Audited Financial Statements 2013-2014
Office of the Privacy Commissioner of Canada
Unaudited 2013-14 annex to the statement of management responsibility, including internal control over financial reporting
This document provides summary information on the measures taken by the Office of the Privacy Commissioner of Canada (The Office) to maintain an effective system of internal control over financial reporting, including information on internal control management, assessment results and related action plans.
2.1 Internal control management
The Office has a well-established governance and accountability structure to support the assessment efforts and oversight of its system of internal control. A documented financial management internal control framework is currently being developed and will be presented to the Commissioner and CFO for approval in the 2014-15 year. Key elements of the framework include the following:
- Organizational accountability structures as they relate to internal control management to support sound financial management, including roles and responsibilities of senior managers in their areas of responsibility for control management;
- Values and ethics;
- Ongoing communication and training on statutory requirements, and policies and procedures for sound financial management and control; and
- At least annual monitoring of and regular updates on internal control management, as well as the provision of related assessment results and action plans to the Commissioner and the Office’s senior management and, as applicable, the Office’s Audit Committee.
- The Office strives for strong controls including IT General Controls (ITGC). However, following the move of the Office from Ottawa to Gatineau, a back-up drive that contained data from the Performance Budgeting for Human Capital (PBHC) system was lost. The Office has immediately reviewed its security controls and actions have been and continue to be taken to address any weaknesses. A threat risk assessment will be performed on all IT related systems for the new location and the ITGC will be reviewed and finalized accordingly.
The Office’s Audit Committee provides advice to the Commissioner on the adequacy and functioning of the Office's risk management, control and governance frameworks and processes.
2.2 Service arrangements relevant to financial statements
The Office relies on other organizations for the processing of certain transactions that are recorded in its financial statements as follows.
- Public Works and Government Services Canada centrally administers the payments of salaries and the procurement of goods and services in accordance with the Office’s Delegation of Authority, and provides the costs of accommodation for inclusion in the financial statements as "Common services provided without charge";
- The Treasury Board of Canada Secretariat provides the Office with information used to calculate various accruals and allowances, such as the accrued severance liability; and
- The Office of the Auditor General provides audit services to the Office.
- Shared Services Canada provides information technology (IT) infrastructure services to the Office in the areas of internet connectivity and email security. The scope and responsibilities are addressed in the interdepartmental arrangement between Shared Services Canada and the Office.
- For the purposes of the Financial Administration Act, the Office and the Office of the Information Commissioner (OIC) submit their trial balances jointly to the Receiver General.
- The Office does not contract external service providers to administer programs on his behalf or to capture and report financial transactions.
During 2013-14, the Office continued to improve documentation relating to design effectiveness and operating effectiveness of its system of ICFR.
3.1 Design effectiveness testing of key controls
In 2013-14, the Office commenced design effectiveness testing of the payroll process. Operating effectiveness testing of key controls was also performed. See Section 3.2 below for further details.
3.2 Operating effectiveness testing of key controls
The Office needs to formalize the risk-based plan for testing the effectiveness of the business process controls. This plan will capture assessment, monitoring and testing efforts to date.
In 2013-14, the Office commenced operating effectiveness testing of its payroll process which was completed in June 2014. Remediation of key control deficiencies is currently underway and in accordance with the established action plan.
As a result of operating effectiveness testing, and considering the small size of the organization, the office identified the following required remediation: difficulty with segregation of duties for certain control activities; lack of complete documentation for some files; lack of consistency in review of some monthly system’s reconciliations; and the difficulty to obtain appropriate documentation for user system access testing.
3.3 Ongoing monitoring program
The Office continues to ensure that controls are effective over time and seek opportunities to strengthen its key financial control activities, taking into account results from annual assessments and audits. This involves developing and implementing a well-integrated monitoring program to raise awareness and understanding of the organization’s system of ICFR at all levels of the organization, equip staff with the knowledge, skills and tools needed to maintain a robust ICFR, and continue to assess the status of ICFR on an ongoing basis.
In 2013-14, the Office planned to formalize its risk-based testing and monitoring plan for documenting key controls as well as conducting design effectiveness testing and operating effectiveness testing of its key business processes. This plan was finalized in June 2014 and provides a road map of the Office’s ICFR activities over a 3 year rotational cycle.
4.1 Progress during fiscal year 2013-14
During 2013-14, the Office continued to make progress in assessing and improving its key controls. The following table summarizes the Office's progress based on the plans identified in the previous fiscal year's annex.
|Element in previous year's action plan||Status|
|Perform testing of key controls with particular focus on the payroll process.||Commenced in 2013-14 and completed June 2014.|
|Develop a control process for the management of the contribution program and test key controls.||Completed the development of the control process. Testing of key controls postponed to 2014-15.|
|Address emerging changes such as paperless environment and adapt processes and controls.||Completed.|
|Consider the new shared services environment in the assessment of ICFR.||Completed for 2013-14. This is an ongoing consideration.|
|A self-assessment of the Entity level controls was mostly completed at the end of March. Proof of evidence will be finalized in the 2013-14 and a final product presented to the Office Senior Management Committee and the Internal Audit Committee.||Completed and presented in June 2013.|
|The IT general controls (ITGC) were identified and an analysis was initiated. The evidence will be gathered and the ITGC finalized in the 2013-14.||Postponed to 2014-15 as the Office moved to a new building and waiting for Threat and Risk Assessment to be completed in 2014-15.|
|The Office has initiated the drafting of a directive on the management of Vendor Master Records and anticipates its approval and implementation during 2013-14. It will manage the creation, maintenance and inactivation of vendor records and quality and consistency of reporting. A related initiative has been started by the Office of the Comptroller General’s working group to develop a standard on vendor record for the Government of Canada.||Draft completed in April 2013; however, the directive is pending approval.|
4.2 Status and action plan for the next fiscal year and subsequent years
As an Agent of Parliament, the Commissioner of the Office is solely responsible for Office’s compliance with the Policy of Internal Control and other TB policy instruments and for responding to any instance of non-compliance. Therefore, the Commissioner and senior managers are committed to sustaining and continuously improving its effective system of ICFR, including carrying out ongoing monitoring to ensure that the key controls meet the expectations of management and stakeholders, and appropriately mitigate associated risks.
In 2014-15, the Office will conduct the following:
Design effectiveness testing, operating effectiveness testing for the financial close and reporting process, receivables, budgeting and forecasting, and ITGCs.
|Key control areas||Design effectiveness
testing and remediation
|Financial Close and Reporting||2014-15||2014-15||2015-16|
|Budgeting & Forecasting||2014-15||2014-15||Future years|
|Capital Assets||2015-16||2015-16||Future years|
|Procure to Payment||Completed||Completed||Future years|
|Entity-level Controls||2016-17||2016-17||Future years|
(1): Once the first round of testing has been completed, there may be further risk rankings of IT general control areas.
(2): Commitments beyond the next fiscal year are to be identified with the planned year of completion or, if currently unknown, as "future years"
Report a problem or mistake on this page
- Date modified: