2012-2013 Annex to the Statement of Management Responsibility Including Internal Control over Financial Reporting (unaudited)
This document is attached to the Office of the Information Commissioner of Canada’s (OIC) Statement of Management Responsibility Including Internal Control over Financial Reporting for fiscal year 2012–2013. As required by the Policy on Internal Control, this document provides a summary of measures the OIC has taken to maintain an effective system of internal control over financial reporting (ICFR). In particular, it summarizes the assessments the OIC has conducted, describes the progress, as at March 31, 2013, to review and improve its key controls, and sets out actions the OIC will take in coming years, along with some financial highlights pertinent to understanding the OIC’s unique control environment.
The Information Commissioner is an Agent of Parliament; therefore, the OIC is not subject to monitoring by the Comptroller General of Canada for compliance with the Policy on Internal Control (see Section 2 of the policy). Instead, the Commissioner, as deputy head, is responsible for compliance and for responding to any instances of non-compliance. As a result, the OIC is vigilant in ensuring it has the controls in place to ensure proper governance and in assessing their effectiveness.
Authority, mandate and program activities
The OIC was created under the Access to Information Act, which came into force on July 1, 1983. The Information Commissioner is appointed by the Governor-in-Council following approval by resolution of the Senate and the House of Commons. The OIC is listed under Schedule I.1 of the Financial Administration Act and is funded through annual appropriations. The Commissioner is accountable for, and reports directly to Parliament on, the results the OIC achieves each year.
Detailed information on the OIC’s authority, mandate and program activities can be found in its Report on Plans and Priorities, Departmental Performance Report, Annual Report and Strategic Plan 2011–2014.
Below is the key financial information for 2012–2013. Additional information can be found in the OIC’s annual audited Financial Statements and in the Public Accounts of Canada (under the Department of Justice Canada).
- Total expenses were $14.0 million. Salaries and employee benefits accounted for the majority of the OIC’s total expenditures (73 percent or $10.2 million).
- Tangible capital assets comprised 94 percent of the OIC’s total non-financial assets of $885,873, with prepaid expenses accounting for the remainder.
- Total liabilities were $2.0 million. Employee future benefits (liability for severance pay) represented the largest portion of liabilities (38 percent). Accounts payable to suppliers and other government departments accounted for another 29 percent. The balance was made up of accrued salaries, vacation pay and compensatory leave.
- The OIC’s primary financial system is Freebalance.
Service arrangements relevant to financial statements
The OIC relies on other organizations to process various transactions that are recorded in its financial statements and as part of these organizations’ figures for reporting purposes:
- Public Works and Government Services Canada (PWGSC) centrally administers the payment of salaries and the procurement of some goods and services, and provides cheque-issuing services as well as accommodations.
- Treasury Board of Canada Secretariat (TBS) provides information used to calculate various accruals and allowances, such as the accrued severance liability and the Employee Benefits Plan, and pays the employer’s share of health and dental insurance premiums.
- The Office of the Auditor General (OAG) provides audit services.
- For the purposes of the Financial Administration Act, the OIC and the Office of the Privacy Commissioner (OPC) submit their trial balances jointly to PWGSC. The OPC hosts the servers that house the two organizations’ financial and salary management systems.
- In April 2012, the OIC engaged the Shared Services unit at PWGSC to provide human resources services, including compensation and staffing.
Material changes in 2012–2013
On July 6, 2012, the OIC appointed Layla Michaud as its Chief Financial Officer and Director General, Corporate Services, on a permanent basis.
OIC’s control environment relevant to ICFR
The OIC is a small entity, and very low risk is associated with its system of internal control. Nonetheless, senior management recognizes the importance of ensuring that staff at all levels understand their role in maintaining effective systems of ICFR and are well equipped to exercise these responsibilities. The OIC’s goal is to ensure risks are well managed through a responsive and risk-based control environment that enables continuous improvement and innovation.
Key positions, roles and responsibilities
Deputy Head: The Commissioner carries out the duties of deputy head. As accounting officer, the Commissioner has overall responsibility for the stewardship, management and oversight of the OIC’s resources, as well as for the measures taken to maintain an effective system of internal control. The Commissioner is assisted by the Assistant Commissioner, Complaints Resolution and Compliance, the Director General, Corporate Services, and the General Counsel and Director, Legal Services. The Commissioner is a member of the Audit Committee and meets regularly with the Senior Management Team.
Chief Financial Officer (CFO): The CFO—the Director General, Corporate Services—reports directly to the Commissioner and is responsible for, among other things, the coordination, coherence and focus of the design and maintenance of the system of ICFR, including its annual assessment.
Chief Audit Executive (CAE): It is not practical for the OIC to have a full-time Chief Audit Executive, due to the organization’s size, risk profile and resources. For this reason, the OIC had split the function between a management consulting firm and the Chief Financial Officer. However, effective January 31, 2013, the OIC assigned the full role to an external member of the Audit Committee. This change will ensure the independence of the position and provide the incumbent direct access to the deputy head, when required. This change will also ensure compliance with the TBS Directive on Internal Auditing in the Government of Canada.
Audit Committee: The Audit Committee provides the Commissioner with independent and objective advice, guidance and assurance on the adequacy of the OIC’s risk management, control and accountability processes. The committee has three members: two who are external to the federal government (one who is the CAE, and the other who is the Chairperson) and the Commissioner. The committee reviews the OIC’s audited financial statements and its system of internal control, including internal audit reports, and the assessments and action plans related to the system of ICFR. It also reviews draft audit reports from the OAG and other central agencies. The committee presents its annual report to both the Comptroller General of Canada and the House of Commons Standing Committee on Access to Information, Privacy and Ethics.
Senior Management Team (SMT): SMT is the OIC’s central decision-making body. It is made up of senior managers and is chaired by the Commissioner. It provides overall strategic and administrative direction for the OIC.
Key measures taken
The OIC has a comprehensive internal control framework for financial management that is aligned with the federal government’s expenditure management process.
The OIC manages its funding through a budgeting and commitment control process in its integrated financial system, and segregates duties in the context of common, systematized business processes.
Expenditures are approved at the initiation, contracting, performance certification and payment approval stages. Payments are subject to a quality control process that tailors verification processes to risk. Controls over payments are tested for effectiveness on a monthly basis.
Financial results are monitored through a monthly financial reporting process, and validated and approved by management.
The control environment also includes measures and structures to equip staff to manage risks well, including the following:
- established governance structure and strategic direction developed by SMT and supported by the Audit Committee;
- strategic planning function that coordinates and supports organization-wide planning;
- fully implemented CFO model;
- finance unit dedicated to internal control over financial reporting;
- regular reporting of financial performance to SMT and at Audit Committee meetings, including clearly setting out financial management responsibilities;
- training program and communications in core areas of financial management;
- specialized mandatory training for financial officers (FI); FIs who do not have an accounting designation are encouraged to complete all necessary training to meet the professional accounting designation requirements;
- documentation of main business processes and related key risk and control points to support the management and oversight of the system of ICFR;
- certification process requiring managers to attest to the reliability of the financial information in their area of responsibility;
- complete range of human resources, financial and contracting policies tailored to the control environment and departing from the requirements of the Policy on Internal Control when appropriate, due to the OIC’s exemption from the policy as an Agent of Parliament;
- regularly updated and detailed financial signing authority, which is available to all staff on the OIC’s intranet;
- secure financial processing systems, with access limited to appropriate staff: these are in place to ensure the integrity of financial data and processing of transactions; and
- guidelines as part of the overall security program, including elements on information and personnel security.
Assessment of the system of ICFR
In 2004, the Government of Canada launched an initiative to determine the ability of organizations to sustain control-based audits of their financial statements, thus requiring them to develop well-functioning internal controls.
The requirement of organizations to annually assess their system of ICFR, make any necessary adjustments, and attach to their Statements of Management Responsibility a summary of this activity was formalized in April 2009, when the Policy on Internal Control came into effect.
Whether it is to support control-based audit requirements or those of the Policy on Internal Control, an effective system of ICFR aims to provide reasonable assurance of the following:
- transactions are appropriately authorized;
- financial records are properly maintained;
- assets are safeguarded from risks such as waste, abuse, loss, fraud and mismanagement; and
- applicable laws, regulations and policies are followed.
Over time, this requirement includes assessment of the ongoing monitoring, continuous improvement and testing of internal controls at all levels (entity, information technology [IT], and business process).
The maintenance of an effective system of ICFR is an ongoing process designed to identify, assess the effectiveness of and adjust, as required, key risks and associated key controls, as well as to monitor system performance in support of continuous improvement. As a result, the scope, pace and status of the assessments of the effectiveness of a system of ICFR will vary from one organization to the other based on risks and taking into account an organization’s unique circumstances.
As part of the assessment of its system of ICFR, the OIC documents and reviews its entity-level controls on an ongoing basis. These are controls and practices that permeate the organization and set the “tone from the top.”
Controls are designed to address significant risks and presume the good faith of the individuals who apply them and their associated processes. The OIC must be aware of the inherent risk related to the effectiveness of internal controls. Many internal and external factors increase the risk that controls may fail to prevent or detect simple errors or fraud. The continuous monitoring of records, controls and processes helps identify and evaluate new risks, after which mitigating controls can be implemented accordingly.
The OIC is also committed to documenting and assessing its general controls for IT infrastructure. IT general controls are controls that affect the organization-wide IT environment, such as access to computer programs and data. The OIC is responsible for assessing all of the key controls for systems that it fully manages. In cases in which the OIC acquires services from another organization (i.e. Freebalance, Human Resources Information System, Regional Pay System), the assessment is limited to the components of the system the OIC maintains and controls; assessment of all other components is the responsibility of the organizations that provide them.
Since 2003–2004, the OAG has conducted an annual audit of the OIC, including assessing the overall control environment and the control activities relevant to the audit. The OAG has adopted a controls-reliant approach for operating expenses other than payroll. The OIC has received unqualified or unmodified opinions on all financial statements audited by the OAG to date.
Progress as at March 31, 2013
During 2012–2013, the OIC continued to assess and improve its key controls, as summarized below:
- In light of the contracting out of its human resources services, the OIC conducted a review of all salary controls related to staffing, compensation and leave. This review resulted in recommendations for improvement of controls related to communications and information sharing with Shared Services. A management action plan to implement these improved controls is expected to be complete by the end of 2013–2014.
- The OIC ensured that recurring salary payments were properly verified and approved under section 33 of the Financial Administration Act (FAA). This control activity was part of the post-payroll quality assurance process under the responsibility of the finance division.
- The OIC ensured that managers were conducting the second part of the FAA section 34 certification for salary expenditures and providing evidence of their approval of those expenditures. This occurred during the monthly budget review process. The manager doing the certifying signed an attestation approving salary expenditures and stating that data on items such as overtime, vacation and leave was up-to-date.
- The OIC updated procurement procedures and processes for managers, including the following: Managers’ Guide to Contracting for Goods and Services, Contracting Policy and Acquisition Card Policy. In addition, the Delegation Instrument related to contracting was updated.
- In conjunction with the OPC, a review of user access to the organizations’ shared financial system was carried out to limit access to only those employees who require it for their current position.
Furthermore, the OIC carried out its annual review of the control documentation to ensure ongoing accuracy.
The OIC also monitored new or updated TBS policies to ensure ongoing compliance.
Plan for the next fiscal year and future years
Through its internal audit program, the OIC will do a compliance check against various TBS policies to ensure that there are no gaps in coverage.
The OIC will continue to ensure that the ongoing monitoring of key controls is based on risk. Senior management is committed to sustaining and continuously improving its sound framework of effective ICFR, including carrying out ongoing monitoring to ensure that the key controls meet the expectations of management and stakeholders, and appropriately mitigate associated risks.
Finally, the Commissioner and senior managers will make themselves available to parliamentary committees that may wish to discuss the system of controls at the OIC.