Audit of Control Certification by the Chief Financial Officer – Policy on Internal Control

Risk assessment methodology

The Framework was approved by the Deputy Minister in November 2013 and is currently being revised. It provides structure and guidance around the financial functions within the Department. It provides direction to senior management, managers, financial officers and employees responsible for ensuring sound stewardship of financial resources. An initial step in the system of ICFR is to identify financial statement items based on materiality, specifically in terms of the reliability of financial reporting. These financial statement items are to be linked to the Employment and Social Development Canada’s (ESDC) key business processes. The Framework indicates that a risk assessment is to be conducted on an annual basis to identify significant financial statement items and consequently key business processes. The risk assessment is done using risk assessment criteria, such as materiality and impact of transactions. However likelihood and impact of the risk occurring are not considered. In our opinion, the risk assessment methodology would be strengthened by considering the likelihood and impact of the risk and would result in a better risk ranking of the key business processes. It could also assist with resource allocation for testing purposes.

ELCs and ITGCs testing

ELCs are controls that are pervasive across a department. They include the “tone from the top”, the organization’s culture, values and ethics, governance, transparency and accountability mechanisms as well as the activities and tools put in place across the organization to raise staff awareness, and ensure clear understanding of roles and responsibilities. The Framework indicates that ESDC has 17 ELCs. The audit found that the Framework did not provide a detailed approach on how to develop and test ELCs at ESDC. A further defined ELC methodology would allow a more consistent approach when assessing the design and operating effectiveness of the ELCs. CFOB Management indicated that they are developing a more tailored methodology going forward with an “ICFR-focus”, as they conduct ongoing monitoring of ELCs.

ITGCs are also a key area to be assessed as part of the ongoing monitoring of ICFR. ITGCs are controls relative to the organization’s general information technology (IT) infrastructure and systems that are used across a department (including network/system access controls to protect against risks of unauthorized access, loss of data integrity, etc.). Controls specific to IT applications are typically addressed at the business process level where applications support financial data and transactions. Key elements specific to ESDC’s ITGCs methodology, such as the basis to test against; the structure used to determine systems and applications in scope; and the inventory of systems and applications are not documented in the Framework. To improve the framework, management should consider documenting its ITGCs methodology.

In 2015, an external consultant conducted an assessment of the ITGCs environment which documented and identified key financial systems. The report on the design and operating effectiveness of ITGCs was issued by the external consultant in August 2016. Management indicated that this external assessment report became the basis of ITGCs related work afterwards.

Business process documentation

Documentation is a key aspect of PIC that helps position key controls in applicable processes and includes process narratives, flowcharts, and control matrices. ESDC has identified and documented key business processes, flowcharts and control matrices including ELCs and ITGCs.

The Framework provides guidance on the frequency and approach to update business process and control documentation. It requires that flowcharts along with details of key controls be updated and formally approved, on an annual basis, by the Assistant Deputy Minister (ADM) responsible for the area. The Framework also requires business owners to communicate any significant changes to their key business processes. The audit noted that the majority of business process flowcharts and control matrices reviewed were not updated annually. There was no evidence that changes to key business processes were followed by materiality assessments and updates to the related business processes flowcharts and control matrices. Documentation included outdated systems and processes such as the Corporate Management System for the financial close process, which has not been updated since November 2011 to reflect the implementation of SAP in 2014. CFOB indicated that key stakeholders were informed that business process flowcharts and control matrices would not be updated annually. In the audit team’s opinion, there is an opportunity for management to update the framework and reflect the current approach.

Design effectiveness and operating effectiveness testing

The PIC required that the annual departmental Statement of Responsibility including ICFR acknowledge the conduct of an annual risk-based assessment of the system of ICFR to determine its ongoing effectiveness. Ongoing effectiveness is assessed through both design and operating effectiveness testing. The assessment of control design effectiveness involves identifying key controls that exist to prevent or detect material misstatement in the financial statements, and mitigating key risks that were identified. Testing of design is intended to confirm alignment of these key controls relative to key risks to the financial statements they aim to mitigate. The assessment of control operating effectiveness involves assessing the extent to which a key control has been operating as intended over a specified period of time.

The audit found that design effectiveness testing was completed for the key business processes reviewed. The audit noted that testing matrices and individual testing sheets were not always consistent and cross-referenced. It was also noted that two key controls that were effectively designed were not tested for operating effectiveness. As a result, ESDC may not be able to conclude on whether key controls identified and assessed through design effectiveness testing were operating effectively (or that failed controls were remediated). This would deem ESDC to not be in compliance with its Framework and the Guideline for PIC. This may also result in inconsistencies between what is stated in the Annex to the Statement of Management Responsibility and what was actually completed.

Sampling methodology

The requirement to document testing scoping strategies is included in the Framework but the audit found that scoping decisions were not consistently documented or based on risk (e.g. complexity, materiality, etc.). For example:

• Gs and Cs operating effectiveness testing assessed four (4) Gs and Cs programs representing 9.43% of all Gs and Cs program budgets
• CPP design effectiveness testing assessed only one processing centre, located in Victoria, British Columbia. The testing scope did not include a documented rationale for this testing scoping decision (e.g. complexity, materiality, etc.)

As a result, there is a risk that key controls related to material and/or complex transactions, programs or regions may not be assessed through design and operating effectiveness testing.

Another key step in operating effectiveness testing is the methodology used in the sample selection for testing purposes. Sampling is used to determine the amount of testing on a population. The sample is used to test if key controls work properly. ESDC has defined its sampling methodology in the Framework. ESDC’s sampling methodology consists of an approach based on the nature and frequency of the activities being performed but it does not consider the degree of risk related to key business process activities. Including a risk component within the sampling methodology would allow a better focus of operating effectiveness testing on high risk activities.

The audit found that the sampling methodology was not consistently followed throughout operating effectiveness testing. For example, within CPP, a monthly reconciliation control prescribed a minimum sample size of five however only two samples were assessed. Management indicated that the methodology and approach of an external consultant was used for operating effectiveness testing of CPP, instead of the ESDC’s sampling methodology.

Testing results

Once the design and operating effectiveness testing are completed, testing results are communicated and action plans are developed. The Framework requires that, for any gaps and deficiencies noted throughout testing, the process owner (e.g. ADM) develops a Management Response and Action Plan (MRAP) which outlines planned management actions and expected completion dates. The audit found that communication of results adhered to the Framework and there were no exceptions noted.

Monitoring methodology

The PIC required the Deputy Head to monitor the departmental system of internal control. An ongoing monitoring risk-based methodology has been developed. The Framework indicates that for high risk, key internal controls will be reviewed yearly; for moderate risk, every two years; and for low risk, once every three years. The on-going monitoring frequency is outlined in the Annex to the Statement of Management Responsibility including ICFR. Table 1 provides a summary of the monitoring schedule, as of March 31, 2016. Management informed us that this approach only started in the 2016 to 2017 fiscal year as part of on-going monitoring.

Quality assurance

The Framework does not include specific steps or quality assurance requirements relating to PIC activities (e.g. quality review, sign-offs on testing scripts, work executed by external parties, etc.). Obtaining ICU Management sign-offs on key PIC activities such as business process documentation update, control testing scripts and results could decrease the risk of errors and/or misrepresentation and inconsistencies in the PIC work and improve the accuracy of the Annex to the Statement of Management Responsibility including ICFR.

The Deputy Minister and CFO are required to sign an annual departmental Statement of Management Responsibility including ICFR. This statement acknowledges the maintenance of an effective departmental system of ICFR. Given the importance of this statement, it was expected that a formal quality assurance process would be in place to support the signing of the Statement of Management Responsibility including ICFR. The audit did not find evidence of a formal and documented quality control process prior to the CFO attestation. Management indicated that the following activities are in place for quality control: The Annex to the Statement of Management Responsibility including ICFR is reviewed by the Director of ICU, Senior Director General (SDG) and the CFO. A briefing note is prepared for the CFO and a meeting with the SDG and CFO is held to go over the Annex. The CFO is aware of the progress of the work throughout the year through updates on PIC at the Corporate Management Committee and Departmental Audit Committee. There are reviews and sign-off of the Executive Summaries and MRAPs for all assessed processes. Multiple briefings are provided including outcomes of external financial audits and internal audits. He also gets briefings in his role as the Chair of the Assistant Deputy Minister-level Internal Control and Financial Assurance Senior Working Group.