Audit of Accounting Officer Responsibilities, Including Risk Management

Final Report
February 11, 2014

[PDF 98 KB]


Table of Contents

  1. Executive Summary
  2. Statement of Conformance
  3. 1.0 Introduction
    1. 1.1 Authority
    2. 1.2 Objective
    3. 1.3 Scope
    4. 1.4 Background
    5. 1.5 Audit Approach and Methodology
    6. 1.6 Audit Risk Assessment
    7. 1.7 Audit Criteria
  4. 2.0 Audit Findings
    1. 2.1 Complying With Government Policies and Procedures
    2. 2.2 Maintaining an Effective System of Internal Controls
    3. 2.3 Preparation and Signing of the Public Accounts
    4. 2.4 Accountability For Duties Under the FAA and other Acts
    5. 2.5 Risk Management - A Subset of Accounting Officer Responsibilities
  5. 3.0 Conclusion
  6. 4.0 Audit Recommendation
  7. 5.0 Management Response and Action Plan
  8. Appendix A – Detailed Audit Criteria

Executive Summary

Objective

The objective of this internal audit was to assess the adequacy of departmental mechanisms in place to support the Clerk in discharging his responsibilities as Privy Council Office’s (PCO) Accounting Officer, including those mechanisms designed to ensure effective risk management.

Scope

The audit examined PCO’s framework of mechanisms, procedures, and processes for managing the Clerk’s Accounting Officer responsibilities and the department’s risk management framework. The audit’s scope included consideration of all relevant personnel, organizations, systems and technology designed and used by PCO for:

  • the environmental scanning of external authorities (i.e. laws, regulations, policies and directives) that PCO must adhere to and follow;
  • supporting the Clerk’s signing of the Public Accounts management representation letters (e.g. documenting, assessing, validating, and certifying the effectiveness of PCO’s system of internal controls); and
  • ensuring effective risk management practices are in place. 

Conclusion

Government departments operate in a dynamic environment. Deputy heads must be confident their departments have robust governance and internal control infrastructures in place to manage operations and risks. As Accounting Officers, deputy heads must also be confident these infrastructures are regularly reviewed and updated to remain current, and that they are adaptable to changes that invoke risks to achieving departmental objectives.

Since 2006 when Accounting Officer responsibilities were first presented in the Financial Administration Act (FAA), PCO has been progressively evolving and documenting its governance structures, its risk management activities, and its framework of management controls. Each is considered a key component of the overall infrastructure that helps PCO support the Clerk with his Accounting Officer responsibilities. Key improvements to PCO’s control environment include the documenting of controls in 2010 in the PCO Management Control Framework (MCF) followed by updates in 2011 and 2012, the April 2012 issuance of PCO’s Code on Values and Ethics, and the implementation of PCO’s first Statement of Management Responsibility Including Internal Controls over Financial Reporting covering the 2012-2013 fiscal year.

While the MCF articulates PCO’s control environment, no document can substitute or replace an active and engaged management team. The daily meeting of PCO’s Operations Committee chaired by the Clerk and attended by all senior executives is a key strength of the department’s governance structure that complements the MCF and PCO’s risk management activities. Any known or discovered issues that could affect the department can be raised, discussed, assessed and managed at Operations Committee.

When taken as a whole, the combination of PCO’s risk management activities, its MCF, and its formal governance structures including the daily meetings of the Clerk with his executive team at Operations Committee, along with both Central Agency oversight provided through the annual Management Accountability Framework (MAF) assessment process and the information obtained from internal and external audits, are seen to be an adequate set of mechanisms for supporting the Clerk with his Accounting Officer responsibilities. Collectively, these elements are seen to reduce any associated residual risks to discharging of the Clerk’s Accounting Officer responsibilities to a low overall level. However, given that management is relying on the internal controls presented in the MCF as a key support for the Clerk’s Accounting Officer responsibilities, there is a need to ensure controls are periodically reviewed, tested and reported on, and the MCF document itself is periodically reviewed and updated.

Summary of Findings

The audit findings are detailed in the body of the report. In summary, the main findings are as follows:

  • Since 2006 when Accounting Officer responsibilities were first presented in the FAA, PCO has been progressively evolving and documenting its governance structures and its management control framework, each of which is a key component in the overall PCO infrastructure that is in place to help managers manage PCO operations and activities and by extension the Clerk’s Accounting Officer responsibilities.
  • The Clerk has assigned primary responsibility for managing and monitoring his four Accounting Officer responsibilities to the Assistant Deputy Minister (ADM), Corporate Services Branch (CSB). The ADM CSB is also PCO’s Chief Financial Officer, and as such is responsible for establishing and maintaining a system of internal control related to financial management, including financial reporting. The Clerk also relies on all of his other senior executives to manage their areas of responsibility with appropriate due diligence.
  • Under FAA section 16.4(1)(a) the Clerk is accountable for measures taken to organize the resources of the department to deliver departmental programs in compliance with government policies and procedures. Under FAA section 16.4(1)(d) the Clerk is also accountable for the performance of other specific duties assigned to him by or under the FAA or any other Act in relation to the administration of the department. These legal and policy authorities can be categorized as financially and non-financially based. PCO’s Chief Financial Officer has established and implemented a robust system of financial management controls that appears right sized for the organization and that includes a formal compliance monitoring program for financially based government policies. Regarding non-financially based government policies, PCO had established and was using a risk-based Accounting Officer self-assessment tool to assess compliance with select “high risk” policies; due to issues noted in this report, management moved to a stronger system which includes the PCO governance structures and centralized management processes, its documented management control framework and its risk management activities, and PCO’s engaged executive team as the key tools supporting the Clerk’s Accounting Officer responsibilities. However, to fully support this multifaceted approach, PCO’s Management Control Framework document, which has not been revisited since June 2012, is now in need of updating.
  • Under FAA section 16.4(1)(b), the Clerk is accountable for measures taken by PCO to maintain an effective system of internal controls. As above, the combination of PCO’s governance structures, risk management activities and internal control elements are, when taken as a whole and combined with PCO’s engaged executive team, considered to be an effective overall system of internal controls within PCO.
  • Under FAA section 16.4(1)(c) the Clerk is accountable for the signing of the accounts that are required to be kept for the preparation of the Public Accounts, pursuant to section 64 of the FAA. The system of processes and controls established by the Chief Financial Officer and used by PCO when preparing the department’s annual Public Accounts and Financial Statements are appropriate and well documented and are adequately supporting the Clerk with this Accounting Officer responsibility.
  • Risk management at PCO improved in 2011 when PCO implemented its Integrated Risk Management Framework (IRMF) which describes a consistent and comprehensive organization-wide approach to risk management that is now integrated with PCO’s annual business planning process. The IRMF’s key tool is the PCO Risk Profile - it provides senior management with good quality information on operational, environmental and strategic risks that could adversely affect PCO, and it is formally cleared through PCO’s governance committees up to approval at PCO’s Executive Committee. Although the Risk Profile’s focus is mainly on corporate risks, given the combined impact of risk management now being integrated with corporate planning and being managed through the Risk Profile and as necessary through management interactions at the Clerk’s daily Operations Committee, any residual risk to the Clerk’s Accounting Officer responsibilities existing outside the reach of this multi-pronged departmental approach to risk management is considered to be at a low overall level.

Recommendation

The audit findings and conclusion have resulted in the following audit recommendation:

    Recommendation
    To ensure PCO is effectively supporting the Clerk’s Accounting Officer responsibilities, the Assistant Deputy Minister, Corporate Services Branch, with the involvement of the PCO executive team, should periodically: review, test and report on the adequacy of the department’s key controls at supporting the Clerk with his Accounting Officer responsibilities; and review and update the PCO Management Control Framework document.

Management Response

Management accepts this report and will oversee the implementation of its recommendation.

Statement of Conformance

In my professional judgment as Chief Audit Executive, this audit conforms with the Internal Audit Standards for the Government of Canada, as supported by the results of PCO’s quality assurance and improvement program.

Original signed by

Signature of Chief Audit Executive

Jim Hamer

1.0 Introduction

1.1 Authority

The internal Audit of Accounting Officer Responsibilities, Including Risk Management was approved by the Clerk as part of the Privy Council Office (PCO) 2011-2012 to 2013-2014 Risk-Based Audit Plan. 

1.2 Objective

The objective of this internal audit was to assess the adequacy of departmental mechanisms in place to support the Clerk in discharging his responsibilities as PCO’s Accounting Officer, including those mechanisms designed to ensure effective risk management.

1.3 Scope

The audit examined PCO’s framework of mechanisms, procedures, and processes for managing the Clerk’s Accounting Officer responsibilities and the department’s risk management framework. The audit’s scope included consideration of all relevant personnel, organizations, systems and technology designed and used by PCO for:

  • the environmental scanning of external authorities (i.e. laws, regulations, policies and directives) that PCO must adhere to and follow;
  • supporting the Clerk’s signing of the Public Accounts management representation letters (i.e. documenting, assessing, validating, and certifying the effectiveness of PCO’s system of internal controls); and
  • ensuring effective risk management practices are in place. 

1.4 Background

The Accounting Officer concept was introduced in 2006 through an amendment to the Financial Administration Act (FAA). Since then, additional information and guidance on the Accounting Officer role and responsibilities has been presented in various government documents.

Deputy heads are their department’s designated Accounting Officers under section 16.3 of the FAA and have a legal obligation, within the framework of their ministers’ responsibilities and accountability to parliament, to appear before committees of the Senate or the House of Commons and answer questions relating to the carrying out of the responsibilities and the performance of the duties outlined in section 16.4(1) of the FAA (reproduced below).

1.4.1 Legal Basis of Accounting Officer Responsibilities

Under section 16.4(1) of the FAA, the Clerk, as Deputy Head of PCO and the department’s designated Accounting Officer, is accountable before the appropriate committees of the Senate and the House of Commons for:

  1. The measures taken to organize the resources of the department to deliver departmental programs1 in compliance with government policies and procedures;
  2. The measures taken to maintain an effective system of internal controls in the department;
  3. The signing of the accounts that are required to be kept for the preparation of the Public Accounts, pursuant to section 64; and
  4. The performance of other specific duties assigned to him by or under the FAA or any other Act in relation to the administration of the department.

1.4.2 Treasury Board Policy: Elaborating on Accounting Officer Responsibilities

Treasury Board (TB) elaborates on each of the four Accounting Officer responsibilities through a number of its frameworks, policies and other instruments.

With respect to “measures taken to organize the resources of the department to deliver departmental programs in compliance with government policies and procedures”, the Accounting Officer’s responsibilities are elaborated in the TB Framework for the Management of Compliance, which requires that deputy heads monitor and manage compliance with legal and TB policy requirements within their institutions, and that they establish a robust and transparent environment of internal controls and sound management practices within their departments.

With respect to “measures taken to maintain an effective system of internal controls”, deputy heads are responsible under the TB Policy on Internal Control to establish, maintain, monitor and review a departmental internal control system to mitigate risks relating to (i) the effectiveness and efficiency of programs, operations and resource management, including safeguarding of assets; (ii) the reliability of financial reporting; and (iii) compliance with legislation, regulations, policies and delegated authorities. This Policy also implicates all senior managers who support their deputy heads - within the context of the Accounting Officer’s responsibilities, the policy notes that Chief Financial Officers support deputy heads by establishing and maintaining a system of internal control related to financial management, including financial reporting, while other senior managers establish and maintain a system of internal control for their areas of responsibility and within the departmental system of internal control.

With respect to “the signing of the accounts that are required to be kept for the preparation of the Public Accounts”, the TB Policy on Internal Control requires deputy heads and their Chief Financial Officers to co-sign an annual Statement of Management Responsibility Including Internal Control over Financial Reporting2. This Statement acknowledges the responsibility of management to: ensure the maintenance of an effective departmental system of internal control over financial reporting; and, to conduct an annual risk based assessment of this internal control system over financial reporting to determine its ongoing effectiveness.

With respect to “the performance of other specific duties assigned to a deputy head by or under the FAA or any other Act in relation to the administration of a department”, the TB Framework for the Management of Compliance notes that deputy heads are responsible for, amongst other things, monitoring and managing compliance with legal and TB policy requirements in their institutions.

1.4.3 Risk Management – A Subset of Accounting Officer Responsibilities

Although not specifically mentioned in the FAA as an Accounting Officer responsibility, a department’s risk management framework is considered to be an integral part of its system of internal controls. The TB Policy on Internal Control highlights this connection by noting that deputy heads must be satisfied that internal controls are regularly reviewed in the context of risk and are balanced against and proportional to the risks they are intended to mitigate.

This deputy head responsibility dovetails with the TB Framework for the Management of Risk which provides guiding principles to deputy heads on the implementation of effective risk management practices at all levels of their organizations in support of strategic priority setting, resource allocation, informed decision making, risk tolerance, and improved results.

The Clerk’s responsibilities, as laid out in the TB Framework for the Management of Risk, include: ensuring risk management principles and practices are understood and integrated into PCO’s activities; creating a learning environment to promote continuous improvement in risk management competencies and capacity; ensuring issues affecting the organization’s risk management approach are examined, reviewed and addressed effectively; and monitoring departmental risk management practices.

1.4.4 The Accounting Officer Role - Longstanding Practices

While the FAA was updated in 2006 to include Accounting Officer responsibilities, these responsibilities were a part of management’s responsibilities prior to that time. In PCO’s 2007 document entitled Accounting Officers: Guidance on Roles, Responsibilities and Appearances Before Parliamentary Committees, an interpretation of the FAA’s Accounting Officer responsibilities notes that:

“The accounting officer provisions in the FAA codify long-standing practice whereby deputy ministers appear before parliamentary committees to provide information and explanations regarding matters of departmental management and thereby support the accountability of their Ministers for these matters.”

This document goes on to explain that:

“Section 16.4 of the FAA does not create new management responsibilities. Deputies have long had the responsibilities listed in section 16.4, as a result of delegation, Treasury Board policies or other legal provisions. The four areas are listed in section 16.4 in order to establish the field of questions concerning which accounting officers have a legal obligation to appear and answer questions.”

1.4.5 Key Tools Supporting Accounting Officer Requirements

In light of the significant number of Accounting Officer requirements outlined in legislation, regulations, policies and delegated authorities, deputy heads must have reliable mechanisms in place within their departments from which they can obtain information and draw confidence that their department is adequately managing both its business affairs and their Accounting Officer responsibilities. Two key mechanisms supporting the management of PCO operations and the Clerk’s Accounting Officer responsibilities are the department’s: (i) governance structures and processes; and (ii) management control framework.

1.5 Audit Approach and Methodology

This audit was conducted in three phases: Planning, Examination, and Reporting. The Planning Phase consisted of a review and analysis of relevant documents, interviews with key management and operational personnel, and an initial analysis of risks from an audit perspective applied within the audit’s scope and objective. The Examination Phase consisted of a detailed review of areas identified during the Planning Phase, and concluded with audit findings being validated with management. The Reporting Phase involved the preparation and clearance of the Audit Report to formally communicate the audit’s findings, conclusions and recommendations.

The clearance process was extended when it became clear that the examination phase had, as explained in the Audit Findings section of this report, taken place just prior to a major shift in PCO’s approach, and that the audit would be more useful if it considered these changes and took account of them in its recommendations. Moreover, it also became clear that additional research was needed to address a question of interpretation concerning Accounting Officer related terminology in the FAA and a subsequent resourcing issue occurred which impacted on reporting efforts. In the interim, management proactively implemented measures to address emerging policy requirements and in the process improved PCO’s control structures and reinforced PCO’s support for the Clerk’s Accounting Officer responsibilities.

1.6 Audit Risk Assessment

During audit planning, the team conducted a risk assessment from an audit perspective and identified the following risks:

  • PCO could have incomplete awareness of the applicable external authorities and consequently ineffective monitoring of its compliance to these authorities.
  • The Clerk may not receive sufficient, complete, timely and accurate information with respect to the managing of his Accounting Officer responsibilities.
  • The internal control system may not identify significant weaknesses or include controls to mitigate risks identified in the PCO Risk Profile3, which, if not addressed, could impact PCO’s ability to effectively manage the Clerk’s Accounting Officer responsibilities.
  • PCO may not identify all risks that could preclude the achievement of its objectives and/or may not adequately assess the risks it has identified, which could result in either resource allocations that do not consider accurate risk information, or inappropriate decisions about the acceptance or mitigation of departmental risks.

Risks are considered to be of three types: (i) strategic – risks that could adversely impact PCO’s achievement of its strategic objectives; (ii) operational – risks that could adversely impact PCO’s operational activities; and (iii) environmental – risks that could adversely impact PCO’s people or buildings. These three risk types are sourced from the risk model the Office of the Comptroller General uses when developing their Annual Horizontal Risk-Based Audit Plan and, although there is some minor variability, they are also consistent with risk classifications used by the Office of the Auditor General and various internationally recognized risk management organizations. 

1.7 Audit Criteria

At the end of the Planning Phase, the audit team developed and vetted with management two high level audit criteria plus more detailed supporting criteria (refer to Appendix A) that were designed to address the highest risk areas identified in the audit’s risk assessment. The two high level audit criteria are presented below. All of these criteria were based on core management controls as identified in the Office of the Comptroller General’s Audit Criteria related to the Management Accountability Framework: A Tool for Internal Auditors.

Criterion:

  1. PCO should have an effective framework that ensures appropriate measures have been taken to effectively support the Clerk in managing his Accounting Officer responsibilities.
  2. PCO should have an approach to risk management that effectively addresses the risks affecting the organization through an adequate identification, examination, review, and resolution process.

2.0 Audit Findings

Since 2006 when Accounting Officer responsibilities were first presented in the FAA, PCO has been progressively evolving and documenting its governance structures4, its approach to risk management, and its management control framework. Each of these is a key component of the overall PCO infrastructure in place to help managers manage PCO operations and by extension the Clerk’s Accounting Officer responsibilities. Key improvements to this infrastructure include the documenting of controls in 2010 in the PCO Management Control Framework (MCF) followed by updates in 2011 and 2012, the April 2012 issuance of PCO’s Code on Values and Ethics, and the implementation of PCO’s first Statement of Management Responsibility Including Internal Controls over Financial Reporting covering the 2012-2013 fiscal year.

This infrastructure provides valuable information internally to the Clerk about the department’s operations and performance, including the results of internal audits. The Clerk also receives information from sources outside the department including the annual TB Management Accountability Framework (MAF) assessment, and the results of independent audits, reviews and/or other assessments conducted by external assurance providers including the Office of the Auditor General. PCO uses both its MAF results and the feedback from internal and external audits to develop and implement improvements to its governance and control infrastructure.

2.1 Complying With Government Policies and Procedures

Under FAA section 16.4(1)(a) the Clerk is accountable for measures taken to organize the resources of the department to deliver departmental programs in compliance with government policies and procedures.

Many Accounting Officer responsibilities relate to PCO’s financial activities and controls. The Clerk has assigned primary responsibility for managing and monitoring his Accounting Officer responsibilities to the Assistant Deputy Minister (ADM), Corporate Services Branch (CSB) who is also PCO’s Chief Financial Officer. In keeping with the TB Policy on Internal Control, the Clerk also relies on all his senior executives to manage their areas of responsibility diligently, and in so doing, to support the ADM CSB in managing his Accounting Officer responsibilities.

The full spectrum of government policies the Clerk must monitor and manage compliance with can be categorized as financially and non-financially based policies. While the bulk of the financially based policies are managed by CSB’s Finance and Corporate Planning Division (FCPD), the non-financially based policies are managed across the department (both within CSB and throughout PCO’s other branches and secretariats).

With respect to financially based policies, the Chief Financial Officer has established and implemented a robust system of controls that includes a formal compliance monitoring program for financial policies. These financial management controls, which are considered to be right sized for PCO, were recently improved when PCO instituted its first Statement of Management Responsibility Including Internal Controls over Financial Reporting. In doing so, PCO took the appropriate steps to maintain the currency of its internal controls over financial reporting as known changes occurred to TB’s suite of financially based policies.

With respect to non-financial TB policies, in 2009 PCO instituted on a trial basis a risk-based Accounting Officer self-assessment tool to identify and assess compliance with what managers believed were key policies that apply to their respective areas of responsibility. While this was a positive and proactive initiative, the use of this tool was ultimately discontinued in favour of using the PCO management control framework as one of the primary tools supporting the Clerk with his Accounting Officer responsibilities. Section 2.1.2 below covers this in more detail.

2.1.1 Financial Authorities

PCO’s financial controls are well documented in its 2011 Financial Internal Control Framework (FICF). PCO’s financial controls appropriately include:

  • identifying the highest risk financial activities;
  • designing, implementing and documenting appropriate controls for managing these financial activities;
  • establishing an ongoing monitoring process to determine if these controls are functioning as intended; and
  • documenting and providing senior management with the results of the monitoring activities performed.

Prior to implementing its Financial Internal Control Framework in 2011, CSB recognized the value of an independent review and validation of internal controls and in 2010 retained an independent firm of specialists in audit, accounting and finance to assess the auditability of PCO’s financial statements, including the department’s financial systems and relevant financial controls. The firm found the department’s internal controls over financial reporting were operating effectively.

2.1.2 Non-Financial Authorities

Assessing Compliance - Accounting Officer Pilot Project and Self-Assessment Process

In 2008, FCPD began inventorying the policies and legal authorities PCO must comply with. As the list grew to exceed 200 authorities (including 89 TB Policies), it was decided the list had become too difficult to risk-rank and manage, so other options were considered.

On April 1, 2009 the TB’s Framework for the Management of Compliance took effect. Paragraph 7.1.4 of this Framework notes that one of the principles upon which the Framework is based is that “…compliance with legal requirements and Treasury Board policy is monitored, with the focus of monitoring being determined on the basis of risk.”

In May 2009, PCO introduced its Accounting Officer Pilot Project, a risk based approach to assessing departmental compliance with non-financially based TB policies. This approach intended to balance the investment of resources against the value of information obtained. Managers from CSB, Security Operations (SECOPS) and Senior Personnel and Public Service Renewal Branch (SP&P) were consulted as these were the areas PCO believed most TB policies applied to. FCPD sent these managers a self-assessment questionnaire designed to determine if any control weaknesses existed. Managers did not test existing controls, but they were to explain their response or provide an action plan to address any suspected control weaknesses. Managers were also to sign an attestation on compliance with each policy assessed. Only 7 of the 20 distributed questionnaires were returned. Results were summarized in a presentation to PCO’s Executive Committee.

In 2010, FCPD repeated the pilot with other “high risk” TB policies and asked managers to explain what had been done to address control weaknesses identified the year before. Based on manager explanations, CSB determined all weaknesses had been addressed. However, while explanations were documented, corrective measures were not tested to see if they had addressed identified non-compliance risks. By the end of the second cycle, only 14 questionnaires were returned across the pilot’s two years. In 2011, questions arose about the approach’s effectiveness at informing decision making, and about its design and application (i.e. remain optional or become mandatory; expand to include legal authorities or not; expand to cover all of PCO or not). In considering these issues and the value of the information obtained in relation to the resources invested, PCO decided to move to a different approach that featured the combination of PCO’s management control framework, risk management activities, and governance model as the key tools supporting the Clerk’s Accounting Officer responsibilities.

Whether or not they participated in the Pilot Project, PCO managers are expected to manage compliance to authorities that apply to their area of responsibility. Audit results indicate compliance monitoring outside CSB/SECOPS/SP&P occurs as part of ongoing operations and that senior management can at any time raise any compliance risks or concerns with the Clerk through PCO’s daily Operations Committee meetings (a key control in PCO’s governance model) or through direct interactions with the Clerk.

2.2 Maintaining an Effective System of Internal Controls

Under FAA section 16.4(1)(b), the Clerk is accountable for measures taken by PCO to maintain an effective system of internal controls.

PCO follows the TB Policy on Internal Control in managing the department’s internal controls. The ADM CSB has established and maintains the department’s overall framework of internal controls, including those related to financial management. Control elements are documented in PCO’s Management Control Framework document which was designed based on Treasury Board’s 10 point management model found in the Management Accountability Framework – this was done so that PCO’s management control framework would align well with TB’s expectations for good management as depicted in the MAF. First created in 2010 and last updated in June 2012, the Management Control Framework documents the controls PCO has in place for managing PCO’s operations, and presents information on PCO’s approaches to both risk management and to the Clerk’s Accounting Officer responsibilities. However, the approach to managing the Clerk’s Accounting Officer responsibilities outlined in the PCO Management Control Framework refers to PCO using the Accounting Officer self-assessment tool, so it is again in need of updating.

While the Management Control Framework articulates PCO’s control environment, no document can adequately substitute or replace an active and engaged management team within a government department. To that end, the daily meeting of PCO’s Operations Committee chaired by the Clerk is considered to be a key strength of PCO’s governance structure that complements both the management control framework and PCO’s risk management activities. Any known or discovered issues that could affect the department, including issues that could affect the Clerk in his role as PCO’s Accounting Officer, can be raised, discussed, assessed and managed through the Operations Committee.

2.3 Preparation and Signing of the Public Accounts

Under FAA section 16.4(1)(c) the Clerk is accountable for the signing of the accounts that are required to be kept for the preparation of the Public Accounts, pursuant to section 64 of the FAA. The processes established by the Chief Financial Officer which PCO uses when preparing the department’s annual Public Accounts and Financial Statements are appropriate and well documented, and the resulting Public Accounts and Financial Statement documents are supported by appropriate documentation.

2.4 Accountability For Duties Under the FAA and other Acts

Under FAA section 16.4(1)(d) the Clerk is also accountable for the performance of other specific duties assigned to him by or under the FAA or any other Act in relation to the administration of the department.

As discussed in 2.1.2 above, PCO was using the Accounting Officer self-assessment tool to assess compliance with select “high risk” TB policies, not including any applicable legislative Acts and/or regulatory authorities. The TB Policy on Internal Control requires the Clerk to maintain and monitor a departmental internal control system to mitigate risks relating to, among other things, compliance with legislation and regulations. As such, in addition to compliance with TB policies, PCO’s control environment must mitigate against the risk of non-compliance with any applicable legislative and regulatory authorities.

When questions arose concerning its design, application and effectiveness, PCO opted to shift from the Accounting Officer self-assessment approach in favour of a different approach that featured the combination of its governance structures including the Clerk’s daily meetings with his executive team at Operations Committee, its risk management activities, and its documented Management Control Framework as the key tools supporting the Clerk with his Accounting Officer responsibilities. The combined impact of these governance, risk management and internal control elements, when coupled with central agency oversight provided through the annual MAF assessment process, are seen to reduce any residual risks to the discharging of the Clerk’s Accounting Officer responsibilities to a low overall level.

2.5 Risk Management - A Subset of Accounting Officer Responsibilities

Risk management is an important management duty, a key component of a department’s overall control framework, and a key part of the Accounting Officer’s responsibilities. Consistent with the TB Framework for the Management of Risk which strives to help deputy heads embed risk management as a critical element in all areas of work and at all levels of their organization, risk management at PCO is the responsibility of every PCO employee – all PCO managers and staff must manage risks on a daily basis commensurate with their accountability and responsibilities. As such, risk related decisions are being made and risk management activities are taking place across PCO as a part of normal daily operations. At the management level, risks are being managed through the formal governance committees and through existing internal control processes and procedures.

From the formal risk management perspective, PCO took a significant step forward in 2011 when it issued its Integrated Risk Management Framework (IRMF). The IRMF clearly defines and documents PCO’s risk management roles and responsibilities, and describes a consistent and comprehensive organization-wide approach to risk management which is now integrated with PCO’s annual business planning process.

PCO’s main risk management tool under the IRMF is the PCO Risk Profile. It provides senior management with good quality information on the risks that are captured in the Risk Profile, including: a definition of each identified risk; the relative rating of each identified risk (using a High/Medium/Low scale); the identification of the PCO managers responsible for managing each identified risk and for developing and implementing appropriate mitigation strategies; and an implementation plan and timeline for mitigation strategies.

The PCO Risk Profile, which is formally cleared through PCO’s governance committees up to and including PCO’s Executive Committee, is designed to identify and monitor key risks that could adversely affect PCO achieving its objectives. During the audit’s Examination Phase, the Risk Profile covered risks flowing from CSB and Security Operations in some detail, but it did not provide similarly detailed coverage of risks that might apply to other PCO Branches. As well, it focused on operational risks (i.e. human resources, information technology, and information management) and environmental risks (i.e. physical and personnel security, emergency management, and business continuity), but strategic risks were not then being captured. This was due to decisions made in 2006 and 2009 to exclude strategic risks from the PCO Risk Profile on the grounds those risks were outside of PCO’s influence. However, with the issuance of the IRMF, this position contrasted the IRMF which states “…risks that are not under PCO’s control should also be included.” Consequently, the situation was reconsidered and the updated Risk Profile issued in Spring 2012 included consideration of strategic risks.

The PCO Risk Profile is reviewed and updated semi-annually in the Spring and Fall. During the Fall update, PCO managers provide input that is used both to update the PCO Risk Profile and as input to PCO’s annual business planning process for the upcoming fiscal year. This ensures risk management at PCO is integrated with the department’s annual business planning process.

In 2012-13, PCO’s Audit Committee held discussions with PCO Deputy Secretaries to develop a stronger understanding of, among other things, the risks they face and how they are managing those risks. These discussions also suggested that the focus of the PCO Risk Profile is mainly on internal services managed by CSB and on security matters managed by Security Operations, and that the process of updating the PCO Risk Profile does not result in similarly detailed coverage being depicted in the Risk Profile of risks faced by PCO’s business lines outside of CSB and Security Operations. This being noted, given: (a) that PCO’s approach to risk management is now integrated with its annual business planning process; (b) that both PCO’s Risk Profile and its annual Integrated Business Plan are cleared through PCO’s governance committees up to and including PCO’s Executive Committee where they are given final approval; and (c) that risk issues can be raised as necessary at the daily meeting of PCO’s Operations Committee (a key control in PCO’s governance structure), management is comfortable with this overall approach to risk management at PCO. Audit results suggest that any residual risk to the discharging of the Clerk’s Accounting Officer responsibilities existing outside the reach of this multi-pronged approach to risk management is considered to be at a low overall level.

3.0 Conclusion

Government departments operate in a dynamic environment. Deputy heads must be confident their departments have robust governance and internal control infrastructures in place to manage operations and risks. As Accounting Officers, deputy heads must also be confident these infrastructures are regularly reviewed and updated to remain current, and that they are adaptable to changes that invoke risks to achieving departmental objectives.

Since 2006 when Accounting Officer responsibilities were first presented in the FAA, PCO has been progressively evolving and documenting its governance structures, its risk management activities, and its framework of management controls. Each is considered a key component of the overall infrastructure that helps PCO support the Clerk with his Accounting Officer responsibilities. Key improvements to PCO’s control environment include the documenting of controls in 2010 in the PCO MCF followed by updates in 2011 and 2012, the April 2012 issuance of PCO’s Code on Values and Ethics, and the implementation of PCO’s first Statement of Management Responsibility Including Internal Controls over Financial Reporting covering the 2012-2013 fiscal year.

While the MCF articulates PCO’s control environment, no document can substitute or replace an active and engaged management team. The daily meeting of PCO’s Operations Committee chaired by the Clerk and attended by all senior executives is a key strength of the department’s governance structure that complements the MCF and PCO’s risk management activities. Any known or discovered issues that could affect the department can be raised, discussed, assessed and managed at Operations Committee.

When taken as a whole, the combination of PCO’s risk management activities, its MCF, and its formal governance structures including the daily meetings of the Clerk with his executive team at Operations Committee, along with both Central Agency oversight provided through the annual MAF assessment process and the information obtained from internal and external audits, are seen to be an adequate set of mechanisms for supporting the Clerk with his Accounting Officer responsibilities. Collectively, these elements are seen to reduce any associated residual risks to discharging of the Clerk’s Accounting Officer responsibilities to a low overall level. However, given that management is relying on the internal controls presented in the MCF as a key support for the Clerk’s Accounting Officer responsibilities, there is a need to ensure controls are periodically reviewed, tested and reported on, and the MCF document itself is periodically reviewed and updated.

4.0 Audit Recommendation

The audit findings and conclusion have resulted in the following audit recommendation:

  • Recommendation
    To ensure PCO is effectively supporting the Clerk’s Accounting Officer responsibilities, the Assistant Deputy Minister, Corporate Services Branch, with the involvement of the PCO Executive team, should periodically: review, test and report on the adequacy of the department’s key controls at supporting the Clerk with his Accounting Officer responsibilities; and review and update the PCO Management Control Framework document.

5.0 Management Response and Action Plan

Management Response:
Management accepts this report and will oversee the implementation of its recommendation.

Audit of Accounting Officer Responsibilities, Including Risk Management
The Assistant Deputy Minister, Corporate Services Branch has overall accountability for the Action Plan.
Recommendation Management Response Office of Prime Interest Target Date
It is recommended that:
1. To ensure PCO is effectively supporting the Clerk’s Accounting Officer responsibilities, the Assistant Deputy Minister, Corporate Services Branch, with the involvement of the PCO Executive team, should periodically: review, test and report on the adequacy of the department’s key controls at supporting the Clerk with his Accounting Officer responsibilities; and review and update the PCO Management Control Framework document.
To ensure PCO is effectively supporting the Clerk’s Accounting Officer responsibilities, the Assistant Deputy Minister, Corporate Services Branch will, with the involvement of the PCO Executive team, oversee:
   
- An update of PCO's entity level controls (a 3-year rotational activity); Finance and Corporate Planning Division Oct. 1, 2014 and ongoing
- An update of PCO's Management Control Framework to track and maintain the continuity of current and future departmental control mechanisms. Finance and Corporate Planning Division March 31, 2015 and ongoing
- The review of the Department’s key internal control documents and their update to reflect changes in related Policies and processes. Finance and Corporate Planning Division March 31, 2015 and annually thereafter
- The regular reporting on the effectiveness of PCO’s internal key controls to Senior Management and to the Departmental Audit Committee. Finance and Corporate Planning Division March 31, 2015 and annually thereafter

Appendix A – Detailed Audit Criteria

Criteria 1: PCO has an effective framework that ensures that appropriate measures have been taken to effectively support the Clerk in managing his Accounting Officer responsibilities.

1.1 Governance and Strategic Directions

1.1.1 PCO has established an effective organizational framework and/or has identified the individuals responsible to monitor the effective management of the Clerk’s Accounting Officer responsibilities.

1.1.2 PCO has in place the tools and undertakes the appropriate activities necessary to achieve its objectives with respect to the management of the Clerk’s Accounting Officer responsibilities.

1.1.3 The Clerk receives sufficient, complete, timely and accurate information with respect to the management of his responsibilities as PCO’s Accounting Officer.

1.2 Policy and Guidance

1.2.1 The monitoring of departmental management of the Clerk’s Accounting Officer responsibilities occurs in a regular and timely manner.

1.3 Stewardship

1.3.1 All (financial and non-financial) external authorities (i.e. laws, regulations, policies, and guidelines) applicable and relevant to PCO are identified, documented and understood.

1.3.2 PCO identifies or assesses the risk of non-compliance with identified external authorities.

1.3.3 Compliance needs are resourced appropriately to ensure the compliant delivery of PCO’s departmental objectives (i.e. its services and outputs).

1.3.4 Adherence to the external authorities are periodically validated (adequacy and effectiveness), with areas of improvement identified and actioned.

1.3.5 PCO’s compliance with external authorities is monitored regularly and reported to senior management.

1.3.6 PCO’s internal controls support the Clerk’s signing on the Public Accounts management representation letter.

1.4 Accountability

1.4.1 PCO employees (formally) acknowledge their understanding and acceptance of their accountability.

1.4.2 PCO has established and documented a clear and effective organization structure.

Criteria 2. PCO’s approach to risk management effectively addresses the risks affecting the organization through an adequate identification, examination, review, and resolution process.

2.1 Risk Management

2.1.1 PCO’s management has a documented approach with respect to risk management.

2.1.2 PCO’s management identifies the risks that may preclude the achievement of its objectives (at either the entity or activity levels).

2.1.3 PCO management adequately assesses the risks it has identified.

2.1.4 PCO’s management appropriately communicates its risks and risk management strategies to the key stakeholders.

2.1.5 PCO’s business planning and resource allocation processes include consideration of relevant risk information. (Prioritization, Timeliness and Resource Allocation).


Endnotes

  1. While the FAA refers to departmental “programs”, this report follows PCO convention and uses “activities” when referring to PCO activities and its efforts to achieve the department’s objectives.
  2. Per TB’s Policy on Internal Control, the requirement to sign a Statement of Management Responsibility Including Internal Control over Financial Reporting was phased in over a three year period – PCO was only required to prepare this Statement starting with the 2012-13 fiscal year, which occurred after the Examination Phase of this audit.
  3. Up to 2013, PCO had its “Corporate Risk Profile”. In 2013, this document was renamed the “PCO Risk Profile”.
  4. In June 2012, PCO posted the Final Audit Report for the internal Audit of Corporate Governance on the PCO website.