1.1 This policy takes effect on April 1, 2009.
1.2 The new policy requirement under section 6.1.2 of this policy relating to the signature of the Statement of Management Responsibility Including Internal Control Over Financial Reporting will be phased in over a period of three years based on each department's state of readiness.
2.1 This policy applies to all departments as defined in section 2 of the Financial Administration Act (FAA). Throughout this policy, the terms "government-wide" and "across government" refer to these organizations.
2.2 Section 7.2, and those portions of sections 6.2.1, 6.2.2 and 7.3 that provide for the Comptroller General to monitor compliance with this policy within departments and/or request that departments take corrective action, do not apply with respect to the Office of the Auditor General, the Office of the Privacy Commissioner, the Office of the Information Commissioner, the Office of the Chief Electoral Officer, the Office of the Commissioner of Lobbying, the Office of the Commissioner of Official Languages and the Office of the Public Sector Integrity Commissioner. The deputy heads of these organizations are solely responsible for monitoring and ensuring compliance with this policy within their organizations, as well as for responding to cases of non-compliance in accordance with any Treasury Board instruments that address the management of compliance.
3.1 Parliament and Canadians expect the federal government to be well managed with the prudent stewardship of public funds, the safeguarding of public assets, and the effective, efficient and economical use of public resources. They also expect reliable reporting that provides transparency and accountability for how government spends public funds to achieve results for Canadians.
3.2 These expectations are similar to those found in other private and public sector organizations and jurisdictions. To mitigate the risks related to the achievement of these objectives, these organizations establish and maintain broad systems of internal control. Numerous frameworks have been developed by various professional associations and bodies relating to internal control. One widely recognized framework is that of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) that was established in the United States in 1985. Within the COSO integrated framework, everyone in the organization has responsibility for internal control to some extent.
3.3 More recently, there have been demands for explicit assurance regarding the integrity of financial reporting. The Sarbanes-Oxley Act of 2002 in the United States requires public corporations to provide assurances regarding the effectiveness of internal control over financial reporting and for their external auditors to opine on these internal controls and the reliability of the corporation's financial reporting. Public sector jurisdictions have also introduced similar requirements for assurances relating to the reliability of financial reporting. These assurances generally take the form of a Statement of Internal Control signed by the head of the organization and the Chief Financial Officer (CFO) and sometimes an accompanying audit report.
3.4 In the Canadian federal government, deputy heads have always had the responsibility to ensure that internal controls are regularly reviewed in the context of risk, ensuring that those internal controls are balanced against and proportional to the risks which they mitigate. Deputy heads and their CFOs sign an annual Letter of Representation to the Auditor General and the Deputy Receiver General in support of the Public Accounts covering their responsibilities for internal control and assertions over the integrity of financial information.
3.5 Deputy heads are also designated as accounting officers for their organizations under the Financial Administration Act, and as such have a legal obligation to appear before parliamentary committees in support of their Ministers' accountability and to answer questions relating to the measures taken to maintain an effective system of internal control in their organizations, as well as three other specific areas of departmental management as set out in provision 16.4.
3.6 In this context, the CFO supports the deputy head by establishing and maintaining a system of internal control related to financial management including financial reporting and departmental accounts. Other senior departmental managers establish and maintain a system of internal control for their areas of responsibility and within the departmental system of internal control.
3.7 The Comptroller General of Canada provides government-wide leadership and functional direction for the system of internal control over financial management, including over financial reporting, in collaboration with the Receiver General of Canada and other central agencies.
3.8 This policy is to be read in conjunction with the Policy on Financial Management Governance and the Policy on Internal Audit.
3.9 This policy is issued pursuant to section 7 of the Financial Administration Act.
Definitions are provided in the Appendix.
Risks relating to the stewardship of public resources are adequately managed through effective internal controls, including internal controls over financial reporting.
5.2.1 An effective risk-based system of internal control is in place in departments and is properly maintained, monitored and reviewed, with timely corrective measures taken when issues are identified.
5.2.2 An effective system of internal control over financial reporting is operating in departments as demonstrated by the departmental Statement of Management Responsibility Including Internal Control Over Financial Reporting.
The deputy head is responsible for:
6.1.1 Ensuring the establishment, maintenance, monitoring and review of the departmental system of internal control to mitigate risks in the following broad categories:
6.1.2 Signing an annual departmental Statement of Management Responsibility Including Internal Control Over Financial Reporting, also signed by the Chief Financial Officer, which prefaces the departmental financial statements and that will:
6.1.3 Engaging with the Departmental Audit Committee, as applicable, on risk-based assessment plans and associated results related to the effectiveness of the departmental system of internal control over financial reporting.
6.2.1 Deputy heads – Deputy heads are responsible for:
6.2.2 Comptroller General of Canada – The Comptroller General is responsible for:
7.1 The deputy head is responsible for investigating and acting when significant issues arise regarding policy compliance.
7.2 If the Comptroller General of Canada determines that a department may not have complied with any requirements of this policy or supporting directives and standards, the Comptroller General may request that the deputy head:
7.2.1 Conduct an audit or a review to assess whether requirements of this policy or its supporting directives or standards have been met. The cost of such an audit or review will be paid from the department's reference level; and
7.2.2 Take corrective actions and report back on the results achieved.
7.3 Consequences of non-compliance with this policy and supporting directives and standards, or of failure to take corrective actions requested by the Comptroller General, may include recommending to Treasury Board:
7.3.1 Limits on the spending authority of the department; or
7.3.2 Imposition of any other measures determined appropriate in the circumstances.
Please direct enquiries about this policy to your department's headquarters. For interpretation of this policy, departmental headquarters should contact:
Assistant Comptroller General
Financial Management and Analysis Sector
Office of the Comptroller General
Treasury Board Secretariat
Ottawa ON K1A 0R5
Facsimile: 613-952-9613
Telephone: 613-957-7233
In practice, the set of means that represent internal controls can include those elements of an organization such as its resources, systems, processes, culture, structure and tasks that, taken together, support people in managing risks in order to achieve an organization's objectives. The Internal Control – Integrated Framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides a generally accepted framework in this area; see the Guideline on Internal Control Over Financial Reporting.
Financial management internal controls are a sub-set of the broader departmental system of internal controls dealing with effectiveness and efficiency of programs, operations and resource management, including safeguarding of assets.
Financial reporting internal controls are a sub-set of the controls for financial management.
A Statement of Management Responsibility Including Internal Control Over Financial Reporting states management's responsibility for the financial statements and other financial information and internal reports, as well as the financial reporting process that produces such statements. The report also states the role of the audit committee, when one exists. The purpose of this statement is to communicate to users of these financial statements the key elements of responsibility for the representations made in financial statements and other financial information and to specify whose representations they are and the limits of their accuracy. It is to be signed by the Deputy Head and the CFO. The statement prefaces annual departmental financial statements but is not the subject of the audit opinion on the financial statements where they are audited.
The section of this statement that relates to the responsibility of management for maintaining an effective system of internal control over financial reporting confirms that:
As such, internal controls operate at all levels throughout the organization and are an integral part of an organization's risk management framework. In practice, the departmental system of internal control is composed of several internal control systems covering various management areas, such as financial management and financial reporting.