Audit of Policy on Internal Control Implementation – Phase 2
June 2017
1850-3-014 (ADM(RS))
Reviewed by ADM(RS) in accordance with the Access to Information Act. Information UNCLASSIFIED.
Assistant Deputy Minister (Review Services)
- ADM(Fin)/CFO: Assistant Deputy Minister (Finance) / Chief Financial Officer
- ADM(RS): Assistant Deputy Minister (Review Services)
- DND/CAF: Department of National Defence and the Canadian Armed Forces
- FY: Fiscal Year
- OPI: Office of Primary Interest
Overall Assessment
- Implementation activities undertaken by the Department should enable it to achieve the objective of the Policy on Internal Control and its expected results.
- The process related to the identification, documentation and assessment of controls could be enhanced to allow those responsible for maintaining the system to fully leverage the work previously completed.
Results in Brief
The Policy on Internal Control is one of the core policies within the Treasury Board Policy Framework for Financial Management. It took effect on April 1, 2009 for all departments and agencies within the Government of Canada. The key objective of the Policy is to adequately manage risks relating to the stewardship of public resources through effective internal control, including internal control over financial reporting.
As the largest and most complex department in the Government of Canada, the Department of National Defence and the Canadian Armed Forces (DND/CAF) has been working on the implementation of the Policy on Internal Control within the broad span of its organization. The Department has made progress on implementing the requirements of the policy by completing several major activities. These include establishing a formal project management office, creating a Three-Year Integrated Work Plan, reorganizing and prioritizing internal resources, embedding policy activities and requirements in various transformation initiatives, and including policy-related work objectives in the performance agreements for both civilian and military personnel.
The Assistant Deputy Minister (Finance) / Chief Financial Officer (ADM(Fin)/CFO) leads the implementation of the Policy on Internal Control, working in collaboration with various other stakeholders within the Department. An effective system of internal control depends on the participation of all parts of the organization, whether it is in its initial design or continuing operation.
Given the importance of an effective system of internal control in the DND/CAF, an Audit of Policy on Internal Control Implementation was included in the Assistant Deputy Minister Review Services (ADM(RS)) Risk-Based Internal Audit Plan for fiscal years (FY) 2016/17 to 2018/19. This audit is intended to assess the Department’s efforts towards implementation of the Policy on Internal Control. The first phase of the audit was completed in a report approved in August 2016; it addressed the governance structures and risk management processes in place to support the Department’s policy implementation activities. This report presents the results of the second phase of audit, which examines the processes for policy implementation.
Findings and Recommendation
Processes for Policy Implementation
The Director Financial Controls organization, on behalf of the ADM(Fin)/CFO, is responsible for the implementation of the Policy on Internal Control within the Department. It works with business process owners and key stakeholders to establish a system of internal control. An external contractor has been engaged to support implementation activities, including project management, process mapping, testing and remediation of key controls. The approach followed by the Department is consistent with guidelines provided by the Office of the Comptroller General. Based on the work planned, the Department should be in a position to achieve the objective of the Policy and its expected results.
Information Management
In order to identify and assess key controls, the Department, with the assistance of the external contractor, performs detailed analyses of control areas and business processes. While these efforts have focused on delivering results, the process could be strengthened with increased attention to the retention of documentation to better substantiate the work performed and how key decisions were made. Without an adequate record of implementation activities, the verifiability and repeatability of the work performed in the design and initial testing of the internal control system may be limited. This is particularly important as implementation activities progress to the ongoing monitoring and retesting stage, in which personnel who may not have been involved in the development of the control system will require an understanding of work previously performed.
It is recommended that the ADM(Fin)/CFO improve its information management practices over the implementation of the Policy on Internal Control. This would better explain the process followed, document the rationale for key decisions, and retain the results of control testing to an extent that allows those supporting the control system and others seeking to rely on it to understand the work performed.
Note: Please refer to Annex A—Management Action Plan for the management response to the ADM(RS) recommendations.
1.1 Background
The Treasury Board Policy on Internal Control took effect on April 1, 2009 for all departments and agencies within the Government of Canada as defined in section 2 of the Financial Administration Act. This Policy supports the focus on government accountability arising from the Federal Accountability Act, and is one of the core policies within the Treasury Board Policy Framework for Financial Management.
The key objective of the Policy on Internal Control is that “risks relating to the stewardship of public resources are adequately managed through effective internal controls, including internal controls over financial reporting.” Once implemented, departments are expected to have:
- An effective risk-based system of internal control that is properly maintained, monitored and reviewed, with timely corrective measures taken when issues are identified; and
- An effective system of internal control over financial reporting as demonstrated by the departmental Statement of Management Responsibility Including Internal Control over Financial Reporting.
Since the Policy on Internal Control came into effect, the DND/CAF has worked to meet its requirements. Within the Department, the ADM(Fin)/CFO is responsible for leadership of the overall implementation of the policy. On behalf of the ADM(Fin)/CFO, the Director Financial Controls organization works with departmental stakeholders, such as business process owners or departmental functional authorities, to document and assess internal controls, and to identify and remediate deficiencies and gaps. All parts of the organization have a role in the implementation of internal controls, whether it is in their design or operation.
The Department’s size, complexity, risk, capacity, decentralization, and other pertinent factors have required a significant dedication of effort and resources in the implementation of the Policy on Internal Control. This has included work in establishing a formal project management office, creating a Three-Year Integrated Work Plan, reorganizing and prioritizing internal resources, embedding policy activities and requirements within relevant departmental transformation initiatives, and including policy-related work objectives in the performance agreements for both civilian and military personnel. These activities have contributed towards the progress made in the assessment of the design and operating effectiveness of the Department’s system of internal control.
In accordance with the ADM(RS) Risk-Based Internal Audit Plan for FY 2016/17 to 2018/19, an internal audit was undertaken to assess the Department’s efforts towards the implementation of the Policy on Internal Control. In order to provide timely information to the Department, this audit has been delivered in two phases.
The first phase of the audit assessed the governance and risk management aspects of the Department’s policy implementation, and was completed through a report approved in August 2016. This report (Annex C) made note of the need to provide the Defence Management Committee and the Departmental Audit Committee with updates on the progress made. It also recommended that steering committees at senior management levels meet on a more frequent and regular basis in order to address cross-functional issues.
The second phase of audit, which considers the processes in place to support the effective implementation of the policy, is presented in this report.
In accordance with the Treasury Board Guideline for the “Policy on Internal Control” and the draft Policy on Internal Control – Diagnostic Tool for Departments and Agencies, the Department has set out a framework to establish, maintain, monitor and review its system of internal control. This framework consists of the following steps:
- Risk assessment and scoping;
- Documentation of control activities;
- Evaluating design effectiveness of controls;
- Remediating control design deficiencies;
- Evaluating operating effectiveness of controls;
- Remediating operating effectiveness deficiencies; and
- Ongoing monitoring of controls and periodic risk-based retesting and remediation.
As part of its approach to policy implementation, the Department has identified internal controls within 13 key control areas. The steps in the implementation framework above are being applied to each of the following key control areas:
- Entity Level Controls
- Information Technology General Controls
- Financial Reporting and Financial Close
- Process Level Controls:
  - Revenues and Receivables
  - Prepaid Expenses
  - Procurement to Payment
  - Other Payables and Payments
  - Civilian Payroll
  - Military Regular & Reserve Force Payroll
  - Inventories
  - Capital Equipment Assets
  - Real Property Assets
  - Remediation Liabilities
The Department has completed the steps of risk assessment and scoping, and documentation of control activities in all key control areas. Work is now proceeding in various stages of progress for each of the key control areas to execute the steps of design effectiveness testing and remediation, operating effectiveness testing and remediation, and on-going monitoring. The Department plans to complete this work in all key control areas by FY 2018/19.
The Policy on Internal Control is currently under review, as part of the initiative of the Treasury Board of Canada Secretariat to streamline all of its policies. Notwithstanding this review, it is expected that departments and agencies will continue to be required to have in place a system of internal control.
1.2 Rationale
This audit was identified in the ADM(RS) Risk-Based Audit Plan for FY 2016/17 to 2018/19. It supports the ADM(Fin)/CFO in its strategy towards compliance with the Policy on Internal Control by providing timely assurance on its progress in meeting policy requirements.
1.3 Objective
The objective of the audit was to determine whether the governance structure, risk management, and processes were in place to support the successful implementation of the Policy on Internal Control.
1.4 Scope
The scope of the audit included completed and planned implementation activities as defined in the ADM(Fin)/CFO policy implementation framework within the thirteen key control areas, as at August 2016. The audit excluded those entity level controls where ADM(RS) is identified as the Office of Primary Interest (OPI) responsible for implementation.
1.5 Methodology
The audit results are based on an examination of a sample of the key control areas within the Department’s system of internal control. Consideration for the sampling of key control areas was based on factors such as the complexity and nature of the area, other recent and planned audit coverage, and reported progress of implementation. Key control areas examined in this audit included:
- entity level controls;
- financial reporting and financial close; and
- remediation liabilities.
The audit used the following methodology:
- file and document reviews of various sources of information from the DND/CAF, including flow charts, descriptions, narratives, risk and control matrices and committee minutes;
- interviews with key internal DND/CAF stakeholders (i.e., ADM(Fin)/CFO, Director General Financial Operations, Director Financial Controls, a number of business process owners, and the external contractor responsible for the testing of the design and operating effectiveness of internal controls); and
- re-performance of design and operating effectiveness testing of selected key control areas.
1.6 Audit Criteria
The audit criteria can be found at Annex B.
1.7 Statement of Conformance
The audit findings and conclusions contained in this report are based on sufficient and appropriate audit evidence gathered in accordance with procedures that meet the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing. The audit thus conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program. The opinions expressed in this report are based on conditions as they existed at the time of the audit, and apply only to the entity examined.
Good Practices
- The implementation of the Policy is consistent with the draft Policy on Internal Control – Diagnostic Tool for Departments and Agencies, issued by the Office of the Comptroller General.
- Extensions to the expired contract have been issued to continue work on testing and remediating internal controls while a new contract is being tendered.
- The Director Financial Controls works in partnership with business process owners to ensure that both documented processes and controls are accurate and up to date.
2.1 Processes for Policy Implementation
The Department’s approach to implementing the Policy on Internal Control follows a process consistent with the expectations of the Office of the Comptroller General; however, documentation of the reasoning for procedures performed, the rationale for key decisions, and the results of control testing could be improved to substantiate the Department’s work on the development of its system of internal controls to support its ongoing monitoring and retesting.
The DND/CAF has continued to make progress towards the documentation and assessment of its system of internal controls in order to meet the expected outcomes of the Policy on Internal Control. On behalf of the ADM(Fin)/CFO, the Director Financial Controls organization is responsible for the implementation of the policy within the Department, and maintains a close working relationship with business process owners to ensure that internal controls are accurately documented and updated whenever changes are made to business processes.
The Office of the Comptroller General has issued a draft diagnostic tool to guide the implementation of the Policy on Internal Control. The guidance describes a framework to assess the effectiveness of internal control systems, and has been used in other departments in establishing their systems of control.
To carry out the implementation of the policy, the Director Financial Controls has engaged an external contractor to work with business process owners and key stakeholders to identify and document key internal controls and related risks for each of the key control areas. After mapping the key controls, the external contractor tests the effectiveness of their design through a process walk-through, and identifies any control gaps or deficiencies in the internal control system.
Upon completion of design effectiveness testing, the Director Financial Controls collaborates with business process owners to make the necessary changes to remediate the control deficiencies identified. Depending on the complexity of the key control area and the number of stakeholders involved in the business process, a working group may be established to address the control weakness identified. A working group facilitates the remediation of controls where the redesign of a business process may be required, which may have implications on multiple organizations within the Department.
Operating effectiveness testing for key controls is performed at least six months after the remediation of deficiencies in the design of controls, in order to allow sufficient time for the newly designed controls to become established. The operating effectiveness of internal controls is tested to assess whether financial reporting risks have been reduced as a result of the control working over a period of time. Any control deficiencies identified during operating effectiveness testing are remediated and subsequently retested.
In the course of establishing key controls, unanticipated changes to business processes may occur, requiring reassessment of the area. Changes in areas such as Remediation Liabilities have resulted in the need to revisit the design effectiveness of controls that had previously been completed.
After the Department is satisfied that key controls have been successfully established within a business process, it will conduct periodic risk-based retesting of the internal controls as part of its ongoing monitoring activities. As process changes and ongoing monitoring occur over the continued operation of the business process, personnel responsible for supporting the system will need to rely on documentation of the initial development and testing of controls.
Overall, the steps previously described are being followed by the Department in the implementation of the Policy on Internal Control, and are consistent with the draft Policy on Internal Control – Diagnostic Tool for Departments and Agencies, issued by the Office of the Comptroller General. Upon completion of its implementation activities, the Department should achieve the objective of the policy and its expected results.
The Department relies significantly on external expertise for the implementation of this policy. The current service contract related to the implementation of the Policy on Internal Control expired in March 2016. While the Director Financial Controls had initiated a new contracting process in June 2015, it continues to work with the Department of Public Services and Procurement Canada to tender a new contract to continue with policy implementation. In the interim, amendments to extend the current contract have been issued with the existing service contractor to continue its progress in testing and monitoring of its system of controls.
2.1.1 Information Management
As part of the audit’s examination of the sampled key control areas, a process for the identification, documentation and assessment of controls was found to be in place. This process could be strengthened to provide for further substantiation of the work performed and how key decisions were made. For example, there was limited documentation available to explain the approach followed in the identification and risk assessment of key control areas, or the rationale for the tests performed. It was often difficult to validate how the Director Financial Controls or the external contractor reached their conclusions in the control documents, as the documentation retained was not sufficient to allow for an independent party to be able to follow the work performed.
The implementation of a system of internal controls is expected to be a long-term endeavor. After the current work is completed to confirm the design and operating effectiveness of key controls, the Department will enter a phase of ongoing monitoring. As such, it is important that personnel who may not have been involved in the initial development of the control system be able to follow previous work in order to conduct continuing maintenance and monitoring. In addition, adequate information management is necessary to mitigate personnel changes during policy implementation either due to regular staff turnover or the tendering result of the new service contract. The ability to retain and transfer acquired knowledge is necessary to provide efficiencies and ensure consistency and continuity in the system of internal controls.
Documentation of Work Performed. In establishing internal controls in key areas and business processes, key documents were produced, including process flowcharts, control narratives and matrices, and the results of control testing. The audit sought to assess the work performed in order to validate the conclusions reached. However, supporting documents describing the analyses conducted in the development of the control system were not maintained. In order to assess the validity and adequacy of the work performed, it was necessary to re-perform certain procedures on key controls.
This was found particularly in the examination of control testing for the entity level control area. Thirteen entity level controls were selected for testing. In one of the controls examined, the results of work performed could not be replicated due to information that was no longer available. This entity level control required an “action plan to address issues in the Management Accountability Framework (MAF) and Public Service Employee Survey (PSES)”. The documentation provided had reported that this control was working effectively, citing the information posted on the Vice Chief of the Defence Staff intranet site as evidence. However, at the time of the audit, the information referenced could not be located on the intranet site as described. While it is possible that the information was posted and the control was functioning as intended at the time that the control was originally tested, without having retained the supporting information, it was not possible to substantiate the validity of the previously drawn conclusion.
As policy implementation progresses to the stages of operating effectiveness testing and ongoing monitoring, the absence of complete documentation will result in an increased level of effort necessary to obtain the level of confidence to rely on previously performed activities. Testing of controls re-performed in the course of the audit yielded similar results as those concluded by the Director Financial Controls, confirming the conclusions made.
Records of Decisions Made. Remediation Liabilities was one of the business process control areas selected for sampling to assess the control system development process. The Department currently has 829 active contaminated sites in various locations across Canada. However, in performing the design effectiveness testing for the Remediation Liabilities control area, the implementation team relied on analysis of the existing process at only one location with 10 active contaminated sites. Documentation was not retained to explain the rationale for the selection of this single location as the basis for control testing. This level of testing may not have been sufficient as it may not have considered regional differences that may exist between sites requiring a different design to the internal controls. A similar observation had been made in the ADM(RS) Audit of Contaminated and Unexploded Explosive Ordnance Legacy Site Liabilities, December 2015, which noted that “there was inconsistent supporting evidence to demonstrate that formal departmental review, challenge, and approval of key site management decisions and activities had been performed.”
When queried, management explained that the site selection was based on its assumption that business process owners would ensure consistent application of departmental processes and internal control frameworks across operations upon remediation of control deficiencies identified during design effectiveness testing. The ADM(Fin)/CFO is currently working with the Assistant Deputy Minister (Infrastructure and Environment) to finalize a guide on Remediation Liabilities and The Treasury Board Policy on Internal Control to ensure consistency in the business process across the country prior to operating effectiveness testing.
While the explanation provided was reasonable, improved documentation would be useful in supporting key decisions that may be challenged in the future. As control implementation progresses to a steady state, a complete understanding of decisions made would allow those responsible for maintaining the system or others seeking to rely on the controls to follow the logic of the work previously performed.
Consistency of Implementation Processes. Finally, the Department has set up remediation working groups to carry out remediation activities for identified control gaps. It is the task of each remediation working group to develop remediation plans. Similar processes were found to have been used by the groups examined; however, a formal approach to control deficiency remediation had not been documented. Particularly in process areas involving a single organization as the OPI, the remediation process was found to have followed a more ad hoc approach. Terms of reference were only developed for working groups where more than one organization was involved in the business process. In order to facilitate a more consistent approach, terms of reference could have been developed for each working group. General guidance on control deficiency remediation could provide for efficiencies through a more standardized implementation process between control areas, and contribute to the continuity of the process in the event of personnel changes.
The observations related to information management practices for the implementation of the Policy on Internal Control may be attributed to the absence of departmental implementation policies. With the precedence given to policy implementation across the Government of Canada, development of policies and procedures may have been a lesser priority. While the prescriptive nature of the Treasury Board guidance may have reduced the need for departmental procedures in some aspects of policy implementation, specific direction for information retention as well as the documentation of methodology and procedures would have been useful.
ADM(RS) Recommendation
1. While a process to document the results of control design and testing is in place, going forward, the ADM(Fin)/CFO should improve its information management practices over the implementation of the Policy on Internal Control. This would better explain the process followed, document the rationale for key decisions, and retain the results of control testing to an extent that allows those supporting the control system and others seeking to rely on it to understand the work performed.
Key considerations for the development of a management action plan are as follows:
- Develop general procedures for the testing, remediating and ongoing monitoring of controls, including requirements for action plans with business process owners that provide for clear accountability and responsibility.
- Indicate the nature of documentation that should be retained to support control testing as well as a retention period for the documentation.
OPI: ADM(Fin)/CFO
3.0 General Conclusion
DND/CAF has identified key internal controls for important risks, tested their effectiveness, and developed remediation activities to strengthen weaknesses to attain an effective system of internal control as it implements the Policy on Internal Control. However, documentation of the methodology behind the performed procedures as well as of information retention requirements would facilitate the efficient continuation of policy implementation. This would reduce the risk of inefficiency in the implementation process that may result from turnover of key personnel responsible for policy implementation, particularly as the internal control system progresses to the stages of operating effectiveness testing and ongoing monitoring.
Considered in conjunction with the findings of the first phase of audit, the governance structure, risk management and processes to support the successful implementation of the Policy on Internal Control are generally in place to allow for the establishment of an effective system of control within the Department.
Annex A—Management Action Plan
ADM(RS) uses recommendation significance criteria as follows:
Very High—Controls are not in place. Important issues have been identified and will have a significant negative impact on operations.
High—Controls are inadequate. Important issues are identified that could negatively impact the achievement of program/operational objectives.
Moderate—Controls are in place but are not being sufficiently complied with. Issues are identified that could negatively impact the efficiency and effectiveness of operations.
Low—Controls are in place but the level of compliance varies.
Very Low—Controls are in place with no level of variance.
Information Management
ADM(RS) Recommendation (Moderate Significance)
1. While a process to document the results of control design and testing is in place, going forward, the ADM(Fin)/CFO should improve its information management practices over the implementation of the Policy on Internal Control. This would better explain the process followed, document the rationale for key decisions, and retain the results of control testing to an extent that allows those supporting the control system and others seeking to rely on it to understand the work performed.
Key considerations for the development of a management action plan are as follows:
- Develop general procedures for the testing, remediating and ongoing monitoring of controls, including requirements for action plans with business process owners that provide for clear accountability and responsibility.
- Indicate the nature of documentation that should be retained to support control testing as well as a retention period for the documentation.
Management Action
The ADM(Fin) concurs that additional information management practices and documented procedures would strengthen the overall internal controls program administration and related activities, supporting the ongoing maintenance and monitoring of DND’s system of internal control.
ADM(Fin) will develop a monitoring plan consistent with Treasury Board policy guidelines, and project management will include necessary record management guidance on the following areas:
- general procedures for the testing, remediating and ongoing monitoring of controls, including requirements for remediating action plans with business process owners that provide for clear accountability and responsibility; and
- the nature of documentation that should be retained to support control testing as well as a retention period for the documentation.
OPI: ADM(Fin)/CFO
Target Date: March 31, 2018
Annex B—Audit Criteria
Criteria Assessment
The audit criteria were assessed using the following levels:
Assessment Level and Description
Level 1—Satisfactory
Level 2—Needs Minor Improvement
Level 3—Needs Moderate Improvement
Level 4—Needs Significant Improvement
Level 5—Unsatisfactory
Governance – Assessed in Phase 1
- The Department has established clear roles, responsibilities, accountabilities, oversight, and the appropriate governance structures to support the implementation of the Policy on Internal Control.
Assessment Level 3 – Needs Moderate Improvement. Additional information should be provided to Departmental Audit Committee and Defence Management Committee to ensure visibility of the progress towards implementation of the Policy on Internal Control. Steering committees at the Assistant Deputy Minister and the Director General levels should be held more frequently to address any issues requiring intervention at these levels.
Risk Management – Assessed in Phase 1
- The Department has conducted risk assessments to identify and prioritize risks impacting corporate objectives to achieve an effective, risk-based system of internal control.
Assessment Level 1 – Satisfactory. Program and project risks are identified by business owners and remediation action owners to the project management office for policy implementation, and a risk management process is in place.
Controls – Assessed in Phase 2
- The Department has identified key internal controls for important risks, tested their effectiveness, and developed remediation activities to strengthen weaknesses to attain an effective system of internal control.
Assessment Level 2 – Needs Minor Improvement. Retention of documentation should be improved to better substantiate the work performed and how key decisions were made.
Sources of Criteria
Committee of Sponsoring Organizations of the Treadway Commission. Internal Control – Integrated Framework, 2013.
Office of the Comptroller General. Policy on Internal Control – Diagnostic Tool for Departments and Agencies (Preliminary Draft), 2010.
National Defence. PIC Implementation – Integrated 3 Year Plan.
Treasury Board of Canada. Policy on Internal Control, 2009.
Treasury Board of Canada Secretariat. Guideline for the “Policy on Internal Control.”