2014–15 Annex to the Statement of Management Responsibility, Including Internal Control over Financial Reporting
2014–15 Annex to the Statement of Management Responsibility, Including Internal Control over Financial Reporting
1 Introduction
This document provides summary information on the measures taken by the Office of the Auditor General of Canada (the Office) to maintain an effective system of internal control over financial reporting (ICFR), including information on internal control management, assessment results, and related action plans.
Detailed information on the Office’s authority, mandate, and program activities can be found in the 2014–15 Departmental Performance Report and the 2015–16 Report on Plans and Priorities.
2 Departmental system of internal control over financial reporting
2.1 Internal control management
The Office has a well-established governance and accountability structure to support departmental assessment efforts and oversight of its system of internal control. A departmental internal control management framework is in place and includes
- organizational accountability structures as they relate to internal control management to support sound financial management, including roles and responsibilities of senior managers in their control management areas;
- values and ethics that guide and support employees in their professional activities;
- ongoing communication and training on statutory requirements, and policies and procedures for sound financial management and control; and
- regular monitoring and updates on internal control management, as well as the provision of related assessment results and action plans to the Auditor General, departmental senior management, and, as applicable, the Departmental Audit Committee.
The Office’s Audit Committee meets quarterly and provides advice to the Auditor General on the adequacy and functioning of the Office’s risk management, control, and governance frameworks and processes.
2.2 Service arrangements relevant to financial statements
The Office relies on Public Works and Government Services Canada to process certain transactions that are recorded in its financial statements, as it centrally administers the payment of salaries and invoices, and provides accommodation services.
3 Departmental assessment results during the 2014–15 fiscal year
3.1 Previous year’s areas for improvement
As part of our 2014–15 assessment, we followed up on areas for improvement identified in the 2013–14 assessment. We found that remedial actions were taken in 2014–15 on all items, with the exception of the Business Continuity and Disaster Recovery Plans, which still needed to be tested as at March 31, 2015. We will examine the testing performed on these two plans during our 2015–16 ICFR assessment.
3.2 Assessment results
The work performed, key findings, and areas for improvement identified as part of the current year’s assessment of ICFR are as follows:
New or significantly amended key controls. In the current year, there were no new or significantly amended key controls in existing processes requiring reassessment.
Ongoing monitoring program. The Office conducted its ongoing monitoring according to the previous fiscal year’s rotational plan. As part of this work, the Office focused on the assessment of entity level controls, IT general controls, and financial processing controls within the business processes of revenues and year-end reporting.
Areas for improvement
- Revenues. Secondment agreements were not always approved as per the Human Resources delegation of authorities. The delegation of authorities does not currently reflect changes in business practices. It is being updated.
- IT general controls. As a result of a detailed review, a number of areas for improvement were identified related to the financial and human resources systems (GX Financials and MIS2000). These were in the domains of access provisioning (e.g., granting and removing access to users, password parameters, audit logging and monitoring) and management of system changes (e.g., maintenance activities, authorization and documentation of changes). Remedial actions have begun and are expected to be completed by fall 2016.
Despite the areas for improvement identified in the current year, the ICFR system is well designed and functioning effectively.
4 Action plan for the next fiscal year and subsequent years
The Office’s rotational ongoing monitoring plan over the next three years is shown in the following table. This plan will be revisited annually based on validation of the high-risk processes and controls.
| Key control areas | 2015–16 | 2016–17 | 2017–18 |
|---|---|---|---|
| Entity level controls |  |
|
|
| IT general controls | |
|
|
| Payroll | |
||
| Operating expenses | |
||
| Revenues | |
||
| Year-end reporting | |