Annex to the Statement of management responsibility including internal control over financial reporting for the fiscal year ended March 31, 2016
Official title: Employment and Social Development Canada 2015–2016 Departmental Performance Report
On this page
1 Introduction
This document provides summary information on the measures taken by management to maintain an effective system of internal control over financial reporting (ICFR). In particular, it provides summary information on the assessments conducted by Employment and Social Development Canada (ESDC) as at March 31, 2016, including progress, results and related action plans unique to the Department.
Detailed information on ESDC’s authority, mandate and program activities can be found in Departmental Performance Report and Report on Plans and Priorities.
2 Departmental system of internal control over financial reporting
2.1 Internal Control Management
ESDC recognizes the importance of setting the tone from the top to help ensure that staff at all levels understand their roles in maintaining effective systems of ICFR and is well equipped to exercise these responsibilities effectively. The Department’s focus is to ensure risks are managed well through a responsive and risk-based control environment that enables continuous improvement and innovation.
The Department has a well-established governance and accountability structure to support departmental assessment efforts and oversight of its system of internal control. A Departmental Internal Control Management Framework was developed and approved by the Deputy Minister in November 2013. The Framework was a collaborative effort between various branches of ESDC including Internal Audit Service Branch (IASB) in order to prepare a more robust internal control framework which includes:
- Organizational accountability structures as they relate to internal control management to support sound financial management including roles and responsibilities for senior managers in their areas of responsibility for control management
- Guidance to business process owners regarding impacts of changes on internal controls; and
- Monitoring and regular updates on a semi-annual basis on internal control management plus assessment results and action plans to the Chief Financial Officer (CFO), Corporate Management Committee (CMC) and Departmental Audit Committee (DAC)
The DAC is an advisory committee which provides objective views on the Department’s risk management, control and governance processes as well as general reporting.
Other key committees with responsibilities for maintaining and overseeing the effectiveness of its system of ICFR include:
Portfolio Management Board (PMB) – As the main decision-making body of the portfolio, the PMB determines strategic directions and priorities; approves portfolio-wide plans and strategies; and makes decisions on strategic issues that affect the portfolio as a whole. The PMB also acts as the key portfolio vehicle for information sharing, consultation and collaboration at the Deputy Minister and Assistant Deputy Minister level. The CFO is a member of this committee.
Corporate Management Committee (CMC) – Oversees the implementation of the portfolio’s management agenda, as approved by the PMB, including the achievement of the management outcomes and objectives set out in the Integrated Business Plan, the Management Accountability Framework, and the corporate fiscal and planning processes. The committee also oversees departmental activities related to the operationalization of departmental security measures. The CFO is a member of this committee.
ESDC’s control environment also includes a series of measures to equip its staff to manage risks well through raising awareness, providing appropriate training to enhance skills and expertise required. Key measures are comprised of:
- An Office of Values and Ethics
- ESDC Code of Conduct
- Guidelines of Professional conduct for the Labour Program and Service Canada
- A dedicated division under the CFO on internal control
- Documentation of main business processes and related key risk and control points to support the management and oversight of its system of ICFR
- Ongoing communications in core areas of financial management
- Departmental policies tailored to ESDC’s control environment
- Periodically updated delegated authorities matrix
- A Risk Assessment, Management and Mitigation methodology for Grants and Contributions
- Integrated Business Plan
- Multi-year risked based internal audit plan
- Departmental Internal Control Management Framework
- Regularly updated Corporate Risk Profile
- Recipient Audit Strategy; and
- Payment Accuracy Review (PAAR) and Processing Accuracy Review (PRAR) for major benefit programs
2.2 Service arrangements relevant to financial statements
ESDC relies on other organizations for the processing of certain transactions that are recorded in its financial statements as follows:
Common arrangements:
- Public Services and Procurement Canada (formally named Public Works and Government Services Canada) centrally administers the payments of salaries, the procurement of goods and services in accordance with the ESDC delegation instrument and, and provides accommodation services
- Treasury Board Secretariat provides the Department with information used to calculate various accruals and allowances, such as the accrued severance liability
- The Department of Justice provides legal services to ESDC; and Shared Services Canada (SSC) provides information technology services to ESDC in the areas of data center and network services
Specific arrangements:
- ESDC, through the Service Canada (SC) initiative, acts as a focal point for government access to Canadians. As a result, ESDC has entered into several agreements with many federal government departments designed to provide Canadians with better access to programs and services
- A private service provider, pursuant to a contract with the Canada Student Loans Program, administers the delivery of the Direct loans issued under the Canada Student Loans Program. As a result, reliance is placed on the control procedures of the external service provider and the annual audit on financial information and internal controls performed by an external audit firm
- The Canada Revenue Agency (CRA) provides full collection services to ESDC for the recovery of its Accounts Receivable. Although CRA uses ESDC’s departmental accounts receivable systems (DARS), reliance is placed on the control procedures at CRA for the collection services and CRA’s reporting capacity; and
- The CRA also administers a number of activities for the Canada Pension Plan (CPP), Old Age Security (OAS), Employment Insurance (EI) Operating Account and the Universal Child Care Benefit (UCCB) program
3 Departmental assessment results during fiscal year 2015-2016
During 2015-2016, ESDC completed the operating effectiveness testing of the remaining key control areas.
With the implementation of the new Enterprise Resource Planning (ERP) system in 2014-2015, various business processes have been affected by this new solution and therefore, the design effectiveness along with the operating effectiveness will have to be assessed in the context of the new system as part of on-going monitoring.
The following sections will summarize the significant findings of the internal control assessment activities undertaken during fiscal year 2015-2016.
3.1 Design effectiveness testing of key controls
During 2015-2016, the design effectiveness testing of IT General Controls (ITGC) was updated concurrently with testing of operating effectiveness. Accordingly, the results from this assessment can be found in section 3.2 Operating effectiveness of key controls.
Design effectiveness testing of the CPP business process was conducted during 2013-2014. Since then, three new relevant systems have been implemented and new internal controls have been put in place as a result of these new systems. Two CPP business sub-processes, CPP Benefit Payments and CPP Overpayments and Receivables were significantly impacted by the system changes where a number of controls documented during design effectiveness testing had changed or new key controls introduced. As a result, the following approach was taken to address the changes:
- Walkthroughs of implicated systems and sub-processes were conducted to identify new or revised risks
- Key background documents (e.g. policies, procedures, etc.) regarding new or revised controls were reviewed
- Narratives and control matrices were updated to reflect new or revised processes, procedures and key controls; and
- Testing plan was updated to reflect new or revised key controls identified through the review of documented policies and procedures for impacted sub-processes
Assessment results can be found in section 3.2 Operating effectiveness of key controls. It is noted that this scenario in which significant changes had been brought to a process in a relatively short time is illustrative of the dynamic environment at ESDC where transformation, modernization and process reengineering are often underway.
3.2 Operating effectiveness testing of key controls
ESDC has made progress in advancing remediation actions required from process owners following the operating effectiveness testing of key controls for the majority of the business processes in 2014-2015 and earlier. Although full remediation has not yet been attained in all cases, compensatory controls were identified by process owners in their respective action plans. For certain business processes for which operating effectiveness had been assessed prior to 2014-2015, remediation was contingent on the implementation of SAP which occurred on April 1, 2014. The extent to which the new system has addressed the previously identified control deficiencies will be determined through risk-based ongoing monitoring.
During 2015–2016, ESDC completed operating effectiveness testing of key control areas: CPP, EI and ITGC. ESDC determined that key financial controls for significant or high risk accounts are generally working effectively to prevent or detect a material misstatement to the Financial Statements. There are however areas that have been identified requiring remediation:
CPP
As a result of the assessment, some of the key recommendations included but were not limited to:
- The need to strengthen the documentation and clarity of requirements for authorization under section 34 of the Financial Administration Act (FAA) for CPP benefit payments and administrative expenses
- The need to strengthen the evidence of section 33 of the FAA for CPP benefits; and
- The need to resolve outstanding interface issues impacting collection activities on certain overpayments
Management responses and action plans (MRAPs) will be prepared by process owners with a view to strengthening control and progress against these plans will be tracked during 2016-2017.
EI
No significant control deficiencies were identified for EI, however two key control areas surrounding authorization of section 34 and section 33 of the FAA were not tested as the required remediation which was previously identified in the design effectiveness testing had not been fully implemented.
ITGC
The assessment of ITGC was conducted as part of a multi-year contract awarded in 2014-2015 which includes developing the strategy for ongoing monitoring of ITGC. Following an extensive risk assessment and scoping exercise, the assessment conducted during 2015-2016 included SAP and 12 feeder systems.
Assessment results identified that several controls operated effectively however there are areas for improvements in all four main control pillars evaluated: Access to programs and data, change management, program development and computer operations. The majority of the findings pertain to the access to programs and data pillar.
Management responses and action plans (MRAPs) will be prepared by process owners with a view to strengthening control and progress against these plans will be tracked during 2016-2017.
As a result of operating effectiveness findings during 2015-2016 and prior, ESDC has continued to advocate the following types of remediation required:
- Make use of and increase the frequency of monitoring
- Strengthen and properly maintain departmental policies
- Develop and enforce formalized procedures and guidelines
- Develop standardized approval and/or review processes
- Update and train employees on national policies to ensure consistency
- Enrich the quality of evidence supporting approvals pertaining to requirements of Sections 34 and 33 of the FAA for certain types of payments
- Improve archiving and record keeping practices
- Continued implementation of the fraud framework
- Perform periodic review of user access and profiles; and
- Update Hire to Pay process to reflect the Transformation of Pay Administration initiative
3.3 Ongoing monitoring of key controls
During 2015-2016, ESDC developed a risk-based ongoing monitoring plan. Ongoing monitoring of key controls will begin in 2016-17 for Entity-Level Controls (ELCs), the Manage Grants & Contributions business process and Old Age Security. Ongoing monitoring will also include tracking the implementation of the existing MRAPs to ensure ESDC is progressing in strengthening its system of ICFR.
As noted earlier, significant transformations have taken place, or are planned to take place, within ESDC since the initial design and operating effectiveness assessments were conducted. These initiatives include, but are not limited to, the implementation of SAP (my EMS) and PeopleSoft, the migration of the departmental pay function to a centralized provider, onboarding to the new Phoenix pay system as part of the implementation of the Transformation of Pay Administration initiative and the ESDC Grant and Contribution Modernization initiative. Transformations of this extent will impact the initial design and operating effectiveness assessments, and will require reassessments of the key control areas impacted as part of the ongoing monitoring. The timing of such transformations are considered to the extent possible in ESDC’s risk-based ongoing monitoring planning.
4 Departmental action plan
4.1 Progress during fiscal year 2015-2016
During 2015-2016, ESDC continued to make progress in assessing and improving its key controls. The following table summarizes the department’s progress based on the plans identified in the previous fiscal year’s annex:
Elements in previous year’s action plan |
Status |
---|---|
Completion of operating effectiveness (OE) testing for Information Technology General Computer Controls (ITGC). |
OE testing was completed for ITGC. One relevant SAP feeder system originally anticipated to be within scope of 2015-16 testing (the Internet Reporting System (IRS)) was taken out of scope and deferred to 2016-17 and will be reported on then. |
Completion of OE testing for Employment Insurance (EI). |
OE testing was completed for EI. |
Completion of OE testing for Canada Pension Plan (CPP). |
OE testing was completed for CPP. |
4.2 Status and action plan for the next fiscal year and subsequent years
Building on the progress to date, ESDC has completed the initial full risk-based assessment of its system of ICFR in 2015-2016 and is positioned to implement its ongoing monitoring plan for reassessing control performance using a risk-based approach across all control areas.
ESDC will also continue to strengthen the existing risk assessment and methodology for the implementation of the ongoing monitoring of its departmental system of ICFR. During 2015-2016, significant progress was made with respect to improved collaboration and coordination between organizations within ESDC with an assurance/monitoring mandate. Further gains with respect to such collaboration are expected to be realized in 2016-2017.
The status of the identified control areas and the planned timing for ongoing monitoring in the next three fiscal years are shown in the table below. Ongoing monitoring plans will be reassessed annually based on a risk assessment, the timing of other relevant audit and monitoring activities and the impact of changes that occurred during the year or that are planned for the coming year(s).
Key control areas 2015-2016 | Assessment elements1 |
||
---|---|---|---|
Design effectiveness testing |
Operational effectiveness testing |
On-going monitoring Rotation | |
Entity Level Controls |
Completed |
Completed |
2016-20172 |
IT General Computer Controls |
Completed |
Completed |
Future Years3 |
Manage Revenue, Receivables and Receipts |
Completed |
Completed |
2018-2019 |
Manage Interdepartmental Settlements |
Completed |
Completed |
2018-2019 |
Manage Procure to Payment |
Completed |
Completed |
2017-2018 |
Manage Planning and Budgeting |
Completed |
Completed |
2018-2019 |
Manage Travel |
Completed |
Completed |
2018-2019 |
Manage Other Payments |
Completed |
Completed |
2017-2018 |
Manage Post-payment Verification |
Completed |
Completed |
2017-2018 |
Manage Other Capital Assets |
Completed |
Completed |
2017-2018 |
Manage Financial Close |
Completed |
Completed |
2017-2018 |
Manage Financial Reporting |
Completed |
Completed |
2017-2018 |
Pay Administration |
Completed |
Completed |
2017-2018 |
Manage Grants and Contributions |
Completed |
Completed |
2016-2017 |
Canada Student Loans Program |
Completed |
Completed |
2018-2019 |
Canada Education Savings Programs |
Completed |
Completed |
2018-2019 |
Employment Insurance (EI) |
Completed |
Completed |
2017-2018 |
Canada Pension Plan (CPP) |
Completed |
Completed |
2018-2019 |
Old Age Security (OAS) |
Completed |
Completed |
2016-2017 |
1 Status as of March 31, 2016
2 A portion of Entity Level Controls will be monitored annually. Over a three year cycle, each component will be revisited.
3 An ITGC monitoring strategy will be developed in 2016-17 that will include consideration of the action plans developed in response to the assessment conducted in 2015-16.
Page details
- Date modified: