This page has been archived.
Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.
This document provides a summary of the measures taken by the Treasury Board of Canada Secretariat (the Secretariat) to maintain an effective system of internal control over financial reporting (ICFR), which includes information on internal control management, assessment results and related action plans.
Detailed information on the Secretariat’s authority, mandate and programs can be found in its Departmental Performance Report and Report on Plans and Priorities.
The Secretariat recognizes the importance of senior management leadership in ensuring that employees at all levels understand their role in maintaining an effective ICFR system and are well equipped to exercise their responsibilities. The Secretariat’s objective is to continually improve its internal control environment using a risk-based approach and targeted resource investments to achieve the required level of effectiveness at a manageable cost.
Following are the Secretariat’s key positions and committees that have responsibilities for maintaining and reviewing the effectiveness of its ICFR system:
The Secretariat’s deputy head, as accounting officer, assumes overall responsibility and leadership for the measures taken to maintain an effective system of internal control. In this role, the Secretary chairs the Executive Committee and is a member of the Departmental Audit Committee.
The Secretariat’s CFO reports directly to the Secretary and provides leadership for the coordination, coherence, and design and maintenance of an effective, integrated system of ICFR, including its annual assessment.
The Secretariat’s senior departmental managers in charge of program delivery are responsible for maintaining and reviewing the effectiveness of the ICFR system, as related to their respective mandates.
The Secretariat’s CAE reports directly to the Secretary and provides assurance through periodic internal audits, which are instrumental in maintaining an effective system of ICFR.
The GCAC is an advisory committee to the Secretary that provides objective views on the Secretariat’s financial statements and its risk management, control and governance frameworks. The committee comprises the Secretary and three external members. As such, it reviews the Secretariat’s corporate risk profile, internal audit reports and system of internal control, including the assessment and action plans relating to the ICFR system.
The Secretariat’s control environment includes measures and tools to ensure compliance with ICFR and to support the management and oversight of its ICFR system. It also serves to raise awareness and help develop employees’ internal control knowledge and skill sets. Such measures include:
As a department, the Secretariat relies on other organizations to process certain transactions that are recorded in its financial statements. There are two types of arrangements as detailed below; common arrangements which are used by most departments and specific arrangements which are used specifically by TBS.
Common arrangements:
Specific arrangements:
The Secretariat relies on the internal controls of a number of insurance companies that provide specific services such as health care plan administration, dental plan administration and insurance services.
Other government departments rely on the Secretariat to process certain transactions and to provide information that impacts their financial statements.
Common arrangements:
Specific arrangements:
The Secretariat provides certain corporate services to several departments, including the Department of Finance Canada, the Privy Council Office, the Canada School of Public Service and the Immigration and Refugee Board of Canada.
Business cycle controls at the Secretariat are grouped into two categories: business processes that concern the Secretariat in its role as manager of government-wide funds and public service employer payments and business processes that concern the Secretariat as a department.
In 2012–13, the Secretariat completed design effectiveness testing for its major government-wide pension and employee benefits plans, and conducted operating effectiveness testing for departmental business processes. In addition, the Secretariat continued to perform ongoing monitoring of selected controls related to its financial system, particularly user access and security controls.
The Secretariat in its role as a manager of government-wide funds and public service employer payments completed the assessment of design effectiveness testing of its majority of benefits plans. These plans represent $6.2 billion of the $6.5 billion total gross expenses reported in 2012–13 (approximately 95 per cent).
In 2012-13, design effectiveness testing was completed for the following processes:
In addition and as planned, the Secretariat completed the validation of observations related to design effectiveness testing for the Public Service Health Care Plan (PSHCP).
As a result of design effectiveness testing, the Secretariat identified the following remediation:
TBS also initiated assessment of the Service Income Security Insurance Plan (SISIP), including documenting process descriptions and design effectiveness testing for the SISIP is scheduled to be completed in 2013–14.
In its role as a department, the Secretariat completed validation of the process descriptions for low dollar value contracts.
In 2012–13, the Secretariat, in its role as a department, completed operating effectiveness testing for acquisition card charges. The assessment focused on controls related to payments and account verification. As a result of the operating effectiveness testing, the Secretariat identified the need to update its procedures to align with current practices. This work has been completed.
During the year, the Internal Audit and Evaluation Bureau (IAEB) completed an audit of the interdepartmental settlements (IS) process in the Secretariat. The IS processes support the Secretariat in both of its roles. The audit objectives were to assess the adequacy and effectiveness of the management of IS and to determine whether the SAP financial system supports the IS process effectively and efficiently. Evidence supporting IT-dependent manual controls and application controls were also assessed to ensure maintenance of data integrity.
As a result of the audit of the IS process, certain gaps related to approvals and supporting documentation were identified for transactions related to employee benefits, the pension and taxes. A management action plan was prepared to ensure that these observations are addressed and will be completed by March 2014.
During 2012-13, the audit of the Administration of the External Expert Contract for the Strategic and Operating Review was completed. The objective of the audit was to assess the adequacy and effectiveness of the management control framework over the administration of the contract for the Strategic and Operating Review. In conclusion of this audit it was found that the management control framework over the administration of the contract for the Strategic and Operating Review was adequate and effective.
Some IAEB and Internal Control Unit activities are complementary. In these cases, both groups work together to ensure alignment of complementary activities to maximize results.
In 2012–13, the Secretariat initiated operating effectiveness testing of the IT general controls for the SAP financial system that impact the Secretariat’s financial statements. Areas of testing will cover controls related to information system operations, information security, back-up recovery, and application and database implementation and maintenance. The operating effectiveness testing is to be completed in 2013–14.
In the current year, the Secretariat completed planned ongoing monitoring of the SAP financial system’s information security, specifically as related to user access control and segregation of duties. As a result of this monitoring, the Secretariat identified the need to update its procedures to reflect current practice. This work has been initiated and will be completed in 2013-14.
In addition, the Secretariat requested that its Integrated Financial and Materiel System (IFMS) Program Office conduct a security and authorization review of the SAP financial system, including a review of the authentication, security administration, and access and authorization control protocols. Assessment of operations and maintenance policies was part of this review. The review stated that the controls assessed were adequate and noted opportunities for further enhancing controls related to segregation of duties associated with the procurement to pay cycle and user access to functional configuration and view tables. A management action plan was prepared to address these observations which will be fully implemented in 2013-14. The previous formal review was completed in 2009, going forward, the Secretariat plans to conduct a formal review on a triennial basis.
In 2012–13, the Secretariat has continued to make significant progress in assessing and improving its key controls. Following is the summary of the main progress made by the Secretariat based on the plans identified in previous years’ Annexes.
Element in Previous Year’s Action Plan | Status |
---|---|
Secretariat as a department | |
IT General Controls – Ongoing monitoring. This monitoring activity was identified in the 2010–11 Annex. |
Ongoing monitoring of the SAP financial system’s information security (user access control and segregation of duties) completed as planned. In addition unplanned operating effectiveness testing initiated for the SAP financial system to complement the above work. |
Operating expenses / accounts payable – Design effectiveness and operating effectiveness testing. |
Documentation and validation of system description were completed for the new process related to low dollar value contracts. Operating effectiveness testing for acquisition card charges and remediation completed. Operating effectiveness testing for travel and hospitality deferred to 2013–14 due to other management priorities. |
Secretariat as the manager of government-wide funds and public service employer payments | |
Public Service Health Care Plan (PSHCP) – Design effectiveness testing. | Design effectiveness testing was completed in 2011–12, and validation of observations continued during 2012–13. Remediation of design deficiencies initiated as planned. |
Public Service Dental Care Plan (PSDCP) – Design effectiveness testing. | Design effectiveness testing completed as planned. Remediation of design deficiencies initiated. |
Provincial payroll taxes – Design effectiveness testing and operating effectiveness testing. | Design effectiveness testing and operating effectiveness testing completed. A management action plan was prepared to address deficiencies. |
Employment insurance (EI) premiums – Design effectiveness testing and operating effectiveness testing. | Design effectiveness testing and operating effectiveness testing completed. A management action plan was prepared to address deficiencies. |
Canada/Québec Pension Plan (CPP/QPP) contributions – Design effectiveness testing and operating effectiveness testing. | Design effectiveness testing and operating effectiveness testing completed. A management action plan was prepared to address deficiencies. |
Service Income Security Insurance Plan (SISIP) – Design effectiveness testing. | Design effectiveness testing initiated as planned. |
Pensioners’ Dental Services Plan (PDSP) – Design effectiveness testing. | Design effectiveness testing deferred to 2013–14 due to management priorities. |
Public Service Management Insurance Plan – Design effectiveness testing. | Design effectiveness testing deferred to 2013–14 due to management priorities. |
Provincial Health Insurance Plan premiums – Operating effectiveness testing. | Operating effectiveness testing completed through the internal audit of the IS process. |
Québec Parental Insurance Plan – Operating effectiveness testing. | Operating effectiveness testing completed through the internal audit of the IS process. |
Supplementary Death Benefit Plan – Operating effectiveness testing. | Operating effectiveness testing completed through the internal audit of the IS process. |
The Secretariat has made significant efforts to complete in-depth design effectiveness testing for the majority of its business processes related to government-wide funds and public service employer payments. With the assistance of Ernst & Young, the Secretariat is planning to substantially complete operating effectiveness testing for all levels of controls (entity level controls, IT general controls and business processes) by 2013–14 (see Table 2 below).
The Secretariat has reviewed its strategy for assessing the system of ICFR going forward. Instead of pursuing an in-depth assessment of design effectiveness for the remaining benefits plans, the Secretariat has decided to move to operating effectiveness testing in all areas of controls.
Based on this strategy, the Secretariat will not reassess the design of the Provincial Health Insurance Plan premiums, the Québec Parental Insurance Plan and the Supplementary Death Benefit Plan. The initial assessment conducted by an external consulting firm is considered to be sufficient given that the processes associated with these plans have not significantly changed. In addition, the controls related to these plans were assessed during the recent audit of the IS process by the IAEB. These plans represent $84 million (or approximately 1 per cent) of the Secretariat’s $6.5 billion total gross expenses reported in 2012–13.
Building on progress to date, the Secretariat is positioned to substantially complete the full assessment of its system of ICFR in 2013–14. At that time, the Secretariat will apply its rotational ongoing monitoring plan to reassess control performance on a risk basis across all areas.
The status and action plan for the 2013–14 fiscal year and subsequent years is as detailed in Table 2.
Key Control Areas | Assessment Elements | ||
---|---|---|---|
Design Effectiveness Testing and Remediation See annex note (1) | Operating Effectiveness Testing and Remediation See annex note (1) | Ongoing Monitoring Rotation | |
|
|||
Secretariat as a department | |||
Entity level controls | Complete | 2013–14 | Future years See annex note (5) |
IT general controls under departmental management | Complete | 2013–14 | 2015–16 See annex note (2) |
Payroll and benefits | Complete | 2013–14 | Future years See annex note (5) |
Operating expenses / accounts payable | Complete | 2013–14 | Future years See annex note (5) |
Financial reporting and closing cycle | Complete | 2013–14 | Future years See annex note (5) |
Revenues / accounts receivable | Complete | 2013–14 | Future years See annex note (5) |
Budgeting and forecasting | Complete | 2014–15 | Future years See annex note (5) |
Capital assets (new assessment element) | 2014–15 | 2015–16 | Future years See annex note (5) |
Secretariat as manager of government-wide funds and public service employer payments | |||
Public Service Pension Plan (PSPP) | Complete | 2013–14 | 2015–16 |
Disability Insurance (DI) Plan | Complete | 2013–14 | 2015–16 |
Public Service Health Care Plan (PSHCP) | Complete See annex note (3) | 2013–14 | 2016–17 |
Public Service Dental Care Plan (PSDCP) | Complete | 2013–14 | 2016–17 |
Provincial payroll taxes | Complete | Complete See annex note (4) | Future years See annex note (5) |
Employment insurance (EI) premiums | Complete | Complete See annex note (4) | Future years See annex note (5) |
Canada/Québec Pension Plan (CPP/QPP) contributions | Complete | Complete See annex note (4) | Future years See annex note (5) |
Pensioners’ Dental Services Plan (PDSP) | 2013–14 | 2013–14 | Future years See annex note (5) |
Public Service Management Insurance Plan | 2013–14 | 2013–14 | Future years See annex note (5) |
Service Income Security Insurance Plan (SISIP) | 2013–14 | 2014–15 | Future years See annex note (5) |
Provincial Health Insurance Plan premiums | Complete | Complete See annex note (4) | Future years See annex note (5) |
Québec Parental Insurance Plan | Complete | Complete See annex note (4) | Future years See annex note (5) |
Supplementary Death Benefit Plan | Complete | Complete See annex note (4) | Future years See annex note (5) |