RDIMS 1113156

Policy on Internal Control: the federal perspective
Presentation to the Ontario Chapter - Financial Management Institute
September 19th, 2012
Sharon Smith, Director, Financial Management Policy, Office of the Comptroller General of Canada

Purpose
• Provide an overview of the Policy on Internal Control (PIC)
• Provide an update on its status and implementation
• Provide an overview of how to do an assessment of the effectiveness of internal controls

Background
• The Policy on Internal Control (PIC) flows from the Federal Accountability Action Plan to strengthen accountability and transparency in financial controls, reporting and disclosure:
  – Supporting Deputy Heads (DHs) as Accounting Officers who are responsible for the “measures taken to maintain effective systems of internal controls” (section 16.4 of the FAA)
  – Clarifying DHs’ responsibilities and expectations in this area
  – Maintaining Canada’s position as a leader in financial reporting and disclosure
• The PIC is a foundational component of the new TB FM framework, articulated around four policies:
  – Policy on Financial Management Governance (effective April 2009)
  – Policy on Internal Control (effective April 2009)
  – Policy on Stewardship of Financial Management Systems (effective January 2010)
  – Policy on Financial Resource Management, Information and Reporting (effective June 2010)
• Note that there are about 25 new Directives and 12 standards in this suite, plus a Policy Framework on Financial Management

Drivers for the Policy on Internal Control
• Position Canada among leading jurisdictions
  – Lessons learned from Sarbanes-Oxley
  – New developments and practices in the private sector
• Alignment with Accounting Officer responsibilities under the Financial Administration Act and the commitment of the Federal Accountability Action Plan (2006)
• Support accountabilities of key players and the CFO Model
• Next step in the government commitment to control-based audits of departmental financial statements
• Provide necessary oversight of controls to manage key risks and mitigate against errors, fraud, mismanagement or other irregularities to safeguard public resources
  – Alignment with increasingly risk-based management approaches

Policy on Internal Control - requirements
• Reaffirms the responsibility of Deputy Heads, as accounting officers, for ensuring the maintenance of effective risk-based systems of internal control
• With a focus on internal controls over financial reporting, requires that Deputy Heads:
  – ensure the completion of an annual risk-based assessment of the departmental system of internal control over financial reporting (ICFR)
  – ensure the establishment of an action plan to address any necessary adjustments
  – include a summary of the assessment results and action plan as an Annex to a revised Statement of Management Responsibility accompanying the annual financial statements and signed by the DH and the Chief Financial Officer (CFO)
  – engage the Departmental Audit Committee or equivalent, as appropriate, on assessment plans and associated results

Internal Control over Financial Reporting
• Internal Controls over Financial Reporting (ICFR) aim at mitigating risks to the reliability of departmental annual financial statements
• Effective ICFR aim to provide reasonable assurance that:
  – Transactions are appropriately authorized
  – Financial records are properly maintained
  – Assets are safeguarded against fraud, abuse, waste, loss and mismanagement
  – Applicable laws, regulations and policies are followed

Levels of departmental internal controls (diagram)
• DM as accounting officer: broad system of internal control (system of IC)
  – ADMs: system of internal control in their area of responsibility
  – CFO: system of internal control over financial management (system of ICFM)
    – Within it, the system of ICFR: the policy requirements focus on ICFR

Roles and responsibilities
• Deputy Heads (DH)
  – As accounting officer, the DH is responsible for measures taken to maintain effective systems of ICs
  – Sign the Statement of Management Responsibility, which includes the Annex
• Chief Financial Officers (CFOs)
  – Lead departmental role for financial management (incl. a key source of expertise)
  – Lead and coordinate the planning and execution of the assessments and the Annex
  – Sign the Statement of Management Responsibility, which includes the Annex
• Chief Audit Executives (CAE)
  – Lead departmental role for internal audit (incl. a key source of expertise)
  – No internal audit required under the PIC
  – PIC assessment results can inform future internal audit plans
  – Internal audit findings can be leveraged to support the assessment under the PIC
• Chief Information Officers (CIO)
  – Lead departmental role for IT infrastructure and system applications (incl. a key source of expertise)
  – Contribute to assessments of IT systems and application controls
• Senior Departmental Managers
  – Responsible for maintaining effective systems of ICs in the programs for which they are responsible
  – Contribute to the assessment of key risks and controls in their area of responsibility
• Departmental Audit Committees (where applicable)
  – Provide objective advice and recommendations to Deputy Heads
  – Timing and scope of engagement to be determined by the Deputy Head

What the policy means
• The policy is not about advocating for more controls (there are often too many controls); rather, it is about the right controls being in place and working properly
• It is not about assessing all controls; rather, it focuses on key controls based on risks, and on ensuring that these controls are proportionate to and balanced with the risks they aim to mitigate
• It is not about audits; rather, it is a self-assessment by management taking risks into account
• It is not about certifying that all risks related to financial reporting have been eliminated; rather, it is about demonstrating that key controls over financial reporting are well managed, in support of continuous improvement

What well managed means (diagram)
• Financial statements: start with the annual financial statements and identify key accounts, key risks and materiality
• Set scope and develop the assessment plan
• Testing at three levels of controls: entity level (tone from the top), general IT level, business process level
  – Design effectiveness: key controls documented, in place as designed, aligned with risks
  – Operational effectiveness: key controls functioning over time

Statement of Management Responsibility
• “Management is also responsible for maintaining an effective system of ICFR designed to provide reasonable assurance that financial information is reliable, assets are safeguarded and that transactions are properly authorized”
• “The system of ICFR is designed to mitigate risks to a reasonable level based on an on-going process to identify key risks, to assess effectiveness of associated key controls, and to make any necessary adjustments”
• “an assessment for the year ended March 31, 20XX was completed in accordance with the Policy on Internal Control and the results and action plan are summarized in the annex”

Annex to the Statement of Management Responsibility
• The Annex enables readers to understand the organization’s overall environment and demonstrates the measures taken to maintain an effective system of ICFR within this context
• Provides an overarching perspective on the department’s status in assessing its system of ICFR, any remedial actions required and planned future assessments
• Sections:
  1. Introduction: departmental overview, financial highlights and key organizational changes
  2. Control Environment: key positions and responsibilities, as well as measures taken to set the “tone from the top”
  3. Assessment Approach: assessment scope and methodology
  4. Assessment Results: significant findings
  5. Action Plan: significant actions to be taken and timelines

Government-wide implementation plan
• A 3-year phased-in approach for the new Statement of Management Responsibility and its summary document (annex)
  – 2009-10: Largest departments that have completed readiness assessments for undertaking control-based audits of their financial statements
  – 2010-11: Departments that already have audited financial statements
  – 2011-12: Other departments
• Departments can tailor the scope and pace of their annual assessments, including developing multi-year assessment plans

OCG-TBS enabling role
• Chair DCFO Advisory Committees
  – Sharing best practices
  – Address strategic issues
  – Policy clarity and specific challenges
  – Co-Chair PIC managers’ Working Group
• Guidelines on developing the Annex
• Practical Toolkit on Assessments
• Workshop
• Strategy for Small Departments
• Use of GCPedia (Wiki-style resource)

Status and context after 3 years
• Completed 3-year transitional implementation
• Maturity advanced across government
  – The OAG Spring 2011 Chapter on Financial Management, Control and Risk Management concluded that TBS and the 7 selected large departments audited on their progress under the PIC had made satisfactory overall progress and that more work remained to be completed.
• Upcoming 5-year review of the FM policy suite: opportunity to consider future adaptations
• Cost containment and savings: effective controls are key to reliable financial information for tough decisions
• Consolidation of services: Alternative Service review; Shared Services Canada is the first new delivery hub
• Small departments capacity

CCA/PIC Approach for Small Departments
• The objective is to support small departments by leveraging core control audits (CCA) in support of sound management of internal controls / core controls
• This approach aims to:
  a) Add value and consistency to management’s oversight of its controls
  b) Streamline the process to gain efficiencies
  c) Minimize reporting burden
• Note that the PIC continues to apply

Leveraging: What does it mean?
• CCA and PIC use different methods, but both support sound and efficient management of internal controls
• The Policy on Internal Control does not mandate the details of “annual risk-based assessments” → ability to use CCA
• For sound management oversight, departments consider risk from both the PIC and the CCA perspective, which is informed by:
  – Corporate risk framework and risk history;
  – Nature of mandate and complexity; and
  – Composition and materiality of the financial accounts.
• Additional oversight under the PIC can be tailored as needed

Service arrangements
• Service arrangements are becoming more prominent as departments and the federal government seek to generate efficiencies, leverage expertise and manage risks
  – Recent examples: establishment of Shared Services Canada, Budget 2012 “Modernizing and Reducing the Back Office” initiatives, implementation of the Directive on Internal Support Services
• Adds complexities to accountabilities for internal controls
• Starting point: the entity is responsible for the design and effectiveness of the controls that it directly manages

Service arrangements (cont’d)
Two typical scenarios:
1. Services from other government departments: recipient departments draw assurance from the annex of the service provider concerning the management of their control areas
2. Service arrangement with an external (non-federal government) third party: departments can require a CSAE 3416 report to obtain an independent opinion on the design and operating effectiveness of the internal controls related to the services provided

Highlights from a practical workshop: How to do a risk-based assessment
A. Executing a risk assessment (scoping)
B. Developing an assessment plan
C. Documenting key controls and processes
D. Design effectiveness testing
E. Operating effectiveness testing

Assessment of ICFR - Process Overview (flow diagram)
1. Financial statement decomposition: identify key risks and key accounts; key business process (BP) identification
2. Assessment planning and scoping
3. Documentation: validate documentation with process owners; address documentation gaps and issues; identify key controls at all levels and their alignment with risks
4. Test of design: process walkthroughs; remediation
5. Operating effectiveness testing (OET): remediation
6. Monitoring: ongoing monitoring and periodic risk-based retesting
Note: Reporting - develop a summary of results and an action plan for the SoMR

Scoping A - Internal control over financial reporting: decomposing the financial statement into key accounts (cont’d)

  Factor                                  Definition
  Account size                            Dollar value in relation to MPP
  Business volume                         Number of transactions in a given period
  Transaction complexity and uniformity   Nature of transactions, similarities between transactions
  IT dependencies                         Account requires computer systems to perform automated calculations and controls.
Scoping A - Internal control over financial reporting: decomposing the financial statement into key accounts (cont’d)

  Factor                       Definition
  Decentralized process        Account transactions and controls are performed in multiple locations, business units and divisions by various people or systems
  Level of judgment required   Calculations, analyses or provisions require the use of judgment-based assumptions.
  Likelihood of error          Account has a history of error and reprocessing, or is susceptible to error by its nature.
  Vulnerability to fraud       Account is by its nature vulnerable to fraud (e.g. cash transactions).

Scoping - Information technology general controls (ITGCs)
• ITGCs’ relationship to application controls
  – ITGCs are used to manage and control an organization’s information technology activities.
  – ITGCs are pervasive controls. The degree to which an organization can rely on the integrity of information processing and on the effectiveness of automated application controls in computer applications (e.g. SAP, GX, FreeBalance) depends on the effectiveness of the ITGCs.

Scoping - Entity-level controls (ELCs)
• Main components
  – Directions set by senior management
  – Organizational culture
  – Organizational values and ethics
  – Governance mechanisms
  – Tools and activities that enable employees to effectively manage risk (communication, training and professional development)

Documentation A - How to document controls?
• To be considered complete, and to ensure a proper understanding by all potential readers, the description of a control must include the following items:
  – When, who, what, how?
  – Preventive or detective?
  – Manual or automated?
  – Evidence of the control performed (signature, initials, mark, date, etc.)

Documentation C - Walkthrough
• Once the controls have been documented, their design must be validated by means of a walkthrough.
• The walkthrough is a control occurrence test used to verify that the documentation describes what actually happens in the course of daily operations.
• Usually, for an internal control project, 20% to 30% of control descriptions require some modification following a walkthrough.

Key success factors
– Tone at the top (have senior management involved);
– Dedicated project lead and solid plan;
– Access to key people (process and control owners);
– Team members with experience in assessment of internal control.
Do not underestimate the time required:
• for the documentation validation with the control and process owners;
• for the documentation adjustment following the validation with the walkthroughs; and
• for the remediation phase.

S1-3: Process Overview (diagram)
• Design Effectiveness Testing (DET): identification of key controls at all levels and their alignment with risk to financial reporting; process walkthroughs (DET); conclusion and remediation
• Operating Effectiveness Testing (OET): testing strategy; sampling strategy; results / conclusion; remediation
• Reporting: result reporting; action plan

Session 1: Design Effectiveness Testing
Design effectiveness refers to whether controls are properly designed to achieve control objectives and whether they operate as designed.
• Internal control objectives: desired conditions which, if achieved, minimize loss, unauthorized use or misappropriation, in relation to the control’s ability to preserve the validity of the financial statement assertions.
• Risk: likelihood and impact of an event that would result in material misstatement. Need to consider financial statement assertions.
• Key control activity: key control activities are processes that, if not operating appropriately, could potentially cause a material misstatement in the financial statements.
Design Effectiveness Testing Overview
1.0 Starting point: identify control objectives based on process descriptions
1.1 Assess risks to financial reporting for each financial statement assertion
1.2 Identify key control activities
1.3 Test of design (DET) procedures
1.4 Perform walkthrough
1.5 Conclusion (ending point)
1.6 Remediation plan

1. Assess Risks to Financial Reporting
Objective: assess risks related to the various financial statement assertions to identify areas where key internal controls will need to be validated.
• Existence / Occurrence: only valid or authorized transactions are processed (policies, procedures, delegation)
• Completeness: all transactions have been processed and are reported (i.e., no omissions)
• Valuation & Allocation: transactions or account balances are valued using an appropriate methodology
• Presentation & Disclosure: components of financial statements are properly classified (by account) and described
• Rights & Obligations: assets represent the rights of the entity, and liabilities its obligations, as of a given date
• Accuracy: all valid transactions are accurate and consistent with originating transaction data

1. Assess Risks to Financial Reporting (cont’d): assess risks as High, Medium or Low
• IMPACT: potential effect on the organization if the risk arises. Factors:
  – Materiality: financial resources, human resources, physical resources
  – Significance: corporate objectives, relationships, central agencies, Parliament, public, media, obligations to others, sensitive information, third-party oversight
• LIKELIHOOD: probability that a risk can occur. Factors:
  – Inherent: past performance, time since last review, economic condition, competence, morale, complexity, liquidity of assets, extent of automation, pressure to meet objectives
  – Change: roles and responsibilities, staff levels, operation methods, budgets, turnover of staff, automation, changes in funding levels
• Risk rating matrix (rows: impact from highest at the top to lowest at the bottom; columns: likelihood from lowest at the left to highest at the right):

  Impact \ Likelihood   lowest    ->        ->        ->        highest
  highest               MED       MED/HIGH  MED/HIGH  HIGH      HIGH
                        LOW/MED   MED       MED/HIGH  HIGH      HIGH
                        LOW/MED   MED       MED       MED/HIGH  MED/HIGH
                        LOW       LOW/MED   MED       MED       MED/HIGH
  lowest                LOW       LOW       LOW/MED   LOW/MED   MED

2. Key Control Activities Identification: Application Controls vs. ITGCs
• ITGCs: IT general controls apply to all system components, processes and data for a given organization. They are intended to ensure the proper infrastructure and implementation of applications, as well as the integrity of programs, data files and computer operations.
• Application controls: relate to transactions and data pertaining to each system. They are intended to ensure the completeness and accuracy of records and the validity of the entries made resulting from programmed processing activities.

2. Key Control Activities Identification (cont’d)
Identify key control activities that could be relied upon to reduce the assessed risks to financial reporting.
A control activity is «key» if it:
• Enables achievement of key control objectives, such as compliance, reliability of reporting, etc.
• Enables achievement of an essential internal control objective
• Directly manages important risks to the achievement of financial statement assertion objectives (CSPS)

3.2 Design Effectiveness Testing - Walkthrough
• Review of the audit trail (e.g. walkthrough): validate the application of controls such as sign-off by the appropriate authority on key documents, and the existence of control documents such as checklists, mandatory forms, etc.
• Get an understanding of the process (inquiry)
• Confirm understanding and operation of controls
• Confirm flow of information and transactions
• Examine, gather and file documentation

3.3 Design Effectiveness Testing - Potential Issues
1. Control apparently exists but cannot be evidenced
2. There is extensive access to the system for some users
3. Some individuals have incompatible responsibilities (S.34 and S.33 of the FAA): segregation of duties
4. IT system and some controls are under the responsibility of a third party
5. Key control activities did not catch an error during the walkthrough

3.4 DET - Remediation Plan
Identify any remediation plan to address any gaps or issues of design identified to this point, including missing details on who, what, where, when and how:
• WHO: who is responsible for the exercise of the control?
• WHAT: what is the nature of the control, i.e. reconciliation, management review and approval, etc.?
• WHERE: where is the control carried out, i.e. HQ, region, specific location, etc.?
• WHEN: when is the control carried out, i.e. what is the frequency (annual, monthly, daily, etc.)?
• HOW: how is the conduct of the control evidenced?

Session 2: Operating Effectiveness Testing
Tests of operating effectiveness are intended to demonstrate the reliability of the controls, over a period of time, in reducing related financial reporting risks. It is important to gather sufficient documented evidence to enable a conclusion on whether or not the controls are operating in practice.
Objectives:
• Effective controls are expected to prevent, or detect and correct, material misstatements.
• This means that after all internal control testing is completed, there remains a lower risk of undetected material control weaknesses.
• In that case, effective controls are expected to lower the risk of material misstatement in the financial statements.

S1-3: Process Overview - Operating Effectiveness Testing Overview
1. Develop a testing plan
2. Develop a sample strategy
3. Perform testing
4. Results and remediation plan

4.1 Operating Effectiveness Testing - Methods
• The testing plan depends on the type of controls
• ITGCs and application controls can be tested for operating effectiveness during the Design Effectiveness Testing phase (see Matrix B2)
  – ITGCs testing: program changes and user access
  – IT application testing: processing of data (1 test)
• Testing of other controls: dependent on frequency (slide 34)

4.2 Operating Effectiveness Testing - Sampling
• Plan for overall sampling:
  – Key locations where there may be high risk, high levels of complexity or other factors;
  – Numbers of tests of specific key controls;
  – Testing frequency and time period; and
  – Random sampling strategy on a risk basis.
• Sampling refers to the process of selecting some units from a population, with two main steps:
  1) How many to select
  2) Which ones to select

4.4 Operating Effectiveness Testing - Steps
• If errors are showing up after a small number of sample items: STOP TESTING. Is it isolated/unique, or is it the result of a true control breakdown?
  – If the control is operationally ineffective: re-test only when it has been remedied for a sufficient period of time
  – For isolated/unique errors: perform the test on 2 additional sample items
• Brief and validate initial findings with process owners / business partners

5.1 Operating Effectiveness Testing - Deficiencies
1. Isolated error found in control test
2. Non-isolated error found in control test
3. Reliability of controls for part of the year cannot be confirmed

5.3 Operating Effectiveness Testing - Report (2.4 Conclusion & Reporting)
1. Analyze results and identify the need for remediation, as necessary
2. Brief and validate results with process owners
3. Have the process owner prepare an action plan for implementing the remediation
4. Update flowchart and matrix as necessary
5. Prepare and send the report to senior management; summary annex to the departmental Statement of Management Responsibility
6. Monitor the implementation of the action plan until resolved

Expected benefits of the PIC
• Opportunity to showcase how well the department is being managed, as well as to demonstrate progress and improvements
• More effective and efficient departmental systems of internal controls, with potential for economies and reduced risks
• Opportunity to engage and collaborate at all levels in support of continuous improvement related to risk management
• Foundational to other initiatives such as quarterly financial reports and potential controls-based audits of financial statements
• Instrumental in supporting Deputy Heads as accounting officers
• Increased public confidence and trust through strengthened accountability and transparency, including reliability of financial statements, maintaining Canada’s position as a leader in financial reporting and disclosure

More information
Sharon Smith, Director: Sharon.Smith@tbs-sct.gc.ca
Margaret Cross, Senior Analyst: Margaret.Cross@tbs-sct.gc.ca
Olga Dupuis, Senior Analyst: Olga.Dupuis@tbs-sct.gc.ca
GCPedia: http://www.gcpedia.gc.ca/wiki/PIC