Audit of Internal Controls over Financial Reporting

July 2016

Table of Contents

  1. Executive Summary
    1. Introduction
    2. Audit Objective and Scope
    3. Findings and Conclusion
  2. Background
  3. Audit Approach
  4. Report Structure
  5. Audit Findings
    1. Internal Control Design Effectiveness
    2. Conclusion
    3. Recommendations
    4. Internal Control Operating Effectiveness
    5. Conclusion
    6. Recommendations
    7. Ongoing Monitoring
    8. Conclusion
    9. Recommendations
  6. Findings and Conclusion
  7. Statement of Conformance
  8. Management Action Plan
  9. Annex A
  10. Annex B
  11. Annex C
    1. Procure to Pay Business Process
    2. Transfer Payment Business Process
    3. Transfer Payment - FDP
    4. Financial Close Business Process

1 Executive Summary

Introduction

In 2009, Treasury Board introduced the Policy on Internal Control ("policy") to strengthen public sector financial management, internal controls and financial reporting. Under this policy, the Deputy Minister is responsible for ensuring the establishment, maintenance and monitoring of the departmental system of internal control. Management at Infrastructure Canada is responsible for the integrity and objectivity of the information contained in the department's financial statements and for maintaining an effective system of internal control over financial reporting (ICFR). The ICFR was designed to provide reasonable assurance that financial information is reliable, that assets are safeguarded and that transactions are properly authorized and recorded in accordance with the Financial Administration Act and other applicable legislation, regulations, authorities and policies.

The policy requires that departments develop a control framework and conduct an annual self-assessment of the ICFR. Infrastructure Canada developed and implemented a Control Framework and Multi-year Risk Based Plan ("Framework") and the Policy and Internal Control (PIC) unit within the Corporate Services Branch undertook the first self-assessment of the ICFR in 2014-2015. This self-assessment led to the identification of control deficiencies and the development of a remediation plan, which is currently being implemented.

This audit focused on both the design of the system of ICFR and the re-testing of internal controls from the self-assessment.

Audit Objective and Scope

The audit objective was to provide assurance that Infrastructure Canada had designed and maintained an effective system of internal controls over financial reporting for four selected business processes: Transfer Payments; Transfer Payments including Federal Delivery Partners (FDP); Procure-to-Payment; and Financial Statement Close.

The testing of controls covered the timeframe of April 1st, 2014 to March 31st, 2015.

The audit does not provide an opinion on the accuracy of balances reported in the financial statements prepared by the Department.

Findings and Conclusion

The Department has designed a system of ICFR which includes a Framework for risk-based assessment and monitoring as required under the Policy on Internal Control. That said, during the first year of testing it was found that the Framework was not fully followed by the PIC team and while controls for selected business processes are in place, not all controls are fully functioning as intended. It is the opinion of the Chief Audit and Evaluation Executive (CAEE) that the Department is progressing as expected in its implementation of an effective ICFR for the selected business processes and we expect that they will continue to improve as the organization gains maturity with respect to the policy.

Based on looking at INFC in the context of a process maturity model, we expected to find that, in this early stage of implementation of the PIC, there are controls that either do not work as intended or that are not sufficiently repeatable. This is, in fact, what we observed. Some control processes will need to be re-designed, while for others more consistency in application is required in order to bring error rates down to acceptable levels. Regarding the latter point, it is important to note that the PIC demands that INFC provide reasonable, not absolute, assurance from its ICFR.

History has shown that full compliance with the PIC is challenging and requires organizational commitment over the long term. For example, the Office of the Auditor General of Canada's (OAG) June 2011 audit of seven large departments in the first wave of implementation of the ICFR found that none had fully assessed their ICFR. In their 2013 follow-up audit, the OAG found that five of the seven audited departments including the Treasury Board of Canada Secretariat had still made unsatisfactory progress in response to OAG 2011 recommendations. In addition, many departments were forecasting that they would need several more years to fully implement the policy requirements, including an additional one to three years to complete the first full assessments of their internal controls.1

Our audit also found that opportunities for improvement exist in terms of achieving full compliance with the specific requirements of Infrastructure Canada's current Framework as well as in adopting some best practices. More specifically, with respect to the testing controls for external financial reporting, the design effectiveness assessment tools and processes need to be further standardized and assessment results better documented. In addition, the audit determined that while the Framework includes a strategy for conducting operational effectiveness testing that includes adequate associated guidance and tools, the strategy is not always followed fully. 

Infrastructure Canada's mandate has changed since the Framework was designed. As a result, the department is revisiting its existing Framework to ensure that it reflects recent significant changes to its operating environment, such as being responsible for the New Bridge for the St. Lawrence, Public–Private Partnerships Canada (P3 Canada), the Toronto Waterfront Revitalization Initiative and the Windsor-Detroit Bridge Authority. This will help the department ensure that its ICFR reflects the full spectrum of risks it is facing and more effectively design and maintain its system of ICFR.

The audit's recommendations focus on specific ways to strengthen the internal control systems. They include more clearly defined roles and responsibilities, improved documentation, standardized tools and some new or modified processes. Management is in agreement with all of the recommendations stemming from this audit. The detailed recommendations and corresponding management action plans are found on page 25 of this report.

The PIC was introduced by Treasury Board to strengthen departments' internal controls over financial reporting, to clarify accountabilities and to improve consistency across the federal government. It is important to recognize that prior to the PIC, the INFC already had a system of internal controls over financial reporting in place, including key elements such as segregation of duties, delegation of authorities and a variety of policies. The ICFR builds on this base, and as such, the department is well placed too. 

Overall, as the Policy on Internal Control unit is identifying ineffective controls and implementing the resulting action plans, we can conclude that senior management can rely on the system in place for the ICFR for the selected business processes. It is important to recognize, however, that our conclusion is based on INFC continuing its efforts to strengthen its ICFR and achieve full compliance with the PIC over time. Absent such a commitment, the existence of persistent, unaddressed weaknesses in internal controls may increase the risk of material financial error to unacceptable levels.

To provide management with assurance that the ICFR is evolving as expected, an audit of ICFR – Entity Level Controls (ELCs) and IT General Controls (ITGCs) is planned for fiscal year 2018-2019. As part of this engagement, Internal Audit will also conduct re-performance of design and operating effectiveness testing completed by the PIC unit as a follow-up to the current ICFR audit.

2 Background

Purpose

The Treasury Board Policy on Internal Control (policy) was put in place in April 2009 to strengthen public sector financial management. The objective of the policy is to manage risks relating to the stewardship of public resources through effective internal controls, including internal controls for financial reporting (ICFR).

The policy is designed to ensure that an effective risk-based system of internal control exists and that an effective system of ICFR is operating as demonstrated by the departmental Statement of Management Responsibility Including Internal Control over Financial Reporting.

More specifically, the policy requires Deputy heads to ensure the following are done:

  • establish, maintain, monitor and review an effective system of internal controls;
  • conduct an annual risk-based assessment of the system of ICFR;
  • establish an action plan to address significant issues found in the assessment and ensure appropriate and timely action is taken to address issues; and
  • publish a summary of the assessment results and actions taken in response.

The policy requires organizations to design, document, and implement three levels of controls:

  • Entity level controls - controls that are pervasive across a department and include measures taken by management to equip staff to manage risks through raising awareness, providing appropriate knowledge and tools, as well as developing skills. Examples include: values and ethics code, hiring standards, staff training, risk management, communication and monitoring. Entity level controls set broad expectations for the manner in which the Department pursues its objectives and has an impact on the reliability of business process controls and IT general controls.
  • Business process controls - are both manual and automated controls, embedded in business processes applicable to financial transactions (e.g. Transfer Payments, Transfer Payments including Federal Delivery Partners (FDP), Procure-to-Payment, Financial Statement Close and Payroll business processes).
  • IT general controls (ITGC) – are those controls relative to an organization's general IT infrastructure and systems (e.g. user account administration, change management processes, backup and recovery). However, automated application controls are documented as part of business process controls (and not IT general controls).

Infrastructure Canada Assessment of ICFR

Infrastructure Canada was part of the third cluster of government departments and agencies to implement the Policy on Internal Control as directed by the Treasury Board Secretariat. Infrastructure Canada was required to report on compliance with the Policy as of March 31, 2012.

The Treasury Board Secretariat Management Accountability Framework (MAF) Assessment for 2012-13 identified that Infrastructure Canada did not demonstrate sufficient progress in the documentation of the IT General Controls over its ICFR or in assessing the effectiveness of the system of ICFR. As such, the departmental rating fell from "acceptable" to "attention required" in this area. In addition, Infrastructure Canada was encouraged to advance its assessment of IT General Controls and Entity Level Controls and to continue to make progress on the assessment of its business processes.

In 2013-2014, the Ernst & Young firm was hired to assist the department in achieving compliance with the policy, including development of a Control Framework and Multi-year Risk Based Plan ("Framework") for fiscal years 2014-2015 to 2017-2018.

According to Infrastructure Canada's Framework, the assessment of the system of ICFR is a risk-based process to determine control objectives, to identify, document and test key controls, and to identify gaps in controls. It is based on the internationally accepted Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework, and involves five basic steps to be performed by the Policy and Internal Control (PIC) unit within Corporate Services Branch:

  1. Documentation – which consists of updating business control documentation and identifying the impact of any changes in processes with business process owners.
  2. Design effectiveness testing – which consists of ensuring that key controls are included, aligned and balanced with the risks they aim to mitigate.
  3. Operating effectiveness testing – which consists of applying key controls over a defined period.
  4. Reporting of assessment results – which consists of the identification of internal control deficiencies by the PIC unit and communication to each business process owner. Business process owners are responsible for providing management action plans to address the deficiencies with target timelines for completion. Further, the findings and recommended remediation actions are reported to the department's senior management (Departmental Management Committee and Departmental Audit Committee).
  5. Ongoing monitoring – which consists of periodic risk-based assessments as per a multi-year monitoring plan. These assessment exercises ensure the continuous improvement of the departmental system of ICFR.

(Definitions and more details on the steps for documentation, assessment and reporting on ICFR are found in Annexes A and B.)

In 2014-2015, the assessment of the design and operating effectiveness of internal controls for selected business processes was completed for the first time by the PIC unit in accordance with the Framework. The testing led to the identification of control deficiencies, and a remediation plan was developed and is being implemented.

Audit Objective and Scope

The audit objective was to provide assurance that Infrastructure Canada had designed and maintained an effective system of internal controls over financial reporting for four selected business processes: Transfer Payments; Transfer Payments including Federal Delivery Partners (FDP); Procure-to-Payment; and Financial Statement Close.

The testing of controls covered the timeframe of April 1st, 2014 to March 31st, 2015.

The audit does not provide an opinion on the accuracy of balances reported in the financial statements prepared by the Department.

Audit Approach

The approach and methodology used for this audit conforms to the Internal Auditing Standards for the Government of Canada, the Treasury Board Policy on Internal Audit and the Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing.

Audit criteria were sourced from the Treasury Board Policy on Internal Control, the Directive on Internal Control, as well as relevant elements of the Office of the Comptroller General's Audit Criteria Related to the Management Accountability Framework.

The criteria were designed to determine if the Framework that Infrastructure Canada had implemented contained the elements required by the policy, and if Infrastructure Canada was following its Framework. However, determining whether all the elements of the Framework were well-suited to the context of the Department was not within the scope of this audit engagement.

The audit team examined sufficient, reliable and relevant evidence to provide a reasonable level of assurance in support of the audit conclusion. The audit techniques included:

  • Interviews and walkthroughs with key individuals across the department;
  • Reviews of key business process narrative, flowcharts and control matrices;
  • Reviews of process documentation, design assessments, operating effectiveness testing documentation, reports, remediation plans, progress updates, internal control Frameworks, methodologies and other relevant documentation; and
  • Re-performance of design and operating effectiveness testing completed by the PIC unit to validate approach and findings.

The auditors also tested the operating controls related to Transfer Payments delivered by Federal Delivery Partners (FDP). This had not been tested by the PIC unit as part of their assessment of controls over selected business processes during 2014-2015, as it was scheduled for testing during 2015-2016. In conducting this work, the auditors applied the sampling approach described in the Framework.

Report Structure

The report is comprised of three sections:

  • Internal Control Design assessment
  • Internal Control Operating assessment
  • Ongoing Monitoring assessment

For each of the above, the report includes important contextual information on what the audit expected to find, the overall findings, supported by specific observations, and the audit recommendations.

The last section of the report is management's action plan to address the audit recommendations.

Audit Findings

Internal Control Design assessment


Audit Criteria 1: Internal controls over financial reporting for selected business processes were designed in compliance with the policy, documented and assessed.

It was expected that:

  • The control framework and responsibility for the assessment, remediation and ongoing monitoring of ICFR were defined and comprehensive;
  • ICFR for selected business processes were developed in compliance with the policy, documented and took into account the risks they aimed to mitigate; and,
  • ICFR for selected business processes were assessed by the PIC unit during the 2014-2015 fiscal year.

Conclusion:

We found that the ICFR were designed and documented in compliance with the policy, and that the PIC unit did assess internal controls for selected business processes for design effectiveness for the 2014-2015 fiscal year as planned in the Framework. However, there are opportunities to strengthen controls in the areas of defining roles and responsibilities, clarifying assumptions and standardizing documentation requirements.

More specifically, the audit found that:

  • The control Framework and responsibility for the assessment, remediation and ongoing monitoring of ICFR were defined in the Framework. However, the PIC unit's specific roles and responsibilities were not defined and the overall risk assessment methodology did not clearly define the quantitative and/or qualitative assumptions used to assign risk level to each selected business process.
  • While ICFR for selected business processes were developed and documented in compliance with the policy, the annual risk analysis for selected business processes was not completed with business owners prior to testing the business control design effectiveness. The audit also found various formats of control matrices were used, controls documentation was not always dated, and management sign-offs were missing.
  • Automated key controls were not documented in the process narratives and flowcharts for each selected business process.
  • The PIC unit did not include supporting documents in all testing files or clearly document where supporting documentation is kept.

Summary of findings:

Sub-criteria 1.1: The comprehensiveness of the Control Framework and Multi-Year Risk Based Plan

The Framework defines Infrastructure Canada's control framework and responsibilities for the assessment, remediation and ongoing monitoring of ICFR, including the responsibility for monitoring and maintenance of the Multi-Year Risk-Based Plan.

The Framework describes the department's organizational structure and outlines senior management's roles and responsibilities. It also summarizes the responsibilities of the advisory committees and the accountabilities related to the assessment and reporting against ICFR and monitoring expectations. In addition, it includes a multi-year risk based plan, which defines the level of risk and relative priority being assigned to each of the three core areas of internal control (entity, transaction and IT level), and serves as the basis for the detailed multi-year approach.

A review of the Framework found that the PIC unit's roles, responsibilities and accountabilities were not described. As the Framework is a planning document, including the roles, responsibilities and accountabilities of the PIC unit will enable Infrastructure Canada to better meet the requirements of the policy and to ensure that the PIC unit understands its mandate and accountabilities.

Innovation, Science and Economic Development Canada is the host of Infrastructure Canada's departmental financial management system, the Integrated Financial Management System (IFMS). The service arrangement also includes system support. The audit found that the roles and responsibilities of the financial systems service provider were not referenced in the Framework, although given that this information is available in the MOU, it is not a risk for the Department.

Moreover, the audit found that the overall risk assessment methodology did not clearly define the quantitative and/or qualitative assumptions used to assign the risk level to each selected business process. The quantitative and/or qualitative assumptions are important components for the identification of the risk level for each financial business process, and they drive the overall testing strategy.

During the audit, the Corporate Services Branch indicated that they were considering revisiting the Framework in order to reflect Infrastructure Canada's evolving environment, given the government's changing priorities. As a result of changes that occurred after the audit period, such as the addition of the New Bridge for the St. Lawrence Corridor Project to Infrastructure Canada and the establishment of a new capital asset business process, the current Framework no longer addresses all of the risks being faced by the department. Internal Audit concurs that when the Framework is revised, these elements will have to be taken into consideration.

Risk and potential impact:

Given that the PIC unit's roles, responsibilities and accountabilities were not described in the Framework, there is a risk that the PIC unit may not be able to effectively carry out its mandate. In addition, an unclear risk assessment methodology could increase the risk of misinterpretation and inadequate application of the Framework and, in some cases, may not provide the desired or expected results.

Sub-criteria 1.2: Internal control documentation and risk mitigation for selected business processes

The documentation of the business processes' internal controls helps develop an understanding of each business process from beginning to end, and to document transaction cycle flows. These include the processes for initiating, authorizing, recording, processing, and reconciling accounts and transactions that affect financial reports as per the policy.

Completed internal control documentation is comprised of three documents: a process narrative; a process flowchart; and a risk and control matrix. The documentation assists PIC unit members in identifying the controls that support the assertions made by management related to those accounts or transactions and it helps the PIC unit in identifying the areas in the processes where a processing error or a misstatement due to error or fraud could potentially occur.

The PIC unit followed a standardized approach to document each selected business process. They first acquired an understanding, from beginning to end, of the selected business processes and considered the flows involved in each financial transaction cycle. The PIC unit documented selected business processes, and narratives, flowcharts, and control matrices were reviewed with business process owners to determine whether there were any significant changes to their processes.

It was noted that during these document updates, control documents were not always dated and there were no sign offs to show that management had accepted the documentation as a correct representation of the process and controls.

Auditors also noted that risks related to each key control were not validated and updated with process owners annually to ensure related controls were appropriate to remediate risks and to reflect Infrastructure Canada's changing business environment.

More specifically, our review of the business process documents – narratives and flow charts; and risk and control matrices – found the following:

  • Findings - Narratives and flow charts

The process narrative is a written description that provides detail and context to the process / controls. The process flowchart is a visual depiction of the process broken down by step, location of control and control owner. Further descriptions of these processes are detailed in Annex C.

The audit found that automated controls were not documented in the process narratives and flowcharts for each selected business process. These automated controls relate to system configurations, user access and segregation of duties. They were identified and evaluated by the PIC unit during the assessment of the operating effectiveness of key controls but were not documented in the narratives or flow charts. As such, design control documentation did not reflect all current key controls.

In addition, all narratives and flow charts were missing the name and title of the author, and in some instances the business owners' approval and the dates these documents were prepared, updated and approved.

  • Findings - Risk and control matrices

Risk and control matrices were designed to document risks and controls and to report on the design and operating effectiveness in order to identify gaps between actual controls and specific control objectives and risks. More specifically, these matrices were used to summarize the design and operating effectiveness testing for each business process carried-out by the PIC unit.

These matrices linked the activities to their original objectives and to the narrative descriptions for each business process and cross-referenced it to the risks they addressed. They also identified the impact and likelihood of risks that needed to be mitigated.

Risk and control matrices also provide information on financial statement assertions (Completeness, Cut-off, Accuracy, Authorization, Valuation, Ownership and Presentation), whether controls are preventive or detective, the type (anti-fraud, management review, reconciliation, segregation of duties, system access), the nature (automated/manual), and the control owner. They also present the design walkthrough procedures, findings, conclusion (effective/ineffective), the conclusion and management action plan follow-up and implementation date. More specifically, the matrices identify places in the processes where an error or a misstatement due to error or fraud may occur.

The audit team found that various formats had been used to document risk and control matrices during the documentation updates with business process owners, rather than one consistent version of the template as required in the Framework. These templates were also missing critical information such as instructions for certain fields. In addition, information was not completed in a consistent manner.

Finally, fields in the matrices pertaining to the impact and likelihood of control risks requiring mitigation were not completed with business owners during the 2014-2015 fiscal year documentation update.

Risk and potential impact:

A well-documented, current and formally approved business process is a critical component of the Policy as it facilitates management's identification of key controls, which is necessary for effective oversight. It also contributes to internal and external assurance activities. Without formal approval and "sign-off" by process owners on process documentation and testing results, it may be difficult to hold process owners accountable for maintaining business process controls.

In addition, when key automated controls are not documented in the narratives and flow charts, this may impede the PIC unit's ability to detect issues related to segregation of duties, configuration and system access controls.

The PIC unit uses different versions of risk and control matrices and does not update control risks on an annual basis. The potential impacts are that the controls tested may no longer mitigate the targeted risks and significant changes may not be assessed in a timely manner.

Sub-criteria 1.3: Internal control design to prevent or detect material errors for selected business processes

Internal Control design effectiveness testing is performed to determine whether key controls are effective to prevent or detect material errors or misstatements related to the business processes. Typically, it involves a walkthrough being performed from start to finish using a specific transaction. Walkthroughs provide the PIC unit the ability to validate the accuracy of the process documentation as well as assess the design of the controls, and to confirm that controls are in place as expected.

The design effectiveness was assessed by the PIC unit in the fall of 2014 using walkthrough documentation for each in-scope internal control business process scheduled for testing.

Re-performance results and design effectiveness assessment

The auditors re-performed the testing of the design effectiveness of the same transactions and key controls that were reviewed and assessed by the PIC unit. As such, for each selected business process, the audit team was provided the same documentation to perform the same walkthrough.

In the course of the audit team's re-performance, it was noted that supporting documentation for control testing related to the proper application of delegation instruments, specimen signature cards, and financial signing authorities exercised was missing from the files. Hence, the audit team was unable to trace all transactions in order to reach the same conclusion as the PIC unit on the testing results.

In conducting its testing, the PIC unit had identified 9 out of 38 controls that were not designed properly. The audit team concurred, but identified a further 3 controls for improvement. We also noted that a management action plan had been developed to implement specific corrective actions.

In conclusion, the PIC unit assessed internal controls for selected business processes for design effectiveness for the 2014-2015 fiscal year as planned in the Framework. However, auditors were unable to reach the same conclusion as the PIC unit in all cases retested. This was mainly due to the absence of documentation on file to support delegations of authority to provide evidence of control testing.

Risk and potential impact:

Without consistent and complete information and documentation on file (or references to where the information can be found) to substantiate the testing procedures, and to trace transactions of control testing performed, the PIC unit may not be able to provide a high level of assurance over the design effectiveness of key controls for certain business processes.

There will be no recommendation related to this risk as this area was included in the Delegated Authorities audits completed in 2015-2016.

Recommendations

It is recommended that:

  • The Framework be revised to ensure that the PIC unit's roles and responsibilities are clearly defined and the risk assessment methodology adequately describes the materiality assumptions used to assign a risk level to each selected business process.
  • Automated controls design be properly documented to ensure the completeness and accuracy of process documentation.
  • A periodic risk analysis be performed with the business owner prior to testing control design and operating effectiveness.
  • A formal approval and "sign-off" of control documentation by process owners be in place in order to strengthen accountability.
  • A consistent risk and control matrix be used to document controls, and all fields be defined and completed during the documentation update and design and operating effectiveness assessment.

Internal Control Operating Effectiveness


Audit Criteria 2: Internal controls over financial reporting for selected business processes are operating effectively as intended.

It was expected that:

  • Operating effectiveness testing methodology is in line with Infrastructure Canada's Control Framework and Multi-year Risk Based Plan.
  • ICFR for selected business processes were assessed to ensure that they are working as intended and consistently producing expected results.

Conclusion:

It was determined that the sampling methodology and operating effectiveness testing were not performed in accordance with the Framework in terms of sampling size, risk and testing schedule. Furthermore, while the ICFR for selected business processes were assessed by the PIC unit, auditors were unable to reach the same conclusion as the PIC unit as supporting documentation was not available.

Sub-criteria 2.1: Testing Strategy

Infrastructure Canada has developed and documented its strategy for completing tests of effectiveness of key controls in the Framework. The testing strategy describes the scope, approach, methodology, basis for sampling sizes, frequency (testing plan with timelines) and lists the business processes to be assessed. Within this context, testing is conducted by selecting and testing a sample of transactions, the size of which is dependent on the inherent risk rating assigned to the control area and the frequency of the occurrence of the control in question based on an established schedule.

The audit found that the sampling strategy was not applied consistently by the PIC unit and that it did not conform to the sample size and risk described in the Framework. For example, "financial close" business process controls were tested using sample sizes that were smaller or larger than expected.

In addition, the key controls for the selected business processes were tested for operating effectiveness at the same time as the design effectiveness testing rather than according to the testing schedule established in the Framework.

Risk and potential impact:

When controls are tested for operating effectiveness at the same time as the design effectiveness testing, there is no opportunity to address identified control design deficiencies or to revise sample sizes to reflect the updated control risk.

The PIC unit's approach to testing, including the plan, timelines, and sample sizes for each in-scope business process, did not comply with the Framework. As such, there is a risk that their testing strategy may not be relevant and timely to monitor the operating effectiveness of the internal controls.

Sub-criteria 2.2: Operating effectiveness assessment

The operating effectiveness assessment of ICFR for selected business processes was completed for fiscal year 2014-2015 by the PIC unit. The testing led to the identification of control deficiencies and a remediation plan was developed and is being implemented by business owners.

Re-performance results

The audit team re-performed the operating effectiveness testing done by the PIC unit to ensure that internal controls consistently produced expected results for the following business processes: Transfer Payments, Procure-to-Payment, and Financial Statement Close.

The audit team found that, generally, controls tested were operating effectively, as designed and implemented.

In the course of the audit team's re-performance, it was noted that supporting documentation for control testing was missing on file. As a result, 23 out of 42 (55%) of those controls tested by the auditors could not be concluded upon due to the absence of documentation related to the proper application of delegation instruments, specimen signature cards and financial signing authorities.

Of the controls that auditors were unable to assess, 11 of 23 or 47% were identified by the PIC unit as ineffective or as an area for improvement. A Management Action Plan was developed to implement specific corrective actions.

In conclusion, the PIC unit has assessed internal controls for selected business processes for operating effectiveness for the 2014-2015 fiscal year as planned in the Framework. However, auditors were unable to reach the same conclusion as the PIC unit in all cases. This was mainly due to the absence of supporting documentation on file to provide evidence of control testing.

Risk and potential impact:

Without adequate information and sufficient supporting documentation on file to support the nature and extent of the control testing performed, there is a risk that the PIC unit may not be able to validate the results of its operating effectiveness testing.

Recommendations

It is recommended that:

  • Control testing protocols and sampling strategies be in conformance with the size and risk identified and the timing of the testing be applied as per the Framework. Alternatively, should the Framework no longer be reflective of Infrastructure Canada's context, operations and risks, it will be amended.
  • Testing be sufficiently documented, with information retained to support and substantiate the nature and extent of testing performed by the PIC unit.

Ongoing Monitoring


Audit Criteria 3: The internal controls over financial reporting for selected business processes were effectively monitored.

It was expected that:

  • Internal control deficiencies were identified and Management Action Plans were developed to address any significant issues.
  • Design and operating effectiveness testing results were shared with senior management and business processes owners in a timely manner.
  • Management Action Plans for the design and operating effectiveness assessment were implemented in a timely manner.

Conclusion

The ICFR for selected business processes were effectively monitored:

  • Internal control deficiencies were identified and Management Action Plans were developed to address any significant issues.
  • Once design and operating effectiveness testing had been conducted, results were shared with senior management and business processes owners in a timely manner.
  • There is an opportunity to improve the monitoring of Management Action Plans by adding completion dates and by presenting deficiencies based on risk rank.

Sub-criteria 3.1: Internal control deficiencies were identified and Management Action Plans were developed

The Framework provides context on the ongoing monitoring and oversight of ICFR. Management is required to consider the potential impact that control weaknesses may have on the integrity of financial statements, as well as monitor the implementation of remedial actions required to address specific control deficiencies. As part of the process, there should be timely reports to the Chief Financial Officer (CFO) and senior management on the nature of the results of the assessments and the associated action plans.

Auditors confirmed that, when the design and operating effectiveness testing was completed by the PIC unit, internal control deficiencies and related recommendations were identified and communicated to each business process owner.

The audit identified evidence of business process owners acknowledging the recommendations made, as well as providing action plans for remediation. Specifically, business process owners were responsible for addressing remediation action by providing Management Action Plans and target timelines for completion.

Sub-criteria 3.2: Reporting of results to senior management and business processes owners

The audit found that reporting of design and operating effectiveness testing was done by the PIC unit, and that the unit followed up regularly with business process owners on outstanding recommendations to address control deficiencies within their area of responsibility.

In addition, the audit confirmed that the design and operating effectiveness findings and recommended remediation actions were reported internally and externally.

Internally, the design effectiveness findings and Management Action Plans were communicated to the Departmental Management Committee (DMC), the Departmental Audit Committee (DAC) and the Deputy Minister. In addition, the design effectiveness test results were reported to the Director General Finance and Contracting and the Deputy Chief Financial Officer (DCFO) through regular bi-lateral meetings and discussions.

Externally, the annual Annex to the Statement of Management Responsibility that was presented to the DAC and signed by the Deputy Minister and CFO, was posted on the departmental website as a component of the departmental financial statements.

Sub-criteria 3.3: Management Action Plans were implemented in a timely manner

The PIC unit established a formalized process to monitor and report on the implementation of recommendations and the status on progress of action plans that were identified through controls testing.

A status report on management action plans template was completed for testing done in 2014-2015 and identified remediation actions as 'Completed', 'Underway' or 'Not Started', as well as target dates and the business process owner responsible for its implementation.

As of February 2016, 39 Management Action Plans were completed and 4 were underway.

The auditors also found that the status report on management action plans template did not indicate an actual completion date or whether amendments were made to the original dates of the action in order to identify how long a recommendation had been outstanding. This does not allow auditors to assess whether Management Action Plans were implemented in a timely manner.

In addition, findings in the status reports on management action plans template were not presented based on risk ranking (high to low). This is important to ensure that management's implementation of remedial activities is appropriately focused on areas of higher risk and significance to the department.

Risk and potential impact:

Identifying timelines of implementation would provide senior management with a more complete picture of the progress made to address recommendations and better support informed decision making.

Recommendations

It is recommended that:

  • Status reports on Management Action Plans resulting from monitoring activities be presented based on risk ranking and clearly identify whether remediation actions were implemented by the originally approved completion dates.

Findings and Conclusion

The Department has designed a system of ICFR which includes a Framework for risk-based assessment and monitoring as required under the Policy on Internal Control. That said, during the first year of testing it was found that the Framework was not fully followed by the PIC team and, while controls for selected business processes are in place, not all controls are fully functioning as intended. It is the opinion of the Chief Audit and Evaluation Executive (CAEE) that the Department is progressing as expected in its implementation of an effective ICFR at the selected business processes level and we expect that it will continue to improve as the organization gains maturity with respect to the policy.

Based on looking at INFC in the context of a process maturity model, we expected to find that, in this early stage of implementation of the PIC, there are controls that either do not work as intended or that are not sufficiently repeatable. This is, in fact, what we observed. Some control processes will need to be re-designed, while for others more consistency in application is required in order to bring error rates down to acceptable levels. Regarding the latter point, it is important to note that the PIC demands that INFC provide reasonable, not absolute, assurance from its ICFR.

History has shown that full compliance with the PIC is challenging and requires organizational commitment over the long term. For example, the Office of the Auditor General of Canada's (OAG) June 2011 audit of seven large departments in the first wave of implementation of the ICFR found that none had fully assessed their ICFR.

In their 2013 follow-up audit, the OAG found that five of the seven audited departments including the Treasury Board of Canada Secretariat had still made unsatisfactory progress in response to OAG 2011 recommendations. In addition, many departments were forecasting that they would need several more years to fully implement the policy requirements, including an additional one to three years to complete the first full assessments of their internal controls. (Footnote 2)

Our audit also found that opportunities for improvement exist in terms of achieving full compliance with the specific requirements of Infrastructure Canada's current Framework as well as in adopting some best practices. 

More specifically, with respect to the testing controls for external financial reporting, the design effectiveness assessment tools and processes need to be further standardized and assessment results better documented. In addition, the audit determined that while the Framework includes a strategy for conducting operational effectiveness testing that includes adequate associated guidance and tools, the strategy is not always followed fully. 

Infrastructure Canada's mandate has changed since the Framework was designed. As a result, the department is revisiting its existing Framework to ensure that it reflects recent significant changes to its operating environment such as being responsible for the New Bridge for the St. Lawrence, Public–private partnerships Canada (P3 Canada), the Toronto Waterfront Revitalization Initiative and the Windsor-Detroit Bridge Authority. This will help the department ensure that its ICFR reflects the full spectrum of risks it is facing and to more effectively design and maintain its system of ICFR.

The audit recommendations focus on specific ways to strengthen the internal control systems. They include more clearly defined roles and responsibilities, improved documentation, standardized tools and some new or modified processes.

Management is in agreement with all the recommendations stemming from this audit. The detailed recommendations and corresponding management action plans are found on page 25 of this report.

The PIC was introduced by Treasury Board to strengthen departments' internal controls over financial reporting, to clarify accountabilities and to improve consistency across the federal government. It is important to recognize that prior to the PIC, the INFC already had a system of internal controls over financial reporting in place, including key elements such as segregation of duties, delegation of authorities and a variety of policies. The ICFR builds on this base, and as such, the department is well placed too. 

Overall, as the Policy on Internal Control unit is identifying ineffective controls and implementing the resulting action plans, we can conclude that senior management can rely on the system in place for the ICFR for the selected business processes. It is important to recognize, however, that our conclusion is based on INFC continuing its efforts to strengthen its ICFR and achieve full compliance with the PIC over time. Absent such a commitment, the existence of persistent, unaddressed weaknesses in internal controls may increase the risk of material financial error to unacceptable levels.

To provide management with assurance that the ICFR is evolving as expected, an audit of ICFR – Entity Level Controls (ELCs) and IT General Controls (ITGCs) is planned for fiscal year 2018-2019. As part of this engagement, Internal Audit will also conduct re-performance of design and operating effectiveness testing completed by the PIC unit as a follow-up to the current ICFR audit.

Statement of Conformance

The audit conforms to the International Standards for the Professional Practice of Internal Auditing and the Internal Auditing Standards for the Government of Canada as supported by the results of the quality assurance and improvement program.

Management Action Plan

The Assistant Deputy Minister, Corporate Services Branch wishes to note that:

As mentioned in the audit report, Infrastructure Canada first formalized its ICFR processes with the help of a consultant in 2013-14. As the department continues to develop its comfort and capabilities related to ICFR, ongoing refinement of the Framework and related processes will be required.

ICFR testing is administered in accordance with an annual testing cycle. Any changes to the Framework or related processes may take up to a year before the impact of those changes is known. As such, the planned Framework update process will be iterative and will evolve and be refined over the coming years.

For all recommendations, progress will be made throughout 2016-17; however, formalized, standardized, and/or approved documentation will likely not be completed until the 2017-18 internal control cycle.

The Assistant Deputy Minister, Corporate Services Branch is responsible for the implementation of the following recommendations.

Recommendation 1

It is recommended that:

The Control Framework and Multi-Year Risk Based Plan be revised to ensure that the Policy and Internal Control unit's roles and responsibilities are clearly defined and the quantitative and/or qualitative assumptions used to assign risk level to each selected business process are adequately described.

Management Action Plan:

Management agrees with this recommendation.

The Framework will be updated to clarify roles and responsibilities, and expectations around the assumptions used to determine materiality to assign a risk level.

The formal update will occur in coordination with recommendation #6.

During the 2016-17 internal control assessments the assumptions used when assigning risk will be documented.

Due Date: August 2017

Recommendation 2

It is recommended that:

Automated controls in the narratives, flow charts, and risk and control matrices be properly documented to ensure the completeness and accuracy of process documentation.

Management Action Plan:

Management agrees with this recommendation.

The three parts of control documentation (the narrative, flow chart, and risk and control matrices) will be updated to ensure the various components are consistent, and include all relevant information, as business processes are tested.

Due Date: Updates will occur as part of the 2016-17 internal control testing, which is expected to conclude in August 2017.

Recommendation 3

It is recommended that:

A periodic risk analysis be performed with the business owner prior to testing control design and operating effectiveness.

Management Action Plan:

Management agrees with the need for a risk analysis.

As part of the 2016-17 internal control testing, a risk analysis will be conducted with process owners.

The ongoing manner in which the risk analysis is conducted and documented will be reflected in the framework update (as part of recommendation #6).

Due Date: A risk assessment of business processes will occur as part of the 2016-17 internal control testing, which will conclude in August 2017.

Recommendation 4

It is recommended that:

A formal supervisory approval and "sign-off" by process owners on control documentation be in place in order to strengthen accountability.

Management Action Plan:

Management agrees with this recommendation.

Beginning as part of the 2016-17 internal control testing, formal supervisory review and "sign-off" from key business process owners will be sought as part of the control design testing.

Due Date: Updates will occur as part of the 2016-17 internal control testing, which will conclude in August 2017.

Recommendation 5

It is recommended that:

A consistent format/template of the Risk and Control Matrix be used to document and assess controls, and all fields be defined and appropriately filled out during the documentation update and design and operating effectiveness assessment.

Management Action Plan:

Management agrees with this recommendation.

As both the framework and some key business processes are changing in 2016-17, it is not yet possible to fully standardize all templates.

Beginning as part of the 2016-17 internal control testing, INFC will start to standardize the various templates currently being used (i.e., tombstone data and look and feel).

Full standardization will occur once the new framework is put in place.

Due Date: August 2017

Recommendation 6

It is recommended that:

Control testing protocols and sampling strategies be in conformance with and applied as per the Framework. Alternatively, should the Framework no longer be reflective of Infrastructure Canada's context, operations and risks, it will be amended.

Management Action Plan:

Management agrees with this recommendation.

The operations and risks of the department have significantly changed since the initial framework was established. The testing protocols and sampling strategies will be updated as part of the overall update to the Framework.

As of January 2016, and until the framework is updated, where testing protocols and sampling strategies vary from the framework, an explanation of the methodology used will be included with the related control testing.

Due Date: August 2017

Recommendation 7

It is recommended that:

Testing of design and operating effectiveness be sufficiently documented, with information retained to support and substantiate the nature and extent of testing performed by the Policy and Internal Control unit.

Management Action Plan:

Management agrees with this recommendation.

Since January 2016, documentation related to control testing is being kept to support the work performed.

Due Date: January 2016

Recommendation 8

It is recommended that:

Status reports on internal control management action plans resulting from monitoring activities clearly identify whether remediation actions were implemented by the originally approved completion dates and are presented based on risk ranking.

Management Action Plan:

Management agrees with this recommendation.

As of January 2016, any changes or extensions to internal control action plans are being formally tracked and monitored.

Due Date: January 2016

Annex A

Entity level controls are defined as those controls which impact the organization at the highest level and impact the overall effectiveness of the system of internal controls. They are often referred to as the "tone from the top" type of controls. 

Transaction level controls (business process controls) – cover those controls embedded in the day to day recording of financial information (i.e. accounts payable, accounts receivable, revenue, expenses). The performance and effectiveness of these controls is a factor of the entity level control effectiveness.

IT level controls – are comprised of two pieces, IT general controls and application controls. IT general controls, similar to entity level controls, set the tone for the IT environment as a whole. The primary focus is on logical access and change management controls within systems critical to financial reporting. Application controls are embedded within the various applications used to process transactions and are evaluated as part of the transaction level control review.

Design effectiveness – the design of an internal control includes consideration of the information used to perform the control, the experience and knowledge of the identified individuals to effectively perform the control, the timeliness and nature of the control as well as the anticipated output or evidence from the control operation.

Operational effectiveness – the effectiveness with which a control operates is a function of the consistency of its operation. Key controls are expected to operate as designed consistently without exception.

Automated Controls - Controls performed by computer systems or enforced by system security parameters.

Financial Statement Close - represents the process for accruing, and reversing period end adjustments in the financial statements. The objective of this process is to ensure the complete and accurate recording of all assets and liabilities that meet the definition of asset or liability to be accrued in accordance with the relevant basis of accounting (IFRS, Canadian GAAP).

Procure to Pay - represents the initiation of the purchasing process from initial requisition of a good/service through to receipt and subsequent approval for payment (s. 34 of the Financial Administration Act (FAA)) and the release of funds (s.33 of FAA) for a good/service procured through the contracting process. The objective of this process is to ensure that all purchases have been initiated, approved, received and that payments are accurate, timely and authorized in accordance with the Infrastructure Canada and Treasury Board procurement policies and recorded accurately in the financial system.

Payroll - represents the creation, modification and termination of employment services with Infrastructure Canada and its employees. The objective of this process is to ensure the accurate and timely recording of employees' pay, benefits, changes in employment status of individuals within Infrastructure Canada and the related financial statement impact of those changes.

Transfer Payment (managed by Infrastructure Canada) - represents the process for approving and monitoring contribution agreements and processing and paying claims and advances. The objective of this process is to ensure that contribution agreements are authorized and financial information is accurately recorded in the financial system and that claims and advances are processed, eligible, paid and recorded in the financial system, timely and accurately.

Transfer Payment (managed by Federal Delivery Partners (FDP)) - represents the process for approving and monitoring contribution agreements and the transfer of payments to FDPs. The objective of this process is to ensure that contribution agreements and related expenditures are authorized and financial information is recorded accurately and on a timely basis in the financial system. Transfer payments that are managed by FDPs include Memoranda of Understanding (MOU) or Service Level Agreements which delegate the processing of claims and payments to the FDPs.

Annex B

The steps for the documentation, assessment and reporting on Internal Control over Financial Reporting (Footnote 3)

Documentation Update

  • Update control documentation for changes on an annual basis with financial business owners for all identified business processes.
  • Risk assessment is conducted to ensure that changes in processes and systems are considered. Risk rating is updated for each area using a risk matrix.

Design Effectiveness Testing

  • Evaluate design effectiveness of internal control over financial reporting for the selected business processes and document results of the evaluation.

Operating Effectiveness Testing

  • Evaluate operating effectiveness of internal control over financial reporting for the selected business processes and document results of the evaluation.

Identify and Correct Deficiencies

  • Identify, accumulate, and evaluate design and operating control deficiencies; communicate findings and correct deficiencies.

Report on Internal Control

  • Prepare management's written assurance on the effectiveness of internal control over financial reporting.

Annex C

Procure to Pay Business Process

1- MANAGE COMMITMENTS

P2P-1

  • Commitment Authority and Contract Authority are obtained for the request for Service Contract from appropriate individual(s)

2- MANAGE CONTRACTS

P2P-2

  • Contracts approved by PRC

P2P-3

  • Contract reviewed and Contracting & Procurement Checklist is completed and signed by Contracting Officer

P2P-4

  • Contract signed by Contract Authority and Commitment Authority (Sec.32) and the vendor

3- MANAGE PAYMENTS

P2P-5

  • Invoice and supporting documentation are reviewed and approved by the FCM with delegated financial signing authority for FAA Sec.34

P2P-6

  • Financial Clerk reviews the payment information in IFMS and parks the transaction

P2P-7

  • Financial Officer reviews the documents, approves payment certifying Sec.33, and posts the transaction

Transfer Payment Business Process

1- MANAGE COMMITMENTS

TPV1-1

  • Minister of Infrastructure Canada signs agreement (Sec.32)

TPV1-2

  • Financial Officer enters total commitment for the project in PIMS, as per agreement

TPV1-3

  • Transfer Payment Financial Analyst verifies and creates commitment in IFMS according to Agreement and Cash Flow schedule

2- MANAGE PAYMENTS

TPV1-4

  • Claims Unit verifies and approves claim request. Program Analyst verifies and approves advance request

TPV1-5

  • Contribution Payment Form is certified for FAA Sec.34 by ADM of POB

TPV1-6

  • Financial Officer performs quality assurance on the payment

TPV1-7

  • Manager of FMAS signs off on quality assurance

TPV1-8

  • Certification under FAA Sec.33 as per delegated authorities

TPV1-9

  • Financial Clerk parks the transfer payment request

TPV1-10

  • Financial Officer verifies and posts the payment in IFMS

TPV1-11

  • Monthly, Financial Officer reconciles and monitors the transfer payments to recipients

Transfer Payment – FDP Business Process

1- MANAGE COMMITMENTS

TPV2-1

  • Minister enters into a Contribution Agreement (CA) with recipient

TPV2-2

  • Financial Officer enters total commitment for the project in PIMS. CA status in PIMS is signed

2- PAYMENT TO FEDERAL DELIVERY PARTNER (FDP)

TPV2-3

  • Advance: Financial Officer creates commitment for advance to FDP in IFMS
  • Expense: Financial Officer creates commitment for expense and reduces the commitment for advance to FDP in IFMS

TPV1-4

  • DCFO Approval

TPV2-5

  • Advance: Financial Clerk parks the payment to FDP in IFMS
  • Expense: Financial Clerk parks the JV to recognize expenditures in IFMS

TPV2-6

  • Advance: Financial Officer verifies and posts the payment to FDP
  • Expense: Financial Officer verifies and posts the JV to recognize expenditure in IFMS

TPV2-7

  • Monthly, Financial Officer reconciles and monitors transfer payments to FDPs

Financial Close Business Process

1- CREATION OF PAYEs

1.1 Transfer Payment

FS-1

  • Director in POB verifies and certifies Sec.34 on an 'interim' basis

FS-2

  • Financial Officer verifies PAYE request and supporting documentation

1.2 Operating

FS-3

  • Branch Manager or DCFO verifies and certifies Sec.34 on an 'interim' basis

1.3 For all PAYEs

FS-4

  • DCFO or Financial Officer verifies and certifies Sec.33 on PAYEs

FS-5

  • Financial Officer verifies information and processes the PAYE in IFMS

2- SETTLING OF PAYEs

2.1 OGD PAYE

FS-6

  • Branch Manager or DCFO reviews and approves PAYE invoice (Sec.34)

FS-7

  • Financial Officer receives operating and salary payment invoices and certifies Sec.33

FS-8

  • Manager of TPFAS signs off on the outstanding TP PAYE reports

3- CREATION & SETTLING OF RAYEs

FS-9

  • DCFO reviews and approves RAYEs for FDP managed TP

FS-10

  • Financial Clerk verifies RAYE, creates and parks invoices and JVs in IFMS

FS-11

  • Financial Officer reviews and approves the RAYEs in IFMS

4- SPECIAL ACCRUAL ENTRIES

FS-12

  • Special accrual JVs are reviewed and approved by Chief AO

FS-13

  • Financial Clerk enters the JVs and parks in IFMS

FS-14

  • Financial Officer verifies and posts in IFMS

5- YEAR-END CLOSE

FS-15

  • Financial Officer prepares reconciliation and JVs, and Senior Financial Officer verifies and approves

FS-16

  • Financial Clerk enters the JVs and parks, and Financial Officer verifies and posts in IFMS 

FS-17

  • Financial Officer approves the Trial Balance Checklist

FS-18

  • DCFO signs the certificate of representations for the trial balance

FS-19

  • CFO and DM sign the Letter of Representation

FS-20

  • Financial Officer closes the fiscal year-end accounting period

FS-21

  • The final draft financial statement is signed by CFO and DM

Footnotes

Footnote 1

http://www.oag-bvg.gc.ca/internet/English/parl_oag_201311_01_e_38795.html


Footnote 2

http://www.oag-bvg.gc.ca/internet/English/parl_oag_201311_01_e_38795.html


Footnote 3

Adapted from "KPMG: Assessing Internal Control over Financial Reporting A Guide for Implementing"
