Audited Financial Statements 2011-2012


Office of the Privacy Commissioner of Canada


Unaudited 2011-12 annex to the statement of management responsibility, including internal control over financial reporting

Note to the reader

With the new Treasury Board Policy on Internal Control, effective April 1, 2009, departments (note: departments include all Federal Entities) are now required to demonstrate the measures they are taking to maintain an effective system of internal control over financial reporting (ICFR).

As part of this policy, departments are expected to conduct annual assessments of their system of ICFR, establish action plan(s) to address any necessary adjustments, and attach to their Statements of Management Responsibility a summary of their assessment results and action plan. Effective systems of ICFR aim to achieve reliable financial statements and to provide assurances that:

  • Transactions are appropriately authorized
  • Financial records are properly maintained
  • Assets are safeguarded from risks such as waste, abuse, loss, fraud and mismanagement
  • Applicable laws, regulations and policies are complied with  

It is important to note that the system of ICFR is not designed to eliminate all risks, but rather to mitigate risk to a reasonable level with controls that are balanced with and proportionate to the risks they aim to mitigate.

The maintenance of an effective system of ICFR is an ongoing process designed to identify key risks, assess the effectiveness of associated key controls and adjust them as required, as well as to monitor its performance in support of continuous improvement. As a result, the scope, pace and status of those departmental assessments of the effectiveness of their system of ICFR will vary from one organization to the other based on risks and taking into account their unique circumstances.

The system of ICFR is designed to mitigate risks to a reasonable level based on an on-going process to identify key risks, to assess effectiveness of associated key controls, and to make any necessary adjustments.


1. Introduction

Purpose:

This document is attached to the Office of the Privacy Commissioner of Canada Statement of Management Responsibility Including Internal Control over Financial Reporting for the fiscal year ended March 31, 2012. As required by the Treasury Board Policy on Internal Control (PIC), this document provides summary information on the measures taken by the Office of the Privacy Commissioner of Canada (the Office) to maintain an effective system of internal control over financial reporting (ICFR). In particular, it provides summary information on the assessments conducted by the Office as at March 31, 2012, including progress, results and related action plans, along with some financial highlights pertinent to understanding the control environment unique to the Office. This is the second year of publication of this annex.

Key elements:

1.1 Authority, Mandate and Program Activities

Detailed information on the Office’s authority, mandate and program activities can be found in the Departmental Performance Report and the Report on Plans and Priorities.

1.2 Financial highlights

You can view the Financial statements (audited by the Office of the Auditor General of Canada) of the OPC for fiscal-year 2011-2012. Information can also be found in the Public Accounts of Canada.

  • Total expenses were $28.4M. Salaries and benefits comprised the majority of expenses (60% or $17.1M for 160 employees).
  • Tangible capital assets comprise 31% of departmental total assets ($4.5M). Accounts payable and accrued liabilities comprise over 50% of total liabilities ($5.4M).
  • The Office is headquartered in Ottawa with one office in Toronto. There is a centralized finance and accounting function in Ottawa under the leadership of the Chief Financial Officer; however, the regional office records commitments.
  • The Office utilizes the Free Balance© financial system. This system interfaces with a salary forecasting system (Performance Budgeting for Human Capital – PBHC) to support the management of salary expenditure and forecast.

1.3 Audited financial statements

Financial statements of the Office were audited for the first time for the fiscal year ending March 2004. Since then the Office has always received an unqualified audit opinion from the Office of the Auditor General (OAG).

1.4 Service arrangements relevant to financial statements

The Office relies on other organizations for the processing of certain transactions that are recorded in its financial statements:

  • Public Works and Government Services Canada (PWGSC) centrally administers the payments of salaries.
  • Treasury Board Secretariat (TBS) provides information used to calculate various accruals and allowances, such as the accrued severance liability.

1.5 Material changes in fiscal-year 2011-2012

Changes impacting the Financial Resources

No significant changes that are relevant to the financial statements occurred in 2011-2012. During the reporting period, the Office continued to assess and improve the system of ICFR. However, the total authorities available between 2010–2011 and 2011–2012 have increased by $2.2M. This net increase is related to funding received following the Royal Assent of Canada’s anti-spam law in December 2010. The increased funds were earmarked to deal with the new investigative workload resulting from the passage of Canada’s anti-spam law.

2. The Office’s control environment relevant to ICFR

The Office recognizes the importance of setting the tone from the top to help ensure that staff at all levels understand their roles in maintaining effective systems of ICFR and are well equipped to exercise these responsibilities effectively. The Office’s focus is to ensure risks are managed well through a responsive and risk-based control environment that enables continuous improvement and innovation.

2.1 Key positions, roles and responsibilities relative to ICFR

Below are the Office’s key positions and committees with responsibilities for maintaining and reviewing the effectiveness of its system of ICFR.

Commissioner – The Office’s Commissioner has the duties of a Deputy Head. As the Accounting Officer, the Commissioner assumes overall responsibility and leadership for the measures taken to maintain an effective system of internal control. The Commissioner is assisted by an Assistant Commissioner. In this role, the Commissioner chairs the Senior Management Committee (SMC) and meets regularly as a member of the Office Audit Committee.

Chief Financial Officer (CFO) – The Office’s CFO reports directly to the Commissioner and provides leadership for the coordination, coherence and focus on the design and maintenance of an effective and integrated system of ICFR, including its annual assessment.

Senior Managers – The Office’s senior managers in charge of program delivery are responsible for maintaining and reviewing the effectiveness of the system of ICFR falling within their mandate.

Chief Audit Executive (CAE) – As specified in the TB Policy on Internal Audit, the Office is required to have an appropriate internal audit capacity. Given that the Office is a small entity, the CAE is also the Chief Financial Officer (CFO).

The integrity of the internal audit function is assured through the following mechanisms:

  • Contracted audit professionals are engaged to develop the OPC risk-based internal annual audit plan and to audit the OPC programs and management processes and practices. Audit products from the contracted resources are to be labeled under the auditors’ letterhead to show their independence. Auditors are provided with access to all OPC records, databases, workplaces and employees, and the right to obtain information and explanations from OPC employees and contractors;
  • The Committee reviews and recommends for approval the risk-based internal audit plan, and the Commissioner approves the plan; and
  • A direct reporting line is established between the contracted audit professionals, and both the Commissioner and the Committee. This way, the auditors present their audit findings directly to the Commissioner and Committee and are not required to first go through the CAE when audit findings relate to corporate services and all other areas for which this position has responsibility.

The CAE remains responsible and accountable to ensure the integrity of the Internal Audit function.

The Audit Committee (AC) – The Audit Committee is an essential component of the internal audit regime established within OPC and provides objective advice and recommendations to the Commissioner regarding the sufficiency, quality and results of assurance on the adequacy and functioning of the department's risk management, control and governance frameworks and processes (including accountability and auditing systems). This work supports the Commissioner in her role as OPC’s accounting officer before Parliament. The AC is comprised of two (2) external members, one of whom is the chair. The Privacy Commissioner sits on the Committee as an ex-officio member. The CAE/CFO attends all committee meetings.

Senior Management Committee (SMC) – As the Office’s central decision-making body, the SMC reviews, approves and monitors the Corporate Risk Profile and the departmental system of internal control, including the assessment and action plans relating to the system of ICFR.

2.2 Key measures taken by the Office

The Office has a comprehensive internal control framework over financial transactions. This framework follows the expenditure management process of the federal government from the initial policy approval of programs through the budgeting process to final program payments and post payment audits.

The Office's control environment also includes a series of measures to enable its staff to manage risks well through raising awareness, providing appropriate knowledge and tools as well as developing skills. Key measures include:

  • A Champion of Values and Ethics, the Office’s values and ethics code of the Public Sector (April 2nd, 2012);
  • Annual performance agreements with senior managers clearly set out financial management responsibilities;
  • Formal training program and communications in core areas of financial management;
  • Office policies tailored to its control environment;
  • Human resources management plan and policies that support learning and succession planning;
  • Information technology (IT) strategic and operational plans to ensure greater security, integrity, efficiency and effectiveness, including annual threat risk assessment;
  • Active monitoring and enhanced reporting on results;
  • Periodically updated delegation of financial signing authorities matrix; and
  • The preparation and implementation of an annual risk-based audit plan.

3. Assessment of the Office’s system of ICFR

Financial statements of the Office have been audited by the Office of the Auditor General for eight (8) years. In parallel, senior management has been providing increased focus on formalizing its approach to the management and on-going maintenance of its systems of ICFR with the objective to support continuous improvement.

As a further step, and consistent with the Treasury Board Policy on Internal Control, the Office is continuously implementing and enhancing a more systemic risk-based and multi-year assessment plan of the design and operating effectiveness of its system of ICFR.

3.1 Assessment baseline

To determine the scope of the initiative, a scoping and planning exercise was undertaken to identify key business processes, entity level control areas and general computer control areas. During planning and scoping, both quantitative and qualitative factors were considered. Business processes are defined as the specific processes supporting the treatment of financial transactions. The following seven business processes were identified: Payroll, Operating and Maintenance expenses, Receivables, Capital assets, Contributions, Budgeting and Forecasting and Financial Close over Reporting.

Entity level controls are defined as the overarching controls of the organization that set the “tone from the top”. The following five entity level control areas were identified: Values & Ethics, Governance & Accountability, Competency of Financial Staff, Financial Management, and Communication.

General computer controls are defined as controls over the core financial systems and IT infrastructure used across the organization and which support financial transactions. The Office is responsible for assessing effectiveness of all the key IT general controls for systems that it fully manages.

Where the Office relies on external systems from other government departments (i.e. Regional Pay System and Central Financial Management Reporting System (CFMRS)), the self-assessment will be limited to components of the systems that are controlled by the Office, such as the access controls. The service providers in the other government departments (OGD) are responsible for the internal control self-assessment on the systems they maintain for the Office.

These control areas are the baseline by which the Office developed its three-year self-assessment plan. This three-year plan will be reviewed and updated on an annual basis to reflect changes in the control environment.

3.2 Assessment elements

In support of the implementation of the Policy on Internal Control (PIC), the Office has taken measures to assess its system of ICFR, starting from its financial statements, with a focus on developing frameworks for its key business processes. For this, the Office gathered information and mapped out these key processes with the identification and documentation of key risk and control points on the basis of materiality, volume, complexity and susceptibility to losses/frauds, areas subject to audit observations and past history.

Design effectiveness assessment – Through design effectiveness assessment, the Office will ensure that key controls relevant to ICFR have been properly identified, documented, implemented and that they are aligned with the risk that they aim to mitigate and that any remediation is addressed appropriately and in a timely manner. The assessment activities include documentation and mapping of key business processes or IT systems, identification of key risks and the internal controls implemented to mitigate these risks, and a walk-through to assess the design effectiveness of the internal controls.

Operating effectiveness assessment – Through operating effectiveness assessment, the Office will ensure that the application of key controls over financial reporting has been tested over a defined period and they are working as intended. The assessment activities include performing a sample test of transactions to determine whether the documented procedures and internal control measures are being followed.

On-going monitoring program – Through an on-going monitoring program, the Office will ensure that a systematic integrated approach to monitoring is in place, including periodic risk-based assessments and timely remediation. Instructions will be issued internally to the appropriate managers related to any deficiencies identified during the continuous monitoring assessment. The manager will be required to address appropriate action(s) and remediate the deficiencies in a timely manner.

4. The Office’s assessment results as of March 31, 2012

During 2011-2012, the Office continued to develop documentation on design effectiveness of its system of ICFR with the main focus on the following processes:

  • Development of a commonly understood and convergent oversight framework that will strengthen the governance regime of the Office and will provide a robust structure through which the Office can demonstrate appropriate coverage and oversight of its operations.
  • Identification of key controls as an integrated part of the financial systems in relation to processes and procedures for procure to pay.
  • Continuing to develop and update documentation on control environment.
  • Development of documentation for the contribution program.
  • Development of documentation on the planning budgeting process.

4.1 Design effectiveness of key controls

Design effectiveness is not static. Therefore as policies, systems and procedures are amended, the design effectiveness of the key controls is reassessed and modified accordingly. This ensures compliance and that key controls are still appropriately aligned with the risks they aim to mitigate.

When completing design effectiveness testing, the Office updated business process documentation, validated key process with the stakeholders and verified whether the entity level controls are in place and correspond to actual practices. Remediation requirements were addressed as soon as necessary adjustments were identified. Design effectiveness also included ensuring appropriate alignment of each key control with risks.

The results from the design effectiveness testing identified the need for the following:

  • Continuous development of financial management tools such as policies, directives, and processes including on-going training and increased communication between financial staff, management and administrative community to share information vertically and horizontally.
  • Implementation of a consistent monitoring oversight to ensure strengthening of management practices through tracking and reporting.
  • Implementation of change management tools and processes to facilitate and improve communication and piloting of new processes and procedures in financial management.
  • Continued development and improvement of a Financial Control Framework.

4.2 Operating effectiveness of key controls

Operational effectiveness testing has not yet commenced and therefore no assessment results are available at this time.

When completing operating effectiveness testing, the Office will implement a risk-based testing approach and methodology that will identify key controls to be tested over a defined period of time, including the selection of a sample, the test period and the method and frequency of testing.

Operational effectiveness for Entity Level Controls, IT general controls, Business Process and Financial Reporting Controls will not commence until the associated remediation of design effectiveness has been implemented and sufficient time has passed to allow the controls to function for a portion of the fiscal year.

4.3 Ongoing monitoring program

The Office will continue to ensure that controls are effective over time and seek opportunities to strengthen its entity level controls, taking into account the initial assessment, as well as results from annual assessments and audits. This will involve developing and implementing a well-integrated monitoring program to raise awareness and understanding of the organization’s system of ICFR at all levels of the organization, equip staff with the knowledge, skills and tools needed to maintain a robust ICFR, and continue to assess the status of ICFR on an ongoing basis.

5. The Office’s action plan

5.1 Progress as of March 31, 2012

During 2011-2012 the Office continued to make significant progress in assessing and improving its key controls. Below is a summary of the main progress made by the Office.

The Office has completed work to address the following:

  • An increased procurement capacity and implementation of a contract review committee to ensure oversight of the function.
  • The launch of the Office’s values and ethics code of the Public Sector (April 2nd, 2012).
  • An increased and improved budgeting capacity to promote a better challenge function.
  • Formal training in financial management to all staff and managers involved in financial management.
  • Development of documentation, implementation and configuration of automated pay load process in financial systems.

The Office has substantially advanced work to address the following necessary adjustments:

  • Alignment of key internal controls to risks (test of design) under budgeting, monitoring and procurement functions.
  • Standardization of the processes and procedures to maintain master vendor records.
  • Development of a financial control framework.
  • Development of related financial directives, processes and detailed desk procedures for finance staff as well as for the managers and administrative community.

The Office has commenced or partially completed work to address the following necessary adjustments:

  • Identified Entity Level controls and related documentation.
  • Identified IT general controls and related documentation.

5.2 Action plan for the next fiscal year and future years

Building on progress to date, the Office has developed a multi-year plan to fully implement the requirements of the Policy on Internal Control.

The action plan below highlights the progress that the department will be making in completing the assessment of the effectiveness of the Office system of ICFR:

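Elements in action plan 2012-2013

|                                                | Documentation | Design Effectiveness | Operating effectiveness | Ongoing Monitoring |
|------------------------------------------------|---------------|----------------------|-------------------------|--------------------|
| Entity Level Controls                          |               |                      |                         |                    |
| Control Environment                            | x             | x                    |                         | x                  |
| IT General Controls                            |               |                      |                         |                    |
| Financial Systems                              | x             |                      |                         | x                  |
| Business Process, Financial Reporting Controls |               |                      |                         |                    |
| Payroll                                        |               |                      | x                       | x                  |
| Operating & maintenance expenses               |               |                      | x                       | x                  |
| Contribution                                   |               |                      |                         | x                  |
| Capital Assets                                 |               |                      | x                       | x                  |
| Budget & Forecast                              |               |                      |                         | x                  |
| Financial Close                                |               |                      | x                       | x                  |

Elements in action plan 2013-2014

|                                                | Documentation | Design Effectiveness | Operating effectiveness | Ongoing Monitoring |
|------------------------------------------------|---------------|----------------------|-------------------------|--------------------|
| Entity Level Controls                          |               |                      |                         |                    |
| Control Environment                            |               |                      | x                       | x                  |
| IT General Controls                            |               |                      |                         |                    |
| Financial Systems                              |               | x                    |                         | x                  |
| Business Process, Financial Reporting Controls |               |                      |                         |                    |
| Payroll                                        |               |                      |                         | x                  |
| Operating & maintenance expenses               |               |                      |                         | x                  |
| Contribution                                   |               |                      | x                       | x                  |
| Capital Assets                                 |               |                      |                         | x                  |
| Budget & Forecast                              |               |                      | x                       | x                  |
| Financial Close                                |               |                      |                         | x                  |

Elements in action plan 2014-2015

|                                                | Documentation | Design Effectiveness | Operating effectiveness | Ongoing Monitoring |
|------------------------------------------------|---------------|----------------------|-------------------------|--------------------|
| Entity Level Controls                          |               |                      |                         |                    |
| Control Environment                            |               |                      |                         | x                  |
| IT General Controls                            |               |                      |                         |                    |
| Financial Systems                              |               |                      | x                       | x                  |
| Business Process, Financial Reporting Controls |               |                      |                         |                    |
| Payroll                                        |               |                      |                         | x                  |
| Operating & maintenance expenses               |               |                      |                         | x                  |
| Contribution                                   |               |                      |                         | x                  |
| Capital Assets                                 |               |                      |                         | x                  |
| Budget & Forecast                              |               |                      |                         | x                  |
| Financial Close                                |               |                      |                         | x                  |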