2013–14 Annex to the Statement of Management Responsibility, Including Internal Control over Financial Reporting
Note to the reader
The Treasury Board Policy on Internal Control requires that organizations demonstrate the measures they are taking to maintain an effective system of internal control over financial reporting (ICFR).
As part of this policy, organizations are expected to conduct annual assessments of their system of ICFR, establish action plans to address any necessary adjustments, and attach a summary of their assessment results and action plan to their Statement of Management Responsibility.
Effective systems of ICFR aim to produce reliable financial statements and to provide assurance that:
- transactions are appropriately authorized;
- financial records are properly maintained;
- assets are safeguarded from risks such as waste, abuse, loss, fraud, and mismanagement; and
- applicable laws, regulations, and policies are complied with.
The system of ICFR is not designed to eliminate risks, but rather to mitigate risks to a reasonable level, with controls that are balanced with and proportionate to the risks they aim to mitigate.
The maintenance of an effective system of ICFR is an ongoing process designed to identify and prioritize risks and the controls to mitigate these risks, as well as to monitor the system’s performance in support of continuous improvement. As a result, the scope, pace, and status of organizations’ assessments of the effectiveness of their systems of ICFR vary from one organization to another, based on risks and each organization’s unique circumstances.
1 Introduction
This document is attached to the Office of the Auditor General’s (OAG) Statement of Management Responsibility, including Internal Control over Financial Reporting, for the 2013–14 fiscal year. As required by the Treasury Board Policy on Internal Control, this document provides summary information on the measures taken by the OAG to maintain an effective system of internal control over financial reporting (ICFR). In particular, it provides summary information on the OAG’s assessment as of 31 March 2014, including progress, results, and related action plans along with some financial highlights pertinent to understanding the control environment unique to the OAG.
1.1 Authority, mandate, and program activities
Detailed information on the OAG’s authority, mandate, and program activities can be found in its Departmental Performance Report and Report on Plans and Priorities.
1.2 Financial highlights
The OAG’s annual audited financial statements for the fiscal year ended 31 March 2014 can be found in its Departmental Performance Report. Financial information can also be found in the Public Accounts of Canada.
- The OAG is financially dependent on Parliament for its funding, and some services are provided without charge by Public Works and Government Services Canada (PWGSC). The appropriations provided by Parliament ($84.2 million) fund 87 percent of the total cost of operations.
- Approximately 14 percent of total costs of operations are services provided without charge by PWGSC, made up of accommodations ($8.2 million) and the employee insurance plans ($5.1 million).
- Salaries and employee benefits, excluding employee insurance plan costs ($70.5 million), account for 73 percent of the OAG’s total cost of operations.
- The remaining expenses (13 percent or $13.5 million) are for rentals, professional services, travel, communication and other equipment and supplies.
- Tangible capital assets comprise 89 percent, or $2.5 million, of the total non-financial assets of $2.8 million. Financial assets are composed mostly of an amount due from the Consolidated Revenue Fund of $6.7 million.
- Post-employment benefits and compensated absences ($9.8 million) account for 50 percent of total liabilities.
- Accounts payable and accrued liabilities ($9.9 million) comprise the remaining 50 percent of total liabilities. The accrued liabilities include accruals for salary, overtime and vacation pay.
- The OAG has information systems that are critical to its operations and financial reporting, such as its financial system, GX Financials.
1.3 Service arrangements relevant to financial statements
The OAG relies on other organizations for processing certain transactions recorded in its financial statements:
- PWGSC centrally administers the payment of salaries as well as the payment of invoices to suppliers through the Standard Payment System. PWGSC also provides the OAG with information on accommodation provided without charges.
- The Treasury Board of Canada Secretariat provides the OAG with information to validate calculations for various accruals, allowances and expenditures, such as the accrued severance liability and services provided without charges.
1.4 Material changes in the fiscal year 2013–14
Changes in operations
In the fiscal year 2013–14, there have been no significant changes to the OAG’s authorities and no changes in its operations that would have an impact on the financial statements, which continue to be prepared in accordance with Canadian Public Sector Accounting Standards.
Changes in key personnel
The Auditor General, Michael Ferguson, made the following appointments:
- A new Commissioner of the Environment and Sustainable Development was appointed on 5 February 2014 and assumed the position on 24 March 2014.
- A new Chief Financial Officer (CFO) was appointed and assumed the position on 1 April 2014.
There were no other changes in key personnel during the fiscal year.
Changes to the terms and conditions of employment
There were no changes to the terms and conditions of employment.
2 The Control Environment Relevant to ICFR
The OAG recognizes the importance of setting the tone, starting with senior management, to help ensure that staff at all levels understand their role in maintaining effective systems of ICFR and are well equipped to exercise their responsibilities effectively. The Executive Committee provides overall direction and oversight for the OAG. It is supported by the Finance and Corporate Services committees, which conduct due diligence and provide advice on the development and implementation of OAG policies and controls, as well as other matters. An independent audit committee oversees key aspects of values and ethics, risk management, internal controls, external audit of our financial statements, quality management, practice review and internal audit function, and accountability reporting.
The OAG’s organizational structure is clearly defined, and the lines of authority and responsibility are well established. Staff members are qualified and trained, and formal job descriptions are in place. An OAG code of values, ethics, and professional conduct sets out (in detail) the values and the ethical, professional, and other standards that guide staff in their work.
An integrated risk management framework is in place based on the enterprise risk management model of the Committee of Sponsoring Organizations of the Treadway Commission. The framework is monitored and updated regularly.
The OAG’s Practice Review and Internal Audit function, which reports directly to the Auditor General, prepares an annual internal audit plan. The plan is based on a systematic assessment of business risk, which is developed using the risk management framework and other inputs. Internal audits assess significant administrative systems on a rotational basis. Practice reviews of audit practitioners assess the implementation of our System of Quality Control and make recommendations to improve the conduct of our audits. They may also make observations to improve the system’s design.
2.1 Key positions, roles, and responsibilities
The following are the key positions and committees with responsibilities for maintaining and reviewing the effectiveness of the OAG’s system of ICFR:
Auditor General (AG). As the OAG’s Accounting Officer, the AG assumes overall responsibility and leadership for the measures taken to maintain an effective system of internal control. The AG chairs the Executive Committee.
Chief Financial Officer (CFO). The CFO reports directly to the Auditor General and provides leadership for the coordination, coherence, and focus on the design and maintenance of an effective and integrated system of ICFR, including its annual assessment.
Chief Information Officer (CIO). The CIO is responsible for leading our Information Technology and Security, and Knowledge Management groups, as well as special IT projects.
Senior Managers. Senior managers are responsible for maintaining and reviewing the effectiveness of their system of ICFR that falls within their mandate.
Chief Audit Executive (CAE). The CAE reports directly to the Auditor General and provides assurance through periodic practice reviews and internal audits, which are instrumental to the maintenance of an effective system of ICFR.
OAG Audit Committee. The Audit Committee is an independent advisory committee that provides the Auditor General with objective views on the OAG risk management, control, and governance frameworks. The Audit Committee also recommends for approval the annual Report on Plans and Priorities and the Departmental Performance Report (including audited financial statements) to the Executive Committee. The Auditor General is a member of the Audit Committee.
Executive Committee. The Executive Committee is the central decision-making body; it approves and monitors the OAG Risk Management Framework and the system of internal control, including the assessment and action plans related to ICFR. The committee, which includes the Auditor General, the Commissioner of the Environment and Sustainable Development, assistant auditors general, the Senior Principal responsible for Communications, and the Senior Legal Counsel, sets policy and provides overall professional administrative direction for the OAG.
2.2 Key measures taken
The OAG’s control environment equips its staff to manage risks well by raising awareness, providing appropriate knowledge and tools, and developing skills. Key control measures include the following:
- All OAG staff formally acknowledge compliance with the OAG code of values, ethics, and professional conduct annually; they are required to disclose any potential conflict of interest or holdings of certain assets, liabilities, or other interests.
- Staff in key financial management positions hold accounting designations.
- All OAG policies and procedures are available to staff on the OAG’s INTRAnet site, and references are provided to Treasury Board policies. Awareness programs include group awareness sessions, bulletins, emails, orientation sessions for new employees, and reminders on the INTRAnet homepage.
- The detailed financial signing authority, which is updated regularly, is available on the INTRAnet.
- Main business processes and related key control points are documented to support the management and oversight of ICFR.
- Secure financial processing systems, with access limited to appropriate staff, are in place to ensure the integrity of financial data and processing of transactions.
3 Assessment of the OAG’s System of ICFR
3.1 Assessment baseline
The external auditors conduct an annual controls-based audit and are actively engaged (at least twice per year) through their attendance at audit committee meetings. As part of the requirements of the Treasury Board’s Policy on Internal Control, the OAG is to annually assess both the design and operating effectiveness of key controls over financial reporting in support of continuous improvement.
Design effectiveness is the assurance that key control points are in place and that they are identified, documented, and aligned with the risks (that is, controls are balanced with and proportionate to the risks they aim to mitigate). This includes the mapping of key processes to the main accounts.
Operating effectiveness means that key controls have been tested over a defined period and that any remediation is addressed. Such testing covers all OAG control levels that include entity, general computer, and business process controls.
Ongoing monitoring means that a system is in place to ensure that risks are mitigated continuously within the main business processes and corrective actions are taken in a timely manner when required.
3.2 Assessment method
This is the fourth annual assessment of the effectiveness of internal controls over financial reporting (ICFR). The review involves testing samples of transactions in each of the main process areas to assess the design and operating effectiveness of the controls. The focus is on the following main processes:
- Payroll (National Capital Region)
- Operating expenditures
- Contracting and procurement (professional services, goods, and other services) (National Capital Region and four regional offices)
- Travel (National Capital Region and four regional offices)
- Tangible capital assets (National Capital Region)
- Revenues (National Capital Region)
- Year-end reporting (National Capital Region)
As part of the ongoing annual testing, the team reviews the key IT General Controls, specifically the access and security controls for each of the main processes in the OAG financial system. This ensures that access is only provided to the appropriate staff and that the processes are monitored in a timely manner.
This year, we documented the Budget Review and Cost Monitoring process to ensure the reasonableness of costing OAG products and the related accuracy of time reporting. Next year, we will begin to review this process on a rotational basis.
Each year, the results of the assessment are reported in the Annex to the Statement of Management Responsibility, Including Internal Control over Financial Reporting, and include an action plan outlining the work to be done in the following year. In the fiscal year 2013–14, the work to be done is as follows:
- Follow up on areas for improvement identified in the fiscal year 2012–13.
- Reconfirm design effectiveness for all identified key controls in the main business processes.
- Reconfirm the general IT controls for the Office’s financial system. Limited testing will be performed, unless significant changes to systems have occurred.
- Update and test the OAG Business Continuity Plan.
- Carry out the rotational testing of the operating effectiveness of ICFR for Operating expenditures.
4 Assessment Results
In the 2013–14 fiscal year, the OAG’s assessment of internal controls was in large part a continuation of the first three assessments, supplemented with additional in-depth reviews of the Operating expenditures business process.
4.1 Design effectiveness
When assessing key controls, the OAG reviews whether processes continue to follow the documented procedures. If changes are identified, process descriptions are updated and controls are re-examined to ensure that they continue to be designed in a way that mitigates any associated risks. Our control evaluations performed in the 2013–14 fiscal year confirmed that the identified key controls have not changed significantly and are still appropriately aligned with the risks they aim to mitigate.
4.2 Operating effectiveness
As was the case for the previous assessments, the OAG put together a review team that drew upon the experience of staff who work in audit operations. The team established a work plan, selected sample transactions (following audit methodology used by the OAG), and tested the transactions to ensure that the controls work effectively. The team also reviewed the sample transactions to ensure coverage of key components of the business processes over the entire fiscal year. The sample transactions covered sub-categories of transactions within each cycle and also included a review of ongoing management and monitoring controls applicable to all cycles. The following summarizes what was done for each of the main business processes:
- Salaries are paid by PWGSC. Testing payroll involved reviewing the various pay actions initiated by compensation staff, including those related to new hires, terminations, promotions, and transfers. Detailed reviews of files were performed to ensure appropriate documentation of controls.
- Within operating expenditures, transactions reviewed included travel, hospitality, contracting, and purchase of supplies and services as well as transactions with other government departments. The focus of this testing was to ensure that proper approvals for the expenditures were done and documentation supporting the transactions was on file.
- The revenue cycle consists of external revenues from the OAG’s international audit engagements and other sources. The testing involved ensuring that billing was in line with established agreements.
- For the year-end reporting, a review of year-end procedures was done, covering the working papers, reviews, and sign-offs used in preparing the audited financial statements and public accounts submissions.
4.3 Conclusion
The internal control system over financial reporting is well designed and functioning effectively. While no significant weaknesses were found, areas of improvement were identified for which follow-up actions have either been completed or are under way.
5 The Action Plan
5.1 Progress made during the fiscal year ending 31 March 2014
In addition to assessing design and operating effectiveness of key controls in the main business processes, the Office addressed the action plan items identified in the fiscal year 2012–13 as follows:
- Last year an evaluation of information technology and financial systems controls identified the following areas for improvement:
  - The Business Continuity Plan (BCP) is not kept up to date. It should be tested and updated annually. The BCP has been updated and is expected to be approved by the end of summer 2014. A formal test will be performed during the course of 2014.
  - The Disaster Recovery Plan (DRP) has also been updated and will be tested.
  - Authorities for committing funds, approving payments, and approving invoices in GX Financials are maintained by the Financial Systems team. Dates of access are granted and removed manually, which can affect the accuracy of the information and may not leave an audit trail. This issue is now resolved: the Financial Systems team has implemented a manual documentation process and reviews it at least once per year.
- As part of the rotational assessment of the different business cycles, the focus for the fiscal year ending 31 March 2014 was on the controls surrounding the Operating Expenditures process. Transactions for travel, hospitality, professional services, maintenance, tangible capital asset purchases and transactions with other government departments were examined in more depth.
- Key controls along with the segregation of duties were tested and found to be working as intended. There have been improvements made to some of the documentation related to transaction payments (i.e. improved evidence that work is performed).
5.2 Action plan for future years
Over the last few years, the OAG has taken several important steps to ensure that an effective system of internal control over financial reporting is in place. That being said, ongoing efforts to maintain strong controls over the long term are necessary to build on the work already done. The following describes the actions that the OAG plans to take over the next two years:
2014–15
- Follow up on areas of improvement identified in the fiscal year 2013–14.
- Reconfirm design effectiveness of all identified key controls in the main business process.
- Verify that the OAG Business Continuity Plan and Disaster Recovery Plan have been approved and tested.
- Carry out the rotational testing of the operating effectiveness of internal controls over financial reporting for revenue and year-end reporting.
2015–16
- Follow up on areas of improvement identified in the fiscal year 2014–15.
- Reconfirm design effectiveness of all identified key controls in the main business process.
- Carry out the rotational testing of the operating effectiveness of internal controls over financial reporting for Budget Review and Cost Monitoring process.