2015–16 Annex to the Statement of Management Responsibility, Including Internal Control over Financial Reporting
2015–16 Annex to the Statement of Management Responsibility, Including Internal Control over Financial Reporting
1 Introduction
This document provides summary information on the measures taken by the Office of the Auditor General of Canada to maintain an effective system of internal control over financial reporting (ICFR), including information on internal control management, assessment results, and related action plans.
Detailed information on the Office’s authority, mandate, and program activities can be found in the 2015–16 Departmental Performance Report and the 2016–17 Report on Plans and Priorities.
2 Departmental system of internal control over financial reporting
2.1 Internal control management
The Office has a well-established governance and accountability structure to support departmental assessment efforts and oversight of its system of internal control. A departmental framework for internal control management is in place and includes
- organizational accountability structures as they relate to internal control management to support sound financial management, including roles and responsibilities of senior managers in their control management areas;
- values and ethics that guide and support employees in their professional activities;
- ongoing communication and training on statutory requirements, and policies and procedures for sound financial management and control; and
- regular monitoring and updates on internal control management, as well as the provision of related assessment results and action plans to the Auditor General, departmental senior management, and, as applicable, the departmental audit committee.
The Office’s Audit Committee meets quarterly and provides advice to the Auditor General on the adequacy and functioning of the Office’s risk management, control, and governance frameworks and processes.
2.2 Service arrangements relevant to financial statements
To process certain transactions recorded in our financial statements, the Office relies on Public Services and Procurement Canada, which centrally administers the payment of salaries and invoices, and provides accommodation services.
3 Departmental assessment results during the 2015–16 fiscal year
3.1 Previous fiscal year’s areas for improvement
As part of our 2015–16 assessment, we followed up on areas for improvement identified in the 2014–15 assessment. We found that remedial actions were taken on many areas for improvement identified in the 2014–15 fiscal year. Additional work is under way to address outstanding observations mainly related to information technology (IT) general controls.
3.2 Assessment results
The work performed, key findings, and areas for improvement identified as part of the 2015–16 assessment of ICFR are as follows:
New or significantly amended key controls. In the 2015–16 fiscal year, there were no new or significantly amended key controls in existing processes requiring reassessment.
Ongoing monitoring program. The Office conducted ongoing monitoring according to the previous fiscal year’s rotational plan. As part of this work, the Office evaluated entity level controls and IT general controls. We tested the operating effectiveness of payroll processing controls and the design and implementation of controls for other business processes.
Areas for improvement
- Processing controls. Some improvements are being made to address the observations noted in our evaluation of processing controls relating to payroll, operating expenses, and year-end reporting. The observations related to documenting the commitment of funds for staffing actions and the payroll payment verifications, to segregating journal entry duties in GX Financials, and to the timeliness of the vendor master file reviews.
- IT general controls. As a result of a detailed review, many areas for improvement were identified related to two applications that support the financial system. All observations were related to access provisioning (for example, audit logging and monitoring, use of generic accounts, and password parameters). Remedial actions have begun, and management will evaluate and develop a plan in the fall of 2016 to determine how best to address the recommendations, as many are similar to those raised last year.
Despite the areas for improvement identified in the 2015–16 fiscal year, the Office did maintain an effective system of ICFR, as effective mitigating controls are in place to reduce the risk of material misstatement in financial reporting to an appropriately low level.
4 Action plan for the next three fiscal years
The following table shows the Office’s rotational ongoing monitoring plan over the next three fiscal years. This plan will be revisited annually based on the validation of high-risk processes and controls.
| Key control areas | 2016–17 | 2017–18 | 2018–19 |
|---|---|---|---|
| Entity level controls |  |
|
|
| IT general controls | |
|
|
| Payroll | |
|
|
| Operating expenses | |
||
| Revenues | |
||
| Year-end reporting | |