Audited Financial Statements 2012-2013
Office of the Privacy Commissioner of Canada
Unaudited 2012-2013 annex to the statement of management responsibility, including internal control over financial reporting
Note to the reader
With the new Treasury Board Policy on Internal Control, effective April 1, 2009, departments (note: departments include all Federal Entities) are now required to demonstrate the measures they are taking to maintain an effective system of internal control over financial reporting (ICFR).
As part of this policy, departments are expected to conduct annual assessments of their system of ICFR, establish action plan(s) to address any necessary adjustments, and to attach to their Statements of Management Responsibility a summary of their assessment results and action plan.
Effective systems of ICFR aim to achieve reliable financial statements and to provide assurances that:
- Transactions are appropriately authorized
- Financial records are properly maintained
- Assets are safeguarded from risks such as waste, abuse, loss, fraud and mismanagement
- Applicable laws, regulations and policies are complied with
It is important to note that the system of ICFR is not designed to eliminate all risks, but rather to mitigate risk to a reasonable level with controls that are balanced with and proportionate to the risks they aim to mitigate.
The maintenance of an effective system of ICFR is an ongoing process designed to identify key risks, assess the effectiveness of associated key controls and adjust them as required, as well as to monitor its performance in support of continuous improvement. As a result, the scope, pace and status of those departmental assessments of the effectiveness of their system of ICFR will vary from one organization to the other based on risks and taking into account their unique circumstances.
The system of ICFR is designed to mitigate risks to a reasonable level based on an on-going process to identify key risks, to assess effectiveness of associated key controls, and to make any necessary adjustments.
This document is attached to the Office of the Privacy Commissioner of Canada Statement of Management Responsibility Including Internal Control over Financial Reporting for the fiscal year ended March 31, 2013. As required by the Treasury Board Policy on Internal Control (PIC), this document provides summary information on the measures taken by the Office of the Privacy Commissioner of Canada (the Office) to maintain an effective system of internal control over financial reporting (ICFR). In particular, it provides summary information on the assessments conducted by the Office as at March 31, 2013, including progress, results and related action plans along with some financial highlights pertinent to understanding the control environment unique to the Office.
1.1 Authority, Mandate and Program Activities
1.2 Financial highlights
- Total expenses were $28.1M. Salaries and benefits comprised the majority of expenses (68% or $19.1M for 173 employees).
- Tangible capital assets comprise 34% of departmental total assets ($4.3M). Accounts payable and accrued liabilities comprise over 48% of total liabilities ($4.6M).
- The Office is headquartered in Ottawa with one office in Toronto. There is a centralized finance and accounting function in Ottawa under the leadership of the Chief Financial Officer; however, the regional office records commitments.
- The Office utilizes the Free Balance© financial system. This system interfaces with a salary forecasting system (Performance Budgeting for Human Capital – PBHC) to support the management of salary expenditure and forecast.
1.3 Audited financial statements
Financial statements of the Office were audited for the first time for the fiscal year ending March 2004. Since then the Office has always received an unqualified audit opinion from the Office of the Auditor General (OAG).
1.4 Service arrangements relevant to financial statements
The Office relies on other organizations for the processing of certain transactions that are recorded in its financial statements:
- Public Works and Government Services Canada centrally administers the payment of salaries as well as the payment of invoices to suppliers through the Standard Payment System. It also provides the costs of accommodation for inclusion in the financial statements as "Common services provided without charge".
- Treasury Board Secretariat (TBS) provides information used to calculate various accruals and allowances, such as the accrued severance liability.
- The Office of the Auditor General provides audit services to OPC.
1.5 Material changes in fiscal-year 2012-2013
No significant changes that are relevant to the financial statements occurred in 2012-2013. During the reporting period, the Office continued to assess and improve the system of ICFR. OPC’s governance structure ensures that maintaining effective systems of ICFR is a corporate priority. Staff are well equipped to exercise their roles and responsibilities effectively. OPC’s focus is to ensure risks are managed well through a responsive and risk-based control environment that enables continuous improvement and innovation.
The Office recognizes the importance of setting the tone from the top to help ensure that staff at all levels understand their roles in maintaining effective systems of ICFR and are well equipped to exercise these responsibilities effectively. The Office’s focus is to ensure risks are managed well through a responsive and risk-based control environment that enables continuous improvement and innovation.
2.1 Key positions, roles and responsibilities relative to ICFR
Below are the Office’s key positions and committees with responsibilities for maintaining and reviewing the effectiveness of its system of ICFR.
Commissioner – The Office’s Commissioner has the duties of a Deputy Head. As the Accounting Officer, the Commissioner assumes overall responsibility and leadership for the measures taken to maintain an effective system of internal control. The Commissioner is assisted by an Assistant Commissioner. In this role, the Commissioner chairs the Senior Management Committee (SMC) and meets regularly as a member of the Office Audit Committee.
Chief Financial Officer (CFO) – The Office’s CFO reports directly to the Commissioner and provides leadership for the coordination, coherence and focus on the design and maintenance of an effective and integrated system of ICFR, including its annual assessment.
Senior Managers – The Office’s senior managers in charge of program delivery are responsible for maintaining and reviewing effectiveness of their system of ICFR falling within their mandate.
Chief Audit Executive (CAE) – As specified in the TB Policy on Internal Audit, the Office is required to have an appropriate internal audit capacity. Given that the Office is a small entity, the CAE is also the Chief Financial Officer (CFO).
The integrity of the internal audit function is assured through the following mechanisms:
- Contracted audit professionals are engaged to develop the OPC risk-based internal annual audit plan and to audit the OPC programs and management processes and practices. Audit reports are posted on the OPC Website. Auditors are provided with access to OPC records as required and the right to obtain information and explanations.
- The Audit Committee reviews and recommends for approval, the risk-based internal audit plan, and the Commissioner approves the plan; and
- A direct reporting line is established between the contracted audit professionals, and both the Commissioner and the Audit Committee. This way, the auditors present their audit findings directly to the Commissioner and Audit Committee and are not required to first go through the CAE when audit findings relate to corporate services and all other areas for which this position has responsibility.
The CAE remains responsible and accountable to ensure the integrity of the Internal Audit function.
The Audit Committee (AC) – The Audit Committee is an essential component of the internal audit regime established within OPC and provides objective advice and recommendations to the Commissioner regarding the sufficiency, quality and results of assurance on the adequacy and functioning of the department's risk management, control and governance frameworks and processes (including accountability and auditing systems). This work supports the Commissioner in her role as OPC’s accounting officer before Parliament. The AC is composed of two (2) external members, one of whom is the chair. The Privacy Commissioner sits on the Committee as an ex-officio member. The CAE/CFO attends all committee meetings.
Senior Management Committee (SMC) – As the Office’s central decision-making body, the SMC reviews, approves and monitors the Corporate Risk Profile and the departmental system of internal control, including the assessment and action plans relating to the system of ICFR.
2.2 Key measures taken by the Office
The Office has a comprehensive internal control framework over financial transactions. This framework follows the expenditure management process of the federal government from the initial policy approval of programs through the budgeting process to final program payments and post payment audits.
The Office's control environment also includes a series of measures to enable its staff to manage risks well through raising awareness, providing appropriate knowledge and tools as well as developing skills. Key measures include:
- A Champion of Values and Ethics and the Office’s values and ethics code of the Public Sector;
- Annual performance agreements with senior managers clearly set out financial management responsibilities;
- Formal training program and communications in core areas of financial management;
- Office policies tailored to its control environment;
- Human resources management plan and policies that support learning and succession planning;
- Staff in key financial management positions hold accounting designations;
- Information technology (IT) strategic and operational plans to ensure greater security, integrity, efficiency and effectiveness, including annual threat risk assessment;
- Active monitoring and enhanced reporting on results;
- The financial delegation instrument is updated regularly;
- Financial delegations are given only once managers have successfully completed the mandatory Authority Delegation Training; and
- The risk-based audit plan is updated annually.
Financial statements of the Office have been audited by the Office of the Auditor General, with successive clean opinions maintained since 2004-05. In parallel, senior management has been providing increased focus on formalizing its approach to the management and on-going maintenance of its systems of ICFR with the objective to support continuous improvement.
3.1 Assessment baseline
The Office maintains an effective system of ICFR with the objectives to provide reasonable assurance that:
- transactions are appropriately authorized;
- financial records are properly maintained;
- assets are safeguarded from risks such as waste, abuse, loss, fraud, and/or mismanagement; and
- applicable laws, regulations and policies are complied with.
To determine the scope of the initiative, a scoping and planning exercise was undertaken to identify key business processes, entity level control areas and general computer control areas. During planning and scoping, both quantitative and qualitative factors were considered. Business processes are defined as the specific processes supporting the treatment of financial transactions. The following seven business processes were identified: Payroll, Operating Maintenance expenses, Receivables, Capital assets, Contributions, Budgeting and Forecasting and Financial Close over Reporting.
Entity level controls are defined as the overarching controls of the organization that set the “tone from the top”. The following five entity level control areas were identified: Values & Ethics, Governance & Accountability, Competency of Financial Staff, Financial Management, and Communication.
General computer controls are defined as controls over the core financial systems and IT infrastructure used across the organization and which support financial transactions. The Office is responsible for assessing effectiveness of all the key IT general controls for systems that it fully manages.
Where the Office relies on external systems from other government departments (i.e. Regional Pay System and Central Financial Management Reporting System (CFMRS)), the self-assessment will be limited to components of the systems that are controlled by the Office, such as the access controls. The service providers in the other government departments (OGD) are responsible for the internal control self-assessment on the systems they maintain for the Office.
3.2 Assessment elements
As part of the requirements of the Treasury Board’s Policy on Internal Control, the Office is to assess both the design and operating effectiveness of key controls over financial reporting and ensure the on-going monitoring and continuous improvement of OPC’s system of ICFR.
Design effectiveness assessment is the assurance that key control points are in place and that they are identified, documented, and aligned with the risks (i.e. controls are balanced with and proportionate to the risks they aim to mitigate). This includes the mapping of key processes to the main accounts.
Operating effectiveness assessment means that key controls have been tested over a defined period and that any remediation is addressed.
On-going monitoring means that a systematic integrated approach to monitoring is in place, including periodic risk-based assessment and timely remediation.
Finally, the Office will take into account new information available from recent audits or evaluations.
During 2012-2013, the Office continued to improve documentation on design effectiveness of its system of ICFR.
4.1 Design effectiveness of key controls
Design effectiveness is not static. Therefore as policies, systems and procedures are amended, the design effectiveness of the key controls is reassessed and modified accordingly. This ensures compliance and that key controls are still appropriately aligned with the risks they aim to mitigate.
The Office continued to develop financial management tools and increased communication between financial staff, management and the administrative community to share information vertically and horizontally, along with consistent monitoring oversight to strengthen management practices through tracking and reporting, and the use of change management.
4.2 Operating effectiveness of key controls
The Office had two business processes audited in 2011-2012 and 2012-2013. Recommendations resulting from the audit on financial resource management have all been implemented. Recommendations resulting from the audit on procurement will be implemented as per the action plan.
Testing of the effectiveness of some key processes has been completed in 2012-13. The capital assets process was tested to facilitate the implementation of any issues arising from the findings before the move of the Office to another location late in 2013-14. The findings were mostly related to equipment not being tagged properly, accurately and regularly. Procedures and further monitoring have been put in place to address this issue and integrated in the design. The procure to pay process was tested as well and minor findings were addressed in the design.
The Office needs to formalize the risk-based plan for testing the effectiveness of the business process controls. This plan will capture assessment, monitoring and testing efforts to date.
4.3 Ongoing monitoring program
The Office will continue to ensure that controls are effective over time and seek opportunities to strengthen its entity level controls, taking into account the initial assessment, as well as results from annual assessments and audits. This will involve developing and implementing a well-integrated monitoring program to raise awareness and understanding of the organization’s system of ICFR at all levels of the organization, equip staff with the knowledge, skills and tools needed to maintain a robust ICFR, and continue to assess the status of ICFR on an ongoing basis.
5.1 Progress as of March 31, 2013
During 2012-2013, the Office continued to strengthen its key controls. The following is a summary and status of a number of initiatives undertaken to address observations from the previous year's ICFR assessment.
- The Office has reviewed the Procurement and Capital Assets business process based on findings arising from the testing of effectiveness.
- Key month-end and year-end accounting processes and procedures were reviewed and updated to ensure appropriate documentation of controls.
- A Material Management Directive was nearly completed at the end of March and was implemented in June 2013. This directive will clarify, among other things, the roles and responsibilities and processes related to the management of assets and other material, including the coordination of the material management process, the maintenance of records, and the custody and safeguard of assets.
- The Instrument of Delegation of Financial Authorities was modified to reflect recent changes to TB policy instruments.
- A self-assessment of the Entity level controls was mostly completed at the end of March. Proof of evidence will be finalized in 2013-14 and a final product presented to the OPC Senior Management Committee and the Internal Audit Committee.
- The IT general controls were identified and an analysis was initiated. The evidence will be gathered and the ITGC finalized in 2013-14.
- OPC has initiated the drafting of a directive on the management of Vendor Master Records and anticipates its approval and implementation during 2013-2014. It will manage the creation, maintenance and inactivation of vendor records and quality and consistency of reporting. A related initiative has been started by the Office of the Comptroller General’s working group to develop a standard on vendor record for the Government of Canada.
- Users' access profiles of the Office's financial systems are being reviewed to enhance segregation of duties, which is always a challenge for a small organization.
5.2 Action plan for future years
As an Agent of Parliament, the Commissioner of the Office is solely responsible for OPC’s compliance with the Policy on Internal Control and other TB policy instruments and for responding to any instance of non-compliance. Therefore, the Commissioner and senior managers are committed to sustaining and continuously improving OPC’s effective system of ICFR, including carrying out ongoing monitoring to ensure that the key controls meet the expectations of management and stakeholders, and appropriately mitigate associated risks.
In 2013-2014, the Office will:
- Perform testing of key controls with particular focus on the payroll process.
- Develop a control process for the management of the contribution program and test key controls.
- Address emerging changes such as paperless environment and adapt processes and controls.
- Consider the new shared services environment in the assessment of ICFR.
In 2014-2015, OPC plans to:
- Review its control environment relevant to ICFR, which includes improving the documentation and testing of identified key controls, such as updating flowcharts that will complement and simplify the understanding of the narrative descriptions.
- Develop and establish a formal process of continuous monitoring of ICFR. This may include putting cycles on a rotational review, with an in-depth review of one cycle being performed annually and walkthroughs of the other cycles being done during the same year.
- Follow up on progress made in any areas identified for improvement in previous years.
Finally, the Commissioner and senior managers will be making themselves available to parliamentary committees that may wish to discuss the system of internal control at OPC or for Agents of Parliament in general.