NOVA SCOTIA HOUSE OF ASSEMBLY
Wednesday, December 12, 2018
December 2018 - Report of the Auditor General
Printed and Published by Nova Scotia Hansard Reporting Services
Public Accounts Committee
Mr. Eddie Orrell (Chairman)
Mr. Gordon Wilson (Vice-Chairman)
Mr. Ben Jessome
Ms. Suzanne Lohnes-Croft
Mr. Brendan Maguire
Mr. Hugh MacKay
Mr. Tim Halman
Ms. Lisa Roberts
Ms. Susan Leblanc
[Mr. Brendan Maguire was replaced by Ms. Rafah DiCostanzo.]
Ms. Kim Langille
Legislative Committee Clerk
Mr. Gordon Hebb
Chief Legislative Counsel
Office of the Auditor General
Mr. Michael Pickup,
Mr. Andrew Atherton,
Assistant Auditor General
Mr. Adam Harding,
Senior Audit Principal
Ms. Ashley Richardson,
HALIFAX, WEDNESDAY, DECEMBER 12, 2018
STANDING COMMITTEE ON PUBLIC ACCOUNTS
Mr. Eddie Orrell
Mr. Gordon Wilson
MR. CHAIRMAN: I’d like to call the meeting of the Public Accounts Committee to order. Today on the agenda, we have the Office of the Auditor General. First of all, if I could remind everybody, if they have their phone, to turn it on vibrate or silent. I would ask the committee members to introduce themselves.
[The committee members introduced themselves.]
MR. CHAIRMAN: On today’s agenda, we have officials from the Office of the Auditor General with us to discuss the December 2018 Report of the Auditor General. If I could right now, I’d ask the witnesses to introduce themselves and then make their opening remarks.
[The witnesses introduced themselves.]
MR. CHAIRMAN: We’ll open the floor now to discussions, beginning with the PC caucus for 20 minutes. Mr. Halman.
MR. TIM HALMAN: I want to thank the Office of the Auditor General for conducting this audit. This is very important work being done on behalf of your office, specifically as it relates to the IWK. This is an institution very near and dear to the hearts of Nova Scotians. My two children were born at the IWK.
I appreciate the remarks you had made in your video clip, Mr. Pickup, that this audit has to do with financial oversight and not the great work being done at that facility, the great medical staff. I appreciate you making that comment.
That being said, after reading the report on the IWK financial management, in my mind, it’s clear that a scandal was inevitable. I think back to my career as a teacher. When I served as an athletic director, simple purchases for the school for athletic equipment would require three quotes, and your supervisor would not sign off to authorize that purchase without you proving that you did your due diligence and got the best price for your school.
Certainly, from the experience that I had and that perspective, for myself and I think many Nova Scotians, what’s revealed in your report, specifically in Chapter 2 related to the IWK, is quite alarming. I think we can say there has been a catastrophic failure in the oversight of the IWK. Did your audit reveal any sort of pathway or slippery slope that led us to this point?
MR. CHAIRMAN: Mr. Pickup.
MR. MICHAEL PICKUP: In relation to answering your question, I just want to set the groundwork a little bit. On the financial controls themselves, we examine seven key business processes, we call them in accounting - anything from payroll and accounts payable, human resources, to procurement. Those are business processes. In each of those seven areas, we found that in fact internal controls were ineffective.
So let’s roll back in terms of your question, to say how far back or what laid the groundwork that those things could happen. This is why we looked at tone from the top - what was the role of the board of directors and the senior management group, and were they effectively managing controls or overseeing controls or setting the tone so that internal controls were important?
We gave some clear examples and I would give you two examples, so as not to use up too much of your time. One of the examples I would give is that if we roll back to 2013-14, the board had an external consultant report that told them they weren’t setting the tone at the top with the proper emphasis on internal controls. That warning sign was there that internal controls - there needed to be more work at the board level.
The second example I would give you is that approximately 13 financial risks came to the attention of the board by management - including a high risk procurement area - but the board didn’t turn back and say to management, follow up with us, we want to know how you’re handling that risk, we want to know how you’re managing that risk. What happened with those 13 risks is that only five of them went back to the board and two of those were lower-risk ones. Procurement never, ever went back to the board.
Am I surprised that we ended up where we are, given all of that? To go back to the start of my answer, we have seven key business processes that don’t have effective controls. No, because I think it did start at the top.
MR. HALMAN: So essentially we’ve known since 2014 that there were issues. Red flags were raised with respect to financial oversight. Do you think it is then fair for the minister and the Premier to indicate that they have full confidence in the board when we’ve known since 2014 that there were some major issues that needed to be addressed?
MR. PICKUP: What I will focus on is our comments and conclusions on whether we believe that the board was effective in overseeing financial management and controls during our audit period. To me, that is clear.
I think in fairness to the board and to the IWK, they’ve accepted our recommendations and they have started working on things. I’m trying to put some context here and some fairness to say they haven’t rejected what we’ve said, they have already started working on things but frankly, I think they have a lot of work left to be done.
I wouldn’t go beyond that, sticking to the audit conclusions and the points that we raised.
MR. HALMAN: Starting this year, Mr. Pickup, your office will conduct the annual financial audit. Based on what you know, will you be able to offer a clean audit or do you anticipate having to qualify the audit?
MR. PICKUP: For now we are at the planning phase of the audit and in through a certain number of steps. Those steps include identifying and figuring out - assessing, if you will - what the risk is to a material misstatement of financial reporting. Then whatever we determine the risk to be, that’s how we plan our procedures.
So in simple non-audit terms, the higher risk the engagement, the more audit hours it is likely going to take. So for the 2019 year end, which is the first year end that we are the financial auditors, we have classified the IWK financial audit as a high-risk audit. Therefore, we are planning our resources accordingly and we have a plan to do that.
In terms of what that will mean, I sure hope we will be able to get the audit evidence we need and make the conclusions to ultimately be able to issue an opinion - goal number one is to have an opinion - and I certainly would hope that we can gather the evidence and make the judgments to eventually be able to have an unmodified - or clean, if you will - opinion.
Today, not having gone through the audit - I mean, we can’t prejudge what the results of that testing will be, but I can leave you with this. It is a high-risk audit for us, but I believe we have planned it to gather the evidence needed to make the judgments so that we can have an audit opinion, say, early June 2019.
MR. HALMAN: Mr. Pickup, could you elaborate what you mean by a high-risk audit. What does that mean?
MR. PICKUP: High risk means the risk on the financial statements to what we call a material misstatement. A material misstatement is that level of precision, if you will. When you pick up a set of financial statements - a balance sheet, an income statement for the IWK or for the Royal Bank or for your local charity - the audit opinion goes with that. The auditors decide at the outset and throughout the audit what the risk is for a misstatement in those financial statements?
If the organization is spending $300 million, for example, you’re saying what the risk is that there may be a misstatement in there that you will detect in your audit. When I say “high risk,” that means we have to plan to do a lot of testing to be very comfortable that we can give an opinion to the precision we want or the materiality we want on those financial statements.
I know that’s a long, technical audit-type answer, but it is fairly technical, if you will.
MR. HALMAN: Thank you, Mr. Pickup, for clarifying. You certainly go in depth in Chapter 2 as to what the issues are, and I appreciate you making those recommendations. I’m curious, though - in the audit, did you and the staff find any indication that the Premier and the Minister of Health and Wellness stepped in along the way to try to fix what was happening? Was there any evidence of that occurring?
MR. PICKUP: I will look to my right to my colleague if they want to add anything different, but I would say that we saw nothing - it was actually the opposite way. There would be reporting from the board through to others that they may report to in some sort of fashion, being a somewhat independent board, so keep that in mind. But I know of nothing in terms of reporting to ministers or others in terms of the state of controls. We are not aware of anything having gone from the IWK.
I think honestly, that doesn’t surprise me because I’m not sure the board itself wasn’t aware of the state of internal control, so I’m not sure how they would have been reporting outward or to the Department of Health and Wellness or to anybody else on the poor state of their internal controls if they weren’t aware of it themselves.
MR. HALMAN: It can be said, Mr. Pickup, that if you take something seriously, you participate and you oversee it. The fact that there were two vacant spaces on that board that I suppose should have been appointed by the government - do you believe that was a fatal mistake, in terms of the end goal of mitigating and reducing financial mismanagement? Do you believe that was a critical error?
MR. PICKUP: In terms of the number of board positions and how many board positions there should be and when they get filled, that’s probably more of a policy decision, a government decision.
What I think is important is if you sign up to be a board member, and you’re going to be a board member, you know what you’re facing - you know how many board members an organization has. For example, if you got appointed to a board and there was 20 people and there was only 10 people on the board, and there had only been 10 of 20 people for 10 years, you might question whether you want to be on that board, given the probably enhanced responsibility you have.
I think the number of vacancies on the board shouldn’t dismiss or diminish the responsibilities that the board has - particularly the board’s work through committees. There would be a finance, audit and risk committee, for example, of the board. Boards very much work by those committees, so I think that would probably be as far as I would go on that.
MR. HALMAN: Correct me if I’m wrong. This is a board that oversees a budget of over $300 million, and it is a volunteer board. As far as you know, what training or professional development is offered to members of the board to ensure competency, to ensure that there is an awareness of the expectations? Could you clarify and perhaps provide some answers to that?
MR. PICKUP: We didn’t look to individual training plans for board members or what training they may or may not have taken. I would suggest, respectfully, that when people sign up to be board members in Canada, the responsibilities are fairly laid out. It’s fairly clear what your responsibilities as a board member are. There’s all kinds of training that is available for people to take.
I think ultimately, my view would be - and this may be the professional accountant part of me speaking - that if you take on board member responsibilities, you figure out what kind of training you may need, you figure out where you are in your own maturity as a potential board member, and then you plan accordingly. Likely not everybody would be in the same situation. To directly answer your question, we didn’t look at things like training plans and competencies and what the board may or may not have taken. We really did look at whether they did A, B, and C, for example.
MR. HALMAN: It has been indicated by the current chair of the board that it’s the hope that Nova Scotians will judge what’s happening with that board based on what they’re doing now in terms of the actions they’re taking to correct the financial mismanagement of this institution. I’m very curious in terms of what policies are now being worked on by that board and by that institution as it relates to fraud. Would you be able to comment on that?
MR. PICKUP: The responses that they gave to the recommendations were fairly detailed. One of the things that they talk about in there is now having a fraud policy in place, having done a fraud risk assessment. They have played catch-up to some extent and have done these things, but again I reported to the House in October on where public sector organizations are on fraud risk assessments. In fact, I think four out of 22 organizations had fraud risk assessments, so there are lots of other organizations out there that aren’t doing this and that haven’t done it. I made that report in October, and I think I’m at the Public Accounts Committee next week on a related matter. Anyway, I digress a little bit.
The responses are detailed. They are working on things. I want to be fair. While we judged over a period of time on the things that weren’t done and the issues we have, the commitment is there to do things and work on the responses to the recommendations.
MR. HALMAN: Can you comment on any specifics that they have as it relates to fraud? You have indicated that there are a lot of institutions within government that don’t do that. That reminds me of the old statement in the classroom, “Everybody’s doing it, so it must be okay.” To me, we have to do better when it comes to this. When it comes to moving forward, what are they doing specifically to try to address fraud issues?
MR. PICKUP: I just want to clarify, I completely meant the opposite of the way that might have sounded. I didn’t mean that’s fine because others aren’t doing it. I mean I hope people are somewhat doubling down on their concern here now in terms of okay, we see some of the bad things that can happen when organizations aren’t doing these types of things. The Auditor General has been commenting to the House on the lack of movement on fraud since 2016. If anything, it was to elevate my concern, to say I hope this will be, not a lesson, but an experience worth reading for those organizations that haven’t taken it upon themselves to do fraud risk assessments. I just want to clarify that.
If I go to Page 26, for example, in their response, they talk about a policy on wrongdoing. A fraud hotline was improved in February 2018. They talk about policies relating to fraud and investments. They were reviewed by the committee in November 2018 and will be brought forward for approval by the board at its December meeting.
There is a lot of fluidity, I think, in the responses in terms of things happening well after the audit period, in some of these cases, and through the Fall. Whether these things are all done now and where they stand now is a question obviously better addressed to the IWK.
MR. HALMAN: Thank you, Mr. Pickup. So the nature of the questions very much will now be very detailed. I’m curious as to what’s happening now, what they’re doing now in certain areas. I believe that’s of great concern to Nova Scotians.
With respect to travel and hospitality, would you be able to comment on what they’re doing now to ensure they are improving the situation?
MR. PICKUP: I know these answers can be frustrating when I remind you that we cut off during the audit at the end of the audit period to say okay, was this being done and then we make the audit conclusions and give the recommendations. Then in their responses, they may put things like I just referred to - policies are being developed or have been developed subsequent to the audit period.
I think those types of questions, in terms of the responses themselves and where they actually stand now with policy in terms of - probably what is more relevant is an update today from the IWK of where they stand. I think from where I sit, that is an excellent question that I think can help alleviate people’s concerns, to know okay, where are they now in terms of dealing with these things. I know that can be a frustrating answer.
MR. CHAIRMAN: Mr. Halman, with just over a minute.
MR. HALMAN: So essentially then things related to internal meeting expenses, in terms of staff social events, gifts of appreciation, signing authority and of course procurement - in terms of the notes that I took - we wouldn’t be able to get answers today as to what steps are happening now, what steps are being taken to ensure this is being corrected. Is that essentially what is being stated here?
MR. PICKUP: You can go to the responses where they have indicated what they say they are doing but those responses are not audited, of course. They say things have happened in some of the responses, like November 28th, the risk was reviewed, policies were reviewed, things were put in place. But again, I can’t give an audit opinion on that because it is a response that we just left and essentially was given to us to print.
MR. CHAIRMAN: Thank you. That concludes the time for the PC caucus. I’ll turn it over to the NDP caucus and Ms. Roberts.
MS. LISA ROBERTS: I’d like to also start with the IWK audit. I wonder, there’s reference to this 2012 report on financial risks in the organization and reference to certain sort of lower-risk areas being addressed in terms of risks while some others were not addressed. What sort of things were fixed after issues were raised in 2012? Could you give us an example of a change made back in 2012, or subsequent to that?
MR. PICKUP: Sure. I’ll have to look to my colleague here if we have the details with us on that.
MR. CHAIRMAN: Mr. Harding.
MR. ADAM HARDING: In terms of what we looked at for what had been improved, some of the risks they had identified were things around revenue collection and collectability, operational processes and policies, and that sort of thing. We had looked at reporting that was taking place up to the board, through the Finance and Audit Committee. It was reporting and plans that they had at that point in time, in terms of they were looking at policies, they were doing reviews, they were taking action that way.
We didn’t delve into that in tremendous detail because a lot of the work from 2012 was before audit periods, so we were looking at it from the perspective of what reporting took place within our audit period, which was January 2014. We were just looking at that initial reporting, that was sort of the last main reporting that took place to that committee that we saw around those risks. After that, it transitioned more to the Enterprise Risk Management Framework that we talk about in the report.
MS. ROBERTS: The word “risk” is used many times in the report so I guess I’m just trying to understand what the risk is in a more concrete fashion. One is that there would be a risk that goods would be procured that either actually were not received or else where there would be a procurement process where the organization is not giving the best value for money for the items that are required. Could I have you speak a little bit more in terms of what that risk actually looks like, in a way that I can understand?
MR. PICKUP: A couple of risks that we identified ourselves through the audit, and then I’m going to give you a couple that they’ve identified themselves as well. For us, one of the risks is on the approval. The approval process is meant to ensure that you’re buying things that have been properly approved at the proper price. The goods and services, for example - a normal control procedure would be that you only pay for things when there’s evidence that the goods or services were received. In many cases, we couldn’t find evidence that the goods or services were received, which increases the risk that you pay for things without having received them.
On the procurement contracts, they couldn’t find 80 per cent of the procurement contracts. That creates all kinds of risks like, how can you hold a vender responsible? What if you have issues? How do you demonstrate that you’ve followed proper procurement without being able to find the contracts? You run the risk of paying too much when you can’t demonstrate that you got three quotes? Those are some of the risks we identified.
I will point out Paragraph 2.12 on Page 27 - in early 2018, during the course of the audit, management did some work on procurement and they did a review of the procurement process. They identified 242 gaps in the procurement process. To go to your question on what kind of risks there are in that, they indicated that there were 19 near-misses in the supply chain. A near-miss has the potential to negatively impact health care. That’s their assessment, not ours. What we’re reporting here is their own review process during our audit, when we were there, indicated some of these things.
If you look at number three, “Half of the items physically counted during a mid-year inventory count were different from the values in the inventory system.” Management said it could be the result of theft, error, or other reasons. That can be kind of concerning when you think you have 10 of something in your records and you’re counting on 10 of something, and then tomorrow you need to use eight of them because something happened, but you go to get them and you only have two. You can see why they would identify the potential risk of impacting something other than accounting by that. Is that helpful?
MS. ROBERTS: Yes, thank you. I guess part of me is just wanting to connect this back to patients and back to families. One decision that I’m very aware of was a decision that was made by management in 2017 to abruptly end a program that supported primarily low-income moms and a lot of new immigrant moms and moms of multiple babies.
That program, called Extra Support for Parents, would have had a budget of - I’m guessing a little bit, but it had three staff and a whole bunch of volunteers, of whom I was one at one point in time. I’m guessing that the budget for that very modest program would have been in the range of $300,000, which is what management estimated that they saved between June 2016 and early 2018, just trying to tighten up some of the controls on procurement.
Would it be a stretch to say that because of these risks and because of the lack of controls on expenditures, that decisions may have been made that had negative impacts for patients because certain spending decisions were made based on a financial picture that was distorted by lack of good financial management?
MR. PICKUP: That would go beyond what we looked at. When we looked at control weaknesses, we say that has the potential of these types of things happening, versus trying to make a direct correlation between A and B. I think for people running the organization, that’s probably a fair question for them to answer.
MS. ROBERTS: I’m pretty sure that somewhere in here there’s reference to a tip line. I wonder if you can discuss your thoughts around a tip line and whether that has been accepted as a practice that will be used moving forward.
I recall from news reports that predated your office being called on to look at the IWK that there were efforts by people within the organization to question. It’s very difficult to question if the folks who are higher up than you, are, in fact, not responding with any alarm to bad practices.
MR. PICKUP: Two answers to that. One answer would be that if we step out of the IWK, for example - I’ve been talking about fraud since 2016, so it predates any of the issues we have here at the IWK. I’ve made the recommendations to government in previous reports to the House that I thought there needed to be fraud risk policies, fraud risk assessments and an evaluation of the usefulness of a fraud risk hotline.
Fraud risk hotlines can be done relatively effectively, based on my understanding, but I didn’t say go have a hotline. I said at least evaluate the need because in some organizations it may make more sense than in others. There may be a way to do that with economy and efficiency so that not everybody is sort of reinventing process.
I had made that suggestion - recommendation, if you will - on the need for a hotline. That is my lead-in to say I do feel the research shows, and based on my experience, that fraud hotlines work. They work because people will use the hotlines, whatever you call them - hotlines, tips, wrong-doing lines. Whatever they are, people will use them. Research and the empirical evidence in cases show that organizations generally have less fraud.
I think how you do that has to make sense. I mean, an organization probably doesn’t want to spend $1 million on a fraud hotline to control $20,000, but these things aren’t $1 million any more.
Anyway, the long and short of that is the government accepted that recommendation for the core of government. They are going to put a hotline in place for the core of government. In their response on Page 26, the IWK said, “A Policy on Wrong Doing which includes a fraud hotline was approved in February 2018 and has since been implemented.” They say it is now in place.
MS. ROBERTS: So we can follow up and ask them how that has been implemented, when we have them in here.
MR. PICKUP: Yes.
MS. ROBERTS: Thank you. Do I understand correctly that there has been a fraud hotline actually implemented for the core of government as well?
MR. PICKUP: If I go back, rolling back here in my head to the last time we had an update on this, I believe the last update said the evaluation had happened and the plan was for the end of this calendar year to get a hotline up and running in the core. I am going by memory from that and generally it works.
MS. ROBERTS: Just going back one more time to some of the risks, there was a risk identified that I’m not entirely sure if I understand what that looks like, in terms of lack of storage, choices being made to move executive offices into a space that had previously been used for inventory. What sort of risks did that result in?
MR. PICKUP: I’m going to let Mr. Harding take that question.
MR. HARDING: That change was to move administrative services in the IWK into some of the lower levels. In terms of risk by reducing the amount of inventory storage space, what you are doing is effectively saying, we are going to be holding less inventory on hand so we’re going to have to order inventory more frequently.
By holding less on hand it creates a risk that you might be more susceptible to supply disruptions, that you may not have as much inventory on hand. If you haven’t done a full assessment, you may not know that you have enough of something that you need. That’s the type of risk that gets created when you say we’re simply going to reduce inventory storage space.
MS. ROBERTS: From the time that you spent in the organization, what sort of items would they have been storing? Obviously I understand that explanation quite well if we’re talking about drugs, if we’re talking about formula that’s used with pre-term babies - I don’t know exactly in this case.
MR. HARDING: I couldn’t give you a lot of specifics as to the exact type of inventory but again, it should be the general inventory that a hospital would carry: supplies, equipment, the regular day-to-day operations and the items that they would use.
MS. ROBERTS: I am going to move to the management and oversight of information technology in the health sector. There’s reference in the audit to a key executive oversight committee responsible for overseeing IT that has never met, or at least did not meet in the audit period. Can you indicate who would have been on that committee?
MR. CHAIRMAN: Ms. Richardson.
MS. ASHLEY RICHARDSON: I don’t think I would be able to tell you off the top of my head. We would probably have that information, if it was defined. I wouldn’t say it right now.
MR. PICKUP: You’re probably not looking for exact names, though, are you?
MS. ROBERTS: Functions.
MR. PICKUP: I would think it would be the more senior folks from the four parties that are part of it, how to salvage this executive oversight committee. But we didn’t get into the details of what level down in the departments, but very senior.
MS. ROBERTS: There was an executive oversight committee that didn’t meet to oversee IT. Also, from the audit, there were no signed agreements between the four parties in terms of defining each of their roles in oversight. Can I just have some of your general thoughts in terms of the consequences of that and how surprising or alarming that was to discover?
MR. PICKUP: A couple of thoughts on that, and we do these audits to identify exposures or risks in order to tighten them up, I like to say, so bad things don’t happen. This is really about having secure and available systems.
On roles and responsibilities and the clarity around roles and responsibilities, we give the example where the Department of Health and Wellness and the Nova Scotia Health Authority haven’t been able to reach an agreement on who’s responsible for the drug information system. What you don’t want to see is unclear responsibility so that something is getting done one way and not another, or something is not getting done, or something drops off the table. That would be an example, I think, of the importance of clarifying roles and responsibilities and who is to do what so that you’re not into those types of disagreements.
MS. ROBERTS: Given that the province is currently in a procurement process for a major health information system, One Person One Record, what should we as representatives on this committee but also as citizens of Nova Scotia be specifically concerned about as that procurement process rolls out?
MR. PICKUP: To be completely fair, we haven’t audited One Person One Record, for example, but part of why we did this audit was to look at some of the oversight and management of some of the basic IT systems.
We made a recommendation to government to say you ought to take the recommendations out of this audit, and look at them on things like One Person One Record so as to prevent any issues - not to say there are issues, because we haven’t audited that. It’s probably not a stretch to think if you have issues on the basic IT, that you probably want to give those some thought as you look at these systems to do as well.
We made that recommendation. There’s no disagreement with these four parties: yes, you’re right, we do need to clarify these things, and then we need to look at them for the OPOR as an example as well.
MS. ROBERTS: Given that that procurement process is already somewhere mid-stream, what could or should we be calling on the government to do to ensure that Nova Scotians are not being left at risk?
MR. PICKUP: I believe this audit report and the good work the team did on this lays out some really good questions if you take the six recommendations and turn them into questions and say, how are you dealing with these things on OPOR, for example - give us some comfort. There are specifics in these recommendations. Are you managing risk? What kind of framework do you have over risk from procurement right on through to implementation? So high-level questions but that are very specific - whether it is on risk, whether it is on roles and responsibilities. Have they clearly defined roles and responsibilities for OPOR? Does everybody have agreement on these?
This is about governance. What kind of oversight is happening? If there is a committee in place, is it meeting? What is it doing? Is it providing direction? Again, I’m not saying these things aren’t happening. You asked me - the way I took the question was, what can we take from this to ask not only on the basic IT stuff, but on things like OPOR. I think this gives a nice little road map, and that’s part of why we did this audit - to provide both government - the people we audit, but also the House - with some thoughts on these big IT projects that are coming.
I always say, there is no point us coming well after the fact, in my view, to say, you know when you were doing OPOR, you should have defined roles and responsibilities - you should have had governance, you should have had risk management framework. We’re laying it out for you now in terms of the questions you might want to ask.
MS. ROBERTS: Much of this audit does speak to four parties: the Nova Scotia Health Authority, the IWK Health Centre, the Department of Internal Services, and the Department of Health and Wellness. Where does the buck stop? Which of those parties is the party which is primarily responsible for ensuring that that risk management framework is in place?
MR. PICKUP: I think we have clearly answered. I think I am trying to be helpful to the House, to this committee and to Nova Scotians to say primary responsibility goes to the Department of Health and Wellness. They are the lead here. There is no disagreement with them on that. They are the lead department. People like the Department of Internal Services are a service provider, and the Nova Scotia Health Authority and the IWK are important partners to this, but that lead organization is the Department of Health and Wellness.
That’s why we put so much of it on them in terms of, “You need to step up here and take the lead on these things.” But equally if you look at the recommendations, the recommendations all aren’t to the Department of Health and Wellness. They are the lead and then the other organizations have their part to do as well.
MR. CHAIRMAN: That concludes the NDP caucus questioning. We’ll now move to the Liberal caucus and Mr. Gordon Wilson.
MR. GORDON WILSON: Thank you Mr. Pickup, and your team for your report. Just to start, I think you’ve touched on it a couple of times, but it’s always good to emphasize the role and responsibility of the AG in the Public Accounts Committee. I know that we’re working hard here as a team to try to refocus that. I think you’ve brought a lot of points forward - not just on your audits on how important it is to have those folks here before the Public Accounts Committee, but also on the follow-up side. I think we are striving to do a better job there, which sends a good message out, I believe, to a lot of the departments. The role of the Public Accounts Committee is one that is going to look at that.
I have a few questions and then will pass on to my colleagues here. There was an audit done, I believe, in June 2017 by Grant Thornton that was commissioned by the board. Did you use any portions of that audit in your foundational work or start-up or conclusions?
MR. PICKUP: I’m rolling back in my head to 2017. When that report that you refer to came out in terms of those expenses, I reached out to the IWK, to the Chair, and asked to meet with him to have a discussion around the report. I wanted to read it and go through it. That was very much a starting point for us in seeing the need to do a performance audit, because as you know, unless we’re directed somehow by Executive Council, which audits we do and where we spend our limited resources is a question of risk and judgment.
Once we saw that, there was enough there through that and through discussions to say there is a need to do something and we need to figure out what that something is.
MR. WILSON: Thank you. In determining it, I know that sometimes we don’t focus enough in your report on the objectives and criteria for all three chapters. Can you give me the process you would have gone through to set those objectives and criteria - not only for Chapter 2, but for Chapter 1 and 3?
MR. PICKUP: Sure, I love these types of questions because they are so important to the work we do. Audit standards require, and of course we fulfill those, that at the planning stage when we get out talking to organizations - let’s say we’re thinking about doing an audit in IT or thinking about doing an audit at the IWK. We would get out and talk to the organizations, review some documents, do some planning work, some preliminary work, to say okay, what are we trying to solve here in terms of a question? What is the audit objective?
The audit objective is, essentially, what questions are we trying to answer and can we get to a yes/no? When we figure out what that audit objective then is - because there may be more than one on an audit - we say okay, here’s what we think the audit objective is. Then we have a discussion around what the criteria would be. The criteria are simply the bar - how we are going to judge, how we are going to evaluate, what are we going to gather evidence around - to answer whether you meet that criteria.
If you have an audit objective that you’re trying to answer the question, then you come up with the four or five criteria as to how you are going to answer that, then the important thing for us - and I know I’m getting to your question - is that we then go back to the organizations that we’re auditing.
If it’s the department with the deputy minister and those folks - or if it’s an organization like the IWK to the board - we send a very brief audit plan to say here’s what we see as the audit objectives, here’s what we see as the audit criteria, let’s have a discussion around those. That is the time, at the planning stage, if you don’t agree on the audit objective, if you have concerns or if you think the criteria that you’re going to be evaluated against - I was going to say too high or too low, probably too high - if you think the audit criteria aren’t appropriate or missing something, then you have that discussion at the planning step.
Why that is important is because once you put that to rest, when you get into evaluating the evidence, gathering the evidence and saying okay, what are we going to report on, you’re not going back to say I don’t like the criteria you’re holding me against. No, no, we had that discussion. Unless there’s something very odd that happened, you don’t go changing the audit criteria after you’ve completed the audit because you don’t like the answer to the criteria.
I can be honest - after 30 years doing this, that hasn’t happened very often where somebody will say, oh, I don’t like the criteria anymore, let’s change the criteria because I don’t like the answer that came out of that.
That’s sort of the typical process - oh, not typical, that is the process on all of our performance audits.
MR. WILSON: Thank you. I’ve got just a quick question for our clerk. With the recommendations that were accepted - and I believe there were six, all six on the IT one, all 10 in the IWK and all three with the WCB - have we received, or when will we be receiving action plans on those recommendations from those departments?
I surprised you by asking you a question, didn’t I? I got Hansard all off.
MS. KIM LANGILLE (Legislative Committee Clerk): I think what was decided is that once the department or the entities were called in that we would then request them to provide the action plan and then we would do a follow-up at some point later, saying okay, maybe it’s a year later, then we’re going to follow up again to ask where they are now. So it’s up to the committee to decide when they’re going to bring them in and I will then say can you provide us with your action plan.
MR. WILSON: Would it be outside of the realm of possibilities to ask them to start preparing those action plans now, even before we’re asking them to come in?
MS. LANGILLE: If that is the wish of the committee.
MR. WILSON: Okay, just a thought.
Just a note - I was curious about the objectives and criteria because I think what it does also is it starts that entity - whatever audit it might be that you are doing - thinking of okay, here’s where we’re going to be focusing but at the same time thinking on here’s some areas that maybe we need to be fixing - risks, like you said, fraud, all those things.
I do believe you mentioned controlled enhancements on payables was completed January of this year; disclosure of wrongdoing and policy confidential tip line was completed in May 2018; an organizational integrated financial reporting tool was completed in August of this year; risk registry and re-evaluation by management and presented to FARM was completed November 2018. I believe also that the fraud risk assessment through Nova Scotia Internal Services was completed in June 2018; the enhancement to existing travel and hospitality policies, which certainly probably started a lot of the problems, was completed January 2018; and enhanced credit card controls were completed. It would be interesting to see with the other recommendations where we’re at.
Lastly, you talked about implementation has risen from 50 to 75 per cent. Sometimes I get confused by that number. Is that implementation of actual recommendations? Can you refer to exactly what that would mean and what those numbers refer to in your audit?
MR. PICKUP: When I refer to 75 per cent completion rate or implementation rate - and I probably use those interchangeably - that is the completion by the organization of the response to the recommendation, which we then feel if we agree with the completion that addresses the recommendation that we made.
MR. WILSON: Is this noted in your follow-up reports? Sometimes those follow-up report numbers seem different than that.
MR. PICKUP: The follow-up report that we did in the Spring of this year, 75 per cent was the overall completion rate. If you get into individual departments or you start breaking down by audits or by multiple years, but the blended overall rate - the one number that I keep using is the 75 per cent.
MR. CHAIRMAN: Ms. Lohnes-Croft.
MS. SUZANNE LOHNES-CROFT: Mr. Chairman, welcome to the seat and I look forward to working with you for the next while.
The financial committee’s terms of reference you referred to didn’t meet the best practices. You cite that there seemed to be - you refer to the tone at the top of the organization on internal controls. Can you explain what that tone was?
MR. PICKUP: Tone at the top would include the board of directors and senior management to ask, what message in fact are these folks sending to people in the organization about the importance of the internal controls? When I refer to tone, it is really a summary of what those actions say about the importance of internal controls.
For example, when I would say the board didn’t follow up or its committee didn’t follow up with management - when they ask management for things and management didn’t come back, so management then would say, they asked us for that and we didn’t give it to them - they’re not following up. That would contribute to a tone that says, follow-up is not that important, internal controls are not as important.
Asking the tough questions, doing the follow-up, having the rigour - that’s what tone is. It’s the totality of all those individual things that create something called tone.
MS. LOHNES-CROFT: Did you feel there was any kind of culture of fear amongst the board or the executive decision makers and the management?
MR. PICKUP: I think I would keep it to the comments we made around not placing the proper emphasis on the importance of internal controls and asking the tough questions. Why those things weren’t done - you would have to pose those to the organization themselves, to the board, in terms of asking some of those types of questions.
MS. LOHNES-CROFT: I notice that there is now a matrix going through for board members, and it should be passed in December - I think the December board meeting. It was approved in September, and it’s going through this month. Was anyone from your department consulted or asked to review this matrix to see if they were on track?
MR. PICKUP: The short answer is no.
MS. LOHNES-CROFT: Okay, that’s good. I’m just going back to my notes - I found reference to a lack of documentation. That seems to be a pattern at the IWK. When people were asked for information, there was a lack of documentation or getting back and reporting instances. I cite Paragraph 2.35 if you’re looking for it. What kind of recommendations did you make towards suggestions that they could be more detailed?
MR. PICKUP: There’s the example you give in terms of documentation of how a committee demonstrates its effectiveness. Often the only way to assess these things is through minutes, through discussions back and forth, through how you exercise follow-up. For example, if a board asked management a question and wanted management to report back to them and we got that out of committee minutes for example, we would then expect to see something somewhere either in minutes that management did get back to folks, or somebody provide us with emails or notes to say this was done through this means. In that case, that wasn’t happening.
MS. LOHNES-CROFT: What improvements on internal controls have you found? When you went back in to talk to the IWK, did they indicate that they had begun implementing some internal controls? If so, which ones?
MR. PICKUP: In terms of the audit conclusions, I think it’s clear, and you’re not asking me about the audit conclusions, so I won’t go in and back through the support for the audit conclusions.
MS. LOHNES-CROFT: Okay.
MR. PICKUP: I’ll focus on your point. I think your point really comes through in the responses to the recommendations. Our audit period went up to, say, March 2018. A number of the responses talk about things that may have been started at that point, may have been ongoing, may have been started in November, or may have been subsequent to that. It really is through the responses that you see where they indicate that they have made progress.
While I try to support and show and explain the audit results to folks, I want to be a bit fair here as well, and say it’s not like nothing has been done subsequent to us raising these points, but I do have to focus on the audit results. The results stand as they are. The responses and the things that have happened, I think, really should come through in a discussion with the folks from the IWK themselves and ask, are these things in fact done, what has been the result of these, where do they stand now?
MS. LOHNES-CROFT: Moving on to the IT management, can you explain how you go in and audit IT management in different organizations?
MR. PICKUP: I just want to refer you to the audit objectives in that audit. If we go to Page 18 of Chapter 1, this very much is the starting point of an audit. We get in, we do some planning, we do some discussion, and we talk to folks. Then we ask, what are we trying to answer here? What question? What is our audit objective? On this one, we came up with the appropriate IT governance - I’m on Page 18 of that chapter.
Then we come up with criteria. What criteria were we looking at to see if they were implemented? This is where we get into things like risk management frameworks, processes to align IT with the needs of the business. We go through and we identify what are the key criteria that we’re going to look at.
To get to that point, this doesn’t happen in a vacuum, with our team sitting across the street and just in our offices coming up with this. There’s back and forth, there’s discussion. I think I’ve been at this for 30 years now and things have changed over the last 30 years where it is more of this back and forth and discussion. I think I have frank discussions with deputy ministers, with CEOs, and I am of the view that they look at these audits as being useful and what does that mean. Well it means if you think we’re missing a criteria, if you think we’re missing an audit objective, my experience has been that people will tell us you know what, we might have an exposure here, we might have a risk here, we might have an issue but I would hope you would consider adding that to your audit, I hope you would consider looking at that.
I think the days are gone by long ago where people say yes, I hope the auditors come in, they don’t do anything that’s risk-based, they don’t look at anything that’s going to cause us concern, they don’t do anything that’s going to be an issue. That’s not my experience with the senior folks in government. They do look at this as being helpful and they know that I would say to a deputy minister or a CEO, we have limited resources as well, we want to make sure we’re doing the important stuff so if you don’t think we should be in here, tell us why and tell us what we should be looking at. Tell us where the high-risk areas are, and I think that’s going well.
MS. LOHNES-CROFT: Do departments do pre-audits themselves, like to look for their own faults or weaknesses or gaps?
MR. PICKUP: I think that depends on what the topic is, depends on what the issue is. Sometime organizations will do self-assessment processes. I mean internal controls is a great example. Honestly, it shouldn’t be the Auditor General’s Office coming to tell an organization that their internal controls are working or not working. That is incumbent on the organization to figure out. They should be doing the processes to assess whether they have internal controls, to see if they are effective, to monitor them on an ongoing basis. If I relate it back to internal controls, organizations should be doing that. Whether they are is what we see in audits like this.
MS. LOHNES-CROFT: Okay, thank you.
MR. CHAIRMAN: We’ll move on to the PC caucus, Mr. Halman, for 12 minutes each round.
MR. HALMAN: I want to thank Mr. Pickup and the staff of the Auditor General’s Office. I’ve listened attentively to the questions from my colleagues in the NDP caucus and the Liberal caucus.
I’d like to go back to Chapter 2, to the IWK, and sort of a couple of other follow-up questions I had prior to my colleagues taking over. Specifically, with respect to when I was asking sort of where we are now in terms of the IWK adequately addressing the recommendations, and of course I do recognize that there are some limitations to the response you can give. I’m curious, has the board asked for your opinion in terms of moving forward? Has there been an attempt to reach out to you to get your input on the best way forward, the best practices forward?
MR. PICKUP: I pause only because I have to be careful how I answer that question in the sense of what can be a non-loaded term in a non-audit world can mean a lot in an audit world. When you asked did they ask for an opinion, an opinion is what we give, for example, on the financial statements after an audit, so an opinion means like a separate engagement.
To give like the technical answer, there is no opinion or advance ruling on the responses to the recommendations, for example.
As we went through this audit, as we cleared findings, as we brought up points, I think the agreement to the underlying facts, the agreement to the conclusions, the agreement to the recommendations is the result of some level of discussion, without us having said that that will exactly address our recommendations.
At the same time, I’m trying to be helpful to you in answering the question to say, if we saw a response and we thought this is absolutely ridiculous, we would have a discussion with the organization to say - while we don’t give advance rulings - do you really think this is going to deal with it? Particularly if they told us something is going to take two years to do and they want to do a response that will be done in six weeks but they told us it will take two years, I would feel a responsibility to speak up and say something about that.
I know it’s not a simple answer to the question but I’m trying to give the practical, day-to-day answer of how we actually work.
MR. HALMAN: Thank you, Mr. Pickup. So there’s nothing formal - it’s more of an informal outreach to perhaps remind best practice is essentially what’s being said?
MR. PICKUP: I think the conclusions or the responses they give - I would say my experience has been, would be to meet the recommendations. I’ll be honest with you, we want to make recommendations that are going to be implemented, they are going to be completed, they are going to be done. We’re not really doing this to end up with recommendations that aren’t going to be done - what’s the purpose? How do I gauge that? Part of how I gauge it, as the Auditor General, is to say well what does the history show? So now the history is showing me two things: first, that 75 per cent of the recommendations are being completed by government, which this year was the highest ever. This must be a good sign that the recommendations to me are relevant, they are doable, they can happen.
The other thing is that that group of recommendations that aren’t yet done, when we go back and follow up we ask the organizations, you haven’t done this, do you still intend to do it? We have that discussion and probably 99 per cent, I could count on one hand out of 400 recommendations where they say no, we’re no longer going to do that, it’s not relevant, we don’t want to do it, they continue to agree with the recommendations.
That gives me some comfort that the responses, the case history on the responses - to go back to every caveat I said earlier that we don’t give an advance ruling and all that but I’m trying to give you what my practical experience has been. The other thing is the responses when we do see if they did it, when we say it’s complete we have to be comfortable that that reasonably met the recommendation.
The case history is good and I think that it’s important for me to say that to the Public Accounts Committee, that I do have some faith that the responses are going to be done and we’ll address the recommendations.
MR. HALMAN: Going back to the topic of fraud, my colleague asked a question about that and certainly piqued my interest. You’ve indicated that you have been raising that red flag for quite some time. You’ve indicated you see great validity, great utility with fraud lines. You’ve indicated there’s great evidence to support that it can perhaps mitigate or prevent certain actions.
Does the IWK have a fraud line?
MR. PICKUP: In their response on Page 26 to Recommendation 2.1, they’ve indicated that a fraud hotline was approved in February 2018 and has since been implemented.
They also said - I think you may have asked me earlier - that policies relating to fraud, travel, hospitality, internal meeting expenses, recognition events, and signing authority were reviewed by the IWK Finance, Audit and Risk Management Committee in November 2018. That’s after our audit period so we wouldn’t have looked to see if that was actually done and will be brought forward for approval by the board at its December meeting - this month, presumably.
MR. HALMAN: Do you know who answers that hotline? Is it external to the IWK, or is that an internal hotline?
MR. PICKUP: I don’t know the answer because again, we didn’t get into sort of auditing if the hotline was working. We just looked at whether in fact it was in place.
MR. HALMAN: One of the things through Chapter 2 that I found quite shocking was sort of the work culture, the management culture that existed at the IWK Board. One of the things noted is that management was approving the expenses of the board. How critical might a board member be of management, in your opinion, if they are relying on management to pay for their expenses? In your experience, have you seen this manifest itself at different agencies?
MR. PICKUP: It may seem like a small point, but the reason why it’s not a small point to me is that it helps set a tone for internal controls. If the Chair of the board appropriately says, I’m responsible as the Chair of the board to approve board members’ expenses, which is a best practice, which is the way things should work, that’s a good control structure. If the Chair says, management, you approve the board member expenses - keeping in mind at the end of the day, who is management reporting to? The board. So you don’t want the people in the management level approving the expenses of the people they report to. You want the Chair of the board reporting those expenses.
It may seem like a trivial point, but it’s not a trivial point because I think those things send important messages. That’s not to pre-judge that management wouldn’t do their job on going through the board members’ expenses, but you can think they could be in a difficult position to challenge a board member on reviewing their expenses, given that that’s who they report to, versus the Chair of the board is essentially the head of the board, and if there is an issue with a board member’s expense, it should be the Chair having that discussion with the board member - not management. That’s why it’s a best practice.
MR. HALMAN: Certainly, reading through Chapter 2, when it comes to that work culture or that work dynamic that was created, it seems very sloppy for a lack of a better term. I’m just curious as to the genesis of that. Where does a work culture like that come from, where it almost seems like it happened where the accountability wasn’t there. Is it a lack of willingness to lead and ensure policies are being implemented? Where does a culture like that come from? From all the years of experience you have auditing different departments, where does the sloppiness, the lack of desire to implement best practices come from? What are your recommendations to make sure that this is prevented?
MR. PICKUP: I think culture is as culture does. The culture is how you act. So if, for example, you don’t follow up when you ask management a question - a critical question perhaps - and you don’t follow up and you don’t get an answer, that starts the groundwork for a culture and that is an example that we give.
When, as we cited in here, management comes and tells you that internal controls are strong because of your internal audit department and you as a board don’t challenge them that you don’t have an internal audit department, that creates a culture of not being on top of internal controls. When the management brings you 13 financial risks - some of which are high, but the board does not question them and ask for follow-up and monitor it, that creates culture.
So culture is the behaviours that an organization experiences, and then that culture would then be passed on to the senior management folks so then you get into things not being approved, contracts not being able to be found and you get into these other issues. That’s why tone from the top that’s creating the culture at the board level is critical in any organization, and when we do audits that’s how we start. We look at - what is that tone at the top? What is the culture being created? Because if that is not strong, then a lot of extra risks and things can happen as a result of that.
MR. HALMAN: Could you specifically describe that tone that existed with that board? Based on your evaluation, how would you describe that tone?
MR. PICKUP: I think in simple terms, the tone I would describe is one that didn’t place the appropriate emphasis on internal controls by not asking the right questions and not doing the follow-up and just not carrying through. I think it is that clear and that simple.
MR. HALMAN: Thank you for that response. You indicated that audits are often directed by risk and sometimes they can also be directed by Executive Council.
MR. CHAIRMAN: Time is up. Okay, I will allow it.
MR. PICKUP: I wasn’t going to respond, I was going to say Mr. Atherton is going to take the questions for just two minutes. I have to step out for 90 seconds, I’ll be right back. If there is something pressing he’ll circle back to me but I do have to step out for 90 seconds.
MR. CHAIRMAN: Ms. Leblanc.
MS. SUSAN LEBLANC: I am also going to talk about the IWK a little bit and ask a few more questions. Many of my questions have been asked already and I find myself scratching them out as we go but anyhow, I still have a few more.
In the conclusions on the IWK, you state that the board did not meet the expectations of an effective board. Can you talk a little bit about what the expectations of an effective board are?
MR. CHAIRMAN: Mr. Atherton.
MR. ANDREW ATHERTON: I’ll go back to some of the topics that Mr. Pickup has already talked about. When we do an audit, we set the objectives and the criteria at the front end so that’s how we would have defined an effective board. As he has mentioned, we sit down with the board to go through that plan and make sure they are fine with it. We get their sign-off. They send us an email that yes, we’re fine with those criteria, that’s a reasonable standard.
I could walk you through the criteria but it’s all there in the report and that would be what we would use as a measuring stick.
MS. LEBLANC: In your studying of the situation, did you discover if the IWK ever had appropriate policies in place around oversight and financial management, and/or did something change at a certain point historically to get the organization where it is or where it was last year?
MR. ATHERTON: Our audit just focused on the audit period as we defined it. I think it’s safe to say that during that period we didn’t see anything that changed drastically. We didn’t see that there were good policies until such and such a date, so throughout the period what we reported is what we saw.
MS. LEBLANC: I’m wondering then if you can talk about - we’ve heard a lot about the issues at the board level and how there was not financial management at that level. Can you possibly give an opinion on whether or not you think that we, as Nova Scotians, need to change the way boards for these types of provincial organizations are chosen?
MR. ATHERTON: I think that’s getting well into the policy world, which isn’t a place we would provide an opinion. I would go as far as what Mr. Pickup has said - when somebody signs on to a board, there should be a certain expectation and it’s reasonable to expect that they will meet that. Clearly that hasn’t happened to date for the IWK and hopefully it will, going forward.
MS. LEBLANC: This may also be policy but I’m going to ask it anyway. Given that Mr. Pickup has said that the buck sort of stops at the Department of Health and Wellness, how do you think the Department of Health and Wellness could provide better oversight to the management of the board at the IWK?
MR. ATHERTON: I think you are mixing two reports there. We haven’t said that the buck stops at the IWK. This is on the Health IT that the buck stops with the . . .
MS. LEBLANC: I’ll ask that question first, then.
MR. ATHERTON: So which one do you want me to respond to?
MS. LEBLANC: I’ll ask the question: In your opinion, who is overall responsible for the governance of the IWK Board? Where does the buck stop?
MR. CHAIRMAN: Mr. Pickup.
MR. PICKUP: If I understand the question, in terms in results of the audit, we have said the board was responsible to set the tone and the board did not do their proper governance and oversight. But it’s not all on the board, it was that senior management group as well that didn’t do what they ought to have done. So you’ve got the board not doing their oversight and governance role and then you have management who didn’t do theirs and then the controls. I think all the examples that came out of that is directly the impact of those two first things not happening.
MS. LEBLANC: Do you see a role for the Department of Health and Wellness in that, or the minister, in overseeing that?
MR. PICKUP: Governance structures can vary in terms of accountability in reporting and what is that line versus the dotted line, as we say, in terms of the authorities and the responsibilities. How that is laid out really is up to government to say where we want those lines drawn and how we want accountability.
In this case, the board is set up to be independent in a way described by the legislation. It’s set up in a certain way. Boards are set up in a way for a certain reason, for certain policy objectives that governments have. I wouldn’t provide any thoughts or opinions in terms of what exactly that relationship should be.
MS. LEBLANC: Recommendation 2.2 says, “Management should design, document, and implement appropriate internal controls and monitor to ensure the controls are operating effectively on a regular basis.” In your opinion, why do you think management should do that part of that work and not the board?
MR. PICKUP: The role of management is to put the controls in place. The role of the board is to monitor, get assurance that that is happening, and have reporting up that way. Ultimately the responsibility for the controls to start with rest with management to put these things in place and then the board to oversee that that is happening.
The board is not meant to be there managing day to day. They are meant to be a board, to oversee. That doesn’t mean that you expect a board member to be in there testing transactions to make sure goods or services were received. That’s management’s job. It’s the board’s job to make sure that all of that is happening and that they’re getting assurance in the appropriate way that that is taking place.
MS. LEBLANC: In Recommendation 2.3, you write, “The IWK Health Centre Board of Directors should oversee the development and implementation of internal controls and receive regular reporting on the effectiveness of internal controls”, as you have just said. Do you see that therefore management is the one that’s reporting on the effectiveness of the controls? Or does the board then go and take a look on their own?
MR. PICKUP: Management should report in a way that the board has described would meet its requirements and needs. That could vary in different organizations depending on the maturity of internal controls. In an organization where internal controls may not be as sophisticated, may not be up and working well, a board may want more assurance. The reporting that they want might be greater than it would be in an organization where they have had internal control reports, they have been working for years, and they know it’s in place. That may differ.
Also, the board at the time didn’t have any sort of assurance that the reporting they were getting was accurate, for example. There was no internal audit function. The board then needs to be comfortable, based on an assessment of the conditions, as to what level of accuracy and completeness and how they get that on the reports that they get from management.
MS. LEBLANC: In Recommendation 2.4, you reference strategic risks. “This framework should identify both operational and strategic risks and identify how the IWK Health Centre is responding to the risks.” Can you explain what you mean by strategic risks?
MR. PICKUP: Strategic risks could be things like what happens when you have seven business processes where the internal controls are not effective. What might that mean in terms of your operations? Is there anything there that could affect your ability to procure? Is there anything there that could affect your day-to-day operations in terms of having inventory? You want to be a well-run organization in terms of your use of money. Is there anything in those types of things that could impact your ability to be efficient with the money? Strategically, reputational risk is an issue. From a strategy, organizations want to manage their reputation. Is there anything there to be concerned about from a reputation?
MS. LEBLANC: Recommendation 2.6 says, “The IWK Health Centre Board of Directors should update its governance policy to set a clear expectation of the significant transactions requiring Board approval.”
Can you speak a little bit to - and maybe this is outside the scope of the audit - were there already policies to that effect in place that need to be strengthened or they need to actually be put in place?
MR. PICKUP: The example that we gave, which is part of the foundation as to the recommendation is that we found the board did not set a threshold dollar amount for a significant expense that differs from the budget that would require going back to the board. We had approved $300,000 for this, management decides they’re going to spend for some reason $600,000 on that - okay, we only want to see it as a board if it’s over $500,000 or if it’s over $700,000 or if it’s over $1 million.
That is a clear example of sending a message to management about the importance of budgets, about the importance of oversight to say, we’re giving the okay, go over budget 10 per cent, 15 per cent on this item, that item, not on these, but defining what your expectations are. That sort of lays the groundwork for Recommendation 2.6.
MS. LEBLANC: In Recommendation 2.8, the board of directors “. . . should review the Finance, Audit and Risk Committee terms of reference.” Do you see any scenario in which the terms of reference can be considered binding for the management of the board?
MR. PICKUP: I guess it depends on the definition of binding, I suppose. Terms of reference, to me, would generally be put in place by an organization because that’s how they want the place to be run. I think rather than a question of legality and saying you must do this legally, it’s more a question of this is how we want things to work, and you set the terms of reference to reflect that.
MR. CHAIRMAN: Thank you. The time has expired for the NDP caucus. We’ll now move to the Liberal caucus and Ms. DiCostanzo.
MS. RAFAH DICOSTANZO: I’m really delighted to be here on a health-related session. I have a real question about the IT system, which you guys have looked into - the COBIT framework that is coming. Working in the IWK and in health for 20 years, I have always thought we need to upgrade our system, and with IT evolving over the years, I found we are behind. So I’m excited and delighted that we are spending some money to upgrade our system.
I just want to know, in your practices as an auditor, how do you - when they are trying to bring in a new system, what do you look at and how do you compare it, for example, to other countries and other provinces the value and what this is going to implement? If you could give us an outline of what this COBIT system is going to do and how it compares in other places.
MR. PICKUP: To go back to something I talked about earlier, when we determine on an audit what the audit objective is and then what the criteria will be - so that bar as to say, you did A - the criteria was A plus 4, so where did you get that criteria from? Often the criteria that we use on IT-related audits are things from COBIT. This is sort of - I won’t say best practice, but this is your acceptable standard. This is what you should do in terms of criteria or a practice. That’s accepted within the IT world.
If you look at the responses to a number of these recommendations, the department, in fact, makes reference to following the COBIT framework. When we go in to do these audits, we have a good discussion around the bar to which we hold them to. It really is more on the acceptable standards to hold people to, agree to frameworks versus, here’s what’s happening in another jurisdictions, here’s what’s happening in this province or that province. It really is about what in a certain area are the likely criteria.
MS. DICOSTANZO: This new system is custom-made for Nova Scotia by Nova Scotia, not a program that we’re buying or following other good practices?
MR. PICKUP: The COBIT framework that they’re referring to is actually a set of standards, if you will - practices or procedures. It’s not buying COBIT to take off the shelf and say we’re going to implement COBIT and that’s going to be our IT system. It’s really on the approach to overseeing the IT systems to managing these, that you’re following something called COBIT.
Just to give you an example, because that might help. If you have a COBIT framework that you’re judging against, the COBIT framework may say, you should do A, B and C to protect passwords; you should have clear roles and responsibilities to find at the outset so as to avoid this. So it’s this great, big framework of steps, practices, approaches that is seen to be in the industry the way to go - an acceptable framework, if you will.
What they’re saying is, as they approach all of these IT systems - we have this IT system and we have that IT system - the framework that we’re going to hold ourselves against is something called COBIT. We will go back to COBIT as we approach any IT system - we will be attempting to follow those best practices laid out in COBIT. That’s what we did on this audit as well is in many ways looked at the COBIT expectations.
MS. DICOSTANZO: Where do we stand in spending for IT compared to other provinces in percentage of our budget that goes to IT and upgrading IT?
MR. PICKUP: We didn’t make reference in the report to the context of how much these systems are costing or how much is invested in these systems, even in terms of the ongoing maintenance. I’m sure it’s a question the four partners that we audited probably could provide a lot of information on.
MS. DICOSTANZO: I’ll have to ask that question at the other committee meeting. Thank you.
MR. CHAIRMAN: Mr. Jessome.
MR. BEN JESSOME: Given that the shared services initiative is the intention of government, I’m just wondering, is it a requirement or is it essential that each individual entity has their own controls? Or with the consideration of shared services being the goal, is there a requirement that each entity would have their own set of controls or can there be kind of like a parent control structure?
MR. PICKUP: In this case, two examples I would give you. One, the overall approach to risk has to be coordinated, if you take the four partners in this audit. There has to be a coordinated risk management approach looking at the risks within those individual organizations, but also collectively as well.
One of the examples we point out in here is that two of the four partners who ought to have had monitoring of internal controls in place - a policy around that, reporting on exceptions and looking at that - that wasn’t working. That wasn’t in place so we made a recommendation around that. So it really does depend on what your role is in this and the service that you’re providing.
Internal Services, for example, is a big service provider so it would be incumbent upon them then to be doing work on internal controls, making sure they’re working, making sure they’re operating effectively as a service provider. You wouldn’t then expect the Department of Health and Wellness to send people over to Internal Services and say, we are also going to check your internal controls. You would want the service provider to give you that assurance back that they’re doing something to make sure those controls are working.
MR. JESSOME: I’m going to ask you a bit of a philosophical question on the same subject that my NDP colleagues were referencing, about who the parent is in this relationship. If there are board structures at the IWK and there is a board structure at the Nova Scotia Health Authority, you’ve referenced the Department of Health and Wellness as the parent. So where does that relationship evolve for the department to have the authority over these two governing bodies?
MR. PICKUP: I like that question because it does go back to a key part of the audit that we had a lot of good discussions around with the organizations we audit because we did want to get it right and they told us we have it right. Can you point to five specific documents to say okay, here you go, Department of Health and Wellness, you really are the one that is the lead here, or is that a practical discussion around the role of the department, the fact that there are four players?
It’s hard to go to five specific documents and say here is why you are the leader. It really is based on their role as it has become defined either more informally and to some extent formally. They recognize they are the ones with that leadership role to bring the four parties together and to be able to say okay, we are the ones at the department who have to take the overall lead in making sure, for example, the committee is meeting, making sure oversight is happening, making sure we come to an agreement on roles and responsibilities.
I think it really is unique to the situation we have here with the four parties and it happens in this world and it happens in this environment where you are absolutely right - there are these separate organizations. There’s the IWK board, there’s the NSHA board, but that doesn’t complicate or take away from the way things need to work, as defined. All of this can happen, as the recommendations suggest, in the structure as it is, right? So I think it’s less about some of those structures and more about doing the things that need to be done. I think that’s probably why they responded yes, that they do intend to implement these recommendations because it’s not an issue of structure.
MR. JESSOME: So it draws back to the reports’ comments on identifying roles and responsibilities. Okay, thank you.
Just kind of a more particular question in my last couple of minutes here. The report references a failure to identify security risks in one of the latter recommendations, without being too specific. I think it’s . . .
MR. PICKUP: Paragraph 1.30 if I can, Page 15.
MR. JESSOME: Is that referencing - the example is unauthorized access here - is that an inability to sense that there was unauthorized access or is that an indication that there’s no, I guess, repercussions or consequences for unauthorized access when that takes place?
MR. PICKUP: I would say this is one step even before that. This is the discussion, the evaluation, the analysis around if that even is a risk. How much you’re going to manage something like that would correlate to whether you consider that low risk, medium risk or high risk.
What we’re seeing here is when the risk assessment was done, when they looked at security risks, some of the risks that were missed or failed to be considered were things like unauthorized access to personal health information and outsourcing. We’re not saying they are risks, we are not saying you should go do a, b, or c. What we’re saying is, you didn’t evaluate and analyze those as expected when doing your risk assessment. So it’s one step before what you are referring to.
MR. CHAIRMAN: Thank you, that concludes the rounds of questioning. I’d like to thank everybody for their questions. I’d like to give the Auditor General and his department a chance for some closing remarks, if he will.
MR. PICKUP: I want to thank you all for the questions today. I hope we were able to provide some insight. As I say, we report to the House and we very much look at this committee as being a key client of ours, if you will. We’re trying to help you do your job, we’re trying to give you a tool and help you understand this tool as you strive to hold the government accountable for its performance and to do better.
I want to thank the people who are here with me today but equally so I guess the 31 people back across the street who are now working on the January audit report and the March audit report and the next May audit report and on we go. I want to thank all of those folks and just remind you that this is our fifth report in the calendar year 2018.
A few people are auditors but I greatly appreciate the efforts of everybody in our office, from the person you meet when you walk in the door who says hello to you - if you have ever been to our office - through to every single person you meet on the way through or you meet here, through to getting to my office in the corner.
It really is a team effort to be able to give to the Legislature this level of output. I have an amazing team. I get the easy job of coming here to answer the questions, really. I always say to the team I understand the hard work because I have spent 30 years doing it and have been at every other level that everybody else is. I do want to remind you of that.
I also want to quickly thank the organizations that we audit. Being audited is tough. These reports are clear, they are to the point, they are conclusions. Again, I can assure you and I always tell the public this because I think it’s important - even if people don’t report it - that we’re not having any disagreements, arguments, or differences with the organizations that we audit, either to get to this point today or to clear these facts. I respect the organizations that we audit for agreeing when we call something what it is, when we identify shortcomings, and for their commitment to address things after. I respect them for that, and I think it is important.
It is an independent relationship, but it does make this job more rewarding to see organizations that are co-operative and that want to do better and view our reports. I can assure you that in the five years I have been here that is my opinion of the people we audit in Nova Scotia. I want to thank them for that and share that with the Public Accounts Committee.
MR. CHAIRMAN: Thank you. We do have some committee business to take care of, if everybody will refer to their notes and agendas. Everybody was sent electronically the correspondence from the Department of Justice, the response to the committee request on October 17, 2018, meeting. Are there any questions or discussion on that piece of correspondence?
The Department of Justice response to the committee request on October 24, 2018 meeting, is there any discussion or questions on that piece of correspondence?
Arts Nova Scotia’s response to the committee correspondence and the Office of the Auditor General’s comments regarding Arts Nova Scotia’s response, is there any discussion regarding the response provided by Arts Nova Scotia and/or the Auditor General?
The last piece of correspondence we have is the Halifax Bridge Commission’s response to the committee, Chapter 1 of the October 28th report. Any response or discussion on that? We’ll accept that correspondence as presented.
As you know, there was a Subcommittee on Agenda and Procedures. Members have been provided with the record of decision of the December 5th meeting of the subcommittee. Is there a motion to approve the recommendation? Mr. Wilson.
MR. WILSON: Just in regard to action No. 1, my colleagues and I have been talking about that subsequent to our meeting here today. One of the questions that was asked of the clerk was in regard to getting action plans. I don’t want to speak for them, but I’ll ask them to follow up if they want on the conversation.
I would like to amend No. 1. It starts, “That Action Plans on Auditor General Recommendations be requested from departments/agencies the committee has decided to call before it. The Clerk will request an action plan from a department/agency. . .”
I would like to say that we strike out “when they are scheduled to appear before the committee” and put in place “following the tabling of the AG report.” That would allow us to get those action plans on the recommendations with the timelines in a more timely manner for the committee.
MR. CHAIRMAN: As I was directed, this has to be approved first before an amendment can be made. The committee has to move the Subcommittee on Agenda and Procedures first and then we can move an amendment to the committee meeting.
MR. WILSON: I’m always thankful we have lawyers to keep this straight - appreciate that. I make a motion that we accept the record of decision from our December 5th subcommittee meeting.
MR. CHAIRMAN: Ms. Roberts.
MS. ROBERTS: I will move that we modify the first point.
MR. CHAIRMAN: We need a seconder on the motion first.
MS. ROBERTS: I second it.
MR. CHAIRMAN: We don’t need it? Okay, that is approved. Now we will move to Mr. Wilson.
MR. WILSON: I can refer it to my colleague to make the motion that we entertain getting the follow-up and information sooner.
MS. ROBERTS: I think we would like to make an amendment to the first point so that we request an action plan from basically all departments and agencies that are subject to Auditor General Reports. We would strike out “when they are scheduled to appear before the committee” and replace that with “following the tabling of an audit report”.
MR. HALMAN: Are we going to attach a specific timeline to that? I think that may be prudent.
MS. ROBERTS: I think an action plan should include timelines. I think that’s where the timeline is and we would ask for the action plan following an audit report. Do you mean to be received by a certain time?
MR. HALMAN: Yes.
MS. ROBERTS: Okay, ask them within a month or six weeks. Maybe six weeks for an action plan?
MR. CHAIRMAN: Ms. Leblanc.
MS. LEBLANC: That’s what I was going to ask for clarification on - how long they have to provide the action plan.
MR. WILSON: Maybe we could ask the clerk on what typically she sees when she asks for these. Is there a problem in getting them quickly or are they usually always prepared?
MR. CHAIRMAN: Ms. Langille.
MS. LANGILLE: I normally give them between three to four weeks.
MR. WILSON: I don’t think we seconded the motion, but I would like to second the motion.
MR. CHAIRMAN: Is that including the time frame?
MR. WILSON: Yes.
MR. CHAIRMAN: Four weeks, are we saying? Mr. Halman.
MR. HALMAN: I’m just curious, with that time frame, are we impacting getting witnesses here if we attach four weeks, six weeks - is it a possibility that we could be impacting getting the witnesses here in a timely manner?
MS. LANGILLE: We’re in a bit of a new world, but I don’t think it would. I guess if I saw that it was a problem, I would mention it, but I don’t see that a four-week turnaround would cause an issue in that.
MR. JESSOME: I would suggest or offer the comment that is it not reasonable that the action plan be presented when the department appears before the committee?
MS. ROBERTS: I think our idea, Mr. Jessome, is that depending on the audit chapter, we may not call every single audited agency, but this gives us a way of doing follow-up with every single audited agency.
For example, in this most recent audit, there were multiple different agencies. We’ll certainly want to call the Department of Health and Wellness related to this or IWK, but we may not call the WCB related to this audit chapter. But this gives us a way of doing follow-up with that agency about this chapter, regardless of whether it’s called.
MR. CHAIRMAN: Is there any more discussion? Ms. Leblanc.
MS. LEBLANC: Given that Ms. Langille suggested three to four weeks, I suggest that we amend the number one to say the clerk will request an action plan from a department or agency within three weeks of the tabling of the Auditor General Report. I think that three weeks - to Mr. Halman’s concern that possibly it impacts the calling of witnesses, why not make it shorter than longer and so three weeks seems like - a department has to get their work done and get it in. It seems efficient to me.
MR. WILSON: I could understand making that request if we were stating that we couldn’t have the department in until we received that information, but that’s not the case here. My only concern is that we don’t set expectations that are extremely difficult to make. I would assume that the response and the reports that come from the AG aren’t a surprise to the departments. I’m hoping they would be prepared to have their action plans in place actually the day that these reports come out, in essence.
From my experience here I see no way that this is going to impede timeliness of getting witnesses here, it’s just an added thing. It’s not a hill that I think we’ll die on but the sooner the better, obviously. I just don’t want to set a bar that’s going to be difficult for departments to meet.
MR. CHAIRMAN: So are we in agreement that we’ll amend that for three weeks? (Interruptions) So is the amendment for three weeks? Ms. Leblanc.
MS. LEBLANC: I will amend my amendment to make it four weeks.
MR. CHAIRMAN: Would all those in favour of the amendment please say Aye. Contrary minded, Nay.
The motion is carried. Thank you.
Moving on, now we need a vote on the main motion. Would all those in favour of the main motion please say Aye. Contrary minded, Nay.
The motion is carried. Thank you, Mr. Hebb.
Moving on, there have been issues about the public sector pension witnesses, finding a date when the officials from the three pension plans - the Teachers’ Pension, health employees, and the Public Service can be available. All officials with the exception of Mr. John Carter, Chair of the Teachers’ Pension Plan Trustee Inc., can be available on January 30th. In an effort to schedule the matter in a timely fashion the subcommittee has agreed to having Mr. Doug Moodie, CEO of the Nova Scotia Pension Services Corporation, appear on behalf of Mr. Carter.
The Nova Scotia Pension Services Corporation provides plan administration and investment services to the Teachers’ Pension Plan and is able to answer questions in this regard. Are there any problems or is the committee in agreement with having Mr. Moodie appear as a witness in relation to the Teachers’ Pension Plan instead of Mr. Carter? Ms. Roberts.
MS. ROBERTS: Can I just ask if anyone from the Auditor General’s Office, which probably understands the structure of these entities better than anyone on this committee, do you have any concerns about that substitution of witnesses due to their availability?
MR. CHAIRMAN: Mr. Pickup.
MR. PICKUP: One alternative I guess could be - and he’s the Chair, right, Mr. Carter - if they had a Vice-Chair because I think you’re switching the Chair of the Teachers’ Pension Plan with the CEO from the Nova Scotia Pension Services Corporation that sort of administers it so I’m not sure you are necessarily getting someone from the same area. I think my general thought would be if a Chair can’t come, can the Vice-Chair come? That body serves a certain purpose, right? They do a certain function, they have a certain purpose. Not that I would have an issue with Mr. Moodie but it’s just that he may not be coming from the same perspective or the same organization as Mr. Carter. That’s my thought.
MS. ROBERTS: Does the clerk have anything to add to that discussion?
MS. LANGILLE: First, I don’t know who the Vice-Chair is. I can certainly check on that. Secondly, in my discussions both with Mr. Carter and Mr. Moodie, that was the indication, that certainly Mr. Moodie would be able to answer because of the role that he plays. I can certainly check and see if there is a Vice-Chair who would be available and able to answer.
MR. PICKUP: If Mr. Carter feels that Mr. Moodie can do that - I wasn’t giving a specific, I was giving a general, but if he feels comfortable.
MR. CHAIRMAN: Would all those in favour of having Mr. Moodie instead of Mr. Carter, please say Aye. Contrary minded, Nay.
The motion is carried. Mr. Moodie it is.
Lastly on the agenda, the Nova Scotia Gaming Corporation. There was a discussion about payment for attendance at Law Amendments Committee on Bill No. 49. Ms. Roberts, you requested that this be placed on the agenda. Can you address the committee, please?
MS. ROBERTS: This is a situation that arose during our very last days in the House where Nova Scotia Gaming Corporation paid for - I think it was Responsible Gaming, I’m not sure of the full name of the organization - to be flown to Nova Scotia to appear at the Law Amendments Committee. I think it raised concerns on all sides of the House and I would like to move that this committee draft correspondence to the Nova Scotia Gaming Corporation to ask for an explanation of how they arrived at that decision, and maybe also who was involved in approving that.
I’m open to other suggestions. Ideally, I would like the opportunity to ask them questions, but I don’t think it would be an appropriate use of a full committee hearing.
MR. WILSON: Yes, I would agree to that. I would also ask to find out what procedures they put in place to make sure that doesn’t happen again in the future.
MR. HALMAN: I’m certainly in favour of that.
MR. CHAIRMAN: We will get the clerk to draft a letter. Would all those in favour of that motion please say Aye. Contrary minded, Nay.
The motion is carried.
We will ask the clerk to draft the letter and send it off.
The next meeting, December 19, 2018 here in the Chamber - 8:30 a.m. to 9:30 a.m. is an in camera session. It’s the Office of the Auditor General from 9:00 a.m. to 11:00 a.m., and the Department of Finance and Treasury Board about the finances from the 2018 Public Accounts, Chapter 2, October 2018 Report of the Auditor General.
If there is no further business, we’ll adjourn the meeting.
[The committee adjourned at 10:57 a.m.]