Public Safety Canada Audit of Internal Control over Financial Reporting

March 2017

Executive Summary

Background

In 2009, Treasury Board (TB) introduced the Policy on Internal Control [Footnote 1] (PIC or the Policy), requiring that all risks relating to public finances be adequately managed through:

The ICFR, which is a sub-set of the Policy on Internal Controls, provides further assessments in that:

Public Safety Canada (PS or the Department) has completed its initial identification, documentation, testing and remediation of the key ICFR and has established a rotational monitoring plan that has been ongoing since April 1, 2014.

As indicated in the Policy and the PS Risk-based Internal Control Framework, the Chief Financial Officer (CFO) and the other senior departmental managers are responsible for meeting the requirement for an effective system of ICFR.

Through its policy reset, TB has issued a draft of the new Policy on Financial Management. This policy is scheduled to take effect on April 1, 2017 and will replace all financial management policies, including the Policy on Internal Control. Notwithstanding the implementation of this new policy, the development, monitoring and maintenance of a risk-based departmental system of internal control over financial management will still be required. [Footnote 2]

The Deputy Minister approved this audit as part of the Risk-Based Audit Plan for 2015-16.

Audit Objective and Scope

The objective of this audit was to provide reasonable assurance that the monitoring process of key financial processes is appropriate and effective in support of the Department's annual Statement of Management Responsibility Including Internal Controls over Financial Reporting.

The audit scope focused specifically on ICFR as this was identified as the highest risk during the planning phase. The remaining departmental internal controls will be assessed / reviewed through future audit and advisory engagements.

The audit examined the Department's governance framework to establish an effective ICFR system. The audit did not evaluate: whether operating effectiveness of controls had been achieved; processes and controls outside the CFO's responsibilities; and, processes in place within central agencies to assess the system of ICFR for controls impacting the Department's financial statements.

The audit covered the 18-month period from April 1, 2014 to December 31, 2015, which included the March 31, 2015 Statement of Management Responsibility Including Internal Controls over Financial Reporting. The period of audit coverage also included recent ongoing monitoring and follow-up activities that took place in the first three quarters of fiscal year 2015-16 and related supporting documents as at March 31, 2016. Furthermore, additional policy documents and information regarding Information Technology General Controls (ITGCs) were considered as at January 20, 2017.

Summary of Findings

It was noted that the Department has met the set expectations in the following areas:

Based on procedures such as documentation review, interviews with key personnel, and sample testing, the audit noted two areas where improvement should be considered to support the Department's ICFR:

Audit Opinion

Two minor improvements [Footnote 3] related to the monitoring process of key financial processes are required to strengthen the system of ICFR in support of the Department's annual Statement of Management Responsibility Including Internal Controls over Financial Reporting.

Statement of Conformance and Assurance

Sufficient and appropriate audit procedures were conducted and evidence was gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed upon with management. The opinion is applicable only to the entity examined and within the scope described herein. The evidence was gathered in compliance with the Treasury Board Policy and the Directive on Internal Audit. The audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the Quality Assurance and Improvement Program. The procedures used meet the professional standards of the Institute of Internal Auditors (IIA). The evidence gathered is sufficient to provide Senior Management with proof of the opinion derived from the internal audit.

Recommendations

  1. The Assistant Deputy Minister, Corporate Management Branch (CMB) should:
    • Identify and document the SAP application controls upon which PS relies.
    • Highlight the SAP controls that are supported by the RCMP.
    • Communicate with the RCMP to identify the specific SAP automated application controls that they are monitoring.
    • Evaluate whether the key controls identified are sufficient to address the risks identified by the Department.
    • Establish additional controls where RCMP coverage is deemed insufficient.
  2. The Assistant Deputy Minister, CMB, should:
    • Review and align ELCs that apply to ICFR.
    • Implement an ongoing monitoring approach and cycle for the mapped ELCs to be included in PS' overall ICFR monitoring program.

Management Response

Management accepts the recommendations of Internal Audit.

The 'Management Response and Action Plan' section of the report outlines the actions that management will take to address the audit findings and recommendations.


Audit Team Members

Denis Gorman, Chief Audit and Evaluation Executive
Gabrielle Duschner, Director, Internal Audit and Evaluation Division
Sonja Mitrovic, Internal Audit Project Leader
Sophie Carrier, Senior Auditor
Cathy Kwan, Auditor
PricewaterhouseCoopers, consultants 

Acknowledgements

Internal Audit would like to thank all those who provided advice and assistance during the audit.

1 Introduction

1.1 Background

The 2009 Treasury Board Policy on Internal Control (PIC or the Policy) expects reporting that provides transparency and accountability on how the Government spends public funds to achieve results for Canadians. The Policy calls for:

The Deputy Minister is responsible for establishing, maintaining and monitoring the departmental system of internal control over financial management. In addition, by signing the annual departmental Statement of Management Responsibility Including Internal Control over Financial Reporting, the Policy requires the Deputy Minister to:

As indicated in section 3.6 of the Policy: “the Chief Financial Officer (CFO) supports the Deputy Head by establishing and maintaining a system of internal controls related to financial management including financial reporting and departmental accounts. Other senior departmental managers establish and maintain a system of internal controls for their areas of responsibility and within the departmental system of internal controls” [Footnote 4].

In accordance with the Policy, Public Safety (PS) has established a Risk-based Internal Control Framework that outlines these responsibilities as described in the following graph [Footnote 5]:

Graph 1: Levels of departmental internal controls

Image description:

The Deputy Minister (DM), as the accounting officer, is responsible for the broad system of internal control. The Chief Financial Officer (CFO) supports the Deputy Head by establishing and maintaining a system of internal controls related to financial management including financial reporting and departmental accounts. Assistant Deputy Ministers (ADM) establish and maintain a system of internal controls for their areas of responsibility and within the departmental system of internal controls, the system of Internal Control Financial Management (ICFM) and the system of Internal Control over Financial Reporting (ICFR). New policy requirements focus on the ICFR.

The PS Risk-based Internal Control Framework addresses the Internal Control over Financial Reporting (ICFR), which “provides assurance to management and the reader of the financial statements that assertions made in the report can be relied upon and enables comparison to similar organizations.” [Footnote 6] To ensure the integrity of financial information, the ICFR provides further assessment that:

As indicated in the PS System of Internal Control graph below, the ICFR is comprised of the following key controls: Information Technology General Controls (specifically SAP), Grants and Contributions, Operating Expenditures, Capital Expenditures, Financial Close, Payroll, and Revenue/Accounts Receivable Management.

Graph 2: PS System of Internal Control

Image description:

Internal Control Framework

This document acknowledges Public Safety's responsibility to maintain an effective system of internal control and guides the Department when performing required assessments of the effectiveness of its system of internal controls over financial reporting. This document details the framework for the Department's risk-based approach to Internal Controls over Financial Reporting (ICFR) and its ongoing processes designed to identify, prioritize and establish controls to mitigate these risks.

Internal Controls over Financial Reporting

Controls that enhance the reliability of financial statements by reducing the risk of material errors or misstatements in order to produce reports that are fairly presented in conformity with Treasury Board (TB) policies and the Financial Administration Act (FAA).

Control Environment: Entity Level Controls

Information Technology General Controls

SAP

SAP is hosted by the RCMP, and many of the responsibilities for the ITGCs rest with the RCMP as system host, which is consistent with the government-wide system clustering initiative. Only the controls that are the responsibility of PS are tested for operating effectiveness.

  • System Access
  • Access Termination
  • Manage Vendors
  • Application Controls

Control Activity: Grants and Contributions

Control Activity: Operating Expenditures (Procure to Payment)

Capital Expenditures

Internal Control Monitoring Assessments

Public Safety Canada (PS) has implemented a process to monitor internal controls over financial reporting as part of its response to the PIC. This provides assurance to PS's Deputy Minister on the effectiveness of the system of internal controls over financial reporting.

Senior Management Certifications of ICFR

Statement of Management Responsibility including ICFR

Provides users of financial statements with summary information that demonstrates how well the departmental system of ICFR is being managed through monitoring assessments and associated remediation plans. It is signed by the Deputy Minister and Chief Financial Officer, prefaces the departmental financial statements and:

  • Acknowledges the responsibility of management for ensuring the maintenance of an effective departmental system of ICFR;
  • Acknowledges the conduct of an annual risk-based assessment of the system of ICFR to determine its on-going effectiveness;
  • Acknowledges the establishment of an action plan to address any significant issues found as a result of the annual assessment of effectiveness of the system of ICFR; and
  • Includes a summary of the results of the assessment of the system of ICFR reporting along with the actions taken in response to any significant issues (section 6.1.2).

Annual Financial Statements

Financial Close

Payroll

Revenue/Accounts Receivable Management

In addition to establishing the governance and the appropriate management control frameworks, PS has completed its initial identification, documentation, testing, and remediation of key ICFR controls and has established a rotational monitoring plan that has been ongoing since April 1, 2014. The Internal Control Unit (ICU) that resides within the Financial Services and Systems and Resource Management Directorate, within the Corporate Management Branch, is responsible for ongoing monitoring. The ICU submits the results of ongoing monitoring to management in order to establish action plans. The Departmental Audit Committee (DAC) provides oversight and advice on the results and associated action plans. A summary of the ongoing monitoring activities and results is included in the Annex to the Statement of Management Responsibility within the departmental financial statements.

Through its policy reset, TB has issued a draft of the new Policy on Financial Management. This policy is scheduled to take effect on April 1, 2017 and will replace all financial management policies, including the Policy on Internal Control. Notwithstanding the implementation of this new policy, the development, monitoring and maintenance of a risk-based departmental system of internal control over financial management will still be required. [Footnote 7]

1.2 Audit Objective

The objective of the audit was to assess that the monitoring process of key financial processes is appropriate and effective in support of the Department's annual Statement of Management Responsibility Including Internal Controls over Financial Reporting.

1.3 Scope and Methodology

The audit scope focused specifically on ICFR as this was identified as the highest risk during the planning phase. The remaining departmental internal controls will be assessed / reviewed through future audit and advisory engagements.

The audit examined the Department's governance framework to establish an effective system of ICFR. It covered an 18-month period from April 1, 2014 to December 31, 2015 which included the March 31, 2015 Statement of Management Responsibility Including Internal Controls over Financial Reporting. The period of audit coverage also included recent ongoing monitoring and follow-up activities that took place in the first three quarters of fiscal year 2015-16 and related supporting documents as at March 31, 2016. Furthermore, additional policy documents and information regarding Information Technology General Controls (ITGC) were considered as at January 20, 2017.

Exceptions:

The audit scope did not include:

The Deputy Minister approved this audit as part of the Risk-Based Audit Plan for 2015-16.

1.4 Audit Opinion

Two minor improvements [Footnote 8] related to the monitoring process of key financial processes are required to strengthen the system of ICFR in support of the Department's annual Statement of Management Responsibility Including Internal Controls over Financial Reporting.

1.5 Statement of Conformance and Assurance

Sufficient and appropriate audit procedures were conducted and evidence was gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed upon with management. The opinion is applicable only to the entity examined and within the scope described herein. The evidence was gathered in compliance with the Treasury Board Policy and Directive on Internal Audit. The audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the Quality Assurance and Improvement Program. The procedures used meet the professional standards of the Institute of Internal Auditors. The evidence gathered is sufficient to provide Senior Management with proof of the opinion derived from the internal audit.

2 Findings, Recommendations and Management Responses

2.1 The Departmental framework and processes have been developed in support of Internal Controls over Financial Reporting

An established framework, documented financial processes, the identification of all key controls, and the ongoing assessment of their effectiveness and appropriateness in support of internal controls over financial reporting are required to meet the policy expected results. This included established processes for oversight bodies to review the results of monitoring activities and perform follow-ups on recommendations.

PS has implemented a formal governance structure to ensure sound financial management, including ICFR. The key oversight bodies include the Departmental Management Committee (DMC), which the Deputy Minister (DM) chairs, and the Departmental Audit Committee (DAC), chaired by an external member. DMC's terms of reference outline their oversight responsibilities for the Department's internal controls related to the annual financial cycle. The DAC's charter includes the responsibility to review the annual Statement of Management Responsibility Including Internal Controls over Financial Reporting and to provide advice to the Deputy Minister on the effectiveness of ICFR.

DMC has received presentations on all ICFR monitoring results with related actions documented in Records of Decision. Further, the DAC received periodic updates on all remediation activities stemming from ongoing monitoring testing/results. The DAC reviews the Annex in the Statement of Management Responsibility Including Internal Control over Financial Reporting, which outlines the details of the progress made during the year, the results and the planned activities for the upcoming year.

PS has established a Risk-based Internal Control Framework that includes Internal Control Financial Management (ICFM) and Internal Control over Financial Reporting (ICFR). The Framework outlines the main principles for identifying risk and criteria for conducting a risk assessment. It also provides guidelines on monitoring based on funding thresholds.

ICU has established a risk-based approach for ongoing monitoring of ICFR. “High risk” financial processes are monitored as often as annually whereas others are tested every three years.

PS has developed flowcharts and related narratives to document and highlight key controls in order to support the accuracy of financial statements. Business owners validate and update, as necessary, the flowcharts and narratives. ICU then establishes a test plan and examines a sample of transactions. In the case of a control weakness, recommendations are provided to the process owners who develop action plans with target dates. The ICU tracks implementation and follows up to ensure action plans are completed. For all processes tested in 2014-15 and 2015-16, ICU communicated the results for which action plans were established.

PS has an established governance structure, an internal control framework and a formal monitoring program to identify and monitor the state of ICFR.

2.2 The relevant automated application controls supported by the RCMP have neither been documented nor confirmed

The Systems, Applications & Products (SAP) is the Department's enterprise financial system. It is the source system for key financial processes, including procurement to payment and payroll (based on information provided from central agencies) and is financially relevant for ICFR. As part of the audit, we expected to find a monitoring program that includes an established process to test and report on the automated application controls related to SAP. Considering that the RCMP hosts the Department's SAP, we expected that an approach would be in place to rely on the host's automated application controls.

As noted in the Annex of the departmental financial statements, a Memorandum of Understanding (MOU) exists between PS and the RCMP outlining roles and responsibilities in support of the Department's use of SAP. Specifically, the RCMP is obligated to provide Help Desk functions and “train the trainer” sessions for any upgrades or releases. According to the interviews conducted, PS has direct and timely access to the RCMP support team. Furthermore, PS has full control of SAP user-access and vendor management (see Graph 2). To provide PS users with access and support to SAP, the department's financial systems group has developed training and service standards, which are currently under revision.

In reviewing the sampled processes and associated monitoring activities, we noted that no documentation exists for SAP application controls. Our analysis confirmed that PS relies on the RCMP to test SAP controls as part of its monitoring program.

According to the MOU covering the fiscal year 2016-17, the RCMP is to submit an annual attestation letter to PS providing reasonable assurance of the existence and effective functioning of its system controls. The MOU does not specifically identify which controls the RCMP will address. To date, PS has not received an attestation letter or equivalent document providing the state of controls related to SAP, as the RCMP has not completed the relevant control testing to date. However, we were advised that the RCMP will prepare the attestation letter at the end of fiscal year 2016-17.

Without identifying the application controls to mitigate existing risks and confirming monitoring coverage, PS does not have the assurance that the required controls are being tested and monitored to support ICFR. However, PS was informed that RCMP is assessing the design and operating effectiveness of Information Technology General Controls. Furthermore, they have provided their testing plan against which they will start monitoring the key automated controls. The results will be the focus of the attestation letter for 2016-17.

Recommendation

  1. The Assistant Deputy Minister, Corporate Management Branch (CMB) should:
    • Identify and document the SAP application controls upon which PS relies.
    • Highlight the SAP controls that are supported by the RCMP.
    • Communicate with the RCMP to identify the specific SAP automated application controls that they are monitoring.
    • Evaluate whether the key controls identified are sufficient to address the risks identified by the Department.
    • Establish additional controls where RCMP coverage is deemed insufficient.

2.3 Entity-Level Controls in support of financial reporting require testing and monitoring on an appropriate cycle

Entity-level controls (ELCs) are departmental controls that include tone at the top, ethics, risk management, communications, and human resources. The COSO framework is used to support organizations in establishing and maintaining systems of internal controls that “can enhance the likelihood of achieving the entity's objectives and adapt to changes in the business and operating environments.” [Footnote 9] As indicated in the Risk-based Internal Control Framework, the identification and monitoring of internal control over financial management, which includes ELCs, is shared between the Chief Financial Officer and the branch Assistant Deputy Ministers (ADMs).

PS has established an approach for ongoing monitoring that includes consultations with process owners to review and update documentation, and to ensure the design and operating effectiveness of key controls. This is completed over a three-year rotation based on risk. The ICU more frequently tests the financial processes or controls deemed higher risk. The results of these tests are formally reported to management, which include recommendations, as applicable.

The audit confirmed that the financial processes targeted to be subject to ongoing monitoring in 2014-15 and 2015-16, as outlined in the Annex to the Statement of Management Responsibility, were completed and reported on during the fiscal years to which they were committed.

The results found in the Annex to the Statement of Management Responsibility for March 31, 2015 accurately reflected the monitoring activities. PS reported that the ELCs supporting financial management were re-assessed and monitoring activities were completed with no remedial actions required.

Documentation provided during the audit confirmed that ICU identified, documented and tested the ELCs relevant to financial management as part of the Department's original implementation of PIC in 2013. The schedule of cyclical monitoring outlines that ELCs are examined on an ongoing basis. Although some of the ELCs are subject to the sub-certification signed by each Senior Departmental Manager, according to the ICU, monitoring activities for the identified ELCs have been limited to documentation updates. ICU has not formally assessed ELCs since 2013. Furthermore, the monitoring schedule does not provide the scope of the testing that is completed in line with the organizational accountability structure presented in the Risk-based Internal Control Framework.

We also noted that the existing ELC documentation aligns with an older version of the COSO Framework. In 2013, COSO released an updated version of its framework, introducing 17 principles as fundamental concepts associated with the components of internal control (as compared to the “key concepts” outlined in the previous Framework). While a transition to the 2013 Framework would not significantly affect the design of ELCs, mapping them to the 2013 Framework may reduce the number of key controls to assess in order to ensure the most efficient approach to monitoring.

Recommendation

  2. The Assistant Deputy Minister, CMB, should:
    • Review and align ELCs that apply to ICFR.
    • Implement an ongoing monitoring approach and cycle for the mapped ELCs to be included in PS' overall ICFR monitoring program.

2.4 Overall Conclusion

An effective governance structure is in place to monitor the state of ICFR. In addition, PS has established a framework for documenting and periodically updating key ICFR. The Department has also implemented a risk-based monitoring program that is being consistently applied and reported on, including a process to agree upon, monitor and report periodically on remediation actions resulting from ongoing monitoring activities. Two minor improvements related to the monitoring of the key ELCs and automated controls were identified that would strengthen the Department's system of ICFR.

2.5 Management Response and Action Plan

Management accepts the recommendations of Internal Audit. The recommendations recognize that all Departmental Managers share the accountability for ICFR and the implementation of PIC.

Recommendation 1:

The Assistant Deputy Minister, Corporate Management Branch (CMB) should:

  • Identify and document the SAP controls upon which PS relies.
  • Highlight the SAP controls that are supported by the RCMP.
  • Communicate with the RCMP to identify the specific SAP automated application controls that they are monitoring.
  • Evaluate whether the key controls identified are sufficient to address the risks identified by the Department.
  • Establish additional controls where RCMP coverage is deemed insufficient.

Management Action Plan (Target Completion Date):

  • CMB will identify and document the SAP application controls supported by the RCMP and relied upon. (July 31, 2017)
  • CMB will contact the RCMP to identify the SAP automated application controls that they are monitoring. (July 31, 2017)
  • CMB will evaluate the attestation and testing documentation received from the RCMP to determine that the key controls monitored mitigate departmental risk identified and that they are functioning effectively. (August 30, 2017)
  • If necessary, compensating controls will be established if RCMP coverage is not deemed sufficient. (August 30, 2017)

Recommendation 2:

The Assistant Deputy Minister, CMB, should:

  • Review and align ELCs that apply to ICFR.
  • Implement an ongoing monitoring approach and cycle for the mapped ELCs to be included in PS' overall ICFR monitoring program.

Management Action Plan (Target Completion Date):

  • CMB will review and identify ELCs that apply to ICFR. (September 30, 2017)
  • CMB will implement a formal ongoing monitoring approach and cycle for key ELCs, to be included in PS' overall ICFR monitoring program. (June 30, 2017)

Annex A: Audit Criteria

Audit Criteria

Criterion 1:

Appropriate and effective oversight bodies and clear roles, responsibilities and accountabilities for key personnel/oversight bodies have been established to ensure continued compliance with ICFR requirements within the TB Policy on Internal Control.

Criterion 2:

A framework and a formal process was established for the documentation of all key financial processes, the identification of all key controls and the ongoing assessment of their effectiveness and appropriateness.

Criterion 3:

Processes and resources for monitoring the state of the system of internal controls over financial reporting have been established.

Criterion 4:

The Statement of Management Responsibility Including Internal Control over Financial Reporting is supported by an Annex that accurately reflects the activities and assessment results of the Department's system of ICFR.

Annex B: Internal Audit and Evaluation Directorate Opinion Scale

The following is the Internal Audit and Evaluation Directorate audit opinion scale by which the significance of the collective audit findings and conclusions is assessed.

Audit Opinion Ranking

Definition

Well Controlled

  • well managed, no material weaknesses noted; and
  • effective

Minor Improvement

  • well managed, but minor improvements are needed; and
  • effective

Improvements Required

Improvements are required (at least one of the following two criteria is met):

  • control weaknesses, but exposure is limited because likelihood of the risk occurring is not high
  • control weaknesses, but exposure is limited because impact of the risk is not high

Significant Improvements Required

Significant improvements are required (at least one of the following criteria is met):

  • Financial adjustments material to line item or area or to the department
  • Control deficiencies represent serious exposure
  • Major deficiencies in overall control structure

Footnotes

  1. TB, Policy on Internal Control, 2009.
  2. Draft Policy on Financial Management, Treasury Board, 2017.
  3. Audit opinion assessment scale can be found in Annex B.
  4. Policy on Internal Control, Treasury Board Secretariat, April 1, 2009.
  5. Risk-based Internal Control Framework, Public Safety, July 2015.
  6. Risk-Based Internal Control Framework: Public Safety Canada, August 2014.
  7. Draft Policy on Financial Management, Treasury Board, 2017.
  8. Audit opinion assessment scale can be found in Annex B.
  9. Internal Control – Integrated Framework; Committee of Sponsoring Organizations of the Treadway Commission; May 2013.
