ARCHIVED - Treasury Board of Canada Secretariat - 2012–13 Departmental Performance Report

• Previous Page
• Table of Contents
• Next Page

This page has been archived.

Annex to the
Statement of Management Responsibility
Including Internal Control Over Financial Reporting

Treasury Board of Canada Secretariat
Fiscal Year 2012–13

Table of Contents

1. Introduction
2. Departmental System of Internal Control Over Financial Reporting
3. Assessment Results in Fiscal Year 2012–13
4. Departmental Action Plan

---

1. Introduction

This document provides a summary of the measures taken by the Treasury Board of Canada Secretariat (the Secretariat) to maintain an effective system of internal control over financial reporting (ICFR), which includes information on internal control management, assessment results and related action plans.

Detailed information on the Secretariat’s authority, mandate and programs can be found in its Departmental Performance Report and Report on Plans and Priorities.

2. Departmental System of Internal Control Over Financial Reporting

2.1 Secretariat’s Control Environment Relevant to ICFR

The Secretariat recognizes the importance of senior management leadership in ensuring that employees at all levels understand their role in maintaining an effective ICFR system and are well equipped to exercise their responsibilities. The Secretariat’s objective is to continually improve its internal control environment using a risk-based approach and targeted resource investments to achieve the required level of effectiveness at a manageable cost.

2.1.1 Key positions, roles and responsibilities

Following are the Secretariat’s key positions and committees that have responsibilities for maintaining and reviewing the effectiveness of its ICFR system:

Secretary of the Treasury Board

The Secretariat’s deputy head, as accounting officer, assumes overall responsibility and leadership for the measures taken to maintain an effective system of internal control. In this role, the Secretary chairs the Executive Committee and is a member of the Departmental Audit Committee.

Chief financial officer (CFO)

The Secretariat’s CFO reports directly to the Secretary and provides leadership for the coordination, coherence, and design and maintenance of an effective, integrated system of ICFR, including its annual assessment.

Assistant secretaries and other senior departmental managers

The Secretariat’s senior departmental managers in charge of program delivery are responsible for maintaining and reviewing the effectiveness of the ICFR system, as related to their respective mandates.

Chief audit executive (CAE)

The Secretariat’s CAE reports directly to the Secretary and provides assurance through periodic internal audits, which are instrumental in maintaining an effective system of ICFR.

Government of Canada Audit Committee (GCAC)

The GCAC is an advisory committee to the Secretary that provides objective views on the Secretariat’s financial statements and its risk management, control and governance frameworks. The committee comprises the Secretary and three external members. As such, it reviews the Secretariat’s corporate risk profile, internal audit reports and system of internal control, including the assessment and action plans relating to the ICFR system.

2.1.2 Key organization-wide controls in the Secretariat

The Secretariat’s control environment includes measures and tools to ensure compliance with ICFR and to support the management and oversight of its ICFR system.  It also serves to raise awareness and help develop employees’ internal control knowledge and skill sets. Such measures include:

• A Values and Ethics Office, which provides educational and awareness programs and which has developed a departmental code of conduct;
• A corporate risk profile that is updated annually;
• A risk-based internal audit plan;
• A requirement for accounting designations in all financial executive positions,  key financial management positions and all employees in the section in the Financial Management Directorate that is focused on the Secretariat’s ICFR system;
• Financial management policies , as well as the documentation of the Secretariat’s main business processes, and related key risk and control points;
• A regularly updated delegated authorities matrix;
• A financial management framework, including internal controls;
• Integrated financial planning, forecasting and reporting processes including investment planning;
• Training programs and regular communication to employees on core areas of financial and contract management; and
• Secure financial and contracting information technology (IT) processing systems to ensure enhanced security, data integrity, and transaction efficiency and effectiveness.

2.2 Service Arrangements Relevant to Financial Statements

2.2.1 Secretariat reliance on other federal government organizations

As a department, the Secretariat relies on other organizations to process certain transactions that are recorded in its financial statements. There are two types of arrangements as detailed below; common arrangements which are used by most departments and specific arrangements which are used specifically by TBS.

Common arrangements:

• Public Works and Government Services Canada (PWGSC) centrally administers the payment of salaries and the procurement of goods and services, as per  PWGSC’s delegation of authority, and also provides accommodation services;
• Treasury Board of Canada Secretariat, as a government central agency, provides the department with information used to calculate various accruals and allowances, such as the accrued severance liability;
• The Department of Justice Canada provides legal services to the Secretariat; and
• Shared Services Canada manages IT general controls in the areas of email, data centre and network services. These controls include related security controls.  

Specific arrangements:

• PWGSC performs the day-to-day administration of the Public Service Pension Plan (PSPP);
• The Office of the Chief Actuary within the Office of the Superintendent of Financial Institutions Canada prepares a triennial actuarial valuation of the PSPP;
• PWGSC performs the day-to-day administration of some centrally funded expenses, such as the employer’s share of Canada and Québec Pension Plan (CPP/QPP) contributions, employment insurance premiums and provincial payroll taxes. These types of expenses are recorded on the Secretariat’s financial statements as government-wide funds and reflect Treasury Board’s role as the employer of the public service.

2.2.2 Secretariat reliance on non-governmental service providers

The Secretariat relies on the internal controls of a number of insurance companies that provide specific services such as health care plan administration, dental plan administration and insurance services.

2.2.3 Secretariat services upon which other departments rely

Other government departments rely on the Secretariat to process certain transactions and to provide information that impacts their financial statements.

Common arrangements:

• The Office of the Comptroller General within the Secretariat provides all departments with percentage ratios, derived from the actuarially determined liability for severance benefits for the entire public service population, to be used when calculating their severance pay liability for purposes of their departmental financial statements;
• The Secretariat provides all departments with a percentage amount that allows them to calculate an annual dollar figure for the services they receive without charge for the public service insurance benefit plans funded centrally; and
• The Secretariat provides all departments with details regarding the calculation required to determine the employer’s share of employee benefit plans. These plans include costs to the government for the employer’s contributions and payments to the public service superannuation, the CPP/QPP and the death benefit and employment insurance accounts.

Specific arrangements:

The Secretariat provides certain corporate services to several departments, including the Department of Finance Canada, the Privy Council Office, the Canada School of Public Service and the Immigration and Refugee Board of Canada.

3. Assessment Results in Fiscal Year 2012–13

Business cycle controls at the Secretariat are grouped into two categories: business processes that concern the Secretariat in its role as manager of government-wide funds and public service employer payments and business processes that concern the Secretariat as a department.

In 2012–13, the Secretariat completed design effectiveness testing for its major government-wide pension and employee benefits plans, and conducted operating effectiveness testing for departmental business processes. In addition, the Secretariat continued to perform ongoing monitoring of selected controls related to its financial system, particularly user access and security controls.

3.1 Design Effectiveness Testing of Key Controls

3.1.1 Business cycle controls

The Secretariat in its role as a manager of government-wide funds and public service employer payments completed the assessment of design effectiveness testing of its majority of benefits plans. These plans represent $6.2 billion of the $6.5 billion total gross expenses reported in 2012–13 (approximately 95 per cent).

In 2012-13, design effectiveness testing was completed for the following processes:

• Public Service Dental Care Plan (PSDCP);
• Provincial payroll taxes;
• CPP/QPP contributions; and
• Employment insurance premiums.

In addition and as planned, the Secretariat completed the validation of observations related to design effectiveness testing for the Public Service Health Care Plan (PSHCP).

As a result of design effectiveness testing, the Secretariat identified the following remediation:

• Enhance the review of charges incurred through interdepartmental transfers from PWGSC related to CPP/QPP, employment insurance and provincial payroll taxes. A management action plan was prepared to address observations;
• Review the accounting presentation in the departmental financial statements of the contributions from participating employers under the PSHCP and PSDCP. Remediation of design deficiencies was initiated;
• Enhance verification of the accuracy of payments made to the plan administrator and of the contributions related to the PSHCP and PSDCP received from participating employers. Remediation of design deficiencies was initiated; and
• Enhance review of premiums related to the PSHCP for supplementary and comprehensive coverage. A management action plan is being prepared.

TBS also initiated assessment of the Service Income Security Insurance Plan (SISIP), including documenting process descriptions and design effectiveness testing for the SISIP is scheduled to be completed in 2013–14.

In its role as a department, the Secretariat completed validation of the process descriptions for low dollar value contracts.

3.2 Operating Effectiveness Testing of Key Controls

3.2.1 Business cycle controls

In 2012–13, the Secretariat, in its role as a department, completed operating effectiveness testing for acquisition card charges. The assessment focused on controls related to payments and account verification. As a result of the operating effectiveness testing, the Secretariat identified the need to update its procedures to align with current practices. This work has been completed.

During the year, the Internal Audit and Evaluation Bureau (IAEB) completed an audit of the interdepartmental settlements (IS) process in the Secretariat.  The IS processes support the Secretariat in both of its roles. The audit objectives were to assess the adequacy and effectiveness of the management of IS and to determine whether the SAP financial system supports the IS process effectively and efficiently. Evidence supporting IT-dependent manual controls and application controls were also assessed to ensure maintenance of data integrity.

As a result of the audit of the IS process, certain gaps related to approvals and supporting documentation were identified for transactions related to employee benefits, the pension and taxes. A management action plan was prepared to ensure that these observations are addressed and will be completed by March 2014.

During 2012-13, the audit of the Administration of the External Expert Contract for the Strategic and Operating Review was completed. The objective of the audit was to assess the adequacy and effectiveness of the management control framework over the administration of the contract for the Strategic and Operating Review. In conclusion of this audit it was found that the management control framework over the administration of the contract for the Strategic and Operating Review was adequate and effective.

Some IAEB and Internal Control Unit activities are complementary. In these cases, both groups work together to ensure alignment of complementary activities to maximize results.

3.2.2 Information technology general controls

In 2012–13, the Secretariat initiated operating effectiveness testing of the IT general controls for the SAP financial system that impact the Secretariat’s financial statements. Areas of testing will cover controls related to information system operations, information security, back-up recovery, and application and database implementation and maintenance. The operating effectiveness testing is to be completed in 2013–14.

3.3 Ongoing Monitoring of Key Controls

In the current year, the Secretariat completed planned ongoing monitoring of the SAP financial system’s information security, specifically as related to user access control and segregation of duties. As a result of this monitoring, the Secretariat identified the need to update its procedures to reflect current practice. This work has been initiated and will be completed in 2013-14.

In addition, the Secretariat requested that its Integrated Financial and Materiel System (IFMS) Program Office conduct a security and authorization review of the SAP financial system, including a review of the authentication, security administration, and access and authorization control protocols. Assessment of operations and maintenance policies was part of this review. The review stated that the controls assessed were adequate and noted opportunities for further enhancing controls related to segregation of duties associated with the procurement to pay cycle and user access to functional configuration and view tables. A management action plan was prepared to address these observations which will be fully implemented in 2013-14. The previous formal review was completed in 2009, going forward, the Secretariat plans to conduct a formal review on a triennial basis.

4. Departmental Action Plan

4.1 Progress in Fiscal Year 2012–13

In 2012–13, the Secretariat has continued to make significant progress in assessing and improving its key controls. Following is the summary of the main progress made by the Secretariat based on the plans identified in previous years’ Annexes.

Table 1. Progress Summary 2012–13

Element in Previous Year’s Action Plan	Status
Secretariat as a department
IT General Controls – Ongoing monitoring. This monitoring activity was identified in the 2010–11 Annex.	Ongoing monitoring of the SAP financial system’s information security (user access control and segregation of duties) completed as planned. In addition unplanned operating effectiveness testing initiated for the SAP financial system to complement the above work.
Operating expenses / accounts payable – Design effectiveness and operating effectiveness testing.	Documentation and validation of system description were completed for the new process related to low dollar value contracts. Operating effectiveness testing for acquisition card charges and remediation completed. Operating effectiveness testing for travel and hospitality deferred to 2013–14 due to other management priorities.
Secretariat as the manager of government-wide funds and public service employer payments
Public Service Health Care Plan (PSHCP) – Design effectiveness testing.	Design effectiveness testing was completed in 2011–12, and validation of observations continued during 2012–13. Remediation of design deficiencies initiated as planned.
Public Service Dental Care Plan (PSDCP) – Design effectiveness testing.	Design effectiveness testing completed as planned. Remediation of design deficiencies initiated.
Provincial payroll taxes – Design effectiveness testing and operating effectiveness testing.	Design effectiveness testing and operating effectiveness testing completed. A management action plan was prepared to address deficiencies.
Employment insurance (EI) premiums – Design effectiveness testing and operating effectiveness testing.	Design effectiveness testing and operating effectiveness testing completed. A management action plan was prepared to address deficiencies.
Canada/Québec Pension Plan (CPP/QPP) contributions – Design effectiveness testing and operating effectiveness testing.	Design effectiveness testing and operating effectiveness testing completed. A management action plan was prepared to address deficiencies.
Service Income Security Insurance Plan (SISIP) – Design effectiveness testing.	Design effectiveness testing initiated as planned.
Pensioners’ Dental Services Plan (PDSP) – Design effectiveness testing.	Design effectiveness testing deferred to 2013–14 due to management priorities.
Public Service Management Insurance Plan – Design effectiveness testing.	Design effectiveness testing deferred to 2013–14 due to management priorities.
Provincial Health Insurance Plan premiums – Operating effectiveness testing.	Operating effectiveness testing completed through the internal audit of the IS process.
Québec Parental Insurance Plan – Operating effectiveness testing.	Operating effectiveness testing completed through the internal audit of the IS process.
Supplementary Death Benefit Plan – Operating effectiveness testing.	Operating effectiveness testing completed through the internal audit of the IS process.

4.2 Status and Action Plan for the Next Fiscal Year and Subsequent Years

The Secretariat has made significant efforts to complete in-depth design effectiveness testing for the majority of its business processes related to government-wide funds and public service employer payments. With the assistance of Ernst & Young, the Secretariat is planning to substantially complete operating effectiveness testing for all levels of controls (entity level controls, IT general controls and business processes) by 2013–14 (see Table 2 below).

The Secretariat has reviewed its strategy for assessing the system of ICFR going forward. Instead of pursuing an in-depth assessment of design effectiveness for the remaining benefits plans, the Secretariat has decided to move to operating effectiveness testing in all areas of controls.

Based on this strategy, the Secretariat will not reassess the design of the Provincial Health Insurance Plan premiums, the Québec Parental Insurance Plan and the Supplementary Death Benefit Plan. The initial assessment conducted by an external consulting firm is considered to be sufficient given that the processes associated with these plans have not significantly changed. In addition, the controls related to these plans were assessed during the recent audit of the IS process by the IAEB. These plans represent $84 million (or approximately 1 per cent) of the Secretariat’s $6.5 billion total gross expenses reported in 2012–13.

Building on progress to date, the Secretariat is positioned to substantially complete the full assessment of its system of ICFR in 2013–14. At that time, the Secretariat will apply its rotational ongoing monitoring plan to reassess control performance on a risk basis across all areas.

The status and action plan for the 2013–14 fiscal year and subsequent years is as detailed in Table 2.

Table 2. Status and Action Plan Going Forward

Key Control Areas	Assessment Elements
	Design Effectiveness Testing and Remediation  See annex note (1)	Operating Effectiveness Testing and Remediation  See annex note (1)	Ongoing Monitoring Rotation
Remedial efforts may require more than one year for a few of the remaining observations. Ongoing monitoring of the SAP financial system’s security information, specifically user access control and segregation of duties, has been in effect since 2010–11. For the PSHCP, the Secretariat completed validation of the observations related to design effectiveness in 2012–13. During the year, the IAEB completed the audit of the IS process, including operating effectiveness testing for the controls related to this area. Specific year for the on-going monitoring will be determined based on the results of the operating effectiveness testing, risk ranking and capacity. The rotational on-going monitoring plan will be applied using a five year cycle with more frequent testing in higher risk areas.
Secretariat as a department
Entity level controls	Complete	2013–14	Future years  See annex note (5)
IT general controls under departmental management	Complete	2013–14	2015–16  See annex note (2)
Payroll and benefits	Complete	2013–14	Future years  See annex note (5)
Operating expenses / accounts payable	Complete	2013–14	Future years  See annex note (5)
Financial reporting and closing cycle	Complete	2013–14	Future years  See annex note (5)
Revenues / accounts receivable	Complete	2013–14	Future years  See annex note (5)
Budgeting and forecasting	Complete	2014–15	Future years  See annex note (5)
Capital assets (new assessment element)	2014–15	2015–16	Future years  See annex note (5)
Secretariat as manager of government-wide funds and public service employer payments
Public Service Pension Plan (PSPP)	Complete	2013–14	2015–16
Disability Insurance (DI) Plan	Complete	2013–14	2015–16
Public Service Health Care Plan (PSHCP)	Complete  See annex note (3)	2013–14	2016–17
Public Service Dental Care Plan (PSDCP)	Complete	2013–14	2016–17
Provincial payroll taxes	Complete	Complete  See annex note (4)	Future years  See annex note (5)
Employment insurance (EI) premiums	Complete	Complete  See annex note (4)	Future years  See annex note (5)
Canada/Québec Pension Plan (CPP/QPP) contributions	Complete	Complete  See annex note (4)	Future years  See annex note (5)
Pensioners’ Dental Services Plan (PDSP)	2013–14	2013–14	Future years  See annex note (5)
Public Service Management Insurance Plan	2013–14	2013–14	Future years  See annex note (5)
Service Income Security Insurance Plan (SISIP)	2013–14	2014–15	Future years  See annex note (5)
Provincial Health Insurance Plan premiums	Complete	Complete  See annex note (4)	Future years  See annex note (5)
Québec Parental Insurance Plan	Complete	Complete  See annex note (4)	Future years  See annex note (5)
Supplementary Death Benefit Plan	Complete	Complete  See annex note (4)	Future years  See annex note (5)

• Previous Page
• Table of Contents
• Next Page