Policy on Internal Control

Notice

We will be updating our design to align with Canada.ca. The policies, directives, standards and guidelines will remain available during and after this update is complete.

Alternate Formats

1. Effective date

1.1 This policy takes effect on April 1, 2009.

1.2 The new policy requirement under section 6.1.2 of this policy relating to the signature of the Statement of Management Responsibility Including Internal Control Over Financial Reporting will be phased-in over a period of three years based on department's state of readiness.

2. Application

2.1 This policy applies to all departments as defined in section 2 of the Financial Administration Act (FAA). Throughout this policy, the terms "government-wide" and "across government" refer to these organizations.

2.2 Section 7.2, and those portions of sections 6.2.1, 6.2.2 and 7.3 that provide for the Comptroller General to monitor compliance with this policy within departments and/or request departments take corrective action, do not apply with respect to the Office of the Auditor General, the Office of the Privacy Commissioner, the Office of the Information Commissioner, the Office of the Chief Electoral Officer, the Office of the Commissioner of Lobbying, the Office of the Commissioner of Official Languages and the Office of the Public Sector Integrity Commissioner. The deputy heads of these organizations are solely responsible for monitoring and ensuring compliance with this policy within their organizations, as well as for responding to cases of non-compliance in accordance with any Treasury Board instruments that address the management of compliance.

3.1 Context

3.1 Parliament and Canadians expect the federal government to be well managed with the prudent stewardship of public funds, the safeguarding of public assets, and the effective, efficient and economical use of public resources. They also expect reliable reporting that provides transparency and accountability for how government spends public funds to achieve results for Canadians.

3.2 These expectations are similar to those found in other private and public sector organizations and jurisdictions. To mitigate the risks related to the achievement of these objectives, these organizations establish and maintain broad systems of internal control. Numerous frameworks have been developed by various professional associations and bodies relating to internal control. One widely recognized framework is that of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) that was established in the United States in 1985. Within the COSO integrated framework, everyone in the organization has responsibility for internal control to some extent.

3.3 More recently, there have been demands for explicit assurance regarding the integrity of financial reporting. The Sarbanes-Oxley Act of 2002 in the United States requires public corporations to provide assurances regarding the effectiveness of internal control over financial reporting and for their external auditors to opine on these internal controls and the reliability of the corporation's financial reporting. Public sector jurisdictions have also introduced similar requirements for assurances relating to the reliability of financial reporting. These assurances generally take the form of a Statement of Internal Control signed by the head of the organization and the Chief Financial Officer (CFO) and sometimes an accompanying audit report.

3.4 In the Canadian federal government, Deputy heads have always had the responsibility to ensure that internal controls are regularly reviewed in the context of risk, ensuring that those internal controls are balanced against and proportional to the risks which they mitigate. Deputy heads and their CFOs sign an annual Letter of Representation to the Auditor General and the Deputy Receiver General in support of the Public Accounts covering their responsibilities for internal control and assertions over the integrity of financial information.

3.5 Deputy heads are also designated as accounting officers for their organizations under the Financial Administration Act, and as such have a legal obligation to appear before parliamentary committees in support of their Ministers' accountability and to answer questions relating to the measures taken to maintain an effective system of internal control in their organizations, as well as three other specific areas of departmental management as set out in provision 16.4.

3.6 In this context, the CFO supports the deputy head by establishing and maintaining a system of internal control related to financial management including financial reporting and departmental accounts. Other senior departmental managers establish and maintain a system of internal control for their areas of responsibility and within the departmental system of internal control.

3.7 The Comptroller General of Canada provides government-wide leadership and functional direction for the system of internal control over financial management, including over financial reporting, in collaboration with the Receiver General of Canada and other central agencies.

3.8 This policy is to be read in conjunction with the Policy on Financial Management Governance and the Policy on Internal Audit.

3.9 This policy is issued pursuant to section 7 of the Financial Administration Act.

4. Definitions

Definitions are provided in the Appendix.

5. Policy statement

5.1 Objective

Risks relating to the stewardship of public resources are adequately managed through effective internal controls, including internal controls over financial reporting.

5.2 Expected results

5.2.1 An effective risk-based system of internal control is in place in departments and is properly maintained, monitored and reviewed, with timely corrective measures taken when issues are identified.

5.2.2 An effective system of internal control over financial reporting is operating in departments as demonstrated by the departmental Statement of Management Responsibility Including Internal Control Over Financial Reporting.

6. Policy requirements

6.1 Deputy head

The deputy head is responsible for:

6.1.1 Ensuring the establishment, maintenance, monitoring and review of the departmental system of internal control to mitigate risks in the following broad categories:

  • The effectiveness and efficiency of programs, operations and resource management, including safeguarding of assets;
  • The reliability of financial reporting; and
  • Compliance with legislation, regulations, policies and delegated authorities.

6.1.2 Signing an annual departmental Statement of Management Responsibility Including Internal Control Over Financial Reporting, also signed by the Chief Financial Officer, which prefaces the departmental financial statements and that will:

  • acknowledge the responsibility of management for ensuring the maintenance of effective departmental system of internal control over financial reporting;
  • acknowledge the conduct of an annual risk-based assessment of the system of internal control over financial reporting to determine its on-going effectiveness;
  • acknowledge the establishment of an action plan to address any significant issues found as a result of the annual assessment of the effectiveness of the system of internal control over financial reporting; and
  • include a summary of the results of the assessment of the system of internal control over financial reporting along with the actions taken in response to any significant issues.

6.1.3 Engaging with the Departmental Audit Committee, as applicable, on risk-based assessment plans and associated results related to the effectiveness of the departmental system of internal control over financial reporting.

6.2 Monitoring and Reporting

6.2.1 Deputy heads – Deputy heads are responsible for:

  • monitoring compliance with this policy and its supporting directives and standards through periodic audits and other reviews to ensure their effective implementation;
  • ensuring that appropriate and timely action is taken to address any significant issues relating to the departmental system of internal control; and
  • providing reports or information on the departmental system of internal control as requested by the Comptroller General.

6.2.2 Comptroller General of Canada – The Comptroller General is responsible for:

  • overseeing the effectiveness of the system of internal control over financial management and financial reporting across government, including monitoring compliance with this policy, in a variety of ways including but not limited to; reviews of the departmental Statement of Management Responsibility Including Internal Control Over Financial Reporting and related evidence presented in its Annex; assessments under the Management Accountability Framework; results of audits and evaluations; special audits or horizontal audits commissioned by the Comptroller General of Canada; as well as reports and special studies by Parliament or its agents;
  • monitoring that appropriate and timely action is taken to address significant issues over financial management and over financial reporting across government that have been identified through the review of the departmental Statement of Management Responsibility Including Internal Control Over Financial Reporting;
  • monitoring government-wide compliance with Treasury Board financial management policies including reporting periodically to the Treasury Board on the state of financial management, control and reporting across government;
  • recommending that corrective action be taken when a department has not complied with the requirements of this policy; and
  • establishing a framework for the review of this policy and supporting directives and standards, and ensuring that a review is initiated within five years of the effective date of this policy.

7. Consequences

7.1 The deputy head is responsible for investigating and acting when significant issues arise regarding policy compliance.

7.2 If the Comptroller General of Canada determines that a department may not have complied with any requirements of this policy or supporting directives and standards, the Comptroller General may request that the Deputy head:

7.2.1 Conduct an audit or a review to assess whether requirements of this policy or its supporting directives or standards have been met. The cost of such an audit or review will be paid from the department's reference level; and

7.2.2 Take corrective actions and report back on the results achieved.

7.3 Consequences of non-compliance with this policy and supporting directives and standards, or of failure to take corrective actions requested by the Comptroller General, may include recommending to Treasury Board:

7.3.1 Limits on the spending authority of the department; or

7.3.2 Imposition of any other measures determined appropriate in the circumstances.

8. References

9. Enquiries

Please direct enquiries about this policy to your department's headquarters. For interpretation of this policy, departmental headquarters should contact:

Assistant Comptroller General
Financial Management and Analysis Sector
Office of the Comptroller General
Treasury Board Secretariat
Ottawa ON K1A 0R5

Facsimile: 613-952-9613
Telephone: 613-957-7233


Appendix A – Definitions

Internal control (contrôle interne)
Is generally recognized as a set of means that organizations put in place to mitigate risks and provide reasonable assurance in the following broad categories:
  • The effectiveness and efficiency of programs, operations and resource management, including safeguarding of assets;
  • The reliability of financial reporting; and
  • Compliance with legislation, regulations, policies and delegated authorities.

In practice, the set of means that represent internal controls can include those elements of an organization such as its resources, systems, processes, culture, structure and tasks that, taken together, support people in managing risks in order to achieve an organization's objectives. The Internal Control – Integrated Framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides a generally accepted framework in this area - see Guideline on Internal Control Over Financial Reporting.

Internal control over financial management (contrôle interne en matière de gestion financière)
Is a set of means to ensure that public resources are used prudently and in an effective, efficient and economical manner. Financial management activities include those of planning, budgeting, accounting, reporting, control, oversight, analysis, decision support/advice, and financial systems. Internal controls relating to financial management also address control objectives and performance expectations as set out in the Financial Management Policy Framework and related policies, directives, and standards.

Financial management internal controls are a sub-set of the broader departmental system of internal controls dealing with effectiveness and efficiency of programs, operations and resource management, including safeguarding of assets.

Internal control over financial reporting (contrôle interne en matière de rapports financiers)
Is a set of means that allow management and users of financial statements to have reasonable assurance that:
  • records which fairly reflect all financial transactions are maintained;
  • recording of financial transactions permits the preparation of internal and external financial information, reports, and statements in accordance with policies, directives and standards;
  • revenues received and expenditures made are in accordance with delegated authorities and unauthorized transactions that could have a material effect on financial information and financial statements are prevented or detected in a timely manner. This includes providing reasonable assurance that financial resources are safeguarded against material loss due to waste, abuse, mismanagement, errors, fraud, omissions and other irregularities.

Financial reporting internal controls are a sub-set of the controls for financial management.

Financial Management (gestion financière)
refers to a continuum of activities undertaken to ensure prudent use of public resources in an effective, efficient and economic manner, and their stewardship. The activities include those of planning, budgeting, accounting, reporting, control and oversight, analysis, decision support and advice, and financial systems.
Financial Reporting (rapports financiers)
refers to financial reports and disclosures that are both internal and external to a department. Internal financial reporting can include financial information that supports decision-making, planning, budgeting, resource allocations, accounting, performance assessments and reports. External reporting includes all financial statements, reports or disclosures, including those prepared for Parliament or to be made public.
Senior Departmental Managers (cadres supérieurs des ministères)
For the purpose of this policy, senior departmental managers are defined as managers reporting directly to a deputy head
Statement of Management Responsibility Including Internal Control Over Financial Reporting (Déclaration de responsabilité de la direction englobant le contrôle interne en matière de rapports financiers)

A Statement of Management Responsibility Including Internal Control Over Financial Reporting states management's responsibility for the financial statements and other financial information and internal reports, as well as the financial reporting process that produces such statements. The report also states the role of the audit committee, when one exists. The purpose of this statement is to communicate to users of these financial statements the key elements of responsibility for the representations made in financial statements and other financial information and to specify whose representations they are and the limits of their accuracy. It is to be signed by the Deputy Head and the CFO. The statement prefaces annual departmental financial statements but is not the subject of the audit opinion on the financial statements where they are audited.

The section of this statement that relates to the responsibility of management for maintaining an effective system of internal control over financial reporting confirms that:

  • an annual risk-based assessment of the effectiveness of the system of internal control over financial reporting has been completed;
  • the Departmental Audit Committee, as applicable, has been engaged on the risk-based assessment plans and results of the annual assessment of the effectiveness of the departmental system of internal control; and
  • a plan with timelines is in place to address significant issues and ensure continuous improvement.
System of internal control (système de contrôle interne)
Is a set of internal controls in a department to mitigate risks and provide reasonable assurance in the following broad categories:
  • The effectiveness and efficiency of programs, operations and resource management, including safeguarding of assets;
  • The reliability of financial reporting; and
  • Compliance with legislation, regulations, policies and delegated authorities.

As such, internal controls operate at all levels throughout the organization and are an integral part of an organization's risk management framework. In practice, the departmental system of internal control is composed of several internal control systems covering various management areas, such as financial management and financial reporting.

Date modified: