Audit of Internal Controls over Financial Reporting

September 2022
Internal Audit Report
Prepared by: Audit and Assurance Services Branch

PDF Version (567 KB, 30 Pages)

Acronyms
Executive Summary
1. Context
2. About the Audit
3. Key Findings and Recommendations
4. Conclusion
5. Management Action Plan
Annex A: Audit Criteria

Acronyms

CIRNAC: Crown-Indigenous Relations and Northern Affairs Canada
ISC: Indigenous Services Canada
TB: Treasury Board
ICFR: Internal Controls over Financial Reporting
CFRDO: Chief Finances, Results and Delivery Officer

Executive Summary

Context

Canadians expect that the financial resources of the Government of Canada are well-managed and safeguarded through balanced internal controls that enable flexibility and manage risk. Additionally, reliable financial reporting is expected to demonstrate transparency and accountability to Canadians on how public funds were spent to achieve results. An organization's system of internal controls over financial reporting (ICFR) is intended to meet these expectations. The system of ICFR is designed to mitigate risks based on a process to identify and prioritize key risks, assess effectiveness of associated key controls and implement any corrective action.

In the Government of Canada's Financial Administration Act, the deputy head is designated as the accounting officer with the accountability to maintain an effective system of internal control. The Treasury Board (TB) Policy on Financial Management also states that the Chief Financial Officer supports the deputy head in fulfilling their financial management responsibilities and accountabilities by leading and managing the departmental financial management function and has the responsibility for establishing, monitoring, and maintaining a risk-based system of ICFR.

The effectiveness of the year-round internal control processes that make up the system of ICFR is established in the Statement of Management Responsibility Including ICFR. Appended to the financial statements, the Annex to the Statement of Management Responsibility Including ICFR provides assurance that internal control activities undertaken by the department maintained an effective ICFR system through internal control monitoring activities and action plans.

Crown-Indigenous Relations and Northern Affairs Canada (CIRNAC) and Indigenous Services Canada (ISC) have separate Statements of Management Responsibility Including ICFR. The work to support the Statement of Management Responsibility and its Annex is performed by ISC's Chief Finances, Results and Delivery Officer (CFRDO) Internal Control Team. Services are provided to CIRNAC's CFRDO via a service level agreement between the two departments which identifies the responsibilities for internal control activities within both departments, including: the planning, execution and monitoring of the internal control plan reported upon in the Statement of Management Responsibility Including ICFR and the preparation of the Statement of Management Responsibility Including ICFR. CIRNAC's Financial Operation team provides a liaison and challenge function for CIRNAC on the services provided by ISC.

Why it is important

This audit was identified as a priority because the ICFR process had not been audited since 2015 and the operating environment had changed with the creation of ISC and CIRNAC. In addition, the policy requirements changed with the implementation of the 2017 TB Policy on Financial Management that replaced the TB Policy on Internal Control.

What we examined

The audit objective was to provide assurance that the processes supporting the Internal Control Plan in ISC and CIRNAC are aligned with the ICFR requirements of the TB Policy on Financial Management and meet the coverage and oversight needs of each department.

What we found

Positive Observations

During the audit, some positive observations were identified, including the following:

The audit found that ICFR processes included the results of annual assessments for those that were completed during the year of the assessment. As well, the status of completion on the results of the annual assessments were communicated in the departmental financial statement update presentations.
As part of the assessments being completed, recommendations were made following the identification of control deficiencies and business owners developed management action plans to address these deficiencies.

Opportunities for Improvement

Areas where management control practices and processes could be improved were identified, resulting in the following recommendations:

The Chief Finances, Results and Delivery Officers of ISC and CIRNAC should update the Internal Control Management Framework to ensure that it reflects all TB Policy on Financial Management requirements and that it reflects the operational context of each Department.
The Chief Finances, Results and Delivery Officers of ISC and CIRNAC should monitor the implementation of outstanding management action plans once the tracking system is fully implemented.
The Chief Finances, Results and Delivery Officer of ISC and CIRNAC should strengthen the risk assessment process to include a defined set of risk criteria, risk scales with details for each criteria and supporting narratives for the risk ratings that reflect both quantitative and qualitative input.
The Chief Finances, Results and Delivery Officer of ISC and CIRNAC should perform a risk assessment or an environmental scan that considers the specific financial reporting risks of each department and supports the related ICFR Monitoring Plan.
The Chief Finances, Results and Delivery Officers of ISC and CIRNAC should ensure that a conclusion on the overall strength of the system of internal controls over financial reporting is provided for internal briefing purposes. This conclusion should consider testing that was not completed as planned, control deficiencies that have not been fully addressed by action plans and their potential impacts.
The Chief Finances, Results and Delivery Officers of ISC and CIRNAC should update the monitoring plan to address high risk business processes that have not been tested within the required timelines.

Overall conclusion

The Internal Controls Team within ISC CFRDO provides ICFR services to ISC as well as to CIRNAC. The scope of the audit examined the key activities performed for both Departments from 2018-2019 to 2021-2022 which included the work performed under the operational challenges of the COVID-19 pandemic.

The key departmental guidance for the ICFR activities is the Internal Control Management Framework that was developed in 2015. While it does still include guidance on key ICFR activities, it does not reflect the operational changes from the creation of the 2 new Departments. It only partially complies with the requirements of the TB Policy on Financial Management.

Two key elements of the ICFR process are the ICFR Monitoring Plans and the risk assessments or environmental scan that inform them. There were gaps in the performance of the risk assessments or environmental scans. A decision had been made to shift from individual departmental monitoring plans to a common monitoring plan. Key business processes related to each Department's financial reporting were incorporated into the common business processes in the common monitoring plan. It was not clear if the planned testing for the common business processes would be detailed enough to reflect the testing needs of the original business processes or if the testing frequency efficiently reflected the risk of the individual business processes within the common groupings.

The results of the ICFR activities was shared with the Departments. It included the results of the business process testing, identified deficiencies and the corrective actions required to address them. What was not present in the reporting was a conclusion on the overall strength of the system of internal controls over financial reporting, the impact of planned testing not being performed, and an update of the implementation of corrective actions for previously identified deficiencies.

Statement of conformance

The audit conforms with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing and the Government of Canada's Policy on Internal Audit, as supported by the results of the Quality Assurance and Improvement Program.

Management's response

Management is in agreement with the findings, has accepted the recommendations included in the report and has developed a management action plan to address them. The management action plan has been integrated into this report.

1. Context

Departmental Perspective

Crown-Indigenous Relations and Northern Affairs Canada (CIRNAC) and Indigenous Services Canada (ISC) have separate Statements of Management Responsibility Including ICFR. The work to support the Statement of Management Responsibility and its Annex is performed by the Internal Control Team of ISC's Chief Finances, Results and Delivery Officer (CFRDO) through the internal control plan and testing activities. Services are provided to CIRNAC's CFRDO via a service level agreement between the two departments. The agreement identifies the responsibilities for internal control activities within both departments which includes the planning, execution and monitoring of the internal control plan reported upon in the Statement of Management Responsibility Including ICFR. CIRNAC's Financial Operation team provides a liaison and challenge function on the services provided by ISC.

ICFR Process

Business owners are responsible for the design and implementation of controls to ensure that the TB Policy on Financial Management requirements are being meet. The CFRDO is responsible for establishing, monitoring and maintaining a risk-based system of internal controls over financial reporting and to provide reasonable assurance that the TB Policy on Financial Management requirements are being met.

Figure 1 illustrates the ICFR process as described by the TB Policy on Financial Management. A risk assessment or environmental scan should be conducted to identify and assess the risk level of the financial controls within business processes. Based on the identified risk level, a multi-year ICFR ongoing monitoring plan should be developed. It should outline the planned schedule to conduct assessments to ensure that key controls are functioning as intended and that control risks are mitigated. Based on the results of these assessments, management action plans should be created and business process owners should be held accountable to remediate the identified deficiencies. The assessment results, corrective actions and potential gaps should be collectively reported in the annual financial statements for both ISC and CIRNAC.

**Figure 1 Description of the ICFR process**

2. About the Audit

The Audit of Internal Controls over Financial Reporting is part of the Crown-Indigenous Relations and Northern Affairs Canada and Indigenous Services Canada Risk-Based Audit Plan for 2021-22 to 2022-23, which was presented to the Departmental Audit Committee and approved by the Deputy Ministers in June 2021.

2.1 Why it is important

2.2 Audit objective

The audit objective was to provide assurance that processes supporting the Internal Control Plan in ISC and CIRNAC are aligned with the ICFR requirements of the 2017 TB Policy on Financial Management and meet the coverage and oversight needs of each department.

2.3 Audit scope

The scope of the audit included ICFR activities for both ISC and CIRNAC including risk assessments, the ICFR plan, execution of the plan, reports on results and follow-ups on corrective actions. The audit included ICFR activities for the period from April 2018 to November 2021.

The audit focused on the process in place to perform ICFR work such as the completion of risk assessments to support the development of ICFR Ongoing Monitoring Plans and reporting on the result. The audit did not re-perform the design and operating effectiveness testing of key business processes that was done by CFRDO ISC's Internal Controls team. The audit also excluded the Internal Controls Over Financial Management activities because the work to establish, monitor, and maintain a risk-based system of Internal Controls Over Financial Management was still being implemented by the Departments.

2.4 Audit approach and methodology

The audit was conducted in accordance with the requirements of the TB Policy on Internal Audit and followed the Institute of Internal Auditors International Professional Practices Framework. The audit examined sufficient, relevant evidence and obtained sufficient information to provide a reasonable level of assurance in support of the audit conclusion.

The audit fieldwork was performed from October 2021 to February 2022 and consisted of three phases: planning, conduct and reporting. The main audit techniques used included:

Interviews with key stakeholders;
Process walkthroughs;
Review of relevant documentation, including policies, operational procedures and guidelines; and,
File testing to evaluate how the assessment process was implemented.

The approach used to address the audit objective included the development of audit criteria, against which observations and conclusions were drawn. The audit criteria can be found in Annex A.

3. Key Findings and Recommendations

3.1 Established System of Internal Controls Over Financial Reporting

Background

Under the 2017 TB Policy on Financial Management there are requirements for the development of processes to provide reasonable assurance that public resources are used prudently and in an economical manner, and that relevant legislation, regulations and financial management policy instruments are being complied with.

It was expected that the Departments would have in place a risk-based system for the effective and consistent implementation of internal controls over financial reporting. This system of ICFR would be aligned to the TB Policy on Financial Management. Also, it was expected that the system of ICFR would include the results of the annual assessment of internal controls and that corrective actions addressing control deficiencies would be monitored and tracked until full implementation.

Risk

There is a risk that risk-based ICFR systems are not in place to address financial reporting requirements and that the Departments are not compliant with the TB Policy on Financial Management.

Finding

3.1.1 Risk Based System and Processes of ICFR

In 2015, an Internal Control Management Framework was implemented to support the oversight of the system of ICFR. It has been used as the primary reference document for ICFR activities.

The Internal Control Management Framework provided high-level guidance on the key activities and responsibilities of the Internal Control Team in supporting the oversight of the system of ICFR for ISC and CIRNAC. These included:

Performing a risk assessment or environmental scan to validate the high-risk processes and adjust the multi-year monitoring plan;
Conducting the annual risk-based assessment of ICFR through testing of the operating effectiveness of key controls;
Following-up on management actions on areas of improvement identified during the assessment; and,
Reporting results of the annual testing to Senior Management including the Chief Financial Officer (now called Chief Finances, Results and Delivery Officer).

While the key activities listed in the Internal Control Management Framework were still applicable, the 2015 document was outdated and did not fully reflect operational and policy changes. It did not account for the organizational changes associated with the creation of ISC and CIRNAC or the new financial reporting processes that support their separate financial statements. There were no clear linkages to the management oversight processes described in the 2017 TB Policy on Financial Management that ensure that internal controls requirements were being properly performed. These management oversight processes would certify that:

Records were maintained that support and fairly represented all financial transactions;
Recording of financial transactions allowed for the preparation of internal and external financial information, reports and statements;
Expenditures were made in accordance with delegated authorities, and material unauthorized transactions were prevented or detected in a timely manner; and
Financial resources were safeguarded against material loss due to mismanagement, fraud or omissions.

The weaknesses in the Internal Control Management Framework were the result of not having conducted a detailed review of the system of ICFR to identify gaps and weaknesses and to make updates to the processes that reflect changes in the policy and operating environment. Without an up to date and effective oversight system in place, the ability of the Departments' to provide reasonable assurance that the TB Policy on Financial Management requirements are met may be impacted.

3.1.3 Follow-Up on Control Deficiencies

The Internal Control Team conducted annual assessments of ICFR for specific business processes. These assessments were intended to provide assurance that the internal controls in place were operating effectively and aligned to the TB Policy on Financial Management. Furthermore, the assessments ensured that when deficiencies were noted, recommendations were made to address them.

The audit reviewed three completed assessments: 2018-2019 Contingent Liabilities, 2019-2020 Grants and Contributions and 2020-2021 Payroll. The audit found that for each assessment reviewed, recommendations were made following the identification of control deficiencies. Business owners developed management action plans to address the deficiencies.

While corrective actions were identified and tracked in the year of the assessment, they were not actively monitored in subsequent years to ensure that the management action plan had been fully implemented. As a result, the lack of processes to monitor the implementation of the management action plans could result in ongoing control deficiencies impacting the strength of the system of ICFR.

During the audit, the Internal Control Team began designing a tracking system that would monitor the implementation of the corrective actions in the management action plans since 2018-19. The Internal Control Team reached out to ISC and CIRNAC business owners to obtain status updates to populate the tracker. The tracking document was in its preliminary phase and had not been fully populated.

Recommendation

The Chief Finances, Results and Delivery Officers of ISC and CIRNAC should update the Internal Control Management Framework to ensure that it reflects all TB Policy on Financial Management requirements and that it reflects the operational context of each Department.
The Chief Finances, Results and Delivery Officers of ISC and CIRNAC should monitor the implementation of outstanding management action plans once the tracking system is fully implemented.

3.2 Design of the ICFR Ongoing Monitoring Plan

Background

The TB Policy on Financial Management requires that departments establish a risk-based system of ICFR which includes a risk assessment every three to five years and to perform annually a documented environmental scans in intervening years between risk assessments. The environmental scans include the same activities of a full risk assessment but it may be less intense or comprehensive. An environmental scan involves determining whether there have been significant changes to the personnel, process or systems to ensure that internal controls remain effective and whether the ongoing monitoring plan needs to be updated.

It was expected that the risk assessment or annual environmental scan would consider the specific risks of each Department and would be reflected in the ICFR Ongoing Monitoring Plan. Additionally, it was expected that a set of criteria would be established to support the prioritization and selection of business processes in the ICFR Ongoing Monitoring Plan.

Risk

There is a risk that risk assessment procedures, including defined risk criteria, have not been established, increasing the likelihood that high-risk business processes are not being identified and appropriately mitigated. There is a risk that the prioritization of ICFR assessments of business processes does not take into consideration the unique risks of both Departments, increasing the likelihood that control deficiencies leading to financial misstatements are not being proactively identified and corrected.

Finding

3.2.1 Frequency of Risk Assessment

It was found that risk assessments or environmental scans were not conducted annually as required by TB policy. When risk assessments were conducted, the monitoring plans were also updated. There was an exception in 2019-2020 when the Monitoring Plan in place at that time was updated without risk assessments or documented environmental scans being performed. There was no documented evidence on the criteria used or the rationales for the changing risk levels and subsequent changes to the plan. Table 1 illustrates how often risk assessments and monitoring plans were updated.

Table 1 Risk assessments and monitoring plan updates
Fiscal Year	Risk Assessment		ICFR Monitoring Plan
Fiscal Year	ISC	CIRNAC	ISC	CIRNAC
2018-2019	Comprehensive risk assessment	Comprehensive risk assessment	ISC Monitoring Plan for 2019-2024	CIRNAC Monitoring Plan for 2019-2024
2019-2020	No risk assessment or environmental scan	No risk assessment or environmental scan	Monitoring Plan revised but no documented support for the revision	Monitoring Plan revised but no documented support for the revision
2020-2021	High level risk assessment		ISC and CIRNAC Monitoring Plan for 2021-2026
2021-2022	No risk assessment or environmental scan		A revised 2022-2023 Monitoring Plan had not been approved at the time of the audit.

The 2018-19 risk assessment was completed for each department and it included defined risk criteria with corresponding risk scales (i.e. high, medium and low risk). It also detailed the current business conditions and supporting rationales for risk levels reflecting quantitative and qualitative factors. The next time the risk assessment was updated was in 2020-21. The risk criteria were reduced and risk scales were not provided to define high, medium or low risk. There were no rationales to support the assessed risk ratings. In the intervening years between risk assessments, there were no documented environmental scans completed to support the changes made to the monitoring plans.

3.2.2 Departmental monitoring plans

The ICFR Ongoing Monitoring Plan for 2019-2024 outlined a five-year plan for the assessment of internal controls within the highest risk business processes. Each Department had their separate ICFR Ongoing Monitoring Plan 2019-2024 that reflected their specific business processes and financial reporting risks.

The subsequent ICFR Ongoing Monitoring Plan for 2021-2026 adopted a common approach for both Departments. The plan included grouping the different business processes into common business processes for both Departments. Table 2.1 identifies the CIRNAC and Table 2.2 identifies the ISC business processes that were incorporated into common business processes.

There was no documentation to explain how this common approach would be operationalized. There was no documentation to explain the rationale for grouping these different business processes into common business processes. There was no documentation to determine if the same level of testing would continue for the different business processes once they were grouped into common business processes.

Furthermore, it was not clear if the common approach efficiently assessed the risk of different business processes. For example, in the CIRNAC Monitoring Plan for 2019-2024, Guaranteed Loans was ranked as Medium risk but the Liabilities group that it was incorporated into it was ranked as High risk in the ISC and CIRNAC Monitoring Plan for 2021-2026. There was no documentation to determine if the change in risk level was a function of the highest risk level in the grouped business processes or if the risk had evolved between monitoring plans.

Table 2.1 CIRNAC specific business processes vs common monitoring plan
CIRNAC Monitoring Plan for 2019-2024		CIRNAC Monitoring Plan for 2021-2026
Processes	Risk Level	Processes	Risk Level
Contingent Liabilities - Comprehensive Claims	Medium	Liabilities	High
Contingent Liabilities - General Litigation	Medium	Liabilities	High
Contingent Liabilities - Specific Claims	High	Liabilities	High
Environmental Liabilities	Medium	Liabilities	High
Guaranteed Loans	Medium	Liabilities	High
Entity Level Controls	Low	Entity level controls	High
Financial Close and Reporting	High	Financial Close and Reporting	Medium
Grants & Contributions	High	Transfer payments	High
Direct Loans	Low	Assets	Medium
Tangible Capital Assets	Low	Assets	Medium
Information Technology General Controls	Medium	IT General Controls	High
Pay Administration	High	Salaries and benefits	High
Purchases, Payables and Payments	Medium	Operating Expenses	High
Revenue Management & Guarantee Deposits	Low	Revenue	Medium

Table 2.2 ISC specific business processes vs common monitoring plan
ISC Monitoring Plan for 2019-2024		ISC Monitoring Plan for 2021-2026
Processes	Risk Level	Processes	Risk Level
Trust Accounts	Medium	Liabilities	High
Entity Level Controls	Low	Entity level controls	High
Financial Close and Reporting	High	Financial Close and Reporting	Medium
Grants & Contributions	High	Transfer payments	High
Non-Insured Health Benefits (NIHB) - Express Script Canada (ESC)	Medium	Transfer payments	High
Tangible Capital Assets	Low	Assets	Medium
Information Technology General Controls	Medium	IT General Controls	High
Pay Administration	High	Salaries and benefits	High
Purchases, Payables and Payments	Medium	Operating Expenses	High
NIHB non-ESC	Medium	Operating Expenses	High

The changes in the approach for performing risk assessments or environmental scans and updating the ICFR Monitoring Plans and the lack of documented risk assessments or environmental scans were the results of staff turnover and the subsequent loss of corporate knowledge in the Internal Control Team. The operational challenges during the COVID-19 pandemic also impacted the work of the Internal Controls Team.

The lack of risk assessments or environmental scans may limit the Departments' ability to identify significant changes in their risk environment. It also limits the ability of the monitoring plan to target the business processes with the highest financial reporting risks.

Moreover, without considering the specific risks from each Department when updating the ICFR Monitoring Plan, the risks may not be effectively mitigated through internal controls and potentially lead to financial misstatements.

Recommendations

The Chief Finances, Results and Delivery Officer of ISC and CIRNAC should strengthen the risk assessment process to include a defined set of risk criteria, risk scales with details for each criteria and supporting narratives for the risk ratings that reflect both quantitative and qualitative input.
The Chief Finances, Results and Delivery Officer of ISC and CIRNAC should perform a risk assessment or environmental scan that considers the specific financial reporting risks of each department and supports the related ICFR Monitoring Plan.

3.3 Reporting on Results

Background

For the CFRDOs of both Departments to provide assurance on the strength of the ICFR system, the full breadth of information on the strength of the system of ICFR and any deficiencies would be needed in the internal briefings. This would include the results of testing, testing that was not completed as well as identified control deficiencies and their associated corrective actions.

It was expected that comprehensive information packages were developed to support the conclusion on the strength of internal controls in each Department.

Risk

There is a risk that reporting on ICFR activities, results and corrective action may lack the required level of detail to establish the strength of the systems of ICFR in each Department.

Finding

3.3.1 Completion of Planned Business Process Testing

The Internal Control Team prepared the required Statement of Management Responsibility Including ICFR for external reporting purposes. This information in the statement is prescribed by TB guidance.

A presentation deck to brief management internally was the key document used to share the results of the ICFR activities. The presentation included high-level information on the financial figures, a summary of the internal control plan, the completed business process testing and any identified control deficiencies from those assessments. While the information provided in the presentation was accurate, the reporting was not complete. For example, the presentation did not include the results of other key ICFR activities such as whether the risk assessment or environmental scan had been performed, the business process testing that were not completed as planned and the status of management action plans from previous years.

The audit reviewed the planned business process testing for 2018-19, 2019-20 and 2020-21 that was described in the monitoring plans in place for those years. The planned testing was compared to the completed business process testing. The review found that the planned testing was not always fully implemented. In 2018-19, 100% (6 of 6) of the planned assessments were completed but then the completion rate decreased in subsequent years. In 2019-20, 43% (3 of 7) of the planned assessments were completed and in 2020-21, 50% (2 of 4) of the planned assessments were completed. The Internal Control Team stated that the operational challenges during the COVID-19 pandemic impacted their ability to complete the planned assessments.

The assessments that were not completed were carried forward to subsequent years. For example, the planned testing of the Payroll and Grants and Contributions business processes was not completed in 2019-2020 but was performed in 2020-2021. The planned assessments for 2020-2021 were then pushed to subsequent years and this can be seen in the testing for the Entity Level Controls being delayed to 2021-22 and the testing for the IT General Controls being delayed to 2022-23.

This delay in testing and subsequent rescheduling had an impact on the completion of the testing of high-risk processes. In 2019-20 there was a departmental requirement to complete testing of high-risk processes every two years, medium risk every three and low risk every four. There was no testing frequency stated in the current 2021-22 to 2025-26 ICFR Ongoing Monitoring Plan so the previous requirement was used as a reasonable baseline for the timing to complete testing to ensure adequate coverage. Table 3 outlines several business processes noted as high risk in the ICFR Ongoing Monitoring Plan that have not had an assessment every two years as required.

Table 3 Frequency of Testing for High-Risk Business Processes
Business Process	Risk Level	Last Testing	Current Planned Testing Date	Years Between Last and Planned Testing
Contingent Liabilities - General Litigation	High	2018-19	2023-24	5 Years
Contingent Liabilities - Environmental	High	2017-18	2023-24	6 Years
Contingent Liabilities - Comprehensive and Specific Claims	High	2016-17	2023-24	7 Years
Entity Level Controls	High	2015-16	2021-22	6 Years
IT General Controls	High	2017-18	2022-23	5 Years

3.3.2 ICFR Processes Include the Results of Annual Assessments

A complete and accurate ICFR system, as outlined in the TB Policy of Financial Management, should include the results of annual assessments of internal controls over financial reporting, actions taken and future plans, including common services.

The audit found that the results of the annual assessment of the system of ICFR were included in the ICFR Ongoing Monitoring Plans, for those completed during that year, as well as the results of annual assessment of the system of internal controls over common services. Additionally, the status of completion on the results of the annual assessments were being reported for ISC and CIRNAC in the Departmental financial statement update presentations.

The internal reporting did not include information that would be relevant to the overall assessment of the system of internal controls over financial reporting. This would include the planned testing that was not performed and the impact of that testing gap. It would also include the status of the corrective actions of deficiencies identified in previous years.

The lack of assessments of high-risk business process for an extended period of time and the lack of reporting on the impact of the incomplete management action plans may limit the Internal Control Team's ability to conclude on the overall strength of the internal control processes. It is the responsibility of the Internal Control Team to inform Senior Management and demonstrate the strength of the system of internal control by communicating all relevant information including these key elements. Without this information, it may be challenging to establish the full picture of the status of activities being done and not done as well as the resulting risk and impacts on the strength of the system of ICFR. The Internal Control Team explained that reporting was streamlined based on operational considerations at the time; however, it had not been documented.

Recommendation

The Chief Finances, Results and Delivery Officers of ISC and CIRNAC should ensure that a conclusion on the overall strength of the system of internal controls over financial reporting is provided for internal briefing purposes. This conclusion should consider testing that was not completed as planned, control deficiencies that have not been fully addressed by action plans and their potential impacts.
The Chief Finances, Results and Delivery Officers of ISC and CIRNAC should update the monitoring plan to address high risk business processes that have not been tested within the required timelines.

4. Conclusion

Two key elements of the ICFR process are the ICFR Monitoring Plans and the risk assessments or environmental scans that inform them. There were gaps in the performance of the risk assessments or environmental scans. A decision had been made to shift from individual departmental monitoring plans to a common monitoring plan. Key business processes related to each Department's financial reporting were incorporated into the common business processes in the common monitoring plan. It was not clear if the planned testing for the common business processes would be detailed enough to reflect the testing needs of the original business processes or if the testing frequency efficiently reflected the risk of the individual business processes within the common groupings.

5. Management Action Plan

Management's Detailed Response and Action Plan

The internal control team within the Corporate Accounting, Policy and Internal Control directorate of ISC provides internal control services to both ISC and CIRNAC. In recent years, there has been a significant amount of staff turnover in the unit that has resulted in a loss of both corporate knowledge and documentation of processes. The impacts of COVID-19 have also resulted in a shift of focus to assess the impacts of the pandemic on the control environment.

Though it has not been possible to perform some assessments of high risk processes within the time frame set out (two years) in recent years, there are many compensating controls that have been relied upon to provide assurance that the internal controls are effective and the risk of material misstatement is low. For example, for contingent liabilities, the methodologies used to assess the liability have remained stable in recent years with the exception of the methodology for specific claims which was modified in 2017-18. The updated specific claim methodology was reviewed by Ernst & Young in 2017-18, which concluded that the methodology was appropriate, and the management action plan for recommended improvements to the process was implemented in 2018-19. The contingent liability process has been further strengthened by the implementation of a Director General level committee with membership from CFRDO sector, program sectors as well as central agencies including the Office of the Comptroller General and Department of Finance, who review the quarterly contingent liability submission as well as any significant claims to support the accounting treatment. The liability for contingent liabilities for both ISC and CIRNAC and environmental liabilities for CIRNAC are audited by the Office of the Auditor General every year as a part of their audit of the Public Accounts of Canada due to materiality. The 2020-21 OAG audit did not note any issues with regards to contingent or environmental liabilities for ISC and CIRNAC.

Management is in agreement with the recommendations made by Internal Audit and will prioritize the implementation of recommendations with additional efforts to document processes, findings and briefings to senior management.

To date, the actions to address the recommendations have been fully implemented by the CFRDO sector with the exception of the Internal Control Framework which is currently underway and expected to be completed by December 31, 2022.

Although Management agrees with the recommendations resulting from Internal Audit's review and has diligently worked to implemented them in advance of the signing of the 2021-22 Departmental Financial Statements, Management would like to clarify that the audit did not examine the effectiveness of the internal controls themselves nor have there been any concerns by the Office of the Auditor General with the quality of ISC's or CIRNAC's financial information in recent years audits of the public accounts plates and forms.

Additional context is also needed in regards to the meaning of a risk based system of internal control. A risk based systems implies that internal control assessments will be planned based on assessed level of risk and resource availability. The planned assessments may be modified in order to respond to emerging risks, such as the impact of COVID on the system of internal controls. This may result in delayed testing for other business processes which is acceptable from a policy perspective. Management does recognize that any changes to the ongoing monitoring plan and delays in testing should be properly documented and approved.

Recommendations	Management Response / Actions	Responsible Manager (Title)	Planned Implementation Date
1. The Chief Finances, Results and Delivery Officers of ISC and CIRNAC should update the Internal Control Management Framework to ensure that it reflects all TB Policy on Financial Management requirements and that it reflects the operational context of each Department.	Corporate Accounting, Policy and Internal Control (CAPIC) drafted an updated of the Internal Control Framework in 2021-22. The Framework will be finalized in 2022-23 and will include the requirements in the TB Policy on Financial Management including the process to monitor the implementation of outstanding management actions plans and the operational context of both ISC and CIRNAC.	Director, Corporate Accounting, Policy and Internal Control	December 31, 2022
2. The Chief Finances, Results and Delivery Officers of ISC and CIRNAC should monitor the implementation of outstanding management action plans once the tracking system is fully implemented.	In Q3 and Q4 of 2021-22, CAPIC monitored the implementation of the management actions plans completed during the preceding year (Payroll & Salary and G&Cs) by reaching out to the Offices of Primary Interest and reporting on progress to senior management (DCFO on a quarterly basis and CFRDO on an annual basis). CAPIC will continue monitoring the implementation on a quarterly basis until all Management Action Plans (MAPs) are fully implemented. A consolidated management action plan tracking tools has been developed and operationalized. MAPs from all previous internal control assessments have been added and the status of unresolved MAPs have been updated through consultation with the OPIs. The MAPs from new assessments will be added to ensure that all MAPs are contained within this central repository. All high risk MAPs have been fully resolved or are in progress of being resolved. The internal control team will follow up with the OPIs on a quarterly basis until the MAPs are fully implemented and will report to senior management on the status and any potential risks of MAPs that remain unresolved beyond the planned implementation date.	Director, Corporate Accounting, Policy and Internal Control	July 31, 2022
3. The Chief Finances, Results and Delivery Officer of ISC and CIRNAC should strengthen the risk assessment process to include a defined set of risk criteria, risk scales with details for each criteria and supporting narratives for the risk ratings that reflect both quantitative and qualitative input.	ISC engaged an external consulting firm with expert knowledge of public sector internal controls to review ISC's and CIRNAC's risk assessment process. The risk assessment process from 2018 was reviewed. This risk assessment process was developed internally at ISC in 2018. It was developed based on industry standards and best practices including guidance and tools from the Institute of Internal Auditors. The consulting firm confirmed that our approach to risk assessment is aligned with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework, TBS policy, is comparable to other departments and is sufficient to meet the needs of ISC and CIRNAC. Their overall conclusion was that this risk assessment process was robust. During this review, the risk assessment process was improved to further strengthen its results. The following improvements were implemented: Separated ISC and CIRNAC into two comprehensive risk assessments with unique business processes and risk ratings for each department; Expanded review of documentation; reviewed all control self-assessments prepared by the business process owners, financial statements, previous audits & evaluations, OAG audits, previous Internal Control assessments and most recent CRPs; Updated weights in risk scales, based on discussion with internal controls teams to improve overall accuracy in risk ratings; Updated the time between assessments to align to resource capacity and OGD processes; Focused on residual risk, looking at the impact and effectiveness of controls in place rather than solely assessing inherent risk; Included all internal controls over financial management (ICFM) processes (which must be assessed by 2023-24 for MAF) not just the traditional ICFR accounts and processes.	Director, Corporate Accounting, Policy and Internal Control	July 31, 2022
4. The Chief Finances, Results and Delivery Officer of ISC and CIRNAC should perform a risk assessment or an environmental scan that considers the specific financial reporting risks of each department and supports the related ICFR Monitoring Plan.	While an annual risk assessment or environmental scan has been completed most years, CAPIC will improve the documentation of the process in order to support general conclusions on the strength of the risk based system of internal controls and the risks of the material misstatement and resulting updates to the ongoing monitoring plan. CAPIC has performed a full and distinct risk assessments for ISC and CIRNAC following the review and strengthening of its 2018 process, and has updated the 2022-23 to 2026-27 ongoing monitoring plans. The 2022 Risk Assessment followed the following methodology: Conducted interviews and surveys/questionnaires with Business Process Owners to identify risk drivers; Reviewed detailed documentation associated with the risk drivers, per the categories below: Materiality - Significance to Public Accounts and Departmental Financial Statements Reviewed the 2020/21 financial statements for materiality of each of the key processes against the Public Accounts of Canada as well as ISC and CIRNAC's own final statements Organizational, Program, Legislation, Policy, Personnel and IT Changes: Collected information via interviews and control self-assessment questionnaires regarding each of the key processes for ICFR – determined whether processes were for CIRNAC or ISC or both and then separating the information by Department Complexity of Business Process / Control Environment - Reviewed the complexity of the process, how many processes feed into it and its controls environment for any additional risks Time since and Results of Last Assessments - Determined the time since last Internal Control assessment, with higher risk associated to a longer time since last assessed and significance of findings linked to risk rating Prior internal/external audit findings - Reviewed audits and OAG findings on financial statements to identify any areas for improvement Corporate Risk Profile - Reviewed the most recent CRP to determine whether any key risks impact the process. Added the ICFM processes to the assessment; Held working sessions with key stakeholders to validate the risk assessment for each of the Departments; Drafted the five-year plan, considering both ICFR and ICFM processes. The final risk assessments were reviewed and approved by senior management. The result was two distinct risk assessments for ISC and CIRNAC that consider each departments financial reporting risks and updated five year ongoing monitoring plans that considers the risk level and time since last assessment.	Director, Corporate Accounting, Policy and Internal Control	July 31, 2022
5. The Chief Finances, Results and Delivery Officers of ISC and CIRNAC should ensure that a conclusion on the overall strength of the system of internal controls over financial reporting is provided for internal briefing purposes. This conclusion should consider testing that was not completed as planned, control deficiencies that have not been fully addressed by action plans and their potential impacts.	CAPIC has provided an annual conclusion on the strength of the risk based system of internal control over financial reporting in the presentation to DAC as well as the briefing note to the Deputy Minister that accompanies the Departmental Financial Statements and updated letter of Representation. It should be noted that the system of internal control over financial management (including reporting) is risk based and is designed to provide reasonable assurance, not absolute assurance. For this reason, the conclusion can only provide assurance that the system of internal control is operating effectively. This is consistent with the requirements in the TBS Policy on Financial Management and Guide to Internal Control over Financial Management. The conclusion that the risk-based system of internal control over financial reporting is operating effectively and considers the following: The planned assessments in the 2021-22 ongoing monitoring plan were fully completed and no significant deficiencies were noted; Outstanding MAPs from previous year assessments were monitored and were substantially implemented; A full and distinct ICFM risk assessment was completed for ISC and CIRNAC resulting in updated five-year ongoing monitoring plans; CFRDO sector continues to perform continuous monitoring activities such as the quarterly Post Payment Verification, implementation of a salary quality assurance program and updating of account certification processes to monitor, inform and mitigate risk.	Director, Corporate Accounting, Policy and Internal Control	August 31, 2022
6. The Chief Finances, Results and Delivery Officers of ISC and CIRNAC should update the monitoring plan to address high risk business processes that have not been tested within the required timelines.	In the 2022-23 to 2026-27 ongoing monitoring plans for ISC and CIRNAC, the planned assessment were outlined based on the updated full and distinct risk assessment for ISC and CIRNAC. The assessments were prioritized by considering the assessed level of risk and the timing since the last assessment. The plan tests high risk processes every two year, medium risk processes every four years and low risk processes every six years. This is a change in the time between assessments from previous years ongoing monitoring plans which was made to align to resource capacity is compliant with TBS guidance and is consistent with other government departments internal control practices. The ongoing monitoring plan results in the assessment of five to six business processes per year. This will be achieved by leveraging a large multiyear umbrella contract which will allow CAPIC to engage multiple accounting firms to conduct the required assessments.	Director, Corporate Accounting, Policy and Internal Control	August 31, 2022

Annex A: Audit Criteria

To ensure an appropriate level of assurance to meet the audit objectives, the following audit criteria were developed to address the objectives.

Audit Criteria

1. A risk-based system of ICFR has been established, monitored and maintained.

1.1 ICFR processes are in place to ensure that records are maintained that support and fairly represent all financial transactions.

1.2 ICFR processes are in place to ensure that recording of financial transactions allows for the preparation of internal and external financial information, reports, and statements.

1.3 ICFR processes are in place to ensure that expenditures are made in accordance with delegated authorities, and material unauthorized transactions are prevented or detected in a timely manner.

1.4 ICFR processes are in place to ensure that financial resources are safeguarded against material loss due to mismanagement, fraud, or omissions.

1.5 ICFR processes include the results of the annual assessment of the system of internal controls over financial reporting, actions taken and future plans.

1.6 ICFR processes include the results of the annual assessment of the system of internal controls over common services.

1.7 Corrective action are established for implementation when control deficiencies and unmitigated risks are identified.

2. The Internal Control Plan is risk-based and prioritizes the financial reporting requirements of each department.

2.1 The risk-based Internal Control Plan reflects the financial reporting risks of each department.

2.2 A set of criteria was established to support the prioritization and selection of processes in the Internal Control plan.

3. The CFRDOs of ISC and CIRNAC receive sufficient information to provide their oversight.

3.1 The conclusion on the strength of the internal control processes tested in the Internal Control Plan are accurate and complete. This includes the testing that was not completed, any identified control deficiencies and the associated corrective actions.

3.2 The conclusion on the strength of the internal control processes includes the status of control deficiencies identified in previous years and if the corrective actions have addressed them.

Did you find what you were looking for?

What was wrong?

I can't find the information

The information is hard to understand

There was an error or something didn't work

Other reason

Please provide more details

You will not receive a reply. Don't include personal information (telephone, email, SIN, financial, medical, or work details).
Maximum 300 characters

Date modified:: 2023-05-05