Audit of Compliance to the Treasury Board Policy on Internal Control

Audit of Compliance to the Treasury Board
Policy on Internal Control – Phase 1
Office of the Chief Audit and Evaluation Executive
Audit and Assurance Services Directorate
October 31, 2011
This publication is also available in French.
This publication is available upon request in alternative
formats.
This publication is available in PDF and HTML formats
on the Internet at http://www.pch.gc.ca/
© Her Majesty the Queen in Right of Canada, 2011
Catalogue No. ch6-9/2011E-PDF
ISBN: 978-1-100-20344-7
Table of Contents
Executive Summary
1. Introduction and Context
1.1 Authority for the Project
1.2 Background
2. Objective
3. Scope
4. Approach and Methodology
5. Observations and Recommendations
5.1 Governance and Accountability and Risk Management
5.1.1 Observation #1
5.1.2 Observation #2
Appendix A – Audit Criteria
Appendix B – Management Action Plan
Executive Summary
Introduction
The Audit of Compliance to the Treasury Board Policy on Internal Control-Phase 1 was
included in the 2011-12 to 2013-14 Risk Based Audit Plan to support the Deputy
Minister in his accounting officer role when signing the annual Departmental Statement
of Management Responsibility Including Internal Control over Financial Reporting. The
objective of this audit is to provide assurance that an adequate management control
framework is in place to effectively implement the Policy on Internal Control.
The Treasury Board Policy on Internal Control took effect on April 1, 2009. The
objective of the Policy is to ensure that risks relating to the stewardship of public
resources, including reliability of financial reporting, are adequately managed through the
maintenance of effective risk-based departmental systems of internal control.
Within the Department of Canadian Heritage (PCH), the Accounting Operations,
Financial Policy and Systems Directorate of the Financial Management Branch, is
responsible for the implementation of the Policy on Internal Control, and managing the
internal control over the financial reporting framework in support of the Statement of
Management Responsibility Including Internal Control Over Financial Reporting.
Key Findings
Strengths
During the audit fieldwork, the audit team identified strengths that resulted in positive
findings, including:
- An Internal Control over Financial Reporting (ICOFR) Framework for
  implementing the Policy on Internal Control (PIC) has been developed and
  established following the guidelines published by the Office of the Comptroller
  General (OCG).
- Roles, responsibilities and accountabilities for internal controls, including over
  financial reporting, are documented.
- Procedures, guides, tools and resources are identified and/or developed to support
  the implementation of the Policy on Internal Control.
- Long-term and annual risk-based strategies are developed, communicated,
  monitored and reported on as part of the implementation of the Policy on Internal
  Control.
- A risk analysis was done of the financial account and area level and is consistent
  with OCG expectations.
- Expected results related to the implementation have been defined, monitored and
  adjusted as needed.
Observations
The audit team also identified areas where management practices and processes can be
improved. The following are observations made by the audit team that highlight areas of
improvement that should be addressed by PCH.
1. The Five-Year Plan on Internal Control, including its risk assessment, has to be
updated on a yearly basis.
2. An annual project plan for 2011-12 that includes defined accountabilities, timelines,
deliverables and outputs has yet to be developed to supplement the five-year high-level plan by AOFPS.
Recommendations
1. The Director General of Financial Management Branch should ensure that the
Five-Year Plan on Internal Control is revised to include a requirement to perform
an annual update to the ICOFR Framework including its risk assessment.
2. The Director General of the Financial Management Branch should ensure that a
detailed annual project plan including defined accountabilities, timelines,
deliverables, and outputs for the year related to the implementation of the Policy
on Internal Control is established, communicated, monitored and adjusted as
needed.
Statement of Assurance
In my professional judgment as Chief Audit and Evaluation Executive, sufficient and
appropriate audit procedures have been conducted and evidence gathered to support the
accuracy of the opinion provided and contained in this report.
Audit Opinion
In my opinion, an adequate management control framework is in place to effectively
implement the Policy on Internal Control and support the development of the Statement
of Management Responsibility. The audit has identified some minor control weaknesses
that require management attention related to an annual update to the ICOFR Framework
including its risk assessment to support the implementation of the Five-Year Plan on
Internal Control and the development of a detailed annual project plan.
__________________________________________________
Richard Willan, CGA
Chief Audit and Evaluation Executive
Department of Canadian Heritage
Audit Team Members
Maria Lapointe-Savoie, Director, Audit and Assurance Services
Dylan Edgar, A/Audit Manager
Joelle Huneault, CIA, A/Team Leader
Joanna Chorabik, CA, Auditor
With the assistance of external resources
1. Introduction and Context
1.1 Authority for the Project
The Audit of Compliance to the Treasury Board Policy on Internal Control-Phase 1 was
included in the 2011-12 to 2013-14 Risk-Based Audit Plan to support the Deputy
Minister in his role as accounting officer when signing the annual Departmental
Statement of Management Responsibility Including Internal Control over Financial
Reporting.
1.2 Background
The Treasury Board Policy on Internal Control (PIC) took effect on April 1, 2009 and is
issued pursuant to section 7 of the Financial Administration Act. The policy will be
phased in over a period of three years based on each department’s state of readiness. The
objective of this policy is for risks relating to the stewardship of public resources to be
adequately managed through effective internal controls, including internal controls over
financial reporting. Internal controls over financial reporting are divided into three
categories: entity-level, transaction-level, and information technology controls. Reviews
of entity-level controls were undertaken in 2008 and for Information Technology
Application Controls in 2009.
The Policy requires the Deputy Minister and Chief Financial Officer of Canadian
Heritage to sign an annual Statement of Management Responsibility Including Internal
Control over Financial Reporting. This Statement prefaces the Departmental financial
statements, and includes the following:
- acknowledgement of management’s responsibility to ensure that an effective
  system of internal controls over financial reporting is maintained;
- acknowledgement of the conduct of an annual assessment of the effectiveness of
  the system of internal controls;
- acknowledgement of the establishment of an action plan; and
- a summary of the results of the assessment and the actions taken in response to
  issues.
The expected results of the Policy are the following:
- An effective risk-based system of internal control is in place in departments and is
  properly maintained, monitored and reviewed, with timely corrective measures
  taken when issues are identified; and
- An effective system of internal control over financial reporting is operating in
  departments as demonstrated by the Departmental Statement of Management
  Responsibility Including Internal Control over Financial Reporting.
The Accounting Operations, Financial Policy and Systems (AOFPS) Directorate of the
Financial Management Branch has developed an Internal Control over Financial
Reporting (ICOFR) Framework (2010). This framework documents the state of
implementation of the Policy on Internal Control, the procedures, tools and resources
used in the assessment of ICOFR, and the current gaps. The ICOFR states that the focus
of control effectiveness for the purposes of the Policy on Internal Control will be on key
control activities within the various business processes at PCH and not on entity-level
controls as it is more effective to rely on business process control activities. At the
foundation of the ICOFR is a maturity model that facilitates a common and objective
view of the robustness of controls across PCH. This maturity model is used to monitor
the status of each area identified during the planning phase of this compliance audit based
on PCH’s operations and its financial statements, and illustrates where the Department
needs to be to achieve certification of internal controls. The maturity model comprises
five levels and the Department must reach Level 4 to meet the requirements of the Policy
on Internal Control. Level 4 is where periodic testing is conducted on standardized
controls to ensure effective design and operation with reporting to PCH management, and
is the level required for PCH to be ready for a controls-reliant audit. The self-assessment
conducted by management has determined PCH to be at Level 4.
Between 2008 and 2010, various presentations were made to PCH Governance
Committees on financial matters such as Updates on the Audited Financial Statements
Initiative (May 2009) to the Operations and Management Committee; presentation of the
Policy on Internal Control to the Deputy Minister and Associate Deputy Minister
(January 2010), and presentation of the new financial requirements to the Executive
Committee (April 2010) and the Finance Committee (October 2010). The presentations
specific to the ICOFR Framework were made to the Finance Committee in April 2010
and to the Departmental Audit Committee in June 2010. In May 2011, the Finance
Committee endorsed the Five-Year Plan on Internal Control for 2011-12 to 2015-16
which was subsequently presented to the Departmental Audit Committee in June 2011 for
review purposes.
The AOFPS has also prepared a Five-Year Plan on Internal Control which highlights the
current status of the control activities, walkthroughs, and testing of controls, and
identifies the work that will be done for each key business process.
The Audit of Compliance to the Treasury Board Policy on Internal Control will be
divided into three phases, completed over three years. Phase 1 will focus on the
management control framework used in the implementation of the Policy on Internal
Control, while Phases 2 and 3 will focus on the processes and controls in place to ensure
compliance with the Policy on Internal Control.
2. Objective
The overall objective of this three-phase audit is to provide assurance that Canadian
Heritage is in compliance with the Policy on Internal Control.
The objective of Phase 1 is to provide assurance that an adequate management control
framework is in place to effectively implement the Policy on Internal Control.
The objective of Phases 2 and 3 is to provide assurance that adequate processes and
controls are in place to ensure compliance with the Policy on Internal Control and PCH
policies and procedures.
3. Scope
The Audit of Compliance to the Treasury Board Policy on Internal Control – Phase 1
began in May 2011 and was completed on October 31, 2011. The scope of Phase 1
includes the governance, accountability, risk management, and results and performance
related to the management control framework that has been established within the
Financial Management Branch to implement the Policy on Internal Control.
The scope of Phases 2 and 3 will focus on the testing of the adequacy of the processes
and internal controls.
4. Approach and Methodology
All audit work was conducted in accordance with the Treasury Board Secretariat’s
Internal Auditing Standards for the Government of Canada, and Policy on Internal Audit.
The audit criteria were developed using OCG guidance on internal controls and the audit
methodology included:
- a review of the organization’s documentation, guidelines, procedures, policies,
  and relevant legislation;
- a review of the implementation of the Policy on Internal Control as per OCG
  guidance;
- a review of the process mapping/flowcharting exercise to demonstrate
  organization processes and accountability obligations; and,
- collection of data through interviews and observations with the organization’s
  personnel to examine processes, procedures and practices.
5. Observations and Recommendations
Based on evidence gathered through an examination of documentation, interviews
conducted and analysis, each audit criterion was assessed by the audit team. Conclusions
for each criterion are provided in Appendix A. During the course of the audit, minor
findings were communicated through a Management Letter.
5.1 Governance and Accountability and Risk Management
5.1.1 Observation #1
The Five-Year Plan on Internal Control, including its risk assessment, has to be
updated on a yearly basis.
Analysis
A risk assessment was completed as part of the development of the Internal Control over
Financial Reporting (ICOFR) Framework and divided into two parts: a macro-level risk
analysis and a risk analysis of the financial account and area level.
- The macro-level risk analysis identifies potential macro risks but it does not provide
  supporting documentation on how the risks were identified or how they were used to
  assess the impact on the Department’s internal controls, financial statement accounts,
  disclosures and business processes for ICOFR purposes. Without a clear explanation
  of the macro-risk assessment methodology and results, the links with the detailed risk
  analysis of the financial accounts and areas are unclear.
- A risk analysis of the financial account and area level was completed and is consistent
  with OCG expectations. The portion of the risk assessment relating to financial
  statement decomposition is also consistent with the expectations of the OCG
  diagnostic tool.
The ICOFR Framework and the risk assessments are undated as to when they were
completed. The update of the ICOFR Framework, including its risk assessment, is not
listed as one of the planned activities included in the Five-Year Plan on Internal Control.
Therefore, it is unclear how often the ICOFR Framework and its risk assessment will be
reviewed and updated.
As per the Policy on Internal Control (p.3) and indicated in the ICOFR (p.36), the Deputy
Minister needs to have reasonable assurance of the effectiveness of the ICOFR, that it is
maintained and monitored on an annual basis and includes the conduct of an annual risk
assessment. Additionally, significant issues need to be addressed in a timely manner
before the Deputy Minister signs the annual Statement of Management Responsibility
Including Internal Control over Financial Reporting. The results of this annual work
could have an impact on the Five-Year Plan on Internal Control.
Risk Assessment
Without periodic reviews, the ICOFR Framework which supports PCH’s implementation
of the Policy on Internal Control can become out-dated and may not reflect the risks and
state of internal controls. This increases the risk that PCH is non-compliant with the
Policy on Internal Control.
Recommendation
The Director General of Financial Management Branch should ensure that the Five-Year
Plan on Internal Control is revised to include a requirement to perform an annual update
to the ICOFR Framework including its risk assessment.
5.1.2 Observation # 2
An annual project plan for 2011-12 that includes defined accountabilities,
timelines, deliverables and outputs has to be developed to supplement the 5-year high-level plan by AOFPS.
Analysis
The Accounting Operations, Financial Policy and Systems Directorate (AOFPS)
developed a Five-Year Plan on Internal Control for 2011-12 to 2015-16. This high-level
risk based plan provides the current status of the control activities, walkthroughs, and
testing of controls, and identifies the work that will be done for each key business process
over the next five years. The status of work is monitored via the Five-Year Plan on
Internal Control. This plan has been adjusted to reflect the current status of activities and
was presented to the Finance Committee (May 2011) for endorsement prior to its
presentation to the Departmental Audit Committee (June 2011).
AOFPS directorate performs design testing, operating effectiveness testing of key
business processes, and risk-based account verification/sampling of financial
transactions. Remediation plans are developed and adjustments are made based on the
results of testing. For example, changes to account verification were made based on
operating effectiveness outcomes.
Risk Assessment
Without a detailed annual project plan that is shared and communicated with
stakeholders, there is a risk that key activities, such as testing/reporting, may not be
performed as required by the long-term plan, resulting in non-compliance with the policy.
Recommendation
The Director General of the Financial Management Branch should ensure that a detailed
annual project plan including defined accountabilities, timelines, deliverables, and
outputs for the year related to the implementation of the Policy on Internal Control is
established, communicated, monitored and adjusted as needed.
Appendix A – Audit Criteria
The conclusions reached for each of the audit criteria used in the audit were developed
according to the following definitions.
Numerical Categorization: 1
Conclusion on Audit Criteria: Well Controlled
Definition of Conclusion:
- well managed, no material weaknesses noted; and
- effective.

Numerical Categorization: 2
Conclusion on Audit Criteria: Controlled
Definition of Conclusion:
- well managed, but minor improvements are needed; and
- effective.

Numerical Categorization: 3
Conclusion on Audit Criteria: Moderate Issues
Definition of Conclusion: Has moderate issues requiring management focus (at
least one of the following two criteria needs to be met):
- control weaknesses, but exposure is limited because likelihood of risk
  occurring is not high;
- control weaknesses, but exposure is limited because impact of the risk is
  not high.

Numerical Categorization: 4
Conclusion on Audit Criteria: Significant Improvements Required
Definition of Conclusion: Requires significant improvements (at least one of the
following three criteria needs to be met):
- financial adjustments material to line item or area or to the department; or
- control deficiencies represent serious exposure; or
- major deficiencies in overall control structure.

The following are the audit criteria and examples of key evidence and/or observations
noted which were analyzed and against which conclusions were drawn.
Criteria #: 1
Audit Criteria: An adequate framework for implementing the Policy on Internal
Control is established, communicated and approved by the CFO and senior
management.
Conclusion on Audit Criteria: 1
Examples of Key Evidence / Observation:
- The PCH “Internal Control over Financial Reporting framework” for
  implementing the Policy on Internal Control is established and contains the
  expected elements.
- The ICOFR was not presented to the Operations and Management Committee and
  to the Executive Committee for review/endorsement. However, it was presented
  to the Finance Committee and the DAC in 2011.
- No formal documented approval by the CFO and Senior Management on the ICOFR
  Framework.

Criteria #: 2
Audit Criteria: Roles, responsibilities and accountabilities for internal
controls, including over financial reporting, are documented, communicated and
understood by stakeholders.
Conclusion on Audit Criteria: 1
Examples of Key Evidence / Observation:
- The Annex to the Statement of Management Responsibility contains the
  documentation of roles, responsibilities, and accountabilities for internal
  controls. It was presented to the Finance Committee and the Departmental
  Audit Committee but not to the Operations and Management and Executive
  Committees.
- The audit team found that no additional training requirement was identified
  for Managers following the implementation of the Policy on Internal Control.

Criteria #: 3
Audit Criteria: Procedures, guides, tools and resources are identified and/or
developed to support the implementation of the Policy on Internal Control.
Conclusion on Audit Criteria: 1
Examples of Key Evidence / Observation:
- Procedures, guides and tools developed by AOFPS include procedures for
  testing operating effectiveness and account verification, procedures for
  financial statement account preparation, procedures for administrative
  personnel for year end, and guidelines for the recording and management of
  commitments.

Criteria #: 4
Audit Criteria: A risk assessment was completed and documented to identify the
financial risk environment, the riskiness of material financial processes and
the high-risk areas.
Conclusion on Audit Criteria: 2
Examples of Key Evidence / Observation:
- The financial statement decomposition risk assessment assessed the key risks
  facing the key financial statement accounts in sufficient detail and was
  consistent with the expectations of the guidance provided by the OCG.
- For the macro risk assessment, as described in the ICOFR Framework, no
  documentation was available to support the methodology used and the
  conclusions drawn.
- The risk assessments are not dated as to when they were completed. In
  addition, it is unclear how often the risks will be reviewed and updated as
  they are not identified as activities in the Five-Year Plan on Internal
  Control.

Criteria #: 5
Audit Criteria: Long-term and annual risk-based strategies are developed,
communicated, monitored and reported on as part of the implementation of the
Policy on Internal Control.
Conclusion on Audit Criteria: 2
Examples of Key Evidence / Observation:
- The strategies identified in the ICOFR and Five-Year Plan on Internal Control
  are risk based because they focus first on the highest risk business
  processes (grants and contributions, purchases and payables).
- A long-term (five-year) plan on internal controls was recently developed and
  endorsed by the Finance Committee (May 2011) and approved by the Departmental
  Audit Committee (June 2011).
- The Five-Year Plan on Internal Control has yet to be presented to the
  Operations and Management Committee and to the Executive Committee for
  review/endorsement.
- Reporting on the implementation activities completed within the year and
  planned over the next 5 years is done as part of the Annex to the Statement
  of Management Responsibility on an annual basis.
- An annual plan on internal controls that details the activities, timing, and
  resources required to complete the required actions as per the five-year
  plan has yet to be developed.

Criteria #: 6
Audit Criteria: Expected results related to the implementation of the Policy on
Internal Control have been defined, communicated, monitored and are adjusted as
needed.
Conclusion on Audit Criteria: 1
Examples of Key Evidence / Observation:
- The expected results related to the implementation have not been properly
  communicated.
- AOFPS directorate performs design testing, operating effectiveness testing of
  key business processes, and risk-based account verification/sampling of
  financial transactions. Remediation plans are developed and adjustments are
  made based on the results of testing.
- The status of work is monitored via the Five-Year Plan on Internal Control.
  This is a high-level plan which provides the current status of the control
  activities, walkthroughs, and testing of controls, and identifies the work
  that will be done for each key business process over the next 5 years.

Appendix B – Management Action Plan
Project Title: Audit of Compliance to the Treasury Board Policy on Internal Control – Phase 1
MANAGEMENT ACTION PLAN
5.1 Governance and Accountability and Risk Management

Recommendation: The Director General of Financial Management Branch should ensure that
the Five-Year Plan on Internal Control is revised to include a requirement
to perform an annual update to the ICOFR Framework including its risk
assessment.
Agreed
Actions: ICOFR Framework will be updated annually starting in fiscal year 2011-12.
Risk assessment will be done as part of the Department’s Corporate Risk
Profile exercise once the Office of the Comptroller General (OCG) provides
guidance to departments via workshops. The OCG workshops are scheduled to take
place during the 2012 calendar year.
In addition, the FMB will document the approval of ICOFR and keep the DM
and senior management informed on an annual basis.
Who: Manager, Financial Policies & Internal Control
Target Date: April 2012 for ICOFR; May 2013 for risk assessment

Recommendation: The Director General of the Financial Management Branch should ensure
that a detailed annual project plan including defined accountabilities,
timelines, deliverables, and outputs for the year related to the
implementation of the Policy on Internal Control is established,
communicated, monitored and adjusted as needed.
Agreed
Actions: An annual project plan will be developed starting in fiscal year 2012-13.
Who: Manager, Financial Policies & Internal Control
Target Date: April 2012