This page has been archived.
Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.
We have prepared the accompanying financial statements of the Canada Revenue Agency according to accounting principles consistent with those applied in preparing the financial statements of the Government of Canada. Significant accounting policies are set out in note 2 to the financial statements. Some of the information included in the financial statements, such as accruals and the allowance for doubtful accounts, is based on management's best estimates and judgment, with due consideration to materiality. The Agency’s management is responsible for the integrity and objectivity of data in these financial statements. Financial information submitted to the Public Accounts of Canada and included in the Agency’s Annual Report, is consistent with these financial statements.
To fulfill its accounting and reporting responsibilities, management maintains sets of accounts which provide records of the Agency’s financial transactions. Management also maintains financial management and an effective system of internal control over financial reporting (ICFR) that take into account costs, benefits, and risks. They are designed to provide reasonable assurance that transactions are within the authorities provided by Parliament, and by others such as provinces and territories, are executed in accordance with prescribed regulations and the Financial Administration Act, and are properly recorded to maintain the accountability of funds and safeguarding of assets.
Financial management and internal control systems are reinforced by the maintenance of internal audit programs. The Agency also seeks to assure the objectivity and integrity of data in its financial statements by the careful selection, training, and development of qualified staff, by organizational arrangements that provide appropriate divisions of responsibility, by communication programs aimed at ensuring that its regulations, policies, standards, and managerial authorities are understood throughout the organization, and by conducting an annual assessment of the effectiveness of its system of ICFR. An assessment for the year ended March 31, 2011 was completed in accordance with the Policy on Internal Control and the results and action plans are summarized in the annex.
The system of ICFR is designed to mitigate risks to a reasonable level based on an on-going process to identify key risks, to assess effectiveness of associated key controls, and to make any necessary adjustments. The effectiveness and adequacy of the Agency’s financial management and its system of internal control are reviewed by the work of internal audit staff, who conduct periodic audits of different areas of the Agency’s operations and by the Board of Management which is responsible for ensuring that management fulfills its responsibilities for financial reporting and internal control and exercises this responsibility through the Audit Committee of the Board of Management. To assure objectivity and freedom from bias, these financial statements have been reviewed by the Audit Committee and approved by the Board of Management. The Audit Committee is independent of management and meets with management, the internal auditors, and the Auditor General of Canada on a regular basis. The auditors have full and free access to the Audit Committee.
The Auditor General of Canada conducts independent audits and expresses separate opinions on the accompanying financial statements which do not include an audit opinion on the annual assessment of the effectiveness of the Agency's internal controls over financial reporting.
This section of the CRA Annual Report to Parliament 2010-2011 provides the details of the Agency’s resource management performance for the purpose of reporting to Parliament on the use of appropriations in 2010-2011. This complements the information provided in the spending profile sections under each Program Activity and satisfies the reporting requirements set for departmental performance reports.
The CRA’s funding is provided by Parliament through annual appropriations (modified cash accounting basis) and, in this section, the CRA reports its expenditures and performance to Parliament, together with details on the management of Parliamentary appropriations on the same basis. In addition to the above reporting requirements, the CRA is also required to prepare its annual financial statements in accordance with the accounting principles applied in preparing the financial statements of the Government of Canada (full accrual accounting basis). Accordingly, the audited Statement of Operations - Agency Activities in our 2010-2011 Annual Report to Parliament includes certain items such as services received without charge from other government departments and federal agencies. A reconciliation can be found in note 3 in the same report.
The CRA is participating in a Treasury Board Secretariat (TBS) pilot project to extend accrual accounting to the budgeting and appropriations process. As required by the pilot project, CRA prepared and included future-oriented financial statements (FOFS) in the 2010-2011 Report on Plans and Priorities (RPP). This future-oriented financial information was prepared on an accrual basis to strengthen accountability and improve transparency and financial management. As part of the analysis of net cost of operations, this DPR compares actual results to the initial future-oriented financial statements contained in the 2010-2011 RPP.
Main Estimates Table note 24
Planned Spending Table note 25
Total Authorities Table note 26
The Financial Statements - Agency Activities reports $3,975.4 million as total Parliamentary appropriations used (note 3 in our 2010-2011 Annual Report to Parliament shows the reconciliation to the net cost of operations). The difference from the $4,418.5 million reported in this section is explained by two items reported in the Financial Statements - Administered Activities: the statutory disbursements to provinces under the Softwood Lumber Products Export Charge Act, 2006, $220.7 million; and the Children’s Special Allowance payments, $222.4 million.
Of the $4,596.7 million total authority, CRA’s actual spending totalled $4,418.5 million resulting in $178.2 million remaining unexpended at year-end. After deducting unused resources related to Government advertising campaigns, the remaining $178.0 million is available for use by the Agency in 2011-2012 under its statutory two-year spending authority. This amount represents 3.9% of the total authority.
The Agency’s two-year spending authority enables the CRA to be more strategic in its use of public funds by taking a multi-year view of plans and budgets. The financial flexibility in 2010-2011 was somewhat higher than usual due to restraint measures introduced by the CRA during the latter half of the fiscal year in response to the Operating Budget freeze implemented by the Government in Budget 2010. This increased carryforward was part of the Agency’s strategy to address unfunded operating pressures in 2011-2012, including previously approved salary increases for employees.
On July 1, 2010, the CRA successfully implemented the Harmonized Sales Tax (HST) in the provinces of Ontario and British Columbia. However, on August 26, 2011 the Province of British Columbia announced that it will return to the provincial sales tax. The transition period is expected to take a minimum of 18 months. During this period, the Agency will continue to administer the HST in British Columbia.
The CRA has received funding for 2010-2011 and subsequent years of $710 million (including employee benefit plan contributions and accommodation charges) and authority to spend $21.7 million of internal CRA funds for the continuing implementation and administration of the HST in Ontario and British Columbia. Of this amount, $91.7 million was received to cover costs in 2010-2011. Funding was used to enhance service to taxpayers, further develop capacity to identify and address the risk of HST non-compliance, transition affected provincial employees to the Agency, implement remaining IT system modifications, and administer new province-specific HST flexibilities in Ontario and British Columbia.
The CRA established a separate Capital Expenditures Vote as of April 1, 2010, meaning the Agency’s Capital asset expenditures, with the exception of certain year-end adjustments, were funded by a distinct capital budget authority. Previously, capital amounts were included in, and funded out of, the Operating Vote Authority.
In fiscal year 201l, the Agency’s capital expenditures totalled $110.4 million. The Agency carried forward an amount of $52 million, which was a result of an overestimated capital budget requirement at the time Main Estimates were prepared due to changes in assumptions regarding the terms and conditions of procurement agreements. The unused balance of capital funding will be used to finance capital purchases in fiscal year 2012.
As outlined in the table below, the CRA continued to invest in information technology (IT) systems in order to ensure modern and efficient program delivery. The Agency had several large-scale projects that required substantial investments in the development of IT systems. Combined with the acquisition of IT hardware, the Agency invested $106 million in IT related capital assets this fiscal year. The value of these new capital assets has been offset by amortization expenses of $93.4 million in 2010-11.
As part of the 2010 Federal Budget, and to support its priority of restoring fiscal balance, the Government announced a freeze on the operating budgets of departments and agencies until 2012-2013. As a result, no incremental funding was provided to organizations for the costs of wage increases.
In fiscal year 2010-2011, the Agency managed these operating pressures in a decentralised manner by requiring individual budget managers to absorb them within existing budgets. The funding shortfall of approximately $13 million was primarily comprised of the economic increases associated with the Public Service Alliance of Canada (PSAC) and the Professional Institute of the Public Service of Canada (PIPSC) collective agreements, as well as salary increases for the Human Resource (HR) and Executive/ Cadre (EC) groups.
Given the magnitude of the pressures associated with non compensated wage and salary cost increases in future years, the Agency has undertaken a targeted program spending realignment review to identify potential sources of funding. The reduction in spending will primarily be achieved through general administrative and program efficiencies.
The Agency’s 2010-2011 net cost of operations increased by $123 million from 2009-2010. Agency expenses totaled $4,606 million in 2010-2011 (2009-2010 - $4,441 million) (see Note 9 of the Financial Statements - Agency Activities for the breakdown of expenses by category). When adjusting for non-tax revenue of $610 million (2009-2010 - $569 million), the net cost of operations amounts to $3,995 million, as illustrated below:
Personnel expenses are the primary drivers for the Agency. A number of factors contributed to the net increase of $179 million for this type of expenses in 2010-2011, the most significant being the increase in the rate used to calculate severance benefits. Additional costs were also incurred for salary revisions pursuant to collective agreements provisions.
The Agency’s final net cost of operations for 2010-2011 was $163 million more than was anticipated in the future-oriented financial statements included in the 2010-2011 RPP ($3,995 million - $3,832 million). This represents a 4.2% variance and is explained as follows:
For supplementary information on the CRA’s audited financial statements and unaudited supplementary financial information, please visit:
All electronic supplementary information tables found in the 2010-11 Departmental Performance Report can be found on the Treasury Board of Canada Secretariat’s website at: http://www.tbs-sct.gc.ca/dpr-rmr/2010-2011/index-eng.asp.
The Board of Management of the CRA is made up of 15 members appointed by the Governor in Council. They include the Chair, the Commissioner and Chief Executive Officer, a director nominated by each province, one director nominated by the territories, and two directors nominated by the federal government. Members of the Board bring an external and diverse business perspective from the private, public, and not-for-profit sectors to the work of the CRA.
The following are the Board members, as of March 31, 2011. Footnote 4
For each indicator, we use consistent approaches in evaluating the information derived from our data collections systems and all other sources. We rely upon CRA managers to vouch for the completeness of the records for data integrity purposes (i.e., data belongs to the same category, is collected for the same period, and by the same method). We examine data for relevance, formulas for accuracy, and other factors that must be considered. We also use comparable information from prior years for the purpose of historical comparison, which often appears in the Canada Revenue Agency Departmental Performance Report. To ensure consistency, we perform the following tasks to verify that the information reported in our numerous reports is valid, reliable, and is accompanied by appropriate evidence:
We always endeavour to use the most appropriate and reliable data when evaluating our results. There are two main data sources for the Canada Revenue Agency Departmental Performance Report: administrative data (normally communicated in aggregate or after some simple calculations are performed on them) and survey data. All data sources are validated for accuracy and a data quality rating of good, reasonable, or weak, as categorized below, is applied to each indicator.
We believe that these three levels of data quality ratings provide a reasonable assessment of the reliability of the data. Generally, our data sources provide reliable information. In situations where the supporting data is too imprecise to draw firm conclusions, it is reflected in the data quality rating.
Maintaining the confidence of Canadians in the integrity of the tax system is essential to the success of the CRA. Service standards that are reasonable and consistently met contribute to increasing the level of confidence that Canadians place in government. Our service standards publicly state the level of performance that citizens can reasonably expect to encounter from the CRA under normal circumstances. We set targets that state the percentage of time or level of accuracy that we expect to attain for the established standard. Targets represent the percentage or
degree of improvement we expect to attain, based on operational realities such as resource availability, infrastructure, historical performance, the public's expectations, and the complexity of the work. Our standards and targets are reviewed annually and updated, as necessary.
For more information on CRA’s service standards, please visit: http://www.cra-arc.gc.ca/gncy/stndrds/menu-eng.html
This past year was a transition year for the CRA in implementing our Sustainable Development (SD) National Action Plan. While we continued to focus on maintaining SD momentum, we began preparing the CRA to support Canada’s first Federal SD Strategy. During 2010-2011, we implemented numerous activities under the SD National Action Plan including increasing SD awareness, the sustainable business travel course, green procurement, energy conservation, battery recycling program implementation, SD performance reporting and the paper use reduction. The following reflects the results of these efforts:
For more information on our sustainable development performance, please visit www.cra.gc.ca/sds.
With the Treasury Board Policy on Internal Control, effective April 1, 2009, departments and agencies are now required to demonstrate the measures they are taking to maintain an effective system of internal control over financial reporting (ICFR).
As part of this policy departments are expected to conduct annual assessments of their system of ICFR, establish action plans to address any necessary adjustments, and to attach to their Statements of Management Responsibility a summary of their assessment results and action plan.
It is important to note that the system of ICFR is not designed to eliminate all risks, rather to mitigate risk to a reasonable level with controls that are balanced with and proportionate to the risks they aim to mitigate.
The maintenance of an effective system of ICFR is an ongoing process which involves identifying key risks, assessing the effectiveness of associated key controls and adjusting them as required, as well as monitoring the system in support of continuous improvement. As a result, the scope, pace and status of departmental assessments of the effectiveness of their systems of ICFR will vary from one organization to another based on risks and taking into account their unique circumstances.
The annual assessment of ICFR contemplated in the Treasury Board (TB) Policy on Internal Control is intended to be a management self-assessment led and administered by the Chief Financial Officer and supported by senior management. However, key external audit findings and results can inform this self-assessment. In the case of the CRA, changes to Federal-Provincial Tax Collection Agreements (TCAs) that took effect starting with the 2004 tax year introduced a new audit provision requiring the Auditor General to periodically perform a review of the adequacy of CRA’s internal controls relevant to the annual financial statements provided under the TCAs, the results of which are reported to provincial and territorial finance Ministers. In fulfilment of these requirements, the Office of the Auditor General (OAG) audits, periodically, those aspects of the CRA’s self-assessment of ICFR that are relevant to the TCAs. The portion of CRA’s ICFR that is subject to audit under the TCAs and the results of the controls audits performed to date by the OAG are explained and described in Sections 3 and 4 of the Annex.
This document is attached to the CRA’s Statement of Management Responsibility Including Internal Control Over Financial Reporting for the fiscal year 2010-2011. As required by the TB Policy on Internal Control, effective April 1, 2009, this document provides summary information on the measures taken by the CRA to maintain an effective system of ICFR. In particular, it provides summary information on the assessments conducted by the CRA as of March 31, 2011, including progress, results and related action plans along with some financial highlights pertinent to understanding the CRA’s unique control environment.
The CRA’s mandate is based upon a framework of complex laws enacted by Parliament and by provincial and territorial legislatures. To fulfil its mandate the CRA administers a range of tax, benefits and related programs aimed at ensuring that taxpayers meet their obligations and receive their entitlements and at protecting Canada’s tax base. For more detailed information on the CRA’s authority, mandate and program activities, please refer to the Agency overview section of the Departmental Performance Report on page 60 or the CRA’s Report on Plans and Priorities http://www.tbs-sct.gc.ca/rpp/2011-2012/inst/nar/nar00-eng.asp. Information on the expenses and revenues related to the CRA’s operations and activities can also be found in the Public Accounts of Canada http://www.tpsgc-pwgsc.gc.ca/recgen/txt/72-eng.html.
Responsibility for delivering CRA’s mandate is shared by program branches and corporate functions located at headquarters and within regional operations across Canada including at 48 Tax Services Offices and 7 Tax Centres. The CRA’s Information Technology (IT) capacity is critical to its ability to deliver services to Canadians and involves the support of two data centres that process up to 4.5 million transactions per hour, five mainframe computers, about 1,400 servers and maintenance of over 450 national business applications across a distributed computing environment covering more than 400 locations.
The Agency’s Finance and Administration (F&A) Branch supports the delivery of CRA programs and services by providing sound advice, products, and services related to a number of key functions including financial administration, resource management, security, internal affairs, and administration. It also helps ensure compliance and accountability with related legislation, policies, and directives. F&A activities are performed by a team of almost 3,000 employees, about 30% of whom are located in headquarters and 70% of whom are located in the regions. This team is integral to the effectiveness of CRA’s system of control over financial reporting, which encompasses two sets of financial statements - one for Agency Activities and one for Administered Activities. Also of importance to financial reporting, in particular in relation to Administered Activities, are many of the procedures carried out as part of regional or headquarters operations, such as collection, data entry and processing of income tax returns, as well as a majority of the system applications in use at the CRA. This makes CRA’s task of scoping, documenting and assessing the related controls uniquely challenging.
As noted above, for financial reporting purposes, the activities of the Agency have been divided into two sets of financial statements: Agency Activities and Administered Activities. The Agency Activities financial statements include those operational revenues and expenses which are managed by the Agency and utilized in running the organization. The Administered Activities financial statements include those revenues and expenses that are administered for someone other than the Agency, such as the federal government, a province or territory, or another group or organization.
The CRA recognizes the importance of setting the tone from the top to help ensure that staff at all levels understand their roles in maintaining an effective system of ICFR and are well equipped to exercise these responsibilities effectively. The CRA’s focus is to ensure risks are managed well through a responsive and risk-based control environment that enables continuous improvement and innovation.
Commissioner – The Commissioner and Chief Executive Officer (CEO) of the CRA, as Accounting Officer, assumes overall responsibility and leadership for the measures taken to maintain an effective system of internal control. In this role, the Commissioner chairs the Agency Management Committee, sits on the CRA Board of Management, and attends meetings of the Audit Committee.
Chief Financial Officer (CFO) – The Chief Financial Officer (CFO) reports directly to the Commissioner and provides leadership for the coordination, coherence and focus of efforts to design and maintain an effective and integrated system of ICFR, including its annual assessment. In this role the CFO chairs the CRA CEO/CFO Certification Steering Committee and attends meetings of the Audit Committee.
CEO/CFO Certification Steering Committee – The CEO/CFO Certification Steering Committee, which is chaired by the CFO and composed of Assistant Commissioners with significant responsibility for ICFR including the Chief Information Officer, the Chief Audit Executive and Assistant Commissioner, Corporate Audit and Evaluation Branch and the Chief Risk Officer, is responsible for reviewing the progress and results of CRA’s ICFR assessment process and approving action plans to address significant control issues.
Audit Committee of the Board of Management – The Audit Committee assists the Board of Management (the Board) in fulfilling its oversight responsibilities by reviewing the Agency’s accounting framework, financial and performance information, internal controls and financial risks, and compliance with financial and environmental legislation. On the recommendation of the Audit Committee, the Board approves the Agency’s annual financial statements. The Commissioner, the CFO, and the Chief Audit Executive and Assistant Commissioner, Corporate Audit and Evaluation Branch, as well as a representative of the Office of the Auditor General (OAG) each attend Audit Committee meetings. The Audit Committee was established in 1999 and is comprised of five external members all of whom are independent of the CRA.
Agency Management Committee – As the sole decision-making Committee in the Agency, the Agency Management Committee oversees program development and delivery, as well as the day-to-day business operations of the Agency and all associated risks. The Agency Management Committee reviews, approves and monitors the Corporate Risk Profile.
Chief Audit Executive – The Chief Audit Executive and Assistant Commissioner, Corporate Audit and Evaluation Branch reports directly to the Commissioner and provides, through an effective internal audit function, independent and objective assurance on the CRA’s risk management, internal control and governance practices. In this role, the Chief Audit Executive is a member of the CEO/CFO Certification Steering Committee and attends meetings of the Audit Committee.
Chief Risk Officer – The Chief Risk Officer and Assistant Commissioner of the Enterprise Risk Management Branch reports directly to the Commissioner and oversees the Agency’s ERM function designed to provide sound risk information for use in decision-making at the corporate, operational, and project levels.
Internal Controls Division – The Internal Controls Division within the F&A function supports the CRA’s efforts to design and maintain an effective and integrated system of ICFR by, in collaboration with IT and business process control owners, documenting and testing the adequacy of ICFR and reporting results to the CEO/CFO Certification Steering Committee, the Commissioner and the Audit Committee of the Board including, if applicable, information on action plans to strengthen controls.
The CRA also helps to ensure the effectiveness of its control environment in mitigating financial reporting risks by promoting ethical conduct and through its commitment to competence, its governance and organization structure, its ERM function, and its systems and processes that help ensure relevant information is communicated to appropriate individuals accurately and on a timely basis. Key elements and activities are described below.
The CRA’s financial statements have been audited, as required under the Canada Revenue Agency Act, by the Office of the Auditor General (OAG), for eleven years. In parallel, the Audit Committee of the Board and CRA senior management have been providing increased oversight of the preparation and presentation of financial information including review of information regarding the design and adequacy of its system of ICFR with the objective of obtaining greater assurance that significant financial reporting risks are being properly mitigated.
In addition, revised federal-provincial Tax Collection Agreements (TCAs) that took effect starting with the 2004 tax year introduced new audit provisions requiring reports to be provided periodically to provincial and territorial finance Ministers on the results of Auditor General audits of the adequacy of CRA’s internal controls relevant to the annual financial statement provided under the TCAs. The OAG and CRA agreed that the new audit engagement would be according to the Canadian Institute of Chartered Accountants Handbook (CICA HB) Section 5970 standard (Auditor’s Report on Controls at a Service Organization), a new standard introduced in 2005 in recognition of the dramatic increase in outsourcing and use of service organizations including for the provision of varied and complex services.
These new reports are aimed at providing provincial and territorial governments and their auditors with independent, audit-level assurance that the controls at the CRA supporting the administration and reporting of provincial and territorial income tax revenue are properly designed to mitigate key risks and are operating effectively. The reports are intended for the specific use of provincial and territorial ministries with primary responsibility for income tax and their auditors; they are not public documents. To date CRA has issued two Section 5970 reports, both relating to the design and implementation of all key controls relating to the Corporation Income Tax Program (T2) as at a specific point in time. The third report covers the design and implementation of all key controls relating to the Personal Income Tax Program (T1) as at November 30, 2010.
The audits of ICFR that the OAG performs periodically in fulfilment of TCA requirements are a significant source of information on the state of CRA’s system of ICFR for its Administered Activities financial statements; however, they have a limited scope insofar as they only cover processes and systems involved in reporting on income tax assessed. They exclude certain of the CRA’s Administered Activities related to other revenue streams (e.g., GST, Excise Taxes and Duties) and certain significant accounts that, while not relevant to amounts payable under TCAs, are important aspects of the CRA’s financial information for Administered Activities (e.g., Accounts Receivable and the Allowance for Doubtful Accounts). As explained in subsection 3.2 below, the CRA’s approach to assessing its ICFR for Administered Activities, for purposes of the Policy on Internal Control, will encompass key control aspects falling outside TCA-related assessment and audit requirements.
The CRA’s assessment of ICFR involves first the assessment of design effectiveness to help ensure that all key controls relevant to its financial information have been properly identified, documented, and implemented and that they are aligned with the risks they aim to mitigate. Management will take action to address any areas of concern appropriately and in a timely manner. Once the CRA has verified the design effectiveness of its controls, it will assess operating effectiveness by testing the operation of controls over a defined period of time to determine whether they are working as intended. Management will take action to strengthen controls if needed. Testing of design and operating effectiveness will lead eventually to ongoing monitoring according to which the CRA’s repository of controls will be re-assessed on a multi-year, rotational basis according to risk, including consideration of any new financial reporting risks that have emerged since the last assessment.
In order to define the scope of its ICFR assessment, the CRA examined the main accounts and line items used in the preparation of its two sets of financial statements to determine where there are risks that, individually or in combination with others, could reasonably result in a material misstatement (financial reporting risks). Items at a higher risk were then mapped to the related business processes which were in turn risk rated and used to determine the key applications and systems to be included in the scope of the assessment.
Administered Activities Financial Statements Footnote 5:
The CRA uses the Committee of Sponsoring Organizations (COSO) framework to assess the design effectiveness of its system of internal controls, since it is the most widely used and recognized model of control for purposes of assessing ICFR. The COSO framework is based upon five interrelated components of control, each of which contains a number of principles and attributes against which an organization’s ICFR may be assessed: Control Environment, Risk Assessment, Control Activities, Information Systems and Communication, and Monitoring.
Because COSO only provides limited guidance to assist organizations in establishing and evaluating IT controls, the CRA uses the COBIT (Control Objectives for Information and related Technology) for SOX (Sarbanes-Oxley Act of 2002) Footnote 6 framework to document and assess the design of its IT controls of relevance to financial reporting. COBIT for SOX identifies three control areas for review when assessing the adequacy of controls over the key applications and systems involved in the organization's financial reporting:
In 2010-2011, the CRA completed an assessment of the design effectiveness of its key controls related to financial reporting on Agency Activities. This review included key controls over the five business processes in scope (Payroll, Fixed Assets, Operating Expenditures, Budgeting and Projections, and Financial Close and Reporting) as well as relevant application controls and IT general controls, including for:
Based on this review CRA management determined that a number of its controls related to access management, segregation of duties and certain review and monitoring activities could be improved and established action plans to make the necessary adjustments. As a lessons learned exercise, the CRA also performed selected operating effectiveness testing of controls over Agency Activities financial reporting. The CRA is using the results of this work to plan and perform more comprehensive testing in order to evaluate the operating effectiveness of these controls for the 2011-2012 period.
In 2010-2011, the CRA self-assessed the design effectiveness of certain of its business process controls over financial reporting on the Personal Income Tax Program (T1 Program) and of the application controls and IT general controls related to the key information systems involved in processing T1 transactions. Close to 60 information systems were reviewed in total. The Agency used the results to prepare a description of the design of these controls as at November 30, 2010 which was then submitted to the OAG for audit as per TCA requirements.
Based on the T1 self-assessment and OAG audit, CRA management determined that improvements are needed to the design of certain of its controls involved in the processing of non-routine assessments and reassessments, the management of systems changes and in relation to management of user access and proper segregation of duties.
In 2008, the CRA self-assessed the design effectiveness of certain of its business process controls over the Corporation Income Tax Program (T2 Program) and of the application controls and IT general controls related to the key information systems involved in processing T2 transactions. The Agency used the results to prepare a description of the design of these controls as at November 30, 2008 which the OAG audited in 2009, as per TCA requirements. In response to the findings of the self-assessment and OAG audit, CRA management took steps to improve controls over management of legislative and systems changes and over management of privileged user access as well as to strengthen procedures for managers' semi-annual review of employee access privileges and for facilitating proper segregation of duties.
In 2011-2012, the CRA plans to self-assess the operating effectiveness of these T2 controls, document the results, and, further to the TCA audit provisions, engage the OAG to perform an audit in order to provide an independent opinion on the operating effectiveness of these controls over a six-month period.
From February to September 2009 F&A led an exercise to assess the operating effectiveness of the CRA’s entity level controls (ELCs) relevant to both the Agency Activities financial statements and the Administered Activities financial statements. Key activities included:
This initial assessment indicated that the CRA has a strong system of controls at the entity level, that most of these controls are operating effectively and that all relevant control objectives within the COSO framework are being achieved. While several potential opportunities for improvement were observed and were discussed by management there were no significant gaps identified.
In 2010-2011 F&A conducted a risk-based assessment of the operating effectiveness of these controls both for purposes of the OAG’s audit of the design of CRA’s controls over financial reporting on the T1 program under the TCAs and for purposes of the Statement of Management Responsibility including ICFR for the 2010-2011 financial statements. This assessment revealed that the CRA continues to have a strong system of ELCs.
This section summarizes how CRA is addressing the results of 2010-2011 control assessment activities and its plans for completing the assessment of the design and operating effectiveness of its system of internal control.
In 2010-2011, in response to the results of the design effectiveness and the selected operating effectiveness testing performed, CRA management identified and partially completed a number of corrective measures to strengthen controls over Agency Activities financial reporting. These measures include greater restriction or segregation of access to perform certain transactions, introduction of new directives to clarify and reinforce responsibilities and accountability for role definition and management, and improved documentation of review and monitoring activities for audit trail purposes.
In 2010-2011 the CRA mostly completed its plans to strengthen controls over management of legislative and systems changes and over access management in response to the findings of the OAG’s 2009 audit of the design of T2 controls relevant to TCAs. In addition, the CRA made substantial progress in developing action plans in response to preliminary findings from the 2011 OAG audit of the design of T1 controls relevant to TCAs. These preliminary findings indicated the need to strengthen certain of the controls involved in the processing of non-routine assessments and reassessments, the management of systems changes and access management.
The CRA’s assessment efforts to date have revealed that the CRA has a strong and effective system of ELCs that constitutes an important component of the Agency’s ICFR for both Agency Activities and Administered Activities. Because maintaining public trust is crucial to the fulfilment of its mandate, in 2011-2012 the CRA will continue with the implementation of its new Integrity Framework, comprised of policy instruments, programs, and processes designed to reinforce a culture of integrity by more systematically engaging management and staff in preventing, monitoring, detecting and managing breaches that put employees, assets, information and revenues at risk. Given the significance of ELCs for the overall assessment of the effectiveness of ICFR, the CRA will continue to monitor them annually based on risk to obtain assurance regarding their continued effectiveness.
The CRA’s plan for 2011-2012 is to substantially complete action plans to strengthen the design of controls where required and to complete the assessment of the operating effectiveness of all key ICFR for Agency Activities. Once it is confirmed that these ICFR are operating effectively, the CRA plans to move to an annual monitoring program to track and test changes to these controls and to perform other testing on a selective basis according to risk. This approach will allow the CRA to focus efforts on areas requiring re-testing based on feedback from business and IT control owners regarding changes that have occurred during the period and on higher risk areas.
In 2011-2012 the CRA plans to substantially complete action plans developed to address issues from the 2009 OAG audit related to design effectiveness of controls over the T2 program and the 2011 audit related to the design effectiveness of controls over the T1 program.
The CRA plans to build on the progress achieved in documenting and assessing the design effectiveness of its controls over both T1 and T2 financial reporting in support of TCA audit requirements, by completing assessments of the operating effectiveness of these controls starting with the T2 program in 2011-2012. As noted above, the CRA plans to engage the OAG to conduct an audit of the operating effectiveness of T2 controls over a six-month period. The OAG’s report will be in accordance with the new Canadian Standard on Assurance Engagements (CSAE) 3416, which has replaced the CICA HB Section 5970 standard and is effective starting with reporting periods ending in 2011.
The approach and timing for assessing the operating effectiveness of controls over the T1 Program as well as for assessing both the design and operating effectiveness of the ICFR for the remainder of the CRA’s Administered Activities including IT general controls and application level IT controls will depend on a number of factors including:
In 2011-2012 CRA management will evaluate the level of effort involved in completing the assessment of the operating effectiveness of its system of internal control and will establish a suitable timeline. This timeline will be examined at a minimum annually in order to confirm the feasibility of the key deliverables and to take into account new information on financial reporting risks.
Planned 2013-2014 Table note 27
T1 Personal Income Tax ICFR relevant to TCAs Table note 28
T2 Corporation Income Tax ICFR relevant to TCAs Table note 28
T3 Trust Income Tax Table note 28