Annex A: Assessment of internal control over financial reporting for fiscal year ended March 31, 2017

On this page

1. Introduction

This document provides a summary of the measures taken by Public Services and Procurement Canada (PSPC or the department) to maintain an effective system of internal control over financial reporting (ICFR), which includes information on internal control management, assessment results and related action plans.

Detailed information on PSPC's authority, mandate and programs can be found in the 2016 to 2017 Departmental Results Report and 2017 to 2018 Departmental Plan.

2. Public Services and Procurement Canada system of internal control over financial reporting

2.1 Internal control management

PSPC has a well-established governance and accountability structure to support departmental assessment and oversight of its system of internal control. The department's internal control management framework forms part of its Financial Management Framework (FMF) and helps to provide reasonable assurance that, at a minimum:

Furthermore, the FMF helps to ensure that:

The application of the FMF is an important responsibility for which all managers are accountable, and as such forms part of all performance management agreements. The FMF has been approved by the Deputy Head and includes:  

The AEC provides advice to the Deputy Head on the adequacy and functioning of the department's risk management, control and governance frameworks and processes. The AEC meets approximately 6 times a year and is comprised of the Deputy Minister, the Associate Deputy Minister and 3 members external to the federal public administration, one of whom is the Chair. AEC meetings are also attended by the Chief Financial Officer.

To provide reasonable assurance that financial controls are in place and operating as intended, PSPC conducts risk-based assessments, leverages ongoing monitoring programs and conducts specific year-end reviews, including:

These activities help to ensure that:

In addition, PSPC leverages results and findings from audits performed by external auditors as input to its assessment of the control environment as follows:

Below is a summary of the actions and results for the fiscal year ended March 31, 2017 monitoring.

2.2 Service arrangements relevant to financial statements

PSPC relies on other organizations for the processing of certain transactions through both common and specific arrangements that are recorded in its financial statements as follows:

Common arrangements

PSPC administers the following Receiver General Central Systems used by other government departments to process treasury-related and salary-related transactions:

In addition to central systems, PSPC also provides payroll (Phoenix) and pension administration services to other federal government departments, agencies and public service pensioners.

Internal controls related to these systems and common services are maintained and monitored by PSPC as a common service provider and as a result, PSPC provides an annual letter of assurance to all departments attesting to the reliability of the control framework for these central systems.

Specific arrangements

3. Public Services and Procurement Canada assessment results during fiscal year ended March 31, 2017

This assessment of Internal Control over Financial Reporting relates to specific departmental operations and therefore does not include the internal controls of PSPC as a provider of central systems and common services.

3.1 Progress during fiscal year ended March 31, 2017

During the fiscal year ending March 31, 2017, key controls within existing processes were amended, which will require a reassessment (re-documentation and test plan). This resulted from the implementation of new business transformation initiatives and systems, specifically, the application of new business rules designed to provide more reliable information on holdings of capital assets, and the implementation of the new Phoenix pay system.

As a department, PSPC receives centrally provided payroll services from Phoenix. Only those pay processing services that remained internal to PSPC as a department are part of the system of ICFR.

A risk assessment of the remaining business process key financial reporting controls (sales to settlement, general ledger integrity, procurement, payables and payments, national account verification, financial statement close, public accounts reporting and environmental liabilities) indicated a low risk of material failures due to their stability (no system change or major staff changes) and existing documentation and prior years' testing of the related key controls.

In addition to the ongoing monitoring of the financial control processes discussed above, interviews were conducted with key business process owners in all of the control environments (except payroll) to obtain sufficient and reliable evidence to support the assertion that the existing financial control environment remained sound. No material issues were discovered.

The key findings and adjustments required from the assessment activities are summarized below.

3.2 New or significantly amended key controls

The PSPC risk-based monitoring program reviewed the key year-end financial controls in section 3.1. In addition, detailed reviews of the sales tax controls and the capital lease calculation tool were completed. Both the tax controls and the lease tool were found to be functioning as intended. Due to significant enhancements in the control environments related to capital assets and the payroll process, these assessments were postponed as it would be disruptive to the business process owner and of little value from a testing standpoint. The departmental payroll process will be documented and tested up to the point where transactions are transferred to Phoenix as well as from the point when transactions are subsequently returned from the Public Service Pay Centre (Phoenix).

3.3 Ongoing monitoring program

The ongoing monitoring program both assesses the current state of key financial control processes within finance services, and leverages financial control activities being conducted outside of finance services.  This combined approach provides a more robust and holistic view of the department's overall financial control environment and further supports the assertions made in the Statement of Management Responsibility.

The following work was undertaken to support the reasonable assurance assertion by the department, within an established and robust financial management control environment:

Due to known financial control issues identified in the Phoenix payroll process, no testing of the department's own payroll process was done. Once the payroll process has stabilised and the Phoenix process owner has confirmed that the system is operating with the baseline controls in place, a test plan for the significant controls within the department will be developed and financial controls testing will re-commence. Nevertheless, the department undertook active measures, such as monitoring of the over/under payments to help ensure that its payroll-related balances were not materially misstated.

No material issues were discovered in any of the aforementioned activities.

4. Public Services and Procurement Canada's action plan

4.1 Action plan for the next fiscal year and subsequent years

PSPC is in the process of rationalising its risk-based ICFR program in consideration of the level of effort required, changes to the control environment and the new requirement (for fiscal year ending March 31, 2018) to provide assurance on the internal financial controls on common services provided. This renewed program will focus on identifying and documenting high-level assurance processes, entity-wide assurance activities and their related financial controls. This will be combined with a substantive testing program only where a higher level of risk exists and additional assurance is required. This will involve engaging stakeholders as partners and further leveraging the existing control environment. 

4.2 Rotational ongoing monitoring plan for internal controls over financial reporting

A rotational ongoing monitoring plan has been developed which will cover a 3 to 5 year span. It is based on an annual validation of high risk processes, related financial controls and necessary adjustments to the ongoing monitoring and substantive testing plan as required. Each of the following key control areas is subject to annual ongoing monitoring with sub-processes being fully assessed over a 3 to 5 year cycle based on risk assessments: entity level controls, information technology general controls, payroll, financial statements preparation, procurement, payables and payments, sales to settlement, year-end financial close, capital assets, environmental liabilities and financial management controls (new for fiscal year ending March 31, 2018).

4.3 Work plan for fiscal year ending March 31, 2018

The notional work plan for fiscal year ending March 31, 2018 will include the documentation, reassessment and testing of key controls in the amended business processes discussed above (payroll and capital). In addition, any substantially amended requirements for the Directive on Accounting Standards will be reviewed with the business process owner to help ensure understanding and compliance.

The entity's financial control environment as a whole is monitored for substantial changes and if necessary and practical, the assessment plan is risk-adjusted.

In collaboration with the Office of the comptroller General, PSPC will develop a plan to address the new requirement to provide the results of its annual assessment of its system of internal control over common services provided to other departments, introduced in April 2017 by the new Policy on Financial Management.

Date modified: