This archived Web page remains online for reference, research or recordkeeping purposes. This page will not be altered or updated. Web pages that are archived on the Internet are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats of this page on the Contact Us page.
To meet the Policy on Internal Control requirements, Library and Archives Canada (LAC) is expected to develop and execute annually, a risk-based plan to assess the effectiveness of its internal controls over financial reporting. Accordingly, the audit has assessed the adequacy of processes and practices in place to support the deployment of the Policy on Internal Control requirement to assess Internal Control over Financial Reporting (ICFR) related to external financial statements. This section presents detailed Findings based on the evidence and analysis from both the initial risk analysis and the detailed audit conduct.
As set out in the Policy on Internal Control, the Deputy Head has overarching responsibility for the departmental system of internal control, including internal control over financial reporting. These responsibilities are, however, reliant upon assurance provided from other key positions related to internal control in the department.
Finding 3.1.1: The CFO has assigned the Manager, Financial Policies, Management Practices and Quality Assurance to lead the ICFR assessment process, and together, they are developing the approach to meet the requirements of the Statement of Management Responsibility including Internal Control over Financial Reporting for the financial reporting year ending 2011–2012.
The framework for conducting a risk-based assessment of the effectiveness of internal control over financial reporting is comprised of five phases: (1) planning, (2) evaluating entity-level controls, (3) evaluating process-level controls, (4) testing control design and operating effectiveness; and (5) concluding on testing results, reporting and developing an action plan.
LAC has started the planning phase of the assessment process, and significant work is still required to implement the processes and practices required to comply with the Policy on Internal Control requirements for the Statement of Management Responsibility, including Internal Control over Financial Reporting by 2011–2012. The CFO has assigned the Manager, Financial Policies, Management Practices and Quality Assurance to lead the assessment planning process.
The purpose of developing a framework for the risk-based ICFR assessment process is to enable a manageable and sustainable approach to meeting the Policy on Internal Control requirements. Proper planning will help to focus the ICFR assessment on the areas of most significance, or risk, to the department's financial statements, identify control testing that can be relied upon to reduce duplication of effort and unnecessary work, and ensure the assessment activities can be completed over the planned assessment timeframe.
Management was provided with additional guidance on how to plan and execute the ICFR assessment by the consulting firm.
Finding 3.1.2: In support of the implementation of the PIC, and the ICFR assessment process, there is a need for communication and documentation of roles, responsibilities and accountabilities for internal controls, including ICFR, to key stakeholders. The CFO has not yet clearly communicated or documented these roles, responsibilities and accountabilities.
The Deputy Head must be supported by key internal parties and advisory committees (such as the Departmental Audit Committee) who have specific roles and responsibilities for maintaining and reviewing the effectiveness of the LAC system of IFRC.
The implementation of the Policy on Internal Control within LAC is in its infancy, and communication of responsibilities and accountabilities for internal control, including ICFR has not yet taken place.
The consulting firm provided management with additional guidance on roles and responsibilities for key internal parties, including senior departmental managers, the Chief Audit Executive and the Departmental Audit Committee.
Communicating ICFR roles and responsibilities to the people upon whom the Deputy Head and CFO will rely for assertions on the state of internal controls within the department will establish a common knowledge and understanding of responsibilities to maintain and monitor the system of internal control over financial reporting. If the key parties—who will enable this process—are not adequately briefed on their responsibilities, there is a risk that the ICFR assessment process will be inefficient and ineffective.
The CFO ensures that:
Management agrees with the recommendation. The risk-based approach that the organization will use to assess its internal controls will be determined in the months to come. As the implementation of the policy on internal controls evolves, we will develop the assessment approach documentation for risk-based controls. This assessment approach—that will establish among other things the roles and responsibilities at various levels in the institution—will be developed in co-operation with the stakeholders involved in the approach. The approach will be submitted to senior management and to the appropriate advisory committees for their review, comments and approval.