Internal Audit Report
Audit of the Catch Certification Program

Project 6B258

Final Report
December 6, 2013

TABLE OF CONTENTS

1.0 EXECUTIVE SUMMARY
2.0 BACKGROUND
3.0 AUDIT OBJECTIVE
4.0 AUDIT SCOPE
5.0 AUDIT APPROACH
6.0 AUDIT FINDINGS
7.0 AUDIT OPINION
8.0 STATEMENT OF CONFORMANCE
APPENDIX A — AUDIT CRITERIA

1.0  EXECUTIVE SUMMARY

On January 1, 2010, the European Union officially established a system that requires the traceability of all fish and fisheries products exported to the European Union in order to prevent deter and eliminate illegal, unreported, and unregulated fishing. In response to the European Union requirements, Fisheries and Oceans Canada launched the Catch Certification Program in December 2009 to comply with the urgent pressure to ensure market access and meet the European Union Regulation. The Catch Certification Program has two key business processes: the catch certificate issuance process and the post-issuance audit process.

While the Program was initially established to respond to the European Union requirements, it is currently responding to other international catch certification requirements arising from Japan, Ukraine and Chile as well as issuing export permits under the Convention on the International Trade of Endangered species and the Commission for the Conservation of Antarctic Marine Living Resources. In a global effort to combat illegal, unreported and unregulated fishing, the use of internationally agreed market-related measures, which includes catch certificate requirements, is expected to significantly increase in the future.

The audit objective was to provide assurance that the Catch Certification Program:

  • has adequate controls in place to support the Canadian fisheries industry in meeting the European Union Regulation while upholding its integrity; and
  • is strategically positioned to meet future international requirements.

Based on the audit findings, the overall conclusion is that, the Catch Certification Program has controls and processes in place to support the Canadian fisheries industry in meeting the European Union Regulation while upholding its integrity. However, controls should be strengthened for the key business processes of the Program and improvements should be made in the areas of program governance, risk management, and citizen-focused service to ensure that the Catch Certification Program is strategically positioned to meet future international requirements. More specifically, the recommended improvements are as follows:

  • Formally establish and maintain a governance structure  to provide strategic direction and to ensure the Catch Certification Program achieves its objectives;
  • Formally document, assess, and manage the risks of the Catch Certification Program and review the risks on an annual basis;
  • Strengthen the controls in the catch certificate issuance process by including, at a minimum, the following:
    • Expanding the range of automated controls within the Fisheries Certification System, where feasible;
    • Implementing secondary review of catch certificate applications;
    • Requiring registered companies to provide proof of representation to confirm that the individual submitting the application has been authorized to act on their behalf; and
    • Ensuring that the information from the Integrated Fisheries Management Plans is accurately imported into the Fisheries Certification System.
  • Assess the Administrative Follow-Up Procedures upon their implementation to ensure that they support timely corrective actions;
  • Periodically review the Service Level Agreement with the Regional Headquarters of the Gulf Region to ensure that the Operations Centre is receiving an adequate level of service to meet its service standards; and
  • Finalize, approve, and implement the Business Continuity Plan of the Catch Certification Program.

Management Response

Management is in agreement with the audit findings, has accepted the recommendations included in this report, and has developed a management action plan to address them.  The management action plan has been integrated in this report. 

2.0  BACKGROUND

On January 1, 2010, the European Union officially established a system that requires the traceability of all fish and fisheries products to be sold in the European Union in order to prevent, deter and eliminate illegal, unreported, and unregulated fishing. Formally known as Regulation (EC) No 1005/2008, the regulation requires that fish exports to the European Union be accompanied by a catch certificate issued by the competent authority in the country of origin.

In December 2009, Fisheries and Oceans Canada, as the competent authority of Canada, launched the Catch Certification Program to comply with the urgent pressure to ensure market access and meet the European Union Regulation. In 2012, the value of domestic exports to the European Union was $344 million. The value of exports to other European countries such as the Russian Federation and the Ukraine was $182 million and the value of exports to Japan was $260 million. Canada’s total value of domestic exports to all countries was over $4 billion in 20121.

The Catch Certification Program consists of the Integration and Planning Bureau, the Operations Centre, and the Audit Office. The Integration and Planning Bureau is responsible for Program coordination, reporting, development and integration as well as liaising with European Union officials and national-level stakeholders.

The Operations Centre is responsible for issuing catch certificates and relevant export permits and providing client services to Canadian fish exporters. The Operations Centre uses the web-based Fisheries Certificate System to process and validate applications and to issue catch certificates. As a requirement of the European Union Regulation, exporting countries must have an audit process in place to confirm the accuracy of the information provided by the applicant. In response to this requirement, the Department created the Audit Office, which is responsible for conducting post-issuance audits of catch certificates.

The Catch Certification Program is currently responding to other international catch certification requirements arising from Japan, Ukraine and Chile and also issuing export permits under the Convention on the International Trade of Endangered Species as well as the Commission for the Conservation of Antarctic Marine Living Resources. In a global effort to combat illegal, unreported and unregulated fishing, the use of internationally agreed market-related measures, which includes catch certificate requirements, is expected to significantly increase in the future.


1 DFO 2012 export data by Major Market and Top 5 Countries, Canadian Trade Statistical Services, Fisheries and Oceans Canada.

3.0  AUDIT OBJECTIVE

The audit objective was to provide assurance that the Catch Certification Program:

  • has adequate controls in place to support the Canadian fisheries industry in meeting the European Union Regulation while upholding its integrity; and
  • is strategically positioned to meet future international requirements.

4.0  AUDIT SCOPE

The scope of the audit was risk-based and focused on the two key business processes of the Catch Certification Program: the catch certificate issuance process and the post-issuance audit process. The audit team captured the key controls and identified control gaps through process mapping. The examination also included audit tests to determine the effectiveness of some of the controls through an examination of the following:

  • a sample of companies registered in the Fisheries Certificate System to ensure that they had a signed original Delegation of Authority document on file;
  • a sample of catch certificates that were issued in the fiscal year 2012-13 to verify applications were processed correctly;
  • a sample of fields in the Catch Validation Management Table to determine the accuracy of the information it contains;
  • a sample of completed audit reports for catch certificates that were issued in 2010 and 2011 to ensure that the audit reports were peer reviewed and received appropriate approvals.

5.0  AUDIT APPROACH

This engagement was conducted in conformance with the Treasury Board’s Policy on Internal Audit, the Internal Audit Standards for the Government of Canada and the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing. These standards require that the engagement be planned and performed in such a way as to obtain reasonable assurance that the objectives of the engagement are achieved. As such, the audit employed various techniques including a risk assessment of the audit entity, interviews of key personnel, process mapping, walkthroughs, file review, data analyses as well as documentation review.

The conduct phase of the audit engagement commenced in September 2013, following the acknowledgement of the objectives and scope by the client organization.

6.0  AUDIT FINDINGS

This section provides the observations and recommendations resulting from the audit work carried out.  While the audit was conducted based on the lines of enquiry and audit criteria identified in the planning phase, this report is structured along the following main themes:

●  Governance and Strategic Direction;
●  Risk Management;
●  Program Integrity and Stewardship; and
●  Citizen-focused Services.

For conclusions by audit criterion, please refer to Appendix A.
 
Based on the audit work performed and our professional judgment, the risk associated with each observation was rated using a three-point scale. The risk ranking (high, moderate, low) is based on the level of potential risk exposure we feel may have an impact on the achievement of Fisheries and Oceans Canada objectives, and is indicative of the priority Management should give to the recommendations associated with that observation. The following criteria were used in determining the risk exposure level:

High Controls are not in place or are inadequate.
Compliance with legislation and regulations is inadequate.
Important issues are identified that could negatively impact the achievement of program/operational objectives.
Moderate Controls are in place but are not being sufficiently complied with.
Compliance with central agency/departmental policies and established procedures is inadequate.
Issues are identified that could negatively impact the efficiency and effectiveness of operations.
Low Controls are in place but the level of compliance varies.
Compliance with central agency/departmental policies and established procedures varies.
Issues identified are less significant but opportunities that could enhance operations exist.

6.1  GOVERNANCE AND STRATEGIC DIRECTION

As per the Treasury Board Secretariat’s Audit Criteria related to the Management Accountability Framework, the presence of an oversight body is important “to ensure that management’s direction, plans and actions are appropriate and responsible”.
An oversight body or an equivalent governance function is a critical element of its management control framework. A formal governance function, serving as an assertion of senior management commitment, formalizes the ownership of the Program by ensuring that accountabilities, roles and responsibilities are clearly defined and understood. Furthermore, it supports the Program by defining the required resources and competencies, and ensuring that they are sufficient to meet the objectives of the Program. It also sets the strategic direction of the Program which will become increasingly important considering the rising international trends to combat illegal, unreported and unregulated fishing through market-related measures such as catch and sustainability certification requirements.

Observations 6.1.1
Observations
Low Risk 6.1.1 While the program structure is defined for the Catch Certification Program, the governance structure to ensure adequate oversight and monitoring of the Program has not been formally defined.

The Catch Certification Program is comprised of two functions: the Catch Certification Operations and the Catch Certification Audit Office. Due to the recent departmental reorganization, the Catch Certification Operations, which includes the Integration and Planning Bureau and the Operations Centre, is now managed by the Licensing and Planning Directorate. The Catch Certification Audit Office operates within the Conservation and Protection Directorate. Both directorates are within the Ecosystems and Fisheries Management Sector.

The audit found that the program structure is well defined, however, the governance structure including responsibility for oversight and monitoring has not been formally defined.

While the Catch Certification Program was initially established to respond to the European Union Regulation, the Program was also expected to provide an effective technological and operational platform to facilitate Canada's ability to respond to emerging regulatory requirements for traceability from other countries. It is expected that other countries will put in place similar measures as those of the European Union. As such, the strategic direction for the Catch Certification Program should consider a long-term vision to ensure the Program can meet these future requirements.

As the governance structure has not been formally established for the Catch Certification Program, the Program may lack the strategic direction and senior management support to meet its objectives and future international requirements. A governance function will become more and more critical to ensure that the Catch Certification Program continues to support the Canadian fishing industry in accessing international markets in the future.

Recommendation / Management Action Plan
Recommendation Management Action Plan

R-1.    The Assistant Deputy Minister, Ecosystems and Fisheries Management Operations, should ensure that a governance structure is formally established to provide strategic direction and ensure the Catch Certification Program achieves its objectives.

The Catch Certification Program: Integration and Planning Bureau, in collaboration with the Catch Certification Audit Office, will coordinate the revision of the proposed governance structure and the approval of the Assistant Deputy Minister, Ecosystems and Fisheries Management Operations to formalize the Program’s governance structure by March 31, 2014.

Office of Primary Interest: Ecosystems and Fisheries Management Operations
Due Date: March 31, 2014

6.2  RISK MANAGEMENT

As per Treasury Board Secretariat's Audit Criteria Related to the Management Accountability Framework and Framework for the Management of Risk, risk management should be a formal, documented and institutionalized process that is tied to planning. The lack of sound risk management can result in increased program costs, missed opportunities, compromised program outcomes and loss of public trust.

Observations 6.2.1
Observations
Moderate Risk 6.2.1 While a risk assessment was conducted for the program, the program risks have not been reassessed since the inception of the Catch Certification Program in 2010. In addition, the Program lacks a formal risk management strategy to ensure that identified risks are mitigated and monitored on an ongoing basis.

At the inception of the Catch Certification Program in 2010, a Performance and Risk Framework was prepared which identified two key risks for the program:

  1. There is a risk that other fish product exporters and associated harvesters may also demand or require support to assist them in exporting their products.
  2. There is arisk that the Department may not be able to recruit and retain adequate skilled and knowledgeable staff for the Catch Certification Office and the audit team, therefore jeopardizing effective and efficient Catch Certificate Program delivery.

The audit revealed that these risks have not been reviewed since 2010 to determine if they remain relevant or to identify any emerging risks for the program. The audit confirmed that the human resources capacity risk remains a significant risk. Currently, the staff turnover rate for Certification Officers is 11.5 months. Interviews with some of the staff revealed that the factors contributing to the high turnover rate are the remote location of the Operations Centre and a perception that the positions are under-classified. The human resource capacity risk will become increasingly more significant in the future as demand for catch certification is expected to rise considerably. In addition, the audit found that there is a risk there may not be sufficient capacity in the Catch Certification Audit Office to fully perform the audit role because its role may be expanded beyond the Catch Certification Program as part of the proposed organizational changes under the Conservation and Protection National Fisheries Intelligence Service initiative. Also, delays in staffing key positions such as the Chief of Catch Certification Audit Office have impacted the ability of the Audit Office to perform post-issuance audits of catch certificates in a timely manner.

To mitigate the human resources capacity risk for the Catch Certification Operations Centre, measures have been implemented such as hiring casual employees and establishing an inventory of candidates to staff Certification Officer positions and possible Team Leader positions in the future. There is no evidence that a mitigation strategy has been developed to address the first risk, mentioned above, related to increased demand for services.

To ensure a cohesive risk management approach, there is a need to have a comprehensive risk management strategy that addresses the program risks identified for the Catch Certification Operations and those of the Catch Certification Audit Office. This would ensure an integrated approach to risk management for the Program.

Recommendation / Management Action Plan
Recommendation Management Action Plan

R-2.    The Assistant Deputy Minister, Ecosystems and Fisheries Management Operations, should ensure that risks of the Catch Certification Program are formally documented, assessed and managed in a coordinated manner.

The Catch Certification Program: Integration and Planning Bureau will review and update its Performance and Risk Framework, in collaboration with the Catch Certification Audit Office. The Integration and Planning Bureau will coordinate the approval of the Assistant Deputy Minister, Ecosystems and Fisheries Management Operations by August 2014.

Office of Primary Interest: Ecosystems and Fisheries Management Operations
Due Date: August 2014

6.3  PROGRAM INTEGRITY AND STEWARDSHIP

In an international effort to combat illegal, unreported and unregulated fishing, the European Union implemented a regulation that requires all fish products exported to the European Union to be accompanied by a catch certificate issued by the competent authority of the country of origin, which attests that the fish exports originated from legal sources. Furthermore, the European Union Regulation also included a clause to audit the catch certification scheme of the country.

Fisheries and Oceans Canada, as the competent authority of Canada, established the Catch Certification Program to ensure market access for the Canadian fishing industry. Thus, the Catch Certification Program must uphold its integrity and be able to provide a catch certification scheme that supports the industry's compliance with the European Union Regulation.

Observations 6.3.1
Observations
Moderate Risk

6.3.1 The catch certificate issuance process is largely dependent on manual controls and is inefficient because officers must consult various disparate systems and databases in order to process applications for catch certificates. Furthermore, the lack of secondary review makes the issuance process subject to potential errors and can increase the risk for fraudulent activity.

While the post-issuance audit process carried out by the Audit Office acts as another mechanism to monitor the activities of the catch certification issuance process, it is also inefficient and does not support timely corrective action.

The Operations Centre is responsible for the issuance of all catch certificates using the Fisheries Certification System, a web-based system that enables the industry to register and apply for catch certificates while allowing the Operations Centre to validate the submitted certificate application information and issue catch certificates accordingly. Located in Tignish, Prince Edward Island, the Operations Centre is comprised of the Operations Manager, two Team Leaders and the Certification Officers.

The catch certificate issuance process begins with the registration of companies in the Fisheries Certification System. Once registered, these companies must provide an original and signed Delegation of Authority document which identifies a representative for the company to act as the Applicant Manager.  Upon approval of the Delegation of Authority document by the Operations Centre, the company may proceed with an application for either a Standard, Group-based or Foreign Export catch certificate. If the company decides to apply for a Group-based catch certificate, an additional Request-for-Grouping sub-process to validate and confirm the legitimacy of the group is required prior to the application due to the higher risk involved in catches sourced by groups. Upon receipt of a completed certificate application, the Operations Centre verifies the information provided by the company against various sources such as databases, monitoring systems, and logbooks. The company is contacted if there are questions or if further information or clarification is required. Once validated, the catch certificate is issued.

There are currently 382 companies registered in the Fisheries Certification System. The audit team conducted a file review of a random sample of 20 registered companies to confirm that companies that did not submit signed original Delegation of Authority documents were subsequently locked out of the Fisheries Certification System. Of the 20 companies reviewed, 4 had not submitted signed original Delegation of Authority documents. Of these 4, 2 companies had been denied access to the Fisheries Certification System; 1 company was approved based on the receipt of a faxed copy of the signed Delegation of Authority; and 1 company did not have any company representative listed to access the Fisheries Certification System. The Operations Centre has since acted on the two companies that were not previously denied System access by requesting one company to submit its signed original Delegation of Authority document while denying System access to the other company.

Considering that the Applicant Manager is responsible to manage the company's account in the Fisheries Certification System, the company should provide proof that they authorize this individual to act on its behalf. The Delegation of Authority is a document signed by the Applicant Manager to attest that he/she assumes the responsibility to create, maintain and terminate access privileges to the System to other company employees.

The Fisheries Certification System serves as the first layer of control for the catch certification issuance process since the system has some automated controls to perform completeness checks for company registrations and field accuracy checks for submissions of online application forms. As an additional control embedded in the Fisheries Certification System, a red "Not a certificate" watermark appears when a certificate is printed prior to approval. At the end of the catch certification issuance process, the Fisheries Certification System generates a security code for the approved catch certificate. When approved, the catch certificate can only be printed once as the Fisheries Certification System prohibits the re-printing of catch certificates. The catch certificate is then presented to the European Union border officials who confirm the legitimacy of the catch certificate by verifying the security code on the Fisheries Certification System website.

The audit found that the process for issuing catch certificates is highly manual and inefficient. For example, the Fisheries Certification System only validates a few of the information fields provided in a certificate application, such as the vessel length to ensure that it is within the prescribed allowable length. To complete the application process, the Certification Officer needs to access various sources including regional databases, systems and third parties to validate the information provided in the certificate application. For example, to verify the validity of the species fished, the Certificate Officer would access regional databases to which the corresponding fishing license would attest.

Moreover, the entire catch certificate issuance process allows a client company to be registered and set up in the Fisheries Certification System, subsequently apply for a catch certificate and have it reviewed and approved from beginning to end by solely one Certification Officer. A secondary review is only performed by Team Leaders for standard catch certificates issued by new Certification Officers as part of their training and for grouping requests and declined catch certificate applications, of which there are currently none. However, Team Leaders can issue catch certificates entirely by themselves.

For the fiscal year 2012-2013, there were 14,890 catch certificates issued. Given the lack of secondary review, the audit team reviewed a random sample of 15 issued catch certificates to verify whether applications were processed correctly. Of the 15 catch certificates, the audit team only received complete documents for 10 certificates. Of these 10, the audit team found two samples where the certificate attested to the incorrect license number and therefore, incorrect allowable species.

The Operations Centre uses various sources to validate information provided in catch certification applications. To validate information related to vessels, the Operations Centre relies on different regional databases, whereas to validate species-related information, the Operations Centre relies on two sources of information: the Common Language Application Management System database, and the Catch Validation Management Table. The Common Language Application Management System is a Departmental database that provides precise terms and codes applicable to unique data items within Departmental databases such as species biological names. The Catch Validation Management Table is an Excel spreadsheet that must be exported from the Fisheries Certification System to be updated manually by staff at the Operations Centre and Integration and Planning Bureau before being re-imported into the System. The information in the Catch Validation Management Table is based on the Integrated Fisheries Management Plans, which are generally published on the Departmental website. Updating the Catch Validation Management Table is a manual process that, even with the inclusion of secondary review, remains vulnerable to errors. The audit team selected a random sample of 19 species descriptions from the Catch Validation Management Table to determine the accuracy of its information, but was able to perform the review of only 2 descriptions due to the lack of access to the Integrated Fisheries Management Plans. However, for the 2 descriptions that could be reviewed, 1 had incorrect catch start and end dates for the catch area.

The Audit Office plays a direct role in upholding the integrity of the Catch Certification Program by ensuring that the information provided by clients at the time of application is true, accurate, and complete. The post-issuance audit process of catch certificates involves developing a risk-based annual audit strategy and annual audit plan using risk matrices to determine the list of audits to be completed for the coming year.

The audits involve contacting the exporter and the fishers for information to validate the catch certificates. The audits also involve reviewing various Conservation and Protection databases and intelligence sources, such as the Departmental Violations System and Major Case Management Coordinators, and using network software to identify links and relationships to determine that the information provided to obtain a catch certificate is true, accurate, complete, traceable and caught in compliance with acts and legislation. The audits require a lot of time and effort to complete.   However, the Audit Office is working on having an audit module incorporated into the Fisheries Certification System by December 2013 to automate some elements of the post-issuance audit process to make the process more efficient and improve the data quality controls and access of the information used by the Audit Office.

The Audit also found that the Audit Office has an effective quality assurance program to ensure that the post-issuance audit process is conducted appropriately and consistently. For example, templates and procedures are used to standardize the post-issuance audit process, and audit reports are peer reviewed before they are signed-off by the Intelligence Supervisor. 

Results of the audit reports are forwarded to the National Manager, who subsequently shares the results with the Operations Centre for corrective action. However, as the current audit cycle is behind schedule by at least one calendar year, the errors found may not enable timely corrective action. For irregularities that may signal actions that contravene the Fisheries Act, the Audit Office notifies the Conservation and Protection units in the regions for further investigation. For administrative errors, such as deficiencies in the information provided by the exporter, the Program drafted the Administrative Follow-Up Procedures to provide direction on how remedial action will be taken to correct any issues identified in the post-issuance audits. The Administrative Follow-Up Procedures have recently been approved by senior management, and are pending implementation by January 2014.

Recommendation / Management Action Plan
Recommendation Management Action Plan

R-3.    The Assistant Deputy Minister, Ecosystems and Fisheries Management Operations, should ensure that the controls in the catch certificate issuance process are strengthened and include at a minimum:

  • Expanding the range of automated controls within the Fisheries Certification System where feasible;
  • Implementing secondary review of catch certificate applications;
  • Requiring registered companies to provide proof of representation for the Applicant Manager to act on their behalf; and
  • Ensuring that the information from the Integrated Fisheries Management Plans is accurately imported into the Fisheries Certification System.
  • The Catch Certification Program: Integration and Planning Bureau is currently working on building additional automation functions in the Fisheries Certificate System to create efficiencies in the process of validation and approval of catch certificate applications. The Program has made continuous improvements to the system since January 2010 and will continue to work on creating system efficiencies and control points. The Program is currently working on creating a link to the National Online Licensing System or regional licensing databases to validate vessel and fishing licence information. The Program is conducting feasibility analysis to determine cost and effort, the system work is pending funding confirmation.
  • The Catch Certification Program: Operations Centre will develop a process for secondary review of catch certificate applications, with a target implementation of September 2014.
  • The Catch Certification Program: Operations Centre will explore options to ensure that evidence is received by the Operations Centre when a company submits a registration request in the Fisheries Certificate System. The Operations Centre will develop a procedure and standard criteria for the Applicant Manager of the company to submit proper evidence of their authority within the company, with a target implementation of September 2014.
  • The Catch Certification Program: Operations Centre will develop a standard operating procedure to update the Fisheries Certificate system with relevant information from the Integrated Fisheries Management Plans, with a target implementation of September 2014.
Office of Primary Interest: Ecosystems and Fisheries Management Operations
Due Date: September 2014
Recommendation / Management Action Plan
Recommendation Management Action Plan

R-4.    The Assistant Deputy Minister, Ecosystems and Fisheries Management Operations, should assess the Administrative Follow-Up Procedures upon their implementation to ensure that they support timely corrective actions.

  • The Catch Certification Audit Office audit cycle consists of conducting audits of certificates issued the previous calendar year. This cycle was opted due to two main reasons:
    • The audit target selection is based on a risk-managed process, which considers a number of pertinent factors such as exported species by volume and value, number of certificates issued per exporter, and level of exporter and supplier compliance.  Basing the risk matrix on data from the current year would provide inaccurate audit targets.
    • Some of the supporting information that is obtained from various Conservation and Protection databases and that is required to properly conduct the audits would not be available.
  • The Catch Certification Program: Integration and Planning Bureau, in collaboration with the Catch Certification Audit Office, completed the development of Administrative Follow-up Procedures to address deficiencies found through post-issuance audits of catch certificates. These Procedures may require the Catch Certification Audit Office to conduct audits of certificates issued in the current year, in addition to the certificates already identified through the risk matrix. Implementation of the Procedures will begin in January 2014.
Office of Primary Interest: Ecosystems and Fisheries Management Operations
Due Date: January 2014

6.4  CITIZEN-FOCUSED SERVICES

As per the Treasury Board Secretariat's Audit Criteria related to the Management Accountability Framework, the “Citizen-focused Service” element emphasizes the importance that services should be citizen-centered and policies and programs should be developed from the outside in. The Framework also outlines that information technology should be leveraged, where feasible, to enhance user service and access. Furthermore, Treasury Board Secretariat's Guidelines on Service Standards highlight the importance of establishing service standards to “reinforce government accountability by making performance transparent, and increase the confidence of Canadians in government by demonstrating the government's commitment to service excellence”.

Observations 6.4.1
Observations
Medium  Risk

6.4.1 A Service Level Agreement between the Ecosystems and Fisheries Management Sector and the Regional Headquarters of the Gulf Region to clarify responsibilities for the delivery of services to the Operations Centre was signed in 2011. While some performance indicators are articulated in the Service Level Agreement, there is no mechanism for the Program to ensure that the Operations Centre is receiving the level of service outlined in the Agreement or to provide issue resolution.

While the Fisheries Certification System and its issuance process have been deemed mission critical functions, the Business Continuity Plan is currently not yet approved.

The Catch Certification Operations is mainly responsible for issuing valid catch certificates in a timely manner. As part of the service delivery, the program put in place the following: a web-based application called the Fisheries Certification System; a Program website that includes instructions and a "Frequently Asked Questions" section; and an Operations Centre to issue catch certificates and assist users in submitting their catch certificate requests. As the Operations Centre provides services to exporters from across Canada, standard business hours were established to accommodate multiple time zones, seven days a week. There is also an additional provision for after-hours urgent requests. Service standards are established for each type of request and posted in the "Frequently Asked Questions" section of the Program’s website. The Catch Certification Program also seeks users’ feedback through their annual client satisfaction surveys. Based on the results of the 2012 client survey, 94.7% of clients were satisfied with the hours of service and 87.7% were satisfied with the services provided.

The Operations Centre developed various tools such as standard operating procedures, guides and training modules to support the Certificate Officers in meeting these service standards. A Quality Management Framework also provides both a step-by-step guide on how to provide service as well as the basis on how Certification Officers are to be monitored and evaluated. Certification Officers are evaluated on a monthly basis by the Team Leaders and the results are reviewed and consolidated by the Operations Manager and shared with the National Manager, Integration and Planning Bureau. While the responsibilities of the Team Leaders are outlined in the same Quality Management Framework, the basis for evaluating their work is currently under development.

To enhance user service and access, the Catch Certification Program has leveraged information technology through the development of the Fisheries Certification System, a web-based system with built-in functionality to permit validation of information and issuance of certificates as well as online chat and email support for clients applying for certificates. The Fisheries Certification System was developed by the Catch Certification Operations through the use of consultants. The system is based on European Union requirements and is currently maintained by a third party. Continuous improvements are being made based on industry feedback and suggestions from the Operations Centre as well as potential new international certification requirements. While the daily operations are processed in Tignish, Prince Edward Island, the System upon which the operations depend, resides on a server located in Ottawa. The network pathway is Ottawa-Dartmouth-Tignish for business continuity planning purposes as the backup server is in Dartmouth. Based on interviews with the Operations Centre staff, the network can become very slow. Based on the 2012 client satisfaction survey, 50.9% of users suggested that some improvement could be made to speed up the System's response time and 53.2% found that the speed of the System was slower than that of other websites. During interviews, employees at the Operations Centre have also indicated that the slow network speed and the lack of reliability of the network affects their ability to conduct their work. As the certificate issuance process requires that information provided by companies be verified by the Operations Centre using multiple regional databases as well as other government websites, network speed is again reduced. Considering the anticipated growing demand for certificates, this may impact the ability of the Operations Centre to meet service standards in the future.

The Operations Centre in Tignish is part of the Gulf Region. The Gulf Region Headquarters located in Moncton, New Brunswick, provides corporate services such as compensation, real property, and safety and security as well as information technology support to the Operations Centre in Tignish. While conducting fieldwork, the audit team observed that the Gulf Region Headquarters does not provide the support services, as per the service level agreement, to the Operations Centre. For example, the audit team noted that approximately half of the Operations Centre staff do not have an access and identification card, which is a federal government requirement to ensure the safety and security of its staff, assets and information.

In 2011, the Assistant Deputy Minister of the Ecosystems and Fisheries Management Sector entered into a Service Level Agreement with the Regional Director General of the Gulf Region to clarify responsibilities for the delivery of services to the Operations Centre. The Service Level Agreement outlines the responsibilities of the Regional Headquarters of the Gulf Region by describing the types of services the Regional Office would provide along with the corresponding performance indicators, when applicable.

Standard information management and technology services, such as desktop support, are also provided by the Regional Headquarters of the Gulf Region. As additional or optional services beyond the common services are not covered under this Service Level Agreement, a separate Service Level Agreement between the Assistant Deputy Minister of the Ecosystems and Fisheries Management Sector and the Chief Information Officer, Information Management and Technology Services was also signed in 2011 to provide specific support to the Fisheries Certification System. While the audit team noted that the Terms and Conditions of the Service Level Agreement with Information Management and Technology Services include clauses such as Service Quality Review, Service Support Escalation and a Dispute Resolution to ensure that the Operations Centre is receiving the level of service outlined in the Agreement or to provide issue resolution, such mechanisms are not outlined in the Service Level Agreement with the Regional Headquarters of the Gulf Region.

The Catch Certification Program's Fisheries Certification System and its issuance process have been deemed a mission critical function, and as such require a Business Continuity Plan approved by senior management. In 2010, a manual back-up process was included in the Operations Centre's standard operating procedures. This process allows the Operations Centre to continue its operations via fax or email during an outage. An interim certificate would be issued to the company and then reconciled with an official one when the System is back in operation. Additionally, the Operations Centre remains available to answer European Union officials’ certificate authentication enquiries during any outages. Furthermore, as Tignish experiences frequent power outages, a generator was installed. However, this manual back-up process only addresses instances of the Fisheries Certification System outages as opposed to all-hazard emergency situations such as a localized disaster. While the Integration and Planning Bureau in the National Capital Region has officers capable of issuing certificates, they still require extensive coordination with the Operations Centre. At the time of the audit, a draft Business Continuity Plan for the Catch Certification Program was submitted to senior management for their review.

Recommendation / Management Action Plan
Recommendation Management Action Plan

R-5.    The Assistant Deputy Minister, Ecosystems and Fisheries Management Operations, should ensure that, in light of the anticipated growing demand for certificates:

  • the Service Level Agreement with the Regional Headquarters of the Gulf Region is periodically reviewed to ensure that the Operations Centre is receiving an adequate level of service to meet its service standards; and
  • the Business Continuity Plan of the Catch Certification Program is finalized, approved and implemented.
  • The Catch Certification Program: Integration and Planning Bureau will propose an annual review process to update the Service Level Agreement with the Regional headquarters of the Gulf Region to ensure that the Operations Centre receives adequate services to meet its service standards. The Integration and Planning Bureau will conduct the annual review at the beginning of each fiscal year, starting in April 2014.
  • The Catch Certification Program: Integration and Planning Bureau is currently finalizing its Business Continuity Plan for approval, with a target to implement by April 2014.
Office of Primary Interest: Ecosystems and Fisheries Management Operations
Due Date: April 2014

7.0  AUDIT OPINION

Based on the audit findings, the overall conclusion is that, the Catch Certification Program has controls processes in place to support the Canadian fisheries industry in meeting the European Union Regulation while upholding its integrity. However, controls should be strengthened for the key business processes of the Program and improvements should be made in the areas of program governance, risk management, and citizen-focused service to ensure that the Catch Certification Program is strategically positioned to meet future international requirements. More specifically, the recommended improvements are as follows:

  • Formally establish and maintain a governance structure to provide strategic direction and to ensure the Catch Certification Program achieves its objectives;
  • Formally document, assess, and manage the risks of the Catch Certification Program in a coordinated and cohesive manner;
  • Strengthen the controls in the catch certificate issuance process by including, at a minimum, the following:
    • Expanding the range of automated controls within the Fisheries Certification System, where feasible;
    • Implementing secondary review of catch certificate applications;
    • Requiring registered companies to provide evidence of authorization for the Applicant Manager to use the Fisheries Certification System on their behalf; and
    • Ensuring that the information from the Integrated Fisheries Management Plans is accurately imported into the Fisheries Certification System.
  • Assess the Administrative Follow-Up Procedures upon their implementation to ensure that they support timely corrective actions;
  • Periodically review the Service Level Agreement with the Regional Headquarters of the Gulf Region is to ensure that the Operations Centre is receiving an adequate level of service to meet its service standards; and
  • Finalize, approve, and implement the Business Continuity Plan of the Catch Certification Program.

8.0  STATEMENT OF CONFORMANCE

In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The extent of the examination was planned to provide a reasonable level of assurance with respect to the audit criteria. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed on with Management. The opinion is applicable only to the entity examined and within the scope described herein. The evidence was gathered in compliance with the Treasury Board Policy and Directive on Internal Audit. The audit conforms with the Internal Auditing Standards for the Government of Canada, as supported by the results of the Quality Assurance and Improvement Program (QAIP). The procedures used meet the professional standards of the Institute of Internal Auditors. The evidence gathered was sufficient to provide Senior Management with proof of the opinion derived from the internal audit.

APPENDIX A – AUDIT CRITERIA

Based on a combination of the evidence gathered through documentation examination, analysis and interviews, each of the audit criteria listed below was assessed and a conclusion for the audit criteria was determined using the following definitions:

appendix a - audit criteria
  Conclusion on Audit Criteria Definition of Opinion
1

Criteria Met – Well Controlled

Well managed or no material weaknesses noted, controls are effective.

2

Criteria Met with Exceptions – Controlled

Requires minor improvements.

3

Criteria Met with Exceptions – Moderate Issues

Requires improvements in the areas of material financial adjustments, some risk exposure.

4

Criteria Not Met – High Impact – Significant Improvements

Requires significant improvements in the area of material financial adjustments, serious risk exposure.

The following are the audit criteria and examples of key evidence and/or observations noted which were analyzed and against which conclusions were drawn.  In cases where significant improvements and/or moderate issues were observed, these were reported in the audit report.

audit criteria examples of key evidence
Audit Criteria Conclusion on Audit Criteria Examples of Key Evidence/ Observations
Line of Enquiry 1 – Program Integrity and Stewardship
Criterion 1.1:  Adequate controls and processes are in place to support the integrity of the catch certification issuance process in meeting the European Union Regulation 3 6.3.1
Criterion 1.2: The post-issuance audit strategy is effective and efficient to support timely corrective actions  2 6.3.1
Line of Enquiry 2 – Citizen-focused Service
Criterion 2.1:  Adequate controls and processes are in place to facilitate the provision of timely, accurate and consistent services to support the Canadian fisheries industry 3 6.4.1
Line of Enquiry 3 – Governance and Strategic Direction
Criterion 3.1:  Governance functions and oversight bodies are in place and have defined a strategic direction for the Program that is communicated and understood by key stakeholders 2 6.1.1
Criterion 3.2:  Adequate strategic planning for future requirements is being carried out 3 6.2.1