ARCHIVED - Statement of Management Responsibility Including Internal Control over Financial Reporting 2009-2010
Responsibility for the integrity and objectivity of the accompanying financial statements for the year ended March 31, 2010, and all information contained in these statements rests with Health Canada's management. These financial statements have been prepared by management in accordance with accounting standards issued by the Treasury Board of Canada Secretariat which are consistent with Canadian generally accepted accounting principles for the public sector.
Management is responsible for the integrity and objectivity of the information in these financial statements. Some of the information in the financial statements is based on management's best estimates and judgment and gives due consideration to materiality. To fulfill its accounting and reporting responsibilities, management maintains a set of accounts that provides a centralized record of Health Canada's financial transactions. Financial information submitted to the Public Accounts of Canada and included in Health Canada's Departmental Performance Report is consistent with these financial statements.
Management maintains a system of financial management and internal control designed to provide reasonable assurance that financial information is reliable, that assets are safeguarded and that transactions are in accordance with the Financial Administration Act, are executed in accordance with prescribed regulations, within Parliamentary authorities, and are properly recorded to maintain accountability of Government funds. Management also seeks to ensure the objectivity and integrity of data in its financial statements by careful selection, training and development of qualified staff, by organizational arrangements that provide appropriate divisions of responsibility, and by communication programs aimed at ensuring that regulations, policies, standards and managerial authorities are understood throughout Health Canada and through conducting an annual assessment of the effectiveness of the system of internal control over financial reporting.
An assessment for the year ended March 31, 2010 was completed in accordance with the Policy on Internal Control and the results and action plans are summarized in the annex.
The system of internal control over financial reporting is designed to mitigate risk to a reasonable level based on an on-going process to identify risks, to assess effectiveness of associated key controls, and to make any necessary adjustments.
The effectiveness and adequacy of the department's system of internal control is reviewed by the work of internal audit staff, who conduct periodic audits of different areas of the department's operations, and by the Departmental Audit Committee, which oversees management's responsibilities for maintaining adequate control systems and the quality of financial reporting, and which recommends the financial statements to the Deputy Minister.
Management is supported by the Departmental Audit Committee, which ensures that the Deputy Minister has independent and objective advice, guidance and assurance as to the adequacy of risk management, control and accountability processes. Currently, the Committee is comprised of the Deputy Minister (Chair) and four members external to the Government, one of them being the vice-chair.
The financial statements of Health Canada have not been audited.
Acting Chief Financial Officer
Health Canada's Annex to the Statement of Management Responsibility Including Internal Control Over Financial Reporting
Assessment of Internal Controls over Financial Reporting and the Action Plan for the fiscal year ending March 31, 2010
Note to the reader
With the Treasury Board Policy on Internal Control, effective April 1, 2009, departments are required to demonstrate the measures they are taking to maintain an effective system of internal control over financial reporting (ICFR).
As part of this policy, departments are expected to conduct annual assessments of their system of ICFR, to establish action plan(s) to address any necessary adjustments, and to attach to their Statements of Management Responsibility a summary of their assessment results and action plan.
Effective systems of ICFR aim to achieve reliable financial statements along with providing assurances that:
- Transactions are appropriately authorized;
- Financial records are properly maintained;
- Assets are safeguarded from risks such as waste, abuse, loss, fraud and mismanagement; and,
- Applicable laws, regulations and policies are complied with.
It is important to note that the system of ICFR is not designed to eliminate all risks, rather to mitigate risk to a reasonable level with controls that are balanced with and proportionate to the risks they aim to mitigate.
The maintenance of an effective system of ICFR is an ongoing process designed to identify, assess effectiveness and adjust as required key risks and associated key controls, as well as to monitor its performance in support of continuous improvement. As a result, the scope, pace and status of those departmental assessments of the effectiveness of their system of ICFR will vary from one organization to the other based on risks and taking into account their unique circumstances.
Table of Contents
- Health Canada's Control Environment Relevant To ICFR
- Assessment of Health Canada's System of ICFR
- Health Canada's Assessment Results
- Health Canada's Action Plan
This document is attached to Health Canada's (HC) Statement of Management Responsibility Including Internal Control over Financial Reporting for the fiscal-year ended March 31, 2010. As required by the Treasury Board Policy on Internal Control (PIC), effective April 1st 2009, for the first time, this document provides summary information on the measures taken by management to maintain an effective system of internal control over financial reporting (ICFR). In particular, it provides summary information on the assessments conducted by HC as at March 31, 2010, including progress, results and related action plans along with some financial highlights pertinent to understanding the control environment unique to the department.
1.1 Authority, Mandate and Program Activities
1.2 Financial highlights
Below is key financial information for fiscal-year 2009-2010. More information can be found in HC's Financial Statements (unaudited) along with the Notes to Financial Statements. Information can also be found in the Public Accounts of Canada.
- Approximately 65% ($2.4 billion) of the department's total spending authorities ($3.7 billion) are derived from the First Nations and Inuit Health Branch and are incurred across Canada to provide health services to First Nations and Inuit communities.
- HC has over 9,800 employees, with salary costs representing about 24% of authorized spending.
- HC has a regional presence of approximately 34% of the department's total employees with the remaining 66% located in the National Capital Region. The regions play a key role in delivering the department's mandate to Canadians.
- There is a decentralized finance and accounting function in each of the regional offices which reports to the Regional Directors General under the functional leadership of the Chief Financial Officer.
- The regions initiate, approve and process a significant portion of operating expenses including goods and services, capital assets and some human resources/payroll transactions. Key control procedures for a significant portion of these types of services are performed by the regions.
- There are a significant number of information systems that are critical to the department's operations and financial reporting such as SAP (Systems, Applications, and Products in data processing), MCCS (Management of Contracts and Contributions System) and CRRS (Contract Requisition and Reporting System).
- As per the notes to the financial statements, which explain and expand on information contained in the financial statements, the department has to comply with numerous statutory and regulatory requirements.
1.3 Service arrangements relevant to financial statements
HC relies on other organizations and other organizations rely on HC for the processing of certain transactions that are recorded in its financial statements:
- Public Works and Government Services Canada (PWGSC) centrally administers the payments of salaries and the procurement of goods and services, as per HC's Delegation of Authority. As well, Treasury Board Secretariat provides the Department with information used to calculate various accruals and allowances, such as the accrued severance liability.
- The Department of Justice provides legal services to HC.
- An external service provider, pursuant to a contract with the Government of Canada, administers the Health Information and Claims Processing System for dental, medical supplies and equipment and pharmacy benefits on behalf of the First Nations and Inuit Health Branch program. The external service provider has the authority and responsibility to ensure that claims paid on behalf of HC for services provided to First Nations and Inuit clients are made in accordance with the Terms and Conditions set out by the First Nations and Inuit Health Branch program. As a result, reliance is placed on the control procedures of the external service provider.
- HC provides the Canada School of Public Service (CSPS), the Public Health Agency of Canada (PHAC) and other small health and scientific agencies with a SAP financial system platform to capture and report all financial transactions.
1.4 Material changes impacting ICFR in fiscal-year 2009-2010
The second year of operation of the Departmental Audit Committee (discussed in section 2) and continued improvements made to the department's system of ICFR (discussed in section 4) has demonstrated improved governance.
2. Health Canada's control environment relevant to ICFR
HC recognizes the importance of setting the tone from the top to help ensure that staff at all levels understand their roles in maintaining effective systems of ICFR and are well equipped to exercise these responsibilities effectively. The department's focus is to ensure risks are managed well through a responsive and risk-based control environment that enables continuous improvement and innovation.
Key components of entity level controls in departments aim at ensuring solid governance and effective risk management at the corporate level, as well as the maintenance of other entity level controls to provide effective support to staff by raising awareness and providing appropriate knowledge, skills, and tools. The ultimate objective is to manage risks while maintaining a responsive control environment for people at all levels that supports innovation and continuous improvement.
2.1 Key Positions, Roles and Responsibilities
2.2 Key measures taken by Health Canada
The control environment is an important factor for ICFR. The department's control environment incorporates a series of measures to equip its staff to manage risks through raising awareness, providing appropriate knowledge and tools as well as developing skills. Key measures taken include:
- An Office of Values and Ethics under the Deputy Head, including an Ombudsman;
- HC's code of conduct and values and ethics code;
- A dedicated division reporting directly to the CFO on internal control;
- Annual performance agreements with clearly set out financial management responsibilities;
- Training program and communications in core areas of financial management;
- Departmental policies tailored to HC's control environment;
- Regularly updated delegated authorities matrix;
- Documentation of main business processes and related key risk and control points to support the management and oversight of its system of ICFR;
- IT processing systems to achieve greater security, integrity, efficiency and effectiveness.
In addition, HC's corporate risk management falls under the responsibility of the Senior Management Board sub-committee on Risk Management. HC's Corporate Risk Profile covers all aspects of corporate risks, including operational, regulatory/legal, financial and reputational. The Corporate Risk Profile is periodically updated through a number of environmental scans (internal and external) taking into account lessons learned and internal and external expert validations.
3. Assessment of Health Canada's system of ICFR
3.1 Assessment baseline
In 2004, the Government of Canada commenced an initiative to determine the ability of departments to sustain control-based audits of their financial statements, thus placing reliance on well functioning internal controls. As a result, beginning in 2006, the largest departments, including HC, began formalizing their approach to managing their systems of ICFR, including readiness assessments and action plans.
Whether it is to support the control-based audit requirements or those of the PIC, an effective system of ICFR with the objectives to provide reasonable assurance that:
- Transactions are appropriately authorized;
- Financial records are properly maintained;
- Assets are safeguarded; and,
- Applicable laws, regulations and policies are complied with.
Over time, this included assessment of design and operating effectiveness of the system of ICFR leading to ensuring the on-going monitoring and continuous improvement of the departmental system of ICFR.
Design effectiveness means to ensure that key control points are identified, documented, in place and that they are aligned with the risks they aim to mitigate and that any remediation is addressed. This includes the mapping of key processes and IT systems to the main accounts by location as applicable.
Operating effectiveness means that key controls have been tested over a defined period and that any remediation is addressed.
On-going monitoring means that a systematic integrated approach to monitoring is in place, including periodic risk-based assessments and timely remediation.
3.2 Health Canada's assessment methodology
In proceeding with its preparation for the PIC, the department has taken measures to assess its system of ICFR starting from its financial statement with a focus on the following main accounts:
- Transfer payments;
- Materiel management;
- Travel - Non-insured medical transportation;
- Service revenues - Sales of goods and services; and,
- Capital assets
For each significant account/location, HC has addressed the following steps:
- Gathered information pertaining to processes and locations, risks and controls relevant to ICFR, including appropriate policies and procedures;
- Mapped out key processes with the identification and documentation of key risk and control points on the basis of materiality, volumes, complexity, geographic dispersion, susceptibility to losses/frauds, areas subject to audit observations, past history, external attention, and reliance on third-party.
- Commenced design and operating effectiveness testing.
HC also documented and assessed its entity-level controls and IT general controls. Assessment of the IT general controls was completed using control standards from the IT Control Objectives for the Sarbanes-Oxley framework (2nd edition), which was adapted for HC.
Finally, HC took into account new information available from recent audits or evaluations, including an audit of the Statement of Financial Position of April 1, 2008.
4. Health Canada's assessment results
As a result of the assessment approach described above, HC developed baseline architectures of all key control points by accounts, locations, processes and main IT systems.
In assessing its key controls, HC focused on design effectiveness which is the prerequisite to testing operating effectiveness.
As at year end 2009-10, management completed all testing of design effectiveness. It also commenced testing of operating effectiveness.
4.1 Design effectiveness of key controls
When completing design effectiveness testing, HC completed all documentation (including its validation by process owners) and undertook a walkthrough to determine whether the process corresponded to actual practice. When potential enhancements were identified, recommendations were made taking operational requirements into consideration and action plans were developed. These activities covered both headquarters and all regional offices. Design effectiveness also included ensuring appropriate alignment of each key control with the risks they aim to mitigate.
The result of these assessments support HC commitments toward continued enhancements and strengthening of its financial controls as several actions were completed and the following are at different stages of completion:
- Standardizing the quality, reliability and availability of documentation of controls and procedures across headquarters and the regions.
Data reconciliation and integrity:
- Enhancing controls (including policies) over vendor data to prevent adverse impacts on data integrity which may also negatively impact operating effectiveness of key internal controls.
- Tracking and updating of asset master records and verifying existence of individual capital assets, in particular for equipment and vehicles.
- Clarifying standards for the capitalization of projects and related eligible expenses and finalizing the policy on accounting for capital assets.
IT general system management:
- Strengthening of access controls related to IT programs and data, IT program changes, as well as backup and recovery of data.
Monitoring and quality assurance of financial statement preparation:
- Clarifying the roles and responsibilities as well as improving challenge functions and quality assurance over the trial balance or amounts and disclosures in the financial statements, including the central accounting and reporting team as well as all branches and programs.
4.2 Operating effectiveness of key controls
In 2009-10, HC commenced the assessment of operating effectiveness of key controls using a variety of activities. These activities include: developing a risk-based monitoring plan that identified key controls to be tested over a three year period; testing of low-risk Operating & Maintenance (O&M) expenditure using a statistical sampling model; a financial audit of their Statement of Financial Position of April 1, 2008; and, monitoring the compliance of the department's procurement and contracting activities.
5. Health Canada's action plan
5.1 Progress made during the fiscal year ending March 31, 2010
During 2009-2010 HC continued to make significant progress in assessing and improving its key controls. The following is a summary of a number of initiatives undertaken.
- Completion of the documentation and design testing of all key processes and controls at the headquarters and regional levels;
- Completion of the documentation of the entity level controls. This includes the establishment of a risk assessment process for ICFR and a revised control framework for grants and contributions, payroll, operating and maintenance and acquisition cards;
- Creation of an annual physical inventory of capital assets by a third party, and completion of such an inventory by year-end; and,
- A risk-based payment verification system (statistical sampling).
Initiatives in progress:
- Initiate streamlining and standardization of key controls between regional offices which initiate, approve, process and/or record a significant portion of Heath Canada's operating expenditures; and,
- Strengthening HC's Central Accounting and Reporting team with an increase in capacity.
5.2 Action plan for the next fiscal year
Whether it is to support control-based audits or meet the requirements of the PIC in both cases, departments need to be able to maintain an effective system of ICFR with the objectives to provide reasonable assurances that: a) transactions are appropriately authorized; b) financial records are properly maintained; c) assets are safeguarded; and, d) applicable laws, regulations and policies are complied with.
As of March 2010, the design effectiveness testing phase was completed and the testing of the operating effectiveness of key controls has begun to ensure they operate effectively throughout the fiscal year. The action plan for the next year is as follows:
By the end of 2010-11 Health Canada plans to:
- Address the management letter from the audit of the Statement of Financial Position at April 1, 2008 within the areas of the quality of supporting documentation and the accuracy of year-end accruals;
- Continue effectiveness testing of the ICFR using the HC risk-based monitoring plan;
- Initiate an independent assurance report (CICA section 5970 requirements) on the internal controls of the external service provider on behalf of the First Nations and Inuit Health Branch program; and,
- Follow-up on the results of the 2009-10 testing and continue to monitor the effectiveness of the statistical sampling project.
- Date modified: