Audit of Internal Controls over Financial Reporting (ICFR)

Internal Audit Directorate, June 2025

On this page

• Acronyms
• Executive summary
• Introduction
  • Context
  • Why this is important
  • Audit objective
  • Scope
  • Approach
• Key findings and recommendations
  • ICFR process and the related results
• Conclusion
• Appendix A: Management response

Acronyms

BPO

Business Process Owners

CFO

Chief Financial Officer

DAC

Departmental Audit Committee

DM

Deputy Minister

ICFM

Internal Controls over Financial Management

ICFR

Internal Controls over Financial Reporting

ITGCs

Information Technology General Controls

MAPs

Management Action Plans

SMR

Statement of Management Responsibility

Executive summary

Context

Internal controls over financial reporting (ICFR) are a subset of the system of internal controls over financial management (ICFM), and include measures and activities that ensure validity, accuracy, and completeness of the department's financial statements and related disclosures. The results of the assessment of these controls must be reported in the annex to the Statement of Management Responsibility (SMR) to support that a system of ICFR is in place and operating effectively.

The Deputy Head of an organization is responsible for ensuring that timely and accurate departmental financial information is available to support decision making in the department. The Chief Financial Officer (CFO) is responsible for establishing, monitoring, and maintaining a risk-based system of internal control over financial reporting to provide reasonable assurance that records are maintained that support and fairly represent all financial transactions. Both the Deputy Head and the CFO are also responsible for approving the annual SMR including ICFR.

The SMR is a formal declaration signed by the Deputy Head and the CFO consistent with responsibilities assigned through the Policy on Financial Management. The SMR is accompanied by an annex, which summarizes the measures taken by the department to maintain an effective system of internal control over financial reporting.

The Departmental Audit Committee (DAC) reviews and, as appropriate, advises the Deputy Head on key departmental financial reports and disclosures, including the annual SMR and associated plans and assessments with respect to ICFR.

Each year, the internal controls team is responsible to update the ongoing monitoring plan, which outlines the timing and frequency of the assessment. They are also responsible to conduct assessments of internal controls identified in the ongoing monitoring plan, and report on the results of those assessments including the status of remedial actions.

Why this is important

ICFR helps prevent fraud, provides reasonable assurance that applicable regulations, policies and guidance are followed, and improves the accuracy and timeliness of a department's financial statements. It also enhances the reliability of financial reporting and ensures that financial statements are free from significant misstatements.

Audit objective

The objective of the audit was to provide assurance that the ICFR process has been implemented to support the approval of the SMR including ICFR.

Conclusion

ICFR involves measures and activities that provide reasonable assurance that a department's financial statements are accurate and complete. The ICFR process also helps ensure that the Department has effective internal controls in place and a system to monitor those controls to ensure they remain effective.

DFO is guided by its departmental internal controls over financial management – Ongoing Monitoring Framework which includes a process for monitoring and reporting on ICFR. The Department carries out this work using a risk assessment which fed into an annual internal control plan.

In general, DFO implemented their annual control plan. The internal control assessments were all completed but one of the MAP reviews was not performed. For the other MAP reviews that were performed, the work identified that some previously identified control weaknesses were delayed in being remediated. These results were not fully reported internally or externally and may have influenced how decision makers relied on the results of the ICFR work that supported the departmental financial statements.

DFO's ICFR work adopted an ongoing monitoring approach as a result of the completed control documentation and design and operating effectiveness testing performed since the implementation of SAP S/4HANA on April 1, 2021. There was one business process that had not completed that foundational work and should have been identified in the reporting. Going forward, this clarification will need to be made in external reporting to better inform decision makers who rely on the ICFR work.

To address the identified areas for improvement, the following recommendations were provided:

1. The Chief Financial Officer should ensure that any changes in delivering the annual internal control plan are included in the reported ICFR results.
2. The Chief Financial Officer should ensure that future public reporting accurately reflects the status of the Inventory business process' design testing results and evaluation of operational effectiveness testing since the implementation of SAP S/4HANA.
3. The Chief Financial Officer should ensure that recurring control gaps within the ICFR business processes, and delays in the related MAP implementations, are included in internal reporting and the status of remedial action progress is accurate in external reporting.

Statement of conformance

The audit conforms to the TB Policy on Internal Audit and the Global Internal Audit Standards, as supported by the Internal Audit Directorate's Quality Assurance and Improvement Program.

Management response

The response to the report's recommendations can be found in appendix A.

Introduction

Context

Internal controls over financial reporting (ICFR) are a subset of the system of internal controls over financial management (ICFM), and include measures and activities that ensure validity, accuracy, and completeness of the department's financial statements and related disclosures. The results of the assessment of these controls must be reported in the annex to the Statement of Management Responsibility (SMR) to support that a system of ICFR is in place and operating effectively. The SMR is a formal declaration signed by the Deputy Head and the CFO consistent with responsibilities assigned through the Policy on Financial Management such as delegated financial authorities were respected, unauthorized financial transactions were prevented or detected, and financial resources were protected from errors, fraud, waste, or mismanagement.

The SMR is also accompanied by an annex, which summarizes the measures taken by the department to maintain an effective system of internal control over financial reporting.

The Departmental Audit Committee (DAC) reviews and, as appropriate, advises the Deputy Head on key departmental financial reports and disclosures, including the annual SMR and associated plans and assessments with respect to ICFR.

According to the departmental internal controls over financial management – ongoing monitoring framework, the internal controls team within the CFO sector is responsible for:

• Conducting the annual risk assessment and regional risk assessment with senior departmental managers and BPOs
• Coordinating and delivering the annual testing strategy with the other groups within the Department to ensure that the annual testing strategy is conducted efficiently and effectively
• Following up on management action plans (MAPs) arising from past assessments
• Maintaining internal control documentation
• Reporting results of the annual testing to senior management including the CFO and to the DAC at least once annually

BPOs are responsible for controls that fall under their responsibility. Specifically, they are responsible for:

• Validating control documentation
• Assisting with the assessment of ICFM, including ICFR, in their area of responsibility
• Developing and carrying out corrective action for identified control gaps/breakdowns
• Providing internal signoffs as required

Why this is important

ICFR helps prevent fraud, provides reasonable assurance that applicable regulations, policies and guidance are followed, and improves the accuracy and timeliness of a department's financial statements. It also enhances the reliability of financial reporting and ensures that financial statements are free from significant misstatements.

Audit objective

The objective of the audit was to provide assurance that the ICFR process has been implemented to support the approval of the SMR including ICFR.

Scope

The scope of the audit included the process in place to perform the ICFR work. The audit work did not include activities related to ICFM. The audit focused mainly on the ICFR activities for the 2023-24 fiscal year, including the reporting activities. The BPOs were scoped out of this audit along with decision makers and their advisory body.

Approach

The audit was conducted from January 2025 to June 2025 and completed using the following methods:

• a review of relevant documentation
• interviews conducted with Internal Control Team
• walkthroughs of key processes in place related to ICFR
• examination of the internal control documentation related to the assessment completed during 2023-24
• analysis of the reports on the results of ongoing monitoring activities on key controls in support of the Annex to the SMR related to ICFR

Key findings and recommendations

ICFR process and the related results

The Department's Internal Controls over Financial Management - Ongoing Monitoring Framework (the framework) indicates that the formal reporting of results will be provided in a timely manner to the Deputy Head, the CFO, and Business Process Owners (BPOs). This information is also shared with the DAC through an annual update and with external stakeholders through the annex to the Departmental SMR including ICFR. The department is required to report on the status of each review conducted during the previous fiscal year including the status of remedial actions.

Finding

1. Risk Assessment and Internal Control Plan

The framework requires that risk assessments be conducted annually to validate, and determine risk rankings for the identified business processes, Information Technology General Controls (ITGCs), and Entity-Level Controls. The risk assessment is one of the key factors that determine the frequency of testing the business processes, ITGCs, Entity-Level Controls over a five-year horizon.

The Internal Control Team conducted annual risk assessments for each identified business process and used the results to update the ongoing monitoring plan for subsequent fiscal years. Risk assessment files examined demonstrated that the assessments were generally performed in accordance with the methodology outlined in the framework.

Both the annual internal controls update and the annex to the SMR including ICFR reported that a departmental risk assessment had been completed and the related results were used to shape the ongoing monitoring plan for the next five fiscal years. The multi-year Internal Control Plan was included in the financial statement package approved by both the CFO and the DM.

The 2023-24 Internal Control Plan includes 10 ICFR areas that were scheduled either for an internal control assessment or a MAP review. The objective of the internal control assessment is to ensure that key controls, relevant to financial reporting for the annual financial statements, are designed to mitigate risks threatening the achievement of control objectives and that they are working effectively over a specified period. The objective of the MAP review is to determine whether deficiencies identified in previous assessments have been addressed and remediated. The results of the Internal Control Team's MAP review are based on the documentation provided by the BPOs and do not include retesting.

The table below provides an overview of the control areas scheduled for internal control assessments versus MAP reviews in 2023-24 and will be referred to in the following sections.

The risk assessment and Internal Control Plan were completed in accordance with the expectations set out in the Framework.

2. Internal Control Assessments

Overall, the completed Internal control assessments for entity-level controls, and the business processes related to tangible capital assets, marine service fees, environmental liabilities, and delegation of authority were performed as planned and in accordance with the framework. The results were documented and reported to the relevant BPOs, recommendations were issued to address the control gaps, and MAPs were developed.

The department reported on the results of the 2023-24 internal control assessments in the public Annex to the SMR. The reporting for the 5 internal control assessments complied with the requirements of the Treasury Board Secretariat guidance.

Additionally, the Internal Control Team provided an annual update on the status of the Internal Control Plan to the CFO, DM, and DAC through a deck presentation. The August 2024 update included information on the completed internal assessments for the 5 business processes performed during the fiscal year.

The internal control assessments were carried out in accordance with the expectations set out in the framework and Treasury Board Secretariat guidance.

3. Follow-up on Past Assessments through MAP Reviews

Five key control areas in the 2023-24 Internal Control Plan were planned to be assessed using MAP reviews. In fiscal year 2023-24, the Internal Control Team assessed the 4 following areas using MAP reviews:

• Financial close including:
  • Contingent liabilities
  • Pay administration
  • Grants and contributions
  • ITGCs

For the MAPs that the Internal Control Team assessed as completed, sufficient evidence to support the conclusions of the MAP review was collected. As such, the MAP assessment work that was carried out met expectations. The results of these MAP reviews were communicated by the Internal Control Team to the implicated BPOs and then included in internal and external reporting.

However, the internal control update presented internally to DAC and the DM in August 2024 did not disclose that the Inventory business process was not assessed as planned despite being a high risk business process. In addition, no follow-up had been conducted on the outstanding 2022-23 MAP to determine if the previously identified control weaknesses had been resolved for the Inventory process.

While the MAP review that was not performed was explained as being due to no progress being made on the MAP, the Treasury Board Secretariat Guide to Internal Control over Financial Management requires that deviations from the previous fiscal year's plan be explained in the Annex to the SMR including ICFR. It could also have provided an opportunity for discussion on the reasons for this lack of progress and the associated risks at a DAC meeting.

While the follow-ups carried out were completed in line with expectations, not all MAP reviews identified in the annual plan were carried out or reported on.

4. Ongoing monitoring status

On-going monitoring is defined as the mature state of the ICFM framework. The Treasury Board Guide to Ongoing Monitoring of ICFM states that ongoing monitoring begins after a department completes its initial assessment of controls. This includes documenting the controls, testing their design and operating effectiveness, and developing a management action plan to address any identified gaps or weaknesses.

DFO's 2023-24 annex to the SMR explained that all key financial business processes had been documented and assessed since the implementation of SAP S/4HANA on April 1, 2021. Accordingly, the department had reached the Ongoing Monitoring stage for all business processes.

The annex to the SMR does not clarify that the Inventory business process has not been assessed since SAP implementation as it has only completed its design testing. The MAP review that had been planned for the inventory business process was to address weaknesses in the design of the controls. The operating effectiveness of the inventory controls has not yet been performed. As such, the public annex to the SMR does not accurately reflect the status of all business processes with respect to ongoing monitoring.

The external reporting does not fully represent the current state of all internal controls within DFO and may not fully inform users of the Inventory business process element of the ICFR information.

5. Recurring control weaknesses

Outstanding MAPs were assessed to determine if the previously identified control weaknesses had been remediated. It was expected that any MAP items that were not implemented as planned would be brought to the attention of the decision makers and their advisory body.

The examination of the results of the internal control assessments and the follow-up of the MAPs showed several recurring control gaps in certain ICFR areas, such as capital assets, ITGCs, and marine service fees over the last 3 fiscal years. These weaknesses remain unresolved due to delays in the implementation of the corresponding MAPs.

1. Capital assets: Five recommendations to address control weaknesses were issued in 2021-22 following the internal control assessment of the capital assets business process. The recommendations had target completion dates set between April 2022 and October 2022. A subsequent review was conducted by the Internal Control Team in 2024 concluded that the controls for which the original recommendations were issued in 2021-22 had not yet been fully addressed.
2. ITGCs: Nine recommendations to address control weaknesses were issued in 2021-22. A subsequent assessment in 2022-23 led to 8 recommendations which included six of the original recommendations. A MAP review conducted in March 2024 by the Internal Control Team concluded based on documentation that only two of the six recommendations from 2021-22 were remediated. MAP reviews focus on documentation and the controls are not retested.
3. Marine Service Fees: Seven recommendations to address control weaknesses were issued following the assessment of the marine service fees business process in 2021-22. The related target completion dates were set between April 2022 and March 2023. The Internal Control Team concluded in September 2024 that the implementation of four of the original MAP remained outstanding.

Despite the delays in addressing the recurring control weaknesses in the high risk and medium risk business processes, DFO's annex to the SMR inaccurately identified these remedial actions as “progressing as planned”. Internal departmental reporting identified the remedial actions underway but was silent on the recurring delays in addressing them.

Without sharing the complete information on the recuring internal control gaps and the status of the associated recommendations, the CFO, DM and DAC may not have a full understanding of the risks and issues within the Department's system of internal controls.

Conclusion

ICFR involves measures and activities that provide reasonable assurance that a department's financial statements are accurate and complete. The ICFR process also helps ensure that the Department has effective internal controls in place and a system to monitor those controls to ensure they remain effective.

DFO is guided by its departmental Internal Controls over Financial Management – Ongoing Monitoring Framework which includes a process for monitoring and reporting on ICFR. The Department carries out this work using a risk assessment which fed into an annual internal control plan.

In general, DFO implemented their annual control plan. The internal control assessments were all completed but one of the MAP reviews was not performed. For the other MAP reviews that were performed, the work identified that some previously identified control weaknesses were delayed in being remediated. These results were not fully reported internally or externally and may have influenced how decision makers relied on the results of the ICFR work that supported the departmental financial statements.

DFO's ICFR work adopted an ongoing monitoring approach as a result of the completed control documentation and design and operating effectiveness testing performed since the implementation of SAP S/4HANA on April 1, 2021. There was one business process that had not completed that foundational work and should have been identified in the reporting. Going forward, this clarification will need to be made in external reporting to better inform decision makers who rely on the ICFR work.

Appendix A: Management response