Introduction

Background

1. Farm Credit Canada (the corporation) is a Crown corporation that operates under the Farm Credit Canada Act.

2. The corporation’s mandate is to “enhance rural Canada” by providing specialized and personalized business and financial services and products to farming operations. The corporation’s customers comprise family farms and small and medium‑sized businesses related to farming. Farmers make up 84% of the corporation’s customers, while 16% are suppliers and processors.

3. Additionally, the corporation received letters from the Minister of Agriculture and Agri‑Food asking it to deliver on priorities, such as

• working to promote and strengthen products and services that facilitate intergenerational transfers and assist young farmers entering the industry
• supporting underrepresented groups in Canadian agriculture, including women and Indigenous agricultural entrepreneurs and producers
• working with and supporting like‑minded organizations to assist Canadian producers with mental health issues

4. The corporation offers loans, provides software and learning programs, and shares knowledge (such as ideas, advice, and resources) to help customers and others involved in the agriculture and agri‑food industry make sound decisions.

5. Farm Credit Canada is a financially self‑sustaining federal Crown corporation. It operates out of 100 offices located primarily in rural communities and has more than 2,100 employees. The corporation’s head office is in Regina. The corporation has a loan portfolio of more than $41 billion, as of March 2021. The corporation’s employee base and its loan portfolio have grown significantly since our last special examination of the corporation in 2012 (Exhibit 1).

6. On 23 March 2020, the corporation received an additional $500 million capital contribution from the Government of Canada to allow for more lending and risk exposure to support the industry during the coronavirus disease (COVID‑19)^{Definition 1} pandemic. This allowed the corporation to offer its customers more flexibility—for example, through longer repayment requirements, reduced interest rates and fees, more interest‑only loans, and an increase to the maximum customer lending limit.

Focus of the audit

7. Our objective for this audit was to determine whether the systems and practices we selected for examination at Farm Credit Canada were providing the corporation with reasonable assurance that its assets were safeguarded and controlled, its resources were managed economically and efficiently, and its operations were carried out effectively, as required by section 138 of the Financial Administration Act.

8. In addition, section 139 (2) of the Financial Administration Act requires that we state an opinion, with respect to the criteria established, on whether there was reasonable assurance that there were no significant deficiencies in the systems and practices we examined. We define and report significant deficiencies when, in our opinion, the corporation could be prevented from having reasonable assurance that its assets are safeguarded and controlled, its resources are managed economically and efficiently, and its operations are carried out effectively.

9. On the basis of our risk assessment, we selected systems and practices in the following areas:

• corporate management practices
• management of operations

The selected systems and practices, and the criteria used to assess them, are found in the exhibits throughout the report.

10. More details about the audit objective, scope, approach, and sources of criteria are in About the Audit at the end of this report.

Findings, Recommendations, and Responses

Corporate management practices

The corporation had good corporate management practices in some areas but needed improvement in others

11. We found that the corporation had good corporate management practices but some improvements were needed. Notably, the board did not perform an annual self‑assessment of its performance, and reporting to the board on certain oversight items was lacking or inaccurate.

12. The analysis supporting this finding discusses the following topics:

• Corporate governance
• Strategic planning
• Corporate risk management

13. The corporation is governed by a Board of Directors composed of 12 members, including the chairperson.

14. The board is supported by the Risk Committee, the Audit Committee, the Corporate Governance Committee, and the Human Resources Committee.

15. The board oversees the corporation, which reports to Parliament through the Minister of Agriculture and Agri‑Food.

16. To achieve its mandate, the corporation sets out strategic objectives in its strategic plan. It also develops performance indicators to measure its progress toward these objectives. Along with the indicators, the corporation uses targets to specify the success levels or goals it must reach to achieve its strategic objectives. For the 2019–20 fiscal year, the corporation identified 6 strategic objectives:

• great customer relationships
• vibrant and successful agriculture industry
• high‑performance culture
• execution excellence
• effective enterprise risk management
• financial strength

17. The corporation is exposed to 4 major categories of risk: strategic, financial, operational, and reputational. Examples of these risks include risks related to business continuity, information technology (IT) security, and cybersecurity. One of the corporation’s key financial risks is lending risk, which includes credit risk, market risk, and liquidity risk. Overall risk tolerances are established and broken down into thresholds and limits, which are assigned to and monitored by the various business areas of the organization.

18. The corporation’s overall assessment of risk determines the amount of capital required to support the corporation’s strategic direction and continue the delivery of its services through all economic cycles, including economic downturns and periods of extended loss. Although not formally regulated, the corporation manages its level of capital according to the Capital Adequacy Requirements Guideline issued by the Office of the Superintendent of Financial Institutions Canada.

19. Our recommendations in this area of examination appear at paragraphs 23, 26, 29, and 32.

20. Analysis. We found a weakness in that the board and its committees did not perform annual self‑assessments of their performance. We also found that the scope and results of a disaster‑recovery exercise were not reported to the board and that the corporation did not follow an evidence‑based process in formulating reports on its compliance with relevant authorities (Exhibit 2).

21. Weakness—Board appointments and competencies. We found that the board and its committees did not perform annual self‑assessments of their performance. The board last analyzed its performance in January 2019.

22. This weakness matters because performance self‑assessment, at both the committee and board levels, allows the board to identify areas for improvement and stay up to date on best practices for board conduct.

23. Recommendation. The board and its committees should regularly perform self‑assessments of their performance.

The corporation’s response. Agreed. The board’s intention was to conduct a board and committee evaluation when the new board chairperson had been in her role for 1 year (the appointment occurred in April 2020) and once all 3 outstanding director positions had been filled (this occurred in May 2021). Management will support a board and committee self‑assessment by 30 June 2022. Management will recommend that the Corporate Governance Committee Charter be enhanced to require a specific cadence for this assessment on an ongoing basis.

24. Weaknesses—Board oversight. In keeping with its business continuity management policy and plan, the corporation regularly undertook a disaster‑recovery exercise that involved key IT systems and infrastructure. We found that the scope and results of the most recent exercise were reported to the Chief Information Officer but not to the board. This was despite the fact that the corporation had identified information security (including the compromising of critical information) as a key risk area for the 2020–21 fiscal year. As an organization that relies on several IT systems to process and approve loans, provide customers with loan disbursements when needed, and store sensitive customer data, the corporation needs to be able to recover information and quickly resume operations if a disaster occurs.

25. This weakness matters because without this information, the board cannot exercise its oversight over a key risk mitigation measure, that the corporation be able to restart and recover its information in the event of a disaster.

26. Recommendation. The board should request that management communicate the objective, scope, and results of its risk mitigation measures related to business continuity management on a timely basis.

The corporation’s response. Agreed. The board identified the need for an independent advisor to assist with oversight of technology and information risk in February 2021. Following a competitive process, an advisor was selected and the advisor’s contract was finalized in June 2021.

In October 2021, management provided, to the Risk Committee of the Board of Directors and the board’s advisor, its summary report on information and technology risk, including processes for incident response and disaster recovery related to business continuity scenarios for unavailable systems. By 31 December 2021, management will share outcomes of past disaster‑recovery exercises with the committee.

The objectives and scope of the overall business continuity program and ongoing results of its business continuity management risk mitigation will be shared with the board by 15 December 2022.

27. We also found that the corporation lacked a rigorous process for formulating reports that were meant to provide assurance to the board that the corporation complied with relevant federal, provincial, and territorial laws and regulations. The board requires this assurance to fully exercise its oversight in this area. The corporation had a process for compiling an inventory of the laws and regulations that it needed to comply with. Those laws and regulations were operationalized in the corporation’s various business areas through policies and procedures. The corporation had also established an attestation process to confirm compliance with the applicable laws and regulations. Management requested confirmation from senior officers responsible for the corporation’s various business lines that they were not aware of any non‑compliance with such authorities. However, this confirmation was based on the senior officers’ self‑assessments, rather than on testing or documented evidence.

28. This weakness matters because to fully exercise its oversight role, the board requires reporting that is supported by rigorous testing and documented evidence for assessing compliance with authorities. Such a process would validate compliance and improve the rigour of the attestation process.

29. Recommendation. The corporation’s assessment process for ensuring compliance with authorities should be supported by rigorous testing and documented evidence.

The corporation’s response. Agreed. A corporate initiative to strengthen regulatory compliance management was initiated in January 2020 and reporting to the Audit Committee will commence in 2022. The program will enhance the corporation’s practices for ensuring compliance with federal laws, regulations, and Treasury Board instruments. It will also support the regulatory compliance assessment provided to the Audit Committee with formal control testing results and documented evidence. The program will be implemented by 31 March 2023.

30. Furthermore, we found that in its inventory of applicable laws and regulations, the corporation noted that the Canadian Environmental Assessment Act had been repealed and replaced by the Impact Assessment Act on 28 August 2019. However, the corporation had not yet operationalized the Impact Assessment Act in its business areas, as the corporation had not yet completed a full analysis of the effect of the new act on its policies and procedures. Before issuing loans, the corporation would perform environmental assessments in keeping with its Environmental Risk Management Policy and its procedures and assessment documents, which had not been updated to reflect the requirements of the new act.

31. This weakness matters because if the corporation does not update its environmental policies and procedures to incorporate the requirements of the Impact Assessment Act, it cannot fully assess its compliance with this act. In its compliance reports to the board, the corporation did not indicate that the assessments had not been performed against the most recent legislation.

32. Recommendation. The corporation should analyze the Impact Assessment Act and update its policies and procedures accordingly.

The corporation’s response. Agreed. The corporation has analyzed the regulatory requirements of the Impact Assessment Act. Management’s policy and legal attestation process have been updated to reflect the act. Aspects of the act have been embedded within the corporation’s established Environmental Risk Management Policy. Policy, procedures, and support material have been updated and implemented, including training, for Canadian domiciled projects, effective 27 September 2021. Application of compliance requirements for international projects, including training, will be implemented by 30 April 2022.

33. Analysis. We found that the corporation had good practices for strategic planning (Exhibit 3).

34. Analysis. We found that the corporation had good practices for corporate risk management (Exhibit 4).

Management of operations

The corporation had good practices for managing its operations, but some improvements were needed in cybersecurity and IT security

35. We found that the corporation had good operational practices, including operational planning, performance monitoring and reporting, and managing operations. However, improvements were needed in cybersecurity and information technology (IT) security.

36. The analysis supporting this finding discusses the following topics:

• Operations
• IT security

37. The corporation’s main business is to provide financing to the agriculture and agri‑food industry. It provides loans to primary producers (those that produce raw commodities such as grain, oilseeds, cattle, dairy, hogs, fish and other aquaculture products, fruit, and vegetables) and to the agribusiness and agri‑food sectors (suppliers or processors, such as equipment manufacturers, dealers, or wholesalers, that serve primary producers). The corporation has several loan products available to respond to the needs of the industry. Loan products are also targeted to specific groups, such as younger farmers, women in agriculture, and Indigenous farmers or organizations.

38. The corporation is highly dependent on IT. IT security, including cybersecurity, is a key service area within the corporation, as it provides online services to customers (for example, online credit risk adjudication of loans) and manages a large amount of financial data. The corporation also offers agriculture and accounting software solutions to its customers. As the corporation changes its technology to improve services, increase automation, and provide remote access, IT and cybersecurity risks also increase.

39. The corporation has offices across Canada, to be close to the customers it serves. Moreover, as a result of the COVID‑19 pandemic, the corporation’s workforce had to shift to working remotely and in the 2020–21 fiscal year, the corporation experienced a surge in phishing attempts, underscoring the importance of its cybersecurity program and controls.

40. Our examination covered lending operations, as well as IT security and cybersecurity. The corporation also has a marketing division that develops new lending products and develops and delivers knowledge and software offerings to its customers. For the operational planning criteria below, we have examined marketing programs in addition to lending.

41. Our recommendations in this area of examination appear at paragraphs 47 and 50.

42. Analysis. We found that the corporation had good practices in operational planning, operational plan implementation, and performance monitoring and reporting (Exhibit 5).

43. Analysis. We found that the corporation did not have a comprehensive cybersecurity awareness and training program and that it had not thoroughly assessed its exposure to the IT security and privacy risks posed by its third‑party contracts (Exhibit 6).

44. Weakness—Cybersecurity. We found that the corporation did not have a comprehensive cybersecurity awareness and training program. Nor did it have a formal curriculum for cybersecurity training. There were mandatory cybersecurity training courses for new employees, but the training content was limited to acceptable use of the corporation’s devices and software and protecting IT assets. A cybersecurity curriculum that includes training for all employees—covering examples of phishing attacks and other types of social engineering and malware, as well as what various cyber‑threats could look like—would better inform employees of cyber‑risks.

45. The corporation had performed some cybersecurity exercises and issued communications related to cybersecurity awareness. However, no overall plan specified the nature and frequency of these activities. A comprehensive and up‑to‑date cybersecurity awareness program would include training and communication, as well as monitoring and assessment. It would also include the timing and frequency of these activities and would reflect current threats and response plans for such threats.

46. This weakness matters because the corporation had identified cybersecurity breaches as a key risk area. Awareness programs and training can help employees recognize and react to cyber‑threats and events, reducing the chance that attempts to access the corporation’s systems and information would be successful.

47. Recommendation. The corporation should establish a comprehensive cybersecurity awareness and training program for all employees.

The corporation’s response. Agreed. Following the end of the examination period, management has reviewed the existing cybersecurity awareness and training program. Prioritized implementation of comprehensive enhancements are in progress with full completion by 30 September 2022.

48. Weakness—IT security. The corporation conducted IT security and privacy risk assessments of third parties when onboarding vendors. It also updated the assessments for key vendors through monitoring of controls assurance reports that covered security and privacy risks. It had also recently begun systematically adding provisions covering notification and reporting of third‑party security and privacy breaches for new contracts and those being renewed. We found that the corporation had started to assess some older contracts that were still in force, to determine whether they contained provisions covering notification and reporting of third‑party security and privacy breaches, but this process did not include all contracts.

49. This weakness matters because the corporation could be exposed to IT security and privacy risks for third‑party contracts that did not at their inception require the reporting and communication of IT security and privacy breaches. If the corporation is not able to respond quickly to a security or privacy breach, systems could become unavailable, data could be corrupted, and sensitive information could be lost or stolen. There is also a potential for fraud to occur. Awareness of any such breaches resulting from existing third‑party contracts would allow the corporation to respond accordingly.

50. Recommendation. The corporation should assess all contracts still in force with third parties to determine its exposure to IT security and privacy risks through contracts that might not contain clauses related to reporting and communication of IT security and privacy breaches, and implement mitigation measures as required.

The corporation’s response. Agreed. A corporate initiative to strengthen third‑party risk management was initiated in 2020. The program will enhance the corporation’s practices for ensuring that IT security and privacy risks are understood and mitigated as appropriate with all third parties. As part of this work, management will assess all third‑party contracts for the existence of IT security and privacy clauses by 31 March 2022. In accordance with the risk stratification of the arrangement, for those lacking a clause, the corporation will establish mitigation tactics as required, by 31 December 2022.

Conclusion

51. In our opinion, on the basis of the criteria established, there was reasonable assurance that there were no significant deficiencies in the corporation’s systems and practices we examined. We concluded that Farm Credit Canada maintained its systems and practices during the period covered by the audit in a manner that provided the reasonable assurance required under section 138 of the Financial Administration Act.