Final Audit Report - Audit of Internal Controls over Financial Reporting and Financial Statement Readiness

June 2013

Table of Contents

Executive summary

This audit focused on the Department's progress towards achieving operating effectiveness of internal controls over financial reporting (ICFR) and sustaining a financial statement audit. Recent government initiatives such as the development and implementation of Treasury Board's Policy on Internal Control and Policy on Financial Resource Management, Information and Reporting are aimed at strengthening public sector financial management and reporting, as well as internal controls.

Departments are required to take measures to ensure that they can sustain a control-based audit of their annual financial statements. A control-based audit is an audit in which the auditor gains assurance through the testing of internal controls over relevant financial statement assertions. A control-based approach can be used if the external auditor is able to obtain a high level of assurance that ICFR are effective in preventing, detecting and correcting material misstatements in the financial statements.

The Office of the Comptroller General's expectation to ensure readiness is that this will be achieved through the implementation of the Policy on Internal Control. Health Canada committed to having an effective system of ICFR and being able to sustain a financial statement audit.

The objective of the audit was to assess Health Canada's readiness to achieve operating effectiveness of ICFR and to sustain a financial statement audit.

In the professional judgement of the Chief Audit Executive, sufficient and appropriate procedures were performed and evidence gathered to support the accuracy of the audit conclusion. The audit findings and conclusion are based on a comparison of the conditions that existed as of the date of the audit, against established criteria agreed upon with management. Further, evidence was gathered in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing. The audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program.

The Department has adequate governance that includes an effective oversight body and clear accountabilities aimed at achieving operating effectiveness over ICFR and sustaining a financial statement audit. The Chief Financial Officer Branch has put in place a plan to attain effective ICFR. Significant progress was made during 2012-13 in assessing the operating effectiveness of the ICFR and continues to be made in 2013-14. Weaknesses were found, but remediation strategies have been initiated to correct the issues.

The process and documentation in place demonstrate that the Department is ready to sustain a financial statement audit.

To support the Department's operating effectiveness of ICFR and financial statement audit readiness objective, recommendations were issued in the following areas: system of internal controls (information technology and business processes) as well as documentation, reconciliations and source data.

A - Introduction

1. Background

Recent government initiatives have been aimed at strengthening public sector financial management and reporting and internal controls. Through its initiative of the renewal of financial management policies, Treasury Board (TB) introduced the following two policy instruments to enhance accountability and transparency. 

The TB Policy on Financial Resource Management, Information and Reporting requires the Deputy Head to take measures to ensure that the Department can sustain a control-based audit of its annual financial statements.Footnote 1 A control-based audit is an audit in which the auditor gains audit assurance through the testing of internal controls over relevant financial statement assertion.Footnote 2 This means that an auditor has sufficient confidence that the Department's internal controls relevant to the audit have been operating effectively throughout the year, so that substantive testing, the detailed testing activities performed on account balances by the auditor to detect material misstatement, can be reduced. The Office of the Comptroller General's expectation to ensure readiness is that this will be achieved through the implementation of the Policy on Internal Control.

The TB Accounting Standard 1.2 requires departments to produce financial statements in accordance with Generally Accepted Accounting Principles (GAAP) under the Canadian Institute of Chartered Accountants (CICA) Public Sector Accounting Handbook.

Departments have been preparing financial statements in accordance with GAAP since 2001-02. In 2004, the Government of Canada announced its intention to have audited departmental financial statements; however, this intention was modified in 2010.   Departments are now required "...to be capable of producing financial statements that can withstand a control-based audit... Rather, the decision on whether an audit is required, either in whole or in part, will be left up to the Comptroller General."Footnote 3 Health Canada committed to having an effective system of internal controls over financial reporting (ICFR) and being able to sustain a financial statement audit.

Achieving effectiveness of ICFR is a significant undertaking, since Health Canada qualifies as a large department, employing over 10,000 employees, with expenditures in excess of $3.3 billion per annum. The Chief Financial Officer Branch (CFOB) is responsible for financial management and reporting, achieving a control-based audit of financial statements and implementing the Policy on Internal Control. In addition, to gain efficiencies and streamline processes, CFOB is currently centralizing its accounting offices from seven centers across Canada into two centers, namely Winnipeg and National Capital Region. To this end, the CFOB is faced with many priorities and devotes resources accordingly to their achievement.

Health Canada commissioned a readiness assessment in 2007 to determine its ability to sustain a control-based audit of its financial statements. This resulted in the identification of deficiencies requiring remedial action.

In 2009, TB introduced the Policy on Internal Control, requiring the Deputy Head and the Chief Financial Officer to sign an annual departmental Statement of Management Responsibility Including Internal Control over Financial Reporting. This policy requirement is intended to acknowledge management's responsibility for maintaining an effective system of internal controls to ensure reliable financial information, safeguarding of assets and proper authorization of transactions. In addition to improving management's accountability over financial reporting, full implementation of the Policy on Internal Control is key to sustaining a control-based audit.

In response, Health Canada developed the ICFR Framework, which identifies and documents the main business processes and controls using a standardized approach. A plan to evaluate the effectiveness of internal controls within the main processes has been developed. Health Canada aims to have an effective system of ICFR and being ready to sustain a financial statement audit.

The Portfolio Audit and Accountability Bureau conducted a series of audits aimed at understanding and assessing specific business processes as part of Health Canada's ICFR Framework to support the departmental financial statements. These include: Audit of Respendable Revenues (2009), Audit of Financial Forecasting and Year-End Expenditures (2009), Audit of Capital Asset Management (2009), Audit of Contracting for Services (2010), Audit of Capital Contribution Agreements (2010), Audit of Payroll Administration (2010), Audit of Financial Reporting Controls (2010), Audit of SAP General Controls (2010), Audits of Key Financial Controls (2011 and 2012) and Audit of Purchasing, Payables and Payments Process (2012).

2. Audit objective

The objective of the audit was to assess Health Canada's readiness to achieve operating effectiveness of ICFR and to sustain a financial statement audit.

3. Audit scope

The audit focused on the progress towards achieving operating effectiveness of ICFR and readiness of sustaining a financial statement audit based on the latest financial statements prepared by the Department (March 2012).

The audit does not provide an opinion on the accuracy of the balances presented in the financial statements.

The audit was conducted between September 2012 and April 2013.

4. Audit approach

The audit methodology included: inspection of documentation, examination of policies and procedures, standards and guidelines, processes and frameworks, interviews and inquiries with employees, as well as testing and analytical procedures.

To assess readiness of the Department's internal control effectiveness, the audit leveraged previous work performed by the Portfolio Audit and Accountability Bureau, namely the Audit of Key Financial Controls, tabled at the Departmental Audit Committee on October 4, 2012.

The audit criteria, outlined in Appendix A, was developed using the Office of the Comptroller General Internal Audit Sector's Audit Criteria related to the Management Accountability Framework: A Tool for Internal Auditors, TB Policy on Internal Control, TB Policy on Financial Resource Management, Information and Reporting and best practices for audit preparedness based on the audit requirement process, detailed as part of the Canadian Auditing Standards published by the CICA.

5. Statement of conformance

In the professional judgment of the Chief Audit Executive, sufficient and appropriate procedures were performed and evidence gathered to support the accuracy of the audit conclusion. The audit findings and conclusion are based on a comparison of the conditions that existed as of the date of the audit, against established criteria that were agreed upon with management. Further, the evidence was gathered in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing. The audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program.

B - Findings, recommendations and management responses

1. Governance

1.1 Oversight

Audit criterion: An effective oversight body exists to oversee and monitor progress towards achieving operating effectiveness of internal control over financial reporting and sustaining a financial statement audit.

The Executive Committee (EC) is Health Canada's central decision-making body. The Departmental Audit Committee (DAC) also provides oversight in its advisory role to the Deputy Minister. The EC and the DAC receive regular progress updates from the Chief Financial Officer Branch (CFOB) to oversee and monitor progress towards achieving operating effectiveness of internal controls over financial reporting (ICFR) and sustaining a financial statement audit. Plans such as the project roadmap, taking a risk-based approach to key controls testing and a risk-based monitoring strategy have been communicated to EC and DAC.

Senior management within CFOB is informed of the progress towards achieving readiness through weekly meetings, where various finance related issues and initiatives, including progress on implementing the Policy on Internal Control and financial statement readiness are discussed.

1.2 Strategic planning

Audit criterion: The Department has in place adequate plans and directives aimed at achieving operating effectiveness of internal controls over financial reporting and sustaining a financial statement audit.

An adequate plan outlines planned initiatives and activities to meet the Department's objectives and should include: clear objectives and activities to be delivered; expected results and performance targets and a process for monitoring progress. Operating objectives should also be reviewed continuously to ensure that they are realistic and where required, the plan should be amended to reflect new operational requirements.

In 2011, Health Canada determined that the Department was not ready to demonstrate effectiveness of ICFR. CFOB revised the plan to include clear objectives, activities to be delivered, implementation considerations, timetables for the realization of objectives and a process for monitoring progress in order to address readiness gaps.

CFOB also designed a risk-based monitoring strategy that was to commence following the completion of the initial testing of operating effectiveness. The Chief Financial Officer emphasized the need to maintain a risk-based focus to the ICFR program to ensure prioritized and coordinated ICFR activities throughout the Department and to track progress to enable ongoing reporting on the effectiveness of internal controls.

Testing of internal controls often resulted in the identification of control weaknesses; requiring changes by process owners within and outside of CFOB. Based on most recent information available for review in April 2013, testing of operating effectiveness had been completed by March 31, 2013 and 39 high risk control weaknesses had yet to be remediated as of that date (one information technology general control - see Table 1; 38 financial reporting controls - see Table 3).

Significant progress was made during 2012-13 in assessing the operating effectiveness of the ICFR and continues to be made in 2013-14. Remediation strategies have been initiated to correct the weaknesses and the Department will also initiate the monitoring phase of its ICFR.

1.3 Accountabilities

Audit criterion: Authorities, roles and responsibilities aimed at achieving operating effectiveness of internal controls over financial reporting and sustaining a financial statement audit are clearly defined and communicated.

Accountability consists of an appropriate organizational structure that clarifies authorities, responsibilities and the duty to report. This involves a delineation of responsibilities, delegation of authorities, segregation of duties and lines of communication to promote effective coordination.

Health Canada's authorities, roles and responsibilities for financial statements have been clearly defined and formalized in two documents, namely the roles and responsibilities for ICFR and the roles and responsibilities related to the preparation and disclosure of the departmental financial statements at Health Canada.

The former communicates the authorities, roles and responsibilities aimed at achieving a control-based audit of financial statements and implementation of the Policy on Internal Control, while the latter relates to the preparation and disclosures of the departmental financial statements in accordance with Generally Accepted Accounting Principles (GAAP) and Treasury Board Accounting Standard (TBAS). Both documents are clearly understood by CFOB (Central Accounting and Reporting (CAR), Internal Control Division (ICD), Accounting Operations) as well as by various process owners outside of CFOB.

1.4 Capacity

Audit criterion: Management has adequate resources aimed at achieving operating effectiveness of internal control over financial reporting and sustaining a financial statement audit.

Adequate capacity is defined as sufficient human resources with the necessary skills and expertise to support the achievement of the Department's objectives within set timelines.  Achieving effectiveness over ICFR and financial statement audit readiness requires coordinated resources from both CAR and ICD within CFOB. CAR's resources are focused on the preparation of the financial statements, while ICD's resources are focused on leading the ICFR effectiveness initiative. It is important to note these controls are embedded into other divisions within the Department, including CFOB.

The organizational structure of CFOB's CAR and ICD was assessed as these groups are primarily involved in the preparation of a financial statement audit. Each division is led by a certified experienced accountant that provides adequate supervision which demonstrates necessary divisional expertise.

The audit assessment of the documentation, reconciliation and source data for opening and year-end balances demonstrated that CAR has the necessary capacity to sustain an audit by external auditors, including providing timely explanations and clarifications to audit queries.

ICD has adequate resources to complete the operating effectiveness testing of ICFR. However, as noted above, the development and implementation of remediation are embedded in other divisions within CFOB and other branches which were at different stages of implementation as at March 31, 2013.

Achieving operating effectiveness over ICFR involves ongoing monitoring of internal controls. CFOB has adopted a risk-based monitoring strategy based upon a three-year rolling cycle. Currently, based upon this strategy, ICD has adequate resources for ongoing monitoring of internal controls.

2. Risk management

2.1 Risk management

Audit criterion: Risks that impact the achievement of operating effectiveness of internal controls over financial reporting and financial statement audit readiness are identified, assessed, documented and managed on an ongoing basis.

Risk management involves responding to risks that could prevent the Department from achieving its objectives. This involves having a systematic approach to identifying, assessing, mitigating, communicating and following-up on risks. Formalizing risk management activities adds rigour to the risk management process.

The risks that could impact the achievement of the operating effectiveness of ICFR for fiscal year 2013-14 have been identified and documented. The ICD maintains, tracks and monitors ICFR readiness risks raised by external consultants. In addition, issues raised by the Portfolio Audit and Accountability Bureau, the Office of the Auditor General and the Office of the Comptroller General are logged in a formalized document. Each risk identified has been risk ranked, prioritized and aligned to a mitigating strategy.

The risk of ICFR readiness is dependent on the results of the testing and the required implementation and effectiveness of remediation strategies. Internal control weaknesses have been assessed based on the risk and impact on the financial statements, and if deemed significant, CFOB, in collaboration with process owners has implemented strategies to manage risks.

3. Internal controls

3.1 Monitoring readiness

Audit criterion: Management has adequate monitoring processes over the departmental preparedness to achieve operating effectiveness of internal control over financial reporting and to sustain a financial statement audit.

Monitoring involves ongoing management and supervisory activities to assess progress towards departmental objectives. An important component for achieving audit readiness is an effective system of ICFR.

ICD monitors all observations requiring management actions. This information is updated and shared regularly with senior management within CFOB. In addition, senior management, including the Chief Financial Officer, receives regular updates on the status of the project. The DAC is also updated on the progress quarterly. These processes ensure that progress over the preparedness to achieve a control-based audit of financial statements is to be assessed and monitored in a timely manner.

As indicated in section 1.1, the Department's progress was communicated to senior management.

3.2 System of internal controls - Entity level

Audit criterion: Management has in place a process to document and assess entity level controls.

"Entity level controls refer to those controls and practices in place that permeate across the department and that may have a direct or indirect impact or influence on the integrity of the department's financial reporting."Footnote 4

Management is expected to have in place a process to document and assess key components of its entity level controls, namely values and ethics, employee learning and awareness, governance and risk management. The quality of entity level controls affects the strength of the control environment, which is fundamental for a control-based approach.

The Department's entity level controls are supported by frameworks, policies, activities and procedures. The review of entity level controls included the assessment of control activities within each key component and no issues were identified.

3.3 System of internal controls - Information technology

Audit criterion: Management has in place a process to document and assess information technology general controls.

Information technology general controls (ITGCs) are controls that impact the overall Department-wide information technology (IT) environment, such as access to computer programs and data, program changes, program development and computer operations. For an organization to rely on automated controls to support the achievement of its financial reporting objectives, relevant ITGCs for the related underlying systems must also be designed and operating effectively.Footnote 5

The Department's ITGCs were documented, assessed and tested by an external firm in April and May 2012. Some weaknesses were identified, specifically in relation to SAP, the financial system. The Department has implemented corrective measures and the ITGCs were re-tested prior to the end of March 2013. Six weaknesses were identified as part of the re-testing of the ITGCs, one of which is considered to be high risk as noted in Table 1.

Table 1 - ITGCs Weaknesses Identified as Part of the ITGCs Re-testing as of end of March 2013
# Risk Observations
1 High Lack of segregation of duties: change management (SAP) - in some cases, changes to SAP were developed, tested and moved into production by the same individual.
2 Medium Lack of effective user access removal procedures (SAP).
3 Medium Lack of effective formal access review procedures (SAP).
4 Low Evidence of monitoring changes to key tables is not retained for audit purposes (SAP).
5 Medium Evidence of job monitoring is not retained for audit purposes (SAP).
6 Medium Lack of effective user access removal procedures (PeopleSoft).

Source: ICD Summary of Observations.

The ITGCs weaknesses found will need to be remediated to achieve operating effectiveness of the Department's ICFR (refer to Recommendation 3).

The Department's plan does not consider obtaining assurance over the effectiveness of controls exercised by other governmental departments whose services directly impact the control environment. Systems where controls are exercised by other governmental departments are described in Table 2.

Table 2 - Systems Where Controls are Exercised by Other Governmental Departments
Systems Service Provider Use of Systems
PeopleSoft Agriculture and Agri-Food Canada Capture and track Health Canada's HR-related financial transactions (leave, etc.).
Regional Pay System Public Works and Government Services Canada Calculate employee pay and deductions (compensation).
Grants & Contributions Information Management System (to be implemented by April 2014) Aboriginal Affairs and Northern Development Canada Manage and monitor grants and contributions.

Source: CFOB

The reliance on intergovernmental systems is a recognized concern with respect to ICFR and audits of financial statements across the federal government. Treasury Board does not require that formal assurance be obtained for the Policy on Internal Controls. However, it is expected that departments will initiate discussions in order that better visibility can be obtained over the effectiveness of controls for systems hosted by other departments.

Recommendation 1

It is recommended that the Chief Financial Officer, in collaboration with the Assistant Deputy Minister, Corporate Services Branch, ensure that assurance can be obtained over the effectiveness of controls for systems (PeopleSoft and Regional Pay System) hosted and supported by Agriculture and Agri-Food Canada and Public Works and Government Services Canada respectively to ensure that these controls can be relied upon in the event of either a financial statement audit or a specific audit providing assurance on the effectiveness of the internal control over financial reporting for fiscal year 203-14. (Assurance will also need to be obtained for the Grants & Contributions Information Management System once it is operational).

Management response

Management agrees with the recommendation.

In the government context of hosting and shared services, it is important to deputies and chief financial officers to ensure that mechanisms are in place to receive means of assurance of controls managed on their behalf by other entities. Departments will not be seeking formal letters of assurance from one another until further direction is provided by the Office of the Comptroller General.

Health Canada will continue to participate in the discussion and will implement the government strategy and approach as it evolves.

Management will ensure that its various Memorandums of Understanding and/or Service Agreements clearly outline the authority of the user entity to obtain assurance over the effectiveness of controls conducted by a service organization. Discussions are still ongoing as to the best approach to obtain this assurance and options include: obtain assurance through third party auditor, directly perform internal audit in the service organizations, rely on internal audit work carried out at the service organizations and information reflected in their statements of management responsibility including Annex B or a combination thereof.

3.4 System of internal controls - Business processes

Audit criterion: Management has in place a process to document, assess and monitor business process controls.

"The assessment of control operating effectiveness involves assessing the extent to which a key control has been operating as intended over a specified period of time such as a fiscal year. Tests of operating effectiveness are intended to demonstrate the reliability of the controls over a period of time in reducing related financial reporting risks. They are conducted by selecting a sample of actual transactions over the fiscal year and testing them to determine if the control was performed consistently and as required based on organizational policy and procedures."Footnote 6

The operating effectiveness of internal controls over significant business processes include: identification of the significant business processes, documentation of the significant business processes, identification of business process level risks, alignment of key internal controls and risks and the performance of a walkthrough and testing of operating effectiveness.

The Department's internal controls for the significant business processes have been documented using flowcharts, narrative descriptions and internal control matrices. Certain narrative descriptions and flowcharts were out-of-date, for example, payroll. Nevertheless, ICD's work plans reflected current key controls.

The Department's assessment of the operating effectiveness of ICFR has been completed for all significant business processes by March 31, 2013. The testing led to the identification of significant control deficiencies (74 control deficiencies with 38 assessed as high risk as indicated in Table 3) by ICD. A remediation plan has been developed and is being implemented.

Table 3 - Results of Operating Effectiveness Testing as of end of March 2013
Significant Business Processes CFOB's Overall Initial Risk Assessment High Risk Key Control Deficiencies Number of Key Controls
Capital assets Medium 5 13
Financial statements, year-end & reporting High 4 24
Interdepartmental settlements Medium 0 3
Payroll Medium 6 20
Purchasing, payables and payments Medium 8 20
Revenue, receivables and receipts Medium 13 23
Non-insured health benefits - Medical transportation Medium 0 10
Non-insured health benefits - Third party processing High 0 3
Vision care/Indian residential schools High 0 22
Grants and contributions (First Nations and Inuit Health Branch (FNIHB) and non-FNIHB) Medium 2 21
Travel Medium 0 5
Acquisition cards Medium 0 2
Total   38 166

Source: ICD Summary of Observations.

The Department adopted a risk-based approach to key controls testing which involves evaluating the level of risk associated with each business process. The CFOB overall risk assessment methodology was based on: materiality, complexity and volatility, significance of judgment required, susceptibility to misstatement and existence of significant control breakdowns/gaps.

The overall risk assessment rating determines the nature and the extent of control testing required. For example, key controls within high risk processes are subject to a more detailed review of control evidence and potentially a larger sample size than medium risk processes. As such, a change in the risk assessment (from medium to high) impacts the audit work necessary to conclude on control effectiveness.

Most significant business processes were identified as medium control risk (see Table 3). However, given the control weaknesses identified through testing results of operating effectiveness conducted by the ICD, the risk associated to significant business processes may have been higher than originally anticipated.

In addition, the level of risk assigned to some significant business processes may have been understated given the impact and likelihood of misstatements. For example, grants and contributions represent approximately $1.2B for the Department, which is material to the financial statements, and the related controls are highly decentralized; both of these elements increase the overall risk for this business process. A higher risk rating is further supported by the findings identified in the Office of the Auditor General's (OAG) readiness review performed in 2008, where many weaknesses were identified for the grants and contributions process. At that time, the OAG had identified the grants and contributions as one of the highest risk areas for financial reporting.

A change in the level of risk established for a business process may impact the Department's testing strategy; for example, a high risk process is subject to more rigorous testing. Consequently, the testing actually performed may not provide a high level of assurance over the operating effectiveness of key controls for certain business processes.

Recommendation 2

It is recommended that the Chief Financial Officer re-confirm the initial risk assessment for the significant business processes to ensure that the extent and nature of testing is appropriate in order to confirm the operating effectiveness and adequacy of remediation.

Management response

Management agrees with the recommendation.

As outlined in the Risk-Based Monitoring Strategy, it is recognized that change in the inherent risk or control risk can influence the overall risk rating which will modify how frequently control testing is to be performed.

This principle is being implemented as part of the ongoing risk-based monitoring phase starting in 2013-14.

Recommendation 3

It is recommended that the Chief Financial Officer, in collaboration with the process owners, develop and implement remediation strategies to correct the risk control weaknesses identified as of March 31, 2013.

Management response

Management agrees with the recommendation.

The Chief Financial Officer Branch will continue its work to provide assurances to the Deputy Minister and the Departmental Audit Committee members on the effectiveness of the Department's internal controls over financial reporting, recognizing that this is a continuous improvement evolution and it is never projected to have 100% effectiveness of all controls at all times. Management is prepared to accept some level of risk in this regard.

The target is to provide a level of operating effectiveness assurance that senior management and Departmental Audit Committee members are comfortable with and to ensure that the Department is "capable of producing financial statements that can withstand a control-based audit"Footnote 7. As such, the Chief Financial Officer Branch will suspend the need for a controls-based audit of its 2013-14 financial statements unless further directed by the Deputy Minister and/or the Office of the Comptroller General.

3.5 Financial reporting process

Audit criterion: Management has an effective process for financial statement preparation.

"Responsibility for the integrity and objectivity of the financial statements and the financial reporting process that produces such statements rests with Health Canada's senior management. Senior management ensures that financial statements have been prepared in accordance with the TBAS, which are consistent with GAAP for the public sector as set by the Public Sector Accounting Board."Footnote 8

To assess the reliability of the Department's financial data, the audit included a review of the financial statement preparation process and output for the last fiscal year-end (March 31, 2012). No material issues were noted. The financial statements were appropriately supported by accounting records, which were mathematically correct and reconciled to the general ledger account balances.

Although the objective of this audit was not to verify whether the financial statements were prepared in accordance with GAAP and TBAS, based on our analysis of the detailed review performed by the Office of the Comptroller General on the Department's financial statements, no material compliance issues related to disclosure with current accounting standards were identified.

3.6 Documentation, reconciliations and source data - Opening balances

Audit criterion: Management has reliable and available documentation to support account balances and management estimates for an opening balance audit.

The financial statement auditor will perform audit procedures to obtain sufficient, appropriate audit evidence to support his or her opinion on the financial statements. To conduct this work efficiently, various supporting documents from the Department will be requested, including documentation (for example, written documentation on the basis for management's significant accounting estimates and cost allocations), reconciliations (for example, reconciliations between SAP accounts and supporting reports, modules and systems) and source data to support transactions (for example, contracts, invoices, forms, requisitions etc.).

CFOB demonstrated that adequate documentation exists to support the opening Statement of Financial Position account balances and management estimates (based on April 1, 2012 balances), with the exception of the following, which are significant, and within materiality:

  • Documentation to support the original cost and acquisition date of long standing fixed assets. A net book value of approximately $10-12M was noted.
  • General allowance for doubtful accounts receivable - The Department uses a method that does not consider historical trend in receivable collection (currently based on outstanding receivable after 2 years). The March 31, 2012 general allowance for doubtful accounts receivable is $10.3M.
  • Specific allowance for doubtful accounts receivable - Specific allowances were not recorded for receivables resulting from investigations. These amounts are often subject to negotiation and a specific allowance for doubtful accounts receivable assessment is required to reflect collectability issues.

CAR indicated that these issues were known and that CFOB intends to put in place a remediation strategy.

Recommendation 4

It is recommended that the Chief Financial Officer ensure that adequate supporting documentation be maintained, including appropriate justification for significant estimates, for the amounts reported in the financial statements.

Management response

Management agrees with the recommendation.

With respect to supporting documentation for capital assets, Public Accounts and Policy Division - Financial Policy has developed a strategy to obtain appropriate supporting documentation to support the original cost and acquisition date of all capital assets.

All significant amounts reported in the financial statements are appropriately justified with sufficient supporting documentation in the annual audit substantiation binder. The documentation includes analyses and detailed information relative to the sufficiency and appropriateness of the allowance for doubtful accounts which will be enhanced this year in line with the audit recommendation.

3.7 Documentation, reconciliations and source data - Financial statements

Audit criterion: Management has reliable and available documentation to support account balances and management estimates for a financial statement audit.

The only difference between an opening balance audit and a year-end financial statement audit relates to the scope. In a year-end financial statement audit, an external auditor will review the full set of financial statements, including the Statement of Financial Position, the Statement of Operations and Departmental Net Financial Position, the Statement of Change in Departmental Net Debt, the Statement of Cash Flow and the Notes to the Financial Statements and related disclosure requirements.

As such, this section includes readiness procedures to the full set of financial statements, including the notes. CFOB demonstrated that there is adequate documentation to support account balances and management estimates for its fiscal year-end financial statements (March 31, 2012) with the exception of certain statement of financial position account balances indicated in section 3.6 (refer to Recommendation 4).

C - Conclusion

The Chief Financial Officer Branch has put in place a plan to attain effective internal controls over financial reporting (ICFR). Significant progress has been made during 2012-13 in assessing operating effectiveness of ICFR and continues to be made in 2013-14. Weaknesses were found but remediation strategies have been initiated to correct the issues.

The process and documentation in place demonstrate that the Department is ready to sustain a financial statement audit.

Appendix A - Lines of enquiry and criteria

Audit of Internal Controls over Financial Reporting and Financial Statement Readiness
Criteria Title Audit Criteria
Line of Enquiry 1: Governance
1.1 OversightTable 1 footnote 1 An effective oversight body exists to oversee and monitor progress towards achieving operating effectiveness of internal controls over financial reporting (ICFR) and sustaining financial statement audit.
1.2 Strategic planningTable 1 footnote 1 The Department has in place adequate plans and directives aimed at achieving operating effectiveness of ICFR and sustaining a financial statement audit.
1.3 AccountabilitiesTable 1 footnote 1 Authorities, roles and responsibilities aimed at achieving operating effectiveness of ICFR and sustaining a financial statement audit are clearly defined and communicated.
1.4 CapacityTable 1 footnote 1Table 1 footnote 2 Management has adequate resources aimed at achieving operating effectiveness of ICFR and sustaining a financial statement audit.
Line of Enquiry 2: Risk management
2.1 Risk managementTable 1 footnote 1 Risks that impact the achievement of operating effectiveness of ICFR and financial statements audit readiness are identified, assessed, documented and managed on an ongoing basis.
Line of Enquiry 3: Internal controls
3.1 Monitoring readinessTable 1 footnote 1Table 1 footnote 2 Management has adequate monitoring processes over the departmental preparedness to achieve operating effectiveness of ICFR and to sustain a financial statement audit.
3.2 System of internal controlsTable 1 footnote 1Table 1 footnote 4 - Entity level Management has in place a process to document and assess entity level controls.
3.3 System of internal controlsTable 1 footnote 1Table 1 footnote 4 - Information technology Management has in place a process to document and assess information technology general controls.
3.4 System of internal controlsTable 1 footnote 1Table 1 footnote 4 - Business processes Management has in place a process to document, assess and monitor business process controls.
3.5 Financial reporting  process Management has an effective process for financial statement preparation.
3.6 Documentation, reconciliations and source dataTable 1 footnote 3 - Opening balances Management has reliable and available documentation to support account balances and management estimates for an opening balance audit.
3.7 Documentation, reconciliations and source dataTable 1 footnote 3 - Financial statements Management has reliable and available documentation to support account balances and management estimates for a financial statement audit.
Table 1 footnote 1

Office of the Comptroller General Internal Audit Sector's Audit Criteria Related to the Management Accountability Framework: A Tool for Internal Auditors (March 2011).

Return to table 1 footnote 1 referrer

Table 1 footnote 2

TB Policy on Financial Resource Management, Information and Reporting.

Return to table 1 footnote 2 referrer

Table 1 footnote 3

Best practices for audit preparedness based on audit requirement process detailed as part of the Canadian Auditing Standards published by the Canadian Institute of Chartered Accountants.

Return to table 1 footnote 3 referrer

Table 1 footnote 4

TB Policy on Internal Control.

Return to table 1 footnote 4 referrer

Appendix B - Scorecard

Scorecard
Criterion Rating Conclusion Rec #
Governance
1.1 Oversight S Progress towards achieving operating effectiveness of internal controls over financial reporting (ICFR) and sustaining a financial statement audit has been communicated to the various individuals exercising oversight. -
1.2 Strategic planning S The Chief Financial Officer Branch (CFOB) has put in place plans and directives aimed at achieving operating effectiveness of ICFR and sustaining a financial statement audit.   
1.3 Accountabilities S Authorities, roles and responsibilities have been clearly defined and communicated. -
1.4 Capacity S Management has adequate resources aimed at achieving operating effectiveness of ICFR and sustaining a financial statement audit. -
Risk management
2.1 Risk management S The risks that could impact the achievement of operating effectiveness of ICFR and financial statement audit readiness have been identified, assessed, documented and are being managed.  -
Internal controls
3.1 Monitoring readiness S The Department's progress towards achieving operating effectiveness of ICFR and sustaining a financial statement audit is monitored and communicated. -
3.2 System of internal controls - Entity level S The entity level controls, which are part of the system of internal controls, have been documented through frameworks, policies, activities and procedures. -
3.3 System of internal controls - Information technology NMO Some weaknesses that were identified as part of the re-testing of the information technology general controls have yet to be remediated. The Department plans to initiate discussions to obtain information about the effectiveness of controls for systems hosted by other departments. 1 & Ref. 3
3.4 System of internal controls - Business processes NMO The Department's assessment of the operating effectiveness of ICFR has been completed for all significant business processes by March 31, 2013. Several significant control deficiencies have been identified. Remediation plans have been developed and are being implemented. 2 & 3
3.5 Financial reporting  process S The financial statements are appropriately prepared and supported by a detailed audit binder containing accounting records, lead sheets and detailed schedules. -
3.6 Documentation, reconciliations and source data - Opening balances NMO CFOB demonstrated that there is adequate documentation to support account balances and management estimates for opening balances (based on April 1, 2012 balances) with a few exceptions noted and within materiality. 4
3.7 Documentation, reconciliations and source data  - Financial statements NMO CFOB demonstrated that there is adequate documentation to support account balances and management estimates for the year-end financial statements (based on March 31, 2012 financial statements) with a few exceptions noted, and within materiality. Ref. 4

S = Satisfactory
NMI = Needs Minor Improvement
NMO = Needs Moderate Improvement
NI = Needs Improvement
U = Unsatisfactory
UKN = Unknown / Cannot Be Measured

Report a problem or mistake on this page
Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, contact us.

Date modified: