Annex to the Statement of management responsibility including internal control over financial reporting for the fiscal year ended March 31, 2016

Official title: Employment and Social Development Canada 2015–2016 Departmental Performance Report

On this page

1 Introduction

This document provides summary information on the measures taken by management to maintain an effective system of internal control over financial reporting (ICFR). In particular, it provides summary information on the assessments conducted by Employment and Social Development Canada (ESDC) as at March 31, 2016, including progress, results and related action plans unique to the Department.

Detailed information on ESDC’s authority, mandate and program activities can be found in Departmental Performance Report and Report on Plans and Priorities.

2 Departmental system of internal control over financial reporting

2.1 Internal Control Management

ESDC recognizes the importance of setting the tone from the top to help ensure that staff at all levels understand their roles in maintaining effective systems of ICFR and is well equipped to exercise these responsibilities effectively. The Department’s focus is to ensure risks are managed well through a responsive and risk-based control environment that enables continuous improvement and innovation.

The Department has a well-established governance and accountability structure to support departmental assessment efforts and oversight of its system of internal control.  A Departmental Internal Control Management Framework was developed and approved by the Deputy Minister in November 2013.  The Framework was a collaborative effort between various branches of ESDC including Internal Audit Service Branch (IASB) in order to prepare a more robust internal control framework which includes:

The DAC is an advisory committee which provides objective views on the Department’s risk management, control and governance processes as well as general reporting.

Other key committees with responsibilities for maintaining and overseeing the effectiveness of its system of ICFR include:

Portfolio Management Board (PMB) – As the main decision-making body of the portfolio, the PMB determines strategic directions and priorities; approves portfolio-wide plans and strategies; and makes decisions on strategic issues that affect the portfolio as a whole.  The PMB also acts as the key portfolio vehicle for information sharing, consultation and collaboration at the Deputy Minister and Assistant Deputy Minister level.  The CFO is a member of this committee.

Corporate Management Committee (CMC) – Oversees the implementation of the portfolio’s management agenda, as approved by the PMB, including the achievement of the management outcomes and objectives set out in the Integrated Business Plan, the Management Accountability Framework, and the corporate fiscal and planning processes.  The committee also oversees departmental activities related to the operationalization of departmental security measures.  The CFO is a member of this committee.

ESDC’s control environment also includes a series of measures to equip its staff to manage risks well through raising awareness, providing appropriate training to enhance skills and expertise required.   Key measures are comprised of:

2.2 Service arrangements relevant to financial statements

ESDC relies on other organizations for the processing of certain transactions that are recorded in its financial statements as follows:

Common arrangements:

Specific arrangements:

3 Departmental assessment results during fiscal year 2015-2016

During 2015-2016, ESDC completed the operating effectiveness testing of the remaining key control areas.

With the implementation of the new Enterprise Resource Planning (ERP) system in 2014-2015, various business processes have been affected by this new solution and therefore, the design effectiveness along with the operating effectiveness will have to be assessed in the context of the new system as part of on-going monitoring.

The following sections will summarize the significant findings of the internal control assessment activities undertaken during fiscal year 2015-2016.

3.1 Design effectiveness testing of key controls

During 2015-2016, the design effectiveness testing of IT General Controls (ITGC) was updated concurrently with testing of operating effectiveness.  Accordingly, the results from this assessment can be found in section 3.2 Operating effectiveness of key controls.

Design effectiveness testing of the CPP business process was conducted during 2013-2014. Since then, three new relevant systems have been implemented and new internal controls have been put in place as a result of these new systems. Two CPP business sub-processes, CPP Benefit Payments and CPP Overpayments and Receivables were significantly impacted by the system changes where a number of controls documented during design effectiveness testing had changed or new key controls introduced. As a result, the following approach was taken to address the changes:

Assessment results can be found in section 3.2 Operating effectiveness of key controls. It is noted that this scenario in which significant changes had been brought to a process in a relatively short time is illustrative of the dynamic environment at ESDC where transformation, modernization and process reengineering are often underway.

3.2 Operating effectiveness testing of key controls

ESDC has made progress in advancing remediation actions required from process owners following the operating effectiveness testing of key controls for the majority of the business processes in 2014-2015 and earlier. Although full remediation has not yet been attained in all cases, compensatory controls were identified by process owners in their respective action plans. For certain business processes for which operating effectiveness had been assessed prior to 2014-2015, remediation was contingent on the implementation of SAP which occurred on April 1, 2014. The extent to which the new system has addressed the previously identified control deficiencies will be determined through risk-based ongoing monitoring.

During 2015–2016, ESDC completed operating effectiveness testing of key control areas: CPP, EI and ITGC.  ESDC determined that key financial controls for significant or high risk accounts are generally working effectively to prevent or detect a material misstatement to the Financial Statements.  There are however areas that have been identified requiring remediation:

CPP

As a result of the assessment, some of the key recommendations included but were not limited to:

Management responses and action plans (MRAPs) will be prepared by process owners with a view to strengthening control and progress against these plans will be tracked during 2016-2017.

EI

No significant control deficiencies were identified for EI, however two key control areas surrounding authorization of section 34 and section 33 of the FAA were not tested as the required remediation which was previously identified in the design effectiveness testing had not been fully implemented.

ITGC

The assessment of ITGC was conducted as part of a multi-year contract awarded in 2014-2015 which includes developing the strategy for ongoing monitoring of ITGC.  Following an extensive risk assessment and scoping exercise, the assessment conducted during 2015-2016 included SAP and 12 feeder systems.

Assessment results identified that several controls operated effectively however there are areas for improvements in all four main control pillars evaluated: Access to programs and data, change management, program development and computer operations.  The majority of the findings pertain to the access to programs and data pillar.   

Management responses and action plans (MRAPs) will be prepared by process owners with a view to strengthening control and progress against these plans will be tracked during 2016-2017.

As a result of operating effectiveness findings during 2015-2016 and prior, ESDC has continued to advocate the following types of remediation required:

3.3 Ongoing monitoring of key controls

During 2015-2016, ESDC developed a risk-based ongoing monitoring plan.  Ongoing monitoring of key controls will begin in 2016-17 for Entity-Level Controls (ELCs), the Manage Grants & Contributions business process and Old Age Security.  Ongoing monitoring will also include tracking the implementation of the existing MRAPs to ensure ESDC is progressing in strengthening its system of ICFR.

As noted earlier, significant transformations have taken place, or are planned to take place, within ESDC since the initial design and operating effectiveness assessments were conducted. These initiatives include, but are not limited to, the implementation of SAP (my EMS) and PeopleSoft, the migration of the departmental pay function to a centralized provider, onboarding to the new Phoenix pay system as part of the implementation of the Transformation of Pay Administration initiative and the ESDC Grant and Contribution Modernization initiative. Transformations of this extent will impact the initial design and operating effectiveness assessments, and will require reassessments of the key control areas impacted as part of the ongoing monitoring. The timing of such transformations are considered to the extent possible in ESDC’s risk-based ongoing monitoring planning.

4 Departmental action plan

4.1 Progress during fiscal year 2015-2016

During 2015-2016, ESDC continued to make progress in assessing and improving its key controls.  The following table summarizes the department’s progress based on the plans identified in the previous fiscal year’s annex: 

Elements in previous year’s action plan

Status

Completion of operating effectiveness (OE) testing for Information Technology General Computer Controls (ITGC). 

OE testing was completed for ITGC.  One relevant SAP feeder system originally anticipated to be within scope of 2015-16 testing (the Internet Reporting System (IRS)) was taken out of scope and deferred to 2016-17 and will be reported on then.

Completion of OE testing for Employment Insurance (EI).

OE testing was completed for EI. 

Completion of OE testing for Canada Pension Plan (CPP). 

OE testing was completed for CPP. 

4.2 Status and action plan for the next fiscal year and subsequent years

Building on the progress to date, ESDC has completed the initial full risk-based assessment of its system of ICFR in 2015-2016 and is positioned to implement its ongoing monitoring plan for reassessing control performance using a risk-based approach across all control areas.

ESDC will also continue to strengthen the existing risk assessment and methodology for the implementation of the ongoing monitoring of its departmental system of ICFR. During 2015-2016, significant progress was made with respect to improved collaboration and coordination between organizations within ESDC with an assurance/monitoring mandate. Further gains with respect to such collaboration are expected to be realized in 2016-2017.

The status of the identified control areas and the planned timing for ongoing monitoring in the next three fiscal years are shown in the table below. Ongoing monitoring plans will be reassessed annually based on a risk assessment, the timing of other relevant audit and monitoring activities and the impact of changes that occurred during the year or that are planned for the coming year(s).

Key control areas 2015-2016

Assessment elements1

Design effectiveness testing

Operational effectiveness testing

On-going monitoring Rotation

Entity Level Controls

Completed

Completed

2016-20172

IT General Computer Controls

Completed

Completed

Future Years3

Manage Revenue, Receivables and Receipts

Completed

Completed

2018-2019

Manage Interdepartmental Settlements

Completed

Completed

2018-2019

Manage Procure to Payment

Completed

Completed

2017-2018

Manage Planning and Budgeting

Completed

Completed

2018-2019

Manage Travel

Completed

Completed

2018-2019

Manage Other Payments

Completed

Completed

2017-2018

Manage Post-payment Verification

Completed

Completed

2017-2018

Manage Other Capital Assets

Completed

Completed

2017-2018

Manage Financial Close

Completed

Completed

2017-2018

Manage Financial Reporting

Completed

Completed

2017-2018

Pay Administration

Completed

Completed

2017-2018

Manage Grants and Contributions

Completed

Completed

2016-2017

Canada Student Loans Program

Completed

Completed

2018-2019

Canada Education Savings Programs

Completed

Completed

2018-2019

Employment Insurance (EI)

Completed

Completed

2017-2018

Canada Pension Plan (CPP)

Completed

Completed

2018-2019

Old Age Security (OAS)

Completed

Completed

2016-2017

 1 Status as of March 31, 2016

 2 A portion of Entity Level Controls will be monitored annually. Over a three year cycle, each component will be revisited.

3 An ITGC monitoring strategy will be developed in 2016-17 that will include consideration of the action plans developed in response to the assessment conducted in 2015-16.

Page details

Date modified: