This report presents the results of an internal audit of the Global Partnership Program (GPP) within the Department of Foreign Affairs and International Trade (DFAIT).
The Global Partnership Against the Spread of Weapons and Material of Mass Destruction (“Global Partnership”) was launched by world leaders at the 2002 G8 Summit with the singular objective of the prevention of weapons of mass destruction acquisition by terrorists. The Global Partnership Program is Canada ’s response to the Global Partnership. In terms of materiality to the department, GPP is one of DFAIT’s largest contribution programs receiving approximately $90 million annually in contribution funding. Canada committed up to $1 billion of funding over a 10 year period from 2003/04 to 2012/13.
Over recent years, the use of transfer payments in international program management has emerged as a significant activity within DFAIT. In fiscal 2009/10, transfer payments represented approximately 34% of DFAIT’s $2.2B budget. GPP’s contribution funding represents about 12% of DFAIT’s total $726 million transfer payment funding. Given its magnitude, the complex nature of the GPP, and because the GPP is a mature program (currently in its seventh year of operation, which had as a key requirement *** that an audit would be conducted), the audit of GPP was included in the Internal Audit Plan for fiscal year 2009/10, and approved at the June 2009 meeting of the Departmental Audit Committee.
The GPP activities are focused on five portfolio areas: biological non-proliferation; chemical weapons destruction; nuclear powered submarine dismantlement; nuclear and radiological security; and, redirection of former weapons scientists. The projects funded by the GPP range from $50,000 to in excess of $10M. The GPP is administered by the Major Programs Bureau which is headed by a Director General who reports to the Assistant Deputy Minister, International Security Branch.
The scope for this audit covered the period from June 2008 to February 2010 and included projects that took place in all five portfolio areas. The objective of this audit was to provide DFAIT senior management with assurance that:
Based on the audit team’s risk assessment, the following five areas were determined to be of elevated risk, and therefore were examined in detail during the audit: Governance and Strategic Direction; Stewardship; Operational Capacity (People/Systems); Results and Performance; and, Risk Management. The audit criteria selected for this audit have been mapped to the applicable Office of the Comptroller General Core Management Controls . Please refer to Appendix A for further details.
Throughout the audit fieldwork, the audit team observed strengths in GPP’s governance and risk management practices and observed internal controls which were properly designed, implemented and operating effectively. Examples of key strengths noted, particularly during the review of a sample of project files, include the following:
While the audit noted that the Program is in compliance with its Terms and Conditions, the following areas were identified where management practices and processes need improvement:
These areas are discussed in further detail within the body of this report.
As a result of the identified areas for improvement, the following key recommendations are made:
Overall, an appropriate management control framework is in place for the Global Partnership Program. Key components such as governance, risk management and internal control practices were generally found to be effective and adequate. Improvements are required, however, in the areas of resource management and the reporting of results. In addition, the audit noted that the GPP is in compliance with relevant acts, its Terms and Conditions and policies and procedures.
In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the information contained in this report. This is based upon a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed to with management. The evidence was gathered in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing.
Original signed by: Yves Vaillancourt, July 13, 2010
The Global Partnership Against the Spread of Weapons and Material of Mass Destruction (“Global Partnership”) was launched by World Leaders at the 2002 G8 Summit with the singular objective of the prevention of weapons of mass destruction acquisition by terrorists. The Global Partnership Program (GPP) is Canada ’s response to the Global Partnership. Canada committed up to $1 billion of funding over a 10 year period from 2003/04 to 2012/13 and the GPP is currently in its third and final phase. The GPP is one of the largest contribution programs in the Department of Foreign Affairs and International Trade Canada (DFAIT) - receiving approximately $90 million annually in contribution funding. The projects funded by GPP range from $50,000 to in excess of $10M. The GPP is administered by the Major Programs Bureau which is headed by a Director General who reports to the Assistant Deputy Minister, International Security Branch. The Program currently conducts its activities in five priority areas:
Given the complexity and breadth of the GPP projects, the GPP makes use of an array of delivery mechanisms such as contracts, implementation arrangements, contribution agreements, memorandums of understanding and treaties in order to achieve the GPP strategic objectives. To assist in monitoring the completionof the projects occurring in Russia and the former Soviet Union countries and to ensure funds are being used for their intended purposes, technical experts are hired to assist GPP program staff in monitoring and assessing the status and completion of projects.
To obtain an understanding of the GPP operations, a review of documentation and a sample of project files was performed and a series of interviews were completed. An assessment was then carried out to determine the extent to which each of the audit criteria had been met. Significant gaps between an audit criterion and an observed practice were evaluated and consideration was given to the degree of risk in order to assist in the development of recommendations for improvement. Details on the observations are provided in this section.
Given the magnitude, availability, and variability in funding which can be allocated amongst the various program priority funding areas, it is critical GPP have a transparent and documented rationale for the allocation of funding, which considers risk information and changes in the internal or external environment. It is important that a formal budgeting process exist to challenge resource allocations and appropriately align resources with priorities. The funding allocation process should include a review of new threats or priority areas as well as a periodic review of planned versus actual expenditures and documented rationale and approval of any funding amendments or changes. While GPP has a formal budgeting process, which takes most of the above factors into consideration, there were three areas for improvement noted, as described below.
As part of its fund management and resource allocation practices, the GPP sometimes transfers funds with other DFAIT transfer payment programs. Specifically, the audit noted that in fiscal 2009/10, net in-year transfers to/from other DFAIT Programs and GPP totalled approximately $5M. While the transfer of these funds between Programs is documented, reviewed and performed by Corporate Finance, the expectation within DFAIT is that when excess funds have been identified, the DFAIT Resource Management Committee (RMC) should be notified. A key role of RMC is to direct and coordinate measures to meet in-year departmental resource pressures and lead and manage re-allocations among resource centers. The audit observed, however, that there was inadequate communication by Corporate Finance to the RMC prior to making these program fund transfers. Without the perspective provided by the RMC, there is an increased risk that resource allocation decisions made unilaterally among programs may not reflect the priorities of DFAIT.
Additionally, the audit noted that GPP uses a number of mechanisms to establish priorities and associated resource allocations including the Global Partnership Advisory Group (GPAG), the Global Partnership Working Group (GPWG), and the Annual Priority Review (APR). The GPAG, chaired by the DG, GPP, includes representatives from other government departments; however, the audit noted that GPAG is used primarily as an advisory body on future policy issues, not in-year budgetary decisions. Although GPP priorities are discussed with other donor country members at GPWG meetings, these meetings are only held five to six times each year and while the APR provides for a formal review of the GPP’s priorities and minutes are forwarded to the Minister of Foreign Affairs for his approval, the APR is only an annual activity.
The Program could benefit from an additional oversight body in order to provide an ongoing advisory and challenge function to the GPP with regard to its decisions on spending priorities, and resource allocation, as well as to provide feedback on program risk and results reporting. One potential avenue is the existing Policy and Program Board within DFAIT whose mandate is to provide strategic direction and oversight for DFAIT’s international policy advice and integration, as well as for diplomacy and advocacy functions under which GPP is classified. Included in the Board’s responsibilities are providing feedback on major initiatives, exercising a challenge function for operational strategies and approaches, and approving programs related corporate planning and reporting requirements. Given that GPP is one of DFAIT’s largest transfer payment programs, with a high degree of visibility globally, and faces significant risks which could have a profound impact on DFAIT’s reputation, using this existing Board may be beneficial for the program as well as the department overall.
Lastly, the GPP has received Treasury Board approval to adjust funding amongst the GPP portfolios while staying within the overall funding profile. The Director General has the authority to transfer funds between portfolio areas to respond to funding pressures and the GPP’s staff has the authorization to perform the fund transfers in the Integrated Management System (IMS). While there is verbal discussion between the Director General and his staff regarding these fund transfers, no evidence or audit trail was found for the final review and approval of the transfer of funds between GPP portfolio areas. Given the frequency (i.e. approximately 20-30 times per year) and net value of the transfer of funds between portfolio areas, without evidence of approvals of such transfers, there is an increased risk that not all transfers receive approval from an appropriate level of authority. Further, it is difficult to determine whether the transfers are completed as intended by the Director General, GPP.
Within the public sector environment, it is expected that programs will gather relevant information on results and use that information to enable decision making, and to provide reporting to Parliament that is balanced, transparent, and easy to understand. In doing so, programs need to measure, review and report on results using established performance objectives.
For GPP, the Accountability, Risk and Audit Framework (ARAF) acts as the program’s primary source of guidance on accountability and also aims to provide guidance to the GPP on how to support the overall management of the program, demonstrate the achievement of planned results, and provide the ongoing information needed to support evaluation. Most performance measures listed in the ARAF are clear and measurable; however, certain performance measures used by the GPP (e.g. sustainable employment, industrial and scientific benefits to Canada , capacities enhanced, etc.) would be difficult for the GPP to quantify and attribute to program activities.
The audit noted that the primary mechanism used by the GPP to report on program performance is the program’s annual report, which is submitted to Treasury Board. Upon review, the audit noted that only a few of the ARAF performance measures are reported through the annual report such as the quantity of chemical agents that were destroyed; the status of construction projects to safeguard biological weapons; and, the number of submarines dismantled. To inform and report to Canadians, the GPP publishes progress updates for each of its portfolio areas through the GPP DFAIT web site as well as reporting publicly through the Departmental Performance Report (DPR). Other reporting mechanisms used by the GPP, such as the internal bi-monthly reports, contain some additional performance measures, but not all significant performance measures are reported. So while the audit found that performance reporting was being conducted, the GPP does not have a consolidated program-wide approach in its reporting against established performance measures and outcomes (as outlined in the GPP’s ARAF). This finding is consistent with a 2008 summative evaluation of the GPP which noted that more attention should be paid to the presentation and assessment of the overall program results which would enhance understanding of the GPP’s broader impact. A 2006 formative evaluation of the GPP also recommended the development of precise performance measures and indicators for each portfolio area and for the GPP as a whole.
Without a consolidated approach to reporting on performance measures, there is increased risk that GPP will not be able to: demonstrate results and the program’s overall impact to key stakeholders; enable decision making; and support resource allocation decisions.
Given that the program operates in high risk environments and deals with high risk projects, it is critical that the program has well established and documented risk management practices and enabling tools which are consistently used. Effective risk management should also include practices and tools which allow for reasonable completeness in the identification of risks, a formal assessment of risks, routine monitoring of mitigating actions and risks, and a consistent application of risk management practices across all portfolio areas.
The GPP’s project risk management process was found to be robust (i.e. identify, assess, monitor and report). The GPP uses risk management software called the Risk Info rmation and Assessment System (RIAS). RIAS is used by all portfolio areas for input of project risk-related information and for the creation of risk registers. As a leading practice, the RIAS tool provides for a standardized approach to project risk management. The outputs generated by RIAS are risk management plans, including mitigating actions, accountabilities and due dates. These risk management plans are used to facilitate decisions on monitoring and discussions within the project group. ***.
As well, the audit noted a list of program risks that have been identified and updated as most recent as May 2010. It is vital that a disciplined approach be taken by GPP management to continuously review, assess and update program risks in order to keep mitigating strategies as current as possible.
Given the nature of the GPP and its involvement in projects that facilitate chemical weapon destruction, nuclear submarine dismantling, and nuclear and radiological security, there is a need for heightened security and protection of confidential information. The possibility that terrorist groups may gain access to this knowledge represents a danger to domestic and international security.
The audit noted that precautions are taken by the GPP regarding the security and release of confidential information. Some of these observed practices included secured cabinets, secured email communication, restricted access to network servers, and additional logical access and physical security controls. As a federal government program, the GPP is sometimes, however, presented with opportunities to share information on its projects, practices and lessons learned with other government departments.
The audit noted that a formal practice is in place within the GPP to classify documents based on their intended use and obtain approval to present confidential information at these information sharing events. Audit testing, however, found one instance where a presentation on a GPP human and animal health biological containment laboratory (biolab) was mistakenly shared publicly on the internet. The biolab is being planned (i.e. construction has not yet started), and is a 6,200 square meter, $30 million project being considered for the Republic of Kyrgyz . ***. The presentation was given by the GPP to a restricted government audience and while the organizer of the conference was specifically instructed by the program not to post the presentation on the internet, this instruction was not followed.
Advice was sought in this matter from the Corporate Security Division (ISC) under the Departmental Security Officer (ISD). The Corporate Security Division is responsible for the development, implementation and effectiveness of security policies, personnel security services and security training for DFAIT. When requested by the auditors to review and assess the document in question, the division indicated that responsibility for the classification of a document rests with its author and therefore, no assessment of this document was provided.
The authority for this audit is derived from the Internal Audit Plan for the fiscal year 2009-2010 which was approved at the June 2009 meeting of the Departmental Audit Committee.
The objective of this audit was to provide DFAIT senior management with assurance that:
The audit scope covered the period from June 2008 to February 2010 and addressed areas of governance, internal controls and risk management. The audit was carried out at DFAIT headquarters in Ottawa , between February 2010 and May 2010. The focus of the audit was on areas of elevated risk which were identified in the audit planning phase.
The internal audit of the GPP was conducted in accordance with the Standards for the Professional Practice of Internal Auditing as per the Institute of Internal Auditors (IIA) and the standards and requirements set out in the Treasury Board Policy on Internal Audit.
Sufficient and appropriate audit procedures have been conducted and evidence gathered to support the audit conclusion provided and contained in this report.
The principal audit techniques used included:
The approach used to address the audit objectives included the development of audit criteria against which observations, assessments and conclusions were drawn. The audit criteria developed for this audit are shown below.
|Audit Recommendation||Management Action||Area Responsible||Expected Completion Date|
|1. Corporate Finance and Operations should ensure that the Resource Management Committee (RMC) is informed prior to the movement of GPP program funds for the purpose of addressing potential lapses in order to enable RMC to make resource allocation decisions which reflect DFAIT’s priorities.||Agreed — Corporate Finance will liaise with IGD to operationalize this. Corporate Finance will discuss with RMC the modalities, including the threshold amount for notification.||Chief Financial Officer (SCM)||September 15, 2010|
|2. Given the size, complexity, and sensitivity of the program, GPP management should further strengthen the program’s governance structure to provide challenge and advice on its decisions on spending priorities, and resource allocation, as well as to provide feedback on program risk and results reporting. The program should consider using the existing Policy and Programs Board within DFAIT for this purpose.||Agreed — While GPP has very robust oversight through the GPAG, GPWG, APR and Treasury Board, we will indeed avail ourselves of the Policy and Programs Board and regularly present its priorities, budget, risks and results regularly in order to obtain feedback and advice.||Director General, Major Programs Bureau (IGD)||Immediately, at first available opportunity|
|3. GPP management should establish a practice to formally document approval of significant fund transfers between GPP portfolios.||Agreed — The bureau will review internal fund transfers to determine and implement an appropriate procedure.||Director General, Major Programs Bureau (IGD)||September 15, 2010|
|4. GPP management should review performance measures for clarity and measurability and should consolidate performance data to enable better reporting of the program’s impact and performance.||Agreed — We do indeed report performance results in a number of different documents including DPR, Annual Report to Treasury Board Secretariat, Annual Report to Parliament and reporting to GPAG and GPWG. We will consolidate the performance measures in our Annual Report to TBS. We will also review our performance measures for clarity and measurability, adjusting as required, as contained in our ARAF.||Director General, Major Programs Bureau (IGD)||December 31, 2010|
|5. For the one instance in which a sensitive presentation, that was deemed to be unclassified, was mistakenly made available on the internet, GPP management should review its document classification process and procedures and implement any lessons learned.||Program management has reviewed their processes for classification of documents. The processes are well documented and staff is very aware of Classification and Security Guidelines. In this case, the Program deemed the document to be "unclassified" ***. When Program management became aware of the event, it took immediate action. No further action will be taken.||N/A||N/A|