Internal Audit Report

Audit of Internal Controls over Financial Reporting

Project 6B276
Date: June 17, 2016



1.0 EXECUTIVE SUMMARY

Treasury Board’s Policy on Internal Control (PIC) took effect on April 1, 2009 and required departments to put in place an effective system of Internal Controls over Financial Reporting (ICFR).

To help meet this requirement, Fisheries and Oceans Canada (Department) has undertaken to mitigate ICFR risks and ensure an effective risk-based system of internal controls is in place, including the establishment of an Internal Control Unit in 2011-12. The Internal Control Unit has since completed the design and operating effectiveness testing of ICFR work segments and is now entering the on-going monitoring phase.

The objective of the audit was to provide additional assurance to the Deputy Head that an adequate management control framework, internal control process and related activities are in place to ensure the ICFR process is operating as intended and in compliance with applicable policies.

The scope of the audit was risk-based and focused on the design of the ICFR Framework and as such, did not assess operating effectiveness of control activities. Operating effectiveness testing examines whether a control system is operating as designed, through testing of the controls, whereas design testing assesses the overall framework in place and the design of control activities.

Based on the audit findings, the overall conclusion is that an adequate management control framework, internal control process and related activities are in place, that the overall governance, risk management and controls for ICFR are generally appropriate for the level of maturity the Department has achieved in the ICFR cycle, and that the ICFR process is in compliance with applicable policies. However, the audit also found opportunities for improvement related to how medium and low risk issues are dealt with, ensuring key decisions within the risk assessment processes are documented and conducting periodic reviews of tools, policies, procedures and controls related to ICFR. The recommended improvements are as follows:

  • Ensure that medium and low risk findings from the ICFR testing be reported within the Chief Financial Officer Sector for decisions on whether to accept, or mitigate, the associated risks and to ensure timely action is taken on those that are to be mitigated.
  • Ensure that additional information related to the risk assessment processes, and decisions made within these processes, is documented to provide additional context and retention of corporate knowledge.
  • Ensure that a documented requirement and process is in place to periodically review key control activities and other ICFR related tools, policies, and procedures as the ICFR process matures to ensure they are relevant, sufficient, aligned with risks and represent current best practices.

Management Response

Management is in agreement with the audit findings, has accepted the recommendations included in this report, and has developed a management action plan to address them. The management action plan has been integrated in this report.

Approvals

The Internal Audit Report “Audit of Internal Controls over Financial Reporting” was presented at the Departmental Audit Committee on June 17, 2016. The Report was recommended for approval by the Departmental Audit Committee and approved by the Deputy Minister.

2.0 BACKGROUND

Treasury Board’s (TB) Policy on Internal Control (PIC), which took effect on April 1, 2009, seeks to ensure that risks are adequately managed through effective internal controls, including Internal Controls over Financial Reporting (ICFR).

A key component of TB’s PIC was management’s responsibility for maintaining an effective system of internal controls as part of the financial statement process. Specifically, in order to mitigate the risks related to financial reporting, deputy heads are required to ensure that internal controls are regularly reviewed and are balanced against, and proportional to, the risks which they mitigate. To demonstrate that this is being carried out, and that public resources are adequately managed, TB’s PIC requires the Deputy Head and the Chief Financial Officer (CFO) to sign an annual departmental Statement of Management Responsibility Including ICFR and expects the Department to have:

  • an effective risk-based system of internal control that is properly maintained, monitored and reviewed, with timely corrective measures taken when issues are identified; and
  • an effective system of ICFR.

Fisheries and Oceans Canada (Department) has undertaken work to remediate ICFR risks and ensure a risk-based system of internal controls is in place. The Department’s Policy on ICFR and Financial Management Framework were developed and implemented in 2011-12. At the same time, a new Internal Control Unit (IC Unit) was established with a mandate to:

  • design, develop and implement the internal control framework and accompanying policies, procedures, processes and mechanisms;
  • evaluate and investigate the effectiveness of internal controls and compliance with existing policies, procedures and practices;
  • produce the annual Statement of Management Responsibility Including ICFR; and
  • engage Senior Management and the Departmental Audit Committee on the assessments and associated results.

The IC Unit has developed internal control strategies and processes based on the Committee of Sponsoring Organizations of the Treadway Commission (COSO) standards. The COSO model requires persuasive information supporting conclusions about the effectiveness of internal control across all five of the COSO components.

The ICFR cycle goes through three stages of testing as it matures: design effectiveness, operating effectiveness, and ongoing monitoring. Design effectiveness involves ensuring that key controls are identified, documented, in place and aligned with risks. Operating effectiveness involves testing key controls to ensure that they are operating as intended and that any required remediation is addressed. Ongoing monitoring is carried out once operating effectiveness testing is complete and involves continued periodic risk-based testing to ensure continuous improvement and timely remediation of any issues.

According to the 2015-16 ICFR Work Plan, the IC Unit has completed design and operating effectiveness testing of all ICFR work segments. Also, in 2014, the IC Unit evaluated the impact of the 2013 COSO Framework Update on Entity Level Controls and completed a detailed scoping and risk assessment of all major business processes, key financial systems, and Information Technology (IT) General Controls. Currently, the IC Unit is in the on-going monitoring phase of the ICFR cycle.

3.0 AUDIT OBJECTIVE

The objective of the audit was to provide additional assurance to the Deputy Head that an adequate management control framework, internal control process and related activities are in place to ensure the ICFR process is operating as intended and in compliance with applicable policies.

4.0 AUDIT SCOPE

The scope of the audit was risk-based and focused on the design of the ICFR Framework and as such, did not assess operating effectiveness of control activities. Operating effectiveness testing examines whether a control system is operating as designed, through testing of the controls, whereas design testing assesses the overall framework in place and the design of control activities.

The audit criteria were developed based on the COSO standards. These standards were used by the Department as the control framework for the Department’s internal control strategies and processes.

5.0 AUDIT APPROACH

The audit team carried out its mandate in accordance with TB’s Policy on Internal Audit and the Internal Audit Standards for the Government of Canada. The audit employed various techniques including a risk assessment of the audit entity, interviews, as well as reviews and analysis of documentation and information.

6.0 AUDIT FINDINGS

This section provides the observations and recommendations resulting from the audit work carried out. While the audit was conducted based on the lines of enquiry and audit criteria identified in the planning phase, this report is structured along the following main themes:

  • Governance (Control Environment);
  • Risk Management; and
  • Internal Control.

For conclusions by audit criterion, please refer to Appendix A.

Based on the audit work performed and our professional judgment, the risk associated with each observation was rated using a three-point scale. The risk ranking (high, moderate, low) is based on the level of potential risk exposure we feel may have an impact on the achievement of Fisheries and Oceans Canada objectives, and is indicative of the priority Management should give to the recommendations associated with that observation. The following criteria were used in determining the risk exposure level:

Risk Definitions

High
  • Controls are not in place or are inadequate.
  • Compliance with legislation and regulations is inadequate.
  • Important issues are identified that could negatively impact the achievement of program/operational objectives.

Moderate
  • Controls are in place but are not being sufficiently complied with.
  • Compliance with central agency/departmental policies and established procedures is inadequate.
  • Issues are identified that could negatively impact the efficiency and effectiveness of operations.

Low
  • Controls are in place but the level of compliance varies.
  • Compliance with central agency/departmental policies and established procedures varies.
  • Issues identified are less significant but opportunities that could enhance operations exist.

6.1 Governance (Control Environment)

Governance, or the control environment, is identified in the COSO Framework as “the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.” As such, an effective governance system is essential for achieving the goals and objectives of the IC Unit.

A key component of a strong governance system is having roles and responsibilities that are clearly defined, documented, and understood. For ICFR, this includes ensuring that those involved in the process understand their roles and are accountable for their responsibilities in establishing, maintaining, and correcting gaps in controls. Also, an effective resource strategy is essential for ensuring that there are qualified staff in place and available to maintain and monitor the key components of the ICFR System.

Observation 6.1.1 (Risk Rating: Low)

6.1.1 Accountabilities, roles and responsibilities for the identified processes and key controls within ICFR are generally documented and defined. However, the current assignment of responsibility and accountability for addressing medium and low risk issues identified in the ICFR testing does not ensure timely remediation of these issues.

The IC Unit has adequate resource strategies in place to help develop, retain and replace qualified personnel.

Accountabilities, Roles and Responsibilities
The TB’s PIC requires that the CFO and Senior Departmental Managers establish and maintain a system of internal control for their areas of responsibility and within the Departmental system as a whole. The audit determined that at these senior levels, the roles and responsibilities for ICFR are well defined, documented and acknowledged in the Department’s ICFR policy and related guidelines and procedures. Specifically, all Senior Departmental Managers within the Department are required to sign off on an annual attestation regarding the internal controls within their sectors.

Similarly, at the Process Level, in most cases, key controls are assigned to specific positions within the matrixes used by the IC Unit for identifying and testing key controls. This demonstrates that roles and responsibilities are generally documented and defined. However, through interviews and testing of follow-up on control issues identified by the IC Unit, it was found that it is often difficult to obtain acknowledgement of responsibility for, or action on, low and medium risk issues. Further, it was found that unlike high risk control issues, which are regularly monitored and reported on to the Departmental Audit Committee, medium and low risk control issues are not being regularly reported to a position or governance committee that has the authority to either accept or require action on these issues.

Without documented decisions on whether to accept the risks related to these low and medium control issues, or to put in place a mitigation plan, there is a risk that time and effort will be put into mitigating low risk issues that the Department may wish to accept, and/or that issues the Department feels should be mitigated will not be. Further, it is possible that while the individual issues are low or medium risk, combined within one process they could pose a higher overall risk to the process. Ensuring that these are reported to a position or governance committee within the CFO Sector for decision could help ensure timely and appropriate action is taken as needed.

Resourcing Strategy
An established resourcing strategy is essential to ensure the IC Unit, which is responsible for ICFR, has qualified resources available to implement the governance system in place for ICFR.

The audit found that the IC Unit has a variety of tools available to ensure it can access qualified resources when needed. These tools, including two Financial Officer Pools, a contracting vehicle, training and development opportunities and the use of the Department’s Talent Management Exercise, form part of a resource strategy that allows the IC Unit to respond to both short and long-term resourcing needs. Further, during the audit, the IC Unit demonstrated its willingness to use these tools by adding someone from one of the Financial Officer Pools to fill an immediate need.


Recommendation and Management Action Plan

R-#1. It is recommended that the CFO ensure that medium and low risk findings from the ICFR testing be reported within the CFO Sector for decisions on whether to accept, or mitigate, the associated risks and to ensure timely action is taken on those that are to be mitigated.

Management Action Plan: The CFO Sector agrees with the recommendation and will, upon completion of business process reviews, debrief the CFO on the results of the review, including any outstanding action plan items stemming from the review.

Office of Primary Interest: Chief Financial Officer
Due Date: August 31, 2016 and ongoing

6.2 RISK MANAGEMENT

Risk, as defined by COSO, is the possibility that an event will occur and adversely affect the achievement of objectives. In the case of the ICFR, the objective is to ensure that the Financial Statements do not contain any material misstatements. In order to achieve this objective, the IC Unit must identify and analyze the potential significance of a risk in a consistent manner that involves management from the areas being assessed and is supported by documentation and professional judgement.

Within the IC Unit, as part of the ICFR process, risk management occurs in the following areas:

  • Annual risk assessment of the key business processes and IT systems, including identifying the frequency of testing of these systems and processes;
  • Choosing sample sizes for testing; and
  • Assessing the level of risk and cost-benefit associated with issues found as a result of testing.

Observation 6.2.1 (Risk Rating: Low)

6.2.1 A risk management system exists that identifies the potential significance of risk, involves appropriate levels of management, and considers how the risk should be managed. However, a lack of documentation of reasoning, choices and professional judgement made within the risk management process creates the appearance of a lack of consistency and could make it difficult to retain corporate knowledge.

Risk Management System
TB’s PIC requires the Deputy Minister and the CFO to sign off on a Statement of Management Responsibility that includes a requirement to conduct an annual risk-based assessment of the system of ICFR.

The Department’s IC Unit has developed an ICFR Ongoing Monitoring Framework that includes an annual risk assessment approach to support its monitoring of the effectiveness of its ICFR. Specifically, the IC Unit has identified business processes and IT systems which are risk ranked based on eight risk factor criteria for each business process and six risk factor criteria for each IT system. Each business process or IT system is then given an overall risk ranking (high, medium, or low) which is used to develop a risk-based multi-year testing plan for these processes and systems.

Based on an examination of recent risk assessments and supporting documentation provided by the IC Unit, the audit confirmed that the Department carries out an annual risk assessment that assigns risk ranking levels, and that the testing strategies identified within the IC Unit’s Ongoing Monitoring Framework have been used.

Further, it was found that the IC Unit provides risk rankings for all control issues identified as a result of their testing of ICFR. This allows the process or system owners to prioritize mitigation measures based on the impact the issue could have on financial reporting.

In examining the risk assessment system, it was noted that the IC Unit has just recently completed its operating effectiveness testing, and as such, the focus to date has been in identifying key gaps in controls and ensuring they are addressed. Now that the Department is entering into the ongoing monitoring phase, it has the opportunity to consider options for additional documentation and guidance that would improve understanding and retention of corporate knowledge.

In relation to the Ongoing Monitoring Framework, it was found that it could be strengthened by: providing further guidance on how to distinguish between a “significant” and a “moderate” effect on financial reporting; identifying possible source documents to be used in determining risk factor rankings; providing further guidance on the sampling level to be used; and requiring that consideration of the cost-benefit of recommendations made to address gaps in the controls tested be documented.

Another opportunity for improving documentation was found in the overall risk rankings assigned to business processes and IT systems. Specifically, in a comparative analysis of risk rankings for systems and processes, the overall risk ranking appeared to be inconsistently applied for three business processes and four systems based on the information provided and the individual risk rankings. In a follow-up interview with the IC Unit, the perceived inconsistencies were explained by other factors that had been considered in determining overall risk rankings that had not been documented. By ensuring these other factors are documented, the IC Unit has the opportunity to ensure continued consistency and retention of corporate knowledge.

Involvement of Appropriate Management in Risk Assessment
Business process owners are accountable for the controls within their processes and are best suited to provide input into changes in risk levels within those processes. As such, their involvement in the risk assessment process is crucial to obtain accurate risk rankings.

The audit assessed the involvement of process and control owners in the risk assessment process and found that the IC Unit does contact process and control owners to obtain input on any changes that may have an impact on the annual risk assessment.

Recommendation and Management Action Plan

R-#2. It is recommended that as the ICFR Cycle at the Department matures, the CFO ensure additional information related to the risk assessment processes, and decisions made within these processes, is documented to provide additional context and retention of corporate knowledge.

Management Action Plan: The CFO Sector agrees with the recommendation and will, in the next update of the Ongoing Monitoring Framework document, provide additional information and documentation requirements for risk assessments.

Furthermore, the CFO Sector will provide an analysis of the overall risk ranking of the business processes with justification, starting with the annual risk assessment for fiscal year 2016-17.

Office of Primary Interest: Chief Financial Officer
Due Date: August 31, 2016

6.3 Internal Control

Based on TB’s PIC, internal controls can be defined as an organization’s resources, systems, processes, culture, structure, and tasks that, taken together, support people in managing risks in order to achieve its objectives.

For ICFR, the internal control system includes entity level controls, IT general controls, business processes, the control objectives and related activities within those processes, and the tools, policies and procedures the IC Unit has in place to ensure their objectives are met. Specifically, control activities and objectives should be designed to bring risks identified as unacceptable down to an acceptable level. Further, the processes being tested should cover all material financial statement accounts, while a periodic review of the ICFR tools, policies and procedures helps ensure their continued relevance, sufficiency, effectiveness and alignment to risks and corporate priorities.

Observation 6.3.1 (Risk Rating: Low)

6.3.1 A risk based assessment of the business processes exists, but there is no documented requirement to test the relevance, sufficiency and effectiveness of the Internal Control system within the processes, or the policies, procedures and tools that support the system.

Key internal controls that could have a material impact on the financial statements are included in the ICFR framework, although continued attention and assessment of inventory is needed.

The ICFR process at the Department is still in an early stage of maturity, having just completed the operating effectiveness testing for all ICFR work segments in 2015-16. As such, it was determined that it would be too early to expect the IC Unit to have completed a review of control activities and objectives, or the policies, procedures and tools that support the ICFR process.

The audit did however note that there is no documented process or requirement for a periodic review of the activities, objectives, policies, procedures and tools to take place. As a result, in order to determine whether such a review may identify improvements to alignment with risks, relevancy, effectiveness and sufficiency, the audit team tested the control activities and objectives for four business processes and the policies, procedures and tools that support the ICFR process.

Control Activities and Objectives
Based on the tests of the control activities and objectives, it was determined that while most of the control activities are aligned with the related control objectives, in some cases there is still an opportunity to improve this alignment. Further, in one of the business processes reviewed, it was not clear how the majority of the control activities supported the objectives, indicating a process that could benefit from a more thorough review. Similar opportunities for improvement were found in ensuring that there were sufficient control activities in place to cover the objectives.

In testing whether the control objectives and activities were aligned with risks, it was found that the Department does not currently assign a risk level to objectives or activities within the business processes or IT systems. As the Department’s ICFR matures, carrying out a risk assessment of control objectives and activities within the business processes would help the Department ensure testing is more targeted and risk-based. Also, with several of the business processes having in excess of 40 control activities, identifying the risk levels associated with each activity could significantly reduce the amount of testing required in any given year, saving time and effort by ensuring the highest risk areas are tested frequently with lower risk ones less frequently. The IC Unit has already done this to some extent with the Budget and Forecasting Process which they divided into two separate processes based on risk; the Department has a further opportunity to ensure greater efficiency and risk-based testing by continuing with this approach as the ICFR matures.

Policies, Procedures and Tools
To test whether there would be opportunities to improve ICFR tools, policies and procedures, a review of these was carried out, along with a comparison to best practices.

The audit found that control matrixes were updated when major changes were made to a process. However, in some cases the control matrix was updated without a corresponding update to the process map. Similarly, the audit found that the ICFR Framework does not always reflect current practice.

Also, the audit found that the risk assessment of business processes could be improved through adding additional factors to assess, such as reputational risk, in line with best practices.

While a full review of the ICFR tools is not expected to have been done yet, it is important to have a documented requirement to carry out such a review periodically to ensure the accuracy and ongoing effectiveness of the annual risk assessment and other tools that are part of the system of ICFR.

Process Coverage of Material Accounts
The ICFR process at the Department covers eight business processes, the Entity Level Controls and the IT General Controls. To ensure that these processes cover accounts that could cause a material misstatement to the financial statements, testing was carried out to map the accounts to the various processes. As a result, it was found that all material accounts are addressed in the relevant control matrix, either directly or indirectly, except for inventory.

Inventory has been tested as a separate process in the past with the last ICFR Status Update to the Departmental Audit Committee on inventory showing that all five inventory components were ineffective in the design effectiveness testing. As a result of this, and ongoing work to address known issues within inventory, the IC Unit determined that further testing of inventory at this time would not be of added value. To ensure some coverage though, inventory was added to the Financial Close and Reporting process to cover year end balances.

The Department is in the process of assessing inventory through a department-wide initiative led by the CFO Sector and the Canadian Coast Guard. The IC Unit is actively monitoring developments in this area and should continue this monitoring to ensure issues identified in the design testing are addressed and to determine whether there is a need for additional monitoring going forward.

Recommendation and Management Action Plan

R-#3. It is recommended that the CFO ensure that a documented requirement and process is in place to periodically review key control activities and other ICFR related tools, policies, and procedures as the ICFR process matures to ensure they are relevant, sufficient, aligned with risks and represent current best practices.

Management Action Plan: The CFO Sector agrees with the recommendation. The CFO Sector will, in the next update of the Ongoing Monitoring Framework document, specify the requirements for periodic reviews of ICFR tools, policies and procedures.

Office of Primary Interest: Chief Financial Officer
Due Date: August 31, 2016

7.0 AUDIT OPINION

Based on the audit findings, the overall conclusion is that an adequate management control framework, internal control process and related activities are in place, that the overall governance, risk management and controls for ICFR are generally appropriate for the level of maturity the Department has achieved in the ICFR cycle, and that the ICFR process is in compliance with applicable policies. However, the audit also found opportunities for improvement related to how medium and low risk issues are dealt with, ensuring key decisions within the risk assessment processes are documented and conducting periodic reviews of tools, policies, procedures and controls related to ICFR.

8.0 STATEMENT OF CONFORMANCE

In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The extent of the examination was planned to provide a reasonable level of assurance with respect to the audit criteria. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed on with Management. The opinion is applicable only to the entity examined and within the scope described herein. The evidence was gathered in compliance with the Treasury Board Policy and Directive on Internal Audit. The audit conforms with the Internal Audit Standards for the Government of Canada, as supported by the results of the Quality Assurance and Improvement Program. The procedures used meet the professional standards of the Institute of Internal Auditors. The evidence gathered was sufficient to provide Senior Management with proof of the opinion derived from the internal audit.

APPENDIX A – AUDIT CRITERIA

Based on a combination of the evidence gathered through documentation examination, analysis and interviews, each of the audit criteria listed below was assessed and a conclusion for the audit criteria was determined using the following definitions:

Conclusions on Audit Criteria and Definitions of Opinion

1 – Criteria Met – Well Controlled: Well managed or no material weaknesses noted; controls are effective.
2 – Criteria Met with Exceptions: Requires improvements; some risk exposure.
3 – Criteria Not Met – High Impact – Significant Improvements: Requires significant improvements in the area of material financial adjustments; serious risk exposure.

The following are the audit criteria and examples of key evidence and/or observations noted which were analyzed and against which conclusions were drawn. In cases where significant improvements and/or moderate issues were observed, these were reported in the audit report.

Audit Criteria, Conclusions and Key Evidence/Observations

Line of Enquiry 1 – Governance (Control Environment)
  • Criterion 1.1: Accountability, roles, and responsibilities of process owners for control activities are clearly defined, communicated, and understood. Conclusion: 2 (Criteria Met with Exceptions). Key evidence/observations: 6.1.1
  • Criterion 1.2: The Internal Control Unit has adequate resource strategies for attracting, developing, retaining and replacing qualified personnel. Conclusion: 1 (Criteria Met – Well Controlled). Key evidence/observations: 6.1.1

Line of Enquiry 2 – Risk Management
  • Criterion 2.1: An effective risk management system, that includes appropriate levels of management, is in place to identify, analyze, manage, and consistently estimate the potential significance of, the risk. Conclusion: 2 (Criteria Met with Exceptions). Key evidence/observations: 6.2.1

Line of Enquiry 3 – Internal Control System and Activities
  • Criterion 3.1: A risk based assessment of the system of internal controls over financial reporting is conducted to determine its ongoing effectiveness. Conclusion: 2 (Criteria Met with Exceptions). Key evidence/observations: 6.3.1
  • Criterion 3.2: Key internal controls (all business processes, entity level controls, and information technology general controls that could have a material impact on the financial statements) are included in the ICFR framework. Conclusion: 1 (Criteria Met – Well Controlled). Key evidence/observations: 6.3.1
  • Criterion 3.3: The Internal Control Unit uses control activities that are based on current risk assessments to ensure key risks are mitigated. Conclusion: 2 (Criteria Met with Exceptions). Key evidence/observations: 6.3.1

Line of Enquiry 4 – Monitoring
  • Criterion 4.1: A process or system is in place to track and monitor progress on deficiencies to ensure that they are remediated on a timely basis. Conclusion: 2 (Criteria Met with Exceptions). Key evidence/observations: 6.1.1

APPENDIX B – ACRONYM LISTING

CFO – Chief Financial Officer (Sector)
COSO – Committee of Sponsoring Organizations of the Treadway Commission
Department – Fisheries and Oceans Canada
IC Unit – Internal Control Unit
ICFR – Internal Controls over Financial Reporting
IT – Information Technology
PIC – Policy on Internal Control
TB – Treasury Board