ARCHIVED - MAF Assessment: Office of the Superintendent of Financial Institutions Canada - 2008

2.1 PAA Consistency: Opportunity for Improvement

• The Strategic Outcome statement(s) can be understood within and outside the department as a benefit to Canadians, however its/their clarity should be improved.

2.2 Measurability: Acceptable

• An adequate Program Activity Architecture has been developed with some issues to be resolved.

2.3 Quality:

• Expected results are not clear and distinct, and are not appropriate to their respective program descriptions.
• The performance indicators are not clear and cannot be used for data collection to provide reliable insight into program effectiveness.

3.1 Business Plan: Strong

• Human resources, IM/IT, communications and other key corporate plans are well integrated and communicated internally.

3.2 Governance Structure: Acceptable

• Management decisions and interventions are generally proactive and timely.
• Organization's corporate governance structure is generally aligned to the organization's PAA.

4.2 Participation in Priority Initiatives: Opportunity for Improvement

• Senior management has made some efforts to engage employees with regards to Public Service Renewal.
• There is an opportunity for the organization to improve its contribution to Public Service Renewal.

TBS has assessed OSFI with regards to its participation in Public Service Renewal (Opportunity for Improvement).

• GIVEN THE SPECIAL REQUIREMENTS AND LIMITED RESOURCES OF SMALL ORGANIZATIONS, SMALL ORGANIZATIONS WERE NOT ASSESSED FOR MAF ROUND VI IN THE AREA OF QUALITY AND USE OF EVALUATION (AOM 6). SMALL ORGANIZATIONS SHOULD CONSULT THE NEW TREASURY BOARD POLICY ON EVALUATION (2009) FOR EVALUATION REQUIREMENTS IN 2009-10 AND FUTURE YEARS.

7.1 MRRS Basis: Acceptable

• RPP and DPR present a clear PAA (with crosswalks as necessary).
• Some performance is reported against plans and expected results from the RPP.

7.2 Credible information: Opportunity for Improvement

• DPR generally provides independently verifiable evidence-based performance information. Some information on the validity and credibility of data used is provided.
• DPR is not sufficiently based on the PAA, i.e. performance is not reported consistently by Program Activity (PA) or at the PA level.
• Linkages between PA and Strategic Outcome (SO) level performance are not consistently made.

7.3 Context: Acceptable

• Comparisons are generally effectively and consistently used in the DPR.
• Reports adequately present the strategic context and operating environment information including challenges, risks, opportunities and capacities.

9.1 Engagement: Strong

• Accountability for key risks is assigned to senior management and performance is assessed.
• Each year, senior management reviews/approves the Corporate Risk Profile more than once.
• Senior management ensures that the organization’s Risk Management approach is tailored to the specific needs of the organization and is adjusted as required.
• Senior management leads by example in this area.
• Senior management reviews the organization’s Risk Management approach on a regular basis – scanning the environment to anticipate changes. This takes place often during the three-year planning cycle.
• The organization has a common risk assessment approach that is adjusted and approved as required by senior management.

9.2 Implementation: Strong

• Risk Management guidance and tools that enable the organization’s risk management approach are made available to staff in a variety of ways. This is proactively communicated to staff.
• The Corporate Risk Profile is systematically (horizontally and vertically) implemented into all operational levels across the organization.
• The organization’s Risk Management approach is regularly communicated to staff and stakeholders in a variety of ways.

9.3 Integration: Strong

• Operational level risks are prioritized into key risks and are adjusted as required.
• Risk information and Risk Management principles are ingrained in senior management reporting.
• Risk information is routinely consulted in senior management decision-making. This is done systematically and explicitly.
• Risk information Risk Management principles are ingrained in planning and resource allocation decisions.
• The organization makes course corrections on an ongoing basis based on Risk Management performance and new information.

9.4 Continuous Improvement: Strong

• Comprehensive risk information was extensively gathered from internal sources of the organization for preparing the CRP.
• Corporate risks are consistently linked to the organization’s strategic outcomes and are adjusted as required.
• Many relevant external sources are consulted during the development of the organization’s CRP.
• The CRP provides a reliable assessment of the quality of risk information used.
• The organization explicitly builds on past experience, better practice, and adjusts to fit any changes in management structures, priorities or strategic direction.

OSFI demonstrates that it values sound risk management practices and consistently integrates risk identification, assessment and mitigation into all aspects of its business.

OSFI should be commended on its efforts as it provides examples of good practices in enterprise risk management and a risk-smart organizational culture that could be adopted by organizations of any size.

10.1 Fair: Strong

• Organization is undertaking action to improve the classification program in accordance with its level of risk.
• This section is based on the assessment submitted by this separate employer to TBP.
• Evidence shows that the organization exceeds standards of timeliness in payments to employees.
• Evidence shows that the organization is proactively seeking labour relations policy direction (terms and conditions of employment, collective agreements and/or applicable legislation).

10.2 Enabling: Acceptable

• The Official Languages portion of this evaluation has been made by CPSA.
• Organization demonstrates a generally adequate linguistic capacity to provide personal and central services and supervision in both official languages.
• Organization has made progress in comparison to the previous year's representation, recruitments and promotions of the four employment equity groups.
• Work instruments, electronic systems and communication tools are generally available in both official languages.

10.3 Healthy and safe: Strong

• This section is based on the assessment submitted by this separate employer to TBP.
• Evidence shows that the organization has in place a well-managed program to protect employees' occupational health and safety which follows or establishes best practices in occupational health and safety.

11.1 Productive: Acceptable

• This section is based on the assessment submitted by this separate employer to TBP.
• A sufficient number of employees indicate their organization supports their career development and learning needs.

11.2 Principled: Acceptable

• The Official Languages portion of this evaluation has been made by CPSA.
• Communications with and services to the public in both official languages are always or nearly always available.
• Employees consider that they generally can communicate in the official language of their choice within their organization and work instruments, electronic systems and communications in both official languages are generally available.
• Necessary linguistic capacity is in place as is shown by the vast majority of incumbents of bilingual positions who meet the language requirements of their position.

11.3 Sustainable: Acceptable

• This section is based on the assessment submitted by this separate employer to TBP.
• Evidence indicates human resources planning integrated with business planning is generally in place and governance/organizational infrastructure generally exists to support it.

11.4 Adaptable: Acceptable

• This section is based on the assessment submitted by this separate employer to TBP.
• A sufficient number of employees indicate their organization encourages continuous learning, improvement and innovation.

12.1 Governance: Strong

• IM requirements are integrated as a part of the approval, development, implementation, evaluation, and reporting of departmental policies, programs, services, or projects.
• IM is fully represented in the corporate-wide governance structure and in the corporate-wide governance or approval committee(s).
• Responsibilities are identified for IM policy development and implementation is wholly consistent with the GC IM Strategy and policy instruments.
• Participation is evident in GC-wide approaches and initiatives related to developing, implementing, sharing, and leveraging IM policies and practices.

12.2 Strategy: Acceptable

• A current and active IM strategy identifies support to business priorities and operations, information needs and accountabilities, IM policy considerations and is partially integrated with other corporate strategies, plans and planning cycles.
• An IM strategy implementation plan, including some timelines and resources, is underway and some achievements to date are identified.
• IM awareness activities are underway in the department to help staff and executives understand their IM roles, responsibilities and accountabilities.

12.3 Privacy Act: Attention Required

• Organization has no institution-specific descriptions of personal information under its control as required by the Privacy Act.

12.4 Access to Information Act: Opportunity for Improvement

• A significant number of institution-specific Classes of Records do not meet Treasury Board Secretariat requirements.
• A significant number of the organization's functions, programs, activities and related information holdings have not been appropriately identified or described in its 2008 Chapter of Info Source: Sources of Federal Government Information. This information is a requirement of the Access to Information Act to facilitate public access to federal government information.

13.1 Leadership: Acceptable

• The senior official has responsibility and accountability for the full scope of information technology responsibilities and ensures that information technology supports organizational outcomes.
• Some participation in setting government-wide directions for information technology is evident.

13.2 Planning: Acceptable

• Acceptable information technology plan is in place that aligns with the government-wide directions for information technology and departmental business needs.
• Organization has aligned corporate and information technology governance structures and has an integrated planning process.

13.3 Value: Acceptable

• Organization is making efforts to appropriately use and plan for further use of information technology shared services.
• Organization devotes adequate management attention to service costing, asset management, performance measurement and reporting to ensure value delivery.

14.1 Investment Planning: Acceptable

• The organization has a current long-term investment planning document that has been approved by the proper authority.
• The organization has a planning document that ranks priority investments.
• Organizational priorities and areas of highest risk are identified and guide investment decisions.
• The investment planning process integrates investments decisions across all asset classes.
• The organization’s investment planning process considers investments over multiple years.

14.3 Materiel Management: Acceptable

• All elements of a materiel management framework are evident.
• Comprehensive internal policies are documented and disseminated.
• Governance structures, approval processes and authority limits are documented and disseminated.
• Reliable and sufficiently integrated information systems are in place.

15.1 Governance and Oversight: Acceptable

• There is evidence of formal project governance and oversight mechanisms and that approved projects are generally linked with the strategic plans and priorities of the organization through established organization-wide procedures. Approval and corrective action decisions are documented.
• There is no evidence that the organization has exceeded Treasury Board project approval limits, or failed to notify TB/TBS when it did.

15.2 Effective Management of Project Resources: Acceptable

• Adequate processes/procedures exist to ensure that planned projects have the required resources to achieve expected outcomes.
• The organization recognizes project management as a discipline and most employees with project management responsibilities have completed relevant project management training.
• There is evidence that most project managers prepare a staffing plan to secure authorization for necessary resources prior to project execution.

15.3 Effective Management of Project Results: Acceptable

• All projects are subject to ongoing monitoring and reporting activities. There is evidence that this information is consistently used to support corrective action and decisions are documented.
• There is a clear link between the review process and project management governance and oversight mechanisms.
• There is evidence of organization-wide procedures and processes which communicate project monitoring and performance information to project managers and project oversight mechanisms.

16.1 Governance and Oversight: Acceptable

• Effective and accountable procurement management processes and controls are in place (e.g., contract review mechanisms, documented decision making, guidance documents, appropriate delegation instruments or proper use of delegated authorities).

16.2 Meeting Operational Requirements: Acceptable

• Efficient and integrated procurement information systems and processes are in place.
• Informed decision making and oversight exist.
• Qualified procurement human resources exist.

Effective and accountable procurement management processes and controls are in place. Qualified procurement human resources exist. Efficient and integrated procurement information systems and processes are in place. Informed decision making and oversight exist.

17.1 Authorities and Policies: Acceptable

• Audit report results show evidence of deficiencies that are of some concern.
• Departmental procedures, tools, training and support for those individuals delegated with Section 34 authority show evidence of good financial management practices.
• Departmental processes for classification of moneys, internal controls for receiving and recording money and depositing money show evidence of good financial management practices.
• Departmental processes for informing those delegated with Section 33 authority of their responsibilities and dealing with requests for payments that are problematic show evidence of solid financial management practices.
• Departmental processes to provide individuals delegated Section 33 authority with the information necessary to assess and approve transactions and to assess the adequacy of Section 34 account verification show evidence of good financial management practices.
• The reporting of external user fee information meets or nearly meets the requirements of the reporting guidelines.

17.2 Public Accounts Reporting: Acceptable

• Ninety to 96% (Grade A) of Public Accounts reporting plates submitted on time.
• Several Financial Management Reporting System (CFMRS) coding errors.

17.3 Management Capacity: Acceptable

• A significant amount of training is provided for the financial management organization.
• All, or almost all, FIs and management team members in the financial management organization have current, approved learning plans.
• Positions, the duties of which are being performed by an individual indeterminately appointed to that position, comprise a low proportion of the FI segment of the financial management organization.
• Positions, the duties of which are being performed by an individual indeterminately appointed to that position, comprise all, or almost all, of the positions on the management team of the financial management organization.
• Some processes in support of a sound succession plan for key positions are in place.

17.4 Financial Statements: Strong

• The Financial Statements are compliant with Treasury Board Accounting Standard 1.2 – Departmental and Agency Financial Statements and reporting deadlines were met.
• The organization received an ‘unqualified audit opinion' with respect to its financial statements.
• There are no known financial internal control weaknesses.

17.5 Internal Reporting: Strong

• The internal financial reporting package is accompanied by a comprehensive discussion and analysis.
• The internal financial reporting package is presented to senior management less than one month after period end.
• The internal financial reporting package is presented to senior management ten or more times per year.
• The process for reviewing information before it is presented to senior management to ensure no material errors or omissions is established.
• The scope of the internal financial reporting package is comprehensive.

The organization received an overall rating of Acceptable as a result of Strong ratings for the quality of its organizational financial statements and progress towards realizing audited financial statements and the quality of its internal financial reporting.

18.1 Internal Audit governance: Strong

• There is an approved Internal Audit Charter in line with the 2006 Policy on Internal Audit.
• The Implementation Plan covers all of the required policy elements.
• Ongoing monitoring of, and progress in implementing, key elements of the plan are on track with planned timelines.
• Chief Audit Executive reports solely and exclusively to the Deputy Head.
• An independent Departmental Audit Committee is in place.
• There is an approved Departmental Audit Committee Charter in line with the 2006 Policy on Internal Audit.
• There is a draft annual Departmental Audit Committee Plan for fiscal year 2008-2009.
• The Departmental Audit Committee has met at least four times over the past twelve months.
• A Departmental Audit Committee (DAC) Annual Report addressing some or all of the eight areas of DAC responsibility has been prepared for fiscal year 2007-2008.
• The Departmental Audit Committee Annual Report for 2007-2008 has been submitted to the Deputy Head and the Office of the Comptroller General.

18.2 Internal Audit Professional Practices: Acceptable

• Annual Risk-Based Audit Plan methodology is, for the most part, evident and applied.
• There is evidence of preparation to provide for holistic assurance.
• All post-engagement follow-up activities are clearly identified.
• There is partial information on the planned use of all audit function resources.
• Vast majority of planned work is on audit assurance versus other types of activities.
• Continuity of previous years work is identified with status or rationale.
• Approved assurance products are consistent with policy and internal audit standards requirements.
• High completion rate of assurance products (number of assurance audit reports) against 2007-2008 Risk-Based Audit Plan.
• Internal Quality Assurance and Improvement Program is documented and is in the process of being implemented.
• Assurance products (reports) are produced in a very timely manner.
• Approved assurance products are made accessible to the public in a reasonably timely manner.
• Post-engagement follow-up process is well documented, and recommendations are followed up using a risk-based approach.
• The department or agency provides notification to the Treasury Board Secretariat on issues of importance on an ad hoc basis or is aware of this requirement.
• The department or agency does not provide notification to the Treasury Board Secretariat on the posting of reports.

18.3 Administration of the Internal Audit Function: Acceptable

• Recruitment and external resourcing activities are guided by a documented Human Resources Plan.
• Investment in Certified Internal Auditor certification, learning and training does not meet the basic requirement of 4% of FTE salaries.

18.4 Internal Audit Performance: Strong

• A Chief Audit Executive Annual Report for 2007-2008 was presented to the Departmental Audit Committee and the Deputy Head and submitted to the Office of the Comptroller General.
• Extensive periodic reporting on the follow-up of Management Action Plans is evident.

The organization has implemented key elements of Internal Audit Governance and Reporting on IA Performance. In particular, the Chief Audit Executive reporting relationship to the Superintendent is established and the Departmental Audit Committee is in place. The DAC and CAE produced approved Annual Reports for 2007-2008. There is extensive periodic reporting on the follow-up of management action plans to the DAC.

19.1 Departmental Security Program: Opportunity for Improvement

• Organization has a partially developed security program that contains some of the required policy elements.
• Some deficiencies in meeting key policy requirements for the departmental security program.

19.2 Management of IT Security (MITS): Acceptable

• Organization has achieved the three priority objectives that form the foundation for Management of Information Technology Security (MITS) and complies with most MITS requirements.
• Some deficiencies in meeting key MITS requirements.

19.3 Business Continuity Planning (BCP):

• Organization has conducted a Business Impact Analysis (BIA) and has determined that it does not provide critical services to the public and private sectors.

Note: The assessment methodology for Line of Evidence 19.3 will be revised for MAF Round VII.  Please refer to the assessment for details.

20.1 Management Engagement – Service and CLF: Opportunity for Improvement

• The institution may have committees or sub-committees which consider and/or make decisions about service. Such committees or sub-committees may not be composed of senior management accountable for services. The institution, however, does not have a committee which is responsible for making decisions about and overseeing service at the institutional level.
• There are limited expectations set by senior management for an institutional focus on meeting the needs of clients, specifically with respect to service standards and client satisfaction measurement.
• There are priorities and goals for service, but not always at the institutional level; these limited priorities and goals are set by senior management based on the use of limited performance evidence.
• There has been no monitoring or no steps to set up monitoring of progress towards the achievement of goals by senior management.
• There is little monitoring by senior management to ensure that the requirements of CLF 2.0 are being met institution-wide; there is limited information on which to make decisions and course correction.

20.2 Public/client views: Acceptable

• Evidence of incorporating feedback in the implementation of its services, programs, policies or initiatives.
• Few tools used to obtain views from clients.
• Minor plans to obtain views from clients.
• Strong evidence of making consultation results available to the public.
• There is a clearly identified target clientele for public consultations.

20.3 Official Languages: Strong

• Analysis of the Annual Review on OL shows the institution is fully meeting its obligations.
• Audits reveal very good performance in active offer and service delivery in both OL.
• No complaint or minimal number of founded complaints exits.
• The institution has the necessary linguistic capacity to serve the public in both OL.