Report on the Audit of the Monitoring of the System of Internal Control Over Financial Reporting
Treasury Board Policy
The Treasury Board Policy on Internal Control (PIC) states that Parliament and Canadians expect the federal government to be well managed with the prudent stewardship of public funds, the safeguarding of public assets, and the effective, efficient and economical use of public resources. It further states that Parliament and Canadians expect reliable reporting that provides transparency and accountability for how government spends public funds to achieve results for Canadians.
The PIC came into effect on April 1, 2009, and requires that Deputy Ministers and Chief Financial Officers sign an annual Statement of Management Responsibility Including Internal Control Over Financial Reporting (Statement). The Statement prefaces a department’s annual financial statements and acknowledges management’s responsibility for maintaining an effective system of internal control over financial reporting (ICFR). In support of the Statement, the PIC requires that departments conduct an annual risk-based assessment of the system of ICFR to determine its ongoing effectiveness. The results of this assessment are then reported in a separate annex to the financial statements.
Departments move through three stages of a maturity model to achieve compliance with the PIC; the design effectiveness stage, the operating effectiveness stage, and the ongoing monitoring stage. The design effectiveness stage requires that departments identify and document their key controls over financial reporting, and assess whether they are aligned with the risks they aim to mitigate. In the operating effectiveness stage, departments assess the extent to which key controls over financial reporting are operating as intended over a specified period of time, such as a year or six months. Once this first full assessment of ICFR is complete and any identified weaknesses have been remediated, departments move to the ongoing monitoring stage. In this stage, departments conduct periodic, risk-based retesting of key control effectiveness to determine the ongoing effectiveness of the system of ICFR.
While a department may be operating in the ongoing monitoring stage, process and environmental changes may occur and new risks may emerge. To the extent that new risks and key controls to mitigate these new risks are identified, the design and operating effectiveness of these key controls must be assessed as part of the ongoing monitoring stage.
Internal Controls over Financial Reporting
Internal controls over financial reporting are the procedures and activities put in place by a department to provide reasonable assurance that:
- records which fairly reflect all financial transactions are maintained;
- recording of financial transactions permits the preparation of internal and external financial information, reports, and statements in accordance with policies, directives and standards; and
- revenues received and expenditures made are in accordance with delegated authorities and unauthorized transactions that could have a material effect on financial information and financial statements are prevented or detected in a timely manner. This includes providing reasonable assurance that financial resources are safeguarded against material loss due to waste, abuse, mismanagement, errors, fraud, omissions and other irregularities.
As illustrated below, a department’s system of ICFR is a subset of its system of Internal Controls over Financial Management, which is in turn a subset of its overall system of Internal Controls.
Department’s system of ICFR
A department’s system of ICFR is a subset of its system of Internal Control over Financial Management which in turn is a subset of the overall system of Internal Controls.
The Deputy Minister as accounting officer has oversight of the system of Internal Control across the Department.
The CFO has oversight of the system of Internal Control over Financial Management (ICFM) including the system of Internal Control over Financial Reporting (ICFR)
Senior Departmental Managers have oversight over the systems of internal controls for both financial management and financial reporting in their respective areas of responsibility
Controls can be categorized into one of three levels: entity level controls (ELCs); information technology general controls (ITGCs); and business process level controls (PLCs).
- ELCs are high-level controls that concern the overall operating environment of the department and include tone at the top, ethics, risk management, communications, and human resources.
- ITGCs are controls that impact the overall department-wide IT environment, such as access to computer programs and data, program changes, program development and computer operations.
- PLCs are those controls embedded in specific business processes used for the processing of specific financial transactions (e.g. account verification, accounts payable, accounts receivable). The effectiveness of these controls is directly and indirectly influenced by the effectiveness of the ELCs.
All three levels of control operate together in an integrated manner to collectively reduce, to an acceptable level, the risk of not achieving an objective.
Monitoring of the System of ICFR at Justice Canada
The Financial Policy and Controls Division (FPCD) within the Finance and Planning Branch (FPB) supports the Department’s Assistant Deputy Minister, Management Sector and Chief Financial Officer (ADM/CFO) and the Deputy Chief Financial Officer (DCFO) in discharging their responsibilities for the system of ICFR, including ensuring departmental compliance with the PIC. Reporting directly to the DCFO, FPCD plans and conducts the annual risk-based assessment of the system of ICFR and prepares the annex to the annual financial statements.
The Department completed its initial design effectiveness (DE) and operating effectiveness (OE) testing in 2008-09, through an audit readiness project and an Auditor General pilot audit of the 2007-08 financial statements. The Auditor General subsequently issued an unqualified opinion on the 2008-09 financial statements, noting that Justice Canada was the first department to undergo an external audit of their financial statements and congratulating management on its commitment to the initiative. Justice Canada was among the first departments to enter the ongoing monitoring stage, achieving this milestone on April 1, 2009. This remains a notable accomplishment, as only 15 of 34 departments were identified as having attained the ongoing monitoring stage in the 2014-15 Treasury Board Secretariat Management Accountability Framework assessment. In fiscal year 2014-15, the Department completed its first three-year ongoing monitoring program.Monitoring the ongoing effectiveness of the system of ICFR is essential in ensuring that control weaknesses that might potentially impact the reliability of financial information are identified and corrected.
- Date modified: