Archived: Unaudited Financial Statements for the period ending March 31, 2014, Environment Canada, chapter 7
Annex to the Statement of Management Responsibility Including Internal Control Over Financial Reporting 2013-2014
Table of Contents
- Annex to the Statement of Management Responsibility
- Introduction
- Environment Canada's System of Internal Control Over Financial Reporting
2.1 Internal Control Management
2.2 Service Arrangements Relevant to Financial Statements - Departmental Assessment Results During Fiscal Year 2012-2013
3.1 Design Effectiveness of Key Controls
3.2 Operating Effectiveness of Key Controls
3.3 Ongoing Monitoring of Key Controls - Environment Canada’s ICFR Action Plan
4.1 Progress During Fiscal Year 2013-2014
4.2 Status and Action plan for Fiscal Year 2014-2015 and Subsequent Years
1. Introduction
This document is an annex to Environment Canada’s (EC) Statement of Management Responsibility (SOMR) Including Internal Control Over Financial Reporting (ICFR) for the fiscal year 2013-2014. This document provides summary information on the measures taken by EC to maintain an effective system of ICFR, including information on Internal Control Management (ICM) and assessment results and related action plan.
Detailed information on EC's authority, mandate and program activities can be found in the Departmental Performance Report and Report on Plans and Priorities.
2. Environment Canada's System of Internal Control Over Financial Reporting
2.1 Internal Control Management
EC’s ICM is governed by an over-arching Internal Control Framework (ICF) that includes a Financial Management Framework as an integral component. ICM includes the following elements:
- governance and accountability structures for internal control management;
- an integrated ICFR approach and methodology;
- effective oversight, assessment and remediation mechanisms; and
- a comprehensive ICFR monitoring program which includes an annual monitoring plan.
EC has invested significant effort into aligning, streamlining and integrating these components essential to effective ICM. These efforts have been undertaken to ensure continuous progression towards a state of maturity that is consistent with the guidance and common practices set by the Office of the Comptroller General of Canada and in accordance with the Treasury Board (TB) Policy on Internal Control (PIC).
Internal Control Framework
In October 2013, an updated ICF was approved by the Deputy Minister, demonstrating an increased departmental focus on ICM and reinforcing management’s leadership and commitment towards openness, honesty, integrity, and ethical behavior. The update to the ICF incorporates leading practices and departmental lessons learned over the last five years of ICFR assessments under the TB PIC.
The EC ICF provides an anchor point for ICM, and describes the structure, context and processes by which internal controls are identified, assessed and monitored. The purpose of the EC ICF is to:
- describe the roles and responsibilities of the DM, Senior Departmental Managers, Managers and employees for ICM;
- set out the commitments to provide regular updates/reports on the effectiveness of internal controls to Senior Departmental Managers and the External Audit and Advisory Committee;
- establish a common foundation for ICM within the Department;
- address the TB requirements relating to internal controls, including ICFR; and
- establish a context and structure that allow for effective ICM.
Organizational Accountabilities Structure
As described in its ICF, EC has a well-established governance and accountability structure which supports departmental assessment efforts and oversight of its system of internal controls throughout the organization.
Roles and responsibilities as they relate to ICM are as follows:
- Deputy Minister (DM) - EC's DM, as Accounting Officer, assumes overall stewardship responsibility and leadership for ICM. The DM is responsible for oversight of the establishment, monitoring and review of the departmental system of internal control, as well as for monitoring compliance with the PIC.
- Chief Financial Officer (CFO) - EC's CFO reports directly to the DM and provides leadership for the coordination, coherence and focus on the design and maintenance of an effective and integrated system of ICM, inclusive of ICFR. The CFO's key roles are as a strategic advisor and steward of sound internal control and financial management practices.
- Senior Departmental Managers (SDMs) - SDMs, who report directly to the DM, are responsible to provide leadership in financial management, internal controls, and financial reporting and disclosure. They are also responsible for seeking the advice and support of the CFO in the development and maintenance of an effective financial management, risk and control framework over programs. Additionally, SDMs must provide the DM with assurance that business processes and appropriate controls are in place to ensure the effectiveness of their organization’s financial management and internal control systems to meet the requirements set out in the SOMR Including ICFR.
- Chief Audit Executive (CAE) - The CAE provides independent assurance to the DM regarding the effectiveness of risk management, control and governance processes.
- External Audit Advisory Committee (EAAC) - The EAAC is an independent external advisory committee, consisting of the DM and Associate DM (ex-officio participants) and three external members. EC’s EAAC provides the DM with objective advice and recommendations regarding the sufficiency, quality and results of assurance on the adequacy and functioning of the Department’s risk management, control and governance frameworks and processes (including accountability and auditing systems). The EAAC also reviews the Departmental Financial Statements and the Annex to the SOMR. There are three in-person and two videoconference meetings held during the year.
- Executive Management Committee (EMC) - The EMC is the most senior management committee with oversight responsibilities for the Department. The EMC is responsible for monitoring the organization's response to corporate risks and ensuring the effectiveness of risk mitigation measures and that internal controls are in place to address key corporate risks.
- Corporate Transformation Oversight Committee (CTOC) - Supporting the EMC, the CTOC, formerly known as the Corporate Accountability and Administrative Renewal (CAAR) Committee, provides coordination and oversight on the integrated implementation of department and government-wide enabling business transformation initiatives and also provides support to managers and employees in adopting change.
- Directors General Business Transformation Committee (DG BTC) - Provides guidance to the CTOC with the mandate of enabling business transformation related to the DFMS Renewal transition to SAP. The DG BTC is comprised of the DGs representing most branches and regions of the Department.
- Internal Control Management Division (ICMD)- ICMD functions as a client-focused Centre of Expertise for ICM, inclusive of the assessment of the effectiveness of ICFR and for business process management. ICMD leads on the design and monitoring of internal controls by providing advice and developing standards to enable accountability through business process management and dedicates itself in attaining quality on a continuous basis. ICMD internal control assessments and remediation of controls deficiencies involve the engagement of all branches and regions. Strong ICM is a requirement under the TB PIC and is a key assessment area under the TBS Management Accountability Framework - Area of Management 7 - Finance.
- Quality Assurance (QA) Unit - The QA Unit is responsible for the implementation of the 2012 National Framework of Quality Assurance on Account Verification, monitoring key financial transactions and account verification controls, and informing ICMD on the status of these controls.
Governance and Oversight Measures
EC's control environment includes a series of measures which help ensure that risks are effectively managed through a responsible and risk-based approach.
Key measures include:
- EC continues to advance and support public service values and ethical standards for EC employees and managers by providing a mandatory online Values and Ethics Course. The Department anticipates that all EC employees will have completed this important training by fall 2014;
- an Integrated Risk Management Framework, a strengthened Risk Governance Structure, and a broadly communicated Corporate Risk Profile contribute to effective risk management at EC. Increased employee awareness, ongoing monitoring and timely mitigating activities ensure that emerging/changing risks are appropriately managed;
- the results of a comprehensive review of the Delegation of Financial Signing Authorities and Designation Order Instrument were implemented in 2013-2014;
- annual Performance Management Agreements for SDMs that assess accountabilities and financial management responsibilities;
- a Public Accounts Letter of Representation signed by SDMs confirming that the respective organization had maintained a system of financial management and internal control and that all known deficiencies in the operation of disclosure controls and procedures and of ICFR have been disclosed; and
- training programs and regular communication to departmental employees on core areas of financial management and financial policies.
EC Monitoring Strategy for ICM
EC’s Monitoring Strategy for ICM, a foundational document for EC’s ICM, provides a description of the approach and methodology to ensure that ICM activities, including monitoring of its system of ICFR, align with the PIC. This Strategy describes in detail EC’s ongoing system of testing, remediation and monitoring of its internal controls to ensure key controls are working as intended. The Strategy references and adopts generally accepted internal control assessment leading practices, including Committee of Sponsoring Organizations of the Treadway Commission (COSO) and Control Objectives for Information and Related Technology (COBIT) standards.
The key components of the ICM Monitoring Strategy include:
- an enhanced annual risk-based assessment based on a combination of quantitative and qualitative elements, as well as the findings of other oversight/assurance providers;
- an annual Controls Assessment Plan which includes documentation, design and operating effectiveness testing, and remediation and monitoring plans;
- comprehensive remediation monitoring activities that systematically address required adjustments stemming from assessments;
- the requirements for reporting to the Treasury Board Secretariat, EC’s EAAC, CTOC, and the DG BTC regarding ICM, inclusive of ICFR;
- ICMD collaboration with multi-disciplinary areas of responsibility across EC; namely, with the Finance Branch QA Unit and the Audit and Evaluation Branch for the risk-based assessment and monitoring of all key control elements; and
- stakeholder engagement and horizontal/cross functional integration to provide a coordinated approach to monitoring the effectiveness of EC’s ICM.
2.2 Service Arrangements Relevant to Financial Statements
EC relies on other organizations for the processing of certain transactions that are recorded in its financial statements as follows:
Common Arrangements
- Public Works and Government Services Canada (PWGSC) centrally administers the payments of salaries and expenditures, and the procurement of goods and services, as per EC's Delegation of Authority and provides accommodation services;
- The Treasury Board Secretariat provides EC with information used to calculate some accruals and allowances, such as the accrued severance liability;
- The Department of Justice provides legal services to EC; and
- Shared Services Canada (SSC) provides IT infrastructure services to EC in the areas in the areas of data centre and network services.
Specific Arrangements
EC has no specific arrangements in place at this time.
3. Departmental Assessment Results During Fiscal Year 2013-2014
During 2013-2014, EC completed all of its planned design effectiveness testing and completed or advanced design effectiveness testing of several additional control areas by completing documentation based on the Office of the Comptroller General (OCG) Common Financial Management Business Processes (CFM-BPs). EC also completed its operating effectiveness testing of key control areas expected for the year, while ongoing monitoring continued to be implemented as planned.
Work Completed as Expected and Planned:
EC completed the design effectiveness testing of the following Key Business Processes:
- Manage Other Capital Assets
- Manage Real Property
- Manage Procure to Payment - Manage Commitments
- Pay Administration - HR and Systems
- Manage Travel (updated process)
Additional Work Completed:
In addition to the planned work, EC also completed the design effectiveness testing of the following Key Business Processes and Sub-processes:
- Manage Administration of Acquisition and Fleet Cards (updated process)
- Manage Delegation of Financial and Spending Authorities
- Manage Financial Close - Suspense Accounts
- Pay Administration - Employee Departure Form
- Environmental LiabilitiesFootnote1
EC also substantially advanced design effectiveness testing by formally completing the documentation for the following Key Business Processes and Sub-Processes:
- Manage Vendor Master Data
- Manage Travel - Events Expenditures Subsection
- Pay Administration - Extra Duty Pay
- Manage Procure to Payment - Low-dollar Value Contracts
It should be noted that plans established for 2013-2014 were impacted as a result of the in-year approval of EC’s Departmental Financial Management System (DFMS) Renewal planned transition to SAP, a significant business transformation (BT) initiative. In support of the Business Blueprint and Realization Phases of this BT initiative, EC completed documentation (level 3 process maps and control matrices) for each of the 20 OCG CFM-BPs as well as for Environmental Liabilities. Furthermore, due to the resulting shift of departmental priorities, Manage Procure to Payment - Procurement was limited to documentation, with the remaining design effectiveness testing (initially planned for 2013-2014) to occur after the completion of the SAP Run Phase optimization and stabilization.
Remediation Actions:
As a result of design effectiveness testing, EC identified and is undertaking the following key design effectiveness remediation actions:
- Ensure supporting documentation of key controls within processes exist and are sufficient and comprehensive;
- Ensure key policy updates and underpinning roles and responsibilities are captured and rolled out by the policy holders on a timely basis; and
- Collaborate with multiple EC branches to design new work procedures and strengthen key controls.
Work Completed as Expected and Planned:
EC completed the operating effectiveness testing of Manage Procure to Payment - Finance.
Remediation Actions:
As a result of the operating effectiveness testing, EC identified and is undertaking the following key operating effectiveness remediation action:
- Review and clarify procedural steps pertaining to key controls, and the associated roles and responsibilities relating to payment processing and post-payment verification.
Work Completed as Expected and Planned:
EC completed planned ongoing monitoring of the following key control areas:
- Entity Level Controls (ELC); and
- Information Technology General Controls (ITGC).
Remediation Actions:
As a result of ongoing monitoring, EC identified the following required key remediation actions:
- Utilize a tracking mechanism to ensure that all staff take the mandatory values and ethics course;
- Formalize oversight reporting on internal controls and risk management to the DM.
EC has continued to improve the application of ongoing monitoring of key ICFR controls by implementing the approach and methodology set forth in the EC Monitoring Strategy for ICM and the associated Annual Monitoring Plan. Building on the foundation set in 2012-2013, EC continued to focus on communication and stakeholder engagement, fostering a goal-oriented monitoring environment based on open dialogue and collaboration. To facilitate stakeholder communication, EC also developed guides on ICFR that describe all steps required by staff and stakeholders to conduct an assessment of the effectiveness of the Department’s ICFR.
Furthermore, in 2013-2014 EC launched its quarterly monitoring and reporting of remediation actions, a key component of the EC Monitoring Strategy for ICM. Quarterly monitoring provides the CFO and stakeholders with updates on the Department’s outstanding ICFR remediation actions and ensures progress in the control assessment plan is aligned with management expectations. In 2014-2015, given EC’s approved DFMS Renewal planned transition to SAP, all outstanding remediation actions will be integrated into the scope of any planned ICFR work impacted by this initiative.
4.1 Progress During Fiscal Year 2013-2014
During 2013-2014, EC continued to make significant progress in completing the assessment of its key controls and met all of the expectations that were set in its action plan for the year in the 2012-2013 annex. Table 1 provides a summary of the progress made by EC based on the plans identified in the 2012-2013 annex.
| Table 1 - Work Completed in 2013-2014 Based on Action Plan in 2012-2013 Annex | |
|---|---|
| Element in previous year’s (2012-2013) action plan | Updated Status at March 31, 2014 |
| Manage Other Capital Assets and Manage Real Property - Documentation phase. | Documentation phase completed for Manage Other Capital Assets and Manage Real Property. |
| Manage Other Capital Assets, Manage Real Property and Manage Procure to Payment - Procurement - Design effectiveness testing. | Design effectiveness testing completed for Manage Other Capital Assets and Manage Real Property. For Manage Procure to Payment - Procurement, the scope of the ICFR assessment was revised due to EC’s DFMS Renewal and was limited to documentation only. |
| Manage Procure to Payment, Manage Financial Close, Manage Other Capital Assets, Manage Real Property, Manage Inventory, Manage Travel, Pay Administration, Manage Grants and Contributions, and Manage Administration of Acquisition and Fleet Cards - Design effectiveness remediation. | Monitoring of remediation actions was conducted throughout 2013-2014 with quarterly status updates on remediation actions provided to the CFO. In 2014-2015, progress was made by EC in advancing remediation where the actions related to automated controls. However, given EC’s DFMS Renewal, all outstanding remediation actions will be integrated into the scope of any planned ICFR work impacted by this initiative. |
| Manage Procure to Payment - Finance - Operating effectiveness testing. | Operating effectiveness testing completed for Manage Procure to Payment - Finance. |
| Manage Procure to Payment - Finance, Manage Financial Close, and Manage Travel - Operating effectiveness remediation. | Operating effectiveness remediation completed for Manage Procure to Payment - Finance. Operating effectiveness remediation for Manage Financial Close was deferred due to ongoing remediation actions relating to the design effectiveness of a key sub-process. For Manage Travel, outstanding operating effectiveness remediation actions were integrated into the design effectiveness testing that was conducted on the updated Manage Travel process. |
| ELCs and ITGCs - Ongoing monitoring. | Ongoing monitoring was performed throughout 2013- 2014. |
In addition to meeting the expectations set in the 2012-2013 annex, EC also made significant progress in assessing and improving its key controls by completing documentation (level 3 process maps and control matrices) of all 20 CFM-BPs, as well as Environmental Liabilities (cradle-to-grave). EC also completed design effectiveness testing of several Key Business Processes and Sub-processes as described under Additional Work Completed in Section 3.1 of this document.
4.2 Status and Action plan for Fiscal Year 2014-2015 and Subsequent Years
Under the PIC, departments need to be able to maintain an effective system of ICFR with the objectives to provide reasonable assurances that transactions are appropriately authorized, financial records are properly maintained, assets are safeguarded and applicable laws, regulations and policies are followed.
Building on progress made to date on previously established plans, EC focused its ICFR assessment efforts in 2013-2014 on aligning to the OCG CFM-BPs and on standardizing, streamlining, and integrating business processes in support of the DFMS Renewal transition to SAP, a major BT initiative that involves a hosted partnership and was approved mid-year. As a result of the planned transition to SAP, all planned ICFR activities are subject to and have been re-evaluated within the context of the DFMS Renewal and associated BT progress.
EC will be undertaking the documentation and design effectiveness testing of all affected CFM- BPs and associated controls using a risk-based approach throughout the SAP implementation timeline. Once SAP has been implemented and EC formally declares completion of the Run Phase stabilization and optimization, expected in 2015-2016, EC will begin to undertake the operating effectiveness testing of these affected CFM-BPs and associated controls using a risk- based approach. It should be noted that ICFR assessment activities for many of the Key Control Areas impacted by the DFMS Renewal are tentatively planned for 2017-18 and beyondǂ, falling outside of the scope of the ICM three year Controls Assessment Plan (see Table 2). Ongoing monitoring on Key Control Areas will begin thereafter, also using a risk-based approach.
The status and action plan for EC’s ICFR Assessments for 2014-2015 and two subsequent yearsǂ is shown in Table 2.
| Table 2- ICM Three Year Controls Assessment Plan for 2014-2015 to 2016-2017*ǂ | ||||||
|---|---|---|---|---|---|---|
| Key Control Areas | Assessment elements | |||||
| Documentation | Design Effectiveness | Operating Effectiveness | Ongoing monitoring rotation | |||
| Testing | Remediation | Testing | Remediation | |||
| Entity Level Controls | Complete | Complete | Complete | Complete | Complete | Since 2013-14 |
| Information Technology General Controls (ITGCs) | Complete | Complete | Complete | Complete | Complete | Since 2013-14 |
| Manage Procure to Payment Footnote2 | 2014-15 | 2016-17 | 2017-18 | 2017-18 | 2018-19 | 2018-19 |
| Manage Financial Close | 2014-15 | 2016-17 | 2017-18 | 2017-18 | 2018-19 | 2018-19 |
| Manage Other Capital Assets | 2014-15 | 2016-17 | 2017-18 | 2017-18 | 2018-19 | 2018-19 |
| Manage Real Property | 2014-15 | 2016-17 | 2017-18 | 2017-18 | 2018-19 | 2018-19 |
| Manage Inventory | 2014-15 | 2016-17 | 2017-18 | 2017-18 | 2018-19 | 2018-19 |
| Manage Travel | 2014-15 | 2015-16 | 2016-17 | 2016-17 | 2017-18 | 2017-18 |
| Pay Administration | 2014-15 | 2015-16 | 2016-17 | 2016-17 | 2017-18 | 2017-18 |
| Manage Grants and Contributions | 2014-15 | 2015-16 | 2016-17 | 2016-17 | 2017-18 | 2017-18 |
| Manage Administration of Acquisition and Fleet Cards | 2014-15 | 2014-15 | 2015-16 | 2015-16 | 2015-16 | 2016-17 |
| Manage Other Payments | 2014-15 | 2015-16 | 2016-17 | 2016-17 | 2017-18 | 2017-18 |
| Manage Vendor Master Data File | 2014-15 | 2014-15 | 2015-16 | 2015-16 | 2016-17 | 2016-17 |
| Manage Customer Master Data File | 2014-15 | 2016-17 | 2017-18 | 2017-18 | 2018-19 | 2018-19 |
| Manage Revenue,Receivables and Receipts | 2014-15 | 2015-16 | 2016-17 | 2016-17 | 2017-18 | 2017-18 |
| Manage Interdepartmental Settlements | 2014-15 | 2015-16 | 2016-17 | 2016-17 | 2017-18 | 2017-18 |
| Manage Planning and Budgeting | 2014-15 | 2016-17 | 2017-18 | 2017-18 | 2018-19 | 2018-19 |
| Manage Forecasting and Budget Review | 2014-15 | 2016-17 | 2017-18 | 2017-18 | 2018-19 | 2018-19 |
| Manage Collection of Overdue Receivables | 2014-15 | 2016-17 | 2017-18 | 2017-18 | 2018-19 | 2018-19 |
| Manage Departmental Chart of Accounts | 2014-15 | 2014-15 | 2015-16 | 2015-16 | 2016-17 | 2016-17 |
| Manage Delegation of Financial and Spending Authorities | 2014-15 | 2014-15 | 2015-16 | 2015-16 | 2016-17 | 2016-17 |
| Manage Post Payment Verification | 2014-15 | 2016-17 | 2017-18 | 2017-18 | 2018-19 | 2018-19 |
| Environmental Liabilities | Complete | Complete | Complete | 2014-15 | 2015-16 | 2015-16 |
| *Note: Certain CFM-BPs will be significantly impacted by EC’s planned DFMS Renewal. Design Effectiveness and Operating Effectiveness Assessments of CFM-BPs will be determined using a risk-based approach once EC formally declares completion of the Run Phase (stabilization and optimization) of the SAP implementation. ǂNote: ICFR assessment activities for many of the Key Control Areas impacted by the DFMS Renewal are tentatively planned for 2017-18 and beyondǂ, falling outside of the scope of the three year Controls Assessment Plan. |
||||||
In completing the action plan as presented, EC will ensure a timely progression is made towards a mature system of ICM that provides the Government and Canadians with assurance regarding the reliability of its financial reporting contained within departmental financial statements and Public Accounts. This progression reflects EC’s commitment to continue advancement towards more robust and auditable financial statements.