Annex to the Statement of Management Responsibility Including Internal Control Over Financial Reporting

From Employment and Social Development Canada

Official title: Employment and Social Development Canada 2016–2017 Departmental Results Report

On this page

• Introduction
• Departmental system of internal control over financial reporting
• Departmental assessment results during fiscal year 2015-2016
• Departmental action plan

Introduction

This document provides summary information on the measures taken by management to maintain an effective system of internal control over financial reporting (ICFR). In particular, it provides summary information on the assessments conducted by Employment and Social Development Canada (ESDC) as at March 31, 2017, including progress, results and related action plans unique to the Department.

Detailed information on ESDC’s authority, mandate and program activities can be found in the Departmental Plan and Departmental Performance Report.

Departmental system of internal control over financial reporting

Internal control management

ESDC recognizes the importance of setting the tone from the top to help ensure that staff at all levels understand their roles in maintaining effective systems of ICFR and is well equipped to exercise these responsibilities effectively. The Department’s focus is to ensure risks are managed well through a responsive and risk-based control environment that enables continuous improvement and innovation.

The Department has a well-established governance and accountability structure to support departmental assessment efforts and oversight of its system of internal control. A Departmental Internal Control Management Framework was developed and approved by the Deputy Minister in November 2013. The Framework was a collaborative effort between various branches of ESDC including Internal Audit Service Branch (IASB) in order to prepare a more robust internal control framework which includes:

• Organizational accountability structures as they relate to internal control management to support sound financial management including roles and responsibilities for senior managers in their areas of responsibility for control management
• Guidance to business process owners regarding impacts of changes on internal controls; and
• Monitoring and regular updates on a semi-annual basis on internal control management plus assessment results and action plans to the Chief Financial Officer (CFO), Corporate Management Committee (CMC) and Departmental Audit Committee (DAC)

The DAC is an advisory committee which provides objective views on the Department’s risk management, control and governance processes as well as general reporting.

Other key committees with responsibilities for maintaining and overseeing the effectiveness of its system of ICFR include:

Portfolio Management Board (PMB) – As the main decision-making body of the portfolio, the PMB determines strategic directions and priorities; approves portfolio-wide plans and strategies; and makes decisions on strategic issues that affect the portfolio as a whole. The PMB also acts as the key portfolio vehicle for information sharing, consultation and collaboration at the Deputy Minister and Assistant Deputy Minister (ADM) level. The CFO is a member of this committee

Corporate Management Committee (CMC) – Oversees the implementation of the portfolio’s management agenda, as approved by the PMB, including the achievement of the management outcomes and objectives set out in the Integrated Business Plan, the Management Accountability Framework, and the corporate fiscal and planning processes. The committee also oversees departmental activities related to the operationalization of departmental security measures. The CFO is a member of this committee

Internal Controls and Financial Assurance Senior Working Group (ICFA SWG) – This ADM-level working group was created in 2016-2017 to promote a departmental-wide coordinated approach to audit, oversight and other monitoring activities undertaken across the department with a focus on financial internal controls. Its membership includes the primary departmental assurance providers and the group focuses on collaboration at all levels within its member branches with the objective of strengthening internal controls in support of the Deputy Minister’s responsibilities as Accounting Officer. The CFO is the chair of the ICFA SWG committee.

ESDC’s control environment also includes a series of measures to equip its staff to manage risks well through raising awareness, providing appropriate training to enhance skills and expertise required. Key measures are comprised of:

• An Office of Values and Ethics;
• ESDC Code of Conduct;
• Guidelines of Professional conduct for the Labour Program and Service Canada;
• A dedicated division under the CFO on internal control;
• Documentation of main business processes and related key risk and control points to support the management and oversight of its system of ICFR;
• Ongoing communications in core areas of financial management;
• Departmental policies tailored to ESDC’s control environment;
• Periodically updated delegated authorities matrix;
• A Risk Assessment, Management and Mitigation methodology for Grants and Contributions;
• Integrated Business Plan;
• Multi-year risked based internal audit plan;
• Departmental Internal Control Management Framework;
• Regularly updated Corporate Risk Profile;
• Recipient Audit Strategy; and
• Payment Accuracy Review (PAAR) and Processing Accuracy Review (PRAR) for major benefit programs

Service arrangements relevant to financial statements

ESDC relies on other organizations for the processing of certain transactions that are recorded in its financial statements as follows:

Common arrangements:

• Public Services and Procurement Canada centrally administers the payments of salaries, the delivery of compensation and benefits services, the procurement of goods and services in accordance with the ESDC delegation instrument and provides accommodation services;
• Treasury Board Secretariat provides the Department with information used to calculate various accruals and allowances, such as the accrued severance liability;
• The Department of Justice provides legal services to ESDC; and
• Shared Services Canada (SSC) provides information technology services to ESDC in the areas of data center and network services.

Specific arrangements:

• ESDC, through the Service Canada (SC) initiative, acts as a focal point for government access to Canadians. As a result, ESDC has entered into several agreements with many federal government departments designed to provide Canadians with better access to programs and services;
• A private service provider, pursuant to a contract with the Canada Student Loans Program, administers the delivery of the Direct loans issued under the Canada Student Loans Program. As a result, reliance is placed on the control procedures of the external service provider and the annual audit on financial information and internal controls performed by an external audit firm;
• The Canada Revenue Agency (CRA) provides full collection services to ESDC for the recovery of its Accounts Receivable. Although CRA uses ESDC’s departmental accounts receivable systems (DARS), reliance is placed on the control procedures at CRA for the collection services and CRA’s reporting capacity; and
• The CRA also administers a number of activities for the Canada Pension Plan (CPP), Old Age Security (OAS) and the Employment Insurance (EI) Operating Account.

Departmental assessment results during fiscal year 2016-2017

In 2016-2017 the Department commenced its full implementation of its ongoing risk-based monitoring program of ICFR.

ESDC completed or substantially completed its assessment of the following key control areas based on its 2015-2016 ongoing risk-based monitoring plan:

• Entity Level Controls (Risk Assessment Component);
• Grants and Contributions; and
• Old Age Security.

ESDC determined that key financial controls examined are generally working effectively to prevent or detect a material misstatement to the Financial Statements. There are however areas that have been identified requiring remediation including:

Entity level controls – Risk assessment component

The assessment of the Risk Assessment Component was conducted as part of the three year cycle to assess all of the five ELC components (Risk Assessment, Control Environment, Control Activities, Information & Communication, and Monitoring). No significant control deficiencies were identified, however a recommendation was noted for ESDC to continue with the development of the fraud framework while minimizing duplication of efforts among the various branches involved.

Grants and contributions

As a result of the assessment, some key recommendations included but were not limited to:

• Strengthen monitoring for potential duplicate payments; and
• Ensure the risk assessment that underlies the methodology for financial monitoring considers the most relevant factors linked to the integrity of financial reporting.

Old Age Security

As a result of the assessment, some key recommendations included but were not limited to:

• Strengthen the documentation and clarity of requirements for authorization under section 34 of the Financial Administration Act for Old Age Security payments; and
• Consistent with a recommendation raised in a recent audit by the Internal Audit Services Branch, update delegation of authorities and the functional guidance to align with with relevant program legislations

Management responses and action plans (MRAPs) will be prepared by the process owners with a view to strengthen control and progress against these plans will be tracked during 2017-2018.

Employment Insurance

For the Employment Insurance business process, assurance is provided through the yearly audit of the Employment Insurance Operating Account performed by the Office of the Auditor General of Canada as required under section 29 of the Department of Employment and Social Development Act.

Departmental action plan

Progress during fiscal year 2016-2017

During 2016-2017, ESDC conducted its ongoing monitoring according to the previous year’s rotational plan as shown in the following table:

Elements in previous year’s action plan	Status
Entity level controls	Ongoing monitoring assessment of operating effectiveness was completed as planned for the Risk Assessment Component. Remedial plans are to be finalized and tracked during 2017-18.
IT General controls under departmental management	The MRAPs were finalized by process owners. The progress against these plans will be tracked as part of the ongoing monitoring assessment testing to be conducted during 2017-18. Multi-year ongoing monitoring strategy developed.
Grants and contributions	Ongoing monitoring assessment of operating effectiveness was completed as planned. Remedial plans are to be finalized and tracked during 2017-18.
Old Age Security	Ongoing monitoring assessment of operating effectiveness is substantially completed. Remedial plans are to be finalized and tracked during 2017-18.

Action plan for the next fiscal year and subsequent years

Going forward, certain key control areas have been regrouped in order to simplify reporting and better align with the financial statement processes. Below is a crosswalk of the regrouped key control areas that have been used for the action plan this year. There is no reduction in assessment coverage as a result of the regrouping.

New key control areas	Previous key control areas
Procure to payment	Manage Procure to Payment Manage Travel Manage Other Payments Manage Post-payment Verification Manage Interdepartmental Settlements
Financial close and reporting	Manage Financial Close Manage Financial Reporting

ESDC’s rotational ongoing monitoring plan over the next three years is shown in the following table. Note that the plan will be adjusted as required subject to an annual revalidation of the high risk control areas, the timing of other relevant audit and monitoring activities and the impact of changes that occurred during the year or that are planned for the coming year(s).

Rotational ongoing monitoring plan

Key control areas	2017-2018	2018-2019	2019-2020
Entity level controls Footnote 1	Yes	Yes	Yes
IT General computer controls Footnote 2	Yes	Yes	Yes
Financial close and reporting	Yes	No	No
Procure to payment	Yes	No	No
Pay administration	No	Yes	No
Revenue, receivables and receipts	No	Yes	No
Canada Student Loans Program	No	Yes	No
Grants & contributions	Yes	No	Yes
Old Age Security	No	No	Yes
Planning & budgeting	No	No	Yes
Employment Insurance	Reliance on annual external audit

The CPP business process is not reported in the department’s financial statements and therefore will no longer be included within the universe of key control areas reported on in this Annex. It is noted however that CPP is also audited annually by the Auditor General of Canada.