2005 Audit Recommendations - Status Tracking

Document 2

Audit: Management Control Framework

(EMC Lead: K.Kirkpatrick / Staff Lead: various

Audit Recommendation

Management Response

Comments

Budget Implications
2007 or Beyond

Related Council Motions

Status Update

Audit Management Response

Action Required Based on DCM Implementation Plan

Management Timelines (Q1- Q4)

(Risks, issues regarding implementation, etc)

($$ if known)

That the City Manager ensure there is a review to update the Centres of Expertise Service Level Agreements, including definition of performance levels, monitoring requirements and approach for identifying and resolving issues or disputes.

Management agrees with this recommendation. A draft proposed process, addressing all of these elements, will be presented to Senior Management Team (SMT) at the January 2006 meeting. This project is a priority identified in the 2006 Corporate Services departmental business plan and will be included in the 2006 workplan of the Office of the Chief Corporate Services Officer.

This project is a priority identified in the 2006 Corporate Services departmental business plan and will be included in the 2006 workplan of the Office of the Chief Corporate Services Officer.

Q4 - 2006

January 2008 - EMC discussed this January 14. Action: COE Branch Directors to prepare a Briefing Note to address the following questions: Outline Audit recommendations specific to their branch and management responses re COE model and its components; Outline branch issues that came out of 2006 COE review work and assessment of what is required to be done to address; Outline of work that has occurred since 2006 and work yet to occur with respect to branch plans to address outstanding COE issues; Associated timelines and proposed process to implement. Briefing Notes to be considered at the April 7/14 EMC meeting.

Sept 2007: This recommendation will be reviewed by the EMT in Q1,2008.

May 31, 2007: Due to recent reorg changes, this recommendation will be reviewed by the Exec. Director, Business Transformation Services. Members of EMC & SMT continue to treat this as a significant issue and work on this project will be undertaken as part of transformational initiatives in the last two quarters of 2007.

The CCSO and Members of EMC & SMT continue to treat
this as a significant issue. Work on this project has
slowed down as a result of the accelerated 2007 Budget
approval process and the availability of resources in CS
and the availability of Directors.

That the Chief Corporate Services Officer develop a formal financial management control framework that clearly defines financial management accountabilities, control objectives, risks and the related control processes/mechanisms that have been put in place to mitigate the risks. The roles and responsibilities as they relate to shared services (in particular, the Financial Support Units) should link to those set out in the Service Level Agreements between Financial Services and client departments.

Management agrees with the recommendation to develop an overall framework. If this framework is supposed to be broad and intended to describe general control objectives, levels of responsibility, overall control policies and philosophy, then this exercise is achievable in 2006, likely within existing resources. One specific issue that will be addressed, as part of the SLA updates noted in the response above, will be a clarification of the role of the Financial Support Units, so that services will be provided on a consistent basis and their role will be well understood Management will also establish parameters for review of transactions that will be consistently applied.

The development of a financial control framework has not been initiated as the Auditor has undertaken an audit of the Financial Control Environment. This second audit will undoubtedly provide more substance as to the nature of the control framework therefore the work has been put on hold until the completion of the second audit.

Completion in Q2 2008

While the original response indicated that the framework could be developed with existing resources this no longer is possible therefore to undertake this work in 2007 will require one-time funding of $100,000 to hire a consultant to deal with this and whatever arises from the 2nd audit.

Jan 2008 - In October 2007, KPMG was engaged to develop an integrated financial control framework for the City of Ottawa. The consultants have completed the fieldwork, including site interviews with a number of stakeholders and other senior managers across the Corporation. A draft report is expected from the consultants by mid-February, following which it will be circulated to all stakeholders for their review and comments. The final report is expected by the end of February 2008.

Sept 2007 - Management agrees that a financial management control framework is vital to the successful operation of any mature business entity. Financial Services branch has examined alternative approaches to the development of the framework, taking into consideration the potential scope of this exercise and the impact of the framework on the rest of the corporation, and is recommending the adoption of a more holistic approach involving representativess of all management levels. Best practice in this area requires an integrated approach involving the key elements of an effective internal control system.

i.e. (1) Organizatinal Control Environment, (2) Risk Assessment , (3) Control Activities, (4) Information and communication, and (5) Monitoring. The completion of the framework is also predicated on the review of the roles and responsibilities of the Financial Support Units. These activities will be addressed by the Business Process Review Project that is currently underway.

May 31, 2007:The development of a financial management framework will be completed in conjunction with the implementation of the recommendations of the 2006 Audit of the Financial Control Environment. The expected completion is Q2 2008.

That the CCPR Officer introduce integrated risk management within the City, as part of the planning and performance management cycle. This would include such activities as:

a) development of an integrated risk management policy,

b) development of tools and approaches for risk management, and

c) provision of risk management training.

Although Management agrees with the Auditor General’s recommendation in principle, Management does not believe it would be practical to implement this recommendation at this point. The cost/benefit of implementing a full blown, organization-wide risk management initiative, as suggested by the Auditor General, is not clear, nor is it clear that this is a widely accepted best practice in municipal governance. Recent implementation of these types of programs in the private sector has been driven to a considerable extent by Sarbanes-Oxley requirements in the U.S. To Management’s knowledge, in the few cases where Canadian municipalities have experimented with them, implementation has not been successful.

Management’s priority at this point, from a management control framework perspective, is on rolling out the planning framework and developing and implementing the performance measurement and reporting framework, throughout the organization over the next 2-3 years. Nonetheless, certain steps Management is taking to enhance the Corporate planning process, such as the presentation of a comprehensive
environmental scan, which will identify risks to be considered in
developing the City Corporate Plan and Departmental
Business plans, will address this issue.

We do not believe it would be practical to implement this recommendation at this point. The cost/benefit of implementing a full blown, organization-wide risk management initiative, as suggested by the Auditor General, is not clear, nor is it clear that this is a widely accepted best practice in municipal governance. To our knowledge, in the few cases where Canadian municipalities have experimented with them, implementation has not been successful. Our priority at this point, from a management control framework perspective, is on rolling out the planning framework and developing and implementing the performance measurement and reporting framework, throughout the organization over the next 2-3 years.

N/A

$425K was never addressed in the original report - Revised financial implication coming forward in revised businss case.

Jan 2008 - The required funding for 2008 has been provisionally approved pending completion of the Operational Budget Reviews for Administrative Services. On 7 March 2008 a presentation will be made to Long-Range Financial Planning Sub-Committee outlining the planned approach to the broader, systems-wide initiative of "Enterprise Risk Management". Risk management approaches have been included in the detailed design for the strategic branch review process, that will go to Council on 13 March 2008.

Sept 2007 - The required funding for 2008 has been submitted as a budget pressure. In the meantime, risk management approaches are being built in to the conceptual design which has begun for the branch service review process.

May 31, 2007 - agreed to with action plan

Subject to further discussion between the Auditor General and the Council Audit Working Group. A business case for the potential implementation of an integrated risk management framework was completed in January 2007. Staff recommendation remains deferring implementation of such a framework to focus on other priorities.

Regarding the development of an integrated risk management policy management, Management believes that the Auditor General’s observations in this area should take into account that the City has a risk management policy, which was approved by Council in 2001, confirms the City’s commitment to sound risk management processes. Some of the specific measures that Corporate Services has taken to explicitly address risks in different areas are outlined in this policy. For example, risk management principles are explicitly applied in investment decisions, in decisions regarding insurance coverage and in providing and maintaining safe conditions in the workplace. In addition, risk management processes are also applied in other key areas.

Nonetheless, certain steps we are taking to enhance the Corporate planning process, such as the presentation of a comprehensive environmental scan, which will identify risks to be considered in developing the City Corporate Plan and Departmental Business plans, will address this issue. We have also developed an estimate of the cost involved in implementing an
integrated risk framework on a
Corporate-wide basis and will include
this activity for consideration by Council in the 2007 budget submission.

CAWG considered the business case at its meeting on January 29th.

CPPRO will undertake the following to address the AG recommendation: i) modify the existing risk management policy or develop a new Corporate integrated risk management policy by 2008;
ii) introduce into its guidance for the preparation of branch business plans, a section that outlines the potential risks to the achievement of the branch objectives; iii) develop a template that can be used to capture the 3-5 most significant risks for each branch & how those risks are addressed - this will be integrated with the branch business plan templates & will be made available in 2008 for the 2009 business planning cycle; & iv) develop a course to be offered in the latter part of 2008 on risk management relating to the application of these concepts & the use of the template.

Cont'd

The Emergency Measures Unit has identified catastrophic risks that could impact the City and has developed a program/plan to address them. Moreover, on an ongoing basis, Public Works staff perform construction/maintenance project risk assessments and procedures have been adopted by the City to ensure that risks are reasonably transferred through the tender, contract and agreement process. Both Real Property Asset Management and Public Works and Services have adopted Comprehensive Asset Management Strategies that have been approved by City Council and that include inventories, gap analyses
and strategies for decommissioning and rehabilitating infrastructure reaching the end of its lifecycle.

Yes

Since the budget requirement was identified after the tabling of the original report, discussion and approval will be required of CAWG.
This course will be offered to management staff involved in the the evaluation of risk as part of the business planning process. We estimate the cost of policy development, training material development & delivery is $150K, which we will include as a budget pressure for 2008.

That the Chief Corporate Services Officer complete plans for reviewing and updating corporate administrative policies and developing a new corporate policy framework, which should include a single point of access, common look and feel, the consolidation of by-laws, and defining a timetable for when the process will be completed. Departments should monitor their plans to ensure that the harmonization of operational policies and procedures are completed on a timely basis.

Management agrees. Plans are currently being developed within Corporate Administrative Policy and Performance Management (CAPPM) for reviewing and updating Corporate Administrative Policies and developing a new corporate policy framework. This framework will be completed and presented to EMC for approval in Q4 2006.

In defining a timetable for when the overall policy update process will be completed, consideration has to be given to availability of resources. The same resources to complete work outlined in 4.2 COE, will be deployed to complete this work. The Management Advisory Committee chaired by the Chief Corporate Services Officer will prioritize the updating of policies.

Plans are currently being developed within CAPPM for reviewing and updating Corporate Administrative Policies and developing a new corporate policy framework. This framework will be completed and presented to EMC for approval in 2006. The Management Advisory Committee chaired by the Chief Corporate Services Officer will prioritize the updating of policies.

by Q4 2008

Jan 2008 - Corporate policy review and approval continues to be coordinated centrally through the Office of the Executive Director of Business Transformation Services. The ongoing governance and policy framework will be reviewed later this year by the Executive Director of Business Transformation Services

Sept 2007 -
The following activities have been completed:
1. The Corporate Administrative Policy structure has been reviewed and updated and is now available electronically to all staff on Ozone, the City's Intranet.
2. This forms the single point of access for corporate administrative policies and procedures, providing a common look and feel with easy to search capability.
3. Consolidation of by-laws completed and also easily accessible to all staff on Ozone.

With recent reorganizational changes and direction, the Executive Director of Business Transformation Services will review delegated authority for the approval of policies formerly held by the Chief Corporate Services Officer. Once completed, the framework will be updated as required.

By-laws are now consolidated on the City’s Intranet, work being completed by these same resources.

With regard to departments monitoring of their plans to ensure timely harmonization of operational policies and procedures, management agrees but no specific changes or initiatives are required in response to this recommendation. As noted by the Auditor General, this responsibility rests with each department. CAPPM will work with each department regarding Corporate Administrative Policy to share experience, tools and approaches, however operational policies and procedures at the sub-corporate level (Departmental or Branch) are the responsibility of those policy owners. The CAPPM will monitor the implementation of the corporate framework and report on an annual basis to the Chief Corporate Services Officer.