Report on the Audit of the Monitoring of the System of Internal Control Over Financial Reporting
1. Executive Summary
The Treasury Board Policy on Internal Control (PIC) states that Parliament and Canadians expect the federal government to be well managed with the prudent stewardship of public funds, the safeguarding of public assets, and the effective, efficient and economical use of public resources. It further states that Parliament and Canadians expect reliable reporting that provides transparency and accountability for how government spends public funds to achieve results for Canadians.
The PIC, which came into effect on April 1, 2009, requires that Deputy Ministers and Chief Financial Officers sign an annual Statement of Management Responsibility Including Internal Control Over Financial Reporting (Statement). This Statement prefaces a department’s annual financial statements and acknowledges management’s responsibility for maintaining an effective system of internal control over financial reporting (ICFR). In support of the Statement, the PIC requires that departments conduct an annual risk-based assessment of the system of ICFR to determine its ongoing effectiveness. The results of this assessment are reported in a separate annex to the financial statements.
Departments move through three stages of a maturity model to achieve compliance with the PIC: the design effectiveness stage, the operating effectiveness stage, and the ongoing monitoring stage. The Department of Justice Canada (the Department) is in the ongoing monitoring stage.
Monitoring the ongoing effectiveness of the system of ICFR is essential in ensuring that control weaknesses that might potentially impact the reliability of financial information are identified and corrected.
The Financial Policy and Controls Division (FPCD) within the Finance and Planning Branch (FPB) is responsible for planning and conducting the annual risk-based assessment of the system of ICFR and preparing the annex to the annual financial statements.
Justice Canada was among the first departments to enter the ongoing monitoring stage, achieving this milestone on April 1, 2009. This remains a notable accomplishment, as the 2014-15 Management Accountability Framework assessment reported that only 15 of 34 departments have attained this stage.
Other strengths include: an appropriate and effective governance and oversight framework to support the monitoring of the system of ICFR; the use of multi-year plans and annual results reports; and an effective approach to remediating identified control weaknesses and following up on management action plans.
Areas for Improvement
Opportunities for improvement were noted in the identification of key controls related to financial reporting, and in the risk-based planning and conducting of the annual assessment of the system of ICFR. A more rigorous and better-documented approach to this work will help ensure it is repeatable and that the appropriate key controls are tested to achieve PIC objectives.
Audit Conclusion and Opinion
In my opinion, there is room for improvement in the management control framework to monitor the system of ICFR.
Effective governance and oversight are in place, but reporting to oversight bodies should be improved to provide a greater level of detail in the testing that is conducted and to better support their decision making. Greater rigour is required in identifying key PLCs, ELC, and ITGCs, and in documenting the risk-based selection of key controls for OE testing each year. Annual OE testing should also be improved to ensure it is sufficient to determine the ongoing effectiveness of the system of ICFR.
Finally, although largely informal, existing processes for reporting and addressing identified control weaknesses appear generally effective and appropriate.
Management Response
Management is in agreement with the audit findings, has accepted the recommendations included in this report, and has developed a management action plan to address them. The management action plan has been integrated in this report.
2. Statement of Conformance
In my professional judgment as Chief Audit Executive, the audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the Quality Assurance and Improvement Program.
Original signed by Inanc Yazar
October 7, 2015
Inanc Yazar, CPA CGA, CIA, CRMA
Chief Audit Executive
Department of Justice Canada
The Chief Audit Executive would like to thank the audit team and those individuals who contributed to this engagement, particularly employees from the Financial Policy and Control Division who provided insights and comments as part of this audit.