Audit of the Corporate Risk Mitigation Strategies - April 2025
Internal Audit and Evaluation Division
As recommended by the Departmental Audit Committee, subject to approval by the Director of Public Prosecutions on March 24, 2025.
Approved by the Director of Public Prosecutions on April 24, 2025.
© His Majesty the King in Right of Canada, 2025
Cat. No.: J79-38/2025E-PDF
ISBN: 978-0-660-76652-2
Table of Contents
- Executive Summary
- Observations and Recommendations – Capacity
- Observations and Recommendations – Safety of Staff
- Management Action Plan
- Appendix A - Audit Information
- Appendix B - List of Acronyms/Abbreviations
Executive Summary
Background
The Public Prosecution Service of Canada’s (PPSC) Corporate Risk Profile (CRP) is the result of an exercise to identify potential risks that may hinder the achievement of the organization’s objectives. It outlines mitigation strategies for those risks and describes the formal monitoring and reporting cycles for risk management.
It is vital for the government to strengthen its ability to assess, communicate, and manage risks, thereby building trust and confidence both internally and with the public (Footnote A).
The PPSC has identified key risks and implemented mitigation strategies through its CRP, which is reviewed and updated every two years. While an updated 2024 CRP is in progress, senior management expressed the need for assurance on the effectiveness of the 2020-2022 CRP’s strategies, particularly in relation to safety of staff and capacity.
The Internal Audit and Evaluation Division’s Audit of the Corporate Risk Mitigation Strategies aims to provide this assurance, in alignment with the approved Risk-based audit plan.
Objective
The objective of this audit was to assess whether mitigation strategies identified in the 2020-22 CRP are implemented and effective at mitigating the risks identified.
Audit Conclusion
While mitigation strategies were developed and partially implemented, there is a need to use defined terminology in the expected outcomes. Improved accountability should facilitate timely implementation of the mitigation strategies. Including baseline metrics for measurability would allow for the evaluation of the effectiveness of the mitigation strategies at reducing the risk to a level acceptable to the organization.
While awareness helps employees understand policies and actions related to their security, it does not ensure that policies and tools effectively address the specific risks or that employees will use them. The failure to address agent safety in the mitigation strategy, combined with insufficient tracking and a lack of clarity regarding the mitigation strategy by risk owners, weakened the PPSC’s ability to effectively mitigate the risks.
Recommendation
The Senior Director General, Corporate Services, in collaboration with risk owner(s), should document and implement risk mitigation strategies that are well defined and have measurable baseline metrics, with a risk-based approach to monitoring that ensures accountability in their timely implementation, and allows for the assessment of their effectiveness at reducing the risk to a level acceptable to the organization.
Observations and Recommendations – Capacity
What we expected to find
We expected that the PPSC had implemented risk mitigation strategies to effectively address risks related to capacity.
Findings
The PPSC's 2020-2022 CRP identified insufficient internal capacity as a key risk, citing challenges in timely recruitment and finding candidates with the necessary competencies for current and future needs. Six mitigation strategies were identified to mitigate the risk:
- Review organizational structures to ensure the resources required to deliver on the PPSC’s mandate are in place, allowing work to be allocated to the appropriate group and level.
- Improve forecasting needs through human resources planning and analysis of workforce data including attrition rates, employment equity data, etc. to implement recruitment strategies and succession planning for key management, legal, functional and administrative positions.
- Increase awareness of PPSC through proactive outreach activities (career fairs, public service-wide events, etc.).
- Develop and implement an action plan to address bias and systematic discrimination with the goal of creating and maintaining a diverse and inclusive workplace. The plan will include recruitment and employee development and advancement.
- Conduct an analysis of official languages capacity within the PPSC and develop a departmental strategy and action plan to address gaps.
- Modernize learning and development culture; nurture supervisory and management capacity through the Supervisors’ Network initiative and development programs; and encourage cross-training to increase capacity of specialized roles.
Overall, we found two of the six mitigation strategies were fully implemented, three were partially implemented, and one was not implemented. However, we could not determine whether the strategies were effective due to the following:
- Unclear terminology used in the mitigation statements and lack of baseline metrics made it difficult to determine if the expected results occurred.
- Some implementation activities occurred after the target date of 2020-22, with some as late as 2024.
Without clear accountability through monitoring, mitigation strategies may not be implemented in a timely manner, potentially allowing risks to persist at levels beyond what management is willing to accept.
Conclusion
While mitigation strategies were developed and partially implemented, there is a need to use defined terminology in the strategies and expected outcomes. Improved accountability should facilitate timely implementation of the mitigation strategies. Including baseline metrics for measurability would allow for the evaluation of the effectiveness of the mitigation strategies at reducing the risk to a level acceptable to the organization.
Observations and Recommendations – Safety of Staff
What we expected to find
We expected that the PPSC had implemented risk mitigation strategies to effectively address risks related to safety of staff.
Findings
The PPSC’s 2020-22 CRP identified safety of staff as a key risk, as employees and agents may be exposed to threats and intimidation due to the nature of their work as prosecutors. In response, the following mitigation strategy was developed to mitigate the risk:
- Implement the long-term security awareness strategy aimed at improving the departmental security posture in the areas of physical security, information security, and personnel security.
We did not review elements related to information security as that was outside the scope of this audit due to recent audit work.
Though we found Security Services’ long-term security awareness strategy (Strategy) to be documented through priority one and annex four of their Strategic Security Plan 2021-2024, and implementation of mitigation activities tracked through priority one of their Operational Business Plan 2021-2024, there was a lack of clarity from Security Services as to what constituted the Strategy, attributed partly to the departure of the previous security director.
We found the following concerning the five mitigation activities planned for 2020-22 in the Strategy:
- Security Awareness Week activities were implemented and took place in 2022.
- An increased presence and addition of security content was implemented on iNet (Footnote B), though not on other platforms.
- The Security Awareness A230 training course was made mandatory; however, the audit found only 57% of employees had completion records for it, and this was not tracked or followed up by the risk owner.
- The plan to implement organization-wide security sweeps was still in progress as of November 2024.
- We could not confirm implementation of one activity due to lack of response from the risk owner.
Further, the Strategy did not address agent safety, despite it being included in the 2020-22 CRP risk statement. Each of the mitigation activities noted above was focused on employees only.
Conclusion
While awareness helps employees understand policies and actions related to their security, it does not ensure that policies and tools effectively address the specific risks, or that employees will use them. The failure to address agent safety in the mitigation strategy, combined with insufficient tracking of progress and a lack of clarity regarding the mitigation strategy by risk owners, weakened the Department's ability to effectively mitigate this risk.
Recommendation 1
The Senior Director General, Corporate Services, in collaboration with risk owner(s), should document and implement risk mitigation strategies that are well defined and have measurable baseline metrics, with a risk-based approach to monitoring that ensures accountability in their timely implementation, and allows for the assessment of their effectiveness at reducing the risk to a level acceptable to the organization. (medium)
Management Action Plan
| No. | Recommendation | Risk | Management Action Plan | Office of Primary Interest | Target Date |
|---|---|---|---|---|---|
| 1 | The Senior Director General, Corporate Services, in collaboration with risk owner(s), should document and implement risk mitigation strategies that are well defined and have measurable baseline metrics, with a risk-based approach to monitoring that ensures accountability in their timely implementation and allows for the assessment of their effectiveness at reducing the risk to a level acceptable to the organization. | Medium | Management agrees with this recommendation. For subsequent Corporate Risk exercises, the Strategic Planning and Performance Measurement (SPPM) Unit will gather key risks and mitigation strategies from the risk owners. Risk owners will be required to ensure that mitigation strategies have clearly defined, measurable baseline metrics. A risk-based monitoring plan will be established by SPPM to track implementation progress. Risk owners will be required to reassess risks and compare them with baseline metrics to assess the effectiveness in reducing risk to an acceptable level. Responsibilities and timelines will be assigned to ensure accountability, with regular reviews to adjust strategies as needed. | Senior Director General, Corporate Services | December 2025 |
Appendix A - Audit Information
Statement of Assurance
The audit was conducted in conformance with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing and with the Treasury Board Policy and Directive on Internal Audit as supported by the results of the external quality assurance assessment.
Scope
The audit included Safety of Staff and Capacity risks from the 2020-22 CRP and their related mitigation strategies.
The Internal Audit and Evaluation Division conducted the Audit of Corporate Risk Mitigation Strategies in accordance with the PPSC’s 2024-25 and 2025-26 Risk-based Audit Plan approved by the Director of Public Prosecutions on June 18, 2024. The planning and examination phases of this audit were conducted between October and December 2024.
Methodology
The audit methodology included, but was not limited to:
- Interviews with Security Services and Human Resources’ management.
- Review and analysis of data, documented policies, practices, procedures, and related corporate documents.
Audit Criteria
- Mitigation strategies are implemented and effective to address risks related to Safety of Staff.
- Mitigation strategies are implemented and effective to address risks related to Capacity.
Appendix B - List of Acronyms/Abbreviations
- CRP: Corporate Risk Profile
- PPSC: Public Prosecution Service of Canada
- SPPM: Strategic Planning and Performance Measurement