Experience from public and private sector organizations, both in Canada and internationally, has shown that one of the key success factors for an efficient and cost-effective ICFR assessment is the adoption of a top-down, risk-based approach.
Finding 3.3.1: A control framework has not been selected against which to assess and report on the effectiveness of entity-level controls in relation to key risks facing LAC's financial reporting.
Entity-level controls set the tone and broad expectations for the manner in which a department or agency will pursue its objectives, and as such, have a pervasive influence throughout the department.
While we found that many entity controls exist at LAC, formally and informally, the CFO indicated that a control framework has not yet been selected for the ICFR assessment process. Management was provided with additional guidance on control frameworks by the consulting firm.
If entity-level controls are weak, inadequate or nonexistent, they can create weaknesses in controls at the process level and ultimately affect the department's ability to achieve its goals and objectives. When operating effectively, entity-level controls directly support the department's ability to manage its strategic and operational risks, and thus to achieve its various departmental objectives; they may also reduce the nature, timing and extent of detailed control testing required within financial processes and IT systems.
Also, using a well-structured and comprehensive assessment framework will verify coverage and completeness of the ICFR assessment, and support defensibility of ICFR conclusions.
The CFO, in consultation with the Chief Audit Executive, selects a framework to structure the ICFR assessment of entity-level controls.7
Management agrees with this Recommendation. The CFO, in consultation with the Chief Audit Executive, will establish a framework for the assessment of the controls at the institutional level.
Once the organization-wide control environment (the entity level) is understood and assessed, controls are further identified and tested at two primary levels: IT general controls and the financial process level.
Finding 3.3.2: Key financial systems have been identified and some, but not all, key IT general controls related to these systems have been documented; however, these controls have not been assessed for the appropriateness of their design or their effectiveness in supporting financial reporting.
Information technology general controls are controls that impact the IT environment, such as access to programs and data, program changes, program development, and computer operations.
Key financial systems in use by LAC include: FreeBalance Financial Systems; FreeBalance Performance Budgeting for Human Capital; and AMMIS system for capital asset tracking. The Financial Systems Group is responsible for maintaining FreeBalance (manage application-level security and daily back-up), with some additional support from the IT Branch. For example, the entity-wide security program is run by IT Branch.
The 2008 Internal Audit Review of Privacy report observed that LAC's security infrastructure shows some strengths and weaknesses. The review noted several strengths in relation to the security measures to properly safeguard personal information, including secure server location, intrusion prevention system, firewall access rules, ad hoc monitoring of the use of computers by employees, security threat and risk assessment conducted when the system is storing Protected A or higher information,8 and a security training program for employees.
In addition, LAC's Round VI MAF Assessment and Action Plan 2009–2010 for Area of Management 19—Effective Management of Security and Business Continuity includes pursuing ongoing initiatives to continue improving the departmental security program, including communications and roll-out of the new security policy to be in alignment with the Government Security Policy.9
IT general controls in relation to FreeBalance Financial Systems, such as authorized users, application software development and change controls, system software controls (such as user classes, password access controls), segregation of duties, and business continuity plans were all identified by interviewees as being in place. Some of these controls have been documented; however, they have not been tested.
In terms of the ICFR assessment process, IT general controls related to these key financial systems should be documented and assessed for the appropriateness of the design or effectiveness of the control. For LAC to rely on automated controls to support the achievement of its financial reporting objectives, relevant IT general controls for related underlying systems must be designed and operating effectively.
The CFO develops a plan to assess risks within the "in-scope" IT general controls to determine, using a risk-based approach, the nature and extent of testing required.10
Management agrees with this Recommendation. When computer controls are available to support the institution's control framework, they will be used to improve the efficiency of the control systems. The nature and scope of the computer control tests will then be established based on risk assessment.
Internal controls are required around the key financial statement process cycles and the significant accounts within each process.
Process-level controls mitigate the risks threatening the execution of individual transactions and provide assurance that transaction objectives are achieved.
Finding 3.3.3: Key transaction-level controls for "in-scope" financial processes have not been documented, nor has the effectiveness of the design or operation of the controls been tested.
Internal controls (automated IT application controls as well as manual controls) are required around the key financial statement processes and significant accounts within each process to ensure transactions are authorized, complete, accurate, valid and timely processed.
The CFO and the Manager, Financial Policies, Management Practices, Quality Assurance identified the significant accounts on LAC's external financial statements (capital assets, purchases/payables, receivables/revenue and payroll); however, the next step of identifying, documenting and testing key controls for these "in-scope" financial processes has not been executed.
LAC has designed procedures, practices and processes to ensure that the financial data, books of account and financial reports are complete, accurate and prepared on a timely basis, for example:
LAC has not documented these controls, nor has it put in place testing and monitoring procedures of the design and operating effectiveness of these financial process controls.
Process-level controls mitigate the risks threatening the execution of individual transactions and provide assurance that transaction objectives are achieved. In the absence of these controls (or in the absence of testing and monitoring these controls, on a risk basis), there is a risk that the goal of ensuring financial data, books of account and financial reports are complete, accurate and prepared on a timely basis may not be achieved.
The CFO develops a plan to identify key process-level controls and assess the risks related to the "in-scope" financial processes and key financial systems, and the CFO determines the nature and extent of documenting and testing required.
Management agrees with this Recommendation. The implementation of the internal control policy will be undertaken progressively using an approach based on financial report risks as required by the Treasury Board. In the months to come, we will proceed with the assessment of the financial report risks and then the implementation plan will be developed in line with the risk assessment. The plan will establish the key control systems that will have to be documented, reviewed and assessed as well as the scheduled deadlines.
7 Policy on Internal Control, paragraph 3.2: Numerous frameworks have been developed by various professional associations and bodies relating to internal control. One widely recognized framework is that of the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
8 Through interviews with Finance and Accommodation Branch, we were advised that a security threat and risk assessment has not been conducted on the key financial systems.
9 The MAF Round VII assessment may result in changes to the initiatives and action plan for Area of Management 19 – Effective Management of Security and Business Continuity.
10 When assessing IT general controls, LAC should refer to the Control Objectives for Information and Related Technology (COBIT) framework to identify the IT control objectives that are considered significant or "in-scope" for IT systems. COBIT is a set of best practices for the management of IT governance, risk and control, and is widely used in both the private and public sectors as a framework or source of reference against which IT general controls can be assessed. The framework describes control objectives and criteria within a number of categories, including systems development, access to programs and data, change management, security, and computer operations.
11 Accounting Operations processing and control over payment authorization includes 100 percent verification of expenditure initiation (s. 32) and s. 34 approvals, and matching the invoice to source documents. Once the review of compliance with regulations and policies and the application of appropriate financial controls are complete, the financial officer in Accounting Operations then exercises s. 33 approval.