Management Response and Action Plan - Audit of Internal Control over Financial Reporting

Download the alternative format
(PDF format, 187KB, 4 pages)

Management Response and Action Plan - June 6, 2017
Recommendation Management Response and Planned Management Action Deliverables Expected Completion Date Responsibility

Recommendation 1

It is recommended that the Chief Financial Officer (CFO) ensures that the Internal Control over Financial Reporting (ICFR) Framework is refreshed to include and refine ICFR specific roles and responsibilities of the Office of the Chief Financial Officer (OCFO) and Internal Controls Directorate (ICD) under the Shared Services Partnership (SSP), including: the engagement of OCFO in the development of testing and monitoring strategies, procedures and formalization of related reporting requirements.

 

Management agrees with this recommendation.

Management will refresh the ICFR Framework and accompanying documents to include and refine ICFR specific roles and responsibilities of OCFO and ICD under the SSP including formalizing the sharing of testing and monitoring results.

1.1 An updated ICFR framework defining ICFR specific roles and responsibilities of OCFO and ICD under the SSP.

October 31, 2017

CFO in collaboration with Health Canada Chief Financial Officer Branch (CFOB)

Recommendation 2

It is recommended that the CFO, in conjunction with business process owners, ensure that:

  1. Risk-control matrices of business processes and sub-processes include the documentation and ranking of specific risks to Financial Statements; and,
  2. business processes and related risk-control matrices are formally validated by process owners on an annual basis.

Management agrees with this recommendation.

Management will review existing risk-control matrices to ensure specific risks to financial statements are documented and ranked and will ensure that business process owners review and formally approve process maps including key controls annually.

2.1 The Risk-control matrices of business processes and sub-processes will be reviewed to include the risk description and ranking related to financial statements. Updated risk-control matrices will be shared.

May 31, 2018

CFO in collaboration with Health Canada CFOB

2.2 The processes to validate business processes including key controls on an annual basis will be formalized and the requirement will be communicated to business process owners during the annual validation exercise.

 

May 31, 2018

CFO in collaboration with Health Canada CFOB

Recommendation 3

It is recommended that the CFO reviews ICFR testing strategies and methodologies, and ensures that, when needed:

  1. testing methodologies are aligned with the objective of the test, and adequately leverage and document reliance on existing system functionalities and compensating controls; and,
  2. there is a documented process for the quality assurance of testing activities.

Management agrees with this recommendation.

As part of the review of existing risk-control matrices, management will ensure that testing methodologies are aligned with the objective of testing and opportunities for efficiencies in testing are realized to the extent possible. Further, management will ensure that there is a formal process in place for peer or supervisor review over testing activities.

3.1 Risk-control matrices will be reviewed and updated, as necessary, to align testing methodologies with the objective of testing and key controls.

Opportunities where efficiencies may be gained in the design of testing methodologies will be identified as appropriate.

March 31, 2018

CFO in collaboration with Health Canada CFOB

3.2 A sign-off process over testing activities including a quality assurance checklist will be formalized and implemented for testing occurring in 2017-18 and onwards.

March 31, 2018

CFO in collaboration with Health Canada CFOB

Page details

Date modified: