Annex: Summary of the assessment of effectiveness of the system of internal control over financial reporting and the action plan of the Canada Revenue Agency

Fiscal Year 2018-2019

1. Introduction

This document provides summary information on the measures taken by the Canada Revenue Agency (CRA) to maintain an effective system of internal control over financial reporting (ICFR), including information on internal control management, assessment results, and related action plans.

Detailed information on the CRA’s authority, mandate, and core responsibilities can be found in the Departmental Results Report and the Departmental Plan.

2. CRA system of internal control over financial reporting

2.1 Internal control management

The CRA has a well-established governance and accountability structure to support the CRA’s assessment efforts and oversight of its system of internal control. A CRA internal control management framework, approved by the Commissioner and the Board of Management, is in place and includes:

organizational accountability structures as they relate to internal control management to support sound financial management, including roles and responsibilities of senior managers in their areas of responsibility for control management;
a code of values and ethics;
ongoing communication and training on statutory requirements and policies and procedures for sound financial management and control; and
regular updates on internal control management as well as the provision of related assessment results and action plans to the Commissioner, senior management and the Audit Committee of the Board of Management.

The CRA Resource Management Committee provides support to the Chief Executive Officer (CEO) and Chief Financial Officer (CFO) in relation to control activities. It is chaired by the CFO and has representatives from each branch and region at the executive level.

In addition, the Audit Committee of the Board of Management provides advice on the adequacy and functioning of the CRA's risk management, and control and governance frameworks and processes.

2.2 Service arrangements relevant to financial statements

The CRA relies on other organizations for the processing of certain transactions that are recorded in its financial statements as follows:

Common Arrangements

Public Services and Procurement Canada centrally administers the payments of salaries and the procurement of some goods and services in accordance with the CRA’s Delegation of Authority and provides accommodation services.
Treasury Board of Canada Secretariat provides the CRA with information used to calculate various accruals and allowances.
Department of Justice provides legal services to the CRA.
Shared Services Canada provides information technology (IT) infrastructure services to the CRA in the areas of data centres and network services. The scope and responsibilities are addressed in the interdepartmental arrangement between Shared Services Canada and the CRA.

Specific Arrangements

Revenu Québec is responsible for the joint administration of the goods and services tax and Quebec sales tax for businesses in the Province of Quebec.
Department of Finance Canada provides the CRA with the federal and provincial shares of Goods and Services Tax/Harmonized Sales Tax (GST/HST) revenues that are used to determine provincial payments for the HST.
Canada Border Services Agency provides the CRA with the amount of GST revenues collected from importers, which is used in the calculation of the provincial portion of the HST revenues.
Department of Finance Canada and Employment and Social Development Canada provide estimates of Canada Pension Plan and Employment Insurance revenues respectively for the months of January to March.

Other government departments rely on the CRA for the processing of certain transactions or information that affect financial statements as follows:

Canada Border Services Agency for information technology services which includes testing for general computer controls, as well as collection services on their behalf for duties, taxes, fees, penalties, or other amounts owing under the Customs Act, Customs Tariff, Excise Tax Act, Excise Act 2001, and/or related regulations;
Department of Finance Canada for the determination of tax receivables and payables under Tax Collection Agreements (TCAs) with provincial and territorial governments and First Nations; and
Employment and Social Development Canada for the collection of its accounts receivable and the administration of a number of activities related to the Canada Pension Plan and Employment Insurance Operating Account.

3. CRA assessment results during fiscal year 2018-2019

3.1 Design effectiveness testing of key controls

In 2018-2019, the CRA completed the design effectiveness testing of return collection and entry, assessment and reassessment and master data maintenance of the Individual Income Tax (T1) Program, including the Unapplied Tax Program. The CRA also completed the design effectiveness testing of general computer controls related to the T1, Trust Income Tax (T3) and Benefits Programs. As a result of this testing, no significant issues were noted.

3.2 Operating effectiveness testing of key controls

In 2018-2019, the CRA completed operating effectiveness testing of the return collection and entry, assessing and reassessing and master data maintenance processes for the T3 Program. Furthermore, the CRA completed operating effectiveness testing of the legislation management, reporting management and segregation of duties processes, which are common amongst all tax programs. Operating effectiveness testing was also completed on the common general computer controls, including information security and continuity management.

No significant issues were noted for the T3 Program or common business process controls.

During testing of the common general computer controls, the CRA identified that stronger controls are required with respect to account monitoring and timely removal of access.

The deficiencies above are known to the management and the CRA is taking action to address them.

3.3 Ongoing monitoring of key controls

In 2018-2019, the CRA completed planned ongoing monitoring of the following processes:

Entity-level controls;
IT general computer controls for corporate financial systems; and
All other business processes:
1. Payroll
2. Procurement to pay
3. Capital assets
4. Budgeting and Projections
5. Financial close and reporting

As a result of the ongoing monitoring of key controls, the CRA noted a significant improvement in the processing of payroll-related issues, however, continued improvement is required with regard to addressing payroll and overpayments related issues with the Phoenix pay system in a timely manner.

The deficiencies above are known to the management and the CRA is taking action to address them.

4. CRA Action Plan

4.1 Progress during fiscal year 2018-2019

The CRA continued to make progress in assessing and improving its key controls. The following table summarizes the CRA’s progress based on the plans identified in the previous fiscal year’s Annex.

**Progress during fiscal year 2018-2019**
Element in previous year’s action plan	Status
Agency Activities	Ongoing monitoring testing was completed for entity-level controls, IT general computer controls, and Agency business processes including payroll, procurement to pay, capital assets, budgeting and projections and financial close and reporting.
Individual Income Tax (T1) Program	The control framework was revised to incorporate the changes as a result of T1 System Redesign. Testing of the design and implementation of controls related to return collection and entry, assessing and reassessing and master data maintenance and the related IT general computer controls was completed and action plans were developed to address all findings.
Trust Income Tax (T3) Program	Testing of the operating effectiveness of controls related to return collection and entry, assessing and reassessing and master data maintenance was completed and action plans were developed to address all findings.
Common Tax Program Controls	Testing of the operating effectiveness of controls related to legislation management, reporting management and segregation of duties processes for the tax programs was completed and action plans were developed to address all findings.
Follow-up of activities requiring remediation from previous assessments	The CRA has followed up on action plans from the: 2017-2018 Agency Activities testing as part of ongoing monitoring. Excise Taxes and Duties assessment performed as at October 31, 2017. General computer controls assessment for the Excise Taxes and Duties systems performed as at January 31, 2018. Collections design effective assessment performed as at February 28, 2018. Overall results have been positive and the majority of the recommendations made have been implemented, however, the following item that was identified in prior years remained outstanding in 2018-2019: At the database layer, stronger controls are required to prevent and detect unauthorized access and changes to the systems. The deficiencies above are known to the management and the CRA is taking action to address them.

4.2 Status and action plan for the next fiscal year and subsequent years

The CRA has continued to make progress on assessing its internal controls over financial reporting throughout the numerous programs that the CRA administers. It is recognized that implementation for all its processes requires multi-year initiatives. After design effectiveness and operational effectiveness testing are complete, the CRA will be applying its rotational ongoing monitoring plan to reassess control performance on a risk basis across all control areas.

Status and action plan for the next fiscal year and subsequent years: Administered Activities
Program Areas	Design effectiveness assessment	Operational effectiveness assessment	Ongoing monitoring assessment ^{Table note 1}
Individual Income Tax (T1) (including system redesign) ^{Table note 2}	Complete	2020-2021	Future years
Corporation Income Tax	Complete	Complete	2019-2020/ 2020-2021
Trust Income Tax	Complete	Complete	2021-2022
GST/HST	Complete	2019-2020	Future years
Benefits	Complete	2020-2021	Future years
Disbursements	Complete	2021-2022	Future years
Excise Taxes and Duties	Complete	2019-2020	Future years
Collections / payments	Complete	Future years	Future years
Non-Resident Income Tax ^{Table note 3}	Complete	-	-
Common Tax Program Controls ^{Table note 4}	Complete ^{Table note 4}	Complete	2019-2020
IT general controls ^{Table note 5}	Complete	2019-2020	Future years

Status and action plan for the next fiscal year and subsequent years: Agency Activities
Program Areas	Design effectiveness assessment	Operational effectiveness assessment	Ongoing monitoring assessment ^{Table note 1}
Payroll	Complete	Complete	2019-2020
Procurement to pay	Complete	Complete	2019-2020
Capital assets	Complete	Complete	2019-2020
Budgeting & Projections	Complete	Complete	2019-2020
Financial close and reporting	Complete	Complete	2019-2020
Investment Planning	Complete	2019-2020	2020-2021
Costing & CFO Attestation	Complete	2019-2020	2020-2021
IT general controls ^{Table note 5}	Complete	Complete	2019-2020

Status and action plan for the next fiscal year and subsequent years: Common Controls – Administered and Agency Activities
Program Areas	Design effectiveness assessment	Operational effectiveness assessment	Ongoing monitoring assessment ^{Table note 1}
Entity level controls	Complete	Complete	2019-2020
Common IT general controls ^{Table note 5}	Complete	Complete	2019-2020

Status and action plan for the next fiscal year and subsequent years: Special Projects ^{Table note 3}
Program Areas	Design effectiveness assessment	Operational effectiveness assessment	Ongoing monitoring assessment ^{Table note 1}
Objections/Litigations	2019-2020	-	-
Contingent liabilities	2019-2020	-	-

Note 1

Return to table note 1 Referrer

The frequency of the ongoing monitoring of key control areas is risk-based and occurs over a three-year cycle with the exception of high risk areas, which are tested on an annual basis, or controls with prior year exceptions that have completed action plans, which are tested in the following fiscal year.

Note 2

Return to table note 2 Referrer

The legacy T1 system is being upgraded through the T1 System Redesign initiative. This initiative is a multi-year project resulting in significant modifications to the systems and business processes related to the processing of T1 returns. Due to the magnitude of these changes, the design effectiveness testing of the new processes and systems was undertaken and completed in 2018-2019.

Note 3

Return to table note 3 Referrer

Certain projects are undertaken to address possible areas of concern and do not form part of the regular rotation of programs. The results of the initial design effectiveness testing is used to determine the need for ongoing assessments.

Note 4

Return to table note 4 Referrer

Common tax programs controls are controls that are performed by the same organization, using a common process regardless of the impacted tax program and includes controls over legislation management, reporting management and segregation of duties. The design and implementation of these controls was previously assessed as part of each tax program.

Note 5

Return to table note 5 Referrer

IT general controls include only those IT controls under the responsibility of the CRA. Controls that are performed by Shared Services Canada are outside the scope of these assessments. IT controls are assessed for both the tax systems and the corporate financial systems in place in the CRA. Common IT general controls include IT controls related to the areas of security and continuity management, which do not vary based on the impacted systems.

Page details

Date modified:: 2020-06-11

Language selection

Search

Sign in