This archived Web page remains online for reference, research or recordkeeping purposes. This page will not be altered or updated. Web pages that are archived on the Internet are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats of this page on the Contact Us page.
The Library and Archives Canada (LAC) Risk-Based Audit Plan (2009–2012) called for an audit of Readiness for the Policy on Internal Control to be conducted in 2009–2010. This audit report presents the outcome of the conduct of the audit from November 2009 to January 2010.
The objective of this engagement was to assess the adequacy of the controls, processes and practices in place within LAC to implement the Policy on Internal Control and achieve the policy objective.1
The scope of the audit included the following integral elements as they relate to the deployment of the Policy on Internal Control at LAC.
While the "in-scope" elements above support the broader implementation of the Policy on Internal Control, the audit opinion focuses on LAC's readiness to implement the policy requirements for an assessment of ICFR.
Approach and Criteria
We used a standard audit process, based on professional standards that are in compliance with the Institute of Internal Auditors' Standards for the Professional Practice of Internal Auditing. For each of the control areas above, specific audit criteria and sub-criteria were identified. The details of the methodology and criteria used are presented in Appendix A and Appendix B.
To meet the Policy on Internal Control requirements, LAC is expected to develop, and execute annually, a risk-based plan to assess the effectiveness of their internal controls over financial reporting. To this end, the CFO has assigned the Manager, Financial Policies, Management Practices and Quality Assurance to lead the ICFR assessment process, and together, they are developing the approach to be ready to meet the requirements of the Statement of Management Responsibility including Internal Control over Financial Reporting for the financial reporting year ending 2011–2012.
To support the achievement of this objective, the framework for the ICFR assessment process should include clear communication and documentation of roles and responsibilities and accountabilities for internal controls, including ICFR, to key stakeholders. In addition, regular communication and awareness training regarding controls and ICFR responsibilities, including the development of specified learning plans for key stakeholders is required. These actions have not yet been taken by the CFO.
The ICFR assessment process hinges on conducting a financial reporting risk assessment. While BAC's risk management practices are maturing; formal risk management practices are being established in key operational areas, analysis of risk is being integrated with annual and strategic planning and investments have been initiated to develop capacity through training and guidance documents, the organization has not yet established financial reporting risk management principles.
LAC has in place both formal and informal controls at the entity level, IT general controls and controls over key financial systems, and for key financial processes. Some formal controls are documented, but most controls are not documented or tested. LAC has not started the process of documenting controls or testing control design and effectiveness.
To carry out the ICFR assessment, LAC will need to select a control framework against which to assess and report on the effectiveness of entity-level controls in relation to key risks facing LAC's financial reporting. LAC will also need to identify on a risk basis, the key IT general controls and financial system and process controls to document and assess for the appropriateness of the design and effectiveness of the control in supporting financial reporting.
In addition to these findings, observations of conditions that were non-systemic and of low materiality and risk have been communicated to management for their consideration.
The report identifies the following recommendations. Management has agreed and developed an action plan to address these recommendations.
Recommendation 3.1 (See section 3):
The CFO ensures that:
Recommendation 3.2 (See section 3):
The CFO develops a framework for assessing ICFR that includes documenting the organization's approach to assessing and managing risks related to financial reporting.
Recommendation 3.3.1 (See section 3):
The CFO, in consultation with the Chief Audit Executive, selects a framework to structure the ICFR assessment of entity-level controls.2
Recommendation 3.3.2 (See section 3):
The CFO develops a plan to assess risks within the "in-scope" IT general controls to determine the nature and extent of testing required.
Recommendation 3.3.3 (See section 3):
The CFO develops a plan to identify key process level controls and assess the risks related to the "in-scope" financial processes and key financial systems, and the CFO determines the nature and extent of documenting and testing required.
Recommendation 3.4 (See section 3):
The CFO defines training plans and awareness requirements in internal control areas to support key stakeholders in their roles and responsibilities for deploying the Policy on Internal Control.
The assessment is that LAC has started the planning phase of the assessment process, and significant work is required to implement the processes and practices needed to complete the remaining phases of the assessment process and comply with the Policy on Internal Control requirements for the Statement of Management Responsibility, including Internal Control over Financial Reporting by 2011–2012.
The CFO has assigned the Manager, Financial Policies, Management Practices and Quality Assurance to lead the assessment planning process. Together, they are in the process of developing the approach.
1 Policy on Internal Control stated objective: to ensure that risks related to stewardship of public resources are adequately managed through effective internal controls, including internal control over financial reporting. See www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=15258
2 Policy on Internal Control, paragraph 3.2: Numerous frameworks have been developed by various professional associations and bodies relating to internal control. One widely recognized framework is that of the Committee of Sponsoring Organizations of the Treadway Commission (COSO).