a measure of our performance, because it’s not a measure of our performance. We have no control over these recommendations getting implemented. What we have control over is how good we write recommendations and whether they get agreed to, and 99.999 percent of recommendations get agreed to.

The question of whether these things get done really does, as you suggest, lie with the organizations that we are auditing to say: why are they getting done? Why are they not getting done?

If we go to the Nova Scotia example and why I think things improved so much there, yes, I absolutely gave credit…. I took zero credit for it. The office took zero credit. I think the credit went to the people in the public service who agreed with the recommendations. It’s all the reason to get them done.

[8:20 p.m.]

I also believe part of it was, as part of the system of scrutiny and oversight, the Public Accounts Committee. When the Public Accounts Committee was calling people in to explain where they were and explain the completion rates, recognizing they have an objective of 80 percent within two years, that gave some room for….

Not everything is going to get completed within that time, but I think the…. I hate to say the word “pressure,” but I think the scrutiny by the Public Accounts Committee of the performance of government in getting these recommendations done was part of the push to see things completed more quickly.

My practical perspective on it is: if we’re doing high-risk areas, if we’re doing important audits, if we’re doing things everybody agrees should get done, if people agree with the recommendations, if people write the responses, then isn’t it important to get the stuff done? And how long…? Having said all that, I recognize fully that some of these things are complicated and will take some time.

I would also…. I would say this in Nova Scotia: if an organization thinks it’s going take five years to get a recommendation complete, say that. Say you think it’s going take five years and be on the record for that, or if you learn it’s going to take that time.

The other thing is…. If it is true that these things, in some cases, are nearly complete, we should see the flow-through in next year’s report where a bunch of these things start showing up as complete.

The other thing I would say…. How do I put this in a nice way? I think one of the impressions that I certainly had in Nova Scotia, having worked there for six years…. The oversight of the completion of recommendations was something that was important to the whole system. Okay? That’s how people managed. This is something people paid attention to — these dashboards — or something that was important. To the extent that this can become a normal part of operations, it’s great.

Oh, I know what my other point was now.

Why do we do this work? We do it for you. We do it for elected people. We do it for the Legislature. If you choose to hold government accountable for the results that we give you, then that’s us doing our part. It is really then up to you. It’s not about us.

I’m remembering parts of these questions as we go through. I don’t think it’s up to…. It’s not about us getting more resources or us getting a different mandate. I think, frankly, we’ve done our job. We brought it to you. We gave you assurance that these numbers are right. We gave you the story. What you do or do not want to do with it is really on you. That’s why I’m not here saying: “Please do this; please do that.”

I know my place. My place is to bring you the work and answer your questions. It’s not to tell you what to do.

Maybe on the last part of that, because… People will say to me: “Well, Auditor General, you hold government accountable.” I say: “Well, actually, I don’t. I give a tool to elected members for them to decide how they want to hold government accountable with those tools that I provide. It’s not for me to directly hold government accountable.”

That was a long answer. Did I address all the questions?

R. Merrifield: Yeah, absolutely. That speaks directly to my point.

I think that this report is actually the apex. I commend you and the office and everyone who had a role in completing this, because it gives such a great snapshot of where things are at and a great tool for us then to drill down and perhaps get the answers that we’ve referenced. That is, “Oh, yeah. It says zero percent, but we’re actually 25, or we’re actually 50,” which might be the case.

I think we need to have those answers. I appreciate just the reflection, because I do think that part of what you were alluding to is just a shift in culture. Is the culture right now that 40 percent is okay? That zero percent is okay? Or is the culture that no, 100 percent is where we need to be?

That, I think, comes through that scrutiny that you mentioned and giving the tool to the elected officials to actually provide that scrutiny further. Thank you.

S. Chant: I’m trying to make sure that I’m on the same page as everybody else is, and in 70 pages, that’s always fun.

What I’m understanding is that when a recommendation is made, when you go back to ask the entity for a progress report, they’ve either completed it or they haven’t. They could be 75 percent complete. It could be 75 percent complete, but it’s not complete.

[8:25 p.m.]

As an example, some of these things that we are seeing that are supposedly 100 percent not complete…. They could be 75 percent complete on each of the recommendations, but they haven’t completed any of them fully. Am I capturing that correctly?

L. Hatt: Yes, that’s correct.

S. Chant: Okay. So that allows a little more balance here. It’s not that binary. It’s got nuances in it, but we have to be aware of those. Thank you.

P. Milobar (Chair): On that, though, just to make sure…. It’s got nuance, but the only way we find out on that nuance is by calling them back here to ask them those questions, right?

S. Chant: If we look at some of the summaries, we’ll see that work is being done. If we look at the reports themselves and read the summaries, we’ll see what work is being done and reported. But you’re right. It doesn’t tell us whether they’re 75 percent there or 90 percent there, etc.

M. Pickup: It may just be a statement of the obvious, but I just remind folks, as well, that when we’re into 2019…. The first year is 2019. We did this work in 2022 and reported in 2023. I hate to say time is ticking by here, but time is kind of ticking by here.

If I just give that…. I’m not suggesting this is a good example, but I’m just saying it is an example. When I refer to Nova Scotia, which had that 80 percent complete role, that was 80 percent complete-complete — not maybe, nearly complete; complete-complete — within that two years post-audit. If you’re into 2019, we’re now a good three-plus years out here.

If you look at that executive expense one, which was zero and is three-plus years out…. Okay. Probably a good question to ask, but….

Maybe that was just a statement of the obvious.

S. Chant: I certainly understand that.

P. Milobar (Chair): Okay. Great. Thank you so much. We’ll have a few deliberations.

M. Pickup: Can I say one more quick thing?

I forgot, so maybe I’ll just kind of go on the record to say…. I forgot while he was here, but the comptroller general, I think, told me beforehand that this was his last PAC meeting.

P. Milobar (Chair): Oh, I didn’t realize that.

M. Pickup: He’s retiring in January. I forgot to thank him.

Comptroller general, if you’re listening, thank you for your work with us as well.

If I could give one more thank you. This is a little bit of a personal one. This month — I want to thank CPA Canada — I’m on the cover of the CPA Canada magazine. I owe the biggest thank you to my colleagues, the ones that are with me and everybody else. I wouldn’t be there if it wasn’t for their success and for the people we audit. Thank you to elected folks, as well, who have made this a good 3½ years.

P. Milobar (Chair): Thank you so much. Congratulations on the magazine cover.

I had heard Carl was retiring, but I didn’t realize it was so soon. I thought it was one of those more future-looking retirements. I feel a little bad now, too, that we didn’t thank him as a committee. We’ll get something to him.

Well, thanks again. We will discuss, as a committee, the various ones that we may want to bring back or not.

We’ll just take, maybe, a quick minute’s break here. The Auditor General doesn’t want to stick around.

The committee recessed from 8:28 p.m. to 8:31 p.m.

[P. Milobar in the chair.]

Follow-up on Implementation
of Recommendations in
Auditor General Reports

P. Milobar (Chair): Okay. We will get started again.

Recognizing that this is our first time working through this list with this process, I’m going to suggest a process here that we kind of offer up names of entities that we might want to see come and report back on their progress or lack thereof, and if there’s something that is…. We’ll keep a running list going if there’s general consensus on the names.

If there’s something that’s really contentious as an individual one-off, we can have a kind of individual, one-name vote. But if it’s like we’re giving and taking on a few of them, then we might as well just move those as a block, if that makes sense.

I don’t know how, otherwise, to get through a committee of nine with 18 different entities that are worth a discussion, possibly, in a timely fashion.

S. Chant: I suggest we don’t invite back the ones that are complete, that are at 100 percent, okay? That knocks some off the list, so we don’t have to talk about them.

P. Milobar (Chair): I think we’re good with that.

J. Rice (Deputy Chair): Just a process question. Should these deliberations be in camera, or is this acceptable to do publicly? I feel like my intuition says in camera.

P. Milobar (Chair): No. My understanding is it’s open. These are all public reports, and we’re just debating whether to bring them back, to Susie’s earlier point, to find out from them, “Are you at 75 percent of the recommendation, or are you at zero percent?” type of thing?

R. Merrifield: I would recommend that we start at 50 percent as a cutoff. Anyone below 50 percent — we look at bringing them up, just bringing them back in rotation, starting with the oldest, going to the newest.

J. Rice (Deputy Chair): Sorry. Can you say that again very slowly?

R. Merrifield: Anything under 50 percent complete — I would recommend we just bring those back and start at the oldest, like the 2019, and then move through them to the 2021.

P. Milobar (Chair): We’ll just have a little discussion before we get….

S. Chandra Herbert: I think I can understand that. I guess the only thing that I wonder about…. Maybe I would ask the Chair and vice-Chair to consider it. If it’s 50 percent and under, sometimes — and I haven’t reviewed every single one of these reports in detail, I must admit — there’ll be very clearly where the government says: “We do not plan on following this recommendation for this reason.”

There’s only one like that? Okay. Okay. Well then, hey, I’m not talking about anything useful, so I’ll be quiet.

R. Leonard: My only problem with going with that straight-line 50 percent is that some organizations had a lot of recommendations, like 11, and another one has two. So the percentages kind of are skewed about that.

Like the B.C. Hydro one. There are only three.

P. Milobar (Chair): Yeah.

Renee, if I could just clarify. If we use Access to Emergency Health Services, just because that’s 50-50, is that what you consider above or below the 50 percent?

No, I’m serious. Because the next one is at 45.

R. Merrifield: I was starting with just anything below 50 percent.

P. Milobar (Chair): So 45 or lower?

[8:35 p.m.]

R. Merrifield: Well, zero to 49 percent.

I would just say that I tried to draw through lines. It’s one of the reasons that I had the question of the Auditor General, because I was trying to look through to see: okay, are these more system-wide recommendations that aren’t able to be implemented? Is it a time constraint? Is it the number and the sheer volume of them?

That’s why I asked for that insight, even, because I could not find the actual through lines. So that’s why I’m saying let’s draw a line at 49 percent and below and just have them come in and discuss it with us.

P. Milobar (Chair): Okay. The way I count it, with the ones that are below 50 percent…. If you remove B.C. Hydro — because as Jennifer pointed out to me, we’d already called them back once, and they’re saying they’re not going to do it — we’d be down to eight out of the 18 that may be recalled back.

So that would be B.C. Oil and Gas Commission’s Management of Non-Operating Oil and Gas Sites, Oversight of Contracted Services for Children and Youth in Care, Protection of Drinking Water, Executive Expenses at School District 36. Those are all from 2019.

Management of Forest Service Roads. That would be 2020.

Management of Medical Device Cybersecurity at the Provincial Health Services Authority, Management of the Conservation Lands Program, Oversight of Dam Safety in British Columbia and Ensuring Long-distance Ground Transportation in Northern B.C.

That would be it.

S. Chant: I would suggest that bringing in Management of Medical Device Cybersecurity at the Provincial Health Services Authority at this point might be not particularly productive, because I suspect that, like some of the other stuff that we were talking about related to cybersecurity, that is a really large project and that they’re progressing along with it.

I don’t think they’re going to be able to tell us anything that’s particularly going to be useful in our deliberations, but that’s just my perception of that particular line.

P. Milobar (Chair): I can always live with that.

J. Tegart: I’m quite comfortable with the Chair and vice-Chair taking a look at it and perhaps recommending to us, but I also don’t want anyone who is outside the 49 percent to think that 50 percent is good enough. I say we start with the 49 percent, and as we do our work, I’m certainly not content with a 50 percent completion and an expectation that if we do have the stuff, we’re good.

I’m happy to start with the information here on the report, but I don’t want anyone to think that 50 percent is good enough.

J. Rice (Deputy Chair): I agree. I don’t want anyone to think 50 percent is acceptable. When I go through the summaries, I feel like we could eliminate some that have a low score, let’s say, based on the fact that I know that we have put in legislation or that we are addressing that. I know that MCFD has certainly progressed on some of those things, so we could….

Not that I want to give anyone, get them off the hook, but I can just tell, because there are many years since 2019, 2020. I can tell that they have progressed. There are things I don’t know. I feel like if that’s kind of what MLA Tegart is suggesting, we could figure that out and come back. Anyways, that’s just one idea. Open to all the others.

P. Milobar (Chair): I guess, on something like that, given the seriousness of it…. I don’t know that they’ve made progress. I mean, we’ve had other reports come out from the child and youth representative say the exact opposite. So I don’t see the harm in asking them to come to the committee, and if they’ve made progress, then they can answer that.

[8:40 p.m.]

If I had to choose between that or the one that Susie pointed out, that’s to me a much more serious prov­ince­wide implication and, if nothing else, provides a broader insight to the public. I think there’s a lot of good with that.

I’m going to try thinking maybe we start with half a dozen and just cut it off at that. We can always reserve the right on the other 12, once we get through those six, but I’ll try to cobble together based on things I’ve been hearing and see if everyone agrees with that.

R. Merrifield: I was just going to say the whole point of a bipartisan committee of this nature is so that we all are on the same page and all given the same information. I would prefer that we create the criteria and then call all of those within the criteria just to give a report on their progress.

S. Chant: I like the idea of taking the first half-dozen because I suspect by then, we’re going to be onto the next report and then the next report coming out from the Auditor General’s office. Maybe not. Maybe we’re more efficient than that.

However, by then, he may have more information that we can use to work forward from then. Just thinking that we get some done, and then when the next report comes in, we see where the update is with that report as well. Integrate that.

R. Leonard: In the previous process, this APPA, which I don’t really have any experience with…. Were we calling back every agency that had not done 100 percent complete, or how was that — just throw up our hands because it was so chaotic?

P. Milobar (Chair): I’ll let this Jennifer answer that because I was here on the very tail end.

J. Arril (Clerk of Committees): The Auditor General’s office spoke about it a bit. Similar to this process on an annual basis, each audited organization would submit an update on their progress. Those updates came directly to the committee as well as to the Office of the Auditor General. They continued to provide updates, even if they were self-assessing as complete. There was no assurance done on them, though. That’s the difference with this report. It’s that the Auditor General is now doing assurance.

Because the progress reports were being submitted every year, as I think Laura Pierce noted, they just kept stacking up. At one point, there were, I want to say, over 35, and the progress reports were about five or six pages each. There were just reams and reams of information. The committee would consider and take a look and, from time to time, call back organizations to follow up or seek additional information in writing. That also happened.

I think the last follow-up meeting occurred in February of this year, where a number of organizations appeared before the committee.

J. Tegart: Just talking about timelines, I think that we have a really important job to do to role model that we don’t let these languish now that we have the report, that we’re not talking next summer to get through six organizations.

As Michael talked today, I think he gave us lots of information in regards to an effective committee and what the role of the committee is. As we feel our way through and learn, I’m quite willing to spend a day listening to reports and questioning and talking and showing that this is important work to us and we are willing to make sure that we’re timely and the word is going to get out that the Public Accounts Committee is calling people in.

[8:45 p.m.]

S. Chant: Yes, I hear what you say. I wonder what happens when we talk about the last presentation to the committee in February of the old system. What happened after those organizations came in and talked? What is the next step? They come in. They offer…. We ask questions, they talk to us, they give their précis of the immediate situation, and then what?

P. Milobar (Chair): They are supposed to go away and complete the work. Then if we feel they haven’t completed the work, we bring them back. That’s why to those ones that have been out there since 2013, that potentially could have been coming back every single year, we finally said: “You know what? Maybe we just need to move on with relevant, more modern recommendations for how the organization of government is now structured.”

That’s the trigger point. We’re supposed to be that group that sends a signal to them: “If you keep ignoring these, we’re not going away. You don’t get to just ignore recommendations.” That’s why this change so that the Auditor General will go back in and do a more in-depth of where they are at and verify what’s going on with the recommendations or not and provide the summary you see with us. But if we want more detail than what they’ve provided, we still have that purview to keep compelling them to come back.

S. Chandra Herbert: I’m not sure exactly what process we’re debating now, but I think that below 50 percent was sensible. I’m okay, myself, with the Chair and vice-Chair being able to look at the reports and come up with what makes sense in terms of timelines. Obviously, I think the sooner you can get at these things, generally the better. There’s also a lot of material here, and then there are continuing Auditor General reports.

I don’t want to be too arbitrary about it, but thinking of my colleague across the way’s point, it is hard to draw a through line of which should be in and which should be out. But I do trust the judgment of the Chair and the vice-Chair to try and help us come together around what makes the most sense in terms of timing, what makes the most sense in terms of what should be captured and what shouldn’t.

I think we look at some of these…. There will be some that we did agree to disagree on, and that’s okay. I think it’s much better to do it this way than to just capture everybody who hasn’t filled every single one of them out and then make them report every single year. That was a waste of time as well. Things weren’t changing in some cases for very good reasons.

P. Milobar (Chair): Yeah. Mindful that some of these are expected — well, they’re all expected updates in the reasonable near future — and then ordering in my own mind and in conversation that we’ve had around what would be important to the public on a broader scale versus not, I just threw together these six real quick based on the reports I read ahead of time.

Out of 2019, it would be the contracted services for children and youth, and the protection of drinking water. Those both seem like fairly significant pieces we would all like to know, as the public.

From 2020, the management of forest service roads. There’s been a lot of talk lately around what’s going on with that in terms of firebreaks and potentially things of that nature. Then from 2021, the conservation lands program, dam safety and the northern B.C. transportation.

To me that seems like a reasonable, broader spectrum of those topics that might be more of public interest and send a signal to people. But I’m open.

If people are comfortable with that as a starting point, I can always confirm things with the vice-Chair. I’m just worried, process-wise, if we need to vote on these. We don’t have another real meeting, and we’re coming near the end of session, so it’d be pretty tough to pull us back for a meeting just to vote. I’ll look to the Clerk on that side of the equation.

J. Arril (Clerk of Committees): Certainly, the committee could decide to take a decision today with respect to some reports to follow up on and request follow-up appearances by audit organizations. The committee could also certainly ask the Chair and Deputy Chair to take this away and come back with a recommendation.

Again, to your point, Chair, I think the committee’s next meeting is right at the end of November, so those recommendations would then not be considered until that time, unless the committee has an appetite to have another meeting scheduled to consider this. There are a few options there.

P. Milobar (Chair): If everyone’s comfortable, if you’re comfortable with that half a dozen or so…. Again, we all have schedules. We’re going to have try to fit in how to make these work. So, let’s walk before we run.

[8:50 p.m.]

If we had a motion or you’re comfortable with myself and Jennifer working on these with the Clerk around a potential list of six that we can agree on by the next meeting, we can make it official at the next meeting. Is everyone comfortable with that?

S. Chant: Is there any reason we can’t agree on them today?

P. Milobar (Chair): No. Sometimes people like a little extra time. If people are comfortable with the six that I mentioned, then….

S. Chant: I think I can be very comfortable.

J. Rice (Deputy Chair): I’m comfortable with us sorting it out tonight.

R. Merrifield: I would love to sort it out tonight, especially if that allows us to, on the 29th meeting, possibly have….

P. Milobar (Chair): These groups will take…. They will want a reasonable amount of time to prepare. The good thing…. The other reason with six is you could reasonably, probably, get through three in a meeting and only need a couple of meetings to see if we want to continue with more or not.

Was there any indigestion around the six that I suggested, or are we comfortable?

R. Leonard: I don’t have any indigestion on that, but I did have a concern around the Oil and Gas Commission. The only reason I’m saying that is it was one of those ones that stood out for me around not having any timelines in place.

If one of the outcomes of having them come and talk to us is to put their minds to timelines to tell the world what they’re intending to do, that, to me, is…. I just read the B.C. Hydro one, intention to complete by 2027. Well, that’s not incomplete, but I’m not going to call them back because they’re 66 percent, because one of them they’re not intending to complete, and so that brought them up. But you already have dumped them from the list.

P. Milobar (Chair): I can live with seven if people want Oil and Gas in there as well. Okay.

So we have…. I have to find the exact names of them all.

Interjection.

P. Milobar (Chair): Yeah, exactly. Well, that’s usually how committees are. This is not my first committee meeting. But compared to a regional district board of 26 electeds, this is much easier to manage. So, yes.

J. Rice (Deputy Chair): I don’t want to complicate things. I realize we’ve been sorting out, I think you mentioned, the protocol or the criteria, but I also feel that we should also be able to select government entities that we want to request a return.

From 2019, I’m personally interested in the access to emergency health services and getting an update on that. If that creates more work for the committee, I’m happy to do so independently, but….

Interjection.

J. Rice (Deputy Chair): They’re at the 50. I’m just expressing that in case other people have the same interest. If not, I’m totally comfortable with speaking to emergency health services on my own.

P. Milobar (Chair): How about this for a suggestion. Now we’re up to eight, and that’s fine. Again, this is new to all of us — this process. How about we do as the committee suggested earlier?

Jennifer and I will have a quick conversation over the next day or two. We’ll distribute a list of names of the eight or so that we kind of agree on, and we can have it here for ratification. We’ll get it to you ahead of time, so if there are any huge problems…. Then we can have a ratification vote on the next meeting, because we’re not going schedule these ahead of that anyways.

My concern…. I forgot we had one before we broke from session. As long as we have that meeting before session ends, we can deal with it then. Does that work for you?

J. Rice (Deputy Chair): Just a point of clarification. If we, though, sort this out tonight, does that not give those entities enough time to prepare to present to us at the end of session? I feel like….

Interjection.

J. Rice (Deputy Chair): That’s okay. You’ve got two Jennifers talking in your ear. I’ll repeat that. I’m fine to take it away. But I also feel like if we sort this out tonight, then we actually give those entities time to gather up their information and formulate a report.

I’m happy to withdraw my suggestion about emergency health services to shorten the list. I do feel like we should just sort this out this evening, because then the Clerk can go and inform these entities that they need to get prepared for the last week of session.

[8:55 p.m.]

S. Chant: Or something.

J. Rice (Deputy Chair): Or something.

P. Milobar (Chair): Well, let’s just see what happens with the eight, because four of the eight are actually from 2019. It’s not unreasonable that we’re asking them what the heck’s taking so long.

S. Chant: Could we agree tonight to send something out to those four and say, “We’d like to see you on the 29th,” in the hopes that we’ll at least get three of them?

P. Milobar (Chair): Well, we won’t get them on the 29th. To Jennifer’s point, this will just give them an extra two or three weeks notice to start getting ready. We’re still going to have to work with the Clerk’s office to find times to make this work.

S. Chant: Do we have sufficient agenda other than this for the 29th?

P. Milobar (Chair): Yes.

S. Chant: Okay.

P. Milobar (Chair): How about we try this as a motion, then?

The motion is that the Select Standing Committee on Public Accounts request that the audited organizations appear before the committee to provide an update on the status of implementing recommendations in the following reports of the Auditor General of British Columbia at the earliest opportunity.

From 2019, Access to Emergency Health Services, The B.C. Oil and Gas Commission’s Management of Non-Oerating Oil and Gas Sites, Oversight of Contracted Services for Children and Youth in Care and Protection of Drinking Water.

From 2020, Management of Forest Service Roads.

From 2021, it was the Management of the Conservation Lands Program, Oversight of Dam Safety in British Columbia and Ensuring Long-distance Ground Transportation in Northern B.C.

That would be the motion if someone wants to move it.

J. Tegart: I’ll move that.

P. Milobar (Chair): Is there a seconder?

Susie. Okay.

Motion approved.

P. Milobar (Chair): Any other discussion? Well, there we go. We got through that. Thank you, everyone.

R. Merrifield: I just wanted to make sure that that does not preclude us from doing another…. If we find that these are really helpful, and they’re really positive, we could go back and say: “Can we add these two at a later date, if the committee agreed?”

P. Milobar (Chair): Absolutely. The other ten are not free and clear. They still have to follow through on those recommendations. We have…. Well, yeah, at 100 percent…. But yeah, that was why this whole process was to streamline and try to get better clarity.

Thank you for everyone’s patience on that.

Any other business? All those in favour of adjournment?

Motion approved.

The committee adjourned at 8:57 p.m.