Guideline for the “Policy on Internal Control”

Guidance on the form and content of annex to the Statement of Management Responsibility Including Internal Control Over Financial Reporting and Treasury Board Secretariat’s related expectations.
Date modified: 2013-08-13

More information

Policy:

Terminology:

Hierarchy

Print-friendly XML

1. Purpose

This guideline set outs:

  • The form and content of summary information on internal control management, assessment results and action plans to be annexed to the Statement of Management Responsibility Including Internal Control Over Financial Reporting (the Statement);and
  • The Treasury Board of Canada Secretariat’s (the Secretariat’s) expectations for internal control management and departmental assessment progress.

This guideline supports the Policy on Internal Control.

2. Structure of the Guideline

Section 3 outlines the purpose of, and the templates for, the Statement. Sections 4and 5 detail the form and content of the annexes to be attached to the Statement. Section 6 provides a summary of the Secretariat’s expectations for internal control management and departmental assessment progress, as reported in the annex, for the three clusters of departments subject to the three-year transitional implementation plan for the Policy on Internal Control.

Appendices provide examples of templates for the two common types of annexes, as follows:

3. Statement of Management Responsibility Including Internal Controls Over Financial Reporting

The annual Statement of Management Responsibility Including Internal Control Over Financial Reporting, signed by deputy heads and their chief financial officers, accompanies the financial statements that are linked to, and published concurrently with, Departmental Performance Reports. 

The Statement acknowledges management’s responsibility for maintaining an effective system of internal control over financial reporting. It also refers to the annual assessment of the effectiveness of this system, conducted by management, along with the associated action plan for the next and subsequent fiscal years. As required by the Policy on Internal Control, a summary of the assessment and action plan is to be annexed to the Statement, excluding departments that have undergone a core control audit.

Templates for the Statement can be found in the Treasury Board Accounting Standard 1.2 – Departmental and Agency Financial Statements. Two templates are provided—one for departments not subject to core control audits and one for small departments subject to core control audits. Some parts of the templates can be customized.

The template for departments subject to core control audits makes a distinction between departments where a core control audit has taken place and departments where one has not. If a core control audit has taken place, the Statement should reference the audit report and the related action plan. Because these documents are deemed to provide appropriate disclosure of internal control management, an annex is not required and the reference to it has been removed.

4. Overview of the Annex to the Statement of Management Responsibility Including Internal Controls Over Financial Reporting

The annex to the Statement provides users of financial statements with summary information that demonstrates how well the departmental system of internal control over financial reporting is being managed through annual assessments and associated action plans. In the annex templates provided in this guideline, the expected content in previous annexes has been streamlined to reduce reporting burden.

It is understood that based on departmental size, complexity, risk, capacity, decentralization and other pertinent factors, the implementation and completion of the first full assessment of  key controls can take place over multiple years. The Policy on Internal Control recognizes these differences, and flexibility is provided for departments to take a multi-year approach to the assessment of their system of internal control over financial reporting. 

Internal Control Management

Beginning in 2013-14, See footnote [2] departments completing the standard annex are to include, in Section 2.1, a summary of the measures being taken to effectively manage departmental internal controls. Internal control management includes activities to ensure that key internal controls are assessed and periodically reassessed on a risk-basis and for monitoring purposes; corrective actions are being taken when necessary; and formal oversight of those activities takes place through effective governance, including the establishment of an internal control management framework and regular reporting to senior management, the deputy head and the departmental audit committee. 

Generally, an internal control management framework, approved by the deputy head, establishes the tone from the top and how effective internal control management will be practised in the department. The framework may include such elements as governance structure, roles and responsibilities for the management of internal controls, internal control measures in the performance management agreements of senior managers, an internal control management focus group under the chief financial officer, and annual validations of internal control management results (for example, requiring program assistant deputy ministers to sign off on controls management in their program areas).

Section 2 of the annex should also include the membership of the departmental audit committee, as well as the frequency and focus of its meetings.

Examples of language for internal control management, which may be adapted to reflect departmental practices, are found in Appendix A.

Status of Assessment

Departments publish their annexes on a fiscal year basis. Annexes provide an opportunity for departments to highlight not only the effectiveness of their management of internal controls but also the status of their assessment efforts. In this way, departments leverage and demonstrate the progress achieved since the prior year’s annex. Departments are expected to provide a high-level picture of the overall status of the full assessment process—what has been achieved to date and what still needs to be achieved to complete the full assessment of all key controls and control areas. Once the first full assessment has been completed, the organization’s annex should reflect the ongoing monitoring stage, as indicated in Scenario B of Appendix A.

5. Policy Statement

The format and the content of annex templates in published annexes up to 2011-12 have been streamlined to reduce reporting burden. Departments are encouraged to use the annex template appropriate to the department’s circumstances and to adapt, as necessary, the level of detail, content and key messages. 

A department newly subject to the Policy on Internal Control, such as a new government department, should contact the Office of the Comptroller General for guidance on policy requirements and on the development of an inaugural annex.

The two types of common annexes are:

  • Standard annex for departments not subject to core control audits: This annex is to be used by departments that have already started the assessment process under the Policy on Internal Control and have completed an annex for the previous fiscal year. The focus of this annex is the progress achieved since the prior fiscal year. It should be noted that departments can progress through the assessment of the control areas at different rates. That is, certain control areas can start a program of ongoing monitoring ahead of other areas, which would be reflected in the results and in the status and action plan information. Appendix A provides examples of the annex both before and after all the control areas have reached the ongoing monitoring stage.
  • Simplified annex for departments subject to core control audits: This annex is to be used by departments subject to core controls audits until such time as a core control audit has taken place. As the name implies, this annex is a simpler version of the standard annex and has been significantly amended to reflect the expectations for departments subject to core control audits, as described in Section 6.  

6. The Secretariat’s Expectations for Internal Control Management and Departmental Assessment Progress Reported in the Annex

For greater clarity and transparency, the Treasury Board of Canada Secretariat’s expectations of departments for internal control management and assessment progress are detailed below. The expectations for departmental assessment progress, while generalized, take into account the high diversity of departments. As the Secretariat’s expectations mature over time, they will be periodically updated and communicated to departments.

Internal Control Management

Large departments have reached a general state of maturity in the assessment of internal control over financial reporting. Senior departmental management is expected to remain committed to the sound management of its system of internal control over financial reporting, as demonstrated through the conduct of the department’s annual risk-based assessments. To support the assessment efforts and management commitment, departments will be expected to have in place a formalized internal control management framework, approved by the deputy head, that identifies such elements as internal control governance, accountabilities, measures in the performance management agreements of senior management, and any other key measures used by the department to manage internal controls.

Beginning with the 2013-14 annexes, a new section has been added to the standard annex for departments to summarize their departmental internal control management practices. 

Departments subject to core control audits will be expected to have in place, at a minimum, a framework with appropriate oversight and focus on the ongoing performance of their core controls and any related measures to mitigate additional key financial risks to their department.

Assessment Progress

The three-year implementation of the Policy on Internal Control See footnote [3] was completed with the publication of the 2011-12 financial statements and associated annexes. Many departments have been assessing their system of internal control for multiple years. With the publication of each subsequent annex, departments are expected to demonstrate reasonable assessment progress across all control areas (for example, entity-level controls, information technology [IT] general controls, and key business processes). Assessment progress relates to the movement from the documentation of key controls, through design and operating effectiveness testing, to the full ongoing monitoring stage.

Key factors that may influence the pace of progress and thus the overall departmental maturity of internal control management include:

  • Complexity of mandate;
  • Nature and complexity of key financial accounts and related risks;
  • Nature and extent of decentralization;
  • Nature of service arrangements with other government departments; and
  • Capacity.

The Secretariat’s expectations for departmental maturity in assessment progress, as reported in the annex, are as follows:

  • Cluster I (22 departments): Cluster I departments started assessing their system of internal control under the Audited Financial Statements Initiative that began in 2004, prior to the Policy on Internal Control. As a result, by the end of 2012-13, these 22 departments were expected to be nearing completion of operating effectiveness testing and ideally to be fully into the ongoing monitoring stage. 
  • Cluster II (17 departments not subject to core control audits): Because their departmental financial statements are audited, Cluster II departments are also expected to be advanced in operating effectiveness testing and possibly into the ongoing monitoring stage in some control areas.
  • Cluster III (12 departments not subject to core control audits): By the end of 2012–13, Cluster III departments were expected to be advanced in design effectiveness testing in some or all control areas, as applicable, and to have possibly started operating effectiveness testing in some control areas. 
  • Departments subject to core control audits (46 departments): Departments subject to core control audits are expected to ensure that their financial transaction controls (sections 32 to 34 of the Financial Administration Act) continue to perform as expected. In addition, these departments are expected to take appropriate measures to monitor other risk areas pertinent to their departmental system of internal control. Progress is reviewed through periodic audits of core controls and is sustained through departmental management oversight.

Appendix A: Example of a Standard Annex, for Departments Not Subject to Core Control Audits

Notes

  1. Sections 1 and 2 of this annex apply to all departments. Sections 3 and 4 are tailored to departments that have not yet completed the first full assessment (Scenario A) or that are at the ongoing monitoring stage for all of the control areas (Scenario B).
  2. For greater clarity of presentation, departments are encouraged to use tables rather than text in appropriate sections of the template.
  3. Departments that fall under Shared Services Canada should continue to address, in the annex, the assessment of any information technology (IT) general controls for the feeder systems or financial applications, for example, which departments continue to manage.

1. Introduction

This document provides summary information on the measures taken by [insert name of department] to maintain an effective system of internal control over financial reporting, including information on internal control management, assessment results and related action plans. 

Detailed information on the department’s authority, mandate and program activities can be found in the YYYY-YY Departmental Performance Report and the YYYY-YY Report on Plans and Priorities [link titles to the reports on the department’s website]. 

2. Departmental system of internal control over financial reporting

2.1 Internal control management See footnote [4]

The [insert name of department] has a well-established governance and accountability structure to support departmental assessment efforts and oversight of its system of internal control. A departmental internal control management framework, approved by the Deputy Head, is in place and includes:

  • Organizational accountability structures as they relate to internal control management to support sound financial management, including roles and responsibilities of senior managers in their areas of responsibility for control management;
  • Values and ethics;
  • Ongoing communication and training on statutory requirements, and policies and procedures for sound financial management and control; and  
  • At least semi-annual monitoring of and regular updates on internal control management, as well as the provision of related assessment results and action plans to the Deputy Head and departmental senior management and, as applicable, the Departmental Audit Committee.

The Departmental Audit Committee provides advice to the Deputy Head on the adequacy and functioning of the department’s risk management, control and governance frameworks and processes.    

2.2 Service arrangements relevant to financial statements

The [insert name of department] relies on other organizations for the processing of certain transactions that are recorded in its financial statements as follows.

Common Arrangements
  • Public Works and Government Services Canada centrally administers the payments of salaries and the procurement of goods and services in accordance with the [insert name of department] Delegation of Authority, and provides accommodation services;
  • The Treasury Board of Canada Secretariat provides [insert name of department] with information used to calculate various accruals and allowances, such as the accrued severance liability;
  • The Department of Justice Canada provides legal services to [insert name of department]; and
  • Shared Services Canada provides information technology (IT) infrastructure services to [insert name of department] in the areas of data centre and network services. The scope and responsibilities are addressed in the interdepartmental arrangement between Shared Services Canada and [insert name of department].
Specific Arrangements
  • An external service provider, pursuant to a contract with the Government of Canada, administers the [insert the name of the program or activity] on behalf of the [insert name of department]Branch program. The external service provider has the authority and responsibility to ensure that [insert the specific transactions or payments] are made in accordance with the terms and conditions set out by the [insert name of department]program. As a result, reliance is placed on the control procedures of the external service provider; and
  • [Insert name of department] provides the [insert name of applicable agency] with a SAP financial system platform to capture and report all financial transactions.

Note: If your department has not yet completed the first full assessment, go to Scenario A. If your department is fully into the ongoing monitoring stage, go to Scenario B.

Scenario A: Departments that have not yet completed the first full assessment

3. Departmental assessment results during fiscal year YYYY-YY

During YYYY-YY, the [insert name of department] completed all design effectiveness testing and most of its operating effectiveness testing of key control areas. Ongoing monitoring was implemented according to plan.

3.1 Design effectiveness testing of key controls

In YYYY-YY, the department completed design effectiveness testing of environmental liabilities, the last remaining key business process. Remediation of key control deficiencies is substantially advanced in this control area.

As a result of design effectiveness testing, the department identified the following required remediation:

  • Greater consistency in the quality and availability of documentation of controls and procedures across headquarters and the regions; and
  • Improvements to documentation in some areas, including improved rationale for the accounting treatment of environmental liabilities.

3.2 Operating effectiveness testing of key controls

In YYYY-YY, the department completed operating effectiveness testing of its IT general controls, transfer payments, and operating expenses and accounts payable. Required remediation has been completed for operating expenses and accounts payable and for IT general controls, with remediation still in progress for transfer payments. 

As a result of the operating effectiveness testing, the department identified the following required remediation:

  • Clarification of the roles and responsibilities for transfer payment program management and associated departmental policies and directives.

3.3 Ongoing monitoring of key controls

In YYYY-YY, the department completed planned ongoing monitoring of entity-level and payroll and benefits controls. 

As a result of ongoing monitoring, the department identified the following required remediation:

  • Increased awareness of entity-level controls though regular communications; and
  • Assurance that key controls for new employees working in the regions are operating consistently.

4. Departmental action plan

4.1 Progress during fiscal year YYYY-YY

During YYYY-YY, [insert name of department] continued to make significant progress in assessing and improving its key controls. The following table summarizes the department’s progress based on the plans identified in the previous fiscal year’s annex.

Progress During Fiscal Year YYYY-YY
Element in previous year’s action plan Status

Environmental liabilities: Design and operating effectiveness testing and remediation of deficiencies 

  • Design effectiveness completed, and remediation of design deficiencies advanced.
  • Operating effectiveness testing deferred until YYYY-YY because of other management priorities.

IT general controls, transfer payments, and operating expenses and accounts payable:  Operating effectiveness testing and remediation of deficiencies

  • Operating effectiveness testing and remediation completed for IT general controls and for operating expenses and accounts payable. 
  • Operating effectiveness testing completed, and remediation substantially advanced for transfer payments.

Entity-level controls and payroll and benefits: Ongoing monitoring

  • Rotational reassessment completed for entity-level controls and for payroll and benefits; remediation has started.

4.2 Status and action plan for the next fiscal year and subsequent years

Building on progress to date, the [insert name of department] is positioned to complete the full assessment of its system of internal control over financial reporting in YYYY-YY. At that time, the department will be applying its rotational ongoing monitoring plan to reassess control performance on a risk basis across all control areas. The status and action plan for the completion of the identified control areas for the next fiscal year and for subsequent years are shown in the following table.

Status and Action Plan for the Next Fiscal Year and Subsequent Years
Key control areas Design effectiveness testing and remediation Operational effectiveness testing and remediation Ongoing monitoring rotation See footnote [5]

Entity-level controls

Complete

Complete

YYYY-YY

IT general controls under departmental management

Complete

Complete

YYYY-YY

Capital assets

Complete

Complete

YYYY-YY

Environmental liabilities

YYYY-YY

YYYY-YY

Future years

Operating expenses and accounts payable

Complete

Complete

YYYY-YY

Payroll and benefits

Complete

Complete

YYYY-YY

Transfer payments

Complete

YYYY-YY

Future years

Revenue and accounts receivable

Complete

Complete

YYYY-YY

Financial close and reporting

Complete

Complete

YYYY-YY

Note: Specific commitments for the next fiscal year need to be identified. Commitments beyond the next fiscal year are to be identified with the planned year of completion or, if currently unknown, as “future years.”

Scenario B: Departments fully at the ongoing monitoring stage

3. Departmental assessment results during fiscal year YYYY-YY

The key findings and significant adjustments required from the current year’s assessment activities are summarized below.

New or significantly amended key controls: In the current year, there were no significantly amended key controls in existing processes which required a reassessment. Design and operating effectiveness testing was conducted on the key controls for a new payroll subsystem. Significant adjustments were not required for the new key controls.

Ongoing monitoring program: As part of its rotational ongoing monitoring plan, the department completed its reassessment of entity-level controls and the financial controls within the business processes of grants and contributions, capital expenditures, financial close, and master data on vendors and customers. For the most part, the key controls that were tested performed as intended, with remediation required as follows:

  • Significant control issues were found in the capital expenditure area related to segregation of duties and system access for asset custodians. A management action plan addressing recommendation was developed by the process owner. 

4. Departmental action plan

4.1 Progress during fiscal year YYYY-YY

The [insert name of department] continued to conduct its ongoing monitoring according to the previous fiscal year’s rotational plan as shown in the following table.

Progress During Fiscal Year YYYY-YY
Previous year’s rotational ongoing monitoring plan for current year Status

Entity-level controls, grants and contributions, financial close, and master data on vendors and customers

Completed as planned; no remedial actions required.

Capital expenditures

Completed as planned; remedial actions started.

In YYYY-YY, the department conducted the following work in addition to the progress made in ongoing monitoring:

  • Testing of the design and operating effectiveness of a new payroll subsystem. 

4.2 Action plan for the next fiscal year and subsequent years

The [insert name of department]’s rotational ongoing monitoring plan over the next three years, based on an annual validation of the high-risk processes and controls and related adjustments to the ongoing monitoring plan as required, is shown in the following table.

Rotational Ongoing Monitoring Plan
Key control areas Fiscal year
YYYY-YY
Fiscal year
YYYY-YY
Fiscal year
YYYY-YY

Entity-level controls

Yes

Yes

Yes

IT general controls under departmental management

Yes

Yes

Yes

Grants and contributions

Yes

Yes

Yes

Operating expenditures

Yes

No

Yes

Capital expenditures

No

Yes

No

Financial close

No

Yes

No

Master data on vendors and customers

No

Yes

No

Payroll

Yes

No

Yes

Revenue

No

Yes

No

[Insert the following text, as applicable:  In addition to the ongoing monitoring rotational plan, [insert name of department] plans to conduct the following assessment work (e.g., planned new or significantly amended key controls, deferred control work, remediation to be completed) in the years indicated.]

Appendix B: Example of a Simplified Annex, for Departments Subject to Core Controls Audits

1. Introduction

In support of an effective system of internal control, the [insert name of department] annually assesses the performance of its financial controls to ensure that:

  • Financial arrangements or contracts are entered into only when sufficient funding is available;
  • Payments for goods and services are made only when the goods or services are received or the conditions of contracts or other arrangements have been satisfied; and
  • Payments have been properly authorized.

The [insert name of department] will leverage the results of the periodic core control audits performed by the Office of the Comptroller General. Below is a summary of the results of the assessment conducted during fiscal year YYYY-YY.

2. Assessment results during fiscal year YYYY-YY

For the most part, controls related to payment for goods and services and payment authority were functioning well and form an adequate basis for the department’s system of internal control. Some adjustments to reinforce segregation of duties were identified and addressed during the fiscal year.

3. Assessment plan

The [insert name of department] will continue to monitor the performance of its system of internal control, with a focus on the core controls related to financial transactions.

Date modified: