Annex A: Assessment of internal controls over financial management for year ended March 31, 2025

On this page

• 1. Introduction
• 2. Departmental system of internal control over financial management
• 3. Departmental assessment results for the fiscal year ending March 31, 2025
• 4. Departmental action plan for next fiscal year and subsequent years

1. Introduction

This annex provides a summary of measures taken by Public Services and Procurement Canada (PSPC) to maintain an effective system of internal control over financial management (ICFM), assessment results for fiscal year ending March 31, 2025, and related action plans for future years.

Detailed information on the department’s authority, mandate and program activities can be found in its most recent Departmental plan and Departmental results report.

2. Departmental system of internal control over financial management

2.1 Internal control management

PSPC has a well-established governance and accountability structure to support departmental assessment efforts and oversight of its system of internal control. This structure is formalized in the Departmental Internal Control Framework, which includes:

• organizational accountability and oversight structures to support sound financial management, including roles and responsibilities of departmental senior managers, for internal control management in their areas of responsibility
• semi-annual monitoring of, and regular updates on, internal control management to the Departmental Audit Committee (DAC), by the Internal Control Directorate (ICD), on:
  • related internal control assessment results
  • management action plans
• values and ethics, which provide educational and awareness programs, and a departmental code of conduct
• reference to and reliance on the work of audit and advisory services, which include internal audits on the effectiveness of risk management, control, and governance processes, where appropriate
• risk-based management practices

The DAC provides advice to the deputy head on the adequacy and functioning of the department’s risk management, control and governance frameworks and processes. It meets at least 4 times a year, and is comprised of the deputy minister, the associate deputy minister and 4 members external to the federal public administration, 1 of whom is the chair. The chief financial officer and the chief audit executive also attend its meetings.

To provide reasonable assurance that financial controls are in place and operating as intended, PSPC conducts risk-based assessments, leverages ongoing monitoring programs, and conducts specific year-end reviews, including:

• information technology general controls (ITGCs) monitoring, for the financial management systems, including feeder systems
• reviews of program management budgets and forecasts by financial management advisors
• performance management assessments based on the Financial Management Framework
• awareness and monitoring of internal financial control audits and assessments performed by program management
• results of control audits and the management accountability framework assessments, for fiscal year ending March 31, 2024, by the Office of the Comptroller General
• documentation and assessment of internal controls by common service provider entities

These activities help ensure that:

• financial arrangements or contracts are entered into only when sufficient funding is available
• payments for goods and services are made only when the goods and services are received, or the conditions of contracts or other arrangements have been satisfied
• payments have been properly authorized

In addition, PSPC leverages results and findings from audits performed by external auditors, audits performed by the Office of the Auditor General, and the Office of the Chief Audit, Evaluation and Risk Executive, as input in its assessments of the control environment.

2.2 Service arrangements relevant to financial statements

PSPC relies on other organizations for processing certain transactions that are recorded in its financial statements as follows:

Common service arrangements

PSPC provides common services to other organizations for processing certain transactions that are recorded in their financial statements. In addition, PSPC relies on services provided by other organizations, such as:

• the Treasury Board of Canada Secretariat (TBS), which provides services related to public sector insurance for employees of PSPC, and centrally administers payment of the employer’s share of contributions toward statutory employee benefits plan (including, the Public Service Pension Plan, Employment Insurance Plan, Canada Pension Plan, Quebec Pension Plan and Public Service Supplementary Death Benefit Plan) on behalf of PSPC
• the Department of Justice Canada, which provides legal services to PSPC
• Shared Services Canada (SSC), which provides information technology infrastructure services to PSPC, in the areas of data centre and network services (the scope and responsibilities are addressed in the interdepartmental arrangement between SSC and PSPC)
• Employment and Social Development Canada (ESDC), which provides services of Worker’s Compensation Coverage for employees of PSPC

Readers of this annex may refer to the annexes of the annual consolidated financial statements of the above-noted organizations, for a greater understanding of the systems of internal controls over financial management related to these specific services.

PSPC provides common services in the areas of procurement, federal real property and infrastructure, contract security, translation, and interpretation, as well as pay and pension administration to other federal government departments, agencies, and public service pensioners. In addition, the Receiver General of Canada provides treasury and banking services and administers several systems on behalf of the Government of Canada, including the Standard Payment System, Payroll System-General Ledger, and Receiver General-General Ledger.

Specific arrangements

PSPC relies on other external service providers for the processing of certain transactions or information recorded in its financial statements, as follows:

• PSPC provides facilities management and services through a contract with an external service provider responsible for property and facility management government-wide:
  • it also establishes third-party leases and agreements
  • it provides lease administration and project delivery for all PSPC Crown-owned and leased sites across Canada
  • the external service provider is responsible for their own internal controls to help ensure compliance
• PSPC provides SSC with an external service provider system, which is a SAP based financial management system platform, to capture and report all financial transactions
• external service providers, pursuant to a contract with the Government of Canada, support the administration of various information technology systems, such as for pay services, and the relocation program for federal public service employees
• PSPC has several SaaS (Software as a service) applications to deliver its services, such as the:
  • GClingua used by the Translation Bureau
  • Electronic Procurement Solution (EPS)

3. Departmental assessment results for the fiscal year ending March 31, 2025

PSPC’s ongoing financial control monitoring program assesses, on a multi-year rotational basis, the state of key financial control processes performed by PSPC’s Finance Branch, and the financial control activities conducted directly by branches delivering services and programs. This combined approach leads to a more robust and holistic view of the department’s overall financial control environment, and further supports assertions made in the Statement of Management Responsibility.

As in previous years, for this fiscal year, we have not identified significant deficiencies in the operation of the internal controls of sub-processes which could have a material impact on PSPC’s consolidated departmental financial statements.

For mature processes and sub–processes, testing is conducted on a multi-year rotational cycle. Annually, a risk assessment of the business processes for key financial reporting controls is performed, to identify residual risks of material misstatement, if any. This risk-based approach supports PSPC’s decisions as to the scope and extent of design and operational effectiveness testing required.

PSPC is now at ongoing monitoring for Internal Controls over Financial Reporting (ICFR) and Internal Controls over Financial Management (ICFM). In the current fiscal year, efforts were concentrated on Internal Controls over Common Services (ICCS), as it will continue in the coming years until they reach maturity. Documentation and design effectiveness testing were completed for new ICCS business processes, followed by operation effectiveness testing. PSPC anticipates completing documentation, design effectiveness testing and operation effectiveness testing for all ICCS processes by March 31, 2030.

As part of ongoing monitoring, sub-processes documentation is reviewed, and design effectiveness and operation effectiveness testing are conducted on selected key controls. In addition to the ongoing monitoring of the financial controls processes, and operating effectiveness testing, corroborative procedures are performed, in all the control environments, to obtain sufficient reliable evidence to support PSPC’s assertion that the financial control environment in place is sound.

3.1 Mature financial reporting business processes

The following table summarizes the progress of the ongoing monitoring activities performed as part of the internal control review of mature business processes, for the fiscal year ending March 31, 2025. This review is consistent with the previous year’s rotational plan.

Table 1: Mature business processes for internal controls over financial reporting, 100% completed and at ongoing monitoring

Key control areas	Number of sub-processes	Number of sub-processes tested this fiscal year
Entity level controls	5	2
Information technology general controls (ITGCs)	19	6
Sales to settlement	15	3
Procurement to payment and Contracting	19	4
Departmental payroll	15	2
Capital assets and capital leases	11	2
Departmental Public Accounts Receiver General of Canada	10	0
Other significant financial statements items	13	2
Departmental year-end financial close and Financial Statement Presentation	7	2

Summary of recommended improvements

As a result of design and operation effectiveness testing of key controls for ICFR business processes assessed, no significant control deficiency, which would expose the department to an elevated risk of material misstatement of its consolidated financial statements, has been identified. There are, however, areas that could be strengthened, for which additional actions will be taken and monitored over the next fiscal year for improvement.

For information technology general controls

• access management and exit procedures: strengthen and clearly communicate access controls, ensuring timely removal of access for terminated employees and strict verification of access approvals to prevent unauthorized use
• privileged access and shared accounts: regularly review and document the use of shared and privileged accounts, with proper sign-offs to ensure accountability and appropriate usage
• segregation of duties and change management: enforce clear separation between development and production environments, supported by compensating controls and formalized access management processes
• security configuration and incident handling: document password settings and mitigation measures with senior management acknowledgment, and ensure incident management includes detailed error and resolution documentation before ticket closure

For sales to settlement processes

• billing and receivables at year end (RAYE) Validation: ensure documented validation of post-billing translation services and clarify RAYE approval forms for accurate review and sign-off
• contract monitoring standards: establish clear policies for managing accommodation contracts, including automatic acceptance of unsigned Occupancy Instruments after 30 days

For procurement to payment and contracting processes

• procurement and delegation oversight: centralize procurement documents, implement clear retention and approval policies, and ensure consistent commitment authority procedures through updated guidance and regular training
• compliance and monitoring: strengthen delegation management with supervisory workflows, timely authority activation, and monitoring mechanisms to uphold service standards and policy adherence

For capital assets and capital leases and other significant financial items

• documentation and knowledge sharing: maintain records of instruction reviews, and hold lessons learned sessions, to support audit readiness and continuous learning

3.2 Mature financial management business processes

As required by the April 1, 2017 Treasury Board Policy on Financial Management, PSPC has several business processes which are significant to its financial management, or that of other departments for which PSPC provides common services.

PSPC is now at ongoing monitoring for ICFM processes and will continue to monitor these processes on a 5-year rotational basis.

Table 2: Mature business processes for internal controls over financial management, 100% completed and at ongoing monitoring

Key control areas	Number of sub-processes	Number of sub-processes tested this Fiscal year
Financial Planning and Budgeting	6	0
Forecasting	2	0
Costing	5	2
Cabinet Submissions & CFO Attestation	3	0
Financial Reporting	3	0

Summary of recommended improvements

As a result of design and operation effectiveness testing of key controls for ICFM processes assessed, no significant control deficiency, which would expose the department to an elevated risk of material misstatement of its consolidated financial statements and reports, has been identified. There were no recommendations issued for ICFM processes.

3.3 Common services business processes

As a common service provider of pay, pension, treasury, banking, procurement, translation and interpretation, federal real property and infrastructure, and security in contracting, PSPC provides several services to other departments. PSPC continues to identify, document and test the processes related to these services. Status of ICCS processes and improvements required in these areas are presented below:

Table 3: Business processes for internal controls over common services, approximately 65% completed and at ongoing monitoring

Key control areas	Number of sub–processes	Number of sub–processes tested this fiscal year	Percentage of processes completedtable 3 note 1
Pension Servicestable 3 note 2, Receiver General of Canada	13	2	93%
Treasury and other services, Receiver General of Canada	23	0	22%
Translation and Interpretation Services	1	0	100%
Pay Administration Services	20	7	88%
Contract Security Services	2	0	100%
Federal Real Property and Infrastructure Services	6	1	17%
Procurement and Contracting Servicestable 3 note 3	7	2	71%
Table 3 Notes Table 3 Note 1 A process is considered completed when it has been documented, and the testing for design effectiveness and operation effectiveness have been performed at least once. Return to table 3 note 1 referrer Table 3 Note 2 The pension services include 3 distinct plans as follows: the Public Service Pension Plan, Canadian Armed Forces Pension Plan and Royal Canadian Mounted Police Pension Plan. Return to table 3 note 2 referrer Table 3 Note 3 Procurement and Contracting Services are divided in six major processes, and each one includes several procurement sub-processes or line of business. Detailed information on Procurement and Contracting Services offered by PSPC as a common service provider is available on PSPC website. Return to table 3 note 3 referrer

Summary of recommended improvements

As a result of design and operation effectiveness testing of key controls for ICCS business processes assessed, no significant control deficiency, which would expose the department to an elevated risk of material misstatement of its consolidated financial statements, has been identified. There are, however, areas that could be strengthened, for which additional actions will be taken and monitored over the next fiscal year for improvement, as described below.

For pension and treasury services

• communication and information sharing: the Receiver General and Pension Branch should standardize and document all communications to members and survivors, and maintain them as part of the audit trail

For pay administration services

• case management and oversight: improve accuracy and documentation in the Case Management Tool, enhance classification and processing, and apply standardized templates with stronger supervisory oversight, especially for hiring cases
• controls, compliance and risk management: strengthen conflict of interest controls, segregation of duties, and Phoenix monitoring. Update quality assurance procedures and risk frameworks to align with Treasury Board policies, and implement structured feedback and action plans
• financial processing and documentation: ensure proper training, delegation, and certification for financial officers. Maintain thorough documentation for remittances, invoice adjustments, and tax slips. Establish Standard Operating Procedures and secondary reviews to enhance accountability and audit readiness

For federal real property and infrastructure services

• compliance and monitoring: clear standards and timelines should be established for monitoring and accepting signed contracts to ensure timely acknowledgement and compliance

For procurement and contracting services

• no recommendation issued for Procurement and Contracting Services processes

4. Departmental action plan for next fiscal year and subsequent years

4.1 Ongoing internal control monitoring for financial reporting processes

For the fiscal year ending March 31, 2026, multi-year rotational reviews of mature internal control processes will continue, along with ongoing improvement of internal controls assessment methodology for enhanced effectiveness. For the future, PSPC’s plan is to prioritize assessments for processes evaluated at a medium to high risk level, on a 5-year rotational basis. This approach leverages risk-based assessments to identify the best mitigation strategies, and internal control testing techniques for greater cost efficiency and assurance.

As part of its ongoing ITGCs assessment, PSPC will continue to evaluate and prioritize assessments and monitor remediation strategies for PSPC central systems which are used to prepare financial reporting documents. This prioritization reflects PSPC’s commitment to ensure strong ITGCs in response to the Auditor General Commentary on the 2022-2023 Financial Audits.

Furthermore, remediation strategies identified in management action plans for previous fiscal years will continue to be monitored with the recommendations issued for fiscal year ending March 31 2025.

For fiscal year 2025 to 2026, PSPC plans to assess 20 sub-processes, covering all ICFR processes listed in section 3.1, focusing on entity level controls, ITGCs, payroll, and procurement to payment and contracting.

4.2 Ongoing internal control monitoring for financial management processes

Since PSPC reached ongoing monitoring for ICFM on March 31, 2024, for the upcoming fiscal year ending March 31, 2026, a multi-year rotational reviews of mature ICFM sub-processes will apply, focusing on sub-processes evaluated at a medium to high risk level, on a 5 year rotational basis.

For fiscal year 2025 to 2026, PSPC plans to assess 5 sub-processes, covering most of the ICFM processes listed in section 3.2, focusing on financial planning and budgeting, forecasting, and costing.

4.3 Common service processes

As a common service provider of pay, pension, treasury, banking, procurement, translation and interpretation, federal real property and infrastructure and security in contracting, PSPC annually completes a risk-based assessment of the internal controls related to these services. The results of the assessments of certain sub-processes are provided in section 3.3.

The planned annual assessment of internal controls over common services, for the next and subsequent years is detailed below:

Table 4: Common service processes planning by fiscal year

Key control areastable 4 note 1	Planning and documentation to be completed by fiscal year ending March 31	Design effectiveness testing and remediation to be completed by fiscal year ending March 31	Operational effectiveness testing and remediation to be completed by fiscal year ending March 31	Ongoing monitoring rotationtable 4 note 2 starts/started in fiscal year ending March 31
Pay Administration Services	2026	2026	2027	2028
Pension Services, Receiver General of Canada	2026	2026	2027	2028
Treasury and other services, Receiver General of Canada	2026	2026	2030	2031
Procurement and Contracting Services	2026	2026	2026	2027
Contract Security Services	Completed	Completed	Completed	2023
Federal Real Property and Infrastructure Services	2027	2027	2029	2030
Translation and Interpretation Services	Completed	Completed	Completed	2023
Table 4 Notes Table 4 Note 1 All key control areas will include an assessment of ITGCs when applicable. Return to table 4 note 1 referrer Table 4 Note 2 The frequency of the ongoing monitoring of key control areas is risk-based and may occur over a multi-year cycle. Return to table 4 note 2 referrer

For fiscal year 2025 to 2026, PSPC plans to assess 13 sub-processes, covering most of the ICCS processes listed above, except for translation and interpretation services, contract security services, which are mature processes.