2012–13 Annex to the Statement of Management Responsibility, Including Internal Control over Financial Reporting
1 Introduction
1.1 Authority, mandate, and program activities
1.2 Financial highlights
1.3 Service arrangements relevant to financial statements
1.4 Material changes in 2012–13
2 The Control Environment Relevant to ICFR
2.1 Key positions, roles, and responsibilities
2.2 Key measures taken
3 Assessment of the OAG’s System of ICFR
3.1 Assessment baseline
3.2 Assessment method
4 Assessment Results
4.1 Design effectiveness
4.2 Operating effectiveness
4.3 Conclusion
5 The Action Plan
5.1 Progress made during the fiscal year ending 31 March 2013
5.2 Action plan for future years
Note to the reader
The Treasury Board Policy on Internal Control requires that organizations demonstrate the measures they are taking to maintain an effective system of internal control over financial reporting (ICFR).
As part of this policy, organizations are expected to conduct annual assessments of their system of ICFR, establish action plans to address any necessary adjustments, and attach a summary of their assessment results and action plan to their Statement of Management Responsibility.
Effective systems of ICFR aim to produce reliable financial statements and to provide assurance that
- transactions are appropriately authorized;
- financial records are properly maintained;
- assets are safeguarded from risks such as waste, abuse, loss, fraud, and mismanagement; and
- applicable laws, regulations, and policies are complied with.
It is important to note that the system of ICFR is not designed to eliminate risks, but rather to mitigate risks to a reasonable level, with controls that are balanced with and proportionate to the risks they aim to mitigate.
The maintenance of an effective system of ICFR is an ongoing process designed to identify and prioritize risks and the controls to mitigate these risks, as well as to monitor the system’s performance in support of continuous improvement. As a result, the scope, pace, and status of organizations’ assessments of the effectiveness of their systems of ICFR will vary from one organization to another, based on risks and each organization’s unique circumstances.
1 Introduction
This document is attached to the Office of the Auditor General’s (OAG) Statement of Management Responsibility, Including Internal Control over Financial Reporting for the 2012–13 fiscal year. As required by the Treasury Board Policy on Internal Control, this document provides summary information on the measures taken by the OAG to maintain an effective system of internal control over financial reporting (ICFR). In particular, it provides summary information on the OAG’s assessment as of 31 March 2013, including progress, results, and related action plans along with some financial highlights pertinent to understanding the control environment unique to the OAG.
1.1 Authority, mandate, and program activities
Detailed information on the OAG’s authority, mandate, and program activities can be found in its Departmental Performance Report and its Report on Plans and Priorities.
1.2 Financial highlights
The OAG’s annual audited financial statements for the fiscal year ended 31 March 2013 can be found in its Departmental Performance Report. Financial information can also be found in the Public Accounts of Canada.
- The OAG is financially dependent on Parliament for its funding, and some services are provided without charge by Public Works and Government Services Canada (PWGSC). The appropriations provided by Parliament ($88.2 million) fund 88.5 percent of the total cost of operations.
- Approximately 15 percent of total costs of operations are services provided without charge by PWGSC, made up of accommodations ($8.7 million) and the employee insurance plan ($5.9 million).
- Salaries and employee benefits, excluding employee insurance plan costs ($72.7 million), account for 73 percent of the OAG’s total cost of operations.
- The remaining expenses (12 percent or $12.4 million) are for rentals, professional services, travel, communication and other equipment and supplies.
- Tangible capital assets comprise 86 percent, or $1.8 million, of the total non-financial assets of $2.1 million. Financial assets are composed mostly of an amount due from the Consolidated Revenue Fund of $8 million.
- Post-employment benefits and compensated absences ($10.8 million) account for 51 percent of total liabilities. Accounts payable and accrued liabilities ($10.5 million) comprise the remaining 49 percent of total liabilities. The accrued liabilities include accruals for salary, overtime, vacation pay, pay equity, and severance pay.
- The OAG has information systems that are critical to its operations and financial reporting, such as its financial system, GX Financials.
1.3 Service arrangements relevant to financial statements
The OAG relies on other organizations for processing certain transactions recorded in its financial statements:
- PWGSC centrally administers the payment of salaries as well as the payment of invoices to suppliers through the Standard Payment System.
- The Treasury Board of Canada Secretariat provides the OAG with information to validate calculations for various accruals and allowances, such as the accrued severance liability.
1.4 Material changes in 2012–13
Changes in operations
In 2012–13, there have been no significant changes to the OAG’s authorities and no changes in its operations that would have an impact on the financial statements, which continue to be prepared in accordance with Canadian Public Sector Accounting Standards.
Changes in key personnel
There was no change in key personnel during the fiscal year. The Commissioner of the Environment and Sustainable Development announced his resignation in January 2013 and left in April 2013.
Changes to the terms and conditions of employment
As part of collective agreement negotiations with employee groups and changes to conditions of employment for executives and non-represented employees, the accumulation of severance benefits under the employee severance program has now ceased for all employees. Employees have been given the option to be immediately paid the full or partial value of benefits earned or collect the full or remaining value of benefits on termination from the Office. These changes have been reflected in the calculation of the outstanding severance benefit obligation included in the financial statements.
2 The Control Environment Relevant to ICFR
The OAG recognizes the importance of setting the tone, starting with senior management, to help ensure that staff at all levels understand their role in maintaining effective systems of ICFR and are well equipped to exercise their responsibilities effectively. The Executive Committee provides overall direction and oversight for the OAG. It is supported by the Finance and Corporate Services committees, which conduct due diligence and provide advice on the development and implementation of OAG policies and controls, as well as other matters. An independent audit committee oversees key aspects of values and ethics, risk management, internal controls, external audit of our financial statements, quality management, practice review and internal audit function, and accountability reporting.
The OAG’s organizational structure is clearly defined, and the lines of authority and responsibility are well established. Staff members are qualified and trained, and formal job descriptions are in place. An OAG code of values, ethics, and professional conduct sets out (in detail) the values and the ethical, professional, and other standards that guide staff in their work.
An integrated risk management framework is in place based on the enterprise risk management model of the Committee of Sponsoring Organizations of the Treadway Commission. The framework is monitored and updated regularly.
The OAG’s Practice Review and Internal Audit function, which reports directly to the Auditor General, prepares an annual internal audit plan. The plan is based on a systematic assessment of business risk, which is developed using the risk management framework and other inputs. Internal audits assess significant administrative systems on a rotational basis. Annual practice reviews of all three major product lines assess the implementation of our quality management system for audit operations and make recommendations to improve the system’s design and function.
2.1 Key positions, roles, and responsibilities
The following are the key positions and committees with responsibilities for maintaining and reviewing the effectiveness of the OAG’s system of ICFR:
Auditor General (AG). As the OAG’s Accounting Officer, the AG assumes overall responsibility and leadership for the measures taken to maintain an effective system of internal control. The AG chairs the Executive Committee.
Chief Financial Officer (CFO). The CFO reports directly to the Auditor General and provides leadership for the coordination, coherence, and focus on the design and maintenance of an effective and integrated system of ICFR, including its annual assessment.
Chief Information Officer (CIO). The CIO is responsible for leading our Information Technology and Security, and Knowledge Management groups, as well as special IT projects.
OAG senior managers. Senior managers are responsible for maintaining and reviewing the effectiveness of their system of ICFR that falls within their mandate.
Chief Audit Executive (CAE). The CAE reports directly to the Auditor General and provides assurance through periodic practice reviews and internal audits, which are instrumental to the maintenance of an effective system of ICFR.
OAG Audit Committee. The Audit Committee is an independent advisory committee that provides the Auditor General with objective views on the OAG risk management, control, and governance frameworks. The Audit Committee also recommends for approval the annual Report on Plans and Priorities and Departmental Performance Report (including audited financial statements) to the Executive Committee. The Auditor General is a member of the Audit Committee.
Executive Committee. The Executive Committee is the central decision-making body; it approves and monitors the OAG Risk Management Framework and the system of internal control, including the assessment and action plans related to ICFR. The committee, which includes the Auditor General, Commissioner of the Environment and Sustainable Development, assistant auditors general, Senior Principal responsible for Communications, and Senior Legal Counsel, sets policy and provides overall professional administrative direction for the OAG.
2.2 Key measures taken
The OAG’s control environment equips its staff to manage risks well by raising awareness, providing appropriate knowledge and tools, and developing skills. Key control measures include the following:
- All OAG staff formally acknowledge compliance with the OAG code of values, ethics, and professional conduct annually; they are required to disclose any potential conflict of interest or holdings of certain assets, liabilities, or other interests.
- Staff in key financial management positions hold accounting designations.
- All OAG policies and procedures are available to staff on the OAG’s INTRAnet site, and references are provided to Treasury Board policies. Awareness programs include group awareness sessions, bulletins, emails, orientation sessions for new employees, and reminders on the INTRAnet homepage.
- The detailed financial signing authority, which is updated regularly, is available on the INTRAnet.
- Main business processes and related key control points are documented to support the management and oversight of ICFR.
- Secure financial processing systems, with access limited to appropriate staff, are in place to ensure the integrity of financial data and processing of transactions.
3 Assessment of the OAG’s System of ICFR
3.1 Assessment baseline
The OAG maintains an effective system of ICFR, with the objectives to provide reasonable assurance that
- transactions are appropriately authorized;
- financial records are properly maintained;
- assets are safeguarded from risks such as waste, abuse, loss, fraud, and mismanagement; and
- applicable laws, regulations, and policies are complied with.
The external auditors conduct an annual controls-based audit and are actively engaged (at least twice per year) through their attendance at audit committee meetings. As part of the requirements of the Treasury Board’s Policy on Internal Control, the OAG is to annually assess both the design and operating effectiveness of key controls over financial reporting in support of continuous improvement.
Design effectiveness is the assurance that key control points are in place and that they are identified, documented, and aligned with the risks (that is, controls are balanced with and proportionate to the risks they aim to mitigate). This includes the mapping of key processes to the main accounts.
Operating effectiveness means that key controls have been tested over a defined period and that any remediation is addressed. Such testing covers all OAG control levels that include entity, general computer, and business process controls.
Ongoing monitoring means that a system is in place to ensure that risks are mitigated continuously within the main business processes and corrective actions are taken in a timely manner when required.
3.2 Assessment method
The OAG has taken measures to assess its system of ICFR starting from its financial statements, with a focus on the following main processes:
- Payroll (National Capital Region)
- Operating Expenditures
- Contracting and procurement (professional services, goods, and other services) (National Capital Region and four regional offices)
- Travel (National Capital Region and four regional offices)
- Capital assets (National Capital Region)
- Revenues (National Capital Region)
- Year-end reporting (National Capital Region)
The OAG conducted its second annual assessment of the effectiveness of internal controls over financial reporting last year. This involved an assessment of the design and operating effectiveness of the controls through testing samples of transactions in each of the main process areas. The results of the assessment were reported in the Annex to the 2011–12 Statement of Management Responsibility, Including Internal Control over Financial Reporting, which included an action plan outlining the work to be done in 2012–13 as follows:
- Streamline the testing of identified key controls.
- Reconfirm design effectiveness of all identified key controls in the main business processes.
- Reconfirm the general IT controls for the OAG’s financial system. Limited testing will be performed, unless significant changes to systems have occurred.
- Update the OAG Security and Information Technology policies.
- Establish the rotational assessment of operating effectiveness of the OAG’s internal controls over financial reporting for the payroll business process.
For 2012–13, in addition to addressing the above-noted action plan items (see Section 5.1), and in order to conclude on the effectiveness of internal controls for this reporting year, the OAG reconfirmed the design effectiveness of controls and tested operating effectiveness on a sample of transactions.
4 Assessment Results
In the 2012–13 fiscal year, the OAG’s assessment of internal controls was in large part a continuation of the first two assessments, supplemented with additional in-depth reviews of the payroll business process.
4.1 Design effectiveness
When assessing key controls, the OAG reviews whether processes continue to follow the documented procedures. If changes are identified, process descriptions are updated and controls are re-examined to ensure that they continue to be designed in a way that mitigates any associated risks. Our control evaluations performed in the 2012–13 fiscal year confirmed that the identified key controls have not changed significantly and are still appropriately aligned with the risks they aim to mitigate.
4.2 Operating effectiveness
As was the case for the previous assessments, the OAG put together a review team that drew upon the experience of staff who work in audit operations. The team established a work plan, selected sample transactions (following audit methodology used by the OAG), and tested the transactions to ensure that the controls work effectively. The team also reviewed the sample transactions to ensure coverage of key components of the business processes over the entire fiscal year. The sample transactions covered subcategories of transactions within each cycle and also included a review of ongoing management and monitoring controls applicable to all cycles. The following summarizes what was done for each of the main business processes:
- Salaries are paid by PWGSC. Testing payroll involved reviewing the various pay actions initiated by compensation staff, including those related to new hires, terminations, promotions, and transfers. Detailed reviews of files were performed to ensure appropriate documentation of controls.
- Within operating expenditures, transactions reviewed included travel, hospitality, contracting, and purchase of supplies. The focus of this testing was to ensure that proper approvals for the expenditures were done and documentation supporting the transactions was on file.
- The revenue cycle consists of external revenues from the OAG’s international audit engagements and other sources. The testing involved ensuring that billing was in line with established agreements.
- For the year-end reporting, a review of year-end procedures was done, covering the working papers, reviews, and sign-offs used in preparing the audited financial statements and public accounts submissions.
- In response to last year’s action plan, a review of key access and security controls and of the financial system was done.
4.3 Conclusion
The internal control system over financial reporting is well designed and functioning effectively. While no significant weaknesses were found, areas of improvement were identified for which follow-up actions have either been completed or are under way.
5 The Action Plan
5.1 Progress made during the fiscal year ending 31 March 2013
In addition to assessing design and operating effectiveness of key controls in the main business processes, the Office addressed the action plan items identified in 2011–12 as follows:
- As part of the rotational assessment of the different business cycles, the focus for the fiscal year ending 31 March 2013 was on the controls surrounding the payroll function. In effect, key controls along with the segregation of duties were tested and found to be working as intended. The Compensation and Benefits team is efficiently using payroll controls for all pay actions. The segregation of duties was observed. There have been significant improvements to payment approvals for pay transactions as well as to severance pay payout.
- Transactions were examined for travel, hospitality, professional services, capital asset purchases, revenues, and transactions with other government departments. The controls are working as intended; however, some improvements are to be made in the process of approving invoices.
- An evaluation of information technology and financial systems controls was performed. It confirmed that the controls in place are improved compared to last year. The following areas for improvement have been identified:
  - The GX audit log on unsuccessful attempts was not reviewed in the past. This practice is now in place.
  - The Business Continuity Plan is not kept up to date. It should be tested and updated annually.
  - Authorities for committing funds, approving payments, and approving invoices in GX Financials are maintained by the Financial Systems team. Dates of access are granted and removed manually, which can affect the accuracy of the information and may not leave an audit trail; a recommendation was made to improve this process.
5.2 Action plan for future years
Over the last few years, the OAG has taken several important steps to ensure that an effective system of internal control over financial reporting is in place. That being said, ongoing efforts to maintain strong controls over the long term are necessary to build on the work already done. The following describes the actions that the OAG plans to take over the next two years:
2013–14
- Follow up on areas of improvement identified in 2012–13.
- Reconfirm design effectiveness of all identified key controls in the main business process.
- Reconfirm the general IT controls for the Office’s financial system. Limited testing will be performed, unless significant changes to systems have occurred.
- Update and test the OAG Business Continuity Plan.
- Carry out the rotational testing of the operating effectiveness of internal controls over financial reporting for operating expenditures.
2014–15
- Follow up on areas of improvement identified in 2013–14.
- Reconfirm design effectiveness of all identified key controls in the main business process.
- Carry out the rotational testing of the operating effectiveness of internal controls over financial reporting for revenues.