3.1 Management Control Framework
A management control framework is made up of key management controls that are reasonably expected to be in place in any department or agency to enable the achievement of objectives. Management controls are practices and procedures established to create business value and minimize risk. They include policies, procedures, business processes, roles and responsibilities, objectives and/or performance measures, monitoring and reporting.
An effective system of internal control is integral to an organization’s ability to manage risks and to achieve objectives related to operational effectiveness, reliable reporting and compliance. Controls contribute to the proactive and intelligent management of risk, which, if left unmanaged, can prevent key performance objectives in these areas from being achieved. When the organization’s system of internal control is effective, losses are minimized and performance is optimized.
It is important to note that the organization’s control framework does not guarantee that risks will be prevented, detected and managed, nor that the organization will achieve its goals. It does, however, greatly increase the likelihood that organizational objectives will be achievedFootnote 1. Management controls also support compliance with applicable legislation, policies, and guidelines.
3.1.1 Planning
At the outset of the audit, the audit team expected to find that roles and responsibilities, key deliverables, resources, and timelines were clearly defined in an integrated framework supporting overall planning and delivery.
Roles and responsibilities were clearly defined as observed by the audit team during the delivery of the Passchendaele event and as documented in project charters, implementation directives and operations team documents. In addition, VAC staff involved in delivering the 2017 events indicated that roles and responsibilities were understood.
Early in the planning phase, the Vimy event had a documented project plan that included clearly defined roles, responsibilities, resources, timelines, risk management and communications plan. Documentary review and interviews did not indicate that the project plan was referenced or updated as planning progressed. The audit team did not receive documentary evidence of a project plan for the Dieppe and Passchendaele events; although other types of planning documents existed, they were not as fulsome as a project plan. A project management approach helps to minimize risk and identify problems early on, ensures good communication among team members and ensures project goals are achieved as efficiently and effectively as possible.
3.1.2 Risk Management
As part of any successful event planning process, hazards should be identified and risks assessed and controlled to minimize the potential for injury or harm to persons or property, or jeopardize the achievement of event objectives.
A review of key documents confirmed that risks associated with physical and personal health, safety and security of participants were adequately identified and assessed for the three events. These risks are high priority but there are other risks associated with event planning activities that occur during the months leading up to an event. While such risks may have been addressed by staff throughout the planning and delivery of events, the audit team did not find evidence of a risk management process according to which risks were being identified, monitored and reported on.
As part of risk management, lessons learned should be documented and include details related to the issue, steps taken to resolve and what corrective actions could be put in place to reduce the risk of recurrence. This information should be recorded in a timely manner to support the planning of future events. In 2017, there was a compressed period of time to record lessons learned given the limited transition time between events. The audit team reviewed the summary report prepared following each of the overseas events. Each summary report outlined successes and challenges. Two of the three summary reports would have benefited from more detail regarding the factors contributing to challenges encountered or a recommendation on corrective actions to reduce the risk of recurrence. One of the three summary reports was not prepared in time to inform the subsequent event. A wrap-up report was shared with the audit team during the drafting of the audit report. The report examined overarching areas and themes related to the three 2017 overseas events and identified potential improvements and recommendations to aid in the execution of future events. Leveraging lessons learned from previous events supports continuous improvement and reduces the risk of recurrence of similar issues in the future.
3.1.3 Monitoring and Reporting
Effective planning and risk management are supported by sound monitoring and reporting tools and processes. Monitoring is the process of systematically tracking key indicators to assess progress made in achieving goals and objectives. Monitoring related to planning and delivery of events would take information from project plans and periodically assess the progress achieved against these benchmarks and account for changes to the scope, scale or budget of the event. This ongoing monitoring would assist with decision-making and risk management during the life-cycle of the project. At the end of a project, analysis of this information would indicate if resources (time, money, staff/partners) were utilized effectively and these results would then inform future planning.
The audit found that there was monthly financial monitoring and reporting of year-to-date expenditures and outstanding commitments. There was also evidence of performance indicators (e.g. number of participants in person and online through VAC’s social media channels) used to monitor and report against desired outcomes. In addition, there was evidence of weekly meetings with strategic partners to track progress on planning efforts and resolve issues. These activities point to reporting and monitoring against strategic outcomes; however, the events would also have benefited from operational indicators to support monitoring related to resources used during the planning and delivery of events. For example, indicators could have been developed for expenditures related to salary, overtime and transportation. Reporting against operational indicators would increase the Department’s ability to assess whether resources are used effectively. Also, information derived from indicators could be leveraged toward the planning and delivery of future events.
3.2 Compliance with Applicable Policies and Directives
According to the TB Directive on Delegation of Spending and Financial Authorities, expenditure initiation approval is required prior to making an obligation that will result in the eventual expenditure of funds. At the time of the audit, VAC’s interpretation was that authorizations for overseas events were governed by the TB Directive on Travel, Hospitality, Conference and Event Expenditures, and according to this Directive, the Minister must provide expenditure initiation approval for events when total departmental costs exceed $50,000Footnote 2.
To assess if event authorizations were properly prepared and approved by the right authority, within the authorized limits and on a timely basis, the audit team completed a file review of the three event authorizations and a judgemental sample of associated expenditures. The audit team found that, although authorizations were provided by the right authority and within the authorized limits as per the TB Directive on Travel, Hospitality, Conference and Event Expenditures, they were not timely. For each event, there was evidence of commitment authority (FAA, section 32) and certification authority (FAA, section 34) prior to the expenditure initiation authority.
During the reporting phase of the audit, Finance Division assessed VAC’s delegated authorities and how VAC obtains authorizations for overseas events. Finance Division concluded that VAC’s earlier interpretation of the TB Directive on Travel, Hospitality, Conference and Event Expenditures was not appropriate, and that commemoration activities of the kind audited here should not fall within the definition of an “event” under the TB Directive on Travel, Hospitality, Conference and Event Expenditures. Rather, they should more appropriately be considered a part of VAC’s regular program activities, and therefore subject to the usual suite of delegated spending and financial authorities that apply in the Department.
3.3 Compliance with Business Processes
Documented business processes serve as a means for the direction of actions and/or activities into a defined and consistent process which creates structure, supports timely decision-making and promotes compliance with policies.
The audit team received over 50 tools and templates (e.g. project plan, terms of reference, budget tracking, staff orientation, memoranda of agreement, technical requirements, schedule, letters, invitations) related to the planning and delivery of the events. These documents would benefit from an overarching framework or business process to guide the use of these tools and templates. Given the absence of an overarching framework or business process, the audit team was not able to assess whether the planning and delivery of events were executed consistently and as expected because it was not clear in which circumstances to use which tool and when. Without documented and formalized procedures there is increased risk of error in planning and delivering activities, particularly for new staff.