← HealthArchive.ca
Audit of the Safe Voluntary Isolation Sites Program - Canada.ca
2025-04-18 www.canada.ca/en/public-health/corporate/transparency/corporate-management-reporting/internal-audits/reports/safe-voluntary-isolation-sites-program.html
Independent archive · Not an official government website · Archived content may be outdated
View replayView diffDetailsMetadata JSONCiteReport issueAll snapshots
Audit of the Safe Voluntary Isolation Sites Program - Canada.ca

Language selection

Government of Canada / Gouvernement du Canada

Search

Audit of the Safe Voluntary Isolation Sites Program

Download in PDF format
(286 KB, 12 pages)

Organization: Public Health Agency of Canada

Published: 2025-02-27

Public Health Agency of Canada
Office of Audit and Evaluation
July 2024

Table of contents

Executive summary

Engagement objective

The audit objective was to assess the governance, risk management activities, and management controls in place to support the achievement of the Program's objectives.

Engagement scope

The audit scope focused on the adequacy of the management control framework to support the Program's main activities. This included examining whether the Program's roles, responsibilities, and authorities were defined and implemented effectively, as well as program and recipient risk management controls.

The audit covered activities carried out over the period of September 20, 2020, to March 31, 2023. Activities related to the program close out were excluded. However, it was expected that results of the audit would inform and augment lessons learned being identified by management as part of program close out.

What we found

Overall, the audit found that the Safe Voluntary Isolation Sites Program (SVISP) was delivered in a manner that was generally consistent with the departmental framework for administering grants and contributions agreements (G&Cs), including having clearly defined roles and responsibilities for performing control activities related to contribution payments. In addition, some risk management principles were applied as part of the management of individual agreements and recipients. However, the following improvement opportunities and lessons learned were noted to further strengthen the management of G&Cs:

  • Ensuring a formal program risk management approach is documented to enable the alignment of administrative transfer payment program requirements, specifically the delegation of authorities, with the identified risks to the achievement of program objectives, thus ensuring that program funds are made available to approved recipients in a timely manner.
  • Where costs are variable, controls could be strengthened so that appropriate measures to allow renegotiation are considered in advance of approval and support due diligence file reviews of recipients to ensure that terms and conditions are being respected.

As the Program closed on March 31, 2023, the noted improvement opportunities should be considered as lessons learned by the Agency for the design and delivery of new transfer payment programs, particularly those that are established to address a public health emergency.

Introduction

In September 2020, the Public Health Agency of Canada (PHAC or the Agency) launched the Safe Voluntary Isolation Sites Program (SVISP or the Program) as a time-limited emergency response measure to address COVID-19 public health response. Due to the Infectious Disease Prevention and Control Branch's increased workload as a result of the COVID-19 pandemic, the Health Promotion and Chronic Disease Prevention Branch administered the Program. SVISP addressed the health equity needs of vulnerable populations and aimed to decrease community transmission of COVID-19 by providing accommodations to individuals who were unable to safely isolate in their usual residence. Specifically, the goals of this program were to:

  • Increase the availability and accessibility of voluntary isolation sites;
  • Ensure the safety of individuals making use of voluntary isolation sites; and
  • Support the integration of voluntary isolation sites into relevant COVID-19 prevention and control efforts, as necessary.

SVISP was aimed at individuals from lower-income and densely populated neighborhoods who may have experienced challenges isolating due to factors like crowding and multigenerational living arrangements, and resource constraints. SVISP complemented existing rapid-response tools and augmented the efforts of public health partners to reduce the spread of COVID-19. SVISP provided contribution funding to provincial, territorial, and local governments, regional health authorities, and non-profit organizations to establish sites where people could safely isolate. SVISP approved $141.1M worth of contributions and spent $104.7M before its closure on March 31, 2023.

Management of grants and contributions (G&Cs) agreement programs at the Agency is guided by the Grants and Contributions Standard Operating Procedures (SOP) Database, which was created by the Centre for Grants and Contributions (CGC). The SOP Database is the result of research into various policies, procedures, practices, and guidelines issued by the Treasury Board Secretariat, other government departments (OGD), and PHAC programs in order to establish a standard approach to managing G&Cs programs throughout the Agency. The Agency has a centralized G&Cs model through the CGC. CGC's role is to provide cost-effective and timely G&Cs administration, policy advice, training, systems, standard operating procedures, processes and tools from program design to the close out.

An Audit of SVISP was identified in the Agency's 2022 to 2024 Risk-Based Audit Plan.

Criterion 1 - Program risk management

Context

Effective risk management contributes to improved decision making and provides a mechanism to prioritize resource allocation to areas of greatest risk or opportunity. Risk management is a systematic approach to setting the best course of action under uncertainty by identifying, assessing, understanding, and making decisions, as well as communicating risk issues.

What we expected to find

According to the Treasury Board (TB) Policy on Transfer Payments, transfer payment programs are to be designed, delivered, and managed in a way that achieves program outcomes, contributes to departmental results, and considers risks. Appendix B of the TB Directive on Transfer Payments identifies activities that are to be performed during the design or redesign of a transfer payment program, including the requirement to assess its specific risks, the potential risks associated with applicants and recipients, and the measures that will be used to manage these risks. In light of the requirements of Appendix B of the TB Policy and nature of the program objectives, as in the timely establishment of isolation sites, we expected that a risk management framework for SVISP would be established and used to monitor and manage risks related to achieving the Program's objectives.

Why it matters

SVISP was established as part of the emergency response to the COVID-19 pandemic. As a result, the evaluation of potential recipients, creation of funding agreements, and initiation of program delivery occurred in an accelerated timeframe. Given the importance of identifying and responding to risks, the guidance and supporting tools for the management of program-level risks assist managers in linking implementation decisions, such as using flexible measures to expedite funding delivery, to identified risks.

Key findings

The G&Cs Standard Operating Procedures (SOP) included risk management guidance reflective of the requirements of the TB Policy on Transfer Payments. Further risk management guidance for G&Cs programs is provided through the Health Portfolio's Integrated Risk Management (IRM) Framework for G&Cs. This framework includes guidance on taking structured approaches to manage program, applicant, and recipient risks in an integrated manner, as well as the need to manage risks across the G&Cs life cycle, including design, delivery, and management.

At the agreement and recipient level, the Agency has also implemented an Agreement and Recipient Risk Assessment Tool (ARRAT), which is complemented by a Risk-based Monitoring Strategy. Within the ARRAT, there are several different points where a risk assessment is performed, including at the “assess” stage, which occurs prior to funding agreement approval. The ARRAT results at the “assess” stage inform the recipient monitoring strategy to be deployed for managing the funding agreement.

It was noted that for each of the 23 recipient funding agreements that were reviewed as part of the audit, SVISP used the ARRAT to assess risks related to the agreement and recipient as part of the funding approval and leveraged the results to inform the recipient monitoring strategy for the recipients. This process was consistent with the Agency's SOP guidance.

The requirements of the TB Directive on Transfer Payments provide for accountability, transparency, and effective control in managing transfer payments. The Directive also provides flexibility to adapt the administrative requirements for applicants and recipients based on the risks involved, and allows departments to develop a measured response to risk throughout the management cycle of transfer payments. The formal identification of program-level risks therefore helps to guide all further program decisions. The isolation sites provided through SVISP were one of the rapid response tools used to reduce the spread of COVID-19. Given the nature of the underlying need the Program was addressing, timely delivery of funding to its recipients, such as municipalities and regional public health authorities, needed to be considered against the need to have appropriate controls over the stewardship and allocation of public funds.

While risk management was implemented at the agreement and recipient level, risks specific to the Program and the achievement of the SVISP's objectives were not formally identified or assessed. A formal process is needed to identify risks that could affect the achievement of program objectives, such as the risk of delayed funding allocation to a regional health authority, which could affect the timeliness of setting up safe isolation sites for individuals at risk from COVID-19. This would be consistent with the requirements of Appendix B of the TB Directive on Transfer Payments and would allow for risk-based decision making across the G&Cs life cycle. For example, there is little risk tolerance for delayed funding, so understanding risk events that could delay funding would provide a foundation to inform measures like delegating decision making or streamlining operating procedures, and to rationalize the degree of flexibility applied.

At the program level, it was observed that there was limited operational guidance or tools to support program-level risk assessments. For example, the Enterprise Risk Management (ERM) ARRAT user guide suggested that program-level risks should be assessed and managed through the Program Risk Assessment Tool (PRAT). The PRAT has not yet been developed, and the ERM ARRAT user guide was last updated in January 2015. Without a formal and documented assessment of the risks associated with not achieving program objectives, program managers cannot easily support decisions regarding program implementation such as exercising flexibilities within their delegated authorities, as opposed to simply following published G&C Standard Operating Procedures.

Recommendation #1

The VP of the Chief Financial Officer and Corporate Management Branch should develop operational guidance and associated toolsets to assist program managers with the identification, assessment, and management of G&Cs program-level risks to inform decisions in actions taken throughout the design, delivery, and management of a G&Cs program.

Criterion 2 - Risk-based approach to deliver funding

Context

Transfer payment programs are required to follow a risk-based approach to funding delivery and management. As specified in the TB Directive on Delegation of Spending and Financial Authorities, delegations of spending and financial authorities are to be risk-based while balancing the timely delivery of programs and the empowerment of individuals with departmental controls and individual accountabilities.

What we expected to find

As noted previously, SVISP was one of the Agency's COVID-19 rapid response tools, and as such, the timely establishment of agreements and disbursement of funding to recipients were key to the establishment of safe isolation sites. Accordingly, we expected the roles, responsibilities, and relevant authorities for the management of SVISP to be established and carried out with consideration of risks, while balancing timely delivery of the program and funding.

Why it matters

Using flexibilities consistent with program managers' delegated authorities allows them to establish agreements within delegated authorities, while still considering risks to the Program achieving its objectives.

Key findings

We found that, despite the short timelines within which the SVISP was initiated, the Program was delivered in a manner that was generally consistent with the departmental framework for administering grants and contributions (G&Cs) agreements, including having clearly defined roles and responsibilities for performing control activities related to contribution payments.

We also examined the degree of risk management applied in approving funding agreements, administering the disbursement of funds, and monitoring recipients. While there was no framework for formally identifying, assessing, or documenting program-level risks, the following are examples that highlight efforts taken by SVISP to balance timely program delivery with risk consideration to allow some recipient projects to start sooner and to reduce the administrative burden on some recipients:

  • Some recipients were able to retroactively claim eligible expenditures that were reasonably incurred for their safe isolation site project prior to having a signed funding agreement.
  • Reductions in the documentation that a low-risk recipient was required to submit in support of an expenditure claim.
  • Reporting requirements were reduced for recipient monitoring for some recipients.

The Agency's delegation of authority instrument delegates to branch heads full spending initiation authority for approving transfer payments. However, the G&Cs standard operating procedures have more restrictive approval levels than the delegation instrument. We found that the SVISP followed the more restrictive procedure by going to the President for all approvals. The context of SVISP was to establish the program efficiently, and as we noted above, some flexibilities were used to expedite the SVISP. While requesting Deputy Head approvals instead of branch head approvals does not appear to have affected the timeliness for the fundings approvals, there is a risk that each additional approval step during an emergency could affect the timeliness for releasing funds. Accordingly, a risk-based approach to approving funding amounts and subsequent amendments, such as delegation of authority to managers more actively involved in managing the transfer payment program, may be beneficial for future emergency responses.

Criterion 3 - Control Activities to Administer Funding

Context

The TB Policy and its Directive on Transfer Payments outline requirements to support effective controls in the management of transfer payment programs. Furthermore, the Agency G&Cs SOP provides guidance for administering the funding agreement.

What we expected to find

Given the requirements of the TB Policy and Directive, as well as the Agency G&Cs SOP, the audit team expected that control activities would be in place throughout the life cycle of the recipient agreement.

Why it matters

During the periods where the SVISP agreements were being established and renewed, the projected usage rates at individual isolation sites were challenging to estimate given the unpredictable nature of the pandemic. An expressed concern of recipients was the risk that sufficient space for isolation would not be available when needed. As such, accommodation plans varied amongst recipients, some were able to secure locations that would allow changes to occupancy rates, while others booked blocks of room regardless of projected or actual usage.

Key findings

We noted that controls were in place to receive and assess recipient funding proposals, inform funding approval decisions, administer payments, and receive and monitor required recipient reports, as per the funding agreement. The following is an overview of control activities that were implemented and followed consistently for recipients over the life cycle of the funding agreement:

  • Funding proposals were assessed for eligibility, initially by SVISP staff, then by three independent external reviewers, while the budget was reviewed and approved by the Centre for Grants and Contributions (CGC).
  • Conflict of interest forms were signed by proposal assessment reviewers.
  • Funding approvals (expenditure initiation and commitment authority) were obtained prior to signing the funding agreement (transaction authority) and allocating funds (certification authority and payment authority).
  • Certification authority was provided on each payment and was supported by the documentation required to be provided by the recipient as part of the claim process.
  • The SVISP team performed regular monitoring of recipient reports and followed up on exceptions.

We noted an opportunity to strengthen the funding proposal due diligence procedure on assessing recipient proposals, which is a key control to inform the funding decision process. The purpose of the recipient proposal process is to determine eligibility and assess the recipient, and the proposed project to establish and operate a safe isolation site and to report on required indicators. One project assessment factor included the detailed review of the project budget, and was completed by the CGC. The proposal assessment team had to assess each of the following for each recipient proposal:

  • The total funding requested from PHAC (budget) is appropriate to support the proposed activities and demonstrate value for money.
  • Budget explanations provided are appropriate and clear to assess and support the amount requested in each of the budget categories.

It was noted that limited details were included in the funding request assessment form to support the budget assessment. The detailed budget was considered separately by the CGC. Consideration of factors related to the funding project costing model and cost drivers were not documented, including assessing supporting details on the nature of the costs. This included costs that were variable, such as cost increases proportionate to site use, and fixed, such as minimum charge regardless of usage. There were multiple recipients that followed a fixed price costing model, whereby recipients would incur and subsequently claim reimbursement of costs for accommodation sites, regardless of occupancy rates.

SVISP identified this costing issue through its fiscal prudence initiative in fiscal year 2022-23, and sought to work with recipients to align spending to regional rates of usage. Furthermore, a number of agreements were amended throughout the Program cycle to prevent the lapse of surplus funding.

Strengthening the due diligence of funding request assessments, including more complete and thorough reviews of project costs, while still considering the associated risks, would act as a preventive measure and provide potential value for money benefits.

Lesson learned

To ensure appropriate measures are considered for inclusion in agreements to allow programs to renegotiate funding amounts and make necessary amendments to transfer payment agreements during the life of the project, in instances where project costs are based on variable metrics, such as expected usage, project terms and conditions should be based on addressing the risks to achieving the program objectives documented in the project risk assessment.

Conclusion

Overall, the audit found that SVISP was delivered in a manner that was generally consistent with the departmental framework for administering grants and contributions agreements, with clearly defined roles and responsibilities for performing control activities that were implemented for contribution payments. The audit also found that risk management was applied as part of the management of individual agreements and recipients.

However, opportunities for improvement were noted in the following areas:

  • Ensuring a formal program risk management approach is documented to enable the alignment of administrative transfer payment program requirements, such as delegation of authorities, with the identified risks to the achievement of program objectives, like ensuring that program funds are made available to approved recipients in a timely manner.
  • Appropriate measures should be considered for inclusion in agreements to allow programs to renegotiate funding amounts and make necessary amendments to transfer payment agreements during the life of the project.

Appendix A – About the audit

Audit objective

The objective of the audit was to assess the governance, risk management activities, and management controls in place to support the achievement of the Program's objectives.

Audit scope

The scope of the audit focused on the management control framework in place to support the Program's main activities.

The audit covered activities carried out over the period of September 20, 2020, to March 31, 2023.

The audit scope excludes activities related to the Program closure. However, it is expected that audit results may inform and augment lessons learned identified by management as part of the Program's closure.

Audit approach

The audit was conducted in accordance with the Government of Canada's Policy on Internal Audit, which requires examining sufficient and relevant evidence, and obtaining sufficient information and explanations to provide a reasonable level of assurance in support of the audit conclusion.

The audit approach included, but was not limited to:

  • Interviews with management and with program employees;
  • Review of processes and methodologies, and examination of outputs and other relevant supporting documentation; and,
  • Testing of the processes in place to review funding proposals, to initiate contribution agreements and amendments, and to review of reports.

Statement of conformance

This audit was conducted in conformance with the 2017 International Standards for the Professional Practice of Internal Auditing and is supported by the results of the Office of Audit and Evaluation's Quality Assurance and Improvement Program.

Audit criteria

  • A risk management framework for SVISP has been established and is used to monitor and manage risks related to SVISP's objectives (COSO Principle 6 and Principle 7).
  • Roles, responsibilities, and relevant authorities related to the achievement of SVISP objectives have been adequately defined, communicated, and implemented (COSO Principle 3).
  • Control activities related to the assessment of funding proposals, payment delivery, and program monitoring and reporting are established and operating effectively (COSO Principle 10, Principle 12, Principle 13, Principle 15).

Page details

Date modified: