Audited Financial Statements 2016-2017

Office of the Privacy Commissioner of Canada

Unaudited 2016-17 annex to the statement of management responsibility, including internal control over financial reporting

1. Introduction

This document provides summary information on the measures taken by the Office of the Privacy Commissioner of Canada (the Office) to maintain an effective system of internal control over financial reporting (ICFR), including information on internal control management, assessment results and related action plans.

Detailed information on the Office's authority, mandate and program activities can be found in the Office’s Departmental Plan and Departmental Results Report.

2. The Office’s system of internal control over financial reporting

2.1 Internal control management

The Office has a well-established governance and accountability structure to support the assessment efforts and oversight of its system of internal control. A departmental internal control management framework, approved by the Commissioner, is in place, which includes:

  • Organizational accountability structures as they relate to internal control management to support sound financial management, including roles and responsibilities of senior managers in their areas of responsibility for control management;
  • Values and ethics;
  • Ongoing communication and training on statutory requirements, and policies and procedures for sound financial management and control; and
  • At least annual monitoring of and regular updates on internal control management, as well as the provision of related assessment results and action plans to the Commissioner and the Office’s senior management and, as applicable, the Office’s Audit Committee.

The Office’s Audit Committee provides advice to the Commissioner on the adequacy and functioning of the Office's risk management, control and governance frameworks and processes.

2.2 Service arrangements relevant to financial statements

The Office relies on other organizations for the processing of certain transactions that are recorded in its financial statements as follows.

Common Arrangements
  • Public Services and Procurement Canada (PSPC) centrally administers the payments of salaries and the procurement of goods and services in accordance with the Office’s Delegation of Authority, and provides the costs of accommodation for inclusion in the financial statements as "Common services provided without charge";
  • The Office of the Auditor General provides audit services to the Office;
  • The Treasury Board of Canada Secretariat provides the Office with information used to calculate various accruals and allowances, such as the accrued severance liability;
  • Shared Services Canada (SSC) provides information technology (IT) infrastructure services to the Office in the areas of internet connectivity and email security. The scope and responsibilities are addressed in the interdepartmental arrangement between SSC and the Office; and
  • For the purposes of the Financial Administration Act, the Office and the Office of the Information Commissioner (OIC) submit their trial balances jointly to the Receiver General.

Specific Arrangements
  • The Office does not contract external service providers to administer programs on its behalf or to capture and report financial transactions.
  • In addition to processing the Office’s invoices, the Commission of Human Rights of Canada (CHRC) continued to provide the Office with a G/X financial system platform to capture and report all financial transactions.

3. The Office’s assessment results during fiscal year 2016-17

3.1 New or significantly amended key controls

Following the implementation of the new payroll system Phoenix in April 2016, the payroll process was reviewed to ensure that the process reflects the activities as they are carried out, in order to comply with the internal controls policy.

There are four (4) pay administration models: 1) Fully Serviced by the Pay Centre, 2) Integration, 3) Web Services and 4) Direct Entry. The Office falls within the Direct Entry pay model, which refers to a department that does not use the Pay Centre and for which MyGCHR is not integrated within the new payroll system Phoenix.

3.2 Testing results of key controls

In addition to the design and operating effectiveness testing of its payroll process, the Office performed testing on the procure to pay, financial closing and reporting business processes.

Key controls for the payroll were functioning as intended; however, a few areas were considered at risk, namely the lack of independent verification of pay-related actions processed by the Office’s sole compensation advisor (CA) and the CA having the ability to process pay transactions government-wide.

The Office recognizes the issue with respect to the CA’s access within the payroll system; however, this issue is not unique to the Office but exists across departments, regardless of their pay administration model. At the time of the testing, there was a lack of clarity as to how the Office would obtain assurance from PSPC regarding the design or operating effectiveness of the payroll system.

Regarding the procure to pay business process, one area was considered at risk: the lack of segregation of duties, as one CHRC user had the ability to maintain vendor master files as well as release the Office’s invoice payments. The Office will continue to engage with CHRC regarding segregation of duties.

There were no risk areas noted for the financial close and reporting process.

3.3 Ongoing monitoring program

The Office continues to ensure that controls are effective over time and seeks opportunities to strengthen its key financial control activities, taking into account results from annual assessments and audits. This involves developing and implementing a well-integrated monitoring program to raise awareness and understanding of the organization’s system of ICFR at all levels of the organization, equip staff with the knowledge, skills and tools needed to maintain a robust ICFR, and continue to assess the status of ICFR on an ongoing basis.

4. The Office’s action plan

As an Agent of Parliament, the Commissioner of the Office is solely responsible for the Office’s compliance with the Policy of Internal Control and other TB policy instruments and for responding to any instance of non-compliance. Therefore, the Commissioner and senior managers are committed to sustaining and continuously improving the Office’s effective system of ICFR, including carrying out ongoing monitoring to ensure that the key controls meet the expectations of management and stakeholders, and appropriately mitigate associated risks.

4.1 Progress during fiscal year 2016-17

The Office made progress on risk areas identified last fiscal year. The progress achieved is summarized as follows:

| Key Control Areas | Status |
|---|---|
| Entity Level Controls | Design and operating effectiveness testing completed. No remedial actions required. |
| IT General Controls | In March 2016, the Office was provided with CHRC’s assessment of its system of ICFR which concluded ITGCs over the G/X system can be relied upon. CHRC’s IT Management was assessed to be strong. |
| Month End Closing and Reporting | Design and operating effectiveness testing completed. No remedial actions required. |
| Capital Assets | Design and operating effectiveness testing completed. Some ineffective controls were identified and one remains to be updated, namely the formalized regular physical count of attractive assets. This will be completed in 2017-18. |

4.2 Action plan for the next fiscal year and subsequent years

In 2017-18, the Office will conduct the design effectiveness testing and operating effectiveness testing for its budgeting and reporting process and contributions.

The Office’s rotational ongoing monitoring plan over the next three years, based on an annual validation of the high risk processes and controls, is shown in the following table.

Risk-Based Rotational Ongoing Monitoring Plan (Footnote 1)

| Business Process Cycle | Overall Risk | Frequency of Testing | 2017-18 | 2018-19 | 2019-20 |
|---|---|---|---|---|---|
| IT General Controls (Footnote 2) | Based on Service Provider’s ICFR Plan | | | | |
| Capital Assets | Medium | Every Three (3) Years | | x | |
| Entity Level Controls | Medium | Every Three (3) Years | | x | |
| Financial Close & Reporting | Medium | Every Two (2) Years | | x | |
| Payroll | Medium | Every Two (2) Years | | x | |
| Procure to Pay | Medium | Every Three (3) Years | | | x |
| Budgeting & Forecasting | Low | Every Three (3) Years | x | | |
| Contributions | Low | Every Three (3) Years | x | | |