Annex to the statement of management responsibility including internal control over financial management – fiscal year 2017-18

Message from the deputy minister and chief financial officer

Responsibility for the integrity and objectivity of the accompanying financial statements for the year ended March 31, 2018, and all information contained in these statements rests with the senior management of the Department of Canadian Heritage (PCH). These financial statements have been prepared using the Government of Canada Accounting Handbook, which is based on Canadian public sector accounting standards.

Some of the information in these financial statements is based on management's best estimates and judgment, and gives due consideration to materiality. To fulfill its accounting and reporting responsibilities, management maintains a set of accounts that provides a centralized record of PCH's financial transactions. Financial information submitted in the preparation of the Public Accounts of Canada, and included in PCH's Departmental Results Report, is consistent with these financial statements.

Management is also responsible for maintaining an effective system of internal control over financial management (ICFM), including internal control over financial reporting (ICFR), which is designed to provide reasonable assurance that financial information is reliable, that assets are safeguarded and that transactions are properly authorized and recorded in accordance with the Financial Administration Act and other applicable legislation, regulations, authorities and policies.

Management seeks to ensure the objectivity and integrity of data in its financial statements through careful selection, training and development of qualified staff; through organizational arrangements that provide appropriate divisions of responsibility; through communication programs aimed at ensuring that regulations, policies, standards, and managerial authorities are understood throughout PCH and through conducting an annual risk assessment of the effectiveness of the system of ICFM.

The system of ICFM, including ICFR, is designed to mitigate risks to a reasonable level based on the ongoing monitoring of the key risks, to assess the effectiveness of associated key controls and to make any necessary adjustments.

A risk-based assessment of the system of ICFM, including ICFR, for the year ended March 31, 2018 was completed in accordance with the Treasury Board Policy on Financial Management and the results and action plans are summarized in the annex.

The effectiveness and adequacy of PCH's system of internal control is reviewed by the work of internal control and internal audit staff, who conduct periodic reviews and audits of different areas of PCH's operations. Additionally, the Departmental Audit Committee oversees management responsibilities for maintaining adequate control systems and the quality of financial reporting.

The financial statements of PCH have not been audited.

Graham Flack
Deputy Minister

Andrew Francis
Chief Financial Officer

On this page:

List of acronyms

CAE
Chief Audit Executive
CFO
Chief Financial Officer
COBIT
Control Objectives for Information and Related Technologies
CoE
Contributions Centre of Expertise
DAC
Departmental Audit Committee
DM
Deputy Minister
FAA
Financial Administration Act
FY2015-16
Fiscal year 2015-16
ICFM
Internal control over financial management
ICFR
Internal control over financial reporting
ISACA
Information Systems Audit and Control Association
IT
Information technology
ITGCs
Information Technology General Controls
MOU
Memorandum of Understanding
PCH
Canadian Heritage
PMBOK
Project Management Body of Knowledge
PSPC
Public Services and Procurement Canada
SAP
Departmental Financial Management System
SSC
Shared Services Canada
TB
Treasury Board

1. Introduction

This annex provides information on the measures taken by Canadian Heritage (PCH) to maintain an effective system of Internal Control over Financial Management (ICFM), including Internal Control over Financial Reporting (ICFR), assessment results and related action plans.

Information on PCH's authority, mandate and program activities can be found in the Departmental Results Report and the Departmental Plan.

2. Internal control over financial management

The Treasury Board (TB) Policy on Financial Management came into effect on April 1, 2017 and requires the establishment and maintenance of a risk-based system of ICFM.

In this context, PCH must perform the ongoing assessment of the design and operation of its internal controls and remediate identified deficiencies. This also provides reasonable assurance that public resources are used prudently and that financial legislation, regulations and policies are being complied with.

2.1. Internal control governance

PCH has a well-established governance structure to support departmental assessment efforts and oversight of its system of internal control. A departmental internal control management framework, approved by the Deputy Minister (DM) and the Chief Financial Officer (CFO), is in place and includes:

  • An annual risk-based internal audit plan, developed in consultation with senior management across the Department to address areas of higher risk and significance. This plan is instrumental to PCH's system of ICFM. Reports on completed internal audits are presented to the Departmental Audit Committee to seek recommendation for approval by the DM. In order to maximize the efficiency within the department, the ongoing monitoring plan is developed in consultation with the Office of the Chief Audit Executive (CAE) to coordinate the planning activities related to internal control assessments:
  • Organizational accountability structures as they relate to internal control management to support sound financial management including roles and responsibilities for senior managers in their areas of responsibility for control management;
  • A department-wide Code of Conduct supported by management and by the Office of Values and Ethics which provides confidential, independent, impartial and informal assistance to employees and groups of employees who are experiencing conflicts affecting their work;
  • On-going communication and training on statutory requirements, and policies and procedures for sound financial management and control; and
  • Monitoring of and regular updates on internal control management, as well as the provision of related assessment results and action plan to the DAC, in order to provide advice to the DM on the adequacy and functioning of the department's risk management, control and governance frameworks and processes.

2.2. Service arrangements relevant to financial statements

  • PCH relies on other organizations for the processing of certain transactions that are recorded in its financial statements as follows.

2.2.1. Common arrangements:

  • Public Services and Procurement Canada (PSPC) centrally administers the payment of salaries and the procurement of some goods and services in accordance with PCH's Delegation of Authority, and provides accommodation services;
  • Treasury Board of Canada Secretariat provides PCH with information used to calculate various accruals and allowances, such as the accrued severance liability. They also provide policy guidance and interpretation on matters of financial management;
  • The Department of Justice provides legal services to PCH; and
  • Shared Services Canada (SSC) provides information technology (IT) infrastructure services to PCH in the areas of data centre and network services.

2.2.2. Specific arrangements:

  • Parks Canada Agency provides PCH with the PeopleSoft system platform to capture and report human resources data.
  • The Department of Agriculture and Agri-Food Canada provides hosting services to PCH for its Departmental Financial Management System (SAP).

3. Ongoing monitoring of key controls

Ongoing monitoring is intended to ensure that Internal Control over Financial Management (ICFM), including Internal Control over Financial Reporting (ICFR), continues to operate effectively and as designed, following the guidance received from the Office of the Comptroller General.

3.1. Assessment results during fiscal year 2017-18

In Fiscal Year 2017-18, PCH continued the ongoing monitoring of the key financial management business processes. The following table presents PCH's progress as at March 31, 2018, based on the previous year action plan:

Table 1. PCH's progress with regards to its previous year action plan
Key business process 2017-18
Salaries Completed
Grants and Contributions Completed
Information Technology General Controls Completed
Fraud Risk Assessment To be completed FY 2018-19

3.1.1. Salaries

Payroll processing was completely transferred to Miramichi as at March 31, 2015. The implementation of a new pay system (Phoenix) at the end of February 2016 changed the salary processes significantly and the platform has been unstable since then. PCH relies on the effectiveness of the PSPC's control framework to ensure that information is valid, timely, complete and accurate. Additionally, PCH relies on the effectiveness of the new pay system "Phoenix" for pay processing and time and labor reporting. However, Canadian Heritage remains responsible for monitoring controls related to the salaries key business process within the department.

An assessment of the salaries key business process was conducted in fiscal year 2017-18. The objective was to determine the design effectiveness of the key controls for the salaries process and to ensure that Canadian Heritage is compliant with the Financial Administration Act (FAA) and the key financial policies issued by Treasury Board (TB). The scope of this review focused mainly on the "new hires" sub-process. Key controls were tested on financial transactions to determine the design and operating effectiveness of the following sub-components as outlined in the TB Guideline on Financial Management of Pay Administration.

Recommendations:

  • Continue the dialogue with the Pay Centre to obtain current and valid information with regards to payroll information.
  • Roles and responsibilities with regards to required supporting documentation and document retention will be defined to enable the monitoring and oversight functions of pay related transactions by both the Finance and HR areas.
  • Business Intelligence system tools for salaries must be improved to enable standardized reporting and support the salary reconciliation process.
  • PCH must document the FAA Section 34 certification process for salaries, so that all managers exercises the same level of control and rigor for pay related transactions as any other charges against the appropriation.
  • A risk-based approach, for the purpose of FAA Section 33 certification, will be developed with regards to payroll transactions.

The internal controls for other salary sub-processes will be reviewed and assessed during fiscal year 2018-19, following a more detailed risk assessment exercise of payroll transactions.

3.1.2. Grants and Contributions

A detailed risk assessment of the grants and contributions business process was conducted in fiscal year 2017-18 in collaboration with the Grants and Contributions Centre of Expertise (CoE). The following four programs were selected for this review: Canada Arts Presentation Fund, Canada Periodical Fund, Celebration and Commemoration Program and Development of Official-Language Communities Program.

Key controls were tested to determine the design and operating effectiveness of the following process stages:

  • Develop grants and contributions program;
  • Initiate expenditure;
  • Control commitments;
  • Develop funding agreement;
  • Manage grants and contributions payments.

The next round of testing for the Grants and Contribution key business process is scheduled for FY 2020-21, following the implementation of the new Grants and Contribution Modernization Project system.

Recommendations:

  • The risk assessment process for Grants and Contributions be reviewed in order to align the operational and financial risks related to transfer payments.
  • The current Grants & Contributions business process be realigned to be compliant with the Treasury Board Directive on Delegation of Spending and Financial Authorities, with regards to the exercising of spending authorities (Expenditure initiation and commitment authorities (FAA Section 32)).
  • The concept of separation of duties be documented and communicated to all individuals exercising transaction authority and certification authority (FAA Section 34) in the context of the Grants and Contributions process to support the risk-based approach required by the Directive on Delegation of Spending and Financial Authorities.
  • Procedures for standardized document management for all transfer payment programs be developed and documented and should address the documents required to support the payment verification process (FAA Section 33) in accordance with the departmental account verification strategy.

3.1.3. Information Technology General Controls

Given the continued reliance on information systems and automated financial controls, adequately designed and operating Information Technology General Controls (ITGCs) are necessary to properly support ICFR. Appropriate controls related to ITGCs are fundamental in determining whether reliance can be placed on automated controls that support significant accounts presented in the financial statements.

ITGCs were previously reviewed by the Office of the Chief Audit Executive in FY2015-16. With its newly implemented Delegation of Authority Application, management wanted the assurance that the system of internal controls around its ITGCs was working effectively, to support the upcoming system changes (Invoice to Pay, Purchase to Pay, Grants and Contributions Modernization Project integration etc.).

The services of an external service provider were retained to assist in carrying out this review and focused on the COBIT 5Footnote 1 core artefacts.

Recommendations:

  • Establish a project management framework derived from best Project Management Body of Knowledge (PMBOK) practices. Depending on the classification of the project, the proper level of rigor should be applied based on the risks, complexity and costs of projects. Additionally, a financial management system strategy should be developed to govern test management, release management and quality assurance activities.
  • A change management strategy, including a stakeholder engagement plan, be developed to guide all the stages for processing system changes and govern stakeholder relations.
  • A formal request be made to Agriculture and Agri-Food Canada to:
    • Perform a periodic technical system monitoring to support system testing as per the approved MOU.
    • Include the SAP Early Watch Report in its monitoring practices when performing periodic technical system reviews.
  • A governance framework should be created to govern and address protocols with regards to monitoring activities in the areas of User Identity Management and Logical Access Provisioning.
  • A new organizational structure be proposed to senior management which should include a System Testing/Release Management Coordinator to coordinate System Testing, Release Management and Project Management activities.

3.1.4. Entity Level Controls (Fraud risk assessment)

In February 2017, a report on the assessment of the design effectiveness of PCH's Entity Level Controls was issued by the Office of the Chief Audit Executive. One of its recommendations was that the Chief Financial Officer, in collaboration with relevant senior officials, clarify the role for fraud management within PCH, including the conduct of regular fraud risk assessments and the promotion of fraud awareness within the Department.

The services of an external service provider were retained to assist in carrying out this fraud risk assessment, based on leading practice approach. The assessment will be completed by the end of June 2018. The results will be reported in the 2018-19 Statement of Management Responsibility – Internal controls over financial Management annex.

3.2. Three-year action plan

Based on the results of PCH's annual risk assessment exercise, the three-year ongoing monitoring plan was revised:

Table 2. Three-year ongoing monitoring plan
The X indicates the year in which the monitoring for each key control area will take place.
Key Business Processes 2018-19 2019-20 2020-21
Grants and Contributions - - x
Salaries x - -
Purchases and Payables - x -
Capital Assets - x -
Revenues - x -
IT General Controls - - x
IT Application Controls x - -
Entity level Controls x - -
Financial Reporting - x -
Planning, Budgeting and Forecasting x - -
Report a problem or mistake on this page
Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, contact us.

Date modified: