ARCHIVED - Audit Report - Financial Management Framework

 

For readers interested in the PDF version, the document is available for downloading or viewing:

Audit Report - Financial Management Framework (PDF document - 107 KB - 28 pages)

Approved by Chief Public Health Officer on March 28, 2012

Table of Contents

Executive Summary

1. The Public Health Agency of Canada’s (PHAC or the Agency) has identified, in its Risk-Based Audit Plan, the audit of the Financial Management Framework as a priority for 2011-12. This audit was carried out in part to proactively assess the readiness of the Agency to implement the requirements of the Treasury Board (TB) Policy on Internal Control.

2. The objective of this audit was to assess the current state and adequacy of the Agency’s Financial Management Framework. The audit examined the approach taken to implement the requirements of the TB Policy Framework for Financial Management, the Policy on Financial Management Governance and the Policy on Internal Control with a focus on Internal Control over Financial Reporting. The Policy on Internal Control states that the Agency is expected to complete its first Annex to the Financial Statements for fiscal year 2011-12, with the Statement of Management Responsibility Including Internal Control over Financial Reporting.

3. The Policy on Financial Resource Management, Information and Reporting, which directs departments and agencies to effectively manage public funds, has been excluded from the audit scope as this policy will be examined as part of a future Audit of Financial Resource Allocation.

4. The Policy on the Stewardship of Financial Management Systems, which aims at ensuring that financial management systems deliver more accurate, reliable, accessible and timely financial information, has also been excluded from this audit as PHAC receives their financial system (SAP) support services from Health Canada.

5. The audit did not examine the validity, completeness and accuracy of the financial transactions reported in the departmental financial statements nor the effectiveness of the financial controls in place.

6. The audit criteria were derived from the TB Policy Framework for Financial Management, as well as from the Audit Criteria related to the Management Accountability Framework: A Tool for Internal Auditors issued in March of 2011 and produced by the Office of the Comptroller General.  The audit work was carried out between June and October 2011.

Findings

7. A governance structure for financial management is in place and is currently being reviewed. We did not find a documented Agency financial management framework that establishes specific roles, responsibilities and accountabilities for individuals involved in financial management. An organization-specific financial management framework is a requirement under the TB Policy on Financial Management Governance. Such a framework is important because, although the Chief Financial Officer (CFO) has the overall responsibility for financial management in the Agency, the CFO must rely extensively on Agency managers who are responsible for ensuring effective financial management for all the activities falling with their respective area of responsibility. An Agency financial management framework would provide guidance regarding the policies which managers should be following, and related responsibilities.

8. Training for PHAC managers and staff in financial management, including internal controls, does occur, but in a piecemeal fashion in the absence of an Agency-wide formal training plan for financial management. Such a plan would help support managers and employees in the discharge of their financial management responsibilities. Moreover, while a series of financial management policies have been developed, the majority of the policies remain to be approved.

9. There has been limited progress on documenting the key financial management processes as well as identifying key internal controls. The Agency has not developed a multi-year comprehensive implementation plan that would include major milestones, resources required, and timelines for the activities linked to implementation of the TB Policy on Internal Control.   Moreover, there is no formal mechanism to support and oversee the implementation of this Policy.

10. While ongoing dialogue is maintained between PHAC and Health Canada, the interdepartmental arrangement for financial services has not been revised since its implementation in 2004. Furthermore, no formal mechanism has been defined for obtaining assurance about the effectiveness of internal controls with respect to financial management processes handled by Health Canada on behalf of the Agency. 

Conclusion

11. The Agency is in its early stages of implementing the requirements of the TB Policy on Internal Control.  The implementation of the TB Policy of Internal Control involves multi-year assessments, taking into account risks, current state of readiness and capacities of departments. The Chief Public Health Officer and Chief Financial Officer are now responsible to disclose a summary of the results of the assessments of the system of Internal Control over Financial Reporting that the Agency has conducted as at March 31, 2012.  This annual disclosure includes progress and related action plans to address significant issues found as a result of these assessments. Thus, substantial progress will be required in this regard.

12. Management attention is required to:

  • define, document and implement a financial management framework that will clearly describe roles, responsibilities and accountabilities of individuals involved in financial management;
  • develop a multi-year comprehensive implementation plan, assign required resources and establish a structure to support and meet TB Policy on Internal Control requirements;
  • seek approval of draft financial management policies, directives and guidelines, disseminate them to the Agency’s managers and staff on a timely basis; and,
  • seek amendments to the current interdepartmental arrangement with Health Canada regarding the provision of financial services, including formal assurance mechanisms on financial management processes handled by Health Canada on behalf of the Agency.

Statement of Assurance

13. In the professional judgment of the Director General, Audit and Evaluation, sufficient and appropriate audit procedures have been performed and evidence gathered to support the accuracy of the audit conclusion. The audit findings and conclusion are based on a comparison of the conditions that existed as of October 25, 2011, against established audit criteria that were agreed upon with management. Further, the evidence was gathered in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing.

Shelley Borys
Director General, Audit and Evaluation

Management Response

14. The Agency’s management agrees with our findings and recommendations.  A Management Action Plan including introductory remarks by the CFO is presented in Appendix B.

Background

15. The Treasury Board (TB) has introduced a Policy Framework for Financial Management and related policy instruments that set out an integrated approach for the practice of public sector financial management to improve the quality of financial management and internal controls. Key changes resulting from this initiative include the requirement for all departments and agencies to have auditable annual financial statements1. As well, Deputy Heads are required to sign an annual Statement of Management Responsibility Including Internal Control over Financial Reporting which prefaces the Agency financial statements.

16. As per a requirement of the TB Policy Framework for Financial Management, the Chief Public Health Officer (CPHO), as accounting officer, is accountable to Parliament for the management of the Agency, including financial management.  He is supported in this activity by the Chief Financial Officer (CFO) who provides objective strategic advice for business and financial management and acts as a key steward with respect to relevant legislation, regulations, policies, directives and standards related to financial management. 

17. The overall TB Policy Framework consists of a Policy Framework for Financial Management (June 1, 2010) and four new policies which are the:

  • Policy on Financial Management Governance (April 1, 2009)
  • Policy on Internal Control (April 1, 2009)
  • Policy on Financial Resource Management, Information and Reporting (June 1, 2010) 2
  • Policy on the Stewardship of Financial Management Systems (January 1, 2010) 3

Each policy document describes an element of the overall Financial Management Framework. This audit includes the Policy on Financial Management Governance and the Policy on Internal Control and focuses on Internal Control over Financial Reporting. 

18. The Policy Framework for Financial Management sets out an integrated approach for the practice of public sector financial management and clarifies the roles and responsibilities of Deputy Heads, the Comptroller General of Canada, CFOs and senior departmental managers. The Policy on Financial Management Governance sets responsibilities with respect to financial management governance and capabilities. 

19. Deputy Heads are designated as the accounting officers for their organizations under the Financial Administration Act (s.16.3) (FAA).  As such, under the requirement of the TB Policy on Internal Control, they are responsible for ensuring the establishment, maintenance, monitoring and review of the departmental system of internal control over financial management, including financial reporting and departmental accounts. As part of this policy, departments are expected to:

  • conduct annual assessments of their systems of internal controls;
  • establish action plans to address any necessary adjustments; and
  • attach to their Statement of Management Responsibility Including Internal Control over Financial Reporting, a summary of their assessment results and an action plan to address any significant issues found as a result of this assessment. 

20. The Chief Public Health Officer and Chief Financial Officer are thus now responsible to disclose this summary of assessments conducted as at March 31, 2012, including progress and related action plans.

21. Internal controls operate at all levels throughout an organization and are an integral part of an organization’s risk management framework.  At the most basic level, internal controls are simply good business practices that enable an organization to achieve its objectives, ensuring efficient and effective operations, compliance with policies and regulations, and the safeguarding of assets.  Examples of internal controls are:

  • financial management policies and authorities that are appropriately designed to mitigate financial risks and that are communicated;
  • compliance with financial management laws, policies and authorities that is monitored regularly; and
  • transactions that are coded and recorded accurately and in a timely manner to support accurate and timely information processing.

22. In order to effectively manage the implementation of the TB Policy on Internal Control, TB created three cluster groups, based on Departmental (Agency) appropriation size, with the largest departments being assigned to the first cluster group. The rationale behind this was that the smaller departments could leverage work completed by the cluster groups that went before them. PHAC is part of the third cluster group of smaller departments (and agencies) required to prepare its first Annex to the Statement of Management Responsibility Including Internal Control over Financial Reporting  to accompany its 2011-12 Financial Statements. 

1 Auditable financial statements: financial statements that can withstand a controls-based audit.

2 The Policy on Financial Resource Management, Information and Reporting directs departments and agencies to effectively manage public funds by planning, budgeting and making decisions on the allocation, reallocation and use of financial resources based on reliable information and sound analysis of that information.

3 The Policy on the Stewardship of Financial Management Systems aims at ensuring that financial management systems deliver more accurate, reliable, accessible and timely financial information.

About the Audit

Authority

23. The Agency identified, in its Risk-Based Audit Plan for 2011-14, the audit of the Financial Management Framework as a priority for 2011-12.  This audit will contribute to assessing the Agency’s readiness to implement the policy requirements for an assessment of internal control over financial reporting.

Objective

24. The objective of this audit was to assess the current state and adequacy of the Agency’s Financial Management Framework. 

Scope

25. The audit examined the approach taken to implement the requirements of the TB Policy Framework for Financial Management, the Policy on Financial Management Governance and the Policy on Internal Control with a focus on Internal Control over Financial Reporting.  Under the requirements of the Policy on Internal Control, the Agency is expected to complete its first Annex to the Financial Statements for fiscal year 2011-12, with the Statement of Management Responsibility Including Internal Control over Financial Reporting.

26. The Policy on Financial Resource Management, Information and Reporting, which directs departments and agencies to effectively manage public funds, has been excluded from the audit scope as this policy will be examined as part of a future Audit of Financial Resource Allocation.

27. The Policy on the Stewardship of Financial Management Systems, which aims at ensuring that financial management systems deliver more accurate, reliable, accessible and timely financial information, has also been excluded from this audit as PHAC receives their financial system (SAP) support services from Health Canada.

28. The audit did not examine the validity, completeness and accuracy of the financial transactions reported in the departmental financial statements nor the effectiveness of the financial controls in place.

Approach and Methodology

29. This audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing.

30. The audit criteria and sub-criteria (Appendix A) were derived from the TB Policy Framework for Financial Management, as well as from the Audit Criteria related to the Management Accountability Framework: A Tool for Internal Auditors issued in March 2011 by the Office of the Comptroller General. The audit work was carried out between June and October 2011, and included:

  • reviewing relevant documentation in support of financial management framework and internal controls related to the new TB Policy Framework for Financial Management  including policies, processes, procedures, practices, and others;
  • interviewing key personnel directly or indirectly involved in the financial management and internal controls related to the new TB Policy Framework for Financial Management, as well as Health Canada representatives from the CFO Branch and the Audit and Accountability Bureau; and
  • conducting a site visit to the Winnipeg office.

Audit Findings and Recommendations

Governance

31. We expected that an appropriate governance structure for financial management had been established, communicated and monitored, and that a clear organizational structure and roles and responsibilities would be established and documented.

32. The Agency has established governance committees and provided them with mandates and terms of reference. The Agency governance structure, including that for financial management, is currently being reviewed in order to enhance the effectiveness and efficiency of the decision-making process. The terms of reference for the committee dealing with financial management under the revised governance are expected to be aligned with best practices and the requirements of TB Policy Framework for Financial Management.

33. Under the current governance structure, the Resource Planning and Management Committee (RPMC), a sub-committee of the Executive Committee (EC), is the Agency’s primary senior executive forum for discussions, recommendations and decisions concerning planning, budgeting, and resource allocation, including monitoring and reporting and other asset management policy activities.

34. We noted that the requirements set out in the TB Policy Framework for Financial Management have not been formally discussed at the EC and RPMC. As a result, senior management may not be well informed of the requirements of the TB Policy, challenges associated with its implementation and potential implications for senior management. However, we noted that the OCFO has been communicating on a periodic basis with Health Canada in order to build on their work on internal controls and with TB Secretariat and other government departments that are required to prepare their first Annex to the Statement of Management Responsibility Including Internal Control over Financial Reporting to accompany their 2011-12 Financial Statements.

35. Under the current OCFO organizational structure, the CFO reports to both the Chief Public Health Officer and the Associate Deputy Minister. Three Directors report to the CFO: the Director, Resource Management and Analysis, the Director, Financial Policy, Systems and Operations, and the Director, Centre for Grants and Contributions.  Key financial management responsibilities of each of the OCFO Directorates are described under Appendix C.

36. The TB Policy on Financial Management Governance gives CFOs the overall responsibility to support and advise the deputy head on departmental financial management.  Specifically, this includes, among other things, designing and maintaining an appropriate departmental financial management framework and related systems of internal control.

37. A departmental financial management framework would articulate context, expectations and requirements for sound financial management, including internal control, across all level of management within the Agency, consistent with the FAA and TB policies. We did not find a documented Agency financial management framework. Such a framework is important because, although the CFO has overall responsibility for financial management in the Agency, the CFO must rely extensively on Agency managers who are responsible for ensuring effective financial management for all the activities falling with their respective areas of responsibility.  An Agency financial management framework would provide guidance regarding the policies which managers should be following, and related responsibilities.

38. In July 2011, the OCFO developed two draft documents to clarify the roles and responsibilities of all individuals4 involved in PHAC’s system of internal controls to ensure that they adequately understand and address the requirements related to internal controls. These documents are: the Internal Control over Financial Reporting Policy and the Internal Control Framework. The Internal Control over Financial Reporting Policy objective is to ensure that risks related to the stewardship of PHAC’s resources are adequately managed through effective internal controls, including internal controls over financial reporting. The objective of the Internal Control Framework is to address the requirements relating to internal control over financial reporting. They have not yet been formally approved by the CFO and senior management, and limited consultation has taken place.

39. In conclusion, a governance structure is in place and currently being reviewed. We have not found a documented Agency financial management framework that establishes roles, responsibilities and accountabilities for individuals involved in financial management.

4 CPHO, CFO, senior managers, managers, and financial officers

Recommendation

40. The Chief Financial Officer should define, document and implement a financial management framework that is consistent with the Treasury Board Policy on Financial Management Governance and that addresses the specific roles, and responsibilities of all  those involved in financial management, including senior management. 

People and Tools

41. We expected that the Agency would provide its employees with the necessary training, tools, and information to support the discharge of their financial management responsibilities in the area of internal control over financial reporting. We also expected that policies, guidelines, directives and procedures would be developed, communicated and reviewed regularly and that financial management support would be provided to managers with respect to the Agency’s financial management policies and directives.

42. The OCFO has drafted financial policies, directives and guidelines on various topics such as internal controls, hospitality, account verification, travel, acquisition cards and petty cash. Even though completed, they have yet to be approved by the CFO and by the EC as appropriate.  The Agency relies on TB and HC Financial Management Policies in the absence of Agency specific policies. The lack of approved instruments could result in non-compliance with elements of the TB Policy Framework for Financial Management

43. As required by the Agency, it is important to note that managers do participate in mandatory training to obtain financial delegation of authorities. In addition, further training in financial management is provided for those employees with assigned responsibilities for implementing of one or more elements of the TB Policy Framework for Financial Management.

44. Training in financial management for Agency managers and staff was identified as a high priority at the OCFO Spring Retreat and is occurring, but in a piecemeal fashion in the absence of an Agency-wide formal training plan in financial management. Such a plan would help in the identification of financial management training needs and priorities and support managers and employees in the discharge of their financial management responsibilities. 

45. We concluded that an Agency formal training plan in financial management for managers and employees would help support them in the discharge of their financial management responsibilities. Furthermore, while a series of financial management policies have been developed, the majority remain to be approved.

Recommendation

46. The Chief Financial Officer should, as appropriate, seek approval of the draft financial management policies, directives and guidelines, disseminate them to the Agency’s managers and staff on a timely basis and then prepare, in collaboration with the Director General, Human Resources, an overarching continuous learning plan to support the managers and employees in the implementation of these instruments.

Risk Management and Stewardship

47. We expected that risk management mechanisms would be in place to identify, assess, monitor, mitigate and report on financial management risks and that senior management formally responded to key financial management risks related to internal control over financial reporting.

48. We also expected that the Agency would have initiated the documentation of its key financial management processes as well as the identification of key internal controls, and that these processes would be regularly updated by process owners.  We also expected that monitoring and reporting processes would have been developed for key processes and internal controls, and corrective action undertaken when necessary.

49. With the introduction of the TB Policy on Internal Control, Deputy Heads and CFOs now have to disclose evidence that their systems of internal control are well managed.  They are required to annually assess, based on the risks present in their environment, the effectiveness of their systems of internal control over financial reporting to ensure that:

  • financial transactions are appropriately authorized;
  • financial records are properly maintained;
  • risks of fraud, abuse, loss or mismanagement are properly mitigated; and,
  • applicable laws, regulations, and policies are complied with.

50. The Agency is required to disclose a summary of its assessment results with its action plan to address any significant issues found as a result of this assessment. These summaries are provided with the annual financial statements and an overall Statement of Management Responsibility.

51. The TB Policy on Internal Control identifies four broad steps required to complete its implementation. These steps are:

  • documenting key financial management processes and internal controls;
  • conducting design testing of key controls;
  • conducting operational testing of key controls; and,
  • implementing an ongoing monitoring program or oversight process to sustain the effectiveness of internal control over financial reporting.

A draft diagnostic tool was developed by TB to provide departments and agencies with a practical step by step approach to help plan and conduct a risk-based assessment of the effectiveness of their systems of internal controls over financial reporting as required under the TB Policy on Internal Control. In addition, it provides information on key activities, normal level of effort and approximate timing to complete the implementation.

52. The OCFO is in its early stages of implementing the requirements of the TB Policy on Internal Control.

53. During the spring of 2009, the Agency retained the services of consultants to assist in planning for a project to address the assessment, improvement and maintenance of internal controls within the Agency.  This would help the Agency in supporting a control-based audit of its financial statements and management sign-off on the effectiveness of internal controls. That initial assessment indicated the need for the Agency to initiate work in relation to documentation and testing of its key financial management processes and controls related to internal control over financial reporting.

54. From the results of the above risk assessment, and having consulted Health Canada, and colleagues from the third cluster group, the OCFO prioritized, in early summer of 2011, four key financial management processes for initial documentation namely: materiel management (procurement and contracting); materiel management (assets); payroll; and grants and contributions. The prioritization of these processes was based on an assessment of their significance and materiality in relation to the Agency’s financial statements.  As several elements of the HC financial management processes and related controls are applied by the Agency, the OCFO requested that PHAC process owners5 review the related HC processes and controls documentation and make any adjustments to reflect an accurate and complete description of processes and controls used at PHAC.

55. We noted a lack of clear instructions with respect to the validation process and timelines. As of the date of the report, limited progress had been made on the validation of the four financial management processes by the process owners.   

56. A lack of structure for managing the whole Internal Control over Financial Reporting assessment process prevails at this time and this may impact the effectiveness and efficiency of the implementation of the TB Policy on Internal Control requirements. For instance:

  • a multi-year comprehensive implementation plan has not been developed that includes: all processes and sub-processes to be documented, major milestones, resources required, and timelines to guide the various activities that would lead the Agency toward implementation of the Policy’s requirements;
  • one employee has been assigned on a part time basis to manage this project; and,
  • there are only informal oversight mechanisms in place to coordinate, approve and oversee the implementation and progress of the TB Policy on Internal Control.

57. In describing its expectations, TB expressed that the size of the department or agency, its complexity and other pertinent factors would influence the implementation and completion of the assessment of internal controls, the identification of gaps and related action plans and that this assessment might take place over many years. TB therefore expected that the Agency would develop a multi-year comprehensive implementation plan and would assign necessary resources to this project.

58. In conclusion, the lack of a multi-year comprehensive implementation plan for managing the whole Internal Control over Financial Reporting assessment process may impact the effectiveness and efficiency of the implementation of the TB Policy on Internal Control. 

5 Process owners are managers responsible for financial management processes which involve internal controls over financial reporting such as procurement, contracting, assets, payroll and Grants and Contributions.

Recommendation

59. The Chief Financial Officer should develop a multi-year comprehensive implementation plan, assign required resources and establish a structure to manage and oversee this initiative in order to meet the requirements set out in the Treasury Board Policy on Internal Control.

Accountability

60. We expected that the OCFO would have implemented the necessary framework to support the statement requirements of the TB Policy Framework for Financial Management, including the Annual Statement of Management Responsibility. We also expected that an appropriate and current interdepartmental arrangement would be in place for shared financial services provided by Health Canada to the Agency.

Framework to Support the Statement

61. The TB Policy on Internal Control requires the deputy head and the CFO to sign an annual Statement of Management Responsibility Including Internal Control over Financial Reporting, which prefaces the financial statements.

62. Regarding the requirement to produce an Annual Statement of Management Responsibility, the OCFO developed the first draft of a pro forma Annex to the Statement of Management Responsibility for fiscal year 2011-12. The pro forma Annex included elements required by the TB Policy on Internal Control and included an ambitious agenda to meet those requirements. The document was presented at the PHAC Audit Committee’s September 2011 meeting. 

63. The OCFO also intends to present the Annex to TB to seek advice.  Since its initial drafting, the OCFO has indicated that it has not progressed as rapidly as reported in the action plan included in this Annex. The OCFO expects that one financial management process will be documented by the end of this fiscal year.

Interdepartmental Arrangement

64. We expected to see progress on a revised interdepartmental arrangement for shared financial services that would articulate the responsibilities of both the Agency and Health Canada with respect to the documentation and testing of common processes and controls including assurance mechanisms to inform each other of the effectiveness of their internal controls.

65. The Agency and Health Canada signed an interdepartmental arrangement in 2004 to share certain corporate services, including finance, which are based on a cost recovery formula. While changes in services have occurred since implementation of this arrangement, this document has not been modified to reflect those changes. Health Canada remains responsible to process financial transactions for PHAC in the following regions: British Columbia, Alberta, Ontario, National Capital Region, Quebec and Atlantic. Health Canada is also responsible for the financial system and the preparation of the Public Accounts and Financial Statements of the Agency.

66. No meeting has taken place yet between the two CFOs of PHAC and Health Canada to address changes required in the interdepartmental arrangement, and more specifically those related to the implementation of the Policy on Internal Control.  Meetings have occurred at the working level, to leverage each other’s work with respect to this Policy. At this time, the existing arrangement make no reference to expected service standards, the roles and responsibilities of both organizations with respect to the development or changes in financial applications and systems or response time. Moreover, it does not include a statement that would provide assurance to the Agency on the effectiveness of internal controls over financial management processes carried out by Health Canada on behalf of the Agency such as account verification (s. 33 of the FAA).

67. The Agency has repatriated some financial management processes and introduced its own specific financial management processes.  The greater the customization to the processes, the less potential exists for leveraging on related Health Canada’s work. Only when the Agency completes the documentation of its own financial management processes and internal controls will it know whether common grounds remain in the processes of the two organizations and opportunities exist to leverage from the work done at Health Canada.

68. In conclusion, while ongoing dialogue is maintained between PHAC and Health Canada, the interdepartmental arrangement for financial services has not been revised since its inception and no formal mechanism has been defined for obtaining assurances on the effectiveness of internal controls with respect to the financial management processes handled by Health Canada on behalf of the Agency. 

Recommendation

69. The Chief Financial Officer should seek amendments to the interdepartmental arrangement with Health Canada with respect to financial services, including formal assurance mechanisms on financial management processes handled by Health Canada on behalf of the Agency. 

Conclusion

70. The Agency is in its early stages of implementing the requirements of the TB Policy on Internal Control.  The implementation of the TB Policy of Internal Control involves multi-year assessments, taking into account risks, current state of readiness and capacities of departments. The Chief Public Health Officer and Chief Financial Officer are now responsible to disclose a summary of the results of the assessments of the system of Internal Control over Financial Reporting that the Agency has conducted as at March 31, 2012.  This annual disclosure includes progress and related action plans to address significant issues found as a result of these assessments. Thus, substantial progress will be required in this regard.

71. Management attention is required to:

  • define, document and implement a financial management framework that will clearly describe roles, responsibilities and accountabilities of individuals involved in financial management;
  • develop a multi-year comprehensive implementation plan, assign required resources and establish a structure to support and meet TB Policy on Internal Control requirements;
  • seek approval of draft financial management policies, directives and guidelines, disseminate them to the Agency’s managers and staff on a timely basis; and,
  • seek amendments to the current interdepartmental arrangement with Health Canada regarding the provision of financial services, including formal assurance mechanisms on financial management processes handled by Health Canada on behalf of the Agency.

Acknowledgments

72. We wish to express our appreciation for the cooperation and assistance afforded to the audit team by management and staff during the course of this audit.

Appendix A:  Audit Criteria

The audit criteria and sub-criteria are derived from the TB Policy Framework for Financial Management as well as from the Audit Criteria related to the Management Accountability Framework: A Tool for Internal Auditors issued in March 2011 by the Office of the Comptroller General.

Governance
# Sub-Criteria Link to MAF6
6 Management Accountability Framework

1.1

An appropriate governance structure is established, communicated and monitored.

A governance committee is in place and functioning to assist the Agency in meeting its financial management objectives.

Governance and Strategic Direction

1.2

A clear organizational structure has been established and documented for each essential element of the financial management framework. 

The CFO’s organization is structured to meet policy requirements and is adequately resourced.

Governance and Strategic Direction

 

People and Tools
# Sub-Criteria Link to MAF

2.1

The organization provides employees with the necessary training, tools, and information to support the discharge of their financial management responsibilities in the area of internal control over financial reporting.

Financial policies, guidelines, directive and procedures are complete, communicated and reviewed regularly; and Financial Management support is provided to managers.

People

 

Risk Management
# Sub-Criteria Link to MAF

3.1

Risk management mechanisms exist to identify, assess, monitor, mitigate and report on financial management risks related to internal control over financial reporting.

Risk Management

3.2

Management formally responds to its key financial management risks related to internal control over financial reporting.

Risk Management

 

Stewardship
# Sub-Criteria Link to MAF

4.1

Key financial management processes have been documented identifying key financial controls and are regularly updated by process owners.

Stewardship

4.2

Monitoring and reporting takes place for key processes and controls of the financial management framework and corrective actions are taken.

The Office of the CFO has a formal structure and has developed a documented plan to test the design and operational effectiveness of its key financial controls.

Stewardship

 

Accountability
# Sub-Criteria Link to MAF

5.1

The CFO has put in place the necessary framework to support the certifications included in the Annual Statement of Management Responsibility including internal controls over financial reporting.

Accountability

5.2

The Interdepartmental arrangement in place for shared financial services provided by Health Canada to PHAC address:

  1. Governance and processes;
  2. Responsibilities of both Health Canada and PHAC to avoid duplication of efforts; and
  3. Reporting mechanisms to inform each other of issues that may happen from time to time.

Accountability

Appendix B: Management Action Plan

Management Action Plan
Recommendation Management Action Plan Officer of Prime Interest Target Date
 

Introduction:

By way of background, it is noted that, in response to need for improvement, the Agency focused on several specific areas over the last few years. Examples include: aligned financial delegations with budget responsibilities and improved administration of signature cards; strengthened processes for Payables at Year End, interdepartmental accounts and suspense accounts to improve the accuracy of financial statements; implemented several Standard Operating Procedures and other tools in response to the Blue Ribbon Panel on Grants and Contributions; improved the management and administration of travel by, among other things, implementing the Expense Management Tool to control the processes from approval of a travel event to approval of the final travel claim; and made steady improvements in forecasting and budget management, including the implementation of the Multi-Year Financial Planning System that enables us to track appropriations and budgets.

   

Governance

40. The Chief Financial Officer should define, document and implement a financial management framework that is consistent with the Treasury Board Policy on Financial Management Governance that addresses the specific roles, and responsibilities of all  those involved in financial management, including senior management. 

Agree. The CFO has two examples of such a framework, one provided by another agency in the Portfolio and one provided by the audit team. The CFO will tailor one of those to the circumstances of PHAC, including the addition of sections on grants and contributions, which represent some 33% of Agency expenditures.

CFO

May 2012

People and Tools

46. The Chief Financial Officer should seek approval, as appropriate, of the draft financial management policies, directives and guidelines, disseminate them to the Agency’s managers and staff on a timely basis and then prepare, in collaboration with the Director General, Human Resources, an overarching continuous learning plan to support the managers and employees in the implementation of these instruments.

Agree. a) PHAC has largely relied on Health Canada and Treasury Board Policies since 2004. Policies on delegation of financial signing authorities and on travel are posted on the Agency intranet site. Some PHAC specific policies, directives and guidelines have been drafted. The CFO will develop a plan to prioritize finalization of these policies and discuss with senior management.

CFO

 

March 2012

b) The four or five priority policies will be reviewed by the CFO and, as required, with the appropriate governance committee(s). Once approved, all staff will be informed and the policies will be posted to the Agency intranet site. (On an ongoing basis, financial policies will be developed, approved and disseminated according to a risk-based plan.) CFO September 2012
c) In collaboration with the Director General, Human Resources, the learning plan to support managers and employees in the implementation of approved policies will be developed as they are approved.  We will leverage the work done at Health Canada and elsewhere to the extent possible.  CFO September 2012 – start of training

Stewardship

59. The Chief Financial Officer should develop a multi-year comprehensive implementation plan, assign required resources and establish a structure to manage and oversee this initiative in order to meet the requirements set out in the Treasury Board Policy on Internal Control.

Agree.  The OCFO will develop a multi-year plan for implementing the Policy on Internal Control that will include tasks, timelines and resources for review by the Executive and Audit Committees.

The OCFO has completed the initial work on the implementation of the Policy on Internal Control, namely:

  • Identify significant accounts from financial statements and related locations, processes and IT applications
  • Document and validate four critical business processes, including controls, namely:
    • Grants and contributions
    • Payroll
    • Procurement and contracting
    • Capital assets

We have benefited greatly by using work available from Health Canada (HC), whose financial systems we use and who has been a leader in government in implementing the Policy on Internal Control. As recommended by TBS, we will rely on HC for the management of IT General Controls. Next steps include:

  1. Identification of key risks and related key controls;
  2. Assessment of design and operating effectiveness of Entity Level Controls in the context of the new organization and governance structures;
  3. Test the design effectiveness of all key controls in the four major business processes and identify remediation activities; and
  4. Test the operating effectiveness of all key controls in the four major business processes and identify remediation activities.

Ongoing activities will include: monitoring remediation work, monitoring all key controls and reporting as required, and expanding the work to other business processes such as travel.

CFO

June 2012

Accountability

69. The Chief Financial Officer should seek amendments to the interdepartmental arrangement with Health Canada with respect to financial services, including formal assurance mechanisms on financial management processes handled by Health Canada on behalf of the Agency. 

Agree. At the time of writing the OCFO is working closely with colleagues at HC to redefine our service relationships. We anticipate that a TB Directive on the provision of internal support services (such as finance, HR, IM, etc.) between departments and agencies will be promulgated. That Directive will include requirements for written agreements between departments and will guide the development of a new agreement. Important features are expected to include:

  • description of the services to be provided
  • roles and responsibilities of the parties
  • mechanisms for decision making and dispute resolution
  • period of the agreement and the notice required for withdrawal or termination
  • service levels and performance expectations
  • basis for charging for the services provided

 

CFO

September 2012

 

Appendix C: OCFO Financial Management Structure

The following diagram represents the organizational structure of the OCFO.
Organizational structure of the OCFO

Text Equivalent

The diagram represents the organisational chart of the Office of the Chief Financial Officer at the time of the audit. The Chief Financial Officer, which is comprised of 4 FTE’s, reports directly to the Chief Public Health Officer and Associate Deputy Minister. Positions reporting to the Chief Financial Officer are: Director, Resource Management Analysis, Director, Financial Policy, Systems & Operations and Director, Centre for Grants and Contributions, which are comprised of 22, 19 and 21 FTE’s respectively.

The OCFO’s key financial management responsibilities are as follow:

Appendix D:  List of Acronyms

  • Agency - Public Health Agency of Canada
  • CFO - Chief Financial Officer
  • CPHO - Chief Public Health Officer
  • EC - Executive Committee
  • FAA  - Financial Administration Act
  • FTE - Full Time Equivalent
  • G&C  - Grants and Contributions
  • HC - Health Canada
  • MAF -  Management Accountability Framework
  • NCR - National Capital Region
  • OCFO  - Office of the Chief Financial Officer
  • PHAC  - Public Health Agency of Canada
  • PDP - Professional Development Plan
  • RPMC - Resource Planning and Management Committee
  • TB  - Treasury Board
  • TBS - Treasury Board Secretariat

Page details

Date modified: