Annex: Summary of the assessment of effectiveness of the system of internal control over financial reporting and the action plan of the Canada Revenue Agency

Fiscal Year 2019-2020

1. Introduction

This document provides summary information on the measures taken by the Canada Revenue Agency (CRA) to maintain an effective system of internal control over financial reporting (ICFR), including information on internal control management, assessment results, and related action plans.

Detailed information on the CRA ’s authority, mandate, and core responsibilities can be found in the Departmental Results Report and the Departmental Plan.

2. CRA system of internal control over financial reporting

2.1 Internal control management

The CRA has a well-established governance and accountability structure to support the assessment efforts and oversight of its system of internal control. A CRA internal control management framework, approved by the commissioner and the Board of Management, is in place and includes:

organizational accountability structures as they relate to internal control management to support sound financial management, including roles and responsibilities of senior managers in their areas of responsibility for control management;
a code of values and ethics;
ongoing communication and training on statutory requirements and policies and procedures for sound financial management and control; and
regular updates on internal control management as well as the provision of related assessment results and action plans to the commissioner, senior management and the Audit Committee of the Board of Management.

The CRA Management Audit and Evaluation Committee endorses the annual plan and reviews significant findings noted as a result of the control assessments. The committee is chaired by the deputy commissioner and comprised of CRA executives.

In addition, the Audit Committee of the Board of Management provides advice on the adequacy and functioning of the CRA's risk management, and control and governance frameworks and processes.

2.2 Service arrangements relevant to financial statements

The CRA relies on other organizations for the processing of certain transactions that are recorded in its financial statements as follows:

Common Arrangements

Public Services and Procurement Canada centrally administers the payments of salaries and the procurement of some goods and services in accordance with the CRA’s Delegation of Authority and provides accommodation services.
Treasury Board of Canada Secretariat provides the CRA with information used to calculate various accruals and allowances.
Department of Justice provides legal services to the CRA.
Shared Services Canada provides information technology (IT) infrastructure services to the CRA in the areas of data centres and network services. The scope and responsibilities are addressed in the interdepartmental arrangement between Shared Services Canada and the CRA.

Specific Arrangements

Revenu Québec is responsible for the joint administration of the goods and services tax and Quebec sales tax for businesses in the Province of Quebec.
Department of Finance Canada provides the CRA with the federal and provincial shares of Goods and Services Tax/Harmonized Sales Tax (GST/HST) revenues that are used to determine provincial payments for the HST.
Canada Border Services Agency provides the CRA with the amount of GST revenues collected from importers, which is used in the calculation of the provincial portion of the HST revenues.
The Departments of Finance Canada and Employment and Social Development Canada provide estimates of Canada Pension Plan and Employment Insurance revenues respectively for the months of January to March.

Other government departments rely on the CRA for the processing of certain transactions or information that affect its financial statements as follows:

Canada Border Services Agency for information technology services which includes testing for general computer controls, as well as collection services on their behalf for duties, taxes, fees, penalties, or other amounts owing under the Customs Act, Customs Tariff, Excise Tax Act, Excise Act 2001, and or related regulations;
Department of Finance Canada for the determination of tax receivables and payables under Tax Collection Agreements with provincial and territorial governments and First Nations; and
Employment and Social Development Canada for the collection of its accounts receivable and the administration of a number of activities related to the Canada Pension Plan and Employment Insurance Operating Account.

3. CRA assessment results during fiscal year 2019-2020

3.1 Design effectiveness testing of key controls

In 2019-2020, the CRA completed the design effectiveness testing related to contingent liabilities for the Agency Activities. As a result of this testing, no significant issues were noted.

3.2 Operating effectiveness testing of key controls

In 2019-2020, the CRA completed operating effectiveness testing for the GST/HST and Excise Taxes and Duties Programs, which included the return collection and entry, assessing and reassessing and master data maintenance processes. In addition, operating effectiveness testing was completed for the investment planning, costing and CFO attestation processes as well as the general computer controls related to the business suite of tax programs.

As a result of the work performed on these programs, no significant issues were noted.

3.3 Ongoing monitoring of key controls

In 2019-2020, the CRA completed planned ongoing monitoring of the processes common across tax programs, which include legislation management, reporting management and segregation of duties processes. Additionally, ongoing monitoring testing of the common general computer controls was completed, which includes the areas of information security and continuity management.

Furthermore, the CRA completed planned ongoing monitoring of the following processes:

Entity-level controls
IT general computer controls for corporate financial systems
All other business processes:
1. Payroll
2. Procurement to pay
3. Capital assets
4. Budgeting and Projections
5. Financial close and reporting

As a result of the ongoing monitoring of key controls, it was noted that improvements were made in the design of controls to ensure that payroll and overpayment related issues with the Phoenix pay system are processed in a timely manner. However, additional improvements are required to ensure these controls consistently operate as intended.

The deficiencies are known to management and actions are being taken to address them.

The 2019-2020 year-end financial close and reporting processes for both Agency Activities and Administered Activities occurred post COVID-19, however control assessment results are based on the previous year’s process. It was confirmed with the impacted control owners that there were no changes in these controls and as a result, additional control testing was not performed.

4. CRA Action Plan

4.1 Progress during fiscal year 2019-2020

During 2019-2020 the CRA continued to make significant progress in assessing and improving its key controls. The following table summarizes the CRA’s progress based on the plans identified in the previous fiscal year’s Annex.

**Progress during fiscal year 2019-2020**
Element in previous year’s action plan	Status
Agency Activities	Ongoing monitoring testing was completed for entity-level controls, IT general computer controls for corporate financial systems, and Agency business processes including payroll, procurement to pay, capital assets, budgeting and projections and financial close and reporting. Additionally, design effectiveness testing was completed for the contingent liabilities process. Action plans were developed to address all findings.
Investment Planning, Costing and CFO Attestation	Operating effectiveness testing was completed for all objectives.
Excise Taxes and Duties	Testing of the operating effectiveness of controls related to return collection and entry, assessing and reassessing and master data maintenance was completed and action plans were developed to address all findings.
GST/HST	Testing of the operating effectiveness of controls related to return collection and entry, assessing and reassessing and master data maintenance was completed and action plans were developed to address all findings.
Common Tax Program Controls	Ongoing monitoring work was performed to test controls that are common across the various tax programs, including legislation management, reporting management and segregation of duties. Action plans were developed to address all findings.
Common IT General Controls	Ongoing monitoring was completed for general computer controls that are common across all programs, which include the areas of information security and continuity management. Action plans were developed to address all findings.
General Computer Controls – Business Tax Suite	Operating effectiveness testing related to the incident and change management processes for the business suite of tax programs was completed. Action plans were developed to address all findings.
Follow-up of activities requiring remediation from previous assessments	The CRA has followed up on action plans from the: 2018-2019 Agency Activities as part of ongoing monitoring; Common General Computer control assessment for the year ended January 31, 2019; Individual Income Tax Program design & implementation control assessment as at January 31, 2019; General Computer Controls design and implementation control assessment related to the Individual and Trust Tax systems as at January 31, 2019; Trust Income Tax Program operating effectiveness control assessment for the six months ended June 30, 2018; Common Tax Program Controls operating effectiveness assessment for the year ended January 31, 2019. Overall results have been positive and the majority of the recommendations made have been implemented, however, the following items that were identified in prior years remain: Ongoing issues were noted with respect to the timely removal of system access. At the database layer, stronger controls are required to prevent and detect unauthorized access and changes to the systems. This action plan was partially implemented and the remaining phases will be completed as planned in 2021-2022. The deficiencies are known to management and actions are being taken to address them.

4.2 Status and action plan for the next fiscal year and subsequent years

The CRA has continued to make progress on assessing its internal controls over financial reporting throughout the numerous programs that the CRA administers. It is recognized that implementation for all its processes requires multi-year initiatives. After design effectiveness and operational effectiveness testing are complete, the CRA will be applying its rotational ongoing monitoring plan to reassess control performance on a risk basis across all control areas.

**Status and action plan for the next fiscal year and subsequent years: Administered Activities ^{Table note 2}**
Program Areas	Design effectiveness testing	Operational effectiveness testing	Ongoing monitoring testing ^{Table note 1}
Individual Income Tax ^{Table note 3}	Complete	2021-2022	Future years
Corporation Income Tax	Complete	Complete	2020-2021
Trust Income Tax	Complete	Complete	2022-2023
GST/HST	Complete	Complete	Future years
Benefits	Complete	2020-2021	Future years
Disbursements	Complete	2020-2021	Future years
Excise Taxes and Duties	Complete	Complete	Future years
Collections / Payments	Complete	2022-2023	Future years
Common Tax Program Controls ^{Table note 4}	Complete	Complete	2020-2021
IT General Controls ^{Table note 5}	Complete	2020-2021	Future years

**Status and action plan for the next fiscal year and subsequent years: Agency Activities**
Program Areas	Design effectiveness testing	Operational effectiveness testing	Ongoing monitoring testing ^{Table note 1}
Payroll	Complete	Complete	2020-2021
Procurement To Pay	Complete	Complete	2020-2021
Capital Assets	Complete	Complete	2020-2021
Budgeting & Projections	Complete	Complete	2020-2021
Financial close and reporting	Complete	Complete	2020-2021
Investment Planning	Complete	Complete	2020-2021
Costing & CFO Attestation	Complete	Complete	2020-2021
IT General Controls ^{Table note 5}	Complete	Complete	2020-2021

**Status and action plan for the next fiscal year and subsequent years: Common Controls – Administered and Agency Activities**
Program Areas	Design effectiveness testing	Operational effectiveness testing	Ongoing monitoring testing ^{Table note 1}
Entity level controls	Complete	Complete	2020-2021
Common IT General Controls ^{Table note 5}	Complete	Complete	2020-2021

**Status and action plan for the next fiscal year and subsequent years: Special Projects ^{Table note 6}**
Program Areas	Design effectiveness testing	Operational effectiveness testing	Ongoing monitoring testing ^{Table note 1}
Objections/Litigations	2020-2021
Measures under COVID-19 ^{Table note 2}	TBD

Footnote 1

The frequency of the ongoing monitoring of key control areas is risk-based and occurs over a five-year cycle.

Return to footnote1 Referrer

Footnote 2

As a result of COVID-19, some tax program control assessments have been delayed and special work will be undertaken as required to address the risks related to new measures that have been implemented by the CRA.

Return to footnote2 Referrer

Footnote 3

The legacy T1 system was upgraded through the T1 System Redesign initiative. This initiative was a multi-year project resulting in significant modifications to the systems related to the processing of T1 returns.

Return to footnote3 Referrer

Footnote 4

Common tax programs controls are controls that are performed by the same organization, using a common process regardless of the impacted tax program and includes controls over legislation management, reporting management and segregation of duties. The design and implementation of these controls was previously assessed as part of each tax program.

Return to footnote4 Referrer

Footnote 5

IT general controls include only those IT controls under the responsibility of the CRA. Controls that are performed by Shared Services Canada are outside the scope of these assessments. IT controls are assessed for both the tax systems and the corporate financial systems in place in the CRA. Common IT general controls include IT controls related to the areas of security and continuity management, which do not vary based on the impacted systems.

Return to footnote5 Referrer

Footnote 6

Certain projects are undertaken to address possible areas of concern and do not form part of the regular rotation of programs. The results of the initial design effectiveness testing is used to determine the need for ongoing assessments.

Return to footnote6 Referrer

Page details

Date modified:: 2020-12-08

Language selection

Search

Sign in