Annex to the statement of management responsibility including internal control over financial reporting Treasury Board of Canada Secretariat Fiscal Year 2017–18

On this page

  1. Introduction
  2. Departmental system of internal control over financial reporting
  3. Departmental assessment results during 2017–18
  4. Departmental action plan for the next fiscal year and subsequent years
  5. Common service providers annual assessment results during 2017–18

1. Introduction

This document provides a summary of the measures taken by the Treasury Board of Canada Secretariat (the Secretariat) to maintain an effective system of internal control over financial reporting (ICFR), which includes information on internal control management, assessment results and related action plans.

Detailed information on the Secretariat’s authority, mandate and programs can be found in its most recent Departmental Plan and Departmental Results Report.

2. Departmental system of internal control over financial reporting

In this section
  1. Internal control management
  2. Service arrangements relevant to financial statements

2.1 Internal control management

The Secretariat has a well-established governance and accountability structure to support departmental assessment efforts and oversight of its system of internal control. This structure is formalized in the Secretariat’s Financial Management and Internal Control Framework, approved by the Secretary, and includes the following:

  • organizational accountability structures as they relate to internal control management to support sound financial management, including roles and responsibilities of senior managers in their areas of responsibility for internal control management
  • a Values and Ethics Office, which provides educational and awareness programs and has developed a departmental code of conduct
  • ongoing communication and training on the legislative and policy requirements for sound financial management and control
  • a group dedicated to ICFR under the direction of the Chief Financial Officer, with a primary focus on maintaining internal control documentation and conducting assessments to support management and oversight of the system of ICFR
  • monitoring of, and regular updates on, internal control management, as well as provision of related assessment results and action plans to the Secretary, departmental senior management and the Secretariat’s Government of Canada Audit Committee (GCAC)

The GCAC is an independent and objective advisory committee to the Secretary. It is responsible for providing advice to the Secretary on the adequacy and functioning of the Secretariat’s risk management, control and governance frameworks and processes, including the review of key departmental financial reports and financial disclosures.

The GCAC comprises the Secretary, the Associate Secretary and four members who are external to the federal public administration. An external member chairs the committee. Given the independent nature of the committee, it plays an essential role in ensuring the integrity of corporate reporting and in providing an objective and broader perspective on risks and controls. The Secretariat’s Chief Financial Officer, the Chief Audit Executive and the Comptroller General of Canada attend all GCAC meetings, and the Chief Human Resources Officer is also a frequent participant. GCAC meets in person approximately four times a year and convenes teleconferences as required.

2.2 Service arrangements relevant to financial statements

As a department, the Secretariat relies on other organizations to process certain transactions that are recorded in its financial statements. The two types of service arrangements used by the Secretariat are common arrangements used by most departments and specific arrangements, as detailed below:

Common service arrangements
  • Public Services and Procurement Canada (PSPC) centrally administers the payment of salaries and the procurement of goods and services in accordance with the Secretariat’s Delegation of Authority and provides accommodation services
  • The Secretariat, a central agency, provides services related to insurance plans for federal public service employees and centrally administers payment of the employer’s share of contributions to statutory employee benefit plans (the Public Service Pension Plan, Employment Insurance Plan (EI), Canada/Québec Pension Plan (CPP/QPP) and the Supplementary Death Benefit Plan) on behalf of other departments and agencies
  • The Department of Justice Canada provides legal services to the Secretariat
  • Shared Services Canada (SSC) provides information technology (IT) infrastructure services to the Secretariat in the areas of data centre and network services. The scope and responsibilities are addressed in the interdepartmental arrangement between SSC and the Secretariat

Readers of this Annex may refer to the Annexes of the above-noted organizations for a greater understanding of the systems of ICFR related to these specific services.

Specific arrangements
  • PSPC performs the day-to-day administration of the Public Service Pension Plan
  • The Office of the Chief Actuary within the Office of the Superintendent of Financial Institutions Canada prepares a triennial actuarial valuation of the Public Service Pension Plan
  • PSPC performs the day-to-day administration of some centrally funded expenses, such as the employer’s share of CPP/QPP contributions, EI premiums and provincial payroll taxes. These types of expenses are recorded on the Secretariat’s financial statements as government-wide funds and reflect the Treasury Board’s role as the employer of the public service

In addition, the Secretariat relies on external service providers for the processing of certain transactions or information recorded in its financial statements. Specifically, the Secretariat relies on the internal controls of a number of insurance companies (at present, Sun Life Assurance Company of Canada, Great West Life Assurance Company, Industrial Alliance and Manulife), which provide specific services to the Secretariat as a central agency, such as health care plan administration, dental plan administration and insurance services. As external service providers, pursuant to contracts with the Government of Canada, these insurance companies have the authority and responsibility to ensure that these services are managed in accordance with the terms and conditions set out by the Secretariat’s Pensions and Benefits Sector.

The Secretariat also provides certain corporate services (for example, accounting services and financial systems) to several departments on a cost-recovery basis, including:

  • the Department of Finance Canada
  • the Privy Council Office
  • the Canada School of Public Service
  • the Canadian Transportation Agency
  • the Immigration and Refugee Board of Canada
  • the Office of the Superintendent of Financial Institutions Canada
  • Administrative Tribunals Support Services of Canada
  • the Canadian Grain Commission
  • the Financial Consumer Agency of Canada
  • the Security Intelligence Review Committee
  • the National Security and Intelligence Committee of Parliamentarians

The Secretariat provides these services under interdepartmental service arrangements that are administered through individual memoranda of understanding in accordance with section 29.2 of the Financial Administration Act. These services are therefore not considered to be common services under the Policy on Financial Management.

3. Departmental assessment results during 2017–18

In this section
  1. New or significantly amended key controls
  2. Ongoing monitoring program

The Secretariat reached the ongoing monitoring stage in 2015–16 upon completing its first full assessment of the whole departmental system of ICFR. Since then, the Secretariat has been performing rotational ongoing monitoring activities in accordance with approved plans while concurrently addressing any new remediation required in response to ongoing monitoring activities. In 2017–18, all activities were carried out as planned.

Table 1 summarizes the status of ongoing monitoring activities carried out by the Secretariat for its corporate business processes, according to the previous year’s rotational plan. A similar summary of the Secretariat’s ongoing monitoring activities as a common service provider is provided in section 5.

Table 1. Progress Summary During 2017–18

| Previous Year’s Rotational Ongoing Monitoring Plan for Current Year | Status |
|---|---|
| IT General Controls (ITGCs) under departmental management: operating effectiveness testing | 2017–18 activities completed as planned: documentation updated; design and operating effectiveness testing completed |
| Payroll and Benefits (assessed over 2 years, from 2017–18 through 2018–19): design effectiveness; operating effectiveness testing | 2017–18 activities completed as planned: documentation of updated Payroll and Benefits processes completed; design effectiveness testing in progress; operating effectiveness testing pending |

In addition to the progress made in 2017–18 on ongoing monitoring activities as detailed in section 3.2, the Secretariat also made the following improvements to its control framework: 

  • The Secretariat uses a common SAP financial system that is part of the Central Agency Cluster Shared Systems (CAC-SS) administered by the Office of the Comptroller General on behalf of cluster departments. An external audit of IT General Controls (ITGC) for this common financial system was conducted by Ernst and Young in 2017–18 in accordance with the Canadian Standard on Assurance Engagements for Reporting on Controls at a Service Organization, as set out by the CPA Canada Handbook – Assurance. This audit covered only ITGCs that are common to all cluster departments; it did not cover department-specific controls because CAC-SS departments separately assess the ITGCs that they are individually responsible for as part of their own ongoing monitoring plans (see section 3.2). Similarly, Shared Services Canada (SSC) provides network and infrastructure management services for the CAC-SS, and the ITGCs associated with these services were also not covered in this audit because they are assessed separately by SSC as a common service provider. The audit identified control deficiencies related to change management, user access and operations management, and the business process owner has developed an action plan for remediation.
  • The Internal Audit and Evaluation Bureau (IAEB) initiated a department-wide fraud risk assessment, including a review of roles and responsibilities related to governance for fraud-related administrative investigations. This assessment has involved consultations with stakeholders from across the Secretariat, including functional experts from program areas and internal services (for example, Finance, Human Resources, Security, Procurement and IT). The assessment is raising awareness and renewing emphasis on the importance of managing fraud risks effectively. The assessment is expected to be completed by fall 2018.
  • In response to a 2016–17 IAEB audit of Low-Dollar-Value (LDV) Contracting, the Secretariat established and implemented a three-year management action plan that will enhance the oversight and performance measurement of LDV contracting. This action plan was in addition to activities undertaken in 2016–17 and reported in that year’s Annex to the Statement of Management Responsibility Including Internal Control Over Financial Reporting.
  • In 2017–18, IAEB completed a targeted review of contracting to assess higher-risk transactions based primarily on data analysis. The review concluded that there were no significant issues (for example, potential contract splitting or payments exceeding contracted amounts). It noted, however, some data integrity and information management issues, similar to those found in the 2016–17 LDV audit. Because a whole-of-contracting view was taken in addressing the issues identified in the LDV audit, no additional recommendations were made as a result of this review of higher-risk transactions.
  • The Secretariat continued to enhance risk information provided to senior decision makers. Specifically, the Secretariat revised the template for presentations to the Resourcing Committee and drafted related guidance for presenters. The revised template and the new guidance will increase the quantity and quality of the risk information that the committee receives for decisions on Treasury Board submissions, projects and forecasts.
  • In response to a coordinated audit of IT security conducted by the internal audit groups of the Secretariat and SSC in 2016–17, controls over the management of departmental IT security were further strengthened by implementing a responsibilities matrix to clarify Secretariat and SSC accountabilities. In addition, the Secretariat launched the My Profile self-service application in March 2018; this new application is a more efficient way to manage user accounts and access permissions.
  • New functionality for valuated goods receipt and for service entry sheets was implemented in SAP, the Secretariat’s financial system. This functionality will help the Secretariat better align its practices with accrual accounting requirements, improve financial reporting, and strengthen internal control by recognizing expenses when goods are received and services are rendered (as opposed to when invoices are paid).

The key findings and significant adjustments required from the current year’s assessment activities are summarized in sections 3.1 and 3.2.

3.1 New or significantly amended key controls

In the current year, there were no significantly amended key controls in existing processes that required a reassessment.

3.2 Ongoing monitoring program

As part of its rotational ongoing monitoring plan for corporate business processes, the Secretariat completed its reassessment of the financial controls related to its departmental ITGCs. In addition, the Secretariat carried out planned 2017–18 activities related to the reassessment, over two years, of financial controls related to the Pay and Benefits business process. Key controls that were tested performed as intended, with remediation (where required) as follows.

Departmental IT general controls

As a member of the Central Agency Cluster Shared Systems (CAC-SS), the Secretariat uses some common systems. Although the Office of the Comptroller General annually audits ITGCs that are common to all cluster departments, the Secretariat is also required to periodically assess those ITGCs that fall under its responsibility as an individual department.

In 2017–18, with the assistance of Ernst & Young, the Secretariat assessed the design and operating effectiveness of key ITGCs for which the Secretariat is responsible related to the SAP financial system and the Cognos Business Intelligence reporting system. The objective of the assessment was to determine whether the controls were designed so as to effectively mitigate risks and whether they operated as designed throughout a period of time. The assessment consisted of detailed walk-throughs with business process owners to help gain an understanding of key ITGCs. Where applicable, sample-based testing was conducted to ascertain the operational effectiveness of key ITGCs. The audit identified control deficiencies related to access and change management, some of which were similar to findings identified during the separate audit of the CAC-SS common SAP financial system (see section 3). The business process owner has developed an action plan for remediation.

Payroll and benefits

The Government of Canada has modernized pay administration by centralizing pay processing at a new pay centre in Miramichi and by implementing a new payroll system (Phoenix) in February 2016. The modernization resulted in significant changes to control activities associated with the payroll and benefits business process. In anticipation of these changes, the Secretariat undertook several activities to help ensure an effective transition and to maintain an appropriate level of internal control.

As the extent of the problems with Phoenix became clear, the Secretariat adapted and strengthened its control and monitoring activities in relation to payroll processing while ensuring ongoing alignment with evolving Phoenix and Pay Centre operations. The Secretariat also provided tools and training for its employees and managers to help ensure that transactions are processed accurately and that employees are paid on time. For example, in order to enhance overall capacity and knowledge, the Secretariat implemented mandatory Phoenix training in 2017–18 for all employees and managers, leveraging courses available on GCpedia. A departmental newsletter was also introduced to provide updates on pay-related matters, guidance was developed to clarify managers’ pay-related responsibilities, and support was provided to employees and managers on the use of pay system functionality. In addition, pay-related transactions exceeding a risk-based financial threshold of $10,000 were subjected to a pre-payment verification to reduce the risk of overpayments.

In 2017–18, the Office of the Comptroller General completed updates to the TBS Guideline on Financial Management of Pay Administration to provide guidance to departments on their pay-related processes in the context of pay modernization. The new guideline provides a model for departmental pay administration processes, including a common internal control framework (ICF).

The Secretariat performed a preliminary assessment of its departmental control environment for pay administration in spring 2017 to ensure that critical controls were in place while the ICF was under development. After the new guideline was released in October 2017, the Secretariat launched an end-to-end assessment of its departmental pay administration business process. Because of the extensive changes to pay-related processes and controls as part of the pay modernization initiative, the documentation for all departmental pay-related activities and controls must be updated, and a full cycle of design effectiveness and operating effectiveness testing is required, to ensure alignment with the common ICF. This work will be carried out over two years, through 2019, as a partnership between key stakeholders in the financial management and human resources management communities. To date, documentation has been updated and preliminary walk-throughs have been conducted with the primary business process owners. Operating effectiveness testing is expected to begin in early 2019, subject to the remediation of any material control deficiencies identified during the design effectiveness testing stage.

4. Departmental action plan for the next fiscal year and subsequent years

The Secretariat’s rotational ongoing monitoring plan for the next three years, presented in Table 2, is based on an annual validation of the assessed level of risk related to the Secretariat’s corporate financial processes and controls, with adjustments to the ongoing monitoring plan as required. The Secretariat’s activities related to ICFR are carried out under the direction of the Chief Financial Officer. The ongoing monitoring activities that the Secretariat carries out in its capacity as a common service provider are reported separately in section 5.

The new Policy on Financial Management puts greater emphasis on the importance of internal control over financial management (ICFM). Although the policy contains no specific new monitoring or reporting requirements in relation to ICFM, departments are encouraged to incorporate ICFM into their internal control activities. The Office of the Comptroller General is developing guidance to help departments do this. The Secretariat already regularly assesses several key ICFM activities under its ongoing monitoring plan, specifically, the business processes related to budgeting, forecasting, financial reporting and the financial closing cycle.

The Secretariat has also added salary overpayments to the ongoing monitoring plan as a new sub-activity under the Revenues and Accounts Receivable business process to strengthen the Secretariat’s control framework and provide additional assurance with respect to pay-related activities. The Revenues and Accounts Receivable business process will be assessed as part of ongoing monitoring activities in 2018–19.

Table 2. Rotational Ongoing Monitoring Plan

| Key Control Areas | Fiscal Year 2018–19 | Fiscal Year 2019–20 | Fiscal Year 2020–21 |
|---|---|---|---|
| Entity level controls | Yes | No | No |
| IT general controls under departmental management (ITGC) (see Table 2 Note 1) | No | No | Yes |
| Financial reporting and closing cycle | No | Yes | No |
| Budgeting and forecasting | No | Yes | No |
| Payroll and benefits | Yes | No | No |
| Operating expenses and accounts payable | No | Yes (Travel, Acquisition Cards and Financial Signing Authorities) | Yes (Contracting) |
| Revenues and accounts receivable | Yes | No | No |
| Capital assets | Yes | No | No |

Table 2 Notes

Table 2 Note 1

IT General Controls (ITGC) related to Central Agency Cluster Shared Systems (CAC-SS) are out of scope for the Secretariat’s ongoing monitoring plan. The SAP system is audited annually by the Office of the Comptroller General based on client needs and service arrangements.

5. Common service providers annual assessment results during 2017–18

The new Treasury Board Policy on Financial Management came into effect on . The policy strengthens the management of the Government of Canada’s financial resources.

With the introduction of the new Policy on Financial Management, the Policy on Internal Control (PIC) was rescinded and existing policy requirements from the PIC were incorporated into the new policy. Most changes to the internal control requirements related to the definition of key stakeholder responsibilities and the clarification of assurances provided by chief financial officers with respect to internal control over financial reporting (ICFR) and internal control over financial management (ICFM).

In addition to these changes, the Policy on Financial Management introduced a new requirement for common service providers to report, in their annual Annex to the Statement of Management Responsibility Including Internal Control Over Financial Reporting, the results of their assessment of common services as part of their annual assessment of the departmental system of internal control.

The Secretariat provides common services related to the administration of public service insurance plans (TBS Vote 20) and administration of the cost-recovery process for statutory employee benefit plans (EBP). Because the Secretariat manages government-wide funds and public service employer payments, other government departments and agencies rely on the Secretariat to process transactions that impact their financial statements with respect to the insurance, employee benefits and statutory pay-related transactions outlined in Table 3.

Key business processes related to the provision of these common services are included in the Secretariat’s rotational ongoing monitoring plan. In accordance with the Policy on Financial Management, the Secretariat assesses its departmental system of internal control over a rolling five-year period and conducts an annual risk-based assessment of individual business processes. Therefore, the internal controls for all common services are assessed at least once every five years, with the frequency of assessment determined according to the risk level assessed for each. The Secretariat assesses risk for each business process annually and adjusts the risk rating and assessment schedule accordingly.

In delivering these common services, the Secretariat uses data produced by federal pay systems, including Phoenix, which is centrally administered by PSPC. Significant interdependencies exist between PSPC’s and the Secretariat’s pay administration processes because many of the key controls related to the processing of insurance premiums, employee benefits and other pay-related transactions are automated in the pay system. Although the Secretariat carries out ongoing monitoring activities for controls that are under its responsibility, it must rely on the PSPC control environment for assurance as to the integrity of the data it uses in delivering common services. Compensating controls are also in place to mitigate risk, and the Secretariat is working with PSPC to strengthen the control environment as pay administration processes continue to evolve. Readers may refer to the Annex of PSPC for a greater understanding of their control environment related to the central administration of pay.

In 2017–18, the Secretariat, as a common service provider, completed a risk-based assessment of internal controls related to these services. Specifically, it reassessed, with the assistance of Ernst & Young, the operational effectiveness of financial controls for the Public Service Management Insurance Plan and Provincial Payroll Taxes as part of its rotational ongoing monitoring plan. During the period examined, all of the tested key controls were found to be operating as designed, and no new deficiencies or remediation activities were identified. These positive results are due, in large part, to the formalization and documentation of key control activities. The Secretariat will continue to work with PSPC to strengthen the internal controls associated with these business processes. 

Table 3. Status of Assessment of Common Services

Ongoing monitoring rotation by fiscal year (see Table 3 Note 1)

| Key Control Areas | Fiscal Year 2017–18 | Fiscal Year 2018–19 | Fiscal Year 2019–20 | Fiscal Year 2020–21 | Fiscal Year 2021–22 |
|---|---|---|---|---|---|
| Public Service Health Care Plan (PSHCP) | No | No | No | No | Yes |
| Public Service Dental Care Plan (PSDCP) | No | No | No | No | Yes |
| Pensioners’ Dental Care Plan (PDCP) | No | No | No | No | Yes |
| Disability Insurance Plan (DIP) | No | Yes | No | Yes | No |
| Public Service Management Insurance Plan (PSMIP) | Completed | No | No | Yes | No |
| Provincial Payroll Taxes (PPT) | Completed | No | No | No | No |
| Provincial Health Insurance Plan Premiums (PHIP) | No | No | Yes | No | No |
| Québec Parental Insurance Plan (QPIP) | No | No | Yes | No | No |
| Public Service Pension Plan (PSPP) | No | Yes | No | No | No |
| Supplementary Death Benefit (SDB) | No | Yes | No | No | No |
| Canada/Québec Pension Plan (CPP/QPP) | No | No | Yes | No | No |
| Employment Insurance Premiums (EI) | No | No | Yes | No | No |

Table 3 Notes

Table 3 Note 1

The frequency of formal assessments for ongoing monitoring of key control areas is risk-based over a five-year cycle.

In addition to the Secretariat’s ongoing monitoring activities, a new process was implemented in 2017–18 to strengthen controls related to the administration of payments for employer contributions to the Public Service Pension Plan. This new process was developed in consultation with internal and external stakeholders, including PSPC, to enhance oversight on charges to the Public Service Pension Plan.

Central agency mandate

In addition to common services provided to other government departments and agencies, the Secretariat also provides information and guidance in its capacity as a central agency, as follows:

  • The Secretariat provides departments and agencies with percentage ratios derived from the actuarially determined liability for severance benefits for the entire public service population. Departments and agencies may use these ratios when calculating their severance pay liability for the purposes of their departmental financial statements.
  • The Secretariat provides departments and agencies with a percentage amount that allows them to calculate an annual dollar figure for the services they receive without charge for the centrally funded public service insurance and benefit plans.
  • The Secretariat provides departments and agencies with details regarding the calculation required for departments to determine their portion of the employer’s share of statutory employee benefit plans. These plans include costs to the government for the employer’s contributions to public service superannuation, the supplementary death benefit, employment insurance accounts and the Canada/Québec Pension Plan.
