Audit of Internal Controls over Financial Reporting

October 2015

EXECUTIVE SUMMARY

In 2009, the Treasury Board Policy on Internal Controls (PIC), strengthened the requirements related to internal controls, with the objective of improving the quality of financial management and reporting, and strengthening financial accountability and transparencyFootnote1. The PIC charges Deputy Ministers (DM) with the responsibility to ensure the establishment, maintenance and monitoring of the departmental system of internal control.

To comply with PIC requirements and in support of the annual Statement of Management Responsibility Including Internal Control over Financial Reporting, Transport Canada (TC) management assesses internal controls as they relate to financial information reporting and the departmental financial statements. The Transport Canada Internal Control over Financial Reporting Framework (ICFR Framework) was developed and the Financial Monitoring and Quality Control unit (FMQC) within Corporate Services conducts risk-based assessments of the Internal Controls over Financial Reporting (ICFR) system as part of its ongoing monitoring plan.

The objective of this audit was to provide assurance to the Deputy Minister and the Departmental Audit Committee (DAC) that the ongoing ICFR monitoring process is sound and can be relied upon.

TC has established a sound monitoring process to assess the design and operating effectiveness of ICFR at the business process level, which includes a comprehensive ICFR Framework for Risk-Based Assessment and Monitoring. However, the Framework does not clearly delineate between the objective and scope of ICFR and that of the Department’s broader internal control management framework. This lack of clarity increases the risk of managers misunderstanding their responsibilities for the overall system of internal controls as well as their overreliance on the ICFR monitoring and related assessment results in providing assurance beyond financial misstatements.

With respect to testing controls for external financial reporting, some improvements should be made. Design effectiveness assessment tools and processes need to be further standardized, assessment results better documented and clear direction provided on how to consider fraud. There is a strategy for conducting operational effectiveness testing that includes adequate associated guidance and tools. However, completed assessments could be better documented, sampling methodology terminology standardized, and the need for statistical testing determined.

Overall, we can conclude that senior management and assurance providers can rely on the Department’s monitoring process to assess the effectiveness of the ICFR Framework at the business process level for external financial reporting.

Statement of Conformance

This Audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of an external assessment of Internal Audit’s Quality Assurance and Improvement Program.

Signatures

Dave Leach

Dave Leach (CIA, MPA) Director, Audit and
Advisory Services

08/10/2015

Date

Martin Rubenstein

Martin Rubenstein (CPA, CIA, CFE) Chief Audit and Evaluation Executive

08/10/2015

Date

1. INTRODUCTION

1.1. Purpose

The Treasury Board Policy on Internal Controls (PIC) in 2009 strengthened the requirements related to internal controls, with objectives to improve the quality of financial management and reporting, and to strengthen financial accountability and transparency.

Transport Canada (TC) has developed the Transport Canada Internal Control over Financial Reporting Framework (ICFR Framework) to address ICFR in the context of PIC.

Internal Control Management (ICM), as defined in the ICFR Framework, is a set of means to mitigate risks and provide reasonable assurance in the effectiveness and efficiency of programs, operations and resource management, including safeguarding of assets; the reliability of financial reporting; and, compliance with legislation, regulations, policies and delegated authorities. Internal controls operate at all levels throughout the organization and are an integral part of an organization's risk management framework. In practice, the departmental system of internal control is composed of several internal control systems covering various management areas, such as financial management and financial reporting.

The ICFR Framework defines ICFR as a set of means that allow management and users of financial statements to have reasonable assurance that:

  • Records which fairly reflect all financial transactions are maintained;
  • Recording of financial transactions permits the preparation of internal and external financial information, reports, and statements in accordance with policies, directives and standards; and
  • Revenues received and expenditures made are in accordance with delegated authorities, and unauthorized transactions that could have a material effect on financial information and financial statements are prevented or detected in a timely manner. This includes providing reasonable assurance that financial resources are safeguarded against material loss due to waste, abuse, mismanagement, errors, fraud, omissions and other irregularities.Footnote2

ICFR is a sub-set of the broader departmental system of ICM.

1.2. Background

TC has designed a broad system of internal control as depicted in the following diagramFootnote3:

Diagram A: Transport Canada’s System of Internal Control

Text version of Diagram A: Transport Canada’s System of Internal Control

This diagram contains three nested circles and a fourth circle that intersect the three nested circles.

The largest circle represents the Internal Control Management Framework. This is the broad set of internal controls within TC. The Deputy Minister as Accounting Officer is ultimately responsible for these controls.

The medium sized circle inside the large circle represents Financial Management. This is the system of controls over financial management, which are a subset of the broader controls. The Chief Financial Officer is responsible for these controls.

The small circle inside the medium circle represents Internal Controls over Financial Reporting. This is the system of controls over financial reporting, which are a subset of the financial management controls. The Treasury Board Policy on Internal Controls focuses specifically on ICFR.

The fourth circle that intersects all three nested circles identifies the fact that Assistant Deputy Ministers have some responsibilities across broader controls, financial management controls and ICFR.

An effective internal control management (ICM) oversight regime requires the Deputy Minister, the CFO and senior departmental managers (TMX members), to establish, maintain, support and monitor the departmental system of internal control, including ICFR, by exercising the following functions:

  • Reviewing and approving financial reporting risk assessments, including entity level risk assessments that have an impact on sound financial managementFootnote4 and control;
  • Promoting and enforcing the TC Code of Values and Ethics in the day-to-day conduct of departmental business;
  • Including internal control measures in the senior management performance measurement agreements, and promulgating these measures within their respective organizations;
  • Encouraging and conducting, where appropriate, on-going communication and training on statutory requirements, policies and procedures in support of sound financial management and control;
  • Monitoring regular updates on ICM for ICFR including assessment results and approving corrective management action plans for their areas of responsibility;
  • Providing annual confirmation of ICM results by “signing off” on controls management over ICFR for their areas of program responsibility;
  • Signing the annual Letter of Representation regarding financial information reported in the Public Accounts of Canada; and
  • Specific to the CFO; ensuring annual risk-based assessments on the effectiveness of ICFR and ongoing monitoring of financial controls in the Department are conducted, and approving and signing the annual Statement of Management Responsibility including Internal Control over Financial Reporting that accompanies the departmental Financial Statements for the DM’s signature.

As per Diagram A, ICFR is a subset of the controls for financial management which in turn is a subset of an internal control management framework. While the PIC addresses all internal controls, to date it has only established guidance with respect to ICFR.

Types of Controls

There are various types of controls, which are grouped into three categories:

Entity Level Controls (ELCs)

ELCs refer to those controls and practices in place that permeate across the Department and may have a direct or indirect impact or influence on the integrity of the Department’s financial reporting. Entity-level controls set the tone from the top and broad expectations for the manner in which a department or agency will pursue its objectives, and as such, have a pervasive influence throughout the Department. If these controls are weak, inadequate, or nonexistent, their weakness will have a fundamental impact on the reliability of controls at the process level, and ultimately, impact the Department’s ability to achieve its goals and objectives.

TC is in the process of establishing a three-year cyclical risk-based assessment of the ongoing operating effectiveness of its updated ELCs, while balancing appropriate risks and resource implications. The ELCs are mapped to the COSO Internal Control - Integrated Framework (2013). The first ongoing monitoring assessment year will be 2015-16.

Information Technology General Controls (ITGCs)

As ITGCs support the initiation, recording, processing and reporting of financial transactions, they are an integral part of ICFR. When strong ITGCs exist at the Information Technology system level, ITGCs form the foundation for placing greater reliance on automated application controls embedded within the financial systems.

An external firm assessed the ITGCs and reported on the results in June 2014. The next ongoing monitoring of ITGCs is planned for 2016-17.

Business Process Controls

Business process controls which are comprised of both manual and automated controls are embedded in financial transactions (e.g. account verification, delegated section 32 and 34 approvals, etc.). Automated application controls, which are not ITGCs, are documented as part of the business process.

TC has identified nine key business processes:

  1. Payroll and salary benefits
  2. Capital assets and work in progress
  3. Grants and contributions (transfer payments)
  4. Financial close and reporting
  5. Accruals and other general entries (PAYEs, Pay Accruals, Environmental Liabilities and other Journal Entries)
  6. Travel procurement
  7. Financial budgeting and forecasting
  8. Revenue and receivables
  9. Procurement (operating expenditures, contracting and commitments)

ICFR Framework

TC’s key governance document supporting Internal Control over Financial Reporting is the Internal Control over Financial Reporting Framework for Risk-Based Assessment and Monitoring (ICFR Framework). This document establishes the departmental management control framework for addressing ICFR requirements in the context of PIC as well as provides a structured risk-based assessment and monitoring strategy for sustaining an effective ICFR system.

The ICFR Framework was originally developed, approved and implemented in November 2012. It sets the foundation and establishes accountabilities and a standard approach for the development, implementation, monitoring and management of ICFR in the Department. In November 2014, Transport Canada Executive Management Committee (TMX) approved an updated ICFR Framework that aligns with the 2013 COSO Framework and other improvements.

Methodology for ICFR Testing

Monitoring ICFR involves two types of testing: design effectiveness testing and operating effectiveness. Design effectiveness testing involves identifying the risks to the reliability of financial statement information within key business processes and reviewing the existing controls against those risksFootnote5. Operational effectiveness testing assesses whether key controls are operating as intended over a period of time and identifies weaknesses or gaps in the applicationFootnote6. FMQC reported that design effectiveness testing and operating effectiveness testing have been completed for key business processes.

FMQC reports the findings of its assessments to the business process owners who are responsible for developing management action plans (MAPs) in response to any recommendations. As well, the results of ICFR assessments and MAP monitoring activities are reported, on a semi-annual basis to TMX and the Departmental Audit Committee (DAC).

Transport Canada has established an ongoing monitoring strategy to define its approach to monitoring the effectiveness of ICFR. While some areas of risk are to be assessed on a three-year basis, high-risk processes and/ or controls are to be reviewed on an annual basis.

1.3. Audit objective, scope, approach and criteria

1.3.1. Audit Objective

The objective of this audit was to provide assurance to the Deputy Minister and DAC that the ongoing ICFR monitoring process is sound and can be relied upon.

Additionally, at the June 2015 DAC meeting, IA discussed its plans for an integrated auditing approach, which in the longer term will allow IA to leverage ICFR assessment and monitoring work and prevent duplication of effort.

1.3.2. Audit Scope and Scope Exclusions

IA reviewed the:

  • Governance structure in place to support sound ICFR oversight;
  • Clarity of accountabilities, roles and responsibilities in the implementation and monitoring of ICFR;
  • Appropriateness and consistent application of the ICFR framework and risk-based monitoring plan in determining the ongoing effectiveness of the system of ICFR;
  • Comprehensiveness of the approach used to conduct the design and operating effectiveness testing, and ongoing monitoring assessments (e.g. methodologies, processes and procedures);
  • Monitoring and reporting of control weaknesses and related management action plans; and
  • Risk assessments and the design of related internal controls over financial reporting for the Department’s key business processes.

Internal Controls over Financial Reporting are a subset of all internal controls at Transport Canada. The audit focused on the ICFR work related to business process controls. ELCs and ITGCs will be considered for review in future audits and were excluded from the scope of this audit as were internal controls and related elements that, although important to the operations of the Department, do not address financial reporting concerns.  

The audit does not provide an opinion on the accuracy of balances reported in the financial statements prepared by the Department.

1.3.3. Audit Approach

During the planning phase, the audit team completed detailed testing of the procurement business process, one of the nine business processes, in order to understand how FMQC carries out its work. This enabled the audit team to identify the risks of an effective ICFR framework, define appropriate audit criteria and determine an approach to complete the audit conduct phase. To complete the audit, we interviewed key departmental officials and business process owners both within the NCR and the regions, reviewed documentation and analyzed data.

1.3.4. Audit Criteria

The following criteria were used to assess the effectiveness of the ICFR management control framework:

  1. The actual scope, application, and implementation of the ICFR testing are consistent with those defined in the framework;
  2. ICFR assessments help to ensure financial resources are properly authorized and unauthorized transactions that could have a material effect on financial information and financial statements are prevented or detected in a timely manner to safeguard against material loss due to waste, abuse, mismanagement, errors, fraud, omissions and other irregularities;
  3. Business process owners understand their responsibility for ensuring controls are designed and operating effectively including internal controls that impact financial reporting;
  4. A thorough risk assessment is completed that identifies and assesses all relevant risks to internal controls over financial reporting;
  5. Key controls are designed and implemented to mitigate risks to financial reporting, including pre- and post-payment accounting verification activities of the departmental National Sampling Plan;
  6. There is sufficient information collected to test key controls and provide reliable results;
  7. Operating effectiveness of key controls is adequately tested;
  8. Roles and responsibilities are clearly defined and communicated to business process owners to ensure they understand their responsibility to report significant business process changes that may impact the departmental ICFR ongoing monitoring plan;
  9. Business process maps maintained by FMQC are updated, as necessary, to reflect any significant changes prior to testing/retesting key controls;
  10. Key business processes or controls are assessed on a cyclic basis that is consistent with the level of risk associated with it, and subject to internal resource capacity;
  11. Results of key controls testing are documented and communicated to business process owners and senior management; and
  12. Business process owners develop and implement management action plans based on recommendations identifying weaknesses in key controls.

1.4. Report structure

The report is comprised of three sections:

  1. Internal Controls over Financial Reporting Framework (ICFR Framework)
  2. Design Effectiveness Testing
  3. Operational Effectiveness Testing

For each of the above, we include important contextual information, what we expected to find, and our overall findings supported by specific observations and recommendations.

The last section of the report is management’s action plan to address the audit recommendations.

2. FINDINGS & RECOMMENDATIONS

2.1 Internal Controls over Financial Reporting Framework (ICFR Framework)

Context:

Under the Policy on Internal Control the federal government is expected to be well managed with the prudent stewardship of public funds, the safeguarding of public assets, and the effective, efficient and economical use of public resources. It also sets an expectation for reliable reporting that provides transparency and accountability for how government spends public funds to achieve results for Canadians.Footnote7 While the policy includes all controls, its main focus for direction and accountability is for internal controls over financial reporting. Departments are required to demonstrate that they have an effective system of internal control over financial reporting through the departmental Statement of Management Responsibility Including Internal Control over Financial Reporting that accompanies the financial statements that are linked to and published concurrently with Departmental Performance Reports.

What We Expected:

As a core element in support of an effective and sustainable system of internal controls over financial reporting, Internal Audit expected that the Department would have in place a governing document whereby:

  • The actual scope, application, and implementation of the ICFR testing are consistent with those defined in the framework.
  • ICFR assessments help to ensure financial resources are properly authorized and unauthorized transactions that could have a material effect on financial information and financial statements are prevented or detected in a timely manner to safeguard against material loss due to waste, abuse, mismanagement, errors, fraud, omissions and other irregularities;
  • Roles and responsibilities are clearly defined and communicated to business process owners to ensure they understand their responsibility to report significant business process changes that may impact the departmental ICFR ongoing monitoring plan;
  • Business process owners understand their responsibility for ensuring controls are designed and operating effectively including internal controls that impact financial reporting;

What We Found:  

An ICFR Framework was developed and includes all the key elements expected in a framework. However, the framework does not clearly delineate between the objective and scope of ICFR and that of the Department’s broader internal control management framework.

Strengths

Transport Canada has developed and approved an ICFR framework called the TC Internal Control over Financial Reporting Framework for Risk-based Assessment and Monitoring. The ICFR Framework is a living corporate document that has evolved over the years. It was first developed and implemented in November 2012, and later updated in October 2013 and November 2014 to incorporate better direction and guidance gained from experience in the conduct of ICFR assessments.

The stated purpose of the document is to establish the Department’s framework for addressing the requirements for ICFR in the context of the TBS Policy on Internal Control and to provide an assessment and monitoring strategy to sustain an effective system of ICFR. From our review of the document, we established that key elements of the framework in support of this purpose have been identified and documented, including:

  • a depiction of ICFR relative to the Department’s broad system of internal controls
  • principles underpinning and supporting the ICFR framework
  • the governance structure and oversight mechanisms through the established committee structure in TC Governance under the PAA supplemented by detailed roles and responsibilities outlined in the ICFR framework
  • a description of the levels and types of controls for ICFR and a depiction of their integration in support of financial reporting
  • approaches to assessment and monitoring of internal controls over financial reporting including guidance and methodologies for the conduct of ICFR assessments, and for the development and risk-based implementation of an ongoing monitoring plan including testing of the controls.
  • requirements for reporting of assessments and for corrective measures to be taken and monitored; and,
  • detailed roles and responsibilities for ICFR at all levels of management, with significant roles and responsibilities assigned to:
    • the CFO and delegated stakeholders in Financial Controls and Accounting Services as functional authorities responsible for maintaining, managing, ICFR including testing and monitoring of the system;
    • Directors General (as Business Process Owners), responsible for supporting senior management in conducting risk assessments, designing controls, and taking corrective actions over significant weaknesses identified within their area of responsibility; and,
    • the Chief Audit Executive and the Departmental Audit Committee responsible for supporting senior management and the Deputy Minister through the provision of objective, independent advise on the system of ICFR.

Opportunities for Improvement

The audit team identified opportunities to clarify the ICFR Framework to help ensure roles and responsibilities and the scope and limitations of monitoring activities are well defined and understood amongst the management team.

At TC, the Internal Control Management (ICM) encompasses the management of all controls including those for ICFR. Although there is no documented framework for ICM, business process owners and managers are responsible for ensuring that internal controls within their purview are designed appropriately and are working as intended.

The current ICFR Framework identifies the objective of ICFR as,

“The Department maintains an effective risk-based system of ICFR to ensure that transactions are appropriately authorized, financial records are properly maintained, assets are safeguarded from risks such as waste, loss, fraud and mismanagement, and applicable laws, regulations, directives and policies are followed; and to ensure that risks related to stewardship of public resources are adequately managed through effective internal controls, including ICFR.”

However, this objective overstates what ICFR monitoring is actually assessing.Financial Controls and Accounting Services confirmed that, in practice, the focus of ICFR assessments and related reporting is limited to activities impacting external financial reporting and not financial management or the Department’s overall internal control management framework.

At the end of each fiscal year, senior managers sign off on two attestations: the Senior Departmental Manager ICM Sign Off and the OAG Letter of Representation for Public Accounts.

The ICM Sign Off confirms that:

  • managers in their organization make decisions in light of timely, relevant and reliable integrated financial and non-financial performance information, analysis and advice, consistent with the Department’s strategic Program Alignment Architecture (PAA) framework;
  • cost-effective integrated controls suitable to their organization environment are in place to safeguard assets within the risk and fraud management framework, and to ensure prudence, probity, and sound financial management of assets and liabilities; and,
  • the TC financial management framework within a manager’s organization’s purview of responsibilities is monitored in collaboration with the Financial Management Advisor (FMA) / Regional Chief, Finance and Administration.Footnote8

The Letter of Representation for Public Accounts includes 28 items that could impact the Public Accounts including, Internal Controls, Financial Reporting, Asset Safeguarding, Litigation, and Fraud. Each senior manager is asked to sign off on the letter before the Deputy Minister submits it to the Office of the Auditor General.

We found that the degree to which managers conduct testing prior to their signing off on the two attestations varies. For example, in the Quebec region, staff prepare a report on the state of controls; some staff brief senior managers, and others rely completely on ICFR testing.

The lack of clarity between the ICM and the ICFR Framework increases the risk of managers’ misunderstanding their responsibilities with respect to the broader system of internal controls. Simply put, work performed under the ICFR is not adequate in and of itself for managers to discharge their responsibilities related to the requirements of signing the letter of representation for public accounts.

Recommendation:

  1. 1. ADM Corporate Services should revise the TC Internal Control over Financial Reporting Framework for Risk-based Assessment and Monitoring document to clearly define the objective and scope specific to ICFR testing and to differentiate it from that of Internal Control Management.

2.2. Design Effectiveness Testing

Context:

The design of controls is fundamental to ICFR and involves identifying business processes that impact financial reporting and developing controls to address risks to financial reporting associated with those business processes. In the context of ICFR, design effectiveness testing assesses whether controls exist for identified risks and whether they are designed in such a manner that, if properly implemented and executed, they would be effective in mitigating the identified risks related to financial reporting.

What We Expected:

Internal audit expected that:

  • a thorough risk assessment is completed that identifies and assesses all relevant risks to internal controls over financial reporting; and
  • key controls are designed and implemented to mitigate risks to financial reporting, including pre- and post-payment accounting verification activities of the departmental National Sampling Plan.

What We Found:

Design effectiveness testing includes the necessary documentation and risk assessments and has been validated by the respective process owners.

Strengths

Overall, business processes are documented in adequate detail, are standardized, and are supported by respective process and sub-process maps that provide a visual depiction of each process step and identify control owners, key control points and accountabilities.

The risk-control matrices identify and rank the risks as well as identify the related controls and control activities, the control owner, the nature of the control and the frequency at which it is exercised, and the relevant financial statement assertion(s) it addresses. Process owners have validated their respective documented processes.

Opportunities for Improvement

Risk-Control Matrices

For ICFR assessments, the risk and control matrix is a planning tool used to identify financial reporting risks associated with a business process and then prioritize/rank those risks along with the addressing internal controls. The development of the ICFR risk and control matrices for business processes occurred over a period of two years. The template for the risk and control matrices evolved over time to incorporate changes in the ICFR Framework.

While FMQC continues to update the ICFR Framework to address inconsistencies in its application there is a need to further standardize the approach to completing the risk-control matrices.

We found that the risk-control matrices are not complete for two of the nine business processes. A matrix related to the business process for the Accruals and Other Journal Entries business process had not been completed. For the Grants and Contributions business process matrix, risks are not ranked, key controls and control owners are not identified, and there is no associated column to indicate whether the potential for fraud has been assessed. Management has advised IA that the Grants and Contributions risk and control matrix has not been completed given the resources and level of effort required to complete them; its scope included multiple Grants & Contributions programs involving a number of groups and regions; as well, the conduct of the related ICFR assessments spanned two approved versions of the ICFR framework. Both risk matrices will be completed as part of the next round of testing.

We also found that there are variations in the completed matrices. With respect to materiality, for example, there is no documentation on how materiality is calculated. As a result, there appears to be inconsistency in materiality levels when this is considered in the risk scale. For travel expenditures, a monetary impact of less than $1.25M is considered low whereas for salaries and benefits a monetary impact of greater than $1M is considered significant. It is also not clear how the materiality levels used in the risk assessments relate to the overall materiality indicated in the Framework where the impact of a misstatement of up to $8M is considered negligible.

The control frequency at which specific controls are to be exercised was not documented in one business process (Grants and Contributions) and two sub processes (Revenue Streams related to Medical Certificates and Aviation Safety).

Our review of the risk-control matrices confirmed that risk levels have been assigned for the risks identified and that the majority of the risks have been assigned a low to medium risk score. Even though there may be no direct correlation between the number of key controls and business processes risk ratings, there was no documentation available that helped the reader understand why some business processes with low risks had more key controls than business processes that had higher risks and few key controls. For example, in the Revenue and Receivables business process, the risk of not invoicing for service requests in the Aviation Safety revenue stream is given a score of eight and there is no associated key control, whereas the same risk in the Marine Safety revenue stream is assigned a combined score of 4 and has one associated key control. Without documentation to confirm otherwise, one would expect that the business process with the higher risk would have more key controls.

Completing and further standardizing the approach for completing the risk-control matrices for all business processes would support and promote a common understanding of the processes and would enhance the effective design, application, monitoring and evaluation of controls. It would also help to ensure results are comparable and testing resources are targeted to the areas of highest risk.

Fraud Risk

In the development of the risk and control matrices, key processes where risk of material error and fraud is most likely are considered from the perspective of appropriate segregation of duties and automation/system accesses. The 2013-14 risk and control matrix template was updated to include another attribute column to separately identify areas where there may be a more likely opportunity for fraud. Although the fraud column is in the matrices, for six of the nine processes we reviewed, the controls identified were considered not to be addressing fraud. However, some of these controls may in fact address fraud either directly or indirectly.

There is no documented approach on how to consider the risk of fraud when completing the risk-control matrices. Explicitly identifying fraud scenarios and related risks, and aligning controls to these identified risks would enhance the Department’s ability to demonstrate that fraud is adequately considered in the design and implementation of its ICFR framework.

Recommendation:

  1. 2. As part of the cyclical assessment of ICFR, the ADM Corporate Services should ensure that:
    • tools and processes related to risk control matrices are further standardized and documented; and
    • direction is provided with respect to how fraud is considered when business processes are assessed.

2.3. Operational Effectiveness Testing

Context:

Testing the effectiveness of internal controls is a requirement of the PIC and is a critical element of the framework that supports the maintenance of a departmental ICFR system. Once it has been determined that the design of internal controls is effective, operational effectiveness testing is undertaken to evaluate whether the internal controls are operating as designed - the controls were performed consistently at the frequency required by the designated/authorized persons over a period of time.

At TC, FMQC is responsible for operational effectiveness testing.

What We Expected:

In keeping with our audit criteria, we expected the following:

  • operating effectiveness of key controls is adequately tested;
  • there is sufficient information collected to test key controls and provide reliable results;
  • business process maps maintained by FMQC are updated, as necessary, to reflect any significant changes prior to testing/retesting key controls;
  • key business processes or controls are assessed on a cyclic basis that is consistent with the level of risk associated with it, and subject to internal resource capacity;
  • results of key controls testing are documented and communicated to business process owners and senior management; and
  • business process owners develop and implement management action plans based on recommendations identified from weaknesses in key controls.

What We Found:

There is a monitoring plan in place that is consistent with the strategy outlined in the ICFR Framework. The monitoring plan sets out a realistic timeline for the assessment of all nine business processes and related controls over a three-year period (2014-15 to 2016-17).

Strengths

Operational Effectiveness Testing

By March 31, 2014, FMQC as part of its initial assessment of ICFR, had completed operational effectiveness testing for all business processes (Capital Assets and Work in Progress, Transfer Payments, Payroll and Salary Benefits, Travel, Accruals and Other General Entries, Revenues and Receivables, Financial Close and Reporting, Procurement, and Budgeting and Forecasting) As part of the monitoring phase and consistent with the ongoing Monitoring Plan, FMQC conducted assessments in 2014-15 of controls related to Capital Assets and Work in Progress; Transfer Payments; and, Payroll and Salary Benefits.

Risk assessments are conducted every three years with participation from corporate services and programming staff to inform and validate the monitoring plan. Environmental scans performed in the intervening years between risk assessments identify changes that may impact and require amending the monitoring plan. We reviewed the documentation from the June 2014 risk assessment workshop and did not identify any inconsistencies between the results of the risk assessment and the established monitoring plan.

Our review of FMQC’s work confirmed that there is an overall strategy and a methodology for the conduct of operational effectiveness testing. There is adequate planning, including guidance and tools provided to staff undertaking the work at NCR and in the regions. Direction provided on sampling methods is consistent with industry best practices. FMQC performs quality assurance on the work performed, consolidates observations and develops findings and recommendations. Work is documented and findings are adequately supported.

Results for the 2013-14 and 2014-15 assessments were presented to TMX and DAC in June 2014 and 2015, respectively.

Our review of the assessment results and related reports confirmed that findings resulting from the testing were ranked by risk level, recommendations were put forward, Management Action Plans (MAPs) were developed to address recommendations, and FMQC monitored the implementation of MAPs and reported the status to TMX and the DAC. According to the 2014-2015 ICFR Assessment Results Report, 48 of 51 (94%) of the MAPs from the 2013-14 assessment that related to business processes had been completed and minor delays in the remaining three were being monitored with no immediate attention required.

Opportunities for Improvement

The audit did identify some opportunities to improve operational effectiveness testing.

Sampling Methodology

The framework currently states that a statistical random sampling methodology will be adopted where feasible. However, not all criteria required for the statistical test have been defined in the framework. Moreover, the terminology is not used consistently. For example random sampling, statistical random sampling and statistical sampling are used interchangeable which is confusing for both the individual performing the sampling and those relying on the results. In addition, the sole benefit of performing a statistical test is to be able to provide a statistical conclusion. However, the assessment reports we reviewed did not include any such conclusion.

Inconsistency between the testing methods used and the approved methodology outlined and in terminology used in the ICFR Framework could increase the misinterpretation of results.

Scope of Testing

The ICFR Framework document specifies that the scope of ICFR assessment testing is determined by identifying all key controls for evaluation. However, the rationale for the scope of not testing specific business sub-processes is not adequately documented. For example, the assessment reports for testing related to the Pay and Salary Benefits and the Capital Assets and Work in Progress business processes did not include documentation that explained why certain sub-process were not tested.

Documenting the rationale for the scope and extent of testing of specific sub-processes and controls, would help clarify what conclusions can be drawn from testing and enhance the efficiency of future testing.

Recommendation:

  1. 3. ADM Corporate Services should ensure:
    • the sampling methodology is revised to include the determination of whether a statistical test is required for ICFR assessment reports, standardized statistical terminology, and guidance on acceptable error rates and sample sizes for random sampling; and
    • the rationale for the scope of testing in the cyclical assessment is adequately documented including providing an explanation for the exclusion of certain sub processes within a business process.

3. CONCLUSION

TC has established a sound monitoring process to assess the design and operating effectiveness of ICFR at the business process level, which includes a comprehensive ICFR Framework for Risk-Based Assessment and Monitoring. However, the Framework does not clearly delineate between the objective and scope of ICFR and that of the Department’s broader internal control management framework. This lack of clarity increases the risk of managers misunderstanding their responsibilities for the overall system of internal controls as well as their overreliance on the ICFR system and related assessment results in providing assurance beyond financial misstatements.

With respect to testing for external financial reporting, some improvements should be made. Design effectiveness assessment tools and processes need to be further standardized, assessment results better documented and clear direction provided on how to consider fraud. There is a strategy for conducting operational effectiveness testing that includes adequate associated guidance and tools. However, completed assessments could be better documented, sampling methodology terminology standardized, and the need for statistical testing determined.

Overall, we can conclude that senior management and assurance providers can rely on the Department’s monitoring process to assess the effectiveness of the ICFR Framework at the business process level for external financial reporting.

4. RECOMMENDATIONS AND MANAGEMENT ACTION PLAN

Recommendation Management Action Plan Completion Date
(for each action)
OPI direct report for each specific action
  1. 1. ADM Corporate Services should revise the TC Internal Control over Financial Reporting Framework for Risk-based Assessment and Monitoring document to clearly define the objective and scope specific to ICFR testing and to differentiate it from that of Internal Control Management.

The ICFR Framework document will be updated to clarify the objective and better separate the scope of Internal Control Management and ICFR.

March 2016

Director, Financial Controls and Accounting Services

  1. 2. As part of the cyclical assessment of ICFR, the ADM Corporate Services should ensure that:
    • tools and processes related to risk control matrices are further standardized and documented; and
    • direction is provided with respect to how fraud is considered when business processes are assessed.

Risk Control matrices will be completed for Grants and Contributions business process as well as for the Accruals and Other Journal Entries business process.

Additional guidance and direction will be added to the risk and control matrices, including how fraud is to be considered. This will provide more direction when conducting ongoing monitoring of ICFR assessments.

March 2016

Director, Financial Controls and Accounting Services

  1. 3. ADM Corporate Services should ensure:
    • the sampling methodology is revised to include the determination of whether a statistical test is required for ICFR assessment reports, standardized statistical terminology, and guidance on acceptable error rates and sample sizes for random sampling; and
    • the rationale for the scope of testing in the cyclical assessment is adequately documented including providing an explanation for the exclusion of certain sub processes within a business process.

The ICFR Framework will be updated to:

Identify a sampling approach based on consideration of what approach is needed;

Consistent use of standardized statistical terminology; and

Guidance on acceptable error rates and sample sizes for the sampling approach selected.

The ICFR assessments will include an explanation for the exclusion of certain sub processes. In addition, the ICFR framework will be updated to reflect that key controls are not necessarily present in every business sub-process.

March 2016

Director, Financial Controls and Accounting Services

Date modified: