Audit of the system of internal controls over financial reporting
Executive summary
Why it is important
Canadians expect the financial resources of the Government of Canada to be well managed and safeguarded through internal controls. They also expect reliable reporting that provides transparency and accountability for how public funds are spent to achieve results. An organization's system of internal controls over financial reporting (ICFR) is intended to support meeting these expectations. The system of ICFR is designed to mitigate risks based on a process to identify and prioritize key risks, assess effectiveness of associated key controls, and implement any corrective action.
The internal audit of ICFR was included in the 2023-2028 Audit and Evaluation Plan and is consistent with the Institute of Internal Auditors standards, which require that the internal audit functions assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
Objective
The audit objective was to provide reasonable assurance that Environment and Climate Change Canada (ECCC) has an effective system of ICFR in place, in compliance with the Treasury Board Policy on Financial Management requirements. The audit focused on an assessment of key ICFR elements including the ongoing monitoring and testing of the system in place at ECCC.
What we found
A system of ICFR is in place, comprised of a formal framework and associated processes to assess, monitor, remediate, and report on the state of ICFR. Overall, we found that these have been generally adequately implemented, in compliance with Treasury Board Policy on Financial Management requirements and the associated guidance. A few opportunities for improvement were noted.
Roles, responsibilities, and accountabilities for key stakeholders related to ICFR are defined and documented in the ECCC Framework on Internal Control Over Financial Management (ICFM) and have been implemented in support of the system. There is an opportunity to further clarify the role of Business Process Owners, their delegates, and Senior Departmental Managers in the ICFM Framework, and to enhance communication and reporting around ICFR related activities to increase senior management’s awareness and knowledge and support them in fulfilling their roles and responsibilities.
A risk-based ongoing monitoring program, including an annual risk-based assessment of ICFR, has been implemented, which generally aligns with Treasury Board of Canada Secretariat guidance. There are opportunities to further strengthen the risk-assessment methodology, as well as to expand engagement with key stakeholders during the data-gathering phase to better inform the risk assessment results and the frequency and timeliness of assessments.
A process is in place and working as intended to issue recommendations to Business Process Owners following business process assessments, request the development of action plans to address control deficiencies, and monitor implementation on a semi-annual basis. Internal and external reporting is also in place for reporting remediation actions and progress of their implementation. An opportunity exists to improve the level of information related to the status of remedial actions to demonstrate progress achieved on the measures taken by the Department to maintain an effective system of ICFR, and to support departmental oversight of the overall system.
Recommendations
Three (3) recommendations were developed to address the opportunities for improvement identified in this report. The Chief Financial Officer and Assistant Deputy Minister, Corporate Services and Finance Branch, should:
- Review and update the ECCC ICFM framework to clearly articulate the roles and responsibilities of Business Process Owners and their delegates, and to enhance engagement of Senior Departmental Managers throughout the ICFR cycle as appropriate.
- Review and update the risk assessment methodology for ICFR to ensure that the assessments and environmental scans are informed by consulting with all key stakeholders, and that the various components of ICFR are evaluated on a regular basis, including the lower risk ones.
- Ensure that the Annex to the Statement of Management Responsibility includes details on the status of remedial actions associated to the ongoing monitoring activities from the previous fiscal year’s rotational plan.
Background
The Treasury Board Policy on Financial Management came into effect on April 1, 2017 with the objective of ensuring that the financial resources of the Government of Canada are well managed in the delivery of programs to Canadians and safeguarded through balanced controls that enable flexibility and risk management practices.
The Policy defines ICFR as a subset of ICFM. Specifically, ICFR is a set of measures and activities that allow senior management and users of the department’s financial statements to have reasonable assurance with respect to their accuracy and completeness.
The Policy sets out several requirements and assigns responsibility to the deputy head for ensuring that a risk-based departmental system of ICFM (including ICFR) is established, monitored, and maintained. The Policy specifies the key responsibilities of the Chief Financial Officer in exercising effective financial management. This includes establishing, monitoring, and maintaining a risk-based system of ICFR, as demonstrated by the departmental Statement of Management Responsibility Including ICFR, and to provide reasonable assurance, at a minimum, that:
- Records are maintained that support and represent fairly all financial transactions.
- Recording of financial transactions allows for the preparation of internal and external financial information, reports, and statements in compliance with financial management policy instruments.
- Expenditures are made in accordance with delegated authorities, and unauthorized transactions that could have a material effect on the financial statements are prevented or detected in a timely manner.
- Financial resources are safeguarded against material loss due to waste, abuse, mismanagement, errors, fraud, omissions, and other irregularities.
- Prompt corrective action is taken when control weaknesses and material unmitigated risks are identified, including the risk of fraud, in the system of ICFR.
The Policy on Financial Management specifies that the Annual Statement of Management Responsibility Including ICFR must include a summary of the results of the annual assessment of the system of ICFR, along with actions taken and future plans.
The ECCC system of ICFR is based on the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Integrated Framework. The framework’s five (5) complementary components of internal control (control environment, risk assessment, control activities, monitoring activities and information/communication) provide the basis for identification, documentation, and assessment of internal control at all levels in the department.
The system of ICFR includes an ongoing monitoring program, which includes detailed risk assessments of internal controls planned to be conducted every 3 to 5 years, as well as yearly environmental scans, as shown in Appendix A. The last full risk assessment at ECCC occurred in fiscal year 2019-20. The assessments are designed to gauge the likelihood of risks materializing and how they might affect financial reporting and financial management. The ECCC business processes covered under the scope of ICFR are listed in Appendix B, which highlights all business processes under the ICFM.
Ongoing monitoring is intended to ensure that the ICFR continues to operate effectively and as designed. According to the Treasury Board Guide to Ongoing Monitoring of Internal Controls over Financial Management, ongoing monitoring of internal controls begins once a department has executed its initial control assessment plan, as noted in its Statement of Management Responsibility Including ICFR. Executing the plan involves completing the documentation, testing for design effectiveness, testing for operating effectiveness, and implementing remediation items or compensating controls to address the gaps or weaknesses identified. ECCC reached the ICFR ongoing monitoring stage in 2016.
The monitoring program was expanded to include ICFM in 2018 and implementation of the ECCC ICFM Framework came into effect on February 24, 2021. As a result, additional ICFM business areas were added to the internal controls monitoring program. The Department aims to achieve ICFM ongoing monitoring status by the end of 2024.
Governance and accountability
ECCC’s system of internal controls (Appendix C) was inspired by the Institute of Internal Auditors Three Lines of Defense Model. According to the ECCC ICFM Framework:
- Senior Departmental Managers constitute the first line of defense as they are responsible for internal controls within their areas of responsibilities.
- The second line of defense consists of the Procurement, Accounting and Controls Directorate, through the Financial Policy Systems and Controls Division (FPSC) in the Corporate Services and Finance Branch, which oversees the design and operating effectiveness of key controls, and the Corporate Management Directorate, which oversees the departmental integrated risk management approach.
- Finally, the third line of defense is based on independent and objective assurance provided by the Internal Audit function.
As described in the Policy on Financial Management, Senior Departmental Managers typically report directly to a deputy head and are accountable for effective financial management within their areas of responsibility. At ECCC, the Senior Departmental Managers are the Branch Heads.
Business Process Owners are executives at the Director General level. They are responsible for the various business processes in the scope of the ICFM framework including ICFR and may be supported by Business Process delegates at the Director level.
The Financial Policy Systems and Controls Division within the Corporate Services and Finance Branch is responsible for:
- maintaining and monitoring the risk based ICFR system;
- planning and conducting annual risk assessments;
- analyzing and testing the design effectiveness of key controls; and,
- testing their operational effectiveness.
The Corporate and Operational Accounting Division within the Corporate Services and Finance Branch is responsible for designing key controls and for ensuring quality assurance over financial transactions in relation with expenditure management.
Objective, scope and methodology
Objective
The audit objective was to provide reasonable assurance that ECCC has an effective system of ICFR in place, in compliance with the Treasury Board Policy on Financial Management requirements related to ICFR.
Scope
The audit focused on an assessment of key ICFR elements including the ongoing monitoring and testing of the system in place.
The audit excluded:
- a review and assessment of Information Technology general controls related to the System Applications and Products (SAP) financial system platform managed by Agriculture and Agri-Food Canada (the host).
- an assessment of the accuracy of ECCC’s financial statements.
- a review and assessment of business processes specific to ICFM.
The audit lines of enquiry and criteria are provided in Appendix D. These criteria were developed based on the results of a risk assessment conducted during the planning phase of the audit.
The audit covered the period from 2019–20 to 2022–23.
Methodology
The audit was conducted and completed using the following methods:
- a review of relevant documentation, including policies, guidelines, and procedures.
- interviews conducted with key stakeholders involved in the maintenance of ICFR.
- walkthroughs of key processes in place related to ICFR, including monitoring activities and reporting requirements.
- examination of the most recent full risk-assessment, which was completed during 2019-20.
- examination of the three (3) yearly environmental scans and assessments of business processes completed between 2020-21 and 2022-23.
- analysis of the results of ongoing monitoring activities on key controls in support of the Annex to the Statement of Management Responsibility related to ICFR.
Statement of Conformance
The audit conforms to the International Standards for the Professional Practice of Internal Auditing, as supported by the results of the quality assurance and improvement program.
Findings, recommendations and management response
1. Roles, responsibilities, and accountabilities
Findings: Roles, responsibilities, and accountabilities for key stakeholders related to ICFR are defined and documented in the ECCC Framework on ICFM and have been implemented in support of the system. There is an opportunity to further clarify the role of Business Process Owners, their delegates, and Senior Departmental Managers in the ICFM Framework, and to enhance communication and reporting around ICFR related activities to increase senior management’s awareness and knowledge and support them in fulfilling their roles and responsibilities.
What we examined
It was expected that an effective governance and accountability structure is in place to support the oversight of ECCC’s system of ICFR in compliance with the Policy on Financial Management. We expected that roles, responsibilities, and accountabilities were clearly defined, communicated, and understood in support of ongoing monitoring of ICFR activities.
What we found
ICFM Framework. ECCC’s approved framework defines the approach adopted by the department to manage ICFM, including ICFR. The Framework adequately builds on the Treasury Board of Canada Secretariat Guide to Internal Controls Over Financial Management and is communicated and available to all employees on the department’s intranet site.
Roles and responsibilities are formally defined in the ICFM Framework and align with the requirements of the Policy on Financial Management. A review of the Framework notes that generally, roles, responsibilities and accountabilities of most key stakeholders are clearly defined in support of ongoing monitoring of ICFM activities, inspired by the Institute of Internal Auditors Three Lines of Defense Model (Appendix C). A Responsible, Accountable, Consulted, and Informed (RACI) chart provides the steps and key stakeholders for the ongoing monitoring approach at ECCC.
Departmental Audit Committee (DAC). The main governance body that supports oversight of ICFM at ECCC is the DAC, which according to the Treasury Board Policy on Financial Management and the 2019 Treasury Board Guidebook for a Departmental Audit Committee, is responsible for assisting the deputy head in monitoring the organization’s core systems of control and accountability, by providing independent and objective advice to inform decision making.
In the context of ICFR, the DAC may be expected to review the annual Statement of Management Responsibility and associated plans and assessments. We noted that the DAC’s responsibilities are clearly outlined in the ECCC ICFM framework, and a review of DAC meeting minutes shows that the committee was presented with, and reviewed, financial statements, including the Annex to Statement of Management Responsibility, and had the opportunity to ask questions and receive clarifications as required.
Business process owners. Business Process Owners have a key role as the individuals responsible for overseeing the controls associated with particular business processes. They also have a main role in detecting errors or potentially fraudulent activities and identifying and reporting to the Chief Financial Officer any control deficiencies and weaknesses in a timely manner. Furthermore, they are responsible for implementing timely corrective actions when control deficiencies are found during operations or following assessments of design and operational effectiveness performed by the Financial Policy Systems and Controls division, Corporate Services and Finance Branch as part of ICFR ongoing monitoring.
In the context of the ICFM related business processes at ECCC, the majority of Business Process Owners and business process delegates are within the Corporate Services and Finance Branch. The exceptions are the Pay Administration business process which is owned by a Director General in the Human Resources Branch, and the Project Management business process which is owned by a Director General in the Office of the Chief Information Officer.
There is an opportunity to define more clearly the roles and responsibilities of Business Process Owners and their delegates in the ICFM Framework. Business Process Owners are mentioned frequently in the Framework at various phases of the ongoing monitoring cycle and are included in the RACI chart. However, we found that detailed responsibilities could be more clearly articulated. Specifically, Business Process Owners are supported by delegates at the Director level, but this role is not defined in the Framework to clearly delineate the span of responsibilities in relation to the Business Process Owners.
Senior Departmental Managers. Branch Heads have an important role. They are responsible for implementing and maintaining a risk-based system of ICFM in their area of responsibility; notifying the Chief Financial Officer of material control weaknesses; and ensuring that prompt corrective action is taken when control weaknesses are identified in their area of responsibility.
The Treasury Board Guide on Internal Control over Financial Management and the Treasury Board Guide on Ongoing Monitoring of Internal Controls over Financial Management recommend that Senior Departmental Managers be engaged throughout the ICFR / ICFM life cycle in order to support them in fulfilling their roles. Specifically, they recommend that Senior Departmental Managers are informed during the data gathering and risk assessment phases of full risk assessments. This includes being solicited to provide input and feedback, informed of the development of the ongoing monitoring plan, informed of the conclusions and results of controls assessments, and consulted and informed with respect to the remediation actions and associated action plans, including implementation progress.
Most of the ICFR components are under the responsibility of Business Process Owners in the Corporate Services and Finance Branch, who report to the Assistant Deputy Minister, Corporate Services and Finance Branch as their Senior Departmental Manager. As such, in the context of the ECCC ICFM framework, we found that the level of engagement with the Assistant Deputy Minister Corporate Services and Finance Branch was adequate to support fulfilling their responsibilities both as the Chief Financial Officer and in their role as Senior Departmental Manager.
Compared to the Treasury Board of Canada Secretariat guidance, the ECCC ICFM framework has a limited role for Senior Departmental Manager involvement in the internal controls assessment and the ongoing monitoring cycle of ICFR / ICFM. By design, the framework limits their role to being informed, at the reporting stage of the ICFM cycle, of the results of assessments conducted on ICFR and ICFM components, including recommendations and associated remediation action plans. In addition, this only applies to Senior Departmental Managers of relevant Business Process Owners. As such, other Senior Departmental Managers who do not have Business Process Owners reporting to them may not be involved in the internal controls assessment and ongoing monitoring cycle for ICFR / ICFM.
It was found that the design of the ECCC ICFM framework has a gap in terms of engaging and informing the other Senior Departmental Managers, for example branch heads from program branches who may not have a direct line of sight into the business processes covered under ICFR. This was reflected in our review of the various reports produced, for which we found limited evidence that they were shared beyond the Chief Financial Officer organization and the Departmental Audit Committee. This includes, for example, the annual Annex to the Statement of Management Responsibility including ICFR.
The involvement of all stakeholders, including senior management, is important to maintain an effective system of ICFR. It also allows the opportunity to understand how the ongoing monitoring of internal controls supports the reliability of the unaudited departmental financial statements for decision making.
Recommendation 1
The Chief Financial Officer and Assistant Deputy Minister, Corporate Services and Finance Branch, should review and update the ECCC ICFM framework to clearly articulate the roles and responsibilities of Business Process Owners and their delegates, and to enhance engagement of Senior Departmental Managers throughout the ICFR cycle as appropriate.
Management response
Management agrees with the recommendation.
The ECCC ICFM Framework outlines Senior Departmental Managers' responsibilities in exercising effective financial management, including internal controls, as per the Treasury Board Policy on Financial Management requirements. To affirm their commitment, all Senior Departmental Managers annually provide a signed Senior Departmental Manager Checklist and Sub-Certification to the Chief Financial Officer, in support of the Chief Financial Officer and Deputy Minister signing the annual departmental Statement of Management Responsibility Including ICFM.
However, as noted in the audit, aside from the engagement, the ECCC ICFM framework has a gap in terms of engaging and informing Senior Departmental Managers (branch heads from program branches) outside Corporate Services and Finance Branch, throughout the ICFR cycle. Although most of the ICFR components are under the responsibility of Business Process Owners in the Corporate Services and Finance Branch, including the other Senior Departmental Managers, it is important to maintain an effective system of ICFR, as it allows them to understand how the ongoing monitoring of internal controls supports the reliability of the unaudited departmental financial statements for decision making.
The Corporate Services and Finance Branch will review and update the ECCC ICFM Framework and underlying tools as appropriate to:
- enhance engagement of program Senior Departmental Managers throughout the ICFR cycle; and
- articulate the roles and responsibilities of Business Process Owners and their delegates.
2. Risk assessment and testing of ICFR components
Findings: A risk-based ongoing monitoring program, including an annual risk-based assessment of ICFR, has been implemented, which generally aligns with Treasury Board of Canada Secretariat guidance. There are opportunities to further strengthen the risk-assessment methodology, as well as to expand engagement with key stakeholders during the data-gathering phase to better inform the risk assessment results and the frequency and timeliness of assessments.
What we examined
It was expected that risks related to ICFR are identified, assessed, addressed, and monitored effectively. We also expected to see that the assessment of ICFR is performed in accordance with established standards and guidelines.
What we found
Full risk assessments and environmental scans. The Financial Policy Systems and Controls division, Corporate Services and Finance Branch performs ongoing monitoring activities of internal controls using a risk-based approach via detailed risk assessments planned for every five (5) years, and yearly environmental scans in the interim years.
Environmental scans are completed to determine if there have been significant changes to the personnel, processes, or systems within each business process that would have an impact on risk, and to update the ongoing monitoring plan accordingly. This involves the same activities as full risk assessments and may be less intensive or comprehensive. A walkthrough of the processes demonstrated that these have been designed in compliance with the requirements of the Policy on Financial Management, and aligned with the Treasury Board of Canada Secretariat Guide to Internal Control over Financial Management and the Guide to Ongoing Monitoring of Internal Controls Over Financial Management.
An examination of available documentation from the most recent full risk assessment (2019-20) and the subsequent environmental scans found that they generally followed the established processes, guidance, and assessment methodology.
The full risk assessment was performed by gathering input from Business Process Owners or delegates on areas they were responsible for, including information on changes to business processes, staffing, systems, and organizational structure. It also included reviews of relevant documentation from internal and external sources such as the ECCC Corporate Risk Profile, internal and external audit reports, and mandate letters. It included an assessment and ranking of risks based on a set of criteria, which resulted in a multi-year assessment plan.
Similarly, environmental scans were conducted by gathering input from Business Process Owner delegates via the administration of a comprehensive survey, followed by an assessment of risks based on the following rating scale:
- 60% is attributed to the survey results.
- 20% is attributed to impact on processes resulting from ICFR Assessments and follow-up on outstanding recommendations from operational effectiveness assessment results.
- 10% on departmental information such as ECCC key documents, Management Accountability Framework results, mandate letter, information provided to DAC and issues raised by internal audit reports; and,
- 10% on governmental information such as changes in policies, directives and guidelines, emerging events, and issues raised by the Office of the Comptroller General and the Office of the Auditor General reports.
The audit noted that the quality of the survey administered to Business Process Owners has continued to improve over time, enabling more informed responses in support of the risk assessment. For example, rather than only asking whether there have been changes to staffing, the most recent survey focused on whether staff possess the necessary training, experience, and competencies to support the business process.
The following opportunities were identified to further strengthen the risk assessment and environmental scan methodology and approach, in preparation for the next full risk assessment, planned for FY 2024-25.
Timing and frequency of assessments. Departments are expected to use a risk-based approach to determine how often processes and controls need to be monitored to ensure that the system of ICFM (including ICFR) is effective, which results in more effective use of limited resources. According to Treasury Board of Canada Secretariat guidance, the timing and frequency of the assessments should take into account factors such as: critical emerging events, including proposed strategic plans, resource constraints, the costs and benefits of the assessment compared with the risks associated with the process, the status or results of remediation action plans (if remediation has not yet taken place, there may be little value in performing the assessment), audit findings that may have an impact or that may provide further evidence of the effectiveness of controls, and other parallel financial reviews or initiatives.
In the context of ECCC, these factors have been taken into consideration when developing the ongoing monitoring plans. Given that the Department has assessed all ICFR components for design, implementation, and operating effectiveness and reached ongoing monitoring status in 2016, its subsequent focus and allocation of resources has been towards assessing the design, implementation and operating effectiveness of new components to comply with the new requirements of the Policy on Financial Management regarding ICFM; and on re-assessing ICFR components (that were previously assessed) that emerged as high priority (for example, delegation of financial and spending authorities and purchases, payables and procurement).
While this methodology is in line with established guidance in terms of following the risk-based approach and efficient and effective use of limited resources, it does not make provisions for the re-assessment of all business processes on a regular basis, including those that end up as being assessed as low risk, which may lead to long periods of time in between re-assessments.
A historical analysis of assessments for ICFR components at ECCC showed that many ICFR business processes have not been re-assessed in their entirety for over five (5) years, with a couple of business processes that have not been fully re-assessed in ten (10) years (see Table 1).
ICFR business processes | Last tested | Planned testing year per current ongoing monitoring plan | Aging (years between last and planned testing) |
---|---|---|---|
Stewardship of Financial Management Systems | New process | In progress | Not applicable |
Real Property | 2018-2019 | 2023-2024 | 5 years |
Travel, Hospitality, Conferences and Events* | 2021-2022 | 2023-2024 | 2 years |
Purchasing, Payables and Payments | 2021-2022 | 2026-2027 | 5 years |
Capital Assets | 2018-2019 | 2024-2025 | 6 years |
Inventory | 2018-2019 | 2024-2025 | 6 years |
Delegation of Spending and Financial Authorities | 2021-2022 | 2025-2026 | 4 years |
Financial Close and Reporting | 2014-2015 | 2024-2025 | 10 years |
Public Money and Receivables | 2018-2019 | 2024-2025 | 6 years |
Grants and Contributions* | 2015-2016 | 2025-2026 | 10 years |
Entity Level Controls | 2018-2019 | in progress | 4 years |
IT General Controls | 2022-2023 | 2023-2024 | 1 year |
Environmental Liabilities | 2014-2015 | 2024-2025 | 10 years |
* Only the payment process controls associated with these business processes were re-assessed in 2021-22 through the Purchasing, Payables and Payments business process.
As explained previously, there are many circumstances that come into play when determining which components to assess, and the timing of those assessments. For example, in the context of the grants and contributions business process, only the controls related to managing G&Cs payments were tested for operating effectiveness, as part of the Purchasing, Payables and Payments business process assessment completed in 2021-22.
Other factors that influenced the timing of re-assessment of the grants and contributions component included previous or planned coverage provided by several relevant internal audits (i.e. the 2018 internal audit of the management of grants and contributions, the audits of the administration of the Low Carbon Economy Fund and the Canada Nature Fund, and the 2024 internal audit of the administration of the grants and contributions). Coordination between the internal audit function and the internal controls function is a good practice to support the most effective use of resources and minimize the impact on stakeholders.
The 2024 internal audit on the administration of grants and contributions assessed related internal controls and noted several inconsistencies due to outdated business processes, and inconsistencies related to broader financial management practices. It is expected that the audit findings and recommendations will be addressed by reviewing, updating, and remediating internal controls with Business Process Owners accordingly as part of the normal ongoing monitoring cycle.
Notwithstanding the above, the frequency and timeliness of full re-assessments of those lower priority / risk components (which may create timing gaps between assessments) suggest that the methodology may need to be reviewed to make provisions for ensuring that all ICFR components are fully re-assessed on a more regular basis, regardless of the priority assigned to each ICFR component at the end of the full risk assessment or environmental scan. Regular re-assessments would further strengthen the assurance that controls are kept up to date, and that deficiencies and weaknesses are identified and acted upon in a timely manner.
Enhancing stakeholder engagement throughout the ICFR cycle. We found limited evidence that stakeholders outside of Chief Financial Officer’s organization were engaged during the data gathering phase of risk assessments and environmental scans. There is an opportunity to better inform the risk assessments and prioritization and scheduling of ICFM and ICFR components by engaging with stakeholders outside of the Chief Financial Officer’s organization – for example, interviewing or surveying program managers to gather knowledge on operations, or meeting with a sample of Senior Departmental Managers to gain an understanding of the Department’s strategic direction, potential organizational changes, or concerns with respect to ICFM, as recommended by Treasury Board of Canada Secretariat guidance.
Assessments (testing of operating effectiveness of internal controls). Assessments are under the responsibility of the Financial Policy Systems and Controls division, Corporate Services and Finance Branch. The resource model for the assessments is a hybrid between Business Process Owner self-assessments validated by the internal controls team in the case of business processes that have been assessed previously and reached ongoing monitoring status, and independent assessments for other components (i.e. fraud risk assessment and IT General Controls entity level assessments conducted by third parties). This is in line with the Treasury Board Secretariat (TBS) Guide on Ongoing Monitoring of Internal Controls over Financial Management.
The audit reviewed the documentation supporting the assessments completed within the period in the scope of the audit. As mentioned previously, with the focus being on assessing new components related to ICFM, two business processes related to ICFR were determined to be high priority and were re-assessed for design and operating effectiveness in 2021-22: Delegation of Spending and Financial Authorities; and Purchasing, Payables and Payments.
Their review was conducted in accordance with Treasury Board of Canada Secretariat guidance and methodology. For the testing of design effectiveness, the Financial Policy Systems and Controls division proceeded by conducting walkthroughs with the Business Process Owners and an evidence review. The process maps and control matrices were updated to reflect the business process and controls in place at the time of the assessment.
For the testing of operational effectiveness, the Financial Policy Systems and Controls division proceeded by enquiring and examining relevant documents and testing a sample of transactions. The results were documented in testing grids and included evidence to support them. Following the operational effectiveness testing, recommendations were issued to the Business Process Owner delegates requesting the development of Management Action Plans to remediate control deficiencies detected.
One of the key controls within Purchases, Payables and Payments (Financial Administration Act Section 33 Ongoing Monitoring Quality Assurance), the Account Verification Awareness Program, performs quality assurance testing on expenditure management payments to ensure they were properly authorized before payments were made. The results of this quality assurance testing are communicated quarterly to delegated managers. This control was determined to be effective because it detected errors in the expenditures in relation to delegation instruments.
Our review of the quality assurance reports for Q1 and Q2 of 2023-24 showed an increase of errors associated with certain types of expenditures (i.e., travel and hospitality) that was higher than the tolerable error rate set and approved by the Chief Financial Officer in the annual sampling plan. The audit noted that management took actions following those results to reduce the error rate through awareness activities involving all categories of delegate managers s.34.
Given the audit timelines, we could not determine if those actions combined with the current management actions to implement an escalation process will be sufficient to address root causes, and whether additional measures would be required such as more training to reinforce preventative controls of delegated authority to be repeated for sub-delegated managers to enhance financial management practices, or the need to develop additional guidance.
Recommendation 2
The Chief Financial Officer and Assistant Deputy Minister, Corporate Services and Finance Branch should review and update the risk assessment methodology for ICFR to ensure that the assessments and environmental scans are informed by consulting with all key stakeholders, and that the various components of ICFR are evaluated on a regular basis, including the lower risk ones.
Management response
Management agrees with the recommendation.
To ensure that the assessments and environmental scans are informed by consulting with all key stakeholders, the Internal Controls Team will review and update the ECCC ICFM Framework and underlying tools and guidance, to enhance required engagement with program Senior Departmental Managers (outside of the Corporate Services and Finance Branch), ensuring alignment with the Treasury Board Secretariat (TBS) Guide to Ongoing Monitoring. This will enable Senior Departmental Managers to identify potential ICFR risks more actively and effectively within their area of responsibility to the Chief Financial Officer, and have these concerns reflected within the departmental risk-based system of ICFM (including ICFR).
We have already begun this engagement. In the summer and fall of 2023, information sessions were held with all Assistant Deputy Ministers and delegated managers at every level on the effective use of public funds. It was an opportunity to remind every employee with delegated financial authorities, including Senior Departmental Managers, that they are accountable for sound, prudent, and proper use of public funds in the delivery of our mandate and to rethink discretionary expenditures.
Additionally, an escalation process for managing non-compliance in the application of spending and financial authorities has been developed and will be implemented in 2024-25, further reinforcing ICFR accountabilities.
To ensure that the various components of ICFR are evaluated on a regular basis, including those of low risk, the Internal Controls Team will review and update the annual risk based assessment and ongoing monitoring plan methodology to monitor the progress of assessments for each ICFR component against the five-year cycle, and develop a comprehensive internal work plan stemming from the ongoing monitoring plan, including a resource model and contingency planning for each ICFR component.
Although management agrees with this recommendation, additional context is needed regarding the meaning of a risk-based system of internal control. A risk-based system implies that internal control assessments will be planned based on assessed level of risk and resource availability. The planned assessments may be modified to respond to emerging risks, such as the impact of a pandemic on the system of internal controls. This may result in delayed testing for other business processes which is acceptable from a policy perspective. Management does recognize that any changes to the ongoing monitoring plan and delays in testing should be properly documented and approved.
3. Monitoring and reporting
Findings: A process is in place and working as intended to issue recommendations to Business Process Owners following business process assessments, request the development of action plans to address control deficiencies, and monitor implementation on a semi-annual basis. Internal and external reporting is also in place for reporting remediation actions and progress of their implementation. An opportunity exists to improve the level of information related to the status of remedial actions to demonstrate progress achieved on the measures taken by the Department to maintain an effective system of ICFR, and to support departmental oversight of the overall system.
What we examined
It was expected that management action plans are developed, and mitigation measures are put in place and implemented to address control deficiencies and reduce risks related to ICFR. Also, that the implementation of management action plans is monitored in accordance with the ICFM framework and progress is reported until full implementation to the appropriate stakeholders.
What we found
Management Action Plan development, monitoring, and reporting. A formal process is in place to report to, and validate results with, Business Process Owners, and to monitor the implementation of management action plans to address recommendations issued to address internal control deficiencies from the assessments conducted on the various ICFR business processes identified in the annual risk-based assessment plan.
Following assessments of ICFM / ICFR components, the Financial Policy Systems and Controls division issues recommendations to Business Process Owners and requests the development of Management Action Plans to address gaps or weaknesses in key controls. The monitoring of progress made is done twice a year (at mid-year and at year-end). Assessment results are communicated to the Chief Financial Officer through internal memos, as well as recommendations to be closed once all actions are considered fully implemented by the Financial Policy Systems and Controls division.
Upon review of the results of the assessments completed, it was noted that assessment results were reported to, and validated with, the relevant Business Process Owner delegates, and recommendations were issued to address the control deficiencies identified through the operational effectiveness testing, as intended. A Management Action Plan was developed to address the recommendations and shared with the Financial Policy Systems and Controls division for follow-up purposes.
We noted that the Financial Policy Systems and Controls division also identified other opportunities to strengthen internal controls, which were reported in formal Ongoing Monitoring Assessments reports, along with the main findings. These were various findings that did not necessarily qualify as control deficiencies from a compliance perspective (in a manner that would have qualified the control in place as ineffective or partially effective), but relevant and useful opportunities for continuous improvement of the design of controls in place.
We also noted an opportunity to strengthen the role of the Financial Policy Systems and Controls division, by undertaking a challenge function upon development of the Management Action Plan by Business Process Owner delegates, to ensure management actions will fully address the recommendations, within the planned timeframe, to decrease the probability of recurring control weaknesses, and to ensure the continued integrity of financial reporting.
External reporting. In accordance with the Policy on Financial Management, the Deputy Head and the Chief Financial Officer are required to report on the annual assessment of ICFR in the annex to the Statement of Management Responsibility. The Annex is presented yearly to the Departmental Audit Committee for review and comment. It accompanies the departmental unaudited financial statements that are linked to, and published concurrently with, the Departmental Results Reports on the ECCC website.
The Annex to the Statement of Management Responsibility including ICFR provides a summary of the annual assessment of the system, and the progress achieved since the previous fiscal year. According to Treasury Board of Canada Secretariat guidance, its content depends on the size of the department and the level of maturity of internal control processes attained by the department according to its assessment.
A review of the annexes published between 2021-22 and 2022-23 noted that the department uses the standard annex proposed by the Guide to Internal Control over Financial Management, and generally included the level of information required. For ICFR components that had previously reached ongoing monitoring status and have been re-assessed, the Annex is expected to include progress information on the status of re-assessments.
We reviewed the Annexes published during the period under review for evidence that status of progress on management action plans implementation was reported accordingly for the two (2) ICFR business processes that have been re-assessed and completed in 2021-22 (Delegation of Spending and Financial Authorities and Purchasing, Payables and Payments). We noted an opportunity to improve the level of information related to remedial action progress status, to demonstrate the progress achieved since the previous fiscal year on the measures taken by the Department to maintain an effective system of ICFR. For example,
- The Annex for 2021-22 did not give a sense of whether remedial actions to address control deficiencies related to the Delegation of Spending and Financial Authorities business process had been completed during the year.
- For Purchasing, Payables and Payments, the Annex reported that the ongoing monitoring assessment had been completed, that the results were communicated to the responsible area, and that a plan would be developed in early 2022-23 to ensure compliance with the Directive on Delegation of Spending and Financial Authorities.
- The subsequent Annex (for FY 2022-23) did not report information on the status of the assessments for these business processes.
Furthermore, according to the ECCC ICFM framework, an end-of-year report is to be provided to the Chief Financial Officer and the Departmental Audit Committee that identifies the level of the implementation of remediation action plans, specifically outstanding recommendations that have not yet been implemented. We noted that high level information on the status of the ongoing monitoring plan is presented at the Departmental Audit Committee, but it does not provide more detailed information on outstanding recommendations that have not yet been implemented.
Enhancing information related to the status of action plans from annual assessments reported in the Annex to the Statement of Management Responsibility is important to adequately demonstrate how the departmental system of ICFR is being managed, and to support departmental oversight of its overall system of internal controls.
Recommendation 3
The Chief Financial Officer and Assistant Deputy Minister, Corporate Services and Finance Branch, should ensure that the Annex to the Statement of Management Responsibility includes details on the status of remedial actions associated to the ongoing monitoring activities from the previous fiscal year’s rotational plan.
Management response
Management agrees with the recommendation.
The Internal Controls Team will review and update the methodology for the preparation of the Annex to the Statement of Management Responsibility to ensure it incorporates details on the status of remedial actions associated to the ongoing monitoring activities from the previous fiscal year’s rotational plan, as required by TBS Guidance. This will ensure the reporting of a more complete picture of the measures taken by ECCC to maintain an effective system of ICFR.
To strengthen the integrity of financial reporting, the Internal Controls Team implemented a more robust challenge function in June of 2023 for the Semi-Annual Follow-up on ICFM Action Plans, whereby areas of high residual risk are escalated to the Chief Financial Officer. This challenge will be further enhanced by incorporating Business Process Owners feedback.
Conclusion
A system of ICFR is in place, comprised of a formal framework and associated processes to assess, monitor, remediate, and report on the state of ICFR. Overall, we found that these have been generally adequately implemented, in compliance with Treasury Board Policy on Financial Management requirements and the associated guidance. A few opportunities for improvement were noted.
Roles, responsibilities, and accountabilities for key stakeholders related to ICFR are defined and documented in the ECCC Framework on Internal Control Over Financial Management (ICFM) and have been implemented in support of the system. There is an opportunity to further clarify the role of Business Process Owners, their delegates, and Senior Departmental Managers in the ICFM Framework, and to enhance communication and reporting around ICFR related activities to increase senior management’s awareness and knowledge and support them in fulfilling their roles and responsibilities.
A risk-based ongoing monitoring program, including an annual risk-based assessment of ICFR, has been implemented, which generally aligns with Treasury Board of Canada Secretariat guidance. There are opportunities to further strengthen the risk-assessment methodology, as well as to expand engagement with key stakeholders during the data-gathering phase to better inform the risk assessment results and the frequency and timeliness of assessments.
A process is in place and working as intended to issue recommendations to Business Process Owners following business process assessments, request the development of action plans to address control deficiencies, and monitor implementation on a semi-annual basis. Internal and external reporting is also in place for reporting remediation actions and progress of their implementation. An opportunity exists to improve the level of information related to the status of remedial actions to demonstrate progress achieved on the measures taken by the Department to maintain an effective system of ICFR, and to support departmental oversight of the overall system.
Appendix A: ECCC ICFM Ongoing Monitoring Approach
Source: ECCC Internal Control Over Financial Management Framework
Long description for Appendix A
Circular decision making process
- 1. Risk assessment and planning
  - Annual Risk-Based Assessment
  - Risk-Based Ongoing Monitoring Plan
- 2. Complete the assessment
  - Develop/update documentation
  - Test design effectiveness
  - Test operating effectiveness
- 3. Capture results and develop action plan
  - Validate results with BPOs
  - Develop Management Action Plan
- 4. Reporting
  - Ongoing Monitoring Assessment Reports
  - Semi-Annual ICFM Ongoing Monitoring Review
  - SOMR including ICFR and Annex
- 5. Follow-up
  - Measure BPO progress against Management Action Plans
  - Integrate follow-up status into reporting
Entity-Level Controls
The FPSC's Entity-Level Controls (ELCs) assessment approach builds on the 5 components put forward by the COSO Framework, customized to the ICFM context:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring activities
Note: ELCs assessment for the overall ECCC System of Internal Control is not within the scope of this framework
IT General Controls
ECCC's Information technology general controls (ITGC) Framework is based on Control Objectives for Information and Related Technology (COBIT 5), an internationally recognized standard for ITGCs that is referenced in the TB Policy on Service and Digital and used by most Canadian Government Departments for assessing ITGCs. ITGC categories were identified accordingly, and for assessment, customized to the ICFM context:
- Third parties
- Logical access
- Change management
- Operations and backups
- Network security
Note: ITGCs assessment for the overall ECCC System of Internal Control is not within the scope of this framework.
Business Processes
ICFM
- Planning, Budgeting and Forecasting;
- Costing;
- Investment Planning;
- Cabinet Submissions (including CFO attestations); and
- Expenditure Management.
ICFR
- Revenue, Receivables and Receipts
- Interdepartmental Settlements
- Collection of Overdue Receivables
- Procure to Payment
- Travel
- Other Payments
- Administration of Acquisition Cards and Fleet Cards
- Other Capital Assets & Real Property
- Inventory
- Equipment
- Pay Administration
- Grants & Contributions
- Vendor Master Data
- Customer Master Data
- Departmental Chart of Accounts
- Delegation of Financial and Spending Authorities
- Post Payment Verification
- Financial Close
- Environmental Liabilities
Source: ECCC Internal Control Over Financial Management Framework
Source: ECCC Internal Control Over Financial Management Framework
Long description for Appendix C
First line of defense
The ‘front line’ and operational areas performing the control activity across the Department’s Branches.
Senior Departmental Managers
Systems of internal control within their areas of responsibilities.
Second line of defense
Corporate Management Directorate
Financial Policy Systems and Controls division.
Deputy Minister
System of internal control across the Department, which is an integral subset of integrated risk management.
The ECCC Integrated Risk Management Framework (IRMF) details the key accountabilities and governance in support of integrated risk management.
- ECCC System of Internal Control (ELCs and ITGCs)
Chief Financial Officer
System of internal control of financial management and financial reporting.
The scope of this ECCC ICFM Framework involves the two inner circles of the figure, the systems of ICFM and ICFR, for which the CFO is accountable under the ECCC IRMF and the TB Policy on Financial Management (subsections 4.2.8, 4.2.9 and 4.2.10).
- ECCC System of ICFM (ICFM Processes)
- ECCC System of ICFR (ICFR Business Processes)
Third line of defense
Audit and Evaluation Branch
Fourth line of defense
External Audit and Regulators
- Treasury Board
- Comptroller General
- Auditor General
Appendix D: Lines of enquiry and criteria
The following criteria were developed to address the objective of the audit.
Audit criteria
- Line of enquiry 1: The governance in place supports effective oversight of the Department's ICFR.
- 1.1 Accountabilities, roles, and responsibilities are clearly defined, communicated, exercised, and are supported by an appropriate level of governance and oversight.
- Line of enquiry 2: An ongoing monitoring program for the ECCC system of ICFR is in place and operating effectively.
- 2.1 Risks related to ICFR, including the risk of fraud, are identified, assessed, addressed, and monitored effectively.
- 2.2 The assessment of ICFR is performed in accordance with established standards and guidelines.
- 2.3 Management action plans are developed, and mitigation measures are put in place and implemented to address control deficiencies and reduce risks related to ICFR.
- 2.4 Implementation of management action plans is monitored in accordance with the ECCC ICFM framework and progress is reported until full implementation.