We are currently moving our web services and information to Canada.ca.

The Treasury Board of Canada Secretariat website will remain available until this move is complete.

Report of the Senior Committee on the Review of the Financial Management Framework of the Government of Canada


Archived information

Archived information is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.


Annexe E - Financial Management Policy Framework and Related Suite of Policies

E-3: Policy on Internal Control - Draft

Contents

1. Effective date
2. Application
3. Context
4. Policy statement
5. Policy requirements
6. Monitoring and reporting
7. Consequences
8. Enquiries

Appendix A - Definitions
Appendix B - Pro forma Statement on Internal Control

B.1 - Pro forma Annual Deputy Head Statement on Internal Control (DH SIC)
B.2 - Pro forma annual Chief Financial Officer Statement on Internal Control (CFO SIC)
B.3 - Pro forma Annual Assistant Deputy Minister or Equivalent Statement on Internal Control (ADM SIC)

Appendix C - Types of Evidence for the Annual Statement on Internal Control

1. Effective date

1.1 This policy takes effect on XXX 1, 20XX. Upon approval of the Financial Management Policy Framework and the related suite of financial management policies, an implementation schedule, including full compliance instructions, will be issued.

1.2 In relation to the disclosure of the annual Statement on Internal Control (SIC), references to the "system of internal control" are limited to the system of internal control over financial reporting only.

2. Application

This policy applies to all departments and organizations defined as departments within the meaning of section 2 of the Financial Administration Act. Throughout this policy, the terms "government-wide" and "across government" refer to these organizations.

3. Context

3.1 The financial management policy suite is summarized in the Financial Management Policy Framework (FMPF), which includes five financial management core policies, and a series of directives and standards supporting the policies. The FMPF establishes the Treasury Board financial management policy structure and provides an overview of the financial management roles and responsibilities of deputy heads and key officials for each policy.

3.2 The financial management policy suite, along with the FAA and its regulations, convey an integrated approach to the discipline of public sector management. Applied consistently across government, this framework fosters public service values such as probity, prudence, equity and transparency and provides clear direction to senior departmental managers on how to be good stewards of public resources and assets, and assist ministers in their accountability to Parliament.

3.3 The Policy on Internal Control is one of the five core policies of the Financial Management Policy Framework (FMPF). This policy outlines the responsibilities of deputy heads, the Comptroller General of Canada, Chief Financial Officers and senior departmental managers with respect to the maintenance of an effective and integrated system of internal control.

3.4 Internal control is an essential element of financial management. An effective system of internal control provides reasonable assurance that operations are conducted prudently, efficiently and effectively, in compliance with relevant laws, regulations and policies, and that results and outcomes are achieved.

3.5 At the departmental level, this policy will support the deputy heads in their role as Accounting Officers. They will be provided with assurance that the effectiveness of the system of internal control is monitored across their organization and that weaknesses are identified and addressed. Government-wide, this policy provides a solid monitoring tool and ensures that adequate direction and guidance are provided by the Comptroller General.

3.6 This policy is consistent with existing related TB policies, such as those related to IT controls. It is also consistent with the internal control practices recommended by professional associations and bodies from both the private and public sectors.

3.7 This policy should be read in conjunction with the Policy on Internal Audit and the other four core policies under the FMPF. The policies under the Policy Framework for Assets and Acquired Services should be consulted as well. Further contextual information is included in the FMPF and in the Foundation Framework for Treasury Board Policies.

3.8 This policy is issued pursuant to section 7 of the Financial Administration Act.

4. Policy statement

4.1 Objective

The objective of this policy is to define the roles and responsibilities for internal control management that deputy heads, the Comptroller General of Canada, Chief Financial Officers, and senior departmental managers must exercise and be accountable for in the stewardship, management, and oversight of public resources.

4.2 Result

The expected result of this policy is a clear understanding by all key stakeholders of their responsibilities with respect to internal control.

5. Policy requirements

5.1 General

Disclosure and reporting - Annual Statement on Internal Control (SIC):

5.1.1 Every deputy head will provide to his or her responsible Minister or applicable oversight body, the Secretary of the Treasury Board Secretariat, and the Comptroller General of Canada, an annual departmental Statement on Internal Control. The Statement on Internal Control will be provided within 90 days after the end of the fiscal year and will be published annually;

5.1.2 The annual departmental Statement on Internal Control will consist of at least all of the elements included in the pro forma Statement on Internal Control outlined in Appendix B-1;

5.1.3 The Comptroller General of Canada will provide to Treasury Board an annual government-wide Statement on Internal Control that will also be published annually.

5.2 Deputy head - The deputy head:

5.2.1 Is responsible for the establishment, maintenance and ongoing monitoring of a system of internal control that mitigates risk to ensure the achievement of departmental objectives;

5.2.2 Obtains assurance that the system of internal control ensures that financial information is reliable, departmental assets are safeguarded, and that transactions are processed in accordance with the Financial Administration Act, regulations and Treasury Board policy, are within Parliamentary and delegated authorities, and are properly recorded;

5.2.3 Obtains, within 90 days after the appointment of a new minister, the approval of all departmental delegated authorities;

5.2.4 Reviews the effectiveness of the system of internal control and the annual departmental Statement on Internal Control with the Departmental Audit Committee (Appendix B.1 - Pro forma Statement on Internal Control);

5.2.5 Obtains assurance that appropriate evidence is gathered, maintained and used to support the review process described in the annual departmental Statement on Internal Control as outlined in Appendix C - Types of Evidence for the Annual Statement on Internal Control;

5.2.6 Ensures that appropriate timely action is taken to address significant internal control issues and deficiencies.

5.3 Comptroller General - The Comptroller General of Canada:

5.3.1 Issues guidance on the system of internal control applicable to departments of the Government of Canada;

5.3.2 Oversees the effectiveness of the system of internal control across government by reviewing departmental Statements on Internal Control, internal and external audit reports, and horizontal or special audits commissioned by the Comptroller General of Canada;

5.3.3 Monitors that appropriate action is taken to address significant internal control issues and deficiencies across government that have been identified through the review of Statements on Internal Control, audit reports or other information.

5.4 Chief Financial Officer - The Chief Financial Officer:

5.4.1 Establishes and maintains a system of internal control over financial management, financial information systems, records, and reporting, including all financial internal controls across the department, and ensures that this system is based on effective management of financial risks;

5.4.2 Provides guidance and exercises oversight on the proper application and monitoring of the system of internal control over financial management across the department;

5.4.3 Provides assurance to the deputy head that the system of internal control over financial management is effective and ensures that financial information is reliable, fairly presented, and complete in all material respects, that assets are safeguarded, and that transactions are executed in accordance with the Financial Administration Act, regulations and Treasury Board policy, are within Parliamentary authorities, and properly recorded;

5.4.4 Obtains assurance on the effectiveness of the system of internal control over financial management from external and common financial management service providers for outsourced services, or from participating entities or departments in joint or shared projects or horizontal initiatives;

5.4.5 Provides the deputy head and the Departmental Audit Committee with an annual Chief Financial Officer Statement on Internal Control, which includes the elements included in the pro forma Statement on Internal Control outlined in Appendix B-2, along with assurance of the following:

  • The system of internal control over financial management across the department mitigates financial risk to an appropriately agreed upon extent;
  • The control objectives and performance expectations are communicated to all appropriate officers and used to design efficient controls to mitigate identified risks;
  • Financial plans and programs are revised to take into account changes in the environment;
  • Financial resources are allocated or reallocated within approved plans and priorities;
  • Financial decisions are made by those authorized to make them;
  • Financial resources are safeguarded against material loss due to waste, abuse, mismanagement, errors, fraud, omissions and other irregularities;
  • Relevant laws, regulations, policies, directives and standards with respect to financial management controls are adhered to;
  • Decision-makers receive relevant, reliable and timely financial and related non-financial information to measure performance;
  • Actions from financial decisions are monitored to ensure achievement of intended purposes; and
  • Appropriate actions are taken to correct undesirable performance of financial internal controls;

5.4.6 Gathers and maintains evidence to support the annual Chief Financial Officer Statement on Internal Control.

5.5 Assistant deputy minister or Equivalent - The assistant deputy minister or equivalent:

5.5.1 Is responsible for establishing a system of internal control that is consistent with guidance on internal control provided by the Chief Financial Officer over the operations for which he or she is accountable for;

5.5.2 Provides the deputy head, the Chief Financial Officer, and the Chief Audit Executive with an annual Assistant Deputy Minister or Equivalent Statement on Internal Control that includes the elements outlined in the pro forma Assistant Deputy Minister or Equivalent Statement on Internal Control (see Appendix B-3), along with assurance of the following:

  • Applicable laws, regulations, Treasury Board policies, directives and standards are adhered to;
  • Control objectives and performance expectations, as communicated to all individuals within their area of responsibility, are used to guide the design and operation of effective controls to mitigate identified risks;
  • Financial plans and programs are revised to take into account changes in the environment;
  • Financial resources are allocated or reallocated within approved plans and priorities;
  • Internal and external risks, including financial risks, to which his or her area of responsibility is exposed, are reviewed on an on-going basis and controls are implemented to mitigate these risks;
  • Processes and systems controls, as implemented across his or her area of responsibility, are documented;
  • Managers understand their responsibilities and accountabilities with respect to internal control and financial management;
  • Resources for which he or she is accountable are safeguarded against material loss due to waste, abuse, mismanagement, errors, fraud, omissions and other irregularities;
  • Reliable and comprehensive systems are in place to monitor the financial performance and continued effectiveness of controls;
  • Actions from financial decisions are monitored to ensure achievement of intended purposes; and
  • Appropriate action is taken to correct undesirable performance of financial internal controls;

5.5.3 Gathers and maintains evidence to support the Assistant Deputy Minister or Equivalent Statement on Internal Control.

6. Monitoring and reporting

6.1 At the departmental level, monitoring of this policy will be accomplished through the:

  • Management Accountability Framework process;
  • Review of recommendations prepared by the Departmental Audit Committee;
  • Review of internal and external auditor reports; and
  • Review of the reports and management representations issued by the department.

6.2 In addition, the Comptroller General will have measures in place to monitor the adequacy and skill capacity and capability of the financial management community across government for all aspects of financial management.

6.3 The Comptroller General will report periodically to Treasury Board on the state of financial management, control and reporting across government.

6.4 The Comptroller General will establish an evaluation framework for this policy.

7. Consequences

7.1 Consequences of non-compliance of this policy can include any measure allowed by the Financial Administration Act that the Treasury Board would determine as appropriate and acceptable in the circumstances, such as the establishment and freezing of an allotment under section 31 of the Financial Administration Act.

7.2 Two types of consequences are applicable, institutional or personal. Institutional consequences may involve withdrawal of delegated authorities, imposition of various conditions, additional reporting, special audits or reviews, and a request that corrective action be taken and reported to Treasury Board. Personal consequences may involve a range of disciplinary measures, including the withdrawal of financial authorities delegated to managers and executives.

7.3 When corrective action is not implemented satisfactorily, the Secretary of the Treasury Board may recommend to Treasury Board the withdrawal of spending authority or other measures as appropriate.

8. Enquiries

Please send any questions about this policy to:

Assistant Comptroller General
Financial Management and Analysis Sector
Office of the Comptroller General
300 Laurier Avenue West
Ottawa ON K1A 0R5

Appendix A - Definitions

Accountability (responsabilisation) - Is the obligation to render an account, and accept responsibility for, one's actions, both in terms of the results obtained and the means used. To be held accountable, an individual must be provided with the authority, resources and responsibility for a task, activity or result. It is important to note that authority and responsibility can be delegated, but accountability cannot.

Authority (pouvoir) - Is the power to make certain decisions and/or perform certain tasks within defined limits.

Control (contrôle) - the exercise of power and authority; control starts with a manager's will to exercise authority, and to be accountable, to administer, and to intervene. Control is also defined as any action taken by management and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.

Control framework (cadre de contrôle) - Is a systematic method to categorize controls and the basis for a document outlining the departmental system of internal control as implemented. Treasury Board recognizes that a suitable control framework based upon best-practices is Enterprise Risk Management (ERM) - Integrated Framework, which includes Internal Control - Integrated Framework. These documents have been collectively developed and maintained by the Committee of Sponsoring Organizations (COSO), as recognized by the Risk Management and Governance Board of the Canadian Institute of Chartered Accountants (CICA).

Control framework(s) for information technology (IT) in relation to internal control over financial reporting (Cadre(s) de contrôle pour la technologie de l'information (TI) relativement au contrôle interne exercé sur les rapports financiers ) - Is a suitable control framework for information technology (IT) in relation to departmental internal controls over financial reporting and access security processes. Treasury Board recognizes that such IT frameworks should include at least:

  • CobiT (Control Objectives for Information and related Technology) for IT control objectives embedded in financial and information systems; and
  • Government Security Policy (GSP), including Treasury Board related IT control policies, as approved by Treasury Board.

Internal control (contrôle interne) - Is broadly defined as a process designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations;
  • Reliability of financial and related non-financial reporting and disclosures;
  • Compliance with applicable laws, regulations, and policies.

Responsibility (responsibilité) - Responsibility identifies the field within which a public office holder (whether elected or unelected) can act; it is defined by the specific authority given to an office holder (by law or delegation).

Risk management (gestion des risques) - Is a process applied in the formulation of strategic direction, designed to identify potential events that may affect the entity and its ability to meet and accomplish its objectives and expected results. Risk management includes steps and actions to counteract the potential risk factors.

Statement on Internal Control (SIC) (Énoncé sur le contrôle interne [ECI]) - Is a summary certified by the deputy head describing the manner in which the department maintains a sound system of internal control on financial reporting that supports the achievement of the department's policies, objectives, mandate, and results. The Statement also outlines how the deputy head, along with the departmental Audit Committee and the Chief Financial Officer, regularly reviews the effectiveness of that system.

System of Internal Control(système de contôle interne) - Is a set of internal controls that constitutes a process to mitigate risk, over departmental resources, systems, procedures, culture, structure and tasks, and the achievement of expected results and outcomes.

Appendix B - Pro forma Statement on Internal Control

Deputy heads are required to make an annual Statement on Internal Control (SIC), published in accordance with this pro forma minimum requirement relating to internal control over financial reporting.

The term "internal control over financial reporting" means a process designed to provide reasonable assurance regarding the reliability of financial information and statements prepared for internal and external purposes. This process is designed to:

  1. Ensure the maintenance of records that fairly reflect all financial transactions of the department;
  2. Provide reasonable assurance that transactions are recorded to permit preparation of internal and external financial information and statements in accordance with TB policies and standards, and that receipts and expenditures of the department are being made in accordance with delegated authorities; and
  3. Provide reasonable assurance that unauthorized transactions that could have a material effect on internal financial information and the annual or periodic external financial statements are prevented or detected in a timely manner.

To sign a SIC, deputy heads require evidence based assurance on the maintenance and review of the system of internal control over financial reporting across the department. Such evidence and assurance are obtained from assistant deputy ministers (ADMs) or equivalents across the department and the Chief Financial Officer (CFO) in the form of annual ADM SICs within their purview of responsibility and CFO SIC, along with the annual holistic opinion from the Chief Audit Executive. Where the deputy head has changed during the period covered by the SIC, or between the end of the period and the date of signature, the deputy head in place on the date of signature is the person who should sign the SIC.

In providing such assurance, Chief Financial Officers must follow the Directive on Internal Control, and each of the deputy head, ADM and CFO SICs must cover the accounting period and the period up to the date of sign off.

ADM SICs and the CFO SIC require that designated ADMs or Equivalents across the department as well as the CFO report annually at the financial year end, and if required on an interim basis, on the work they have performed to mitigate financial risk and to ensure that internal control over financial reporting procedures are effective and appropriate to circumstances.

The Statement of Internal Control also describes how personnel are trained to mitigate risk, and includes a confirmation that it has been reviewed by the Departmental Audit Committee. In addition, disclosure is required in relation to any significant internal control issues or deficiencies.

In this pro forma Statement of Internal Control:

  1. Text in normal script must be replicated in every SIC;
  2. Text in italic script provides additional guidance on the information that needs to be added to the SIC.

Three pro forma SICs follows. Each is applicable to the deputy head (B-1), the CFO (B-2), and ADMs or Equivalents (B-3) respectively.

B.1 - Pro forma Annual Deputy Head Statement on Internal Control (DH SIC)

Deputy Head Statement on Internal Control

Scope of responsibility

As deputy head, I have responsibility for maintaining a sound system of internal control over financial reporting that supports the achievement of [Department/Agency] objectives, mandate and results, while safeguarding public resources and departmental assets, in accordance with the responsibilities assigned to me by legislation, regulations, and policy. (Deputy heads should add to this paragraph an explanation of the accountability arrangements surrounding their role. In particular, they should comment on:

  1. Processes in place by which they inform ministers [or appropriate oversight body], on risk mitigation and the maintenance of internal controls over financial reporting; and
  2. Mechanisms in place to obtain assurance on the review of the effectiveness of internal control over financial reporting where the department:
  • obtains services from any external service entities;
  • has initiated a new program or venture during the fiscal year; or
  • has a material interest in shared horizontal initiatives.

The purpose of the system of internal control

The system of internal control over financial reporting is designed to mitigate risk to a reasonable level rather than to eliminate all risk of failure to achieve objectives, mandate and results. It can therefore only provide reasonable and not absolute assurance of effectiveness. The system of internal control over financial reporting is based upon an ongoing process designed to identify and prioritize risks and the controls effected to mitigate risks in the achievement of departmental objectives, mandate and results. The system of internal control over financial reporting has been in place in [Department/Agency] for the year ended 31 March 200X and up to the signing of the departmental financial statements, in accordance with Treasury Board guidance.

Capacity to mitigate risk

[Describe the key elements in which:

  • The risk management process is implemented;
  • Staff are trained or equipped to mitigate risk through the management of controls appropriate to their authority and duties. Include comments on the guidance provided to them and the manner in which you seek to learn from good practices.]

The risk and control framework

[Describe the key elements of the risk management strategy, including the way in which risk (or change in risk) is identified, evaluated and controlled. Include mention of how risk priorities are determined and the control framework applied.

Describe the manner in which internal control over financial reporting is embedded in the activity of the department, including mention of the system of internal control over financial reporting.

Describe the manner, and any limitations, in which risk management is embedded when relying upon or participating with external service entities and/or horizontal initiatives, including mention of the review, or the obtaining of credible assurance, of the effectiveness of such internal controls over financial reporting.

Only those departments to which this section is relevant should insert the following:

Describe the key elements of the manner in which public stakeholders are involved in the management of risks that impact on them, including any reference to systems of internal control over financial reporting.]

Review of effectiveness

As deputy head, I have responsibility for reviewing the effectiveness of the system of internal control over financial reporting. My review is informed by the work and evidence of the internal auditors, the Chief Financial Officer, and assistant deputy ministers or equivalents.

I have been advised on the implications of the result of my review of the effectiveness of the system of internal control over financial reporting by the Departmental Audit Committee and a plan and timeline to address issues or deficiencies and ensure continuous improvement of the system is in place.

[Describe the process that has been applied in maintaining and reviewing the effectiveness of the system of internal control over financial reporting and the role of:

  • The Departmental Audit Committee - role and process;
  • The Chief Audit Executive and internal audit, respecting the annual CAE holistic opinion on the effectiveness and adequacy of risk management and control - role and process;
  • The Chief Financial Officer, respecting the CFO Statement on Internal Control - role and process;
  • Assistant deputy minister or Equivalent, respecting their ADM Statement on Internal Control within their purview of responsibility - role and process;
  • External auditors, evaluators, and other review parties for other explicit review / assurance mechanisms that provide appropriate evidence, such as auditor reports, evaluations, special Assessments, etc. - role and process;
  • [External service providers or horizontal government initiative departments as appropriate associated with the department]; and
  • The Risk Committee (if one exists) and/or risk managers (if relevant) - role and process.

Include an outline of the actions taken or proposed to deal with any significant internal control over financial reporting issues or deficiencies and with any undesirable performance respecting financial management controls, if applicable.

Factors that may be helpful in deciding whether a particular issue or deficiency falls into this category include:

  • The issue prevented achievement of a Performance Agreement target;
  • The issue has resulted in a need to seek additional funding from Treasury Board to allow it to be resolved, or has resulted in significant diversion of resources from another aspect of the department;
  • The external auditor regards it as having a material impact on the financial statements and Public Accounts;
  • The Departmental Audit Committee advises it should be considered significant;
  • The Chief Audit Executive reports on it as significant in the annual CAE holistic opinion on the departmental risk management, control and governance processes;
  • The Chief Financial Officer reports on it as significant in their CFO Statement on Internal Control;
  • Assistant deputy ministers or Equivalents report on it as significant in their ADM Statement on Internal Control within their purview of responsibility; and
  • the issue has harmed the reputation of the department.

When material changes have been made in the year, they should be reported in the SIC, to reflect changes to risk mitigation. If an element of the internal control over financial reporting management process has been absent for a material period of time in the year, a department will only be able to make a qualified SIC for the relevant period.]

Establishment of new departments/agencies and machinery of government changes (if applicable)

[When new departments/agencies are established or restructured as part of a machinery change, there will be an impact on the SIC for the entities concerned. The SIC should identify how the effectiveness of the internal controls over financial reporting has been maintained.

In circumstances when all the elements of risk management and the system of internal control over financial reporting have not been in place for the whole of the first accounting period:

  • The SIC should give a brief explanation of how the department/agency has come into existence, including reference to any responsibilities inherited from other bodies, and should set out a timetable to implement key elements of the risk management and the system of internal control over financial reporting; and
  • Subsequent SICs should refer to progress against that timetable, particularly explaining any material delays against plan.]
________________________________
Deputy
________________
Date

B.2 - Pro forma annual Chief Financial Officer Statement on Internal Control (CFO SIC)

Chief Financial Officer Statement on Internal Control

Scope of responsibility

As Chief Financial Officer of [Department / Agency], I am aware that you are required to provide an assurance on the system of internal control over financial reporting across the department to enable you to sign the departmental Statement on Internal Control (SIC) in relation to the annual departmental financial statements and other external reporting for which you are directly responsible.

As Chief Financial Officer of [Department/Agency], I have responsibility for maintaining a sound system of internal control over financial management across the department that supports the achievement of [the Department's/Agency's] objectives, mandate and results. At the same time, I have responsibility for safeguarding public resources and departmental assets, in accordance with the responsibilities assigned to me by legislation, regulations, and policy. (Chief Financial Officers should add to this paragraph an explanation of the accountability arrangements surrounding their role. In particular, they should comment on:

  1. Processes in place by which I inform the deputy head, assistant deputy ministers or equivalents, and the Chief Audit Executive on risk mitigation and the maintenance of internal controls over financial reporting; and
  2. Mechanisms in place to obtain assurance on the review of the effeeemmeees of internal control over financial reporting where the department:
  • obtains services from any external service entities;
  • has initiated a new program or venture during the fiscal year; or
  • has a material interest in shared horizontal initiatives.

The Purpose of the system of internal control

The system of internal control over financial reporting is designed to mitigate risk to a reasonable level rather than to eliminate all risk of failure to achieve objectives, mandate and results. It can therefore only provide reasonable and not absolute assurance of effectiveness. The system of internal control over financial reporting is based upon an ongoing process designed to identify and prioritize risks and the controls effected to mitigate risks in the achievement of departmental objectives, mandate and results. The system of internal control over financial reporting has been in place in [Department/Agency] for the year ending 31 March 200X and up to the signing of the departmental financial statements, in accordance with Treasury Board guidance.

Capacity to mitigate risk

[Describe the manner in which:

  • Leadership is shown with regard to the risk management process as it is implemented within your area of responsibility;
  • Staff across the department are trained or equipped to mitigate risk through the management of controls appropriate to their authority and duties. Include comments on guidance provided to staff and the manner in which you seek to learn from good practices.]

The risk and control framework

[Describe the key elements of the risk management strategy across the department, including the way in which risk (or change in risk) is identified, evaluated, and controlled. Include mention of how risk priorities are determined and how suitable internal controls are applied. Describe the manner in which control is embedded in the activity of the department, including mention of the system of internal control over financial reporting.

Describe the manner (if applicable), and any limitations, in which risk management is implemented when relying upon external service entities or participating in horizontal initiatives. Describe as well how credible assurance of the effectiveness of internal control over financial reporting is obtained for such arrangements.

Only those Chief Financial Officers to whom this section is relevant should insert it:

  • Describe the key elements of the manner in which public stakeholders are involved in the management of risks that impact on them, including any reference to systems of internal control over financial reporting.
  • When required: I have also received appropriate assurances from external service providers or horizontal government initiative departments associated with the Department.]

Review of effectiveness

To assist you and the Departmental Audit Committee in the SIC review process, I can confirm that I have a process in place to review the effectiveness of the system of internal control over financial reporting across the department, in accordance with guidance set out in the Directive on Internal Control.

[Following text to be modified as appropriate]Having undertaken that review, I can confirm the system of internal control over financial reporting across the department has been, and is effective. There are, in my opinion, no significant issues or deficiencies arising that would require to be raised specifically in your Deputy Head Statement on Internal Control;

OR

I would draw your attention to the following matters, which you may wish to consider when preparing the assurance you are required to give in your Deputy Head Statement on Internal Control:

[Include an outline of the actions taken, or proposed to deal with any significant internal control over financial reporting issues or deficiencies, if applicable.]

Factors that may be helpful in deciding whether a particular issue or deficiency falls into this category include:

  • The issue prevented achievement of a Performance Agreement target;
  • The issue has resulted in a need to seek additional funding from Treasury Board to allow it to be resolved, or has resulted in significant diversion of resources from another aspect of the department;
  • The external auditor regards it as having a material impact on the financial statements and Public Accounts;
  • The Departmental Audit Committee advises the issue should be considered significant;
  • The Chief Audit Executive reports on the issue as significant, for this purpose, in the annual holistic opinion on the departmental risk management, control and governance processes; and
  • The issue harmed the reputation of the department.

When material changes have been made in the course of the year, they should be reflected in the CFO SIC, to reflect changes to risk mitigation. If an element of internal control over financial reporting across the department has not been in place for a significant amount of time during the year, it should be reported as such in the CFO SIC.

Establishment of new programs/branches/functions, and machinery of government changes (if applicable)

When new departments/agencies/programs/branches/functions/policy areas are established or restructured as part of a machinery change, there will be an impact on the CFO Statement on Internal Control for the areas concerned. The CFO SIC should identify how internal controls over financial reporting have been maintained.

In circumstances when all the elements of risk management and the system of internal control over financial reporting have not been in place for the whole of the first accounting period:

  • The CFO SIC should give a brief explanation of how the department/agency/ program/function/policy area has come into existence, including reference to any responsibilities inherited from other bodies, and set out a timetable to implement key elements of the risk management and the system of internal control over financial reporting; and
  • Subsequent CFO SICs should refer to progress against that timetable, particularly explaining any material delays against plan.
________________________________
Chief Financial Officer
________________
Date

B.3 - Pro forma Annual Assistant Deputy Minister or Equivalent Statement on Internal Control (ADM SIC)

Assistant Deputy Minister or Equivalent Statement on Internal Control

Scope of responsibility

As assistant deputy minister or equivalent of [XX], I am aware that you are required to provide an assurance on the system of internal control over financial reporting across the department to enable you to sign the departmental Statement on Internal Control (SIC) in relation to the annual departmental financial statements and other external reporting for which you are directly responsible.

As assistant deputy minister or equivalent of [XX], I have responsibility for maintaining a sound system of internal control over financial reporting within my purview of responsibility that supports the achievement of [XX's] objectives, mandate and results. At the same time, I have responsibility for safeguarding public resources and departmental assets within my purview of responsibility, in accordance with the responsibilities assigned to me by legislation, regulations, and policy. (Assistant deputy ministers or equivalents should add to this paragraph an explanation of the accountability arrangements surrounding their role. In particular, they should comment on:

  1. Processes in place by which I inform and work with the Chief Financial Officer and other ADMs or Equivalents on risk mitigation and the maintenance of internal controls over financial reporting; and
  2. Mechanisms in place to obtain assurance on the review of the effectiveness of internal control over financial reporting where the department:
  • obtains services from any external service entities;
  • has initiated a new program or venture during the fiscal year; or
  • has a material interest in shared horizontal initiatives.

The purpose of the system of internal control

The system of internal control over financial reporting is designed to mitigate risk to a reasonable level rather than to eliminate all risk of failure to achieve objectives, mandate and results. It can therefore only provide reasonable and not absolute assurance of effectiveness. The system of internal control over financial reporting is based upon an ongoing process designed to identify and prioritize risks and the controls effected to mitigate risks in the achievement of departmental objectives, mandate and results. The system of internal control over financial reporting has been in place in [Department/Agency] for the year ending 31 March 200X and up to the date of the signing of the departmental financial statements, in accordance with Treasury Board guidance.

Capacity to mitigate risk

[Describe the manner in which:

  • Leadership is shown with regard to the risk management process as it is implemented within your area of responsibility;
  • Staff within your area of responsibility are trained or equipped to mitigate risk through the management of controls appropriate to their authority and duties. Include comments on guidance provided to them and the manner in which you seek to learn from good practices.]

The risk and control framework

[Describe the key elements of the risk management strategy within your purview of responsibility, including the way in which risk (or change in risk) is identified, evaluated, and controlled. Include mention of how risk priorities are determined and how suitable internal controls are applied.

Describe the manner in which control is implemented in your area of responsibility, including mention of the system of internal control over financial reporting.

Describe the manner (if applicable), and any limitations, in which risk management is implemented when relying upon external service entities or participating in horizontal initiatives. Describe as well how credible assurance of the effectiveness of internal control over financial reporting is obtained for such arrangements.

Only those programs/functions/policy areas to which this section is relevant should insert it:

  • Describe the key elements of how public stakeholders are involved in the management of risks that have an impact on them, including any reference to systems of internal control over financial reporting.

When required: I have also received appropriate assurances from external service providers or horizontal government initiative departments associated with my areas of responsibility.]

Review of effectiveness

To assist you, the Chief Financial Officer, and the Departmental Audit Committee in the SIC review process, I can confirm that upon guidance from the Chief Financial Officer and the Directive on Internal Control, I have a process in place to review the effectiveness of the system of internal control over financial reporting within my area of responsibility.

[Following text to be modified as appropriate] Having undertaken that review, I can confirm the system of internal control over financial reporting across the department has been, and is effective. There are, in my opinion, no significant issues or deficiencies arising that would require to be raised specifically in your Deputy Head Statement on Internal Control;

OR

I would draw your attention to the following matters, which you may wish to consider when preparing the assurance you are required to give in your Deputy Head Statement on Internal Control:

[Include an outline of the actions taken, or proposed to deal with any significant internal control over financial reporting issues or deficiencies, if applicable.]

ADMs or Equivalents will need to exercise judgement in deciding whether a particular issue should be regarded as falling into this category. Factors that may be helpful in exercising that judgement include:

  • The issue prevented achievement of a Performance Agreement target;
  • The issue has resulted in a need to seek additional funding from Treasury Board to allow it to be resolved, or has resulted in significant diversion of resources from another aspect of the department;
  • The external auditor regards this issue as having a material impact on the financial statements and Public Accounts;
  • The Departmental Audit Committee advises the issue should be considered significant;
  • The Chief Audit Executive reports the issue as significant in the annual holistic opinion on the departmental risk management, control and governance processes;
  • The Chief Financial Officer reports the issue as significant in the CFO Statement on Internal Control; and
  • the issue has harmed the reputation of the department.

When material changes have been made in the course of the year, they should be reflected in the ADM SIC, to reflect changes to risk mitigation. If an element of internal control over financial reporting within your area of responsibility has been not been in place for a significant amount of time during the year, it should be reported as such in the ADM SIC.

Establishment of new programs/branches/functions, and machinery of government changes (if applicable)

When new departments/agencies/programs/branches/functions/policy areas are established or restructured as part of a machinery change, there will be an impact on the Assistant deputy minister or Equivalent Statement on Internal Control for the areas concerned. The ADM SIC should identify how internal controls over financial reporting have been maintained.

In circumstances when all the elements of risk management and the system of internal control over financial reporting have not been in place for the whole of the first accounting period:

  • The ADM SIC should give a brief explanation of how the department/agency/ program/function/policy area has come into existence, including reference to any responsibilities inherited from other bodies, and set out a timetable to implement key elements of the risk management and the system of internal control over financial reporting; and
  • subsequent ADM SICs should refer to progress against that timetable, particularly explaining any material delays against plan.
________________________________
Assistant Deputy Minister of Equivalent
________________
Date

Appendix C - Types of Evidence for the Annual Statement on Internal Control

The following represents appropriate types of evidence gathered from the review of the effectiveness of the system of internal control over financial reporting, to inform the deputy head and the Departmental Audit Committee for disclosures in the Annual Statement on Internal Control (SIC).

Deputy head State-
ments
An ongoing process exists for identifying, evaluating and managing significant risks based upon evidence;

Responsibility for the system of internal control over financial reporting and reviewing its effectiveness;

Summarize the process applied in reviewing the effectiveness of internal controls over financial reporting; and

Confirm actions taken to remedy significant failings or weaknesses.

Types of Evidence and Documentation

Depart-
mental Audit Committee
- Review of risk management and management frameworks matters
Chief Audit Executive - Various audits and annual holistic opinion on effectiveness and adequacy of risk manage-
ment and control
Chief Financial Officer - SIC for internal control over financial reporting Assistant Deputy Minister or Equiva-
lent
- SIC for internal control over financial reporting within their area of responsi-
bility
Other Appropriate Evidence and Documenta-
tion
, such as evaluations, special audits and/or assess-
ments, etc.



Date modified: