This document is an annex to the Department of Justice's Statement of Management Responsibility Including Internal Control Over Financial Reporting which prefaces the financial statements for the fiscal year 2009-10. As required by the new Treasury Board Policy on Internal Control, effective April 1, 2009, this annex provides summary information on the measures taken by the Department of Justice (Department) to maintain an effective system of internal control over financial reporting (ICFR). In particular, it provides summary information on the assessments conducted by the Department as at March 31, 2010, including progress, results and related action plans, along with some financial highlights pertinent to understanding the control environment of the Department.
1.1 Authority, mandate and program activities
Detailed information on the Department of Justice's authority, mandate and program activities can be found in the Departmental Performance Report and in Section I of the Report on Plans and Priorities.
1.2 Financial highlights
Key financial highlights from the 2009-10 financial statements are:
- Total expenses are $1,075M. Salaries comprise the majority at $555M (52%) for over 4,700 employees, followed by transfer payments at $373M (35%).
- Total revenues are $271M, largely from the delivery of legal services ($262M) to federal departments and agencies.
- Amounts due from the Consolidated Revenue Fund to satisfy future cash requirements represent $445M (88%) of total assets ($504M), and tangible capital assets represent $40M (8%).
- Transfer payments payable comprise $400M (68%) of total liabilities ($585M). Accounts payable and accrued liabilities comprise $70M (12%).
- The Family Law account received $168M in garnishments and remitted the same amount to provinces and territories for payment to beneficiaries entitled to family support.
- There is a decentralized finance and accounting function in each of the Department's 6 regional offices that initiate, approve, process and record a significant portion of operating expenses.
- The Department uses the Integrated Financial and Materiel System (IFMS), a SAP-based software, as its primary financial system, as well as several feeder systems that are critical to its operations and financial reporting.
Additional departmental financial information for fiscal year 2009-10 can be found under Section III – Supplementary Information of the Departmental Performance Report and in the Public Accounts of Canada.
1.3 Service arrangements relevant to financial statements
The Department of Justice relies on other organizations for the processing of certain transactions or the provision of information, which impacts its financial statements:
- Public Works and Government Services Canada (PWGSC) centrally administers the payments of salaries and benefits, the procurement of some goods and services, and the provision of accommodations, on behalf of the Department.
- Treasury Board Secretariat (TBS) provides an annual dollar figure for the centrally funded health and dental insurance plans, and provides information used to calculate various accruals and allowances, such as the employee severance benefit.
- Public Prosecution Service of Canada provides certain corporate services for the Department's Northern Region.
Other organizations also rely on the Department of Justice as follows:
- The Department is the common service provider of legal services to federal departments and agencies, and as such, the Department charges these organizations with the cost of providing legal services pursuant to legal services agreements, and provides an annual dollar figure for those legal services it provides without charge.
- The Department provides information on pending litigation cases in order to assist in the reporting of contingencies, to federal departments and agencies.
- The Department provides certain corporate (internal) services to the Public Prosecution Service of Canada.
- The Department assists provinces and territories in the enforcement of family support orders and agreements by providing garnishment assistance through the interception of designated federal moneys payable to individuals owing family financial support.
Further information is available in the financial statements under Note 10 – Family Law account and Note 14 – Related Party Transactions.
1.4 Material changes in fiscal year 2009-10
No significant departmental changes that are relevant to the financial statements occurred during 2009-10 other than the improved governance derived from the introduction of the Chief Financial Officer model and the implementation of the Departmental Audit Committee.
2. Department of Justice's control environment relevant to ICFR
The Department of Justice recognizes the importance of direction from senior management to help ensure that staff at all levels understand their roles in maintaining effective systems of ICFR and are well equipped to exercise these responsibilities effectively. The Department's objective is to continually enhance its internal control environment to ensure risks are managed well through a responsive and risk-based approach that enables continuous improvement and innovation.
2.1 Key positions, roles and responsibilities
Below are the Department of Justice's key positions and committees with responsibilities for maintaining and reviewing the effectiveness of its system of ICFR.
- Deputy Minister
- The Deputy Minister, as Accounting Officer, assumes overall responsibility and leadership for the measures taken to maintain an effective system of internal control. In this role, the Deputy Minister chairs the Departmental Audit Committee and the Senior Management Board.
- Chief Financial Officer (CFO)
- The CFO reports directly to the Deputy Minister and provides leadership for the coordination, coherence and focus on the design and maintenance of an effective and integrated system of ICFR, including its annual assessment.
- Senior Departmental Managers
- Senior Departmental Managers in charge of services and program delivery are responsible for maintaining and reviewing the effectiveness of their system of ICFR falling within their mandate.
- Chief Audit Executive (CAE)
- The CAE reports directly to the Deputy Minister and provides assurance through periodic internal audits which are instrumental to the maintenance of an effective system of ICFR.
- Departmental Audit Committee (DAC)
- The DAC is an advisory committee that provides objective views on the Department's risk management, control and governance frameworks. The DAC was implemented during 2009-10 and was comprised of the Deputy Minister and two external members (a third member was appointed on April 22, 2010).
- Senior Management Board (SMB)
- As the central decision-making body, the SMB reviews, approves and monitors the corporate risk profile and the departmental system of internal control, including the assessment and action plans relating to the system of ICFR.
- Audit and Evaluation Committee
- This internally based advisory committee assists the Deputy Minister to discharge his responsibilities with respect to internal audit and evaluation. During 2009-10, this committee was dissolved and its functions assumed by the SMB and DAC.
2.2 Key measures taken by the Department of Justice
The Department of Justice's control environment includes a series of measures to equip its staff to manage risks well through raising awareness, providing appropriate knowledge and tools, as well as developing skills. Key organization-wide measures include:
- An established governance structure and provision of strategic direction through the Senior Management Board, standing committees to the SMB, governing council of senior managers, and the Departmental Audit Committee;
- The upholding of public service values through the departmental Office for Integrity and Conflict Management in the Workplace, which is responsible for values and ethics, the code of conduct, informal conflict management, and disclosure protection;
- A Strategic Planning, Risks and Scans division that coordinates and supports department-wide planning, including integrated business planning, risk management, environmental scanning, and preparation of the corporate risk profile approved by the Senior Management Board;
- Regular reporting of financial performance and annual performance agreements with clearly set out financial management responsibilities;
- Human resources management plan and policies that support learning and succession planning;
- Regularly updated delegation of financial authorities instruments;
- Policies and procedures tailored to the Department of Justice's control environment;
- Training and communications in areas of financial management;
- Information technology (IT) processing systems to achieve greater security, integrity, efficiency and effectiveness;
- Documentation of key business processes and related risk and control points to support the management and oversight of the system of ICFR;
- A unit within the CFO Branch dedicated to internal control over financial reporting;
- A risk-based internal audit plan.
3. Assessment of the Department of Justice's system of ICFR
3.1 Assessment baseline
In 2004, the Government of Canada commenced an initiative to determine the ability of departments to sustain control-based audits of their financial statements, thus placing reliance on well-functioning internal controls. As a result, beginning in 2006 and more recently through the implementation of the Policy on Internal Control, the largest departments, including the Department of Justice, are formalizing their approach to managing their systems of ICFR, including readiness assessments and action plans.
Whether it is to support the control-based audit requirements or those of the Policy on Internal Control, the Department of Justice needs to maintain an effective system of ICFR with the objectives to provide reasonable assurance that a) transactions are appropriately authorized, b) financial records are properly maintained, c) assets are safeguarded, and d) applicable laws, regulations and policies are complied with.
Over time, this means the Department of Justice must assess the design and operating effectiveness of its system of ICFR, leading to ensuring the on-going monitoring and continuous improvement of its departmental system of ICFR.
- Design effectiveness
- Means to ensure that key control points are identified, documented, in place and that they are aligned with the risks (i.e. controls are balanced with and proportionate to the risks they aim to mitigate) and that any remediation is addressed. This includes the mapping of key processes and IT systems to the main accounts by location as applicable.
- Operating effectiveness
- Means that the application of key controls has been tested over a defined period and that any required remediation is addressed. Such testing covers all departmental control levels which include corporate or entity, general computer and business process controls.
- On-going monitoring
- Means that a systematic, integrated approach to monitoring is in place, including periodic risk-based assessments and timely remediation.
3.2 Assessment scope and methodology
To prepare for a control-based audit of its financial statements and to review its system of ICFR, the Department of Justice has undertaken a three-stage assessment approach: (1) audit readiness assessment, (2) pilot audit and actual audit of its financial statements, and (3) on-going maintenance and monitoring.
In the first stage, an audit readiness assessment was completed in 2006 with the assistance of an independent external consulting firm. This initial baseline assessment was supplemented by several additional projects conducted between 2006 and 2008 which considered design and operating effectiveness, including:
- Gathering information pertaining to processes, geographic locations, risks and controls relevant to ICFR;
- Mapping out key processes with the identification and documentation of key risk control points on the basis of materiality, volume, complexity, geographic location, susceptibility to losses and frauds, areas subject to audit observations, past history, external attention and reliance on third-parties; specifically, these key processes were mapped for the regional offices and headquarters:
- Operating and maintenance expenses
- Transfer payments
- Legal services revenues
- Capital assets
- Family Law fees and account
- Interdepartmental settlements
- Financial reporting
- Reviewing IT general and application controls of the systems related to financial reporting through enquiry with personnel from the IT and financial services areas, observation of application settings and physical security controls, and through inspection of relevant documentation;
- Performing specified procedures to test the operating effectiveness of key internal controls over financial reporting related to revenue and expenditure transactions.
In the second stage, the Department presented its readiness to undergo a control-based audit of its financial statements to the Office of the Comptroller General (OCG) in July 2008. This readiness was supported by the measures undertaken in the first stage, and by the completion of an audit on the March 31, 2007 closing balances of the Department's assets and liabilities by an independent accounting firm. The Office of the Auditor General (OAG) proceeded to perform a pilot audit on the 2007-08 financial statements, an actual audit on the Department's 2008-09 statements, and an interim audit of the 2009-10 financial statements.
For the third stage, the Department created a unit within the CFO Branch which is dedicated to the maintenance of the ICFR framework, and the on-going monitoring and assessment of the system of ICFR. This unit performs on-going testing of the operating effectiveness of select key controls on a statistical sample basis; reviews proposed policies and processes in the context of ICFR; and is the departmental liaison for audits with any financial implication, including working closely with the OAG financial statement auditors. Through engagement of CFO Branch management and the financial community at large, it follows up on the status of management action plans created in response to the findings of audits, including those performed by the OCG and the Department's Internal Audit Branch:
- Office of the Comptroller General horizontal audits
- Department of Justice internal audits
- Contribution Auditing Process
- Programs Branch
- Ontario Regional Office – Finance and Administration Directorate
4. Department of Justice's assessment results
As the result of the assessment approach described above, the Department of Justice has:
- Documented its ICFR framework for the key processes and IT systems supporting the financial statements;
- Assessed the design and operating effectiveness of its system of ICFR for these key processes;
- Obtained an unqualified audit opinion from an independent accounting firm on the March 31, 2007 closing balances of its assets and liabilities;
- Completed a control-based pilot audit as conducted by the OAG on its 2007-08 financial statements;
- Received an unqualified audit opinion from the OAG on its 2008-09 financial statements, and is the first of the largest departments to do so;
- Participated in an OAG interim audit of its 2009-10 financial statements; and
- Dedicated a unit within the CFO Branch to maintain the ICFR framework, perform testing of controls, liaise with auditors, and follow up on audit findings with management.
The more significant findings from these assessments of the effectiveness of the system of internal control over financial reporting are summarized below.
4.1 Design effectiveness of key controls
When completing design effectiveness testing, the Department of Justice updated business process documentation and validated key processes with the stakeholders. It verified that the documented processes corresponded to actual practices and that adjustments were made to documentation and/or the actual process, as required. These activities covered both headquarters and regional offices. Design effectiveness also included ensuring the appropriate alignment of each key control with risks.
The results from the design effectiveness testing identified the need for the following:
- Greater consistency in the breadth, depth and format of documentation of controls and procedures which varied across headquarters and the regional offices;
- Updating and formalization of the departmental accounting policy for tangible capital assets;
- Documenting and evaluating entity level controls, i.e. those controls that have a pervasive influence throughout an organization and help to ensure management directives pertaining to the entire entity are carried out.
- Analysis of the threshold for recording tangible capital assets, including the application of standards for the capitalization of large projects such as those for IT systems and leasehold improvements;
- Improved tracking and updating of tangible capital asset accounting records and monitoring use of capital assets after acquisition;
- Additional supporting documentation for the sources of account balances and amounts on the financial statements, including working papers, system reports, management estimates, and reconciliations;
IT general system management
- Strengthening of controls related to access to IT programs and data, IT program changes, as well as backup and recovery of data;
- Establishment of compensating controls for the implementation of electronic authorizations for travel requests and expenses processed under the Expense Management Tool (EMT).
- Greater clarity of roles and responsibilities for the corporate accounting and reporting unit, as well as for all branches and programs;
- Improved challenge functions and quality assurance over the trial balance, and the amounts and disclosures in the financial statements.
- Recognition of the reliance on the internal control systems and financial information provided by other government departments such as PWGSC and TBS, and the need for documentation of processes and related discussions with stakeholders where this reliance is necessary.
4.2 Operating effectiveness of key controls
When assessing the operating effectiveness of key controls, the Department of Justice considered the results of the audits of the financial statements by the OAG, of OCG horizontal and departmental internal audits, the review of controls by an independent accounting firm, and of testing by the departmental unit dedicated to ICFR. These audits, reviews and testing covered departmental controls at the entity, IT general system, and business process levels.
The results from the various operating effectiveness assessments identified the need for the following adjustments:
Business process controls
- Complete documentation on file in support of the calculation, review, approval and monitoring of pay actions;
- Clarification on the accounting treatment of annual software licences and maintenance expenses;
- Observance of the use of appropriate financial coding for expenses;
- Strengthening of change controls over vendor information in the accounting system (IFMS);
- Compliance with Sections 32, 33 and 34 authorities under the Financial Administration Act (FAA) for the commitment, payment and approval of expenditures;
- Adherence to the FAA Cheque Issue Regulations on the nature of transactions to be paid through departmental bank accounts.
IT general system controls
- Improved security controls, including user access, password parameters and administration of user IDs, within the regional pay system, IFMS, and the Family Law program's IT system.
Entity level controls
- Coherent and measurable set of performance objectives and indicators for the finance function across regional offices;
- Written policies and procedures to support the maintenance of the delegation of financial authorities instruments.
4.3 On-going monitoring program
Within the CFO Branch, a dedicated unit is responsible for a well-integrated risk-based approach for the on-going assessment of the Department's internal controls over financial reporting. The unit monitored remediation action required on the entity level, IT general system, and business process controls based on audits, management letters and other assessments; reviewed and provided feedback on key controls being developed for new policies and processes; and tested travel and hospitality transactions on a statistical sample basis. During the OAG financial statement audit, the unit, through its liaison role, also attended process walkthroughs conducted by the auditors, updated business process flowcharts, independently reviewed files being sampled, and performed further analysis of concerns identified in regard to controls.
A review of the on-going monitoring program identified the need for the following:
- Development of a formalized risk monitoring framework for the ICFR that will identify key controls to be tested over a defined period of time, including the selection of geographic locations, the test period, as well as the method and frequency of testing;
- A well-integrated monitoring program is in place, to raise awareness and an understanding of the system of ICFR at all levels, to equip people with the knowledge, skills and tools needed, and to reinforce appropriate behaviours.
5. Department of Justice's action plan
5.1 Progress as of March 31, 2010
The Department of Justice has made significant progress in assessing and improving key controls within the system of ICFR, as indicated by its ability to achieve a control-based audit of the 2008-09 financial statements, and to maintain auditable financial statements for 2009-10.
Below is a summary of the progress made by the Department. Remediation requirements to date have been addressed in priority order as assessed by risk as soon as necessary adjustments have been identified.
The Department of Justice has completed the following work to address the adjustments:
- Documented key business processes and related control points for regional offices and headquarters through the use of a common ICFR framework;
- Updated and finalized accounting policy and procedures for tangible capital assets; provided training department wide; established and communicated standards for capitalizing IT systems, software and leasehold improvement projects; analyzed capitalization thresholds, revised the thresholds for certain classes of assets, and adjusted accounting records accordingly;
- Categorized comprehensive working papers that provide support for account balances, variance analyses, and rationale for management estimates within financial statement and audit binders;
- Staffed the corporate accounting and reporting unit with additional accounting professionals with clear roles and responsibilities, and who perform stronger challenge and quality assurance functions over the trial balance and financial statements;
- Supported electronic authorizations for travel within the EMT system by the compensating controls which are necessary to be in place at the departmental level;
- Communicated department wide requirements through training, regional visits, and issuance of accounting bulletins to ensure compliance with Sections 32, 33 and 34 authorities under the FAA;
- Issued a corporate compensation directive to security and control officers which outlines the procedures for user access to the regional pay system, management of pay lists, and monitoring of regional pay system security;
- Redefined user access to IFMS programs and data for functional and IT technical staff, and clarified new roles and profiles implemented; and
- Conducted a gap analysis to assess the extent of compliance of the Department's financial activities with the requirements of the TB Financial Management Policy Framework and Policy on Transfer Payments, and the Policy on Stewardship of Financial Management Systems.
The Department of Justice has substantially advanced the following work to address the findings:
- Initiated functionalities for the tracking of system changes within IFMS, resulting in better management, documentation and approval of system changes;
- Analyzed the nature of transactions paid through departmental bank accounts; are in the process of developing a business case to seek exemption from the Cheque Issue Regulations on certain uses of the accounts; and provided training to regional offices;
- Standardized processes and procedures to maintain master vendor records in IFMS which are in the process of being documented and implemented;
- Roles and responsibilities of departmental staff with respect to financial management are being clarified, a matrix drafted, stakeholders consulted, and communications forthcoming;
- Drafted policies and procedures to support the maintenance of the delegation of financial authority instruments; and
- Documented and partially evaluated entity level controls.
The Department of Justice has commenced or partially completed the following work to address the findings:
- Review of the departmental chart of accounts and financial coding structure.
- Creation of a verifications standards working group to address improvements over internal controls and documentation related to pay actions.
- Replacement of the Family Law program's IT system, which provides opportunity for strengthening IT controls.
- Substantiated the existence of some capital assets.
- Establishment of a plan and deliverables for the development of consistent practices and efficiencies for the verification of payments in support of Section 33 of the FAA.
- Development of strategic performance indicators and measures that will form a balanced scorecard for the finance function.
- Participated in an interdepartmental working committee which is considering approaches for reliance on the internal control systems and financial information provided by other government departments.
5.2 Action Plan
The action plan for 2010-11 and subsequent years is to have a formalized on-going monitoring program of the effectiveness of the departmental system of ICFR. This will include monitoring and testing the operating effectiveness of key financial internal controls, periodic follow-up reviews of entity level and IT general system controls, tracking the status of management action plans in response to audit and other recommendations, and reviewing and testing the effectiveness of new controls.
During 2010-11, the Department of Justice plans to:
- Complete the work that has been substantially advanced during 2009-10 with respect to the findings, and continue remediation of the remaining adjustments.
- Develop the ICFR risk assessment framework which, in turn, will support the on-going monitoring program.
- Design tests for assessing operating effectiveness, establish method and frequency of testing, and continue testing of key controls.
In 2011-12 and future years, the Department of Justice plans to:
- Initiate a fraud risk assessment, including the identification of key controls addressing fraud risks.
- Have in place an on-going monitoring program for the assessment of the effectiveness of the departmental system of ICFR;
- Provide the necessary training and communication to enhance the awareness and knowledge of internal controls over financial reporting and associated responsibilities for senior management;