Audit of the Test of Design of
Entity-Level Controls
Canadian Grain Commission
Audit & Evaluation Services
Final Report
March 2012
Entity Level Controls 2011
Table of Contents
1.0 Executive Summary
Introduction
Audit Objective
Conclusion
Statement of Assurance
Summary of Recommendations and Management Action Plans
2.0 Audit Report
Background
Audit Objective
Audit Scope
Audit Criteria
Approach and Methodology
3.0 Findings and Recommendations
Appendix A: Entity Level Control Assessment Summary
1.0 Executive summary
Introduction
1.1 The mission of the Internal Audit function of Audit and Evaluation Services is to
provide independent and objective assurance services designed to add value and
improve the Canadian Grain Commission’s operations. Internal Audit helps the
Canadian Grain Commission accomplish its objectives by bringing a systematic,
disciplined approach to assess and improve the effectiveness of risk management,
control and governance processes.
1.2 The audit of entity-level controls was included as part of the 2010-2011 Audit and
Evaluation Services risk-based Audit Plan. The Commission approved the plan
following a recommendation by the Departmental Audit Committee in May 2010.
1.3 The audit was conducted as a joint effort with Finance from November 2010 to March
2011. It consisted of documenting and reviewing the test of design of entity-level
controls in place at the Canadian Grain Commission.
1.4 The Treasury Board Policy on Internal Control, which took effect on April 1, 2009, was
introduced to ensure that risks relating to the reliability of financial reporting are
adequately managed through a risk-based system of internal controls over financial
reporting. Under the Policy on Internal Control, organizations are required to
document and assess 3 levels of controls, one being entity-level controls.
1.5 As stated in the Policy on Internal Control – Diagnostic Tool for Departments and
Agencies, entity-level controls
are those controls that are pervasive across a department. They include the
‘tone from the top’ including the organization’s culture, values and ethics,
governance, transparency and accountability mechanisms as well as the
activities and tools put in place across the organization to raise staff
awareness, ensure clear understanding of roles and responsibilities and solid
capacities and abilities in managing risks well.
1.6 The implementation of the Policy on Internal Control does not require an assessment
of all entity-level controls within an organization. Rather, it requires an assessment of
key entity-level controls. For purposes of this report, key entity-level controls are
those controls that best demonstrate a commitment to overall good governance by
Executive Management at the Canadian Grain Commission in ensuring
organizational objectives are met.
1.7 In addition to the requirement under the Policy on Internal Control, Audit and
Evaluation Services undertook the documentation and assessment of entity-level
controls jointly with Finance as part of the 2010-2011 Audit Plan for purposes of
obtaining a sound understanding of the internal controls in place to ensure that
Executive Management expectations pertaining to the entire organization are carried
out.
1.8 This report contains only those observations, findings, and recommendations
associated with the review of the test of design of the Canadian Grain Commission’s
key entity-level controls.
Audit objective
1.9 The objective of the audit is to document and assess the design of the entity-level
controls in place at the Canadian Grain Commission in order to provide assurance of
their adequacy and to provide recommendations to improve noted deficiencies, if
appropriate.
Conclusion
1.10 Several entity-level controls exist and have been effectively designed to promote
management excellence, good governance and public service management
throughout the Canadian Grain Commission. Some of the key highlights noted
include:
• Executive Management and the Commissioners promote and encourage open
communication throughout the Canadian Grain Commission and effectively
provide information to employees, industry stakeholders and other interested
parties.
• Executive Management is committed to being effective leaders and modelling
behaviours which employees are expected to demonstrate.
• There are 2 levels of governance: the Executive Management Committee and
the Commission. Open communication between the Executive Management
Committee and the Commission ensures that priorities remain realistic and that
organizational objectives are achieved as intended.
• The Executive Management Committee, the Commissioners and the
Departmental Audit Committee are committed to directing the organization in
achieving its operational and strategic objectives.
1.11 The following report contains opportunities for improvement that were identified
during the audit, including:
• Further developments in tracking and monitoring of People Planning and the
Personal Development and Achievement Program in order to strengthen the
Canadian Grain Commission’s ability to maintain a sufficient and representative
workforce with the appropriate mix of skills.
• Further efforts to implement new policies, procedures and processes and to
update existing ones in order to strengthen the Canadian Grain Commission’s
ability to carry out its mandate, programs and activities.
• Further refinements and enhancements to the Integrated Risk Management
Program in order to ensure that risks are well managed throughout the
organization.
• Future training to educate employees on roles and responsibilities in order to
ensure that effective Internal Controls over Financial Reporting are in place.
Executive Management has indicated that all recommendations contained in this
report will be implemented. Additional details are contained in this report.
Statement of assurance
1.12 In the professional judgment of the Chief Audit Executive, sufficient and appropriate
audit procedures have been conducted and evidence gathered to support the
accuracy of the conclusion provided in this report. The conclusion is based on a
comparison of the conditions as they existed at the time, as described in the Audit
Scope, against pre-established audit criteria that were agreed with management. The
audit was conducted in accordance with the Treasury Board Policy on Internal Audit
and the International Standards for the Professional Practice of Internal Auditing as
established by the Institute of Internal Auditors (IIA).
Summary of recommendations and management action plans
1.13 The following is a summary of recommendations contained in this report with
management’s action plans to address the topics identified:

3.10
Recommendation:
We recommend that the Executive Management Committee and the Commissioners
establish a formal terms of reference document to specify what information is to be
communicated to the Commissioners, the Chief Operating Officer or the Executive
Management Committee. The document should include the timing of such
communication.
Management action plan:
The Executive Management Committee has drafted and approved an Executive
Management Committee terms of reference. The Commission terms of reference will be
drafted by March 31, 2012.
Respondent: Chief Operating Officer

3.11
Recommendation:
We recommend that management implement and approve a formal process to ensure
that divisional people plans are reviewed on a quarterly basis. A quarterly review would
ensure that identified gaps are addressed and re-prioritized as necessary in securing
human resources to achieve the Canadian Grain Commission’s organizational objectives.
Management action plan:
A process has been drafted for the quarterly monitoring of people plans. Human
Resources has developed a template and instructions to assist in the quarterly
monitoring of divisional people plans.
Divisions have submitted progress reports of their people plans for the first quarter of
2011-2012 for review by Human Resources. A summary of this review was prepared for
and discussed with the Executive Management Committee in August 2011.
Divisions will continue to track their people plans on a quarterly basis. A review of
quarterly monitoring will be conducted to identify ways to better consolidate monitoring
mechanisms with other aspects of the Canadian Grain Commission integrated planning
process by March 31, 2012.
Respondent: Director, Human Resources

3.12
Recommendation:
We recommend that management implement a performance cycle for each Canadian
Grain Commission division to enhance the ability to formally track and monitor the
Performance Development and Achievement Program process. In addition, Human
Resources should implement a process to ensure that those individuals receiving
Personal Development and Achievement Program training are in fact completing
Personal Development and Achievement Plans in a timely manner.
Management action plan:
Human Resources will draft measures and indicators that can be used to monitor the
quantitative and qualitative aspects of the effectiveness of Personal Development and
Achievement Program implementation. Measures will include those required for all
divisions and those recommended by divisional management. This will include reviewing
measures in the Public Service Management Dashboard. Human Resources will also
consult with Employee Services and the administration officers group on mechanisms to
monitor and track this information efficiently within divisions. Measures, and the
corresponding monitoring plan, will be presented to the Executive Management
Committee for approval by March 31, 2012.
Human Resources will meet with each divisional management team to develop a plan to
select and monitor the Personal Development and Achievement Program measures by
June 30, 2012. This will also include determining the performance cycle for employees
within each division.
Human Resources will develop a process and an accountability mechanism as part of the
Personal Development and Achievement Program training, to assist individuals in
completing their Personal Development and Achievement Program in a timely manner,
by June 30, 2012.
Human Resources will review reports from the Personal Development and Achievement
Program monitoring and tracking system within three months of the training to confirm
that participants have initiated their Personal Development and Achievement Program.
Follow-up will occur for those that have not implemented Personal Development and
Achievement Program.
Respondent: Director, Human Resources

3.18
Recommendation:
We recommend, in continuing to refine the Integrated Risk Management process:
a. The Integrated Risk Management sub-group of the Integrated Planning Working Group
and other key stakeholders be educated on how to assess residual risk as it relates to
the annual environmental scan and other risks identified.
b. Management develop a timeline to implement the future plan of assessing residual
risk for each of the 8 risk areas identified as part of the Canadian Grain Commission’s
corporate risk profile.
c. Management develop an action plan to determine the position or Canadian Grain
Commission unit that will be accountable for coordinating and monitoring Integrated
Risk Management on a long-term basis.
Management action plan:
a. An option to educate Commissioners, Executive Management and other key
stakeholders on the nature of residual risk will be developed by March 31, 2013.
b. The identification of risk owners for each of the 8 risk areas in the Corporate Risk
Profile will be completed by June 30, 2013. Subsequent to the educational session,
executive management and risk owners will be expected to apply information from the
learning session in order to assess the residual risk for each of the 8 areas of the
corporate risk profile. Completion of residual risk assessment is anticipated by March 31,
2013.
c. A succession plan is in place for the Corporate Development Advisor within Corporate
Services. The Corporate Development Advisor is accountable for coordinating and
monitoring Integrated Risk Management on a long-term basis.
Respondent: Director, Corporate Services

3.19
Recommendation:
We recommend that management develop an action plan to place greater focus on
integrating the operational planning phase of the Canadian Grain Commission's annual
planning cycle. This will ensure the resources required for day-to-day delivery of program
activities (which are essential in achieving the Canadian Grain Commission's mandate)
are planned and monitored throughout the year.
Management action plan:
Corporate Planner and Project Manager and Integrated Planning Working Group to:
• Identify and engage leaders for key Canadian Grain Commission operational planning
processes by September 30, 2011
• Develop an integrated operational planning calendar that reflects current operational
planning processes by December 31, 2011
• Research best practices in integrated operational planning at other government
departments by March 31, 2012
• Present a multi-year plan to the Executive Management Committee proposing
enhancements to operational planning timelines, processes and tools by April 30, 2012
and commence implementation of the plan during the 2012-13 fiscal year
Respondent: Director, Corporate Services

3.24
Recommendation:
We recommend that management establish a process for ensuring that policies,
procedures and other information necessary in carrying out Canadian Grain
Commission’s mandate, programs and activities be regularly reviewed and updated as
required. This will ensure that employees have the most accurate and up-to-date
information available. Policies and procedures that are currently under development or
being re-written should be closely monitored and promptly communicated to employees
upon completion.
Management action plan:
An overview of the majority of policies and procedures has been incorporated into an
easy-to-use tracking chart. This will be presented to the Executive Management
Committee on October 6, 2011.
Divisional directors will assign their leads to establish regular reviews. Divisions will be
responsible for tracking updates. Policy changes will go to the Executive Management
Committee as specified in the Executive Management Committee terms of reference.
The web site will be updated by Multimedia Services and Communications until the web
content management system is in place and then leads will update their own information.
Respondent: Director, Corporate Services

3.36
Recommendation:
We recommend that management develop a plan to ensure that process owners and
control owners for internal controls over financial reporting receive proper training so that
they are aware of their roles and responsibilities in ensuring that internal controls over
financial reporting are appropriately designed and continue to operate effectively. This
training should be provided to other employees as required.
Management action plan:
Financial risk assessment will be performed to determine key business processes
required for purposes of documenting internal controls over financial reporting.
Identification of process and control owners for all key business processes will be
completed by March 2012.
Training will be provided once process and control owners (and other employees as
applicable) have been identified. This training will ensure that they are aware of their
roles and responsibilities in ensuring that Internal Controls over Financial Reporting are
appropriately designed and continue to operate effectively. Training will occur throughout
the project and may occur in various forms, including newsletter articles, emails,
presentations or formal training sessions.
Respondent: Chief Financial Officer
2.0 Audit report
Background
2.1 The Treasury Board Policy on Internal Control, which took effect on April 1, 2009, was
introduced to ensure that risks relating to the reliability of financial reporting are
adequately managed through a risk-based system of internal controls over Financial
Reporting. Under the Policy on Internal Control, organizations are required to document
and assess 3 levels of controls, one being entity-level controls.
2.2 As stated in the Policy on Internal Control: Diagnostic Tool for Departments and
Agencies, entity-level controls
are those controls that are pervasive across a department. They include the ‘tone
from the top’ including the organization’s culture, values and ethics, governance,
transparency and accountability mechanisms as well as the activities and tools
put in place across the organization to raise staff awareness, ensure clear
understanding of roles and responsibilities and solid capacities and abilities in
managing risks well.
2.3 As the first phase of implementing the Policy on Internal Control and conducting the
audit, Finance and Audit and Evaluation Services jointly undertook documentation of the
Canadian Grain Commission’s entity-level controls. They used the most commonly used
framework for assessing and documenting entity-level controls, which was developed by
the Committee of Sponsoring Organizations.
2.4 The Committee of Sponsoring Organizations of the Treadway Commission is a
private-sector organization chartered to research and report on improving the quality of financial
reporting through values and ethics, internal controls and good organizational
governance. In 1992 the Committee of Sponsoring Organizations developed the Internal
Controls - Integrated Framework, which is still widely used in assessing entity-level
controls to this day.
2.5 As part of the Internal Controls - Integrated Framework, the Committee of Sponsoring
Organizations defined the following 5 broad categories. These categories, which were
considered in the documentation and assessment of the Canadian Grain Commission’s
entity-level controls, are:
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring
A definition for each category has been provided throughout the body of the report. Each
category is further broken down into a varying number of sub-categories. For example,
the Monitoring Category includes 3 separate sub-categories: Ongoing Monitoring,
Separate Evaluations and Reporting Deficiencies. Refer to Appendix A for further
details.
2.6 Entity-level controls are considered similar to the components of the Management
Accountability Framework. Similar to entity-level controls, the Management
Accountability Framework outlines the Treasury Board’s expectations for good public
service management. It is structured around 10 key sub-categories, essential in ensuring
an organization is well-managed.
2.7 Given that the Canadian Grain Commission is considered to be a small agency, it is
assessed for Management Accountability Framework purposes by the Treasury Board
Secretariat every third year. During the fiscal year 2010-2011, the Canadian Grain
Commission was required to participate in the Management Accountability Framework
Round VIII assessment. The timing of the assessment was beneficial as documentation
prepared by the Canadian Grain Commission for Management Accountability
Framework VIII could be used for certain sub-categories of the Committee of
Sponsoring Organizations Internal Controls - Integrated Framework.
Audit objective
2.8 The objective of the audit is to document and assess the design of the entity-level
controls in place at the Canadian Grain Commission in order to provide assurance of
their adequacy and to provide recommendations to improve noted deficiencies, if
appropriate.
Audit scope
2.9 The Policy on Internal Control came into effect April 1, 2009. While the Policy on Internal
Control requires the documentation and assessment of all 3 levels of controls
(entity-level controls, information technology general controls and process level controls), the
scope of the audit has been limited to the documentation and assessment of the design
of entity-level controls.
2.10 Evidence to support the key entity-level controls was collected from various sources,
including: documentation submitted for Management Accountability Framework VIII;
interviews with Commissioners, Executive Management and selected employees;
documentation obtained from selected employees; and information posted on StaffNet,
the Canadian Grain Commission’s internal web site.
2.11 The scope of the audit explicitly excluded the test of operating effectiveness of
entity-level controls in place at the Canadian Grain Commission. Note that the test of
operating effectiveness would provide assurance that the controls continue to operate
as intended over a period of time. Test of design provides assurance that controls are
appropriately designed to mitigate the risks they are intended to address.
Audit criteria
2.12 Each of the sub-categories within the 5 Committee of Sponsoring Organizations
categories described above is further broken down into a series of statements. The
statements can be directly linked to an identified key entity-level control. There are a total
of 82 statements within the Committee of Sponsoring Organizations framework.
2.13 The Audit Criteria for the assessment of entity-level controls can be simply summarized
as the existence and design effectiveness of key entity-level controls for each of the 82
statements identified as part of the Committee of Sponsoring Organizations Framework.
Approach and methodology
2.14 The audit included interviews and examination of relevant communications, reports and
other documentation related to entity-level controls.
2.15 The detailed examination phase was conducted from November 2010 to March 2011. It
focused on identifying and assessing the design effectiveness of key entity-level
controls. Procedures performed during the examination phase included:
o Reviewing Management Accountability Framework VIII information and
submissions to determine which Management Accountability Framework
documentation could be matched to the Committee of Sponsoring Organizations
Internal Controls - Integrated Framework.
o Assessing information gaps resulting from the inability to directly link Management
Accountability Framework VIII to the Committee of Sponsoring Organizations
Internal Controls - Integrated Framework and determining what further evidence
would be required.
o Developing an entity level control matrix to assess key controls in place for each of
the 82 statements that make up each of the sub-categories within the 5 broad
categories of the Committee of Sponsoring Organizations Internal Controls -
Integrated Framework.
o Interviewing Executive Management, the Commissioners and other selected
employees to:
  ▪ Obtain an understanding of Management’s attitude towards controls at the
  entity level on a collective basis
  ▪ Corroborate that the entity-level controls identified through review of
  Management Accountability Framework VIII documentation are key controls
  according to Management
  ▪ Provide management with the opportunity to identify what they consider to be
  the Canadian Grain Commission’s key entity-level controls which may not have
  been covered as part of Management Accountability Framework VIII
2.16 As a result of the information reviewed and testing conducted during the audit, findings
and potential recommendations were developed to allow for strengthening of the
Canadian Grain Commission’s entity-level controls. These were reviewed with the Chief
Operating Officer and Chief Financial Officer. Management Action Plans were obtained
from Canadian Grain Commission management and incorporated into this report. A Final
Internal Audit Report was prepared to encompass management’s commitments for
improvement. The Final Report was reviewed on February 13, 2012 by the Departmental
Audit Committee, who recommended approval by the Chief Commissioner. The Chief
Commissioner subsequently approved this report.
3.0 Findings and recommendations
Overall entity-level control assessment
Findings:
3.1 As previously noted, Canadian Grain Commission entity-level controls were assessed
against the 5 broad categories of the Committee of Sponsoring Organizations Internal
Controls - Integrated Framework. Overall entity-level control ratings for each of
the categories were determined to be as follows:
Committee of Sponsoring Organizations Category    Rating
Control environment                               Acceptable
Risk assessment                                   Acceptable
Control activities                                Opportunity for improvement
Information and communication                     Acceptable
Monitoring                                        Opportunity for improvement
Refer to Entity-level control summary table in Appendix A for further details.
3.2 While certain categories received an overall rating of Opportunity for improvement or
Acceptable, individual Committee of Sponsoring Organizations sub-categories within
each of the 5 categories warrant further discussion. These are described further in each
of the 5 category sections below. The sub-categories within each of the 5 categories have
been bolded for purposes of linking to the results in Appendix A. It should be noted that
the following only provides a summary of findings and does not include a description of
all key entity-level controls identified through the assessment process.
Control Environment
Findings:
3.3 The control environment is influenced by management’s operating style and the
communication and promotion of values and ethics throughout the organization, which
are important factors in designing, administering and monitoring all control components
of an organization.
3.4 Management’s philosophy and operating style
Canadian Grain Commission Management’s philosophy and operating style, including
overall governance (e.g. the Commission, the Executive Management Committee and
Departmental Audit Committee), indicates that the principles of management excellence
are applied throughout the organization. The Executive Management Committee, the
Commission and the Departmental Audit Committee set an appropriate “tone from the
top” in guiding the Canadian Grain Commission in achieving its operational and strategic
objectives. The challenge that could present itself is that there are 2 levels of
governance: the Executive Management Committee and the Commission. Open
communication between the Executive Management Committee and the Commission
ensures that priorities remain realistic and that organizational objectives are achieved as
intended. However, there is currently no formal guidance on what information should be
presented to the Commissioners, the Chief Operating Officer or the Executive
Management Committee. Such guidance would be beneficial in educating new
Commissioners and new members of the Executive Management Committee or those in
acting assignments.
3.5 Assignment of authority and responsibility
Assignment of authority and responsibility is clearly communicated throughout the
organization. Open communication is encouraged and the Executive Management
Committee is committed to being effective leaders and modelling behaviors which
employees are expected to demonstrate. The Executive Management Committee
Charter demonstrates that the Executive Management Committee is committed to the
current and future direction of the organization.
3.6 Organizational structure
A clear and effective organizational structure that is linked to the Canadian Grain
Commission's Program Activity Architecture is in place and has been communicated to
employees and stakeholders via the Canadian Grain Commission web site. While
effective organizational structures are known and in place, the documentation has not
been updated on the Canadian Grain Commission’s web site. For example, the Chief
Financial Officer and the Chief Audit Executive report directly to the Chief
Commissioner. However, the web site has not been updated to reflect this. Management
has indicated that refinements will be reflected in an updated Governance Structure to
be submitted to Treasury Board during the 2011-12 fiscal year.
3.7 Integrity and ethical values
Management openly communicates the importance of integrity and ethical values
principles. These principles have been integrated into the organization’s programs and
activities. The Canadian Grain Commission has been developing an organizational
Values and Ethics Code throughout 2011. All government departments are required to
have their own code that is consistent with the new Treasury Board code scheduled for
completion by March 31, 2011. However, approval of the Treasury Board code has been
delayed. It is now scheduled for release in April 2012. The Canadian Grain Commission
is planning to publish its Values and Ethics Code shortly after the publication of the
Treasury Board's. In addition, an internal policy on formal disclosure procedures to
report known or suspected wrongdoing is currently under development.
3.8 Commitment to competence
Executive Management’s commitment to competence is demonstrated through a current
project to develop competency frameworks for numerous positions at the Canadian
Grain Commission. In addition, the Canadian Grain Commission has developed a
competency dictionary to assist management in determining competencies required to
perform a specific position’s responsibilities. 3 core competencies required for
appointment have been identified: Effective Interactive Communication, Adaptability and
Being a Team-Player. Management has also indicated that commitment to competence
is achieved through the People Planning process. However, there are some concerns
that deficiencies exist in the monitoring and tracking of the Canadian Grain
Commission-wide people plan and divisional people plans. Monitoring and tracking ensures that gaps
are being addressed throughout the year. People planning is considered during
Canadian Grain Commission’s integrated planning phase. However, input into integrated
planning related to people planning is only relevant and meaningful for the delivery of the
Canadian Grain Commission’s mandate, if people plans continue to be reviewed and
revised on an on-going basis. Discussions with Human Resources indicate that there
are plans to formalize the process wherein divisional teams would meet with Human
Resources on a quarterly basis to go over divisional people plans, perform a variance
analysis and re-prioritize where necessary. Significant variances would then be tabled at
the Executive Management Committee.
3.9 Human resources policies and practices
Several Human Resource policies and practices exist and have been communicated to
employees. They include, but are not limited to, the People Management Framework,
Canadian Grain Commission training requirements, and the Informal Conflict
Management System. In addition, the Canadian Grain Commission has developed the
Performance Development and Achievement Program. However, a more comprehensive
tracking process to monitor implementation is required. Currently the performance cycle
is not aligned with the Canadian Grain Commission’s fiscal year end. Human Resources
rely on each Canadian Grain Commission division to collect information about how many
employees within the division have completed their Performance and Learning
Agreement regardless of the cycle. While directors and their direct reports have
completed their Performance and Learning Agreements, approximately 60% of
Canadian Grain Commission employees (particularly in the regions) have not had the
opportunity to fully participate in the program. The organization continues to roll out
Personal Development and Achievement Program training to educate employees on
how to link their personal performance objectives with the strategic outcome of the
Canadian Grain Commission.
Recommendations:
3.10 We recommend that the Executive Management Committee and the Commissioners
establish a formal Terms of Reference document to specify what information is to be
communicated to the Commissioners, the Chief Operating Officer or the Executive
Management Committee including the timing of such communication.
3.11 We recommend that management implement and approve a formal process to ensure
that Divisional People Plans are reviewed on a quarterly basis to ensure that gaps
identified are addressed and re-prioritized as necessary in securing human resources to
achieve the Canadian Grain Commission’s organizational objectives.
3.12 We recommend that management implement a performance cycle for each division to
enhance the ability to formally track and monitor the Performance Development and
Achievement Program process. In addition, Human Resources should implement a
process to ensure that those individuals receiving Personal Development and
Achievement Program training are in fact completing Personal Development and
Achievement plans in a timely manner.
Risk Assessment
Findings:
3.13 Every organization faces a variety of risks from external and internal sources that must
be assessed at entity-wide and activity levels throughout its operation. Management’s
approach to managing organizational risk is an essential factor in ensuring the
sustainability of an organization.
3.14 Entity-wide objectives
Entity-wide objectives have been established and communicated to employees and
industry stakeholders through the Canadian Grain Commission’s mandate, vision,
values and strategic outcome as well as through the Departmental Report on Plans and
Priorities and the Departmental Performance Report. The Canadian Grain Commission’s
plans and priorities are consistent with the Canadian Grain Commission's mandate and
the strategic direction of the organization. Significant efforts have been placed on
strategic planning over the past few years. However, less emphasis has been placed on
operational planning. Management is aware of this issue and has decided to focus more
on operational planning. Plans include closer monitoring of Key Performance Indicators
related to program activities on a quarterly basis and the identification of additional
quantitative program activity Key Performance Indicators.
3.15 Activity-level objectives
Performance against targets of activity-level objectives is reported to the Executive
Management Committee through a quarterly tracking tool that captures results
information and challenges and lessons learned related to each of the organization’s
program activities. This tool also captures results, challenges and lessons learned
related to the Canadian Grain Commission’s strategic priorities. Strategic priorities are
identified as part of the annual Strategic Planning Process.
3.16 Risks and change management
The Canadian Grain Commission has taken action to address risks and change
management affecting the organization. A corporate risk profile exists. The Integrated
Risk Management project, started in 2010, resulted in input to the 2011-2012 strategic
planning process. The identified risks have been linked to the organizational Program
Activity Architecture and have been considered as part of the Report on Plans and
Priorities. Likelihood and impact were considered as part of the risk assessment
process; however, residual risk has not been ranked. Currently, the Integrated Risk
Management project remains a work in progress with future plans to enhance the
process as follows:
• Identify the level of residual risk for each of the 8 risk areas identified in the
Canadian Grain Commission’s Corporate Risk Profile
• The Corporate Risk Profile to be revised, completed and Canadian Grain
Commission staff notified of its completion
• Risk management training for staff to be undertaken by the Canadian Grain
Commission within the next 2 years
While the Integrated Risk Management project and working group continue to be led by
the Corporate Development Advisor, currently there is no formal plan in place to
transition the coordination and ongoing monitoring of Integrated Risk Management upon
the upcoming retirement of the Corporate Development Advisor. Given that risk
management is an essential component in effectively managing an organization,
responsibility for such a function should be assigned at all times.
3.17 The Policy and Planning Group is responsible for coordinating and preparing the
Canadian Grain Commission’s annual environmental scan which identifies potential and
emerging threats, opportunities and risks that need to be considered by the Canadian
Grain Commission. Risks identified as part of the environmental scan are not necessarily
ranked based on likelihood and impact to the organization. Going forward, the plan is to
integrate the Integrated Risk Management and Integrated Planning Working Groups for
purposes of the planning process. This would enhance the identification of key risks
which are identified as part of the environmental scan.
Recommendation:
3.18 We recommend that in continuing to refine the Integrated Risk Management process:
a. The Integrated Risk Management sub-group of the Integrated Planning Working
Group and other key stakeholders be educated on how to assess residual risk as it
relates to the annual environmental scan and other risks identified.
b. Management develop a timeline to implement the future plan of assessing residual
risk for each of the eight risk areas identified as part of the Canadian Grain
Commission’s corporate risk profile.
c. Management develop an action plan to determine the position(s) or Canadian Grain
Commission unit(s) that will be responsible or accountable for coordinating and
monitoring Integrated Risk Management on a long-term basis.
3.19 We recommend that management develop an action plan to place greater focus on
integrating the operational planning phase of the Canadian Grain Commission's annual
planning cycle. This will ensure the resources required for the day-to-day delivery of
program activities (which are essential in achieving the Canadian Grain Commission's
mandate) are planned and monitored throughout the year.
Control Activities
Findings:
3.20 Control activities
Control activities are policies and procedures for implementing management directives.
Control activities cover a wide spectrum and include but are not limited to delegated
authorities, verifications, security of assets, segregation of duties and information
systems.
3.21 Several policies and procedures for the program activities within the Canadian Grain
Commission’s Program Activity Architecture have been established and communicated.
Examples of such policies and procedures include:
• Industry Services QMS/ISO 9001:2008
• Financial Management
• Licensing Compliance Audits
• People Management
• Health and Safety
• Information Technology
3.22 Several policies and procedures necessary for the Canadian Grain Commission to carry
out its mandate are currently in place. However, there are also policies and procedures
that require further development to ensure that the Canadian Grain Commission
continues to operate as effectively and efficiently as possible. Management is currently
aware of the need to update certain policies and procedures including:
• Business Continuity and Information Technology Disaster Recovery Plan
• Grain Research Laboratory ISO 17025 Accreditation
• Grain Research Laboratory overall program policies and procedures
• Information Technology and Non-Information Technology Asset Management
• Information Management
3.23 In addition, there is currently no working group or process in place to regularly review
and update financial policies and procedures or other organizational policies and
procedures. Such policies and procedures are reviewed regularly, but on an ad hoc
basis. It is the responsibility of each divisional unit to ensure information is kept current.
Discussions with management suggest that StaffNet needs to be reviewed and updated
to ensure that the most recent policies and procedures are being communicated to staff.
Recommendation:
3.24 We recommend that management establish a process for ensuring that policies,
procedures and other information necessary in carrying out Canadian Grain
Commission’s mandate, programs and activities be regularly reviewed and updated as
required to ensure that employees have the most accurate and up-to-date information
available. Policies and procedures that are currently under development or being rewritten should be closely monitored and promptly communicated to employees upon
completion.
Information and Communication
Findings:
3.25 Information and communication
An organization needs information and communication at all levels to run the day-to-day
operations, and move towards achievement of its objectives.
3.26 Canadian Grain Commission management proactively communicates financial and non-financial information to employees, key stakeholders and other interested parties on a
timely basis. This is seen through the Report on Plans and Priorities, Departmental
Performance Report, the delivery of Odyssey and Leadership sessions to employees,
employee newsletters and announcements and consultation and communication with
external parties.
3.27 The Canadian Grain Commission has developed a 5-year global communications plan
that addresses both external and internal communications which has been approved by
the Executive Management Committee. While the plan’s contents remain a work in
progress, the Canadian Grain Commission web site provides a variety of information for
producers and other industry stakeholders including information about grain quality,
quantity and research, statistical information, legislation and policies and user fees.
3.28 The Canadian Grain Commission has developed several forms and procedures that
support the customer service and service improvement components of ISO 9001:2008.
The Canadian Grain Commission has also established a number of client feedback
committees that involve participation of several key stakeholders including grain
producers, producer groups, industry associations and grain companies.
3.29 The Canadian Grain Commission currently has an Information Management committee
that includes representatives from Statistics, Communications, Information Technology
and Administration to ensure the development of all information components is aligned
with the Records Information Management project. The Records Information
Management project is ongoing and is in stage 4 of the 5-stage project.
3.30 Information Technology Systems strategic and operational plans have been developed
and approved by the Executive Management Committee. The plans include actions to
ensure that records, data and information are properly secured and that controls are in
place to prevent unauthorized access. Given that these plans are relatively new, there is
currently no formal process for ensuring that operational and strategic initiatives are
being met. Management is aware of the issue and will be developing a strategy to track
progress of Information Technology Systems operational and strategic plans going
forward.
3.31 Given the size of the Canadian Grain Commission, resource constraints need to be
considered when allocating financial and human resources to information and
communication management which could in turn result in a lack of integration of
information systems throughout the organization; however, management is committed to
providing resources to information and communication management where feasible
given these resource constraints.
Monitoring
Findings:
3.32 Control systems, policies and procedures tend to change over time and thus monitoring
ensures that organizations continue to operate effectively in light of such changes.
3.33 Separate evaluations
Separate evaluations of organizational effectiveness are provided through various
sources including internal audit, central agency audits (e.g. Public Service Commission),
external audit (financial statements), Management Accountability Framework
assessments and, in the future, program evaluation. Management Action Plans are
identified in response to recommendations provided by internal audit and other external
parties. Discussion with the Executive Management Committee and the Commissioners
provided consistent messaging that before recommendations are agreed to and an
action plan is formulated, management must ensure the recommendations are practical
for the organization. Resource constraints including time, employees and funding need
to be considered when determining the best way to address issues that were identified.
3.34 Reporting deficiencies
The Committee of Sponsoring Organizations sub-category Reporting Deficiencies
focuses on ensuring there are proper mechanisms in place to identify internal control or
reporting deficiencies. It also ensures that appropriate follow-up actions are taken by
management to address any noted deficiencies. There are several controls in place to
identify reporting deficiencies. For example, financial results are presented to the
Commission and the Executive Management Committee for approval on a monthly
basis. The Departmental Audit Committee reviews and recommends financial
statements for approval on a quarterly basis. In addition, all members of the Executive
Management Committee are actively involved in the budgeting process. Re-profiling
requirements made during the year are approved by the Executive Management
Committee and the Commission.
3.35 Ongoing monitoring
From an ongoing monitoring perspective, it should be noted that internal controls over
financial reporting do exist. However, these have not been formally documented. Under
the Policy on Internal Control, the Canadian Grain Commission has yet to fully implement
a process to ensure control documentation and processes relevant for internal controls
over financial reporting remain current and up-to-date. The Canadian Grain
Commission has developed a multi-year action plan in order to comply with the Policy on
Internal Control. The new Statement of Management Responsibility and its annex were
completed by the Canadian Grain Commission within the required timelines for the fiscal
year 2010-2011. In addition, a Policy on Internal Control Steering Committee has been
established and will be meeting on an ongoing basis to determine the next steps of the
project, including risk assessment, scoping and control documentation. Given that the
Canadian Grain Commission is only in the initial phases of the Policy on Internal Control
project, training related to the ongoing monitoring of internal controls over financial
reporting has not been provided. Issues relating to the project will be addressed by the
Policy on Internal Control Steering Committee as the 3-year phased-in approach
continues to evolve.
Recommendation:
3.36 We recommend that management develop a plan to ensure that proper training is
provided to educate owners of the Internal Controls over Financial Reporting process
and control owners (and other employees as required) so that they are aware of their
roles and responsibilities in ensuring that internal controls over financial reporting are
appropriately designed and continue to operate effectively.
We express our appreciation to the Executive Management Committee and the Commissioners
for their assistance during the course of the audit.
This audit has been reviewed with:
Gordon Miles, Chief Operating Officer
Cheryl Blahey, Chief Financial Officer
Audit & Evaluation Services Contact
Brian Brown, Chief Audit Executive
Appendix A: Canadian Grain Commission - Entity-level control
assessment summary
| Category (1) / sub-category | Compliant (3) | Partially compliant (3) | Non compliant (3) | Weighted rating (3) |
|---|---|---|---|---|
| CE (Control Environment) (1) | | | | 88% |
| A – Integrity and ethical values | 50% | 50% | 0% | 75% |
| B – Commitment to competence | 50% | 50% | 0% | 75% |
| C – The Commission, the Executive Management Committee and Department Audit Committee | 89% | 11% | 0% | 94% |
| D – Management’s philosophy and operating style | 80% | 20% | 0% | 90% |
| E – Organizational structure | 67% | 33% | 0% | 83% |
| F – Assignment of authority and responsibility | 100% | 0% | 0% | 100% |
| G – Human Resources policies and practices | 100% | 0% | 0% | 100% |
| RA (Risk assessment) (1) | | | | 76% |
| A – Entity-wide objectives | 75% | 25% | 0% | 88% |
| B – Activity-level objectives | 86% | 14% | 0% | 93% |
| C – Risks | 50% | 50% | 0% | 75% |
| D – Managing change | 0% | 100% | 0% | 50% |
| CA (Control activities) (1) | | | | 50% |
| A – Control activities | 0% | 100% | 0% | 50% |
| IC (Information and communication) (1) | | | | 80% |
| A – Information | 50% | 50% | 0% | 75% |
| B – Communication | 71% | 29% | 0% | 86% |
| MON (Monitoring) (1) | | | | 67% |
| A – Ongoing monitoring | 22% | 57% | 11% | 51% |
| B – Separate evaluations | 0% | 100% | 0% | 50% |
| C – Reporting deficiencies | 100% | 0% | 0% | 100% |
| Assessment rating | Committee of Sponsoring Organizations Statements (2) | % |
|---|---|---|
| Compliant | 49 | 60% |
| Partially compliant | 32 | 39% |
| Non-compliant | 1 | 1% |
| Total | 82 | 100% |

Note 1: CE, RA, CA, IC and MON represent the 5 Committee of Sponsoring Organizations Categories within the Committee of Sponsoring Organizations Internal
Controls-Integrated Framework. Each of the Committee of Sponsoring Organizations Categories is further broken down into the sub-categories noted above.
Note 2: Each of the sub-categories noted within the Committee of Sponsoring Organizations Internal Controls-Integrated Framework has a varying series of
statements that can be directly linked to a key ELC for a total of 82 statements. 32 instances of partial compliance were noted which indicates that while not fully
compliant with 29 of the Committee of Sponsoring Organizations statements; actions are currently underway to achieving full compliance in the future. The one
instance of non-compliance relates to training on Internal Controls over Financial Reporting not yet provided to employees and will be addressed as the Policy on
Internal Controls project continues to evolve.
Note 3: Each statement within each sub-category was individually assessed and an overall rating for each sub-category has been assigned.