Audit of Internal Control over Financial Reporting at the Public Health Agency of Canada


Organisation:
Public Health Agency of Canada

Publication Date: 2017-09-25

June 2017


Executive summary

The Treasury Board Policy on Internal Control (PIC) came into effect in 2009 requiring Deputy Ministers, as designated accounting officers for their organizations under the Financial Administration Act, to establish and maintain a system of internal control related to financial management including financial reporting and departmental accounts.

To comply with PIC requirements and improve the quality of financial management and reporting, the Public Health Agency of Canada (PHAC) has developed an Internal Control over Financial Reporting (ICFR) framework that included the initial ‘implementation’ of the system of ICFR and a PHAC Risk-Based Monitoring Strategy for its ongoing monitoring. With the implementation stage of ICFR complete, PHAC is now entering the monitoring stage of the cycle.

It should be noted that as of April 1, 2017 (subsequent to substantial completion of the conduct phase of this audit), the PIC requirements have been integrated into the new Treasury Board Policy on Financial Management. The requirements of the new Policy on Financial Management were considered in this report.

The objective of this audit was to assess the effectiveness of the implementation and ongoing operation of the ICFR management control framework established by the Office of the Chief Financial Officer (OCFO).

The scope of the audit was risk-based and included the examination of key aspects of the ICFR system during the 2015-16 and 2016-17 fiscal years. The audit focused on governance, risk management and internal controls and processes related to the design, testing and monitoring of ICFR.

As a result of interviews, documentation review and re-performance of select testing procedures, sufficient and appropriate audit evidence was obtained to support the conclusion of the audit. The audit concluded that there is an adequate management control framework in place including governance, risk management processes, and related internal controls to support the ongoing operation and monitoring of an effective system of ICFR. Specifically, the audit found that:

  • ICFR roles and responsibilities are defined and documented in the associated Framework and Monitoring Strategy documents to support effective governance;
  • Results of ICFR assessments are reported by the CFO to the Departmental Audit Committee (DAC) in support of oversight;
  • A risk-based process has been undertaken to define and document the design of the ICFR system and a risk-based monitoring strategy is in place that provides a strong platform for on-going monitoring;
  • Testing strategies and methodologies have been developed for the periodic assessment of the system of controls; and,
  • There is a framework in place for the reporting and follow-up of identified control deficiencies.

The audit also identified opportunities for further improvements to the system of ICFR and makes the following recommendations:

  1. It is recommended that the CFO ensures that the ICFR Framework is refreshed to include and refine ICFR specific roles and responsibilities of OCFO and Internal Control Division (ICD) under the Shared Services Partnership (SSP), including: the engagement of OCFO in the development of testing and monitoring strategies, procedures and formalization of related reporting requirements.
  2. It is recommended that the CFO, in conjunction with business process owners, ensure that:
    1. risk-control matrices of business processes and sub-processes include the documentation and ranking of specific risks to Financial Statements; and,
    2. business processes and related risk-control matrices are formally validated by process owners on an annual basis.
  3. It is recommended that the CFO reviews ICFR testing strategies and methodologies, and ensures that, when needed:
    1. testing methodologies are aligned with the objective of the test, and adequately leverage and document reliance on existing system functionalities and compensating controls; and,
    2. there is a documented process for the quality assurance of testing activities.

Management agrees with the recommendations in this report and has provided an action plan addressing the agreed upon recommendations to further strengthen the management control framework supporting internal controls over financial reporting.

A. Introduction

1. Background

Reliable financial reporting supports decision-making, policy development, and program and service delivery. It also provides transparency and accountability on the spending of public funds to achieve results for Canadians.

Treasury Board Policy

In 2009, Treasury Board introduced the Policy on Internal Control (PIC), which requires departments to establish, maintain, monitor and review the departmental system of internal control to mitigate risks and provide reasonable assurance in the following broad categories [Footnote 1]:

  • The effectiveness and efficiency of programs, operations and resource management, including safeguarding of assets;
  • The reliability of financial reporting; and
  • Compliance with legislation, regulations, policies and delegated authorities.

The PIC emphasizes the importance of internal controls over financial reporting (ICFR) by requiring Deputy Heads and Chief Financial Officers (CFO) to sign an annual departmental Statement of Management Responsibility including Internal Control over Financial Reporting (the Statement). This Statement acknowledges management’s responsibility for maintaining an effective system of internal controls to ensure reliable financial information, safeguarding of assets, and ensuring transactions are properly authorized and recorded. Since 2012, in addition to the Statement, departments are required to include an annex summarizing the results of the annual assessment of the effectiveness of the system of internal controls, and an action plan that outlines the implementation of improvements in the next and subsequent fiscal years.

The PIC specifically defines ICFR as a part of a larger framework of internal controls, and states that ICFR helps to ensure that:

  • records fairly reflecting all financial transactions are maintained;
  • recording of financial transactions permits the preparation of internal and external financial information, reports, and statements in accordance with policies, directives and standards;
  • revenues received and expenditures are made in accordance with delegated authorities and unauthorized transactions that could have a material effect on financial information and financial statements are prevented or detected in a timely manner; and
  • reasonable assurance can be provided so that financial resources are safeguarded against material loss due to waste, abuse, mismanagement, errors, fraud, omissions and other irregularities.

To meet the expectations of the PIC and support the signing of the Statement, departments must conduct an annual risk-based assessment of the system of internal control over financial reporting to determine its on-going effectiveness. They must also establish and report on action plans that have been prepared to address any significant issues identified as a result of the annual assessment.

It should be noted that as of April 1, 2017 (subsequent to substantial completion of the conduct phase of this audit), the PIC requirements have been integrated into the new Treasury Board Policy on Financial Management. The requirements of the new Policy on Financial Management were considered in this report.

Fundamental to developing and maintaining an effective system of ICFR are the following: scoping of financial statement accounts and business processes; design effectiveness testing; operational effectiveness testing; and on-going monitoring (see Appendix C). An effective system of ICFR includes internal controls categorized as:

  • Entity Level Controls (ELCs): high level controls that address the organization’s overall environment. Examples include tone from the top, commitment to competence, and commitment to integrity and ethics.
  • Information Technology General Controls (ITGCs): controls over the organization’s information technology systems. Examples include restricting access to programs and data, or changes to programs.
  • Business Process Level Controls (PLCs): controls applicable to specific business processes such as grants and contributions, procurement, or accounts payable. Responsibility for the effectiveness of these controls may fall under senior management of branches outside of finance.

Public Health Agency of Canada

Since 2012, in accordance with the PIC, PHAC has produced financial statements accompanied with the Statement of Management Responsibility including Internal Controls over Financial Reporting and the associated annex. PHAC has also taken steps to implement the other requirements of the PIC. The Office of the Chief Financial Officer (OCFO) developed a framework in 2013, which specifies responsibilities for internal control, including internal controls over financial reporting. Scoping of processes supporting financial statement accounts and related control activities was undertaken and related testing was completed in 2015-16 and the established cycle for on-going monitoring and testing commenced in 2016-17. The audit was timed to provide independent assurance and advice on the effectiveness of the implementation and ongoing operation of ICFR at this key time of transition from implementation to on-going monitoring.

PHAC works with Health Canada in a shared services environment. This means that while accountability for ICFR rests with PHAC senior management, responsibility for the identified key business processes and related testing is divided between PHAC and Health Canada (see Appendix D) under the Shared Services Partnership agreement. Specifically, the responsibility for the establishment, maintenance, monitoring and review of PHAC’s system of internal control is divided between the Resource Management and Analysis Division, OCFO within PHAC, and the Internal Control Division of Health Canada (see Appendix E).

2. Audit objective

The objective of the audit was to assess the effectiveness of the implementation and ongoing operation of the ICFR management control framework established by the OCFO.

3. Audit scope

The audit assessed the framework and related processes in place at PHAC during the 2015-16 and 2016-17 fiscal years for purposes of monitoring and reporting on the effectiveness of the system of ICFR.  

The following are key elements and related processes included as part of the assessment:

  • Governance structure in place to support ICFR, including accountability, responsibility and oversight mechanisms;
  • Risk assessments and the design of related internal controls over ICFR with emphasis on key business processes;
  • Approach(es) implemented for conducting control testing and ongoing monitoring (strategies and methodologies); and,
  • Reporting and monitoring of identified deficiencies and related management action plans.

The audit does not provide an opinion on the accuracy of the balances presented in the financial statements of PHAC.

4. Audit approach

During the planning phase of the audit, a review of relevant documentation was undertaken to gain an understanding of the current environment related to ICFR at PHAC and form a basis for audit work to be conducted. Documentation reviewed included prior related audit reports and assessments within PHAC, Health Canada and other government departments; the Treasury Board Policy on Internal Control and supporting guidance; and, PHAC reports and presentations related to monitoring efforts recently undertaken. Based on the knowledge gained, a risk assessment was undertaken and appropriate criteria developed to address the audit objective.

Under the Shared Services Partnership agreement, both PHAC and Health Canada share responsibilities for the monitoring of ICFR impacting PHAC’s financial statements.  As such, the scope of the conduct phase of the audit included processes within both organizations. The conduct phase activities included: the review and analysis of reports and documentation related to ICFR; interviews with key stakeholders; the review of assessment, testing and monitoring activities; and, the re-performance of a sample of the testing of controls undertaken by both PHAC and Health Canada.

Specific lines of enquiry and audit criteria are presented in Appendix A.

5. Statement of conformance

In the professional judgment of the Chief Audit Executive, sufficient and appropriate procedures were performed and evidence gathered to support the accuracy of the audit conclusion. The audit findings and conclusion are based on a comparison of the conditions that existed as of the date of the audit, against established criteria that were agreed upon with management. Further, the evidence was gathered in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing. The audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program.

B. Findings, recommendations and management responses

This chapter presents key audit findings and associated recommendations for each audit criterion. A summary ranking of conclusions for all criteria is provided in Appendix B.

1. Governance

1.1 Governance

Audit criterion:

PHAC has established an effective governance process to oversee the implementation and monitoring of an effective system of internal control over financial reporting (ICFR).

Observations:

The audit expected to find that accountability and responsibilities for ICFR are clearly defined, documented and sufficiently communicated to key stakeholders. It was also expected that there is an effective process in place for the oversight of the system of ICFR and related monitoring activities.

Oversight bodies

Oversight bodies require regular reporting to keep them informed of ICFR monitoring activities and to support them in fulfilling their ICFR responsibilities. Based on requirements outlined in the TBS Policy on Internal Control (PIC) and the PHAC ICFR framework, the key oversight bodies for ICFR are the Departmental Audit Committee (DAC) and senior management committees.

The two senior management committees considered in this audit were the PHAC Executive Committee (PHAC-EC) and the Partnership Executive Committee (PEC) Financial Operations Co-Management Committee. PHAC-EC is chaired by the President and its membership includes the Chief Public Health Officer, ADMs/Branch heads, and the CFO, amongst others. The committee meets on a weekly basis to discuss, amongst other things, horizontal issues requiring strategic direction and issues that have implications for the Minister. The PEC Financial Operations Co-Management Committee has no formal terms of reference. Membership includes the Department’s and PHAC’s CFOs, and meetings are held on an ad-hoc basis. The audit work included the review of meeting minutes and records of decisions for the 2015-16 and 2016-17 fiscal years, up to January 2017. It was observed that annual reporting to the DAC has taken place, in the form of a high-level summary presentation comprising: assessment results; the status of testing activities against the plan; and action plans to address deficiencies.

In the past, in addition to information provided by the CFO, the DAC has had the benefit of being informed through the results of annual audits of Key Financial Controls conducted by the Office of Audit and Evaluation (OAE). The OAE has no plans to continue these audits on a regular basis. In light of this and the fact that the DAC has recently added two new members, it may be of benefit for the CFO to consult with the DAC members and ascertain whether the frequency and nature of the current high-level reporting provided to the DAC meets the committee’s information requirements with regard to ICFR.

Review of the minutes of PHAC-EC meetings and of the meeting agendas for the PEC Financial Operations Co-Management Committee established that ICFR has not been an agenda item or a topic of discussion.

Defining and formalizing ICFR related information and reporting requirements for the senior management committees would further enhance oversight within the governance framework and better support these oversight bodies in making decisions related to the implementation and monitoring activities of ICFR.

ICFR governance framework:

A framework document, the PHAC Internal Control over Financial Reporting Framework (the framework), has been developed and was approved by the President and CFO in November 2013. The stated objectives of the framework include: the maintenance of an effective risk-based system of internal control including ICFR to manage risks related to the stewardship of public resources; and, that roles and responsibilities related to internal controls are communicated and well understood. The framework provides an overview of ICFR within the context of the Policy on Internal Control (PIC) and defines, at a general level, ICFR-related accountabilities and responsibilities for key individuals including the: President, CFO, Chief Audit Executive (CAE), DAC members and PHAC’s senior management.

The audit identified areas where opportunities for improvement exist with regards to the framework and its underlying governance structure:

There is an opportunity to clarify the framework to help ensure a clearer distinction between the broad system of internal control as described in the PIC and the system of ICFR. The framework’s stated objectives are broad and encompass the overall system of internal control including ICFR. Defining the objective in broad terms could result in the inefficient design of testing activities and/or reaching an incorrect conclusion, based on the results of testing a broader set of controls rather than those specific to ICFR.

The framework document does not outline key elements (such as risk assessments, sampling strategies and methodologies, monitoring and reporting mechanisms, and ICFR roles and responsibilities) in sufficient detail, including roles and responsibilities under the Shared Services Partnership (SSP). The audit found that a separate document, the PHAC Risk Based Monitoring Strategy to Address Requirements of PIC, has been developed, which does outline ICFR roles and responsibilities in greater detail and addresses key elements, including risk assessments, approaches for ongoing testing, and monitoring and reporting processes. However, the PHAC Risk Based Monitoring Strategy document, although more detailed in outlining roles and responsibilities, does not clearly define PHAC’s level of engagement and input into the testing and reporting process under the SSP for processes and controls affecting PHAC. Interviews revealed that the PEC Financial Operations Co-Management Committee is a forum where issues impacting the SSP and ICFR may be discussed. However, interviews also established that such discussions at the committee have been infrequent and/or at a high level. Further, it was established that interaction at the working level between the Office of the Chief Financial Officer (OCFO) and Health Canada’s (HC) Internal Control Division (ICD) is also limited and occurs largely on an informal basis, typically at the time of reporting to the DAC.

Finally, there was no evidence of adequate communication of the framework and strategy document to the appropriate parties to whom ICFR responsibilities have been assigned.

Defining and communicating responsibilities and related processes addressing ICFR activities under the SSP would minimize the risk that PHAC-specific controls are not adequately monitored and tested, or that monitoring results are not adequately communicated to and considered by PHAC’s management and staff.

Recommendation 1
It is recommended that the CFO ensures that the ICFR Framework is refreshed to include and refine ICFR specific roles and responsibilities of OCFO and ICD under the SSP, including: the engagement of OCFO in the development of testing and monitoring strategies, procedures and formalization of related reporting requirements.

Management response

Management agrees with this recommendation.

Management will refresh the Internal Control over Financial Reporting Framework (ICFR) and accompanying documents to include and refine ICFR specific roles and responsibilities of OCFO and ICD under the SSP including formalizing the sharing of testing and monitoring results.

2. Risk management

2.1 Risk assessment

Audit criterion:

Risks associated with the delivery of the ICFR are identified, assessed and managed.

Observations:

The implementation of the PIC requires that the Deputy Head in conjunction with the CFO sign off on the Statement of Management Responsibility, which includes the acknowledgement to conduct an annual risk-based assessment of the system of ICFR to determine its on-going effectiveness.

The audit team expected that, in compliance with the PIC requirements, adequate management practices would be in place to address risks in the areas of: methodologies for identifying and assigning risk to financial statement accounts, underlying business processes, and related controls; developing and undertaking testing methodologies; and, capacity to sustain effective support and monitoring of the system of ICFR.

Risk management practices:

PHAC’s key guiding document for implementing risk management in regards to ICFR is PHAC’s Risk Based Monitoring Strategy to Address Requirements of PIC. The strategy document identifies key elements of the ICFR system; presents an overall approach to monitoring; assigns roles and responsibilities for key stakeholders; and, outlines risk-based methodologies employed in identifying financial statement accounts and supporting business processes to be included in the scope of testing.

Results of the initial risk assessment exercises have been documented and an appropriate strategy and schedule have been developed to conduct on-going monitoring and related testing. The strategy also outlines the requirements for reporting on annual monitoring and test results to PHAC’s senior management, President and the DAC.

The audit reviewed the key supporting tools and documentation of the risk assessment, which included process control matrices, risk assessments, testing methodologies and reported results. The review confirmed that risk management activities are aligned and undertaken in accordance with PHAC’s Risk Based Monitoring Strategy, and as required, PHAC’s management and DAC are involved in the process.  

Capacity to sustain ICFR activities

PHAC is currently progressing into the monitoring stage of the PIC / ICFR cycle. During the implementation stage, and in particular in the formulation of strategies and tools and initial undertaking of assessments, PHAC relied on the expertise and services of external contractors to a significant degree. In regards to on-going testing of a majority of the identified business processes, PHAC relies, in part, on ICD to complete this work under the SSP. Within PHAC, ICFR monitoring and testing is the responsibility of two individuals within the Resources Management and Analysis Division (RMAD) of OCFO who are not exclusively dedicated to this effort.

Although the above resourcing issues pose some challenges to future maintenance and continued operation of an effective system of ICFR, senior management confirmed that any underlying risks have been assessed as low and that a need for additional resources would not likely be immediate and/or critical. Management is confident that should the need arise, there is adequate capacity to contract external expertise.

Overall, the PHAC Risk Based Monitoring Strategy to Address Requirements of PIC, provides PHAC with an adequate platform for assessing and monitoring risks in regards to ICFR.

3. Internal controls

3.1 Scoping

Audit criterion:

PHAC has identified key financial accounts, and documented business processes and the relevant control points.

Observations:

Scoping is the identification of significant accounts of the financial statements that will be subject to the ICFR assessment process, and a key first step in applying a risk-based approach.

PHAC has undertaken a scoping exercise to identify financial processes that support the identification of key controls. The exercise considered individual line item accounts of the financial statements and applied materiality as the sole criterion for scoping accounts in or out of the assessment. A process-level risk assessment was then undertaken to establish the frequency at which the processes would be assessed. This process considered relevant risk factors for assessing inherent and control risk, including among others: materiality, extent of judgement required, accounting changes, complexity, and history of control failures.

The audit identified a few areas where opportunities for improvement exist.

A number of factors were appropriately considered in the ranking of in-scope business processes for purposes of assessing the frequency of testing for each process and related controls. However, the audit found that the scoping of financial statement accounts was based exclusively on the materiality of the account balances relative to the overall expenditures of PHAC. Consideration of qualitative factors, in addition to materiality, would reduce the risk that accounts with greater susceptibility to misstatement, and their related process controls, are excluded from assessment. Qualitative factors could include: complexity and homogeneity of individual transactions; history of exposure to losses represented by the account; susceptibility to loss due to errors or fraud; and percent change in account balance from prior year(s). Another consideration in the scoping of financial accounts is Materiality for Planning Purposes (MPP). MPP considers the risk of the cumulative effect of potential misstatement in multiple accounts and thus may be a more appropriate measure for identifying financial statement items for inclusion in the scope of the assessment.

The audit also identified instances where certain PHAC financial statement accounts that were scoped in, and that are associated with a business process under the responsibility of the SSP, were not addressed in the design of the monitoring and testing activities undertaken by ICD. Accounts where this was evidenced include Due from Consolidated Revenue, Vacation Pay and Compensatory Leave, and Employee Future Benefits.

The above indicates that there is a risk that adequate monitoring and testing of controls related to certain PHAC accounts may not be undertaken. Consideration and incorporation of the above into future refinements of the account scoping process would benefit the overall monitoring of the system of ICFR. Actions to mitigate this risk are identified by Recommendation 1 which addresses requirements for adequate engagement of OCFO in the testing and monitoring strategies undertaken on behalf of PHAC under the SSP.

3.2 Design effectiveness testing

Audit criterion:

PHAC has developed and implemented a process that ensures control points are aligned with the risks they aim to mitigate.

Observations:

Once risks to financial statements have been identified, development and alignment of key controls with the key risks to the financial statements they aim to mitigate (the design of ICFR) is the next fundamental step in the overall system. Design effectiveness testing assesses whether controls exist for identified risks and whether they are designed in such a manner that, if properly implemented and executed, they would be effective in mitigating the identified risks related to financial reporting.

Development of “risk-control matrices” and validation of their design is an accepted best practice as a key output of the test of design process. Key attributes of a well-designed risk-control matrix include: identification of the risk to the financial statements and linking to financial statement assertion(s); an assessment of the ranking of individual identified risks; identification of the control(s) that address the specific risk and clear definition of related control activities; the person / position or system exercising the control; the nature of the control (preventative or detective); and the frequency at which the control is exercised. Additional attributes include identification of the type of control (reconciliation, review, authorization, access, segregation of duties) and where the control is exercised (if applicable, i.e., region, headquarters).

A well-designed risk-control matrix demonstrates that management has a global view of risks and has considered the types of mitigating controls in place, by identifying “key” or critical controls in the management of the related risks and for the development of effective and efficient testing strategies.

The audit team found that risk-control matrices have been developed for all scoped-in business processes as identified in Appendix D. The matrices have been documented in a standard format that is consistent with best practices and demonstrate control alignment with underlying risks. The matrices identify: controls and related control activities, the financial statement assertions addressed, the nature and type of the control and how often the control is exercised.

Overall, matrices are adequately supported by a documented description of the business process. Design effectiveness testing has been carried out and documented for all in-scope processes.

The audit also made the following observations that present opportunities to further improve and standardize the approach to developing and documenting risk-control matrices:

  • Controls have been linked to financial statement assertions; however, specific financial reporting risks, including risks related to fraud, have not been explicitly identified. The identification and documentation of specific risks better defines the control environment around ICFR and enhances the determination and ranking of key risks and related controls.

  • There is no evidence to support that the timely review and validation of business processes by process owners occurs. ICD noted that updates of business processes are synchronized with the timetable for assessment of the related controls, so that for medium and low risk processes the updates would only take place every two and three years respectively.

    A more formal and timely approach to the validation of business processes by the process owners would mitigate the risk that significant changes go unnoticed, and would enhance accountability by formalizing the process and obtaining positive, documented confirmation from process owners.

Recommendation 2

It is recommended that the CFO, in conjunction with business process owners, ensure that:

  1. risk-control matrices of business processes and sub-processes include the documentation and ranking of specific risks to Financial Statements; and,
  2. business processes and related risk-control matrices are formally validated by process owners on an annual basis.

Management response

Management agrees with this recommendation.

Management will review existing risk-control matrices to ensure specific risks to financial statements are documented and ranked and will ensure that business process owners review and formally approve process maps including key controls annually.

3.3 Operational effectiveness testing

Audit criterion:

PHAC has implemented a process to ensure key controls are operating as intended.

Observations:

Testing the operational effectiveness of internal controls is a requirement of the PIC and is a critical element of the system of ICFR. The results of the testing provide the basis for the extent of reliance placed on the system of controls and for taking appropriate actions to address deficiencies.

Operational effectiveness testing is a shared responsibility between PHAC’s RMAD and Health Canada’s ICD under the SSP (for specific areas of responsibility refer to Appendix D).

The audit expected that:

  • the overall strategy for operating effectiveness testing is documented and is risk based;
  • testing methodologies are aligned to control activities and objectives;
  • key business processes controls are adequately tested / assessed at a frequency that is consistent with the associated risk level; and,
  • evidence is obtained in support of testing results and conclusions.

The audit included a review of the testing methodology and results, and re-performance of the testing of select business process controls. The audit confirmed that, overall, appropriate testing processes are in place to assess ongoing effectiveness of controls. Specifically, the audit team found that:

  • testing undertaken reflects the status of implementation of the PIC and ICFR, and the frequency of testing is guided by the respective risk-based monitoring strategies. HC is in the monitoring phase of the ICFR, while PHAC has completed initial design and effectiveness testing of all identified business process controls and is entering the monitoring phase;
  • entity level controls were assessed by PHAC in fiscal 2016-17 with no major deficiencies identified;
  • information technology general controls are under the scope of the SSP and were assessed in fiscal year 2015-16 by ICD; and,
  • a testing strategy has been developed for each control identified in the risk-control matrix of business processes. The risk-control matrices also serve as a tool for capturing the results of testing of individual controls, including identified deficiencies, where applicable.

The audit identified the following areas where opportunities for improvements exist to further strengthen the testing of controls:

For certain business processes and related controls, efficiency may be gained by refining testing strategies to leverage results of related or compensating controls found to be effective. For example, performing a test on the maintenance of specimen signature cards and associated system control may, in part, limit the extent of testing conducted to confirm sections 32, 33 and 34 of the Financial Administration Act, for multiple sample items.

Review of the testing methodologies and re-performance of related procedures identified that there are instances where the testing strategy and evidence obtained did not fully align with the testing objective. Examples include:

  • testing of controls where reliance was placed on QA activities was limited to only confirming that the QA was performed. However, there was no re-performance of the procedural steps of the QA control or the key control itself to ensure the required control activities were undertaken effectively;
  • testing of control activity that specified detailed requirements such as preparation and review of supporting reporting packages and related analyses. However, the testing methodology and evidence obtained was limited to a review of signatures on statements and related approval slips; and,
  • for one business sub-process reviewed, the random sampling approach resulted in a sample consisting primarily of low risk transactions. These sample items were not subjected to full testing procedures. A targeted sampling approach may be more efficient in directing effort to high risk transactions, which would provide more testing coverage of the associated controls.

Moreover, for certain controls, the testing strategies employed by ICD were identified as HC-specific controls only. It would be expected that a similar control should exist and be tested for PHAC. Examples include testing related to year-over-year comparison and variance analyses of quarterly reports, and review of final financial statements. There is no documented evidence that PHAC undertakes its own testing of these controls for ICFR purposes.

Finally, there is no documented evidence of quality assurance / review of testing procedures and working papers by a peer and/or supervisor.

Addressing the above points would enhance the effectiveness and efficiency of testing; minimize risks related to the misinterpretation of testing results; and, minimize the risk of exclusion of testing of key PHAC controls.

Recommendation 3

It is recommended that the CFO review ICFR testing strategies and methodologies, and ensure that, when needed:

  1. testing methodologies are aligned with the objective of the test, and adequately leverage and document reliance on existing system functionalities and compensating controls; and,
  2. there is a documented process for the quality assurance of testing activities.

Management response

Management agrees with this recommendation.

As part of the review of existing risk-control matrices, management will ensure that testing methodologies are aligned with the objective of testing and opportunities for efficiencies in testing are realized to the extent possible. Further, management will ensure that there is a formal process in place for peer or supervisor review over testing activities.

3.4 Monitoring

Audit criterion:

Reporting and monitoring of the ICFR framework has been implemented, which includes performance metrics and timely information that allows for the identification and resolution of issues.

Observations:

A critical component of the PIC and the system of ICFR is the effective and timely monitoring and reporting of identified deficiencies. Within this context, when deficiencies are identified, business process owners are required to identify corrective actions to address them. RMAD and ICD are responsible to monitor and report on progress regarding the implementation of corrective actions addressing identified deficiencies.

The Draft PHAC Risk Based Monitoring Strategy to Address Requirements of the PIC sets out a plan for monitoring controls on a risk-based rotational basis. The monitoring plan sets out a realistic timeline for the assessment of all business process and related controls over a three-year period.

The audit team found that deficiencies are documented in the testing result summary sheets for individual business processes and are reported by the CFO to the DAC. Among the items included in these high-level reports are a status update on the implementation of corrective actions, and a summary of control assessment results and related actions. However, the reports do not provide an assessment of the level of risk posed by the identified deficiency(ies); do not identify the process owner responsible for taking action; and, do not indicate the length of time the corrective action has been outstanding.

Overall, there is effective monitoring of ICFR, consistent with PHAC’s strategy. The CFO and DAC are adequately informed of the progress of ongoing monitoring efforts and of key deficiencies identified. The monitoring and reporting process would however benefit from further refinement and formalization including:

  • assessment of the risk associated with individual identified deficiencies;
  • documentation of responsibility and timelines for corrective actions; and,
  • enhanced definition of the level of detail and frequency of reporting requirements for ICFR activities and results including those undertaken by ICD (see recommendation 1).

C - Conclusion

Based on the audit findings, the overall conclusion is that there is an adequate management control framework in place including governance, risk management processes, and related internal controls to ensure the ongoing operation and monitoring of an effective system of Internal Control over Financial Reporting (ICFR).

Effective governance is supported by defined and documented ICFR roles and responsibilities for the maintenance, monitoring and oversight of the system of controls. A risk-based approach has been employed to implement and document the system, and a risk-based monitoring strategy is in place that provides a strong platform for ongoing maintenance and monitoring. Testing strategies and methodologies have been developed for the undertaking of control assessments and oversight is supported by reporting of the results to the DAC.

However, there are opportunities for improvement to further strengthen PHAC’s system of ICFR in the areas of:

  • formalization and communication of roles and responsibilities related to ICFR activities and processes under scope of the Shared Services Partnership;
  • refinements and enhancements to the design and documentation of risk-control matrices with emphasis on:
    • explicit identification and ranking of specific risks to financial statement assertions; and,
    • validation of business processes and related risk-control matrices by process owners on an annual basis.
  • refinements and enhancements to the testing strategies and methodologies with emphasis on:
    • improving alignment of certain control activities and testing strategies to the control objectives, and further considering and integrating compensating controls for purposes of realizing efficiencies; and,
    • documenting the process for quality assurance of testing activities.

Appendix A – Lines of enquiry and criteria

Audit of Internal Controls over Financial Reporting

Line of Enquiry 1: Governance
  1.1 Governance: PHAC has established an effective governance process to oversee the implementation and monitoring of an effective system of internal control over financial reporting (ICFR). (Footnote 2)

Line of Enquiry 2: Risk management
  2.1 Risk Assessment: Risks associated with the delivery of the ICFR are identified, assessed and managed. (Footnote 3)

Line of Enquiry 3: Internal controls
  3.1 Scoping: PHAC has identified key financial accounts, and documented business processes and the relevant control points. (Footnote 4)
  3.2 Design Effectiveness Testing: PHAC has developed and implemented a process that ensures control points are aligned with the risks they aim to mitigate. (Footnote 5)
  3.3 Operational Effectiveness Testing: PHAC has implemented a process to ensure key controls are operating as intended. (Footnote 6)
  3.4 Monitoring: A monitoring framework of ICFR has been implemented, which includes performance metrics and timely information that allows for the identification and resolution of issues. (Footnote 7)

Appendix B – Scorecard

Audit of Internal Controls over Financial Reporting

Governance
  1.1 Governance
    Rating: Needs Moderate Improvement
    Conclusion: There is an adequate governance framework in place supported by an ICFR specific framework document. However, the framework should be refreshed to include and refine ICFR specific roles and responsibilities of OCFO and ICD under the SSP. Further, there is a need for identification and formalization of ICFR related information and reporting requirements for senior management committees and the DAC.
    Rec #: 1

Risk Management
  2.1 Risk Assessment
    Rating: Needs Minor Improvement
    Conclusion: Risks associated with the delivery of the ICFR are identified, assessed and managed.
    Rec #: -

Internal Control
  3.1 Scoping
    Rating: Needs Minor Improvement
    Conclusion: PHAC has identified key financial accounts, and documented business processes and the relevant control points. Improvements can be made in considering both quantitative and qualitative factors in scoping of financial statement accounts. Further, refinements should be made in appropriately linking certain financial statement accounts to associated business processes and related control activities.
    Rec #: -
  3.2 Design Effectiveness Testing
    Rating: Needs Minor Improvement
    Conclusion: A process is in place to align control points to the risks they aim to mitigate. However, there are opportunities to enhance the risk-control matrices and the process for ensuring their review and validation in a timely manner.
    Rec #: 2
  3.3 Operational Effectiveness Testing
    Rating: Needs Minor Improvement
    Conclusion: An appropriate testing process is in place to assess ongoing effectiveness of controls. However, instances have been identified where the testing methodologies were not fully aligned to the testing objective. Also, opportunities exist to further incorporate complementary testing activities and compensating controls for purposes of enhancing effectiveness and efficiencies in testing.
    Rec #: 3
  3.4 Monitoring
    Rating: Needs Minor Improvement
    Conclusion: A monitoring plan for ICFR has been implemented. Improvements can be made by assigning a level of risk to identified deficiencies; documenting timelines and the responsibilities for corrective actions; and, defining reporting requirements for ICFR activities and results undertaken by ICD.
    Rec #: -

Appendix C – Steps to ensuring an effective system of internal controls (Footnote 8)

Text equivalent

There are four key steps in implementing an effective system of internal controls. The first step, scoping, includes identifying all key business processes and financial accounts that have a significant impact on the financial statements, documenting the business processes (using flowcharts and narratives), and identifying entity-level controls, information technology general controls (ITGCs) and significant control points for all key business processes and financial accounts.

The second step includes testing the design effectiveness of the system of controls by ensuring that control points are aligned with the risks they aim to mitigate, and remediating control weaknesses where necessary.

The third step includes testing the operational effectiveness of the system by testing the key controls over a designated period to determine whether they operate as intended, and remediating control weaknesses where necessary.

The fourth step includes ongoing monitoring of the system of internal control over financial reporting (ICFR). This involves reassessing risk in light of changes in business processes or the business environment, periodic risk-based reassessments of key controls to evaluate their continued effectiveness (which may involve design effectiveness reviews), and remediating control weaknesses where necessary.

Appendix D – Internal control within the shared services model

Internal Control Environment

(Significant Responsibility for Controls with PHAC unless marked)

  1. Entity Level Controls
    • Control Environment
    • Risk Assessment
    • Information and Communication
    • Monitoring of Controls
  2. Business Process Controls
    • Budget
    • Financial Statements, Year End and Reporting (Footnote *)
    • Revenues, Receivables and Receipts
    • Purchasing, Payables and Payments (Footnote *)
    • Grants and Contributions
    • Payroll (Footnote *)
    • Capital Assets (Footnote *)
    • Inventory
  3. Information Technology (Footnote *)
    • IT General Controls
      • Systems Development
      • Change Management
      • Logical Access
      • Physical controls
      • Service & Support Processes
      • Backup & Restore
      • Security
    • Applications
      • SAP
      • GCIMS
      • PeopleSoft
    • Application Controls
      • Authorization
      • Integrity
      • Availability
      • Confidentiality
      • Segregation of duties
Footnote *: Responsibility for Controls primarily with Health Canada

Appendix E – PHAC Organizational Chart

Text equivalent

The Resource Management and Analysis Division (RMAD) reports to the Office of the Chief Financial Officer (OCFO) of the Agency.  Under the Shared Services Partnership between Health Canada and the Public Health Agency of Canada, the Internal Control Division, Financial Operations Directorate (ICD-FOD), at Health Canada also provides information to OCFO on certain aspects of Business Process Controls and Information Technology.

Footnote 1: Treasury Board Policy on Internal Control, section 5.2

Footnote 2: TBS Policy on Internal Control (April 2009).

Footnote 3: COSO (the Committee of Sponsoring Organizations of the Treadway Commission) 2013 Framework on Internal Control: Prepare for the Changes.

Footnote 4: Ibid.

Footnote 5: Ibid.

Footnote 6: Ibid.

Footnote 7: Office of the Comptroller General – Core Controls.

Footnote 8: OCG Overview of ICFR process
