Public Services and Procurement Canada
Annex A: Assessment of internal controls over financial management for year ended March 31, 2020

1. Introduction

This document provides a summary of measures taken by Public Services and Procurement Canada (PSPC) to maintain an effective system of internal control over financial management (ICFM), which includes information on internal control over financial reporting (ICFR), assessment results and related action plans.

Detailed information on the department's authority, mandate and program activities can be found in its most recent Departmental Plan and Departmental Results Report.

2. Departmental system of internal control over financial management

2.1 Internal control management

PSPC has a well-established governance and accountability structure to support departmental assessment efforts and oversight of its system of internal control. This structure is formalized in the Departmental Internal Control Framework, which includes:

• organizational accountability and oversight structures to support sound financial management, including roles and responsibilities of departmental senior managers in their areas of responsibility for internal control management
• semi-annual monitoring of, and regular updates on, internal control management, as well as provision of related control assessment results and action plans to the Departmental Audit Committee (DAC)
• values and ethics, which provide educational and awareness programs and have developed a departmental code of conduct
• leveraging the work of audit and advisory services for internal audits on the effectiveness of risk management, control and governance processes, where appropriate
• risk-based management practices

The DAC provides advice to the deputy head on the adequacy and functioning of the department's risk management, control and governance frameworks and processes. It meets at least 4 times a year, and is comprised of the deputy minister, the associate deputy minister and the 4 members external to the federal public administration, one of whom is the chair. Its meetings are also attended by the chief financial officer and the chief audit executive.

To provide reasonable assurance that financial controls are in place and operating as intended and adequately, PSPC conducts risk-based assessments, leverages ongoing monitoring programs and conducts specific year-end reviews, including:

• information technology general controls (ITGCs) monitoring, for the financial management system, including feeder systems
• financial advisor reviews of program management budgets and forecasts
• performance management assessments based on the Financial Management Framework
• awareness and monitoring of internal financial control audits and assessments performed by program management
• results of control audits and management accountability framework assessments by the Office of the Comptroller General
• documentation and assessment of internal controls by common service provider entities

These activities help ensure that:

• financial arrangements or contracts are entered into only when sufficient funding is available
• payments for goods and services are made only when the goods and services are received or the conditions of contracts or other arrangements have been satisfied
• payments have been properly authorized

In addition, PSPC leverages results and findings from audits performed by external auditors, and the Office of Audit and Evaluation, as input in its assessments of the control environment, as follows:

• annual financial statement audits of the revolving funds performed by an independent auditor
• public accounts audits performed by the Office of the Auditor General

2.2 Service arrangements relevant to financial statements

PSPC relies on other organizations for processing certain transactions that are recorded in its financial statements as follows:

Common service arrangements

PSPC provides common services to other organizations for processing certain transactions that are recorded in their financial statements. In addition, PSPC relies on services provided by other organizations:

• the Treasury Board of Canada Secretariat provides services related to public sector insurance for employees of PSPC, and centrally administers payment of the employer's share of contributions toward statutory employee benefit plans (in other words, the Public Service Pension Plan, Employment Insurance Plan, Canada Pension Plan, Quebec Pension Plan and Public Service Supplementary Death Benefit Plan) on behalf of PSPC
• the Department of Justice Canada provides legal services to PSPC
• Shared Services Canada provides information technology infrastructure services to PSPC in the areas of data centre and network services. The scope and responsibilities are addressed in the interdepartmental arrangement between Shared Services Canada and PSPC

Readers of this annex may refer to the annexes of the above-noted organizations for a greater understanding of the systems of internal control over financial reporting related to these specific services.

PSPC provides common services, in the areas of procurement, accommodation, contract security, and translation, as well as pay and pension administration to other federal government departments, agencies and public service pensioners. In addition, the Receiver General for Canada administers several systems on behalf of the Government of Canada, including: Standard Payment System, Payroll System—General Ledger, and Receiver General—General Ledger.

Specific arrangements

PSPC relies on other external service providers for the processing of certain transactions or information that are recorded in its financial statements, as follows:

• PSPC provides facilities management and services through a contract with an external service provider responsible for property and facility management government-wide. It also establishes third-party leases and agreements, and provides lease administration and project delivery for all PSPC Crown-owned and leased sites across Canada. The external service provider is responsible for their own internal controls to help ensure compliance
• PSPC provides Shared Services Canada with a System, Applications and Products (SAP) based financial management system platform to capture and report all financial transactions
• an external service provider, pursuant to a contract with the Government of Canada, administers the travel management application used by PSPC to provide shared travel services to various departments
• an external service provider, pursuant to a contract with the Government of Canada, administers the relocation program provided to public service employees across the federal public service

3. Departmental assessment results for the fiscal year ending March 31, 2020

PSPC's ongoing financial control monitoring program assesses, on a cyclical basis, the state of key financial control processes performed by PSPC's Finance and Administration Branch, and the financial control activities conducted directly by branches delivering programs. This combined approach leads to a more robust and holistic view of the department's overall financial control environment, and further supports assertions made in the Statement of Management Responsibility.

For the mature processes and sub-processes, testing is conducted on a 5 year cycle. Annually, a risk assessment of the business processes for key financial reporting controls is performed, which indicates if there is a residual risk of material misstatement. This risk-based approach supports PSPC's decisions as to the scope and extent of operational effectiveness testing that is required. In the current fiscal year, efforts were concentrated on sub-processes for which a medium or high risk of material misstatement was assessed, prior to controls or mitigation strategies.

As part of ongoing monitoring, sub-processes documentation is reviewed, and design effectiveness and operations effectiveness testing is conducted on selected key controls. In addition to the ongoing monitoring of the financial controls processes, and operating effectiveness testing, corroborative procedures are performed in all of the control environments to obtain sufficient reliable evidence to support PSPC's assertion that the financial control environment in place is sound.

3.1 Mature business processes

The following table summarizes the progress of the ongoing monitoring activities performed as part of the internal control review of mature business processes, for the fiscal year ending March 31, 2020. This review is consistent with the previous year's rotational plan.

Table 1: Ongoing monitoring activities of mature business processes

Key control areas	Number of sub-processes	Number of sub-processes tested	Remedial action required
Internal control over financial reporting
Entity level controls	5	5	Yes
Information technology general controls	10	4	Yes
Sales to settlement	12	2	Yes
Procurement to payment	13	4	Yes
Departmental payroll	13	3	Yes
Capital assets and capital leases	11	2	Yes
Other significant financial statements items	8	2	Yes
Year-end financial close and financial statement presentation	8	1	Yes
Common services
Pension servicestable 1 note 1	22	1	Yes
Receiver general services	To be determined	2	Yes
Translation services	To be determined	1	Yes
Contract security services	2	1	Yes
Other common servicestable 1 note 2	To be determined	1	Yes
Table 1 Notes Table 1 Note 1 The pension services include 3 distinct plans as follows: the Public Service Pension Plan, Canadian Armed Forces Pension Plan and Royal Canadian Mounted Police Pension Plan. Return to table 1 note 1 referrer Table 1 Note 2 Although accommodation is considered mature processes, it was not completely assessed during the fiscal year ending March 31, 2020, given its scope. We will continue the assessment in the March 31, 2021 fiscal year end. Return to table 1 note 2 referrer

Due to the coronavirus pandemic, the operational effectiveness assessment of 2 sub-processes was only partially completed, the remainder will be completed in the fiscal year ending March 31, 2021.

Remedial action summary

As a result of design and operating effectiveness testing of key controls for mature business processes reviewed, no significant control deficiencies, which would expose the department to an elevated risk of material misstatement of its financial statements, have been identified. There are, however, areas that continue to require remediation:

• roles and responsibilities need to be clearly defined, documented and communicated to ensure accountability and adherence to the established processes and procedures
• training and up-to-date standardized tools/procedures are needed to support responsibility center managers and staff in performing their work more effectively and efficiently
• service standards need to be developed and implemented for enhanced quality of client service
• documentation of the performance of certain key controls needs to be improved
• reviews, monitoring and reporting of information to senior management needs to be reinforced

3.2 New business processes

Consistent with the requirements of the April 1, 2017 Treasury Board Policy on Financial Management, PSPC adds several areas of review due to their significance on its financial management or that of other departments for which PSPC provides common services.

Table 2: Ongoing monitoring activities of new business processes

Key control areas	Number of sub-processes	Number of sub-processes tested	Remedial action required
Other significant financial management control areas
Financial planning and budgeting	To be determined	1	Yes
Financial reporting	To be determined	1	No
Cabinet submissions	To be determined	2	Yes
Costing	To be determined	1	Yes
Integrated investment plan	6	4	Yes
Common services
Pay administration services	To be determined	2	Yes

Summary of work performed and results

As a result of the assessment of the new business processes, the following remedial actions have been identified:

• more consistent documentation on the performance of key controls
• additional training to clarify the roles and responsibilities among key stakeholders
• enhanced controls relating to large or complex data sets to ensure accuracy, completeness and integrity of data
• design and implementation of certain key validation controls, such as review by manager, to ensure the accuracy and completeness of information to meet legislative requirements
• stabilization of certain business processes and update of the control framework and guidelines to reflect changes to processes and controls
• enhanced monitoring controls for program activities including pay services
• updates or upgrades to human resources and pay-related systems, where possible, to ensure timely and accurate processing

PSPC is leading a significant effort to address and resolve pay issues. Progress is ongoing as it continues to work closely with other departments, central agencies, bargaining units and stakeholders. Given the current context, the departmental payroll process has been enhanced to address the challenges of reporting pay expenditures resulting from Phoenix Pay System issues. PSPC implemented significant additional internal controls, such as:

• a pre and post-payment account verification process for pay
• enhanced analytical review procedures to corroborate pay expenditures and associated assets and liabilities at year-end

4. Departmental action plan for next fiscal year and subsequent years

4.1 Ongoing monitoring for mature business processes internal control reviews

For the fiscal year ending March 31, 2021, cyclical reviews of mature internal control processes will continue, along with ongoing improvement of internal controls assessment methodology for enhanced effectiveness. The approach leverages risk-based assessments to identify best mitigation strategies, and internal control testing techniques for greater cost efficiency and assurance. Particular attention will be given to the coronavirus impact during our risk assessment, with an aim to scope in for assessment sub-processes which would be significantly affected.

Furthermore, remediation strategies identified in management action plans for the fiscals year ending March 31, 2019 and March 31, 2020 will continue to be monitored.

4.2 Other significant financial management processes

The plan for the assessment of the other significant financial management processes will be determined after a risk-based assessment is completed. The current 5 year plan is as follows:

Table 3: Other significant financial management processes planning

Key control areas	Planning and documentation Fiscal year ending March 31	Design effectiveness testing and remediation Fiscal year ending March 31	Operational effectiveness testing and remediation Fiscal year ending March 31	Ongoing monitoring rotationtable 3 note 1 Future years
Budgeting	2021 and 2022	2021 and 2022	2023	2024
Forecasting	2021	2021	2023	2024
Investment planning	2022	2022	2023	2024
Costing	2021 and 2022	2021 and 2022	2023	2024
Cabinet submissions	2021	2021	2022	2023
Chief financial officer attestation	No planned assessment	No planned assessment	2022	2023
Financial reporting	2022 and 2023	2022 and 2023	2023	2024
Table 3 Notes Table 3 Note 1 The frequency of the ongoing monitoring of key control areas is risk-based and may occur over a multi-year cycle. Return to table 3 note 1 referrer

4.3 Common service processes

As a common service provider of pay, pension, treasury, banking, procurement, translation and interpretation, accommodations and security in contracting, PSPC completes annually a risk-based assessment of the internal controls related to some of these services. The results of the assessment of certain sub-processes within the Pay Administration service are provided in sections 3.1 Mature business processes and 3.2 New business processes.

The action plan for this annual assessment for the next and subsequent years is detailed below, and could be modified once we assess the risk impact related to the coronavirus pandemic.

Table 4: Common service processes planning

Key control areastable 4 note 2	Planning and documentation Fiscal year ending March 31	Design effectiveness testing and remediation Fiscal year ending March 31	Operational effectiveness testing and remediation Fiscal year ending March 31	Ongoing monitoring rotationtable 4 note 1 Future years
Pay administration servicestable 4 note 3	2021	2021	2021	Annual
Receiver General—Pension Services	2021	2021	2021	Annual
Receiver general—Treasury	2021	2021	To be determined	To be determined
Procurement	2021 and 2022	2021 and 2022	To be determined	To be determined
Contract security	No planned assessment	No planned assessment	No planned assessment	2025 or 2026
Accommodations	2021 or 2022	2021 or 2022	To be determined	To be determined
Table 4 Notes Table 4 Note 1 The frequency of the ongoing monitoring of key control areas is risk-based and may occur over a multi-year cycle. Return to table 4 note 1 referrer Table 4 Note 2 All key control areas will include a review of information technology general controls (ITGCs) when applicable. Return to table 4 note 2 referrer Table 4 Note 3 Each year, as new pay administration processes become stabilized, they will be added to the review process. Return to table 4 note 3 referrer