Audit Report
April 28, 2014
Project Number: 80590-85
- Executive Summary
- Introduction
- Background
- Audit Objectives
- Scope
- Approach and Methodology
- Authority
- Findings, Recommendations and Management Response
- Follow-up from the Audit of Key Financial Controls
- CFO Attestation and Due Diligence Review
- Appendices
- Appendix A: Audit Criteria
- Appendix B: Assertions and Details from the Guideline to CFO Attestation
- Appendix C: Acronyms
Executive Summary
Senior management made a proactive, risk-based request for an audit to be conducted to ensure that recommendations from the 2011-2012 Audit of Key Financial Controls have been addressed, and to assess the current framework and processes in place to support the CFO attestation process in accordance with the new Guideline, which came into effect January 1, 2014.
The objective of this audit is to provide assurance to the Chief Statistician, the Chief Financial Officer (CFO) and the Agency's Departmental Audit Committee (DAC) on the adequacy and effectiveness of examination and oversight activities undertaken within the Finance Branch in support of:
- The implementation of the Management Response Action Plan (MRAP) following recommendations pertaining to the Statement of Management Responsibility including Internal Control over Financial Reporting (ICFR) that resulted from the Audit of Key Financial Controls (April 2013); and
- Due diligence review process supporting the CFO Attestation for Cabinet Submissions.
Key Findings
The Policy on Internal Controls (PIC) Team's revised practices are effective in ensuring that its PIC strategy is periodically updated, that compensatory controls in place during process and system changes will be considered for testing as part of providing ongoing assurance on ICFR, that evidence of the implementation of remediation actions is gathered and documented, and that the adequacy of remediation actions is evaluated by the PIC team within a 12-month testing cycle.
The implementation of a PIC Steering Committee is an effective means to ensure that issues are reported and dealt with at the appropriate level of management, and can be considered a leading practice. Information pertaining to unresolved remediation actions from prior years' testing has not been disclosed in the current year's Annex.
The Finance Branch is involved early in the development of Cabinet/TB submissions. The Director, Financial Planning Division (FPD), and finance officers provide advice and support to programs, and attend program meetings throughout the process to ensure that information is prepared to support various costs, in anticipation of potential internal and external due diligence challenges. This participation improves the quality of the submission and is a good practice, but the objectivity required to perform the due diligence review process should be strengthened.
Two teams (Costing team & PIC team) within the Financial Reporting Division (FRD) also support the development of Cabinet/TB submissions by providing recommendations for policy and conclusions on the effectiveness of internal controls. The audit found that the support provided for the development of Cabinet/TB submissions is adequate.
The audit found that the current design of the checklist template is not totally aligned with the assertion sub-criteria included in Annex B of the Guideline. During the file review, a number of gaps were noted in the documentation collected for the due diligence review process and challenge function; as a result, a number of assertion criteria could not be assessed. A sufficient management record documenting the due diligence process and challenge function, from which a third party can understand the scope of the review and testing of the assertions and assess how the CFO reached his conclusions and observations in the Attestation Letter, is needed in order to meet the requirements of the Guideline.
Overall Conclusion
The implementation of a PIC Steering Committee is an effective governance and oversight tool, and a leading practice. All four recommendations from the 2012-2013 Audit of Key Financial Controls have been implemented, but remediation actions from prior years' testing should be disclosed in the current year's Annex.
There are a number of good practices in place which improve the quality of Cabinet Submissions at Statistics Canada. To strengthen the business practices and meet the requirements of the new Guideline on CFO Attestation, the CFO's Office is encouraged to increase the independence of the review process and challenge function and improve the documentation to support the assertions.
Conformance with Professional Standards
The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which includes the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing.
Sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the findings and conclusions in this report and to provide an audit level of assurance. The findings and conclusions are based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria. The findings and conclusions are applicable to the entity examined and for the scope and time period covered by the audit.
Patrice Prud'homme
Chief Audit Executive
Introduction
Background
The Policy on Financial Management Governance took effect on April 1, 2009 and was last amended June 1, 2010. The objective of this policy is to strengthen public sector financial management and its leadership thereby contributing to appropriate stewardship of public resources, effective decision-making, and efficient policy and program delivery. This policy sets out responsibilities with respect to financial management governance and capabilities and is designed to ensure strong financial management of public resources, to reinforce the principles of probity and prudence and to contribute to better decision-making. According to this policy, the Chief Financial Officer (CFO) is responsible for:
- Signing financial management representations and disclosures such as the Departmental financial statements, including the Statement of Management Responsibility including Internal Control over Financial Reporting, and providing reasonable assurance that appropriate measures are taken to maintain an effective system of internal controls; and
- Signing off on all financial and related reports, submissions and disclosures of the department requiring approval of the Chief Statistician, by providing a challenge function on financial management matters and use of public resources across Statistics Canada.
In 2012, the Internal Audit Division conducted an audit related to Key Financial Controls. Four recommendations resulted from this audit, pertaining to: periodic revision of the Policy on Internal Controls (PIC) Strategy framework, testing compensatory controls, timely follow-up of remediation actions and clarity of the Statement of Management Responsibility including ICFR.
Further, the Treasury Board Secretariat has issued a new Guideline on CFO Attestation for Cabinet Submissions (the Guideline), effective January 1, 2014. The purpose of this guideline is to provide a framework and practical guidance for the CFOs in the due diligence review and attestation they provide on the financial management aspects of Cabinet submissions. Under this guideline, the CFO is mandated to provide objective and independent advice to the Chief Statistician who is the accounting officer for the department. Six fundamental assertions have been identified to characterize the elements of the attestation and to convey the CFO's attestation conclusions in support of decision making.
Two divisions within the Finance Branch assume responsibilities for compliance to the PIC and the CFO Attestation. The Financial Reporting Division (FRD) coordinates activities for the assessment of internal controls and provides a framework for the CFO Attestation. The Financial Planning Division (FPD) provides financial expertise and support to programs in the preparation of Cabinet/Treasury Board (TB) submissions through its Financial Officers and Advisors, and acts as a contact liaison for all matters related to the approval process for TB submissions, both internally, and with other departments and central agencies.
Audit Objectives
The objective of this audit was to provide assurance to the Chief Statistician, the CFO and the Agency's DAC on the adequacy and effectiveness of examination and oversight activities undertaken within the Finance Branch in support of:
- The implementation of the MRAP following recommendations pertaining to the Statement of Management Responsibility including ICFR that resulted from the Audit of Key Financial Controls (April 2013); and
- Due diligence review processes supporting the CFO Attestation for Cabinet Submissions.
Scope
The scope of this audit included an examination of:
- The implemented action plans resulting from recommendations from the April 2013 Audit of Key Financial Controls.
- The current framework and processes in place to support the CFO attestation for Cabinet Submissions in accordance with the new Guideline, which came into effect January 1, 2014.
Approach and Methodology
The audit approach was inspired by the Treasury Board Policy on Internal Control and Policy on Internal Control – Preliminary Draft Diagnostic Tool for Departments and Agencies issued by the Office of the Comptroller General in July 2010, and by the new Treasury Board Guideline for CFO Attestation which came into effect January 1, 2014.
The audit work consisted of an examination of documents; interviews with key Senior Management and personnel of Statistics Canada; a review of processes and procedures with respect to ICFR; and a review of the current due diligence review process for two Cabinet Submissions prepared in 2013, which was prior to the January 1, 2014 effective date of the new Guideline.
This audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which includes the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing.
Authority
This audit was conducted as a result of a risk-based management request.
Findings, Recommendations and Management Response
Objective 1: To assess the adequacy/effectiveness of examination and oversight activities undertaken within the Finance Branch in support of the MRAP regarding recommendations pertaining to the Annex to the Statement of Management Responsibility including ICFR that resulted from the 2012-2013 Audit of Key Financial Controls.
Follow-up from the Audit of Key Financial Controls
The PIC Team's revised practices are effective in ensuring that its PIC strategy is periodically updated, that compensatory controls in place during process and system changes will be considered for testing as part of providing ongoing assurance on ICFR, that evidence of the implementation of remediation actions is gathered and documented, and that the adequacy of remediation actions is evaluated by the PIC team within a 12-month testing cycle.
The implementation of a PIC Steering Committee is an effective means to ensure that issues are reported and dealt with at the appropriate level of management, and can be considered a best practice. The information pertaining to unresolved remediation actions from prior years' testing has not been disclosed in the current year's Annex.
In April 2013, Statistics Canada's Internal Audit Division reported on its Audit of Key Financial Controls - Statement of Management Responsibility Including Internal Control over Financial Reporting (ICFR). The audit concluded that while the activities supporting the framework in place were adequate, opportunities existed to ensure the Agency could sustain its ICFR assessment process cycle. It was recommended that the Agency's strategy be updated, and that areas requiring corrective actions and areas where assurance was not attained be clearly communicated.
The PIC strategy is periodically updated through an annual review process
During the previous audit of Key Financial Controls, there were a number of circumstances in which the testing schedule was not being followed. To ensure continued relevance of the strategy, the Internal Audit Division recommended that the PIC strategy be periodically updated and validated by the CFO and Chief Statistician.
The PIC team has implemented an annual review process. The testing strategy to assess compensatory controls is determined by reviewing business processes to ensure that planned system changes are identified. The annual review process is driven by the PIC team; Business Process Owners (BPOs) are consulted and are provided the opportunity to communicate any planned system changes. The impact of system changes on internal controls is then assessed by the PIC team through the annual review process. Once the annual review of business processes is completed, the PIC team will review and discuss the impact of system changes identified, and determine if the testing plan requires adjustment.
The 2015-2019 ICFR Risk Based Testing Plan replaces the PIC Strategy. It is updated annually, can be further adjusted as required, and is based on the assessment of results, changes and the impact of remediation actions.
The PIC Team's revised approach is effective in ensuring its PIC strategy is periodically updated.
Compensatory controls in place during process and system changes are considered for testing as part of providing ongoing assurance on ICFR
The previous audit of Key Financial Controls recommended that compensatory controls in place during process and system changes are considered for testing as part of providing ongoing assurance on ICFR.
In 2013-14, the PIC Team tested compensatory controls for all processes where testing had been postponed due to upcoming system changes. These processes were: Capital Assets, Salary Reconciliations for Payroll and Benefits, Operating Expenditures and Revenues.
The PIC Team's testing results showed that all compensatory controls were operating effectively with the exception of Payroll and Benefits. These results have been communicated to the appropriate business owners. As a result of the review and update of all ICFR business processes by the PIC team during 2013-14, no additional testing of controls was postponed due to system changes.
On the premise that process controls must continue to exist and be effective before and after changes are made and that in most cases, process controls and control objectives do not change even when accountability or tools are changing, the PIC team's approach going forward will be to follow the testing plan schedule, and not postpone testing. Should key controls become ineffective due to major systems changes, then the decision can be made to postpone regular testing and test compensatory controls. This will ensure that testing of compensatory controls is limited to instances where regular controls are no longer effective.
The PIC Team's revised approach ensures that compensatory controls in place during process and system changes will be considered for testing as part of providing ongoing assurance on ICFR.
The implementation of remediation actions is validated by the PIC team in a timely fashion
In the past, the PIC Team gathered information on the status of implementation of remediation actions through enquiry to the BPOs. The PIC team uses remediation follow-up templates to monitor the progress of the implementation of remediation plans. BPOs are asked to provide an update on the status of remediation plans to the PIC team on a quarterly basis in order to update the follow-up template.
The business process reviews conducted in 2013-14, and the annual review process described in the 2015-2019 ICFR Risk Based Testing Plan, combined with the assessment of PIC issues discussed during PIC team meetings, are adequate to ensure that evidence of the implementation of remediation actions is gathered and documented, and that the adequacy of remediation actions is evaluated by the PIC team within a 12-month testing cycle.
The implementation of the PIC Steering Committee is an effective governance and oversight tool, and a leading practice
The new Guideline for PIC requires that internal controls be managed through formal oversight and effective governance, including regular reporting to senior management, the deputy head and the DAC.
During 2013-14, the Financial Reporting Division (FRD) created the PIC Steering Committee. Three meetings have been held as of January 2014. Roles and responsibilities of the PIC Steering Committee were established and approved at the July 15th, 2013 meeting. Membership includes DGs that oversee areas where process controls are included and tested as part of the PIC framework. The purpose of the Committee is to inform members of proposed changes to the testing strategy and the progress made in various areas of PIC. The expected outcome of this new committee is to increase awareness of, and buy-in from BPOs on, the importance of PIC.
PIC Committee members receive information on the status of the PIC annual process, and propose changes to the testing plan. They are also reminded of the importance of the timely completion of remediation actions during meetings.
The implementation of a PIC Steering Committee is an effective means to ensure that issues are reported and dealt with at the appropriate level of management, and can be considered a leading practice.
Unresolved remediation actions from prior years' testing should be included in the current year's annex
In the past, information presented in the Annex to the Statement of Management Responsibility including Internal Control over Financial Reporting did not specifically outline the nature of the work that was required to achieve audit readiness, as it pertained to outstanding remediation items. The Internal Audit Division made a recommendation to ensure that the Annex clearly communicate the areas requiring corrective actions in order to achieve the state of audit readiness, and areas where assurance was not attained for any given period.
The information outlined in the 2012/13 Annex to the Statement of Management Responsibility including ICFR follows the template included in the new Guideline for the PIC. However, information pertaining to unresolved remediation actions from prior years' testing has not been disclosed in the current year's Annex.
The template provided in the new Guideline for PIC does not specifically address cases where control weaknesses remain unresolved for periods over 12 months. The core of the Guideline states that once the first full assessment has been completed, the department's Annex should reflect the ongoing monitoring stage; in the section pertaining to Status of Assessment, the Guideline requires information on plans to conduct the assessment work where remediation is to be completed in the years to follow.
Reporting annually on control weaknesses that remain unresolved for periods exceeding 12-months will encourage prompt corrective action and ensure they continue to be brought to senior management's attention.
Recommendation:
The Assistant Chief Statistician of Corporate Services (and CFO) should ensure that:
- The information regarding incomplete or pending remediation actions that had been disclosed in the Annex to the Statement of Management Responsibility including ICFR of previous years continues to be disclosed in the Annex in future years until remediation is completed.
Management Response:
Management agrees with the recommendations.
- The Director, Financial Reporting Division will ensure all pending items from prior years are resolved in a timely manner, using the PIC Steering Committee to ensure rigorous follow-ups, and will disclose remaining remediation actions from previous years in the Annex.
Deliverables and Timeline: Incomplete or pending remediation actions from previous years will be disclosed in the 2013-14 Annex to the Statement of Management Responsibility including ICFR which will be presented to the Chief Financial Officer, the Chief Statistician and the Departmental Audit Committee. This Annex will then be published with the Departmental Performance Report and Financial Statements on Statistics Canada's website, by November 2014.
Objective 2: To assess the adequacy/effectiveness of examination and oversight activities undertaken within the Finance Branch in support of the CFO's attestation for Cabinet Submissions.
CFO Attestation and Due Diligence Review
The Finance Branch is involved early in the development of Cabinet/TB submissions. The Director, Financial Planning Division (FPD), and finance officers provide advice and support to programs, and attend program meetings throughout the process to ensure that information is prepared to support various costs, in anticipation of potential internal and external due diligence challenges. This participation improves the quality of the submission and is a good practice, but the objectivity required to perform the due diligence review process should be strengthened.
Two teams (Costing team & PIC team) within the Financial Reporting Division (FRD) also support the development of Cabinet/TB submissions by providing recommendations for policy and conclusions on the effectiveness of internal controls. The audit found that the support provided for the development of Cabinet/TB submissions is adequate.
The audit found that the current design of the checklist template is not totally aligned with the assertion sub-criteria included in Annex B of the Guideline. During the file review, a number of gaps were noted in the documentation collected for the due diligence review process and challenge function. As a result, a number of assertion criteria could not be assessed by the auditors or a potential third party review. A sufficient management record documenting the due diligence process and challenge function, from which a third party can understand the scope of the review and testing of the assertions and assess how the CFO reached his conclusions and observations in the Attestation Letter, is needed in order to meet the requirements of the Guideline.
New Guideline for CFO Attestation
The Treasury Board Secretariat has issued a new Guideline on CFO Attestation for Cabinet Submissions (the Guideline), effective January 1, 2014. The purpose of this guideline is to provide a framework and practical guidance for the CFOs in the due diligence review and attestation they provide on the financial management aspects of Cabinet submissions.
As the accounting officer for the department, the Chief Statistician is ultimately responsible for the development and preparation of submissions, and for obtaining the sponsoring minister's sign-off. Both the CFO and senior departmental managers play important roles in developing the submission and in supporting due diligence and attestation. The CFO has a dual role of providing financial expertise to client-programs, and providing objective and independent advice to the Deputy Head.
The CFO's challenge and attestation role is based on corporate financial stewardship and as an objective strategic business adviser on matters such as risk management, the examination of financial options and cost containment.
Six fundamental assertions have been identified to characterize the elements of attestation and to convey the CFO's attestation conclusions in support of decision making. The CFO assertions1 are as follows:
- The nature and extent of the proposal is reasonably described and material assumptions having a bearing on the associated financial requirements have been disclosed and are supported.
- Significant risks having a bearing on the financial requirements, the sensitivity of the financial requirements to changes in key assumptions, and the related risk-mitigation strategies have been disclosed.
- Financial resource requirements have been disclosed and are consistent with the assumptions stated in the proposal, and options to contain costs have been considered.
- Funding has been identified and is sufficient to address the financial requirements for the expected duration of the proposal.
- The proposal is compliant with relevant financial management legislation and policies, and the proper financial management authorities are in place or are being sought through the proposal.
- Key financial controls are in place to support the implementation and ongoing operation of the proposal.
Before providing attestation, CFOs are expected to conduct a robust due diligence review and challenge function in order to attest to the integrity of the financial information and assumptions presented in Cabinet/TB Submissions. The Guideline states that this review should be based at a minimum on the six assertions listed above, and covers a set of criteria and sub-criteria outlined in Annex B of the Guideline (see Appendix B). An objective and independent due diligence review process should be conducted by staff other than those who directly participate in preparing the submission, and reporting relationships should be structured in a way that reduces the potential for influence, subjectivity and partisanship.
It is expected that a management record will be maintained and be sufficiently detailed for a third party to understand the scope of the due diligence and testing of the assertions and assess how the CFO's conclusions and observations in the Attestation Letter are supported. The Office of the Comptroller General encourages the use of a checklist to document the analysis/testing work performed by the CFO Attestation team, for each assertion criterion.
The roles and responsibilities of the due diligence review process and its independence need to be clearly defined
Statistics Canada has two program initiatives which require a Memorandum to Cabinet at the beginning of each five-year cycle and TB Submissions in order to obtain funding. The audit team interviewed key staff within the Finance Branch and program management, and reviewed the Finance Branch's organisational charts and departmental procedures documents in order to identify key employees involved in the preparation of Cabinet/TB submissions and those involved in the conduct of the due diligence review and challenge function. The audit team also assessed whether the roles and responsibilities of the CFO Attestation team and the independent nature of this function have been clearly defined, documented and understood.
At Statistics Canada, financial officers/advisors are directly involved in the preparation of TB Submissions. They are generally FI-02 and FI-03 level staff who functionally report to Financial Planning Division (FPD). They provide strategic financial advice and support to their respective client-program areas and are involved early in the process by providing financial technical assistance, drawing historical information from the departmental financial systems and compiling financial data, and by providing costing services to program managers for the development of financial assumptions for Cabinet/TB submissions. Engaging the finance officers during the development of Cabinet/TB submissions improves the quality of the submission and is considered a good business practice.
Two teams within the Financial Reporting Division (FRD) are also involved in the CFO Attestation process. The Costing Team provides advice to financial advisors/officers on costing methodology and templates to be used for compliance to financial legislation and TB policies. The PIC Team assesses the state of audit readiness for internal controls within programs on an on-going basis. These two teams are not directly involved in the preparation of Cabinet/TB Submissions, and provide an independent and objective outlook on matters related to compliance of the submission and internal controls. The audit found that the support provided for the development of Cabinet/TB submissions is adequate.
The Director FPD attends program meetings throughout the development of the TB Submissions, and performs analysis procedures as required on an on-going basis. Through interviews, it was noted that comparative analysis of information such as the previous project cycle's financial information and the current TB submission had been conducted, and questions had been raised with the program where significant differences/ increases existed. FPD carries out these activities in order to provide advice to the program to ensure that it prepares information to support various costs, in anticipation of potential questioning from TB. While the analysis conducted by FPD is critical, the objectivity required to perform the due diligence review process should be strengthened.
The Finance Branch has developed a checklist which is divided into six sections based on the fundamental assertions. It is to be completed by the program management team and financial staff who are directly involved in the preparation and development of the submission. Once they have compiled and vetted the information, the checklist is signed by various levels of program management, up to the Assistant Chief Statistician (ACS). The results of this exercise yield substantiation binders that are to be used by the Chief, TB Submissions to carry out an independent due diligence review as per the Guideline.
Throughout the TB submission process, the Finance Branch organises debriefing sessions with the ACS and CFO to provide a walk-through of the binder information collected from the program. During this process, the program's management team and assigned financial officers/advisors present information related to key assumptions, costing, financing options, and other details to the CFO, who in turn challenges the information provided.
Currently, reliance is placed on the work performed by the financial officers who compile the financial information for the program in order to meet the requirements of an independent/objective due diligence review. Because they are directly involved in compiling the information for the Cabinet/TB submissions, this impairs their ability to objectively review the information as required by the Guideline. To fully meet the requirements of the new Guideline for CFO Attestation, roles and responsibilities of parties involved in the CFO Attestation need to be clearly defined, and objectivity and independence of the due diligence review process and challenge function should be strengthened.
The Due Diligence Review Process is not sufficiently documented to meet the requirements of the new Guideline
To assess whether a management record supports the due diligence review conducted, as described in section 4.3.4 of the Guideline, the audit team reviewed all available documentation compiled by FPD in support of the CFO Attestation for two recent program initiatives: a Memorandum to Cabinet and one TB Submission. The supporting evidence consisted of substantiation binders which included checklists completed by those involved in preparing the submission, financial and non-financial reports, and tables prepared by the programs.
The audit compared the design of the checklist template developed by the Finance Branch for alignment with the assertion criteria included in Annex B of the Guideline. The audit found that the current design of the checklist template is not totally aligned with the assertion sub-criteria included in Annex B of the Guideline. There are a number of questions where the link to the assertion criteria is not clear. For example, according to Annex B of the Guideline, criteria pertaining to risk management should include:
- Key risks have been considered;
- Likelihood and impact of key risks has been considered; and
- Risk response and mitigation strategies are clear.
In section 2.1 of the Finance Branch's checklist template, which pertains to risk management, examples of questions that have been included are:
- Have all the key stakeholders been consulted? If so, attach a written confirmation from each area;
- Has HR capacity been confirmed?
- Have resource needs been analysed?
It was not apparent how these questions were linked to risk management in the context of the new Guideline, and how they would yield information that would be useful for the assessment of the assertion criteria on risk management.
During the file review, the audit found a number of gaps in the documentation collected for the due diligence review process and challenge function. There were instances where the program checked off that the documentation for certain assertions was either not applicable, or that documentation would be available at a later time, or that the information was available but it was not included in the binder. The following are specific examples of criteria for which no documentation had been produced for review: financial sensitivity analysis for cost drivers having a material impact on resource requirements; compliance with relevant financial management legislation and policies; and spending or expenditure authorities. Consequently, a number of assertion criteria could not be assessed by the auditors or a potential third party review.
Through interviews, the audit team was able to corroborate that the Director FPD had raised questions with the program after comparative analysis of the previous project cycle's financial information and the current TB submission. When significant differences existed between the last project cycle and the current financials, the program was directed to prepare sufficient information to support these costs. Conclusions drawn from this analysis are not formally documented through meeting minutes or record of decisions and cannot be linked to results of the CFO Attestation.
Consequently, the audit team could not determine what analysis or testing had been conducted, what rationale supporting various costs presented by the program was deemed to be satisfactory, and which conclusions were drawn to support the CFO Attestation.
A sufficient management record documenting the due diligence process and challenge function, from which a third party can understand the scope of the review and testing of the assertions and assess how the CFO reached his conclusions and observations in the Attestation Letter, is needed in order to meet the requirements of the Guideline.
Recommendations:
The Assistant Chief Statistician of Corporate Services (and CFO) should ensure that:
- The roles and responsibilities of staff involved in the CFO Attestation have been refined and documented in a manner that addresses requirements of independence as expressed in the Guideline.
- The maintenance of management records which support the CFO's analysis, conclusions and Attestation Letter is established and documented, in accordance with section 4.3.4 of the Guideline.
Management Response:
Management agrees with the recommendations.
- The Director, Financial Reporting Division, the Director, Financial Planning Division, the Deputy Chief Financial Officer (DCFO) and the CFO will establish, document and communicate clearly the roles and responsibilities of all parties involved in the CFO attestation process, in a manner that addresses requirements of independence as expressed in the Guideline.
Deliverables and Timeline:
- The roles and responsibilities of all parties involved in a cabinet document submission process will be developed and documented in a manner that will address the requirements of independence as expressed in the Guideline, by September 2014.
- The roles and responsibilities will be validated with a working group made up of participants from a sample of recent cabinet document submission processes, by October 2014.
- The final proposal will be reviewed and approved by the DCFO and CFO, by November 2014.
- The roles and responsibilities will be published on the Corporate Services Hub, by December 2014.
- The Director, Financial Reporting Division, the Director, Financial Planning Division, the DCFO and the CFO will maintain management records which support the CFO's analysis, conclusions and Attestation Letter.
Deliverables and Timeline:
- A protocol for recording the analysis and conclusions from the discussions with the DCFO and CFO will be developed, as part of the formalized review and attestation process. To be implemented by September 2014.
- More explicit descriptions of supporting documents, included as evidence for each of the checklist sections, will also be included to improve the comprehension by a third party, of the depth of the analysis completed and analyzed by the CFO and his team. To be implemented by December 2014.
Appendices
Appendix A: Audit Criteria
Control Objective / Core Controls / Criteria | Sub-Criteria | Policy Instrument |
---|---|---|
1) To provide assurance to the Chief Statistician (CS), the Chief Financial Officer (CFO) and the Agency's Departmental Audit Committee (DAC) on the adequacy and effectiveness of examination and oversight activities undertaken within the Finance Branch and in support of: | | |
1.1 Compensatory controls in place during process and system changes are considered for testing as part of providing ongoing assurance on ICFR. | 1.1.1 Planned system changes are identified and communicated to PIC team. 1.1.2 Impact of system changes on internal controls are assessed by PIC team. 1.1.3 Testing strategy is determined (i.e. testing of compensatory controls) and controls are tested. 1.1.4 PIC strategy is updated, PIC issues are identified and communicated in a timely manner. | Policy on Internal Control (PIC) Preliminary Draft Diagnostic Tool for Departments and Agencies. July 2010. The Policy on Financial Management Governance |
1.2 The monitoring process includes timely validation on the state of completeness of remediation actions reported by business process owners. | 1.2.1 There is a monitoring process to validate the state of completeness of remediation actions reported by business process owners. 1.2.2 Evidences of the implementation of remediation actions are gathered and documented by PIC team. 1.2.3 Adequacy of remediation actions are evaluated by PIC team. 1.2.4 Issues are reported and discussed to PIC steering committee as required. | |
2) To provide assurance to the Chief Statistician (CS), the Chief Financial Officer (CFO) and the Agency's Departmental Audit Committee (DAC) on the adequacy and effectiveness of examination and oversight activities undertaken within the Finance Branch and in support of: | | |
2.1 The governance structure in place within the Finance Branch supports the due diligence attestation process. | 2.1.1 Roles and responsibilities have been clearly defined, documented and understood. 2.1.2 Processes and tools have been developed in support of the CFO attestation process. 2.1.3 TB sub approval authorities are clearly established, and followed. 2.1.4 Milestones and timelines have been adjusted and include sufficient time to conduct due diligence. 2.1.5 Responsibilities have been delegated to ensure that the independence/objectivity of the CFO with regards to the preparation of Cabinet/TB submissions is maintained. | Guideline on Chief Financial Officer Attestation for Cabinet Submissions (Effective Jan. 1st, 2014) |
2.2 The CFO has developed a due diligence review process to satisfy himself that the TB sub information is reasonable, complete, reliable and relevant. | 2.2.1 The assessment of the financial information in a TB sub is premised by the 6 assertions contained in Annex B of the Guideline on CFO Attestation. 2.2.2 The CFO Attestation is based on the conduct of a formal due diligence review and challenge process performed by CFO Attestation staff. 2.2.3 Evidence of the work performed during the review process is maintained. 2.2.4 The CFO Attestation staff has the required competencies to perform the due diligence review and challenge function. 2.2.5 The CFO is involved early with the program, reviews TB submission information and addresses any matters identified. | |
2.3 The CFO Attestation Letter formally communicates the CFO's final observations and overall conclusions over the six assertions at the date of signature. | 2.3.1 If necessary, the Attestation Letter includes observations regarding non-compliance with a specific assertion, or if critical information is missing or inadequate, or if the due diligence has been limited. 2.3.2 The CFO overarching opinion takes into account conclusions and observations made over the 6 assertions. | |
Appendix B: Assertions and Details from the Guideline to CFO Attestation
Assertion 1: The nature and extent of the proposal is reasonably described and material assumptions having a bearing on the associated financial requirements have been disclosed and are supported.
Rationale:
In signing off on this assertion, the CFO has undertaken reasonable due diligence to ensure that the proposal is suitably described and that the material assumptions and estimates (usually developed under the authority of the Senior departmental manager) having a significant impact on the associated financial requirements have been disclosed appropriately and are supported by documentation.
The assumptions are the underpinning hypotheses of the proposal on which the financial requirements are based. They are foundational to understanding and reviewing the proposal's financial implications. They may pertain to the scope, timeline, departmental capacity or program design of the proposal, as well as to assumptions regarding client eligibility and uptake, future market conditions, environmental context and other factors specific to the proposal.
Criterion 1.1 Key financial assumptions are clearly documented.
Sub-Criteria
1.1.1 All key assumptions have been documented and have been clearly disclosed in a manner that is understandable.
1.1.2 The impact of key assumptions on the financial requirements is explained.
For illustrative purposes, as applicable: Are you comfortable your sign-off is supported by the following:
- Documentation related to key assumptions, such as projections, economic and market conditions, client uptake, plans and contingencies.
- Documentation through which a future reader/reviewer would be able to follow the rationale for the various assumptions.
- Documentation linking the key assumptions to the impacts on the financial requirements.
Criterion 1.2 Key financial assumptions are reliable.
Sub-Criteria
1.2.1 Given the current environment and information available, assumptions are reliable, and those that have a high potential to change have been disclosed.
1.2.2 Consideration has been given to potential future events and to changes that may have material financial impact on the initiative.
For illustrative purposes, as applicable: Are you comfortable your sign-off is supported by:
- Assumptions that are timely, objective, consistent and based on the best available information at the time and the resources available.
- The identification and disclosure of assumptions that have the highest potential to change prior to, and during, the initiative.
- A consideration of the possible material financial impacts for those assumptions.
Assertion 2: Significant risks having a bearing on the financial requirements, the sensitivity of the financial requirements to changes in key assumptions, and the related risk-mitigation strategies have been disclosed.
Rationale:
In signing off on this assertion, the CFO has undertaken reasonable due diligence to ensure that significant project and initiative risks have been identified and considered, and where there are significant financial implications as a result, that there are risk mitigation and response strategies. The correlation and sensitivity of the financial requirements to the potential risk of the financial assumptions and related information changing is an important aspect of the analysis.
The sound assessment and disclosure of the proposal's financial risks are fundamental to informed decision making. This also includes risk mitigation and risk response, which may include exit strategies and the resulting financial impacts. The correlation and sensitivity of the financial requirements to the potential risk of the financial assumptions and related information changing is an important aspect of clarity.
Criterion 2.1 Key risks have been considered.
Sub-Criteria
2.1.1 Given the current environment and information available, key risks having financial impact are identified, clearly described and disclosed as appropriate.
2.1.2 Risks have been considered in the context of the departmental Corporate Risk Profile.
For illustrative purposes, as applicable: Are you comfortable your sign-off is supported by:
- The identification and disclosure of key risks that have a material financial impact.
- Due consideration of risk information sources across the department, such as the Corporate Risk Profile; risk register(s); branch, project and program risk profiles, reviews, evaluation reports and program audits, as applicable.
Criterion 2.2 Likelihood and impact of key risks has been considered.
Sub-Criteria
2.2.1 The likelihood and impact of the key risks on the financial requirements, should the risks materialize or the assumptions change, has been considered, assessed and articulated.
2.2.2 The sensitivity of the financial requirements to change, should a key risk materialize, has been considered.
For illustrative purposes, as applicable: Are you comfortable your sign-off is supported by:
- Assessment, analysis and articulation of changes in financial requirements, should certain risks materialize or the assumptions change.
- Consideration of the magnitude of change, including timing, to the financial requirements for the initiative or department should a key risk materialize.
Criterion 2.3 Risk response and mitigation strategies are clear.
Sub-Criteria
2.3.1 The mitigation strategies for key risks with financial impacts are clear and reasonable.
2.3.2 The risk response and mitigation strategies for key risks with financial impacts are scaled to the likelihood and impact of the risks.
For illustrative purposes, as applicable: Are you comfortable your sign-off is supported by:
- Clear and reasonable mitigation strategies for key risks with financial impacts.
- Risk response and mitigation strategies for key risks with financial impacts that are scaled to the likelihood and impact of the risks.
- Accountabilities that have been established for the implementation of key risk response and mitigation strategies.
Assertion 3: Financial resource requirements have been disclosed and are consistent with the assumptions stated in the proposal, and options to contain costs have been considered.
Rationale:
In signing off on this assertion, the CFO has undertaken reasonable due diligence to ensure that the costing methodologies are appropriate, given the type of initiative (i.e., legislative, strategic policy, procurement, project, transfer payment) and the stage in the initiative's development. Due diligence also considers whether the future requirements for financial resources have been assessed and communicated with the commensurate level of detail.
Given that over the life of a project or initiative uncertainties will diminish, the CFO considers whether the costing information is consistent with the type of initiative or project, its definition level and the approval authorities being sought. This includes consideration of potential associated costs on other stakeholders (e.g., other federal departments, other levels of government, private sector organizations, recipients of transfer payments), as appropriate. As a strategic business advisor with financial management expertise, the CFO also plays a corporate challenge role to ensure that the containment of costs that complement or augment such considerations are applied; that the proposal reflects effective, efficient and economical resource use; and that other alternatives have been considered. CFOs review the formulation of the proposal's expenditures, revenues and cost reduction strategies to ensure that all relevant financial requirements have been assessed and communicated with the commensurate level of detail.
Criterion 3.1 A costing methodology has been established and used.
Sub-Criteria
3.1.1 The costing methodology has been established and is consistent with the principles and concepts in the TBS Guide to Costing and relevant TB policies, such as the Policy on Investment Planning – Assets and Acquired Services.
3.1.2 The costing methodology used is consistent with the stage of the initiative's development and with the methodology used in prior proposals. Where this is not the case, the costing methodology has been documented and rationalized.
3.1.3 All major costs (e.g., life-cycle or incremental costs, as appropriate) have been considered, incorporated and disclosed in a clear and understandable manner, and broken down.
3.1.4 Departmental delivery and administrative or overhead costs have been separated from direct program costs and have been disclosed as necessary.
For illustrative purposes, as applicable: Are you comfortable your sign-off is supported by the following:
- A costing methodology, appropriate for the initiative, that is consistent with the TBS Guide to Costing and relevant TB policies, such as the Policy on Investment Planning – Assets and Acquired Services and the Policy on the Management of Projects.
- A methodology that is appropriate for the initiative at this stage of development and for the type of decision being made, which is used and understood by all parties. It should be clear whether indicative or substantive costs, as appropriate, were developed and are being proposed. Note that more than one set of costing and forecasting figures may be required, such as the contract cost as well as the life-cycle cost.
- A costing methodology that has been documented and rationalized, where it is different from the costing methodology used in prior proposals.
- Consideration of all major costs (life-cycle or incremental costs, as appropriate, and direct and indirect costs), which have been incorporated and disclosed in a clear and understandable manner and broken down (e.g., fiscal year, cash and accrual, major components, operating versus capital, transfer payments). The necessary tables in the submission have been completed and numbers can be traced back to assumptions.
- The use of an appropriate methodology to calculate and disclose departmental delivery and administrative or overhead costs separately from direct program costs.
- An appropriate methodology for estimation of Full-Time-Equivalent requirements in the department.
Criterion 3.2 Financial requirements are clear, accurate, complete and consistent with assumptions.
Sub-Criteria
3.2.1 The financial requirements analysis considers all of the proposal's assumptions and risks articulated in assertions 1 and 2.
3.2.2 Calculations that affect financial resource requirements have been reviewed and validated, resulting in accurate financial information.
3.2.3 For procurements and contracts, taxes have been correctly considered.
For illustrative purposes, as applicable: Are you comfortable your sign-off is supported by the following:
- Financial requirements analysis that considers all of the proposal's assumptions and key risks articulated in the assertions 1 and 2.
- Calculations, spreadsheet data, spreadsheet formulae or calculations, and financial models that have been reviewed and validated. Further, there are no material errors and omissions in the data or calculations.
- Correct exclusion of GST/HST for budgeting and expenditure purposes, and appropriate inclusion of GST/HST for contract limits and approvals. Correct handling of QST, as applicable, and consideration of any import or other duties.
Criterion 3.3 Sensitivity of resource requirements is reflected.
Sub-Criterion
3.3.1 Financial sensitivity analysis, for cost drivers that have a material impact on resource requirements, has been documented.
For illustrative purposes, as applicable: Are you comfortable your sign-off is supported by the following:
- A documented financial sensitivity analysis, for cost drivers that have a material impact on resource requirements.
Criterion 3.4 The proposal reflects the effective, efficient and economical use of the Government of Canada's resources.
Sub-Criteria
3.4.1 Costs have been challenged, and other options to contain costs have been considered and documented.
3.4.2 Strategic partnerships, alternative delivery mechanisms and other efficiency approaches have been considered.
3.4.3 Efforts have been made to self-fund or re-allocate funding.
3.4.4 The proposal is financially sustainable and will not cause undue pressure on the department, now or in the future.
For illustrative purposes, as applicable: Are you comfortable your sign-off is supported by the following:
- Costs that have been challenged based on available information, and consideration and documentation of other options to contain costs. This includes innovative options and the status quo scenario.
- Consideration of strategic partnerships, alternative delivery mechanisms and other efficiency approaches. Partnerships and alternative delivery agents could include other government departments, provinces, universities, for-profit corporations and not-for-profit corporations. Public-Private Partnerships, lease purchase, long-term lease, contracting out and use of grants and contributions could be considered.
- Consideration of self-funding or re-allocation of funding and resources within the department or government.
- A financially sustainable proposal, based on the available information, and not expected to cause undue pressure on the department, now or in the future.
Assertion 4: Funding has been identified and is sufficient to address the financial requirements for the expected duration of the proposal.
Rationale:
In signing off on this assertion, the CFO has undertaken reasonable due diligence to ensure that the financial requirements for the government as well as for the department are supported by an appropriate funding and financing strategy.
Sound decision making requires an understanding of the proposal's financial commitment implications for the government as well as for the department. An indication of the sustainability of the financing strategy is fundamental to this understanding. While CFOs are not expected to confirm the source of funds where external to the organization, they do play a key role in ensuring that the financial requirements are supported by an appropriate funding and financing strategy. Further, leveraging the CFO's insights on the sustainability of internal funds is of particular relevance for cost-containment considerations.
Criterion 4.1 A robust financing strategy has been developed.
Sub-Criteria
4.1.1 The funding has been disclosed, and all of the financial requirements have been associated with a source of funds.
4.1.2 As appropriate, applicable financial contributions from strategic partners have been considered, giving a full and complete picture.
For illustrative purposes, as applicable: Are you comfortable your sign-off is supported by the following:
- Disclosure and documentation of the funding, including the source.
- Sufficient funding for all of the financial requirements necessary for the initiative.
- Consideration of applicable financial contributions from strategic partners, and a level of confidence that the partner has obtained or can obtain this funding, and that the appropriate transfer or spending authorities are in place.
Criterion 4.2 Strategies have been considered in the case of contingencies.
Sub-Criterion
4.2.1 Reasonable funding strategies have been developed to deal with major contingencies or changes arising.
For illustrative purposes, as applicable: Are you comfortable your sign-off is supported by the following:
- Reasonable funding strategies (e.g., cancellation, reducing project scope or complexity, internal re-allocation, re-profiling, seeking additional funding) to deal with major contingencies or changes arising.
Criterion 4.3 Funding is sustainable.
Sub-Criteria
4.3.1 The human resources and capital assets strategy associated with the proposal is consistent with the funding profile.
4.3.2 Should a proposal's funding sunset in the future, there are appropriate strategies for completing, winding down or sustaining operations.
For illustrative purposes, as applicable: Are you comfortable your sign-off is supported by the following:
- Reasonable human resources and capital asset strategies and plans. The ramp-up of hiring, contracting, acquisition and systems is achievable and consistent with the funding profile. The exit strategy and provision for winding down activities is appropriate, if the initiative has a planned wind-down or is to sunset. These could include plans and funds for reducing staff levels, disposing or selling assets, and restoring and decontaminating sites.
- The identification of strategies for alternate funding to sustain operations if the initiative is to continue past the period where funding is provided.
- A plan for the department to manage future enquiries, records management and outstanding accounting and for activities such as winding up outstanding legal issues, conducting final audits and program evaluations, issuing a final report and conducting lessons-learned exercises after the termination date, as applicable.
Assertion 5: The proposal is compliant with relevant financial management legislation and policies, and the proper financial management authorities are in place or are being sought through the proposal.
Rationale:
In signing off on this assertion, the CFO has undertaken reasonable due diligence to ensure that proposals have the necessary legislative and policy authorities when being brought forward and are compliant. Non-compliance has been identified, and any financial management exemptions will be brought forward or identified.
The CFO, as the key steward with respect to financial management legislation, policies and authorities, is well positioned to ensure that proposals are compliant and have, or will have, the necessary authorities when being brought forward, or are contingent on having authorities in the future. The CFO will also confirm any financial management authority policy exemptions necessary to support the proposal.
Criterion 5.1 The proposal is compliant with relevant financial management legislation and policies.
Sub-Criteria
5.1.1 The proposal is compliant with relevant financial management legislation and policies, and non-compliance areas have been identified.
5.1.2 In situations of non-compliance, the department already has an exemption, or is seeking or will seek an exemption.
For illustrative purposes, as applicable: Are you comfortable your sign-off is supported by the following:
- The identification of any areas of financial non-compliance. This includes consideration of relevant financial legislation and regulations and financial policies, directives and standards.
- Full disclosure of finance-related exemptions that have been obtained in the past or are being sought.
- The identification and disclosure of future legislative amendments, policy changes or other actions that will bring non-compliant financial activities into compliance.
Criterion 5.2 The proposal includes the necessary spending or expenditure authorities.
Sub-Criterion
5.2.1 The proposal includes the necessary spending or expenditure authorities, or alternatively they are being identified.
For illustrative purposes, as applicable: Are you comfortable your sign-off is supported by the following:
- Clear description of the necessary spending or expenditure authorities that are being requested.
- Identification of necessary spending or expenditure authorities from other sources or means.
Assertion 6: Key financial controls are in place to support the implementation and ongoing operation of the proposal.
Rationale:
In signing off on this assertion, the CFO has undertaken reasonable due diligence to ensure that the system of financial controls critical to an initiative's success and oversight are, or will be, in place.
Effective financial controls, which include or are embedded within appropriate governance, business processes, financial systems and reporting mechanisms, are critical to an initiative's success and oversight. The system of financial controls needs to accommodate the implementation and monitoring of the new proposal. The Policy on Internal Control requires an annual risk-based assessment of the system of internal controls over financial reporting.
Criterion 6.1 The internal system of financial controls will continue to operate effectively.
Sub-Criteria
6.1.1 There is, or will be, an effective system of internal financial controls, consistent with the TB Policy on Internal Control.
6.1.2 Relevant concerns from reviews, audits, evaluations and internal control assessments have been considered.
6.1.3 Financial reporting and monitoring will provide reliable financial information to meet oversight needs.
For illustrative purposes, as applicable: Are you comfortable your sign-off is supported by the following:
- An effective system of internal financial controls, consistent with the TB Policy on Internal Control, currently in place to support the implementation and operations of the initiative, or for a new initiative, that will be in place at the appropriate time.
- A plan to manage and correct any relevant concerns in the design, development and operation of this initiative where previous reviews, audits, evaluations and internal control assessments have been conducted on similar programs.
- A plan for the preparation of meaningful financial management information and reports, containing timely and reliable information in order to meet management oversight needs at all levels.
Appendix C: Acronyms
Acronym | Description |
---|---|
ACS | Assistant Chief Statistician |
BPO | Business Process Owner |
CFO | Chief Financial Officer |
DAC | Departmental Audit Committee |
DCFO | Deputy Chief Financial Officer |
FPD | Financial Planning Division |
FRD | Financial Reporting Division |
ICFR | Internal Control over Financial Reporting |
IIA | Institute of Internal Auditors |
PIC | Policy on Internal Control |
the Policy | The Policy on Financial Management Governance |
the Guideline | Guideline on Chief Financial Officer Attestation for Cabinet Submissions [Effective: 2014-01-01] |
MRAP | Management Response Action Plan |
TB | Treasury Board |
Footnotes
- Footnote 1: Details of CFO assertions can be found in Appendix B of this report.