Assessment of Internal Control over Financial Reporting for the fiscal year ended March 31, 2010

1. Introduction

This document is attached to the Statement of Management Responsibility including Internal Control over Financial Reporting (ICFR) for the fiscal-year 2009-2010. As required by the new Treasury Board Policy on Internal Control, effective April 1^st 2009, for the first time, this document provides summary information on the measures taken by the Public Service Commission (PSC) to maintain an effective system of (ICFR). In particular, it provides summary information on the assessments conducted by the PSC as at March 31, 2010, including progress, results and related action plans along with some financial highlights pertinent to understanding the control environment unique to the PSC.

1.1 Authority, Mandate and Program Activities

Detailed information on the PSC's authority, mandate and program activities can be found in the 2009-2010 PSC's Performance Report and in the PSC's 2009-2010 Report on Plans and Priorities.

1.2 Financial highlights

The PSC's audited financial statements for fiscal-year 2009-2010 can be found at (http://www.tbs-sct.gc.ca/dpr-rmr/index-eng.asp). Information can also be found in the Public Accounts of Canada.

• Total expenses were $138M. Salaries and employee benefits comprise the majority (71% or $98M).
• Recruitment and Assessment Services and Oversight of Integrity in Staffing and Political neutrality are the largest programs at $56M and $24M, respectively.
• No appropriations were lapsed. A planned $3.3M was carried-forward to manage financial challenges and funding pressures in 2010-2011.
• Revenues in the amount of $12.4M were generated by the sale of assessment and evaluation products and services. The PSC has vote netting authority which allows the PSC to offset expenses with revenues earned up to an amount approved by Treasury Board ($14M in 2009-2010).
• Tangible capital assets comprise 72% of departmental total assets of $24M. Employee severance benefits comprise 59% of total liabilities of $29M.
• Comptrollership challenge function was exercised to streamline budgets and forecasts.

1.3 Service arrangements relevant to financial statements

The PSC relies on other organizations for the processing of certain transactions that are recorded in its financial statements:

• PWGSC centrally administers the payments of salaries and the procurement of goods and services. As well, Treasury Board Secretariat provides PSC with information used to calculate various accruals and allowances, such as the accrued severance liability.
• The PSC relies on figures from other departments for services received without charge such as legal services from the Department of Justice, accommodation from PWGSC, audit services from the Office of the Auditor General, employer's portion of Workers' Compensation benefits from HRSDC, and employer's share of insurance premiums from TBS.

1.4 Material changes in fiscal-year 2009-2010

There were no significant changes to the financial statements in 2009-10.

2. The PSC's control environment relevant to Internal Control over Financial Reporting (ICFR)

The PSC recognizes the importance of setting the tone from the top to help ensure that staff at all levels understands their roles in maintaining effective systems of ICFR. The PSC's focus is to ensure risks are managed well through a proactive and responsive, risk-based control environment that enables continuous improvement and innovation.

2.1 Key positions, roles and responsibilities

Below are the PSC's key positions and committees with responsibilities for maintaining and reviewing the effectiveness of its system of ICFR.

President (Deputy Head) – PSC's President, as Accounting Officer, assumes overall responsibility and leadership for the measures taken to maintain an effective system of internal control. In this role, the President chairs the Internal Audit Committee and the Commission.

Chief Financial Officer (CFO) – The PSC's CFO reports directly to the President and provides leadership for the coordination, coherence and focus on the design and maintenance of an effective and integrated system of ICFR, including its annual assessment. Falling under the CFO responsibilities is also the management of the Corporate Risk Profile of the PSC.

Senior PSC Executives - PSC's vice presidents in charge of program delivery are responsible for maintaining and reviewing effectiveness of their system of ICFR falling within their mandate.

Chief Audit Executive (CAE) – The PSC's CAE reports directly to the Deputy Head and provides assurance through periodic internal audits which are instrumental to the maintenance of an effective system of ICFR.

Internal Audit Committee (IAC) - The IAC is an advisory committee that provides objective views on PSC's risk management, control and governance frameworks. It is comprised of three external members and was established in 2006. As such, it reviews PSC's Corporate Risk Profile and provides feedback on PSC's system of ICFR.

Executive Management Committee (EMC) - As the PSC's central decision-making body, the EMC reviews, approves and monitors the Corporate Risks Profile and the system of internal control, including the assessment and action plans relating to the system of ICFR.

Corporate Management Practices & Evaluation Division (CMPED) – CMPED conducts evaluations of major program delivery units to measure and report on efficiency and effectiveness of operations.

Financial Management Division (FMD) – As the PSC's resource management and allocation unit, FMD has an important budget challenge and oversight function.

Accounting Operations Division (AOD) – During the implementation phase (2009-2010) of the ICFR framework, AOD is responsible for design, documentation and initial testing of the PSC's system of ICFR.

2.2 Key measures taken by the PSC

PSC's control environment also includes a series of measures to equip its staff to manage risks well through raising awareness, providing appropriate knowledge and tools as well as developing skills. Key measures include:

• an Office of Values and Ethics including an Ombudsman
• a dedicated division under the CFO on internal control.
• annual performance agreements with clearly set out financial management responsibilities
• training program and communications in core areas of financial management.
• departmental policies tailored to the PSC's control environment.
• regularly updated delegated authorities matrix.
• documentation of main business processes and related key risk and control points to support the management and oversight of its system of ICFR.
• IT processing systems to achieve greater security, integrity, efficiency and effectiveness.

2.3 Innovation in ICFR

The PSC took a leadership approach to implementation of the Policy on Internal Control by implementing an integrated ICFR software program, and sharing the results of this initiative with other departments including the Office of the Comptroller General, Office of the Auditor General, and other departments via the Deputy Chief Financial Officer community.

3. Assessment of the PSC's system of ICFR

3.1 Assessment baseline

In 2005, the PSC began preparing audited financial statements. To support this initiative and enable control-based audits rather than substantive audits, the PSC undertook a program of documentation of business processes, information flows, and internal controls. In 2009, Treasury Board approved the Policy on Internal Control. As a result, the PSC has further formalized its approach to managing its systems of ICFR.

Whether it is to support the control-based audit requirements or those of the Policy on Internal Control, an effective system of ICFR has the objectives to provide reasonable assurance that:

• transactions are appropriately authorized;
• financial records are properly maintained;
• assets are safeguarded; and
• applicable laws, regulations and policies are complied with.

Over time, this includes assessment of design and operating effectiveness of the system of ICFR leading to ensuring the on-going monitoring and continuous improvement of the departmental system of ICFR.

Design effectivenessmeans to ensure that key control points are identified, documented, in place and that they are aligned with the risks (i.e. controls are balanced with and proportionate to the risks they aim to mitigate) and that any remediation is addressed. This includes the mapping of key processes and IT systems to the main accounts by location as applicable.

Such testing covers all control levels which include entity, general computer and business process controls.

3.2 Assessment method at the PSC

Due to the relatively small size of the PSC, the nature of its business and risks, and building on business cycle/internal control documentation already completed for audited financial statements, the PSC was able to review the five major business cycles driving the financial statement accounts:

• Payroll
• Expenses
• Revenues from sales of assessment and evaluation services
• Capital Assets
• Financial Reporting

For each cycle, PSC completed the following steps:

• Gathering information pertaining to processes and locations, risks and controls relevant to ICFR, including appropriate policies and procedures.
• Mapping out key processes with the identification and documentation of key risk and control points on the basis of materiality, volumes, linkage to compliance documents, complexity, and susceptibility to losses/frauds.
• Design and operating effectiveness testing.

PSC also documented and assessed its entity (corporate) level controls and IT general system controls (IT infrastructure). Finally, PSC took into account new information available from recent audits.

4. PSC's assessment results

Based on the approach described above, the PSC developed baseline architecture of all key control points by accounts, locations, processes and main financial systems.

Controls assessed as having one or more of the following attributes were considered in-scope for testing:

• Key control
• Driven by Financial Administration Act
• Anti-fraud

In assessing its key controls, PSC also addressed the question of design effectiveness. Throughout the documentation process, additional controls were identified, as were superfluous controls. Necessary changes have been identified and have either been implemented, or are scheduled for further review and implementation in 2010/2011.

The figures below show a progression from identification of the PSC's in-scope accounts to the results of testing, and finally to a breakdown of the types of deficiencies identified for action. Details are provided in Sections 4.1 and 4.2

Figure 1a - Control In Scope/Out of Scope

Figure 1a - long description

 

Figure 1b - Test Result

Figure 1b - long description

 

Figure 1c - Deficienct Type

Figure 1c - long description

4.1 Design effectiveness of key controls

When completing design effectiveness testing, the PSC completed all documentation and verified whether the corporate, general computer and business process controls are in place and correspond to actual practices. Design effectiveness also included ensuring appropriate alignment of each key control with risks.

As a result of these assessments, PSC identified the following recommended improvements:

Documentation:

• Further clarification of supporting documentation and procedures for revenue transactions, especially within the PSC's regional revenue-generating centres.
• Better understanding of the role played by Peoplesoft in the payroll cycle.
• Further consolidation and documentation of desktop accounting procedures.

Management Oversight:

• Implementation of management review of significant disbursements over $100K.

Task Segregation and Approvals:

• One of the functional classes of the financial system required adjustment to ensure proper access segregation including the receipt of cheques and the associated recording in the PSC's financial system.
• Improved verification before approving Section 33 for bulk supplementary pay transaction processing.

IT Systems:

• Greater control over manual journal voucher posting in Free Balance Financials.

4.2 Operating effectiveness of key controls

In 2009-10, the PSC assessed the operating effectiveness of its key controls. In order to do so, it developed a risk-based testing plan that identified key controls to be tested including the test-period (full fiscal year) as well as the method and frequency of testing.

The following notable deficiencies and areas for improvement were identified:

• Evidence to support chart of accounts valid code combination reconciliations for some periods were not available.
• Departmental delegation of financial signing authorities has not been signed by the PSC's minister (Heritage Canada). Discussions are underway with Justice to clarify the authority given to Heritage to delegate signing authorities related to service contracts.
• Evidence of matching shipping waybills/packing slips to invoice to ensure proper goods received was not found for some transactions.
• More employees than necessary had access to create and modify the master vendor information table in the PSC's financial system including recipient and banking information.
• Custodians of some capital assets are not able to determine the asset's location.

Overall, no particular process demonstrated major deficiencies or an excessive numbers of minor deficiencies. Remediation requirements to date have been documented. These deficiencies and areas of improvement are slated for action by December 2010. When completing operating effectiveness testing, the PSC ensured that the key controls were operating effectively over the full fiscal period.

5. PSC's action plan

5.1 Progress as of March 31, 2010

During 2009-2010 the PSC has continued to make significant progress in assessing and improving its key controls. Below is a summary of the main progress made by PSC.

PSC has completed work to address the following issues:

• Completed a review of and documented entity-level controls concerning human resources management practices, governance and oversight, ethics and values, and internal audit.
• Implemented an integrated ICFR software solution and integration of said system with the PSC's process, risk, control, testing, and remediation framework.
• Designed and implementation of an integrated capital asset management tool to improve tracking, reconciliation, and reporting, and reduce the risk of human error.

PSC has advanced work to address the following necessary adjustments:

• Standardize and streamline the vote netting revenue cycle (sale of assessment services) which accounts for approximately 12% of the organization's annual budget. This resulted in a 56% reduction in uncollected accounts receivable at year-end.

5.2 Action plan for the next fiscal year and future years

By end of 2010-11 PSC plans to:

• Continue work on incorporating new payroll cycle processes and systems into the ICFR framework including the implementation of Peoplesoft human resources system (replaces HRMIS), Compensation Web Applications, and any in-year process changes.
• Complete the standardization and streamlining of the vote netting revenue cycle
• Formal flowcharting of business processes to add value to the narratives and structure documented in the ICFR software solution.
• Financial statement account scoping to identify sub-processes requiring additional emphasis.
• Implement a system of business process owner self-assessment questionnaires to supplement the testing and documentation done by the section responsible for implementing the internal control framework.
• Roll-out an improved revenue management system (RMS 1.0) to further streamline the revenue process and strengthen internal control.
• Undertake a full review of the capital asset inventory.

By end of 2011-12 PSC plans to:

• Involve business process owners in the control testing process to increase ownership of those controls and support a system of attestation.
• Implement a system of formal attestation within the PSC's branches with a final roll-up at the vice-president level.

Primary navigation (left column)