Audit of Internal Controls over Financial Reporting - AU1801

Audit and Evaluation Branch
Natural Resources Canada

Presented to the Departmental Audit Committee (DAC)
December 2018

Executive Summary
Introduction
FINDINGS AND RECOMMENDATIONS
APPENDIX A – CRITERIA

Executive Summary

Introduction

Parliamentarians and Canadians expect that the financial resources of the Government of Canada are well managed and safeguarded through internal controls. They also expect reliable reporting that provides transparency and accountability for how public funds are spent to achieve results for Canadians. The Treasury Board (TB) Policy on Financial Management (PFM), which came into effect on April 1, 2017, replaced several Treasury Board policy instruments, including the Policy on Internal Control, and was developed with the objective of ensuring that financial resources of the Government of Canada are well managed in the delivery of programs to Canadians and safeguarded through balanced controls. The PFM defines internal control over financial management (ICFM) as ’’a set of measures and activities that provide reasonable assurance of the effectiveness and efficiency of the financial management activities of the department’’. As a subset of the system of internal control over financial management, internal control over financial reporting (ICFR) is defined as ’’a set of measures and activities that allow senior management and users of financial statements to have reasonable assurance of the accuracy and completeness of the department’s financial statements’’. The focus of this audit was on ICFR.

An effective system of ICFR supports the establishment and implementation of key internal controls, which collectively help to ensure that financial transactions are properly recorded. The degree to which internal controls are effectively implemented directly influences the reliability of the Department’s externally facing financial statements, as they protect its financial resources from mismanagement, errors, and other irregularities that could ultimately distort important account balances in the statements. As such, administering adequate measures and safeguards for key business processes, through an effective system of ICFR, is imperative to providing Canadians an accurate representation of the use of public funds. The details within Natural Resources Canada’s (NRCan) annual financial statements are also reported in the Public Accounts of Canada, which are prepared annually by the Office of the Auditor General (OAG) and provide a consolidated representation of the Government of Canada’s financial statements as a whole.

The existence of sound financial information, when integrated with other sources of non-financial information, allows NRCan to effectively manage its priorities and deliver key products and services to the public. Strategic and operational decision-making is enhanced when a complete picture of an entity’s financial performance is available in a timely manner, which directly translates to more effective spending and increased value for Canadians.

As per the PFM, the Chief Financial Officer (CFO) is responsible for establishing, monitoring, and maintaining a risk-based system of ICFR. In September 2012, NRCan developed the NRCan Framework for Internal Controls over Financial Reporting (the Framework) to establish the approach and accountabilities regarding the Department’s system of ICFR. The Framework is intended to outline the roles and responsibilities of senior management, process owners, as well as other NRCan employees, and to provide an overview of the process for assessing NRCan’s system of ICFR. As part of their monitoring role, the Financial Policy Reporting and Internal Controls (FPRIC) unit within the Corporate Management and Services Sector (CMSS) has the responsibility to conduct risk-based assessments of the system of ICFR in order to test its ongoing effectiveness. Although FPRIC is responsible for monitoring and testing key controls for effectiveness, business process owners are responsible for the establishment and maintenance of their respective business process controls.

The objective of the audit was to assess whether key controls of selected business processes are operating effectively, as designed and implemented, and whether the framework in place to manage, monitor, and report on the system of ICFR is effective.

The audit was included in the 2017-2020 Risk-Based Audit Plan, approved by the Deputy Minister on March 30, 2017.

Strengths

Overall, roles, responsibilities, and reporting mechanisms are defined and in place to support the Department’s system of ICFR. The Annex to the Statement of Management Responsibility Including Internal Controls over Financial Reporting largely reflects the results from ongoing assessments for which a monitoring plan and assessment methodology, supported by a risk assessment, have been established. Generally, FPRIC communicates identified control deficiencies to business process owners in a timely manner, and monitors the implementation of corrective actions accordingly.

Areas for Improvement

Opportunities exist to review, update, and communicate the NRCan ICFR Framework to better align it with the TB Policy on Financial Management, and to improve the documentation and completeness of the risk assessment for ICFR. Opportunities also exist for FPRIC to strengthen ongoing monitoring practices in collaboration with business owners. Some key controls surrounding the operating expenditures business process need to be reviewed, and the key controls related to capital assets require significant improvements.

Internal Audit Conclusion and Opinion

In my opinion, there is a framework in place to manage, monitor, and report on the NRCan system of ICFR. Opportunities exist to update that framework and to align it with the TB Policy on Financial Management and to improve some governance, risk assessment, ongoing monitoring, and ICFR testing processes.

Overall, the key controls tested for the operating expenditures and the loan guarantees business processes were designed and implemented effectively, with some opportunities for improvement pertaining to operating effectiveness. Significant design, implementation, and operating effectiveness control deficiencies were identified in the capital assets business process, which is consistent with the findings and recommendations presented in the 2014 internal audit of ICFR.

Statement of Conformance

In my professional judgement as Chief Audit Executive, the audit conforms with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing and the Government of Canada’s Policy on Internal Audit, as supported by the results of the Quality Assurance and Improvement Program.

Christian Asselin, CPA, CA, CMA, CFE
Chief Audit and Evaluation Executive
December 13, 2018

ACKNOWLEDGEMENTS

The audit team would like to thank those individuals who contributed to this project and, particularly employees who provided insights and comments as part of this audit.

Introduction

Text version

Figure 1: systems of Internal controls

Deputy Head
System of Internal control across the department.

Chief Financial Officer
System of Internal control over financial management and financial reporting.

Senior departmental managers
System of internal control within their areas of responsibilities.

Source: TB Guide to Ongoing Monitoring of Internal Controls Over Financial Management

As per the PFM, the Chief Financial Officer (CFO) is responsible for establishing, monitoring, and maintaining a risk-based system of ICFR. The PFM also requires the CFO to ensure the accuracy and reasonableness of the departmental financial statements, including the annual departmental Statement of Management Responsibility Including Internal Control over Financial Reporting, which establishes management’s accountability for implementing an effective system of internal controls over financial reporting (ICFR). Both the financial statements and the annual departmental Statement of Management Responsibility Including Internal Control over Financial Reporting are approved by the Deputy Head. For their part, senior managers are responsible for implementing and maintaining a risk-based system of ICFR, as well as notifying the CFO of material control weaknesses and taking prompt corrective actions when necessary.

In September 2012, Natural Resources Canada (NRCan) developed the NRCan Framework for Internal Controls over Financial Reporting (the Framework) to establish the approach and accountabilities regarding the Department’s system of ICFR. The Framework is intended to outline the roles and responsibilities of senior management, process owners, as well as other NRCan employees, and to provide an overview of the process for assessing NRCan’s system of ICFR. As part of their monitoring role, the Financial Policy Reporting and Internal Controls (FPRIC) unit within the Corporate Management and Services Sector (CMSS) has the responsibility to conduct risk-based assessments of the system of ICFR in order to test its ongoing effectiveness. Although FPRIC is responsible for monitoring and testing key controls for effectiveness, business process owners are responsible for the establishment and maintenance of their respective business process controls.

The audit was included in the 2017-2020 Risk-Based Audit Plan, approved by the Deputy Minister on March 30, 2017.

Audit Purpose and Objectives

Specifically, the audit assessed whether:

Roles, responsibilities, and reporting mechanisms are properly defined and in place to support NRCan’s system of ICFR;
The system of ICFR is supported by an adequate risk assessment and risk-based ongoing monitoring plan and reported in the Annex to the Statement of Management Responsibility;
Ongoing monitoring and testing of the ICFR system performed by FPRIC is effective; and
Key internal controls over financial reporting of selected business processes are operating effectively as designed and implemented.

Audit Considerations

A risk-based approach was used in establishing the objectives, scope, and approach for this audit engagement. The following areas were identified as having significance to the effective management of internal controls over financial reporting, and therefore assessed as areas of increased risk for the audit:

Definition, documentation, and communication of the roles, responsibilities, and accountabilities of stakeholders, as well as the working relationships between them;
Adequacy of the ICFR risk assessments, environmental scans, and the risk-based ongoing monitoring plan;
Reliability of ongoing monitoring practices, as well as the communication and follow-up of its results; and
Design, implementation, and operating effectiveness of internal controls over financial reporting for key business processes.

Scope

The scope of this audit included relevant processes, procedures, controls, and tools used to monitor and report on the system of ICFR. The audit focused primarily on the period of April 1, 2016 to June 30, 2018. However, preceding periods were considered for audit procedures related to sub-objective 2.

The following business processes were included as part of the testing related to sub-objectives 3 and 4, and were chosen based on a risk-based approach, including considerations for the materiality of the accounts and the moment they were last tested by the FPRIC unit.

Capital assets
Operating expenditures (the testing related to sub-objective 4 will focus solely on utilities, material and supplies transactions)
Loan guarantees (only included as part of sub-objective 4)

Salaries and employee benefits represent a significant portion of expenditures in NRCan’s financial statements; therefore, this business process was reviewed by the audit team as part of sub-objective 2. However, the audit team did not include salary and benefits as part of the testing related to sub-objectives 3 and 4, since the business process was in transition at the moment of the audit, while all departments in the Government of Canada using Phoenix worked towards addressing existing weaknesses identified by the Office of the Auditor General. The Audit and Evaluation Branch also conducted recent audits and advisory projects related to the pay process, and will be conducting its fourth continuous audit of pay in FY 2018-19.

The Audit and Evaluation Branch conducted continuous audits of grants and contributions, and acquisition cards in 2017-18, and obtained reasonable assurance on the effectiveness of key controls. Therefore, these two areas were excluded from the testing related to sub-objectives 3 and 4.

This internal audit does not provide an opinion on the financial statements prepared by the Department.

Approach and Methodology

The approach and methodology used in this audit followed the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing (IIA Standards) and the Treasury Board Policy of Internal Audit. These standards require that the audit be planned and performed in such a way as to obtain reasonable assurance that audit objectives are achieved. The audit included tests considered necessary to provide such assurance. Internal auditors performed the audit with independence and objectivity as defined by the IIA Standards.

The audit included the following key tasks:

Interviews and walkthroughs with key personnel;
Review of key documents pertaining to the system of ICFR;
Re-performance of a sample of control testing (design and operating effectiveness) performed by the FPRIC unit; and
Performing audit procedures including tests to assess design and operating effectiveness of selected key controls.

The conduct phase of this audit was substantially completed in August 2018.

Criteria

Please refer to Appendix A for the detailed audit criteria. The criteria guided the audit fieldwork and formed the basis for the overall audit conclusion.

FINDINGS AND RECOMMENDATIONS

GOVERNANCE AND REPORTING

Summary finding

Overall, the audit team found that most internal controls over financial reporting (ICFR) roles, responsibilities, and accountabilities for key stakeholders are clearly defined and documented. Opportunities exist to update the NRCan ICFR Framework to better align it with the TB Policy on Financial Management; to clarify the role of the Financial Policy Reporting and Internal Controls group in the ICFR Framework; and to improve the communication of ICFR responsibilities to business owners.

The audit also found that the ICFR information required for Senior Management to exercise its ICFR responsibilities was generally available and provided in a timely manner; and that the Annex to the Statement of Management Responsibility Including Internal Control over Financial Reporting (the Annex) reflected the ICFR related activities performed within the given fiscal year. However, opportunities exist to ensure the consistency of the information communicated in the Annex.

Supporting observations

Governance and reporting mechanisms are key elements in support of an effective system of ICFR, as they allow Senior Management to exercise leadership and oversight on these activities. The audit sought to determine whether ICFR related roles, responsibilities, and accountabilities for key stakeholders are clearly defined, documented, and communicated, and whether information required for Senior Management to exercise its ICFR responsibilities is available and provided in a timely manner. The audit also sought to determine whether the Annex to the Statement of Management Responsibility Including Internal Control over Financial Reporting (the Annex) reflects the ICFR related activities performed within the given fiscal year.

Roles, Responsibilities, and Accountabilities

The audit team found that most roles, responsibilities, and accountabilities related to ICFR were clearly defined, documented, and communicated through the NRCan ICFR Framework (the Framework), which was available on the NRCan intranet at the time of the audit. Specifically, roles and responsibilities of various senior officials, process owners, and NRCan employees are documented in the Framework. The Framework also iterates that the Deputy Minister and the Chief Financial Officer (CFO) are required to sign the ‘’Statement of Management Responsibility Including Internal Control over Financial Reporting’. This document accompanies the departmental financial statements and acknowledges the responsibility of management for ensuring the maintenance of an effective system of ICFR; the conduct of an annual risk-based assessment of the system of ICFR to determine its ongoing effectiveness; and the establishment of an action plan to address any significant issues.

However, the audit noted that the ICFR Framework was last updated in 2012, and that it still refers to the TB Policy on Internal Control, which was rescinded in 2017. The audit also noted that the 2017 TB Policy on Financial Management, which replaced the Policy on Internal Control, requires departments to ensure that a risk-based departmental system of internal control over financial management (ICFM) is established, monitored, and maintained. The Framework currently only focuses on ICFR, and does not include considerations for ICFM, resulting in ICFM potentially not being assessed using a risk-based approach. The need to align the Framework with the TB Policy on Financial Management was identified by FPRIC in 2017-18, including the development of an analysis of the main policy changes and their impact on the Framework. Management informed the audit team that they are currently working towards implementing corrective actions and have included ICFM business processes in the 2017-18 financial statements’ Annex.

At NRCan, the Financial Policy Reporting and Internal Controls group (FPRIC) within the Corporate Management and Services Sector (CMSS) is responsible for the conduct of risk-based assessments of the system of ICFR in order to test its ongoing effectiveness. The audit noted that the Framework does not define the roles, responsibilities, and accountabilities of FPRIC. Due to the nature of the work performed by the FPRIC and AEB teams, both groups have collaborated in planning their respective work. When relying on the work performed by the AEB, FPRIC will need to ensure that its ICFR requirements are fully satisfied, supplemented with additional work when required.

Business owners have a key role to play in helping the Department maintain an effective system of ICFR. Specifically, they are responsible for establishing and maintaining internal control measures within their areas of responsibility. This includes ensuring that evidence of the performance of control activities is maintained; incorporating internal controls in policy instruments and procedures when applicable; reviewing internal control documentation and test results; responding to recommendations; as well as identifying and implementing appropriate corrective actions. Business owners are identified in the key control matrices, which are internal tools used by FPRIC to document the key controls of each important business process. However, the audit found that the business owners are not always familiar with their roles and responsibilities within the system of ICFR. When business owners are not aware of key controls under their responsibility, or whether they are being performed, a change in one of these controls may not be communicated to FPRIC in a timely manner, which could in turn have a material impact on the financial statements.

Reporting to Senior Management

The audit found that formal reporting on ICFR was taking place. Specifically, there is evidence of formal reporting on ICFR to Senior Management twice a year, in accordance with the Framework’s guidance. As part of ongoing monitoring and reporting, FPRIC prepares a mid-year and year-end update to Senior Management. Among the items included in the mid-year update is a status on the delivery of the ongoing monitoring plan, which provides a high-level summary of the status of the assessments of the business processes to be performed during the year.

The audit team also reviewed the Annex to the Statement of Management Responsibility Including Internal Control over Financial Reporting accompanying the 2016-17 financial statements. This document provides summary information on the measures taken by NRCan to maintain an effective system of ICFR, including information on internal control management, assessment results, and related actions plans. Overall, the audit team found that the information reported in the Annex was aligned with the FPRIC ongoing monitoring plan. However, the audit noted that the Contingent Liabilities business process was not identified for testing in the Annex’s Rotational Ongoing Monitoring Plan, even though it was identified on the FPRIC 2015-16 ongoing monitoring plan. The 2017-18 Annex’s Rotational Ongoing Monitoring Plan includes the Contingent Liability business process.

Risk and impact

A misalignment of the NRCan ICFR Framework with the TB Policy on Financial Management could result in potential non-compliance with the Policy. In addition, a lack of clarity regarding the role of the Financial Policy Reporting and Internal Controls group and the ICFR responsibilities of business owners could result in incomplete work.

Recommendations

R1: It is recommended that the ADM CMSS and CFO review the governance and reporting structures related to ICFR, including:

Ensuring that the ICFR Framework is updated and aligned with the TB Policy on Financial Management;
Ensuring that the roles, responsibilities, and accountabilities of FPRIC are clearly documented and communicated; and that business owners are informed of the impact that controls under their responsibilities have on ICFR;

Management response and action plan

Management agrees with Recommendation 1.

The FPRIC Unit is currently reviewing and updating its ICFR Framework to:
- expand the scope to include key ICFM business processes; and
- delineate the roles and responsibilities of the Director, FPRIC.
Position responsible: Director General, Finance and Procurement Branch (DCFO)
Timing: July 31, 2019
The FPRIC Unit will strengthen its communication with business process owners in the planning stage to ensure that key control objectives and related financial management and reporting risks are better understood.

Position responsible: Director General, Finance and Procurement Branch (DCFO)
Timing: March 31, 2019

ICFR METHODOLOGY, Risk assessment, and ongoing monitoring plan

Summary finding

The audit team found that in 2017-18, a formal ICFR risk assessment was performed, and a five-year ICFR ongoing monitoring plan was documented and implemented.

Opportunities exist to strengthen the documentation and completeness of the risk assessment and to formalize the process for performing environmental scans. Opportunities also exist to improve the clarity of the ICFR methodology, and to align and carry out the ongoing monitoring plan in accordance with the Risk Based Ongoing ICFR Monitoring Methodology.

Supporting observations

A key aspect of maintaining a sound system of ICFR consists of implementing a risk-based approach for the monitoring of its activities. Such an approach enables an organization to allocate their limited resources to the monitoring of key priorities. The audit sought to determine whether an effective methodology has been developed to test the system of ICFR. The audit team also sought to determine whether a detailed ICFR risk assessment is performed on a cyclical basis; environmental scans are conducted in the intervening years; and an adequate ongoing monitoring plan is documented and implemented.

ICFR Methodology, Risk Assessments, and Environmental Scans

The audit team found that a formal ICFR risk assessment was performed in 2017-18. However, there was no evidence of formal risk assessments being performed prior to this date, and there is no evidence of formal environmental scans being performed to identify new key risks that may have an impact on ICFR. FPRIC identified the need to strengthen some of their risk assessment processes as part of their 2017-18 Entity Level Controls assessment. Management also indicated that environmental scans are being conducted informally.

The audit team also found that a methodology has been developed and documented to test the Department’s system of ICFR. The ICFR methodology is comprised of two main documents : the Risk Based Ongoing ICFR Monitoring Methodology, developed by the FPRIC, as well as one externally developed resource, the draft Treasury Board Guide to Ongoing Monitoring of Internal Controls over Financial Reporting (TB guide). However, the ICFR methodology used by FPRIC is not clearly referenced within the Framework, resulting in a lack of a comprehensive and cohesive picture of the Department’s system of ICFR in a single source. The audit also noted a lack of clear links or references between the internally developed tools and the draft TB guide.

The Risk Based Ongoing ICFR Monitoring Methodology provides guidance for the assessment of the risk of material misstatement (RMM) to the financial statements. The RMM of each business process considers the materiality of its account balances or note disclosures, its inherent risk, as well as the risk that controls in place within that business process could fail to detect or prevent a material misstatement. However, the audit noted that the 2017-18 ICFR risk assessment did not consistently apply the documented Risk Based Ongoing ICFR Monitoring Methodology. Specifically, based on this methodology, any account balance or note disclosure equal to or greater than $12M in the 2016-17 financial statements should have been deemed material in the ICFR 2017-18 risk assessment. For instance, the audit noted that the Other Liabilities account, valued at $16M in 2016-17, was not included in the 2017-18 risk assessment. The audit also noted that the capital asset RMM was rated as ”moderate’’ despite several control deficiencies having been identified by the audit branch for that business process in the 2014 internal Audit of ICFR and that the transactions related to this business process can be complex in nature. The audit also found opportunities to improve the documentation of the risk assessment. Specifically, risks deemed as low were not included in the assessment, and the potential impact and likelihood of inherent risks were not consistently documented in a clear manner. In addition, the 2017-18 risk assessment evaluated the Information Technology General Controls (ITGCs) as one business process, with one overall risk rating assigned to ITGCs as a whole. However, the 2017-18 to 2021-22 ongoing ICFR monitoring plan, which reflects the results of the risk assessment, breaks up ITGCs into the applications and systems it encompasses, allowing for differences in planned testing. A lack of proper interpretation and documentation of the risks can result in insufficient mitigating measures being implemented.

Ongoing Monitoring Plan

The audit team found that FPRIC has documented and implemented a five-year ongoing monitoring plan for ICFR covering the period of fiscal year 2017-18 to 2021-2022 inclusively, and provides NRCan with a basis for planning its ICFR assessments. However, the audit noted that the monitoring plan does not always align with the Risk Based Ongoing ICFR Monitoring Methodology. Specifically, the methodology states that high risk business processes should be assessed every two years, and that business processes deemed as having moderate risk should be assessed every three years. The audit found instances where business processes deemed as having high and medium risks were not tested within the prescribed timelines.

Risk and impact

The lack of formality of the process for performing environmental scans and the lack of consistency in the risk assessment and ongoing monitoring plan can result in actual risks having an impact on ICFR not being identified or managed in a timely manner.

A lack of cohesiveness and consistency in the application of the ICFR methodology can negatively impact the assessment of the system of ICFR, thereby increasing the risk of misstatements in the Department’s financial statements.

Recommendations

R2: It is recommended that the ADM CMSS and CFO review the processes surrounding the risk assessment and ongoing monitoring plan, including:

Ensuring that the risk assessment is complete, documented consistently, and updated in a timely manner; and formalizing the process for performing environmental scans; and
Ensuring that the ongoing monitoring plan is aligned and carried out in accordance with the documented ICFR methodology.

Management response and action plan

Management agrees with Recommendation 2.

The FPRIC Unit will:
- review and amend its risk assessment methodology based on best practices (e.g. OCG Draft Guide to Ongoing Monitoring of ICFM) as part of the development of a guide to support the revised ICFM Framework; and
- develop a risk assessment questionnaire, which will be distributed to key stakeholders to identify changes in conditions and events that may impact the risk level of a business process and corresponding assessment prioritization.
Position responsible: Director General, Finance and Procurement Branch (DCFO)
Timing: July 31, 2019
The FPRIC Unit will update its Risk-Based ICFR Methodology, more specifically the frequency of assessment based on the risk level of a business process as part of the guide that will support the revised ICFM Framework. This will ensure proper alignment with the ongoing monitoring plan.

Position responsible: Director General, Finance and Procurement Branch (DCFO)
Timing: July 31, 2019

FPRIC Ongoing assessment of NRCan’S SYSTEM OF ICFR

Summary finding

Overall, the audit team found that the design and operating effectiveness testing of key controls is performed. Opportunities exist to strengthen the documentation of the testing work performed; and to apply the TB guide sampling strategy consistently.

The audit team also found that control deficiencies identified during ICFR testing were generally communicated to business owners in a timely manner, and that FPRIC monitors the management action plans. However, opportunities exist to improve the timeliness of the implementation of management action plans by business owners.

Supporting observations

The ongoing monitoring of the design, implementation, and operating effectiveness of internal controls is a critical aspect of maintaining a sound system of ICFR. The audit sought to determine whether the sampling strategy to test the system of ICFR is applied consistently, and whether the design and operating effectiveness testing of key controls is performed effectively. The audit also sought to determine whether control deficiencies identified during ICFR testing are communicated to business owners in a timely manner, and also whether management action plans are monitored by FPRIC, and implemented by business owners in a timely manner.

The audit found that the TB guide sampling strategy used by FPRIC to test the system of ICFR in 2017-18 was not always applied consistently. Specifically, for the capital assets business process, the audit found that of the 35 key controls tested by FPRIC at the time of the audit, there were 5 instances in which the sample size used by FPRIC was lower than the suggested sample size to be used for the given frequency of the control as per TB guidance. The documentation of the rationale for reducing a statistical sample was not properly supported. In this context, using a smaller sample size could potentially influence whether the sample accurately represents the population of transactions being examined, thereby reducing the accuracy and reliability of results and corresponding conclusions. It is worth noting that the audit team could not assess the adequacy of the sampling strategy used to test 3 key controls, because the ICFR assessment was not completed for the capital asset business process at the time of the audit.

With regards to the 2016-17 testing of the operating expenditures business process, the audit found that 36 out of 36 of the key controls tested by the FPRIC team reflected the sampling strategy prescribed at the time.

FPRIC Design, Implementation, and Operating Effectiveness Testing

The audit team reviewed the design and operating effectiveness testing performed by FPRIC on the operating expenditures (2016-17) and capital asset (2017-18) business processes. Overall, the audit found that a narrative describing the business processes was documented. The audit team also noted that both business processes had a documented control matrix describing the design of their respective key controls.

However, the audit team found that the control matrices did not clearly conclude on the design and implementation effectiveness of key controls, which could potentially result in the testing of a control’s operating effectiveness when it is not designed or implemented effectively. In addition, the audit team noted that the linkage between the key controls and the financial assertions was not documented in the 2016-17 operating expenditures control matrix. When relevant financial assertions are not covered by a key control within a business process, the risks related to the financial information may not be mitigated.

With regards to the operating effectiveness testing, the audit team found opportunities to improve the documentation of the work performed by FPRIC. Specifically, the working papers reviewed by the audit team did not always include the documented procedures that were used to support the testing that took place, which made it difficult to understand or re-perform the work that had been completed.

In both of the business processes selected by the audit team, instances were found in which positive conclusions were not adequately supported by the documented evidence that was on file. For instance, the operating effectiveness of a key control within the capital assets business process was deemed as being effective even though FPRIC’s testing revealed 3 errors out of a sample of 25.

Communication of Control Deficiencies with Business Owners and Follow-Up

The audit team reviewed the communications between FPRIC and business process owners for the capital assets and operating expenditures business processes. Overall, the audit found that that FPRIC is communicating the results of their control testing with the business process owners in a timely manner, allowing them sufficient time to develop and implement management action plans before the following fiscal year & release of the financial statements. However, the audit found that the management action plans addressing FPRIC recommendations were not always implemented in a timely manner for the operating expenditures business process. Of the 5 recommendations resulting from FPRIC’s 2016-17 assessment of the operating expenditures business process, 4 required a revised due date. The corrective actions for 3 of the recommendations were completed by the business process owners past the revised due date, 2 of which were late by over 120 days. Management advised that their ability to ensure corrective actions are promptly implemented is sometimes limited due to competing priorities and resource constraints. This observation was also raised in the 2014 ICFR internal audit conducted by the AEB. It is worth noting that due to the timing of the audit, the audit team could not review the follow-up process related to the capital assets business process, which was tested by FPRIC in 2017-18. All corrective actions associated with this business process are assigned expected completion dates no later than March 31, 2019.

Risk and impact

A lack of consistency in documentation and testing related to the system of ICFR may fail to detect a control deficiency, which can result in unidentified errors, and in some cases can lead to material misstatements to the financial statements.

When corrective actions are not taken in a timely manner to address identified deficiencies, key financial reporting risks may not be mitigated.

Recommendations

R3: It is recommended that the ADM CMSS and CFO review certain aspects of the process in place to test ICFR, including:

Ensuring that testing related to the system of ICFR is documented adequately, and that the ICFR sampling strategy is applied consistently; and
Ensuring that the implementation of management action plans by business owners is done in a timely manner.

Management response and action plan

Management agrees with Recommendation 3.

Position responsible: Director General, Finance and Procurement Branch (DCFO)
Timing: July 31, 2019

The FPRIC Unit will review its testing and sampling methodology based on best practices (e.g. OCG Draft Guide to Ongoing Monitoring of ICFM) as part of developing a guide to support the revised ICFM Framework.
The FPRIC Unit will identify and report to senior management, corrective actions where no progress or insignificant progress has been achieved, including items that have exceeded their implementation date and justification for delay. This information will be useful to ensure that corrective actions are promptly

Position responsible: Director General, Finance and Procurement Branch (DCFO)
Timing: February 28, 2019

CONTROL design, implementation, and operating effectiveness

Summary finding

The audit assessed the design, implementation, and operating effectiveness of key controls for the capital assets; loan guarantees; and operating expenditures (utilities, material, and supplies) business processes, with a focus on transactions in 2017-18. Overall, the audit found that most key controls were designed, implemented, and operating effectively for the contingent liabilities – loan guarantees and utilities, material, and supplies operating expenditures business processes. Opportunities exist to improve the operating effectiveness of the quarterly review of financial statements related to the loan guarantees, as well the review of the management of inactive vendors and the segregation of duties surrounding the operating expenditures business process.

With regards to the capital asset business process, the audit team found significant deficiencies related to the design, implementation, and operating effectiveness of some key controls. It is worth noting that this issue was raised in the 2014 internal audit of ICFR.

Supporting observations

The audit sought to determine whether key internal controls were designed, implemented, and operating effectively for the capital assets, operating expenditures (utilities, material and supplies), and the loan guarantees business processes.

Capital assets

NRCan’s capital assets are presented at $360M in its 2017-18 financial statements; they include various elements, such as buildings, assets under construction, and machinery and equipment. Overall, the audit found that the majority of the key controls that were tested within the capital assets business process were designed effectively. However, significant control deficiencies were noted with the implementation and operating effectiveness of these key controls. The audit noted that no inventory counts were performed since 2013-14, which is not compliant with the 2017 NRCan Directive on Management of Material Assets, which stipulates that an inventory count must be performed every three years. The audit also noted that the certification of assets was not performed in 2016-17, due to operational requirements related to the delivery of a significant infrastructure initiative impacting the workload of the Real Property and Workplace Services Branch. The audit team tested this control for 2017-18, and found that it was not operating effectively.

The audit team also noted that some key controls related to the acquisition of capital assets and for assets under construction were not operating effectively. Potential issues with the segregation of duties were also identified for this business process. It is worth noting that deficiencies were identified in the capital asset business process in the previous 2014 internal audit of ICFR conducted by the AEB. Within that context, management has acknowledged that some of these controls may need to be revisited to better reflect actual risk, as well as the availability of resources to perform this work. Management has also informed the audit team that an Assets Management Framework is currently being developed to help promote effective business processes surrounding capital assets within the Department. FPRIC identified some of these control deficiencies during their 2017-18 assessment of the capital asset business process and provided an overall rating of medium risk on this business process after their assessment.

Operating Expenditures

Operating expenditures are presented at $704M in NRCan’s 2017-18 financial statements and encompass various categories of expenditures, including salaries and benefits; professional services; as well as utilities, materials, and supplies. The audit team focused on the key controls related to the utilities, materials, and supplies expenditures, which are presented at $26M in the 2017-18 financial statements.

Overall, the audit found that the operating expenditures key controls were designed and implemented effectively, and that most of them were operating effectively. However, the audit team noted some opportunities for improvement with regards to the monitoring of inactive vendors and the segregation of duties. Specifically, the audit team found that NRCan does not monitor its list of inactive vendors in SAP, due to the fact that the system is managed by another department as part of a cluster of departments using SAP. The audit team obtained the list of vendors and noted that over 2,000 NRCan vendors had been inactive for more than two years. The audit also noted that while the access to create or change vendors in the system is meant to be restricted to the department leading the SAP cluster, one NRCan user has access to this function for consignee vendors. This individual also has access to modify purchase orders, resulting in an improper segregation of duties. Situations in which inactive vendors are not routinely monitored and combined with improper segregation of duties around vendor files can result in the inappropriate spending.

Other potential segregation of duties issues were also noted. For instance, at NRCan, SAP is configured with automatic controls to prevent a single user from having access to functions that should be segregated when possible. As part of this configuration, the system will not allow a single user to have both access to enter vendor invoices and to execute the daily payment run in SAP. However, the audit team found cases in which users had secondary usernames in SAP, thus causing the automatic controls that would prevent a single user from having access to both functions to be ineffective. The audit team also noted that an individual with access to remove payment blocks in SAP (Section 33) also had Section 34 authority over multiple cost centers. Management indicated that these accesses are required for operational purposes. FPRIC also identified the segregation of duties issue related to S.33 and S.34 during their 2016-2017 assessment of the operating expenditures business process and in August 2018 developed monitoring procedures to mitigate the risk. Opportunities for improvement were also noted with regards to maintaining necessary documentation, including evidence of required approvals during the purchasing process.

Loan Guarantees

A contingent liability is defined as a liability arising from the normal course of operations with an unknown ultimate disposition. The audit team assessed the design and operating effectiveness of NRCan’s key monitoring controls related to the loan guarantees business process. The loan guarantees are presented at $7.8B in the note on contingent liabilities within NRCan’s 2017-18 financial statements. Overall, the audit team found that key controls were designed and implemented effectively, and that most of them were operating effectively. Specifically, 5 out of the 6 key controls identified were operating as intended. However, the audit team noted that the quarterly financial statements were not being reviewed by the NRCan program officials. Management advised that the quarterly documents are not always examined because a detailed review of the audited annual financial statements is carried out.

It is worth noting that at the time of the audit, NRCan’s 2017-18 financial statements were in progress, and that the audit team relied on management to confirm that the lists of transactions for the selected business processes were complete. In addition, while some automated controls were tested as part of this audit, the audit team did not assess the ITGCs, which are planned to be tested for operating effectiveness by FPRIC during in 2018-19 as per the 2017-18 - 2021-22 ongoing ICFR monitoring plan.

Risk and impact

Controls are established and implemented to mitigate against potential risks. Should key controls be identified as ineffective, the Department is exposed to risk that may impact the accuracy, completeness, timeliness, and/or credibility of its financial information and related publications.

Recommendations

R4: It is recommended that the ADM CMSS and CFO strengthen the design, implementation, and operating effectiveness of key controls pertaining to capital assets.

R5: It is recommended that the ADM CMSS and CFO, in collaboration with business owners, review and make the required changes to address the control deficiencies in the operating expenditures and loan guarantees business processes.

Management response and action plan

Management agrees with Recommendation 4.
Business owner will address the capital assets control deficiencies identified the audit (including the physical count and asset certification).

Position responsible: Senior Director, Real Property and Workplace Services Branch

FPRIC will support business owner and monitor the implementation of appropriate corrective actions.

Position responsible: Director General, Finance and Procurement Branch (DCFO)
Timing: December 31, 2019

Management agrees with Recommendation 5.
Business owners will address the operating expenditures and loan guarantees control deficiencies identified in the audit (including quarterly review of entity’s financial statements and annual review of vendor codes.

Position responsible: Senior Director, Finance and Procurement Services and the Senior Director, Renewable and Electrical Energy Division.

FPRIC will monitor the implementation of appropriate corrective actions.

Position responsible: Director General, Finance and Procurement Branch (DCFO)
Timing: December 31, 2019

APPENDIX A – AUDIT CRITERIA

The audit objectives and criteria were developed based on the TB Policy on Financial Management, and the TB Core Management Controls. The criteria guided the fieldwork and formed the basis for the overall audit conclusion.

The following audit criteria were used to conduct the audit:

Audit Sub-Objectives	Audit Criteria
Audit Sub-Objective 1: To determine whether roles, responsibilities, and reporting mechanisms are properly defined and in place to support NRCan’s system of ICFR.	1.1 Roles, responsibilities, and accountabilities for key stakeholders are clearly defined, documented, and communicated.
	1.2 Information required for Senior Management to exercise its ICFR responsibilities is available and provided in a timely manner.
Audit Sub-Objective 2: To determine whether the system of ICFR is supported by an adequate risk assessment and risk-based ongoing monitoring plan and reported in the Annex to the Statement of Management Responsibility Including Internal Control over Financial Reporting.	2.1 A detailed risk assessment is performed on a cyclical basis, and environmental scans are conducted in the intervening years.
	2.2 An adequate ongoing monitoring plan is documented and implemented.
	2.3 The Annex to the Statement of Management Responsibility Including Internal Control over Financial Reporting reflects the ICFR related activities performed within the given fiscal year.
Audit Sub-Objective 3: To determine whether ongoing monitoring and testing of the ICFR system performed by FPRIC is effective.	3.1 An effective methodology has been developed to test the system of ICFR and it is applied consistently.
	3.2 Design and operating effectiveness testing of key controls is performed effectively.
	3.3 Control deficiencies identified during ICFR testing are communicated to business owners in a timely manner.
	3.4 Management action plans are monitored by the FPRIC unit and implemented by business owners in a timely manner.
Audit Sub-Objective 4: To determine whether key internal controls over financial reporting of selected business processes are designed, implemented, and operating effectively.	4.1 It is expected that key internal controls for selected business processes are designed effectively.
	4.2 It is expected that key internal controls for selected business processes are implemented and operating effectively.

Page details

Date modified:: 2019-05-14

Audit of Internal Controls over Financial Reporting - AU1801

TABLE OF CONTENTS

Executive Summary

Introduction

Strengths

Areas for Improvement

Internal Audit Conclusion and Opinion

Statement of Conformance

ACKNOWLEDGEMENTS

Introduction

Audit Purpose and Objectives

Audit Considerations

Scope

Approach and Methodology

Criteria

FINDINGS AND RECOMMENDATIONS

GOVERNANCE AND REPORTING

Summary finding

Supporting observations

Roles, Responsibilities, and Accountabilities

Reporting to Senior Management

Risk and impact

Recommendations

Management response and action plan

ICFR METHODOLOGY, Risk assessment, and ongoing monitoring plan

Summary finding

Supporting observations

Risk and impact

Recommendations

Management response and action plan

FPRIC Ongoing assessment of NRCan’S SYSTEM OF ICFR

Summary finding

Supporting observations

Risk and impact

Recommendations

Management response and action plan

CONTROL design, implementation, and operating effectiveness

Summary finding

Supporting observations

Risk and impact

Recommendations

Management response and action plan

APPENDIX A – AUDIT CRITERIA

Page details

Thank you for your help!