Audit of Control Certification by the Chief Financial Officer – Policy on Internal Control
From Employment and Social Development Canada
1. Background
The Treasury Board Policy on Internal Control (PIC), effective April 1, 2009, required departments to adequately manage risks relating to the stewardship of public resources through effective internal controls, including Internal Control over Financial Reporting (ICFR).
1.1 Context
In accordance with PIC, the Deputy Head was responsible for:
- Ensuring the establishment, maintenance, monitoring and review of the departmental system of internal control to mitigate risks in the following broad categories:
- The effectiveness and efficiency of programs, operations and resource management, including safeguarding of assets
- The reliability of financial reporting
- Compliance with legislation, regulations, policies and delegated authorities
- Signing an annual departmental Statement of Management Responsibility including ICFRs, also signed by the Chief Financial Officer (CFO), which prefaces the departmental consolidated financial statements
- Monitoring compliance with PIC and its supporting directives and standards through periodic audits and other reviews to ensure their effective implementation
- Ensuring that appropriate and timely action is taken to address any significant issues relating to the departmental system of internal control
- Providing reports or information on the departmental system of internal control as requested by the Comptroller General
The Internal Control Unit (ICU) within the Chief Financial Officer Branch (CFOB) supports the Deputy Head and the CFO with respect to the Statement of Management Responsibility. The ICU has two primary functions:
- Collaboration with other stakeholders in the PIC process, including the Internal Audit Services Branch, the Office of the Auditor General of Canada and key business process owners
- Execution and management of the Departmental Internal Control Framework, including performing design and operating effectiveness testing
1.2 Audit objective
The objective of this audit was to provide assurance on the adequacy of the PIC Framework (Footnote 1) to maintain an effective departmental system of internal control, including ICFR, to support the annual Statement of Management Responsibility sign-off.
1.3 Scope
The scope of the audit included the adequacy of the Departmental Internal Control Framework (the Framework), which is the cornerstone of the CFO certification process for the Statement of Management Responsibility and ICFR activities. In addition, the following key control areas were selected and assessed to determine whether the Framework was effectively implemented:
- Entity Level Controls (ELCs)
- Information Technology General Controls (ITGCs)
- Canada Student Loans Program (CSLP)
- Managing Planning and Budgeting
- Manage Grants and Contributions (Gs and Cs)
- Employment Insurance (EI)
- Canada Pension Plan (CPP)
- Manage Financial Close
The scope period of the audit focused on activities conducted to support the Statement of Management Responsibility for the 2015 to 2016 financial statements.
1.4 Methodology
The audit used a number of methodologies during the conduct phase including:
- Documentation review and analysis
- Sampling and file review testing
- Process observations and analysis
- Interviews with key business owners, management and staff from CFOB
- Information analysis and validation to support conclusions
2. Audit findings
2.1 Key components of the Framework are in place
Risk assessment methodology
The Framework was approved by the Deputy Minister in November 2013 and is currently being revised. It provides structure and guidance around the financial functions within the Department, and gives direction to senior management, managers, financial officers and employees responsible for ensuring sound stewardship of financial resources. An initial step in the system of ICFR is to identify financial statement items based on materiality, specifically in terms of the reliability of financial reporting. These financial statement items are to be linked to Employment and Social Development Canada’s (ESDC) key business processes. The Framework indicates that a risk assessment is to be conducted on an annual basis to identify significant financial statement items and, consequently, key business processes. The risk assessment is done using risk assessment criteria such as materiality and impact of transactions. However, the likelihood and impact of the risk occurring are not considered. In our opinion, the risk assessment methodology would be strengthened by considering the likelihood and impact of the risk, which would result in a better risk ranking of the key business processes. It could also assist with resource allocation for testing purposes.
ELCs and ITGCs testing
ELCs are controls that are pervasive across a department. They include the “tone from the top”, the organization’s culture, values and ethics, governance, transparency and accountability mechanisms as well as the activities and tools put in place across the organization to raise staff awareness, and ensure clear understanding of roles and responsibilities. The Framework indicates that ESDC has 17 ELCs. The audit found that the Framework did not provide a detailed approach on how to develop and test ELCs at ESDC. A further defined ELC methodology would allow a more consistent approach when assessing the design and operating effectiveness of the ELCs. CFOB Management indicated that they are developing a more tailored methodology going forward with an “ICFR-focus”, as they conduct ongoing monitoring of ELCs.
ITGCs are also a key area to be assessed as part of the ongoing monitoring of ICFR. ITGCs are controls relating to the organization’s general information technology (IT) infrastructure and systems that are used across a department (including network and system access controls to protect against the risks of unauthorized access, loss of data integrity, etc.). Controls specific to IT applications are typically addressed at the business process level where applications support financial data and transactions. Key elements specific to ESDC’s ITGCs methodology, such as the basis to test against, the structure used to determine which systems and applications are in scope, and the inventory of systems and applications, are not documented in the Framework. To improve the Framework, management should consider documenting its ITGCs methodology.
In 2015, an external consultant conducted an assessment of the ITGCs environment which documented and identified key financial systems. The report on the design and operating effectiveness of ITGCs was issued by the external consultant in August 2016. Management indicated that this external assessment report became the basis of ITGCs related work afterwards.
2.2 Oversight and quality assurance could be enhanced
Business process documentation
Documentation is a key aspect of PIC that helps position key controls in applicable processes and includes process narratives, flowcharts, and control matrices. ESDC has identified and documented key business processes, flowcharts and control matrices including ELCs and ITGCs.
The Framework provides guidance on the frequency and approach to update business process and control documentation. It requires that flowcharts along with details of key controls be updated and formally approved, on an annual basis, by the Assistant Deputy Minister (ADM) responsible for the area. The Framework also requires business owners to communicate any significant changes to their key business processes. The audit noted that the majority of business process flowcharts and control matrices reviewed were not updated annually. There was no evidence that changes to key business processes were followed by materiality assessments and updates to the related business processes flowcharts and control matrices. Documentation included outdated systems and processes such as the Corporate Management System for the financial close process, which has not been updated since November 2011 to reflect the implementation of SAP in 2014. CFOB indicated that key stakeholders were informed that business process flowcharts and control matrices would not be updated annually. In the audit team’s opinion, there is an opportunity for management to update the framework and reflect the current approach.
Design effectiveness and operating effectiveness testing
The PIC required that the annual departmental Statement of Responsibility including ICFR acknowledge the conduct of an annual risk-based assessment of the system of ICFR to determine its ongoing effectiveness. Ongoing effectiveness is assessed through both design and operating effectiveness testing. The assessment of control design effectiveness involves identifying key controls that exist to prevent or detect material misstatement in the financial statements, and mitigating key risks that were identified. Testing of design is intended to confirm alignment of these key controls relative to key risks to the financial statements they aim to mitigate. The assessment of control operating effectiveness involves assessing the extent to which a key control has been operating as intended over a specified period of time.
The audit found that design effectiveness testing was completed for the key business processes reviewed. The audit noted that testing matrices and individual testing sheets were not always consistent and cross-referenced. It was also noted that two key controls that were effectively designed were not tested for operating effectiveness. As a result, ESDC may not be able to conclude on whether key controls identified and assessed through design effectiveness testing were operating effectively (or whether failed controls were remediated). This would mean that ESDC is not in compliance with its Framework and the Guideline for PIC. It may also result in inconsistencies between what is stated in the Annex to the Statement of Management Responsibility and what was actually completed.
Sampling methodology
The requirement to document testing scoping strategies is included in the Framework but the audit found that scoping decisions were not consistently documented or based on risk (e.g. complexity, materiality, etc.). For example:
- Gs and Cs operating effectiveness testing assessed four (4) Gs and Cs programs representing 9.43% of all Gs and Cs program budgets
- CPP design effectiveness testing assessed only one processing centre, located in Victoria, British Columbia. The testing scope did not include a documented rationale for this testing scoping decision (e.g. complexity, materiality, etc.)
As a result, there is a risk that key controls related to material and/or complex transactions, programs or regions may not be assessed through design and operating effectiveness testing.
Another key step in operating effectiveness testing is the methodology used in the sample selection for testing purposes. Sampling is used to determine the amount of testing on a population. The sample is used to test if key controls work properly. ESDC has defined its sampling methodology in the Framework. ESDC’s sampling methodology consists of an approach based on the nature and frequency of the activities being performed but it does not consider the degree of risk related to key business process activities. Including a risk component within the sampling methodology would allow a better focus of operating effectiveness testing on high risk activities.
The audit found that the sampling methodology was not consistently followed throughout operating effectiveness testing. For example, within CPP, a monthly reconciliation control prescribed a minimum sample size of five; however, only two samples were assessed. Management indicated that the methodology and approach of an external consultant was used for operating effectiveness testing of CPP, instead of ESDC’s sampling methodology.
Testing results
Once the design and operating effectiveness testing are completed, testing results are communicated and action plans are developed. The Framework requires that, for any gaps and deficiencies noted throughout testing, the process owner (e.g. ADM) develops a Management Response and Action Plan (MRAP) which outlines planned management actions and expected completion dates. The audit found that communication of results adhered to the Framework and there were no exceptions noted.
Monitoring methodology
The PIC required the Deputy Head to monitor the departmental system of internal control. An ongoing, risk-based monitoring methodology has been developed. The Framework indicates that for high risk, key internal controls will be reviewed yearly; for moderate risk, every two years; and for low risk, once every three years. The ongoing monitoring frequency is outlined in the Annex to the Statement of Management Responsibility including ICFR. Table 1 provides a summary of the monitoring schedule, as of March 31, 2016. Management informed us that this approach only started in the 2016 to 2017 fiscal year as part of ongoing monitoring.
Table 1: Monitoring schedule as of March 31, 2016
Business area | Assessed risk level | Year design effectiveness testing conducted | Year operating effectiveness testing conducted | Scheduled for reassessment as per the Annex
---|---|---|---|---
CPP | Medium | 2013 to 2014 | 2015 to 2016 | 2018 to 2019 |
CSLP | Low | 2012 to 2013 | 2013 to 2014 | 2018 to 2019 |
EI | Medium | 2013 to 2014 | 2015 to 2016 | 2017 to 2018 |
Financial Close | Medium | 2008 to 2009 | 2011 to 2012 | 2017 to 2018 |
Gs and Cs | High | 2009 to 2010 | 2012 to 2013 | 2016 to 2017 |
Planning & Budgeting | Low | 2011 to 2012 | 2012 to 2013 | 2018 to 2019 |
Quality assurance
The Framework does not include specific steps or quality assurance requirements relating to PIC activities (e.g. quality review, sign-offs on testing scripts, work executed by external parties, etc.). Obtaining ICU Management sign-offs on key PIC activities such as business process documentation update, control testing scripts and results could decrease the risk of errors and/or misrepresentation and inconsistencies in the PIC work and improve the accuracy of the Annex to the Statement of Management Responsibility including ICFR.
The Deputy Minister and CFO are required to sign an annual departmental Statement of Management Responsibility including ICFR. This statement acknowledges the maintenance of an effective departmental system of ICFR. Given the importance of this statement, it was expected that a formal quality assurance process would be in place to support the signing of the Statement of Management Responsibility including ICFR. The audit did not find evidence of a formal and documented quality control process prior to the CFO attestation. Management indicated that the following activities are in place for quality control:
- The Annex to the Statement of Management Responsibility including ICFR is reviewed by the Director of ICU, the Senior Director General (SDG) and the CFO
- A briefing note is prepared for the CFO, and a meeting with the SDG and CFO is held to go over the Annex
- The CFO is aware of the progress of the work throughout the year through updates on PIC at the Corporate Management Committee and the Departmental Audit Committee
- The Executive Summaries and MRAPs for all assessed processes are reviewed and signed off
- Multiple briefings are provided, including outcomes of external financial audits and internal audits; the CFO also receives briefings in his role as Chair of the Assistant Deputy Minister-level Internal Control and Financial Assurance Senior Working Group
Recommendation
- The CFO should establish a quality assurance process for PIC activities to ensure that the Framework requirements are met
Management response
Last year CFOB developed a revised framework which it presented to the Internal Control & Financial Assurance Senior Working Group in March 2017. It is expected to be formally approved in summer 2017. This framework is significantly different from the one on which this audit was based and does not contain methodologies or processes. Through the evolution of the Internal Controls assessments, it became clear that the actual framework document should be kept at a higher level. As an overall framework document, it will now appropriately inventory departmental financial control activities and acknowledge more fulsomely the role of all assurance providers. CFOB recognizes the need to better document and consistently adhere to a quality assurance process in support of the Annual Statement of Management Responsibility sign-off. A greater amount of detail will be found outside of the new framework document, as it is more appropriate to show those types of details in a separate binder. These documents will all form part of a fulsome financial internal control landscape, including documents to the effect of the framework, planning, scoping, risk assessment, and ongoing monitoring plan. Actions to fully document this quality assurance process will begin in 2017, and will be fully finalized by April 1, 2019 to allow for a full spectrum of evidence to be properly accumulated for a full cycle.
3. Conclusion
The audit concluded that key components of the Framework are in place. There is opportunity to improve consistency and strengthen the adherence to the Framework via the implementation of a quality assurance process.
4. Statement of assurance
In our professional judgment, sufficient and appropriate audit procedures were performed and evidence gathered to support the accuracy of the conclusions reached and contained in this report. The conclusions were based on observations and analyses at the time of our audit. The conclusions are applicable only for the Audit of Control Certification by the Chief Financial Officer – Policy on Internal Control. The evidence was gathered in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing.
Appendix A: Audit criteria assessment
Rating: Controlled, but should be strengthened, medium risk exposure
Audit criteria:
- The Department has developed, documented, approved and implemented an adequate PIC Framework
- The Department reviews and periodically updates the PIC Framework, to ensure that controls are aligned with the current operating environment
- The Department has established key business processes controls, Entity Level Controls (ELCs) and Information Technology General Controls (ITGCs)
- The Department has tested the design and operating effectiveness of key controls within these business processes, ELCs and ITGCs in accordance with the approved PIC Framework
- The Department has documented and communicated the results of control testing to support the Statement of Management Responsibility including ICFR
Appendix B: Glossary
- ADM: Assistant Deputy Minister
- CFO: Chief Financial Officer
- CFOB: Chief Financial Officer Branch
- CPP: Canada Pension Plan
- CSLP: Canada Student Loans Program
- EI: Employment Insurance
- ELCs: Entity Level Controls
- ESDC: Employment and Social Development Canada
- Gs and Cs: Grants and Contributions
- ICFR: Internal Control over Financial Reporting
- ICU: Internal Control Unit
- IT: Information Technology
- ITGCs: Information Technology General Controls
- MRAP: Management Response and Action Plan
- PIC: Policy on Internal Control
- SDG: Senior Director General