Archived: Unaudited Financial Statements ending March 31, 2016, Environment and Climate Change Canada, chapter 7

Annex to the Statement of Management Responsibility Including Internal Control Over Financial Reporting 2015-2016

Table of Contents

Annex to the Statement of Management Responsibility

1. Introduction
2. Environment and Climate Change Canada (ECCC)'s System of Internal Control Over Financial Reporting
   1. 2.1 Internal Control Management
   2. 2.2 Service Arrangements Relevant to Financial Statements
3. Departmental Assessment Results During Fiscal Year 2015-2016
   1. 3.1 Ongoing Monitoring of Key Controls
   2. 3.2 Design Effectiveness of Key Controls
   3. 3.3 Operating Effectiveness of Key Controls
4. Environment and Climate Change Canada’s ICM Action Plan
   1. 4.1 Progress During Fiscal Year 2015-2016
   2. 4.2 Status and Action plan for Fiscal Year 2016-2017 and Subsequent Years

1. Introduction

This document is an annex to Environment and Climate Change Canada’s (ECCC) Statement of Management Responsibility (SOMR) Including Internal Control Over Financial Reporting (ICFR) for the fiscal year 2015-2016. This document provides summary information on the measures taken by ECCC to maintain an effective system of ICFR, including information on Internal Control Management (ICM) and assessment results and related action plan. It should be noted that 2015-2016 was the first full year of ECCC’s SAP implementation and also the introduction of the Phoenix pay system on February 24, 2016.

Detailed information on ECCC’s authority, mandate and program activities can be found in the Departmental Performance Reports and Report on Plans and Priorities.

2. Environment and Climate Change Canada's System of Internal Control Over Financial Reporting

2.1 Internal Control Management

ECCC’s ICM is governed by an over-arching Internal Control Framework (ICF) that includes a Financial Management Framework as an integral component. ICM includes the following elements:

• governance and accountability structures for internal control management;
• an integrated ICFR approach and methodology;
• effective oversight, assessment and remediation mechanisms; and
• a comprehensive ICFR ongoing monitoring program which includes an annual monitoring plan.

ECCC has invested significant effort into aligning, streamlining and integrating these components essential to effective ICM. These efforts have been undertaken to ensure continuous progression towards a state of maturity that is consistent with the guidance and common practices set by the Office of the Comptroller General of Canada (OCG) and in accordance with the Treasury Board (TB) Policy on Internal Control (PIC).

Internal Control Framework

ECCC has an ICF approved by the Deputy Minister (DM), demonstrating an increased departmental focus on ICM and signaling management’s leadership and commitment towards financial integrity, transparency, and management accountability. The ECCC ICF incorporates leading practices and departmental lessons learned over the last seven years of ICFR assessments under the TB PIC.

The ICF provides an anchor point for ICM, and describes the structure, context and processes by which internal controls are identified, assessed and monitored. The purpose of the ICF is to:

• describe the roles and responsibilities of the DM, Senior Departmental Managers, Managers and employees for ICM;
• set out the commitments to provide regular status updates/reports on the effectiveness of internal controls to Senior Departmental Managers and the External Audit Advisory Committee;
• establish a common foundation for ICM within the Department;
• address the TB requirements relating to internal controls, including ICFR; and
• establish a context and structure that allow for effective ICM.

Organizational Accountabilities Structure

As described in its ICF, ECCC has a well-established governance and accountability structure which supports departmental assessment efforts and oversight of its system of internal controls throughout the organization.

Roles and responsibilities as they relate to ICM are as follows:

• Deputy Minister (DM) - ECCC's DM, as Accounting Officer, assumes overall stewardship responsibility and leadership for ICM. The DM is responsible for oversight of the establishment, monitoring and review of the departmental system of internal control, as well as for monitoring compliance with the PIC.
• Chief Financial Officer (CFO) - ECCC's CFO reports directly to the DM and provides leadership for the coordination, coherence and focus on the design and maintenance of an effective and integrated system of ICM, inclusive of ICFR. The CFO's key roles are a strategic advisor and steward of sound internal control and financial management practices.
• Senior Departmental Managers (SDMs) - SDMs, who report directly to the DM, are responsible to provide leadership in financial management, internal controls, and financial reporting and disclosure. They are also responsible for seeking the advice and support of the CFO in the development and maintenance of an effective financial management, risk and control framework over programs. Additionally, SDMs must provide the DM with assurance that business processes and appropriate controls are in place to ensure the effectiveness of their organization’s financial management and internal control systems to meet the requirements set out in the SOMR including ICFR.
• Chief Audit Executive (CAE) - The CAE provides independent assurance to the DM regarding the effectiveness of risk management, control and governance processes.
• External Audit Advisory Committee (EAAC) - The EAAC is an independent committee, consisting of three external members, which provides the Deputy Minister with objective advice and recommendations regarding the sufficiency, quality and results of assurance on the adequacy and functioning of the Department’s risk management, control and governance frameworks and processes (including accountability and auditing systems). The EAAC also reviews the Departmental Financial Statements and the annual SOMR, including the related Annex.
• Executive Management Committee (EMC) - EMC is the collective senior executive body of the Department where consensus is built on horizontal management issues, options are discussed, and recommendations are made for decision by the Deputy Minister. EMC recommends the overall strategic direction and priorities of the Department and oversees the management of departmental activities, and their related resources, results and risks in an integrated way.
• Financial  Policy,  Systems  and  Controls  (FPSC)  Division of the Procurement, Accounting and Controls Directorate - Leads the integrated management, stewardship of departmental Internal Control Management (ICM) and continual transformation and improvement of departmental financial systems, corporate financial policy and business process management. FPSC internal control assessments and remediation of control deficiencies involve the engagement of all branches and regions. Strong ICM is a requirement under the TB PIC and is a key assessment area under the Treasury Board Secretariat (TBS) Management Accountability Framework - Area of Management 7 - Finance.

Governance and Oversight Measures

ECCC's control environment includes a series of measures which help ensure that risks are effectively managed through a responsible and risk-based approach.

Key measures include:

• ECCC continues to advance and support public service values and ethical standards for its employees and managers through a mandatory online Values and Ethics Course. By the end the 2015-16 fiscal year, 82% of ECCC employees had completed values and ethics training;
• an Integrated Risk Management Framework, and a broadly communicated Corporate Risk Profile contribute to effective risk management at ECCC. Increased employee awareness, ongoing monitoring and timely mitigating activities ensure that emerging/changing risks are appropriately managed;
• the Delegation of Financial Signing Authorities and Designation Order Instrument was updated in 2015-2016 as per TBS Directive on Delegation of Financial Authorities for Disbursements requirements;
• annual Performance Management Agreements for SDMs that assess accountabilities and financial management responsibilities;
• an Internal Control Checklist signed by each SDM, integrated as part of the annual Public Accounts Letter of Representation approval process, confirming that the respective organization had maintained a system of financial management and internal control and that all known deficiencies in the operation of disclosure controls and procedures and of ICFR have been disclosed;
• ongoing training programs and regular communication to departmental employees on core areas of financial management, financial systems, business processes, and financial policy; and
• a formal SAP change management process to ensure key system-related issues and risks identified by users and stakeholders are recorded and communicated to the SAP system host (AAFC) for corrective action in a timely manner.

ECCC Monitoring Strategy for ICM

ECCC’s Monitoring Strategy for ICM provides a description of the approach and methodology to ensure that ICM activities, including monitoring of its system of ICFR, align with the PIC. This Strategy describes in detail ECCC’s ongoing system of testing, remediation and monitoring of its internal controls to ensure key controls are working as intended. The Strategy references and adopts generally accepted internal control assessment leading practices, including Committee of Sponsoring Organizations of the Treadway Commission (COSO) and Control Objectives for Information and Related Technology (COBIT) standards.

The key components of the ICM Monitoring Strategy include:

• an enhanced annual risk-based assessment based on a combination of quantitative and qualitative elements, as well as the findings of other oversight/assurance providers;
• an annual Controls Assessment Plan which includes documentation, design and operating effectiveness testing, and remediation and ongoing monitoring plans;
• the requirements for pre-payment, payment and post-payment verification, in accordance with the TBS Directive on Account Verification;
• comprehensive remediation monitoring activities that systematically addresses required adjustments stemming from assessments, which includes semi-annual follow-up with Business Process Owners and reporting on the status of outstanding remediation actions to the CFO;
• the requirements for reporting to the DM, the TBS, and ECCC’s EAAC, regarding ICM, inclusive of ICFR;
• FPSC collaboration with multi-disciplinary areas of responsibility across ECCC; namely, with the Finance Branch Corporate Development Unit and the Audit and Evaluation Branch for the risk-based assessment and monitoring of all key control elements; and
• stakeholder engagement and horizontal/cross functional integration to provide a coordinated approach to monitoring the effectiveness of ECCC’s ICM.

2.2 Service Arrangements Relevant to Financial Statements

ECCC relies on other organizations for the processing of certain transactions that are recorded in its financial statements as follows:

Common Arrangements

• Public Service and Procurement Canada (PSPC) centrally administers the payments of salaries and benefits, the procurement of some goods and services, as well as the cost of accommodations on behalf of ECCC. In addition, PSPC, with its Transformation of Pay Administration initiative has established a new Pay Centre in Miramichi that is responsible for processing and the quality assurance of ECCC’s salaries and benefits transactions. Changes to the government wide payroll system (Phoenix) and the impact on internal controls will be reviewed in 2016-17;
• Shared Services Canada (SSC) provides IT infrastructure services to ECCC in the areas of data centre and network services. The scope and responsibilities are outlined in the interdepartmental agreement between SSC and ECCC. SSC has updated its ITGC Framework with the objective to identify a set of common ‘end-state’ IT controls that can be applied horizontally to all infrastructure services, and that aims to differentiate the broad roles and responsibilities between SSC and departmental partners. End-state IT control testing is targeted to begin on-going monitoring rotation starting in 2018-2019;
• The TBS provides ECCC with information used to calculate some accruals and allowances such as the accrued severance liability;
• The Department of Justice provides legal services to ECCC; and
• The Public Prosecution Service of Canada provides prosecution services to ECCC.

Specific Arrangements

• Agriculture and Agri-Food Canada (AAFC) provides ECCC with a SAP financial system platform to capture and report all financial transactions.  Under this arrangement, ECCC relies on AAFC for the management of certain IT controls and procedures (e.g. security, configuration,  change  management,  business  continuity)  and  also  manages  various master data functions in SAP on ECCC’s behalf.

3. Departmental Assessment Results During Fiscal Year 2015-2016

In 2015-16, consistent with Management Accountability Framework (MAF) assessment results, ECCC has advanced to the status of continuous monitoring during its first full year of SAP post implementation. ECCC was able to complete the full assessment of ICFR through the identification of key financial control testing work completed cumulatively over the past few years, particularly from updates made to documentation, data cleansing efforts made as part of the SAP implementation on April 1, 2015, as well as the establishment of SAP risk-based controls for Section 33 as well as risk-based quality assurance reviews.

ECCC will undertake rotational ongoing monitoring strategy for all key control areas in 2016- 2017.

3.1 Ongoing Monitoring of Key Controls

Work Completed as Expected and Planned:

ECCC has completed the full complement of internal control initiatives planned for 2015-2016. ECCC completed ongoing monitoring of the following Key Control Areas:

• Entity Level Controls (ELC) (focus on governance and fraud)
• Information Technology General Controls (ITGCs)
• Manage Financial Close (focus on petty cash)
• Manage Procure to Payment (P2P)

Additional Work Completed:

In  addition  to  the  work  completed  as  expected  and  planned,  ECCC  completed  ongoing monitoring of the following Key Control Areas:

• Manage Travel (focus on ECollab site)
• Manage Grants & Contributions
• Manage Vendor Master Data File
• Pay Administration (focus on employee departure)

Remediation Actions:

As a result of ongoing monitoring, ECCC identified the following key remediation actions:

• For  ELCs:  coordinate  a  review  of  the  governance  and  policy  framework  over  the management of fraud, in order to clarify the roles and responsibilities, and to enhance the existing policies; and
• For ITGCs: ensure proper governance structure and direction for the implementation of the  Enterprise  Asset  Management  (EAM)  Phase  2,  including  a  Project  Steering Committee that meets frequently, has broad ECCC representation and formalizes its proceedings.

In addition, this fiscal year ECCC implemented the following required key remediation actions:

• Obtained assurance on system governance and business continuity planning through a third-party ITGC audit conducted on the host system at AAFC;
• Conducted risk-based post-payment account verification to assess control efficiencies for various P2P and Travel transactions; and
• Advanced fraud awareness by integrating fraud prevention into mandatory values and ethics training for employees.

ECCC has improved ongoing monitoring of key ICM controls by implementing the approach and methodology set forth in the ECCC Monitoring Strategy for ICM. A key part of ECCC’s strategy has been continued focus on communication and stakeholder engagement, fostering a goal-oriented monitoring environment based on open dialogue and collaboration.

Furthermore,  in  2015-2016  ECCC  continued  its  monitoring  and  reporting  on  remediation actions, a key component of the ECCC Monitoring Strategy for ICM.  This monitoring provides the CFO and stakeholders with updates on the Department’s outstanding ICM  remediation actions and ensures that the progress in the Control Assessment Plan is aligned with management expectations.

In addition to the ongoing monitoring on material and high risk processes, design and operational effectiveness testing on low and medium risk processes continued as originally planned.

3.2 Design Effectiveness of Key Controls

Work Completed as Expected and Planned:

In 2015-2016, ECCC completed the design effectiveness testing of the last remaining key ICFR business processes:

• Manage Other Payments
• Manage Customer Master Data File
• Manage Revenue, Receivables and Receipts
• Manage Interdepartmental Settlements
• Manage Collection of Overdue Receivables
• Manage Departmental Chart of Accounts

Remediation Actions:

As a result of the design effectiveness testing completed this fiscal year, ECCC identified and is undertaking the following design effectiveness remediation actions:

• Strengthen governance and oversight over the revenue processes including enhancing revenue management capacity and skill sets, policies and procedures, and implementing internal training for creating and managing revenue financial arrangements;
• Review and strengthen controls related to conducting periodic reviews of customer records and overdue receivables;
• Ensure key policy updates and underpinning roles and responsibilities for inputting, processing and monitoring interdepartmental settlement and revenue transactions are captured and rolled out by the policy holders on a timely basis; and
• Update procedural guidance on ECCC’s intranet page as a result of the transition to SAP.

3.3 Operating Effectiveness of Key Controls

Work Completed as Expected and Planned:

In 2015-2016, ECCC completed the operating effectiveness testing of the following key control areas:

• Manage Customer Master Data File
• Manage Administration of Acquisition and Fleet Cards
• Manage Other Capital Assets
• Manage Real Property
• Manage Inventory
• Manage Travel
• Pay Administration
• Manage Grants and Contributions
• Manage Vendor Master Data File
• Manage Collection of Overdue Receivables (low-risk)
• Manage Departmental Chart of Accounts
• Environmental Liabilities

Remediation Actions:

As a result of the completed operating effectiveness testing conducted this fiscal year, ECCC identified the following required remediation:

• Review and clarify procedural steps pertaining to key controls, and the associated roles and responsibilities relating to Manage Grants and Contributions and Manage Administration of Acquisition and Fleet Cards.

4. Environment and Climate Change Canada’s ICM Action Plan

4.1 Progress During Fiscal Year 2015-2016

During 2015-2016, ECCC continued to make significant progress in completing the assessment of its key controls and met all of the expectations that were set in its action plan for the year in the 2014-2015 annex. Table 1 provides a summary of the progress made by ECCC based on the plans identified in the previous year's annex.

4.2 Status and Action plan for Fiscal Year 2016-2017 and Subsequent Years

Under the PIC, departments need to be able to maintain an effective system of ICM, including ICFR, with the objectives to provide reasonable assurance that transactions are appropriately authorized, financial records are properly maintained, assets are safeguarded and applicable laws, regulations and policies are followed.

All ICM activities planned for 2016-17 have been re-evaluated within the context of recent system functionality changes related to SAP and Phoenix implementation, as well as ECCC’s completion of its first full risk-based assessment of its system of ICFR.

For 2016-17, ECCC has highlighted the high-risk key control areas that will be assessed.  For the two subsequent years, all further ICM assessment activities will be conducted under a new risk and capacity based rotational ongoing monitoring strategy following a cyclical approach, currently in development.

The rotational ongoing monitoring action plan for ECCC’s ICM Assessments is shown in Table 2.

 

Notes: