The assessment activities include performing a sample test of transactions to determine whether the documented procedure and internal control measures are being followed.

Letter of Recommendation and Management Action Plan - A letter of recommendation will be issued internally to the appropriate CFIA managers related to any deficiencies identified during the self-assessment exercise. The process owner will be required to develop a Management Action Plan to remediate the deficiencies in a timely manner.

On-going monitoring program - the CFIA will identify areas for continued or periodic observance, update and testing on a defined rotational basis consistent with the level of risk associated with the business process or IT system and include timely remediation measures.

3.2 Assessment objective & scope

To determine the scope of the initiative, a scoping and planning exercise was undertaken to identify key business processes, entity level control areas and general computer control areas. During planning and scoping, both quantitative and qualitative factors were considered. These included, but were not limited to: materiality, transactions requiring significant judgement or estimates (e.g. contingent liabilities), complexity of operations, susceptibility to fraud, feedback or recommendations concerning the financial statements or related matters from the Office of the Comptroller General (OCG), and previous audit findings whether from the Internal Audit Directorate (IAD) or from the OAG.

Business processes are defined as the specific processes supporting the treatment of financial transactions. The following six business processes were identified: Revenue, Pay, Non-Pay (i.e. operating and maintenance expenses), Statutory Compensation Payments, Capital Assets, and Financial Close and Reporting.

Entity level controls are defined as the overarching controls of the organization that set the "tone from the top." The following five entity level control areas were identified: Values & Ethics, Governance, Risk Management, Financial Management, and Competency of Financial Staff.

General computer controls are defined as controls over the core financial systems and IT infrastructure that are used across the organization and support financial transactions. The CFIA is responsible for assessing the effectiveness of all the key IT general controls for systems that it fully manages, including the CFIA Network and the Stand Alone Electronic Invoicing System (STEL). Where the CFIA acquired the system development and maintenance services from the other government departments (i.e. Saturn, Enterprise, PeopleSoft, and the Regional Pay System), the self-assessment will be limited to components of the systems that are maintained / controlled by the CFIA, such as the access controls. The service providers in the other government departments (OCG) are responsible for the internal control self-assessment on the systems that they maintain for the CFIA.

These control areas are the baseline by which the CFIA developed its three-year self-assessment plan. This three-year plan will be reviewed and updated on an annual basis to reflect changes in the control environment.