Audited Financial Statements 2015-2016
Office of the Privacy Commissioner of Canada
Unaudited 2015-16 annex to the statement of management responsibility, including internal control over financial reporting
This document provides summary information on the measures taken by the Office of the Privacy Commissioner of Canada (The Office) to maintain an effective system of internal control over financial reporting, including information on internal control management, assessment results and related action plans.
Detailed information on the Office's authority, mandate and program activities can be found in the Office’s 2015-16 Performance Report and the 2015-16 Report on Plans and Priorities.
2. The Office’s system of internal control over financial reporting
2.1 Internal control management
The Office has a well-established governance and accountability structure to support the assessment efforts and oversight of its system of internal control. A documented financial management internal control framework has been developed and presented to the Commissioner and CFO for approval in the 2014-2015 year. Key elements of the framework include the following:
- Organizational accountability structures as they relate to internal control management to support sound financial management, including roles and responsibilities of senior managers in their areas of responsibility for control management;
- Values and ethics;
- Ongoing communication and training on statutory requirements, and policies and procedures for sound financial management and control; and
- At least annual monitoring of and regular updates on internal control management, as well as the provision of related assessment results and action plans to the Commissioner and the Office’s senior management and, as applicable, the Office’s Audit Committee.
The Office’s Audit Committee provides advice to the Commissioner on the adequacy and functioning of the Office's risk management, control and governance frameworks and processes.
2.2 Service arrangements relevant to financial statements
The Office relies on other organizations for the processing of certain transactions that are recorded in its financial statements as follows.
- Public Works and Government Services Canada centrally administers the payments of salaries and the procurement of goods and services in accordance with the Office’s Delegation of Authority, and provides the costs of accommodation for inclusion in the financial statements as “Common services provided without charge”;
- The Office of the Auditor General provides audit services to the Office;
- The Treasury Board of Canada Secretariat provides the Office with information used to calculate various accruals and allowances, such as the accrued severance liability;
- Shared Services Canada provides information technology (IT) infrastructure services to the Office in the areas of internet connectivity and email security. The scope and responsibilities are addressed in the interdepartmental arrangement between Shared Services Canada and the Office; and
- For the purposes of the Financial Administration Act, the Office and the Office of the Information Commissioner (OIC) submit their trial balances jointly to the Receiver General.
- The Office does not contract external service providers to administer programs on its behalf or to capture and report financial transactions.
- It is to be noted that the OPC joined the Integrated Financial System cluster group (GX) on April 1, 2015, thus replacing its Free Balance legacy system. The OPC signed an MOU with the Commission of Human Rights of Canada (CHRC) for the purchase of services related to the payment of its invoices.
3. The Office’s assessment results during fiscal year 2015-16
During 2015-16, the Office continued to improve documentation relating to design effectiveness and operating effectiveness of its system of ICFR.
3.1 Design effectiveness testing of key controls
In 2015-16, the Office tested its Entity Level Controls and performed design effectiveness testing of the month-end closing and reporting process and of the Assets process, including attractive items.
3.2 Operating effectiveness testing of key controls
The majority of OPC’s key controls related to Entity Level Controls were appropriately designed and effectively implemented to satisfy the COSO principles. A number of areas of strength were noted, including: Audit Committee independence and oversight; OPC’s reporting structure and established authorities; assessment of risk in regard to corporate objectives; deployment of policies and procedures; communication of internal control matters; and monitoring of corrective action. Of interest, 43 of 49 (88%) unique key controls were considered effective or effective with an opportunity for improvement.
One area was considered at risk: the absence of an assessment of outsourced service providers, and more specifically of the newly implemented GX system being managed by the Canadian Human Rights Commission (CHRC). At the time of the testing, there was a lack of clarity as to how OPC will obtain assurance that the GX system is operating effectively from an IT perspective. This was addressed in March 2016 when CHRC reported on the assessment of its system of ICFR by a third party, stating that “the assessment concluded that the ITGCs over the GX system for client’s purposes can be relied upon. In particular, IT management was assessed to be strong. Opportunities for improvement were identified in CHRC’s documentation of IT security as well as in application development and change management for GX”.
The OPC is following up with CHRC regarding the opportunities for improvement and the related action plan.
On the month-end closing and reporting process, the area for improvement related to the fact that OPC is relying on CHRC to perform the FAA Section 33 authority for OPC. The OPC is of the opinion that this risk is largely mitigated by the 100% post verification performed by Finance’s team and the Monthly Budget Review exercise conducted by each manager.
Regarding the Assets management process, some ineffective controls were identified, mostly concerning the segregation of duties, the excessive access controls to GX and Basset Pro, the timeliness of the monitoring and review of transactions, the lack of a formalized regular physical count, the lack of a process for Assets Under Construction (AUC), and the capitalization threshold, which is lower than the threshold of 10K noted in Treasury Board Accounting Standard (TBAS) 1.2 that is typically used by similar organizations. All of the recommendations were addressed and a plan of action was presented to senior management for approval.
3.3 Ongoing monitoring program
The Office continues to ensure that controls are effective over time and seek opportunities to strengthen its key financial control activities, taking into account results from annual assessments and audits. This involves developing and implementing a well-integrated monitoring program to raise awareness and understanding of the organization’s system of ICFR at all levels of the organization, equip staff with the knowledge, skills and tools needed to maintain a robust ICFR, and continue to assess the status of ICFR on an ongoing basis.
4. The Office’s action plan
4.1 Progress during fiscal year 2014-15
As an Agent of Parliament, the Commissioner of the Office is solely responsible for the Office’s compliance with the Policy of Internal Control and other TB policy instruments and for responding to any instance of non-compliance. Therefore, the Commissioner and senior managers are committed to sustaining and continuously improving the Office’s effective system of ICFR, including carrying out ongoing monitoring to ensure that the key controls meet the expectations of management and stakeholders, and appropriately mitigate associated risks.
In 2016-17, the Office will conduct the following:
The Design effectiveness testing and operating effectiveness testing for the 1) ITGCs, 2) Pay and Benefits, 3) Procure to Pay and 4) Financial Closing and Reporting process.
Status and Action Plan for the Next Fiscal Year and Subsequent Years
| Business Process | Design effectiveness testing and remediation | Operational effectiveness testing | Ongoing monitoring rotation | Next Assessment Date |
|---|---|---|---|---|
| Entity Level Controls | 2015-2016 | 2015-2016 | Every three years | 2018-2019 |
| ITGCs | 2016-2017 | 2016-2017 | Every two years | 2018-2019 |
| Pay and Benefits | 2016-2017 | 2016-2017 | Every two years | 2018-2019 |
| Procure to Payment | 2016-2017 | 2016-2017 | Every three years | 2019-2020 |
| Capital Assets | 2015-2016 | 2015-2016 | Every three years | 2018-2019 |
| Financial Close and Reporting including revenue and account receivables | 2016-2017 | 2016-2017 | Every year | 2017-2018 |
| Budgeting & Forecasting | 2014-2015 | 2014-2015 | Every three years | 2017-2018 |
| Contributions | 2014-2015 | 2014-2015 | Every three years | 2017-2018 |