Unaudited Financial Statements for the period ending March 31, 2017, Environment and Climate Change Canada, chapter 7
Annex to the Statement of management responsibility including internal control over financial reporting 2016-2017
Table of contents
- Introduction
- Environment and Climate Change Canada's system of internal control over financial reporting
- Departmental assessment results during fiscal year 2016-2017
- Environment and Climate Change Canada’s action plan
1. Introduction
This document provides summary information on the measures taken by ECCC to maintain an effective system of Internal Control over Financial Reporting (ICFR), including information on internal control management, assessment results and related action plans.
1.1 Authority, mandate and program activities
Detailed information on ECCC’s authority, mandate and program activities can be found in the Departmental Results Report (formerly Departmental Performance Reports) and Departmental Plans (formerly Reports on Plans and Priorities).
2. Environment and Climate Change Canada's system of internal control over financial reporting
2.1 Internal control over financial reporting
ECCC’s ICFR is governed by an over-arching, Deputy Minister (DM) approved Internal Control Framework (ICF) that includes a Financial Management Framework as an integral component. The ICF includes the following elements:
- governance and accountability structures for internal control management;
- an integrated ICFR approach and methodology;
- effective oversight, assessment and remediation mechanisms;
- a comprehensive ICFR ongoing monitoring program which includes an annual monitoring plan; and
- the ECCC Values and Ethics Code.
Organizational accountabilities structure
As described in its ICF, ECCC has a well-established governance and accountability structure which supports departmental assessment efforts and oversight of its system of internal controls throughout the organization.
Roles and responsibilities as they relate to ICFR are as follows:
- Deputy Minister (DM) – ECCC's DM, as Accounting Officer, assumes overall stewardship responsibility and leadership for ICFR. The DM is responsible for ensuring that a risk-based departmental system of internal control over financial reporting is established, monitored and maintained.
- Chief Financial Officer (CFO) – ECCC’s CFO reports directly to the DM and provides leadership for the coordination, coherence and focus on the design and maintenance of an effective and integrated system of ICFR. The CFO’s key roles are as strategic advisor and steward of sound internal control and financial management practices.
- Senior Departmental Managers (SDMs) – SDMs, who report directly to the DM, are responsible to provide leadership in financial management, internal controls, and financial reporting and disclosure. They are also responsible for seeking the advice and support of the CFO in the development and maintenance of an effective financial management, risk and control framework over programs. Additionally, SDMs must provide the DM with assurance that business processes and appropriate controls are in place to ensure the effectiveness of their organization’s financial management and internal control systems to meet the requirements set out in the Statement of Management Responsibility (SOMR).
- Chief Audit Executive (CAE) – The CAE provides independent assurance to the DM regarding the effectiveness of risk management, control and governance processes.
- External Audit Advisory Committee (EAAC) – The EAAC is an independent committee, consisting of four external members, which provides the Deputy Minister with objective advice and recommendations regarding the sufficiency, quality and results of assurance on the adequacy and functioning of the Department’s frameworks and processes for risk management, control and governance (including accountability and auditing systems). The EAAC also reviews the annual Departmental Financial Statements including the SOMR as an Annex.
- Executive Management Committee (EMC) – EMC is the collective senior executive body of the Department where consensus is built on horizontal management issues, options are discussed, and recommendations are made for decision by the Deputy Minister. EMC recommends the overall strategic direction and priorities of the Department and oversees the management of departmental activities, and their related resources, results and risks in an integrated way.
- Financial Policy, Systems and Controls (FPSC) Division of the Procurement, Accounting and Controls Directorate - Leads the integrated management, stewardship of departmental ICFR and continual transformation and improvement of departmental financial systems, corporate financial policy and business process management. FPSC internal control assessments and remediation of control deficiencies involve the engagement of all branches and regions to provide senior departmental officials with the assurance that ICFR is in place and operating effectively.
Governance and oversight measures
ECCC’s control environment includes a series of measures which help ensure that risks are effectively managed through a responsible and risk-based approach.
Key measures include:
- ECCC continues to advance and support public service values and ethical standards for its employees and managers through a mandatory online Values and Ethics Course;
- an Integrated Risk Management Framework, and a broadly communicated Corporate Risk Profile;
- a regularly updated Delegation of Financial Signing Authorities and Designation Order Instrument;
- annual Performance Management Agreements for SDMs that assess accountabilities and financial management responsibilities;
- an Internal Control Checklist signed by each SDM, integrated as part of the annual Public Accounts Letter of Representation approval process, confirming that the respective organization had maintained a system of financial management and internal control and that all known deficiencies in the operation of disclosure controls and procedures and of ICFR have been disclosed;
- ongoing training programs and regular communication to departmental employees on core areas of financial management; and
- a formal SAP financial system change management process.
2.2 Service arrangements relevant to financial statements
ECCC relies on other organizations for the processing of certain transactions that are recorded in its financial statements as follows:
Common arrangements
- Public Service and Procurement Canada (PSPC) centrally administers the payments of salaries and benefits, the procurement of some goods and services, as well as the cost of accommodations on behalf of ECCC. In addition, PSPC is responsible for processing and the quality assurance of ECCC’s salaries and benefits transactions in the Phoenix pay system at its Pay Centre in Miramichi;
- Shared Services Canada (SSC) provides IT infrastructure services to ECCC in the areas of data centre and network services. The scope and responsibilities are outlined in the interdepartmental agreement between SSC and ECCC. SSC has updated its ITGC Framework with the objective to identify a set of common ‘end-state’ IT controls that can be applied horizontally to all infrastructure services, and that aims to differentiate the broad roles and responsibilities between SSC and departmental partners. End-state IT control testing is targeted to begin on-going monitoring rotation starting in 2018-2019;
- The TBS provides ECCC with information used to calculate some accruals and allowances such as the accrued severance liability;
- The Department of Justice provides legal services to ECCC; and
- The Public Prosecution Service of Canada provides prosecution services to ECCC.
Specific arrangements
- Agriculture and Agri-Food Canada (AAFC) provides ECCC with a SAP financial system platform to capture and report all financial transactions. Under this arrangement, ECCC relies on AAFC for the management of certain IT controls and procedures (e.g. security, configuration, change management, business continuity) and also manages various master data functions in SAP on ECCC’s behalf.
3. Departmental assessment results during fiscal year 2016-2017
In 2016-17 ECCC achieved ongoing monitoring status and has subsequently began the implementation of its ongoing monitoring program. Assessments completed in 2016-17 were based on the results of ECCC’s annual risk-based assessment (ARBA) and the associated controls assessment plan as presented in the 2015-16 Annex.
3.1 Ongoing monitoring
As part of its 2016-17 ongoing monitoring plan, ECCC focused on reviewing and updating documentation of high-risk business processes to reflect the continuously changing operating landscape. This risk-based approach ensures that critical controls for high-risk processes, as well as emerging risks are identified, assessed, and remediated as necessary and in a timely manner.
Information Technology General Controls (ITGCs)
- Update of ITGC documentation, including the ITGC Framework, to reflect the changing IT landscape, where the department is partnering with external service providers, who perform many ITGCs on behalf of ECCC.
- The updated ITGC Framework included assessments of the following areas: Third party assurances, Logical access, Change management, Operations and backups and IT security.
- Key recommendations were made to strengthen the process for third-party assurance over ITGCs.
Manage Pay Administration
Internal Control over Financial Reporting (ICFR) documentation of the pay administration was updated to reflect the implementation of the new pay system. The internal control descriptions in the control matrix were reviewed to identify current activities in place to manage identified risks.
The Department has been proactive in our readiness to address potential issues around the implementation of the Phoenix pay system. For example, an Environment and Climate Change Canada (ECCC) team has joined the Public Service and Procurement Canada (PSPC) satellite office to resolve matters, such as but not limited to, overpayments to employees. Furthermore, additional resources continue to analyze data from Phoenix and My Government of Canada Human Resources (My GCHR) to identify root causes and to mitigate against future issues.
In addition, the newly released Guide on Financial Management of Pay Administration, which will be implemented in the coming months, will lend to increased monitoring and controls. This new guide provides an overview of the end-to-end pay process and recommends procedures, controls and monitoring activities to be carried out by departments.
Operating expenditures
As part of its ongoing monitoring of operating expenditures (includes Manage Procure to Payment, Manage Travel, Manage Administration of Acquisition and Fleet Cards, Manage Delegation of Financial and Spending Authorities), ECCC continued to perform account verification by overseeing the implementation and monitoring of the Directive on Account Verification and the Account Verification process, bringing to the DM's attention any significant gaps in performance or compliance issues.
Results of ongoing monitoring:
- Implemented enhanced quarterly consolidated report which aims to inform Senior Management of errors detected, logged and corrected by Financial Officers following Account Verification.
- For Low, Medium and High-Risk Transactions, Financial Policy, Systems and Controls Division has developed new tools to raise delegated managers’ awareness with respect to their roles and responsibilities regarding account verification.
- Formal implementation of an enhanced escalation process is expected to be implemented in the next fiscal year.
4. Environment and Climate Change Canada’s action plan
4.1 Progress during fiscal year 2016-2017
During 2016-2017, ECCC dedicated its energy on continuing the implementation of its ongoing monitoring strategy by focusing on high risk areas to make significant progress in completing the assessment of its key controls and meeting all expectations set in its 2015-16 action plan. Table 1 provides a summary of the progress made by ECCC.
| Element in previous year’s (2015-16) action plan Ongoing monitoring |
Updated status at March 31, 2017 |
|---|---|
| Entity Level Controls (ELCs) | Initiated in 2016-17 and will continue in 2017-18, a review of relevant Departmental documentation (policies, procedures, guidelines, reports and minutes) that support Entity Level Controls activities. |
| Information Technology General Controls (ITGCs) | Conducted ICFR ongoing monitoring assessment to update the ITGC documentation and reflect the changing landscape where the department is partnering with external service providers. |
| Manage Pay Administration | Conducted a review of the documentation of the Manage Pay Administration process. |
Manage Procure to Payment
|
Conducted continuous monitoring of key controls on Manage Procure to Pay, Manage Travel, Manage of Administration and Fleet Cards, Manage Delegation of Financial and Spending Authorities through post payment verification and data analytics. |
| Manage Vendor Master Data File | Conducted monitoring of key control activities for Manage Vendor Master Data File in 2016-17. |
4.2 Action plan for fiscal year 2017-2018 and subsequent years
The ECCC’s rotational ongoing monitoring plan, as depicted below, extends over the next three years based on an annual validation of the high-risk processes and controls and related adjustments to the ongoing monitoring plan. ECCC has regrouped the Business Processes into key control areas as proposed in the new Treasury Board of Canada Guideline on Internal Control.
| Key control areas | 2017-2018 | 2018-2019 | 2019-2020 |
|---|---|---|---|
| Entity Level Controls | Yes | Yes | Yes |
| Information Technology General Controls | Yes | Yes | Yes |
| Payroll | Yes | Yes | Yes |
| Operating expenditures | Yes | Yes | Yes |
| Capital expenditures | Yes | No | No |
| Grants and contributions | No | Yes | No |
| Revenue | Yes | No | No |
| Financial close and reporting | No | Yes | No |
| Environmental liabilities | No | Yes | No |
Page details
- Date modified: