2010-2011 Annex to the Statement of Management Responsibility Including Internal Control over Financial Reporting (unaudited)

1. Introduction

This document is attached to the Office of the Information Commissioner of Canada’s Statement of Management Responsibility Including Internal Control over Financial Reporting for the fiscal year 2010–2011. As required by the Policy on Internal Control, this document lists the measures taken by the Office to maintain an effective system of internal control over financial reporting (ICFR). In particular, it provides a summary of the assessments conducted by the Office as at March 31, 2011, including progress, results and related action plans, along with some financial highlights pertinent to understanding the Office’s unique control environment.

The Information Commissioner of Canada is an Agent of Parliament and therefore not subject to monitoring by the Comptroller General of Canada for compliance with the Policy on Internal Control (see Section 2 of the policy). Instead, the Commissioner as deputy head is responsible for compliance and responding to any instance of non-compliance. As a result, the Office of the Information Commissioner is being extra vigilant in ensuring it has the controls in place to ensure proper governance and in assessing their effectiveness.

1.1 Authority, mandate and program activities

The Office of the Information Commissioner was created under the Access to Information Act, which came into force on July 1, 1983. The Information Commissioner is an Agent of Parliament appointed by the Governor-in-Council following approval by resolution of the Senate and the House of Commons. The Office is listed under Schedule I.1 of the Financial Administration Act and is funded through annual appropriations. The Commissioner is accountable for, and reports directly to Parliament on, the results achieved.

Detailed information on the Office’s authority, mandate and program activities can be found in its Report and Plans and Priorities, Departmental Performance Report and Strategic Plan 2011–2014.

1.2 Financial highlights

Below is key financial information for 2010–2011. Additional information can be found in the Office’s audited Financial Statements and Notes to Financial Statements. Information can also be found in the Public Accounts of Canada (under the Department of Justice Canada).

  • Total expenses were $14.5 million. Salaries and benefits comprised the majority of expenses (73 percent or $10.5 million).

  • Tangible capital assets comprised 51 percent of total assets ($2 million), while accounts receivables accounted for 3 percent.

  • Total liabilities were $3.2 million. Employee severance benefits represented the largest portion of liabilities (57 percent). Accounts payable (including salaries, vacation and overtime) made up the remaining 43 percent.

  • The Office lapsed only $148,000, or 1.2 percent of total authorities, in 2010–2011. In 2009–2010, the Office lapsed $182,000, or 1.5 percent of total authorities.

  • The Office received $400,000 through a special-purpose allotment to fund its work on litigation and complex cases. The Office used the funds to acquire specialized legal and investigative services to carry out ongoing court proceedings and complex cases, and to prepare for upcoming litigation.

  • The Office had 98 employees as at March 31, 2011.

  • The Office’s primary financial system is Freebalance.

1.3 Service arrangements

The Office relies on other organizations to process various transactions that are recorded in its financial statements:

  • Public Works and Government Services Canada (PWGSC) centrally administers the payment of salaries and the procurement of some goods and services, and provides cheque-issuing services as well as accommodations for the Office.

  • Treasury Board of Canada Secretariat (TBS) provides information used to calculate various accruals and allowances, such as the accrued severance liability and the Employee Benefits Plan, and pays the employer’s share of health and dental insurance premiums.

  • The Office relies on figures from other organizations for services received, including accommodation from PWGSC, employee benefits from TBS, and Workers’ Compensation benefits from Human Resources and Skills Development Canada.

  • The Office of the Auditor General (OAG) provides audit services to the Office.

  • For the purposes of the Financial Administration Act, the Office of the Information Commissioner and the Office of the Privacy Commissioner (OPC) must submit their trial balances jointly to PWGSC. It was agreed that the OPC would host the servers that include the financial and salary management systems.

1.4 Material changes in 2010–2011

The following significant changes within the Office occurred in 2010–2011:

  • Suzanne Legault was appointed Commissioner on June 30, 2010.

  • The Office underwent a reorganization at the end of the fiscal year in order to fully follow the CFO model. In particular, the former Policy, Communications and Operations Branch (now known as Corporate Services) was streamlined with a view to enhancing controls and accountability for all corporate functions.

  • The Office produced its first future-oriented financial statements.

  • The Office received $400,000 through a special-purpose allotment to fund its work on litigation and complex cases.

2. OIC’s control environment

The Office, although a small entity with very low risk associated with its system of internal control, recognizes the importance of senior management leadership in ensuring that staff at all levels understand their role in maintaining effective systems of ICFR and are well equipped to exercise these responsibilities effectively. The Office’s focus is to ensure risks are well managed through a responsive and risk-based control environment that enables continuous improvement and innovation.

2.1 Key positions, roles and responsibilities

Deputy Head: The Commissioner assumes the duties of deputy head. As the Office’s accounting officer, the Commissioner has overall responsibility for the stewardship, management and oversight of the Office’s resources, as well for the measures taken to maintain an effective system of internal control. The Commissioner is assisted by the Assistant Commissioner, Complaints Resolution and Compliance, the Director General, Corporate Services, and the Office’s General Counsel and Director, Legal Services. The Commissioner is a member of the Office’s Audit Committee and meets weekly with the Senior Management Team.

Chief Financial Officer (CFO): The CFO—the Director General, Corporate Services—reports directly to the Commissioner and provides, among other things, leadership for the coordination, coherence and focus of the design and eventual maintenance of an effective and integrated system of ICFR, including its annual assessment.

Chief Audit Executive (CAE): It is not practical for the Office to have a full-time Chief Audit Executive, due to the organization’s size, risk profile and resources. For this reason, the function is split between a management consulting firm and the Director, Strategic Planning, Finance, and Administration. The firm prepared the Office’s most recent risk-based audit plan and will carry out the subsequent audits under the plan. The Director, Strategic Planning, Finance, and Administration, has assumed administrative responsibility for the internal audit function and in this capacity reports directly to the Commissioner.

Audit Committee: This Audit Committee provides the Commissioner with independent, objective advice, guidance and assurance on the adequacy of the risk management, control and accountability processes. It has three members: two who are external to the federal government, including the Chairperson, and the Commissioner. The committee reviews the Office’s audited financial statements and its system of internal control, including internal audit reports, and the assessments and action plans related to the system of ICFR. It also reviews draft audit reports of the OAG and other central agencies. The committee presented its first annual report in 2010–2011 to both the Comptroller General of Canada and the House of Commons Standing Committee on Access to Information, Privacy and Ethics.

Senior Management Team (SMT): SMT is the Office’s central decision-making body, and is made up of the Office’s senior managers and chaired by the Commissioner. As the Office develops and assesses its system of ICFR, SMT will become involved in reviewing, approving and monitoring the associated controls.

2.2 Key measures taken by the Office

The Office has a comprehensive internal control framework for financial management that is aligned with the federal government’s expenditure management process.

The Office’s funding is controlled through a budgeting and commitment control process in its integrated financial system, and the Office emphasizes the segregation of duties in the context of common, systematized business processes.

Expenditures are approved at the initiation, contracting, performance certification and payment approval stages. Payments are subject to a quality control process that tailors verification processes to risk. Controls over payments are tested for effectiveness on a monthly basis.

Financial results are monitored through a monthly financial reporting process, and validated and approved by management.

The Office’s control environment also includes measures and structures to equip staff to be able to manage risks well, including the following:

  • established governance structure and strategic direction through SMT and supported by the Audit Committee;

  • strategic planning unit that coordinates and supports Office-wide planning, including integrated business planning and risk management;

  • finance unit and CFO portfolio dedicated to internal control of financial reporting;

  • regular reporting of financial performance to SMT and at Audit Committee meetings, including clearly setting out financial management responsibilities;

  • training program and communications in core areas of financial management;

  • periodic review and update of the delegation of financial signing authorities;

  • documentation of main business processes and related key risk and control points to support the management and oversight of the Office’s system of ICFR;

  • certification process, introduced in 2010–2011, requiring managers to attest to the reliability of the financial information in their area of responsibility;

  • complete range of human resources, financial and contracting policies tailored to the Office’s control environment and departing from requirements under the Policy on Internal Control when appropriate, due to the Office’s exemption from the policy as an Agent of Parliament;

  • multi-year, risk-based internal audit plan;

  • preliminary assessment of key financial processes that were in place from April 1 to September 30, 2010;

  • strategic plan for information management and information technology;

  • three-year strategic plan; and

  • security guidelines related to the overall security program, including elements on information and personnel security.

3. Assessment of the Office’s system of ICFR

3.1 Baseline

In 2004, the Government of Canada launched an initiative to determine the ability of organizations to sustain control-based audits of their financial statements, thus relying on well-functioning internal controls.

The requirement to annually assess the system of ICFR, establish action plans to address any necessary adjustments, and attach to their Statements of Management Responsibility a summary of their assessment results and action plans was formalized in April 2009, when the Policy on Internal Control came into effect. Departments may tailor the scope and pace of their annual assessments, including developing multi-year assessment plans. As noted, the Commissioner, as an Agent of Parliament, is solely responsible for the Office’s compliance with the Policy on Internal Control and for responding to any instance of non-compliance.

Whether it is to support control-based audit requirements or those of the Policy on Internal Control, an effective system of ICFR aims to provide reasonable assurance of the following:

  • Transactions are appropriately authorized.

  • Financial records are properly maintained.

  • Assets are safeguarded from risks such as waste, abuse, loss, fraud and mismanagement.

  • Applicable laws, regulations and policies are followed.

Over time, this includes assessment of the ongoing monitoring, continuous improvement and testing of internal controls at all levels (entity, IT general, and business process).The maintenance of an effective system of ICFR is an ongoing process designed to identify, assess effectiveness and adjust, as required, key risks and associated key controls, as well as to monitor system performance in support of continuous improvement. As a result, the scope, pace and status of the assessments of the effectiveness of a system of ICFR will vary from one organization to the other based on risks and taking into account their unique circumstances.

3.2 Assessment method

In preparing for the review of its system of ICFR, the Office has taken measures to assess the system, starting with documenting and assessing its entity-level controls. Entity-level controls refer to those controls and practices that permeate the organization and set the “tone from the top.”

The Office will continue its assessment based on the identification of key accounts in the financial statements that will be subject to the ICFR assessment process. This assessment will consider both quantitative and qualitative factors. For each significant account, the Office will complete the following steps:

  • gather information pertaining to existing business processes, risks and controls, including associated policies and procedures;

  • map key business processes with key risks and controls on the basis of materiality, volume, complexity, susceptibility to losses/fraud, areas subject to audit observations, past history, external attention and reliance on a third-party; and

  • test the design and operating effectiveness of key business process controls.

The Office is also committed to documenting and assessing its general controls for information technology (IT) infrastructure. IT general controls are controls that affect the organization-wide IT environment, such as access to computer programs and data. The Office is responsible for assessing all of the key controls for systems that it fully manages. In cases in which the Office acquires the services from another organization (i.e. Freebalance, the Human Resources Information System and the Regional Pay System), the assessment will be limited to the components of the system the Office maintains and controls; assessment of all other components is the responsibility of the organizations that provide them.

Finally, the Office will take into account new information available from recent audits.

4. Assessment results

The preparation of internal controls documentation and subsequent assessment of the efficiency of controls is part of a continuous improvement process that will allow the Office to implement healthy financial management practices and to comply with key requirements of the Policy on Internal Control. As a result of observations and recommendations made, management will develop action plans to address any opportunity for improvement noted.

Controls are designed to address significant risks and presume the good faith of the individuals that apply the processes and controls. The Office must be aware of the inherent risk related to the effectiveness of internal controls. Many internal and external factors increase the risk that controls may fail to prevent or detect simple errors or fraud. The continuous monitoring of records, controls and processes will help identify and evaluate new risks, and implement mitigating controls accordingly.

The Office has documented the following significant processes and controls: salary expenditures, purchase of goods and services and payment to suppliers, management of assets and inventories, and accounting period closing processes and controls.

The preparation of the internal controls documentation consisted of conducting interviews and walking through the processes with various stakeholders. Narrative descriptions and flowcharts of individual processes were prepared, and the processes in place were compared with Office and TBS policy requirements.

Although the effectiveness of controls was not tested, a preliminary assessment of them was done for the period from April 1 to September 30, 2010. The assessment found several areas needing minor or immediate improvement and led to seven recommendations based on professional judgment, discussions with Office personnel and the information obtained.

Since 2003–2004, the OAG has conducted an annual audit of the Office, including an assessment of the overall control environment and the control activities relevant to the audit. The OAG has adopted a controls-reliant approach for the cycle of expenses other than payroll. The Office has received unqualified or unmodified opinions on all financial statements audited by the OAG to date.

As described in Section 2, the Office has a well-established governance model and an enabling environment to support staff at all levels. The Audit Committee is instrumental in providing independent advice on the Office’s system of internal control. The Office’s finance division monitors the internal controls for financial reporting.

Looking ahead, as shown in Section 5, the Office will seek opportunities to further strengthen its entity-level controls, taking into account results from annual assessments and audits. This will include ensuring that there is a well-integrated monitoring program in place to raise awareness and understanding of the Office’s system of ICFR at all levels, and equip people with the knowledge, skills and tools required.

5. Action plan

5.1 Progress as at March 31, 2011

During 2010–2011, the Office continued to make significant progress in assessing and improving its key controls, as summarized below.

  • ensured that recurring salary payments are properly verified and approved under section 33 of the Federal Administration Act (FAA): this control activity is part of the post-payroll quality assurance process under the responsibility of the finance division;

  • ensured that human resource officers are receiving the appropriate delegation of financial authority in order to conduct FAA section 34 certification of pay-related transactions, in accordance with the Guideline on Common Financial Management Business Process for Pay Administration and the FAA;

  • ensured that managers are conducting the second part of the FAA section 34 certification for salary expenditures and providing evidence of their approval of those expenditures: this is achieved during the monthly budget review process; the manager doing the certifying signs an attestation approving salary expenditures and stating that data on items such as overtime, vacation and leave is up-to-date;

  • enabled formal reporting through a new procurement database, making it possible for senior management to review all contracting activities;

  • put controls and systems in place to ensure inventory items, including capitalized assets, are properly recorded, managed and tracked: the Office is about to implement a structured materiel management program that will identify the roles and responsibilities, accountability and processes related to the management of assets and inventory; and

  • ensured that key month-end and year-end accounting processes and procedures are being formally documented.

5.2 Action plan for the next fiscal year and future years

The action plans for 2011–2012 and subsequent years will include a formalized and ongoing monitoring program of the effectiveness of the system of ICFR. This will involve monitoring and testing the operating effectiveness of key financial internal controls, doing periodic follow-up reviews of entity-level and general IT controls, tracking the status of management action plans in response to audit and other recommendations, and reviewing and testing the effectiveness of new controls. The Office will also do a compliance check with various TBS policies to ensure that there are no gaps in coverage.

The Office will ensure the ongoing monitoring of key controls is based on risk. Senior management is committed to sustaining and continuously improving its sound framework of effective ICFR, including carrying out ongoing monitoring to ensure that the key controls meet the expectations of management and stakeholders, and appropriately mitigate associated risks.

The Office will amend its Program Activity Architecture and Management, Resources and Results Structures for the 2012–2013 reporting year. The amendments include a slightly reworded program activity and more robust performance indicators that the Office expects will help it continue to improve its internal controls.

Finally, the Commissioner and senior office staff will be making themselves available to parliamentary committees that may wish to discuss the system of internal control at the Office or for Agents of Parliament in general.

Date modified:
Submit a complaint