Audit of Internal Controls Over Financial Reporting


Date: November 2014
Project #: 14-05


Acronyms

AANDC
Aboriginal Affairs and Northern Development Canada

CAMM
Corporate Accounting and Materiel Management

CARD
Corporate Accounting and Reporting Directorate

CFO
Chief Financial Officer

COSO
Committee of Sponsoring Organizations of the Treadway Commission

FMC
Financial Management Committee

ICFR
Internal Controls Over Financial Reporting

OAG
Office of the Auditor General

OGD
Other Government Department

PIC
Policy on Internal Control

TB
Treasury Board


Executive Summary

Background

On April 1, 2009, the Treasury Board (TB) introduced the Policy on Internal Control (PIC), which applies to all departments and agencies as defined by the Financial Administration Act, to strengthen public sector financial management and reporting, and internal controls. The policy is intended to promote the integrity of financial reporting, and to acknowledge management's responsibility for maintaining an effective system of internal controls. It includes a requirement for the Deputy Head and the Chief Financial Officer (CFO) to sign a Statement of Management Responsibility Including Internal Controls over Financial Reporting (ICFR). Compliance with the policy and its directives and standards is monitored by the Deputy Head of each respective department and agency that is subject to the PIC.

In 2011 the Office of the Auditor General (OAG) published its Status Report on the progress of select departments toward its recommendations and observations identified in the 2003 - Integrated Risk Management and 2006 - Managing Government: Financial Information audits. In addition, the 2011 OAG Status Report assessed the progress of departments toward meeting the requirements of the Policy on Internal Controls. Findings specific to AANDC were identified at that time and further reported in the OAG's 2013 Follow-up Audit on Internal Controls over Financial Reporting, which included weaknesses in the Department's overall implementation of ICFR, including controls over contingent liabilities.

In January 2014, TB introduced a Guideline on Chief Financial Officer Attestation for Cabinet Submissions. This guideline identifies the six assertions of a CFO and provides guidance on CFO attestation conclusions and their communication. Under this new guidance and based on the criteria developed to support each assertion, the CFO is required to conduct a robust due diligence review prior to issuing a final assertion through a formal Attestation Letter that is to accompany all Cabinet and TB submissions. While the CFO Attestation requirements are forward looking, some of the financial analyses contained in future cabinet submissions will likely use historical data from financial statements, the accuracy of which is supported by existing financial controls.

Audit Objective and Scope

The objective of the audit was to assess the Department's: (i) readiness to achieve operating effectiveness of ICFR and sustain a financial statement audit [Footnote 1]; and (ii) ability to support the CFO attestation process for Cabinet and TB submissions.

The scope of the audit included the period from the date of the first control design assessment (November 2007) to June 30, 2014 and included an examination of the processes and mechanisms in place to implement PIC, as well as the progress toward compliance by the March 31, 2015 deadline. The audit assessed the extent to which the following assertions are supported:

  • There is an appropriate and effective level of governance and oversight currently in place to support AANDC's compliance with ICFR;
  • Work completed to date on the implementation of ICFR was carried out effectively and appropriately;
  • Work planned for completion in the current fiscal year (i.e. for the year ending March 31, 2015) addresses control gaps, both identified in the Office of the Auditor General's (OAG) report as well as items resulting from subsequent changes in AANDC's processes or systems; and,
  • The planned monitoring and oversight strategy for the ongoing assessment of ICFR over the next five years is reasonable and complete.

With regard to the processes and mechanisms in place to implement the TB Guideline on CFO Attestation for Cabinet Submissions, the scope of the audit was limited to an examination of the work completed to date, as well as the reasonableness of the action plan and associated timelines to complete any remaining work.

Statement of Conformance

The audit conforms with the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program.

Observed Strengths

The following strengths were observed during the audit:

  • Processes were thoroughly and consistently documented using flowcharts and narratives. Process flowcharts and narratives are an important tool used to capture the key controls, steps, and stakeholders involved in a process. These flowcharts and narratives serve as a roadmap for understanding key inputs and outputs of each process, including the identification of key controls, roles and responsibilities.
  • Operating effectiveness controls and methodology were developed. A detailed methodology for assessing operational effectiveness of internal controls was developed and applied consistently by the CFO Sector's Internal Controls Unit in 2013-14. Findings were reported to control owners and recommendations for improvement were created for management consideration.
  • An effective process was developed for CFO attestations. A process documenting all relevant evidence to support the requirements of the six assertions, as required under the new TB Guideline on CFO Attestation for Cabinet Submissions, has been developed and implemented by the Financial Planning, Analysis and Estimates Directorate of the CFO Sector, starting in January 2014.

Conclusion

The audit found that:

  • An appropriate and effective level of governance and oversight is currently in place to support AANDC's compliance with ICFR. Formalization of reporting requirements for updating and reporting progress to management and to the established governing bodies will further strengthen this process;
  • Work completed to date on the implementation of ICFR was carried out effectively and appropriately in accordance with defined AANDC ICFR methodology. However, the audit noted several opportunities to align AANDC's methodology with leading practices for ICFR assessments;
  • Work planned for completion in the current fiscal year (i.e. for the year ending March 31, 2015) appears to address control gaps identified by the OAG; however, the development and implementation of AANDC's plan for ongoing monitoring and oversight does not appear feasible for completion by March 31, 2015, based on current and planned progress; and,
  • The monitoring and oversight strategy framework for the ongoing assessment of ICFR over the next five years appears reasonable and complete.

The Department appears to be positioned to achieve operating effectiveness of ICFR in order to enable it to sustain a financial statement audit [Footnote 2] by March 31, 2015, contingent upon the Internal Controls Unit completing the remaining planned activities during the 2014-15 fiscal year. Specifically, the audit identified that: (i) the plan for ongoing monitoring and oversight requires increased attention if AANDC is to meet the communicated timeline for completion; and (ii) the Internal Controls Unit must conclude on the effectiveness of key controls in the environmental liabilities process.

The audit found that a process and mechanism are in place to support the CFO attestation process for Cabinet Submissions; however, the design and operational effectiveness of these controls have yet to be tested by the Internal Controls Unit.

Management Response

Management is in agreement with the findings, has accepted the recommendations included in the report, and has developed a management action plan to address them. The management action plan has been integrated in this report.

Recommendations

The audit team identified areas where management control practices and processes could be strengthened, resulting in the following six recommendations:

  1. The Chief Financial Officer should formalize and communicate protocols for both reporting progress to stakeholders and the reporting of process and control changes to the Internal Controls Unit.
  2. The Chief Financial Officer should ensure that a complete assessment, including conclusions over the effectiveness of all identified key controls, is performed by March 31, 2015, in order to meet AANDC's commitments and to better inform a risk-based approach for the on-going monitoring phase. Specifically, individual control effectiveness conclusions on key controls identified in the environmental liabilities process should be clearly documented and reviewed for completeness by the Internal Controls Unit. Additionally, leading practice for entity level control assessments would include the testing of all identified key controls at least once before taking a risk based approach to testing in future years.
  3. The Chief Financial Officer should provide guidance on the management of performance and reporting by external consultants retained to support AANDC's Internal Controls over Financial Reporting framework, to ensure alignment with the Internal Controls Unit's Operating Effectiveness Approach and Methodology.
  4. The Chief Financial Officer should ensure that a process is developed and implemented to allow the Internal Controls Unit to identify and assess third party service providers' impact on departmental financial reporting (i.e. valuations performed by external third party experts used to inform accounting judgements such as contaminated site liabilities). Additionally, while an informal process is in place to identify other government departments (OGDs) providing third party services, assurance on the effectiveness of internal controls being performed by OGDs should be obtained by AANDC through review of publicly available statements of management responsibility and/or third party service auditor reports for private organizations.
  5. The Chief Financial Officer should prioritize its five-year on-going monitoring and oversight plan based on the approved framework to ensure its completion. This will allow the Department to meet its requirements under the Policy on Internal Controls and address concerns raised by the OAG in its Fall 2013 Follow-up Audit on Internal Controls over Financial Reporting.
  6. The Chief Financial Officer should ensure that the new process/controls for the Chief Financial Officer Attestation for Cabinet and Treasury Board submissions are assessed for design and operational effectiveness.

1. Background

Parliament and Canadians expect the federal government to be well managed with the prudent stewardship of public funds, the safeguarding of public assets, and the effective, efficient and economical use of public resources. They also expect reliable reporting that provides transparency and accountability for how the government spends public funds to achieve results.

Aboriginal Affairs and Northern Development Canada (AANDC or "the Department") is a large department within the Government of Canada. The Department employs approximately 4,703 full-time equivalents and has planned budgeted expenditures of more than $8.0 billion for the 2014-15 fiscal year. The breakdown of planned spending within the Department includes $7.8 billion allocated to four strategic outcomes (The Government, The Land and Economy, The People, and The North) and $243 million allocated to internal services that support all of the strategic outcomes [Footnote 3].

In 2011 the Office of the Auditor General (OAG) published its Status Report on the progress of select departments toward its recommendations and observations identified in the 2003 - Integrated Risk Management and 2006 - Managing Government: Financial Information audits. In addition, the 2011 OAG Status Report assessed the progress of departments toward meeting the requirements of the Policy on Internal Controls. Findings specific to AANDC were identified at that time and further reported in the OAG's 2013 Follow-up Audit on Internal Controls Over Financial Reporting, which included weaknesses in the Department's overall implementation of ICFR, including controls over contingent liabilities.

An Audit of Internal Controls over Financial Reporting (ICFR) was included in Aboriginal Affairs and Northern Development Canada's 2014-2015 to 2016-2017 Risk-Based Audit Plan, approved by the Deputy Minister on February 6, 2014. The audit was identified as a priority area as federal departments and agencies are required to take measures to ensure that they can sustain a control-based audit of their annual financial statements [Footnote 4].

Internal Controls over Financial Reporting

On April 1, 2009, the Treasury Board (TB) introduced the Policy on Internal Control (PIC), which applies to all departments and agencies as defined by the Financial Administration Act, to strengthen public sector financial management and reporting, and internal controls. The policy is intended to promote the integrity of financial reporting, and to acknowledge management's responsibility for maintaining an effective system of internal controls. It includes a requirement for the Deputy Head and the Chief Financial Officer (CFO) to sign an annual Statement of Management Responsibility Including Internal Controls over Financial Reporting (ICFR). Compliance with the policy and guidelines is monitored by the Deputy Head of each respective department and agency that is subject to the PIC.

A system of ICFR includes consideration of controls at three levels: entity level, transaction level, and Information Technology (IT) level.

  • Entity level controls are defined as those controls which impact the organization at the highest level and impact the overall effectiveness of the system of internal controls. They are often referred to as the "tone from the top" controls.
  • Transaction level controls (business process controls) cover those controls embedded in the day to day recording of financial information (e.g. accounts payable, accounts receivable, revenue, and expenses). The effectiveness of these controls is directly and indirectly influenced by the effectiveness of the entity level controls.
  • IT level controls comprise two parts: IT general controls and IT application controls. IT general controls (ITGCs), similar to entity level controls, set the tone for the IT environment as a whole. The primary focus is on logical access and change management controls within systems critical to financial reporting. Application controls are embedded within the various applications used to process transactions and are evaluated as part of the transaction level control review.

The implementation of the PIC is the responsibility of the CFO and is carried out by the CFO Sector's Corporate Accounting and Materiel Management (CAMM) Branch. One component of CAMM's responsibilities is to provide advisory and support services through the issuance of policies, directives and other activities in the areas of accounting, contracting and procurement, assets, and materiel management in support of the Department's mandate. The Branch is also responsible for the functional improvement and maintenance of integrated financial management systems for the Department.

In implementing the PIC, the Financial Policy, Training and Internal Controls Unit (hereafter referred to as the 'Internal Controls Unit') has been progressing through the following key phases:

  • Identification and documentation of significant business processes:

    Entity level controls - Using the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework as a guide, identify, using a risk based approach, direct and indirect entity level controls that address risks within the five COSO components and sub-components.

    Transaction level controls - Identify the significant financial accounts on a judgment basis using inherent risk and materiality, and the significant business processes that impact the financial statement assertions. [Footnote 5]

    IT general controls - Once the significant business processes are identified, it is determined if any of the processes rely on a system or system-generated information. These systems are then considered in scope for design and operating effectiveness assessments.
  • Design assessment:

    The design of an internal control includes consideration of the information used to perform the control, the experience and knowledge of the identified individuals to effectively perform the control, the timeliness and nature of the control as well as the anticipated output or evidence from the control operation.
  • Operational effectiveness:

    The operation of a control is the consistency of application without exception of an effectively designed control. The Internal Controls Unit has tested the operating effectiveness of the identified key controls at the entity level and transaction level (e.g. Guaranteed Loans, Environmental Liabilities and Revenue Management and Guarantee Deposits). As AANDC has recently transitioned financial systems to SAP (effective April 1, 2014), hosted by Health Canada, IT general controls were not included in this assessment of operational effectiveness testing.

    It is important to consider that in performing the design assessment and operational effectiveness testing, findings may require remediation actions to address the gaps and/or weaknesses identified.
  • On-going Monitoring:

    A multi-year on-going monitoring plan is developed and implemented to identify and re-assess significant processes to be assessed for design and operational effectiveness. This multi-year on-going monitoring plan should be re-assessed to ensure high risk processes, new processes or processes that have undergone significant change are assessed on a timely basis.

The Office of the Auditor General (OAG) conducted a follow-up audit on ICFR in the fall of 2013, and found that while AANDC had made satisfactory progress toward addressing two recommendations from the OAG's previous 2011 audit, satisfactory progress was not made toward implementing the requirements of the TB PIC.

CFO Attestation for Cabinet Submissions

In January 2014, TB introduced a Guideline on Chief Financial Officer (CFO) Attestation for Cabinet Submissions. This guideline identifies the six assertions of a CFO and provides guidance on CFO attestation conclusions and their communication. Under this new guidance and based on the criteria developed to support each assertion, the CFO is required to conduct a robust due diligence review prior to issuing a final assertion through a formal Attestation Letter that is to accompany all Cabinet and TB submissions. While the CFO attestation requirements are forward looking, some of the financial analyses contained in future cabinet submissions will likely use historical data from financial statements, the accuracy of which is supported by existing financial controls.


2. Audit Objective and Scope

2.1 Audit Objective

The objective of the audit was to assess the Department's: (i) readiness to achieve operating effectiveness of internal controls over financial reporting and sustain a financial statement audit [Footnote 6]; and (ii) ability to support the CFO attestation process for Cabinet and TB submissions.

2.2 Audit Scope

The scope of the audit included the period from the date of the first control design assessment (November 2007) to June 30, 2014 and included an examination of the processes and mechanisms in place to implement the PIC, as well as the progress toward compliance by the March 31, 2015 deadline. The audit assessed the extent to which the following assertions are supported:

  • There is an appropriate and effective level of governance and oversight currently in place to support AANDC's compliance with ICFR;
  • Work completed to date on the implementation of ICFR was carried out effectively and appropriately;
  • Work planned for completion in the current fiscal year (i.e. for the year ending March 31, 2015) addresses control gaps, both identified in the OAG's report as well as items resulting from subsequent changes in AANDC's processes or systems; and,
  • The planned monitoring and oversight strategy for the ongoing assessment of ICFR over the next five years is reasonable and complete.

With regard to the processes and mechanisms in place to implement the TB Guideline on CFO Attestation for Cabinet Submissions, the scope of the audit was limited to an examination of the work completed to date, as well as the reasonableness of the action plan and associated timelines to complete any remaining work.


3. Approach and Methodology

The Audit of Internal Controls over Financial Reporting was planned and conducted in accordance with the requirements of the TB Policy on Internal Audit and followed the Internal Auditing Standards for the Government of Canada.

The audit team examined sufficient, reliable and relevant evidence to provide a reasonable level of assurance in support of the audit conclusion. The principal audit techniques used included:

  • Interviews and walkthroughs with key individuals across the Department. Individuals selected to participate in interviews and walkthroughs represented both Headquarters and hub activity and had responsibilities in CFO Attestation, Revenue Management, Environmental Liabilities, and Guaranteed Loans processes related to ICFR;
  • Review of process documentation, design assessments, operating effectiveness testing documentation, reports, remediation plans, progress updates, internal control frameworks, approaches and methodologies and other relevant documentation related to entity level controls, Revenue Management, Environmental Liabilities, Guaranteed Loans, Tangible Capital Assets, On-going Monitoring Framework and the CFO Attestation; and,
  • Re-performance of operating effectiveness testing completed by the Internal Controls Unit to validate approach and findings.

The approach used to address the audit objective included the development of audit criteria, against which observations and conclusions were drawn. The audit criteria developed for this audit are included in Appendix A.

Additionally, relevant policies and directives referenced throughout the audit process are listed in Appendix B. Definitions for key terms referenced throughout the report, as well as the roles and responsibilities of key project stakeholders, are detailed in Appendix C.

4. Conclusion

The audit found that:

  • An appropriate and effective level of governance and oversight is currently in place to support AANDC's compliance with ICFR. Formalization of reporting requirements for updating and reporting progress to management and to the established governing bodies will further strengthen this process;
  • Work completed to date on the implementation of ICFR was carried out effectively and appropriately in accordance with defined AANDC ICFR methodology. However, the audit noted several opportunities to align AANDC's methodology with leading practices for ICFR assessments;
  • Work planned for completion in the current fiscal year (i.e. for the year ending March 31, 2015) appears to address control gaps identified by the OAG; however, the development and implementation of AANDC's plan for ongoing monitoring and oversight does not appear feasible for completion by March 31, 2015, based on current and planned progress; and,
  • The monitoring and oversight strategy framework for the ongoing assessment of ICFR over the next five years appears reasonable and complete.

The Department appears to be positioned to achieve operating effectiveness of ICFR in order to enable it to sustain a financial statement audit [Footnote 7] by March 31, 2015, contingent upon the Internal Controls Unit completing the remaining planned activities during the 2014-15 fiscal year. Specifically, the audit identified that: (i) the plan for ongoing monitoring and oversight requires increased attention if AANDC is to meet the communicated timeline for completion; and (ii) the Internal Controls Unit must conclude on the effectiveness of key controls in the environmental liabilities process.

The audit found that a process and mechanism are in place to support the CFO attestation process for Cabinet Submissions; however, the design and operational effectiveness of these controls have yet to be tested by the Internal Controls Unit.


5. Findings and Recommendations

Each audit criterion, which established the expectations against which the audit was conducted, was assessed by the audit team using a combination of documentation review, analysis and detailed testing and interview procedures. A conclusion for each audit criterion was documented based on the results of applying the relevant audit procedures. Where gaps were identified between expected and actual practices, the associated risk was evaluated to develop a conclusion and to document recommendations for improvement.

5.1 Governance and Oversight

The audit examined whether an effective governance and oversight framework was in place to support AANDC's reporting on ICFR progress, achievements and next steps. This includes clearly defined roles and responsibilities, regular meetings, and updated and consistent procedures for documenting and remediating issues. In reviewing the governance framework in place for ICFR, it was evident that a number of formal and informal oversight and reporting functions are currently in place.  

5.1.1 Roles and responsibilities

There are formally established roles and responsibilities outlined in AANDC's Internal Control Management Framework and the Operational Effectiveness Testing Approach and Methodology. These are the key framework documents that form the basis not only for the implementation of ICFR at AANDC but also for its overall governance and oversight. Roles and responsibilities, as they relate to ICFR, are defined for the Deputy Minister, CFO, Director General (DG) of Corporate Accounting and Materiel Management (CAMM), Director of Corporate Accounting and Reporting Directorate (CARD), senior management of programs and the Internal Controls Unit.

  • Deputy Minister - Assumes overall responsibility and leadership for the measures taken to maintain an effective system of internal controls. This role is primarily performed through participation on the Department's Audit Committee and Financial Management Committee.
  • CFO - Reports directly to the Deputy Minister and provides oversight for the coordination, coherence and focus on the design and maintenance of an effective and integrated system of internal controls, including its annual assessment. Additionally, the CFO provides the approval of action plans to remediate weaknesses in the system of internal controls.
  • DG CAMM - Reports directly to the CFO on status, reliability and weaknesses in the system of internal controls and reviews progress and provides instruction to the Director, Corporate Accounting and Reporting, and the Internal Controls Unit on addressing weaknesses to the system of ICFR.
  • Director, CARD - Reports directly to the CFO and DG CAMM on the status, reliability and weaknesses in the system of internal controls; provides instruction to the Internal Controls Unit on developing and implementing the approach, methodology and ongoing monitoring for ICFR; and, oversees the development of the draft annex to the Statement of Management Responsibility including Internal Controls over Financial Reporting for the DG CAMM and the CFO.
  • Senior management of programs - Provides documentation and support as needed to complete operational effectiveness testing and implement recommendations and action plans approved by the CFO in their areas of responsibility.
  • Internal Controls Unit - Reports directly to the CFO, DG CAMM and Director, Corporate Accounting and Reporting Directorate on the status, reliability and weaknesses in the system of internal controls; develops and implements the approach, methodology and ongoing monitoring for ICFR; develops and maintains all documentation related to the design and operational effectiveness for ICFR and develops the draft annex to the Statement of Management responsibility including Internal Controls over Financial Reporting for the DG CAMM and the CFO.

While the framework clearly outlines roles and responsibilities and these roles and responsibilities are well understood, responsibilities regarding the identification of changes to processes and controls could be better defined in the framework to enable more timely updating of processes and controls. Refer to Section 5.4.1 for more information on identifying changes to processes and controls and updating documentation.

5.1.2 Reporting progress

Reporting of progress occurs formally and informally between key individuals with responsibilities for the implementation and oversight of ICFR as well as the two main oversight bodies, the Department's Audit Committee and Financial Management Committee (FMC).

Formally, ICFR progress is reported to the Audit Committee and the FMC, and, as a member of both committees, to the Deputy Minister. As per our review, ICFR progress has been reported in all Audit Committee meetings and select FMC meetings over the past year due to the concerns identified by the OAG in its Fall 2013 Follow-up Audit on ICFR. Progress is reported using the Internal Control Action Plan, which outlines the status of the action plan, what has been achieved, and the next steps. Table 1 below shows the Internal Control Action Plan work plan, which was presented to the Audit Committee and the FMC in April 2014, and outlines the ICFR controls/processes, their current status and, for those controls/processes not yet completed, the expected period of completion. Prior to Audit Committee and FMC meetings, the DG CAMM and CFO are updated on the progress of ICFR work by the Internal Controls Unit using the Internal Control Action Plan. The DG CAMM and CFO are able to provide insight, recommendations and advice based on that plan.

Table 1 - Example Internal Control Action Plan for April 2014

Work Plan for 2014-2015
AANDC ICFR Action Plan - Estimated Year of Completion

The first three columns are the AANDC ICFR Areas of Focus; the five numbered columns are the ICFR Approach activities.

| Workstream - Control Level | Scope | Testing Location | 1. Document | 2. Assess Design Effectiveness | 3. Remediation Plan Completed | 4. Assess Operational Effectiveness | 5. Remediation Plan Completed |
|---|---|---|---|---|---|---|---|
| Financial Transactions | Grants and Contributions | ALL REGIONS | | | | | |
| | Purchases, Payables and Payments | ALL REGIONS | | | | | |
| | Payroll | ALL REGIONS | | | | | |
| | Trust Accounts | ALL REGIONS | | | | | |
| | Direct Loans | ALL REGIONS | | | | | |
| | Guaranteed Loans | ALL REGIONS | | | | 2013/14 | April 30, 2014 |
| | Revenue Management & Guarantee Deposits | NCR and NWT | | | | 2013/14 | April 30, 2014 |
| | Tangible Capital Assets | NCR and NWT | | | | 2014/15 | 2014/15 |
| | Comprehensive Claims | ALL REGIONS | | | | | |
| | Specific Claims | ALL REGIONS | | | | | |
| Financial Reporting | Environmental Liabilities | ALL REGIONS | | | | 2013/14 | 2013/14 |
| | General Litigation Liabilities | ALL REGIONS | | | | | |
| | Financial Reporting | NCR | | | | | |
| Information Technology General Controls (Access management, Quality Assurance and Testing, Change Management, Disaster Recovery) | OASIS | NCR | | | | | |
| | FNITP/GLMM | NCR | | | | | |
| | RIMS | NCR and Alberta | | | | | |
| | OSMS/RPS | NCR | | | | | |
| | TFMS | NCR | | | | | |
| Entity Level Controls | Control Environment | NCR | | | | 2013/14 | 2013/14 |
| | Risk Assessment | NCR | | | | 2013/14 | 2013/14 |
| | Control Activities | NCR | | | | 2013/14 | 2013/14 |
| | Information and Communication | NCR | | | | 2013/14 | 2013/14 |
| | Monitoring | NCR | | | | 2013/14 | 2013/14 |

On-going Monitoring: 5 year on-going monitoring plan, 2014/15.

Colour code (status): Completed; In Progress; Plan for 14/15.

Updates are produced upon completion of a process assessment, an ad-hoc status update request, or a regular bi-lateral meeting.

Informally, additional progress reporting and oversight at the DG and Director levels occurs through regular bi-lateral discussions between the Director and DG CAMM. These bi-lateral discussions occur on a monthly basis, with more frequent discussions occurring around key project milestones.

While progress against ICFR objectives is being reported formally and informally to Audit Committee, FMC and senior management, the frequency at which progress is reported is not formally documented within the framework.

Finding

While a governance framework is in place and progress against the Internal Control Action Plan is effectively communicated, no formal documentation exists to outline the frequency at which progress is to be reported to the Audit Committee, the FMC, and the CFO. Additionally, no formal process is in place to support the timely identification of changes and updates to processes and controls. For example, there has been no identification and assessment of how the transition to SAP or the new CFO Attestation for Cabinet Submissions will impact processes and controls.

Recommendation:

1. The Chief Financial Officer should formalize and communicate protocols for both reporting progress to stakeholders and the reporting of process and control changes to the Internal Controls Unit.

5.2 ICFR implementation completed to date

The audit examined whether work completed to date on the implementation of ICFR was carried out effectively and appropriately. This included reviewing process documentation to ensure accuracy, reviewing design assessments, re-performing operating effectiveness testing to validate approach, application of methodology and findings, reviewing AANDC's methodology against the PIC, and reviewing the process for identifying and assessing third party service providers that impact financial reporting (i.e. expert third party service providers providing valuations for use in accounting judgements such as contaminated site liabilities).

5.2.1 Completeness and accuracy of documentation

Completed design assessments are comprised of three documents: (i) a control matrix; (ii) a process flowchart; and, (iii) a process narrative. The control matrix identifies the risks, controls, frequency of control operation, relevant assertion and other control details (detect/prevent, automated/manual, control owner, etc.). The process flowchart is a visual depiction of the process broken down by step, location of control and control owner. The flowchart is accompanied by a process narrative which is a written description to provide added detail and context to the process / controls.

Once the process is documented, walkthroughs are performed. Walkthroughs consist of following a process from start to finish using a transaction. Walkthroughs are an important component of the design assessment as they provide the Internal Controls Unit the ability to validate the accuracy of the process documentation as well as assess the design of the control, and evidence to support its operation.

The purpose of the design assessment is to determine if the control is designed effectively (appropriate information, individual performing the control, frequency of control, nature of control) to mitigate the risk (identified in the control matrix).

Once the design assessment is completed and any identified design weaknesses are remediated and in operation for an appropriate period of time (depending on the frequency of control), operational effectiveness testing can be performed. Typically, prior to performing operational effectiveness testing another walkthrough would be performed to ensure the remediation has taken place and to validate the accuracy of the process against existing process documentation and where required, update the process documentation.  

During the audit, we reviewed the design and operating effectiveness assessment and related documentation completed by Internal Controls Unit, and we performed walkthroughs to validate the accuracy and completeness of process documentation, including the identification of Headquarters/Regions, Business Management Units, and hubs. With the exception of recent organizational and system changes, the assessment and documentation of processes that were completed by the Internal Controls Unit in the 2013-14 fiscal year appears reasonable. Current process documentation indicates OASIS as the financial system; however, as of April 1, 2014, this was no longer accurate as SAP was implemented. This inconsistency was the result of a financial system change that has not yet been assessed for its impacts on processes/controls. This inconsistency and the timely identification and assessment of changes to processes/control would be addressed through implementation of recommendation 1 described above.

5.2.2 Validation of operating effectiveness approach and findings

Through the re-performance of operating effectiveness testing for those process assessments completed by the Internal Controls Unit in the 2013-14 fiscal year, it was observed that testing was performed in accordance with AANDC's documented methodology. Opportunity exists to further strengthen the methodology/approach to better align with leading practice around ICFR, as follows:

Entity level controls - The Internal Controls Unit's entity level control approach and methodology is based on the framework developed by COSO. The COSO Framework is structured around five components of internal control: Control Environment; Risk Assessment; Control Activities; Information and Communication; and, Monitoring Activities. Within each component, there are between two and seven sub-components. It was observed that the Internal Controls Unit assessed the sub-components based on their relevance to ICFR-related risks. This resulted in 10 of the 21 sub-components (and 20 of 36 key controls) being identified as high risk and subsequently assessed for design and operating effectiveness. While risk assessments can be an important component of identifying key controls at the entity level, the Internal Controls Unit did not use a risk assessment to rank controls, but instead to rank sub-components. The result is that 11 sub-components and 16 key controls have not yet been tested for design and operating effectiveness.

While the PIC does not specifically outline how entity level controls are to be identified and assessed, in the first year of assessment, all key controls and ultimately, all sub-components, should be assessed for design and operating effectiveness. This would also enable the Internal Controls Unit to more accurately perform a risk assessment in the following years to determine the frequency at which key controls are to be tested and represents leading practice of others implementing the Policy on Internal Controls.

Guaranteed Loan / Revenue Management - The Internal Controls Unit developed an Operational Effectiveness Testing Approach and Methodology with the help of an independent contractor. This Approach and Methodology was consistently applied but, in doing so, two types of variances were identified that resulted in inconsistencies in findings.

  1. Internal Controls Unit - If a control is rated as having a medium or low risk level and there are 0 < 5% exceptions, no further testing is required.

    Leading Practice - For a control to be operating effectively, it should operate without exception. If there is one exception and there is a reasonable explanation, testing should be expanded. If no further exceptions are identified, the control can pass; however, if another exception is identified, the control fails and it is concluded not to be operating effectively. The design of the control itself should dictate whether or not it is considered to be key (i.e. expected to work consistently without exception).

  2. Internal Controls Unit - If a control exception is identified but there is a compensating control in place, and if the compensating control is operating effectively, both controls can be concluded to be operating effectively.

    Leading Practice - If a control exception is identified and a compensating control is identified and assessed separately, only the compensating control can be concluded to be operating effectively.  Consideration must then be given to the impact of the ineffective control and whether its failure, despite the presence of a compensating control, increases the overall risk to the process.

Environmental Liabilities - This process was assessed by an external contractor and, at the time of the conduct phase, the Internal Controls Unit was not in possession of the supporting documentation to substantiate the findings of the external contractor. The supporting documentation was provided to the audit team following the completion of audit fieldwork. As part of the audit, we reviewed the process documentation, testing documentation, and reporting and it was observed that, while the independent contractor followed most of AANDC's methodology, unlike the processes assessed by the Internal Controls Unit, there were no conclusions on the operating effectiveness of the individual controls tested. This could be the result of either:

  1. The Internal Controls Unit not appropriately ensuring that the external contractor followed AANDC's methodology, including providing a conclusion on the operating effectiveness of the controls; or,
  2. The external contractor not providing conclusions over the effectiveness of each identified key control. Equally, the Internal Controls Unit itself had not concluded over the effectiveness of the individual controls and therefore the assessment remains incomplete.

Finding:

While the entity level controls have been identified as "completed as planned" by the Internal Controls Unit, the plan consisted of performing operating effectiveness testing on high risk controls, leaving medium and low risk controls un-tested. The result is that not all entity level controls have been tested as would be expected for the first assessment. Additionally, as no conclusions over the effectiveness of each identified key control have been provided, the assessment remains incomplete.

Recommendation:

2. The Chief Financial Officer should ensure that a complete assessment, including conclusions over the effectiveness of all identified key controls, is performed by March 31, 2015, in order to meet AANDC's commitments and to better inform a risk-based approach for the on-going monitoring phase. Specifically, individual control effectiveness conclusions on key controls identified in the environmental liabilities process should be clearly documented and reviewed for completeness by the Internal Controls Unit. Additionally, leading practice for entity level control assessments would include the testing of all identified key controls at least once before taking a risk-based approach to testing in future years.

Finding:

When leveraging the work of external consultants for areas such as environmental liabilities, the Internal Controls Unit has not mandated the same approach to testing and documentation as they employ internally. This includes retention and ownership of working papers and the provision of testing conclusions.

Recommendation:

3. The Chief Financial Officer should provide guidance on the management of performance and reporting by external consultants retained to support AANDC's Internal Controls over Financial Reporting framework, to ensure alignment with the Internal Controls Unit's Operating Effectiveness Approach and Methodology.

5.2.3 Methodology and application

The PIC outlines the responsibilities of Deputy Heads for monitoring and reporting on their department's/agency's system of internal controls. In reviewing AANDC's methodology documents, the Whitepaper on the Status of INAC AFS Projects (Design Assessment), the Operational Effectiveness Testing Approach and Methodology (Operational Effectiveness), and the Internal Controls Management Framework, it was observed that these documents address the broad requirements outlined in the PIC and therefore, AANDC's methodology for ICFR aligns with the PIC.

Furthermore, the methodology has been consistently applied by the Internal Controls Unit throughout the design and operating effectiveness testing, with the exception of missing control conclusions for Environmental Liabilities.

5.2.4 Third party service providers

Service providers external to AANDC have the potential to impact/inform AANDC's financial statements as a result of reliance on information provided by those parties. These service providers include other government departments (OGDs) and external (to government) third party service providers that provide advice, valuations and opinions.

AANDC relies on OGD and external third party service providers to provide operational services (i.e. payroll), advice, valuations and other sources of information. As a result of this reliance, there is an expectation that AANDC has a robust process in place to identify and assess the impact(s) of third party service providers on the financial statements.

While an informal process currently exists to identify OGDs that are providing services to AANDC, there is no process in place to assess the related risk and impacts of all third parties (including those external to government) as well as the service providers' own internal assessments of internal control operation.

Finding:

There is no formal process in place to identify and assess how third party service providers (including those external to the government) impact departmental reporting requirements. This may result in inappropriate reliance on third party information and/or lack of understanding around the controls governing the generation and use of that information.

Recommendation:

4. The Chief Financial Officer should ensure that a process is developed and implemented to allow the Internal Controls Unit to identify and assess third party service providers' impact on departmental financial reporting (i.e. valuations performed by external third party experts used to inform accounting judgements such as contaminated site liabilities). Additionally, while an informal process is in place to identify other government departments (OGDs) providing third party services, assurance on the effectiveness of internal controls being performed by OGDs should be obtained by AANDC through review of publicly available statements of management responsibility and/or third party service auditor reports for private organizations.

5.3 ICFR Plan for Completion by 2014-15

The audit examined whether work planned for completion in the current fiscal year (i.e. for the year ending March 31, 2015) addresses control gaps, both identified by the OAG in its 2013 report as well as items resulting from subsequent changes in AANDC's processes or systems.

5.3.1 System Changes

AANDC implemented SAP as the new financial system of record, effective April 1, 2014. This audit examined Internal Controls Unit's process to assess how the implementation of SAP was anticipated to impact existing processes and controls. The Internal Controls Unit noted that no process is currently in place to identify the changes, to assess the impacts on processes/controls and to perform any follow-up testing as required/needed to reflect the change in the core financial system.

The Tangible Capital Asset process that is undergoing operational effectiveness testing in the 2014-15 fiscal year has not been updated to reflect the impact of SAP controls. The Internal Controls Unit has elected to test the operational effectiveness of Tangible Capital Assets based on controls within the previous financial system, OASIS, due to the timing of SAP implementation. This results in both design and operational effectiveness testing which is not relevant to the current process (i.e. using SAP).

The need to create a course of action for updating of significant processes for the impact of SAP is included in Recommendation #1 in section 5.1.2 above. The process by which significant changes in the control environment, such as SAP, are identified and updated in a timely manner should be revisited by the CFO and the Internal Controls Unit.

5.3.2 Progress to actuals to completion deadline

In reviewing processes completed by the Internal Controls Unit in the 2013-14 fiscal year, progress reported to the Audit Committee and the FMC in April 2014 through the formal Internal Control Action Plan, and to senior management through informal and formal updates, was observed to be accurate. The audit observed, however, that entity level controls, which have been reported as "Completed" or "Completed as Planned", have been tested at a level inconsistent with leading practice for ICFR evaluations (see Section 5.2.2 - Entity level controls).

There are two processes that are identified to be completed in the 2014-15 fiscal year, Tangible Capital Assets and the On-going Monitoring Plan.

Tangible Capital Assets - Based on a review of the documentation completed to date, the work remaining to be completed, the project schedule, and the resources allocated to the process, it appears reasonable that the operating effectiveness testing and remediation plan can be completed by March 31, 2015. However, while the plan to complete appears reasonable, it should be noted that if challenges arise during the testing phase, if process/control owners challenge the findings and recommendations, or if the Internal Controls Unit temporarily or permanently loses resources, the Internal Controls Unit may have difficulties completing the Tangible Capital Asset process, as planned.

On-going monitoring - After reviewing the approved On-going Monitoring Framework, the project schedule, and resources allocated to the application of the Framework, the On-going Monitoring Plan may not be completed for the end of the 2014-15 fiscal year, as planned. Completion of the On-going Monitoring Plan may be challenging due to the limited capacity, complexity of applying the On-going Monitoring Framework, and the amount of consultation that may be required. As noted for Tangible Capital Assets, other variables could negatively impact the completion of the On-going Monitoring Plan, in addition to the aforementioned challenges.

Finding:

There are concerns that the On-going Monitoring Plan may not be implemented in time for the March 31, 2015 deadline given the limited capacity, the complexity of applying the On-going Monitoring Framework, and the amount of consultation that may be required.

Recommendation:

5. The Chief Financial Officer should prioritize its five-year on-going monitoring and oversight plan based on the approved framework to ensure its completion. This will allow the Department to meet its requirements under the Policy on Internal Controls and address concerns raised by the OAG in its Fall 2013 Follow-up Audit on Internal Controls over Financial Reporting.

5.3.3 Remediation

During the audit, it was noted that remediation plans have been prepared for the processes that were completed during the 2013-14 fiscal year. These plans include dates to complete remediation actions and assigned responsibilities for completion. The monitoring approach for remediation actions includes follow-up emails, face-to-face meetings, and a review of the remediation actions to determine satisfaction with results. The Internal Controls Unit has updated the remediation plan to reflect when the remediation was completed and the evidence of completion. Process/control owners are also encouraged to proactively inform the Internal Controls Unit when remediation actions have been completed. While the remediation monitoring is in place, follow-up assessment/testing may not occur until the process is re-examined under the On-going Monitoring Plan.

5.3.4 Liabilities

Environmental Liabilities and Guaranteed Loans have structured accounting approaches; however, both processes are experiencing challenges with consistency of operation as follows:

Environmental Liabilities - Documentation and testing performed by the external consultant does not contain conclusions on the operating effectiveness of the controls. Additionally, the accounting approach to determine liabilities was not fully implemented and therefore, was not being consistently applied by the programs and regions.

Guaranteed Loans - While a process is in place, there have been challenges in applying it consistently due to discrepancies and completeness of financial information used to develop the liabilities. Discrepancies are the result of reports such as the Lender Confirmation of Actuals Reports, which are incomplete, not current, or inaccurate. This impacts the overall accuracy of the National Housing Authority Report which informs the contingent liability for the Guaranteed Loans Program.  

The challenges surrounding the implementation of the accounting processes have been identified in the Operational Effectiveness testing and remediation plans.

5.4 On-going monitoring

The audit examined whether a planned monitoring and oversight strategy for the ongoing assessment of ICFR over the next five years is reasonable to meet the sustainability requirements of the PIC.

5.4.1 Ongoing sustainability

Roles and responsibilities are clearly communicated and understood by the key stakeholders responsible for the ongoing sustainability of the PIC. However, with respect to identification of changes in the internal control environment (i.e. processes/controls), further work should be done to strengthen the process for ensuring timely communication of those changes to the Internal Controls Unit and modification to existing process/control documentation.

Currently, changes are only identified and documentation updated when the Internal Controls Unit validates the process/controls through walkthroughs prior to Operating Effectiveness testing as part of planned assessments, and not immediately after a change has occurred. This delays the operational effectiveness testing as unplanned time is required to validate and update process documentation before testing can commence. Additionally, this impacts the Internal Controls Unit's ability to accurately prioritize the processes and controls to be assessed in the current and future periods.

5.4.2 On-going Monitoring Framework

The On-going Monitoring Framework outlines the annual re-assessment process, including the risk factors that are considered for each existing and new process.

The eight risk factors are:

  • AANDC Corporate Risk Profile (and stakeholder concerns);
  • New Program or Legislation;
  • Organizational Change;
  • Data Analysis for Trends;
  • Size of Program;
  • Adequacy and Effectiveness of Internal Controls;
  • Prior Findings; and,
  • Last Coverage.

These risk factors should allow for the organization to appropriately re-assess processes on an annual basis and ensure that the plan is monitoring the highest risk processes.

Finding:

No additional findings identified. Refer to finding and Recommendation #1 in section 5.1.2 above for on-going sustainability.

5.5 CFO Attestation

The audit examined whether or not a process and mechanism is in place to implement the TB Guideline on CFO Attestation for Cabinet Submissions.

5.5.1 Development and Implementation

Based on our interview and walkthrough with stakeholders in the Financial Planning, Analysis and Estimates Directorate of the CFO Sector, it was noted that a checklist was developed based on Appendix B of the TB Guideline on CFO Attestation for Cabinet Submissions. The checklist aligns with the six assertions outlined in the TB Guideline and provides a basis for the due diligence to be completed and documented by the CFO Sector. The checklist was reviewed and supported internally by the Director of Financial Planning, Analysis and Estimates, the DG Planning and Resource Management, and the CFO.

The TB Guideline went into effect on January 1, 2014. AANDC since has developed 13 TB Submissions. Of these 13 TB Submissions, two were reviewed in detail as part of this audit, to determine if the checklist was completed and supporting documentation was present to support the six assertions. In both cases the checklists were complete, supporting documentation was on file to support the six assertions, and the Attestation was signed by the CFO.

Roles and responsibilities, while not formally documented in AANDC's internal process, are outlined in the TB Guideline on CFO Attestation for Cabinet Submissions.

5.5.2 Assessment for design and operating effectiveness

Based on interviews during the audit, it was noted that the Internal Controls Unit was not involved in the development of the checklist or in the implementation of the process. Furthermore, this process has not been documented or assessed for design and operating effectiveness.

Finding:

No design or operational assessments have been performed on the AANDC CFO Attestation process for TB Submissions, which was implemented on January 1, 2014, as required by the TB Guideline on CFO Attestation for Cabinet Submissions.

Recommendation:

6. The Chief Financial Officer should ensure that the new process/controls for the Chief Financial Officer Attestation for Cabinet and Treasury Board submissions are assessed for design and operational effectiveness.


6. Management Action Plan

Recommendations Management Response / Actions Responsible Manager (Title) Planned Implementation Date
1. The Chief Financial Officer should formalize and communicate protocols for both reporting progress to stakeholders and the reporting of process and control changes to the Internal Controls Unit. A) To formalize and communicate reporting to stakeholders, including senior management, the CFO will request that internal controls be added as a standing item on the agendas of relevant committees, such as Financial Management Committee and Audit Committee, as appropriate. Chief Financial Officer A) October 2014
Completed
B) For the reporting of process and control changes to the Internal Control Unit, we will define Programs' roles and responsibilities including process requirements. This information will be added to our Internal Control Management Framework and will be communicated to all Programs. B) March 2015
2. The Chief Financial Officer should ensure that a complete assessment, including conclusions over the effectiveness of all identified key controls, is performed by March 31, 2015, in order to meet AANDC’s commitments and to better inform a risk-based approach for the on-going monitoring phase.  Specifically, individual control effectiveness conclusions on key controls identified in the environmental liabilities process should be clearly documented and reviewed for completeness by the Internal Controls Unit. Additionally, leading practice for entity level control assessments would include the testing of all identified key controls at least once before taking a risk based approach to testing in future years. A) To ensure the completeness of assessments of all key controls, the Internal Control Unit will review its action plan to determine whether sufficient resources are in place and that contingencies are considered in order to ensure that the action plan is finalized by end of fiscal year. Chief Financial Officer A) March 2015
B) Concerning the documentation and review of the individual control effectiveness conclusions identified in the environmental liabilities, we will review and validate the information contained in the working documents to be assured that the assessments were done according to best practices and that conclusions are accurate.  In the future, we will continue to ensure that such documents comply with our policy instruments. B) December 2014
Completed
C) For the testing of all identified key controls and as per Treasury Board's Policy on Internal Control, we will review and validate the assessments that were completed to be assured that all key controls have been tested.  Over the course of the next five years, during our ongoing monitoring, we will re-assess all appropriate key controls on a risk based approach. C) March 2015
Completed
3. The Chief Financial Officer should provide guidance on the management of performance and reporting by external consultants retained to support AANDC’s Internal Controls over Financial Reporting framework, to ensure alignment with the Internals Control Unit’s Operating Effectiveness Approach and Methodology. We will modify our Statement of Work template in order to ensure that the work performed by external consultants aligns with our policy instruments, framework, methodology and approach and that the roles and responsibilities of both parties (i.e., the ICU and the contractor) are clearly defined.  In the future, upon the signature of new contracts, these documents will be shared by the Internal Control Unit and reviewed in detail with the external consultants. Chief Financial Officer December 2014
Completed
4. The Chief Financial Officer should ensure that a process is developed and implemented to allow the Internal Controls Unit to identify and assess third party service providers’ impact on departmental financial reporting (i.e. valuations performed by external third parties experts used to inform accounting judgments such as contaminated site liabilities). Additionally, while an informal process is in place to identify other government departments (OGDs) providing third party services, assurance on the effectiveness of internal controls being performed by OGDs should be obtained by AANDC through review of publically available statements of management responsibility and/or third party service auditor reports for private organizations. A) The ICU will review design documentation to identify programs that rely on third party service providers for financial estimate. Once identified, the ICU will validate that controls have been established to ensure estimates comply with Government of Canada and Public Sector Accounting Standards. As part of this exercise, the ICU will develop a process requiring programs to develop a list of all such third party service providers, which will allow the ICU to appropriately assess the reliance and related controls for sufficiency. Chief Financial Officer A) March 2016
B) Concerning assurance on the effectiveness of internal controls being performed by OGDs, we will formalize a process to review the statements of management responsibility of OGD’s the Department relies on in order to assess the effectiveness of the controls that have been documented and tested, the resulting observations and recommendations and the controls to be tested in the future.  Our review and assessment will be documented and communicated to the CFO annually and incorporated as part of presentations to senior management where appropriate, in accordance with established schedule developed as part of our response to recommendation 1 (a). B) March 2016
5. The Chief Financial Officer should prioritize its five-year on-going monitoring and oversight plan based on the approved framework to ensure its completion. This will allow the Department to meet its requirements under the Policy on Internal Controls and address concerns raised by the OAG in its Fall 2013 Follow-up Audit on Internal Controls over Financial Reporting. The ICU will document its timelines, including key milestone dates to ensure that the five-year on-going monitoring plan is prioritized and completed in accordance with the ongoing monitoring framework by the end of this fiscal year. As part of this exercise, target dates will be set for final approval by the CFO and its presentation to the Financial Management Committee / Operations Committee members (as required) well in advance of year-end to ensure sufficient time for their comments and feedback. Chief Financial Officer March 2015
6. The Chief Financial Officer should ensure that the new process/controls for the Chief Financial Officer Attestation for Cabinet and Treasury Board submissions are assessed for design and operational effectiveness.
We will review CFO attestations completed to date for all Cabinet and Treasury Board submissions to ensure that expected effectively designed controls are in place and that they are operating effectively.
Chief Financial Officer
March 2015
 

Appendix A: Audit Criteria

To ensure an appropriate level of assurance to meet the audit objectives, the following audit criteria were developed.

Audit Criteria and Sub-criteria

Governance

1. An effective governance framework is in place, which includes clearly defined roles and responsibilities, regular meetings and updates, and consistent procedures for documenting and remediating issues.
  1.1 A governance framework exists for oversight and reporting of ICFR progress.
  1.2 Reported ICFR progress aligns with actual progress. Remediation identified during the design and operating effectiveness assessments is monitored and reported to the CFO, Deputy Minister, FMC, and Audit Committee on a timely basis.

Completed ICFR Work

2a. Controls performed in HQ/Hubs, BMUs, and regions are appropriately included in the business process documentation.
  2.1 For processes/control assessments completed to date, documentation exists outlining which processes/controls occur in each HQ Sector, Region, BMU and Hub.
  2.2 For processes/control assessments completed to date, design assessments and operating effectiveness testing are performed regularly and include HQ/Regions, BMUs, and Hubs.
2b. A methodology and application exist and align with ICFR standards and the PIC requirements.
  2.3.1 For processes/control assessments completed to date, AANDC's ICFR methodology and approach is clearly defined and aligns with the PIC.
  2.3.2 For processes/control assessments completed to date, the ICFR methodology is consistently applied across the entity, business process, and IT general controls levels.
2c. A signed Memorandum of Understanding (MOU) is in place which documents third party service standards, and an assessment of how a third party service provider impacts departmental financial reporting requirements has been conducted.
  2.4 For processes/control assessments completed to date, an MOU is in place, which includes service standards for all third party arrangements.
  2.5 For processes/control assessments completed to date, design assessments and operating effectiveness testing have been performed on processes impacted by third party service providers.
  2.6 For processes/control assessments completed to date, a process has been developed and is in place to monitor and report on third party service provider standards.

2014-15 Plan to Complete

3a. Identification of controls and process weaknesses and a detailed remediation plan have been conducted to address gaps between existing processes/controls and post-SAP implementation processes/controls.
  3.1 A formal risk management methodology is in place and well documented.
  3.2 The risk management methodology ensures the regular capture, reporting, analysis, and mitigation of risks.
3b. An effective monitoring and oversight process is in place to ensure that progress against the work plan is occurring in a timely and effective manner.
  3.3 An oversight and monitoring process is in place.
  3.4 Progress against the ongoing plan/strategy is monitored and reported against.
  3.5 Processes identified to be completed for this current year will support AANDC in meeting their PIC requirements.
  3.6 Remediation approach is being applied consistently to weaknesses identified during design assessment and operational effectiveness testing.
3c. A structured, informed, and consistent approach for addressing accounting judgement is in place to ensure a consistent and structured approach in order to meet year-end requirements.
  3.7 The approach for addressing accounting judgement, including environmental liabilities, contingent liabilities, and guaranteed loans, has been designed and is operating effectively.

On-going Sustainability Plan

4a. Roles and responsibilities are established and communicated with regard to identifying, updating documentation, and assessing processes/controls in a timely and complete manner.
  4.1 Roles and responsibilities for the ongoing sustainability of the PIC are established and clearly communicated, and understood by process/control owners.
  4.2 Process/control changes are identified, documentation is updated, changes are communicated to Internal Controls and assessed in a timely and complete manner.
4b. An effective ongoing monitoring framework is established and includes an annual re-assessment to address issues identified within the past year, significant changes to the organization or emerging risks that will affect ICFR.
  4.3 The ongoing monitoring framework exists (i.e. Five year plan) and is well defined, and considers the results of testing in a given year to inform future years (i.e. responds to assessment results).

CFO Attestation

5. A process to effectively implement the TB Guideline on CFO attestation for Cabinet Submissions is established, a plan is in place and is regularly monitored and progress is reported.
  5.1 An implementation plan is in place to meet the TB Guideline on CFO attestation for Cabinet Submissions.
  5.2 Progress against the implementation plan is being monitored and reported internally.
  5.3 Processes/controls related to the six financial related attestations required from the CFO for Cabinet Submissions have been documented, assessed for design effectiveness, tested for operational effectiveness, and remediation plans are in place.
 

Appendix B: Relevant Policies/Directives

The following authoritative sources (i.e. Policies/Directives) were examined and used as a basis for this audit:

  • Treasury Board Policy on Internal Control
  • Treasury Board Guideline on Chief Financial Officer Attestation for Cabinet Submissions
  • Financial Administration Act
  • AANDC Internal Control Management Framework
  • AANDC Operational Effectiveness Testing Approach and Methodology
  • AANDC Whitepaper on the Status of INAC AFS Projects

Appendix C: Key Terms and Definitions

These key terms and definitions are used throughout the report. This appendix is intended to facilitate the common and consistent understanding of terminology as it applies to ICFR, CFO Attestations and this audit.

Aboriginal Affairs and Northern Development Canada (AANDC)

AANDC is a large federal government department, responsible and accountable for the overall success of the departmental implementation of the Policy on Internal Control (PIC). Within AANDC, the Chief Financial Officer (CFO) is responsible for overseeing the successful implementation of the PIC, which is carried out by the CFO Sector's Corporate Accounting and Materiel Management Branch.

Business Management Unit (BMU)

BMUs are responsible for the financial, human resource planning and reporting, IM/IT, security and accommodations support functions performed within a given Sector/Corporate Function.

CFO Assertions

In January 2014, TB introduced a Guideline on Chief Financial Officer Attestation for Cabinet Submissions. Six fundamental assertions were identified to characterize the elements of CFO attestation (defined below) and to convey the CFO's attestation conclusions in support of decision making. These assertions are rooted in the CFO's roles and responsibilities as defined by the TB financial management policies.

The six assertions are as follows:

  1. The nature and extent of the proposal is reasonably described and material assumptions having a bearing on the associated financial requirements have been disclosed and are supported.
  2. Significant risks having a bearing on the financial requirements, the sensitivity of the financial requirements to changes in key assumptions, and the related risk-mitigation strategies have been disclosed.
  3. Financial resource requirements have been disclosed and are consistent with the assumptions stated in the proposal, and options to contain costs have been considered.
  4. Funding has been identified and is sufficient to address the financial requirements for the expected duration of the proposal.
  5. The proposal is compliant with relevant financial management legislation and policies, and the proper financial management authorities are in place or are being sought through the proposal.
  6. Key financial controls are in place to support the implementation and ongoing operation of the proposal. (Footnote 8)

CFO Attestation

In January 2014, TB introduced a Guideline on Chief Financial Officer Attestation for Cabinet Submissions. This guideline identifies the six assertions of a CFO and provides guidance on CFO attestation conclusions and their communication. Under this new guidance and based on the criteria developed to support each assertion, the CFO is required to conduct a robust due diligence review prior to issuing a final assertion through a formal Attestation Letter that is to accompany all Cabinet and Treasury Board submissions.

Corporate Accounting and Materiel Management (CAMM) Branch

CAMM is situated within the CFO Sector and, among other responsibilities, is charged with carrying out the implementation of the PIC. One component of CAMM's responsibilities is to provide advisory and support services through the issuance of policies, directives, and other activities in the areas of accounting, contracting and procurement, assets, and materiel management in support of the Department's mandate. CAMM is also responsible for the functional improvement and maintenance of integrated financial management systems for the Department.

Design effectiveness

The design of an internal control includes consideration of the information used to perform the control, the experience and knowledge of the identified individuals to effectively perform the control, the timeliness and nature of the control, as well as the anticipated output or evidence from the control operation.

Entity level controls

Entity level controls are defined as those controls which impact the organization at the highest level and impact the overall effectiveness of the system of internal controls. They are often referred to as the "tone from the top" controls.

Financial Administration Act

An Act of Parliament, designed to provide for the financial administration of the Government of Canada, the establishment and maintenance of the accounts of Canada, and the control of Crown corporations. (Footnote 9)

Financial Planning, Analysis and Estimates Directorate

A group situated within AANDC's Chief Financial Officer Sector that oversees financial planning, analysis and estimates. This group is responsible for acting as the challenge function to programs submitting TB Submissions and for responding to the Treasury Board regarding any questions or concerns related to TB Submissions from AANDC.

Financial Statement Assertions

There are five different financial statement assertions used to justify each item in the financial statements. 

The five assertions are as follows:

  1. Existence/Occurrence: The asset or liability exists at a given date and the underlying transaction has occurred in the specified time period.
  2. Completeness: All valid transactions have been reflected in the financial statements.
  3. Valuation: Value associated with the asset/liability is accurately recorded.
  4. Rights and Obligations: Rights for assets recorded in the financial statements and obligations for liabilities recorded in the financial statements are those of the reporting organization.
  5. Presentation and Disclosure: Financial statements, including relevant disclosures, are presented in accordance with the relevant accounting principles and guidance (i.e. IFRS, GAAP).

Hubs

In September 2012, AANDC consolidated its accounting, procurement and human resources into service centres ("hubs") in support of the Deficit Reduction Action Plan. Previously, these functions were decentralized to all regions.

Internal control

Internal control is generally recognized as a set of means that organizations put in place to mitigate risks and provide reasonable assurance in the following broad categories:

  • The effectiveness and efficiency of programs, operations and resource management, including safeguarding of assets;
  • The reliability of financial reporting; and,
  • Compliance with legislation, regulations, policies and delegated authorities.

In practice, the set of means that represent internal controls can include those elements of an organization such as its resources, systems, processes, culture, structure, and tasks that, taken together, support people in managing risks in order to achieve an organization's objectives. The Integrated Framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides a generally accepted framework in this area (see TB Guideline on Internal Controls Over Financial Reporting). (Footnote 10)

Internal Controls over Financial Reporting

Internal Controls over Financial Reporting comprise a set of means that allows management and users of financial statements to have reasonable assurance that:

  • Records which fairly reflect all financial transactions are maintained;
  • Recording of financial transactions permits the preparation of internal and external financial information, reports, and statements in accordance with policies, directives, and standards; and,
  • Revenue received and expenditures made are in accordance with delegated authorities, and unauthorized transactions that could have a material effect on financial information and financial statements are prevented or detected in a timely manner. This includes providing reasonable assurance that financial resources are safeguarded against material loss due to waste, abuse, mismanagement, errors, fraud, omissions and other irregularities. (Footnote 11)

IT level controls

IT level controls comprise two pieces: IT general controls and application controls. IT general controls, similar to entity level controls, set the tone for the IT environment as a whole. The primary focus is on logical access and change management controls within systems critical to financial reporting. Application controls are embedded within the various applications used to process transactions and are evaluated as part of the transaction level control review.

Operational effectiveness

The operation of a control is the consistency of application without exception of an effectively designed control. A control is deemed effective when it is operating consistently as intended.

Regions

AANDC has offices at Headquarters in the National Capital Region, as well as in the following regions: Atlantic, Quebec, Ontario, Manitoba, Saskatchewan, Alberta, British Columbia, Northwest Territories, Nunavut and Yukon. Additionally, Indian Oil and Gas Canada, located in Alberta, is a special operating agency situated within AANDC.

Policy on Internal Control

The Policy on Internal Control (PIC) was developed by Treasury Board and took effect in April 2009. The objective of the PIC is to ensure that "risks relating to the stewardship of public resources are adequately managed through effective internal controls, including internal controls over financial reporting". (Footnote 12)

Transaction level controls

Transaction level controls, or business process controls, cover those controls embedded in the day-to-day recording of financial information (i.e. accounts payable, accounts receivable, revenue, and expenses). The performance and effectiveness of these controls is a factor of the entity level control effectiveness.

Treasury Board

Treasury Board is the federal central agency that introduced the Policy on Internal Control, which applies to all departments and agencies, as defined by the Financial Administration Act.

Footnotes

Footnote 1

Per the TB Policy on Financial Resource Management, Information and Reporting, "the Deputy Head is responsible for ensuring that measures are taken so that the department can sustain a control-based audit of its annual financial statements in whole or in part".

Footnote 2

Per the TB Policy on Financial Resource Management, Information and Reporting, "the Deputy Head is responsible for ensuring that measures are taken so that the department can sustain a control-based audit of its annual financial statements in whole or in part".

Footnote 3

2014-15 AANDC Report on Plans and Priorities

Footnote 4

Per the TB Policy on Financial Resource Management, Information and Reporting, "the Deputy Head is responsible for ensuring that measures are taken so that the department can sustain a control-based audit of its annual financial statements in whole or in part".

Footnote 5

Each financial statement account is comprised of financial statement assertions: Existence/Occurrence, Completeness, Valuation, Presentation and Disclosure, and Rights and Obligations. (Refer to Annex C for more information on financial statement assertions.)

Footnote 6

Per the TB Policy on Financial Resource Management, Information and Reporting, "the Deputy Head is responsible for ensuring that measures are taken so that the department can sustain a control-based audit of its annual financial statements in whole or in part".

Footnote 7

Per the TB Policy on Financial Resource Management, Information and Reporting, "the Deputy Head is responsible for ensuring that measures are taken so that the department can sustain a control-based audit of its annual financial statements in whole or in part".

Footnote 8

Guideline on Chief Financial Officer Attestation for Cabinet Submissions, 2014

Footnote 9

Financial Administration Act, 1985

Footnote 10

TB Policy on Internal Control, April 2009

Footnote 11

TB Policy on Internal Control, April 2009

Footnote 12

TB Policy on Internal Control, April 2009
