Audited Financial Statements 2014-2015
Office of the Privacy Commissioner of Canada
Unaudited 2014-15 annex to the statement of management responsibility, including internal control over financial reporting
This document provides summary information on the measures taken by the Office of the Privacy Commissioner of Canada (The Office) to maintain an effective system of internal control over financial reporting, including information on internal control management, assessment results and related action plans.
2. The Office’s system of internal control over financial reporting
2.1 Internal control management
The Office has a well-established governance and accountability structure to support the assessment efforts and oversight of its system of internal control. A documented financial management internal control framework has been developed and presented to the Commissioner and CFO for approval in the 2014-15 year. Key elements of the framework include the following:
- Organizational accountability structures as they relate to internal control management to support sound financial management, including roles and responsibilities of senior managers in their areas of responsibility for control management;
- Values and ethics;
- Ongoing communication and training on statutory requirements, and policies and procedures for sound financial management and control; and
- At least annual monitoring of and regular updates on internal control management, as well as the provision of related assessment results and action plans to the Commissioner and the Office’s senior management and, as applicable, the Office’s Audit Committee.
- The Office strives for strong controls including IT General Controls (ITGC). However, following the move of the Office from Ottawa to Gatineau, a back-up drive that contained data from the Performance Budgeting for Human Capital (PBHC) system was lost. The Office has immediately reviewed its security controls and actions have been and continue to be taken to address any weaknesses. A threat risk assessment will be performed on all IT related systems for the new location and the ITGC will be reviewed and finalized accordingly.
The Office’s Audit Committee provides advice to the Commissioner on the adequacy and functioning of the Office's risk management, control and governance frameworks and processes.
2.2 Service arrangements relevant to financial statements
The Office relies on other organizations for the processing of certain transactions that are recorded in its financial statements as follows.
- Public Works and Government Services Canada centrally administers the payments of salaries and the procurement of goods and services in accordance with the Office’s Delegation of Authority, and provides the costs of accommodation for inclusion in the financial statements as "Common services provided without charge";
- The Treasury Board of Canada Secretariat provides the Office with information used to calculate various accruals and allowances, such as the accrued severance liability; and
- The Office of the Auditor General provides audit services to the Office.
- Shared Services Canada provides information technology (IT) infrastructure services to the Office in the areas of internet connectivity and email security. The scope and responsibilities are addressed in the interdepartmental arrangement between Shared Services Canada and the Office.
- For the purposes of the Financial Administration Act, the Office and the Office of the Information Commissioner (OIC) submit their trial balances jointly to the Receiver General.
- The Office does not contract external service providers to administer programs on his behalf or to capture and report financial transactions.
- It is to be noted that the OPC joined the Integrated Financial System cluster group (GX) on April 1, 2015, thus replacing its Free Balance legacy system. The OPC signed an MOU with the Commission of Human Rights of Canada (CHRC) for the purchase of services related to the payment of its invoices.
3. The Office’s assessment results during fiscal year 2014-15
During 2014-15, the Office continued to improve documentation relating to design effectiveness and operating effectiveness of its system of ICFR.
3.1 Design effectiveness testing of key controls
In 2014-15, the Office tested the design effectiveness of several business processes namely; for the closing and reporting process including revenues and account receivables, the IT General Controls (ITGCs), the budgeting and forecasting process, the contributions process and the reliability of Section 33 of the FAA over the salary and benefits transactions. The positive results achieved while conducting the design effectiveness testing has enabled us to pursuit with the operating effectiveness testing of the same processes. See Section 3.2 below for further details.
3.2 Operating effectiveness testing of key controls
The Office established its testing strategy for the design and operational effectiveness of the key controls based on risk for the organization as we as on the dedicated resources which are limited within a small size Agency such as OPC.
In 2014-15, the Office has performed the design and operational testing of the five processes listed above. Remediation action plans of key control deficiencies are currently underway.
As a result of the operating effectiveness testing, the office has identified the following areas for improvement: the access management to the various systems must be done in a more rigorous fashion and should be reviewed periodically, the OPC should keep tangible evidences demonstrating the approval of key documents/decisions; the OPC should be consistent in reviewing some monthly system’s reconciliations and the OPC should use the control tools in a more consistent manner (for example: the checklists).
3.3 Ongoing monitoring program
The Office continues to ensure that controls are effective over time and seek opportunities to strengthen its key financial control activities, taking into account results from annual assessments and audits. This involves developing and implementing a well-integrated monitoring program to raise awareness and understanding of the organization’s system of ICFR at all levels of the organization, equip staff with the knowledge, skills and tools needed to maintain a robust ICFR, and continue to assess the status of ICFR on an ongoing basis.
In 2014-15, the Office planned to formalize its risk-based testing and monitoring plan for documenting key controls as well as conducting design effectiveness testing and operating effectiveness testing of its key business processes. This plan was finalized in June 2015 and provides a road map of the Office’s ICFR activities over a 3 year rotational cycle.
4. The Office’s action plan
4.1 Progress during fiscal year 2014-15
During 2014-15, the Office continued to make progress in assessing and improving its key controls. The following table summarizes the Office's progress based on the plans identified in the previous fiscal year's annex.
Progress during fiscal year 2014-15
|Key control areas||Design effectiveness testing and remediation||Operational effectiveness testing||Ongoing monitoring rotation|
|Financial Close and Reporting including revenue and account receivables||2014-2015||2014-2015||2015-2016|
|Budgeting & Forecasting||2014-2015||2014-2015||2017-2018|
|Pay and Benefits reliability of section 33 of the FAA||2014-2015||2014-2015||2015-2016|
4.2 Status and action plan for the next fiscal year and subsequent years
As an Agent of Parliament, the Commissioner of the Office is solely responsible for Office’s compliance with the Policy of Internal Control and other TB policy instruments and for responding to any instance of non-compliance. Therefore, the Commissioner and senior managers are committed to sustaining and continuously improving its effective system of ICFR, including carrying out ongoing monitoring to ensure that the key controls meet the expectations of management and stakeholders, and appropriately mitigate associated risks.
In 2015-16, the Office will conduct the following:
The Design effectiveness testing and operating effectiveness testing for the 1) Entity Level Controls, 2) Financial Close and Reporting including Revenues and Account Receivable , 3) the Capital Assets process and 4) the testing of the reliability of section 33 of the FAA for salary and benefits transactions.
Status and Action Plan for the Next Fiscal Year and Subsequent Years
|Business Process||Design effectiveness testing and remediation||Operational effectiveness testing||Ongoing monitoring rotation|
|Entity Level Controls||2015-2016||2015-2016||Every three years|
|ITGCs||2016-2017||2016-2017||Every two years|
|Pay and Benefits||2016-2017||2016-2017||Every two years|
|Procure to Payment||2016-2017||2016-2017||Every three years|
|Capital Assets||2015-2016||2015-2016||Every three years|
|Financial Close and Reporting including revenue and account receivables||2015-2016||2015-2016||Every years|
|Budgeting & Forecasting||2014-2015||2014-2015||Every three years|
|Contributions||2014-2015||2014-2015||Every three years|
|Testing of the reliability of section 33 of the FAA for salary and benefits transactions||2015-2016||2015-2016||Every year|
- Date modified: