Audit of Compliance to the Treasury Board Policy on Internal Control – Phase 1
Office of the Chief Audit and Evaluation Executive
Audit and Assurance Services Directorate
October 31, 2011

This publication is also available in French.
This publication is available upon request in alternative formats.
This publication is available in PDF and HTML formats on the Internet at http://www.pch.gc.ca/
© Her Majesty the Queen in Right of Canada, 2011
Catalogue No. ch6-9/2011E-PDF
ISBN: 978-1-100-20344-7

Table of Contents
Executive Summary
1. Introduction and Context
1.1 Authority for the Project
1.2 Background
2. Objective
3. Scope
4. Approach and Methodology
5. Observations and Recommendations
5.1 Governance and Accountability and Risk Management
5.1.1 Observation #1
5.1.2 Observation #2
Appendix A – Audit Criteria
Appendix B – Management Action Plan

Executive Summary

Introduction

The Audit of Compliance to the Treasury Board Policy on Internal Control – Phase 1 was included in the 2011-12 to 2013-14 Risk-Based Audit Plan to support the Deputy Minister in his accounting officer role when signing the annual Departmental Statement of Management Responsibility Including Internal Control over Financial Reporting. The objective of this audit is to provide assurance that an adequate management control framework is in place to effectively implement the Policy on Internal Control.

The Treasury Board Policy on Internal Control took effect on April 1, 2009. The objective of the Policy is to ensure that risks relating to the stewardship of public resources, including reliability of financial reporting, are adequately managed through the maintenance of effective risk-based departmental systems of internal control.
Within the Department of Canadian Heritage (PCH), the Accounting Operations, Financial Policy and Systems Directorate of the Financial Management Branch is responsible for implementing the Policy on Internal Control and for managing the internal control over financial reporting framework in support of the Statement of Management Responsibility Including Internal Control over Financial Reporting.

Key Findings

Strengths

During the audit fieldwork, the audit team identified strengths that resulted in positive findings, including:
- An Internal Control over Financial Reporting (ICOFR) Framework for implementing the Policy on Internal Control (PIC) has been developed and established following the guidelines published by the Office of the Comptroller General (OCG).
- Roles, responsibilities and accountabilities for internal controls, including over financial reporting, are documented.
- Procedures, guides, tools and resources are identified and/or developed to support the implementation of the Policy on Internal Control.
- Long-term and annual risk-based strategies are developed, communicated, monitored and reported on as part of the implementation of the Policy on Internal Control.
- A risk analysis was done at the financial account and area level and is consistent with OCG expectations.
- Expected results related to the implementation have been defined, monitored and adjusted as needed.

Observations

The audit team also identified areas where management practices and processes can be improved. The following observations made by the audit team highlight areas of improvement that should be addressed by PCH.
1. The Five-Year Plan on Internal Control, including its risk assessment, has to be updated on a yearly basis.
2. An annual project plan for 2011-12 that includes defined accountabilities, timelines, deliverables and outputs has yet to be developed to supplement the five-year high-level plan prepared by AOFPS.

Recommendations
1. The Director General of the Financial Management Branch should ensure that the Five-Year Plan on Internal Control is revised to include a requirement to perform an annual update to the ICOFR Framework, including its risk assessment.
2. The Director General of the Financial Management Branch should ensure that a detailed annual project plan, including defined accountabilities, timelines, deliverables and outputs for the year related to the implementation of the Policy on Internal Control, is established, communicated, monitored and adjusted as needed.

Statement of Assurance

In my professional judgment as Chief Audit and Evaluation Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report.

Audit Opinion

In my opinion, an adequate management control framework is in place to effectively implement the Policy on Internal Control and support the development of the Statement of Management Responsibility. The audit has identified some minor control weaknesses that require management attention, related to an annual update to the ICOFR Framework, including its risk assessment, to support the implementation of the Five-Year Plan on Internal Control, and to the development of a detailed annual project plan.

Richard Willan, CGA
Chief Audit and Evaluation Executive
Department of Canadian Heritage

Audit Team Members
Maria Lapointe-Savoie (Director, Audit and Assurance Services)
Dylan Edgar (A/Audit Manager)
Joelle Huneault, CIA (A/Team Leader)
Joanna Chorabik, CA (Auditor)
With the assistance of external resources

1. Introduction and Context

1.1 Authority for the Project

The Audit of Compliance to the Treasury Board Policy on Internal Control – Phase 1 was included in the 2011-12 to 2013-14 Risk-Based Audit Plan to support the Deputy Minister in his role as accounting officer when signing the annual Departmental Statement of Management Responsibility Including Internal Control over Financial Reporting.

1.2 Background

The Treasury Board Policy on Internal Control (PIC) took effect on April 1, 2009 and is issued pursuant to section 7 of the Financial Administration Act. The policy will be phased in over a period of three years based on departments' state of readiness. The objective of this policy is for risks relating to the stewardship of public resources to be adequately managed through effective internal controls, including internal controls over financial reporting.

Internal controls over financial reporting are divided into three categories: entity-level, transaction-level, and information technology controls. Reviews of entity-level controls were undertaken in 2008 and of Information Technology Application Controls in 2009.

The Policy requires the Deputy Minister and Chief Financial Officer of Canadian Heritage to sign an annual Statement of Management Responsibility Including Internal Control over Financial Reporting. This Statement prefaces the Departmental financial statements and includes the following:
- acknowledgement of management's responsibility to ensure that an effective system of internal controls over financial reporting is maintained;
- acknowledgement of the conduct of an annual assessment of the effectiveness of the system of internal controls;
- acknowledgement of the establishment of an action plan; and
- a summary of the results of the assessment and the actions taken in response to issues.
The expected results of the Policy are the following:
- An effective risk-based system of internal control is in place in departments and is properly maintained, monitored and reviewed, with timely corrective measures taken when issues are identified; and
- An effective system of internal control over financial reporting is operating in departments, as demonstrated by the Departmental Statement of Management Responsibility Including Internal Control over Financial Reporting.

The Accounting Operations, Financial Policy and Systems (AOFPS) Directorate of the Financial Management Branch has developed an Internal Control over Financial Reporting (ICOFR) Framework (2010). This framework documents the state of implementation of the Policy on Internal Control, the procedures, tools and resources used in the assessment of ICOFR, and the current gaps. The ICOFR Framework states that the focus of control effectiveness for the purposes of the Policy on Internal Control will be on key control activities within the various business processes at PCH and not on entity-level controls, as it is more effective to rely on business process control activities.

At the foundation of the ICOFR Framework is a maturity model that facilitates a common and objective view of the robustness of controls across PCH. This maturity model is used to monitor the status of each area identified during the planning phase of this compliance audit based on PCH's operations and its financial statements, and illustrates where the Department needs to be to achieve certification of internal controls. The maturity model comprises five levels, and the Department must reach Level 4 to meet the requirements of the Policy on Internal Control. Level 4 is where periodic testing is conducted on standardized controls to ensure effective design and operation, with reporting to PCH management; it is the level required for PCH to be ready for a controls-reliant audit.
The self-assessment conducted by management has determined PCH to be at Level 4.

Between 2008 and 2010, various presentations were made to PCH governance committees on financial matters, such as updates on the Audited Financial Statements Initiative (May 2009) to the Operations and Management Committee, a presentation of the Policy on Internal Control to the Deputy Minister and Associate Deputy Minister (January 2010), and presentations of the new financial requirements to the Executive Committee (April 2010) and the Finance Committee (October 2010). The presentations specific to the ICOFR Framework were made to the Finance Committee in April 2010 and to the Departmental Audit Committee in June 2010.

In May 2011, the Finance Committee endorsed the Five-Year Plan on Internal Control for 2011-12 to 2015-16, which was subsequently presented to the Departmental Audit Committee in June 2011 for review purposes. The AOFPS has also prepared a Five-Year Plan on Internal Control which highlights the current status of the control activities, walkthroughs, and testing of controls, and identifies the work that will be done for each key business process.

The Audit of Compliance to the Treasury Board Policy on Internal Control will be divided into three phases, completed over three years. Phase 1 will focus on the management control framework used in the implementation of the Policy on Internal Control, while Phases 2 and 3 will focus on the processes and controls in place to ensure compliance with the Policy on Internal Control.

2. Objective

The overall objective of this three-phase audit is to provide assurance that Canadian Heritage is in compliance with the Policy on Internal Control. The objective of Phase 1 is to provide assurance that an adequate management control framework is in place to effectively implement the Policy on Internal Control.
The objective of Phases 2 and 3 is to provide assurance that adequate processes and controls are in place to ensure compliance with the Policy on Internal Control and PCH policies and procedures.

3. Scope

The Audit of Compliance to the Treasury Board Policy on Internal Control – Phase 1 began in May 2011 and was completed on October 31, 2011. The scope of Phase 1 includes the governance, accountability, risk management, and results and performance related to the management control framework that has been established within the Financial Management Branch to implement the Policy on Internal Control. The scope of Phases 2 and 3 will focus on testing the adequacy of the processes and internal controls.

4. Approach and Methodology

All audit work was conducted in accordance with the Treasury Board Secretariat's Internal Auditing Standards for the Government of Canada and Policy on Internal Audit. The audit criteria were developed using OCG guidance on internal controls, and the audit methodology included:
- a review of the organization's documentation, guidelines, procedures, policies, and relevant legislation;
- a review of the implementation of the Policy on Internal Control as per OCG guidance;
- a review of the process mapping/flowcharting exercise to demonstrate organization processes and accountability obligations; and
- collection of data through interviews and observations with the organization's personnel to examine processes, procedures and practices.

5. Observations and Recommendations

Based on evidence gathered through an examination of documentation, interviews conducted and analysis, each audit criterion was assessed by the audit team. Conclusions for each criterion are provided in Appendix A. During the course of the audit, minor findings were communicated through a Management Letter.
5.1 Governance and Accountability and Risk Management

5.1.1 Observation #1

The Five-Year Plan on Internal Control, including its risk assessment, has to be updated on a yearly basis.

Analysis

A risk assessment was completed as part of the development of the Internal Control over Financial Reporting (ICOFR) Framework and was divided into two parts: a macro-level risk analysis and a risk analysis at the financial account and area level. The macro-level risk analysis identifies potential macro risks, but it does not provide supporting documentation on how the risks were identified or how they were used to assess the impact on the Department's internal controls, financial statement accounts, disclosures and business processes for ICOFR purposes. Without a clear explanation of the macro-risk assessment methodology and results, the links with the detailed risk analysis of the financial accounts and areas are unclear.

A risk analysis at the financial account and area level was completed and is consistent with OCG expectations. The portion of the risk assessment relating to financial statement decomposition is also consistent with the expectations of the OCG diagnostic tool.

The ICOFR Framework and the risk assessments are not dated as to when they were completed. The update of the ICOFR Framework, including its risk assessment, is not listed as one of the planned activities in the Five-Year Plan on Internal Control. Therefore, it is unclear how often the ICOFR Framework and its risk assessment will be reviewed and updated. As per the Policy on Internal Control (p. 3) and as indicated in the ICOFR Framework (p. 36), the Deputy Minister needs to have reasonable assurance of the effectiveness of the ICOFR, that it is maintained and monitored on an annual basis, and that this includes the conduct of an annual risk assessment.
Additionally, significant issues need to be addressed in a timely manner before the Deputy Minister signs the annual Statement of Management Responsibility Including Internal Control over Financial Reporting. The results of this annual work could have an impact on the Five-Year Plan on Internal Control.

Risk Assessment

Without periodic reviews, the ICOFR Framework which supports PCH's implementation of the Policy on Internal Control can become outdated and may not reflect the risks and state of internal controls. This increases the risk that PCH is non-compliant with the Policy on Internal Control.

Recommendation

The Director General of the Financial Management Branch should ensure that the Five-Year Plan on Internal Control is revised to include a requirement to perform an annual update to the ICOFR Framework, including its risk assessment.

5.1.2 Observation #2

An annual project plan for 2011-12 that includes defined accountabilities, timelines, deliverables and outputs has to be developed to supplement the five-year high-level plan prepared by AOFPS.

Analysis

The Accounting Operations, Financial Policy and Systems Directorate (AOFPS) developed a Five-Year Plan on Internal Control for 2011-12 to 2015-16. This high-level risk-based plan provides the current status of the control activities, walkthroughs, and testing of controls, and identifies the work that will be done for each key business process over the next five years. The status of work is monitored via the Five-Year Plan on Internal Control. This plan has been adjusted to reflect the current status of activities and was presented to the Finance Committee (May 2011) for endorsement prior to its presentation to the Departmental Audit Committee (June 2011).

The AOFPS directorate performs design testing, operating effectiveness testing of key business processes, and risk-based account verification/sampling of financial transactions. Remediation plans are developed and adjustments are made based on the results of testing.
For example, changes to account verification were made based on operating effectiveness outcomes.

Risk Assessment

Without a detailed annual project plan that is shared and communicated with stakeholders, there is a risk that key activities, such as testing/reporting, may not be performed as required by the long-term plan, resulting in non-compliance with the policy.

Recommendation

The Director General of the Financial Management Branch should ensure that a detailed annual project plan, including defined accountabilities, timelines, deliverables, and outputs for the year related to the implementation of the Policy on Internal Control, is established, communicated, monitored and adjusted as needed.

Appendix A – Audit Criteria

The conclusions reached for each of the audit criteria used in the audit were developed according to the following definitions (numerical categorization, conclusion on audit criteria, and definition of conclusion):

1 Well Controlled: well managed, no material weaknesses noted; and effective.
2 Controlled: well managed, but minor improvements are needed; and effective.
3 Moderate Issues: has moderate issues requiring management focus (at least one of the following two criteria needs to be met): control weaknesses, but exposure is limited because the likelihood of the risk occurring is not high; control weaknesses, but exposure is limited because the impact of the risk is not high.
4 Significant Improvements Required: requires significant improvements (at least one of the following three criteria needs to be met): financial adjustments material to a line item or area or to the department; or control deficiencies represent serious exposure; or major deficiencies in the overall control structure.

The following are the audit criteria and examples of key evidence and/or observations noted which were analyzed and against which conclusions were drawn.
Criterion 1: An adequate framework for implementing the Policy on Internal Control is established, communicated and approved by the CFO and senior management.
Conclusion on Audit Criteria: 1 (Well Controlled)
Examples of Key Evidence / Observation:
- The PCH "Internal Control over Financial Reporting framework" for implementing the Policy on Internal Control is established and contains the expected elements.
- The ICOFR was not presented to the Operations and Management Committee and to the Executive Committee for review/endorsement. However, it was presented to the Finance Committee and the DAC in 2011.
- No formal documented approval by the CFO and senior management of the ICOFR Framework.

Criterion 2: Roles, responsibilities and accountabilities for internal controls, including over financial reporting, are documented, communicated and understood by stakeholders.
Conclusion on Audit Criteria: 1 (Well Controlled)
Examples of Key Evidence / Observation:
- The Annex to the Statement of Management Responsibility contains the documentation of roles, responsibilities, and accountabilities for internal controls. It was presented to the Finance Committee and the Departmental Audit Committee but not to the Operations and Management and Executive Committees.
- The audit team found that no additional training requirement was identified for managers following the implementation of the Policy on Internal Control.

Criterion 3: Procedures, guides, tools and resources are identified and/or developed to support the implementation of the Policy on Internal Control.
Conclusion on Audit Criteria: 1 (Well Controlled)
Examples of Key Evidence / Observation:
- Procedures, guides and tools developed by AOFPS include procedures for testing operating effectiveness and account verification, procedures for financial statement account preparation, procedures for administrative personnel for year end, and guidelines for the recording and management of commitments.

Criterion 4: A risk assessment was completed and documented to identify the financial risk environment, the riskiness of material financial processes and the high-risk areas.
Conclusion on Audit Criteria: 2 (Controlled)
Examples of Key Evidence / Observation:
- The financial statement decomposition risk assessment assessed the key risks facing the key financial statement accounts in sufficient detail and was consistent with the expectations of the guidance provided by the OCG.
- For the macro risk assessment, as described in the ICOFR Framework, no documentation was available to support the methodology used and the conclusions drawn.
- The risk assessments are not dated as to when they were completed. In addition, it is unclear how often the risks will be reviewed and updated, as they are not identified as activities in the Five-Year Plan on Internal Control.

Criterion 5: Long-term and annual risk-based strategies are developed, communicated, monitored and reported on as part of the implementation of the Policy on Internal Control.
Conclusion on Audit Criteria: 2 (Controlled)
Examples of Key Evidence / Observation:
- The strategies identified in the ICOFR and the Five-Year Plan on Internal Control are risk based because they focus first on the highest-risk business processes (grants and contributions, purchases and payables).
- A long-term (five-year) plan on internal controls was recently developed and endorsed by the Finance Committee (May 2011) and approved by the Departmental Audit Committee (June 2011). The Five-Year Plan on Internal Control has yet to be presented to the Operations and Management Committee and to the Executive Committee for review/endorsement.
- Reporting on the implementation activities completed within the year and planned over the next five years is done as part of the Annex to the Statement of Management Responsibility on an annual basis.
- An annual plan on internal controls that details the activities, timing, and resources required to complete the required actions as per the five-year plan has yet to be developed.

Criterion 6: Expected results related to the implementation of the Policy on Internal Control have been defined, communicated, monitored and are adjusted as needed.
Conclusion on Audit Criteria: 1 (Well Controlled)
Examples of Key Evidence / Observation:
- The expected results related to the implementation have not been properly communicated.
- The AOFPS directorate performs design testing, operating effectiveness testing of key business processes, and risk-based account verification/sampling of financial transactions. Remediation plans are developed and adjustments are made based on the results of testing.
- The status of work is monitored via the Five-Year Plan on Internal Control. This is a high-level plan which provides the current status of the control activities, walkthroughs, and testing of controls, and identifies the work that will be done for each key business process over the next five years.

Appendix B – Management Action Plan

Project Title: Audit of Compliance to the Treasury Board Policy on Internal Control – Phase 1

MANAGEMENT ACTION PLAN

5.1 Governance and Accountability and Risk Management

Recommendation 1: The Director General of the Financial Management Branch should ensure that the Five-Year Plan on Internal Control is revised to include a requirement to perform an annual update to the ICOFR Framework, including its risk assessment.
Actions: Agreed. The ICOFR Framework will be updated annually starting in fiscal year 2011-12. The risk assessment will be done as part of the Department's Corporate Risk Profile exercise once the Office of the Comptroller General (OCG) provides guidance to departments via workshops. The OCG workshops are scheduled to take place during the 2012 calendar year. In addition, the FMB will document the approval of the ICOFR and keep the DM and senior management informed on an annual basis.
Who: Manager, Financial Policies & Internal Control
Target Date: April 2012 for ICOFR; May 2013 for risk assessment

Recommendation 2: The Director General of the Financial Management Branch should ensure that a detailed annual project plan, including defined accountabilities, timelines, deliverables, and outputs for the year related to the implementation of the Policy on Internal Control, is established, communicated, monitored and adjusted as needed.
Actions: Agreed. An annual project plan will be developed starting in fiscal year 2012-13.
Who: Manager, Financial Policies & Internal Control
Target Date: April 2012