2017-2018 Annex to the Statement of Management Responsibility Including Internal Control over Financial Reporting (unaudited)
Fiscal year 2017-18
Introduction
This document provides summary information on the measures taken by the Office of the Information Commissioner of Canada’s (OIC) to maintain an effective system of internal control over financial reporting, including information on internal control management, assessment results and relation action plans.
Detailed information on the OIC’s authority, mandate and program activities can be found in its Departmental Plan (Report on Plans and Priorities), Departmental Result Report (Departmental Performance Report) and Annual Report.
Departmental system of internal control over financial reporting
2.1 Internal control management
The OIC has a well-established governance and accountability structure to support oversight of its system of internal control, including:
- Organizational accountability structures as they relate to internal control management to support sound financial management, including roles and responsibilities of senior managers in their areas or responsibility for control management;
- Values and ethics that guide and support employees in their professional activities;
- Ongoing communication and training on statutory requirements, and policies and procedures for sound financial management and control; and
- Regular monitoring and updates on internal control management, as well as the provision of related assessment results and action plans to the Commissioner, the Office’s senior management, and, as applicable, to the Audit and Evaluation Committee.
The OIC Audit and Evaluation Committee provide advice to the Deputy Head on the adequacy and functioning of the department’s risk management, control and governance frameworks and processes.
2.2 Service arrangements relevant to the financial statements
The OIC relies on other organizations for the processing of certain transactions that are recorded in its financial statements as follows:
Common Arrangements
- Public Works and Government Services Canada (PWGSC) centrally administers payments, provides a platform for employee pay administration, provides procurement tools and provides accommodation services.
- Treasury Board of Canada Secretariat (TBS) provides information used to calculate various accruals and allowances, such as the accrued severance liability and the Employee Benefits Plan, and pays the employer’s share of health and dental insurance premiums.
- Public Service Commission (PSC) provides OIC with language evaluation services.
- The Office of the Auditor General (OAG) provides audit services; and
- Shared Services Canada (SSC) provides information technology (IT) infrastructure services to the OIC in the areas of internet connectivity and email security.
Specific Arrangements
- The Canadian Human Rights Commissions (CHRC) provides OIC with the following (Note 2):
- a financial system platform to capture and report all financial transactions;
- Procurement Services for processing of all contracts and reporting;
- Financial Services for processing of all invoice payments and reimbursement requests.
- The OIC and the other tenants at 30 Victoria Street, Gatineau, have entered into a Memorandum of Understanding (MOU) for base building security and multi tenants responsibilities (Note 1);
- The OIC and other tenants at 30 Victoria Street, Gatineau share facility and services related to the mailroom (Note 1);
- Canada School of Public Service (CSPS) provides OIC with training services.
- Public Works and Government Services Canada (PWGSC) provides OIC with translation services (Note 1).
Departmental assessment results during fiscal year 2017-18
The key findings and significant adjustments required from the current year’s assessment activities are summarized below.
New or significantly amended key controls: In the current year, there were no significantly amended key controls in existing processes which required a reassessment.
Ongoing monitoring program: The OIC has a comprehensive internal control framework for financial and HR management that is aligned with the federal government’s expenditure management process. The OIC manages its funding through budgeting and commitment control process in its integrated financial and salary budgeting systems. Appropriate segregation of duties is done in the context of common, systematized business processes. Expenditures are approved at the initiation, contracting, performance certification and payment approval stages. Payments are subject to a quality control process that tailors verification processes to risk. Controls over payments are tested for effectiveness on a monthly basis. Financial results are monitored through a monthly financial reporting process, and validated and approved by management.
Departmental action plan
4.1 Progress during fiscal year 2017-18
The OIC continues to conduct its ongoing monitoring according to the previous fiscal year’s rotation plan as shown in the following table.
Progress during fiscal year 2017-18
| Previous year’s rotational ongoing monitoring plan | Status |
|---|---|
|
Entity-level controls (Note 3) |
Reviewed on an annual basis. No remedial actions required. Ongoing. |
|
IT general controls |
Completed through IT audit and recommendations addressed. Ongoing. |
|
Asset management |
Monitored as planned. |
|
Payroll (Note 3) |
Payroll transactions reconciled monthly to identify any over or under-payments. Ongoing. |
|
Phoenix HR system. |
Continued analysis and review of any post implementation issues with corrective measures as required especially as it related to the new Phoenix system. |
In 2017-18, the OIC conducted the following work in addition to the progress made in ongoing monitoring:
- Sampled and reviewed pay transactions resulting from the signed collective agreement for accuracy and completeness.
- Formalized an action plan to address the eight (8) recommendations from the Office of the Auditor General (OAG) to the Office of the Comptroller General (OCG) regarding payroll transactions using the Phoenix Pay System. The action plan was reviewed with the Audit and Evaluation Committee as well as the OAG during our annual financial audit.
4.2 Action plan for the next fiscal year and subsequent years
The OIC will continue to ensure that the ongoing monitoring of key controls is based on risk. Senior management is committed to sustaining and continuously improving its sound framework of effective ICFR, including carrying out ongoing monitoring to ensure that the key controls meet the expectations of management and stakeholders, and appropriately mitigate associated risks.
Finally, the Commissioner and senior managers will make themselves available to parliamentary committees that may wish to discuss the system of internal controls at the OIC.
The OIC’s rotational ongoing monitoring plan over the next three years is based on an annual validation of the high-risk processes and controls and is shown in the following table.
Rotational Ongoing Monitoring Plan
| Key control areas | Fiscal Year 2018-19 |
Fiscal Year 2019-20 |
Fiscal Year 2020-21 |
|---|---|---|---|
|
Entity-level controls (Note 3) |
Ongoing |
Ongoing |
Ongoing |
|
IT general controls |
Ongoing |
Ongoing |
Ongoing |
|
Asset |
Review of processes and procedures. |
None planned |
None planned |
|
Payroll (Note 3) |
Ongoing |
Ongoing |
Ongoing |
|
Phoenix HR system. |
Continued analysis and review of any post-implementation issues with corrective measures as required especially as it related to the Phoenix system. |
Continued analysis and review of any post-implementation issues with corrective measures as required especially as it related to the Phoenix system. |
Continued analysis and review of any post-implementation issues with corrective measures as required especially as it related to the Phoenix system. |
NOTES:
Note 1 – MOUs are reviewed on an ongoing basis for clear service levels, roles, responsibilities and controls for shared services.In addition, the OIC reviews its own controls in the area of security to ensure that necessary controls are in place for both those offering shared services to the OIC and those receiving services from the OIC.
Note 2 – The MOU’s with CHRC and OPC are reviewed on a yearly basis to provide feedback related to the provision of services and determine if any changes are required.
Note 3 – These processes are reviewed on an ongoing basis as part of the yearly review of OIC Financial and Administrative processes.