Policy on Internal Control - the federal perspective. Sharon Smith, Director, Financial Management Policy, Office of the Comptroller General of Canada. RDIMS 1113156. Presentation to the Ontario Chapter - Financial Management Institute, September 19th, 2012.
Purpose • Provide an overview of the Policy on Internal Control (PIC) • Provide an update on its status and implementation • Provide an overview of how to do an assessment of effectiveness of internal controls
Background • The Policy on Internal Control (PIC) flows from the Federal Accountability Action Plan to strengthen accountability and transparency in financial controls, reporting and disclosure: • Supporting Deputy Heads (DHs) as Accounting Officers who are responsible for the “measures taken to maintain effective systems of internal controls” (section 16.4 of the FAA) • Clarifying DHs' responsibilities and expectations in this area • Maintaining Canada’s position as a leader in financial reporting and disclosure • The PIC is a foundational component of the new TB FM framework articulated around four policies: • Policy on Financial Management Governance (effective April 2009) • Policy on Internal Control (effective April 2009) • Policy on Stewardship of Financial Management Systems (effective January 2010) • Policy on Financial Resource Management, Information and Reporting (effective June 2010) • Note: there are about 25 new Directives and 12 standards in this suite, plus a Policy Framework on Financial Management
Drivers for the Policy on Internal Control • Position Canada among leading jurisdictions - Lessons learned from Sarbanes-Oxley - New developments and practices in the private sector • Alignment with Accounting Officer responsibilities under the Financial Administration Act and commitment of the Federal Accountability Action Plan (2006) • Support accountabilities of key players and CFO Model • Next step in government commitment to control-based audits of departmental financial statements • Provide necessary oversight of controls to manage key risks and mitigate against errors, fraud, mismanagement or other irregularities to safeguard public resources - Alignment with increasingly risk-based management approaches
Policy on Internal Control - requirements • Reaffirms the responsibility of Deputy Heads, as accounting officers, for ensuring the maintenance of effective risk-based systems of internal control • With a focus on internal controls over financial reporting, requires that Deputy Heads: • ensure the completion of an annual risk-based assessment of the departmental system of internal control over financial reporting (ICFR) • ensure the establishment of an action plan to address any necessary adjustments • include a summary of the assessment results and action plan to be attached as an Annex to a revised Statement of Management Responsibility accompanying the annual financial statements and signed by the DH and the Chief Financial Officer (CFO) • engage the Departmental Audit Committee or equivalent as appropriate on assessment plans and associated results
Internal Control over Financial Reporting • Internal Controls over Financial Reporting (ICFR) aim at mitigating risks over reliability of departmental annual financial statements • Effective ICFR aim to provide reasonable assurances that: • Transactions are appropriately authorized • Financial records are properly maintained • Assets are safeguarded against fraud, abuse, waste, loss and mismanagement • Applicable laws, regulations and policies are followed
Levels of departmental internal controls • DM as accounting officer: Broad system of internal control (System of IC) • ADMs: System of internal control in their area of responsibility • CFO: System of internal control over financial management (System of ICFM) • System of ICFR: Policy requirements focus on ICFR
Roles and responsibilities • Deputy Heads (DH) • As accounting officer, the DH is responsible for measures taken to maintain effective systems of ICs • Sign the Statement of Management Responsibility which includes the Annex • Chief Financial Officers (CFOs) • Lead departmental role for financial management (incl. a key source of expertise) • Lead and coordinate the planning and execution of the assessments and the Annex • Sign the Statement of Management Responsibility which includes the Annex • Senior Departmental Managers • Responsible for maintaining effective systems of ICs in the programs for which they are responsible • Contribute to the assessment of key risks and controls in their area of responsibility • Chief Audit Executives (CAE) • Lead departmental role for internal audit (incl. a key source of expertise) • No internal audit required under the PIC • PIC assessment results can inform future internal audit plans • Internal audit findings can be leveraged to support the assessment under the PIC • Chief Information Officers (CIO) • Lead departmental role for IT infrastructure and system applications (incl. a key source of expertise) • Contribute to assessments of IT systems and application controls • Departmental Audit Committees (where applicable) • Provide objective advice and recommendations to Deputy Heads • Timing and scope of engagement to be determined by the Deputy Head
What the policy means • The policy is not about advocating for more controls (often too many controls) - rather that the right controls are in place and working properly • It is not about assessing all controls - rather it focuses on key controls based on risks as well as ensuring that these controls are proportionate to and balanced with the risks they aim to mitigate • It is not about audits - rather it is a self-assessment by management taking into account risks • It is not about certifying that all risks related to financial reporting have been eliminated - rather it is about demonstrating that key controls over financial reporting are well managed in support of continuous improvement
What well managed means • Financial Statements • Start with annual financial statements - Identify key accounts - key risks and materiality • Set scope and develop assessment plan • 3 levels of controls: Entity level (tone from the top), General IT level, Business process level • Testing • Design effectiveness: key controls documented, in place as designed, aligned with risks • Operational effectiveness: key controls functioning over time
Statement of Management Responsibility • “Management is also responsible for maintaining an effective system of ICFR designed to provide reasonable assurance that financial information is reliable, assets are safeguarded and that transactions are properly authorized” • “The system of ICFR is designed to mitigate risks to a reasonable level based on an on-going process to identify key risks, to assess effectiveness of associated key controls, and to make any necessary adjustments” • “an assessment for the year ended March 31, 20XX was completed in accordance with the Policy on Internal Control and the results and action plan are summarized in the annex”
Annex to the Statement of Management Responsibility • Annex enables readers to understand the organization’s overall environment and demonstrates the measures taken to maintain an effective system of ICFR within this context • Provides an overarching perspective on the department’s status in assessing their system of ICFR, any remedial actions required and planned future assessments • Sections: • Introduction – departmental overview, financial highlights and key organizational changes • Control Environment – Key positions and responsibilities as well as measures taken to set the “tone from the top” • Assessment Approach – Assessment scope and methodology • Assessment Results – Significant findings • Action Plan – Significant actions to be taken and timelines
Government-wide implementation plan • A 3 year phased-in approach for the new Statement of Management Responsibility and its summary document (annex) • 2009-10: Largest departments that have completed readiness assessments for undertaking control-based audits of their financial statements • 2010-11: Departments that already have audited financial statements • 2011-12: Other departments • Departments can tailor the scope and pace of their annual assessments, including developing multi-year assessment plans
OCG-TBS enabling role • Chair DCFO Advisory Committees • Sharing best practices • Address strategic issues • Policy clarity and specific challenges • Co-Chair PIC managers’ Working Group • Guidelines on developing the Annex • Practical Toolkit on Assessments • Workshop • Strategy for Small Departments • Use of GCPedia (Wiki style resource)
Status and context after 3 years • Completed 3 year transitional implementation • Maturity advanced across government – OAG Spring 2011 Chapter on Financial Management, Control and Risk Management concluded that TBS and the 7 selected large departments audited on their progress under the PIC had made satisfactory overall progress and that more work remained to be completed • Upcoming 5 year review of the FM policy suite – opportunity to consider future adaptations • Cost containment and savings – effective controls key to reliable financial information for tough decisions • Consolidation of services – Alternative Service review – Shared Services Canada is first new delivery hub • Small departments capacity
CCA/PIC Approach for Small Departments • Objective is to support small departments by leveraging core control audits in support of sound management of internal controls / core controls • This approach aims to: • Add value and consistency to management’s oversight of its controls • Streamline process to gain efficiencies • Minimize reporting burden • Note that the PIC continues to apply
Leveraging: What does it mean? • CCA and PIC use different methods but both support sound and efficient management of internal controls • Policy on Internal Control does not mandate the details of “annual risk-based assessments” → ability to use CCA • For sound management oversight, departments consider risk from both PIC and CCA perspective, which is informed by: • Corporate risk framework and risk history; • Nature of mandate and complexity; and • Composition and materiality of the financial accounts. • Additional oversight under the PIC can be tailored as needed
Service arrangements • Service arrangements becoming more prominent as departments and the federal government seek to generate efficiencies, leverage expertise and manage risks • Recent examples: establishment of Shared Services Canada, Budget 2012 “Modernizing and Reducing the Back Office” initiatives, implementation of the Directive on Internal Support Services • Adds complexities on accountabilities for internal controls • Starting Point: The entity is responsible for the design and effectiveness of the controls that they directly manage
Service arrangements • Two typical scenarios: • Services from other government departments: Recipient departments draw assurance from the annex of the service provider concerning the management of their control areas • Service arrangement with external (non-federal government) third party: Departments can require a CSAE 3416 report to obtain an independent opinion of the design and operating effectiveness of the internal controls related to the services provided
Highlights from a practical workshop: How to do a risk-based assessment • Executing a risk assessment (scoping) • Developing an assessment plan • Documenting key controls and processes • Design effectiveness testing • Operating effectiveness testing
Assessment of ICFR - Process Overview • Key BP Identification • Documentation • Test of Design • O.E.T • Monitoring • Note: Reporting - Develop summary of results and Action Plan to SoMR
Scoping A – Internal control over financial reporting • Decomposing the financial statement into key accounts (cont’d)
Scoping – Information technology general controls (ITGCs): ITGCs relationship to application controls • ITGCs are used to manage and control a company’s information technology activities. • ITGCs are pervasive controls. The degree to which an organization can rely on the integrity of information processing and the effectiveness of application controls (automated) in computer applications (e.g. SAP, GX, Freebalance) depends on the effectiveness of the ITGCs.
Scoping – Entity-level controls (ELCs) • Main components • Directions set by senior management • Organizational culture • Organizational values and ethics • Governance mechanisms • Tools and activities that enable employees to effectively manage risk (communication, training and professional development)
Documentation A – How to document controls? • To be considered complete and to ensure a proper understanding by all potential readers, the following items must be included in the description of a control: • When, Who, What, How? • Preventative or detective? • Manual or automated? • Evidence of the control performed (signature, initials, mark, date, etc.)
Documentation C – Walkthrough • Once the controls have been documented, their design must be validated by means of a walkthrough. • The walkthrough is a control occurrence test used to verify that the documentation describes what actually happens in the course of daily operations. • Usually, for an internal control project, 20% to 30% of control descriptions require some modification following a walkthrough.
Key success factors • Do not underestimate the time required: • for the documentation validation with the control and process owners; • for the documentation adjustment following the validation with the walkthroughs; and • for the remediation phase. • Tone at the top (have senior management involved); • Dedicated project lead and solid plan; • Access to key people (process and control owners); • Team members with experience in assessment of internal control.
Process Overview • Design Effectiveness Testing (DET) • Operating Effectiveness Testing (OET) • Reporting
Session 1: Design Effectiveness Testing • Design effectiveness refers to whether controls are properly designed to achieve control objectives and whether they operate as designed.
Design Effectiveness Testing Overview • 1.0 Starting Point: Identify Control Objectives based on Process Descriptions • 1.1 Assess Risks to Financial Reporting for each Financial Statement Assertion • 1.2 Identify Key Control Activities • 1.3 Test of Design (DET) Procedures • 1.4 Perform Walkthrough • 1.5 Conclusion Ending Point • 1.6 Remediation Plan
1. Assess Risks to Financial Reporting • Objective: Assess risks related to various financial statement assertions to identify areas where key internal controls will need to be validated.
1. Assess Risks to Financial Reporting • Assess Risks as High, Medium, or Low • IMPACT: potential effect on the organization if it arises • LIKELIHOOD: probability that a risk can occur • Impact factors: • Materiality • Financial resources • Human resources • Physical resources • Significance • Corporate objectives • Relationships • Central agencies • Parliament • Public • Media • Obligations to others • Sensitive information • Third party oversight • Likelihood factors: • Inherent • Past performance • Time since last review • Economic condition • Competence • Morale • Complexity • Liquidity of assets • Extent of automation • Pressure to meet objectives • Change • Roles and responsibilities • Staff levels • Operation methods • Budgets • Turnover of staff • Automation • Changes in funding levels
2. Key Control Activities Identification • Application Controls vs. ITGCs
2. Key Control Activities Identification • Identify key control activities that could be relied upon to reduce the assessment risks to financial reporting.
3.2 Design Effectiveness Testing - Walkthrough • Review of audit trail (e.g. walkthrough) to validate the application of controls, such as sign-off by the appropriate authority of key documents and the existence of control documents such as checklists, mandatory forms, etc.
3.4 DET - Remediation Plan • Identify any remediation plan to address any gaps or issues of design identified to this point, including missing details on who, what, where, when and how: • How is the conduct of the control in evidence? • Who is responsible for the exercise of the control? • What is the nature of the control, i.e. reconciliation, management review and approval etc.? • When is the control carried out, i.e. what is the frequency (annual, monthly, daily etc.)? • Where is the control carried out, i.e. HQ, Region, specific location, etc.?
Session 2: Operating Effectiveness Testing • Tests of operating effectiveness are intended to demonstrate the reliability of the controls over a period of time in reducing related financial reporting risks. • It is important to gather sufficient documented evidence to enable a conclusion on whether or not the controls are operating in practice. • Objectives: • Effective controls are expected to prevent or detect and correct material misstatements. • This means that after all internal control testing is completed, there remains a lower risk of undetected material control weaknesses. • In that case, effective controls are expected to lower the risk of material misstatement in the financial statements.
Operating Effectiveness Testing Overview
4.1 Operating Effectiveness Testing - Methods
4.2 Operating Effectiveness Testing - Sampling • Sampling refers to the process of selecting some units from a population, with two main steps: • How many to select • Which ones to select • Plan for overall sampling: • Key locations where there may be high risk, high levels of complexity or other factors; • Numbers of tests of specific key controls; • Testing frequency and time period; and • Random sampling strategy on risk basis.
5.3 Operating Effectiveness Testing – Report • 2.4 Conclusion & Reporting = Summary annex to the departmental Statement of Management Responsibility
Expected benefits of the PIC • Opportunity to showcase how well the department is being managed as well as to demonstrate progress and improvements • More effective and efficient departmental systems of internal controls, with potential for economies and reduced risks • Opportunity to engage and collaborate at all levels in support of continuous improvement related to risk management • Foundational to other initiatives such as quarterly financial reports and potential controls-based audits of financial statements • Instrumental to support Deputy Heads as accounting officers • Increase public confidence and trust through strengthened accountability and transparency, including reliability of financial statements – maintaining Canada’s position as a leader in financial reporting and disclosure.
More information Sharon Smith, Director • Sharon.Smith@tbs-sct.gc.ca Margaret Cross, Senior Analyst • Margaret.Cross@tbs-sct.gc.ca Olga Dupuis, Senior Analyst • Olga.Dupuis@tbs-sct.gc.ca GCPedia http://www.gcpedia.gc.ca/wiki/PIC