Audit of Internal Controls over Financial Reporting

Final Report
September 16, 2015

Table of Contents

  Statement of Conformance
  1.0 Introduction
    1.1 Authority
    1.2 Objective
    1.3 Scope
    1.4 Audit Criteria
    1.5 Approach and Methodology
  2.0 Conclusion
  3.0 Findings and Recommendations
    3.1 Roles, Responsibilities and Governance
    3.2 Risk Management
    3.3 Significant Financial Processes, Key Controls and Assessment of Their Effectiveness
    3.4 Ongoing Monitoring and Reporting
  4.0 Management Response and Action Plan

Acronyms Used in this Report

CAE Chief Audit Executive
CFO Chief Financial Officer
DAC Departmental Audit Committee
DCFO Deputy Chief Financial Officer
FPAD Finance, Planning and Administration Division
ICFR Internal Controls over Financial Reporting
PIC Policy on Internal Control
PCO Privy Council Office

Statement of Conformance

In my professional opinion as Chief Audit Executive, this audit conforms with the Internal Auditing Standards for the Government of Canada, as supported by the results of the Privy Council Office’s quality assurance and improvement program.

Original signed by

Chief Audit Executive

Jim Hamer
Director, Audit and Evaluation

1.0 Introduction

Internal Controls over Financial Reporting (ICFR) provide a means by which management and users of financial statements can have a level of confidence that the financial statements fairly reflect all financial transactions, and also provide information which aids the Privy Council Office (PCO) in the preparation of internal and external financial information, reports and statements in accordance with policies, directives and standards. In addition, ICFR help to provide assurance that revenues received and expenditures made are in accordance with delegated authorities, and unauthorized or erroneous transactions that could have a material effect on financial information and financial statements are prevented or detected in a timely manner. This includes providing reasonable assurance that financial resources are safeguarded against material loss due to waste, abuse, mismanagement, errors, fraud, omissions and other irregularities.

In 2009, Treasury Board introduced the Policy on Internal Control (PIC), the objective of which is to ensure that “risks relating to the stewardship of public resources are adequately managed through effective internal controls, including internal controls over financial reporting.” One of the primary requirements of the PIC is that the Deputy Head and the Chief Financial Officer (CFO) sign an annual departmental Statement of Management Responsibility Including Internal Control over Financial Reporting. This policy requirement is intended to acknowledge management's responsibility for maintaining an effective system of internal controls to ensure reliable financial information, safeguarding of assets and proper authorization of transactions.

As such, the commitment made by the Clerk of the Privy Council (the Clerk) towards ICFR is established through the Statement of Management Responsibility Including Internal Control over Financial Reporting. This Statement, signed annually by the Clerk and the CFO, has prefaced PCO financial statements since the 2011-12 fiscal year.

At PCO, most corporate functions, including Finance, are centralized under the responsibility of the Assistant Deputy Minister, Corporate Services Branch, who is also the Department’s CFO. Although each employee has an important role to play in the system of ICFR by ensuring that approved processes are followed and that due diligence and sound stewardship are applied, most key ICFR processes are owned by and operate within the Corporate Services Branch.

A Financial Policy, Systems and Internal Control Team (the Internal Control Team), which was re-established in September 2014 following a period of staff turnover, has been assigned responsibility for the development and maintenance of the framework over the system of ICFR. The Team is comprised of three individuals who discharge the above-noted ICFR responsibility while concurrently performing other Finance related duties. The Team is overseen by the Deputy CFO (DCFO) and Executive Director, Finance, Planning and Administration Division (FPAD).

1.1 Authority

The Audit of Internal Controls over Financial Reporting was approved by the Clerk as part of PCO’s 2014-15 to 2016-17 Risk-Based Audit Plan.

1.2 Objective

The overall objective of the audit was to assess whether PCO has established an effective framework of management controls to maintain and assess the system of ICFR in support of the Department’s annual Statement of Management Responsibility Including Internal Controls over Financial Reporting.

1.3 Scope

The scope of the audit included an assessment of the governance structure in place to enable strategic and operational oversight of the ICFR framework within PCO. This included an assessment of the governance that helps to set both the “tone at the top” and senior management expectations as they pertain to ICFR. In terms of personnel, the audit focused on the roles, responsibilities and accountabilities of individuals with formal obligations for ICFR. Further, the audit assessed the framework in place to provide assurance over the operational effectiveness of controls over financial reporting, including mechanisms established for the monitoring and reporting of ICFR. The period of audit coverage was April 1, 2012 to May 8, 2015.

The audit did not include testing of transactions to ensure operating effectiveness of controls has been achieved, but rather assessed the framework in place to support the Statement of Management Responsibility Including Internal Control over Financial Reporting.

1.4 Audit Criteria

During the audit’s planning phase, the audit team established four main audit criteria to be assessed during the audit. These criteria, which were agreed to by management, included:

  1. Appropriate and effective oversight bodies and clear roles, responsibilities, and accountabilities for key personnel have been established to support the Statement of Management Responsibility Including Internal Controls over Financial Reporting.
  2. A framework is in place for the identification and assessment of the risks associated with the system of internal controls over financial reporting.
  3. A framework and a formal process have been established for the documentation of key financial processes, the identification of key controls and the assessment of their effectiveness.
  4. Processes for monitoring the state of the system of internal controls over financial reporting have been established, including processes for addressing identified control issues and proposed recommendations.

1.5 Approach and Methodology

The audit began with a planning phase, conducted in January and February 2015, during which the audit team identified the relevant risks to the achievement of the objectives and expected results of PCO’s system of ICFR. From these risks, the audit team established audit criteria, identified above. Prior to moving to the examination phase, the Chief Audit Executive (CAE) communicated the results of the planning phase to management and received their agreement with the proposed audit criteria and scope.

The audit examination phase, conducted from March to June 2015, consisted of a review of assigned roles, responsibilities and accountabilities, including governance, over the system of ICFR, the comprehensiveness of the risk assessment framework, key processes in place to implement the system of ICFR, and the mechanisms in place for monitoring and reporting on the system of ICFR. The audit approach included interviews with officials from PCO’s FPAD and stakeholders outside FPAD with responsibilities related to the system of ICFR. Additionally, the audit included a review of the documentation available to support the Annex to the Statement of Management Responsibility Including Internal Control over Financial Reporting for fiscal years 2012-13 and 2013-14.

At the end of the examination phase, audit findings were discussed with management and a draft report was prepared and sent by the CAE to the Chief Financial Officer for response and development of an action plan to address the audit recommendations. Audit reports and management action plans are provided to PCO’s Departmental Audit Committee (DAC) for review and recommendation to the Clerk of the Privy Council for approval.

2.0 Conclusion

PCO has established the key components of an effective framework of management controls to maintain and assess the system of internal controls over financial reporting in support of the Department’s annual Statement of Management Responsibility Including Internal Controls over Financial Reporting. However, audit results note areas within this control framework where improvements are required to more fully mature and improve the effectiveness of this control framework.

Significant progress has been made during the in-scope period of this audit to refresh and improve the framework of controls over the system of ICFR at PCO. Specifically, the Financial Policy, Systems and Internal Control Team was re-established in 2014 under the direction of the DCFO and it is in the process of reviewing and renewing the ICFR Framework which outlines the key roles, responsibilities and accountabilities over the system of ICFR within PCO. Additionally, the Internal Control Team has been reviewing and refining key ICFR processes, including those relating to the development of the risk assessment, the documentation of key processes and controls, and the reporting of control deficiencies noted during ongoing monitoring activities.

While the Internal Control Team continues to review and improve the ICFR Framework, the audit noted a need to: refine and better communicate the roles and responsibilities of process owners within the system of ICFR; improve oversight reporting; provide additional justification for risk assessment results; conduct tests of design on updated/revised processes; and develop a risk-based Monitoring and Quality Assurance Plan.

The following section details the audit findings and recommendations.

3.0 Findings and Recommendations

3.1 Roles, Responsibilities and Governance

The DAC has been established as a key governance body for providing advice to the Clerk. Additionally, clear roles, responsibilities, and accountabilities for key personnel within the FPAD have been formally defined and are well understood; however, there is an opportunity to improve the communication of the roles and responsibilities of process owners in the system of ICFR.

One of the requirements of PIC is that the Deputy Head ensures “the establishment, maintenance, monitoring and review of the departmental system of internal control”. A key component of the system of internal control is the establishment of a strong governance structure, including clear roles, responsibilities, and accountabilities for key personnel.

The audit noted that PCO had established a departmental Management Control Framework document (last revised in 2012) which is aligned to the requirements of PIC, the Financial Administration Act, and the Federal Accountability Act. Based on the requirements outlined in this Management Control Framework, the Department is also reviewing and updating its Internal Controls over Financial Reporting Framework document (ICFR Framework) with the expectation it will be finalized in the current fiscal year. Per the Directive on Internal Auditing in the Government of Canada, DAC is responsible for reviewing the annual Statement of Management Responsibility Including Internal Control over Financial Reporting and providing advice to the Deputy Head on the risk-based assessment plans and associated results related to the effectiveness of the departmental system of ICFR.

Although the audit noted that the DAC received information regarding the effectiveness of the system of ICFR during the in-scope period of the audit, the information provided to DAC typically came in the form of high-level, ad-hoc verbal updates from the CFO and the DCFO with the most formal element being the DAC’s review of the Annex to the Statement of Management Responsibility Including Internal Control over Financial Reporting.

Strengthening the financial reporting process to the DAC over the system of ICFR will reduce the risk that DAC may not be receiving all relevant and timely information required for the effective discharge of their assigned responsibilities under the TB Policy on Internal Audit.

The audit further noted the appropriate assignment of roles, responsibilities, and accountabilities to key personnel over the system of ICFR within the draft ICFR Framework, and alignment of these roles and responsibilities with the requirements of the PIC. The audit also noted an understanding of assigned roles and responsibilities of the Internal Control Team; however, an opportunity was identified to improve the communication and understanding of the roles and responsibilities of process owners. Process owners are generally senior management level personnel assigned responsibility for overseeing the implementation of internal controls over a specified process. The audit noted that process owners, specifically outside of FPAD, were not consistently aware of their assigned roles and responsibilities over the system of ICFR.

Recommendation 1:

The Assistant Deputy Minister, Corporate Services and Chief Financial Officer should ensure that the revised ICFR Framework document includes a formal communication strategy which would feature the development and use of a standardized reporting template for more regularized reporting to the DAC on the status of the system of ICFR within PCO, and a communication plan to ensure all process owners are aware of their assigned roles, responsibilities and accountabilities over the system of ICFR.

3.2 Risk Management

The Internal Control Team has recently undertaken an effort to formalize the ICFR risk assessment process, including the assessment of processes against established criteria; however, opportunities for improving the guidance and risk assessment tool were noted.

According to the PIC, as part of the Statement of Management Responsibility Including Internal Control over Financial Reporting, the Deputy Head should “acknowledge the conduct of an annual risk-based assessment of the system of Internal Control over Financial Reporting to determine its ongoing effectiveness,” which includes identifying high risk financial processes for monitoring purposes.

Towards the end of fiscal year 2014-15, the Internal Control Team refined their approach to the conduct of this risk assessment and completed a first draft of the risk assessment using the new approach. As part of this new approach, the Internal Control Team identified and assessed an inventory of financial processes against pre-defined risk source categories to identify the high risk processes that should be subjected to ongoing monitoring within the system of ICFR.

Although the new approach features a more robust assessment of the financial processes against key risks, the audit identified opportunities to strengthen both the documentation of the risk assessment methodology within the ICFR Framework document and the justification of risk ratings within the risk assessment approach. Improvements in these areas would ensure more consistency in the application of this assessment process. Specifically, the audit noted that although the ICFR Framework document outlines the risk categories, such as capacity, vulnerability to fraud and sensitivity to public opinion, it does not provide definitions of the risk considerations. Risk considerations include the qualitative and where appropriate quantitative factors to be considered in the assessment and scoring of the risk categories. Examples of risk considerations for the “capacity” risk category include the number of current vacancies and the levels of experience of key personnel. Additionally, the Framework document has not been refined to reflect the updated risk assessment approach, including the expectation for process owner consultations/validations. Lastly, through a review of the completed draft risk assessment for fiscal 2015-16, the audit noted that no documented justifications or explanations were provided for risk assessment results.

Without a well-defined and effective risk assessment methodology which has been fully documented and carried out in a consistent manner with the input of process owners, there is an increased risk that relevant high risk financial processes will not be identified and subsequently monitored through the system of ICFR.

Recommendation 2:

The Deputy Chief Financial Officer and Executive Director, FPAD should ensure the complete documentation of the new risk assessment approach within the revised Internal Controls over Financial Reporting Framework document. Specifically, the Framework document should include the definition of the risk considerations, their qualitative and quantitative factors, and the approach to their scoring. Additionally, the Framework should include the requirement for process owner consultations/validations as part of the risk assessment approach, and the documenting of justifications for the risk assessment results/scoring once applied.

3.3 Significant Financial Processes, Key Controls and Assessment of Their Effectiveness

A framework and formal processes have been established for the documentation and review of key financial processes; however, the completion of risk control matrices and tests of design for significant financial processes should be performed on a more timely basis.

Since late Fall 2014, the Internal Control Team has been undertaking an exercise to update the process documentation for all significant business processes identified in the updated risk assessment. For most significant business processes, process charts and related narratives have been developed; however, some process documentation was still being updated at the time of the audit. Once the process documentation has been updated for all significant financial processes, the expectation is that these documents will be reviewed, updated as necessary and signed off by the process owners on an annual basis.

Although this process has been established to update and validate process documentation with process owners on an annual basis, no formal walkthroughs/tests of design have been performed for new or updated processes. Consequently, each updated or changed process will only be subjected to testing when it comes up for monitoring within the three-year cycle established by FPAD.

Conducting tests of design effectiveness for new or significantly revised processes immediately after each process is completed would reduce the risk that potential control design issues which could adversely affect the effectiveness of processes would only be identified once ongoing monitoring activities are applied to this business process (within the three-year cycle).

Additionally, the audit noted that control matrices have not yet been developed to support the business process flowcharts. These matrices are important as they identify the key controls mitigating the significant financial risks relevant to that business process. A control matrix template for identifying and assessing key controls within processes was developed during the 2014-15 fiscal year; however, it was noted that the templates will only be populated as part of ongoing monitoring (i.e. over the three-year cyclical period). Without the timely completion of control matrices, there is an increased risk that gaps in key controls to mitigate identified risks will only be identified once full-scope operational effectiveness testing takes place over the course of a three-year period.

Recommendation 3:

The Deputy Chief Financial Officer and Executive Director, FPAD should ensure that the revised Internal Control over Financial Reporting Framework include a requirement for the conduct of formal tests of design and the identification of key controls, including the completion of control matrices, upon the updating of any significant financial processes.

3.4 Ongoing Monitoring and Reporting

Within the existing Monitoring and Quality Assurance Plan a formal process for addressing and following up on identified control deficiencies has not been established; however, a new process is in the midst of being developed.

According to the PIC, Deputy Heads are responsible for ensuring that “appropriate and timely action is taken to address any significant issue relating to the departmental system of internal control”. In order to achieve this, ongoing monitoring is to be performed by the Internal Control Team on significant financial processes, and any identified control weaknesses are to be identified, communicated and remediated on a timely basis. As noted through the Guideline on PIC, “internal control management includes activities to ensure that key internal controls are assessed and periodically reassessed on a risk-basis and for monitoring purposes [and that] corrective actions are being taken when necessary.”

The audit noted that the current Monitoring and Quality Assurance Plan (the Plan) has not undergone a review since its original implementation in 2010; however, it is slated to be reviewed within the next year. With this review, the audit team believes it is a good opportunity to ensure that the Plan is updated to include additional requirements.

Firstly, the Plan does not currently require a risk-based approach to the monitoring of significant financial processes, whereby the results of the risk assessment, reviewed annually, would help determine prioritization and frequency of monitoring activities undertaken by the Internal Control Team.

Secondly, the Plan does not include requirements for the communication and remediation of control deficiencies identified through the ongoing monitoring performed by the Internal Control Team. Specifically, through the review of previous monitoring activities, the audit team noted inconsistencies in the disposition of identified control weaknesses/deficiencies, the development and implementation of remediation action plans and the follow-up on remediation activities. As such, additional guidance regarding the establishment of remediation action plans, including the assignment of a remediation owner, and follow-up activities, is required to ensure that control weaknesses are adequately addressed by the appropriate individuals in a timely manner.

The audit noted inconsistencies in the level of documentation to support the findings included within the Annex to the Statement of Management Responsibility Including Internal Control over Financial Reporting (the Annex) for the 2012-13 and 2013-14 fiscal years. Specifically, not all deficiencies noted in the monitoring documentation were escalated and ultimately reported in the Annex. This was due to the application of an informal risk ranking which was not documented. However, the Internal Control Team is developing a formal risk ranking approach for the disposition of identified control weaknesses and their reporting in the Annex. This ranking is to be formally defined in the revised Monitoring and Quality Assurance Plan.

Recommendation 4:

The Deputy Chief Financial Officer and Executive Director, FPAD should ensure that the Monitoring and Quality Assurance Plan, as part of its update, includes requirements for the (1) development of a risk-based monitoring plan, (2) formal communication of control weaknesses to process owners identified through ongoing monitoring, and (3) development and ongoing monitoring of remediation actions in response to identified control weaknesses.

4.0 Management Response and Action Plan

Management has accepted all audit recommendations; their action plan is presented on the following pages.

Management Action Plan

Audit of Internal Controls over Financial Reporting
The Chief Financial Officer has overall responsibility for the Action Plan.
Recommendation Planned Actions Responsibility Due Date
Recommendation 1:

The Assistant Deputy Minister, Corporate Services and Chief Financial Officer should ensure that the revised ICFR Framework document includes a formal communication strategy which would feature the development and use of a standardized reporting template for more regularized reporting to the DAC on the status of the system of ICFR within PCO, and a communication plan to ensure all process owners are aware of their assigned roles, responsibilities and accountabilities over the system of ICFR.

Planned Actions:

A.
The Policy on Internal Control requires that the Departmental Audit Committee, as applicable, be engaged on the risk-based assessment plans and results of the annual assessment of the effectiveness of the departmental system of internal control.

As part of the annual Financial Statements review, the Departmental Audit Committee has the opportunity to comment on the Statement of Management Responsibility Including Internal Control Over Financial Reporting.

The Statement provides information related to the assessment results, progress made during the year and the action plan for the next fiscal year based on an annual validation of the risk process.

Starting in 2015-16, the results of our annual monitoring of key processes will be presented annually to the Departmental Audit Committee and to the PCO Senior Executive Committee.

Responsibility: FPAD
Due Date: March 31, 2016

B.
During the business process review, FPAD sent the documentation to the process owners for their review and approval. For this year’s review, an Annex will be added to the documentation to outline the owner’s role and responsibilities. The owner will also be given the opportunity to meet with the Financial Policies, Systems and Internal Control team to discuss his roles and responsibilities related to the business process.

Responsibility: FPAD
Due Date: January 2016

Recommendation 2:

The Deputy CFO and Executive Director, FPAD should ensure the complete documentation of the new risk assessment approach within the revised Internal Controls over Financial Reporting Framework document. Specifically, this Framework document should include the definition of the risk considerations, their qualitative and quantitative factors, and the approach to their scoring. Additionally, the Framework should include the requirement for process owner consultations/validations as part of the risk assessment approach, and the documenting of justifications for the risk assessment results/scoring once applied.

Planned Actions:

A.
The Internal Controls over Financial Reporting (ICFR) framework document will be reviewed to include a definition of the risk considerations with the following information:

  • Qualitative and quantitative factors; and
  • An overview of the scoring of the risk categories.

Responsibility: FPAD
Due Date: ICFR framework - December 2015

B.
The risk assessment approach will be documented separately from the ICFR framework and will require the approval of the Deputy Chief Financial Officer on an annual basis. The document will outline the following information:

  • The scoring approach
  • Process owner requirement to validate the risk assessment
  • The justification for the risk assessment results/scoring

Responsibility: FPAD
Due Date: Risk assessment document August 2016

Recommendation 3:

The Deputy CFO and Executive Director, FPAD should ensure that the revised Internal Control over Financial Reporting Framework include a requirement for the conduct of formal tests of design and the identification of key controls, including the completion of control matrices, upon the updating of any significant financial processes.

Planned Actions:

A.
Formal design testing and identification of key controls will be added to the business process review when major changes to the business process are required.

Responsibility: FPAD
Due Date: March 31, 2016

B.
Control matrices will be completed by 2016-2017.

Responsibility: FPAD
Due Date: March 31, 2017

Recommendation 4:

The Deputy CFO and Executive Director, FPAD should ensure that the Monitoring and Quality Assurance Plan, as part of its update, includes requirements for the (1) development of a risk-based monitoring plan, (2) formal communication of control weaknesses to process owners identified through ongoing monitoring, and (3) development and ongoing monitoring of remediation actions in response to identified control weaknesses.

Planned Actions:

A.
The monitoring results of the 2014-15 key processes monitoring were communicated to the business process owners. For the majority of the weaknesses, a remediation plan was received from the owner. For those business processes for which FPAD did not receive a remediation plan, business owners are working on their plan and have committed to providing the information by October 30, 2015.

Responsibility: FPAD
Due Date: Monitoring result communication and remediation plan November 30, 2015, and ongoing

B.
Remediation plan follow-up sheets are being created to ensure that follow-up is done on remediation activities.

Responsibility: FPAD
Due Date: Follow-up sheet September 30, 2015

C.
The risk assessment document mentioned under recommendation 2 will also include the risk-based monitoring plan. Please note that the risk-based on-going monitoring is disclosed in the Statement of Management Responsibility Including Internal Control Over Financial Reporting included in the financial statements.

Responsibility: FPAD
Due Date: Risk assessment document August 2016