Audit of Internal Controls Over Financial Reporting (AU1416)

TABLE OF CONTENTS

EXECUTIVE SUMMARY

INTRODUCTION

As per the Treasury Board’s Policy on Internal Control (PIC), the Deputy Minister (DM) is responsible to ensure the establishment, maintenance, monitoring and review of the departmental system of internal control. The Chief Financial Officer (CFO) supports the DM by establishing and maintaining a system of internal control related to financial management including financial reporting and departmental accounts. Other senior departmental managers establish and maintain a system of internal control for their areas of responsibility and within the departmental system of internal control. Within this context, the PIC requires both the DM and the CFO to sign an annual departmental Statement of Management Responsibility Including Internal Control over Financial Reporting as part of the departmental financial statements.

To comply with PIC requirements, management assesses internal controls over financial reporting. Specifically, management reviews and assesses entity level controls, business process controls and Information Technology (IT) general controls as they relate to information reporting in the departmental financial statements.

Within this context, it should be noted that each business process falls under the responsibility of a specific business process owner. As stated in the NRCan Framework for Internal Control over Financial Reporting (ICFR), process owners are responsible for establishing and maintaining internal control measures within their areas of responsibility.

As part of their monitoring role, the Financial Management Internal Controls Unit (FMICU) of the Finance and Procurement Branch (FPB) conducts risk-based assessments of the systems of ICFR based on three-year rotational on-going monitoring plan. The assessment process is a risk-based process to determine control objectives, to identify, document and test key controls, and to identify gaps in controls.

Although FMICU monitors and tests controls for effectiveness on a rotational basis, business process owners are responsible for ensuring controls are established and maintained on an on-going basis.

The system of Internal Control over Financial Reporting (ICFR) is designed to mitigate the most significant risks that could impact the completeness, accuracy and timeliness of departmental financial reporting and not necessarily designed to eliminate all possible risks.

This audit of Internal Control over Financial Reporting was approved by the Deputy Minister on April 26, 2013 as part of the Department’s Risk-Based Audit Plan.

The overall purpose of the audit is to provide reasonable assurance on whether the internal controls over selected business processes are operating effectively, as designed and implemented.

The scope of this audit was designed to provide timely assurance on the following specific business processes Footnote3for related transactions up to March 31, 2014:

  1. Capital Assets (CA);
  2. Revenues and Accounts Receivable (REV);
  3. Offshore Royalties and transfer payments (OFF);
  4. Loans and Advances (LA);
  5. Entity Level controls (ELC); and
  6. IT General Controls for the Specimen Signature Records (SSR) application.

The audit team collaborated with the FMICU to minimize duplication and increase synergies between the respective groups. This approach allowed the audit to provide an opinion on specific business processes, while enabling the FMICU to rely on the audit team’s work for their planned testing in 2014-15.

STRENGTHS

The Department through the Financial Management Internal Control Unit in the Finance and Procurement Branch has set activities to ensure that key controls are designed and implemented. They are assessed for their effectiveness and periodically re-assessed using a risk-based approach for monitoring purposes; furthermore, corrective actions are followed up on and their status is reported to senior management on a regular basis.

AREAS FOR IMPROVEMENT

Opportunities for improvement were identified as a result of testing the effectiveness of controls.  Specifically, business process owners should develop remedial actions to address control deficiencies within reasonable timelines. Furthermore, semi-annual updates to senior management on outstanding remedial action items should include additional details such as timelines and accountabilities to better support informed decision making.

AUDIT CONCLUSION AND OPINION

In my opinion, the Audit Branch can provide reasonable assurance that internal controls are operating effectively, as designed and implemented at the time of audit Footnote2, for processes related to Loans, Offshore Royalties and transfer payments, IT General Control activities over Specimen Signature Records (SSR) application and Entity level controls. Opportunities for improvement exist regarding the effectiveness of internal controls for both Revenue and Accounts Receivable, and Capital Asset processes, which is generally consistent with findings and recommendations presented by management in the 2011-12 and 2012-13 departmental financial statements. Corrective actions to address internal controls for which opportunities for improvement exist should be implemented in a timely manner.

STATEMENT OF CONFORMANCE

In my professional judgement as Chief Audit Executive, the audit conforms with the Internal Auditing Standards for the Government of Canada, as supported by the results of the Quality Assurance and Improvement Program.

Christian Asselin, CPA, CA, CMA, CFE
Chief Audit Executive

ACKNOWLEDGEMENTS

The audit team would like to thank those individuals who contributed to this project and, particularly employees who provided insights and comments as part of this audit.

INTRODUCTION

As per the Treasury Board’s Policy on Internal Control (PIC), the Deputy Minister (DM) is responsible to ensure that effective internal controls over financial reporting are in place to adequately manage risks relating to the stewardship of public resources.

The Chief Financial Officer (CFO) supports the DM by establishing and maintaining a system of internal control related to financial management including financial reporting and departmental accounts. Other senior departmental managers establish and maintain a system of internal control for their areas of responsibility and within the departmental system of internal control.

The system of Internal Control over Financial Reporting (ICFR) is designed to mitigate the most significant risks that could impact the completeness, accuracy and timeliness of departmental financial reporting and is not necessarily designed to eliminate all possible risks. As such, the maintenance of an effective system of ICFR is an on-going process, designed to identify key controls required to mitigate key risks, assess control effectiveness, adjust as required, and monitor performance in support of continuous improvement.

Within this context, the PIC requires both the DM and the CFO to sign an annual departmental Statement of Management Responsibility Including Internal Control over Financial Reporting as part of the departmental financial statements that:

  • Acknowledges the responsibility of management for ensuring the maintenance of an effective departmental system of internal control over financial reporting;
  • Acknowledges the conduct of an annual risk-based assessment of the system of internal control over financial reporting to determine its on-going effectiveness;
  • Acknowledges the establishment of an action plan to address any significant issues found as a result of the annual assessment of the effectiveness of the system of internal control over financial reporting; and
  • Includes a summary of the results of the annual assessment of the system of internal control over financial reporting along with the actions taken in response to any significant issues.

As part of the Annex to the Statement of Management Responsibility, departments publicly disclose the results of their risk-based assessments of their internal controls over financial reporting, as well as their planned corrective actions to address identified control weaknesses.

In 2012, NRCan’s Audit Branch conducted the Audit of Internal Controls in support of Quarterly Financial Reporting. The audit provided reasonable assurance that the Department had documented, implemented and monitored key internal controls; and had an adequate process for the preparation of quarterly financial reports in compliance with relevant standards and guidance. The previous audit did not, however, provide an opinion on the operating effectiveness of internal controls. This audit focused primarily on the operating effectiveness of specific Internal Controls over Financial Reporting (ICFR).

AUDIT PURPOSE AND OBJECTIVES

The overall purpose of the audit was to provide reasonable assurance on whether the internal controls over selected business processes were operating effectively, as designed and implemented.

Specifically the audit assessed whether:

  • Internal controls for the selected business processes were documented to reflect the current control environment prior to testing;
  • Internal controls had been redesigned and implemented after significant changes;
  • Key internal controls for selected business processes were operating effectively as intended; and
  • Action plans and procedures were taken to remediate any significant deficiencies or issues previously identified within the selected business processes.

AUDIT CONSIDERATIONS

A risk-based approach was used in establishing the objectives, scope and approach to this audit engagement. As a result, the following areas of risk related to the effectiveness of internal controls were identified for this audit:

  • Sufficiency of evidence for a given control may not be appropriate to conclude on the operating effectiveness of the control;
  • The remediation of internal control gaps or weaknesses identified may not be effective; and
  • The risk that unauthorized access might result in data being improperly deleted, altered, recorded or possibly result in a failure to adequately segregate duties.

SCOPE

The scope of this audit was designed to provide timely assurance on specific business processes, taking into consideration the timing of reviews and assessments being conducted by the Financial Management Internal Control Unit – Finance and Procurement Branch. This allowed the audit to provide timely assurance to the Deputy Minister on select business processes, while minimizing duplication and maximizing synergies between the Audit Branch’s work and that of the Finance and Procurement Branch (FPB).

As such, the audit focused on six business processes 3:

  1. Capital Assets (CA);
  2. Revenues and Accounts Receivable (REV);
  3. Offshore Royalties and transfer payments (OFF);
  4. Loans and Advances (LA);
  5. Entity Level controls (ELC); and
  6. IT General Controls for the Specimen Signature Records (SSR) application.

The time frame for the audit included transactions up to March 31, 2014.

The scope of the audit did not include other business processes, besides the six identified or any testing of controls that fell under the responsibility of Other Government Departments (such as Shared Services Canada and/or Agriculture and Agri-Food Canada).

APPROACH AND METHODOLOGY

The approach and methodology followed the Internal Auditing Standards for the Government of Canada, which incorporates the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing. These standards require that the audit be planned and performed in such a way as to obtain reasonable assurance that audit objectives are achieved.

The audit included tests considered necessary to provide such assurance. Internal auditors performed the audit with independence and objectivity as defined by the Internal Auditing Standards for the Government of Canada.

The audit approach included the following key tasks:

  • Obtaining a sufficient understanding of each business process;
  • Assessing the factors that affect the risk of potential material misstatement;
  • Reviewing of key documents and relevant background documentation related to key business processes;
  • Performing walkthroughs of business processes;
  • Interviewing key personnel;
  • Reviewing monitoring of inefficient controls and assessing current status;
  • Sampling transactions and related controls for testing; and
  • Performing audit procedures including tests to evaluate operating effectiveness of key controls selected.

The audit focused on the assessment of internal control operating effectiveness as designed and implemented by assessing the extent to which a key control has been operating as intended over a specified period of time such as a fiscal year. Tests of operating effectiveness are intended to demonstrate the reliability of the controls over a period of time in reducing related financial reporting risks. They were conducted by selecting a sample of actual transactions over the fiscal year 2013-2014 and testing them to determine if the control was performed consistently and as required based on organizational policy and procedures.

CRITERIA

Audit criteria used in the audit were developed based on the key controls set out in the Office of the Comptroller General’s Audit Criteria related to the Management Accountability Framework: A Tool for Internal Auditors, the PIC, as well as other relevant associated TBS and NRCan policies, procedures and directives.

The criteria were approved by management prior to the commencement of the audit. These are included in Appendix A.

FINDINGS AND RECOMMENDATIONS

BUSINESS PROCESS DOCUMENTATION

Summary Finding

The Financial Management Internal Control Unit (FMICU) of the Finance and Procurement Branch has documented the key business processes examined and associated internal controls. All business processes reviewed have been documented; however, there are additional streams of offshore revenues and related transfer payments for which internal control documentation should be developed. This issue was the subject of a recommendation in a recent internal audit of Offshore Revenues and Transfers, and, therefore, no further recommendation is required.

Supporting Observations

As required by the PIC, an effective risk-based system of internal control should be in place and be properly maintained, monitored and reviewed, with timely corrective measures taken when issues are identified. As part of this requirement, the Department is required to test the design, implementation and operating effectiveness of internal controls to ensure they are appropriate to mitigate related risks. As part of the assessment process, the Department ensures that internal control documentation reflects the current control environment prior to testing.

When processes are well documented, it enables the Department to demonstrate that there are controls in place, facilitate the testing of those controls and, can contribute to a more efficient external auditor attestation process. Documenting processes provides for a better understanding of internal controls, which tends to improve operational effectiveness and may reduce the potential for reporting errors. In addition, when employee turnover inevitably occurs, documented processes can be used to train new personnel.

Documentation and Update

The FMICU of the Finance and Procurement Branch establishes a controls maintenance process which ensures that the documentation of business processes are updated as part of its three-year rotational on-going monitoring plan. The audit sought to determine whether the documentation was complete and included key components such as narrative descriptions, as well as a flowchart and a risk control matrix for each key business process.

The audit found that business process documentation for the six processes reviewed were drafted and documented. The audit also found that descriptions were being updated, as required, to reflect significant changes to a process. However, there are additional streams of offshore revenues and related transfer payments, such as Net Profit Interest, Incidental Net Profit Interest and Crown Share Adjustment Payments, for which internal control documentation should be developed. It should be noted that as the same issue was the subject of a recommendation in a recent internal audit of Offshore Revenues and Transfers (May 2014), no further recommendation is required.

Ensuring that business processes are well documented, remain up to date and formally approved provides a complete picture of the internal control system. Well documented process descriptions are a critical component of the PIC and enable effective oversight by facilitating management’s identification of key controls and contribute to internal and external assurance activities. Therefore, finalizing these process descriptions through formal approval demonstrates they have been validated by business process owners and provides the necessary assurance and relevance of their content.

RISK AND IMPACT

The absence of comprehensive internal control documentation may impact the ability of external assurance providers to accept such process descriptions as complete and impede the Department’s ability to demonstrate compliance with the PIC.

RECOMMENDATIONS

None.

No recommendation is required as the same issue was the subject of a recommendation in a recent internal audit of Offshore Revenues and Transfers (May 2014).

EFFECTIVENESS OF BUSINESS PROCESSES

Summary Finding

The majority of controls tested were determined to be operating effectively, as designed and implemented. However, opportunities for improvement exist regarding the effectiveness of some internal controls, particularly for the Revenue and Accounts Receivables, and Capital Assets processes. These findings are generally consistent with findings and recommendations presented by management in the 2011-12 and 2012-13 departmental financial statements.

Supporting Observations

Testing the effectiveness of internal controls is another critical requirement of the PIC in order to maintain a sound departmental system of internal control.  Within this context, the FMICU has established a testing schedule to ensure that internal controls for key processes are tested for effectiveness. All processes identified as ‘high-risk’ are tested on a two-year cycle and those identified as ‘moderate/low risks’ are tested on a three-year cycle.

Effectiveness Business Processes Testing

As part of FMICU’s 2011-12 and 2012-13 effectiveness testing, internal controls related to the following business processes were assessed by management and presented in the relevant Statement of Management Responsibility Including Internal Control over Financial Reporting:

  • Capital Assets (CA);
  • Revenues and Accounts Receivable (REV);
  • Offshore Royalties and transfer payments (OFF);
  • Loans and Advances (LA);
  • Entity Level Component of Internal Controls (ELC); and
  • IT General Controls activities over Specimen Signature Records (SSR).

The audit conducted testing on the effectiveness of key controls for these business processes with a focus on transactions in 2013-14. This approach allowed the audit to compare our results with those presented in the 2011-12 and 2012-13 departmental financial statements, while enabling the FMICU to rely on Audit Branch’s work for their planned testing in 2014-15.

In summary, the audit found that 89% of controls tested were operating effectively, as designed and implemented. It was noted that the majority of controls for which opportunities for improvement exist, primarily remain in the Capital Assets and Revenues & Account Receivables processes, which is generally consistent with the results found by FMICU as reported in the Department’s 2011-12 and 2012-13 departmental financial statements.

It should be noted that compensatory controls may exist for any given control. The controls tested reflect those identified by management as ‘key controls’ within their documented business processes; and exist in order to support complete, accurate and/or timely financial information.  Within that context management has acknowledged in several cases that some of these controls may need to be revised to better reflect actual risk, as well as availability of resources. (See Appendix B for additional details.)

RISK AND IMPACT

Controls are established and implemented to mitigate against potential risks. Should key controls be identified as ineffective, the Department is exposed to risk that may impact the accuracy, completeness, timeliness and/or credibility of its financial information and related publications.

RECOMMENDATIONS

1. It is recommended that the Director General (DG) Finance and Procurement Branch; the DG and Chief Human Resources Officer; implement corrective actions, that fall within their respective areas of responsibility, to address controls for which opportunities for improvement exists as identified in Appendix B.

MANAGEMENT RESPONSE AND ACTION PLAN

Management agrees.

Please refer to Appendix B for detailed action plans per control, including position responsible and timing.

MONITORING AND REPORTING

Summary Finding

With regards to monitoring, the FMICU has a program in place to track, follow-up and report on remediation action items related to controls for which opportunities for improvement exist. However, status reporting to senior management on outstanding corrective actions could be further improved by including timelines and accountabilities to better support informed decision-making.

Supporting Observations

Another critical component of the PIC is the effective and timely monitoring and reporting of corrective actions to address control deficiencies. Within this context, when opportunities for improvement to controls are identified through the FMICU’s testing, business process owners are required to identify management action plans to address deficiencies and ensure effectiveness of controls. Subsequently, the FMICU is responsible to monitor and report on progress regarding the implementation of corrective actions to address controls for which opportunities for improvement exist.

Monitoring and Reporting

The operating effectiveness of internal controls over all business processes selected has been tested by FMICU in accordance with their three-year plan and therefore, was complete as of March 31, 2014. The FMICU regularly followed up with business process owners regarding their progress on corrective actions to address control deficiencies.

For the controls where opportunities for improvement existed, a remediation plan was developed and was to be implemented by the responsible business process owner.

The table below provides a summary of the FMICU’s status of recommendations as of March 31, 2014:

 

Process Category

Completed

Not completed

Total

Capital Assets Cycle (CA)

20

2

22

Entity-level Controls (ELC)

6

5

11

Loans and Advances

4

 

4

Offshore Royalties

1

 

1

Revenues & AR

17

4

21

IT GC SSR

6

1

7

Total

54

12

66

Although the FMICU follows-up regularly with business process owners on outstanding recommendations, they advised us that their ability to ensure corrective actions are implemented is often limited. In some cases, the audit found that corrective actions have been outstanding for over a year. As for business process owners, they may have competing priorities or resource constraints, resulting in delays to addressing the FMICU’s recommendations.

As part of ongoing monitoring and reporting, the FMICU prepares a mid-year and year-end update to the Chief Financial Officer, the Deputy Minister and the Departmental Audit Committee. Among the items included with these updates is a status on the progress of actions taken to address recommendations made related to ICFR. The status update provides a high-level summary and identifies actions as ‘complete’ or ‘incomplete’.

The audit found; however, that the status update of ICFR recommendations to senior management does not identify how long a recommendation has been outstanding or the business process owner responsible for its implementation.

Identifying timelines and the accountabilities, along with the information currently provided in the status update, would provide senior management a more complete picture of the progress made to address recommendations and better support informed decision making. In addition, the Departmental Audit Committee could also benefit from receiving this additional level of detail to further inform their advisory role to the Deputy Minister on the Internal Control Framework of the Department and its Financial Reporting.

RISK AND IMPACT

Controls are established and implemented to mitigate against potential risks.  Should appropriate corrective measures not be implemented to address deficiencies in a timely manner, the Department is exposed to risks that could potentially impact the accuracy, completeness and/or credibility of its financial information and related publications.

RECOMMENDATIONS

2. It is recommended that the Director General, Finance and Procurement Branch include timelines and the responsible business process owners for all outstanding remediation action items as part of the mid-year and year-end update to the Chief Financial Officer (CFO), the Deputy Minister (DM) and the Departmental Audit Committee (DAC).

MANAGEMENT RESPONSE AND ACTION PLAN

Management agrees.

In response to recommendation 2, timelines and the responsible business process owners will be included in the 2014-2015 mid-year and year-end update documents to the CFO, the DM and the DAC.

Position responsible: Senior Director, Financial Renewal and Capacity Building, Finance and Procurement Branch

Timing: Mid-year update: November 30, 2014
Year-end update: July 31, 2015

APPENDIX A – AUDIT CRITERIA

The criteria have been developed from the key controls set out in the Treasury Board of Canada’s Core Management Controls and relevant associated policies, procedures and directives.  The audit criteria were pre-established and agreed upon with management.

The overall purpose of the audit was to provide reasonable assurance on whether the internal controls over selected business processes were operating effectively, as designed and implemented.

The following audit criteria were used to conduct the audit:

Audit Sub-Objective Audit Criteria

Sub-Objective 1:

Key internal controls over financial reporting for the selected components were operating effectively as designed and implemented, and were monitored.

1.1 It was expected that internal controls for the selected business processes were documented to reflect the current control environment.
1.2 It was expected that for significant changes in selected business processes, the internal controls had been redesigned and implemented to reflect those changes.
1.3 It was expected that the key internal controls for selected business processes were operating effectively as intended.
1.4 It was expected that action plans, corrective measures and procedures were taken to remediate any significant deficiencies or issues identified within the selected business processes.

APPENDIX B – STATUS OF OPERATING EFFECTIVENESS

The purpose of this Appendix is to provide a summary of controls by business process, for which opportunities for improvement exist based on the audit work completed, as well as the planned remedial management actions committed to by the responsible business process owners.

It should be noted that each business process falls under the responsibility of a specific business process owner. As stated in the NRCan Framework for Internal Control over Financial Reporting (ICFR), process owners are responsible for establishing and maintaining internal control measures within their areas of responsibility.

As part of their monitoring role, the FMICU of the Finance and Procurement Branch conducts risk-based assessments of the systems of ICFR based on three-year rotational on-going monitoring plan. The assessment process is a risk-based process to determine control objectives, to identify, document and test key controls, and to identify gaps in controls.

Although FMICU monitors and tests controls for effectiveness on a rotational basis, business process owners are responsible for ensuring controls are established and maintained on an on-going basis.

Within that context the following table provides a summary of controls identified by business process, for which opportunities for improvement exist based on the audit work completed:

Capital Assets

Control Activity

Remedial Action and Timelines

Business Process Owner

CA 1.7

Monitoring is done (at least monthly) by the office of the Departmental Asset Manager of all goods purchases greater than $10,000, by PO line item, to identify if any capital assets have been recorded with account assignment ‘k’ and an expense GL.

Effective 2014-2015, the Corporate Reporting unit in the Finance and Procurement Branch (FPB) reviews on a quarterly basis, the proper use of Fund codes on Purchase Order (PO) lines which includes a review of the account assignment and General Ledger (GL) accounts. Thus, the Departmental Asset Manager is no longer required to perform the 2012-2013 control activity. 

No action required.

2014-2015: Director General of Finance and Procurement Branch, CMSS

Director of Financial Policy, Reporting and Internal Controls, CMSS

Manager of Corporate Reporting Unit, CMSS

2012-2013
Director General and Chief Human Resources Officer, CMSS

Senior Director Human Resources and Workplace Management Branch, CMSS

Departmental Asset (DA) Management Section Head, CMSS

CA 1.15

Monitoring is done once per year by the office of the Departmental Asset Manager on all non-capital assets with a value greater than 10K to identify if any capital assets were wrongly classified as non-capital assets.

The control will be done once a year in the last quarter.

Target Completion Date:
March 31, 2015

Director General and Chief Human Resources Officer, CMSS

Senior Director Human Resources and Workplace Management Branch, CMSS

Departmental Asset (DA) Management Section Head, CMSS

CA 1.10

Asset management conducts periodic inventory counts of capital assets.  

The Departmental Asset Manager, Human Resources and Workplace Management Branch, will maintain supporting documentation reflecting periodic inventory counts and subsequent follow-up actions implemented to address issues identified.

Target Completion Date: September 30, 2014

Director General and Chief Human Resources Officer, CMSS

Senior Director Human Resources and Workplace Management Branch, CMSS

Departmental Asset (DA) Management Section Head, CMSS

CA 1.14

Once per year, the Departmental Asset Manager ensures that for each AMR (Capital Assets included) there is an equivalent record in the Plant Maintenance module. Having a record in the Plant Maintenance module allows for certain asset actions to be performed properly (e.g. disposals).

The control will be done once a year in the last quarter, along with control activity CA 1.15.

Target Completion Date:
March 31, 2015

Director General and Chief Human Resources Officer, CMSS

Senior Director Human Resources and Workplace Management Branch, CMSS

Departmental Asset (DA) Management Section Head, CMSS

CA 5.1

A bar code with a unique control number is affixed to every piece of Machinery and Equipment purchased. The bar code number is manually entered in SAP in the inventory number field in the AMR in the Asset Accounting (AA) module, and in the EMR in the Plant Maintenance module.

The bar code is recorded as the Equipment Number in the EMR in Plant Maintenance (PM) module and is displayed in the AMR in the Asset Accounting (AA) module in the equipment number field under the allocations tab when the update is made in PM. Thus, the 2012-2013 control activity tested is no longer required.

No action required

Director General and Chief Human Resources Officer, CMSS

Senior Director Human Resources and Workplace Management Branch, CMSS

Departmental Asset (DA) Management Section Head, CMSS

CA 4.1

All disposals of machinery and equipment and vehicles are authorized according to the Delegation of Authority.

The Departmental Asset Manager, Human Resources and Workplace Management Branch, will:

  1. Collaborate with Finance and Procurement Services to ensure appropriate personnel have access to view the SSR database and, subsequently verify appropriate delegation of authority for disposals.
  2. A copy of the SSR will be kept with the disposal file.

Target Completion Date:
August 31, 2014

Director General and Chief Human Resources Officer, CMSS

Senior Director Human Resources and Workplace Management Branch, CMSS

Departmental Asset (DA) Management Section Head, CMSS

CA 4.5

For machinery and equipment and fleet disposals, the Departmental Asset Manager reviews the monthly “National Proceeds Report” to record the disposal in SAP and to ensure that all assets with proceeds have a corresponding Report of Surplus file (file internal to NRCan). 

The Senior Director, Human Resources and Workplace Management Branch, will ensure the review, revision and implementation of the control activity, reflective of the risks and availability of resources, in consultation with the internal control unit in FPB to determine the best approach to address this control activity.

Target Completion Date:
March 31, 2015

Director General and Chief Human Resources Officer, CMSS

Senior Director Human Resources and Workplace Management Branch, CMSS

Departmental Asset (DA) Management Section Head, CMSS

CA 7.1

There is segregation between those that authorize the purchases (Delegated RC managers) and those that record the asset in SAP (SSO Finance and Procurement services).

The recording of an asset in SAP cannot be restricted based on fund center.

The very few staff that can authorize purchases and record assets in SAP will be advised that asset purchases must be authorized by a superior.

Target Completion Date:
December 22, 2014

Director General and Chief Human Resources Officer, CMSS

Senior Director Human Resources and Workplace Management Branch, CMSS

Departmental Asset (DA) Management Section Head, CMSS

CA 7.2

There is segregation between the individuals who record the asset in SAP (SSO Finance and Procurement services) and the individuals who have custody of the assets (the Responsibility Managers).

The recording of an asset in SAP cannot be restricted based on fund center.

The few staff that can record asset in SAP and have custody of the asset (the Responsibility Managers) will be advised that the attestation of inventory and disposal must be authorized by a superior.

Target Completion Date:
December 22, 2014

Director General and Chief Human Resources Officer, CMSS

Senior Director Human Resources and Workplace Management Branch, CMSS

Departmental Asset (DA) Management Section Head, CMSS

CA 1.9

Annually, the Corporate Reporting Unit sends a list of real property capital assets from SAP to Workplace Services requesting a reconciliation of the SAP information with ARCHIBUS.

Management Agrees.

The Director of Financial Policy, Reporting and Internal Controls, CMSS is in the process of completing the annual ARCHIBUS reconciliation between SAP Asset Module and the ARCHIBUS system.

Target Completion Date:
March 31, 2015

Director General of Finance and Procurement Branch, CMSS

Director of Financial Policy, Reporting and Internal Controls, CMSS

Manager of Corporate Reporting Unit, CMSS

 

Offshore Royalties

Control Activity

Remedial Action and Timelines

Business Process Owner

OR 1.1.1

The Financial Assistant, Revenue and A/R, matches the details in the wire notification to the listing of notification emails and crosses the item off in the listing of notification emails.

Matching of wire transfer amounts received to expected amounts (notification emails from the program area) is evidenced by cross reference numbers added on the wire transfers listing and on the notification emails. Those two documents are attached to the printout of the corresponding SAP SD document; the attached documents are maintained on file. 

No action required.  

Director General of Finance and Procurement Branch, CMSS

Director of Finance and Procurement Services, CMSS

Manager, Accounting Operations and Chief of Financial Services, CMSS

 

Revenues and Accounts Receivable

Control Activity

Remedial Action and Timelines

Business Process Owner

AR 1.1.1

At NRCan, credit checks are performed by the Revenue and Accounts Receivable Unit Finance and Procurement Services, before agreements are signed with
clients / before goods and services are provided. 

Management Agrees.

The ADM CMSS and CFO will send an email advising all Sector ADMs of the requirement to notify FPB prior to contract / agreements being signed with clients, so that credit agreements and credit checks can be completed accordingly.

Furthermore, as part of the update to the NRCan Directive on Management of Accounts Receivables, the Director of Financial Policy, Reporting and Internal Controls, CMSS will clarify roles and responsibilities with respect to credit checks.

Target Completion Date:
March 31, 2015

Director General of Finance and Procurement Branch, CMSS

Director of Financial Policy, Reporting and Internal Controls, CMSS

Manager, Financial Management Policy, Training and Monitoring, CMSS

AR 1.1.2

The granting of credit to customers is approved by the Sector ADM.          

Management Agrees.

As part of the update to the NRCan Directive on the Management of Accounts Receivable, the Director of Financial Policy, Reporting and Internal Controls will clarify the roles and responsibilities of Sector ADM’s with respect to approving the granting of credit and advise them accordingly.

Target Completion Date:
March 31, 2015

Director General of Finance and Procurement Branch, CMSS

Director of Financial Policy, Reporting and Internal Controls, CMSS

Manager, Financial Management Policy, Training and Monitoring, CMSS

AR 3.6.1

For overdue accounts of more than 90 days, if possible, collection options such as collection letter, garnishments, set off and voluntary debt assignment are pursued. If not possible, at the 180 day mark, other advance collection methods are pursued (e.g. PCA).

Management Agrees.

Due to resource constraints and competing priorities, the focus was on overdue accounts in excess of $5000; however, effective July 2014, the Accounts Receivable Unit in the Finance and Procurement Branch (FPB) will follow-up on all overdue accounts.

Completed

Director General of Finance and Procurement Branch, CMSS

Director of Finance and Procurement Services, CMSS

Manager, Accounting Operations and Chief of Financial Services, CMSS

 

SSR

Control Activity

Remedial Action and Timelines

Business Process Owner

2.1.4

The identity of users is authenticated to the Oracle Database through passwords or other authentication mechanisms. Oracle Database password and lockout settings meet NRCan policy and leading practices.

Note: Although the Audit Branch concluded that this control remains ineffective, management has advised that planned changes to the SAP system to incorporate Financial Signing Authorities will address this deficiency. In the short-term, management also advises that the risk is minimal.

As such, no further action is required at this time.

Director General and Chief Information Officer, CMSS

Director Business Service Management, CMSS

2.1.6

Authorized access to sensitive data is logged and the logs are regularly reviewed to assess whether the access and use of such data was appropriate.

Note: Although the Audit Branch concluded that this control remains ineffective, management has advised that planned changes to the SAP system to incorporate Financial Signing Authorities will address this deficiency. In the short-term, management also advises that the risk is minimal.

As such, no further action is required at this time.

Director General and Chief Information Officer, CMSS

Director of IT Applications Services, CMSS

Manager of Applications Development Solutions, CMSS

APPENDIX C – DESCRIPTION OF BUSINESS PROCESSES EXAMINED

Capital Assets

The Department capitalizes asset purchases where the total acquisition cost is equal to or greater than $10,000 ($1,000 for revolving fund capital assets). A formal capital asset accounting standard for both purchased capital assets and capital assets developed by the Department is in place; it is available on the Department’s intranet and includes the amortization rates.

Revenue & Accounts Receivables

NRCan revenues are initiated and managed within the Sectors. For large projects with partners external to the federal government (e.g. academia, industry), formal contracts or Service Level Agreements (SLAs) are signed. For revenues with other government departments, Memorandums of Understanding (MOUs) are signed. Contracts, SLAs and MOUs (referred to as “agreements”) are signed by the client and the appropriate signing authority within the Sector. Receivables are financial assets in the form of claims held against customers and others for money, goods, or services. Accounts receivable are classified as short-term receivables that are normally, but not necessarily, expected to be collected within a year.

Offshore Royalties and transfer payments

NRCan is responsible for collecting revenues related to offshore oil and gas royalty payments. This program is managed by a Project Officer in the Frontier Land Management Division and is overseen by the Program Director. Additionally, the Finance and Procurement Branch performs the accounting and payment functions associated with the program.

Under the Canada-Newfoundland Atlantic Accord Offshore Act and the Canada-Nova Scotia Offshore Petroleum Resources Accord Implementation Act (Accord Acts) revenue sharing benefits have been established with each respective province for payments related to offshore royalty payments.

Loans & Advances

The Treasury Board Secretariat approved a loan to be issued by NRCan. A copy of the proof of required collateral as set out in the loan agreement, such as a registered deposit note, is provided to Legal Counsel, the Finance and Procurement Branch and the associated Sector. As of March 31, 2014, this is the only loan receivable in NRCan’s financial statements. Advances to employees are occasionally provided to employees as per policy. Employee advances are not material.

Entity Level controls

Entity level controls (ELC) refer to those controls and practices that may have a direct or indirect impact on the integrity of the department’s financial reporting. Management has used the COSO internal control framework component of control activities in assessing the existence and quality of internal controls. The Department’s entity level controls are supported by frameworks, policies, activities and procedures.

IT General Control Activities over Specimen Signature Record Application (SSR)

The Specimen Signature Record application (also known as SSR) is used within Finance and Procurement, with an interface, via ConneXus, to manage Financial Administration Act (FAA) authorities within the Department. It also serves as a repository for RC Manager signatures for verification. There are IT general controls (ITGCs) associated with the management of the Specimen Signature Records (SSR) application system.