Audited Financial Statements 2010-2011

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

[Back to Audited Financial Statements List]

Office of the Privacy Commissioner of Canada

Annex to the Statement of Management Responsibility Including Internal Control over Financial Reporting

Unaudited summary of the assessment of effectiveness of the systems of internal control over financial reporting and the action plan of the Office of the Privacy Commissioner of Canada for fiscal year 2010-11

Note to the reader

With the new Treasury Board Policy on Internal Control, effective April 1, 2009, departments (note: departments include all Federal Entities) are now required to demonstrate the measures they are taking to maintain effective system of internal control over financial reporting (ICFR).

As part of this policy departments are expected to conduct annual assessments of their system of ICFR, establish action plan(s) to address any necessary adjustments, and to attach to their Statements of Management Responsibility a summary of their assessment results and action plan Effective systems of ICFR aim to achieve reliable financial statements and to provide assurances that:

  • Transactions are appropriately authorized
  • Financial records are properly maintained
  • Assets are safeguarded from risks such as waste, abuse, loss, fraud and mismanagement
  • Applicable laws, regulations and policies are complied with  

It is important to note that the system of ICFR is not designed to eliminate all risks, rather to mitigate risk to a reasonable level with controls that are balanced with and proportionate to the risks they aim to mitigate.

The maintenance of an effective system of ICFR is an ongoing process designed to identify, assess effectiveness and adjust as required key risks and associated key controls, as well as to monitor its performance in support of continuous improvement. As a result, the scope, pace and status of those departmental assessments of the effectiveness of their system of ICFR will vary from one organization to the other based on risks and taking into account their unique circumstances.

The system of ICFR is designed to mitigate risks to a reasonable level based on an on-going process to identify key risks, to assess effectiveness of associated key controls, and to make any necessary adjustments.



This document is attached to the Office of the Privacy Commissioner of Canada Statement of Management Responsibility Including Internal Control over Financial Reporting for the fiscal-year 2010-2011. As required by the new Treasury Board Policy on Internal Control, effective April 1st 2009, for the first time, this document provides summary information on the measures taken by the Office of Privacy Commissioner of Canada (OPC) to maintain an effective system of internal control over financial reporting (ICFR). In particular, it provides summary information on the assessments conducted by the OPC as at March 31, 2011, including progress, results and related action plans along with some financial highlights pertinent to understanding the control environment unique to the Office.

Key elements:

1.1 Authority, Mandate and Program Activities

Detailed information on the Office’s authority, mandate and program activities can be found in Departmental Performance Report and Report on Plans and Priorities.

1.2 Financial highlights

You can view the Financial statements (audited by the Office of the Auditor General of Canada) of the OPC for fiscal-year 2010-2011. Information can also be found in the Public Accounts of Canada.

  • Total expenses were $24.8M. Salaries and benefits comprise the majority of expenses (61% or $15M for 160 employees).
  • Tangible capital assets comprise 31% of departmental total assets ($5.4M). Accounts payable and accrued liabilities comprise 50% of total liabilities ($6.8M).
  • The OPC is headquartered in Ottawa with one office in Toronto. There is a centralized finance and accounting function in Ottawa under the leadership of the Chief Financial officer, however, the regional office initiates and records commitments.
  • The OPC utilizes the Free Balance© financial system. This system interfaces with a salary forecasting system to support the management of salary expenditure and forecast.

1.3 Audited financial statements

Financial statements of the Office were audited for the first time for the fiscal year ending March 2004. The OPC has always received an unmodified opinion from the Office of the Auditor General (OAG).

1.4 Service arrangements relevant to financial statements

The OPC relies on other organizations for the processing of certain transactions that are recorded in its financial statements:

  • Public Works and Government Services Canada (PWGSC) centrally administers the payments of salaries.
  • Treasury Board Secretariat (TBS) provides information used to calculate various accruals and allowances, such as the accrued severance liability.

1.5 Material changes in fiscal-year 2010-2011

No significant changes that are relevant to the financial statements occurred in 2010-2011. During the reporting period, the Office continued to assess and improve the system of ICFR.


The Office recognizes the importance of setting the tone from the top to help ensure that staff at all levels understands their roles in maintaining effective systems of ICFR and is well equipped to exercise these responsibilities effectively. The Office’s focus is to ensure risks are managed well through a responsive and risk-based control environment that enables continuous improvement and innovation.

2.1 Key positions, roles and responsibilities relative to ICFR

Below are the Office’s key positions and committees with responsibilities for maintaining and reviewing the effectiveness of its system of ICFR.

Commissioner – The OPC’s Commissioner has the duties of a Deputy Head. As the Accounting Officer, the Commissioner assumes overall responsibility and leadership for the measures taken to maintain an effective system of internal control. The Commissioner is assisted by an Assistant Commissioner. In this role, the Commissioner chairs the Senior Management Committee (SMC) and meets regularly, as a member of the OPC Audit Committee.

Chief financial Officer (CFO) – The OPC’s CFO reports directly to the Commissioner and provides leadership for the coordination, coherence and focus on the design and maintenance of an effective and integrated system of ICFR, including its annual assessment.

Senior Managers – The Office’s senior managers in charge of program delivery are responsible for maintaining and reviewing effectiveness of their system of ICFR falling within their mandate.

Chief Audit Executive (CAE) – As specified in the TB Policy on Internal Audit (2009), OPC is required to have an appropriate internal audit capacity. Given that the OPC is a small entity, the CAE is also the Chief Financial Officer (CFO). However, the independence of the CAE and the integrity of the internal audit function are ensured through the following mechanisms:

  • Contracted audit professionals are engaged to develop the OPC risk-based Internal Audit Plan (RBAP) and to audit OPC programs, management processes, and practices. Auditors are provided with access to all OPC records, databases, workplaces, and employees, and can obtain information and explanations from OPC employees and contractors;
  • The RBAP is approved by the Commissioner based on the recommendation of the independent Audit Committee (AC); and,
  • A direct reporting line is established between the contracted audit professionals and both the Commissioner and the AC, ensuring independence, especially for audits which are conducted in the area of Corporate Services, which is managed by the CAE. The auditors present their audit findings directly to the Commissioner and the AC, and are not required to go through the CAE when audit findings relate to Corporate Services and all other areas for which this position has responsibility.

OPC Audit Committee (AC) – The AC is an advisory committee that provides objective views on the OPC’s risk management, control and governance frameworks. It is comprised of two (2) external members, one of which is the chair. The Privacy Commissioner sits on the Committee as an ex-officio member. The CAE/CFO attends all committee meetings.

Senior Management Committee (SMC) – As the OPC’s central decision-making body, the SMC reviews, approves and monitors the Corporate Risk Profile and the departmental system of internal control, including the assessment and action plans relating to the system of ICFR.

2.2 Key measures taken by the Office

The OPC’s has a comprehensive internal control framework over financial transactions. This framework follows the expenditure management process of the Federal government from the initial policy approval of programs through the budgeting process to final program payments and post payment audits.

OPC control environment also includes a series of measures to enable its staff to manage risks well through raising awareness, providing appropriate knowledge and tools as well as developing skills. Key measures include:

  • A Champion of Values and Ethics; The OPCs code of conduct and values and ethics code (in development);
  • Annual performance agreements with senior managers clearly set out financial management responsibilities;
  • Training program and communications in core areas of financial management;
  • Office policies tailored to OPC’s control environment;
  • Human resource management plan and policies that support learning and succession plan.
  • Information Technology (IT) strategic and operational plans to ensure greater security, integrity, efficiency and effectiveness, including annual threat risk assessment.
  • Active monitoring and enhanced reporting on results (underway in 2011-12);
  • Periodically updated delegation of financial signing authorities matrix;
  • The preparation and implementation of an annual risk-based audit Plan.


Financial statements of the OPC have been audited by the Office of the Auditor General for seven (7) years. In parallel, senior management has been providing increased focus on formalizing its approach to the management and on-going maintenance of its systems of ICFR with the objective to support continuous improvement.

As a further step, and consistent with the Treasury Board Policy on Internal Control, the Office has commenced in 2010-2011 to implement a more systemic risk-based and multi-year assessment plan of the design and operating effectiveness of its system of ICFR.

3.1 Assessment baseline

To determine the scope of the initiative, a scoping and planning exercise was undertaken to identify key business processes, entity level control areas and general computer control areas. During scoping and planning, both quantitative and qualitative factors were considered.

Business processes are defined as the specific processes supporting the treatment of financial transactions. The following seven business processes were identified: Payroll, Operating Maintenance expenses, Receivables, Capital assets, Contributions, Budgeting and Forecasting and Financial Close over Reporting.

Entity level controls are defined as the overarching controls of the organization that set the “tone from the top”. The following five entity level controls areas were identified: Values & Ethics, Governance & Accountability, Competency of Financial Staff, Financial Management, and Communication.

General computer controls are defined as controls over the core financial systems and IT infrastructure used across the organization and which support financial transactions. The OPC is responsible for assessing effectiveness of all the key IT general controls for systems that it fully manages.

Where the OPC relies on external systems from other government departments (i.e. the Regional Pay System and Central Financial Management Reporting System (CFMRS)), the self-assessment will be limited to components of the systems that are controlled by the OPC such as the access controls. The service providers in the other government departments (OGD) are responsible for the internal control self-assessment on the systems they maintain for the OPC.

These control areas are the baseline by which the OPC developed its three-year self-assessment plan. This three-year plan will be reviewed and updated on an annual basis to reflect changes in the control environment.

3.2 Assessment elements

  • Design effectiveness assessment – Through design effectiveness assessment, the OPC will ensure that key controls relevant to ICFR have been properly identified, documented, implemented and that they are aligned with the risk that they aim to mitigate and that any remediation is addressed appropriately and in a timely manner. The assessment activities include documentation and mapping of key business processes or IT systems, identification of key risks and the internal controls implemented to mitigate these risks, and a walk-through to assess the design effectiveness of the internal controls.
  • Operating effectiveness assessment – Through operating effectiveness assessment, the OPC will ensure that the application of key controls over financial reporting has been tested over a defined period and they are working as intended. The assessment activities include performing a sample test of transactions to determine whether the documented procedures and internal control measures are being followed.
  • On-going monitoring program – Through on-going monitoring program, the OPC will ensure that a systematic integrated approach to monitoring is in place, including periodic risk-based assessments and timely remediation. Instructions will be issued internally to the appropriate OPC managers related to any deficiencies identified during the continuous monitoring assessment. The manager will be required to address appropriate action(s) and remediate the deficiencies in a timely manner.


During 2010-2011, the OPC identified the significant findings of the assessment of the design effectiveness of the system of ICFR and OPC identified the need for the following documentation to be established, completed or clarified:

  • Development of a commonly understood and convergent oversight framework that will strengthen the governance regime of the Office and will provide a robust structure through which the Office can demonstrate appropriate coverage and oversight of its operations.
  • Development of an OPC code of conduct and values and ethics.
  • Development of documentation of processes and procedures to make changes to financial systems, data and access.
  • Review and update documentation and perform evaluation of entity level controls.

4.1 Design effectiveness of key controls

When completing design effectiveness testing, the OPC updated business process documentation, validated key process with the stakeholders and verified whether the entity level controls are in place and correspond to actual practices. Remediation requirements were addressed as soon as necessary adjustments were identified. Design effectiveness also included ensuring appropriate alignment of each key control with risks.

The results from the design effectiveness testing identified the need for the following:

  • Continuous development of financial management tools such as policies, directives, and processes including on-going training and increased communication between financial staff, management and administrative community to share information vertically and horizontally.
  • An increased procurement capacity and implementation of a contract review committee to ensure oversight of the function.
  • An increased and improved budgeting capacity to promote a better challenge function.
  • Implement a consistent monitoring oversight to ensure strengthening of management practices through tracking and reporting.
  • Development of a Financial Control Framework.

4.2 Operating effectiveness of key controls

Operational effectiveness testing has not yet been commenced and therefore no assessment results are available at this time.

When completing operating effectiveness testing, the OPC will implement a risk-based testing approach and methodology that will identify key controls to be tested over a defined period of time, including the selection of a sample, the test period and the method and frequency of testing.

Operational effectiveness for Entity Level Controls, IT general controls, Business Process and Financial Reporting Controls will not commence until the associated remediation of design effectiveness has been implemented and a sufficient time has passed to allow the controls to function for a portion of the fiscal year.

4.3 Ongoing monitoring program

OPC will continue to ensure that controls are effective over time and seek opportunities to strengthen its entity level controls, taking into account the initial assessment as well as results from annual assessments and audits. This will involve developing and implementing a well-integrated monitoring program to raise awareness and understanding of the organization’s system of ICFR at all levels of the organization, equip staff with the knowledge, skills and tools needed to maintain a robust ICFR, and continue to assess the status of ICFR on an ongoing basis.


5.1 Progress as of March 31, 2011

During 2010-2011 the Office has continued to make significant progress in assessing and improving its key controls. Below is a summary of the main progress made by the Office.

The Office has completed work to address the following necessary adjustments:

  • Identify key risks and financial statement key accounts.
  • Identify key business processes and develop documentation.
  • Alignment of key internal controls to Risks (test of design). Specifically under budgeting, monitoring and procurement functions.
  • Documentation of processes and key controls in payroll, procure to pay, receivables, capital assets and financial close and reporting.
  • Improved segregation of duties which may be a challenge for a small organization and implemented related internal controls to assure compliance.

The Office has substantially advanced work to address the following necessary adjustments:

  • Standardization of the processes and procedures to maintain master vendor records.
  • Development of a financial control framework.
  • Developing related financial directives, processes and detailed desk procedures for finance staff as well as for the managers and administrative community.

The Office has commenced or partially completed work to address the following necessary adjustments:

  • Identified Entity Level controls and related documentation.
  • Identified IT general controls and related documentation.

5.2 Action plan for the next fiscal year and future years

Building on progress to date, the OPC has developed a multi-year plan to fully implement the requirements of the Policy on Internal Control.

Beginning in 2011-2012, the action plan below highlights the progress that the department will be making in completing the assessment of the effectiveness of the OPC system of ICFR:

Elements in action plan 2011-2012
Documentation Design Effectiveness Operating effectiveness Ongoing Monitoring
Entity Level Controls
Control Environment x x   x
IT General Controls
Financial Systems x     x
Business Process,   Financial Reporting Controls
Payroll       x
Operating & maintenance expenses       x
Contribution x x   x
Capital Assets       x
Budget & Forecast x x   x
Financial Close        
Elements in action plan 2012-2013
Documentation Design Effectiveness Operating effectiveness Ongoing Monitoring
Entity Level Controls
Control Environment     x x
IT General Controls
Financial Systems   x   x
Business Process,   Financial Reporting Controls
Payroll     x x
Operating & maintenance expenses     x x
Contribution     x x
Capital Assets     x x
Budget & Forecast     x x
Financial Close     x x
Elements in action plan 2013-2014
Documentation Design Effectiveness Operating effectiveness Ongoing Monitoring
Entity Level Controls
Control Environment       x
IT General Controls
Financial Systems     x x
Business Process,   Financial Reporting Controls
Payroll       x
Operating & maintenance expenses       x
Contribution       x
Capital Assets       x
Budget & Forecast       x
Financial Close       x
Report a problem or mistake on this page
Please select all that apply (required): Error 1: This field is required.


Date modified: