Audit of the Competition Bureau

Audit and Evaluation Branch

May 2009

Recommended for Approval to the Deputy Minister by Departmental Audit Committee on April 30, 2009
Approved by the Deputy Minister on May 1^st, 2009

Table of Contents

• 1.0 Executive Summary
  • 1.1 Introduction
  • 1.2 Main Findings
  • 1.3 Recommendations
  • 1.4 Statement of Assurance
  • 1.5 Audit Opinion
• 2.0 About the Audit
  • 2.1 Background
  • 2.2 Objective
  • 2.3 Scope
  • 2.4 Methodology
• 3.0 Findings and Recommendations
  • 3.1 Introduction
  • 3.2 Governance
    • Finding 1.0: Inadequate communication of actions being taken to deal with sudden changes in the market
    • Recommendation 1.0:
    • Finding 2.0: Knowledge/information management strategy is not formally defined
    • Recommendation 2.0:
  • 3.3 Internal Control
    • Finding 3.0: Incomplete documentation to support review and approval process
    • Recommendation 3.0:
    • Recommendation 3.1:
    • Finding 4.0: Inconsistent application of user access controls
    • Recommendation 4.0:
  • 3.4 Risk Management
• Appendix A: Audit Criteria
• Appendix B: Management Action Plan

1.0 Executive Summary

1.1 Introduction

The Competition Bureau of Industry Canada ("Bureau") is an independent administrative and law enforcement body responsible for the preservation of a competitive marketplace in Canada. The head of the Bureau is the Commissioner of Competition, appointed under the Competition Act. In addition to the Competition Act, the Commissioner is responsible for the administration and enforcement of the Consumer Packaging and Labelling Act, the Textile Labelling Act, and the Precious Metals Marking Act (the "standards-based acts"). The Commissioner of Competition reports to the Industry Canada Deputy Minister for administrative and financial purposes and reports to Parliament via the Minister of Industry with respect to its independent law enforcement role.

This audit was conducted in accordance with the Audit and Evaluation Branch's (AEB) 2008/09 risk-based audit plan which was recommended to the Departmental Audit Committee and approved by the Deputy Minister. The objective of the audit was to provide senior management with assurance that the Bureau's existing internal control, risk management and governance processes in place are functioning as intended and would enable the Bureau's objectives and goals to be met. The scope of the audit focused on four areas:

• Plan and processes to deal with sudden changes in the marketplace;
• Knowledge management systems/processes;
• Processes used to determine which matters to pursue, including obtaining management approvals to use powers under the Competition Act; and,
• Protection of assets, records and information.

The time period the audit covered was from April 1, 2007 to March 31, 2008.

During the planning phase of the audit, it was determined that the Strength, Weaknesses, Opportunities and Threats (SWOT) analysis undertaken by the Bureau addresses some components of the corporate risk management framework and therefore was not considered as key priorities for the Bureau at the time of the audit. The audit did, however, address individual risks in the areas of governance and internal controls.

1.2 Main Findings

Four main findings were identified through the audit:

Governance

1. Steps and actions which are being taken (either formally or informally) to plan for sudden changes in the market are not being adequately communicated to senior management.

2. A strategy has not been formally defined to address knowledge/information management challenges.

Internal Control

3. Documentation used to support approvals was not readily available and a clear process description and set of procedures/guidelines which describe the necessary approval activities that should be performed by Bureau staff were incomplete or not clear.

4. Some of the controls implemented by the Bureau regarding authorization, modification, review and termination of user access to the network and key systems were not operating effectively.

1.3 Recommendations

To address the findings described above, the following recommendations are provided:

Governance

1. The Deputy Commissioner, Compliance and Operations Branch, should communicate, to the Bureau's senior management team, the steps and actions to be taken (either formally or informally) to deal with sudden changes in the market.

2. The Deputy Commissioner, Compliance and Operations Branch should ensure efforts continue to define the Bureau's overall strategy for knowledge and information management to address issues noted as well as defining overall requirements for governance, roles/responsibilities, and enabling systems.

Internal Control

3. The Deputy Commissioners of each Branch should ensure that procedures regarding the expected and acceptable level of file documentation, review and approval, are documented, communicated and enforced.

3.1 The Deputy Commissioner, Compliance and Operations Branch should ensure that an approach be implemented to ensure quality control over compliance with established procedures for file documentation, review and approval.

4. The Deputy Commissioner, Compliance and Operations Branch should strengthen controls around management and monitoring of user access to key Bureau networks, systems and data centers by ensuring that supporting user authorization evidence is obtained and retained, a periodic review of user network access privileges is conducted, and procedural guidance for key Bureau security procedures is developed.

1.4 Statement of Assurance

In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria. The opinion is applicable only to the entities examined and within the scope described herein.

1.5 Audit Opinion

In my opinion, the Competition Bureau has moderate weaknesses, with moderate risk exposures related to control and governance processes that require management attention.

Bill Merklinger
Chief Audit Executive, Industry Canada

Date

2.0 About the Audit

2.1 Background

The Competition Bureau of Industry Canada ("Bureau") is an independent administrative and law enforcement body responsible for the preservation of a competitive marketplace in Canada. The head of the Bureau is the Commissioner of Competition, appointed under the Competition Act. In addition to the Competition Act, the Commissioner is responsible for the administration and enforcement of the Consumer Packaging and Labelling Act, the Textile Labelling Act, and the Precious Metals Marking Act (the "standards-based acts"). The Commissioner of Competition reports to the Industry Canada Deputy Minister for administrative and financial purposes and reports to Parliament via the Minister of Industry with respect to its independent law enforcement role.

As a unique enforcement agency, the Commissioner and the Bureau are required to respect these Acts and the formal powers and responsibilities granted to the Bureau. The Acts stipulate when the Commissioner can make an inquiry; how and when the Bureau can issue warrants; what records and computer systems can be possessed; and, when and for what purposes the Bureau can summon witnesses. The Acts also detail the responsibilities of the Bureau in caring for copies, records, items seized, and returning records at the completion of an investigation or decision. The Acts also define the legal definition of a notifiable transaction, and unwanted offence and/or undesired anti-competitive behaviors (e.g. bid rigging, conspiracy, cartel etc).

The Bureau is comprised of eight branches: Mergers, Criminal Matters, Civil Matters, Fair Business Practices, Compliance and Operations, Economic Policy and Enforcement, External Relations, and Public Affairs and Legislative and Parliamentary Affairs. At the time of the audit, the Bureau employed approximately 440 people, consisting of approximately 360 people in the National Capital Region and 80 in seven regional offices.

2.2 Objective

The objective of the audit was to provide senior management with assurance that the Bureau's existing internal control, risk management and governance processes in place are functioning as intended and would enable the Bureau's objectives and goals to be met.

2.3 Scope

The scope of the audit focused on four areas:

• Plan and processes to deal with sudden changes in the marketplace;
• Knowledge management systems/processes;
• Processes used to determine which matters to pursue, including obtaining management approvals to use powers under the Competition Act; and,
• Protection of assets, records and information.

The time period the audit covered was from April 1, 2007 to March 31, 2008.

2.4 Methodology

This internal audit of the Competition Bureau was conducted following the Standards for the Professional Practice of Internal Auditing as per the Institute of Internal Auditors (IIA) and in accordance with the Federal Government Policy on Internal Audit. The approach to the audit consisted of the following:

• A risk and control self-assessment working session was held with members of the Bureau management team in the audit planning (preliminary survey) phase and the results, along with the results of interviews and document review, formed the basis for the audit program followed for this audit;
• Documentation was examined to gain an understanding of the internal control framework, Bureau processes and procedures, and supporting analysis and documentation used by the Bureau;
• A sample of 55 case files, closed in fiscal year 2007/08, were selected and examined to test key controls for effectiveness and consistency in application. This sample represented a statistical sample of total closed cases. The audit team randomly selected closed cases from each branch (including headquarters and regions) based on a proportional volume of activity;
• A total of 21 interviews with stakeholders, management, and staff of the Bureau were conducted for inquiry and corroboration; and,
• A site visit was conducted of Bureau systems and server rooms.

The information gathered through the above procedures was analyzed against the audit criteria contained in Appendix A. The audit criteria selected for this audit were based on the Treasury Board Core Management Controls, in combination with 'risk-based' controls that were specific to the Bureau. The audit criteria were designed to enable an assessment of key practices, procedures and controls in place within the Bureau.

Audit fieldwork was conducted between August 2008 and October 2008.

3.0 Findings and Recommendations

3.1 Introduction

This section presents detailed findings from the audit of the Competition Bureau.

In addition to the findings presented below, observations of conditions that were non-systemic and of low materiality and risk have been communicated to management in the form of a Management Letter for their consideration.

3.2 Governance

Finding 1.0: Inadequate communication of actions being taken to deal with sudden changes in the market

The possibility that a sudden change occurs in the market place (e.g. merger between two companies with significant market share) which requires the Bureau to quickly obtain increased funding and resources, or change current focus for a large portion of the Bureau's staff, was identified by Bureau senior management as a high risk. Although the impact to the Bureau could be significant (in terms of workload, reprioritization of efforts, etc.), historically, there has been a low likelihood of such a sudden change occurring. Bureau management reported that predicting which industry sector these changes could occur in is not practical or feasible and therefore, the development of a formal contingency plan or formal preparedness process has not been considered a priority to date.

The audit noted a contingency measure being implemented by the Bureau—specifically, a draft Treasury Board Submission template has been developed to outline the terms and conditions for emergency increases in funding and resources. Bureau management reported that other initiatives (e.g. competency based recruiting) and teaming strategies (e.g. sector teams) have also been implemented, which, although not specifically put in place to prepare for a sudden change in the market place, do provide opportunities for cross-training of staff which would be beneficial if a sudden change in the market did occur. In addition, macro-environment trends/changes (e.g. recession, credit crisis) are discussed at Bureau senior management meetings and through periodic discussions with industry and government personnel.

However, as the possibility of a sudden change in the market continues to be identified by Bureau senior management as a high risk area, the Bureau has acknowledged that its steps and actions in this area need to be better articulated and communicated to senior management to alleviate concerns.

Recommendation 1.0:

The Deputy Commissioner, Compliance and Operations Branch, should communicate, to the Bureau's senior management team, the steps and actions being taken (either formally or informally) to deal with sudden changes in the market.

Finding 2.0: Knowledge/information management strategy is not formally defined

The Bureau has recently formed a management committee to investigate the Bureau's knowledge management, information management, information technology and intelligence gathering requirements. This is one of the Bureau's top priorities for fiscal year 2008-09. This committee is a cross-branch committee and its purpose is to gather comments from all Branches on knowledge/information management needs, priorities, and capacity. The committee will make its recommendations to the Bureau senior management committee in the Spring of 2009. As such, the Bureau has not yet defined or communicated a strategy for knowledge/information management.

The focus of this audit criterion pertained to the management of information which is relevant and pertinent to assist Competition Officers in completing their investigation (i.e. "case knowledge/information"). Through the course of the audit, a number of information management challenges were noted:

• Version control—File naming conventions and file structures are not formalized; therefore, it is not always clear to Competition Officers which version of key documents on the Bureau's shared drive is the most recent.
• When referring to the Bureau's Record Creation, Handling, and Destruction Policy paragraph 169, the Library and Archives Act S.12(1), and the Policy on Access to Information and Privacy, Bureau personnel reported that there is sometimes confusion over when draft and transitory copies of documents should be retained. This is evidenced by the fact that many people are sharing different drafts of the same document in different folders.
• Information stored on the Bureau's shared drive is not easily searchable, making it more difficult for Competition Officers to search and find relevant precedents and market research on similar cases.
• While an intranet site (Cintra) is used to store templates which are used by Competition Officers, it was reported that the information stored on the intranet site is not always current. As a result, it has become common practice to use recently completed documents as the template. This increases the risk that incorrect documents are used and possibly incorrect processes are being followed.
• A database application developed internally to assist with knowledge management/ information management needs ("Toolbox") has not yet received formal approval and recognition as the Bureau's central repository for current versions of key documents. To date, there is no governance structure defined or formal budget assigned for the "Toolbox" and no individual or group has been assigned ongoing responsibility for populating the "Toolbox".

The primary risk in the above noted discrepancies is the ability to access and quickly retrieve reliable information and templates, perform market research and share precedent case information/analysis that are critical to conducting investigations. By not adequately managing knowledge and information, there is also a risk that incorrect decisions could be made based on incomplete or incorrect information.

Recommendation 2.0:

The Deputy Commissioner, Compliance and Operations Branch should ensure efforts continue to define the Bureau's overall strategy for knowledge and information management to address issues noted as well as defining overall requirements for governance, roles/responsibilities, and enabling systems.

3.3 Internal Control

Finding 3.0: Incomplete documentation to support review and approval process

The Bureau follows an established process and set of procedures to determine which matters to pursue and to ensure all necessary approvals are obtained on decisions taken in order to uphold the Bureau's formal powers under the Acts. Although Bureau branches have developed assorted templates and practice guides, with the exception of one Branch, the audit team did not find a clear process description and set of procedures/guidelines which describe the necessary approval activities which should be performed by Bureau staff (i.e. who approves, how they evidence their approval, when/where they approve) throughout the process. The primary risk of inadequate documentation of the process is that it increases the likelihood that inconsistent or unexpected practices may be followed and decisions taken.

While a review/approval process is being followed, 22 out of 55 (40%) files reviewed did not have key control documents or signed copies on file as expected, and the documents could not be provided by Competition Officers upon request. The key risk of incomplete documentation or "audit trail" is that it reduces management's ability to demonstrate due diligence and oversight over review and approval processes.

Recommendation 3.0:

The Deputy Commissioners of each Branch should ensure that procedures regarding the expected and acceptable level of file documentation, review and approval, are documented, communicated and enforced.

Recommendation 3.1:

The Deputy Commissioner, Compliance and Operations Branch should ensure that an approach be implemented to ensure quality control over compliance with established procedures for file documentation, review and approval.

Finding 4.0: Inconsistent application of user access controls

The audit team noted the following areas where user access controls could be improved:

1. Inconsistent supporting evidence of user access authorizations:
   • Evidence of user access authorizations was not always available. New user access authorizations are controlled by Managers/Supervisors, who have further delegated this duty to Branch Administrators. The audit, however, did not find a detailed listing, indicating which Branch Administrators are authorized to request new user access. The audit also found that not all new user access requests were accompanied by evidence of the Manager or Supervisor's approval for granting access. A test indicated that 11 out of 15 (73%) documents returned to the Bureau did not have evidence of proper approval. By not adequately maintaining supporting evidence of user access authorizations, there is increased risk of inappropriate user access and the ability of management to demonstrate due diligence and oversight is reduced.
2. Informal review of user access and access privileges:
   • A formal, periodic review of Bureau network and Bureau Information Management System (BIMS) user accounts, as well as the data centre electronic swipe card access log was not being conducted. Evidence of a review to ensure user account access privileges remain appropriate was also not retained. In addition, we noted that user account modifications and terminations were not always processed in a timely manner (i.e. in less than 2 days from departure). A review of a sample of 15 BIMS accounts identified that 9 out of 15 (60%) accounts took longer then 2 days and a review of a sample of 15 network accounts identified 8 out of 15 (53%) accounts took longer then 2 days to terminate. By not conducting a periodic review of user access and ensuring timely termination of user accounts, there is increased risk of unauthorized access.
3. Incomplete procedural guidance for some Bureau-specific security procedures:
   • It was noted that the Bureau relies primarily on Industry Canada's and the Government of Canada's security policies for guidance/reference. Some additional security procedures and practices, however, have been developed to meet the Bureau's specific security requirements. With regards to the Bureau-specific security practices, the audit did not find documented procedural guidance which explained how the Bureau's practices were to be implemented. Specifically, further explanation of the required procedures for the following areas were noted as areas for improvement: user administration (i.e. procedures for granting new user access, modifications to user access, and removal of user access) and information technology (IT) operations (i.e. procedures for IT change management, batch and/or job scheduling, backups, destruction of media). Without more specific procedural guidance, there is an increased risk of non-compliance with expected practices as well as a potential loss of corporate memory with respect to processes that should be followed, should the Bureau experience staff turnover in these areas.

Recommendation 4.0:

The Deputy Commissioner, Compliance and Operations Branch should strengthen controls around management and monitoring of user access to key Bureau networks, systems and data centres by ensuring that supporting user authorization evidence is obtained and retained, a periodic review of user network access privileges is conducted, and procedural guidance for key Bureau security procedures is developed.

3.4 Risk Management

During the planning phase (preliminary survey) of the audit Risk Management was discussed with the Bureau's management. They identified a series of practices they have in place including a SWOT analysis which is part of their annual corporate planning and business planning processes. In finalizing the scope for the conduct phase of the audit, other core management control areas were identified as a higher risk and priority. As a result, Risk Management was not examined further in the conduct phase of the audit.

Appendix A: Audit Criteria

The following audit criteria were used in this audit:

Methods are developed to acquire necessary resources and tools to deal with sudden changes in the market place.

• Management regularly monitors changes in the market place and takes appropriate action.
• Agreements with stakeholders for additional capacity and resources are in place.
• Programs and/or initiatives to prepare for sudden changes in the market place are in place and actively managed.
• Actions and steps taken by senior management to prepare for sudden changes in the market place are communicated.

Knowledge is effectively captured, documented and shared within the Bureau.

• Knowledge/information management requirements have been identified and a plan is in place to address needs.
• Policies and procedures relating to acquiring, retaining, archiving, expiration, and destruction of content exist.
• Resources responsible for organizing, classifying and controlling access to content are in place.
• An ongoing communications/awareness process is in place for the use and dissemination of content.
• A person or team is responsible for compliance with policies (e.g., monitoring, auditing, evaluating).
• A maintenance and on-going review process for content is in place.

Process used to determine which matters to pursue, including obtaining management approvals to use powers under the Competition Act.

• A formal process exists and procedures have been developed to determine which matters/advocacy to pursue.
• All necessary and appropriate approvals are obtained from senior management to pursue a case or undergo an investigation of a matter.
• Case file management, acknowledgements (e.g. letters to counsel), completion of templates, and record retention is performed in accordance to Bureau policies.
• Approvals throughout key steps in the process are appropriately documented.
• Tracking and monitoring of performance standards and key events is performed.

Assets and confidentiality of client (e.g. business) information is protected (i.e. records and information, access/physical protection).

• Users are authenticated and required to have a unique user identifier in order to establish accountability.
• Formal IT policies have been established to provide for the overall direction and implementation of information security. Compliance with these policies is monitored.
• The ability to make modifications to overall system security parameters is limited to appropriate personnel.
• Authorized access to sensitive data is logged and the logs are regularly reviewed.
• Application owners authorize user access privileges and ensure access privileges remain appropriate. Procedures are in place to modify and delete user access in a timely manner.
• Backups are performed on a timely basis to ensure the recovery of case information is available to staff in the event of system outage or if a disaster is declared.

Appendix B: Management Action Plan

Project Name/Number: Audit of the Competition Bureau

Updated As At: April 30, 2009