Description for Figure 1 - Integrated Strategic Planning Process (ISPP)

The chart is a flow chart description of the Integrated Strategic Planning Process (ISPP) which consists of six steps. The first four steps of the ISPP are known as the LTP process which is the first phase of the ISPP, and steps five and six take place during Project Implementation, which is the second phase of the ISPP.

The flow chart begins with the first column, which is labeled the LTP process. The first box in the LTP process column, in Stage 1: Idea Generation, shows that the first step of the ISPP starts in April of each year with a Strategic Direction session to align strategic direction with priorities and emerging issues, and that the second step of the ISPP is from May to June, when managers develop a high level business proposal to request funding through the LTP process. Proposals are grouped into three main categories for decision: Corporate Business Architecture (CBA) improvements and initiatives; Continuity and Quality maintenance (CQM) of existing programs; and New Initiatives / Enhancements. Proposals supported for further consideration by the Senior Management Review Board move to the second box in the LTP process column. The second box in the LTP process column, in Stage 2: Project Assessment, shows that the third step of the ISPP is from July to October, when programs develop investment proposals which are presented in Step 4 in November at the Senior Management Review Conference for approval. This marks the end of the LTP process.

Projects approved in November from this point move to the Project Implementation column which is the second phase of the ISPP. The first two boxes in the Project Implementation column in Stage 3: Project Initiation and Stage 4: Project Planning show that the fifth step of the ISPP is from December to March when programs initiate, plan and communicate with the stakeholders about the new LTP projects. The last two boxes in the Project Implementation column in Stage 5: Project Execution and Stage 6: Project Close-out show that the sixth and final step of the ISPP is the on-going monitoring of the LTP projects.

Description for Figure 2 - Stages of the LTP Process

This chart illustrates the two stages of the LTP process that fall within the Integrated Strategic Planning Process (ISPP). The first four steps of the ISPP are known as the LTP process. These four steps have been divided into two stages in the flow chart. The first two steps correspond to the first stage of the LTP process, which is the Idea Generation stage, and the two other steps correspond to the second stage of the LTP process, which is the Project Assessment stage.

The flow chart begins with Stage 1 Idea Generation, where CBA and non-CBA business proposals are prepared by programs for review and approval. The chart illustrates that Corporate Business Architecture (CBA) proposals go through an approval process by both the CBA management committee and Field Planning Boards (FPBs). The flow chart shows that non-CBA projects only go through the FPBs for approval. Both CBA and non-CBA proposals that have been approved flow to the SMRB for gate 1 approval and consideration for funding. Proposals approved for consideration move to Stage 2 Project Assessment. In this stage, programs must prepare a Project Complexity and Risk Assessment (PCRA), a Business Case, and Business Case Costing (BCC) template for all CBA and non-CBA proposals. The chart illustrates that CBA proposals separate from non-CBA proposals and must go back to the CBA Management Committee for approval. Once this approval is given, CBA proposals merge back with non-CBA proposals and then move to the FPBs to have the Business Case and BCC forms approved. Those approved proceed to SMRB Gate 2 for approval and funding. All approved LTP proposals are recorded in the Agency’s Decision Record known as the Blue Book.

 
 

Audit of Data Sharing Agreement:
British Columbia Ministry of Health

Audit Report

April 22, 2013
Project Number: 80590-77

Executive Summary

Data Sharing Agreements (DSAs) are a key Statistics Canada business process. In recent years, data sharing has become a growing and increasingly complex area to manage. Ensuring confidentiality of data is a challenge. Health Statistics Division (HSD) enters into DSAs with provincial Health Ministries under the authority of section 12 of the Statistics Act. The DSAs currently in place with the British Columbia Ministry of Health (the Ministry) allow for sharing of statistical health survey information obtained through the Canadian Community Health Survey (CCHS) and the National Population Health Survey (NPHS).

Currently, Statistics Canada is replacing its existing DSAs with an Omnibus data sharing agreement governing the collection and sharing of information from several selected health surveys with the British Columbia Ministry of Health. The Omnibus DSA includes terms and conditions (T&Cs) governing the use, confidentiality, access, monitoring and compliance of information, and physical and information technology security. This audit was conducted as the Ministry prepares to implement the T&Cs of the Omnibus DSA, in order to assess the extent to which practices are in place to meet the requirements set forth in the Omnibus DSA.

The objective of this audit is to provide assurance to the Chief Statistician (CS) and Statistics Canada's Departmental Audit Committee (DAC) that:

  • The Terms and Conditions of the Omnibus data sharing agreement between Statistics Canada and the British Columbia Ministry of Health are met.

The audit was conducted by Internal Audit Services in accordance with the Government of Canada's Policy on Internal Audit.

Key Findings

Authorities, responsibilities and accountabilities for the management and handling of Statistics Canada health survey information are appropriately segregated and formally defined, documented and communicated at the Ministry's Senior Management level; however further work is required to ensure functional roles and responsibilities are documented, communicated and understood at the operational level.

The Ministry has established appropriate internal protocols to meet the requirements set out in the Omnibus data sharing agreement. The Ministry has transferred responsibility for the management of Statistics Canada health survey information out of the program area (where it previously resided), and into the Ministry's Health Sector Information Management and Information Technology Division. The Ministry has designed a set of practices for protection and safeguarding of Statistics Canada health survey information that is housed within the Ministry.

The Ministry has yet to put in place revised third party agreement templates reflective of the requirements set forth in the Omnibus data sharing agreement. This is an important activity for the Ministry to undertake, to ensure that appropriate safeguards are in place over the full lifecycle of Statistics Canada health survey information.

Effective controls for physical access to the Ministry's premises and physical storage have been designed. The Ministry's Policies and Procedures Manual provides prescriptive guidance and direction in the areas of physical and electronic access; identification and authentication safeguards, IT storage and transmission; and information copying, retention and records management to meet the requirements set out in Statistics Canada's Omnibus data sharing agreement. It is important to note that at the time of the audit, the Ministry was implementing these requirements.

Overall Conclusion

Statistics Canada is replacing its existing DSAs with an Omnibus data sharing agreement governing the collection and sharing of information from several selected health surveys with the British Columbia Ministry of Health. The Omnibus DSA includes terms and conditions governing the use, confidentiality, access, monitoring and compliance of information, and physical and information technology security.

An examination of the adequacy and, where possible, the effectiveness of the processes and practices put in place by the Ministry to comply with the requirements set out in the Omnibus data sharing agreement revealed that the Ministry has taken steps to design practices, policies and procedures to meet the requirements set forth in the Omnibus data sharing agreement. However, further work is required in two areas, prior to the release of statistical health survey information to the BC Ministry of Health: (1) Functional roles and responsibilities for the management and handling of Statistics Canada health survey information need to be clearly defined and communicated to staff at the operational level. (2) Third party agreement templates must fully reflect the requirements of the Omnibus data sharing agreement that is being implemented between Statistics Canada and the BC Ministry of Health.

Conformance with Professional Standards

The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which includes the Institute of Internal Auditors (IIA) Internal Standards for the Professional Practice of Internal Auditing.

Introduction

Background

The Health Statistics Division (HSD) at Statistics Canada has the mandate to provide accurate, timely and relevant information regarding the health of Canadians. HSD provides statistical information about the health of the population, the determinants of health, and the scope and utilization of Canada's health care resources. This information is used to assist and support health planners and decision-makers at all levels of government, to sustain demographic and epidemiological research, and to report to the Canadian public about their collective health and health care system. The HSD works in partnership with provincial and territorial vital statistics registrars and cancer registries as well as data providers and users at the federal level (Health Canada and the Public Health Agency of Canada), provincial level (provincial ministries of health), and the regional level (health authorities).

To achieve its mandate, Statistics Canada may, pursuant to section 12 of the Statistics Act (the Act), enter into an agreement for the exchange of information collected from a Respondent, and the Chief Statistician may, pursuant to paragraph 17(2)(a) of the Act, disclose information collected by persons, organizations or departments for their own purposes and communicated to Statistics Canada. These agreements cover a majority of household surveys, and enjoy certain exceptions regarding the release of confidential respondent information provided that the legal requirements for the provision of data-sharing information, consent rights, and confidentiality protection are respected by all parties.

Statistics Canada is replacing its existing data sharing agreements (DSAs) with the British Columbia Ministry of Health (the Ministry) with an Omnibus data sharing agreement for the collection and sharing of information from several selected health surveys, including the Canadian Community Health Survey (CCHS) and the National Population Health Survey (NPHS).

The Canadian Community Health Survey (CCHS) is a cross-sectional survey which collects information related to health status, health care utilization and health determinants for the Canadian population. It is an annual survey which relies upon a large sample of respondents and is designed to provide reliable estimates at the health region level. The uniqueness of these surveys arises from the regional nature of both content and survey implementation. These aspects allow for analysis of health data at a regional level, across Canada.

The National Population Health Survey (NPHS) collects information about the health of the Canadian population and related socio-demographic information. Every two years, the same individuals provide current and in-depth information on their physical and mental health status, use of health care services, physical activities, life in the workplace and social environment. The NPHS has now been discontinued.

The data collected through CCHS and NPHS are used extensively by the research community and other health professionals. Federal and provincial departments of health and human resources, social service agencies, and other types of government agencies use the information collected to plan, implement and evaluate programs to improve health and the efficiency of health services. Non-profit health organizations and academic researchers use the information for research on ways to improve health.

Audit Objectives

The objective of the audit is to provide assurance to the Chief Statistician (CS) and Statistics Canada's Departmental Audit Committee (DAC) that:

  • The Terms and Conditions of the Omnibus data sharing agreement between Statistics Canada and the Ministry are met.

Scope

Under the Omnibus data sharing agreement, the Ministry may share the data with third party recipients such as Health Authorities (HAs) within its jurisdiction; recognized provincial or university Research Institutes or Organizations; and researchers under contract to the Ministry. To protect the confidentiality and sensitive nature of the information collected by Statistics Canada, the agreement contains Terms and Conditions (T&Cs) to ensure that confidentiality of the information is not compromised.

The scope of this audit included an examination of the adequacy and, where possible, the effectiveness of the processes and practices put in place by the Ministry to comply with the requirements set out in the Omnibus data sharing agreement. The audit focused on the confidentiality and security (physical access, IT storage and transmission, physical storage, information copying, retention, and records management) safeguards that have been put in place by the Ministry to ensure data is protected and confidentiality is maintained.

Approach and Methodology

A site visit was conducted in December 2012 to assess the processes and procedures the Ministry has put in place to ensure the T&Cs of the new Omnibus data sharing agreement between Statistics Canada and the Ministry are met in preparation for receiving Statistics Canada confidential health survey information. The approach consisted of interviews with key Senior Management and personnel, and review of the processes, procedures and guidelines developed by the Ministry to meet the T&Cs of the agreement between Statistics Canada and the Ministry.

This audit was conducted following the Standards for the Professional Practice of Internal Auditing as per the Institute of Internal Auditors (IIA) and in accordance with the TBS Policy on Internal Audit.

Authority

This audit was conducted as a result of a risk-based senior management request.

Findings, Recommendations and Management Responses

Objective:  The Terms and Conditions of the Data Sharing Agreement (DSA) between Statistics Canada and the Ministry are met.

Control Environment for the Management of the Agreement

Authorities, responsibilities and accountabilities for the management and handling of Statistics Canada health survey information are appropriately segregated and formally defined, documented and communicated at the Ministry's Senior Management level; however further work is required to ensure functional roles and responsibilities are documented, communicated and understood at the operational level.

Authorities, responsibilities and accountabilities should be clearly defined and understood at all levels, to support effective management of the T&Cs of the Omnibus data sharing agreement. Monitoring of practices as outlined in the Omnibus data sharing agreement T&Cs should be in place to detect errors or potential errors which would otherwise increase operational risk.

Authority

Statistics Canada exercises its mandate to enter into statistical data sharing agreements with other organizations under the authority of sections 11 and 12 of the Statistics Act. The statistical health survey information provided to the BC Ministry of Health supports the Ministry in policy development, evaluating programs to improve health and the efficiency of health services, and sustaining demographic and epidemiological research.

Under section 12 of the Statistics Act, Statistics Canada is replacing its existing DSAs with the Ministry with an Omnibus data sharing agreement for the collection and sharing of information from several selected health surveys.

Roles and Responsibilities

The audit determined that roles and responsibilities for the management and handling of Statistics Canada health survey information are formally defined in two key documents: the CCHS Secure Lab Process document and the Ministry of Health Statistics Canada Health Survey Information: Policies and Procedures Manual.

Three levels of signing authority have been defined for the handling of Statistics Canada health survey information: the Assistant Deputy Minister, the Chief Data Steward, and the Data Custodian.

The Chief Data Steward and Executive Director, Information Management & Knowledge Services (IMKS) branch of the Ministry's Health Sector Information Management and Information Technology Division (HSIMT) will be the designated "Receiving Party's Official", responsible for ensuring processes and procedures are in place to fulfill the requirements set out in the DSA, and for ensuring that adequate protection is in place to provide for the security of the health survey information.

The Data Access and Stewardship Director, as the Data Custodian will be responsible for receipt and distribution of Statistics Canada health survey information. The Data Custodian will assume the responsibilities set out in Appendix 'C' of the Omnibus DSA for the whole lifecycle of Statistics Canada health survey information: data receipt, handling, storage, and transmission. As well, the Data Custodian will assume the responsibilities set out in the Ministry's information management policies, procedures and practices.

The Data Access and Stewardship group is supported in the handling and management of Statistics Canada health survey information by Data Warehouse Operations. The Director, Data Warehouse Operations serves as back-up for the Data Custodian. Data Warehouse Operations provides information technology support to IMKS branch, and will provide support for the secure lab housing Statistics Canada health survey information. This support includes the physical set-up of the secure lab, and performance of data processing and handling activities on an on-going basis.

At the operational level, responsibility for the management of third party contracts resides with the Data Access and Stewardship group. One team lead within the Data Access and Stewardship group will handle provincial university research institutes and British Columbia Health Authorities, and the second team lead will handle Information Sharing Agreements (ISAs) for researchers requested by the program areas. Members of the teams will deal with all the requests the Ministry receives from recognized provincial or university Research Institutes or Organizations, Health Authorities, and researchers. The team will review and adjudicate data requests, working with subject matter experts within program areas to determine whether information being requested is only that which is required to perform the work.

The audit found that while roles and responsibilities are defined and understood at the senior level within the Ministry, the same level of clarity and understanding is not in place at the operational level.  Functional roles and responsibilities for the team leads and team members in Data Access and Stewardship are not clearly defined and documented. Team members are not certain of how their roles will evolve once the Omnibus data sharing agreement is in place, and Statistics Canada confidential health survey information is received.

Lack of clearly defined and documented functional roles and responsibilities at the operational level may result in the prescribed T&Cs not being met, and Statistics Canada confidential health survey information not being adequately and effectively protected.

Monitoring

Clauses with respect to monitoring are prescribed by Statistics Canada in the Omnibus data sharing agreement. The Omnibus DSA states that "Statistics Canada shall have the right, when it determines necessary, to perform reviews of compliance with this Agreement". The DSA also prescribes that third party agreements entered into by the Ministry "shall contain a clause stipulating the right of Statistics Canada or the Ministry (the Receiving Party) to review compliance with the terms of this Agreement".

The audit found that the Ministry has not engaged in monitoring of agreements entered into with third parties in the past.

Interviews revealed that the Ministry intends to include a clause pertaining to monitoring of third parties when it revises its third party agreement templates. However, at the time of the audit, these revisions had not been completed. As a result, the audit team could not review the third party agreement templates to confirm whether or not a monitoring clause has been included. (This finding is addressed through the recommendations made under Data Stewardship.)

Recommendation:

The Assistant Chief Statistician (ACS) Social, Health and Labour Statistics Field should communicate with the Ministry to ensure the following is implemented:

  • Functional roles and responsibilities at the operational level, related to the handling of Statistics Canada Health Survey Information are defined, documented and communicated.

Management Response:

Management agrees with the recommendation.

  • The Director, HSD will request a list of all employees and their roles and responsibilities in terms of handling Statistics Canada Health Survey Information.

    Deliverable and Timeline: Letter to the Ministry, by April 2013.
  • As part of the Health Statistics process for on-going monitoring of access that will be implemented, the Ministry will be required to provide a list of employees with access to Statistics Canada Health Survey Information, including their roles and responsibilities.

    Deliverable and Timeline: A list of employee names with access to Statistics Canada Health Survey Information, including their roles and responsibilities, every six months.

Data Stewardship

The Ministry has established appropriate internal protocols to meet the requirements set out in the Omnibus data sharing agreement. The Ministry has transferred responsibility for the management of Statistics Canada health survey information out of the program area (where it previously resided), and into the Ministry's Health Sector Information Management and Information Technology Division. The Ministry has designed a set of practices for protection and safeguarding of Statistics Canada health survey information that is housed within the Ministry.

The Ministry has yet to put in place revised third party agreement templates reflective of the requirements set forth in the Omnibus data sharing agreement. This is an important activity for the Ministry to undertake, to ensure that appropriate safeguards are in place over the full lifecycle of Statistics Canada health survey information.

The Ministry has established an appropriate framework to manage the requirements set out in the Omnibus data sharing agreement. Internal protocols for the sound management of data should be in place to ensure the protection and safeguarding of Statistics Canada health survey information over the full lifecycle of the information.

Data Management

The BC Ministry of Health has transferred responsibility for the management of Statistics Canada health survey information from the Population and Public Health Division to the Health Sector Information Management and Information Technology (HSIMT) Division. This is a key control, as HSIMT is the Ministry's dedicated group for the management of health data, and not the ultimate users of the data.

Within HSIMT, responsibility for the administration and management has been appropriately segregated between two areas: Data Access and Stewardship, and Data Warehouse Operations.

As described under the Control Environment for the Management of the DSA, the Director of Data Access and Stewardship will be the designated Data Custodian and recipient, and will act as the liaison between Statistics Canada and the Ministry. Three Research Officers (ROs) reporting to the Data Custodian will be authorized to use the secure lab facility to work with the Statistics Canada confidential information. The ROs' role will include initial record linkage for survey respondents who have agreed to have their information linked; validation work; information maintenance; implementation of study specifications, and working in the secure lab to prepare research extracts.

Three Data Base Analysts (DBAs) reporting to the Director, Data Warehouse Operations group, will be authorized to use the secure lab facility, where they will provide the technical skills needed to prepare data files for use by the ROs.

Third Party Sharing

The Ministry can provide access to Statistics Canada confidential health survey information to:

  • Researchers working under contract directly for the Ministry to provide a Survey-related product or service for the sole benefit of the Ministry.
  • Provincial/territorial or university research institutes working under contract directly for the Ministry to provide a Survey-related product or service for the sole benefit of the Ministry.
  • Six British Columbia regional Health Authorities. However, Statistics Canada health survey information can only be provided to HAs if respondents were notified that their Survey Responses would be provided to HAs in their province of residence. Otherwise, the HA can only work under contract for the Ministry to provide a Survey-related product or service for the sole benefit of the Ministry.

The Ministry confirmed that the above-stated third party recipients will only have access to Statistics Canada confidential health survey information from which Personal Identifiers (i.e. person's name, address, telephone number or other direct means of identifying an individual) have been removed as prescribed in the Omnibus agreement. The Ministry also confirmed that these third parties will not have access to the Ministry secure lab housing Statistics Canada confidential health survey information.

If Statistics Canada health survey information access is provided on the premises of the university research institutes or HAs, then the Ministry is required to include in their agreements the physical and IT security measures as set out in the Omnibus data sharing agreement, which states:

"The Receiving Party (the Ministry) shall ensure that the terms and conditions of this Agreement respecting the use, confidentiality, protection and security of the Information are included in all agreements and arrangements the Receiving Party (the Ministry) enters into, under the terms of which any other organization is granted access to the Information in accordance with subsection 6.2 of this Agreement".

Interviews revealed that the Ministry is currently in the process of revising its third party agreement templates. However, at the time of the audit, these revisions had not been completed. As a result, the audit team could not review the third party agreement templates to confirm whether or not the requirements respecting the use, confidentiality, protection and security of Statistics Canada health survey information have been reflected in the templates.

Recommendations:

The Assistant Chief Statistician (ACS) Social, Health and Labour Statistics Field should communicate with the Ministry to ensure the following is implemented:

  • Third party agreement templates are developed and reflect the requirements set out in Statistics Canada Omnibus data sharing agreement.

Management Response:

Management agrees with the recommendation.

  • The Director, HSD will request from the Ministry their proposed templates for third party agreements to ensure that they reflect the requirements set out in Statistics Canada Omnibus data sharing agreement.

    Deliverable and Timeline: The Director, HSD to request from BC Ministry of Health their proposed third party agreement templates, by April 2013.
  • The Director, HSD will monitor on a regular basis, third party access privileges to ensure that third party templates are being used appropriately.

    Deliverable and Timeline: Report from the Ministry on third party access privileges, every six months.

The Assistant Chief Statistician (ACS) Social, Health and Labour Statistics Field should ensure that:

  • A review of the third party agreement templates is conducted to ensure that they include the terms and conditions contained in the Omnibus data sharing agreement respecting the use, confidentiality, protection and security of the information, and monitoring clauses, before providing Statistics Canada confidential health survey information to the Ministry.

Management Response:

Management agrees with the recommendation.

  • Statistics Canada Health Survey information will only be provided after a thorough and satisfactory review of the proposed third party agreement templates by the Director HSD, to ensure that they meet the terms and conditions of the Omnibus data sharing agreements.

    Deliverable and Timeline: The Director HSD will inform the Ministry of any gaps in their templates, and will notify Statistics Canada senior management once the templates are compliant, immediately upon receipt of the templates.

Physical and Information Technology (IT) security

Effective controls for physical access to the Ministry's premises and physical storage have been designed. The Ministry's Policies and Procedures Manual provides prescriptive guidance and direction in the areas of physical and electronic access; identification and authentication safeguards, IT storage and transmission; and information copying, retention and records management to meet the requirements set out in Statistics Canada's Omnibus data sharing agreement. It is important to note that at the time of the audit, the Ministry was implementing these requirements.

Information provided to the Ministry is designated as 'Protected B' information as defined in the federal Policy on Government Security. The Ministry is required to ensure that the control and protection of the information, either physically or electronically, is carried out in a manner that protects against loss, theft, compromise or improper disclosure.

Physical Access to the Ministry's Premises and Physical Storage

A physical inspection was conducted of the Ministry's site during the examination phase of the audit. The audit noted that the Ministry's policy allows visitors with unaccompanied visitor card access once signed into the building, with the exception of access to the Ministry's server room and the secure lab housing Statistics Canada health survey information. There is a card scanner outside each secured area. Staff and visitors must swipe their access card through the card scanner to enter the secured area.

Statistics Canada health survey information will be stored, accessed, used, linked and analyzed in a secure lab room located in the Ministry's HSIMT division. A motion sensor-activated security camera that can operate on an uninterrupted power supply in the event of a power failure is located facing the lab door, to record all activity occurring in front of the lab door. Facilities Management is responsible for monitoring the camera, and the tapes can only be accessed by the Chief Data Steward and Executive Director.

Access to the secure lab is permitted only to 'Identified' persons. Persons holding visitor cards cannot access the lab independently; visitors to the lab must be escorted by an 'Identified' person. A visitor log book noting name, date, time in and out, is required to be signed by escorted visitors accessing the secure lab.

The audit verified whether only 'Identified' persons could access the secure lab. Three employees determined not to have access to the secure lab were asked to swipe their access cards at the card scanner located outside the lab. Their access cards did not allow them to access the secure lab. The auditors also tested their visitor access card, and the visitor access card did not allow access to the secure lab.

The audit also verified whether the security camera placed outside the lab was operating as intended. The audit team viewed the camera tape for the activity of the 3 employees asked by the audit team to access the lab. The audit noted that the motion sensor-activated security camera recorded the activity of the 3 employees at the lab door.

Physical and Electronic Access to Health Survey Information Data Files

The Ministry has a formal process in place for requesting access to the secure lab from the Data Custodian. A Request for Access to Secure Area Form has to be completed and signed by every 'Identified' person, and then signed by the Data Custodian signifying authorization of that person's access to the secure lab.

As well, every 'Identified' person has to agree in writing to comply with the terms of the DSA by signing an acknowledgement. The acknowledgement states they have read, understood and agree to comply with the T&Cs of the DSA between the Ministry and Statistics Canada, as highlighted in the Ministry's Policy and Procedures Manual, and by signing a 'Protection of Confidential Information Agreement for Ministry of Health Employees', as required by appendix 'C' of the DSA. The Ministry stated that the Policy and Procedures Manual will be mandatory reading for all 'Identified' persons.

The secure lab has been set up as an isolated network with a stand-alone Oracle server on a desk-top computer and two workstations which are connected to the server by a port and Ethernet Cable. There is no internet access, as required by appendix 'A' of the DSA, and electrical cables are the only external cables in the lab. Statistics Canada information will be stored on the Oracle server and only 'Identified' persons can access the information either from the server or the two workstations.

A secured cabinet with a key lock is located in the lab to store transportable media and print-outs of Statistics Canada health survey information. The Data Custodian holds the key for this cabinet.

Identification and Authentication Safeguards, IT Storage and Transmission

The stand-alone Oracle server housing Statistics Canada health survey information and the two desk-top computers will have "named user accounts" for each 'Identified' person. 'Identified' persons will be required to provide their named user account ID and Oracle username ID and complex password (minimum 8 alphanumeric characters with at least one upper case letter, one lower case letter and one number) to log in and access Statistics Canada health survey information.

The card scanner outside the lab and the visitor log book will create an audit trail on physical access to the lab. As well, the named user account ID and Oracle username ID will be tracked to provide an audit trail on the two desk-top computers and the server.

The Ministry's Policies and Procedures Manual states that health survey files transmitted by Statistics Canada to the Ministry by electronic file transfer (e-FT) will be downloaded on a portable hard drive by the Data Custodian, and then saved on the Oracle server in the secure lab. No other type of transportable media, such as flash memory sticks, laptops, etc., will be used to transport the downloaded files. The portable hard drive will utilize full encryption and require a password to access. After the transport has finished, it will be securely overwritten, to prevent recovery efforts by unauthorized individuals. The portable hard drive will not be used to store Statistics Canada health survey information. When not in use, the drive will be stored in the key locked cabinet.

If survey files are transported by CDs, then information will be downloaded on the server and the CDs will be stored in the locked cabinet in the secure lab. The Policies and Procedures Manual states that backup of the Oracle server will not be maintained. If the server drives are damaged in an incident and are not recoverable, then brand new data will be requested from Statistics Canada. As well, electronic transmission by facsimile or e-mail is not allowed.

Information Copying, Retention and Records Management

The Ministry's Policies and Procedures Manual does not allow paper copies or electronic extracts of Statistics Canada health survey information. At the time of the audit, the secure lab did not have a printer. Printing outside the secure lab will not be permitted. A policy statement directing printer use will be prominently displayed in the lab and communicated to 'Identified' persons when they are granted access privileges. Statistics Canada information will only be held in the secure lab, and its transmission or transport elsewhere will not be permitted. Electronic transmission by facsimile or e-mail will not be allowed.

The DSA requires the Data Custodian to maintain a register of all data files received from Statistics Canada. The audit noted that the Ministry's Policies and Procedures Manual lists this as one of the responsibilities of the Data Custodian. The audit corroborated this understanding with the Data Custodian via interview.

Effective controls for physical access to the Ministry's premises and physical storage are in place. The Ministry's Policies and Procedures Manual provides prescriptive guidance and direction in the areas of physical and electronic access; identification and authentication safeguards, IT storage and transmission; and information copying, retention and records management to meet the requirements set out in Statistics Canada's Omnibus data sharing agreement. It is important to note that at the time of the audit, the Ministry was implementing these requirements.

Recommendation:

The Assistant Chief Statistician (ACS) Social, Health and Labour Statistics Field should ensure that:

  • A follow-up audit is conducted if and when the new Omnibus data sharing agreement is signed and data has been shared with the Ministry.

Management Response:

Management agrees with the recommendation.

  • The Assistant Chief Statistician (ACS) Social, Health and Labour Statistics Field, will inform Statistics Canada's Policy Committee once the Omnibus data sharing agreement is signed and data has been shared with the Ministry.

    Deliverable and Timeline: Decision by Policy Committee members on if and when a follow-up audit should be conducted.

Appendices

Appendix A: Audit Criteria

The table in Appendix A identifies the Audit Criteria, audit sub-criteria as well as the policy instrument used as the source of these criteria.
Objective / Core Controls / Criteria; Sub-Criteria; Policy Instrument

1.1 Authorities, responsibilities and accountabilities are defined, communicated, and the segregation of duties is appropriately established.

1.1.1 Responsibilities are formally defined and clearly communicated.

1.1.2 Authority is formally delegated and delegated authority is aligned with individual's responsibilities. Where applicable, incompatible functions are not combined.
TBS Core Management Controls

Omnibus data sharing agreement

1.2 Management at the Ministry identifies, assesses the appropriateness of existing controls to effectively manage its risks, and responds to the risks that may preclude the achievement of its objectives.

1.2.1 Risks are identified at both the program and regional levels, respectively, and take into consideration the internal and external environments of the RDC Program.

1.2.2 Formal processes and guidelines exist to assess the controls in place to manage the identified risks.

1.3 Assets are protected at the Ministry.

1.3.1 Access to data is limited to authorized individuals and is appropriately secured in compliance with privacy legislation.

1.3.2 Access is physically restricted.

1.3.3 Procedures to safeguard the shared data upon change of duties of an employee exist and are adhered to.

1.3.4 Procedures exist to protect the use of data from abuse or fraud.

1.3.5 Logical access controls exist to ensure access to systems and data, is restricted to authorized users, e.g., systems require users to logon using unique user name and password.

1.3.6 Authentication and access procedures and mechanisms exist for and are applied in order to keep authentication and access mechanisms effective.

1.4 Management monitors actual performance against planned results, and adjusts course as needed, to better address the requirements/needs of the program.

1.4.1 Responsibility for monitoring is clear and communicated and results are reported to required authority levels.

1.4.2 Active monitoring is demonstrated.

Appendix B: Acronyms

Appendix B Acronym
Acronym Description
ACS Assistant Chief Statistician
CCHS Canadian Community Health Survey
CD Compact Disk
CS Chief Statistician
DAC Departmental Audit Committee
DBA Data Base Analyst
DSA Data Sharing Agreement
e-FT Electronic File Transfer
HA Health Authority
HSD Health Statistics Division
HSIMT Health Sector Information Management and Information Technology Division
ID Identification
IIA Institute of Internal Auditors
IMKS Information Management & Knowledge Services
ISA Information Sharing Agreement
IT Information Technology
LOE Line of Enquiry
NPHS National Population Health Survey
RO Research Officer
TBS Treasury Board Secretariat
T&Cs Terms and Conditions

Description for Assessment of ICFR

Key financial controls: Process Overview

The chart is a flow chart description of the process of Assessment of Internal Controls over Financial Reporting (ICFR) presenting the 4 core activities involved and their outputs described just below each activity. Activities and results/outputs are differentiated by colors and forms. The flow chart is set up in 5 key steps aligned with arrows from left to right. A box groups the 4 core activities for the assessment of ICFR. The flow chart begins with the first step on the left, which is Planning & scoping. Outputs from this activity are Strategic Plans for ICFR & ITGC and work plans. From this point, the process moves right to Documentation of in-scope business processes. Outputs from this activity are Process Narratives or Flow Charts. Going right onto the third step, the process progresses to the activity of Tests of Design of Key Controls and involves, when required, Letters of Recommendations (LoR) regarding Design. Finally, Tests of Effectiveness of Key Controls is the last activity performed within the process of Assessment of ICFR. LoRs are also an output shown for this step. With arrows from top to bottom, the chart demonstrates that ongoing monitoring and risk management are performed at each step throughout the assessment process. Once the process of the Assessment of ICFR is fully completed, there is a resulting step described outside the box, at right. Reporting to the CS, CFO and Field Senior Management includes progress towards implementing PIC, results of the assessment of ICFR, and the state of audit readiness. Finally, an arrow shows an output from reporting, which is the Statement of Management Responsibility including ICFR, labelled with the signatures of the CS and CFO.

Data accuracy Vital Statistics – Death Database

(Survey number 3233)

Coverage

Since the registration of deaths is a legal requirement in each Canadian province and territory, reporting is virtually complete. Under-coverage is thought to be minimal, but is being monitored. Under-coverage may occur because of late registration, but this is much less common than in birth registration. Death registration is necessary for the legal burial or disposal of a body, as well as for settling estate matters, so there is a strong incentive for relatives or officials to complete a registration in a timely manner. Some deaths are registered by local authorities, but the paperwork is not forwarded to provincial or territorial registrars before a cut-off date. These cases for 2000 represent approximately 200 deaths, 7 years after the year of death (accumulated late records), or less than one-tenth of one percent of the total records.

Other late or missing registrations may occur with unidentified bodies, or for Canadians who die outside of Canada. By long-standing practice, the date of death for unidentified remains is defined as the date of discovery. These deaths of unidentified persons typically represent less than ten cases per year. For out-of-country deaths, only deaths in the United States are regularly reported to Statistics Canada, and of these, Statistics Canada receives abstracted death records from approximately 20 American states. The National Center for Health Statistics (NCHS) in the United States reveals that in 2004 there were 572 deaths of Canadian residents in the United States, compared with 259 death records received by Statistics Canada via the state registrars. Health Statistics Division is working with provincial, territorial, and state registrars to increase the inter-jurisdictional exchanges of records for statistical and administrative purposes.

Under-coverage is also present for deaths of serving members of the Canadian military. Deaths of Canadians who died overseas while serving in the Armed Forces are not included in the Statistics Canada databases because they are not registered by the provinces and territories.

Over-coverage is minimal. Deaths of non-residents of Canada are registered but are excluded from most tabulations. Duplicate death registrations are identified as part of the regular processing operations on each provincial and territorial subset, as well as by additional inter-provincial checks. Possible duplicate registrations are verified against microfilmed registrations or optical images, or by consulting with the provinces and territories.

Response rates

Item response

In 2006, the response rates were 100% for most of the demographic and geographic variables on the death database (age, sex, date of birth, province and census division of residence). The birthplace of deceased and marital status have response rates around 95% to 98% nationally. The response rate for underlying cause of death was 99.4% in 2006. The reporting of postal codes has improved to 95% in 2006. The birthplaces of the decedent's mother and father remain poorly reported, at only 35% of deaths nationally. Both Quebec and Ontario collect the information on the registration forms, but do not include the variable in the electronic files forwarded to Statistics Canada.

Other Accuracy Issues

Age at death of persons over 100 years old

The demographers Bourbeau and Lebel have compared Canadian mortality and census data with other countries, and determined that the number of centenarians appears quite high in relation to other industrialized countries. In the absence of civil registration in Canada before 1921 and high levels of immigration to Canada, it is difficult to determine if the number of persons aged 100 and older is overestimated. On the death file, age and date of birth outliers are annually reviewed for capture errors. Reconciliation with other data sources is difficult, especially in the case of immigrants. Where birth certificates are unavailable, the overestimated age may have been used consistently on other documents such as health care registration, income tax, and census.

Cause of death certification

When a person dies, the medical certificate of cause of death is completed by the medical doctor in attendance, or the coroner, or medical examiner or other certifier. The certificate elicits the direct antecedent and underlying causes of death, other significant conditions, manner of death (for example, natural, accidental, suicide, homicide), and further information on injuries.

Balance of Payments Division

Survey Guide

Purpose of the Survey

The purpose of the Survey of Canadian Portfolio Investment is to determine the amount and types of securities owned by Canadians. The survey is conducted on a security by security basis.

The data will be used to compile the portfolio investment of Canada's balance of payments and international investment position statistics. The survey is being conducted in co-ordination with other countries to facilitate international data comparability. The survey is also designed to generate feedback on Investment Fund strategies related to industrial distribution, type of financial instrument and geographical distribution.

Collection Authority

The information requested is collected under the Statistics Act, Revised Statutes of Canada, 1985, Chapter S19. The survey is conducted on an annual basis.

Confidentiality

Information collected under the Statistics Act is treated in strict confidence and is specifically exempt from being released under the Access to Information Act.

How to report

Data would preferably be submitted through electronic mail in a single file using Excel or ASCII with delimiters. To assist respondents in identifying the information requested, Statistics Canada developed a standard record layout (see next page: 'Recommended table structure').

Warning: Information sent via facsimile or electronic mail, when in transit, may encounter risk of disclosure. Upon receipt, Statistics Canada will confirm the reception of your submission. Thereafter, Statistics Canada will assure the confidentiality of the information.

What to report

Update of the list of funds as well as contact name and details (pre-print information).
Detailed holdings of your funds in a single electronic file.

Please return the required information to:

Statistics Canada
Balance of Payments Division
Survey of Canadian Portfolio Investment (SCPI)
22nd floor, R.H. Coats Building
Ottawa, Ontario K1A 0T6
Attention: Francis Salifu or Éric Boulay
E-mail cpiabop@statcan.gc.ca
Fax 1-613-951-9031

If there are questions regarding the survey, please contact Francis Salifu at (613) 951-2428 or Éric Boulay at (613) 951-1872 or use our toll free number (866) 765-8143.

Recommended Table Structure

** For more information about the content of the fields, see instructions on the following pages. **

Field  Field Name                        Data Type         Width  Decimals
1      Code or name of the Fund (M)      Alphanumeric      6
2      Sequence Number                   Numeric           6
3      Security Identification Code      Alphanumeric      12
4      Stock Market Symbol               Alphanumeric      10
5      Security Type (M)                 Numeric           2
6      Name of Issuer (M)                Character         65
7      Security Description              Character         65
8      Industrial Description            Character         40
9      Market Value (M)                  Numeric           12
10     Market Price                      Numeric           12     4
11     Quantity (M)                      Numeric           12
12     Average Cost                      Numeric           12
13     Exchange Rate                     Numeric           7      4
14     Currency of Denomination (M)      Character         3
15     Amount on Loan                    Numeric           12
16     Country of Issuer (M)             Character         3
17     Issue Date                        Date (MMDDYYYY)   8
18     Maturity Date (M)                 Date (MMDDYYYY)   8
19     Type of Coupon                    Character         1
20     Coupon or Dividend                Numeric           7      4
21     Status                            Character         1
Total                                                      234    12

(M): Mandatory Field

Content of fields

Field 1: Code or name of the fund - Enter the name or code of the fund.

Field 2: Sequence Number - Starting at 1, sequentially number each record. The last record should have the same sequence number as the total number of records.

Field 3: Security Identification Code - Enter the security identification code. For example, enter the CUSIP, SEDOL, or ISIN code. Please refrain from using internally generated codes.

Field 4: Stock Market Symbol - If available, enter the stock market symbol of the security.

Field 5: Security Type - Indicate the type of security according to the following code-set:

  1. Equity (including warrants and rights)
  2. Debt and debentures
  3. Money market instruments
  4. Options
  5. Futures
  6. Forwards
  7. Cash
  8. Mortgages
  9. Real estate
  10. Units of pooled, mutual and investment funds
  11. SWAPS

Field 6: Name of Issuer - Enter the name of the issuer of this security.

Ex: Government of Canada
Ex: ABC Corporation

Field 7: Security Description - Provide pertinent descriptive information. Examples follow:

For equities:

  • Ex: ADR, Subordinate voting
  • Ex: Preferred convertible shares
  • Ex: Partly paid shares.
  • Ex: IBM Common shares

For debts:

  • Ex: Convertible debenture
  • Ex: Floating rate bond

For money market instruments:

  • Ex: Treasury bill

For options:

  • Ex: Call or Put

For futures: Not needed

For forwards:

  • Ex: Buy British Pounds, Sell US

Field 8: Industrial Description - Pertinent descriptive information. If possible, please use code-set below:

Sector Description

A Food, Beverage and Tobacco
B Wood and Paper
C Energy
D Chemicals, Chemical Products and Textiles
E Metallic Minerals and Metal Products
F Machinery Equipment (except electrical machinery)
G Transportation Equipment
H Electrical and Electronic Products
I Construction and Related Activities
J Transportation Services
K Communications
L Finance and Insurance
M General Services to Business
N Government Services
O Education, Health and Social Services
P Accommodation, Restaurants and Recreation Services
Q Food Retailing
R Consumer Goods and Services

Field 9: Fair (Market) Value - in Canadian dollars

For equities (including warrants and rights), enter the price (field 10) times the number of shares (field 11) converted in Canadian dollars.

For debts and the money market instruments, enter the price expressed as a percentage (field 10) times the face value (field 11).

When reporting a negative position for a security, enter "R" in field 21. A negative position occurs when securities acquired under repurchase or security-lending arrangements are subsequently sold to a third party.

For options, enter the number of contracts times the contract size times the premium.

Option on stock

Example: 50 IBM Call Jan 09 at 130 at 8¾ (market price at date of survey)
Calculation: Number of contracts (50) X contract size ($100) X premium
50*100*(8¾) = $43,750 US$ → 59,763 Cdn$ (43,750*1.366)

Option on index

Example: 20 S&P 500 Call May 655 at 14½ (market price at date of survey)
Calculation: Number of contracts (20) X contract size ($500) X premium
20*500*(14½) = $145,000 US$ → 198,070 Cdn$ (145,000*1.366)

Option on currency

Example: Trading on Philadelphia Exchange
100 Call British Pounds Dec 166 at .70 (market price at date of survey)
Calculation: Number of contracts (100) X contract size ($31,250) X premium
100*31,250*(.0070) = $21,875 US$ → 29,881 Cdn$ (21,875*1.366)

For futures:

Bond contracts: Enter the number of contracts times the contract size times spot price less exercise price (strike price).

Example: 20 / 5 year US treasury.

Strike price or exercise price = 98.25 spot price = 97.75

Calculation: number of contracts (20) X contract size ($100,000) X (spot-strike)
20*100,000*(.9775-.9825) = -$10,000 US$ → 13,660 Cdn$ (10,000*1.366)

Index contracts: Enter the number of contracts times the future value multiplier times spot price less exercise price (strike price).

Example: 50 S&P 500

Calculation: Number of contracts (10) X future value multiplier ($500) X (spot-strike)
10*500*(655.86-659.60) = -18,700 US$ → -25,544 Cdn$ (18,700*1.366)

Currency: Enter the number of contracts times the future value multiplier times spot price less exercise price (strike price).

Example: 20 Euro 1.4877

Calculation: Number of contracts (20) X future value multiplier ($125,000) X (spot-strike)
20*125,000*(1.5821-1.5754) = 16,750 Euro → 27,185 Cdn$ (16,750*1.6230)

For forwards:

Enter the market value in excess of (less than) settlement amount in Cdn$.

For cash:

Enter the Canadian dollar value of your holdings.

Field 10: Market Price

For equities, enter the market price per share, warrant or right in Cdn$.
For debts and money market instruments, enter the market price as a percentage of the security's face value.
For options, enter the market price times the multiplier in Cdn$.
For futures, enter market price in Cdn$.
For forwards, leave this field empty.
For cash, leave this field empty.

Market price should be used to report all holdings of securities. All securities should be converted to Canadian dollars using the exchange rate prevailing at the close of business of the surveyed period. Please indicate any fund not converted into Canadian dollars in the confirmation of funds form.

For equities (including warrants and rights):

For stock listed companies, the market price of your holding should be calculated using the market price prevailing on the stock exchange at the close of the surveyed period.

For unlisted enterprises, if a market price is not available at the close of the business of the surveyed period, estimate the market price of your holding of equity securities by using one of the following methods:

  • a recent transaction price;
  • director's valuation; or
  • net asset value (net asset value is equal to total assets, including intangibles, less non-equity liabilities and the paid up value of non-voting shares. Assets and liabilities should be recorded at current, rather than historical value).

For debts and money market instruments:

Debt securities should be recorded (as a percentage) using one of the market valuation methods listed below:

  • a quoted traded market price at the close of the business of the surveyed period;
  • the net present value of the expected stream of future payments/receipts associated with the securities;
  • for unlisted securities, the price used to value securities for accounting or regulatory purposes, etc.; or
  • for discount, deep discount or zero coupon securities, the issue price plus amortisation of the discount.
  • Comparative security valuation approach

For options:

For exchange traded options, the market price of your holding is the market price prevailing on the exchange at the close of the surveyed period.

For OTC options and exchange-traded options, if a market price is not available at the close of the business of the surveyed period, estimate the market price of your holding by using one of the following methods:

  • a recent transaction price;
  • director's valuation.

For futures:

For futures, provide the market price. The market price is obtained by taking the spot price of the underlying asset minus the strike price (or exercise price.) As per the example shown in field 9 for futures, the spot price less the exercise price must be expressed like this: .9775 (spot)-.9825 (exercise) = -.005

For forwards:

Leave this field blank.

For cash:

Leave this field blank.

Field 11: Quantity

For equities (including warrants and rights), enter the number of shares.

For units of pooled, mutual and investment funds, enter the number of units held rounded to the nearest unit.

For debts, enter the face value held in the currency of denomination. For asset-backed securities, enter the remaining face value of principal still outstanding.

For money market instruments, enter the face value at maturity.

For options, and futures, enter the number of contracts.

For forwards, enter the amount receivable at the expiration of the contract in original currency.

For cash, leave this field blank.

Field 12: Average Cost - Enter the average cost (historical cost) of the security held.

Field 13: Exchange Rate - Enter the exchange rate used to convert the currency of denomination in field 9. This rate should be the one prevailing at the close of the surveyed period. Ex: Market value of US stock converted in CDN$ (field 9) over market value of US stock in US$ denomination currency.

Field 14: Currency of denomination - Currency codes appear in Appendix 2.

Field 15: Amount on loan - Face value or share units of field 11 (in Cdn$) sold under loan repurchase agreements or lent under security lending arrangements.

For debt, enter the face value of field 11 sold under repurchase agreements and security lending arrangements.

For stocks, enter the number of shares of field 11 sold under security lending arrangements.

Field 16: Country of Issuer - Enter the code from Appendix 2 for the country of residence of the issuing entity of the security.

Field 17: Issue Date - Enter the original date of issue for this security in the following format: MMDDYYYY.

Field 18: Maturity Date - Enter the date on which this security matures in the format: MMDDYYYY. For a security with a call provision, enter the final maturity date, not the call date.

Field 19: Type of coupon - Fixed (F) or Variable (V)

Enter "F" for fixed rate or "V" for variable or floating rate.

Field 20: Coupon or Dividend

For bonds, enter the annual coupon rate. For variable rate, enter the rate that prevailed at the end of the surveyed period rounded to four decimal places.

For equities, enter the annual value of the dividend. For zero coupon bonds, enter 0.0000.

Field 21: Status - Enter "D" if security is in default.

Enter "R" when securities acquired under repurchase or security lending arrangements are subsequently sold to a third party.
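
A validator for the recommended table structure and the field rules above, as an added example that is not part of the Statistics Canada guide. It assumes a pipe-delimited ASCII file (the guide names no delimiter), treats widths as maximum lengths, and requires Maturity Date only for security types 2 and 3; all names, sample records and identifiers are constructed.

```python
import csv
import io
import re
from datetime import datetime

# (name, data type, width, decimals, mandatory) for fields 1 to 21 of the layout.
LAYOUT = [
    ("fund", "alnum", 6, 0, True),
    ("sequence", "num", 6, 0, False),
    ("security_id", "alnum", 12, 0, False),
    ("symbol", "alnum", 10, 0, False),
    ("security_type", "num", 2, 0, True),
    ("issuer", "char", 65, 0, True),
    ("description", "char", 65, 0, False),
    ("industry", "char", 40, 0, False),
    ("market_value", "num", 12, 0, True),
    ("market_price", "num", 12, 4, False),
    ("quantity", "num", 12, 0, True),
    ("average_cost", "num", 12, 0, False),
    ("exchange_rate", "num", 7, 4, False),
    ("currency", "char", 3, 0, True),
    ("amount_on_loan", "num", 12, 0, False),
    ("issuer_country", "char", 3, 0, True),
    ("issue_date", "date", 8, 0, False),
    ("maturity_date", "date", 8, 0, True),
    ("coupon_type", "char", 1, 0, False),
    ("coupon", "num", 7, 4, False),
    ("status", "char", 1, 0, False),
]
ALLOWED = {"coupon_type": {"F", "V"}, "status": {"D", "R"}}  # fields 19 and 21
NUMERIC = re.compile(r"-?\d+(?:\.(\d+))?")


def check_value(kind, width, decimals, value):
    """Return a problem description for one non-empty value, or None."""
    if len(value) > width:
        return f"longer than {width} characters"
    if kind == "date":
        try:
            if len(value) != 8 or not value.isdecimal():
                raise ValueError(value)
            datetime.strptime(value, "%m%d%Y")
        except ValueError:
            return "not a valid MMDDYYYY date"
    if kind == "num":
        match = NUMERIC.fullmatch(value)
        if match is None:
            return "not numeric"
        if len(match.group(1) or "") > decimals:
            return f"more than {decimals} decimal places"
    return None


def exempt(name, security_type):
    """Cases where an empty mandatory field is accepted."""
    if name == "quantity":        # the guide: leave blank for cash (type 7)
        return security_type == "7"
    if name == "maturity_date":   # assumption: only types 2 and 3 mature
        return security_type not in {"2", "3"}
    return False


def validate(text, delimiter="|"):
    """Return (record number, field, problem) tuples for a delimited submission."""
    findings = []
    rows = csv.reader(io.StringIO(text), delimiter=delimiter)
    for number, row in enumerate(rows, start=1):
        if len(row) != len(LAYOUT):
            findings.append((number, "record", f"{len(row)} fields, expected {len(LAYOUT)}"))
            continue
        record = {spec[0]: value.strip() for spec, value in zip(LAYOUT, row)}
        security_type = record["security_type"]
        for name, kind, width, decimals, mandatory in LAYOUT:
            value = record[name]
            if not value:
                if mandatory and not exempt(name, security_type):
                    findings.append((number, name, "mandatory field is empty"))
                continue
            problem = check_value(kind, width, decimals, value)
            if problem is None and value not in ALLOWED.get(name, {value}):
                problem = "must be one of " + ", ".join(sorted(ALLOWED[name]))
            if problem:
                findings.append((number, name, problem))
        if security_type.isdecimal() and not 1 <= int(security_type) <= 11:
            findings.append((number, "security_type", "not in code-set 1 to 11"))
        # Field 2 counts records from 1, so it must equal the record's position.
        if record["sequence"].isdecimal() and int(record["sequence"]) != number:
            findings.append((number, "sequence", f"expected {number}"))
    return findings


# Constructed sample: a valid bond, a record with six defects, a cash holding.
SAMPLE = "\n".join([
    "FUND01|1|XX0000000001||2|Government of Canada|Floating rate bond|N|1050000|105.0000|1000000|1000000|1.0000|CAD|0|CAN|01152020|01152030|V|2.5000|",
    "FUND01|3|XX0000000002|ABC|12||Common shares|L|59763|8.7500|50|40000|1.36600|USD|0|USA|13012020||F|0.0000|X",
    "FUND01|3|||7|ABC Corporation|||25000||||1.0000|CAD||CAN|||||",
])

if __name__ == "__main__":
    print(*validate(SAMPLE), sep="\n")
```

Running the check before the file leaves the respondent's system catches layout errors while the holdings data is still under the sender's control, rather than after it has been e-mailed.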

Appendix 1 - Security Types

Equity securities = Security type 1

  • ordinary shares;
  • stocks (class A, class B);
  • depository receipts, e.g., American depository receipts (ADR), should be attributed to the country of residence of the issuer of the security underlying the depository receipt;
  • equity securities that have been sold under repurchase agreements; and
  • equity securities that have been lent under securities lending arrangement

i) Securities acquired under repurchase or securities lending arrangements are to be excluded from the report;
ii) Securities acquired under repurchase or security lending arrangements and subsequently sold to a third party should indicate it by entering the letter "R" in item 21.

  • warrants and rights

i) subscription rights to securities;
ii) subscription or share warrants; and
iii) currency warrants

Debt securities (with an original term to maturity of over 1 year) = Security type 2

  • bonds, zero coupon or stripped bonds, deep discounted, currency linked (e.g., dual-currency), floating rate, equity related (e.g., Convertible bonds, Eurobonds);
  • asset-backed securities such as mortgage backed bonds, collateralized mortgage obligations (CMO);
  • receivable securitization;
  • index-linked securities (e.g., property index certificates);
  • preference shares (participating, non-participating, convertibles);
  • floating rate notes (FRN), such as perpetual notes (PRN), variable rate notes (VRN), structured FRN, reverse FRN, collared FRN, step up recovery FRN (SURF), range/corridor/accrual notes;
  • medium term notes;
  • Bunds (German), Gilts (United Kingdom), OAT’s (France), JGB’s (Japan);
  • bonds with optional maturity dates, the latest of which is more than one year to maturity;
  • debentures;
  • negotiable certificates of deposits with contractual maturity of more than one year;
  • other long term securities;
  • bearer depository receipts (BDR) denoting ownership of debt securities, should be attributed to the country of residence of the issuer of the security underlying the depository receipt;
  • debt securities that you have sold under repurchase agreements; and
  • debt securities that you have lent under a securities lending arrangement

i) Securities acquired under repurchase or securities lending arrangements are to be excluded from the report;
ii) Securities acquired under repurchase or securities lending arrangements and subsequently sold to a third party should be indicated by entering the letter "R" in item 21.

Money market instruments (with an original term to maturity of less than 1 year) = Security type 3

  • bonds, zero coupon or stripped bonds, deep discounted, currency linked (e.g., dual-currency), floating rate, equity related (e.g., Convertible bonds, Eurobonds);
  • asset-backed securities such as mortgage backed bonds, collateralized mortgage obligations (CMO);
  • index-linked securities (e.g., property index certificates);
  • non-participating preference shares;
  • receivable securitization (with less than one year to maturity);
  • discount notes;
  • commercial paper;
  • floating rate notes (FRN), such as perpetual notes (PRN), variable rate notes (VRN), structured FRN, reverse FRN, collared FRN, step up recovery FRN (SURF), range/corridor/accrual notes;
  • medium term notes;
  • Bubill (German), Conventional Gilts (United Kingdom), BTF’s (France);
  • bonds with optional maturity dates, the latest of which is less than one year to maturity;
  • debentures;
  • negotiable certificates of deposits with contractual maturity of less than one year;
  • other long term securities (with a remaining term to maturity of less than one year);
  • bearer depository receipts (BDR) denoting ownership of debt securities, should be attributed to the country of residence of the issuer of the security underlying the depository receipt;
  • debt securities (with a remaining term to maturity of less than one year) that you have sold under repurchase agreements; and
  • debt securities (with a remaining term to maturity of less than one year) that you have lent under a securities lending arrangement;

i) Securities acquired under repurchase or securities lending arrangements are to be excluded from the report;
ii) Securities acquired under repurchase or securities lending arrangements and subsequently sold to a third party should be indicated by entering the letter "R" in item 21.

Derivatives

Options = Security Type 4:

Options on stocks, indexes, currency, futures and commodity.

Characteristics

  • Call, Put;
  • Long or short;
  • American or European type.

Futures = Security Type 5:

Futures on currency, indexes, interest rates, metals, petroleum.

Characteristics

  • Long or short

Forwards = Security Type 6:

All types of Forwards

Cash = Security Type 7

  • Cash and other deposits
  • Other portfolio investment assets

Appendix 2 - Country and Currency Codes

In reporting the geographical distribution of foreign countries, and currency of payments, please use the codes provided below:

Country Code Currency Code
Afghanistan AF Afghani AFA
Albania AL Lek ALL
Algeria DZ Algerian Dinar DZD
Andorra AD Euro EUR
Angola AO Kwanza AOK
Antigua and Barbuda AG East Caribbean dollar XCD
Argentina AR Argentina Peso ARS
Armenia AM Dram AMD
Australia AU Australian dollar AUD
Austria AT Euro EUR
Azerbaijan AZ Manat AZM
Bahamas BS Bahamas dollar BSD
Bahrain BH Bahraini dinar BHD
Bangladesh BD Taka BDT
Barbados BB Barbados dollar BBD
Belarus BY Rouble BYR
Belgium BE Euro EUR
Belize BZ Belize dollar BZD
Benin BJ Cfa Franc Bceao XOF
Bermuda BM Bermuda dollar BMD
Bhutan BT Ngultrum BTN
Bolivia BO Boliviano BOB
Bosnia-Hercegovina BA Marka BAM
Botswana BW Pula BWP
Brazil BR Real BRL
British Virgin Islands VG United States dollar USD
Brunei BN Brunei dollar BND
Bulgaria BG Lev BGL
Burkina Faso BF Cfa Franc Bceao XOF
Burundi BI Burundi Franc BIF
Cameroon CM Cfa Franc Beac XOF
Canada CA Canadian dollar CAD
Cape Verde CV Cape Verde Escudo CVE
Cayman Islands KY Cayman Islands dollars KYD
Central African Republic CF Cfa Franc Beac XOF
Chad TD Cfa Franc Bceao XOF
Chile CL Chilean Peso CLP
China CN Yuan Renminbi CNY
Colombia CO Colombian Peso COP
Congo, Democratic Republic CG Cfa Franc Beac XOF
Costa Rica CR Colón CRC
Croatia HR Kuna HRK
Cuba CU Cuban Peso CUP
Cyprus CY Cyprus Pound CYP
Czech Republic CZ Czech Koruna CZK
Denmark DK Danish Krone DKK
Djibouti DJ Djibouti Franc DJF
Dominica DM East Caribbean dollar XCD
Dominican Republic DO Dominican Peso DOP
East Timor TP Rupiah IDR
Ecuador EC Sucre ECS
Egypt EG Egyptian Pound EGP
Equatorial Guinea GQ Cfa Franc Beac XOF
Estonia EE Estonia Kroon EEK
Ethiopia ET Birr ETB
Falkland Islands FK Falkland Islands Pound FKP
Fiji FJ Fiji dollar FJD
Finland FI Euro EUR
France FR Euro EUR
Gabon GA Cfa Franc Beac XOF
Gambia GM Dalasi GMD
Georgia GE Lari GEL
Germany DE Euro EUR
Ghana GH Cedi GHC
Gibraltar GI Gibraltar Pound GIP
Greece GR Euro EUR
Guadeloupe GP Euro EUR
Guatemala GT Quetzal GTQ
Guernsey GG Pound Sterling GBP
Guinea GN Guinea Franc GNF
Guinea-Bissau GW Peso GWP
Guyana GY Guyana dollar GYD
Haiti HT Gourde HTG
Honduras HN Lempira HNL
Hong Kong HK Hong Kong dollar HKD
Hungary HU Forint HUF
Iceland IS Icelandic Krona ISK
India IN Indian Rupee INR
Indonesia ID Rupiah IDR
International Organisation XX    
Iran IR Rial IRR
Iraq IQ Iraqi Dinar IQD
Ireland IE Euro EUR
Israel IL Shekel ILS
Italy IT Euro EUR
Ivory Coast CI Cfa Franc Bceao XOF
Jamaica JM Jamaican dollar JMD
Japan JP Yen JPY
Jordan JO Jordanian Dinar JOD
Kazakhstan KZ Tenge KZT
Kenya KE Kenyan Shilling KES
Kiribati (Canton & Enderbury) KI Australian dollar AUD
Korea (North) KP Won KPW
Korea (South) KR Won KRW
Kuwait KW Kuwaiti Dinar KWD
Kyrgyzstan KG Som KGS
Laos LA Kip LAK
Latvia LV Lats LVL
Lebanon LB Lebanese Pound LBP
Lesotho LS Loti LSM
Liberia LR Liberian dollar LRD
Libyan LY Libyan Dinar LYD
Liechtenstein LI Swiss Franc CHF
Lithuania LT Litas LTL
Luxembourg LU Euro EUR
Macao MO Pataca MOP
Macedonia MK Denar MKD
Madagascar MG Malagasy Franc MGF
Malawi MW Kwacha MWK
Malaysia MY Ringgit MYR
Maldives MV Rufiyaa MVR
Mali ML Cfa Franc Bceao XOF
Malta MT Maltese Lira MTL
Mauritania MR Ouguiya MRO
Mauritius MU Mauritius Rupee MUR
Mexico MX Mexican Peso MXN
Moldova MD Leu MDL
Monaco MC Euro EUR
Mongolian MN Tugrik MNT
Montenegro ME Euro EUR
Morocco MA Dirham MAD
Mozambique MZ Metical MZM
Namibia NA Namibian dollar NAD
Nepal NP Nepalese Rupee NPR
Netherlands NL Netherlands Guilder NLG
Netherlands Antilles AN Netherlands Antilles Guilder ANG
New Zealand NZ New Zealand dollar NZD
Nicaragua NI Córdoba NIC
Niger NE Cfa Franc Bceao XOF
Nigeria NG Naira NGN
Norway NO Norwegian Krone NOK
Oman OM Riyal Omani OMR
Pakistan PK Pakistani Rupee PKR
Panama PA Balboa PAB
Papua New Guinea PG Kina PGK
Paraguay PY Guarani PYG
Peru PE Sol PEN
Philippines PH Peso PHP
Poland PL Zloty PLZ
Portugal PT Euro EUR
Puerto Rico PR United States dollar USD
Qatar QA Riyal QAR
Romania RO Leu ROL
Russian Federation RU Ruble RUR
Rwanda RW Rwanda Franc RWF
Saint Lucia LC East Caribbean dollar XCD
Saint Pierre And Miquelon PM Euro EUR
Samoa WS Tala WST
Sao Tome And Principe ST Dobra STD
Saudi Arabia SA Riyal SAR
Senegal SN Cfa Franc Bceao XOF
Serbia RS Dinar RSD
Seychelles SC Seychelles Rupee SCR
Sierra Leone SL Leone SLL
Singapore SG Singapore dollar SGD
Slovenia SI Tolar SIT
Somalia SO Shilling SOS
South Africa ZA Rand ZAR
Spain ES Peseta ESP
Sri Lanka LK Sri Lanka Rupee LKR
Sudan SD Sudanese Pound SDD
Suriname SR Suriname Guilder SRG
Swaziland SZ Lilangeni SZL
Sweden SE Swedish Krona SEK
Switzerland CH Swiss Franc CHF
Syrian SY Syrian Pound SYP
Tajikistan TJ Rouble TJR
Taiwan TW Taiwan dollar TWD
Tanzania TZ Shilling TZS
Thailand TH Baht THB
Togo TG Cfa Franc Bceao XOF
Trinidad and Tobago TT Trinidad dollar TTD
Tunisia TN Tunisian Dinar TND
Turkey TR Turkish Lira TRL
Turkmenistan TM Manat TMM
Uganda UG Uganda Shilling UGS
Ukraine UA Hryvna UAH
United Arab Emirates AE Dirham AED
United Kingdom GB Pound Sterling GBP
United States US United States dollar USD
Uruguay UY Uruguayo Peso UYU
US Virgin Islands VI United States dollar USD
Uzbekistan UZ Rouble UZR
Venezuela VE Bolivar VEB
Vietnam VN Dong VND
Yemen YE Yemeni Rial YER
Zaire ZR Zaire ZRN
Zambia ZM Kwacha ZMK
Zimbabwe ZW Zimbabwean dollar ZWD

 

RECORD LAYOUT DATA ENTRY (EXAMPLES)
(M) - Mandatory field

FIELD 1: Code of the Fund (M), Alphanumeric
FIELD 2: Sequence Number, Numeric
FIELD 3: Security Identification Code, Alphanumeric
FIELD 4: Stock Market Symbol, Alphanumeric
FIELD 5: Security Type (M), Numeric
FIELD 6: Name of Issuer (M), Character
FIELD 7: Security Description, Character
FIELD 8: Industrial Description, Character
FIELD 9: Market Value $CAD (M), Numeric
FIELD 10: Market Price, Numeric, Decimal: 4
FIELD 11: Quantity (M), Numeric
FIELD 12: Average Cost, Numeric
FIELD 13: Exchange Rate, Numeric, Decimal: 4
FIELD 14: Currency of Denomination (M), Character
FIELD 15: Amount on Loan, Numeric
FIELD 16: Country of Issuer (M), Character
FIELD 17: Issue Date, Date (MM/DD/YYYY)
FIELD 18: Maturity Date (M), Date (MM/DD/YYYY)
FIELD 19: Type of Coupon, Character
FIELD 20: Coupon or Dividend, Numeric, Decimal: 4
FIELD 21: Status, Character

FUND 01 1 135087VQ4   2 GOVT OF CANADA GOVT OF CANADA BONDS Government 2,763,900 92.1300 3,000,000 2,760,400   CAD 1,000,000 CA   06/01/2024 F 6.5000  
FUND 01 2 36962FW77 GE 2 GENERAL ELECTRIC CAPITAL CO. MTN Private 6,307,462 141.7407 4,450,000 6,257,459 1.3708 USD   US   05/06/2036 F 6.8000  
FUND 01 4   BMO.PR.D 2 BANK OF MONTRÉAL PREFERRED SHARE D Private 3,425,000 27.4000 125,000 3,550,400   CAD   CA     F 8.2500  
FUND 01 5   TEE.DB 2 TEE-COM DEBENTURES Private (101,520) 101.5200 100,000     CAD   CA   06/06/2010 F 5.2500 R
FUND 01 7     3 MEXICAN GOVERNMENT MEXICAN CETES Government 2,022,016 18.1170 11,160,874 2,030,200 0.1830 MXN   MX   01/11/2019      
FUND 01 8 878742204 TEK.B 1 TECK CORP. CLASS B SUB. VOTING Mines & Metals 14,872,000 25.9909 572,200 14,015,265 1.3660 USD   CA       0.2011  
FUND 02 1 500631106 KEP 1 KOREA ELECTRIC POWER CORP ADR Electronics 1,530,000 51.0000 30,000 1,425,600 1.3660 USD   KP          
FUND 02 3 IT9276A1043   1 TELECOM ITALIA MOBILE SPA COMMON (IL50 PAR) Communications 75,000 3.0000 25,000 74,890 0.0009 ITL   IT          
FUND 02 4     1 FRASER AND NEAVE LTD COMMON   630,000 10.5000 60,000 630,450 0.5346 SGD   SG          
FUND 02 5   IBM 4 IBM CALL, IBM JAN 08, 130 Computers 59,763 11.9525 50   1.3660 USD   US 12/21/2008        
FUND 02 6   OEX 4 S & P 500 CALL, S&P 500, MAY 07, 655 Index 198,070 19.8070 20   1.3660 USD   US 05/21/2007        
FUND 02 7     4 BRITISH POUND CALL B POUND, DEC 166 Currency 29,881 0.9562 100   1.3660 USD   GB 12/21/2005        
FUND 02 8     6 PAY CDN$ RECEIVED GBP1-10 FORWARD ON CURRENCY   (7,271)   645,000   2.0368 GBP   GB 04/11/2008 07/15/2008      
FUND 02 10     5 US 5 YEAR TREASURY MAY 2006, 98.5   (13,600) (0.6830) 20   1.3660 USD   US 10/12/2005 05/15/2006      
FUND 02 11     5 S & P 500 MAY 2007, 659.60   (25,544) (5.1088) 10   1.3660 USD   US 01/01/2007 05/05/2007      
FUND 02 12     5 EURO EURO MAY 2007. .6685   22,881 0.0060 20   1.3660 USD   DE 12/05/2006 5/18/2007      
FUND 02 13     9 COMMERCIAL REAL ESTATE   Real estate 25,000                        
FUND 02 14     7 CASH US $ US $   1,400,000       1.3660 USA              
FUND 02 15   TEE.DB 2 TEE-COM DEBENTURES Private (101,520) 101.52 100,000     CAD   CA   06/06/2009 F 5.25 R
FUND 02 16     10 Pooled fund - Beutel Unit of fund Finance 1,000,000 10 100,00012   1.0000 CAD   CA          

1. Equity (including warrants and rights)
2. Debt and debentures
3. Money market instruments
4. Options
5. Futures
6. Forwards
7. Cash
8. Mortgages
9. Real estate
10. Pooled, mutual and investment funds
11. Swaps
12. Negative position: When reporting a negative position for a security, enter 'R' (for repurchase) in field 21.

*A survey guide is available upon request.

Note: Please include any tables of concordance for country codes, industry codes and currency codes if different from the BP-54 requested codes.


Notes

1. Please see Appendix 1 for a more detailed description of these categories.

 

Audit of Key Financial Controls
Statement of Management Responsibility Including Internal Control over Financial Reporting (ICFR)

Audit Report

April 22, 2013
Project Number: 80590-74

Executive summary

The Treasury Board of Canada (TB) Policy on Internal Control took effect on April 1, 2009 and is issued pursuant to Section 7 of the Financial Administration Act (FAA). The objective of the Policy is to ensure that risks relating to the stewardship of public resources are adequately managed through effective internal controls, including internal controls over financial reporting. The Policy requires the Chief Statistician (CS) and the Chief Financial Officer (CFO) of Statistics Canada to sign an annual Statement of Management Responsibility Including Internal Control over Financial Reporting attesting that an effective risk-based system of internal control is in place and operating within the Agency.

The objective of this audit was to provide assurance to the CS and Statistics Canada's Departmental Audit Committee (DAC) on the adequacy of the activities supporting the framework in place for the Finance Branch's annual risk-based assessment of the effectiveness of the system of internal control over financial reporting in support of the Statement of Management Responsibility Including Internal Control over Financial Reporting (the Statement).

This audit was conducted following the Standards for the Professional Practice of Internal Auditing as per the Institute of Internal Auditors (IIA) and in accordance with the TB Policy on Internal Audit.

Key findings

Statistics Canada has met the requirements for the implementation of a framework supporting the Policy on Internal Control. The Agency's project charter and overall process for assessing the effectiveness of ICFR integrates all major components of the Diagnostic Toolkit developed by the Office of the Comptroller General.

Statistics Canada has developed a key strategy document titled: "Proposed Strategy to Address Requirements of Policy on Internal Controls (March 2010)", which forms the basis of the Agency's approach to implementing the PIC. It includes all of the main components recommended in the Diagnostic Toolkit. Over the past two years, Finance has adjusted certain governance components of its framework for assessing ICFR; however, Statistics Canada's strategic plan for PIC compliance has not been revised or updated for continued operational relevance since it was first developed.

The provision of ongoing assurance regarding the full system of ICFR is required to meet policy requirements. Finance has completed all activities related to Tests of Operating Effectiveness (TOE) according to the testing schedule established in its PIC strategy, with the exception of processes and systems that are planned to be changed or in the process of being changed. Compensatory controls have not been tested by Finance during transition periods.

Statistics Canada has established processes for monitoring and reporting PIC compliance. The PIC team monitors the level of completion of remediation action plans resulting from each cycle of Tests of Design (TOD) and TOE; however, in some cases, the timing of validation activities does not permit the PIC team to provide ongoing assurance regarding ICFR. Audit testing of completed remediation actions for two business processes' action plans confirmed that recommendations had been implemented.

In accordance with the Policy, the Agency has completed its first Annex to the Statement of Management Responsibility including Internal Control over Financial Reporting for fiscal year 2011-2012, and is currently working towards the preparation of its second statement for fiscal year 2012-2013. The Statement follows the structure per the OCG's Diagnostic Toolkit; however, areas requiring corrective actions in order to achieve the state of audit readiness, and areas where assurance was not attained for a given period, are not explicitly reported.

Overall conclusion

Statistics Canada has implemented a comprehensive framework in support of its annual risk-based assessment of the effectiveness of the system of internal control over financial reporting.

While the activities supporting the framework in place are adequate, opportunities exist to ensure the Agency can sustain its ICFR assessment process cycle and remain current as continuous progress towards audit readiness evolves. Particular attention should be devoted to updating the Agency's strategy, and clearly communicating areas requiring corrective actions and areas where assurance was not attained.

Conformance with professional standards

The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which includes the Institute of Internal Auditors (IIA) Internal Standards for the Professional Practice of Internal Auditing.

Patrice Prud'homme
Chief Audit Executive

Introduction

Background

The Treasury Board of Canada (TB) Policy on Internal Control (PIC) took effect on April 1, 2009 and is issued pursuant to Section 7 of the Financial Administration Act (FAA). The objective of the Policy is to ensure that risks relating to the stewardship of public resources are adequately managed through effective internal controls, including internal controls over financial reporting (ICFR).

The Policy requires the deputy head (Chief Statistician) and the Chief Financial Officer (CFO) of Statistics Canada to sign an annual Statement of Management Responsibility Including Internal Control over Financial Reporting (the Statement). The Statement prefaces the Agency's financial statements, and includes the following:

  • Acknowledgement of management's responsibility to ensure that an effective system of internal control over financial reporting is maintained;
  • Acknowledgement of the conduct of an annual risk-based assessment of the effectiveness of the system of internal control;
  • Acknowledgement of the establishment of an action plan; and
  • A summary of the results of the assessment and the actions taken in response to issues.

The expected results of the Policy are the following:

  • An effective risk-based system of internal control is in place in departments and is properly maintained, monitored and reviewed, with timely corrective measures taken when issues are identified; and
  • An effective system of internal control over financial reporting is operating in departments as demonstrated by the Departmental Statement of Management Responsibility Including Internal Control over Financial Reporting.

The Office of the Comptroller General (OCG) has developed the 2010 Policy on Internal Control – Preliminary Draft Diagnostic Tool for Departments and Agencies (Diagnostic Toolkit), which provides departments with a practical step-by-step approach for planning and conducting a risk-based assessment of the effectiveness of the systems of ICFR as required under the PIC. It states that implementation of the PIC does not require an assessment of all controls, but rather an assessment of key controls based on risks. The proposed approach involves multi-year assessment planning, taking into account departmental capacities.

The Financial and Administrative Services Division (FASD) (formerly Financial Management Operations and Systems Division) is responsible for developing a framework for the assessment of operating effectiveness of ICFR and Information Technology General Controls (ITGC) [Footnote 1]. Staff assigned to these responsibilities (the PIC team) include: one full-time FTE responsible for the coordination of testing activities carried out by external contractors and tracking follow-up activities. Two levels of supervision oversee activities supporting PIC compliance on a part-time basis, including a Chief and Assistant-Director. The PIC team reports to the Acting Director (A/Director), FASD, and to the Director General of Finance (the Deputy CFO). The Finance team started the initial stages of the planning and scoping process in 2009. Since then, the first full cycle of assessment of ICFR has been completed. The Agency issued its first Statement of Management Responsibility for the fiscal year ending March 31, 2012. From that point on, the project of implementing the PIC has evolved to a sustained process which requires monitoring and maintenance of documentation in collaboration with process owners, testing ICFR and reporting on the state of audit readiness.

At Statistics Canada, Assistant Chief Statisticians (ACSs) are required to sign a Statement of Management Responsibility for their respective fields. This initiative was implemented by the Finance team as a best practice. By signing this statement, ACSs agree to provide full cooperation and support through the annual assessment of ICFR within their area.

The assessment of ICFR involves four (4) core activities, which are undertaken according to an established schedule, as per a strategy defined by the Agency. A brief description of each activity is outlined below. Processes within each activity are further detailed throughout the findings section of this report.

Figure 1: Assessment of ICFR


Planning and Scoping is the first step in conducting an assessment of an Agency's ICFR. Strategic Plans for ICFR and ITGC and related work plans outline the scope of the ICFR that will be covered and the frequency of testing. It presents the results of a risk assessment exercise from which decisions on the selection of in-scope business processes are made.

Documenting processes and controls within each in-scope business process is the approach used to identify key controls in place to mitigate risks to an acceptable level. Ultimately this will help to ensure that control testing efforts are appropriately focused on areas of greatest risk.

The assessment of control design involves identifying the key controls in place to prevent or detect a material misstatement in the financial statements and mitigate key risks. Testing of Design is intended to confirm alignment of these key controls related to the key risks to the financial statements they aim to mitigate.

The assessment of control operating effectiveness involves assessing the extent to which a key control has been operating as intended over a specified period of time. Tests of operating effectiveness are intended to demonstrate the reliability of the controls over a period of time in reducing financial reporting risks.

Key controls requiring improvements are communicated to each business process owner through Letters of Recommendation (LOR). Finance's ongoing monitoring and reporting activities, as well as sound risk management practices ensure continued progress towards audit readiness.

Audit objective

The objective of this audit was to provide assurance to the Chief Statistician (CS) and Statistics Canada's Departmental Audit Committee (DAC) on the adequacy of:

  • The activities supporting the framework in place for the Finance Branch's annual risk-based assessment of the effectiveness of the system of internal control over financial reporting in support of the Statement of Management Responsibility Including Internal Control over Financial Reporting.

Scope

The scope of this audit included an examination of processes and mechanisms in place for selected key steps within the PIC implementation process, as described in the Office of the Comptroller General's Diagnostic Toolkit. The audit included interviews with management and staff within the Finance Branch and other divisions having an impact on PIC compliance. The scope of the audit included an examination of processes and mechanisms in place during fiscal years 2011-2012 and 2012-2013 up to December 2012.

Approach and methodology

The audit was conducted following the Standards for the Professional Practice of Internal Auditing as per the Institute of Internal Auditors (IIA) and in accordance with the TB Policy on Internal Audit. The audit work consisted of examination of documents, interviews with key Senior Management and personnel of Statistics Canada, review of processes and procedures with respect to internal controls and testing of the completion of a sample of remediation actions. The audit approach was inspired by the TB Policy on Internal Control and the 2010 Policy on Internal Control – Preliminary Draft Diagnostic Tool for Departments and Agencies issued by the Office of the Comptroller General in July 2010.

Authority

The audit was conducted under the authority of Statistics Canada Multi-Year Risk-Based Audit Plan 2012/13-2016/17, approved April, 2012 by the Departmental Audit Committee.

Findings, recommendations and management responses

Objective: Adequacy of the activities supporting the framework in place for the Finance Branch's annual risk-based assessment of the effectiveness of the system of internal control over financial reporting in support of the Statement of Management Responsibility Including Internal Control over Financial Reporting.

Framework supporting the assessment of the effectiveness of ICFR

Statistics Canada has met the requirements for the implementation of a framework supporting the Policy on Internal Control. The Agency's project charter and overall process for assessing the effectiveness of ICFR integrates all major components of the Diagnostic Toolkit developed by the Office of the Comptroller General.

Statistics Canada has developed a key strategy document titled: "Proposed Strategy to Address Requirements of Policy on Internal Controls (March 2010)", which forms the basis of the Agency's approach to implementing the PIC. It includes all of the main components recommended in the Diagnostic Toolkit. Over the past two years, Finance has adjusted certain governance components of its framework for assessing ICFR; however, Statistics Canada's strategic plan for PIC compliance has not been revised or updated for continued operational relevance since it was first developed.

The provision of ongoing assurance regarding the full system of ICFR is required to meet policy requirements. Finance has completed all activities related to TOE according to the testing schedule established in its PIC strategy, with the exception of processes and systems that are planned to be changed or in the process of being changed. Compensatory controls have not been tested during transition periods.

The process of assessing the effectiveness of ICFR starts from early planning, including financial statement decomposition, through the identification of key risks and key controls, the documentation requirements to support adequate assessments and the design and operating effectiveness testing up to the completion of remediation and on-going monitoring activities with periodic risk-based testing over time. This process is intended to enable departments to better understand their state of audit readiness and level of compliance with the PIC.

Project charter

Based on the approach described in the OCG's Diagnostic Toolkit, activities, schedules, and resources needed to achieve PIC compliance objectives should be documented and sufficient resources should be secured to support compliance to the PIC. Responsibilities for the implementation of ICFR should be clearly identified and assigned. As part of this process, the Agency should have a documented plan in place for the assessment of ICFR effectiveness required by the PIC. The documented plan should include scope, timing, milestones, costs/capacity, and cover the steps required to assess the effectiveness of ICFR. An independent oversight mechanism should be in place to deal with cases concerning values and ethics that allows for anonymous reporting of suspected improprieties.

Statistics Canada has developed two key guiding PIC strategy documents: The first is titled the "Proposed Strategy to Address Requirements of Policy on Internal Controls (March 2010)" and the second is the "Proposed Strategy to Address Requirements of Policy on Internal Controls - ITGCs (January 2012)", which is specific to Information Technology General Controls. These two strategy documents form the basis of the Agency's approach to implementing the PIC, and include all the main components recommended in the Diagnostic Toolkit, with the exception of costs and capacity, which are covered in the work plan developed annually to execute on the ICFR and ITGC strategy documents.

Responsibilities for PIC compliance are clearly identified and assigned within the "Proposed Strategy to Address Requirements of Policy on Internal Controls document (March 2010)". The strategy document identifies four stakeholders within the Agency having significant roles and responsibilities: the CS, the CFO, the DAC and Financial Management Operations Systems Division (now the FASD). Described roles and responsibilities are in line with the Policy. In addition, the Annex to the Statement of Management Responsibility Including ICFR describes the roles of three committees involved in monitoring the PIC compliance program:

  • DAC is an advisory committee that provides objective views on the Agency's risk management, control and governance frameworks;
  • The Corporate Policy Committee (CPC) is chaired by the CS and is the most senior executive committee in the Agency, providing broad strategic direction. It acts as the body for all decision-making related to corporate-level management of the Agency including strategic corporate planning, resource allocation, financial management, human resources management, communications and dissemination, program evaluation and information management/information technology; and
  • Administrative Practices Committee (APC) oversees the development, implementation and application of administrative, financial management, risk management and evaluation practices.

Statistics Canada also has an independent oversight mechanism in place that allows for anonymous reporting of suspected improprieties. Should employees come across information or evidence that could potentially involve suspected improprieties, they can report any such concerns through the values and ethics framework established within Statistics Canada.

The Agency's project charter is in line with the PIC and follows the approach described in the OCG's Diagnostic Toolkit.

Risk management

Management should have adequate risk management practices in place, to consider and mitigate risks associated with the implementation of ICFR, and achieving PIC compliance. Implementing and maintaining a framework for PIC has inherent risks that may preclude the achievement of compliance with the Policy.

Interviews revealed PIC compliance is subject to four main dependencies: 1) Services provided by an external consultant; 2) Finance staff assigned to activities related to PIC; 3) The collaboration of business process owners for the documentation of processes, the identification of key controls and implementation of remediation actions where control weaknesses are identified; and 4) The support of senior management across the Agency.

Risks to the implementation of ICFR have been considered and mitigated within Finance. FASD has identified a number of short and long-term mitigation strategies to manage risks associated with these dependencies, including, but not limited to:

  • Securing a professional services contract for resources to carry out the PIC work plan;
  • Oversight activities to ensure quality over the consultants' work;
  • Access to a pool of rotational staff within Finance to address current and future knowledge resource needs for activities related to the PIC;
  • Formal letters of acknowledgement of responsibility towards the implementation of PIC signed by the ACSs in each field; and
  • Presentations to senior management across the Agency explaining the requirements of the policy as well as their respective roles and responsibilities.

From its first year of operation, Finance has monitored the effectiveness of mitigation strategies in place, and is in the process of developing additional strategies to increase the level of collaboration of business process owners. As a result, FASD has identified certain challenges with respect to follow-up activities and is considering implementing a steering committee involving key stakeholders at the Director and Director General (DG) levels to increase the support and engagement of management with respect to PIC compliance across the Agency. This new initiative is expected to be implemented in 2013.

Finance has an adequate approach to managing the inherent risks associated with implementing a framework for the annual risk-based assessment of the effectiveness of the system of ICFR.

Planning and scoping

As Statistics Canada's process to assess ICFR has evolved from an initial implementation project to a sustained process, the strategic plan for PIC compliance and work plan should be reviewed periodically and validated by the CFO and CS to ensure continued relevance. As required by the PIC, DAC should be consulted on the risk-based assessment plans for the annual assessment of the effectiveness of the departmental system of internal control.

Statistics Canada has mechanisms in place to plan and scope its strategy for PIC compliance, to address significant issues, and ensure continuous improvement. The two PIC strategy documents describe the approach to be used for the testing of ICFR, roles and responsibilities, reporting requirements, next steps, a work plan with defined timelines, and detailed risk assessments for each in-scope business process.

To develop the strategy documents and associated work plan, the Agency has identified the key risks facing the integrity of the financial statements (F/S), the significant accounts within the F/S, and has determined which business processes are considered in-scope.

The business processes considered in-scope are the following:

  • Financial Close and Reporting;
  • Payroll and Benefits;
  • Census Pay;
  • Interviewer's Pay;
  • Revenues;
  • Operating Expenditures;
  • Capital Assets;
  • Entity Level Controls, including Budgeting and Forecasting; and
  • General Computer Controls (GCCs).

For each in-scope business process, the Agency has identified the significant business units, systems, and entity level controls that are reported in the F/S. The planning documents specify the area to be tested, the inherent risks, the rationale for the inherent risk areas to be tested, the control objectives, the extent of testing, and the frequency of testing.

In March 2013, Statistics Canada will have completed its second year of assessment of ICFR following the original PIC compliance strategy. The strategy guides decision-making regarding which processes, financial statement accounts, and risks are most relevant for consideration in the testing strategy, and the allocation of resources. Over the past two years, Finance has adjusted certain governance components of its framework for assessing ICFR; however, Statistics Canada's strategic plan for PIC compliance has not been revised or updated for continued operational relevance since it was first developed. Revisiting and updating the strategy and risk environment on a periodic basis will ensure that the strategy remains relevant, by being reflective of the Agency's operating environment.

At the end of each fiscal year, the CS and CFO are responsible for signing the Statement of Management Responsibility. Therefore, once the testing strategy has been updated, formally validating it with the CS and the CFO would ensure they have an opportunity to review and provide input into the proposed plans. The outlines of the strategy and the Statement were presented to the CFO, senior management and DAC in March 2012, but the testing strategy document was not presented in its entirety. As a result, actual completed testing cannot be compared to planned testing activities. Signing the annual Statement requires an acknowledgement of the conduct of annual risk-based assessment of ICFR, including any deviations from the PIC strategy.

Documentation of in-scope business processes

An adequate process should be in place to document in-scope business processes and identify process-level controls that mitigate risks to the integrity of the financial statements. Business process narratives and flowcharts are used to identify key controls, and map these controls to F/S risks. Documentation maintained for in-scope business processes should be evergreen, reflecting significant changes in processes and/or systems that have an impact on ICFR.

Statistics Canada has completed its initial round of documentation for each in-scope business process. A review of the business process documentation for four in-scope business processes (Pay, Financial Close Reporting, Revenues and GCC-Change Management) found that the Agency follows a standardized approach to documentation (process narratives), which includes a description of the process and sub-processes, related systems, key controls and identification of the process owners accountable for each in-scope business process. Key control points and accountabilities were identified in the narratives, or directly within the testing matrices, and linked with key risks. For three out of the four in-scope business processes reviewed, process narratives were prepared using a standard format. The GCC-Change Management process was documented using a process flowchart, with specific sub-processes documented in the testing matrices. This is an acceptable alternative to process narratives.

Process owners develop their own process narrative documentation, which is then validated by the PIC team. Process documentation should be evergreen and as such, should be periodically validated with process owners to ensure documentation remains up-to-date. This practice helps ensure that Statistics Canada is working with an accurate and up-to-date understanding of business processes when identifying and monitoring key controls, risk factors, and determining areas of ICFR testing. Currently, reliance is placed upon process owners to communicate changes in processes to the PIC team, and significant follow-up is required as business process owners do not systematically communicate changes to the PIC team. Accurate and up-to-date information is essential for decisions regarding approach and methodology for testing.

Tests of design (TOD) of key controls

Assessing the design of key controls involves identifying key controls, aligned with the key risks, and completing tests of design. Tests of design are conducted to verify that key controls in place are implemented as described in process narratives.

Statistics Canada has identified key controls that exist within in-scope business processes, has mapped these controls to the risks they mitigate, and has completed tests of design. The audit selected three sub-processes for each of the four selected in-scope business processes for review. The audit confirmed that each sub-process had a key control identified and was aligned to each key control. For those controls that were found to be ineffective through TOD, the finding/weakness was included in a Letter of Recommendation (LOR), and a management response was developed to address the specific finding/weakness.

Tests of operating effectiveness (TOE) of key controls

A process should be in place to assess the extent to which key controls, including ITGC and entity level controls, have been operating as intended over a specified period of time. This process is referred to as a Test of Operating Effectiveness (TOE). The testing strategy should be documented, and include sampling techniques, locations, timing, and the IT application controls to be tested.

Statistics Canada has developed and documented its strategy for completing tests of effectiveness of key controls. The testing strategy describes the scope, approach, methodology, basis for sampling, frequency and lists the application controls to be assessed. Statistics Canada's two PIC strategy documents include sections on the Agency's approach for TOE. The approach to testing contained in each PIC strategy document adequately details key information, including risk information, the degree of reliance on controls, a testing strategy for each in-scope business process, a testing plan with timelines, and sample sizes. The testing matrices further document the testing and sampling strategies for each key control to be tested, and where applicable, identify the various locations where testing is to take place.

In this regard, the Agency has met the PIC requirements. Processes that are in place are in line with the approach recommended in the Diagnostic Toolkit.

Change management

The Policy on Internal Control requires ongoing assurance on the system of ICFR. In order to meet this requirement, the Agency must follow its strategy for the assessment of key controls for in-scope business processes, according to the established timelines. The strategy should include coverage and testing in situations when processes and systems are scheduled to be changed or are in the process of change. Testing activities should be adapted in such cases to ensure compensatory controls are monitored for effectiveness during this time. In the event that testing for an in-scope business process is suspended or cancelled, such decisions should be communicated to the CS and CFO, as it impacts the Agency's ability to monitor the effectiveness of the full system of ICFR on an ongoing basis, as is required by the PIC.

Interviews with management and the review of documentation revealed that there are a number of projects underway that involve significant changes in processes and systems affecting ICFR. Some initiatives originate from within the Agency, while others are initiated by third parties who provide services to the Agency. Examples of significant changes are:

  • Business processes affected by Administrative Processes Review and Automation (APRA);
  • Transfer of technology to Shared Services Canada (SSC);
  • Public Works & Government Services Canada's changes to the Common Departmental Financial System (CDFS), with the implementation of a Capital Assets module;
  • Business process changes resulting from letters of recommendations to address weaknesses in key financial controls (e.g. IT Change Management process, HR's system change from GLOBAL to GALAXY).

Where process or system changes are initiated within the Agency, the PIC team proactively reviews the design of processes under development to ensure key controls are imbedded. Interviews revealed that some testing activities had been cancelled for 2012-2013, as they relate to business processes impacted by APRA.

When process or system changes are initiated by third-party service providers, the PIC team monitors the evolution of these initiatives by attending meetings, or through on-going communication with designated Statistics Canada representatives who are part of steering committees.

In the event that significant process or system changes are planned or are being changed by third-party service providers, the ability to provide ongoing assurance regarding the full system of ICFR should be maintained in order to meet the requirements of the policy. In these situations, the current practice has been to suspend, defer or cancel testing. For example, the Capital Assets business process was last tested in 2009, and was scheduled for the next round of testing in the 2011-2012 fiscal year. Due to planned changes to CDFS, testing of Capital Assets has been deferred to the 2014-2015 fiscal year. When testing is cancelled in an area, the PIC team has not been confirming whether the system of internal control has remained the same or if it continues to be effective. If ongoing assurance cannot be provided for a period of time, this situation should be clearly stated in the Statement.

For the transition of technology to SSC, Finance and SSC are engaged in discussions to determine how Statistics Canada will obtain assurance on ICFR from SSC. Departments across the Federal Government are affected by this transition of services to SSC, and it is expected that each department will engage in negotiations with SSC to attain the level of assurance deemed necessary by each department. As expected, timelines for including assurance over ICFR on business processes managed by SSC have not yet been set.

A review of the PIC Follow-up Action Plan revealed that certain key controls scheduled to be tested during the last round of testing had not been tested. Interviews with Finance staff confirmed that testing of certain key controls had been delayed in instances where processes or systems were planned to be changed. Compensatory controls in place during transition periods were not tested. Postponing or cancelling testing of key controls may impact the Agency's ability to monitor the effectiveness of the full system of ICFR on an ongoing basis, as is required by the PIC.

Recommendations:

It is recommended that the Assistant Chief Statistician Corporate Services and CFO ensure that:

  • The PIC strategy is periodically updated and validated by the CFO and CS.
  • Compensatory controls in place during process and system changes are considered for testing as part of providing ongoing assurance on ICFR.

Management response:

Management agrees with the recommendations.

  • The Director, Financial Reporting Division will ensure that the PIC strategy is updated and validated by the CFO, CS and DAC annually.

    Deliverables and Timeline: Annual presentation of the PIC strategy to Policy Committee and DAC, in March/April of each year.
  • The Director, Financial Reporting Division will ensure that compensatory controls are considered and included in the testing strategy as required, on a risk basis.

    Deliverables and Timeline: Completed testing of compensatory controls as planned in the testing strategy, as required.

Ongoing monitoring and reporting on the state of ICFR

Statistics Canada has established processes for monitoring and reporting PIC compliance. The PIC team monitors the level of completion of remediation action plans resulting from each cycle of TOD and TOE; however, in some cases, the timing of validation activities does not permit the PIC team to provide ongoing assurance regarding ICFR. Audit testing of completed remediation actions for two business processes' action plans confirmed that recommendations had been implemented.

In accordance with the Policy, the Agency has completed its first Annex to the Statement of Management Responsibility including Internal Control over Financial Reporting for fiscal year 2011-2012, and is currently working towards the preparation of its second statement for fiscal year 2012-2013. The Statement follows the structure per the OCG's Diagnostic Toolkit; however, areas requiring corrective actions in order to achieve the state of audit readiness, and areas where assurance was not attained for a given period, are not explicitly reported.

Based on the approach suggested in the OCG's Diagnostic Toolkit regarding ongoing monitoring and reporting on the state of ICFR and progress towards audit readiness, management needs to consider the potential impact that control weaknesses may have on the integrity of the financial statements and monitor the implementation of remedial actions required to address specific control deficiencies. As part of the process, there should be timely reports to the CFO and senior management on the nature of the results of the assessments and with attention on the associated action plans. At appropriate times, the DACs should be engaged for advice on the findings and responses.

The following sections provide an assessment of monitoring and reporting activities in place within Finance, and are from the first full cycle of assessing control effectiveness through testing, implementation of remediation actions and reporting results within the Agency.

Monitoring progress towards audit readiness

Following the completion of TOE, Finance obtains proposed remediation actions from respective business process owners and outstanding actions are flagged for follow-up. The PIC team monitors the level of completion of remediation action plans resulting from each cycle of TOD and TOE. To do so, the state of completion of remediation actions is assessed by the business process owner, and communicated to the PIC team, where it is tracked in the PIC Follow-up Action Plan spreadsheet.

Remediation plans were reviewed by the audit team and interviews were conducted with business process owners to verify that remediation actions had been completed, and updates to the plan had been communicated to the PIC Finance team. The audit found that in some cases, the timelines for implementing remediation actions extended past the next scheduled testing. As a result, TOE for those processes had been delayed.

The audit team also selected two completed remediation actions from the Revenues and the GCC-Change Management business processes action plans to verify that changes to the process had been implemented. A sample of 11 control transactions was selected for each of these two business processes:

  • The first control tested was the approval process for monthly reconciliations between the cash receipts recorded in the Common Departmental Financial System (CDFS) and the Corporate Sales Support System (CSSS) using the Non Salary Information Management System (NSIMS). The result of our test confirmed that the recommended control was implemented within the process. The completion of this remediation action had also been validated by the PIC team in the last round of testing.
  • The second control tested was the approval process for system changes identified in the Team Foundation Server (TFS). Results confirmed that the recommended control over change requests was implemented within the process.

Timely completion of remediation actions is essential to ensuring an effective system of ICFR is operating in the Agency. In both cases, the recommended controls had been implemented and the remediation actions had been completed.

The PIC team's current approach for validating the state of completion of remediation actions is to carry out testing during the next scheduled round of testing established in the Strategy's testing schedule, which could represent a three-year time lapse between tests. As a result, it may not be possible for the PIC team to provide assurance on the effectiveness of the changes implemented by the business process owner, as required for annual reporting purposes.

Timely validation of completed remediation actions will enable the PIC team to provide ongoing assurance regarding ICFR.

Reporting on the state of ICFR and progress towards audit readiness

To fulfill their responsibilities as stated in the Policy, it is essential that the CS and the CFO have a clear picture of the overall state of internal control at Statistics Canada, and that their attention is drawn to areas requiring corrective actions. According to the Diagnostic Toolkit,

"there should be timely reports to the CFO and senior management on the nature of the results of the assessments, with attention on the associated action plans. At appropriate times, the DACs should be engaged for advice on the findings and responses".

The PIC team is responsible for reporting to senior management and the DAC on the results of ICFR testing and progress towards the completion of testing plans and remediation actions. The PIC team has made a number of presentations to DAC, CPC and APC for its first PIC reporting exercise. Information presented focussed on the requirements of the Policy and contained high-level information on results of testing.

In accordance with the Policy, the Agency has completed its first Annex to the Statement of Management Responsibility including Internal Control over Financial Reporting (the Statement) for fiscal year 2011-2012, and is currently working towards the preparation of its second statement for fiscal year 2012-2013. The Annex, which was attached to the Departmental Financial Statements for the fiscal year ending March 31, 2012, follows the same structure that is suggested in the OCG's Diagnostic Toolkit. The section pertaining to the Agency's progress provides information on which elements of the testing schedule have been completed.

The intent of the Statement, as stated in the Diagnostic Toolkit, is

"to report to the Departmental Audit Committee, senior management and central agencies on the status of ICFR management; communicate the importance of continuous improvement in internal controls within the organization; and serve as input into the ICFR assessment plans for future years".

In order to achieve this objective, information presented in the Annex should speak to the nature of the work that is required to achieve audit readiness, as it pertains to outstanding remediation items. This process enables decision-makers to have sufficient information to ensure corrective measures are implemented in a timely fashion.

Conversely, when testing of ICFR is not possible during transition periods, the Annex should clearly communicate what in-scope business processes or periods were not assessed. The audit team analysed the information communicated in the Agency's first Statement, issued for the fiscal year 2011-2012. The Statement includes a section pertaining to next steps, in which general information on processes and systems in transition is provided. Decisions to postpone or cancel ICFR testing were not clearly communicated in the Statement. The CFO, CS, and the DAC rely on information from the Statement as it may influence decisions pertaining to areas where assurance was not attained for any given period.

The Statement follows the structure per the OCG's Diagnostic Toolkit; however, areas requiring corrective actions in order to achieve the state of audit readiness, and areas where assurance was not attained for a given period, are not explicitly reported.

Recommendations:

It is recommended that the Assistant Chief Statistician Corporate Services and CFO ensure that:

  • The monitoring process includes timely validation on the state of completeness of remediation actions reported by business process owners, and formal guidelines and protocols for communicating issues of significance such as a deviation from legislation or TB policy related to ICFR.
  • The Annex to the Statement of Management Responsibility including Internal Control over Financial Reporting clearly communicates the areas requiring corrective actions in order to achieve the state of audit readiness, and areas where assurance was not attained for any given period.

Management response:

Management agrees with the recommendations.

  • A PIC Steering Committee was created, with the DGs of Finance, IT, HR, Procurement and Assets Management and Census as its members. The Director, Financial Reporting Division will ensure that this core management group provides leadership and oversight on the state of completeness of all reported remediation actions and for communicating issues of significance.

    Deliverables and Timeline: Regular meetings of PIC Steering Committee and timely validation on the state of completeness of remediation actions through review of evidence of actions taken by business process owners and/or testing to ensure controls have been implemented. Meetings and validation activities will be held quarterly or as required depending on status of remediation actions, in accordance with PIC reporting timelines. First PIC Steering Committee meeting is planned for May 2013.
  • The Director, Financial Reporting Division will ensure that the status of the ICFR strategy and all relevant information in describing the organization's state of audit readiness are clearly communicated.

    Deliverables and Timeline: As part of the Annex to the Statement of Management Responsibility including Internal Control over Financial Reporting, which is issued annually, in accordance with PIC reporting timelines.

Appendices

Appendix A: Audit criteria

This table displays the results of appendix a. The information is grouped by objective / core controls / criteria (appearing as row headers), sub-criteria and policy instrument (appearing as column headers).
Objective / Core Controls / Criteria Sub-Criteria Policy Instrument
1) Adequacy of the activities supporting the framework in place for the Finance Branch's annual risk-based assessment of the effectiveness of the system of internal control over financial reporting in support of the Statement of Management Responsibility Including Internal Control over Financial Reporting.
1.1 Monitoring Compliance to PIC

Management has adequate monitoring processes and risk management practices over the department's progress towards its Strategy for PIC compliance.
1.1.1 The progress towards the proposed strategy to address requirements of PIC is assessed regularly and any identified challenges are dealt with on a timely basis.

1.1.2 Responsibilities for implementation of ICFR have been clearly identified and assigned in the department.

1.1.3 Project governance has been documented to monitor the PIC program.

1.1.4 Risks to implementation of ICFR have been considered, documented and mitigated.

1.1.5 Management has a documented process for monitoring the activities of the PIC compliance strategy and related work plan, which includes any challenges found, the action items required to remedy those challenges, who will be responsible for the action items, and timelines for action items completion.

1.1.6 The risk identification process is rigorous and risk events are identified at the entity and activity levels, such as the process used to scope, plan, and execute the PIC compliance regime.
Policy on Internal Control (PIC)

Preliminary Draft Diagnostic Tool for Departments and Agencies. July 2010.

Management Accountability Framework (MAF)
1.2 Overall Process of assessment of effectiveness of Internal Controls over Financial Reporting (ICFR)

Activities, schedules and resources needed to achieve PIC compliance objectives have been documented and integrated into the corporate budget.
1.2.1 The department has a documented project plan in place that includes scope, timing, milestones, and costs/capacity, and that covers the various steps towards assessing the effectiveness of ICFR as recommended by the Diagnostic Toolkit. Policy on Internal Control (PIC)

Preliminary Draft Diagnostic Tool for Departments and Agencies. July 2010.
1.3 Planning and Scoping

The department has an adequate process in place for planning and scoping its strategy for ensuring compliance with PIC.
1.3.1 There is a plan with timelines in place to address significant issues and ensure continuous improvement.

1.3.2 The department has identified the key risks facing the integrity of the financial statements (F/S) and identified the significant F/S accounts.

1.3.3 The department has identified the significant business units, systems, and business processes and entity level controls related to the significant accounts that are reported in the F/S.

1.3.4 The department has documented its planning and scoping for ICFR.

1.3.5 The assessment plan has been validated with senior management, CFO and CS.

1.3.6 The strategic plan for PIC compliance and work plan progress are reviewed from time to time for continued relevance.
Policy on Internal Control (PIC)

Preliminary Draft Diagnostic Tool for Departments and Agencies. July 2010.
1.4 Documentation

The department has an adequate process in place for documenting the business processes and identifying the process level risks that have an impact on the integrity of the financial statements.
1.4.1 The department has documented the business process for each in-scope process.

1.4.2 The department has followed a standardized approach to document the business processes.

1.4.3 The documentation identified the key control points and accountabilities.

1.4.4 The department has identified F/S reporting risks for each in-scope business process, documented and prioritized these risks.

1.4.5 The documented processes have been validated by the process owners to acknowledge accuracy of the documentation and controls.

1.4.6 Identification of key risks has been validated by senior management.
Policy on Internal Control (PIC)

Preliminary Draft Diagnostic Tool for Departments and Agencies. July 2010
1.5 Test of Design (TOD)

The department has an adequate process in place to identify key controls at all levels and align them with key risks to the integrity of the financial statements.
1.5.1 The department has identified the key controls;

1.5.2 The department has aligned the risks with the key controls that are in place to mitigate the risk;

1.5.3 The department has completed a Test of Design using walk-throughs for the key controls;

1.5.4 The results of the test of design have been reported to the appropriate senior management forum and the DAC;

1.5.5 The identified significant elements of the remediation plans have been identified and completed.

1.5.6 Prompt and appropriate remedial action is taken by management in response to departures from approved policies, procedures or codes of conduct. Disciplinary actions taken as a result of violations are communicated across the organization.
Policy on Internal Control (PIC)

Preliminary Draft Diagnostic Tool for Departments and Agencies. July 2010.
1.6 Test of Operating Effectiveness (TOE)

The department has an adequate process in place to assess the extent to which key controls, including IT general controls (ITGC) and entity level controls, have been operating as intended over a specified period of time.
1.6.1 The department has developed and documented its testing strategy, including sampling techniques, locations and timing and IT application controls, for completing the TOE of its key controls.

1.6.2 The department has completed TOEs for all key controls, including ITGCs and entity level controls, of all in-scope business processes.

1.6.3 A report on the results of this testing and associated action plan has been developed and shared with senior management and reported to the DAC.

1.6.4 The department is monitoring or has the capacity to monitor the completion of the necessary remediation that may be required for any weaknesses identified during the testing.

1.6.5 The remediation actions are completed.
Policy on Internal Control (PIC)

Preliminary Draft Diagnostic Tool for Departments and Agencies. July 2010.
1.7 Reporting

The department has an adequate process in place for reporting on results of the assessment of effectiveness of ICFR and related action plans, and formal channels of communication exist for people to report suspected improprieties.
1.7.1 The department has established a central group to provide the focus on management of departmental ICFR through the oversight of the departmental assessment process, results and action plans in support of the CFO and CS, and to capture and report the results of all departmental testing;

1.7.2 The DAC has been engaged on the risk-based assessment plans and results of the annual assessment of the effectiveness of the departmental system of internal control;

1.7.3 The department has a process in place to update process documentation, conduct ongoing testing (TOD and TOE) and provide ongoing reporting on the results of the testing;

1.7.4 The department monitors control remediation items through its formal approved action plan;

1.7.5 The department has completed its summary annex to be attached to the departmental Statement of Management Responsibility including Internal Control over Financial Reporting.

1.7.6 The Agency has in place an independent oversight mechanism to deal with cases concerning ethics and values that allows for anonymous reporting of suspected improprieties.

Policy on Internal Control (PIC)

Preliminary Draft Diagnostic Tool for Departments and Agencies. July 2010.

1.8 Change Management

The organization has in place a process to identify change opportunities/requirements with respect to the PIC compliance framework.
1.8.1 A strategy for coverage and testing is in place when processes and systems are scheduled to be changed or are in the process of change.

1.8.2 Additional work is conducted to ensure compensatory controls are working during this time.

1.8.3 Where coverage/testing of IC is not possible during transition periods, the Statement clearly communicates what areas or periods were not covered.

1.8.4 Results of testing when control is not functioning

Management Accountability Framework (MAF)

Policy on Internal Control (PIC)

Preliminary Draft Diagnostic Tool for Departments and Agencies. July 2010.

Appendix B: Acronyms
Acronym Description
SC Statistics Canada
ICFR Internal Controls over Financial Reporting
TB Treasury Board
PIC Policy on Internal Control
FAA Financial Administration Act
ITGC Information Technology General Controls
CS Chief Statistician
DAC Departmental Audit Committee
IIA Institute of Internal Auditors
CFO Chief Financial Officer
MAF Management Accountability Framework
OCG Office of the Comptroller General
DCFO Deputy Chief Financial Officer
APC Administrative Practices Committee
CPC Corporate Planning Committee
LOR Letters of Recommendation
CDFS Common Departmental Financial System
ACS Assistant Chief Statisticians
CAE Chief Audit Executive
TOE Testing of Operating Effectiveness
TOD Testing of Design & Implementation
GCC General Computer Controls
IT Information Technology
DG Director-General
FMOSD Financial Management Operations and Systems Division
APRA Administrative Processes Review and Automation
CSSS Corporate Sales Support System
NSIMS Non Salary Information Management System
TFS Team Foundation Server
SSC Shared Services Canada

Footnotes

Footnote 1

Information Technology General Controls are considered part of the system of Internal Control over Financial Reporting. Subsequent references made to ICFR in this report include ITGCs.