Internal Management Oversight:
CERTIFICATION AND INTERNAL CONTROL REGIME FOR CROWN CORPORATIONS
Crown Corporation Guidance
This document is intended as advice or guidance and as a source of considerations and
resource materials on the subject of certification and internal control regimes for Crown
corporations. This document does not constitute a Crown corporation legal or policy
requirement nor does it establish monitoring obligations on the part of Treasury Board
Secretariat.
For more information on this guidance document and related Crown corporation
guidance materials please refer to the Treasury Board of Canada Secretariat,
Governance Directorate website http://www.tbs-sct.gc.ca/gov-gouv/index-eng.asp or
contact us directly at gd-dg@tbs-sct.gc.ca.
© Her Majesty the Queen in Right of Canada,
represented by the President of the Treasury Board, 2010
Catalogue No. BT33-4/3-2010E-PDF
ISBN 978-1-100-17342-9
This document is available on the Treasury Board of Canada Secretariat
website at http://www.tbs-sct.gc.ca
This document is available in alternative formats upon request.
Table of Contents
1.0 Introduction
2.0 Background
3.0 Overall Approach to Certification and Internal Controls
3.1 Financial statement risk assessment – scoping
3.2 Certification and internal control regime strategy
4.0 Documentation and Testing of Internal Controls over Financial Reporting
5.0 Sustaining Effective Internal Controls Over Financial Reporting
6.0 Annual Statement of Management Responsibility
7.0 Conclusion
8.0 References
Executive Summary: Certification and Internal Control Regime for Crown Corporations
The Treasury Board Secretariat has not made certification of financial statements mandatory for
Crown corporations. The question of whether or how far to proceed with the implementation of a
certification and internal control regime is a decision that each Crown corporation can make
based on an assessment of its operations’ business and accounting requirements, stakeholder
needs and perspectives, and risks.
An appropriate Crown corporation certification and internal control regime sufficiently addresses
the corporation’s own specific risks and operating environment, recognizing that a “one size fits
all” approach is not realistic given the varied nature of Crown corporations.
The overall objective of an effective certification and internal control regime is to support
management of an entity and to provide assurance that financial information and financial
reports are reliable. This assurance means that transactions are properly authorized, financial
records are properly maintained, assets are safeguarded from the risk of waste, loss, abuse, fraud
or mismanagement, and that applicable laws, regulations and policies are complied with.
The first step a Crown corporation should undertake when establishing a certification and
internal control regime is to review its financial statements to identify key risk areas and
associated key controls that should be assessed as part of the internal control regime. This
financial statement risk assessment is typically accomplished through a scoping exercise which
provides a risk-ranked listing of potential control areas for inclusion in the internal
control regime.
Based on the results of this scoping exercise and the types of risks being mitigated, a
corporation’s management will normally be able to propose to the board of directors the nature
and number of entity-level key control areas, business process key controls, general computer
key control processes, and disclosure key control processes and their associated risks which
might be included in its internal control regime. It is also suggested that management develop
and align a potential risk rating for each such control process for discussion with the
corporation’s board.
A Crown corporation may then decide to document its proposed certification and internal control
regime strategy and its identified key controls and key risks that will be incorporated into the
strategy (i.e., what will be included in the in-scope exercise and covered by the Crown
corporation’s planned approach for internal control). Based on standard practice in private sector
1
businesses, the following three areas should be assessed in a Crown corporation internal
control regime:
 Entity-level controls;
 Financial statement closing and reporting process; and
 Disclosure controls in relation to information to be provided in the annual report (including
financial statements), the corporate plan and quarterly financial reports.
It is also suggested that each Crown corporation document and assess the key control activities in
high risk processes (either business processes or general computer control processes) identified
through its scoping exercise.
For these in-scope processes, Crown corporations may document (typically through a
combination of process narrative/flowchart descriptions and a detailed accompanying control
matrix) and assess the effectiveness of the key control activities in each process. The
documentation and assessment approach taken by the Crown corporation may be indicated in its
internal control regime strategy.
A Crown corporation that implements a certification and internal control regime may decide to
insert a statement of management responsibility in its annual report, in which the chief executive
officer (CEO) and chief financial officer (CFO) attest to the financial statements and the
presence and effectiveness of a system of internal controls over financial reporting and
disclosure controls and processes.
Depending on the unique circumstances of the corporation, a board of directors has the
prerogative to determine the nature of the certification and internal control strategy and regime to
be instituted.
1.0 Introduction
Certification of the effectiveness of internal controls over financial reporting (ICFR) is not
mandatory for Crown corporations. Federal Crown corporations that decide to implement a
certification-based approach through an internal control regime may find this document useful.
The question of whether, or how far, to proceed with the implementation of a certification and
internal control regime is a decision that each Crown corporation board of directors will make
for itself based on an assessment of its operations’ business and accounting requirements,
stakeholder needs and perspectives, and risks. Depending on the organization’s individual
circumstances, a tailored regime (which ensures, for example, that risks are regularly reviewed
and mitigation strategies updated as necessary) could be used.
2.0 Background
Parliament and Canadians expect the federal government to be well managed with prudent
stewardship of public funds, safeguarding of public assets, and effective, efficient and
economical use of public resources. They also expect reliable reporting that provides
transparency and accountability for how government spends public funds to achieve results for
Canadians or, in the case of non-appropriated organizations, how effectively they manage their
operations and earn income.
The overall objective of an effective certification and internal control regime is to support
management of an entity and to provide assurance that financial information and financial
reports are reliable. This assurance involves determining whether the organization’s transactions
are properly authorized, financial records are properly maintained, assets are safeguarded from
the risk of waste, loss, abuse, fraud or mismanagement, and that applicable laws, regulations and
policies are complied with.
Certification refers to the requirement that senior officers (usually the CEO and CFO) of a
corporation certify or attest, by signature, that they have discharged certain responsibilities,
which include confirmation of the effectiveness of internal controls over financial reporting.
Normally such certifications are included in a statement of management responsibility that is
disclosed with the financial statements of an entity.
For departments and agencies, one way the Canadian government ensures reliable reporting is
through the use of the Policy on Internal Control,[1] which details the roles and responsibilities of
various federal players in ensuring that risks relating to the stewardship of public resources are
adequately managed.

[1] Policy on Internal Control, Treasury Board. This policy applies to all departments as defined by section 2 of the
Financial Administration Act. Thus, it does not apply to Crown corporations.
In the private sector, certification of the effectiveness of ICFR has been adopted by both the
United States (Sarbanes-Oxley Act and Securities Exchange Commission regulations) and the
Canadian Securities Administrators[2] (National Instrument 52-109, Certification of Disclosure of
Issuers’ Annual and Interim Filings).
The Review of the Governance Framework for Canada’s Crown Corporations, published in
2005, makes the following statements of principle and commitment:
Measure #24
In principle, the government supports the use of a certification regime adapted to
the reality of public institutions. The Treasury Board of Canada Secretariat will
examine, in consultation with Crown corporations, the development of a
certification regime that would be applicable to all Crown corporations.
Consultations with Crown corporations highlighted their widely different perspectives and
requirements in relation to certification, depending on the size and complexity of each
organization’s operations. A number of the larger Crown corporations had already begun a
process potentially leading to the introduction of a certification and internal control regime and
eventually determined that the costs outweighed the benefits for their particular organizations.
Other smaller organizations perceived little need at that time to spend the additional resources
required to implement a certification regime. A few Crown corporations adopted different
approaches, for example, a cyclical, risk-based review approach to the management of their
internal controls. Based on input from Crown corporations and the Auditor General, TBS
determined not to make it mandatory for Crown corporations to introduce a certification and
internal control regime.
The board of directors and management of each Crown corporation have a fundamental
responsibility to achieve effective and efficient operations and reliable financial reporting.
Reasons why Crown corporations might wish to implement a certification and internal control
regime include:
• To meet the expectations of Canadians that public resources are used in an efficient, effective
and economical manner;
• To strengthen management’s responsibility for the accuracy, completeness and reliability of
Crown corporation financial reporting;
• To encourage the development, documentation and maintenance of effective internal controls
over financial reporting; and
• To encourage the development of effective disclosure controls and procedures related to other
key Crown corporation financial reporting requirements.

[2] The Canadian Securities Administrators (CSA) is a voluntary umbrella organization of Canada’s provincial and
territorial securities regulators whose objective is to improve, coordinate and harmonize regulation of Canadian
capital markets.
It is a best practice of boards of directors (and/or audit committees) to review and challenge the
reasonableness of the Crown corporation’s certification and internal control regime in light of the
risks, context and business needs of the Crown corporation.
3.0 Overall Approach to Certification and Internal Controls
An appropriate certification and internal control regime is one that addresses a Crown
corporation’s own specific risks and operating environment, recognizing that a “one size fits all”
approach would not be realistic given the varied nature of Crown corporations.
To decide what measures will be taken as part of a certification and internal control regime, a
Crown corporation should first determine the nature of the assessments required in order to
provide the CEO and CFO with sufficient assurance so that they can attest to the financial
statements in the statement of management responsibility (see section 6.0 below).
This document describes the key elements of a risk-based approach to managing internal controls
that Crown corporations may wish to consider once the corporation decides to establish an
internal control regime.
3.1 Financial statement risk assessment – scoping
The first step that a Crown corporation should take if it decides to establish an internal control
regime is to review its financial statements to identify and assess key risk areas that could be
covered within the scope of the regime. This financial statement risk assessment is typically
accomplished through a scoping exercise, with the anticipated output being a risk-ranked listing
of potential control areas for inclusion in the internal control regime. Using this risk-ranked
listing, a Crown corporation can identify the higher risk areas that would be covered within its
internal control regime.
When scoping is undertaken, it is suggested that Crown corporations consider the following
four areas for internal control purposes:
1. Entity-level controls
Entity-level controls support the “tone at the top” for an organization. They include controls
related to the control environment, risk assessment process, information/communication and
monitoring activities of the organization. During scoping, a Crown corporation identifies
relevant entity-level controls to be included in its internal control regime. Typically, this
encompasses organization-wide controls that could affect or influence the reliability of financial
information that forms a part of business and general computer processes. As part of scoping
entity-level controls, the Crown corporation also considers identifying the level of monitoring
controls that exist across the Crown corporation, as this information may provide valuable
insight when determining which types of higher level monitoring controls can be relied upon
within the internal control regime.
2. Business process controls
Scoping of business process controls, including application controls, typically begins with the
financial statements and supporting trial balance of the organization. The goal of scoping is to
identify the financial statements’ material classes of transactions, which are often grouped into
business processes. A variety of quantitative and qualitative factors may be considered to
determine whether or not the material classes of transactions/business processes should be “in
scope” for internal control:
• Quantitative – The dollar value of the financial statement line items/material classes of
transactions may be considered to determine the significance/criticality of the related business
processes. To assess the dollar value, a percentage of financial statement audit materiality is
typically used.
• Qualitative – In addition to the quantitative value of classes of transactions, other factors may
be considered when assessing which business processes to include as part of the in-scope
exercise for internal control efforts. These factors include the complexity of related
accounting policies/procedures, susceptibility of the process to manipulation or fraud, extent
of judgments or estimates required within the process, degree of change in the process, history
of errors and potential exposure to public scrutiny.
After assessing the classes of transactions/business processes for both quantitative and
qualitative factors, it is suggested that an overall risk rating be given to each. This rating can be
used to determine which classes of transactions/business processes may be assessed as part of the
internal control regime.
3. General computer controls
For each of the applications/systems identified as supporting the business processes that are
in-scope (see section 1.2 above), Crown corporations would determine the general computer control
processes that are in place corporation-wide to support these applications/systems. Typical areas
of general computer controls include program development, program changes, access to
programs and data, and computer operations.[3] Once identified, an overall risk rating can be
determined for each unique general computer control process. This rating may be used to
determine the priority for addressing general computer control processes within the Crown
corporation’s internal control regime.
4. Disclosure controls
A Crown corporation’s internal control regime should cover disclosure controls related to the
Crown corporation’s annual report (including financial statements), the corporate plan and
quarterly financial reports. Crown corporations may scope in the processes and internal controls
that are used to ensure the appropriate disclosure and reliability of information in these
documents.
3.2 Certification and internal control regime strategy
Based on the results of scoping, the entity-level control areas, business processes, general
computer control processes and disclosure control processes which should or should not be
included in the internal control regime will be more apparent. Board members may ask the
corporation’s management to develop initial risk ratings for each of these processes.
In light of the data, each Crown corporation should be well placed to document its proposed
internal control regime strategy (i.e. what will be in scope and what the Crown corporation’s
planned approach for the internal control program will be). Based on experiences in the private
sector and other areas with similar internal control regimes, at least, the following three areas
should be assessed in a Crown corporation’s internal control regime:
• Entity-level controls;
• Financial statement closing and reporting process; and
• Disclosure controls over the annual report (including financial statements), corporate plan and
quarterly financial reports.

[3] Program Development, Program Changes, Access to Programs and Data, and Computer Operations are the
four general computer control areas identified in Control Objectives for Information and related Technology
(COBIT) with respect to the Sarbanes Oxley Act (SOX).
In addition, unless there are mitigating circumstances, Crown corporations would document and
assess control activities in other high risk processes (either business processes or general
computer control processes) identified through their scoping exercises. Of course, higher risk
business processes will vary depending on the nature of the Crown corporation, so each Crown
corporation may wish to document its rationale for inclusion or exclusion of business processes
in its internal control strategy. Higher risk general computer control processes typically include
access to programs and data, program development and program changes, but these could also
vary between Crown corporations, depending on the nature of the Crown corporation’s systems
environment and the reliance thereon for financial reporting.
For processes that are not deemed to be high risk through the scoping exercise, Crown
corporations can determine what measures, if any, are required to support the internal control
regime. Instead of completely documenting and assessing key controls that are anticipated for
higher risk areas, different approaches may be considered for lower risk areas, such as:
• Documenting key controls but adopting a reduced assessment approach (e.g., more limited
testing or sampling of internal controls or testing over a multi-year rotation plan); or
• Relying on higher level or centralized, corporate level monitoring controls that management
may use (these may have been identified through entity-level control scoping or within the
higher risk business processes).
4.0 Documentation and Testing of Internal Controls over Financial Reporting
For in-scope business, general computer control, entity-level control and disclosure control
processes, Crown corporations may choose to document (i.e. typically through a combination of
process narrative/flowchart descriptions and a detailed accompanying control matrix) and assess
the key control activities in each process. The documentation and assessment approach taken by
a Crown corporation should be set out in its internal control regime strategy.
In the private sector, a top-down approach (i.e. starting at the entity-level and then moving down
to the general computer controls and lastly to the detailed business processes) has been found to
be a resource efficient strategy in assessing internal controls. Note that other organizations have
found it worthwhile to complete a review of the design effectiveness of entity controls and to
implement a pilot project with one or more processes before documenting and assessing all
in-scope processes. In situations where entity level controls are found to be strong, this should
reduce the overarching risks to be managed in relation to the reliability of financial statements
and perhaps reduce the levels of testing and sampling in business processes. Use of a pilot
project allows for a better understanding of the required process and time implications for
completing the required documentation and assessment activities. Drawing on lessons learned
from assessing the design effectiveness of entity level controls, a Crown corporation may be
better positioned to efficiently identify where key controls need to be comprehensively
documented and assessed.
The documentation and assessment approach that a Crown corporation uses for its internal
control regime would ideally satisfy the following:
• The CEO and CFO have sufficient evidence of rigour in the management of internal controls
over financial reporting to enable them to sign the statement of management responsibility,
including where the statement includes explicit certification of the effectiveness of ICFR;
• The board of directors (and/or audit committee) has sufficient assurance that the Crown
corporation’s internal control regime adequately addresses the risks faced by the corporation;
and
• An efficient, effective and ongoing internal control monitoring program is in place.
An important objective of the assessment process is to ensure that the nature of the identified
risks aligns appropriately with the associated control or control activity. Usually, this alignment
can be validated by documenting the key controls and control processes and considering the
design effectiveness of the control environment. This confirmation is a fundamental basis for
determining whether an internal control regime is effective, is maintaining control and is
mitigating risks.
An assessment of the effectiveness of internal controls over financial reporting normally includes
an assessment of both the design of these controls and their operating effectiveness. These are
the sequential steps of standard assessments of effectiveness of internal controls as practiced in
the private sector and other areas.
If deficiencies are identified in the documentation and design and operating effectiveness
assessment process, Crown corporations should undertake a process to identify the
severity/importance of the deficiencies and put in place appropriate remediation plans to address
material weaknesses, which are defined as follows:
A material weakness means a deficiency, or a combination of deficiencies, in internal
control over financial reporting, such that there is a reasonable possibility that a material
misstatement of the reporting corporation’s financial statements will not be prevented or
detected in a timely manner.
As noted in the statement of management responsibility, material weaknesses and management’s
corresponding remediation plans (including timelines for remediation) may be disclosed.
Reporting
As previously noted, a Crown corporation should identify any significant scope exclusions from
its internal control regime (e.g. subsidiaries, locations, variable interest entities). In addition, any
material weaknesses may be disclosed along with management’s action plans and timelines for
resolving the deficiencies, addressing control issues or mitigating the risks caused by the
deficiencies.
It is also suggested that a Crown corporation provide, along with the statement of management
responsibility, a brief description of the overall approach taken by the corporation for its internal
control regime. This can be attached to the statement of management responsibility along with its
financial statements.
Roles and responsibilities
It is the board of directors that ultimately determines whether the introduction of a certification
and internal control regime is necessary and, if so, identifies the overall requirements of the
system. In such cases, the board is expected to exercise an oversight role in relation to the plans
and results of effectiveness assessments, including any necessary adjustments to the regime. At
key strategic points in the process, the Crown corporation’s board of directors (and/or audit
committee) would review management’s approach to internal control to determine whether they
are satisfied that the scope and approach adequately support the statement of management
responsibility, given the context and operating realities of the Crown corporation, and that the
results appropriately reflect the internal control environment of the corporation.
Typically, a chief financial officer is expected to lead and coordinate the management of the
corporation’s certification and internal control regime as a strategic advisor and in support of the
executive management role of the CEO. Both the CEO and CFO are responsible for signing a
statement of management responsibility instituted as part of the certification and internal
control regime.
Other senior managers who have program responsibilities would also be key contributors to the
management of the internal control regime within their area of responsibility. In addition,
specific expertise should be leveraged to ensure the overall integrity of the assessment of the
effectiveness of internal controls, including in the areas of internal audit and information
technology.
Ultimately, the Crown corporation’s CEO and CFO need to decide when they are ready to sign
off on a statement of management responsibility (see section 6.0 below) if the board of directors
decides to establish a certification and internal control regime. In this regime, Crown
corporations may also consider implementing lower level or additional internal sign-offs on the
effectiveness of internal controls in which the organization’s key managers also certify the
effectiveness of internal controls within their area of responsibility. This is emerging as a best
practice in the private sector.
Control framework
It is suggested that a Crown corporation identify, within its internal control regime strategy, the
overall control framework that is being used for its internal control regime. The control
framework provides a structure that enables a Crown corporation’s internal control efforts to be
undertaken in an organized and efficient manner.
In other sectors and areas, the COSO[4] framework has been widely accepted as the standard for
similar certification initiatives. This normally encompasses five areas or components related to
internal control, including: 1) control environment; 2) risk assessment; 3) control activities;
4) information and reporting; and 5) monitoring. Similarly, COBIT[5] has become the de facto
standard for IT-related controls in an internal control regime. Given the approach, supporting
information and tools related to these frameworks, it would be worthwhile for a Crown
corporation to explore the benefits of using these frameworks.
5.0 Sustaining Effective Internal Controls Over Financial Reporting
Once the initial year’s internal control work (i.e. scoping, documentation and testing of controls
and reporting) is completed, there will be an ongoing need to ensure documentation is kept
up-to-date and that retesting is conducted periodically to support ongoing internal control reporting.
To that end, a Crown corporation may wish to consider a program of ongoing maintenance/
sustainability activities as part of its internal control strategy (note that a Crown corporation may
be better positioned to develop its maintenance/sustainability strategy after completion of the
initial year’s internal control activities).
[4] The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a voluntary private-sector
organization, established in the United States, dedicated to providing guidance to executive management and
governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise
risk management, fraud, and financial reporting. COSO has established a common internal control model against
which companies and organizations may assess their control systems. Executive Summaries of COSO guidance
are available.
[5] The Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for
information technology (IT) management created by an IT governance professional association, the Information
Systems Audit and Control Association (ISACA), and an IT think tank, the IT Governance Institute. COBIT
provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and
best practices to assist them in maximizing the benefits derived through the use of information technology and
developing appropriate IT governance and control in a company. Further information on COBIT can be found on
the ISACA website.
Common maintenance strategies include ensuring that accountability for periodic (e.g., annual or
semi-annual) review and update of the control documentation is assigned to a designated lead or
“process owner.” In addition, conducting targeted risk-based testing throughout the year
(e.g. quarterly) is a common sustainability strategy. Some organizations are using technology to
maintain control documentation, track testing and report on progress/results to address their
ongoing oversight in this area. Finally, to support sustainability, many organizations seek to
integrate aspects of their internal control projects with, and leverage the results of, the
organization’s enterprise risk management and internal audit processes.
6.0 Annual Statement of Management Responsibility
A Crown corporation that implements a certification and internal control regime may decide to
include a statement of management responsibility with its financial statements in its annual
report. Ideally, the CEO and CFO would certify the following in the statement:
• That the CEO and CFO have reviewed the financial statements, and based on their knowledge
and having exercised reasonable diligence, the financial statements fairly present in all
material respects the position, results of operations and cash flows of the Crown corporation,
as of the date specified, and for the periods presented in the financial statements;
• That the CEO and CFO have established and maintain effective internal controls over
financial reporting, which includes safeguarding assets and ensuring compliance with
applicable laws and regulations; and that the Crown corporation has designed internal controls
over financial reporting and disclosure controls and procedures (for its annual report,
corporate plan and quarterly financial reports) that are appropriate to the circumstances of the
Crown corporation;
• That the CEO and CFO conducted an assessment of the effectiveness of the corporation’s
internal controls over financial reporting and disclosure controls and procedures. Based on the
results of this assessment, there is reasonable assurance that internal controls over financial
reporting, as of the date specified, were effective and no material weaknesses were found in
the design or operation of the internal controls over financial reporting, with the exception of:
  – Description of a material weakness;
  – Description of the remediation plan to address the material weakness; and
  – The completion date or expected completion date of the remediation plan.
Any significant scope exclusions from a Crown corporation’s certification and internal control
regime (e.g. subsidiaries, locations, variable interest entities) may be identified.
It should be noted that alternate types of management disclosure statements may be used by
Crown corporations depending on the form of internal control over financial reporting
they adopt.[6]
Any additional summary information to be disclosed related to the assessment and management
of the internal control regime can be attached to the statement of management responsibility.
7.0 Conclusion
The introduction of a certification and internal control regime requires additional outlays of
resources and effort on the part of the organization, particularly in the short term when such a
system is being designed and implemented. However, in the medium to long term, such a regime
can provide the board of directors and management with substantial assurance that the financial
statements fairly present the corporation’s operational results and that any weaknesses in
financial reporting have been identified.
Thus far, most Crown corporations have not introduced a certification and internal control
regime, based on an assessment that the risks of financial misstatement are relatively minor in
relation to the costs associated with putting the regime in place. However, recent financial
disclosure requirements may augment the desire to reduce such risks still further. For example,
the Standard on Quarterly Financial Reports for Crown Corporations, which takes effect on
April 1, 2011, requires the CEO and CFO to sign a statement that the quarterly financial reports
present fairly in all material respects the financial position, results of operation and cash flows of
the corporation. The implementation of some form of internal controls over financial reporting
and disclosure controls and procedures is one way to minimize the risk of financial
misstatements.
8.0 References
National Instrument 52-109: Certification of Disclosure in Issuers’ Annual and Interim Filings,
Ontario Securities Commission. October 2008.
Sarbanes-Oxley Act of 2002, H.R. 3763-2.
Policy on Internal Control (for federal departments and agencies), Treasury Board Secretariat.

[6] The 2009 Canada Deposit Insurance Corporation Annual Report is an example of an alternate disclosure format.