Audit of Internal Control over Financial Management

Table of contents

• Executive summary
• Conformance with professional standards
• Introduction
  • Background
  • Audit objective
  • Scope
  • Approach and methodology
  • Authority
• Findings, recommendations and management response
  • Governance and oversight
  • Risk assessment and ongoing monitoring plan
  • Control testing
  • Communicating results
  • Internal and external reporting
• Appendices
  • Appendix A: Audit criteria
  • Appendix B: Acronyms
  • Appendix C: 2020/2021 to 2023/2024 internal control over financial management work plan

Executive summary

In 2017, the Treasury Board of Canada (TB) established the Policy on Financial Management, which provides key responsibilities for deputy heads, chief financial officers (CFOs) and senior departmental managers in exercising effective financial management. The policy aims to ensure that the financial resources of the Government of Canada are well managed and safeguarded through balanced controls that allow for flexibility and manage risk. As per the policy, departments and agencies must establish, monitor and maintain a risk-based system of internal control over financial management (ICFM) and internal control over financial reporting (ICFR), which is a subset of ICFM. ICFM is a set of measures and activities that provide reasonable assurance of the effectiveness and efficiency of the financial management activities of the department. ICFR is a set of measures and activities that ensure the validity, accuracy and completeness of financial reporting, such as departmental financial statements. To support departments and agencies in developing and implementing key internal control frameworks and measures, and with the ongoing monitoring of internal controls and the maintenance of an effective system of ICFM, the TB released the Guide to Internal Control Over Financial Management and the Guide to Ongoing Monitoring of Internal Controls Over Financial Management in 2019.

A system of ICFM is structured around three categories of controls: business process controls, information technology general controls (ITGCs) and entity-level controls (ELCs). Business process controls are activities carried out during the initiation, recording, processing and reporting of financial information, as well as control activities related to financial management processes. They are designed to operate at a level of precision that will prevent or detect and correct errors related to ICFM. ITGCs help ensure the reliability of financial data generated by information technology systems and support the assertion that systems operate as intended and that output is reliable. ELCs address the "tone at the top," including an organization's corporate culture and commitment to integrity and ethical values. They establish guidelines for an organization's governance, financial analysis and integrity, and adherence to applicable laws and professional standards.

Within Statistics Canada, there are currently 12 key business processes, consisting of 5 financial management business processes, 6 financial reporting business processes, and 1 business process that pertains to both financial management and reporting (see Appendix C). With respect to ITGCs, the agency has identified 13 systems that have either a direct or an indirect impact on financial transactions or information required for annual reporting. The agency has established a control matrix to conduct monitoring of its ELCs based on the industry standard Committee of Sponsoring Organizations (COSO) framework.^{Footnote 1} The ELC control matrix identifies 79 individual control activities.

The internal controls team within the Procurement, Financial Systems and Internal Controls Division, Corporate Strategy and Management Field, is responsible for supporting the deputy CFO in implementing the Policy on Financial Management. Business process owners (BPOs) are directors and managers for whom a key business process falls under their program responsibility. They are responsible for overseeing the controls associated with a particular business process or an ITGC process.

Why is this important?

Statistics Canada experienced a period of unprecedented growth over the last several years, as demand for its data grew at a rapid pace during the COVID-19 pandemic. In 2022/2023, the agency faced unprecedented financial pressures, and mitigation strategies were implemented to curtail a material deficit that had been forecasted in the mid-year financial situation report.

Consequently, financial stewardship and adherence to established processes are priorities for senior management. A well-established and effective system of ICFM is expected to provide reasonable assurance that public resources are used prudently and economically; that financial management processes are effective and efficient; and that relevant legislation, regulations and financial management policy instruments are being complied with.

Further, systems and practices have been in place for the documentation and assessment of ICFR since 2009.^{Footnote 2} The requirement to document, assess and monitor risks and controls for ICFM business processes was introduced in 2017 through the TB Policy on Financial Management. Since 2019, work has continued to reach the ongoing monitoring stage for all ICFM business processes. Therefore, there is value in providing reasonable assurance that the broader ICFM program is adequate and effective.

Overall conclusion

Statistics Canada has an adequate and effective framework and processes in place to assess, monitor and report on the system of ICFM. The agency was found to be compliant with the TB policy and guidelines in relation to ICFM. Some minor opportunities for improvement were noted in the areas of risk assessments and reporting, which will strengthen and mature the program to meet the agency's needs and risk profile going forward.

Key findings

Governance and oversight

The agency has an appropriate governance structure in place for the system of ICFM, with clear roles, responsibilities and accountabilities for all stakeholders.

Risk assessment and ongoing monitoring plan

An adequate ongoing monitoring plan has been documented and implemented, supported by an annual risk assessment process, which provides the agency with sufficient monitoring, commensurate with the risks of key ICFM business processes.

Control testing

Testing methodologies and activities for control assessments were effective and consistently applied during the period under review. A documented ICFM testing strategy that is aligned with TB guidance and industry best practices is in place. The agency would benefit from mapping all controls being monitored to related risks. This would help identify areas of over-control and areas where risks may not be sufficiently covered by existing controls, indicating where new controls might need to be implemented.

Communicating results

Results of key control testing are documented and communicated to BPOs in a timely and effective manner. Management action plans are obtained with minimal delay, and the action plan tracking and monitoring system was found to be accurate and complete.

Internal and external reporting

The Annex to the Statement of Management Responsibility is compliant with the format prescribed by the TB, and the information contained in the annex, as well as the reports to the Departmental Audit Committee, was found to be accurate. However, the planned regular reporting to the Strategic Management Committee did not occur.

Conformance with professional standards

The audit was conducted in accordance with the Mandatory Procedures for Internal Auditing in the Government of Canada, which include the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing.

Sufficient and appropriate audit procedures have been conducted, and evidence has been gathered to support the accuracy of the findings and conclusions in this report and to provide an audit level of assurance. The findings and conclusions are based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria. The findings and conclusions are applicable to the entity examined and for the scope and period covered by the audit.

Steven McRoberts
Chief Audit and Evaluation Executive

Introduction

Background

In 2017, the Treasury Board of Canada (TB) established the Policy on Financial Management (the policy), which provides key responsibilities for deputy heads, chief financial officers (CFOs) and senior departmental managers in exercising effective financial management. The policy aims to ensure that the financial resources of the Government of Canada are well managed and safeguarded through balanced controls that allow for flexibility and manage risk. As per the policy, departments and agencies must establish, monitor and maintain a risk-based system of internal control over financial management (ICFM) and internal control over financial reporting (ICFR), which is a subset of ICFM. ICFM is a set of measures and activities that provide reasonable assurance of the effectiveness and efficiency of the financial management activities of the department. ICFR is a set of measures and activities that ensure the validity, accuracy and completeness of financial reporting, such as departmental financial statements. To support departments and agencies in developing and implementing key internal control frameworks and measures, and with the ongoing monitoring of internal controls and the maintenance of an effective system of ICFM, the TB released the Guide to Internal Control Over Financial Management and the Guide to Ongoing Monitoring of Internal Controls Over Financial Management in 2019.

A system of ICFM is structured around three categories of controls: business process controls, information technology general controls (ITGCs) and entity-level controls (ELCs). Business process controls are activities carried out during the initiation, recording, processing and reporting of financial information, as well as control activities related to financial management processes. They are designed to operate at a level of precision that will prevent or detect and correct errors related to ICFM. ITGCs help ensure the reliability of financial data generated by information technology systems and support the assertion that systems operate as intended and that output is reliable. ELCs address the "tone at the top," including an organization's corporate culture and commitment to integrity and ethical values. They establish guidelines for an organization's governance, financial analysis and integrity, and adherence to applicable laws and professional standards.

Within Statistics Canada, there are currently 12 key business processes, consisting of 5 financial management business processes, 6 financial reporting business processes, and 1 business process that pertains to both financial management and reporting (see Appendix C). With respect to ITGCs, the agency has identified 13 systems that have either a direct or an indirect impact on financial transactions or information required for annual reporting. The agency has established a control matrix to conduct monitoring of its ELCs based on the industry standard Committee of Sponsoring Organizations (COSO) framework.^{Footnote 3} The ELC control matrix identifies 79 individual control activities.

The internal controls team within the Procurement, Financial Systems and Internal Controls Division, Corporate Strategy and Management Field, is responsible for supporting the deputy CFO in implementing the policy. This includes

• maintaining internal control documentation
• coordinating annual testing activities
• ensuring adequate follow-up on identified control weaknesses
• supporting the preparation of reports and updates for senior management.

Business process owners (BPOs) are directors and managers for whom a key business process falls under their program responsibility. They are responsible for overseeing the controls associated with a particular business process or an ITGC process. Their responsibilities include

• validating risk assessments and control documentation
• providing documentation and assisting with assessments conducted in their area of responsibility
• carrying out remediation action plans for identified control weaknesses.

A full risk assessment of the agency's system of ICFM was last conducted in 2019/2020, and the next risk assessment is scheduled for 2023/2024.^{Footnote 4}

Audit objective

The objective of the audit was to provide reasonable assurance on the adequacy and effectiveness of the framework and processes in place to support compliance with the TB policy and guidelines in relation to ICFM.

Scope

The audit scope included an assessment of relevant processes and activities used to document, assess, monitor and report on the agency's system of ICFM, including ICFR, for fiscal years 2020/2021 to 2022/2023. This included a review of various internal control assessments within this timeframe that were completed to test the design and operating effectiveness of business process controls, ITGCs and ELCs. In addition, the risk assessment of ICFM from 2019/2020 was included within the audit scope because it is the most recent full risk assessment. The audit also assessed the governance framework in place to oversee the agency's system of ICFM.

The audit team did not assess the accuracy of the agency's financial statements or the design and operating effectiveness of individual business process controls, ITGCs or ELCs. Further, audit work did not include the reperformance of control testing activities. The accuracy of the agency's financial statements is outside the mandate of the internal audit, and assurance on specific business processes may be assessed through future audit or advisory engagements.

Approach and methodology

This audit was conducted in accordance with the Mandatory Procedures for Internal Auditing in the Government of Canada, which include the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing.

The audit work consisted of

• examination and analysis of relevant internal documentation
• file testing of a selection of internal control assessments
• interviews and walk-throughs with key management and staff.

Authority

The audit was conducted under the authority of the approved Statistics Canada Integrated Risk-based Audit and Evaluation Plan 2023/2024 to 2027/2028.

Findings, recommendations and management response

Governance and oversight

A governance structure is in place for the system of ICFM.

According to the Financial Administration Act and the Policy on Financial Management, the chief statistician (CS), CFO and assistant chief statisticians (ACSs) have roles and responsibilities with regard to implementing, maintaining, assessing and ensuring a risk-based system of ICFM. ACSs should be informed that they are accountable for the system of ICFM within their area of responsibility. In addition, departments and agencies should also report to their Departmental Audit Committee (DAC) on the system of ICFM at least annually and include key risks that impact the system of ICFM, the ongoing monitoring plan and the results of assessments. The DAC provides objective advice and recommendations to the CS about the sufficiency, adequacy, functioning and quality of the agency's management, control and governance of risk frameworks and processes.

The audit team examined the agency's ICFM framework and determined that it was aligned with the current TB policy and the accompanying guides. The audit also observed that ACSs are informed of their ICFM roles, responsibilities and accountabilities annually by including financial management responsibilities in their performance management agreements, as well as requiring them to sign an annual attestation on their field's adherence to the system of internal control.

The primary oversight body for the system of ICFM is the DAC, which receives updates on the status of the ICFM plans and results tri-annually. The agency's DAC charter outlines that the DAC is expected to review and advise the CS on the agency's internal control arrangements. A review of the meeting minutes for the DAC during the period under review indicated evidence of engagement by the DAC members with respect to ICFM, including a challenge function and advice on higher-risk items. The CFO and CS attend the DAC meetings as well.

The Internal Controls Steering Committee, formerly tasked with reviewing periodic updates on internal control activities as outlined in the agency's ICFM monitoring strategy, was discontinued in 2021. According to the 2021/2022 annual work plan of the ICFM monitoring strategy, semi-annual internal control updates were planned to be provided to the Strategic Management Committee (SMC). The CFO and CS, along with the ACSs, are members of the SMC. This inclusive involvement ensures that all key stakeholders are consistently kept informed about the status of the system of ICFM and facilitates prompt communication of any actions that are needed. However, the implementation of these updates for the SMC did not occur.

The DAC's role in reviewing the system of internal controls and advising the CS on it is outlined in the DAC charter, but the SMC's terms of reference (ToR) did not contain any reference to its ICFM responsibilities. In the upcoming update cycle, consideration should be given to incorporating the change in reporting on internal control activities to senior management into the agency's ICFM monitoring strategy, and including the ICFM responsibilities in the SMC's ToR to be in line with the agency's ICFM framework and the TB policy.

Adequate oversight, including clear roles and responsibilities for all key stakeholders and governance bodies, is an essential component of the system of ICFM to support the accountabilities of the CS as the accounting officer of the agency, as described in the Financial Administration Act and the Policy on Financial Management. Given the benefits of SMC involvement, management should consider updating the SMC's ToR to ensure its continued involvement in the ICFM oversight structure.

Recommendation

See Recommendation 2 under the "Internal and external reporting" section.

Risk assessment and ongoing monitoring plan

An adequate ongoing monitoring plan is in place, supported by an annual risk assessment process, which provides the agency with sufficient monitoring, commensurate with the risks of key ICFM business processes.

Pursuant to the TB Guide to Ongoing Monitoring of Internal Controls Over Financial Management, departments and agencies should use a risk-based approach to determine how often processes and controls need to be monitored to ensure that the system of ICFM is effective. A full risk assessment of ICFM is required once every three to five years (Statistics Canada has selected a four-year cycle). Environmental scans should be conducted during the intervening years to determine whether the ongoing monitoring plan requires adjustments based on any significant changes to the personnel, process or systems.

The ongoing monitoring plan is the basis for detailed future ICFM assessment work plans. The plan should be approved by the CFO and presented to the CS, the ACSs and the DAC. The agency's ICFM monitoring strategy for the period of 2020/2021 to 2023/2024 was approved by the CS and the CFO in January 2020. Over the four-year cycle, the plan included testing of 12 key business processes, ITGCs for 13 systems, and ELCs (see Appendix C). The agency's 2020/2021 to 2023/2024 ongoing monitoring plan was effectively implemented during the period. All key business processes were tested during the cycle (including those planned and underway for 2023/2024 at the time of the audit), with only minor deviations and delays from the original testing plan.

The audit team examined the 2019/2020 full risk assessment of ICFM, as well as the environmental scans for each year up to 2022/2023, and determined that the process is appropriate and complete. The internal controls team has a written high-level methodology for conducting its ICFM risk assessments and environmental scans within its monitoring plan. For continuous improvement, the detailed approach and process within the agency could be documented. In particular, the current methodology could be enhanced by specifying which key agency documents should be examined for data gathering (e.g., annual reports, Management Accountability Framework, Corporate Risk Profile, changes to TB policies and relevant reports issued by the Office of the Auditor General of Canada), as well as how key stakeholders, such as BPOs and senior management, will be consulted for the risk assessment process. Both of these would inform the ICFM process of organizational changes, strategic considerations, new priorities, new programs and emerging risks.

In addition, the audit identified some opportunities for improvement in the areas of ITGC and ELC for management's consideration in the future.

• ITGC: As part of the 2019/2020 full risk assessment of ICFM, a specific risk assessment for ITGC was conducted, but annual updates to the ITGC risk rankings during the environmental scan were not performed. While there is an indirect method of capturing system changes by annually surveying financial BPOs (i.e., users of the system), including ITGC system owners in the annual environmental scan process may identify emerging changes and risks related to key systems, as well as strengthen stakeholder relations and awareness of the ICFM program outside of the CFO field.
• ELC: A risk assessment for ELCs was not conducted during the four-year cycle covered by the audit. Although ELC has been deemed low risk for the purposes of ICFM, the internal controls team should periodically review this component of the risk assessment with key stakeholders to ensure that the agency's "tone at the top" continues to support key financial controls.

Ensuring that the risk assessment process is complete and consistent year over year would result in a more effective monitoring plan. This would allow additional risks to financial management and new or emerging non-financial risks to be identified and mitigated in a timely manner.

Control testing

The testing methodologies and activities for the agency's system of ICFM are effective and consistently applied, but additional mapping of controls to related risks would strengthen the ICFM program.

The ongoing monitoring of the design and operating effectiveness of internal controls is a critical aspect of maintaining a sound system of ICFM. The objective of design effectiveness testing is to determine whether the control continues to adequately mitigate the risk. Design effectiveness testing should be conducted before operating effectiveness testing to confirm that the control is working as intended. Testing operating effectiveness involves assessing the control over a certain period, usually one year. Operating effectiveness testing assesses whether controls are operating as designed. Departments and agencies are expected to develop effective and consistent methodologies to test the system of ICFM across key business processes, ITGC processes and ELC.

The audit team reviewed the detailed control testing results and documentation for a judgmental sample of eight control assessments conducted from 2020/2021 to 2022/2023 and determined that the testing methodologies and activities for the agency's system of ICFM are effective and consistently applied. The required documentation for each process, including control matrices and narratives, is kept up to date and is validated with BPOs prior to conducting assessments. Also, when conducting operating effectiveness testing, the internal controls team uses a sampling strategy that is aligned with industry best practices, and the testing conclusions made by the internal controls team are supported by documented evidence.

Design effectiveness relates to assessing the risks associated with a specific business process and ensuring that controls are designed to address the risks. The audit team found that control activities for ICFR business processes are mapped to financial assertions, which include reporting risks such as validity, accuracy and completeness. While the design effectiveness of controls was tested for all processes in the sample, no mapping of related risks was documented for ICFM business processes (i.e., financial management processes that are not directly linked to the financial statements), ITGC and ELC. This risk-mapping exercise would help identify areas where risks are not sufficiently covered by existing controls, indicating where new controls might need to be implemented. It may also help identify areas of over-control and help visualize the risk landscape and how risks are being addressed.  

As the agency's monitoring of ICFM processes continues to mature, additional risk factors should be addressed, such as overspending authorities, lapsing funds or making poor resource allocation decisions, to ensure that appropriate control activities are in place. When controls are not mapped to risks, the system of ICFM may not be able to identify gaps in the design of the agency's internal controls, and some risks may not be sufficiently covered by existing controls.

Recommendation 1

It is recommended that the ACS, Corporate Strategy and Management Field, ensure that a process for identifying risk at the control level and mapping all control activities being monitored to related risks in the control matrices is implemented. Risks should be periodically reviewed for completeness and continued relevance.

Management response

Management agrees with the recommendation.

Statistics Canada's annual internal control plan is adjusted each year to incorporate new risks identified in the annual environmental scan (risk assessment). Going forward, a dedicated section on risk mapping and links to ICFM processes will be added in the annual ICFM plan.

Deliverables and timeline

The director, Procurement, Financial Systems and Internal Controls Division, will ensure that the next annual ICFM plan will include the proper linkage and mapping between the identified risks and the plan to address them by June 1, 2024.

Communicating results

The results of internal control assessments are effectively captured and communicated to appropriate internal stakeholders, and action plans are developed, monitored and implemented in a timely manner.

Following the internal control assessments for each business process, the internal controls team is expected to share the results with the BPOs and request that they prepare a MAP to address any gaps or weaknesses in internal controls. The remediation action plan should include milestones and expected completion dates for the action items. The internal controls team should work with the BPOs to review the implementation progress and status of remediation periodically. The frequency of the review is up to the agency, and Statistics Canada conducts this review tri-annually for the DAC reporting. Both the observations identified during ICFM testing and the completed MAPs should be communicated in a timely manner to ensure that they are relevant and that any control weaknesses are addressed as soon as possible.

The audit found that the results of key control testing are documented and communicated to BPOs in a timely and effective manner. Also, MAPs are obtained from the BPOs and monitored by the internal controls team with minimal delay, and the MAP tracking system was found to be accurate and complete. The follow-up process on the implementation of action plans is performed several times a year, and corrective actions are generally implemented by BPOs in a timely manner. Interviews with BPOs indicated that the findings and recommendations were clear and appropriate and that the internal controls team provided guidance and feedback for preparing the MAP where necessary. The audit observed that the current reporting format mainly contains recommendations and areas where deficiencies were noted. To foster ongoing improvement, a balanced reporting approach to the BPOs could be considered, including a summary of controls that were deemed effective to provide an overall view of the area under assessment.

While the process for communicating results was determined to be effective, some instances of repeat deficiencies were observed in the March 2023 DAC report. The report highlighted five instances of control deficiencies from the "Payroll & Benefits" and "Financial Close and Reporting" business processes that had previously been identified as deficiencies in the 2018/2019 and 2019/2020 assessments, respectively. The audit determined that corrective actions had been reported as "completed" during the prior follow-up cycle in four of the five instances. In one of the five instances, the original recommendation was categorized as "no action required" because of its low risk. The internal controls team only reports follow-up on recommendations that are high and medium risk, so some low-risk recommendations may not be implemented. Some BPOs expressed concern that these MAPs from a prior control assessment had not been fully implemented and that they were not aware until they received the recent assessment results.

When corrective actions are not implemented in a sustainable manner to address identified deficiencies, key financial reporting and financial management risks may not be mitigated in the period between control assessments. BPOs are responsible for implementing the corrective actions and should ensure that these actions are sustainable in the event of staff turnover or a change in the business process.

Internal and external reporting

The information contained in internal and external ICFM reporting is accurate and complete.

Pursuant to the TB policy, departments and agencies must report on their annual assessment of ICFR in the Annex to the Statement of Management Responsibility. The annex provides users of financial statements with summary information that demonstrates how the departmental system of ICFR is being managed through annual assessments, associated action plans and future assessment plans. Departments and agencies should also report to their DAC on the system of ICFM at least annually and include key risks that impact the system of ICFM, the ongoing monitoring plan and the results of assessments.

The audit found that the internal controls team is reporting ICFM results to the DAC tri-annually, exceeding the minimum requirement of annual reporting. The reports to the DAC were found to be accurate, complete and comprehensive. As mentioned in the section above, "Governance and oversight," semi-annual internal control updates were planned to be provided to the SMC. The CFO and CS attend all DAC meetings and, along with the ACSs, are members of the SMC; therefore, all key stakeholders are kept informed of the status of the system of ICFM, as well as any actions that are needed. But regular reporting to the SMC did not occur as planned.

The information contained in the annex was found to be accurate. Going forward, if management intends to augment the transparency of external reporting, the annex could include more comprehensive information, such as completed assessments of key controls, deviations from the previous year's plan, and how new and emerging risks were considered for the plan. A benchmark study of the annex of three comparable departments indicated that all three provide noticeably more details of their ICFR and ICFM program than Statistics Canada regarding findings of control deficiencies, actions being taken and results of the risk assessment.

The Statement of Management Responsibility is a key accountability document for the agency and provides an opportunity for departments and agencies to highlight the effectiveness of their management of ICFR and ICFM. Providing additional details would increase the transparency of the assurance that an effective system of ICFR and ICFM is in place at the agency.

Recommendation 2

It is recommended that the ACS, Corporate Strategy and Management Field, ensure that the planned regular reporting to senior management is executed to contribute to effective governance.

Management response

Management agrees with the recommendation.

To improve effective oversight and communication of necessary actions, the ICFM status reports will be circulated to senior management on a timely basis.

Deliverables and timeline

The director, Procurement, Financial Systems and Internal Controls Division, will ensure that the ICFM status report presentation is circulated to SMC members for comments ahead of DAC meetings by November 22, 2023.

Appendices

Appendix A: Audit criteria

Appendix B: Acronyms

ACS

Assistant chief statistician

BPO

Business process owner

CFO

Chief financial officer

COSO

Committee of Sponsoring Organizations

CS

Chief statistician

DAC

Departmental Audit Committee

ELC

Entity-level control

ICFM

Internal control over financial management

ICFR

Internal control over financial reporting

ITGC

Information technology general control

MAP

Management action plan

SMC

Strategic Management Committee

TB

Treasury Board of Canada

ToR

Terms of reference

Appendix C: 2020/2021 to 2023/2024 internal control over financial management work plan