ARCHIVED - Final Audit Report - Audit of Financial Reporting Controls
December 2010
Executive Summary
Health Canada is required to report its financial results to external parties on an annual basis using Public Accounts of Canada and financial statements.
Public Accounts provide summary level departmental financial information. This information is audited by the Auditor General of Canada and included as a component of the overall Consolidated Accounts of the Government of Canada.
On the other hand, financial statements are intended to provide more detailed financial information regarding a department's financial position and operations. These entity-level financial statements are prepared to withstand the test of an external audit. These financial statements are included in the annual Departmental Performance Report.
The Government of Canada has recently undertaken a government-wide initiative to improve the quality of financial management and internal controls in departments and agencies. Key changes resulting from this initiative include the requirement that all departments, defined under Schedule 2 of the Financial Administration Act, which includes Health Canada, prepare annual financial statements, in accordance with generally accepted accounting principles, that can withstand the test of an audit. There is also a requirement that Deputy Heads sign an annual departmental Statement of Management Responsibility Including Internal Control Over Financial Reporting.
In preparation for auditable financial statements, and in order to be in compliance with the Treasury Board of Canada's Policy on Internal Control, Health Canada has developed the Internal Control over Financial Reporting Framework (ICOFR). The Framework identifies and documents the supporting processes, procedures and related internal controls that must be in place to mitigate financial reporting risks, in the six following key business processes:
- Management of parliamentary appropriations;
- Revenue/receivable/receipts;
- Purchasing/payable/payments including transfer payments;
- Payroll;
- Capital assets; and
- Financial statement preparation, year-end and reporting.
Since the initial development of the ICOFR in 2007-2008, Health Canada has made sound progress in implementing the Framework. For example, for the last fiscal years, the Department has prepared annual financial statements that were supported by the departmental Statement of Management Responsibility Including Internal Control Over Financial Reporting.
The objective of the Audit of the Financial Reporting Controls was to determine whether Health Canada has put in place an effective management control framework that ensures reliable external financial reporting.
In the professional judgement of the Chief Audit Executive, sufficient and appropriate procedures were performed and evidence gathered to support the accuracy of the audit conclusion. The audit findings and conclusion are based on a comparison of the conditions that existed as of the date of the audit, against established criteria that were agreed upon with management. Further, the evidence was gathered in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing.
Overall, the auditors have concluded that Health Canada has an effective management control framework in place that ensures reliable external financial reporting. A comprehensive framework has been designed and is in place. In addition, risk management practices are reasonable, key controls have been designed, including those over year-end transactions and over review and approval, and the timeliness of external financial reporting is reasonable.
Nonetheless, in order to further strengthen overall stewardship and accountability, and improve the management of external financial reporting, recommendations were made in the following areas: roles and responsibilities, and maintenance of key business process documentation.
Management agrees with the recommendations and its response indicates its commitment to take action.
Introduction
Background
Health Canada is required to report its financial results to external parties on an annual basis using Public Accounts and financial statements.
Public Accounts provide summary level departmental financial information. This information is audited by the Auditor General of Canada and included as a component of the overall Consolidated Accounts of the Government of Canada.
On the other hand, financial statements are intended to provide more detailed financial information regarding a department's financial position and operations. These entity-level financial statements are prepared to withstand the test of an external audit. They are included in the annual Departmental Performance Report.
In recent years, the Government of Canada has been carrying out a government-wide initiative to improve the quality of financial management and internal controls. Some of the changes resulting from this initiative include:
- Treasury Board Accounting Standards (TBAS 1.1), which require that all departments defined by Schedule 2 of the Financial Administration Act produce annual financial statements that can withstand the test of an audit; and
- Treasury Board of Canada's Policy on Internal Control, which requires that the Deputy Head sign an annual departmental Statement of Management Responsibility Including Internal Control Over Financial Reporting.
In addition, the Deputy Head and the Chief Financial Officer are required to sign an annual Letter of Representation to the Auditor General and the Deputy Receiver General in support of the Public Accounts covering their responsibilities for internal control and assertions over the integrity of financial information.
The preparation and validation of the financial information in a large department with a decentralized financial operation structure requires good communication and co-ordination. In this regard, it is important for Health Canada to have appropriate internal controls to ensure that financial information is reliable, fairly presented, and fully disclosed. It must also support the assertions made in the annual departmental Statement of Management Responsibility Including Internal Control Over Financial Reporting.
In preparation for auditable financial statements, and in support of the Policy on Internal Control, Health Canada has developed the Internal Control over Financial Reporting Framework. The Framework identifies and documents the supporting processes, procedures, and related internal controls that must be in place to mitigate financial reporting risks, in the six following key business processes:
- Management of parliamentary appropriations;
- Revenue/receivable/receipts;
- Purchasing/payable/payments including transfer payments;
- Payroll;
- Capital assets; and
- Financial statement preparation, year-end and reporting.
Objective
The objective of the audit was to determine whether Health Canada has put in place an effective management control framework that ensures reliable external financial reporting.
Scope and Approach
The audit was undertaken by the Audit and Accountability Bureau in accordance with Health Canada's Risk Based Audit Plan for the period 2009-12.
The audit examined the effectiveness of Health Canada's management control framework that is in place to support the preparation of its financial statements. The audit focussed on the Office of the Comptroller General's Core Management Controls, in particular, on control elements pertaining to risk management, stewardship, people and accountability. Audit criteria have been derived from these controls and have been vetted with management (see Appendix A).
The scope of the audit included a review of the year-end procedures and processes for preparing, reviewing, challenging, and attesting the departmental financial statements and Public Accounts templates and forms within the Financial Operations Directorate and in Health Canada Branches and Regions. The following branches and regions have been included in the audit's scope: Chief Financial Officer Branch (CFOB), Corporate Services Branch (CSB), First Nations and Inuit Health Branch (FNIHB), National Capital Region, Ontario Region and Alberta Region.
This audit covered year-end activities conducted in fiscal year 2009-10. The audit methodology included interviews with key members of the organization, the review of documentation (e.g. departmental policies and procedures), and observation of key processes and controls.
It should be noted that this audit does not provide an overall assessment of the effectiveness of the Department's internal controls over financial reporting. Furthermore, its scope does not include any identification and assessment of internal controls within the key business processes involved in the processing of financial transactions such as: Purchasing/Payable/Payments, Revenue/Receivables/Receipts, Payroll, Capital Assets, etc. Finally, the audit does not provide an opinion on the accuracy of financial statement account balances.
Statement of Assurance
In the professional judgement of the Chief Audit Executive, sufficient and appropriate procedures were performed and evidence gathered to support the accuracy of the audit conclusion. The audit findings and conclusion are based on a comparison of the conditions that existed as of the date of the audit, against established criteria that were agreed upon with management. Further, the evidence was gathered in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing.
Findings, Recommendations and Management Responses
Management Control Framework
Consistency with Legislation and Communication
Audit Criteria
Health Canada's financial management control framework related to financial statement preparation and reporting is consistent with applicable laws and policies and communicated to employees.
Health Canada's financial management control framework sets out the overall departmental standards for sound financial management and controls consistent with the Financial Administration Act, the Federal Accountability Act and the Treasury Board of Canada's Financial Management Policy suite.
Health Canada's Internal Control Over Financial Reporting Framework (ICOFR Framework), an integral part of the overall financial management control framework, sets out the Department's system of internal control by identifying and documenting the supporting processes, procedures, and internal controls in place to mitigate financial reporting risk. Appendix B provides an overview of the key components of the ICOFR Framework.
The ICOFR Framework was developed in fiscal year 2007-08 to ensure that Health Canada will be able to meet the Treasury Board of Canada requirement to produce auditable financial statements and the requirements of the Treasury Board's Policy on Internal Control. This policy requires that Deputy Heads and Chief Financial Officers sign an annual Statement of Management Responsibility Including Internal Control Over Financial Reporting.
The ICOFR Framework is based on the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework, which is one of several control frameworks that are accepted for use in the Federal government by the Treasury Board of Canada Secretariat. The ICOFR Framework is also linked to the Core Management Controls outlined in the Secretariat's Management Accountability Framework. It is important to note that both this framework and the financial management control framework are subsets of the Department's overall system of internal control.
The auditors have examined the ICOFR to assess its soundness. The Framework is comprised of five key components: control environment; financial risk assessment and management; monitoring; control activities; and information and communications. Each key component is supported by a set of principles. Each of these principles must be met in order for the system of internal control to be operational and effective. At the time of the audit, the five key components of the Framework were in place and have continuously improved since 2007, with the goal of full implementation for fiscal year 2012-13.
The ICOFR Framework's Control Environment component has been defined in line with government requirements. The fundamental tenets of the government's Management Accountability Framework have been embedded in that component of the ICOFR Framework.
For the Financial Risk Assessment and Management Component, the auditors noted that Health Canada has been proactive in bringing increased rigour to defining financial reporting objectives and assessing financial reporting risks.
With regard to the Monitoring Component, the audit confirmed that Health Canada is conducting monitoring and assessments on an ongoing basis and is reporting on deficiencies.
With respect to the Control Activities Component, the auditors confirmed that CFOB's Internal Control Division is carrying out monitoring activities and the Audit and Accountability Bureau is conducting internal audits of the activities under that component.
Finally, with regard to the Information and Communications Component, the audit revealed that Health Canada has clearly established requirements for financial reporting information, internal communications, internal control information, and internal and external communications.
The final aspect of the ICOFR Framework's implementation that the auditors examined was the availability and communication of information regarding the ICOFR Framework. The auditors have reviewed the documentation that has been developed and provided to inform all stakeholders involved with the Framework. This review demonstrated that the CFOB has communicated to appropriate stakeholders the information regarding the ICOFR Framework, such as the requirements relating to improving financial reporting. The Department has also actively and effectively engaged the pertinent senior management committees, including the Executive Committee, the Departmental Audit Committee, the Office of the Auditor General, and central agencies throughout the design and implementation of the ICOFR Framework (for example through working groups set up by the Treasury Board Secretariat).
The auditors conclude that Health Canada's ICOFR Framework is comprehensive, complies with applicable laws and policies, and has been well communicated throughout the organization.
Roles and Responsibilities
Audit Criteria
Roles and responsibilities are clearly defined, communicated, and understood.
The CFO issued a document entitled "Financial Management Roles and Responsibilities at Health Canada" in 2007. This document sets out the Department's key business activities related to financial management and delineates the roles and responsibilities across the Department.
This document clearly outlines roles and responsibilities with regard to activities involved in year-end accounting as well as the preparation of Public Accounts and departmental financial statements. These activities are further detailed in a document entitled "Roles and Responsibilities related to the preparation and disclosure of the Departmental Financial Statements at Health Canada".
With respect to activities supporting the "Statement of Management Responsibility Including Internal Controls over Financial Reporting", departmental roles and responsibilities have not been defined in the Financial Management Roles and Responsibilities at Health Canada document. Such roles and responsibilities are only defined at a high level in Appendix B of the Statement. The auditors are of the view that an update to this document would enhance and complement the delineation, communication, and understanding of the activity requirements related to the ICOFR Framework.
Recommendation No. 1
It is recommended that the Chief Financial Officer revise the "Financial Management Roles and Responsibilities at Health Canada" to ensure that activity requirements related to Internal Control Over Financial Reporting are clearly outlined.
Management Response
Management agrees with this recommendation.
Health Canada identified key positions and their respective roles and responsibilities (R&R) in its 2009-10 Departmental Statement of Responsibilities Including Internal Control Over Financial Reporting (ICOFR). This information is at a higher level than the one presented in the 2007 Financial Management R&R document. Taking into account that some of the activities listed in the 2007 Financial Management R&R contribute toward the identification and mitigation of financial risk, CFOB will revise the "Financial Management Roles and Responsibilities at Health Canada" document to further enhance and complement the activity requirements related to the ICOFR.
Training, Tools, Resources, and Information
Audit Criteria
Employees are provided with the necessary training, tools, resources, and information to support the discharge of their responsibilities.
The CFOB has procedures in place to ensure that all parties involved with the preparation and reporting of financial statements are: properly trained; have the necessary tools available to complete their duties; are adequately resourced; and have the information necessary to discharge their responsibilities.
Training
The auditors have reviewed the training measures utilized in the CFOB to determine whether employees involved in financial statement preparation and reporting activities, linked to the preparation of either Public Accounts or financial statements, are properly trained. This review has demonstrated that, although no formal training (classroom, self learning, etc.) is currently provided, training is provided in the form of "on the job" training, in most cases, by professionally designated accountants.
Tools
The audit has demonstrated that several tools are in place to assist employees in carrying out their duties with respect to the preparation of Public Accounts and financial statements. For example, the "Trial Balance Automated Review" tool assists employees in validating the Trial Balance for Public Accounts. Another tool, developed in Excel, is used to assist employees in formatting financial information into financial statements.
Resources
Overall, the CFOB has a group of experienced financial professionals to achieve the full implementation of the ICOFR Framework including the requirements regarding the preparation of Public Accounts and financial statements. The Central Accounting and Reporting Section, within the Public Accounts and Policy Division of the Financial Operations Directorate, has primary responsibility for the preparation of Public Accounts and financial statements.
Although the recruitment and retention of resources to meet the increasing demands related to more rigorous external financial reporting requirements is an ongoing challenge for the CFOB, the Branch has successfully staffed the Central Accounting and Reporting Section, to ensure there is adequate capacity to respond to these increasing demands.
Information
The Central Accounting and Reporting Section has access to and uses information pertinent to the preparation of Public Accounts and financial statements. There are multiple data sources available in this regard. For example, each year this group receives year-end procedures for the preparation of Public Accounts from the Receiver General of Canada. It participates in central agency working groups for departmental officials involved in the preparation of Public Accounts and financial statements. This group liaises on an ongoing basis throughout the year with various central agencies regarding external financial reporting requirements.
Through the above-described means, the Central Accounting and Reporting Section remains abreast of current financial reporting requirements. CAR disseminates this information to appropriate CFOB staff including the Branch Senior Financial Officers (located in the National Capital Region, within each branch) and the Regional Senior Financial Officers (located in each region). At the inception of each annual reporting cycle, the Section also conducts internal workshops for administrative officers and cost centre administrators regarding the year-end closing process.
On the basis of the audit work performed, the auditors are of the view that appropriate training is provided, the existing tools are reasonable, current resource capacity is appropriate, and the information regarding the preparation of Public Accounts and financial statements is properly communicated.
Risk Management
Audit Criteria
Risks related to financial reporting have been identified, assessed, and documented. Management formally responds to its risks.
The requirements related to the above criteria are contained in the Treasury Board of Canada's Policy on Internal Control. The policy objective states "risks relating to the stewardship of public resources are adequately managed through effective internal controls, including internal controls over financial reporting."
The policy requires Deputy Heads and Chief Financial Officers to sign the departmental Statement of Management Responsibility including Internal Control Over Financial Reporting annually. The Statement prefaces the departmental financial statements and indicates that the Deputy Heads and Chief Financial Officers acknowledge responsibility for: an effective system of internal control; the conduct of annual risk-based assessments; establishing action plans to address significant weaknesses found; and summarizing results and actions taken.
In Health Canada, the Chief Financial Officer has primary responsibility for corporate risk management and ensuring the Corporate Risk Profile is kept up to date and risk management activities are focused on areas of highest risk. Modifications to the Corporate Risk Profile are periodically presented to the Senior Management Committee and the Departmental Audit Committee. A key component of the Corporate Risk Profile relates to financial management, including risks over financial reporting with a particular focus on key financial statement accounts, key locations, related processes, and IT systems.
During their examination of risk management, the auditors assessed practices relative to the following four Core Management Controls issued by the Office of the Comptroller General:
- Management has a documented approach with respect to risk management related to financial management;
- Management identifies the risks that may preclude the achievement of its objectives;
- Management assesses the risks it has identified; and
- Management formally responds to its risks.
Documented Approach
Management has a documented approach with respect to risk management related to financial reporting.
"Financial Reporting Risk Assessment and Management" is an integral component of the ICOFR Framework. The CFOB has outlined the Department's approach to risk management related to financial reporting in a draft document entitled "Health Canada's Approach to Assessing and Managing Risks Related to Financial Reporting". The guidance clearly outlines the key tools and activities to be addressed in assessing financial reporting risks. It breaks down the risk management process as follows: understanding financial reporting objectives; identifying financial reporting risk areas; assessing financial reporting risk; implementing a financial reporting risk control strategy; and, monitoring, evaluating, and revising the strategy as required.
Risk Identification
The CFOB uses three key tools/activities to identify financial reporting risk areas: Financial Statement Account Assessment (decomposition); Key Process Description (Flowchart and Internal Control over Financial Reporting Matrix); and the "Financial Reporting Risk Assessment".
Financial Statement Account Assessment (decomposition) activities are carried out annually by the CFOB. Each account represented in the Department's financial statements is analysed for inherent risks that may materially misstate the financial statements. In assessing risk related to individual accounts, the likelihood and impact of risk are analyzed. Quantitative and qualitative factors are considered during the assessment process.
Activities related to Key Process Description, Flowchart and Internal Control over Financial Reporting Matrix are carried out by the Internal Control Division on an ongoing basis. The Division has documented the key processes supporting financial reporting using narrative process descriptions and process flowcharts. For each process, the key risks and related controls have been identified. The Internal Control Matrix identifies and documents the control objectives, activities designed to address risks, and cross-references key controls to the process flowcharts.
The Financial Reporting Risk Assessment is conducted annually by the Internal Control Division in the CFOB. It is intended to provide the Chief Financial Officer with assurance that financial reporting risks have been adequately mitigated to permit the Department to produce reliable financial statements. The Assessment provides feedback with respect to the overall risks identified in the ICOFR Framework as well as those identified through the individual account assessment.
Risk Assessment
During the fiscal year 2009-10, the CFOB took action to improve the Department's capability to assess financial reporting risk. For example, the Internal Control Division led the development of the "Health Canada Operating Effectiveness Strategy" that came into effect in the fall of 2009. The purpose of the Strategy is to provide details regarding the approach to test and document the operating effectiveness of Health Canada's internal control activities. The full monitoring strategy is detailed in the draft "Guide to Monitoring Internal Control over Financial Reporting." The strategy covers the entire system of internal control at Health Canada and includes testing key control activities (manual and automated).
The scope of the Strategy includes testing the manual key controls and reporting for 23 processes that have been documented (process flowcharts and key internal control matrices) across all Regions and Headquarters in Ottawa. The plan is to conduct the testing over a three-year period using a risk based approach. According to the Strategy document, the focus of the Strategy in 2009-2010, the first year of its implementation, was to test the operating effectiveness of key manual internal controls in selected business processes. The audit work confirmed that during the fiscal year 2009-10, the Internal Control Division carried out its strategy and assessed the risks associated with the following key business processes: transfer payments; payroll; materiel management; capital assets; travel; and service revenue.
The Internal Control Division completed its second Annual Assessment of Financial Reporting Risk prior to the signing of the 2009-10 Statement of Management Responsibility including ICOFR by the Chief Financial Officer and the Deputy Minister. It also prepared Appendix B to the Statement of Management Responsibility including ICOFR. This latter document includes pertinent information regarding Health Canada's assessment results regarding the design and operational effectiveness of key controls. Appendix B also provides Health Canada's Action Plan, which clearly states the progress made during the fiscal year 2009-10 and the action plan for 2010-11. This action plan includes continuing effectiveness testing of the ICOFR using the departmental risk-based monitoring plan.
As part of the financial reporting risk assessment, the Internal Control Division took into account the results of recently completed audits or evaluations including an audit of the opening balances as shown on the Statement of Financial Position.
Responding to Risk
Management is formally responding to the risks it is facing with respect to financial reporting, as per the Policy on Internal Control, and the requirement to produce auditable financial statements through progressive implementation of the ICOFR Framework.
Management is formally responding to specific risks identified at the entity level as well as those identified in the key business processes, as evidenced by the fact that these risks are being formally identified, assessed, and managed by both program and financial management officials. Where risks have been identified and controls are not in place or the controls in place are insufficient to mitigate risk to an acceptable level, action plans are established to improve controls. The audit confirmed that senior management actively oversees the implementation of the action plans and that weaknesses identified are being remedied in a complete and timely fashion.
The auditors reviewed and analyzed documentation and conducted interviews with CFOB staff to determine the reasonableness of financial risk assessment and management practices with regard to the adequacy of the documented approach to risk management, risk identification, risk assessment and Health Canada's response to the risks identified.
On the basis of the audit work conducted in this regard, the auditors have reached the conclusion that overall, sound financial reporting risk practices are in place.
Key Controls
Documentation and assessment of key controls
Audit Criteria
Key Controls over financial reporting have been documented and assessed.
Key controls over financial reporting have been documented. As at March 31, 2010, management had completed its testing of the design effectiveness of key controls in place in its major business processes. That is, management had conducted walkthroughs of each major business process to verify whether the processes described corresponded to the actual practices. In assessing design effectiveness, they also ensured appropriate alignment of each key control with the risks it was designed to mitigate. As a result of the design effectiveness testing, Health Canada identified several activities that require enhancement to strengthen overall financial control. The actions required include: standardizing the quality, reliability and availability of the documentation of procedures and controls in headquarters and regions; improving data reconciliation and integrity; and strengthening IT controls (access controls, program and data change procedures, backup and recovery).
During the fiscal year 2009-10, management commenced activities aimed at assessing the operating effectiveness of key controls. These activities included: the development of a risk-based three year operating effectiveness testing plan; a risk-based statistical sampling account verification regime; monitoring of procurement and contracting activities; monitoring of payroll activities; and, an external audit of the Statement of Financial Position.
During the same timeframe, Health Canada has completed several audits, the results of which are intended to contribute to improving the quality of financial reporting in the Department. They include the audit of asset management; financial forecasting and year-end procedures; and, various audits dealing with the integrity of the systems feeding the financial system (SAP). In addition, an internal audit of payroll administration is currently underway and plans are in place to audit other key business processes such as the Purchasing/Payable/Payments cycle.
The auditors' examination revealed that progress has been made with respect to the assessment of the key controls in place in Health Canada's major business processes. Notwithstanding the progress made in the past years to improve the integrity of financial reporting in the Department, the auditors are of the opinion that the Chief Financial Officer should remain vigilant to ensure the progress is sustained.
In order to meet the March 31, 2013 deadline for auditable financial statements, the auditors are of the opinion that emphasis should be maintained on the completion of testing the operating effectiveness of controls in key business processes and the operational effectiveness of IT General Controls. The CFOB has clearly recognized this as an important area and therefore has included operating effectiveness testing in 2010-11.
The auditors analyzed whether the documentation of the key business processes remains current. The analysis revealed that some descriptions dated back to 2007 and half of the documentation had not been validated during the fiscal year 2009-10. In addition, it was revealed that some process owners were unclear about their responsibility to update the process description. As a result, the auditors are of the view that there is a need to formalize the process for updating the key business processes descriptions maintained by the Internal Control Division. This would assist the Division with the revision and update of the risk based monitoring plan supporting the Statement of Management Responsibility Including Internal Control Over Financial Reporting.
Recommendation No. 2
It is recommended that the Chief Financial Officer ensure that the process for updating the key business processes descriptions is documented.
Management Response
Management agrees with this recommendation.
The process owners' roles and responsibilities (R&R), which are aimed at informing the Internal Control Division of revisions and updates in their respective processes, and providing an annual validation, will be formalised and documented as part of the update and enhancement to the "Financial Management Roles and Responsibilities at Health Canada" document referred to in recommendation 1.
CFOB will use its three year risk based monitoring plan as a phase-in strategy towards the implementation of the annual process owners' validation.
Control over the recording of year-end transactions
Audit Criteria
The internal control processes in place are appropriately designed to mitigate the risks related to year-end transaction processing.
The CFOB has functional responsibility for ensuring that internal control processes are appropriately designed and operating to mitigate the risks related to year-end transaction processing.
The CFOB has put into place an elaborate mechanism that is intended to mitigate risks related to year-end transaction processing. From an organizational perspective, the CFOB has a team of professionals who have considerable experience with the preparation of Public Accounts. Secondly, direction and guidance regarding year-end procedures provided by the Receiver General of Canada, Public Works and Government Services Canada and the Treasury Board of Canada Secretariat are very prescriptive, well-entrenched, and generally well understood in Health Canada's financial community. On the other hand, there is not the same degree of detailed guidance and experienced resources in place or available with regard to the preparation of financial statements. This is understandable as the preparation of financial statements at the department and agency level is a relatively new requirement in the federal government.
Therefore, as previously mentioned, there is an ongoing need to ensure that the Corporate Accounting and Reporting (CAR) Section in the Public Accounts and Policy Division remain fully staffed with experienced professionals. This is particularly important given the ongoing changes in public sector reporting requirements driven by the demand for improved financial disclosure.
The auditors performed a review of the measures undertaken in the CFOB to ensure the efficacy of year-end transaction processing. They examined the roles of the Corporate Accounting and Reporting (CAR) Section in the Public Accounts and Policy Division, the Accounting Operations and Systems Division and the Internal Control Division in headquarters and the involvement of Branch Senior Financial Officers and Regional Senior Financial Officers as they relate to year-end transaction processing.
They also examined the adequacy of the guidance documentation provided to all constituents involved with the preparation of external financial reports and they assessed the reasonableness of the tasks carried out to ensure the integrity of year-end transaction processing.
On the basis of the audit work performed, the auditors are of the view that reasonable measures were undertaken by the respective CFOB groups involved in the management of the risks associated with year-end transaction processing.
System Application Controls Over Year-End Transactions
The ICOFR Framework indicates that Health Canada is documenting its systems of internal controls, including information technology General Controls. The Framework also indicates that, for each business process, there are control activities regarding the management of information (e.g. IT Application Controls and Database and Records Management Controls).
The auditors' examination included interviews with the Internal Control Division staff regarding system application controls over year-end transactions. The review of the 2009-2010 Risk Assessment Binder prepared by the Division revealed that general computer controls of the financial system (SAP) had been tested.
The auditors interviewed staff of both the CAR and the Framework for Integrated Resource Management System (which is part of CFOB's Financial Operations Directorate, within the Accounting Operations and Systems Division). This allowed the auditors to confirm that access controls are in place with regard to SAP and other systems used for the preparation of Public Accounts and financial statements. As a result of their examination, the auditors noted several good practices regarding CAR's efforts to ensure the integrity of system application controls over year-end transactions. For example, only authorized users are allowed to log in to the Public Accounts Preparation System, the system used to record the Public Accounts plates. Segregation of duties requirements have been considered prior to granting access to SAP. Access to record post year-end transactions in SAP is limited to authorized employees.
Financial Reporting
Review and approval of financial reporting
Audit Criteria
Financial reporting is reviewed and approved.
The requirements regarding the review and approval of Public Accounts and financial statements are contained in departmental policies, procedures, directives, and guidance.
Guidance regarding Public Accounts and financial statements reporting can also be found in other departmental sources. For example, the ICOFR Framework provides information regarding financial reporting requirements. Health Canada's Intranet site provides useful guidance regarding ICOFR including financial reporting requirements. It also provides comprehensive information regarding Financial Policies, Procedures and training including specific requirements regarding financial reporting.
The auditors' examination focused on the processes to ensure the completeness, accuracy, and reasonableness of information in Public Accounts and financial statements; the approval processes, including sign-offs; and the practices to detect significant control breakdowns.
The auditors examined whether the Department's policies, directives, procedures and guidance provide appropriate direction regarding financial reporting requirements related to the preparation of the Public Accounts and Financial Statements. The auditors examined the processes and activities conducted by the CFOB in preparing these two reports. They interviewed key CFOB officials, reviewed and analyzed extensive documentation and observed the processes surrounding the preparation, review and approval of these reports. The auditors found that the CFOB was compliant with requirements for reviewing and approving reports.
The Public Accounts and financial statements were thoroughly reviewed and approved at various stages of completion; corrections were made to these reports with the result that the final versions of these documents had gone through an appropriate level of challenge. This demonstrated that an appropriate governance structure is in place to ensure the integrity of financial reporting. This is evidenced by the fact that the Senior Management Board Subcommittee on Finance, Evaluation and Accountability and the Departmental Audit Committee were actively engaged in key phases of the development of these documents. These senior-level committees were apprised of significant matters relating to financial reporting, were given the opportunity to review and provide input on the Internal Control over Financial Reporting Framework and on the initial drafts of the Public Accounts and the financial statements and the accompanying Statement of Management Responsibility Including Internal Control over Financial Reporting and Public Accounts.
The auditors conducted interviews, reviewed, and analyzed documentary evidence to verify that there was compliance with the requirements for the review and approval of Public Accounts and financial statements. On the basis of the audit work performed, the auditors conclude that these requirements are met.
Appropriate and timely financial reporting
Audit Criteria
Appropriate and timely financial reporting is communicated internally and externally.
Health Canada's ICOFR Framework sets out the general requirements regarding appropriate and timely financial reporting and how these reports should be communicated internally and externally. The Framework specifies the particular requirements for the preparation of Public Accounts and financial statements supported by the Statement of Management Responsibility Including the Internal Control Over Financial Reporting and the accompanying Appendix B.
Health Canada's Draft "Guideline for the Information and Communication Component of ICOFR" sets out the Department's approach to the Information and Communications component of the ICOFR Framework and the processes needed to satisfy the Framework. This guideline states that it is critical that reports contain appropriate data to support effective control. It further indicates that the quality of information includes ascertaining whether it is current, accurate and accessible.
The auditors' examination consisted of interviews, review, and analysis of documentation and a review of the reasonableness of the processes applied to prepare the Public Accounts and the financial statements.
The auditors did not perform a detailed assessment of the quality/appropriateness of the information contained in the Public Accounts or in the financial statements. Therefore, the auditors are not in a position to express an opinion regarding the quality/appropriateness of the content in these documents.
However, the auditors did examine the reasonableness of the process followed to ensure appropriate information was included in these external financial reports. They also reviewed the schedules for preparing the Public Accounts and the financial statements for the fiscal year 2009-10.
The auditors conclude, on the basis of their examination, that the process has sufficient rigor to ensure adequate information is contained in the external financial reports. Furthermore, the auditors determined that Health Canada met its external financial reporting deadlines.
In summary, reasonable and timely financial reporting is occurring in the Department.
Conclusion
The auditors have concluded that Health Canada has an effective Management Control Framework in place that ensures reliable external financial reporting. A comprehensive management control framework has been designed and is in place. In addition, risk management practices are reasonable, key controls have been designed, including those over year-end transactions, and the review, approval, and timeliness of external financial reporting are reasonable.
Nonetheless, in order to further strengthen overall stewardship and accountability, and improve the management of external financial reporting, recommendations were made in the following areas: roles and responsibilities, and maintenance of key process documentation.
Appendix A - Audit Criteria
Management Control Framework
- Health Canada's financial management control framework related to financial statement preparation and reporting is consistent with applicable laws and policies and communicated to employees.
- Roles and responsibilities are clearly defined, communicated, and understood.
- Employees are provided with the necessary training, tools, resources, and information to support the discharge of their responsibilities.
Risk Management
- Risks related to financial reporting have been identified, assessed, and documented. Management formally responds to its risks.
Key Controls
- Key Controls over financial reporting have been documented and assessed.
- The internal control processes in place are appropriately designed to mitigate the risks related to year-end transaction processing.
Financial Reporting
- Financial reporting is reviewed and approved.
- Appropriate and timely financial reporting is communicated internally and externally.
Source: Guide on Internal Audit, Core Management Controls, Treasury Board of Canada Secretariat, Office of the Comptroller General of Canada, November 2007.
Appendix B - Key Components of the Internal Control Over Financial Reporting Framework
Source: Health Canada Draft Internal Control over Financial Reporting (ICOFR) Framework, January 2008.