2015 Fall Reports of the Auditor General of Canada Canadian Air Transport Security Authority—Special Examination Report—2015

This report reproduces the special examination report that the Office of the Auditor General of Canada issued to the Canadian Air Transport Security Authority on 1 June 2015. The Office has not performed follow-up audit work on the matters raised in this reproduced report.

As the report contained information classified as “secret,” such information has been redacted for the public report, indicated by *** in the text. The Office of the Auditor General of Canada has reviewed the redactions and finds them to be reasonable.

Special Examination Opinion

To the Board of Directors of the Canadian Air Transport Security Authority

1. In my opinion, based on the criteria established, there is reasonable assurance that during the period covered by the examination there were no significant deficiencies in the Canadian Air Transport Security Authority’s systems and practices that we selected for examination. The Canadian Air Transport Security Authority (the Corporation) has maintained these systems and practices in a manner that provides it with reasonable assurance that its assets are safeguarded and controlled, its resources are managed economically and efficiently, and its operations are carried out effectively.

2. Screening operations. Overall, we found that the Corporation had systems and practices in place to ensure that the delivery of screening services was effective, efficient, and consistent across Canada, and in the public interest. We also found that the Corporation had systems and practices to ensure that screening services met regulatory requirements. However, we noted weaknesses in relation to the communication of changes in screening procedures to screening officers and the oversight of screening officers’ training.

3. Strategic planning, risk management, performance measurement and reporting. Overall, we found that the Corporation defined strategic directions to achieve its mandate, taking into account government priorities, identified risks, and the need to control and protect its assets and manage its resources economically and efficiently. However, we found areas for improvement. The Corporation did not complete branch plans as part of the 2014–15 fiscal year corporate planning process, its risk management practices needed improvement, and the framework around performance measurement was not documented.

4. Procurement and contracting management. Overall, we found that the Corporation had systems and practices in place to exercise effective oversight and due diligence in the structuring, awarding, and approving of contracts, including a clear accountability framework. The Corporation also effectively administered contracts to ensure that third-party service providers complied with contract terms and conditions. We found that the Corporation could improve on some of its procurement and contracting practices.

5. Equipment management. Overall, we found that the Corporation had systems and practices in place to effectively and efficiently manage its screening equipment. The Corporation planned for the replacement of its screening equipment, performed operational testing on screening equipment, and monitored the maintenance it outsourced to third parties.

6. Project management. Overall, we found that the Corporation had systems and practices in place to plan, organize, and control resources to accomplish project objectives and outcomes. However, while the Corporation established project management processes, they were not always followed, and guidance and a methodology on how to carry out projects were not developed. In addition, project management roles and responsibilities were clear, but the oversight of projects needed strengthening in some areas.

7. Corporate governance. Overall, we found that the Corporation had in place key elements of a well-performing governance framework that meets the expectations of best practices in board stewardship, shareholder relations, and communications with the public. However, we found that there was room for improvement in some areas.

8. The rest of the report provides an overview of the Corporation and more detailed information on our findings and recommendations. The Corporation agrees with all of the recommendations. Its detailed responses follow the recommendations throughout the report.

9. Under section 131 of the Financial Administration Act (FAA), the Canadian Air Transport Security Authority is required to maintain financial and management control and information systems and management practices that provide reasonable assurance that its assets are safeguarded and controlled; its financial, human, and physical resources are managed economically and efficiently; and its operations are carried out effectively.

10. Section 138 of the FAA also requires the Corporation to have a special examination of these systems and practices carried out at least once every 10 years.

11. Our responsibility is to express an opinion on whether there is reasonable assurance that during the period covered by the examination—from September 2013 to October 2014—there were no significant deficiencies in the Corporation’s systems and practices that we selected for examination.

 

[Original signed by]

Maurice Laplante, CPA, CA
Assistant Auditor General
for the Auditor General of Canada

14 May 2015
Ottawa, Canada

Introduction

Background

12. The Canadian Air Transport Security Authority (also referred to as the Corporation) was established under the Canadian Air Transport Security Authority Act (also referred to as the CATSA Act) on 1 April 2002. It is a Crown corporation that reports to Parliament through the Minister of Transport (the Minister) and it is governed by the control and accountability regime established under Part X of the Financial Administration Act. The Corporation is also subject to other legislation, including the Aeronautics Act, the Access to Information Act, the Privacy Act, and the Official Languages Act.

13. The mandate of the Corporation is to take actions, either directly or through a screening contractor, for the effective and efficient screening of

Restricted areas are those established under the Aeronautics Act at an aerodrome designated by the regulations or at any other place that the Minister may designate. The Corporation is responsible for ensuring consistency in the delivery of screening across Canada and must carry out its responsibilities in the public interest, with due regard to the interest of the travelling public. During the period covered by our examination, there were 89 designated airports across Canada.

14. As a result of the mandate and responsibilities assigned to it, the Corporation provided security in four areas during the period covered by the examination:

15. The Corporation delivered screening services using contracted service providers. It administered four contracts with three private sector companies. Each contract covered one of four administrative regions (Pacific, Prairies, Central, East). The Corporation had regional personnel in place to manage daily operations and oversee service providers’ management. Personnel were also responsible for training, coaching, and certifying screening officers and representing the Corporation’s interests with key stakeholders at the airports. These included airport authorities, air carriers, and screening contractors.

16. Responsibility for civil aviation security in Canada is shared among several federal government departments and agencies, air carriers, and airport operators. Under the Aeronautics Act, the Minister of Transport is responsible for the development and regulation of aeronautics and the supervision of all matters related to aeronautics. As the lead federal government department responsible for aviation security, Transport Canada develops policies and regulations, and conducts oversight activities to ensure that industry and the Canadian Air Transport Security Authority are meeting their obligations. Transport Canada is also responsible for verifying Canada’s compliance with international obligations such as those set by the International Civil Aviation Organization.

Focus of the audit

17. Our objective for this audit was to determine whether the systems and practices we selected for examination at the Canadian Air Transport Security Authority were providing it with reasonable assurance that its assets were safeguarded and controlled, its resources were managed economically and efficiently, and its operations were carried out effectively. We selected systems and practices based on our assessment of risks in the following areas:

18. We did not examine human resources management, with the exception of succession planning for senior and regional management.

19. More details about the audit objectives, scope, approach, systems and practices examined, and criteria are in About the Audit at the end of this report.

Findings, Recommendations, and Responses

Previous special examination

20. Our 2006 special examination of the Canadian Air Transport Security Authority was the first special examination undertaken on the systems and practices of the Corporation. In our report, we noted two significant deficiencies in the systems and practices we examined, which led us to conclude that the Corporation did not have the reasonable assurance required under Part X of the Financial Administration Act.

21. Our 2006 report included 44 recommendations that were considered as part of our current audit work. Of these recommendations, 9 were linked to the two significant deficiencies we identified. We found that 7 of them had been addressed, 1 was no longer applicable, and 1 had been partially addressed. As a result, we concluded that the two significant deficiencies had been addressed.

Screening operations

22. Overall, we found that the Corporation had systems and practices in place to ensure that the delivery of screening services was effective, efficient, and consistent across Canada, and in the public interest. We also found that the Corporation had systems and practices to ensure that screening services met regulatory requirements. However, we noted weaknesses in relation to the communication of changes in screening procedures to screening officers and the oversight of screening officers’ training.

23. This is important because the delivery of screening services is at the heart of the Corporation’s mandate and is critical to aviation security in Canada.

24. Screening services and other related costs totaled $405 million in the 2014–15 fiscal year. Screening contractors employed more than 5,500 screening officers as of October 2014.

The Corporation developed and communicated screening procedures, but the communication of changes needed improvement

25. We found that the Corporation defined screening procedures in accordance with regulatory requirements. We also found that screening procedures were communicated to screening officers but that the communication of changes in procedures needed improvement.

26. Our analysis supporting this finding discusses

27. This finding matters because the Corporation must develop and effectively communicate screening procedures to ensure regulatory requirements are appropriately implemented.

28. Our recommendation in this area of examination appears at paragraph 32.

29. Regulatory requirements. We examined 35 articles from Transport Canada’s regulatory requirements applicable to the Corporation, and we found that the requirements were adequately reflected in the Corporation’s standard operating procedures for screening.

30. Communication of operating procedures. Standard operating procedures were communicated to screening officers through their initial training. Screening contractors were then committed to communicate daily any changes in procedures to the screening officers, notably through shift briefings. The Corporation measured and scored the screening contractors’ compliance with this commitment on a monthly basis. We examined 16 of those scores (four months randomly selected for the four regions). We found that screening contractors did not meet their commitment as the compliance score was less than 70 percent in 4 cases, between 70 percent and 79 percent in 6 cases, and between 80 percent and 91 percent for the remaining 6.

31. Procedures to manage security incidents. The Corporation developed procedures to manage security incidents, which included the process to follow when either a critical or a non-critical incident arose. We examined whether these procedures were followed and found that they were, except that the screening contractor often did not submit security incident reports once the incident was resolved. We encourage the Corporation to consider revising its procedures to require obtaining these reports before closing incident case files.

32. Recommendation. The Corporation should revise its practices to ensure that changes to screening procedures are communicated to screening officers.

The Corporation’s response. Agreed. Management will improve how procedural changes are communicated to screening officers. The Corporation will leverage and enhance its existing educational toolkit, as well as review the delivery mechanisms, for the maximum benefit of screening officers. The format of the standard operating procedures (SOP) and bulletin release process will be enhanced, and SOP changes will be better complemented by existing and new products (e.g. training curriculum, job aids, shift briefings). In parallel, the Corporation will review the process for monitoring the knowledge saturation levels of screening officers across the national system. These improvements will be completed by 30 June 2016.

Training, certification, and oversight programs were in place but certain components needed improvement

33. We found that the Corporation had a program to train and certify screening officers, which operated in conjunction with an oversight and testing program to identify and address individual performance issues. However, we found that the Corporation needed to improve how it ensured that all elements of the training program were delivered and completed as required. We also found that the tool to track screening officers’ training history and qualifications had data integrity issues that were not systematically identified and corrected.

34. Our analysis supporting this finding discusses

35. This finding matters because training and oversight are essential to ensure that screening officers are properly equipped to identify and prevent threats from entering restricted areas of an airport. Under the CATSA Act, the Corporation is responsible for establishing criteria for the qualifications, training, and performance of screening officers. It is also responsible for certifying that screening officers meet these criteria.

36. Our recommendation in this area of examination appears at paragraph 49.

37. National Training and Certification Program (NTCP). The Corporation adopted a “shared model for training,” which meant that it shared responsibility with the screening contractors for delivering and assessing the various components of the training and certification program. The NTCP included the following components:

Component | Description
Initial training—Screening Officer Foundations Program | Basic pre-board screening training that must be completed by all new recruits. This program contained three parts for which two were delivered by screening contractors: basic training and on-the-job training.
Additional training | Additional training required to perform different screening functions, such as hold-baggage screening. This included an on-the-job training part delivered by the screening contractors.
Recurrent Learning Program (RLP) | Annual continuous learning program required for screening officers to maintain their certifications.
Refresher training | Training provided to individual screening officers to address gaps identified in their skills and knowledge.

38. Initial training—Screening Officer Foundations (SOF) Program. We examined 65 screening officers randomly selected from the total population of 5,243 as of 16 April 2014, and we found that requirements of the SOF Program had been met by the screening officers. However, we found that the Corporation did not oversee the completion of the on-the-job training part to satisfy itself that screening contractors delivered it appropriately.

39. Additional training. Using the same 65 screening officers as noted in the previous paragraph, we found that those who were certified to screen hold baggage had completed the additional training requirements, which included classroom and on-the-job training. However, as with the SOF Program, we found that the Corporation did not oversee the completion of the on-the-job training part that was delivered by screening contractors.

40. Recurrent Learning Program (RLP). The RLP ran from 1 July to 30 June each year. The pre-board screening RLP was divided into three parts:

Component | Description
Quarterly completion of e-modules | Self-directed electronic learning modules dealing with specific screening topics.
Annual review of qualifications | An online assessment exercise released in the last quarter of the training year.
Regular progress each quarter through X-ray Tutor (XRT) levels | Image recognition software designed to improve screening officers’ abilities to identify threat items on x-ray and to respond appropriately. The software contains multiple levels with increasing difficulty.

41. We found that the first two components of the RLP (quarterly e-modules and the annual review of qualifications) started only in the training year after initial certification. This timing meant that if a screening officer was certified on 15 July 20X1, the first e-module needed to be completed only in the July–September 20X2 quarter (almost one year later), and the annual review would be completed only by 30 June 20X3 (almost two years later). We encourage the Corporation to consider enrolling newly certified screening officers in these components of the Recurrent Learning Program in the quarter immediately following their certification.

42. The screening contractors were responsible for scheduling time for screening officers to complete their Recurrent Learning Program requirements. For the period of July 2013 to June 2014, we found that the quarterly e-modules and the annual review of qualifications components of the pre-board screening RLP were completed. However, we found that 11 percent of active screening officers had not completed the X-ray Tutor component. Since the RLP was in place to ensure that screening officers maintain their certifications, it is important for the Corporation to oversee that screening officers complete the requirements and to take appropriate actions when they have not.

43. Refresher training. The Corporation identified screening officers in need of refresher training through various means, including its oversight of screening officers’ compliance with screening procedures (discussed in paragraphs 46 to 48). We found that the Corporation used a “performance event” process to identify and document performance gaps. A performance event occurred when a screening officer

44. The process required that performance events be documented in a performance event report. This report included a performance improvement plan that outlined any refresher training required to address the gap. We examined 45 performance event reports from the total of 1,407 reports issued between September 2013 and May 2014. We found that screening officers completed refresher training included in the performance improvement plans and underwent a skills assessment at the completion of the training.

45. Learning Management System (LMS). The Corporation used an LMS to record and track the training history and certification status of screening officers. The LMS fed into systems used for screening officers’ time tracking and related invoicing, and these systems relied on the LMS to validate that screening officers possessed current and proper qualifications. The Corporation also used the LMS to deliver training material electronically. We found that the LMS had data integrity issues, such as duplicate records, incorrect enrollment and completion dates, and missing course components.

46. Oversight of compliance with screening procedures. The Corporation developed an Oversight and Continuous Improvement Program, which included components to improve operational performance and consistency of screening services across airports. These components included a Core Oversight Program and a Contract Compliance Program (discussed in paragraphs 96 and 97).

47. The Corporation put the Core Oversight Program in place to monitor and measure compliance with standard operating procedures by daily observing screening operations. The Corporation’s data collection methodology provided guidance on frequency, sample size, measurement criteria, and grading of results. We found that the Corporation followed its methodology for collecting and recording data, with the exception of sample sizes. ***. We encourage the Corporation to consider reviewing whether the sample sizes in its methodology are still appropriate and can be collected.

48. In addition to the Oversight and Continuous Improvement Program, the Corporation

We examined each of these activities and found that they were performed continually to assess screening officers’ ability to detect threats.

49. Recommendation. The Corporation should

The Corporation’s response. Agreed. Management will strengthen its oversight of the Recurrent Learning Program and on-the-job training components of the National Training and Certification Program through the national deployment of a new program to oversee screening contractors’ delivery of training. This initiative is underway and will be implemented by 30 September 2015. In addition, the Corporation will proceed with the planned upgrade or replacement of its Learning Management System (LMS) to ensure that appropriate controls exist and that data included in the LMS is accurate and complete. This is underway and will be completed by 31 March 2017.

The Corporation monitored staffing levels of screening officers and potential screening contractors’ labour disruptions

50. We found that the Corporation monitored that screening contractors maintained a sufficient workforce to deliver the required screening services. The Corporation also monitored potential screening contractors’ labour disruptions.

51. Our analysis supporting this finding discusses

52. This finding matters because an insufficient workforce may increase demands on screening officers. Higher demands could cause fatigue and thereby increase the likelihood that screening officers fail to detect threats. As screening services could be impacted, it is important that the Corporation monitors screening contractors’ potential labour disruptions.

53. We made no recommendations in this area of examination.

54. Staffing level planning. Screening contractors were responsible for providing sufficient personnel to deliver screening services. We examined whether the Corporation monitored the screening contractors’ staffing levels. We found that it did so by

The Corporation also closely monitored screening personnel turnover rates by obtaining monthly reports from screening contractors that detailed hires and departures of screening personnel. As a result, we found the Corporation’s monitoring of screening contractors’ staffing levels to be appropriate.

55. Monitoring potential screening contractors’ labour disruptions. We examined what measures the Corporation had to mitigate the risk of screening contractors’ labour disruptions. We found that the Corporation developed and tested its own Emergency Response Plan for potential screening contractors’ labour disruptions and monitored labour relations between screening contractors and their unions.

The Corporation worked collaboratively with its regulator, Transport Canada, and with other key stakeholders

56. We found that the Corporation employed multiple channels of communication to manage its relationships with Transport Canada and other key stakeholders including screening contractors, airports, airlines, and passengers.

57. Our analysis supporting this finding discusses

58. This finding matters because to meet its mandate, the Corporation must work collaboratively with the regulator, other partners in Canada’s civil aviation security sector, and screening contractors. In addition, a positive public reputation helps the Corporation to maintain its credibility.

59. We made no recommendations in this area of examination.

60. Relationship management with Transport Canada. The Corporation interacted continually with its regulator, Transport Canada, across various levels and functions, using both formal and informal methods of communication. These interactions included, for instance, coordinating on regulatory matters and exchanging information on emerging security threats and risks. The Corporation also documented its process to assess and communicate the impact of emerging risks and threats on operations.

61. Relationship with screening contractors. The Corporation employed formal and informal avenues to communicate and manage its relationship with screening contractors locally, regionally, and nationally. The Corporation’s regional performance teams and the screening contractors’ regional management met weekly or biweekly to share performance information. Nationally, a Relationship Management Plan Steering Committee was in place, composed of executives and senior managers from the Corporation and from each screening contractor. This committee met three times a year to discuss performance management, scheduling, communications, passenger experience, and training. We found these means appropriate for the Corporation to effectively manage its relationship with screening contractors.

62. Airport and airline relations. We found that the Corporation employed both formal and informal mechanisms to interact and manage relations with the personnel of airport authorities and airlines. We also found that the Corporation had a list of items to collaborate on with the largest airport authorities and that achievements were assessed quarterly.

63. Passenger, non-passenger, and media relations. We found that the Corporation had a communications team to collect, document, and address complaints, claims, and inquiries from passengers, non-passengers, and the media. We also found that the communications team reported the number and nature of complaints to senior management and the Board of Directors.

Strategic planning, risk management, performance measurement and reporting

64. Overall, we found that the Corporation defined strategic directions to achieve its mandate, taking into account government priorities, identified risks, and the need to control and protect its assets and manage its resources economically and efficiently. However, we found areas for improvement. The Corporation did not complete branch plans as part of the 2014–15 fiscal year corporate planning process, its risk management practices needed improvement, and the framework around performance measurement was not documented.

65. This is important because strategic planning, risk management, and performance measurement assist the Corporation in achieving its legislated objectives and mandate. Performance measurement is also important for informed decision making and accountability reporting.

66. The Corporation’s business planning process contained three key steps: risk analysis and strategy setting, strategic planning, and branch planning. The output related to the first step was the Corporate Risk Profile, while the strategic planning generated a Corporate Plan that contained priorities, strategic initiatives, and performance objectives and measures. To assist in preparing the Corporate Plan, the Corporation’s various functional areas or “branches” (for example, human resources and service delivery) prepared plans, which were used to prioritize branch projects. The Corporation also produced an annual report to publicly communicate results, which described how well it met performance objectives and measures set in its Corporate Plan.

The Corporation did not follow its business planning process, but had most elements in place to manage corporate risks

67. We found that the Corporation’s business planning process was not followed for the 2014–15 fiscal year and that, specifically, branch plans were not produced. We also found that the Corporation identified and measured risks for impact and likelihood, and listed measures to mitigate these risks. However, the Corporation did not determine its response to each residual risk. (Residual risks are those that remain after measures have been put in place to mitigate a risk.) Also, we found that the Corporation needed to improve its monitoring of mitigation measures and its management of information technology risks.

68. Our analysis supporting this finding discusses

69. This finding matters because branch plans were to be used to realize the priorities and strategic initiatives outlined in the Corporate Plan. It also matters because failure to properly manage risks could result in consequences for the travelling public, ranging from delays to safety concerns.

70. Our recommendation in this area of examination appears at paragraph 77.

71. Implementing the business planning process. We found that the first two steps of the Corporation’s business planning process were followed for the 2014–15 fiscal year, but we found that branch planning did not take place. Specifically, detailed branch plans were not produced. The absence of branch plans made it difficult to understand how the Corporation prioritized projects and how work at the branches aligned with the Corporate Plan.

72. Identifying and measuring risks and reporting on risks. The Corporation identified key organizational or “corporate” risks and assessed the impact and likelihood of each one. This information, the mitigation measures in place to address each risk, and the remaining residual risks were presented in a Corporate Risk Profile. We found that the Corporation did not determine and document its response to each residual risk. According to good practices, such as those included in the Treasury Board of Canada Secretariat’s Guide to Integrated Risk Management, a response should be selected for each residual risk. Responses include avoiding, accepting, monitoring, reducing, or sharing a risk. If the Corporation determines that a residual risk warrants action (in other words, the Corporation does not accept the risk), specific actions should be taken to deal with the risk.

73. Monitoring mitigating measures. We examined 5 significant risks out of the 16 risks included in the 2013–2014 Corporate Risk Profile and assessed whether the Corporation’s stated mitigation measures were in place. We found that they were in place for 3 of the 5 and that the Corporation adequately monitored these measures. For the other 2 risks examined, we found that some mitigation measures were not in place, and others were either monitored insufficiently or monitored without documentation. As mitigation measures were used to assess residual risks, we encourage the Corporation to ensure that these measures are in place and to properly monitor the measures and document this monitoring.

74. Managing information technology (IT) risks. The Corporate Risk Profile also contained mitigation measures related to IT, notably the Business Continuity Plan, the Emergency Response Plan, and the periodic testing of these two plans. Mitigation measures also included IT Threat and Risk Assessments (TRAs) and Business Impact Analysis. We examined whether these mitigation measures were documented, and we found that the documentation was missing, incomplete, or outdated.

75. In relation to IT TRAs, we found that only two of four key systems examined had an assessment done, that they were outdated, and that no action plans were in place to address the risks identified. Conducting TRAs for key systems is important to identify potential vulnerabilities. Action plans are needed to mitigate, monitor, and report on identified IT risks.

76. ***.

77. Recommendation. The Corporation should

The Corporation’s response. Agreed. The business planning process, the Corporate Risk Profile, and the Business Continuity Plan will be updated, in line with the recommendation, by 31 March 2016 and reviewed periodically. Starting in the 2015–16 fiscal year, the Corporation will ensure that all critical systems are subject to periodic IT Threat and Risk Assessments and that action plans are maintained for each assessment.

The Corporation did not document its performance measurement framework

78. The Corporation identified key performance indicators and targets to measure the achievement of its mandate to deliver screening services effectively, efficiently, consistently across Canada, and in the public interest. The Corporation did not, however, document its performance measurement framework.

79. Our analysis supporting this finding discusses

80. Measuring performance against targets and reporting on results are important in a security environment to ensure that the desired performance is achieved.

81. Our recommendation in this area of examination appears at paragraph 86.

82. Performance measurement framework. The Corporation identified key performance indicators, measures, and associated targets for each aspect of its mandate. We examined 10 of the 31 performance indicators monitored by the Corporation between July 2013 and June 2014, including their associated measures and targets, and found that they were clear, concrete, and measurable. However, we found that the linkages between some indicators and the aspect of the mandate that they intended to measure were not clear.

83. We also found that the Corporation did not document the framework around performance measurement. This documentation would notably include how performance indicators, measures, and targets were established, removed, or changed; the sources of the performance management data; the systems used to collect performance data; and the responsibilities for collecting it. Having this documentation would help the Corporation to assess the adequacy of performance indicators, measures, and targets and the quality of the data used for decision making and accountability reporting.

84. For the 10 performance indicators examined, we found that, overall, the reported results were supported by raw data. However, we found no formal system to ensure that data used for performance reporting was accurate and complete. Instead, the Corporation conducted ad hoc quality reviews and identified some data quality errors through one of those reviews. Reviews are important as they are intended to ensure that information used for decision making and accountability reporting is accurate and complete.

85. Actions taken on performance results. The Corporation used key performance indicators to assess the performance of screening contractors. When these indicators fell below *** percent of target, the Corporation required screening contractors to prepare action plans to improve performance. Although the Corporation followed this practice, we found that contractors did not always implement action plans as intended and did not document reasons for deviating from the plans.

86. Recommendation. The Corporation should document its performance measurement framework. This framework should describe

The framework should also indicate when the Corporation should review the quality of performance information.

The Corporation’s response. Agreed. The Corporation’s performance measurement framework will be documented, in line with the recommendation, by 31 March 2016 and updated periodically.

Procurement and contracting management

Procurement and contracting practices were in place, with some weaknesses

87. Overall, we found that the Corporation had systems and practices in place to exercise effective oversight and due diligence in the structuring, awarding, and approving of contracts, including a clear accountability framework. The Corporation also effectively administered contracts to ensure that third-party service providers complied with contract terms and conditions. We found that the Corporation could improve on some of its procurement and contracting practices.

88. This is important because the Corporation entered into various types of agreements every year and outsourced to third parties significant services such as screening and equipment maintenance.

89. Our analysis supporting this finding discusses

90. Between September 2013 and August 2014, the Corporation had 424 active contracts, of which 77 were issued during that time period. There was a total of 855 purchase orders issued against contracts that were active during that time period, for a total dollar value of $352 million.

91. Our recommendation in this area of examination appears at paragraph 98.

92. Compliance with procurement and contracting policies and procedures. The Corporation developed a Procurement and Contracting Procedures Manual, which contained policies, procedures, guidelines, forms, and templates. The Corporation’s Procurement and Contracting Policy described situations where the Corporation may purchase or lease goods or services without a competitive procurement process.

93. We examined contracts and purchase orders to determine whether the Corporation complied with its contracting policies and procedures and whether documentation of procurement files was complete. We found the following:

94. Oversight of the contracting process. The Senior Management Committee (SMC) was responsible for overseeing procurement and contracting matters. In performing its responsibilities, the SMC needed to be satisfied that contracting policies and processes were followed by the Corporation’s personnel. We found that the SMC fulfilled its responsibilities. However, considering the previous section’s observations about contracts and purchase orders signed after work had started, we encourage the SMC to better oversee this area to minimize such situations.

95. Monitoring of contract implementation. We examined key clauses from seven third-party service providers’ contracts, including screening contracts. For the majority of clauses examined (85 percent for one contract, over 90 percent for five contracts, and 100 percent for the other contract), we found that the Corporation monitored the implementation of these clauses. For the remaining clauses examined, we found that no monitoring was performed and that the rationale for its absence was undocumented. The Corporation could benefit by formalizing its practices to monitor key clauses in outsourced contracts and to document this monitoring.

96. In relation to screening contracts, the Corporation had a Contract Compliance Program to reward screening contractors for meeting selected critical contractual commitments. The Corporation developed regional monitoring plans that detailed how to measure compliance for each commitment. We examined 24 commitments out of the total of 86 included in the November 2013 monitoring plans and found that they were monitored, measured, calculated, approved, and reported as prescribed.

97. When results were unsatisfactory, performance improvement action plans could be leveraged to improve performance. We found that the Corporation set no performance threshold for the trigger of performance improvement action plans from contractors. Instead, the decision to request such plans was left to the discretion of regional management. To ensure that regional management addresses issues of non-compliance consistently, we encourage the Corporation to consider setting trigger thresholds.

98. Recommendation. The Corporation should ensure that its procurement and contracting policies and procedures are followed and that complete documentation is retained in the procurement files.

The Corporation’s response. Agreed. Several initiatives are already underway to ensure that procurement and contracting policies are consistently followed. Management will also refine measures to ensure that complete documentation is retained in the procurement files. These improvements will be completed by 31 March 2016.

Equipment management

The Corporation operationally tested and maintained its screening equipment and planned for its replacement

99. Overall, we found that the Corporation had systems and practices in place to effectively and efficiently manage its screening equipment. The Corporation planned for the replacement of its screening equipment, performed operational testing on screening equipment, and monitored the maintenance it outsourced to third parties.

100. This is important because the Corporation’s screening equipment is critical to delivering its mandate to conduct effective, efficient, and consistent screening that is in the public interest while complying with regulatory requirements set by Transport Canada.

101. Our analysis supporting this finding discusses

102. Transport Canada and the Corporation shared responsibility for the various types of screening equipment that the Corporation used to conduct security screening within designated airports:

103. The Corporation relied on third parties to perform preventative and corrective maintenance and to perform some operational testing of its equipment.

104. We made no recommendations in this area of examination.

105. Equipment replacement plans. We found that the Corporation developed replacement plans for *** percent of its screening equipment and that, for another *** percent, it budgeted for their replacement as part of the 2014–15 five-year capital plan and budget. ***. For the replacement plans that were developed, we found that the Corporation updated them as necessary when changes, such as timelines, occurred and included relevant information such as implementation priorities, timelines, and estimated resources needed.

106. We also found that the Corporation regularly communicated with Transport Canada and screening equipment manufacturers to identify risks and priorities related to screening equipment.

107. Operational testing and maintenance. Operational testing and maintenance requirements were documented in manuals and procedures. We found that various tests were performed on screening equipment by either the Corporation or a third party. Designed to ensure that equipment met performance standards, these tests were conducted before new equipment became operational, once it was operational, and after equipment was repaired and back in service.

108. The Corporation received monthly maintenance reports from third parties. We noted that the Corporation produced and monitored daily outage reports and monthly reports that recorded the availability of screening equipment. We also noted that the Corporation communicated regularly with third-party representatives and met at least monthly with them to discuss, among other things, equipment performance and issues, planning, status and costs of technician training, and key performance indicators.

Project management

There were weaknesses in project management systems and practices

109. Overall, we found that the Corporation had systems and practices in place to plan, organize, and control resources to accomplish project objectives and outcomes. However, while the Corporation established project management processes, they were not always followed, and guidance and a methodology on how to carry out projects were not developed. In addition, project management roles and responsibilities were clear, but the oversight of projects needed strengthening in some areas.

110. This is important because successfully implementing projects often requires rigorous management, a coordinated effort, and significant resources. In particular, joint projects with airport authorities to integrate the Corporation’s screening equipment are typically complex and often cost millions of dollars.

111. Our analysis supporting this finding discusses

112. The Corporation established a Project Management Office (PMO)

113. Our recommendation in this area of examination appears at paragraph 120.

114. Project management processes. The objective of the Corporation’s Project Management Policy was to ensure that appropriate systems, processes, and controls for managing projects were in place. The Corporation also developed a Project Management Framework that defined project management phases and described activities, tasks, roles and responsibilities, deliverables, and processes for each phase.

115. We compared the policy and framework with the Project Management Body of Knowledge (PMBOK®) guide of the Project Management Institute. We found that the policy and framework did not contain a project management methodology and guidance for executing projects. Notably, we found no guidance in the following five areas:

116. We examined three projects out of the ten that were completed in the 2013–14 fiscal year and found that the Corporation partially followed project management processes. Although project managers worked with the PMO to follow the project management framework, we noted areas for improvement. Specifically, we found incomplete risk assessments in project charters (the documents that authorized a project and that contained information such as the project budget, scope, objectives, risks, and milestones). Furthermore, we found that risks and issues were not all documented centrally and were inconsistently identified, prioritized, assigned, and remediated from one project to the next. Finally, for two of three projects, we found that lessons learned and project closures were not conducted.

117. Project management oversight. While the Project Management Policy and Framework set out a structure for managing projects, we found that the Corporation had not designed an effective governance process for project management and oversight. While the framework referred to a process for managing project risk, it did not include the process for communicating risks to the Senior Management Committee (SMC), which was responsible for reviewing project risks. Also, there was no guidance on monitoring project outcomes, specifically on setting performance measures.

118. The absence of guidance on status reporting resulted in the rebaselining of projects in terms of budget, timeline, or scope. This meant that rebaselined projects were reported internally as on budget, on time, and in scope, even though they were under or over budget, outside the timelines, and/or changed in scope. As a result, reporting to senior management did not reflect the true status of a completed project.

119. In addition, we found that the one-page project status report presented to the SMC lacked sufficient details for management to track progress by project. We did find, however, that in two of the three projects examined, change management was well-documented and brought forward to the SMC as required.

120. Recommendation. The Corporation should develop a project management methodology and provide guidance on how to carry out project management activities. It should follow its project management processes and strengthen the oversight of projects in three areas: managing risk, reporting on the status of projects, and monitoring project outcomes.

The Corporation’s response. Agreed. A review of the Corporation’s project management systems and practices was completed in the spring of 2015. The Corporation will implement a redesigned project management process by 31 March 2016.

Corporate governance

The Corporation had in place key elements of good governance, but there was room for improvement in some areas

121. Overall, we found that the Corporation had in place key elements of a well-performing governance framework that meets the expectations of best practices in board stewardship, shareholder relations, and communications with the public. However, we found that there was room for improvement in some areas.

122. This is important because good governance helps ensure that the Corporation can fulfill its mandate and meet the statutory objectives outlined in the Financial Administration Act.

123. Our analysis supporting this finding discusses

124. The Corporation is governed by a Board of Directors (the Board), whose members are appointed by the Governor in Council, on the recommendation of the Minister of Transport. The Board is composed of 11 members (including the chairperson), 2 of whom are nominated by the airline industry and another 2 by the airport industry. Since mid-June 2014, the Board has functioned with three committees: the Strategy Committee; the Audit Committee; and the Governance, Human Resources and Pension Committee.

125. Our recommendation in this area of examination appears at paragraph 127.

126. Corporate governance. We found that the Board had key elements of good governance, but certain improvements could be made. We assessed the strengths and weaknesses against best practices associated with seven key elements of the Corporation’s governance framework (Exhibit 1).

Exhibit 1—Key elements of the Corporation’s governance framework were in place, but weaknesses were identified

Key elements Findings (strengths and weaknesses)

Board profile and roles and responsibilities

Strengths

  • The profile was up to date. It contained roles and responsibilities of the Board of Directors and the core competencies, skills, knowledge, and experience that the Board as a whole should possess.
  • A gap analysis was performed between the profile and the competencies of board members. It showed that the Board had most of the competencies needed.
  • Roles and responsibilities of Board committees were clearly defined in the committees’ terms of reference.
  • Management conducted an annual compliance review to compare the activities of the Board and its committees with their stated roles and responsibilities.

Weakness

  • The Board did not clearly define the role it should play in terms of communicating with the Minister of Transport about vacant board positions.

Corporate succession planning and continuity on the Board

Strengths

  • The distribution of term endings allowed for continuity on the Board.
  • Management developed a succession plan for the executive level and presented it to the Board in March 2014.

Weaknesses

  • Of the current 10 board members, 4 were appointed after the end of the term of the board member they were replacing (ranging from 1 month to 19 months after).
  • One board position had been vacant since March 2014.
  • The succession plan did not identify key positions below the executive level, notably regional management positions.

Values, ethics, and conflict of interest practices

Strengths

  • There was a Code of Ethics, Conduct and Conflict of Interest for employees and management and a Code of Conduct and Ethical Behaviour for board directors. Both codes required annual confirmation of compliance.
  • Board members were required to disclose potential conflict of interest at board and board committees’ meetings, when needed.

Weakness

  • The Board did not get complete information about whether the code for employees was communicated, implemented, and adhered to, or about whether there were exceptions to or violations of the code.

Orientation and training

Strengths

  • New board members were provided key corporate documents and attended orientation sessions. They were also offered training to enhance their competencies and skills.

Weakness

  • The Governance, Human Resources and Pension Committee did not monitor board members’ participation in training courses or conferences.

Assessment

Strengths

  • The Board performed annual self-assessments.
  • The 2012 to 2014 Chief Executive Officer’s (CEO) performance objectives and assessments were sent to the Minister of Transport.

Weakness

  • The Board did not follow up on results obtained from the 2013 board assessment.

Information to the Board

Strength

  • The Board received relevant, timely, reliable, and complete information that it needed to make decisions.

Relationships

Strengths

  • The Board maintained ongoing communication with the Minister of Transport and stakeholders, the Chief Executive Officer, and the senior management team.
  • Reporting relationships were clear between the internal audit group and the Audit Committee.
  • The Audit Committee approved an internal audit plan annually.
  • Management presented Action Plans Status Reports quarterly to the Audit Committee on recommendations included in internal audit reports.

Weakness

  • Management’s Action Plans Status Reports did not provide details on management’s actions to address recommendations included in internal audit reports.

127. Recommendation. The Corporation should identify key positions below the executive level, including regional management and other management positions, and include them in its succession plan.

The Corporation’s response. Agreed. Starting in the 2015–16 fiscal year, key positions below the executive level, including regional management positions, will be identified and included in the succession plan.

Conclusion

128. We concluded that, based on the criteria established, there is reasonable assurance that during the period covered by the examination there were no significant deficiencies in the Canadian Air Transport Security Authority’s systems and practices that we selected for examination. The Corporation has maintained these systems and practices in a manner that provides it with reasonable assurance that its assets are safeguarded and controlled, its resources are managed economically and efficiently, and its operations are carried out effectively.

About the Audit

All of the audit work in this report was conducted in accordance with the standards for assurance engagements set out by the Chartered Professional Accountants of Canada (CPA) in the CPA Canada Handbook—Assurance. While the Office adopts these standards as the minimum requirement for our audits, we also draw upon the standards and practices of other disciplines.

As part of our regular audit process, we obtained management’s confirmation that the findings in this report are factually based.

Objective

Under section 138 of the Financial Administration Act (FAA), federal Crown corporations are subject to a special examination once every 10 years. Special examinations of Crown corporations are a form of performance audit where the scope is set by the FAA.

The Auditor General provides an opinion on the corporation’s systems and practices examined. Special examinations answer the question: Do the Corporation’s systems and practices provide reasonable assurance that assets are safeguarded and controlled, resources are managed economically and efficiently, and operations are carried out effectively?

A significant deficiency is reported when there is a major weakness in the Corporation’s key systems and practices that could prevent it from having reasonable assurance that its assets are safeguarded and controlled, its resources are managed efficiently and economically, and its operations are carried out effectively.

Scope and approach

As part of our examination, we selected and tested samples from populations of items such as contracts, performance events reports, and screening officers, to determine whether systems and practices were in place. Sampling was used to test the operating effectiveness of selected key controls, or to determine whether selected attributes or characteristics of the populations tested were correctly specified and could be relied upon. Sample sizes were sufficient to conclude on the sampled populations, or on the key controls. They were established by assessing the underlying risk for each sampled population. We also interviewed the senior management team, other key members of the Corporation’s personnel, the chairperson of the Board of Directors and the Audit Committee, as well as other members of the Board of Directors. We observed some meetings of the Board of Directors and its committees during the examination period. In addition, we visited some airports where we interviewed the Corporation’s regional personnel, as well as screening contractors’ personnel and representatives of airlines and airports.

Systems and practices examined and criteria

At the start of this special examination, we presented the Corporation’s audit committee with an audit plan that identified the systems and practices, and related criteria, that we considered essential to providing the Corporation with reasonable assurance that its assets are safeguarded and controlled, its resources managed economically and efficiently, and its operations carried out effectively. These are the systems and practices and criteria that we used for our special examination.

These criteria were selected for this examination in consultation with the Corporation. They were based on our experience with performance auditing—in particular with our special examinations of Crown corporations—and on our knowledge of the subject matter. Management reviewed and accepted the suitability of the criteria used in the special examination.

Systems and practices examined Criteria

Screening operations

  • Relationship and communications with the regulator
  • Oversight of implementation of regulations
  • Staffing level planning for screening officers
  • Guidance to screening providers for hiring of screening officers
  • Training and certification program of screening officers and regional management
  • Succession planning for regional management
  • Standard operating procedures
  • CATSA verification testing
  • Transport Canada infiltration testing
  • Monitoring of screening contractors performance program
  • Operations Performance and Oversight Program
  • Threat and risk information analysis and communication procedures
  • Communication with screening contractors and monitoring of labour relations between screening contractors and unions
  • Process to respond to complaints, claims, and enquiries from passengers and non-passengers
  • Relationship with airport authorities
  • Contingency planning and procedures for labour disruptions

The Corporation has systems and practices in place to ensure

  • the delivery of screening services is effective, efficient, consistent across Canada, and in the public interest; and
  • screening services meet regulatory requirements.

Strategic planning, risk management, performance measurement and reporting

  • Corporate planning process
  • Operational and budgetary planning process
  • Risk management framework
  • IT and data security management
  • Corporate performance measurement framework and reporting

The Corporation has

  • clearly defined strategic directions and specific and measurable goals and objectives to achieve its legislative and public policy mandate. Its strategic directions, objectives, and goals take into account government priorities, identified risks, and the need to control and protect its assets and manage its resources economically and efficiently;
  • a risk management framework to support the realization of its mandate, goals, and objectives. It also has systems and practices in place to identify, measure, mitigate, monitor, and report on risks in order to keep them within a level appropriate to the nature of the business; and
  • identified performance indicators to measure the achievement of its mandate and statutory objectives. It also has systems and practices in place to ensure reports provide complete, accurate, timely, and balanced information for decision making and accountability reporting.

Procurement and contracting management

  • Contracting process and management oversight
  • Contract implementation monitoring and oversight

The Corporation has systems and practices in place to exercise effective oversight and due diligence in the

  • structuring, awarding, and approving of contracts, including a clear accountability framework; and
  • administration of contracts to ensure the terms and conditions are met when services are outsourced to a third party.

Equipment management

  • Life cycle planning and implementation
  • Hold-baggage screening recapitalization plan
  • Screening equipment operational testing and maintenance
  • Ongoing communications with Transport Canada
  • Capital and maintenance planning and implementation
  • Identification and monitoring of risks and priorities

The Corporation has systems and practices in place to effectively and efficiently manage its screening equipment.

Project management

  • Project management practices
  • Project management oversight
  • Relationship with airport authorities

The Corporation has systems and practices in place to systematically plan, organize, and control allocated resources to accomplish identified project objectives and outcomes.

Corporate governance

  • Board profile and competencies
  • Board continuity and staggering
  • Roles and responsibilities of the Board and its committees
  • Information provided to the Board
  • Values, ethics, and conflict of interest practices
  • Orientation and training of Board members
  • Relations with management and the shareholder
  • Board and CEO assessments
  • Board oversight
  • Senior management succession planning
  • Strategic direction
  • Internal audit

To maximize its effectiveness, the Corporation has a well-performing corporate governance framework that meets the expectations of best practices in Board stewardship, shareholder relations, and communication with the public.

Period covered by the audit

The special examination covered the systems and practices that were in place between September 2013 and October 2014. However, to gain a more complete understanding of the significant systems and practices, we also examined certain matters that preceded the starting date of the special examination.

Internal audit

In carrying out the special examination, we did not rely on any internal audits.

Audit team

Assistant Auditor General: Maurice Laplante
Principal: Martin Dompierre
Lead Director: Nathalie Chartrand

Joanne Butler
Chantal Desrochers
Audrey Garneau
Yin-Mei Kwok
Isabelle Marsolais
Joanna Murphy
Caroline Viens

List of Recommendations

The following is a list of recommendations found in this report. The number in front of the recommendation indicates the paragraph where it appears in the report. The numbers in parentheses indicate the paragraphs where the topic is discussed.

Screening operations

Recommendation Response

32. The Corporation should revise its practices to ensure that changes to screening procedures are communicated to screening officers. (25–31)

The Corporation’s response. Agreed. Management will improve how procedural changes are communicated to screening officers. The Corporation will leverage and enhance its existing educational toolkit, as well as review the delivery mechanisms, for the maximum benefit of screening officers. The format of the standard operating procedures (SOP) and bulletin release process will be enhanced, and SOP changes will be better complemented by existing and new products (e.g. training curriculum, job aids, shift briefings). In parallel, the Corporation will review the process for monitoring the knowledge saturation levels of screening officers across the national system. These improvements will be completed by 30 June 2016.

49. The Corporation should

  • strengthen its oversight of the Recurrent Learning Program and on-the-job training components of the National Training and Certification Program for screening officers to ensure that each element of the programs is delivered and completed as required, and
  • put in place appropriate controls to ensure that the data included in the Learning Management System is accurate and complete. (33–48)

The Corporation’s response. Agreed. Management will strengthen its oversight of the Recurrent Learning Program and on-the-job training components of the National Training and Certification Program through the national deployment of a new program to oversee screening contractors’ delivery of training. This initiative is underway and will be implemented by 30 September 2015. In addition, the Corporation will proceed with the planned upgrade or replacement of its Learning Management System (LMS) to ensure that appropriate controls exist and that data included in the LMS is accurate and complete. This is underway and will be completed by 31 March 2017.

Strategic planning, risk management, performance measurement and reporting

Recommendation Response

77. The Corporation should

  • follow its branch planning process to prioritize projects and develop branch plans that include timing, accountability, and annual targets for key performance indicators within each branch;
  • determine and document its response for all residual risks identified in its Corporate Risk Profile, aligning actions with the Corporation’s risk tolerance;
  • conduct information technology (IT) Threat and Risk Assessments on all critical systems and maintain action plans for each assessment; and
  • update its Business Continuity Plan including a Business Impact Analysis and a Disaster Recovery Plan. (67–76)

The Corporation’s response. Agreed. The business planning process, the Corporate Risk Profile, and the Business Continuity Plan will be updated, in line with the recommendation, by 31 March 2016 and reviewed periodically. Starting in the 2015–16 fiscal year, the Corporation will ensure that all critical systems are subject to periodic IT Threat and Risk Assessments and that action plans are maintained for each assessment.

86. The Corporation should document its performance measurement framework. This framework should describe

  • how performance indicators, measures, and targets were established, removed, or changed,
  • the sources of performance management data,
  • the systems used to collect performance data,
  • the frequency of and responsibilities for data collection, and
  • the timelines for achieving performance targets.

The framework should also indicate when the Corporation should review the quality of performance information. (78–85)

The Corporation’s response. Agreed. The Corporation’s performance measurement framework will be documented, in line with the recommendation, by 31 March 2016 and updated periodically.

Procurement and contracting management

Recommendation Response

98. The Corporation should ensure that its procurement and contracting policies and procedures are followed and that complete documentation is retained in the procurement files. (92–97)

The Corporation’s response. Agreed. Several initiatives are already underway to ensure that procurement and contracting policies are consistently followed. Management will also refine measures to ensure that complete documentation is retained in the procurement files. These improvements will be completed by 31 March 2016.

Project management

Recommendation Response

120. The Corporation should develop a project management methodology and provide guidance on how to carry out project management activities. It should follow its project management processes and strengthen the oversight of projects in three areas: managing risk, reporting on the status of projects, and monitoring project outcomes. (114–119)

The Corporation’s response. Agreed. A review of the Corporation’s project management systems and practices was completed in the spring of 2015. The Corporation will implement a redesigned project management process by 31 March 2016.

Corporate governance

Recommendation Response

127. The Corporation should identify key positions below the executive level, including regional management and other management positions, and include them in its succession plan. (126)

The Corporation’s response. Agreed. Starting in the 2015–16 fiscal year, key positions below the executive level, including regional management positions, will be identified and included in the succession plan.
