Annex A: Assessment of internal controls over financial management for year ended March 31, 2024
1. Introduction
This annex provides a summary of measures taken by Public Services and Procurement Canada (PSPC) to maintain an effective system of internal control over financial management (ICFM), assessment results and related action plans.
Detailed information on the department’s authority, mandate and program activities can be found in its most recent Departmental plan and Departmental results report.
2. Departmental system of internal control over financial management
2.1 Internal control management
PSPC has a well–established governance and accountability structure to support departmental assessment efforts and oversight of its system of internal control. This structure is formalized in the Departmental Internal Control Framework, which includes:
- organizational accountability and oversight structures to support sound financial management, including roles and responsibilities of departmental senior managers, for internal control management in their areas of responsibility
-
semi–annual monitoring of, and regular updates on internal control management to the Departmental Audit Committee (DAC), by the Internal Control Directorate, on:
- related internal control assessment results
- action plans
- values and ethics, which provide educational and awareness programs, and a departmental code of conduct
- reference to and reliance on the work of audit and advisory services, which include internal audits on the effectiveness of risk management, control, and governance processes, where appropriate
- risk–based management practices
The DAC provides advice to the deputy head on the adequacy and functioning of the department’s risk management, control and governance frameworks and processes. It meets at least 4 times a year, and is comprised of the deputy minister, the associate deputy minister and 4 members external to the federal public administration, 1 of whom is the chair. Its meetings are also attended by the chief financial officer and the chief audit executive.
To provide reasonable assurance that financial controls are in place and operating as intended, PSPC conducts risk–based assessments, leverages ongoing monitoring programs, and conducts specific year-end reviews, including:
- information technology general controls (ITGCs) monitoring, for the financial management system, including feeder systems
- reviews of program management budgets and forecasts by financial management advisors
- performance management assessments based on the Financial Management Framework
- awareness and monitoring of internal financial control audits and assessments performed by program management
- results of control audits and management accountability framework assessments by the Office of the Comptroller General
- documentation and assessment of internal controls by common service provider entities
These activities help ensure that:
- financial arrangements or contracts are entered into only when sufficient funding is available
- payments for goods and services are made only when the goods and services are received, or the conditions of contracts or other arrangements have been satisfied
- payments have been properly authorized
In addition, PSPC leverages results and findings from audits performed by external auditors, audits performed by the Office of the Auditor General, and the Office of the Chief Audit, Evaluation and Risk Executive, as input in its assessments of the control environment.
2.2 Service arrangements relevant to financial statements
PSPC relies on other organizations for processing certain transactions that are recorded in its financial statements as follows:
Common service arrangements
PSPC provides common services to other organizations for processing certain transactions that are recorded in their financial statements. In addition, PSPC relies on services provided by other organizations, such as:
- the Treasury Board of Canada Secretariat (TBS), which provides services related to public sector insurance for employees of PSPC, and centrally administers payment of the employer’s share of contributions toward statutory employee benefits plan (including, the Public Service Pension Plan, Employment Insurance Plan, Canada Pension Plan, Quebec Pension Plan and Public Service Supplementary Death Benefit Plan) on behalf of PSPC
- the Department of Justice Canada, which provides legal services to PSPC
- Shared Services Canada (SSC), which provides information technology infrastructure services to PSPC, in the areas of data centre and network services (the scope and responsibilities are addressed in the interdepartmental arrangement between SSC and PSPC)
- Employment and Social Development Canada, which provides services of Worker’s Compensation Coverage for employees of PSPC
Readers of this annex may refer to the annexes of the annual consolidated financial statements of the above–noted organizations, for a greater understanding of the systems of internal controls over financial management related to these specific services.
PSPC provides common services in the areas of procurement, federal real property and infrastructure, contract security, translation and interpretation, as well as pay and pension administration to other federal government departments, agencies, and public service pensioners. In addition, the Receiver General of Canada provides treasury and banking services and administers several systems on behalf of the Government of Canada, including the Standard Payment System, Payroll System-General Ledger, and Receiver General-General Ledger.
Specific arrangements
PSPC relies on other external service providers for the processing of certain transactions or information recorded in its financial statements, as follows:
-
PSPC provides facilities management and services through a contract with an external service provider responsible for property and facility management government-wide:
- it also establishes third-party leases and agreements
- it provides lease administration and project delivery for all PSPC Crown-owned and leased sites across Canada
- the external service provider is responsible for their own internal controls to help ensure compliance
- PSPC provides SSC with an external service provider system, which is the SAP based financial management system platform, to capture and report all financial transactions
- external service providers, pursuant to a contract with the Government of Canada, support the administration of various information technology systems, such as for travel services, pay services, and the relocation program for federal public service employees
- PSPC has several SaaS (Software as a service) applications to deliver its services, such as the:
- GC Lingua used by the Translation Bureau
- Electronic Procurement Solution (EPS)
3. Departmental assessment results for the fiscal year ending March 31, 2024
PSPC’s ongoing financial control monitoring program assesses, on a multi-year rotational basis, the state of key financial control processes performed by PSPC’s Finance Branch, and the financial control activities conducted directly by branches delivering services and programs. This combined approach leads to a more robust and holistic view of the department’s overall financial control environment, and further supports assertions made in the Statement of Management Responsibility.
As in previous years, for this fiscal year, we have not identified significant deficiencies in the operation of the internal controls of sub-processes which could have a material impact on PSPC’s consolidated departmental financial statements.
For the mature processes and sub–processes, testing is conducted on a multi-year rotational cycle. Annually, a risk assessment of the business processes for key financial reporting controls is performed, to identify residual risks of material misstatement, if any. This risk–based approach supports PSPC’s decisions as to the scope and extent of operational effectiveness testing required.
PSPC is now at ongoing monitoring for Internal Controls over Financial Reporting (ICFR) and ICFM. In the current fiscal year, efforts were concentrated on Internal Controls over Common Services (ICCS), as it will continue in the coming years until they reach maturity. Documentation and design effectiveness testing were completed for new ICCS business processes, followed by operating effectiveness testing. PSPC anticipates completing documentation, design effectiveness testing and operating effectiveness testing for all ICCS processes by March 31, 2030.
As part of ongoing monitoring, sub–processes documentation is reviewed, and design effectiveness and operating effectiveness testing are conducted on selected key controls. In addition to the ongoing monitoring of the financial controls processes, and operating effectiveness testing, corroborative procedures are performed, in all the control environments, to obtain sufficient reliable evidence to support PSPC’s assertion that the financial control environment in place is sound.
3.1 Mature financial reporting business processes
The following table summarizes the progress of the ongoing monitoring activities performed as part of the internal control review of mature business processes, for the fiscal year ending March 31, 2024. This review is consistent with the previous year’s rotational plan.
| Key control areas | Number of sub–processes | Number of sub–processes tested this fiscal year |
|---|---|---|
| Internal control over financial reporting (ICFR), 100% completed and at ongoing monitoring | ||
| Entity level controls | 5 | 5 |
| Information technology general controls (ITGCs) | 19 | 5 |
| Sales to settlement | 15 | 2 |
| Procurement to payment and Contracting | 19 | 3 |
| Departmental payroll | 15 | 3 |
| Capital assets and capital leases | 11 | 2 |
| Departmental Public Accounts Receiver General of Canada | 10 | 1 |
| Other significant financial statements items | 13 | 2 |
| Departmental year–end financial close and Financial Statement Presentation | 7 | 1 |
Summary of recommended improvements
As a result of design and operating effectiveness testing of key controls for ICFR business processes assessed, no significant control deficiency, which would expose the department to an elevated risk of material misstatement of its financial statements, has been identified. There are, however, areas that could be strengthened, for which additional actions will be taken and monitored over the next fiscal year for improvement:
For ITGCs:
- access, security and change management ITGCs need to be strengthened, to ensure safeguarding of government information, and documentation practices should be enhanced to maintain sufficient audit trail
- controls related to ITGC reporting should be enhanced for transparency purposes
- training should be provided to managers for departing employees’ procedures for enhanced security
- monitoring controls for segregation of duties could be improved to better support management
For sales to settlement processes:
- training and communication of standardized procedures are needed to support responsibility center managers, and staff, in performing their work more effectively and efficiently
For procurement to payment and contracting processes:
- roles and responsibilities, need to be clearly defined, reviewed, documented, communicated, and implemented to ensure proper segregation of duties, accountability, and adherence to the established processes and procedures
- controls related to delegations of authority should be strengthened
- additional training should be provided to employees to improve performance in financial management
For capital assets and capital leases and other significant financial items:
- documentation and evidence of the performance of certain key controls need to be improved to strengthen audit trail
- the recording and filling of documents in financial and information systems should be improved for ease of retrieval and increased security
- monitoring controls could be improved to better support management
3.2 Mature financial management business processes
As required by the April 1, 2017 Treasury Board Policy on Financial Management, PSPC has several business processes which are significant to its financial management, or that of other departments for which PSPC provides common services.
PSPC is now at ongoing monitoring for Internal Controls over Financial Reporting (ICFR) and ICFM. In the current fiscal year, efforts were concentrated on Internal Controls over Common Services (ICCS), as it will continue in the coming years until they reach maturity, and no financial management business processes were assessed in 2023-24.
No assessment has been performed on financial management business processes for this fiscal year. Thus, no recommendation is issued for the current fiscal year.
3.3 Common services business processes
As a common service provider of pay, pension, treasury, banking, procurement, translation and interpretation, federal real property and infrastructure and security in contracting, PSPC provides several services to other departments. PSPC continues to identify, document and test the processes related to this area. Status of ICCS processes and improvements required in these areas are presented below:
| Key control areas | Number of sub–processes | Number of sub–processes tested this fiscal year | Percentage of processes completedtable 2 note 1 |
|---|---|---|---|
| Internal control over common services (ICCS), Approximately 50% completed and at ongoing monitoring | |||
| Pension Servicestable 2 note 2, Receiver General of Canada | 13 | 1 | 90% |
| Treasury and other services, Receiver General of Canada | 19 | 2 | 10% |
| Translation and Interpretation Services | 1 | 0 | 100% |
| Pay Administration Services | 19 | 7 | 60% |
| Contract Security Services | 2 | 0 | 100% |
| Federal Real Property and Infrastructure Services | 12 | 1 | 10% |
| Procurement and Contracting Servicestable 2 note 3 | 6 | 1 | 40% |
Table 2 Note
|
|||
Summary of recommended improvements
For pension and treasury services:
- enhance audit trail in the Case Management Tool by implementing standard templates
- develop communication letters for retirement, severance and similar activities for consistency purposes
For pay administration services:
- enhance documentation practices and audit trail to ensure transparency in the processing of pay cases
- improve job aids to provide better support, and ensure all necessary tasks are completed accurately and efficiently
- enhance monitoring and supervisory reviews to ensure compliance
For federal real property and infrastructure services:
- enhance guidance documentation by clearly specifying best practices and providing detailed instructions to ensure users are well informed
For procurement and contracting services:
- implement appropriate segregation of duties within the contract planning and approval of contract phases
- enhance documentation practices and audit trail to ensure thorough record-keeping and file completeness for all activities
- ensure proper guidance and governance over procurement activities, including proper section 41 certification, for sound procurement practices
4. Departmental action plan for next fiscal year and subsequent years
4.1 Ongoing internal control monitoring for financial reporting processes
For the fiscal year ending March 31, 2025, multi-year rotational reviews of mature internal control processes will continue, along with ongoing improvement of internal controls assessment methodology for enhanced effectiveness. For the future, PSPC’s plan is to prioritize assessments for processes evaluated at a medium to high risk level, on a five (5) year rotational basis. This approach leverages risk-based assessments to identify best mitigation strategies, and internal control testing techniques for greater cost efficiency and assurance.
As part of its ongoing ITGCs work, PSPC will continue to evaluate and prioritize assessments and monitor remediation strategies for PSPC central systems which are used to prepare financial reporting documents. This prioritization reflects PSPC’s commitment to ensure strong IT general controls in response to the Auditor General Commentary on the 2022-2023 Financial Audits.
Furthermore, remediation strategies identified in management action plans for the fiscal years ending March 31 2020, to March 31, 2022, have been addressed, and will continue to be monitored for the March 31, 2023 and 2024 recommendations.
4.2 Ongoing internal control monitoring for financial management processes
The plan for the assessment of the other significant financial management processes will be determined after the annual risk–based assessment is completed, and is as follows:
| Key control areas | Planning and documentation Fiscal year ending March 31, 2024 | Design effectiveness testing and remediation Fiscal year ending March 31, 2024 | Operational effectiveness testing and remediation Fiscal year ending March 31, 2024 | Ongoing monitoring rotationtable 3 note 1 to start in Fiscal year ending March 31 |
|---|---|---|---|---|
| Financial planning and budgetingtable 3 note 2 | Completed | Completed | Completed | 2025 |
| Forecasting | Completed | Completed | Completed | 2025 |
| Costing | Completed | Completed | Completed | 2025 |
| Cabinet submissions and chief financial officer attestation | Completed | Completed | Completed | 2025 |
| Financial reporting | Completed | Completed | Completed | 2025 |
Table 3 Notes
|
||||
4.3 Common service processes
As a common service provider of pay, pension, treasury, banking, procurement, translation and interpretation, federal real property and infrastructure and security in contracting, PSPC completes annually a risk–based assessment of the internal controls related to these services. The results of the assessment of certain sub–processes within the Pay Administration Service are provided in section 3.1.
The planned annual assessment of internal controls over common services, for the next and subsequent years is detailed below:
| Key control areastable 4 note 1 | Planning and documentation to be completed by fiscal year ending March 31 | Design effectiveness testing and remediation to be completed by fiscal year ending March 31 | Operational effectiveness testing and remediation to be completed by fiscal year ending March 31 | Ongoing monitoring rotationtable 4 note 2 starts/started in fiscal year ending March 31 |
|---|---|---|---|---|
| Pay Administration Services | 2025 | 2025 | 2025 | 2026 |
| Pension Services, Receiver General of Canada | 2025 | 2025 | 2026 | 2027 |
| Treasury and other services, Receiver General of Canada | 2025 | 2025 | 2029 | 2030 |
| Procurement and Contracting Services | 2026 | 2026 | 2026 | 2027 |
| Contract Security Services | Completed | Completed | Completed | 2023 |
| Federal Real Property and Infrastructure Services | 2026 | 2026 | 2028 | 2029 |
| Translation and Interpretation Services | Completed | Completed | Completed | 2023 |
Table 4 Notes
|
||||
Page details
- Date modified: