Internal Audit of Conflicts of Interest
Audit Report, June 2021

Contents

  1. Executive Summary
  2. Detailed report Appendix A: Color coding of recommendations
    Appendix B: Relevant audit criteria

Executive summary

1.1 Background

CIHR's mandate, as defined in the Canadian Institutes of Health Research Act, is to create new scientific knowledge and to enable its translation into improved health, more effective health services and products, and a strengthened Canadian health care system. To deliver against this mandate, CIHR relies on active researchers, often CIHR-funded, to participate in its governance, develop its strategic plan, and operate the Institutes. Given that the agency's governance relies on and benefits greatly from the expertise of the research community, potential, perceived, or actual conflicts of interest (COIs) are an inherent part of CIHR's business. As such, in addition to the management of potential, perceived, or actual COIs being a requirement for strong governance, CIHR must manage potential, perceived, or actual COIs actively, effectively, and transparently, to maintain its reputation as an impartial and trustworthy health research funding agency.

1.2 Why this is important

An audit of COI is identified in CIHR's Risk-based Audit Plan (2019-20) as a priority engagement. CIHR's COI management framework has not been audited to date.

Since CIHR must rely on the expertise of stakeholders with potential, perceived, or actual COIs to inform strategic decision making, it is essential to ensure that CIHR has an effective approach to manage these situations, both in fact and appearance. Robust COI management is important because it instills confidence in CIHR's stewardship and decision-making while promoting an environment that is characterized by high ethical standards.

1.3 Objective and scope

The objective of this audit is to provide independent assurance that CIHR's COI framework is designed appropriately and implemented effectively to manage potential, perceived, or actual COIs.

The scope of the audit work encompasses the COI management structures and activities that were in place from April 1, 2018 to December 31, 2019, focussing on senior management (CIHR's President, Vice Presidents, and Associate Vice Presidents), Governing Council (GC) members, and Scientific Directors (SDs). The scope excludes peer review committee members, external partners, and all employees below the Associate Vice-President level.

1.4 Overall audit opinion

The audit concludes that while some structures and practices exist to support COI management for Members and senior management, the governance, case management process, and training require updating and operationalization to ensure effective COI management throughout the organization.

1.5 Key audit findings

The following findings require management's attention:

Governance

  1. Accountability for the agency's COI function is not clearly established. The roles, responsibilities, and authorities of the COI function are poorly understood and underlying policy documents have not been updated to reflect changes to the COI function.
  2. Oversight of COI management is limited. There are no oversight or reporting requirements for COI activities, or review of COI performance against objectives.
  3. COI risk management is incomplete. The COI function has not completed a formal and comprehensive assessment to determine where CIHR's highest COI risks are, or appropriate mitigation activities.

COI management process

  1. The COI management process is informal and incomplete. The COI function lacks a documented management process defining roles, responsibilities, activities, and service standards regarding COIs.
  2. COI case management is not supported by formal tracking and appropriate information management practices. Tracking and follow-up on the resolution of COI issues are unclear with no requirements for the appropriate management of COI information or follow-up.

Training and awareness

  1. CIHR does not have formal COI training. Few have received COI training, and there is a lack of ongoing activities, training materials, or communication on COI management.

Management's response to the audit observations and recommendations can be found in Section 2.8.

1.6 Statement of conformance

The Audit of COIs conforms with the Policy on Internal Audit as supported by the results of the quality assurance and improvement program.

The Internal Audit Unit thanks management and staff for their assistance and cooperation throughout the audit.

John-Patrick Moore
Acting Chief Audit and Evaluation Executive & Director General, Office of Audit and Evaluation
Canadian Institutes of Health Research

Michael J. Strong, MD, FRCPC, FAAN, FCAHS
President
Canadian Institutes of Health Research

Detailed Report

2.1 Background

CIHR's mandate, as defined in the Canadian Institutes of Health Research Act, is to create new scientific knowledge and to enable its translation into improved health, more effective health services and products, and a strengthened Canadian health care system. To deliver against this mandate, CIHR relies on active researchers, often CIHR-funded, to participate in its governance, develop its strategic plan, and operate the Institutes (collectively referred to as "Members" throughout this report). For example, CIHR has

Given that the agency's governance relies on and benefits greatly from the expertise of the research community, potential, perceived, or actual COIs are an inherent part of CIHR's business. As such, in addition to the management of COIs being a requirement for strong governance, CIHR must manage potential, perceived, or actual COIs actively, effectively, and transparently, to maintain its reputation as an impartial and trustworthy health research funding agency.

During the principal scope of the audit, CIHR's Human Resources (HR) Branch was acting as the agency's COI function, managing COI issues for both Members and employees through the application of two separate but complementary COI policies – the Policy for Members and the CIHR COI Policy, respectively.

The Policy for Members defines a COI as,

"A situation in which external interests or engagements of CIHR members compete or conflict with their official responsibilities to CIHR, and could be seen as furthering their interests or the interests of others, or giving an unfair advantage to others in their dealings with CIHR or with the government in general."

The CIHR COI Policy uses a comparable definition:

"[A COI is] a situation in which the employee has private interests that could improperly influence the performance of their official duties and responsibilities."

In recent years, GC and SC have raised concerns regarding the completeness and effectiveness of CIHR's COI framework. In 2019, the Governance Renewal Unit hired the Institute of Governance to complete the report, Conflict of Interest Assessment: Document Review for CIHR's COI regime. While this review identified important improvements to the agency's management of COIs, it was a first step. Additional work was needed to provide management with assurance that CIHR's framework had been appropriately designed and implemented effectively.

2.2 About the audit

This report presents the results of the internal audit of conflicts of interest. The audit was undertaken by the Internal Audit function of CIHR between November 2019 and March 2021 as part of the 2019-2020 Risk-Based Audit Plan as approved by GC. The purpose of the audit was to assess the adequacy of CIHR's COI management framework and effectiveness of activities.

It is important to note that the audit was significantly delayed due to the COVID-19 pandemic. Most of the audit testing was completed by early 2020. As a result, the principal audit work reflects a point in time, consistent with the period under assessment, as defined in the engagement Terms of Reference (April 1, 2018 to December 31, 2019). When the audit resumed in March 2021, a survey of management and Members regarding COI issues was completed and the results were incorporated in this report. The audit acknowledges that during the time in which the audit was delayed, management began taking steps to improve COI governance, based on initial discussions of preliminary audit findings. However, this work is outside the principal scoping period of the engagement and was not considered.

2.3 Significance of the audit

An audit of COI is identified in CIHR's Risk-based Audit Plan (2019-20) as a priority engagement. CIHR's COI management framework has not been audited to date.

Since CIHR must rely on the expertise of stakeholders with potential, perceived, or actual COIs to inform strategic decision making, it is essential to ensure that CIHR has an effective approach to manage these situations, both in fact and appearance. Robust COI management is important because it instills confidence in CIHR's stewardship and decision-making while promoting an environment that is characterized by high ethical standards.

2.4 Audit objective and scope

The objective of this audit is to provide independent assurance that CIHR's COI framework is designed appropriately and implemented effectively to manage potential, perceived, or actual COIs.

The scope of the audit work encompasses the COI management structures and activities that were in place from April 1, 2018 to December 31, 2019. The audit focuses on two groups:

The scope of this audit excludes peer review committee members, external partners, and all employees below the Associate Vice-President level. Institute Advisory Boards (IABs) were initially included in the audit but to expedite reporting the President approved a change in scope that deferred the review of IAB COIs to a subsequent project.

2.5 Audit criteria and methodology

Audit criteria were selected based on a preliminary risk assessment. The sources of criteria include:

Please refer to Appendix B for the detailed audit criteria. The criteria guided the audit fieldwork and formed the basis for the overall audit conclusions.

The audit uses three principle methods to collect and assess the evidence against the audit criteria:

2.6 Findings and recommendations

The following section captures the principal findings and key recommendations from the audit.

Governance

Governance is the combination of processes and structures implemented by management and the Board to inform, direct, manage, and monitor the activities toward the achievement of objectives. In order for governance of COI to be effective, accountabilities must be clear, oversight established, and processes and structures in place to monitor and support achievement of objectives.

Finding 1) Accountability for the agency's COI function is not clearly established. Urgency: High

The audit found accountability for the agency's COI function to be unclear. Results from a COI management survey administered as part of this audit show that a large proportion of management (64%), GC members (50%), and SDs (50%) do not feel the roles, responsibility, and authorities of the COI Officer and the COI Office are clear. Furthermore, the audit found that the lack of clarity may stem from obscurity within CIHR's COI policies. For example, the Policy for Members does not identify who the COI Officer is or where the COI Office resides within the agency. In contrast, the COI Policy for employees (which applies to senior management) identifies the Chief Financial Officer (CFO) as responsible for managing employee COI. However, the CFO position has not managed employee COIs since 2018. Policies governing COI management have not been updated to reflect changes in CIHR's organizational structure.

In the absence of formal accountability, the agency has relied on the Human Resource (HR) Branch to manage the COI function. However, the agency has not conducted a formal assessment to determine whether that is the most appropriate area within the organization to manage the COI function or the level of human and financial resourcing required to maintain a robust COI program.

Impact

A lack of clear accountability has made it difficult for the organization to establish consistent leadership in the COI management space. As a result, deficiencies identified later in the report have gone unaddressed.

Finding 2) Oversight of COI management is limited. Urgency: Moderate

The audit found that oversight has not yet been established for COI management. For example, the agency does not have an oversight committee or body tasked with ensuring it has an effective COI program in place that is appropriately resourced and operating effectively. As a result, there is no monitoring or reporting (i.e., dashboards, key performance indicators rollups, reviews) of performance against plans or objectives (e.g. timeliness for processing cases, time to closing cases, satisfaction) to senior management or any other governing body. Instead, the agency has relied on ad hoc briefings regarding specific COI cases to the COI Officer in place of more structured reporting.

Impact

Limited oversight (monitoring and reporting) reduces the agency's ability to address deficiencies when they arise, making it difficult to ensure COI management is operating effectively and continues to meet the needs of the organization.

Finding 3) COI risk management is incomplete. Urgency: Moderate

The Treasury Board Policy on Conflict of Interest and Post-Employment (Archived) required that COI risks related to the organization's mandate be managed. Similar requirements for the management of risk are stipulated in CIHR's COI Policy and Policy for Members. In order for risks to be appropriately managed, a formal approach needs to be established whereby risks are identified, assessed, mitigated, and monitored. While the audit found that informal risk assessments exist for some COI situations, the agency does not have a comprehensive, CIHR-wide approach for managing COI risks. As such, it is not known which types of COIs are most likely to occur or have the greatest potential impact to the agency, nor which business areas, activities, committees, or positions are at highest risk.

Impact

In the absence of a formal COI risk management approach, CIHR does not have assurance that the COI activities currently in place target areas where the agency is most vulnerable. Furthermore, without a formal approach, management does not have assurance that COI risks are being appropriately mitigated.

Governance recommendations

  1. Management should review the organizational structure and identify a single point of accountability for the agency's COI function. The individual accountable should have sufficient authority to set a direction for the agency's COI function and ensure the function is appropriately resourced and operating effectively to achieve its objectives. Once this has occurred, the single point of accountability should,
    • Update and clarify accountabilities, roles, and responsibilities in CIHR's COI policies;
    • Ensure sufficient human and financial resources are allocated to support the COI function;
    • Develop an operational plan that documents the objectives and priorities of the COI function; and
    • Widely communicate changes to CIHR's COI function to employees, Members, and key agency stakeholders.
  2. Management should establish oversight for COI management, including expectations for monitoring and reporting.
  3. Management should conduct a comprehensive risk assessment to formally identify and assess CIHR's COI risks, and then establish a risk management approach to mitigate areas of vulnerability.

COI management process

A management process describes the steps and tasks required to achieve an objective. A formal and pre-defined COI management process ensures that COIs are processed and monitored in a standard, transparent, and timely manner to ensure results are achieved.

Finding 4) The COI management process is informal and incomplete. Urgency: High

The COI Office conducts a formal annual assessment of Member COI declarations, so that on a yearly basis all Members are prompted to declare, and receive guidance on, their specific COIs. In addition, employees are provided with a briefing and opportunity to declare COIs upon hiring. Both groups may also declare and receive guidance on new COIs that arise at any time. To support these formal requirements, there are a series of practices, managed by a small number of specialists within the COI Office, by which COI issues are recorded, analyzed, and addressed.

Despite good practice around employee and Member declarations, the audit found that the broader COI management process was largely informal and incomplete. For example, the agency does not have a documented end-to-end COI management process that incorporates roles and responsibilities, activities, and steps for COI identification, analysis, resolution, and follow-up. In addition:

As a result of a largely informal and undocumented process, the level of COI understanding is uneven across the agency. While all GC members responding to the COI management survey feel their roles and responsibilities have been clearly defined for them and most (86%) understand the broad COI management process, this is not the case for others within the agency. A much smaller proportion of SDs and management report their roles and responsibilities are clearly defined (37% and 14%, respectively) and the broader COI management process is understood (50% and 14%, respectively).

Impact

Without a formal COI management process, it is difficult to manage COIs in a clear, transparent and consistent manner. Furthermore, inconsistent practices around the management of COIs – particularly those that are sensitive and high risk – could erode confidence in how CIHR manages COIs.

Finding 5) COI case management is not supported by formal tracking and appropriate information management practices. Urgency: Moderate

In order for COI cases to be managed effectively, a process needs to be followed whereby potential, perceived, or actual COI situations are identified, assessed, mitigated, and monitored. While the agency does not have a formal end to end process to prescribe this, the Values and Ethics Code for the Public Service and CIHR's COI policies support these basic expectations.

To establish whether a basic process had been applied to actively manage COI cases, the audit reviewed a judgmental sample of eight COI case files. The review found that while the identification and assessment of COI cases was well documented, there was limited documentation to suggest the COIs had been mitigated and follow-up had occurred to ensure mitigations were applied and working. The results of the file review are consistent with Members' interviews which suggest that COI decisions and follow through have been, at times, unclear.

While these findings may suggest deficiencies in how COI cases are processed, poor information management played a significant role in the results of the file review. CIHR does not have a tracking system to monitor COI cases as they move through the process (e.g., identification, assessment, mitigation, monitoring) and it does not maintain a central repository of key COI case management information (e.g. decisions, approvals). Instead, the agency relies on a mixture of personal and unit e-mail in-boxes, semi-structured network folders, and the corporate memory of individuals.

Impact

Strong information management practices are critical to supporting effective monitoring, planning, and continuous improvement. Deficiencies in information management reduce the agency's ability to track COI cases and make improvements to the broader COI management process over time.

Management recommendations

  1. Management should develop and formalize an end-to-end COI management process which includes roles and responsibilities, key steps, activities, documentation required to be maintained, and service delivery standards.
  2. Management should develop an electronic tracking system for COI cases, ensuring information of business value is maintained in a central repository.

Training and awareness

Training and awareness activities are important to ensure employees and stakeholders understand expectations, responsibilities, and accountabilities. Effective training is often structured, formal, tailored, and provided at various points throughout an individual's career or duration of appointment, including upon hiring/appointment and when new responsibilities are assumed. Ongoing awareness activities help support training by reinforcing key concepts, principles, and messages. Ongoing awareness can also be used to update stakeholders on changes to processes, when improvements are made, and policies and guidance updated.

Finding 6) CIHR does not have formal COI training. Urgency: Moderate

Given the mandates and composition of CIHR's governing bodies, COIs are frequently encountered in the day to day business of the agency, underscoring the importance of effective training in how to manage COIs. In a survey to support the audit,

Despite the prevalence of COIs within the agency's operations, the audit found that COI training to manage these situations is limited. Only a small proportion of respondents to the same survey (28%) report having received any COI training from the agency (GC members, 21%, SDs, 50%, management, 21%). In terms of the training provided, the audit noted that CIHR offers some briefings on COI management that occur as part of the hiring/onboarding process and various materials are available for both Members and employees. However, these training efforts are not part of a broader and more comprehensive COI suite of training to cover,

Furthermore, several respondents to the survey identify the need for greater training supports (e.g. effectively executing their roles and responsibilities, COI case studies, ongoing training beyond what is provided during onboarding, application of COI policies).

Impact

Without effective training, Members and management may not recognize when high risk COI situations arise, or understand how to effectively manage COI situations.

Training and awareness recommendations

  1. Establish comprehensive, needs-based COI management training targeted to Members and management. This should include initial training, ongoing awareness, and tracking of completion.
  2. On a periodic basis, assess COI training to ensure it remains current and effective, and make necessary improvements as required.

2.7 Conclusion

The audit concludes that while some structures and practices exist to support COI management for Members and senior management, the governance, case management process, and training require updating and operationalization to ensure effective COI management throughout the organization.

2.8 Management response to recommendations

Item Recommendation Management response Completion date
1

Management should review the organizational structure and identify a single point of accountability for the agency's COI function. The individual accountable should have sufficient authority to set a direction for the agency's COI function and ensure the function is appropriately resourced and operating effectively to achieve its objectives. Once this has occurred, the single point of accountability should,

  • Update and clarify accountabilities, roles, and responsibilities in CIHR's COI policies;
  • Ensure sufficient human and financial resources are allocated to support the COI function;
  • Develop an operational plan that documents the objectives and priorities of the COI function; and
  • Widely communicate changes to CIHR's COI function to employees, Members, and key agency stakeholders.

Agreed/Disagreed: Agreed

Responsibility: AVP, Corporate / COI Officer

Actions: Official delegation of the COI Officer is being finalized. The delegation will be complete by June, 2021.

CIHR's website will be updated and organizational wide communications will be shared to ensure clarity in core enhancements within the COI function. This will be complete before July, 2021.

An operational plan will be developed to document the objectives and priorities of the COI function. This will be complete by September 2021.

Core internal website updates (e.g., announcing the comprehensive COI structure) to ensure clarity in organizational accountabilities, roles, and responsibilities will be complete by October 2021.

Policy guidance and related process documents will be created and implemented throughout the 21/22 Fiscal Year and more in-depth policy updates will be implemented in alignment with Strategic Planning commitments and added to the operational plan as part of FY 22/23 planning.

There are multiple competing HR and financial priorities within the organization; however, the AVP, Corporate will continue to advocate for human and financial resources in order to ensure support for the COI function. Commitments herein will be impacted by related prioritization decisions.

 Less than 6 months
Urgency: High
2 Management should establish oversight for COI management, including expectations for monitoring and reporting.

Agreed/Disagreed: Agreed

Responsibility: AVP, Corporate / COI Officer

Actions: The COI Officer has implemented quarterly briefings for the President and Executive Vice President to facilitate early expectations of monitoring and reporting. The first meeting was completed in June 2021.

A COI Advisory Committee Terms of Reference will be created in turn permitting determination of membership and implementation. This Advisory Committee will be in place by October 2021.

A proposed COI Governance Structure to support COI management will be drafted and approved by CIHR governance tables. This structure will assure a more immediate capacity for increasing rigor around monitoring and reporting. Proposals for comprehensive COI reporting (i.e., all factors within CIHR's COI Framework) will be created by March 2022.

7 – 12 months
Urgency: Moderate
3 Management should conduct a comprehensive risk assessment to formally identify and assess CIHR's COI risks, and then establish a risk management approach to mitigate areas of vulnerability.

Agreed/Disagreed: Agreed

Responsibility: AVP, Corporate / COI Officer

Actions: There is agreement with the value of a comprehensive risk assessment to formally identify and assess CIHR risks.

With recent audit outcomes and independent reviews, CIHR has an increased understanding of risks.  In turn, assuming continued resource support it is anticipated that a more comprehensive assessment will be completed by November 2021.

7 – 12 months
Urgency: Moderate
4 Management should develop and formalize an end-to-end COI management process which includes roles and responsibilities, key steps, activities, documentation required to be maintained, and service delivery standards.

Agreed/Disagreed: Agreed

Responsibility: COI Officer

Actions: COI processes will be refined, updated and formalized to ensure clarity in an end-to-end COI management process. Building upon existing policies, these processes will be drafted and flow through governance tables by December 2021.		 Less than 6 months
Urgency: High
5 Management should develop an electronic tracking system for COI cases, ensuring information of business value is maintained in a central repository.

Agreed/Disagreed: Agreed

Responsibility: COI Officer & Chief Information Officer

Actions: As outlined below, work with IT will commence by January 2022 in order to determine capacity to prioritize an electronic tracking system. In the interim, existing tracking systems will be enhanced for use in regular monitoring and reporting. Commencing in January 2021, existing logs have been populated and refined within a centralized repository.

Presuming organizational capacity to prioritize an electronic tracking system, a proposed system requirements will be presented to governance tables (as appropriate) by May 2022.

Collaboration with IT will be undertaken to ensure appropriate systems in support of COI monitoring and reporting. This work will commence by January 2022.

 7 – 12 months
Urgency: Moderate
6 Establish comprehensive, needs-based COI management training targeted to Members and management. This should include initial training, ongoing awareness, and tracking of completion.

Agreed/Disagreed: Agreed

Responsibility: COI Officer

Actions: Existing training materials will be refined and augmented in order to establish comprehensive needs-based COI management training for Members and management. This work will commence by February 2022 with intention to finalize prior to April 2022 for implementation thereafter. In the interim, existing training materials will continue to be utilized for training and awareness sessions.		 7 – 12 months
Urgency: Moderate
7 On a periodic basis, assess COI training to ensure it remains current and effective, and make necessary improvements as required.

Agreed/Disagreed: Agreed

Responsibility: COI Officer

Actions: As part of on-going operational COI planning, periodic assessments of training will occur in order to ensure effectiveness, efficiency, and adjust forward training as appropriate.

This work will be conducted through surveys as training and awareness sessions unfold between now and April 2022 and as the COI function evolves, regular assessments will be built in (as feasible) as part of a COI performance management function.		 7 – 12 months
Urgency: Moderate

Appendix A: Color coding of recommendations

It is good practice that all recommendations be cleared within an 18 month window of the approval of an audit report. To that end, the Internal Audit unit uses a color-coded system to assist management with the prioritization of remedial actions.

The color-coding, outlined below, takes into consideration the urgency with which recommendations should be addressed, the complexity of the recommendation and/or the underlying issues or causes for concern, and the level of risk to which the Agency is exposed as a result of the issue identified.

Colour

Suggested timeline for completion

High

Less than 6 months

Moderate

7 – 12 months

Low

13 – 18 months

Appendix B: Relevant audit criteria

The criteria used for assessing the audit objectives were adapted from the following documents:

The following are the key criteria used for the audit report. They have been simplified for reporting purposes.

Criteria

Reference to findings

Line of Inquiry 1: Governance
1.1 A formally defined COI governance and organizational structure, that is commensurate with the risk and priority of COI management, has been established.

Findings 1, 2, and 3
1.2 Appropriate roles, responsibilities, and authorities for COI have been defined and are understood by key stakeholders and management.

Findings 1, 2, and 6

1.3 A formal assessment has been conducted and documented to determine COI risk tolerances and thresholds, along with strategies to ensure that COI risks are mitigated appropriately.

Finding 3

Line of Inquiry 2: Framework and Management

2.1 The values, objectives, and expectations related to COI have been formally documented within the COI Framework and are understood by key stakeholders and management.

Findings 1, 2, and 6

2.2 Policies, procedures and guidelines have been established and provide a clear protocol/process for handling COI situations, including identification, escalation, resolution, and reporting.

Findings 4 and 5

2.3 The COI Office provides clear direction and support to the organization when receiving COI declarations and ad hoc requests.

Findings 4 and 5

2.4 Real or potential COI issues are identified and discussed at the outset of all decision-making meetings.

Finding 4

2.5 Appropriate strategies to manage COIs and mitigate COI risks have been established and implemented.

Findings 3, 4, and 5

2.6 Escalation protocols are in place and working effectively to challenge decisions around COI issues.

Finding 4

Line of Inquiry 3: Awareness and Training

3.1 Adequate communication strategies exist and have been implemented in relation to COI expectations and the broader framework.

Finding 6

3.2 Adequate training exists and has been provided in relation to the COI framework.

Finding 6

Line of Inquiry 4: Monitoring, Oversight and Reporting

4.1 There is an effective monitoring, reporting and oversight mechanism in place to ensure that COIs are being tracked and managed consistently across the organization.

Findings 2, 4, and 5
Date modified: