2013-2014 Annex to the Statement of Management Responsibility Including Internal Control over Financial Reporting (unaudited)
1. Introduction
This document provides summary information on the measures taken by the Office of the Information Commissioner of Canada’s (OIC) to maintain an effective system of internal control over financial reporting, including information on internal control management, assessment results and relation action plans.
Detailed information on the OIC’s authority, mandate and program activities can be found in its Report on Plans and Priorities, Departmental Performance Report, Annual Report and Strategic Plan 2011–2014.
2. Departmental system of internal control over financial reporting
2.1 Internal control management
The OIC has a well-established governance and accountability structure to support departmental assessment efforts and oversight of its system of internal control. A departmental internal control management framework, approved by the Deputy Head, is in place and includes:
- Organizational accountability structures as they relate to internal control management to support sound financial management, including roles and responsibilities of senior managers in their areas or responsibility for control management;
- Values and ethics;
- Ongoing communication and training on statutory requirements, and policies and procedures for sound financial management and control; and
- At least semi-annual monitoring of and regular updates on internal control management, as well as the provision of related assessment results and action plans to the Deputy Head and departmental senior management and, as applicable, the Departmental Audit Committee.
The Departmental Audit Committee provides advice to the Deputy Head on the adequacy and functioning of the department’s risk management, control and governance frameworks and processes.
2.2 Service arrangements relevant to the financial statements
The OIC relies on other organizations for the processing of certain transactions that are recorded in its financial statements as follows:
Common Arrangements
- Public Works and Government Services Canada (PWGSC) centrally administers the payment of salaries and the procurement of some goods and services, and provides cheque-issuing services, in accordance with the OIC’s Delegation of Authority, and provides accommodation services.
- Treasury Board of Canada Secretariat (TBS) provides information used to calculate various accruals and allowances, such as the accrued severance liability and the Employee Benefits Plan, and pays the employer’s share of health and dental insurance premiums.
- The Office of the Auditor General (OAG) provides audit services.
- Shared Services Canada provides information technology (IT) infrastructure services to the OIC in the areas of internet connectivity and email security. The scope and responsibilities are addressed in the interdepartmental arrangement between Shared Services Canada and the OIC.
- For the purposes of the Financial Administration Act, the OIC and the Office of the Privacy Commissioner (OPC) submit their trial balances jointly to PWGSC.
- The OIC has engaged the Shared Services unit at PWGSC to provide human resources services, including compensation and staffing.
- The OIC and the other tenants at 30 Victoria Street, Gatineau, have entered into a Memorandum of Understanding with PWGSC to provide base building and multi-tenant security services. Note 1
- The OIC and the other tenants at 30 Victoria Street, Gatineau share facility and services related to the mailroom. Note 1
Specific Arrangements
- The OPC provides the OIC with a Freebalance financial and salary management systems platform to capture all financial and salary transactions. Note 2
3. Departmental assessment results during fiscal year 2013-2014
The key findings and significant adjustments required from the current year’s assessment activities are summarized below.
New or significantly amended key controls: The OIC reviewed and updated all documentation related to human resources internal controls and processes in light of the outsourcing of the human resources function to the Shared Services unit at PWGSC and as part of the HR Quality Assurance Framework. This arrangement led to some changes in processes and control points.
Ongoing monitoring program: The OIC has a comprehensive internal control framework for financial and HR management that is aligned with the federal government’s expenditure management process. The OIC manages its funding through budgeting and commitment control process in its integrated financial and salary budgeting systems. Appropriate segregation of duties is done in the context of common, systematized business processes. Expenditures are approved at the initiation, contracting, performance certification and payment approval stages. Payments are subject to a quality control process that tailors verification processes to risk. Controls over payments are tested for effectiveness on a monthly basis. Financial results are monitored through a monthly financial reporting process, and validated and approved by management.
4. Departmental action plan
4.1 Progress during fiscal year 2013-2014
The OIC continues to conduct its ongoing monitoring according to the previous fiscal year’s rotation plan as shown in the following table.
Progress during fiscal year 2013-2014
Previous year’s rotational ongoing monitoring plan for current year | Status |
---|---|
Management action plan to implement improved salary controls. | The action was completed and approved by OIC Senior Management. |
OIC develop a process to ensure that there is auditable evidence demonstrating that certification of pay under S. 33 has taken place. | Process prepared and documented including use of statistical sampling as part of the S.33 review. |
Development of a formal quality assurance framework to ensure data in departments Human Resource database is reviewed on an ongoing basis by Responsibility Centre Managers. | Final process documented and implemented. Includes certification of accuracy of HR data in conjunction with the quarterly financial S.34 review. |
In 2013-2014, the OIC conducted the following work in addition to the progress made in ongoing monitoring:
- Testing of the operating effectiveness and verification process of payroll and human resources systems.
- Implementation of a new asset inventory system to provide for more effective asset control and reporting.
4.2 Action plan for the next fiscal year and subsequent years
Through its internal audit program, the OIC will do a compliance check against various TBS policies to ensure that there are no gaps in coverage.
The OIC will continue to ensure that the ongoing monitoring of key controls is based on risk. Senior management is committed to sustaining and continuously improving its sound framework of effective ICFR, including carrying out ongoing monitoring to ensure that the key controls meet the expectations of management and stakeholders, and appropriately mitigate associated risks.
Finally, the Commissioner and senior managers will make themselves available to parliamentary committees that may wish to discuss the system of controls at the OIC.
The OIC’s rotational ongoing monitoring plan over the next three years, based on an annual validation of the high-risk processes and controls are related adjustments to the ongoing monitoring plan as required, is shown in the following table.
Rotational Ongoing Monitoring Plan
Key control areas | Fiscal Year 2014-2015 |
Fiscal Year 2015-2016 |
Fiscal Year 2016-2017 |
---|---|---|---|
Entity-level controls (Note 1) | Ongoing | Ongoing | Ongoing |
IT general controls under departmental manager (Note 1) |
Ongoing | Ongoing | Ongoing |
Asset Management | Update of asset management processes and controls. | None planned | None planned |
Operating expenditures | None planned | Analysis by type of Operating expenditure to be undertaken with recommendations for other control mechanisms (if required) to be provide to senior management. | None planned |
Capital expenditures | Capital Policy to be reviewed and updated. Inventory processes for capital assets to be reviewed and updated. | None planned | None planned |
Master data on vendors and customers | None planned | Review of vendor and customer lists to be undertaken. Update of vendor list to align with implementation of Direct Deposit payments. | None Planned |
Payroll (Note 3) | Ongoing | Ongoing | Ongoing |
Implementation of new PeopleSoft HR system. | The OIC will be implementing the PeopleSoft HR system. As part of this implementation a review of HR controls will be done to ensure system and process controls align properly. | Analysis and review of any post implementation issues with corrective measures as requires. | None planned. |
NOTES:
Note 1 – MOUs will be reviewed on an ongoing basis for clear service levels, roles, responsibilities and controls for shared services. In addition, the OIC will review its own controls in the area of security to ensure that necessary controls are in place for both those offering shared services to the OIC and those receiving services from the OIC.
Note 2 - In 2013-2014, a security incident occurred and resulted in the loss of personal information from the OPC hosted financial and salary management system. The loss of data occurred during the move from 112 Kent Street to 30 Victoria Street when the OPC lost a back-up hard drive that contained data from the Performance Budgeting for Human Capital (PBHC) system. The OPC is reviewing and updating its security controls to prevent future incidents. The OIC continues to monitor its own internal security controls.
Note 3 – These processes are reviewed on an ongoing basis as part of the yearly review of OIC Financial and Administrative processes.