Audit Report
April 22, 2013
Project Number: 80590-74
- Executive summary
- Introduction
- Background
- Audit objective
- Scope
- Approach and methodology
- Authority
- Findings, recommendations and management responses
- Framework supporting the assessment of the effectiveness of ICFR
- Ongoing monitoring and reporting on the state of ICFR
- Appendices
- Appendix A: Audit criteria
- Appendix B: Acronyms
- List of figures
- Figure 1: Assessment of ICFR
Executive summary
The Treasury Board of Canada (TB) Policy on Internal Control took effect on April 1, 2009 and is issued pursuant to Section 7 of the Financial Administration Act (FAA). The objective of the Policy is to ensure that risks relating to the stewardship of public resources are adequately managed through effective internal controls, including internal controls over financial reporting. The Policy requires the Chief Statistician (CS) and the Chief Financial Officer (CFO) of Statistics Canada to sign an annual Statement of Management Responsibility Including Internal Control over Financial Reporting attesting that an effective risk-based system of internal control is in place and operating within the Agency.
The objective of this audit was to provide assurance to the CS and Statistics Canada's Departmental Audit Committee (DAC) on the adequacy of the activities supporting the framework in place for the Finance Branch's annual risk-based assessment of the effectiveness of the system of internal control over financial reporting in support of the Statement of Management Responsibility Including Internal Control over Financial Reporting (the Statement).
This audit was conducted following the Standards for the Professional Practice of Internal Auditing as per the Institute of Internal Auditors (IIA) and in accordance with the TB Policy on Internal Audit.
Key findings
Statistics Canada has met the requirements for the implementation of a framework supporting the Policy on Internal Control. The Agency's project charter and overall process for assessing the effectiveness of ICFR integrates all major components of the Diagnostic Toolkit developed by the Office of the Comptroller General.
Statistics Canada has developed a key strategy document titled: "Proposed Strategy to Address Requirements of Policy on Internal Controls (March 2010)", which forms the basis of the Agency's approach to implementing the PIC. It includes all of the main components recommended in the Diagnostic Toolkit. Over the past two years, Finance has adjusted certain governance components of its framework for assessing ICFR; however Statistics Canada's strategic plan for PIC compliance has not been revised or updated for continued operational relevance since it was first developed.
The provision of ongoing assurance regarding the full system of ICFR is required to meet policy requirements. Finance has completed all activities related to Tests of Operating Effectiveness (TOE) according to the testing schedule established in its PIC strategy, with the exception of processes and systems that are planned to be changed or in the process of being changed. Compensatory controls have not been tested by Finance during transition periods.
Statistics Canada has established processes for monitoring and reporting PIC compliance. The PIC team monitors the level of completion of remediation action plans resulting from each cycle of Tests of Design (TOD) and TOE; however, in some cases, the timing of validation activities does not permit the PIC team to provide ongoing assurance regarding ICFR. Audit testing of completed remediation actions for two business processes' action plans confirmed that recommendations had been implemented.
In accordance with the Policy, the Agency has completed its first Annex to the Statement of Management Responsibility including Internal Control over Financial Reporting for fiscal year 2011-2012, and is currently working towards the preparation of its second statement for fiscal year 2012-2013. The Statement follows the structure per the OCG's Diagnostic Toolkit, however areas requiring corrective actions in order to achieve the state of audit readiness, and areas where assurance was not attained for a given period are not explicitly reported.
Overall conclusion
Statistics Canada has implemented a comprehensive framework in support of its annual risk-based assessment of the effectiveness of the system of internal control over financial reporting.
While the activities supporting the framework in place are adequate, opportunities exist to ensure the Agency can sustain its ICFR assessment process cycle and remain current as continuous progress towards audit readiness evolves. Particular attention should be devoted to updating the Agency's strategy, and clearly communicating areas requiring corrective actions and areas where assurance was not attained.
Conformance with professional standards
The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which includes the Institute of Internal Auditors (IIA) Internal Standards for the Professional Practice of Internal Auditing.
Patrice Prud'homme
Chief Audit Executive
Introduction
Background
The Treasury Board of Canada (TB) Policy on Internal Control (PIC) took effect on April 1, 2009 and is issued pursuant to Section 7 of the Financial Administration Act (FAA). The objective of the Policy is to ensure that risks relating to the stewardship of public resources are adequately managed through effective internal controls, including internal controls over financial reporting (ICFR).
The Policy requires the deputy head (Chief Statistician) and the Chief Financial Officer (CFO) of Statistics Canada to sign an annual Statement of Management Responsibility Including Internal Control over Financial Reporting (the Statement). The Statement prefaces the Agency's financial statements, and includes the following:
- Acknowledgement of management's responsibility to ensure that an effective system of internal control over financial reporting is maintained;
- Acknowledgement of the conduct of an annual risk-based assessment of the effectiveness of the system of internal control;
- Acknowledgement of the establishment of an action plan; and
- A summary of the results of the assessment and the actions taken in response to issues.
The expected results of the Policy are the following:
- An effective risk-based system of internal control is in place in departments and is properly maintained, monitored and reviewed, with timely corrective measures taken when issues are identified; and
- An effective system of internal control over financial reporting is operating in departments as demonstrated by the Departmental Statement of Management Responsibility Including Internal Control over Financial Reporting.
The Office of the Comptroller General (OCG) has developed the 2010 Policy on Internal Control – Preliminary Draft Diagnostic Tool for Departments and Agencies (Diagnostic Toolkit), which provides departments with a practical step-by-step approach for planning and conducting a risk-based assessment of the effectiveness of the systems of ICFR as required under the PIC. It states that implementation of the PIC does not require an assessment of all controls, but rather an assessment of key controls based on risks. The proposed approach involves multi-year assessment planning, taking into account departmental capacities.
The Financial and Administrative Services Division (FASD) (formerly Financial Management Operations and Systems Division) is responsible for developing a framework for the assessment of operating effectiveness of ICFR and Information Technology General Controls (ITGC). Staff assigned to these responsibilities (the PIC team) include: one full-time FTE responsible for the coordination of testing activities carried out by external contractors and tracking follow-up activities. Two levels of supervision oversee activities supporting PIC compliance on a part-time basis, including a Chief and Assistant-Director. The PIC team reports to the Acting Director (A/Director), FASD, and to the Director General of Finance (the Deputy CFO). The Finance team started the initial stages of the planning and scoping process in 2009. Since then, the first full cycle of assessment of ICFR has been completed. The Agency issued its first Statement of Management Responsibility for the fiscal year ending March 31, 2012. From that point on, the project of implementing the PIC has evolved to a sustained process which requires monitoring and maintenance of documentation in collaboration with process owners, testing ICFR and reporting on the state of audit readiness.
At Statistics Canada, Assistant Chief Statisticians (ACSs) are required to sign a Statement of Management Responsibility for their respective fields. This initiative was implemented by the Finance team as a best practice. By signing this statement, ACSs agree to provide full cooperation and support through the annual assessment of ICFR within their area.
The assessment of ICFR involves four (4) core activities, which are undertaken according to an established schedule, as per a strategy defined by the Agency. A brief description of each activity is outlined below. Processes within each activity are further detailed throughout the findings section of this report.
Figure 1: Assessment of ICFR
Planning and Scoping is the first step in conducting an assessment of an Agency's ICFR. Strategic Plans for ICFR and ITGC and related work plans outline the scope of the ICFR that will be covered and the frequency of testing. It presents the results of a risk assessment exercise from which decisions on the selection of in-scope business processes are made.
Documenting processes and controls within each in-scope business process is the approach used to identify key controls in place to mitigate risks to an acceptable level. Ultimately this will help to ensure that control testing efforts are appropriately focused on areas of greatest risk.
The assessment of control design involves identifying the key controls in place to prevent or detect a material misstatement in the financial statements and mitigate key risks. Testing of Design is intended to confirm alignment of these key controls related to the key risks to the financial statements they aim to mitigate.
The assessment of control operating effectiveness involves assessing the extent to which a key control has been operating as intended over a specified period of time. Tests of operating effectiveness are intended to demonstrate the reliability of the controls over a period of time in reducing financial reporting risks.
Key controls requiring improvements are communicated to each business process owner through Letters of Recommendation (LOR). Finance's ongoing monitoring and reporting activities, as well as sound risk management practices ensure continued progress towards audit readiness.
Audit objective
The objective of this audit was to provide assurance to the Chief Statistician (CS) and Statistics Canada's Departmental Audit Committee (DAC) on the adequacy of:
- The activities supporting the framework in place for the Finance Branch's annual risk-based assessment of the effectiveness of the system of internal control over financial reporting in support of the Statement of Management Responsibility Including Internal Control over Financial Reporting.
Scope
The scope of this audit included an examination of processes and mechanisms in place for selected key steps within the PIC implementation process, as described in the Office of the Comptroller General's Diagnostic Toolkit. The audit included interviews with management and staff within the Finance Branch and other divisions having an impact on PIC compliance. The scope of the audit included an examination of processes and mechanisms in place during fiscal years 2011-2012 and 2012-2013 up to December 2012.
Approach and methodology
The audit was conducted following the Standards for the Professional Practice of Internal Auditing as per the Institute of Internal Auditors (IIA) and in accordance with the TB Policy on Internal Audit. The audit work consisted of examination of documents, interviews with key Senior Management and personnel of Statistics Canada, review of processes and procedures with respect to internal controls and testing of the completion of a sample of remediation actions. The audit approach was inspired by the TB Policy on Internal Control and the 2010 Policy on Internal Control – Preliminary Draft Diagnostic Tool for Departments and Agencies issued by the Office of the Comptroller General in July 2010.
Authority
The audit was conducted under the authority of Statistics Canada Multi-Year Risk-Based Audit Plan 2012/13-2016/17, approved April 2012 by the Departmental Audit Committee.
Findings, recommendations and management responses
Objective: Adequacy of the activities supporting the framework in place for the Finance Branch's annual risk-based assessment of the effectiveness of the system of internal control over financial reporting in support of the Statement of Management Responsibility Including Internal Control over Financial Reporting.
Framework supporting the assessment of the effectiveness of ICFR
Statistics Canada has met the requirements for the implementation of a framework supporting the Policy on Internal Control. The Agency's project charter and overall process for assessing the effectiveness of ICFR integrates all major components of the Diagnostic Toolkit developed by the Office of the Comptroller General.
Statistics Canada has developed a key strategy document titled: "Proposed Strategy to Address Requirements of Policy on Internal Controls (March 2010)", which forms the basis of the Agency's approach to implementing the PIC. It includes all of the main components recommended in the Diagnostic Toolkit. Over the past two years, Finance has adjusted certain governance components of its framework for assessing ICFR; however Statistics Canada's strategic plan for PIC compliance has not been revised or updated for continued operational relevance since it was first developed.
The provision of ongoing assurance regarding the full system of ICFR is required to meet policy requirements. Finance has completed all activities related to TOE according to the testing schedule established in its PIC strategy, with the exception of processes and systems that are planned to be changed or in the process of being changed. Compensatory controls have not been tested during transition periods.
The process of assessing the effectiveness of ICFR starts from early planning, including financial statement decomposition, through the identification of key risks and key controls, the documentation requirements to support adequate assessments and the design and operating effectiveness testing up to the completion of remediation and on-going monitoring activities with periodic risk-based testing over time. This process is intended to enable departments to better understand their state of audit readiness and level of compliance with the PIC.
Project charter
Based on the approach described in the OCG's Diagnostic Toolkit, activities, schedules, and resources needed to achieve PIC compliance objectives should be documented and sufficient resources should be secured to support compliance to the PIC. Responsibilities for the implementation of ICFR should be clearly identified and assigned. As part of this process, the Agency should have a documented plan in place for the assessment of ICFR effectiveness required by the PIC. The documented plan should include scope, timing, milestones, costs/capacity, and cover the steps required to assess the effectiveness of ICFR. An independent oversight mechanism should be in place to deal with cases concerning values and ethics that allows for anonymous reporting of suspected improprieties.
Statistics Canada has developed two key guiding PIC strategy documents: The first is titled the "Proposed Strategy to Address Requirements of Policy on Internal Controls (March 2010)" and the second is the "Proposed Strategy to Address Requirements of Policy on Internal Controls - ITGCs (January 2012)", which is specific to Information Technology General Controls. These two strategy documents form the basis of the Agency's approach to implementing the PIC, and include all the main components recommended in the Diagnostic Toolkit, with the exception of costs and capacity, which are covered in the work plan developed annually to execute on the ICFR and ITGC strategy documents.
Responsibilities for PIC compliance are clearly identified and assigned within the "Proposed Strategy to Address Requirements of Policy on Internal Controls (March 2010)" document. The strategy document identifies four stakeholders within the Agency having significant roles and responsibilities: the CS, the CFO, the DAC and Financial Management Operations Systems Division (now the FASD). Described roles and responsibilities are in line with the Policy. In addition, the Annex to the Statement of Management Responsibility Including ICFR describes the roles of three committees involved in monitoring the PIC compliance program:
- DAC is an advisory committee that provides objective views on the Agency's risk management, control and governance frameworks;
- The Corporate Policy Committee (CPC) is chaired by the CS and is the most senior executive committee in the Agency, providing broad strategic direction. It acts as the body for all decision-making related to corporate-level management of the Agency including strategic corporate planning, resource allocation, financial management, human resources management, communications and dissemination, program evaluation and information management/information technology; and
- Administrative Practices Committee (APC) oversees the development, implementation and application of administrative, financial management, risk management and evaluation practices.
Statistics Canada also has an independent oversight mechanism in place that allows for anonymous reporting of suspected improprieties. Should employees come across information or evidence that could potentially involve suspected improprieties, they can report any such concerns through the values and ethics framework established within Statistics Canada.
The Agency's project charter is in line with the PIC and follows the approach described in the OCG's Diagnostic Toolkit.
Risk management
Management should have adequate risk management practices in place, to consider and mitigate risks associated with the implementation of ICFR, and achieving PIC compliance. Implementing and maintaining a framework for PIC has inherent risks that may preclude the achievement of compliance with the Policy.
Interviews revealed PIC compliance is subject to four main dependencies: 1) Services provided by an external consultant; 2) Finance staff assigned to activities related to PIC; 3) The collaboration of business process owners for the documentation of processes, the identification of key controls and implementation of remediation actions where control weaknesses are identified; and 4) The support of senior management across the Agency.
Risks to the implementation of ICFR have been considered and mitigated within Finance. FASD has identified a number of short and long-term mitigation strategies to manage risks associated with these dependencies, including, but not limited to:
- Securing a professional services contract for resources to carry out the PIC work plan;
- Oversight activities to ensure quality over the consultant's work;
- Access to a pool of rotational staff within Finance to address current and future knowledge resource needs for activities related to the PIC;
- Formal letters of acknowledgement of responsibility towards the implementation of PIC signed by the ACSs in each field; and
- Presentations to senior management across the Agency explaining the requirements of the policy as well as their respective roles and responsibilities.
From its first year of operation, Finance has monitored the effectiveness of mitigation strategies in place, and is in the process of developing additional strategies to increase the level of collaboration of business process owners. As a result, FASD has identified certain challenges with respect to follow-up activities and is considering implementing a steering committee involving key stakeholders at the Director and Director General (DG) levels to increase the support and engagement of management with respect to PIC compliance across the Agency. This new initiative is expected to be implemented in 2013.
Finance has an adequate approach to managing the inherent risks associated with implementing a framework for the annual risk-based assessment of the effectiveness of the system of ICFR.
Planning and scoping
As Statistics Canada's process to assess ICFR has evolved from an initial implementation project to a sustained process, the strategic plan for PIC compliance and work plan should be reviewed periodically and validated by the CFO and CS to ensure continued relevance. As required by the PIC, DAC should be consulted on the risk-based assessment plans for the annual assessment of the effectiveness of the departmental system of internal control.
Statistics Canada has mechanisms in place to plan and scope its strategy for PIC compliance, to address significant issues, and ensure continuous improvement. The two PIC strategy documents describe the approach to be used for the testing of ICFR, roles and responsibilities, reporting requirements, next steps, a work plan with defined timelines, and detailed risk assessments for each in-scope business process.
To develop the strategy documents and associated work plan, the Agency has identified the key risks facing the integrity of the financial statements (F/S), the significant accounts within the F/S, and has determined which business processes are considered in-scope.
The business processes considered in-scope are the following:
- Financial Close and Reporting;
- Payroll and Benefits;
- Census Pay;
- Interviewer's Pay;
- Revenues;
- Operating Expenditures;
- Capital Assets;
- Entity Level Controls, including Budgeting and Forecasting; and
- General Computer Controls (GCCs).
For each in-scope business process, the Agency has identified the significant business units, systems, and entity level controls that are reported in the F/S. The planning documents specify the area to be tested, the inherent risks, the rationale for the inherent risk areas to be tested, the control objectives, the extent of testing, and the frequency of testing.
In March 2013, Statistics Canada will have completed its second year of assessment of ICFR following the original PIC compliance strategy. The strategy guides decision-making regarding which processes, financial statement accounts, and risks are most relevant for consideration in the testing strategy, and the allocation of resources. Over the past two years, Finance has adjusted certain governance components of its framework for assessing ICFR; however Statistics Canada's strategic plan for PIC compliance has not been revised or updated for continued operational relevance since it was first developed. Revisiting and updating the strategy and risk environment on a periodic basis will ensure that the strategy remains relevant, by being reflective of the Agency's operating environment.
At the end of each fiscal year, the CS and CFO are responsible for signing the Statement of Management Responsibility. Therefore, once the testing strategy has been updated, formally validating it with the CS and the CFO would ensure they have an opportunity to review and provide input into the proposed plans. The outlines of the strategy and the Statement were presented to the CFO, senior management and DAC in March 2012, but the testing strategy document was not presented in its entirety. As a result, actual completed testing cannot be compared to planned testing activities. Signing the annual Statement requires an acknowledgement of the conduct of annual risk-based assessment of ICFR, including any deviations from the PIC strategy.
Documentation of in-scope business processes
An adequate process should be in place to document in-scope business processes and identify process-level controls that mitigate risks to the integrity of the financial statements. Business process narratives and flowcharts are used to identify key controls, and map these controls to F/S risks. Documentation maintained for in-scope business processes should be evergreen, reflecting significant changes in processes and/or systems that have an impact on ICFR.
Statistics Canada has completed its initial round of documentation for each in-scope business process. A review of the business process documentation for four in-scope business processes (Pay, Financial Close Reporting, Revenues and GCC-Change Management) found that the Agency follows a standardized approach to documentation (process narratives), which include a description of the process and sub-processes, related systems, key controls and identification of the process owners accountable for each in-scope business process. Key control points and accountabilities were identified in the narratives, or directly within the testing matrices, and linked with key risks. For three out of the four in-scope business processes reviewed, process narratives were prepared using a standard format. The GCC-Change Management process was documented using a process flowchart, with specific sub-processes documented in the testing matrices. This is an acceptable alternative to process narratives.
Process owners develop their own process narrative documentation, which is then validated by the PIC team. Process documentation should be evergreen and as such, should be periodically validated with process owners to ensure documentation remains up-to-date. This practice helps ensure that Statistics Canada is working with an accurate and up-to-date understanding of business processes when identifying and monitoring key controls, risk factors, and determining areas of ICFR testing. Currently, reliance is placed upon process owners to communicate changes in processes to the PIC team, and significant follow-up is required as business process owners do not systematically communicate changes to the PIC team. Accurate and up-to-date information is essential for decisions regarding approach and methodology for testing.
Tests of design (TOD) of key controls
Assessing the design of key controls involves identifying key controls, aligned with the key risks, and completing tests of design. Tests of design are conducted to verify that key controls in place are implemented as described in process narratives.
Statistics Canada has identified key controls that exist within in-scope business processes, has mapped these controls to the risks they mitigate, and has completed tests of design. The audit selected three sub-processes for each of the four selected in-scope business processes for review. The audit confirmed that each sub-process had a key control identified and was aligned to each key control. For those controls that were found to be ineffective through TOD, the finding/weakness was included in a Letter of Recommendation (LOR), and a management response was developed to address the specific finding/weakness.
Tests of operating effectiveness (TOE) of key controls
A process should be in place to assess the extent to which key controls, including ITGC and entity level controls, have been operating as intended over a specified period of time. This process is referred to as a Test of Operating Effectiveness (TOE). The testing strategy should be documented, and include sampling techniques, locations, timing, and the IT application controls to be tested.
Statistics Canada has developed and documented its strategy for completing tests of effectiveness of key controls. The testing strategy describes the scope, approach, methodology, basis for sampling, frequency and lists the application controls to be assessed. Statistics Canada's two PIC strategy documents include sections on the Agency's approach for TOE. The approach to testing contained in each PIC strategy document adequately details key information, including risk information, the degree of reliance on controls, a testing strategy for each in-scope business process, a testing plan with timelines, and sample sizes. The testing matrices further document the testing and sampling strategies for each key control to be tested, and where applicable, identifies the various locations where testing is to take place.
In this regard, the Agency has met the PIC requirements. Processes that are in place are in line with the approach recommended in the Diagnostic Toolkit.
Change management
The Policy on Internal Control requires ongoing assurance on the system of ICFR. In order to meet this requirement, the Agency must follow its strategy for the assessment of key controls for in-scope business processes, according to the established timelines. The strategy should include coverage and testing in situations when processes and systems are scheduled to be changed or are in the process of change. Testing activities should be adapted in such cases to ensure compensatory controls are monitored for effectiveness during this time. In the event that testing for an in-scope business process is suspended or cancelled, such decisions should be communicated to the CS and CFO, as it impacts the Agency's ability to monitor the effectiveness of the full system of ICFR on an ongoing basis, as is required by the PIC.
Interviews with management and the review of documentation revealed that there are a number of projects underway that involve significant changes in processes and systems affecting ICFR. Some initiatives originate from within the Agency, while others are initiated by third parties who provide services to the Agency. Examples of significant changes are:
- Business processes affected by Administrative Processes Review and Automation (APRA);
- Transfer of technology to Shared Services Canada (SSC);
- Public Works & Government Services Canada's changes to the Common Departmental Financial System (CDFS), with the implementation of a Capital Assets module;
- Business process changes resulting from letters of recommendations to address weaknesses in key financial controls (e.g. IT Change Management process, HR's system change from GLOBAL to GALAXY).
Where process or system changes are initiated within the Agency, the PIC team proactively reviews the design of processes under development to ensure key controls are embedded. Interviews revealed that some testing activities had been cancelled for 2012-2013, as they relate to business processes impacted by APRA.
When process or system changes are initiated by third-party service providers, the PIC team monitors the evolution of these initiatives by attending meetings, or through on-going communication with designated Statistics Canada representatives who are part of steering committees.
In the event that significant process or system changes are planned or are being changed by third-party service providers, the ability to provide ongoing assurance regarding the full system of ICFR should be maintained in order to meet the requirements of the policy. In these situations, the current practice has been to suspend, defer or cancel testing. For example, the Capital Assets business process was last tested in 2009, and was scheduled for the next round of testing in the 2011-2012 fiscal year. Due to planned changes to CDFS, testing of Capital Assets has been deferred to the 2014-2015 fiscal year. When testing is cancelled in an area, the PIC team has not been confirming whether the system of internal control has remained the same or if it continues to be effective. If ongoing assurance cannot be provided for a period of time, this situation should be clearly stated in the Statement.
For the transition of technology to SSC, Finance and SSC are engaged in discussions to determine how Statistics Canada will obtain assurance on ICFR from SSC. Departments across the Federal Government are affected by this transition of services to SSC, and it is expected that each department will engage in negotiations with SSC to attain the level of assurance deemed necessary by each department. As expected, timelines for including assurance over ICFR on business processes managed by SSC have not yet been set.
A review of the PIC Follow-up Action Plan revealed that certain key controls scheduled to be tested during the last round of testing had not been tested. Interviews with Finance staff confirmed that testing of certain key controls had been delayed in instances where processes or systems were planned to be changed. Compensatory controls in place during transition periods were not tested. Postponing or cancelling testing of key controls may impact the Agency's ability to monitor the effectiveness of the full system of ICFR on an ongoing basis, as is required by the PIC.
Recommendations:
It is recommended that the Assistant Chief Statistician Corporate Services and CFO ensure that:
- The PIC strategy is periodically updated and validated by the CFO and CS.
- Compensatory controls in place during process and system changes are considered for testing as part of providing ongoing assurance on ICFR.
Management response:
Management agrees with the recommendations.
- The Director, Financial Reporting Division will ensure that the PIC strategy is updated and validated by the CFO, CS and DAC annually.
Deliverables and Timeline: Annual presentation of the PIC strategy to Policy Committee and DAC, in March/April of each year.
- The Director, Financial Reporting Division will ensure that compensatory controls are considered and included in the testing strategy as required, on a risk basis.
Deliverables and Timeline: Completed testing of compensatory controls as planned in the testing strategy, as required.
Ongoing monitoring and reporting on the state of ICFR
Statistics Canada has established processes for monitoring and reporting PIC compliance. The PIC team monitors the level of completion of remediation action plans resulting from each cycle of TOD and TOE; however, in some cases, the timing of validation activities does not permit the PIC team to provide ongoing assurance regarding ICFR. Audit testing of completed remediation actions for two business processes' action plans confirmed that recommendations had been implemented.
In accordance with the Policy, the Agency has completed its first Annex to the Statement of Management Responsibility including Internal Control over Financial Reporting for fiscal year 2011-2012, and is currently working towards the preparation of its second statement for fiscal year 2012-2013. The Statement follows the structure per the OCG's Diagnostic Toolkit; however, areas requiring corrective actions in order to achieve the state of audit readiness, and areas where assurance was not attained for a given period, are not explicitly reported.
Based on the approach suggested in the OCG's Diagnostic Toolkit regarding ongoing monitoring and reporting on the state of ICFR and progress towards audit readiness, management needs to consider the potential impact that control weaknesses may have on the integrity of the financial statements and monitor the implementation of remedial actions required to address specific control deficiencies. As part of the process, there should be timely reports to the CFO and senior management on the nature of the results of the assessments, with attention on the associated action plans. At appropriate times, the DACs should be engaged for advice on the findings and responses.
The following sections provide an assessment of monitoring and reporting activities in place within Finance, and are from the first full cycle of assessing control effectiveness through testing, implementation of remediation actions and reporting results within the Agency.
Monitoring progress towards audit readiness
Following the completion of TOE, Finance obtains proposed remediation actions from respective business process owners and outstanding actions are flagged for follow-up. The PIC team monitors the level of completion of remediation action plans resulting from each cycle of TOD and TOE. To do so, the state of completion of remediation actions is assessed by the business process owner, and communicated to the PIC team, where it is tracked in the PIC Follow-up Action Plan spreadsheet.
Remediation plans were reviewed by the audit team and interviews were conducted with business process owners to verify that remediation actions had been completed, and updates to the plan had been communicated to the PIC Finance team. The audit found that in some cases, the timelines for implementing remediation actions extended past the next scheduled testing. As a result, TOE for those processes had been delayed.
The audit team also selected two completed remediation actions from the Revenues and the GCC-Change Management business processes' action plans to verify that changes to the process had been implemented. A sample of 11 control transactions was selected for each of these two business processes:
- The first control tested was the approval process for monthly reconciliations between the cash receipts recorded in the Common Departmental Financial System (CDFS) and the Corporate Sales Support System (CSSS) using the Non Salary Information Management System (NSIMS). The result of our test confirmed that the recommended control was implemented within the process. The completion of this remediation action had also been validated by the PIC team in the last round of testing.
- The second control tested was the approval process for system changes identified in the Team Foundation Server (TFS). Results confirmed that the recommended control over change requests was implemented within the process.
Timely completion of remediation actions is essential to ensuring an effective system of ICFR is operating in the Agency. In both cases, the recommended controls had been implemented and the remediation actions had been completed.
The PIC team's current approach for validating the state of completion of remediation actions is to carry out testing during the next scheduled round of testing established in the Strategy's testing schedule, which could represent a three-year time lapse between tests. As a result, it may not be possible for the PIC team to provide assurance on the effectiveness of the changes implemented by the business process owner, as required for annual reporting purposes.
Timely validation of completed remediation actions will enable the PIC team to provide ongoing assurance regarding ICFR.
Reporting on the state of ICFR and progress towards audit readiness
To fulfill their responsibilities as stated in the Policy, it is essential that the CS and the CFO have a clear picture of the overall state of internal control at Statistics Canada, and that their attention is drawn to areas requiring corrective actions. According to the Diagnostic Toolkit,
"there should be timely reports to the CFO and senior management on the nature of the results of the assessments, with attention on the associated action plans. At appropriate times, the DACs should be engaged for advice on the findings and responses".
The PIC team is responsible for reporting to senior management and the DAC on the results of ICFR testing and progress towards the completion of testing plans and remediation actions. The PIC team has made a number of presentations to DAC, CPC and APC for its first PIC reporting exercise. Information presented focussed on the requirements of the Policy and contained high-level information on results of testing.
In accordance with the Policy, the Agency has completed its first Annex to the Statement of Management Responsibility including Internal Control over Financial Reporting (the Statement) for fiscal year 2011-2012, and is currently working towards the preparation of its second statement for fiscal year 2012-2013. The Annex, which was attached to the Departmental Financial Statements for the fiscal year ending March 31, 2012, follows the same structure that is suggested in the OCG's Diagnostic Toolkit. The section pertaining to the Agency's progress provides information on which elements of the testing schedule have been completed.
The intent of the Statement, as stated in the Diagnostic Toolkit, is
"to report to the Departmental Audit Committee, senior management and central agencies on the status of ICFR management; communicate the importance of continuous improvement in internal controls within the organization; and serve as input into the ICFR assessment plans for future years".
In order to achieve this objective, information presented in the Annex should speak to the nature of the work that is required to achieve audit readiness, as it pertains to outstanding remediation items. This process enables decision-makers to have sufficient information to ensure corrective measures are implemented in a timely fashion.
Conversely, when testing of ICFR is not possible during transition periods, the Annex should clearly communicate what in-scope business processes or periods were not assessed. The audit team analysed the information communicated in the Agency's first Statement, issued for the fiscal year 2011-2012. The Statement includes a section pertaining to next steps, in which general information on processes and systems in transition is provided. Decisions to postpone or cancel ICFR testing were not clearly communicated in the Statement. The CFO, CS, and the DAC rely on information from the Statement as it may influence decisions pertaining to areas where assurance was not attained for any given period.
The Statement follows the structure per the OCG's Diagnostic Toolkit; however, areas requiring corrective actions in order to achieve the state of audit readiness, and areas where assurance was not attained for a given period, are not explicitly reported.
Recommendations:
It is recommended that the Assistant Chief Statistician Corporate Services and CFO ensure that:
- The monitoring process includes timely validation of the state of completeness of remediation actions reported by business process owners, and formal guidelines and protocols for communicating issues of significance such as a deviation from legislation or TB policy related to ICFR.
- The Annex to the Statement of Management Responsibility including Internal Control over Financial Reporting clearly communicates the areas requiring corrective actions in order to achieve the state of audit readiness, and areas where assurance was not attained for any given period.
Management response:
Management agrees with the recommendations.
- A PIC Steering Committee was created whose membership consists of the DGs of Finance, IT, HR, Procurement and Assets Management and Census. The Director, Financial Reporting Division will ensure that this core management group provides leadership and oversight on the state of completeness of all reported remediation actions and for communicating issues of significance.
Deliverables and Timeline: Regular meetings of PIC Steering Committee and timely validation on the state of completeness of remediation actions through review of evidence of actions taken by business process owners and/or testing to ensure controls have been implemented. Meetings and validation activities will be held quarterly or as required depending on status of remediation actions, in accordance with PIC reporting timelines. First PIC Steering Committee meeting is planned for May 2013.
- The Director, Financial Reporting Division will ensure that the status of the ICFR strategy and all relevant information in describing the organization's state of audit readiness are clearly communicated.
Deliverables and Timeline: As part of the Annex to the Statement of Management Responsibility including Internal Control over Financial Reporting, which is issued annually, in accordance with PIC reporting timelines.
Appendices
Appendix A: Audit criteria
Objective / Core Controls / Criteria | Sub-Criteria | Policy Instrument |
---|---|---|
1) Adequacy of the activities supporting the framework in place for the Finance Branch's annual risk-based assessment of the effectiveness of the system of internal control over financial reporting in support of the Statement of Management Responsibility Including Internal Control over Financial Reporting. | | |
1.1 Monitoring Compliance to PIC: Management has adequate monitoring processes and risk management practices over the department's progress towards its Strategy for PIC compliance. | 1.1.1 The progress towards the proposed strategy to address requirements of PIC is assessed regularly and any identified challenges are dealt with on a timely basis. 1.1.2 Responsibilities for implementation of ICFR have been clearly identified and assigned in the department. 1.1.3 Project governance has been documented to monitor the PIC program. 1.1.4 Risks to implementation of ICFR have been considered, documented and mitigated. 1.1.5 Management has a documented process for monitoring the activities of the PIC compliance strategy and related work plan, which includes any challenges found, the action items required to remedy those challenges, who will be responsible for the action items, and timelines for action items completion. 1.1.6 The risk identification process is rigorous and risk events are identified at the entity and activity levels, such as the process used to scope, plan, and execute the PIC compliance regime. | Policy on Internal Control (PIC) Preliminary Draft Diagnostic Tool for Departments and Agencies. July 2010. Management Accountability Framework (MAF) |
1.2 Overall Process of assessment of effectiveness of Internal Controls over Financial Reporting (ICFR): Activities, schedules and resources needed to achieve PIC compliance objectives have been documented and integrated into the corporate budget. | 1.2.1 The department has a documented project plan in place that includes scope, timing, milestones, and costs/capacity, and that covers the various steps towards assessing the effectiveness of ICFR as recommended by the Diagnostic Toolkit. | Policy on Internal Control (PIC) Preliminary Draft Diagnostic Tool for Departments and Agencies. July 2010. |
1.3 Planning and Scoping: The department has an adequate process in place for planning and scoping its strategy for ensuring compliance with PIC. | 1.3.1 There is a plan with timelines in place to address significant issues and ensure continuous improvement. 1.3.2 The department has identified the key risks facing the integrity of the financial statements (F/S) and identified the significant F/S accounts. 1.3.3 The department has identified the significant business units, systems, and business processes and entity level controls related to the significant accounts that are reported in the F/S. 1.3.4 The department has documented its planning and scoping for ICFR. 1.3.5 The assessment plan has been validated with senior management, CFO and CS. 1.3.6 The strategic plan for PIC compliance and work plan progress are reviewed from time to time for continued relevance. | Policy on Internal Control (PIC) Preliminary Draft Diagnostic Tool for Departments and Agencies. July 2010. |
1.4 Documentation: The department has an adequate process in place for documenting the business processes and identifying the process level risks that have an impact on the integrity of the financial statements. | 1.4.1 The department has documented the business process for each in-scope process. 1.4.2 The department has followed a standardized approach to document the business processes. 1.4.3 The documentation identified the key control points and accountabilities. 1.4.4 The department has identified F/S reporting risks for each in-scope business process, documented and prioritized these risks. 1.4.5 The documented processes have been validated by the process owners to acknowledge accuracy of the documentation and controls. 1.4.6 Identification of key risks has been validated by senior management. | Policy on Internal Control (PIC) Preliminary Draft Diagnostic Tool for Departments and Agencies. July 2010 |
1.5 Test of Design (TOD): The department has an adequate process in place to identify key controls at all levels and align them with key risks to the integrity of the financial statements. | 1.5.1 The department has identified the key controls; 1.5.2 The department has aligned the risks with the key controls that are in place to mitigate the risk; 1.5.3 The department has completed a Test of Design using walk-throughs for the key controls; 1.5.4 The results of the test of design have been reported to the appropriate senior management forum and the DAC; 1.5.5 The identified significant elements of the remediation plans have been identified and completed. 1.5.6 Prompt and appropriate remedial action is taken by management in response to departures from approved policies, procedures or codes of conduct. Disciplinary actions taken as a result of violations are communicated across the organization. | Policy on Internal Control (PIC) Preliminary Draft Diagnostic Tool for Departments and Agencies. July 2010. |
1.6 Test of Operating Effectiveness (TOE): The department has an adequate process in place to assess the extent to which key controls, including IT general controls (ITGC) and entity level controls, have been operating as intended over a specified period of time. | 1.6.1 The department has developed and documented its testing strategy, including sampling techniques, locations and timing and IT application controls, for completing the TOE of its key controls. 1.6.2 The department has completed TOEs for all key controls, including ITGCs and entity level controls, of all in-scope business processes. 1.6.3 A report on the results of this testing and associated action plan has been developed and shared with senior management and reported to the DAC. 1.6.4 The department is monitoring or has the capacity to monitor the completion of the necessary remediation that may be required for any weaknesses identified during the testing. 1.6.5 The remediation actions are completed. | Policy on Internal Control (PIC) Preliminary Draft Diagnostic Tool for Departments and Agencies. July 2010. |
1.7 Reporting: The department has an adequate process in place for reporting on results of the assessment of effectiveness of ICFR and related action plans, and formal channels of communication exist for people to report suspected improprieties. | 1.7.1 The department has established a central group to provide the focus on management of departmental ICFR through the oversight of the departmental assessment process, results and action plans in support of the CFO and CS, and to capture and report the results of all departmental testing; 1.7.2 The DAC has been engaged on the risk-based assessment plans and results of the annual assessment of the effectiveness of the departmental system of internal control; 1.7.3 The department has a process in place to update process documentation, conduct ongoing testing (TOD and TOE) and provide ongoing reporting on the results of the testing; 1.7.4 The department monitors control remediation items through its formal approved action plan; 1.7.5 The department has completed its summary annex to be attached to the departmental Statement of Management Responsibility including Internal Control over Financial Reporting. 1.7.6 The Agency has in place an independent oversight mechanism to deal with cases concerning ethics and values that allows for anonymous reporting of suspected improprieties. | Policy on Internal Control (PIC) Preliminary Draft Diagnostic Tool for Departments and Agencies. July 2010. |
1.8 Change Management: The organization has in place a process to identify change opportunities/requirements with respect to the PIC compliance framework. | 1.8.1 A strategy for coverage and testing is in place when processes and systems are scheduled to be changed or are in the process of change. 1.8.2 Additional work is conducted to ensure compensatory controls are working during this time. 1.8.3 Where coverage/testing of IC is not possible during transition periods, the Statement clearly communicates what areas or periods were not covered. 1.8.4 Results of testing when control is not functioning | Management Accountability Framework (MAF) Policy on Internal Control (PIC) Preliminary Draft Diagnostic Tool for Departments and Agencies. July 2010. |
Appendix B: Acronyms
Acronym | Description |
---|---|
SC | Statistics Canada |
ICFR | Internal Controls over Financial Reporting |
TB | Treasury Board |
PIC | Policy on Internal Control |
FAA | Financial Administration Act |
ITGC | Information Technology General Controls |
CS | Chief Statistician |
DAC | Departmental Audit Committee |
IIA | Institute of Internal Auditors |
CFO | Chief Financial Officer |
MAF | Management Accountability Framework |
OCG | Office of the Comptroller General |
DCFO | Deputy Chief Financial Officer |
APC | Administrative Practices Committee |
CPC | Corporate Planning Committee |
LOR | Letters of Recommendation |
CDFS | Common Departmental Financial System |
ACS | Assistant Chief Statisticians |
CAE | Chief Audit Executive |
TOE | Testing of Operating Effectiveness |
TOD | Testing of Design & Implementation |
GCC | General Computer Controls |
IT | Information Technology |
DG | Director-General |
FMOSD | Financial Management Operations and Systems Division |
APRA | Administrative Processes Review and Automation |
CSSS | Corporate Sales Support System |
NSIMS | Non Salary Information Management System |
TFS | Team Foundation Server |
SSC | Shared Services Canada |
Footnotes
- Footnote 1: Information Technology General Controls are considered part of the system of Internal Control over Financial Reporting. Subsequent references made to ICFR in this report include ITGCs.