Audit of Internal Control over Financial Management (ICFM)
Office of the Chief Audit Executive
June 2022
Table of Contents
- About the Audit
- Summary of Assessment
- Background
- Line of Enquiry 1 - Governance
- Line of Enquiry 2 - ICFM System
- Line of Enquiry 3 - Testing Methodology
- Line of Enquiry 4 - Reporting
- Conclusion
- Annex A: Audit Approach
- Annex B: Audit Criteria
- Annex C: Management Response and Action Plan
About the Audit
The objective of the audit is twofold:
- to determine whether the departmental framework to assess, monitor, and report on the system of Internal Control over Financial Management is in compliance with the Policy on Financial Management and operating effectively, and,
- to determine whether the department is on track to have all its business processes reach the ongoing monitoring stage as per the target set by Treasury Board.
The audit scope included relevant processes and activities used to assess, monitor and report on the system of Internal Control over Financial Management (ICFM) for the fiscal years 2019-20, 2020-21, as well as the current year of 2021-22. The 2018-19 risk assessment was also part of the scope, in addition to the ongoing work related to the four (4) non-Internal Control over Financial Reporting (ICFR) business processes.
The audit team did not assess the accuracy of the department’s financial statements, nor the design and operating effectiveness of individual Entity Level Controls, Information Technology General Controls and Business Process controls.
Lines of Enquiry centered on the following areas:
- Governance
- Ongoing monitoring (plans, assessments, and methodology)
- Reporting
Summary of Assessment
| Criteria | Assessment | Findings | ||
|---|---|---|---|---|
| Criterion 1 | Accountabilities, roles and responsibilities for the system of ICFM are formally defined, communicated, exercised, and are supported by an appropriate level of governance and oversight. | Needs Moderate Improvement | Needs Moderate Improvement | Governance committees have limited oversight and engagement with the system of ICFM. |
| Needs Minor Improvement | The departmental ICFM Framework, which includes roles, responsibilities and accountabilities, aligns with the Treasury Board Policy on Financial Management and the Treasury Board Secretariat Guide to Ongoing Monitoring of ICFM. | |||
| Criterion 2 | A system of ICFM is supported by an adequate risk assessment and ongoing monitoring plan. | Needs Improvement | Needs Improvement | Procedures to conduct risk assessments and develop the Ongoing Monitoring Plan were incomplete and not in line with the Treasury Board Secretariat Guide to Ongoing Monitoring of ICFM. |
| Needs Minor Improvement | Measurable progress has been made towards meeting the March 2024 target for bringing the new financial management processes to the ongoing monitoring phase. | |||
| Criterion 3 | Testing methodology for the system of ICFM is effective and applied consistently across all processes. | Needs Minor Improvement | Needs Minor Improvement | An effective methodology has been developed to test the system of ICFM and it was generally applied consistently; however, some opportunities for improvement exist. |
| Criterion 4 | Results of control assessments are captured and communicated to business process owners and senior management through internal and external reports. | Needs Improvement | Satisfactory | There were good practices in place for communicating the results of assessments to the Business Process Owners in a timely and effective manner. |
| Needs Improvement | The process of obtaining, reviewing progress, as well as reporting on the follow-up of action plans, requires significant improvement. | |||
| Needs Improvement | The Annex to the Statement of Management Responsibility, Including ICFR, is completed on an annual basis as required by the Policy. However, there is no regular internal reporting to senior management. | |||
Background
In 2017, Treasury Board introduced the Policy on Financial Management (the Policy). The objective of the Policy is to ensure that financial resources of the Government of Canada are well managed in the delivery of programs to Canadians and safeguarded through balanced controls that enable flexibility and manage risk. As well, departments are to establish a risk-based system of internal controls over financial management (ICFM) that is monitored and maintained. Two Treasury Board Secretariat guides were developed (2019) to support departments and agencies with the ongoing monitoring of internal controls and the maintenance of an effective system of ICFM: the Guide to ICFM and the Guide to Ongoing Monitoring of ICFM.
The system of ICFM refers to the measures and activities that provide reasonable assurance that a department’s financial management activities are effective and efficient. Internal Control over Financial Reporting (ICFR), which is a subset of ICFM, refers to the measures and activities that provide reasonable assurance that the department’s financial statements are accurate and complete. Key roles and responsibilities pertaining to internal controls are detailed in the Policy. While the Deputy Head is responsible for the overall system of internal control across the department, the Chief Financial Officer is responsible for the system of ICFM, including the system of ICFR (see diagram below).
Text version
This image illustrates the specific components within the system of internal control. There are three levels illustrated by three circles, each one within the other to showcase how each component fits within one another. Specifically, the system of internal control is the responsibility of the Deputy Head.
Within the system of internal control is the system of internal control over financial management. It is the responsibility of the Chief Financial Officer and is governed by the Policy on Financial Management.
Within the system of internal control over financial management, there is the system of internal control over financial reporting. It is also the responsibility of the Chief Financial Officer and was previously governed by the Policy on Internal Control.
The Internal Control Team, within the Corporate Accounting Division, is responsible for coordinating the department’s response to the requirements outlined in the Policy. There are currently 2 foundational controls and 16 business processes:
| Controls | Business Processes |
|---|---|
| Foundational Controls | Entity Level Controls |
| Information Technology General Controls | |
| ICFR Business Processes | Transfer Payments – Development Programs |
| Transfer Payments – Other Programs | |
| Salaries and Benefits | |
| Capital Assets at Headquarters | |
| Payments at Headquarters | |
| Loans to developing countries and international Financial Institutions | |
| Investments and Advances to International Financial Institutions | |
| Foreign Service Directives | |
| Revenues | |
| Accounts Receivable | |
| Year End Procedures and Financial Statement Preparation | |
| Mission Specific Processes | |
| Non-ICFR Business ProcessesFootnote 1 | Planning and Budgeting (includes Pay Administration – non-ICFR) |
| Costing | |
| Investment Planning | |
| Chief Financial Officer Attestations (included in Cabinet submissions) |
Ongoing monitoring process
The department has reached the ongoing monitoring stage for Entity Level Controls, Information Technology General Controls and all twelve (12) ICFR business processes. Ongoing monitoring helps to ensure that foundational and ICFR business processes continue to operate effectively and as designed.
The Internal Control Team coordinates the ongoing monitoring, which requires the participation of various departmental stakeholders and comprises five steps:
Text version
This image illustrates each step of the ongoing monitoring process. There are five steps:
Step 1 - First, a risk assessment is conducted. Detailed risk assessments are conducted every four years and annual risk assessments are done to select key controls to assess.
Step 2 - Second, the annual ongoing monitoring plan is completed with a detailed work plan.
Step 3 - Third, ongoing monitoring assessments are completed. This means that either full process reviews or key control reviews of business processes are completed.
Step 4 - Fourth, reports for each assessment are completed with recommendations and management action plans.
Step 5 - Lastly, a summary of assessments and the internal control environment is included in the Annex to the Statement of Management Responsibility.
The four (4) non-ICFR business processes have not yet reached ongoing monitoring (see the section on Non-ICFR Processes for an update on the current status). This means that these processes will need to complete the following stages: documentation (reviewing documentation on the environment and control), design effectiveness testing (identifying the key internal controls that are mitigating the risks) and/or operating effectiveness testing (determining whether the controls are operating as intended). The target implementation date set by Treasury Board is to have all of these processes reach the ongoing monitoring stage by March 31, 2024.
Line of Enquiry 1 - Governance
Criterion 1 - Accountabilities, roles and responsibilities for the system of ICFM are formally defined, communicated, exercised, and are supported by an appropriate level of governance and oversight.
What was expected:
- Regular reports and presentations on the status of the ICFM system to the governance bodies.
- Documented evidence of oversight and monitoring from senior management.
- The Chief Financial Officer discusses with senior managers their roles and responsibilities related to departmental internal controls on an annual basis.
- ICFM related roles, responsibilities and accountabilities are clearly defined and documented for all key stakeholders (including the Chief Financial Officer, senior management, Departmental Audit Committee and Business Process Owners).
- Key stakeholders understand their ICFM related roles, responsibilities and accountabilities.
Context:
- Adequate oversight allows senior management and governance bodies to have confidence that internal controls are sufficiently strong to provide reasonable assurance that results presented in the financial statements are accurate.
- The understanding of roles and responsibilities for key stakeholders supports compliance with the Policy on Financial Management and associated guides.
- Clear, comprehensive and documented roles, responsibilities and accountabilities support stakeholder engagement, during both internal control assessments and the Management Action Plan process.
Findings:
The department has an ICFM Framework, which aligns with the Policy on Financial Management.
Roles, responsibilities, and accountabilities are documented and communicated in the departmental ICFM Framework and Internal Control intranet site, however it is only for the Chief Financial Officer and senior departmental managers. Governance could operate more effectively if documented using a RACI Chart (Responsible, Accountable, Consulted, Informed) so that all stakeholders, including Business Process Owners, are aware of their responsibilities and timing for engagement within the annual ongoing monitoring cycle.
The department’s governance committees had limited oversight or engagement with the system of ICFM during the period under review. Both the Executive Committee and the Departmental Audit Committee could be better used to provide strategic oversight on the system of internal controls. Specifically:
- roles and responsibilities should be presented, at least annually, to Executive Committee, as documented in the departmental ICFM Framework; and
- regular updates of the ongoing monitoring plan, control assessment results and remediation action plans should be tabled to the Departmental Audit Committee and/or senior management.
Conclusion:
The department’s ICFM Framework is documented and communicated; however, it should be strengthened so that all roles/responsibilities are documented and so senior management can exercise leadership and oversight on these activities.
Recommendation:
See recommendation 4 under Line of Enquiry 4.
Line of Enquiry 2 - ICFM System
Criterion 2 - A system of ICFM is supported by an adequate risk assessment and ongoing monitoring plan.
What was expected:
- Written procedures for how the Internal Control Team conducts risk assessments, based on the requirements in the Policy on Financial Management and the associated guides.
- An appropriate methodology is used for both the annual environmental scan and the full risk assessment.
- A full risk assessment is completed every 3-5 years, with annual environmental scans in the intervening years.
- Sufficient details are in both the ongoing monitoring plan and risk assessments to support the rationale behind each scheduled assessment.
- Consultations with stakeholders (such as Business Process Owners) are occurring during the completion of risk assessments and while preparing the ongoing monitoring plan.
- There is a plan with clear deliverables and timelines to reach the ongoing monitoring phase for all new non-ICFR business processes, taking into consideration the capacity needed to monitor the new processes.
- Regular updates are provided by the service provider with sufficient information to monitor the progress towards the implementation of the new non-ICFR business processes.
Context:
- Key risks to financial management must be identified and mitigated in a timely manner.
- Including non-financial business processes during the risk assessment helps to identify new and emerging non-financial and qualitative risks in a timely manner.
- A risk-based approach allows for the effective use of limited resources.
- Treasury Board has set a target implementation date of March 31, 2024 to reach the ongoing monitoring phase for the non-ICFR business processes.
Findings:
Risk Assessment
All significant financial statement accounts identified as high risk in the risk assessment, and most significant accounts with medium risks, were mapped to a business process, which was included in the Ongoing Monitoring Plan. The Internal Control Team also completed a special review of COVID-19 specific expenditures to ensure the Plan included new risks. Moreover, there is an adequate risk-based process in place to identify which missions to select for internal control assessments.
The current risk assessment (full risk assessments and annual environmental scans) procedures are focused primarily on the materiality of financial statement accounts and do not include an overall risk ranking of the key business processes, information technology processes, and the entity-level controls.
Overall, the risk assessment could be strengthened by addressing the following gaps:
- Consultation with Business Process Owners outside of the financial bureaus
- Validation of the risk assessment results by the Chief Financial Officer and other stakeholders
- Inclusion of Information Technology General Controls and Entity-Level Controls; and
- Documented information in terms of scope, consultations, Management Action Plan follow-up and documentation review.
Ongoing Monitoring Plan
The Ongoing Monitoring Plan is documented in the Risk Assessment and the Annex to the Statement of Management Responsibility Including ICFR, however, a standalone Ongoing Monitoring Plan with sufficient detail (e.g., testing frequency, resource requirements), that is updated annually based on the results of the risk assessment process and shared with stakeholders, would better inform Business Process Owners and senior management of the annual plan.
According to the Ongoing Monitoring Plan, each business process undergoes a full review once every four years, with only certain key controls being tested at more frequent intervals. However, by developing a risk-based Ongoing Monitoring Plan, it would provide more flexibility and adaptability for the Internal Control Team to address emerging risks.
Non-ICFR Processes
To meet the March 2024 Treasury Board targetFootnote 2, the department has outsourced the implementation of the four (4) new non-ICFR business processes to a consulting firm. There is a project charter for the completion of the documentation and design effectiveness stages and additional work is scheduled for fiscal year 2022-23 with the same firm to test operating effectiveness for each process. The statement of work in the charter is aligned to the steps documented in the Guide for ICFM.
The Internal Control Team receives regular status updates on the progress of work for the ICFM project. As of mid-March 2022, three of the processes were substantially completed, however one process remains in the early stages of documentation (see diagram below)Footnote 3. The department currently has no resource plan to address the Internal Control Team’s increased workload once these additional processes reach the ongoing monitoring stage. An operational plan outlining resource requirements, milestones and deliverables, as well as senior management oversight, would help to support the sustainability of the project, along with accountability of all stakeholders.
Text version
This image illustrates the progress that the Internal Control Team has made as of March 2022 to reaching the ongoing monitoring phase for its four new non-ICFR business processes.
The investment planning business process has just passed the preliminary phase of documentation and design effectiveness testing.
The business processes planning and budgeting and Chief Financial Officer attestations are almost at the operating effectiveness stage, and the costing business process is not far behind them.
Once business processes pass the operating effectiveness stage, they will move towards meeting the ongoing monitoring stage that has a target deadline of March 2024.
Conclusion:
The department has a risk-based process in place to identify the internal controls to assess. However, procedures to conduct risk assessments and develop the Ongoing Monitoring Plan are incomplete and not in line with the Guide to Ongoing Monitoring of ICFM.
The department is demonstrating measurable progress towards meeting the March 2024 target for bringing the new financial management processes to the ongoing monitoring phase. This initiative could be strengthened with an operational plan that includes consideration for stakeholder accountabilities, key milestones, deliverables and resource requirements.
Recommendations:
- The Assistant Deputy Minister, Corporate Planning, Finance and Information Technology (SCM) should review and update the methodology for conducting risk assessments and preparing the Ongoing Monitoring Plan.
- The Assistant Deputy Minister, Corporate Planning, Finance and Information Technology (SCM) should develop an operational plan that includes a resource analysis to support the ongoing monitoring process for the system of ICFM.
Line of Enquiry 3 - Testing Methodology
Criterion 3 - Testing methodology for the system of ICFM is effective and applied consistently across all processes.
What was expected:
- A documented testing methodology is used (and applied consistently) for the system of ICFM, including scoping of controls/processes to be assessed.
- Common templates and procedures are used throughout the ICFM testing process.
- A sampling methodology is used when testing the effectiveness of controls.
- The Internal Control Team’s testing methodology (including sampling) is aligned with the Guide to Ongoing Monitoring of ICFM.
- Assessments are performed using sound methodology, supported by documented evidence, and findings are consistent with the work performed.
- Documentation indicates the relevant financial assertions for each key control.
Context:
- Standard testing templates for all control assessments support consistent documentation of testing and improve efficiency.
- Concluding on design effectiveness prior to testing for operating effectiveness prevents the testing of a control that is not designed effectively.
- Assessing design effectiveness of controls prior to testing its operating effectiveness allows for greater efficiency.
- The mapping of controls to financial assertions helps stakeholders understand the impact of a control failure on the financial statements.
Findings:
A sound methodology that is in line with the Guide to Ongoing Monitoring has been developed to test the system of ICFM. The testing of operating effectiveness of key controls was generally performed well.
The audit team selected a judgmental sample of four completed internal control assessments from 2019-20 and 2020-21, as well as a random sample of approximately 10% of the available population to re-perform controls tested. The assessments were supported by documented evidence, and the findings and recommendations were aligned with the work performed. However, the Internal Control Team did not document their testing and conclusions on the design effectiveness of controls, nor did they risk-rank assessment findings and include the impact statement for control weaknesses identified, which would help Business Process Owners to prioritize corrective actions.
An exception to the consistent application of the testing methodology was noted where no sample was selected to assess Information Technology General Controls during an assessment of a mission (i.e. a questionnaire was used). This approach to testing Information Technology General Controls at missions may not provide adequate assurance that controls are operating as intended and are mitigating related risks. No justification for the questionnaire approach is documented. In addition, it was not always possible to follow the work performed and determine how certain conclusions were derived when reviewing the testing documentation for mission assessments.
Conclusion:
An effective testing methodology has been developed and it is generally applied consistently. However, some opportunities for improvement exist with respect to consistency of control testing practices, testing of design effectiveness, and risk-ranking findings based on impact.
Line of Enquiry 4 - Reporting
Criterion 4 - Results of control assessments are captured and communicated to business process owners and senior management through internal and external reports.
What was expected:
- The results of internal control assessments, including recommendations, are documented and communicated in a timely and effective manner.
- Management action plans are obtained and monitored by the Internal Control Team, and corrective actions are implemented by Business Process Owners in a timely manner.
- A system is in place to obtain, track and report on the status of Management Action Plans. The frequency of the follow-up review is once or twice annually.
- There are internal and external reports on the system of ICFM, as required by the Policy of Financial Management and outlined in the associated guides.
- There is an approval process in place for the review and dissemination of ICFM reports.
- Information included in ICFM reports cover key findings, risks and control deficiencies requiring follow-up.
Context:
- When assessment reports are shared in a timely manner, the observations and recommendations remain relevant.
- Key financial reporting risks are mitigated when corrective actions are taken in a timely manner to address identified deficiencies.
- Rigorous follow-up on recommendations provides assurance to the Chief Financial Officer that controls are operating effectively.
- Regular reporting to senior management on the status of the system of ICFM helps them fulfill their oversight function.
Findings:
Communicating Results and Management Action Plans
The Internal Control Team prepared reports to communicate assessment results, including control deficiencies and recommendations, to the Business Process Owners (at the Director General level) in a timely and effective manner. The Business Process Owners interviewed indicated their satisfaction with the quality and relevance of the observations and recommendations included in the internal control assessment reports.
The Internal Control Team developed a Management Action Plan Follow-up Tracker to record and track the status of all recommendations. The audit team reviewed this Tracker, specifically the status of 85 recommendations related to ten (10) assessment reports completed during the scope period of 2019-20 and 2020-21.
As of December 2021, Business Process Owners had not provided a management response for recommendations in three (3) of the ten (10) reports (one report dated August 2020 and two reports dated June 2021). Moreover, the Internal Control Team had only completed its follow-up process on one (1) of the ten (10) assessment reports mentioned above.
The Internal Control Team conducted a series of follow-up communications in February 2022 on four (4) additional business processes. See graphic below for a comparison of the progress made between December 2021 and mid-March 2022:
Text version
This image illustrates the progress made between December 2021 and mid-March 2022.
In December 2021, forty-six percent of management action plans did not include a response, twenty-one percent of responses were in progress, and thirty-three percent of management action plans were completed.
In March of 2022, eighteen percent of management action plans did not include a response, twenty-nine percent were in progress and fifty-three percent of management action plans were completed.
In addition to the 85 above mentioned recommendations, there were five (5) recommendations related to individual assessment of key controls for Capital Assets. The Internal Control Team does not always request the completion of a Management Action Plan for recommendations made in these types of assessments. This may limit the value of conducting these types of assessments as there is no timely follow-up on corrective actions to address the deficiencies identified.
During the period under review, the department did not have a rigorous process to track that all internal control assessment recommendations were addressed in a timely manner. Certain high-risk control deficiencies were left unresolved for several months due to non-responsiveness of the Business Process Owners, which may highlight a departmental accountability issue. Furthermore, recommendations were deemed as completed through communication with Business Process Owners and supporting documentation was generally not requested.
Internal and External Reports
The 2020-21 Annex to the Statement of Management Responsibility Including ICFR, was prepared as required by the Policy on Financial Management. Providing further Information, such as identifying sub-processes per business process and number of completed assessments during the year, would show the coverage of testing in the internal control universe.
There is no reporting to senior management, except for the Annex. This document is written at a high-level, focusing only on significant findings. Regular internal reports, such as finding reports, status reports and/or end-of-year reports, as detailed in the Guide to Ongoing Monitoring of ICFM, would be beneficial to inform senior management on the status of internal controls across the department.
Conclusion:
The department has some good practices in place for communicating the results of assessments to the Business Process Owners; however, there were significant weaknesses in obtaining, reviewing progress, as well as reporting on the follow-up of action plans.
The Annex to the Statement of Management Responsibility Including ICFR, is completed on an annual basis as required by the Policy. However, current reporting on the system of ICFM requires greater detail to support senior management and governance committees in fulfilling their ICFM related responsibilities.
Recommendations:
- The Assistant Deputy Minister, Corporate Planning, Finance and Information Technology (SCM) should establish a more rigorous tracking and monitoring system for management action plan follow-up.
- The Assistant Deputy Minister, Corporate Planning, Finance and Information Technology (SCM), should provide an annual update to the appropriate senior departmental management committee(s) and the Departmental Audit Committee on:
- ICFM-related roles and responsibilities;
- the status of the system of ICFM, including risk assessment results and modifications to the ongoing monitoring plan;
- the status of implementation of management action plans; and,
- the results of internal control assessments.
Conclusion
Canadians expect financial resources of the Government of Canada to be well-managed and safeguarded through effective internal controls and reliable and transparent reporting to demonstrate accountability for public funds spent to achieve government objectives.
The department has a framework and practices in place to assess, monitor, and report on the system of Internal Control over Financial Management. Moreover, the methodology applied for testing key internal controls and communicating results was generally effective. The department is also demonstrating measurable progress towards meeting the March 2024 target to bring four new financial management business processes to the ongoing monitoring phase.
Certain areas of improvement were noted to strengthen the overall system and to be better aligned with the Policy on Financial Management and its accompanying guides; specifically:
- risk assessment processes
- Ongoing Monitoring Plan
- follow-up on management action plans
- reporting to senior management and governance committees
Annex A: Audit Approach
| Planning (August to November 2021) | Examination (December 2021 to February 2022) | Reporting (March to June 2022) |
|---|---|---|
|
|
|
Statement of Conformance: The audit was conducted in conformance with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing and with the Treasury Board Policy and Directive on Internal Audit, as supported by the results of the external quality assurance assessment.
Annex B: Audit Criteria
| Criteria | Sub-Criteria |
|---|---|
| 1.0 Accountabilities, roles and responsibilities for the system of ICFM are formally defined, communicated, exercised, and are supported by an appropriate level of governance and oversight. | 1.1 Effective governance structures are in place, including the establishment of an internal control management framework and regular reporting to senior management, the Deputy Head and the Departmental Audit Committee. |
| 1.2 Roles, responsibilities, and accountabilities of key stakeholders (including senior management and business process owners) are clearly defined, documented, and communicated. | |
| 2.0 A system of ICFM is supported by an adequate risk assessment and ongoing monitoring plan. | 2.1 A full risk assessment is performed on a cyclical basis, and environmental scans are conducted in the intervening years. |
| 2.2 An approved ongoing monitoring plan is documented andimplemented in consultation with key stakeholders. | |
| 2.3 The department has developed an implementation plan and is demonstrating measureable progress for reaching the on-going monitoring stage for all ICFM business processes by 2023-24. | |
| 3.0 Testing methodology for the system of ICFM is effective and applied consistently across all processes. | 3.1 An effective methodology has been developed to test the system of ICFM and it is applied consistently, including a process-level risk assessment. |
| 3.2 The testing of design and operating effectiveness of key controls is performed effectively. | |
| 4.0 Results of control assessments are captured and communicated to business process owners and senior management through internal and external reports. | 4.1 Observations identified during ICFM testing, and recommendations for remediation, are communicated to business process owners in a timely manner. |
| 4.2 Management action plans are obtained and monitored by the Internal Control team, and corrective actions are implemented by business process owners, in a timely manner. | |
| 4.3 The information contained in internal and external ICFM reports (including the Annex to the Statement of Management Responsibility Including Internal Control over Financial Reporting) is complete and consistent with the results of control assessments. |
Annex C: Management Response and Action Plan
| Audit Recommendation | Management Response | Management Action Plan | Area Responsible | Expected Completion Date |
|---|---|---|---|---|
| 1. The Assistant Deputy Minister, Corporate Planning, Finance and Information Technology (SCM) should review and update the methodology for conducting risk assessments and preparing the Ongoing Monitoring Plan. | We agree with the recommendation to review and update. However, current financial statement risk assessment, which drives Global Affairs Canada’s ongoing monitoring approach, was prepared using a recognized methodology of a four-years cycle which was in line with the Treasury Board Secretariat Guide to Ongoing Monitoring of Internal Control over Financial Management (ICFM) that recommends a cycle of between 3 and 5 years. | The internal control team is engaging a 3rd party accounting firm to perform a detailed risk assessment, using an updated methodology that is in line the Treasury Board Secretariat Guide to Ongoing Monitoring of ICFM, to determine the in-scope processes that will make up the development of the revised Ongoing Monitoring Plan for the next review cycle. | Assistant Deputy Minister (ADM), Corporate Planning, Finance and Information Technology (SCM) | December 31, 2022 |
| 2. The Assistant Deputy Minister, Corporate Planning, Finance and Information Technology (SCM) should develop an operational plan that includes a resource analysis to support the ongoing monitoring process for the system of ICFM. | We agree with this recommendation. | An operational plan, including a resource analysis, will be developed to support the ongoing monitoring process for the system of ICFM. | ADM of SCM | February 28, 2023 |
| 3. The Assistant Deputy Minister, Corporate Planning, Finance and Information Technology (SCM) should establish a more rigorous tracking and monitoring system for management action plan follow-up. | We agree with the recommendation. However, the impact of the pandemic as well as priorities of the department during fiscal years 2019-20 to 2021-22 had been a factor in the internal control team’s ability to obtain responses from Business Process Owners. In certain cases, the internal control team made the conscious decision to defer following-up on recommendations in a few Management Action Plans in an effort to avoid undue pressure on Business Process Owners. | The internal control team will take steps to improve the tracking and monitoring system for management action plan follow-ups. The internal control team will document the frequency of the follow-ups and related reporting as well as developing an escalation process for high risk recommendations that will ensure they are addressed in a timely manner. | ADM of SCM | March 31, 2023 |
4. The Assistant Deputy Minister, Corporate Planning, Finance and Information Technology (SCM), should provide an annual update to the appropriate senior departmental management committee(s) and the Departmental Audit Committee on:
| We agree with this recommendation. | A presentation that includes information on ICFM-related roles and responsibilities, the status of the system of ICFM, the results of internal control over financial management assessments and the status of implementation of management action plans, will be prepared and delivered on a yearly basis to the Departmental Audit Committee, and to the appropriate departmental senior management committee(s). | ADM of SCM | June 30, 2023 |
- Date Modified:
