Internal audit of the system of internal controls over financial reporting

Internal Audit & Accountability Branch
25 October 2018

I. Background

Introduction

1. The Treasury Board Policy on Financial Management came into effect on April 1, 2017 replacing the 2009 Policy on Internal Control. The objective of the policy is to ensure that the government’s financial resources are well managed in the delivery of programs to Canadians and safeguarded through balanced controls that enable flexibility and manage risk. The policy requires the departments to establish a risk-based system of internal control over financial reporting (ICFR). To be effective, the policy also indicates that the system should include an annual risk assessment and an ongoing Monitoring Program. An Annual Statement of Management Responsibility is also required attesting to the objectivity and integrity of departmental financial information. The policy provides the key responsibilities for Deputy Heads, Chief Financial Officers, Senior Departmental Managers and the Comptroller General of Canada in exercising effective financial management.
2. Immigration, Refugees and Citizenship Canada (IRCC) completed its first full assessment cycle in 2015-16, and put in place a risk-based program to meet the policy requirements to continuously monitor the effectiveness of the Department’s system of ICFR. The program is expected to allow the Department to identify in a timely manner the accounts and associated processes that have the highest risk of causing financial misstatements, and to further establish processes to document, assess and improve key controls.
3. At IRCC, the Financial Policy, Monitoring and Reporting Directorate of the Financial Operations Branch is responsible for establishing mechanisms to conduct ongoing monitoring of ICFR. This provides assurance to the Deputy Minister and Chief Financial Officer on the adequacy and effectiveness of these controls.

Figure 1: Internal financial control ongoing monitoring process for the system of ICFR.

II. Audit objective, criteria, scope and methodology

Audit objective, criteria and scope

4. The objective of the audit is to provide reasonable assurance that IRCC has an effective system of ICFR.
5. The audit criteria are as follows:
   • There is a governance structure that identifies roles and responsibilities to support effective oversight of the Department’s internal controls over financial reporting.
   • Risks related to internal controls over financial reporting are identified, assessed and monitored effectively.
   • The assessment of internal controls over financial reporting is performed in accordance with established standards and guidelines.
   • ICFR assessment results are communicated to business process owners and senior management and timely action is taken to correct identified control weaknesses.
6. The audit assessed the program and related procedures/mechanisms in place at IRCC for the purpose of monitoring and reporting on the effectiveness of the system of ICFR. The audit covered the 2015-16 to 2017-18 fiscal years.
7. The audit did not re-perform the tests that the Internal Financial Controls team had done to assess effectiveness of the design and operation of particular key controls. The audit did not assess the accuracy of IRCC’s financial statements.

Methodology

8. The following audit procedures were performed to support audit findings, recommendations and conclusions:
   • A walkthrough of the ongoing monitoring process;
   • Interviews with Internal Financial Controls team and business process owners;
   • Analysis of a sample of four business process level control assessments and two entity level control assessments;
   • Reviews of selected outstanding corrective action plans resulting from the ongoing monitoring process; and,
   • Review and analysis of key documentation.

Statement of conformance

9. This audit was planned and conducted in conformance with the Institute of Internal Auditors International Professional Practices Framework, as supported by the results of a quality assurance and improvement program.

III. Audit findings and recommendations

Roles, responsibilities and authorities

10. Identifying the key roles, responsibilities and authorities in accordance with the Treasury Board Policy on Financial Management enables relevant stakeholders to perform monitoring and provide oversight on the system’s effectiveness. For example, one of the responsibilities of a senior departmental manager, as identified in the policy, is to “notify the CFO of any material control weaknesses and ensure that prompt corrective action is taken when control weaknesses are identified in their area of responsibility.”
11. At IRCC, the Internal Financial Controls Ongoing Monitoring Program identifies the governance structure, the ongoing monitoring approach and some key stakeholder roles, responsibilities and authorities. The Monitoring Program is updated annually and defines and communicates the key roles and responsibilities of the Chief Financial Officer, Departmental Audit Committee, Chief Audit Executive and the Internal Financial Controls team. Some responsibilities of the senior departmental management are identified. When comparing the TBS policy requirements with the departmental Monitoring Program, the responsibilities as they relate to ongoing risk-based monitoring by the senior departmental management, including business process owners^{Footnote 1}, were not identified in the Internal Financial Control team’s Monitoring Program. Since the senior departmental management, including the business process owners, have an important role in proactive, iterative risk management in their area of responsibility and to support timely reporting of control weaknesses to the Chief Financial Officer, identifying their responsibilities is important.
12. Although the Internal Financial Controls team reviews and monitors the departmental business processes based on the multi-year work plan, an interim and ongoing monitoring by the managers closest to the activities is important to detect errors or potential fraud, implement prompt corrective controls, and responsibly manage their financial management authority and responsibility. This monitoring work, conducted by the business process owner, is identified as the self-assessment and may take the form of a survey of staff regarding the process and status of controls, a desktop review of a sample of transactions to confirm the effectiveness of controls, or a detailed internal controls assessment conducted of their own processes and controls^{Footnote 2}. The Internal Financial Controls team would continue to review the effectiveness of management’s self-assessment processes, in the form of separate evaluations encompassing observations, walk-throughs, and tests of controls through sampling and the examination of the information used by management in their self-assessments. The reviews are intended to provide reasonable assurance regarding the reliability of financial reporting. For example, if a business process is determined to be of medium risk based on certain pre-determined criteria, the Internal Financial Controls team would assess the particular business process level controls every three years. Meanwhile, the business process owner would perform interim, continuous risk-based self-assessment of his or her process and identify changes to controls or risks.
13. IRCC has completed a full assessment cycle and has implemented an ongoing monitoring system of ICFR. Ongoing risk-based monitoring by those responsible for the business process areas will enable the Department to continue to progress and achieve a mature system of ICFR. The self-assessment and ongoing risk-based monitoring will enable risk related discussions and education between business process owners and the Internal Financial Controls team, leading to a more collaborative risk management approach and management excellence.
14. Recommendation 1. The Chief Financial Officer should ensure that the Internal Financial Controls Ongoing Monitoring Program identifies the responsibilities of senior departmental management (including the business process owners) in implementing and maintaining a risk-based system. This should be supported by ongoing risk discussions and related information exchanges between the Internal Financial Controls team and relevant senior management including business process owners.

Ongoing risk-based monitoring system

15. Implementing and maintaining a risk-based system of ICFR, as per the Treasury Board Policy on Financial Management, will support an effective and efficient ongoing monitoring system that identifies any control deficiencies and addresses them in a timely manner. The annual risk review process enables the Internal Financial Controls team to develop an ongoing multi-year work plan based on the preliminary assessment of the Department’s processes and controls. Based on this risk assessment, including fraud risk assessment, all high risk processes are reassessed every two years, medium risk processes every three years, and low risk processes every four years. This has enabled the Internal Financial Controls team to prioritize the level of effort for assessing and monitoring processes based on their level of risk.
16. The audit examined various documents related to the Internal Financial Controls team’s annual risk assessment of departmental processes to facilitate preparation of the multi-year assessment work plan. Information related to the effectiveness testing of six sample processes for 2015-16 to 2017-18 were examined. This included the examination of risk assessment documents and the documents related to the process of selecting, sampling and testing of key controls and reporting of control deficiencies. Two high risk business processes, two medium risk business processes, the entity level controls and the information technology general controls were reviewed. The examination identified that a risk-based approach has been implemented for each step of the assessment and monitoring process currently in place.
17. Overall, a risk-based ongoing Monitoring Program, including an annual risk-based assessment of internal controls has been implemented and maintained by the Department.

Reporting and oversight

18. The Treasury Board Policy on Financial Management requires the Deputy Minister and the Chief Financial Officer to establish, monitor and maintain a risk-based system of ICFR. To continuously support them in fulfilling their responsibilities, timely reporting on the effectiveness of existing controls, control deficiencies and remedial actions is important.
19. The Chief Financial Officer presents a report to the Departmental Audit Committee twice per year. In the spring, he reports on the annual risk assessment results and the resulting multi-year work plan, and in the summer, he informs the Committee of the results of the control assessments. An examination was conducted of the records of decision and meeting materials for the Departmental Audit Committee meetings from January 2016 to June 2018. However, the presentations to the Departmental Audit Committee on the summary of status of action plans did not identify the delays or extensions to the due dates of these action plans. In the Departmental Audit Committee meeting minutes of August 16 2016, the committee emphasized the importance of the implementation of action plans and stated that if any issues arise, they should be brought to the timeliest meeting.
20. For example, the annual Internal Financial Controls Ongoing Monitoring Program identifies that the remedial actions to address high risk deficiencies must be implemented within six months, while those pertaining to medium risks should be addressed within 12 months. As of December 2017, 56 remedial action plans were outstanding. Forty-seven of these, including one high risk deficiency, were delayed. Thirty-one of the 47 deficiencies (including the high risk deficiency) had at least one revision to the initial due date of their action plans.
21. When there is a delay in implementing corrective actions to address a control deficiency, informing the Departmental Audit Committee of the delay and of any interim compensating controls in place will provide confidence to the oversight bodies on the effectiveness of the risk-based monitoring of the system of ICFR.
22. The records of decision for the Executive Committee^{Footnote 3} meeting held from January 2016 to March 2018 and the Risk Management Committee^{Footnote 4} meetings held in 2016 and 2017 were also reviewed. The review identified that apart from the Departmental Audit Committee, there were no discussions related to the control assessment results in any other executive level oversight committees. For example, under the system of ICFR, the assessment of Entity Level Controls tests the effectiveness of Department-wide controls that directly or indirectly impact all underlying controls. Some examples of assessment areas are the roles and responsibilities with regards to establishing departmental values and ethics, establishing performance management standards, and providing employees with training and tools to complete their tasks. Information and updates on the assessment of processes and key controls, on the subsequent control deficiencies identified and on the related remedial actions enables relevant departmental oversight committees to be apprised of the health of the Department-wide controls.
23. Recommendation 2. The Chief Financial Officer should determine which oversight committees should review reports on the effectiveness of the system of ICFR and consult with the relevant oversight committees to determine the level of information required to fulfill their roles and responsibilities.

IV. Conclusion

24. To conclude, IRCC has a system of ICFR in place which is generally effective in identifying and mitigating the risks of material misstatements. A risk-based approach to the testing of key controls and monitoring of the system of ICFR has been put in place by the Chief Financial Officer. It is functioning effectively with the support of multiyear work plans, well documented control assessment activities, and periodic follow-ups on outstanding corrective actions.
25. Opportunities for improvement were identified in the following areas: the involvement of business process owners in the processes so the Department continuously improves in developing a more mature system of ICFR, and providing sufficient information on ongoing monitoring of the system of ICFR to senior oversight bodies.

Management has accepted the audit findings and developed an action plan to address the recommendations.

Appendix A – Management response