Audit of Internal Controls over Financial Reporting
Global Affairs Canada
Office of the Chief Audit Executive
April 10, 2017
Acronyms
- ADM: Assistant Deputy Minister
- CFO: Chief Financial Officer
- CSAE: Canadian Standard on Assurance Engagements
- DAC: Departmental Audit Committee
- DM: Deputy Minister
- ELC: Entity Level Controls
- ICFR: Internal Controls over Financial Reporting
- IFI: International Financial Institutions
- ITGCs: Information Technology General Controls
- KCoSR: Key Controls over Significant Risk
- MCO: Management Consular Officer
- OAG: Office of the Auditor General
- OCAE: Office of the Chief Audit Executive
- PIC: Policy on Internal Control
- SMD: Financial Operations
- SMO: Corporate Accounting, Financial Policies and Controls Division
- SMOC: Internal Control Team
Executive summary
In accordance with Global Affairs Canada’s 2016-2019 Risk-Based Audit Plan, the Office of the Chief Audit Executive conducted the Audit of Internal Controls over Financial Reporting.
The primary objective of this audit was to assess whether the internal controls over financial reporting (ICFR) processes are effective. The secondary objective was to assess if progress had been made in response to the recommendations made in the Office of the Auditor General’s 2013 Follow-up Audit on Internal Controls over Financial Reporting.
In 2009, Treasury Board introduced the Policy on Internal Control (PIC), the objective of which is to ensure that “risks relating to the stewardship of public resources are adequately managed through effective internal controls, including internal controls over financial reporting.” The PIC identifies the Deputy Heads (Deputy Ministers) as being responsible for ensuring the establishment, maintenance, monitoring and review of the departmental system of internal controls to mitigate risks. The PIC also requires that the Deputy Ministers and the Chief Financial Officer sign a Statement of Management Responsibility Including Internal Control over Financial Reporting. This document accompanies the annual departmental Financial Statements and acknowledges the responsibility of management for ensuring the maintenance of an effective system of ICFR. Responsibility is addressed by conducting an annual risk-based assessment and the development of action plans to address any significant issues identified.
The Department of Foreign Affairs, Trade and Development’s (now Global Affairs Canada) Framework for Internal Control over Financial Reporting Management came into effect January 1, 2014. This framework establishes the approach and defines roles and responsibilities regarding the system of ICFR at Global Affairs Canada.
Why is it important?
Effective internal controls over financial reporting serve to safeguard public resources against material loss due to waste, abuse, mismanagement, errors, fraud, omissions, or other irregularities. Effective internal controls also ensure reliable and transparent reporting of how Global Affairs Canada uses public funds to achieve the government’s stated objectives for Canadians. Further, they provide a means by which management and users of financial statements can have confidence that the financial statements fairly reflect financial transactions.
What we examined
The audit team examined the policy, governance, and processes specific to ICFR practices at Global Affairs Canada for fiscal year 2015-2016 (Appendix B provides information about the audit). The scope also included internal control operating effectiveness testing and the internal control ongoing monitoring program.
In addition, the audit assessed the progress made by the Department in implementing the recommendations from the 2013 Report of the Auditor General of Canada: Follow-up Audit on Internal Controls Over Financial Reporting.
The audit was conducted from August 16, 2016 to December 6, 2016.
What did we find?
Overall, the audit team found that the system of ICFR at Global Affairs Canada is compliant with the PIC. Testing of the ICFR process was conducted as required and action plans were developed for the control deficiencies identified. Moreover, the recommendations stemming from the 2013 Office of the Auditor General (OAG) audit were also found to have been completed.
The audit team identified that additional effort would be needed to further engage departmental senior executives and communicate with business process owners with regard to their roles and responsibilities as they relate to ICFR.
Audit conclusion
The overall conclusion of the audit team is that the process of internal controls over financial reporting is generally effective in identifying and mitigating the risk that the departmental financial statements may be materially misstated. The Department utilizes a risk-based approach when assessing the effectiveness of the system of internal controls at the Department. Improvements are needed to increase senior management’s awareness and knowledge of the status of ICFR through enhanced reporting and communication. Additionally, improvements are needed to proactively involve business process owners through effective communication to ensure they understand and fulfil their roles and responsibilities in the ICFR process.
With the completion of the last operating effectiveness testing and the commencement of the ongoing monitoring process in fiscal year 2015-16, the management action plans addressing recommendations from the OAG’s 2013 audit are completed.
Audit recommendations:
- The Chief Financial Officer should provide sufficient and detailed information to the oversight bodies on the operation and effectiveness of ICFR to ensure that their roles and responsibilities as they pertain to the Policy on Internal Control are fulfilled.
- The Chief Financial Officer should establish a communication plan for proactively engaging process owners throughout the full cycle of the ICFR process to assist process owners to clearly understand what is expected from their involvement in the ICFR process, including their roles and responsibilities as they relate to the Policy on Internal Control.
Statement of conformance
In my professional judgment as the Chief Audit Executive, this audit was conducted in conformance with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing and with the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program. Sufficient and appropriate audit procedures were conducted, and evidence gathered, to support the accuracy of the findings and conclusion in this report, and to provide an audit level of assurance. The findings and conclusion are based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed upon with management and are only applicable to the entity examined and for the scope and time period covered by the audit.
Brahim Achtoutal
Chief Audit Executive
Introduction
The audit of Internal Controls over Financial Reporting was identified as part of the Risk-Based Audit Plan for 2016-2019. The plan was recommended by the Departmental Audit Committee on September 27, 2016 and subsequently approved by the Deputy Minister of Foreign Affairs on October 17th, 2016.
In 2009, Treasury Board introduced the Policy on Internal Control (PIC). Its objective is to ensure that “risks relating to the stewardship of public resources are adequately managed through effective internal controls, including internal controls over financial reporting.” [Footnote 1] The PIC states that the Deputy Heads (Deputy Ministers (DMs)) are responsible for ensuring the establishment, maintenance, monitoring and review of the departmental system of internal controls to mitigate risks in the following broad categories:
- The effectiveness and efficiency of programs, operations and resource management, including safeguarding of assets;
- The reliability of financial reporting; and
- Compliance with legislation, regulations, policies and delegated authorities.
Internal Controls over Financial Reporting (ICFR) provide a means by which management and users of financial statements can have confidence that the financial statements fairly reflect financial transactions. The PIC requires that the DMs and Chief Financial Officers (CFO) sign a Statement of Management Responsibility Including Internal Control over Financial Reporting. This document accompanies the departmental Financial Statements and acknowledges the responsibility of management for ensuring the maintenance of an effective system of ICFR.
Additionally, ICFR provides information that aids in the preparation of internal and external financial reports and statements in accordance with policies, directives and standards. Finally, ICFR helps to provide assurance that revenues received and expenditures made are in accordance with delegated authorities, and unauthorized or erroneous transactions that could have a material effect on financial information and financial statements are prevented or detected in a timely manner.
ICFR at Global Affairs Canada
The Department of Foreign Affairs, Trade and Development’s (now Global Affairs Canada) Framework for Internal Control over Financial Reporting Management (the Framework) came into effect January 1, 2014. This Framework establishes the approach and defines roles and responsibilities regarding the system of ICFR at Global Affairs Canada. The Deputy Minister of Foreign Affairs assumes overall responsibility and leadership for the measures taken to maintain an effective system of ICFR. It is the role of the CFO to provide the DMs with reasonable assurance that appropriate measures are taken to maintain an effective system of internal control, including leading the establishment and execution of an assessment plan. Senior Departmental Managers are responsible for ensuring that a system of ICFR within their branch is well managed and effective. Heads of Mission are responsible for ensuring that a system of ICFR within their respective Mission is well managed and effective. Managers at all levels of the Department are also accountable for the effective operations of controls in their respective business processes. Lastly, the Internal Control team, within the Corporate Accounting, Financial Policies, and Controls Division (SMO), is responsible for the development and maintenance of the Framework and for the annual assessment of ICFR.
The ICFR process
The ICFR process is a documented series of activities that demonstrate that an effective system of internal controls is in place and operational. It ensures that due diligence required of the DMs and CFO to sign the Statement of Management Responsibility Including Internal Control over Financial Reporting, which accompanies the departmental Financial Statements (the Annex), has been completed. The ICFR process consists of three main phases: risk assessment, control testing, and reporting. For a visual representation of the ICFR process, refer to Appendix A.
1. Risk assessment
The first step of the ICFR process is to conduct a risk assessment. The risk assessment helps in the development of the annual plan, determining which processes will be examined. The Internal Control team completed a risk assessment for all business processes based on the Department’s 2013-14 financial statements. It involved allocating the financial statement values between the Department’s business processes and determining the most material business processes within the Department. The assessment on whether the Department had an effective system of internal controls was based on the most material business processes grouped as follows:
- Entity Level Controls (ELCs) – present across the Department and include measures taken by management to equip staff to adequately manage risks through raising awareness, providing appropriate knowledge and tools as well as developing skills.
- Information Technology General Controls (ITGCs) - relative to the Department’s general IT infrastructure and systems.
- Business Process Controls - both manual and automated, are embedded in business processes applicable to financial transactions. These controls may change over time due to changes in the Department’s business processes.
It is expected that a risk assessment will be conducted on a periodic basis to ensure that the most material business processes are being assessed.
2. Control testing
Following the risk assessment, the Internal Control team conducts control testing on each of the processes to assess if they are operating effectively. Control testing encompasses three components: design effectiveness testing, operating effectiveness testing, and ongoing monitoring.
Design effectiveness testing
The first step of control testing is design effectiveness testing. This testing determines whether the organization’s controls are designed to satisfy the organization’s control objectives, including preventing or detecting errors or fraud that could result in material misstatements in the financial statements. This step requires that the Internal Control team identifies the highest risk activities in the business processes and the key controls that would mitigate these risks.
Prior to fiscal year 2015-16, all material processes at the Department were assessed for design effectiveness.
Operating effectiveness testing
Once the design effectiveness testing has been satisfied, each process undergoes operating effectiveness testing. Operating effectiveness testing assesses if the key controls (identified during design effectiveness testing) are operating as intended. Operating effectiveness testing is used to demonstrate the reliability of the key controls over a period of time, reducing risks related to financial reporting. Any significant control deficiencies identified will require a management action plan to address the control weaknesses. All operating effectiveness testing must be completed before commencing ongoing monitoring of the processes.
Prior to fiscal year 2015-16, all material processes at the Department were assessed for operating effectiveness, with the exception of the Transfer Payments for Development Programs process, which was completed in fiscal year 2015-16.
Ongoing monitoring
Once the design and operating effectiveness testing have both been completed on the business processes, the processes can enter into the ongoing monitoring phase of the control testing. Ongoing monitoring is defined by the Framework as “periodic risk-based assessments as per a multi-year monitoring plan”. Ongoing monitoring testing includes: the validation of the risks that need to be mitigated; a refresh of the process flowcharts and narratives to ensure that they represent the processes as they are currently functioning; and, an evaluation of the key control activities to confirm that they are still relevant and operating as intended.
3. Reporting
Following the testing of controls, a report is produced to conclude on the effectiveness of the system of controls of the business process. If control weaknesses were identified during testing, they are reported to the process owners with recommended actions to mitigate them.
Observations and recommendations
The audit team examined the management practice for the ICFR based on the audit criteria described in Appendix B. Audit results were derived from the examination of: related policies and documentation; methodologies and tools used by the Internal Control team for selecting and assessing key business processes and controls; and, interviews with key individuals responsible for implementing ICFR. Based on this work, observations and recommendations were made under the following themes: governance of the ICFR process; a risk-based approach to business process selection and key control identification and assessment; and, communication with stakeholders.
2.1 Governance of the ICFR process
The governance of the ICFR process is the combination of processes and structures implemented in order to direct, manage and monitor the activities of the Department to adhere to the PIC. At Global Affairs Canada, these responsibilities are held by senior management (including the DMs, ADMs, and CFO) and operationally by the Internal Control team. To evaluate governance of the ICFR process at the Department, the audit team reviewed departmental and Government of Canada documentation, committee records of decision, and communications with key stakeholders. From this work, it was concluded that while sufficient processes and structures exist within the Department to meet the governance requirement of the PIC, improvement in communications from the CFO would be needed to further engage and obtain support from senior management and the process owners for the implementation of the ICFR process.
ICFR policy framework
The Internal Control team developed the Framework for the Management of Internal Control over Financial Reporting (the Framework), which is an overall guidance document that was approved by the Deputy Minister of Foreign Affairs on February 12, 2014. The Framework defines ICFR-related roles and responsibilities for key individuals (including executives, senior managers, and employees). It also describes in greater detail the process to be followed to prepare the Financial Statements’ Annex, as well as the principles, control structure, assessment and the corrective actions process that should be followed.
The audit team confirmed that policies and documents in support of ICFR are available for all staff on the Department's intranet. On the intranet page entitled ‘Internal Control’, the Internal Control team provides an overview of the PIC, benefits to the Department, challenges the Department faces, the control processes to be covered, and the assessment process to be followed. Relevant documents, including the Framework, the PIC, and the Department’s financial statements, are also found on this intranet page.
ICFR governance structure
The Framework designates the Departmental Audit Committee (DAC) as the main body responsible for providing objective advice and recommendations to the Deputy Ministers regarding the adequacy and functioning of the Department’s risk management, and control and governance frameworks, including the assessment of the departmental system of ICFR. The DAC mandate includes a requirement to provide advice on “departmental internal control arrangements, and be informed on all matters of significance” [Footnote 2]. A review of the DAC records of discussion for fiscal years 2015-16 and 2016-17 shows that the departmental Financial Statements with the associated Annex to the Statement of Management Responsibility Including Internal Control over Financial Reporting (the Annex) were presented to the DAC in August of 2015 and 2016. No other discussions on ICFR were noted in the DAC records of decision.
In addition to the reporting requirements to the DAC, the Framework states that the CFO is to present an update on ICFR twice a year to the Executive Board. Though management indicated that verbal presentations were made to Executive Board, there is no evidence in the records of decision of Executive Board meetings from March 2015 to September 2016 that such updates on ICFR were made. Without periodic updates, there is a risk that members of the Executive Board will have limited opportunity to be apprised of their roles and responsibilities pertaining to ICFR. The audit team also reviewed the terms of reference and records of decision in fiscal year 2015-16 for all other departmental executive committees. It was found that there was no direct reference to, or discussion on, the PIC, ICFR, or internal controls in general.
Reporting on the effectiveness of ICFR to oversight bodies
Communicating the state of effectiveness of ICFR is a key aspect of the ICFR process. The departmental senior executives and oversight bodies require timely reporting to stay informed of the ICFR monitoring and compliance activities. However, as mentioned above, a review of all departmental executive committees’ records of decision revealed that only one formal annual report, the Financial Statements’ Annex, was presented to one executive committee (the DAC). Though the 2015-2016 testing for the transfer payments process concluded that the controls were not operating effectively, these results were not clearly communicated to DAC. There is no evidence that these testing results were shared with the departmental executive committees, or that testing results were presented in detail in the departmental Financial Statements’ Annex. Not clearly reporting significant findings to members of the Executive Board may limit their ability to properly conduct their roles and responsibilities pertaining to ICFR.
If the oversight bodies are not fully informed of the risk-based assessment results related to the effectiveness of the departmental system of ICFR, there is a risk that they may not be able to effectively discharge their assigned responsibilities defined by the Framework, including providing support and communicating periodically to the process owners and staff.
Recommendation #1
The Chief Financial Officer should provide sufficient and detailed information to the oversight bodies on the operation and effectiveness of ICFR to ensure that their roles and responsibilities as they pertain to the Policy on Internal Control are fulfilled.
2.2 Risk-based approach for process selection, control identification and control assessment
As required by the PIC, a risk-based approach must be used to assess the effectiveness of the system of internal controls. The audit team examined the Internal Control team’s processes to determine if the work was completed using a risk-based approach. This included examining if a risk-based approach was used to select the key business processes to be reviewed as part of the ICFR process and to identify the key controls used to mitigate the processes’ risks. Assessment methodology and testing results were also reviewed to ensure that there was evidence to support that the system of controls is operating effectively. From this work, it was concluded that a risk-based approach was used for process selection, control identification and control assessment.
2015-16 ICFR process at Global Affairs Canada
In fiscal year 2015-16, the Internal Control team completed operating effectiveness testing on the Transfer Payments for Development Programs process. In addition, they implemented the Department’s ongoing monitoring program.
1. Operating effectiveness testing
Risk-based process selection
In fiscal year 2015-16, full-scope operating effectiveness testing was conducted on the Transfer Payment for Development Programs process by the Internal Control team. Due to amalgamation-related priorities, this process was the last to require operating effectiveness testing. It was the most material business process identified in the financial risk assessment and was therefore included as a key business process by the Internal Control team. The audit team concludes that this process was chosen using a risk-based approach.
Key controls identification and testing
Based on validated process documentation, the Internal Control team conducted a risk assessment on the Transfer Payments process and identified 21 key controls (14 manual and 7 automated) that were the highest risk to the process. The audit noted that 13 of the 14 key manual controls were applicable for the sample selected and therefore tested. For the 13 manual controls tested, the audit concluded that detailed testing matrices were prepared and completed in a satisfactory manner by the Internal Control team for the operating effectiveness testing of Transfer Payments for Development Programs.
A special review was completed by contracted resources on the 7 key automated controls. The objective of this review was to support the Department’s compliance with the PIC, by assessing the design and operating effectiveness of the automated controls. The detailed testing results were presented in a final report to the Internal Control team. The audit team noted that two of the seven key automated controls were not tested as part of this review as they were deemed to be operating effectively in the design effectiveness phase.
In conclusion, the audit examination confirmed that the key controls were identified based on a risk assessment. Testing results demonstrated that not all controls were operating effectively and therefore not mitigating the risks identified.
2. Ongoing monitoring program
The ongoing monitoring program implemented by the Internal Control team in fiscal year 2015-16 includes monitoring activities for the following: (1) Selected key business processes; (2) Mission-specific processes; and (3) Key controls over significant risks.
(1) Selected key business processes monitoring
Risk-based process selection
As part of the Internal Control team’s ongoing monitoring program, a three-year rotational testing plan for the key business processes identified in the risk assessment was developed. For fiscal year 2015-16, the ongoing monitoring plan included the following key business processes: Revenues, Investments, and Advances to International Financial Institutions, Loans to Developing Countries and International Financial Institutions, and Entity Level Controls. The audit team concludes that the business process selection for the ICFR ongoing monitoring program was made through a risk assessment.
Key controls identification and testing
The audit team noted that the business process documents (e.g. process flowchart and narratives) were validated with the process owners. These documents were used to update the key controls for each business process identified in the design and operating effectiveness testing. The key controls were identified based on the areas of highest risk related to each of the current processes. Detailed testing matrices were prepared and completed to demonstrate how the control activities were functioning and mitigating the risks identified.
(2) Mission-specific processes monitoring
Risk-based mission selection
Ongoing monitoring of missions’ business processes occurs annually as part of the ongoing monitoring program because they were identified in the ICFR risk assessment as a high risk control area. The Internal Control team visits at least one mission per fiscal year to conduct ongoing monitoring of the controls. To select the mission(s), a mission financial assessment was conducted by the Internal Control team on four key business processes found in each mission: Locally Engaged Staff Payroll, Capital Assets, Revenues, and Payments. As a result of this risk assessment, the 15 highest risk missions (from a materiality perspective) were identified. The Internal Control team uses this list to select the mission(s) they will visit each fiscal year.
In fiscal year 2015-16, the Internal Control team assessed Canada’s mission in Mexico City; this was one of the missions identified as being high risk in the assessment. Additional risk factors that were considered in the selection of Mexico City include the fact that the mission had a new Financial Management Officer and Management Consular Officer (MCO), and that it was becoming a Common Service Delivery Point that will provide financial services to multiple surrounding missions. Based on these factors, including the mission financial risk assessment, the audit team is in agreement with Mexico City’s inclusion in the ongoing monitoring plan.
Key controls identification and testing
Due to the complex and differing operating environments of Canada’s missions abroad, the Internal Control team identified 43 common key controls across different processes that each mission is expected to have in place. The 43 common key controls were chosen by identifying the common business processes found at each mission and determining the highest risk areas of the process that required mitigating controls. These controls, in the form of the Mission Inventory of Risks and Key Controls, are sent to all Heads of Mission and MCOs.
The audit examination confirmed that the 43 key controls were identified based on a risk assessment. Detailed testing matrices were prepared and completed by the Internal Control team to demonstrate how controls in Mexico City were functioning and mitigating the risks identified.
(3) Key controls over significant risks monitoring
Risk-based selection
As part of the Department’s risk-based ongoing monitoring program, there will be annual reviews and testing of Key Controls over Significant Risks (KCoSR) for those processes determined to be either high or medium risk. This annual review is based on the Internal Control team’s risk assessment that identifies the risk level for each process and associated sub-process(es). KCoSRs of medium and high risk processes should be assessed on an annual basis to provide assurance that the Department’s system of internal controls is operating as intended. With the introduction of the ongoing monitoring program, the Internal Control team only needs to test the key controls over significant risks that are not tested through an existing testing mechanism, if the mechanism is operating as intended.
For fiscal year 2015-16, two processes that had high or medium risk sub-processes containing KCoSRs were selected for testing: Payments at Headquarters and Year-End Procedures. For each of the processes, two KCoSRs (four in total) were selected based on a detailed risk assessment and tested. However, the audit team was not able to obtain evidence to explain the selection of these two processes.
Key controls identification and testing
Testing activities were prepared and performed for the four KCoSR activities identified. The testing conducted on the key risks was performed using a defined testing methodology similar to the ongoing monitoring methodology.
Overall, the audit team concludes that a risk-based approach is used by the Department to identify the business processes to be assessed as part of the ICFR process. A risk-based approach is also used to determine if the business processes are operating as intended. Better documentation of the process selection for KCoSR would help provide clarity and assist decision making with respect to the ongoing monitoring program.
2.3 Communication of ICFR with business process owners
Communication with stakeholders is a key aspect of the ICFR process. Effective communication ensures that process owners understand their roles and responsibilities, which in turn supports an effective and well managed ICFR system within their business unit. Instances where communication is key are: during the annual risk & control assessment and on-going business process update; while conducting the ongoing monitoring plan and assessment activities to determine if the system of internal control over financial reporting is effective; upon obtaining the results of the assessments; and, for the development and follow-up on implementation status of the management action plan. From this work, it was concluded that improvement is required in communicating ICFR roles and responsibilities to process owners, and communicating testing results to senior management and oversight bodies.
2.3.1 ICFR roles and responsibilities communication
Senior management has overall responsibility for the management of the department, including the design, implementation, and monitoring of ICFR and internal controls more broadly. Managers at all levels of the department are accountable for the effective operation of controls in their areas. Each business process is subject to controls designed to provide reasonable assurance that the process operates effectively and that records accurately reflect individual transactions. With a clear understanding of the roles and responsibilities for internal controls related to their processes, business process owners can play a proactive role to ensure the effectiveness of the internal controls.
The documentation review and interviews with identified process owners demonstrated that the Internal Control team communicates with process owners when required at different stages of the ICFR process. In most cases the communication relates directly to the process assessments that the Team performs. Nevertheless, interviews with six out of nine process owners identified a need to clarify their roles, responsibilities, obligations under ICFR, and to be sufficiently informed of ICFR. For example, the audit observed that there is a lack of consistent and clear understanding of the internal controls they are responsible for and how these control activities fit into the annual PIC reporting.
2.3.2 Testing result communication
Once the testing of a business process is complete, the Internal Control team prepares a summary report with key observations and recommendations for the business process that was tested. The report is shared with the director-level process owner who is provided with an opportunity to respond to the findings. Feedback received from the process owner is incorporated into the final report which is then sent by the Director General of SMD to the Director General(s) of the process, along with a Management Action Plan for completion.
The audit team reviewed all ICFR assessment reports prepared for operating effectiveness and ongoing monitoring testing, including reports on the testing of key automated controls. All reports, which included management action plans, were shared with the process owners. In addition, the audit team noted that the conclusions presented in each of the final testing reports were supported by the testing that was performed by the Internal Control team or contracted resources.
The Internal Control team has developed a follow-up plan for fiscal years 2015-16 and 2016-17 to ensure that management action plans addressing control deficiencies were tracked and implemented in a timely fashion. The need for remediation of control deficiencies is also prioritized according to the highest risk identified during the annual key control over significant risk assessment.
While reports are being produced for each business process, it is not clear if or how the results of these tests are communicated with the departmental senior executives and oversight bodies. The assessment results of the business processes are included at a high-level in the Annex; however, there is no evidence to support that detailed results are being disseminated to senior management. Senior management is not provided the opportunity to see the complete assessment results and determine if any remedial action is required based on the control deficiencies’ level of risk.
Recommendation #2
The Chief Financial Officer should establish a communication plan for proactively engaging process owners throughout the full cycle of the ICFR process to assist process owners to clearly understand what is expected from their involvement in the ICFR process, including their roles and responsibilities as they relate to the Policy on Internal Control.
2.4 Progress update on 2013 OAG audit recommendations
In the fall of 2013, the Department received a report from the Office of the Auditor General (OAG) on their Follow-up Audit on Internal Controls over Financial Reporting (Footnote 3). The OAG determined that the Department was not on track to complete its assessments of internal controls, including addressing gaps and weaknesses, within the identified timelines. At that time, a commitment was made by the Department to ensure that the requirements of the PIC would be fully implemented in order to address the OAG’s recommendations to that end.
The Department fully implemented the PIC requirements in fiscal year end 2015-16, with the completion of operating effectiveness testing of the Transfer Payments for Development Programs and the implementation of a risk-based ongoing monitoring program.
Overall conclusion
The overall conclusion of the audit team is that the process of internal controls over financial reporting is generally effective in identifying and mitigating the risk that the departmental financial statements may be materially misstated. The Department utilizes a risk-based approach when assessing the effectiveness of the system of internal controls. Improvements are identified to increase senior management’s awareness and knowledge of the status of ICFR through enhanced reporting and communication. Additionally, improvements are needed to proactively involve business process owners through effective communication to ensure they understand and fulfil their roles and responsibilities in the ICFR process.
With the completion of the last operating effectiveness testing and the commencement of the on-going monitoring process in fiscal year 2015-16, the management action plans addressing recommendations from OAG’s 2013 audit are fully implemented.
Appendix A: ICFR process at Global Affairs Canada
The diagram presents the ICFR Process at Global Affairs Canada, which is a documented series of activities that demonstrate that an effective system of internal controls is in place and operational. The ICFR process consists of three main phases: risk assessment, control testing, and reporting. Five key players are involved in the process: DMs/CFO, DAC, ADMs (including CFO), the Internal Control Team/Finance (SMD/SMO), and the Process Owner. Here are the steps of the ICFR Process at Global Affairs Canada, in order: First phase - Risk Assessment: Second phase – Control Testing: Third phase - Reporting:
Appendix B: About the audit
Objective
The objective of this audit was to assess whether the internal controls over financial reporting (ICFR) process is effective, which ensures that key control gaps are identified and mitigated as needed. The other objective of this audit was to assess if progress had been made in response to the OAG’s 2013 audit recommendations.
Scope
The scope of the audit included:
- Operating effectiveness testing – Transfer Payments for development programs
- Ongoing monitoring of the:
  - Entity-level controls process
  - Revenues process
  - Loans to developing countries and International Financial Institutions (IFIs)
  - Investments and advances to IFIs
- Ongoing monitoring of Mission specific processes
- Ongoing monitoring of key controls over significant risks
The audit also assessed the progress made in implementing the recommendations from the Fall 2013 OAG report.
Criteria
The following criteria were developed following the completion of the detailed risk assessment and considered the Audit Criteria related to the Management Accountability Framework developed by the Office of Comptroller General of the Treasury Board Secretariat. The audit criteria were discussed and agreed upon with the auditees. The following table outlines the audit criteria developed to meet the stated audit objective and audit scope:
Criteria 1.0: Accountabilities, roles and responsibilities for the ICFR process are formally defined, communicated, exercised, and are supported by an appropriate level of governance structure.
Sub-criteria:
- 1.1 Senior management, including the Deputy Minister, is aware of and responsive to their ICFR requirements, as per the Policy on Internal Control (PIC).
- 1.2 A governance structure is defined, implemented, and followed to comply with the PIC requirements.
- 1.3 Communication to the Department is key with a clear “tone from the top” leading to success.
- 1.4 Roles and responsibilities for ICFR are defined for, communicated to and followed by Business Process Owners.
Criteria 2.0: Thorough risk assessments to identify and assess relevant risks are completed, monitored and updated.
Sub-criteria:
- 2.1 An annual risk assessment of the overall ICFR process is conducted to ensure highest risk areas are being monitored on an ongoing basis.
- 2.2 A process-level risk assessment was conducted for all processes under the audit scope.
Criteria 3.0: An adequate testing methodology for the ICFR process exists and is applied consistently across all processes.
Sub-criteria:
- 3.1 A testing methodology for the ICFR process exists.
- 3.2 Testing methodology is applied correctly for processes under audit scope.
Criteria 4.0: Results of key controls testing are documented and communicated to business process owners and senior management for decision/action.
Sub-criteria:
- 4.1 Follow-up activities were identified and communicated with the process owners.
- 4.2 A follow-up process is being implemented by the Internal Control team.
Approach and Methodology
In order to conclude on the above criteria, and based on identified and assessed key risks and internal controls associated with the related business processes, the audit was completed according to the Treasury Board Policy on Internal Audit and the audit standards of the Institute of Internal Auditors.
The audit was identified as an audit priority and an area of high risk to Global Affairs Canada in the 2016-2019 RBAP. A risk assessment was completed based on a review of documentation and interviews with stakeholders, including the Internal Control team (SMOC) and a selection of process owners. As well, a review of policies, past audit work, previous fraud risk assessment work, and other documentation related to financial controls was conducted. Overall, the assessment concluded that the main risks to Global Affairs Canada are related to compliance with the Policy on Internal Control (PIC) in terms of governance of the activity as a whole, adequate risk assessments, effective testing, and sufficient follow-up on the gaps identified. The engagement provides an adequate overview of the subject area, which is of value to the organization. In order to achieve the intended outcomes, the following approach was used:
- Initial study – gathering and examination of baseline information on PIC initiatives, including but not limited to: analyzing non-financial information; and, policies, guidelines and procedures. The information obtained was used to prepare for the preliminary meetings with senior management.
- Preliminary meetings – interviews with the Department’s senior management to obtain information related to challenges and delivery of the expected results from a perspective of ensuring that Internal Audit had a correct understanding of the current state of the process and, importantly, identifying areas of greatest management concern.
- Detailed information gathering – the purpose of this approach was to:
  - Record, through interviews and documentation review, the Department’s accountability requirements related to the PIC and Annex;
  - Assess, through interviews, walkthroughs and documentation review, the level of overall compliance with the PIC;
  - Review, through interviews and documentation review, management’s response to weaknesses identified; and,
- At the conclusion of the audit, specific areas of interest will be considered for inclusion in the next annual Risk-based Audit Plan. The observations will assist management to identify potential risks in Internal Controls over Financial Reporting in the Department.
Appendix C: Definitions
As per the Department’s Framework for the Management of Internal Control over Financial Reporting:
Internal control: a set of means to mitigate risks and provide reasonable assurance in the following categories:
- The effectiveness and efficiency of programs, operations and resource management, including safeguarding of assets;
- The reliability of financial reporting; and,
- Compliance with legislation, regulations, policies, and delegated authorities.
Internal control over financial reporting: the subset of internal control that allows management and users of financial statements to have reasonable assurance that:
- Transactions are appropriately authorized;
- Financial records are properly maintained;
- Assets are safeguarded; and
- Applicable laws, regulations, and policies are followed.
Key Control: a control that provides reasonable assurance that material errors will be prevented or detected in a timely manner. The documentation of key controls is done through flowcharts, narratives and control matrices (risk based by business process).
Materiality: extent to which a misstatement or an error of an item of information might reasonably be expected to influence the decision of the user of the financial information.
Process owner: ultimately responsible for managing and overseeing the objectives and performance of a process through key performance indicators. A process owner has the authority and ability to make required changes related to achieving process objectives.
Risk: In the context of financial activity, is an event or condition that can negatively affect the ability of an organization to produce timely and reliable financial reporting.
Appendix D: Management action plan
Recommendation number | Audit recommendation and risk rating | Management action plan | Area responsible | Expected completion date |
---|---|---|---|---|
1 | The Chief Financial Officer should provide sufficient and detailed information to the oversight bodies on the operation and effectiveness of ICFR to ensure that their roles and responsibilities as they pertain to the Policy on Internal Control are fulfilled. | The Chief Financial Officer will report at least twice a year to oversight bodies on the operation and effectiveness of ICFR. The next presentation will include a reminder of Senior Management’s responsibility with respect to Internal Control over Financial Reporting and a request for Senior Managers to further communicate this information to their teams. ICFR responsibilities are already included in all EX performance agreements. | SCM | September 30, 2017 |
2 | The Chief Financial Officer should establish a communication plan for proactively engaging process owners throughout the full cycle of the ICFR process to assist process owners to clearly understand what is expected from their involvement in the ICFR process, including their roles and responsibilities as they relate to the Policy on Internal Control. | The Chief Financial Officer will review its communication activities to proactively engage with process owners in the ICFR process and provide information on their roles and responsibilities as they relate to the Policy on Internal Control. | SCM | September 30, 2017 |