The Treasury Board Policy on Financial Management came into effect on April 1, 2017 with the objective of ensuring that the financial resources of the Government of Canada are well managed in the delivery of programs to Canadians and safeguarded through balanced controls that enable flexibility and risk management practices. One of the policy requirements to support the objective is to ensure that a risk-based departmental system of internal control over financial management (ICFM) (including internal control over financial reporting (ICFR)) is established, monitored, and maintained. The system of ICFR is designed to mitigate risks based on a process to identify and prioritize key risks, assess effectiveness of associated key controls, and implement any corrective action.
The Policy defines ICFR as a subset of ICFM. Specifically, ICFR is a set of measures and activities that allow senior management and users of the department’s financial statements to have reasonable assurance with respect to their accuracy and completeness. The Environment and Climate Change Canada (ECCC) system of ICFR is based on the Committee of Sponsoring Organizations of the Treadway Commission Internal Control Integrated Framework. The framework’s five (5) complementary components of internal control (control environment, risk assessment, control activities, monitoring activities and information/communication) provide the basis for identification, documentation, and assessment of internal control at all levels in the department.
The system of ICFR includes an ongoing monitoring program, which includes detailed risk assessments of internal controls planned to be conducted every 3 to 5 years, as well as yearly environmental scans. The last full risk assessment at ECCC occurred in fiscal year 2019-2020. The assessments are designed to gauge the likelihood of risks materializing and how they might affect financial reporting and financial management.
Ongoing monitoring of internal controls is intended to ensure that the ICFR continues to operate effectively and as designed and begins once a department has executed its initial control assessment plan. Executing the plan involves completing the documentation, testing for design effectiveness, testing for operating effectiveness, and implementing remediation items or compensating controls to address the gaps or weaknesses identified. ECCC reached the ICFR ongoing monitoring stage in 2016.
What the audit found
A system of ICFR is in place, comprised of a formal framework and associated processes to assess, monitor, remediate, and report on the state of ICFR. Overall, we found that these have been generally adequately implemented, in compliance with Treasury Board Policy on Financial Management requirements and the associated guidance. A few opportunities for improvement were noted.
Roles, responsibilities, and accountabilities for key stakeholders related to ICFR are defined and documented in the ECCC Framework on ICFM and have been implemented in support of the system. There is an opportunity to further clarify the role of Business Process Owners, their delegates, and Senior Departmental Managers in the ICFM framework, and to enhance communication and reporting around ICFR related activities to increase senior management’s awareness and knowledge and support them in fulfilling their roles and responsibilities.
A risk-based ongoing monitoring program, including an annual risk-based assessment of ICFR, has been implemented, which generally aligns with Treasury Board of Canada Secretariat guidance. There are opportunities to further strengthen the risk-assessment methodology, as well as, expanding engagement with key stakeholders during the data-gathering phase to better inform the risk assessment results and the frequency and timeliness of assessments.
A process is in place and working as intended to issue recommendations to Business Process Owners following business process assessments, request the development of action plans to address control deficiencies, and monitor implementation on a semi-annual basis. Internal and external reporting is also in place for reporting remediation actions and progress of their implementation. An opportunity exists to improve the level of information related to the status of remedial actions to demonstrate progress achieved on the measures taken by the Department to maintain an effective system of ICFR, and to support departmental oversight of the overall system.
Recommendations and management response
Three (3) recommendations were developed to address the improvement opportunities identified in this report.
Recommendation 1
The Chief Financial Officer and Assistant Deputy Minister, Corporate Services and Finance Branch, should review and update the ECCC ICFM framework to clearly articulate the roles and responsibilities of Business Process Owners and their delegates, and to enhance engagement of Senior Departmental Managers throughout the ICFR cycle as appropriate.
Management response
The Chief Financial Officer and Assistant Deputy Minister, Corporate Services and Finance Branch, agrees with the recommendation.
The ECCC ICFM Framework outlines Senior Departmental Managers responsibilities in exercising effective financial management, including internal controls, as per the Treasury Board Policy on Financial Management requirements. To affirm their commitment, all Senior Departmental Managers annually provide a signed Senior Departmental Manager Checklist and Sub-Certification to the Chief Financial Officer, in support of the Chief Financial Officer and Deputy Minister signing the annual departmental Statement of Management Responsibility Including ICFM.
However, as noted in the audit, aside from the engagement, the ECCC ICFM framework has a gap in terms of engaging and informing Senior Departmental Managers (branch heads from program branches) outside the Corporate Services and Finance Branch, throughout the ICFR cycle. Although most of the ICFR components are under the responsibility of Business Process Owners in the Corporate Services and Finance Branch, including the other Senior Departmental Managers, it is important to maintain an effective system of ICFR, as it allows them to understand how the ongoing monitoring of internal controls supports the reliability of the unaudited departmental financial statements for decision making.
The Corporate Services and Finance Branch will review and update the ECCC ICFM framework and underlying tools as appropriate to:
- enhance engagement of program Senior Departmental Managers throughout the ICFR cycle; and
- articulate the roles and responsibilities of Business Process Owners and their delegates.
Recommendation 2
The Chief Financial Officer and Assistant Deputy Minister, Corporate Services and Finance Branch, should review and update the risk assessment methodology for ICFR to ensure that the assessments and environmental scans are informed by consulting with all key stakeholders, and that the various components of ICFR are evaluated on a regular basis, including the lower risk ones.
Management response
The Chief Financial Officer and Assistant Deputy Minister, Corporate Services and Finance Branch, agrees with the recommendation.
To ensure that the assessments and environmental scans are informed by consulting with all key stakeholders, the Internal Controls Team will review and update the ECCC ICFM framework and underlying tools and guidance, to enhance required engagement with program Senior Departmental Managers (outside of the Corporate Services and Finance Branch), ensuring alignment with the Treasury Board Secretariat Guide to Ongoing Monitoring of ICFM. This will enable Senior Departmental Managers to identify potential ICFR risks more actively and effectively within their area of responsibility to the Chief Financial Officer, and have these concerns reflected within the departmental risk-based system of ICFM (including ICFR).
We have already begun this engagement. In the summer and fall of 2023, information sessions were held with all Assistant Deputy Ministers and delegated managers at every level on the effective use of public funds. It was an opportunity to remind every employee with delegated financial authorities, including Senior Departmental Managers, that they are accountable for sound, prudent, and proper use of public funds in the delivery of our mandate and to rethink discretionary expenditures.
Additionally, an escalation process for managing non-compliance in the application of spending and financial authorities has been developed and will be implemented in 2024-2025, further reinforcing ICFR accountabilities.
To ensure that the various components of ICFR are evaluated on a regular basis, including those of low risk, the Internal Controls Team will review and update the annual risk based assessment and ongoing monitoring plan methodology to monitor the progress of assessments for each ICFR component against the five-year cycle, and develop a comprehensive internal work plan stemming from the ongoing monitoring plan, including a resource model and contingency planning for each ICFR component.
Although management agrees with this recommendation, additional context is needed regarding the meaning of a risk-based system of internal control. A risk-based systems implies that internal control assessments will be planned based on assessed level of risk and resource availability. The planned assessments may be modified to respond to emerging risks, such as the impact of a pandemic on the system of internal controls. This may result in delayed testing for other business processes which is acceptable from a policy perspective. Management does recognize that any changes to the ongoing monitoring plan and delays in testing should be properly documented and approved.
Recommendation 3
The Chief Financial Officer and Assistant Deputy Minister, Corporate Services and Finance Branch, should ensure that the Annex to the Statement of Management Responsibility includes details on the status of remedial actions associated to the ongoing monitoring activities from the previous fiscal year’s rotational plan.
Management response
The Chief Financial Officer and Assistant Deputy Minister, Corporate Services and Finance Branch, agrees with the recommendation.
The Internal Controls Team will review and update the methodology for the preparation of the Annex to the Statement of Management Responsibility to ensure it incorporates details on the status of remedial actions associated to the ongoing monitoring activities from the previous fiscal year’s rotational plan, as required by Treasury Board Secretariat guidance. This will ensure the reporting of a more complete picture of the measures taken by ECCC to maintain an effective system of ICFR.
To strengthen the integrity of financial reporting, the Internal Controls Team implemented a more robust challenge function in June of 2023 for the semi-annual follow-up on ICFM action plans, whereby areas of high residual risk are escalated to the Chief Financial Officer. This challenge will be further enhanced by incorporating Business Process Owners feedback.
About the audit
The internal audit of ICFR was included in the 2023-2028 Audit and Evaluation Plan. The audit objective was to provide reasonable assurance that ECCC has an effective system of ICFR in place, in compliance with the Treasury Board Policy on Financial Management requirements. The audit focused on an assessment of key ICFR elements including the ongoing monitoring and testing of the system in place at ECCC. The audit was conducted between June 2023 and December 2023.
