2.0 About the audit

2.1 Audit objectives and scope

Audit objectives:

The objective of this audit was to provide reasonable assurance that adequate governance monitoring frameworks were in place to ensure the successful management of information at Veterans Affairs Canada.

More specifically, the objective was to provide reasonable assurance that:

  • VAC has implemented an effective management control framework which includes accountability, roles, responsibilities, and monitoring to mitigate information management risks;
  • VAC has implemented effective operational and technical controls through the organization which includes recordkeeping methodologies and tools, as well as awareness and training activities to mitigate risks related to Information Management.

Scope:

Information Management is a vast topic with many different layers. The scope of this audit included the information management and governance control frameworks in place at VAC on 1 January 2020 up to and including 30 September 2021. Covering this time period, the Audit Team focused on the main activities of the VAC Information Management team as described above in the background section. The audit scope did not include a focus on the security of systems that manage information as it relates to vulnerability from outside attacks such as cyber-attack threats. In addition, this audit concentrated on the management of corporate information and not Veteran-related information.

The audit findings and conclusions contained in this report are based on sufficient and appropriate audit evidence gathered in accordance with procedures that meet the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing as supported by the results of the quality assurance and improvement program.

The opinions expressed in this report are based on conditions as they existed at the time of the audit and apply only to the entity examined.

Additional information, including the audit criteria and methodology, is provided in Appendices A and B.