Archived information

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Annex to the Statement of Management Responsibility Including Internal Control Over Financial Reporting for 2010-2011

Summary of the assessment of effectiveness of the system of internal control over financial reporting and the action plan of the Canadian International Development Agency for fiscal year 2010-2011

Note to the reader

With the Treasury Board Policy on Internal Control that became effective April 1, 2009, departments are required to demonstrate the measures they are taking to maintain an effective system of internal control over financial reporting (ICFR).

As part of this policy, departments are expected to conduct annual assessments of their system of ICFR, establish an action plan to address any necessary adjustments, and to attach to their Statements of Management Responsibility a summary of their assessment results and action plan.

Effective systems of ICFR aim to achieve reliable financial statements and to provide assurance that:

The system of ICFR is designed to mitigate risks to a reasonable level based on an on-going process to identify key risks, to assess the effectiveness of associated key controls and adjust them as required, as well as to monitor the system in support of continuous improvement. As a result, the scope, pace and status of those departmental assessments of the effectiveness of their system of ICFR will vary from one organization to another based on risks and taking into account their unique circumstances.

It is important to note that the system of ICFR is not designed to eliminate all risks, but rather to mitigate risk to a reasonable level with controls that are balanced with and proportionate to the risks they aim to mitigate.

1. Introduction

This document is attached to the Canadian International Development Agency (CIDA)'s Statement of Management Responsibility Including Internal Control Over Financial Reporting for fiscal year 2010-2011. As required by the Treasury Board Policy on Internal Control, this document provides, for the second time, summary information on the measures taken by CIDA to maintain an effective system of internal control over financial reporting (ICFR). In particular, it provides summary information on the latest assessments conducted by CIDA during fiscal year 2010-2011, including progress, results and related action plans along with some financial highlights pertinent to understanding the control environment unique to the Agency.

1.1 Authority, Mandate and Program Activities

Detailed information on CIDA's authority, mandate and program activities can be found in the Agency's latest Departmental Performance Report, and in its latest Report on Plans and Priorities.

1.2 Financial highlights

Financial statements (unaudited) of the Canadian International Development Agency for the last fiscal year can be found.

For the 2010-2011 fiscal year, the financial highlights are:

1.3 Service arrangements relevant to financial statements

CIDA's information technology (IT) platform, which supports its IT network and financial and accounting system, currently resides at Agriculture and Agri-Food Canada.

The Agency also relies on other organizations for the processing of certain transactions that are recorded in its financial statements:

1.4 Material changes in fiscal year 2010-2011

Apart from a change in the Chief Financial Officer (CFO), no significant departmental changes that are relevant to the Agency's financial management context and/or financial statements occurred in 2010-2011.

The CFO position was occupied by the following individuals over the course of the year:

Other CIDA senior financial officers filled the position in an acting capacity during the two months that it was officially vacant.

2. The Agency's control environment relevant to ICFR

CIDA management recognizes the importance of setting the tone from the top to help ensure that staff at all levels understand their roles in maintaining effective systems of ICFR and are equipped to exercise these responsibilities effectively. The Agency's focus is to ensure risks are managed well through a responsive and risk-based control environment that enables continuous improvement and innovation.

2.1 Key positions, roles and responsibilities

Below are CIDA's key positions and committees with responsibilities for maintaining and reviewing the effectiveness of its system of ICFR.

President — The Agency's President, as Accounting Officer, assumes overall responsibility and leadership for the measures taken to maintain an effective system of internal control. In this role, the President relies on the recommendations received from the Departmental Audit Committee and the advice provided by other members of the Management Board.

Chief Financial Officer (CFO)  — The Agency's CFO reports directly to the President and provides leadership for the coordination, coherence and focus on the design and maintenance of an effective and integrated system of ICFR, including its annual assessment.

Senior Managers  — CIDA's senior managers in charge of program delivery or corporate branches are also responsible for maintaining and reviewing effectiveness of the portions of the system of ICFR falling within their mandate.

Chief Audit Executive (CAE)  — The Agency's CAE reports directly to the President and provides assurance through periodic internal audits, which are instrumental to the maintenance of an effective system of ICFR.

Departmental Audit Committee (DAC) — The DAC is an advisory committee that provides objective advice to the President on the Agency's risk management, control and governance frameworks. It is comprised of four external members and one internal member. As such, it reviews the Agency's Corporate Risk Profile and its system of internal control, including the annual assessment and action plans relating to the system of ICFR.

Management Board  — As the Agency's central decision-making body, the Management Board reviews, approves and monitors the Corporate Risk Profile and the departmental system of internal control, including the annual assessment and action plans relating to the system of ICFR.

2.2 Key measures taken by CIDA

CIDA's control environment also includes a series of measures to equip its staff to manage risks well through raising awareness, providing appropriate knowledge and tools as well as developing skills. Examples of key measures include:

3. Assessment of CIDA's system of internal control over financial reporting

3.1 Assessment Approach

In support of the Policy on Internal Control, an effective departmental system of ICFR must be in place with the objectives to provide reasonable assurance that:

Over time, this includes assessment of the design and operating effectiveness of the system of ICFR, which then leads to the implementation of on-going monitoring and continuous improvement of this system.

A design effectiveness assessment means to ensure that key control points are identified, documented, in place and that they are balanced with and proportionate to the risks they aim to mitigate, that any weaknesses are identified and that any necessary remediation is addressed. This includes the mapping of key IT systems and business processes to the main financial records or accounts, by location as applicable.

An operating effectiveness assessment means that the application of key controls has been tested over a defined period, that any weaknesses are identified and that any necessary remediation is addressed.

Such testing covers all levels of departmental control, which include entity (corporate) level controls, IT general controls and business process controls.

3.2 Scope of Departmental Assessment at CIDA

To satisfy the Policy on Internal Control, the Agency has taken measures to assess its system of ICFR. It used its annual financial statements as a starting point to identify its main accounts or business processes.

Over a period of four years that will end on March 31, 2013, and for each of its main accounts or business processes, the Agency will have prepared system descriptions, financial control matrices, and tested the design effectiveness as well as the operating effectiveness of the key financial controls that are embedded within them. The Agency will also have identified any control weaknesses and taken appropriate corrective actions.

As at March 31, 2011, CIDA has already documented and assessed its entity (corporate) level controls and IT general controls (IT infrastructure). The Agency has also completed the documentation of financial controls that are embedded within the following significant accounts or business processes:

The documentation exercise comprised the following steps for each of the above mentioned significant accounts or business processes:

As well, as at March 31, 2011, CIDA had undertaken to gather information and prepare the system descriptions of the following business processes:

Lastly, as at March 31, 2011, the Agency had completed the operating effectiveness testing of the financial controls embedded within the field expenses business process at six foreign CIDA posts, also in support of its increased decentralization initiative to be implemented over the next three years. Furthermore, it had begun to test the operating effectiveness of the financial controls comprised in the following business processes managed from headquarters:

4. CIDA's assessment results

Based on the assessment approach described above, CIDA is developing baseline architecture of all key control points by main account and/or business process.

The Agency's assessments of entity (corporate) level controls and of IT general controls were completed in previous fiscal years. In 2010-2011, CIDA focused mainly on assessing the design effectiveness of the financial controls that are embedded within its significant accounts or business processes. It also began to test the operating effectiveness of the key controls that are comprised in a few selected business processes, for which the design assessment had already been completed.

4.1 Design effectiveness of key controls

In order to perform design effectiveness testing of the business processes that were assessed before March 31, 2011, the Agency completed all documentation of the processes and verified whether appropriate controls were in place and corresponded to actual practice. Where feasible, remediation requirements were implemented shortly after the necessary adjustments had been identified. Otherwise, management action plans either were or are currently being developed to fully address the control weaknesses within a reasonable timeframe. Design effectiveness testing also included ensuring the appropriate alignment of key controls with the risks they aim to mitigate.

Entity-level controls

When assessed in a previous fiscal year, the entity (corporate) level controls were judged satisfactory.

IT general controls

An assessment of IT general controls performed in a previous fiscal year concluded that weaknesses existed in the IT environment, and CIDA has already adopted appropriate measures to fully remediate most of them. In 2010-2011, the Agency continued to take remedial actions to address the remaining few weaknesses in the IT general controls, and significant progress has been reached in the following areas:

In the upcoming year, CIDA has planned to keep improving the above areas, and also to further enhance the formal monitoring of IT control activities performed by third-party service providers.

Business process controls

In 2010-2011, CIDA completed the documentation and assessment of the design of financial controls that are embedded within the following significant accounts or business processes:

The existence of relevant and strong financial controls was confirmed through the documentation and design assessment of the above significant accounts or business processes. The main control objectives pertaining to each account or business process were generally well supported by appropriate key control activities. Nonetheless, a few design improvement opportunities were identified in the following areas:

Where feasible, specific remediation requirements were implemented shortly after the necessary adjustments had been identified. Otherwise, management action plans either have been or are currently being developed to fully address the control weaknesses within a reasonable timeframe. A follow-up will be performed on each of the remediation measures in 2011-2012 to ensure that they are being implemented as planned.

4.2 Operating effectiveness of key controls

Design effectiveness testing remains a pre-requisite to the operating effectiveness testing of the key financial controls that are integrated to any business process. Also, whenever possible, operating effectiveness testing of controls is more efficient if performed for several business processes at the same time, as some of the key controls (for example, payment issuance controls) are common to all processes.

In 2010-2011, the Agency commenced its assessment of the operating effectiveness of key financial controls that are embedded within the following significant business processes managed from headquarters:

At March 31, 2011, the operating effectiveness testing of the key financial controls comprised in the above business processes had not yet been completed. The results of this assessment will therefore become available and be disclosed in the annual assessment of CIDA's system of ICFR for fiscal year 2011-2012.

Furthermore, in 2010-2011, the Agency assessed the operating effectiveness of the key financial controls that are embedded within the expenditures business process at four foreign CIDA offices. When completing operating effectiveness testing, the Agency assessed whether key controls were well functioning over a 12 month period or a specified period of time during the fiscal year based on risks.

The application of several key financial controls in the field worked effectively throughout the periods that were tested, and all transactions sampled were supported by valid and appropriate documentation. Nonetheless, improvement opportunities with regard to the operating effectiveness of certain key controls were found in the following areas:

Where feasible, specific remediation requirements were implemented shortly after the necessary adjustments had been identified. Otherwise, management action plans are being developed to fully address the control weaknesses within a reasonable timeframe. A follow-up will be performed on each of the remediation measures according to a monitoring program of CIDA's foreign offices that will be established over the next two years, to ensure that they are being implemented as planned.

5. CIDA's action plan

5.1 Progress as of March 31, 2011

During 2010-2011, CIDA has continued to make solid progress in assessing and improving its key financial controls. As of March 31, 2011, the financial controls design effectiveness testing phase has been substantially advanced with regards to significant business processes, while the operating effectiveness testing of key controls has commenced.

The financial controls documentation and design assessment phase was not completed in 2010-2011 as initially anticipated due to a revised and more integrated approach to the re-engineering of CIDA's grants and contributions processes.

Notably, and as planned in 2010-2011, the Agency reached significant progress towards fully addressing the following necessary adjustments:

As well, CIDA commenced or partially completed work to address the following necessary adjustments, most of which will take a few years to fully implement due to their complexity or broader scope:

5.2 Action plan for the next fiscal year and future years

Building on progress to date, the Agency is positioned to substantially complete the assessment of its system of ICFR in 2012-2013.

By the end of 2011-2012, CIDA plans to:

By the end of 2013-2014, CIDA plans to:

CIDA is fully committed to this action plan. However, attainment of the milestones identified above will be contingent on the Agency being able to maintain its current level of resources to implement the requirements of the Policy on Internal Control. Any major changes to the departmental structure could certainly impact on the associated timelines. CIDA will update its action plan on an annual basis.

Date Modified: