Annex to the statement of management responsibility including internal control over financial reporting - 2016–17 Departmental Results Report - Treasury Board of Canada Secretariat

1. Introduction

This document provides a summary of the measures taken by the Treasury Board of Canada Secretariat (the Secretariat) to maintain an effective system of internal control over financial reporting (ICFR), which includes information on internal control management, assessment results and related action plans.

Detailed information on the Secretariat’s authority, mandate and programs can be found in its most recent Departmental Plan and Departmental Results Report.

2. Departmental system of internal control over financial reporting

2.1 Internal control management

The Secretariat has a well-established governance and accountability structure to support departmental assessment efforts and oversight of its system of internal control. This structure is formalized in the Secretariat’s Financial Management and Internal Control Framework, approved by the Secretary, and includes the following:

  • Organizational accountability structures as they relate to internal control management to support sound financial management, including roles and responsibilities of senior managers in their areas of responsibility for internal control management
  • A Values and Ethics Office, which provides educational and awareness programs and has developed a departmental code of conduct
  • Ongoing communication and training on the legislative and policy requirements for sound financial management and control
  • A group dedicated to ICFR under the direction of the Chief Financial Officer, with a primary focus on maintaining internal control documentation and conducting assessments to support management and oversight of the system of ICFR
  • Monitoring of, and regular updates on, internal control management, as well as provision of related assessment results and action plans to the Secretary, departmental senior management and the Secretariat’s Government of Canada Audit Committee (GCAC)

GCAC is an independent and objective advisory committee to the Secretary. It is responsible for providing advice to the Secretary on the adequacy and functioning of the Secretariat’s risk management, control and governance frameworks and processes, which include reviewing key departmental financial reports and financial disclosures. It also provides advice, as applicable, on risk-based assessment plans and associated results regarding the effectiveness of the departmental system of ICFR.

GCAC comprises the Secretary, the Associate Secretary and four members who are external to the federal public administration. An external member chairs the committee. Given the independent nature of the committee, it plays an essential role in ensuring the integrity of corporate reporting and in providing an objective and broader perspective on risks and controls. The Secretariat’s Chief Financial Officer and the Chief Audit Executive, as well as the Comptroller General of Canada, attend all GCAC meetings. GCAC meets at least four times a year and may convene for additional meetings as required.

2.2 Service arrangements relevant to financial statements

2.2.1 Secretariat reliance on other federal government organizations

As a department, the Secretariat relies on other organizations to process certain transactions that are recorded in its financial statements. There are two types of service arrangements, as detailed below: common arrangements used by most departments and specific arrangements used by the Secretariat.

Common arrangements
  • Public Services and Procurement Canada (PSPC) centrally administers the payment of salaries and the procurement of goods and services, as per its delegation of authority, and provides accommodation services
  • The Secretariat, as a government central agency, provides information that is used to calculate various accruals and allowances, such as the accrued severance liability
  • The Department of Justice Canada provides legal services
  • Shared Services Canada provides information technology (IT) infrastructure services to the Secretariat in the areas of data centre and network services. The scope and responsibilities are addressed in the interdepartmental arrangement between Shared Services Canada and the Secretariat

Specific arrangements
  • PSPC performs the day-to-day administration of the Public Service Pension Plan (PSPP)
  • The Office of the Chief Actuary (OCA) within the Office of the Superintendent of Financial Institutions Canada (OSFI) prepares a triennial actuarial valuation of the PSPP
  • PSPC performs the day-to-day administration of some centrally funded expenses, such as the employer’s share of Canada and Québec Pension Plan (CPP/QPP) contributions, employment insurance premiums and provincial payroll taxes. These types of expenses are recorded on the Secretariat’s financial statements as government-wide funds and reflect the Treasury Board’s role as the employer of the public service

2.2.2 Secretariat reliance on non-governmental service providers

The Secretariat relies on the internal controls of a number of insurance companies (that is, currently Sun Life Assurance Company of Canada, Great West Life Assurance Company, Industrial Alliance and Manulife) which provide specific services to the Secretariat as a government central agency, such as health care plan administration, dental plan administration and insurance services. As external service providers, pursuant to contracts with the Government of Canada, these insurance companies have the authority and responsibility to ensure that these services are managed in accordance with the terms and conditions set out by the Secretariat’s Pensions and Benefits Sector (PBS).

2.2.3 Secretariat services upon which other departments and agencies rely

Other government departments and agencies rely on the Secretariat to process certain transactions and to provide information that impacts their financial statements.

Common arrangements
  • The Secretariat provides departments and agencies with percentage ratios derived from the actuarially determined liability for severance benefits for the entire public service population. Departments and agencies may use these ratios when calculating their severance pay liability for the purposes of their departmental financial statements
  • The Secretariat provides departments and agencies with a percentage amount that allows them to calculate an annual dollar figure for the services they receive without charge for the centrally-funded public service insurance benefit plans
  • The Secretariat provides departments and agencies with details regarding the calculation required for departments to determine their portion of the employer’s share of employee benefit plans. These plans include costs to the government for the employer’s contributions and payments to the public service superannuation, the CPP/QPP, supplementary death benefit and employment insurance accounts

Specific arrangements

The Secretariat provides certain corporate services (for example, accounting services, financial systems) to several departments on a cost-recovery basis via individual memoranda of understanding, including the Department of Finance Canada, the Privy Council Office, the Canada School of Public Service, the Canadian Transportation Agency, the Immigration and Refugee Board of Canada, the Office of the Superintendent of Financial Institutions Canada, Administrative Tribunals Support Services of Canada, the Canadian Grain Commission, the Financial Consumer Agency of Canada and the Security Intelligence Review Committee.

3. Assessment results during fiscal year 2016–17

The key findings and significant adjustments required from the current year’s assessment activities are summarized below:

New or significantly amended key controls

In the current year, there were no significantly amended key controls in existing processes that required a reassessment.

In February 2016, PSPC implemented a new payroll system (Phoenix) which resulted in significant changes to control activities associated with the payroll and benefits business process. In anticipation of the system deployment, the Secretariat undertook several activities to enable an effective transition to Phoenix while maintaining an appropriate level of internal control. In order to better align with the control frameworks developed by PSPC for the Pay Centre and for the Phoenix payroll system, the Secretariat updated its existing process documentation related to the departmental control framework and modified the control process for signing authorities under Section 33 of the Financial Administration Act (FAA) to reflect the transfer of accountabilities related to payment processing from HR to the Finance function. The Secretariat also developed tools and training for its managers and employees to ensure that transactions are processed accurately and that employees are paid on a timely basis. For example, written procedures were circulated, dedicated expert resources were assigned to support managers, and improved salary forecasting reports were developed to enable managers to effectively monitor their pay-related budgets and expenditures and to promptly identify and resolve any issues or inconsistencies.

As the impact of Phoenix post-implementation issues emerged, the Secretariat further strengthened its control and monitoring activities related to payroll processing, including regular reporting of pay-related overpayments and underpayments to promptly resolve inconsistencies and the establishment of a risk-based financial threshold so that transactions exceeding expected amounts can be automatically flagged for verification before payments are released.

In 2016–17, the Secretariat also participated in the Office of the Comptroller General (OCG) working group that developed a new Pay Administration Control Framework, including an updated Guideline on Pay Administration which will serve as a reference in updating the payroll and benefits process and associated key controls for which the Secretariat is responsible. Operating effectiveness testing of the updated payroll and benefits business process is planned to begin in 2017–18 once these activities have been completed.

Ongoing monitoring program

As part of its rotational ongoing monitoring plan, the Secretariat, as the manager of government-wide funds and public service employer payments, completed its reassessment of the financial controls related to the Public Service Health Care Plan (PSHCP), the Public Service Dental Care Plan (PSDCP) and the Pensioners’ Dental Care Plan (PDCP) with the assistance of Ernst & Young. Key controls that were tested performed as intended, with remediation required as follows:

  • “Participating Employers” are government organizations whose employees participate in the PSHCP and PSDCP even though they are not members of the core Public Service. A low-risk design gap was found in terms of the supporting information provided to TBS when Participating Employers remit premiums related to their employees’ participation in these plans. A management action plan has been developed by the business process owner to address this finding
  • An additional low-risk design gap was found in the PSDCP process related to supporting information provided with invoices submitted by the insurance company. A management action plan has been developed by the business process owner to address this finding

Other activities were completed during 2016–17 to enable continuing improvements to the Secretariat’s control framework, including:

  • An external audit of IT general controls of the Secretariat’s SAP financial system was conducted by Deloitte in 2016–17. Since this financial system is administered by the Office of the Comptroller General (OCG) on behalf of a “cluster” of client departments (including the Secretariat), the scope of this audit only included an assessment of IT general controls that are common to the “cluster” departments; that is, IT controls under the purview of Shared Services Canada (SSC) and user controls specific to individual cluster members were scoped out. The audit results indicated that the controls tested were appropriately designed and implemented, and operated effectively throughout the period covered by the audit, with the exception of one control gap identified in the change management process. An action plan is in place for remediation
  • The Internal Audit and Evaluation Bureau (IAEB) reviewed the Secretariat’s risk management practices in 2016 in order to determine their level of maturity. In response to recommendations arising from that review, an updated Integrated Approach to Risk Management (RM) was developed to better support decision-makers and employees at all levels. The updated Integrated Approach to RM will promote intelligent risk-taking by defining key foundational elements (for example, vision, roles and responsibilities, processes, and strategies for learning and development) and by developing a robust methodology and tools to support improved risk assessment, communication, monitoring and reporting practices (for example, risk tool for TBS-sponsored TB Submissions, risk tools integrated into business planning templates and committee presentation templates, corporate risk profile, environmental scans and quarterly project reporting to the Resourcing Committee)
  • The Internal Audit and Evaluation Bureau (IAEB) completed an audit of low-dollar-value (LDV) contracting, a targeted control audit of the management of data storage devices, and a coordinated audit of information technology security:
    1. The objective of the audit of low-dollar-value (LDV) contracting was to provide assurance on compliance with related policies and procedures and to determine whether management and practices are efficient and responsive to the needs of the Secretariat. The results of this audit concluded that there were opportunities for improvement, and a management action plan is in place for remediation. Several improvements are being implemented as a result of this audit, including a reduction of the threshold for LDV contracts from $25,000 to $9,999, the creation of a fast-track contracting service for contracts under $25,000, and the update of procedures, guidance and training related to LDV contracting including clarification of roles and responsibilities. In addition, an end-to-end electronic filing system has been established for comprehensive information retention and performance indicators are being developed to ensure that operations are optimized and responsive to client and organizational needs
    2. The targeted control audit of the management of data storage devices assessed key controls in the areas of asset management, physical and information technology security, and incident management. Devices included in the scope were laptops, tablets, smartphones, USB flash keys, desktop computers and multi-functional devices such as printers. A management action plan has been developed to address findings in this area. As a result of this audit, several improvements were made with respect to asset tracking, disposal of devices, response to security incidents involving lost or stolen devices, and return of devices as employees leave the organization. For example, the Secretariat improved its employee onboarding and departure processes, implemented automated asset tracking within the financial system, increased the frequency of periodic inventory counts in order to improve asset tracking, and implemented a formalized process to promptly address lost or stolen assets
    3. The audit of information technology security assessed the adequacy and effectiveness of internal controls over the management of information technology (IT) security, including compliance with applicable policies and standards, with a focus on user access management, incident management, change management and information security risk management. Given the distributed responsibility for IT security controls and the required coordination with Shared Services Canada (SSC), the internal audit groups of the Secretariat and SSC took a coordinated audit approach to provide broader assurance. The audit scope focused on services and business processes that have the highest potential impact on IT security for the Secretariat and for which a high degree of collaboration between SSC and the Secretariat is required. While the audit concluded, with a reasonable level of assurance, that controls over the management of departmental IT security were adequately designed and effective, several improvements were made to further strengthen departmental IT security. For example, the risk-based approach to reviewing and monitoring user access rights was strengthened, a formal Change Advisory Board and improved tracking processes were established to ensure effective implementation of changes to IT systems, and roles and responsibilities related to IT security were clarified and formalized. The Secretariat continues to work collaboratively with SSC to ensure the ongoing effectiveness of its internal controls over the management of IT security
  • As part of the Secretariat’s ongoing monitoring activities, a new process to support management’s approval of the payment of the employer’s share of contributions to the public service pension plan (PSPP) was developed in 2016–17. This new process was developed in consultation with multiple internal and external stakeholders in order to enhance oversight on charges to the PSPP, and will be implemented in the first quarter of 2017–18
  • The Secretariat updated its policy on capital assets to improve clarity with regard to roles and responsibilities and to provide comprehensive guidance with respect to the capitalization of assets. Updates focused on ensuring the consistent application of legislative and policy requirements

4. Departmental action plan

4.1 Progress in fiscal year 2016–17

The Secretariat reached the ongoing monitoring stage in 2015–16 upon completing its first full assessment of the whole departmental system of Internal Control Over Financial Reporting (ICFR).

Since then, the Secretariat has been applying rotational ongoing monitoring activities in accordance with approved plans while concurrently addressing any new remediation required in response to ongoing monitoring activities. In 2016–17, all activities were completed as planned. Table 1 provides a summary of this progress.

Table 1. Progress summary during 2016–17

Element in previous year's action plan | Status
Secretariat as manager of government-wide funds and public service employer payments |
Public Service Health Care Plan (PSHCP): Operating effectiveness testing | Completed
Public Service Dental Care Plan (PSDCP): Operating effectiveness testing | Completed
Pensioners' Dental Care Plan (PDCP): Operating effectiveness testing | Completed

4.2 Action plan for the next fiscal year and subsequent years

  • The Secretariat’s rotational risk-based ongoing monitoring plan over the next three years is presented in Table 2 and is based on an annual validation of the assessed level of risk related to processes and controls, along with related adjustments to the ongoing monitoring plan as required.
  • The Secretariat’s activities related to internal control over financial reporting (ICFR), including ongoing monitoring activities identified in Table 2, are carried out under the direction of the Chief Financial Officer (CFO). In addition, the Internal Audit and Evaluation Bureau (IAEB) plans to conduct a department-wide fraud risk assessment in 2017–18, as well as a review of roles and responsibilities related to governance of fraud-related administrative investigations.

Table 2. Rotational ongoing monitoring plan

Key control areas | Fiscal year 2017–18 | Fiscal year 2018–19 | Fiscal year 2019–20
Secretariat as a department | | |
Entity level controls | N/A | Yes | N/A
IT general controls under departmental management (Annex note 1) | Yes | N/A | N/A
Payroll and benefits (Annex note 2) | Yes | Yes | N/A
Operating expenses and accounts payable | N/A | N/A | Yes
Financial reporting and closing cycle | N/A | Yes | N/A
Revenues and accounts receivable | N/A | Yes | N/A
Budgeting and forecasting | N/A | N/A | Yes
Capital assets | N/A | Yes | N/A
Secretariat as manager of government-wide funds and public service employer payments | | |
Public Service Pension Plan (PSPP) | N/A | Yes | N/A
Disability Insurance Plan (DI) | N/A | Yes | N/A
Public Service Health Care Plan (PSHCP) | N/A | N/A | N/A
Public Service Dental Care Plan (PSDCP) | N/A | N/A | N/A
Provincial payroll taxes | Yes | N/A | N/A
Employment Insurance (EI) premiums | N/A | Yes | N/A
Canada/Québec Pension Plan (CPP/QPP) contributions | N/A | Yes | N/A
Pensioners' Dental Services Plan (PDSP) | N/A | N/A | N/A
Public Service Management Insurance Plan (PSMIP) | Yes | N/A | Yes
Provincial health insurance plan premiums | N/A | Yes | N/A
Québec Parental Insurance Plan | N/A | Yes | N/A

Annex notes:
Annex Note 1

IT general controls related to the Central Agency Cluster Shared Systems (CAC-SS). The SAP system may be audited annually based on client needs and service arrangements.

Annex Note 2

Mapping of updated Payroll and Benefits processes will be completed in 2017–18. While testing of key controls will also begin in 2017–18, it is possible that some testing will continue into 2018–19, that is, once the new pay system has stabilized.
