Archived – Annex A: Assessment of internal control over financial reporting for fiscal year ended March 31, 2017

1. Introduction

This document provides a summary of the measures taken by Public Services and Procurement Canada (PSPC or the department) to maintain an effective system of internal control over financial reporting (ICFR), which includes information on internal control management, assessment results and related action plans.

Detailed information on PSPC's authority, mandate and programs can be found in the 2016 to 2017 Departmental Results Report and 2017 to 2018 Departmental Plan.

2. Public Services and Procurement Canada system of internal control over financial reporting

2.1 Internal control management

PSPC has a well-established governance and accountability structure to support departmental assessment and oversight of its system of internal control. The department's internal control management framework forms part of its Financial Management Framework (FMF) and helps to provide reasonable assurance that, at a minimum:

• public resources are used prudently and in an economical manner
• financial management processes are effective and efficient
• relevant legislation, regulations and financial management policy instruments are being complied with

Furthermore, the FMF helps to ensure that:

• records are maintained that support and represent fairly all financial transactions
• recording of financial transactions allows for the preparation of internal and external financial information, reports and statements in compliance with financial management policy instruments
• expenditures made are in accordance with delegated authorities, and unauthorized transactions that could have a material effect on the financial statements are prevented or detected in a timely manner
• financial resources are safeguarded against material loss due to waste, abuse, mismanagement, errors, fraud, omissions and other irregularities

The application of the FMF is an important responsibility for which all managers are accountable, and as such forms part of all performance management agreements. The FMF has been approved by the Deputy Head and includes:  

• values and ethics
• organizational accountability structures for internal control management to support sound financial management
• roles and responsibilities of senior managers for internal control management, as well as those of managers and financial officers
• ongoing communication and training on statutory requirements, as well as policies and procedures for sound financial management and control
• risk-based management practices  
• regular monitoring of internal control management, as well as the provision of related assessment results and action plans to the Deputy Head and departmental senior management and, as applicable, the department's audit committee, the Audit and Evaluation Committee (AEC)

The AEC provides advice to the Deputy Head on the adequacy and functioning of the department's risk management, control and governance frameworks and processes. The AEC meets approximately 6 times a year and is comprised of the Deputy Minister, the Associate Deputy Minister and 3 members external to the federal public administration, one of whom is the Chair. AEC meetings are also attended by the Chief Financial Officer.

To provide reasonable assurance that financial controls are in place and operating as intended, PSPC conducts risk-based assessments, leverages ongoing monitoring programs and conducts specific year-end reviews, including:

• embedded information technology general controls monitoring in the financial management system, including feeder systems
• program branch financial controls and monitoring activities through integrated financial advisors
• financial management framework related performance management assessments
• partnership programs with program branches to enhance the overall financial control environment.  Awareness and monitoring of program branch internal financial control audits and assessments
• awareness and monitoring of program branch internal financial control audits and assessments
• internal audit programs and AEC oversight
• results of control audits and management accountability framework assessments by the Office of the Comptroller General
• documentation and self-assessment of common service provider internal controls

These activities help to ensure that:

• financial arrangements or contracts are entered into only when sufficient funding is available
• payments for goods and services are made only when the goods or services are received or the conditions of contracts or other arrangements have been satisfied
• payments have been properly authorized

In addition, PSPC leverages results and findings from audits performed by external auditors as input to its assessment of the control environment as follows:

• annual financial statement audits of revolving funds performed by an independent auditor
• public accounts audits performed by the Office of the Auditor General

Below is a summary of the actions and results for the fiscal year ended March 31, 2017 monitoring.

2.2 Service arrangements relevant to financial statements

PSPC relies on other organizations for the processing of certain transactions through both common and specific arrangements that are recorded in its financial statements as follows:

Common arrangements

• The Treasury Board Secretariat provides the department with the information it uses to determine amounts owing for employee benefit plans and to calculate various accruals and allowances, such as the accrued severance liability
• Employment and Social Development Canada provides the department with workers' compensation coverage
• The department of Justice provides legal services to PSPC
• Shared Services Canada provides information technology (IT) infrastructure services to PSPC in the areas of data centre and network services

PSPC administers the following Receiver General Central Systems used by other government departments to process treasury-related and salary-related transactions:

• Standard Payment System
• Government Banking System
• Phoenix Pay System
• Payroll System-General Ledger
• Receiver General-General Ledger

In addition to central systems, PSPC also provides payroll (Phoenix) and pension administration services to other federal government departments, agencies and public service pensioners.

Internal controls related to these systems and common services are maintained and monitored by PSPC as a common service provider and as a result, PSPC provides an annual letter of assurance to all departments attesting to the reliability of the control framework for these central systems.

Specific arrangements

• PSPC provides facilities management and services through a contract with an external service provider who is responsible for property and facility management, services to establish third-party leases and agreements, lease administration, and project delivery for all PSPC Crown-owned and leased sites across Canada. The external service provider is responsible for their own internal controls to help ensure compliance. These controls are further strengthened with the addition of a formalised post-payment verification program managed by the Real Property Branch
• PSPC provides Shared Services Canada with a SAP based financial management system platform to capture and report all financial transactions

3. Public Services and Procurement Canada assessment results during fiscal year ended March 31, 2017

This assessment of Internal Control over Financial Reporting relates to specific departmental operations and therefore does not include the internal controls of PSPC as a provider of central systems and common services.

3.1 Progress during fiscal year ended March 31, 2017

During the fiscal year ending March 31, 2017, key controls within existing processes were amended, which will require a reassessment (re-documentation and test plan). This resulted from the implementation of new business transformation initiatives and systems, specifically, the application of new business rules designed to provide more reliable information on holdings of capital assets, and the implementation of the new Phoenix pay system.

As a department, PSPC receives centrally provided payroll services from Phoenix. Only those pay processing services that remained internal to PSPC as a department are part of the system of ICFR.

A risk assessment of the remaining business process key financial reporting controls (sales to settlement, general ledger integrity, procurement, payables and payments, national account verification, financial statement close, public accounts reporting and environmental liabilities) indicated a low risk of material failures due to their stability (no system change or major staff changes) and existing documentation and prior years' testing of the related key controls.

In addition to the ongoing monitoring of the financial control processes discussed above, interviews were conducted with key business process owners in all of the control environments (except payroll) to obtain sufficient and reliable evidence to support the assertion that the existing financial control environment remained sound. No material issues were discovered.

The key findings and adjustments required from the assessment activities are summarized below.

3.2 New or significantly amended key controls

The PSPC risk-based monitoring program reviewed the key year-end financial controls in section 3.1. In addition, detailed reviews of the sales tax controls and the capital lease calculation tool were completed. Both the tax controls and the lease tool were found to be functioning as intended. Due to significant enhancements in the control environments related to capital assets and the payroll process, these assessments were postponed as it would be disruptive to the business process owner and of little value from a testing standpoint. The departmental payroll process will be documented and tested up to the point where transactions are transferred to Phoenix as well as from the point when transactions are subsequently returned from the Public Service Pay Centre (Phoenix).

3.3 Ongoing monitoring program

The ongoing monitoring program both assesses the current state of key financial control processes within finance services, and leverages financial control activities being conducted outside of finance services.  This combined approach provides a more robust and holistic view of the department's overall financial control environment and further supports the assertions made in the Statement of Management Responsibility.

The following work was undertaken to support the reasonable assurance assertion by the department, within an established and robust financial management control environment:

• entity level controls were completely documented and reviewed in the fiscal year ended March 31, 2016 and reassessed for significant changes
• procurement, payables and payments and sales to settlement significant controls were assessed and documented 
• financial statements preparation and year-end financial close significant controls were assessed
• payroll and capital asset business processes underwent, and are still undergoing financial control improvements. As a result, the significant controls will be re-documented and reassessed in fiscal year ending March 31, 2018
• SAP based enterprise financial system's (SIGMA) Information Technology General Controls (ITGCs) were monitored and assessed for their effectiveness
• the Real Property Branch conducted post-payment verifications of the Brookfield maintenance contract
• the Audit Support Group of the Acquisitions Branch performed post-payment audits of contract compliance to help enforce terms and conditions of contracts between the Government of Canada and the defense industry
• environmental liabilities were assessed in the fiscal year ended March 31, 2016 with no significant observations. No further testing has been undertaken
• PSPC also conducted ongoing monitoring through both its national account payments verification system and general ledger integrity monitoring

Due to known financial control issues identified in the Phoenix payroll process, no testing of the department's own payroll process was done. Once the payroll process has stabilised and the Phoenix process owner has confirmed that the system is operating with the baseline controls in place, a test plan for the significant controls within the department will be developed and financial controls testing will re-commence. Nevertheless, the department undertook active measures, such as monitoring of the over/under payments to help ensure that its payroll-related balances were not materially misstated.

No material issues were discovered in any of the aforementioned activities.

4. Public Services and Procurement Canada's action plan

4.1 Action plan for the next fiscal year and subsequent years

PSPC is in the process of rationalising its risk-based ICFR program in consideration of the level of effort required, changes to the control environment and the new requirement (for fiscal year ending March 31, 2018) to provide assurance on the internal financial controls on common services provided. This renewed program will focus on identifying and documenting high-level assurance processes, entity-wide assurance activities and their related financial controls. This will be combined with a substantive testing program only where a higher level of risk exists and additional assurance is required. This will involve engaging stakeholders as partners and further leveraging the existing control environment. 

4.2 Rotational ongoing monitoring plan for internal controls over financial reporting

A rotational ongoing monitoring plan has been developed which will cover a 3 to 5 year span. It is based on an annual validation of high risk processes, related financial controls and necessary adjustments to the ongoing monitoring and substantive testing plan as required. Each of the following key control areas is subject to annual ongoing monitoring with sub-processes being fully assessed over a 3 to 5 year cycle based on risk assessments: entity level controls, information technology general controls, payroll, financial statements preparation, procurement, payables and payments, sales to settlement, year-end financial close, capital assets, environmental liabilities and financial management controls (new for fiscal year ending March 31, 2018).

4.3 Work plan for fiscal year ending March 31, 2018

The notional work plan for fiscal year ending March 31, 2018 will include the documentation, reassessment and testing of key controls in the amended business processes discussed above (payroll and capital). In addition, any substantially amended requirements for the Directive on Accounting Standards will be reviewed with the business process owner to help ensure understanding and compliance.

The entity's financial control environment as a whole is monitored for substantial changes and if necessary and practical, the assessment plan is risk-adjusted.

In collaboration with the Office of the comptroller General, PSPC will develop a plan to address the new requirement to provide the results of its annual assessment of its system of internal control over common services provided to other departments, introduced in April 2017 by the new Policy on Financial Management.