Guide to Internal Control Over Financial Management

This guide is intended to help managers and staff develop and implement key internal control frameworks and measures as described in the Policy on Financial Management. The guide elaborates on the form and content of: summary information on internal control over financial management, the reporting of assessment results and information that is annexed to the annual Statement of Management Responsibility Including Internal Control Over Financial Reporting.
Date modified: 2020-05-01

More information

Guide:

Legislation And Regulations:

Policy:

Terminology:

Hierarchy

Archives

This guide replaces:

View all inactive instruments
Print-friendly XML

1. Date of publication

This guide was shared with departments on November 22, 2019.

This guide replaces the Treasury Board Guideline for the Policy on Internal Control.

2. Application, purpose and scope

This guide applies to the organizations listed in section 6 of the Policy on Financial Management.

This guide is intended to help managers and staff develop and implement key internal control frameworks and measures as described in the Policy on Financial Management.

The guide elaborates on the form and content of:

  • summary information on internal control over financial management
  • the reporting of assessment results
  • information that is annexed to the annual Statement of Management Responsibility Including Internal Control Over Financial Reporting

Examples in the appendices to this guide are provided for illustrative purposes and may not apply to all departmentsFootnote 1 or situations.

3. Context

Canadians expect:

  • the financial resources of the Government of Canada to be well-managed and safeguarded through internal controls
  • reliable reporting that provides transparency and accountability for how public funds are spent to achieve results

Numerous internal control frameworks have been developed by associations of internal control practitioners and other related organizations. One widely recognized framework is that of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which was established in the United States in 1985. Within the COSO integrated framework, everyone in an organization is responsible for internal control to some extent.

After the Treasury Board Policy on Internal Control was introduced in 2009, departments conducted an in-depth review of their internal control over financial reporting, which is a subset of internal control over financial management. Departments:

  • identified the financial statement items and associated processes that have the highest risk of causing financial misstatement
  • established processes to document, assess and improve key controls

Most departments are now at the ongoing monitoringFootnote 2 stage for internal control over financial reporting.

The introduction of the Policy on Financial Management in 2017 did not alter the need for internal control over financial management, including internal control over financial reporting. The requirement to maintain a reliable system of internal control over financial management remains, but as departments evolve, so do the:

  • people
  • processes (including guidance and procedures)
  • systems and structures
  • internal controls

Departments must continue to review their system of internal controls to ensure that it is effective. Existing controls may need to be amended, and new controls may need to be introduced.

The Policy on Internal Control has been rescinded and replaced by the Policy on Financial Management. The ongoing monitoring stage for departments that have completed their first full assessment of internal control over financial reporting is not affected by the introduction of the Policy on Financial Management.

Departments that have not completed assessments of elements of internal control over financial management that are unrelated to internal control over financial reporting must determine how these elements will be considered in their risk-based plans.

4. Overview of internal control over financial management and over financial reporting

4.1 Accountabilities and policy requirements

The deputy head accountabilities are described in section 16.4 of the Financial Administration Act and further elaborated in subsection 4.1.6 of the Policy on Financial Management.

As set out in the Financial Administration Act, deputy heads are designated as accounting officers who have the legal obligation to appear before committees of the Senate and the House of Commons regarding their financial management responsibilities, including but not limited to:

  • the steps taken to maintain an effective system of internal control
  • the controls that are in place
  • how the controls function
  • the measures taken to ensure that the controls are effective

The Treasury Board Policy on Financial Management further emphasizes these accountabilities as follows:

Deputy heads are responsible for … ensuring that a risk-based departmental system of internal control over financial management is established, monitored and maintained.

In addition, the Policy on Financial Management describes the accountabilities of the chief financial officer and senior departmental managers (managers who report directly to the deputy head).

In accordance with subsections 4.2.8 and 4.2.9 of the policy, the chief financial officer is responsible for establishing, monitoring and maintaining:

  • a risk-based system of internal control over financial management to provide reasonable assurance that:
    • public resources are used prudently and in an economical manner
    • financial management processes are effective and efficient
    • relevant legislation, regulations and financial management policy instruments are being complied with
  • a risk-based system of internal control over financial reporting, as demonstrated by the departmental Statement of Management Responsibility Including Internal Control Over Financial Reporting

In accordance with subsections 4.3.6 and 4.3.7 of the Policy on Financial Management, senior departmental managers are responsible for:

  • implementing and maintaining a risk-based system of internal control over financial management in their area of responsibility
  • notifying the chief financial officer of material control weaknesses
  • ensuring that prompt corrective action is taken when control weaknesses are identified in their area of responsibility

Subsection 4.2 of this guide describes the system of internal control in greater detail.

4.2 System of internal control

Internal control is conducted by an organization’s oversight body, management and other personnel to provide reasonable assurance that the objectives of the organization will be achieved.

Internal control management ensures that organizations have well-established governance and accountability structures in place to support the assessment and oversight of their systems of internal control. In particular, internal control management ensures that:

  • key internal controls are assessed and periodically reassessed for monitoring purposes using a risk-based approach
  • corrective actions are taken when necessary (subsection 4.2.10 of the Policy on Financial Management)
  • formal oversight of activities takes place through effective governance, including the establishment of an internal control management framework and regular reporting to senior management, the deputy head and the Departmental Audit Committee

As shown in Figure 1, the deputy head is responsible for the overall system of internal controls across the department. Further details on the roles and responsibilities of deputy heads can be found in subsection 4.1.6 of the Policy on Financial Management and section 16.4 of the FAA. The chief financial officer (CFO) is responsible for the systems of internal control over both financial management and financial reporting. Further details on the roles and responsibilities of CFOs can be found in subsections 4.2.8, 4.2.9 and 4.2.10 of the Policy on Financial Management. Senior departmental managers have responsibilities in the overall system of internal control (including internal control over financial management and internal control over financial reporting) for activities that fall within their areas of responsibility. Further details on the roles and responsibilities of senior departmental managers can be found in subsections 4.3.6 and 4.3.7 of the Policy on Financial Management. This guide focuses on the inner 2 circles related to internal control over financial management and internal control over financial reporting.

Figure 1: system of internal control

Figure 1. Text version below:
Figure 1 - Text version

Figure 1: system of internal control

Figure 1 shows 3 superimposed circles, which represent, from the largest to the smallest circle, the system of internal control, the system of internal control over financial management or ICFM, and the system of internal control over financial reporting or ICFR.

The deputy head is responsible for the system of internal control across the department according to the Financial Administration Act, section 16.4, and the Policy on Financial Management, subsection 4.1.6. The chief financial officer is responsible for the system of internal control over financial management and the system of internal control over financial reporting according to the Policy on Financial Management, subsections 4.2.8, 4.2.9, and 4.2.10.

Legend
ICFM: internal control over financial management
ICFR: internal control over financial reporting

4.2.1 Internal control over financial management

Internal control over financial management:

  • comprises measures and activities that provide reasonable assurance of the effectiveness and efficiency of the financial management activities of the department
  • involves not only financial reporting, but also those activities that ensure that public resources are prudently and economically managed

In addition to the business processes supporting financial reporting (for example, financial close and reporting, procure to payment, and capital assets), internal control over financial management could include, but is not limited to:

  • planning and budgeting
  • costing
  • investment planning
  • chief financial officer attestations (included in Cabinet submissions)

Internal control over financial management may also include identification of new risks in existing business processes identified as supporting financial reporting. For example, as part of the procure-to-payment process assessed under existing systems of internal control over financial reporting, additional controls may be identified that are related to managing commitments. While not directly related to internal control over financial reporting, managing commitments is relevant when considering internal control over financial management and the prudent use of resources. Similarly, the payroll process may be expanded to include:

  • the internal control over salary forecasting
  • the activities in place to ensure that salary forecasting is complete, accurate and updated in a timely manner

4.2.2 Internal control over financial reporting

Internal control over financial reporting:

  • is a subset of the system of internal control over financial management
  • comprises measures and activities that provide reasonable assurance that a department’s financial statements are accurate and complete

The results of the assessment of these controls must be reported in the Annex to the Statement of Management Responsibility Including Internal Control Over Financial Reporting. The annex, which is reviewed and approved by senior departmental managers, supports the statement that a system of internal control over financial reporting is in place and operating effectively.

4.2.3 Benefits of an effective system of internal control over financial management and over financial reporting

Internal control over financial management and over financial reporting provides:

  • many benefits to an organization
  • management and decision-makers with added confidence about the achievement of objectives
  • insight into how the organization is functioning

Other benefits of effective internal control over financial management and over financial reporting include:

  • valid and consistent costing information that allows for comparative costing of programs and that facilitates the assessment of overall program performance
  • expenditures that are in accordance with delegated authorities, where unauthorized transactions that could have a material effect on financial statements are prevented or detected in a timely manner
  • financial resources that are safeguarded against material loss because of waste, abuse, mismanagement, errors, fraud, omissions and other irregularities
  • consistent practices for processing transactions, thereby:
    • supporting the quality of information and communications across the organization
    • enhancing the reliability of transaction initiation and settlement
    • providing reliable recordkeeping and ensuring the ongoing integrity of data
  • reliable financial management and reporting that support decision-makers on matters such as:
    • the use of public resources
    • the effectiveness of financial management processes (for example, budgeting and forecasting, costing and investment planning)
    • compliance with relevant legislation, regulations and Treasury Board policies

5. Reporting on the annual assessment of internal control

The reporting requirements for internal control over financial reporting have not changed since the Policy on Internal Control was implemented in 2009 (this policy has been rescinded and replaced by the Policy on Financial Management).

Under subsection 4.2.13.4.1 of the Policy on Financial Management, departments must report on their annual assessment of internal control over financial reporting in the Annex to the Statement of Management Responsibility Including Internal Control Over Financial Reporting. The content of the annex will depend on the level of maturity of the department’s internal control program, or whether the department has reached the ongoing monitoring stage of its assessment. Departments that have completed their first full assessment and that are at the ongoing monitoring stage may refer to the example in Appendix A for how to present their annual results.

Departments are not required to report on internal control over financial management in their annex. However, they may include details on assessments of internal control over financial management processes in their ongoing monitoring plans. To support deputy heads and chief financial officers in ensuring that a sound system of internal control over financial management exists within their organizations, departments are expected to assess their processes for internal control over financial management and report the results internally along with the results of the assessment of internal control over financial reporting.

5.1 Reporting on internal control over financial reporting

The annex provides an opportunity for departments to highlight:

  • the effectiveness of their management of internal control over financial reporting
  • the status of their assessment efforts based on their plans for risk-based ongoing monitoring of internal control over financial reporting

Departments may also report on progress since the previous fiscal year. Departments are expected to provide a high-level picture of the overall status of the complete assessment process, including what has been achieved to date (or since the previous fiscal year’s plan).

The previous fiscal year’s plan should be the starting point for reporting the results of the annual assessment in the annex. Departments are encouraged to explain deviations from the previous fiscal year’s plan and describe any significant changes to the scope of the department’s plan for risk-based, ongoing monitoring. The department should demonstrate that it has considered changes or new risks within its environment and reflected them in its annual assessment.

More information on the annex is provided in subsection 6.1 of this guide.

5.2 Ongoing monitoring

The control assessment process begins with the documentation of key controls, progresses through design and operating effectiveness testing, and culminates in the ongoing monitoring stage. For departments that have completed their initial assessment of internal control over financial reporting, including both design and operating effectiveness, the next step is to conduct a risk-based annual assessment. Such departments are considered to be in the ongoing monitoring stage of their internal controls program. Ongoing monitoring ensures that internal control over financial management and over financial reporting continues to operate effectively and as designed.

Once an organization reaches the ongoing monitoring stage, it will continue to remain at this stage, even when new processes are implemented, or the scope of the program is adjusted to reflect changes in the department’s operations or to incorporate new elements of internal control over financial management. Senior departmental managers are expected to remain committed to the sound management of the department’s system of internal control over financial management. This commitment is demonstrated through:

  • the conduct of the department’s annual risk-based assessment of the design and operation of internal controls
  • the identification of actions needed to address any significant or material weaknesses

More information on developing and maintaining an ongoing monitoring plan is available in the Guide to Ongoing Monitoring of Internal Control Over Financial Management.

5.3 Common service providers

In the context of internal control over financial management, common service providersFootnote 3 are departments that provide services and key information, or perform a business activity, function or process on behalf of other government departments. The provision of these services to the broader government community impacts the financial statements of the recipient departments. The 4 common service providers and the services they provide are:

  • Public Services and Procurement Canada, which administers the payment of salaries and the procurement of goods and services, and provides accommodation services
  • Shared Services Canada, which provides information technology infrastructure services
  • Department of Justice Canada, which provides legal services
  • Treasury Board of Canada Secretariat, which provides information on public service insurance and centrally administers payment of the employer’s share of contributions toward statutory employee benefit plans

Under subsection 4.2.13.4.2 of the Policy on Financial Management, common service providers must report in their annex on the results of their annual assessment of the system of internal control for the services that they provide to recipient departments. This requirement ensures transparency on the state of controls in common service organizations for the services that they provide to recipient departments.

Subsection A.5 of Appendix A to this guide has been created to allow common service providers to present the annual results of their assessment of the internal control over the common services that they deliver. This subsection is dedicated to the 4 common service providers listed above. All other organizations are not to include this subsection when completing the annex.

Similar to the approach for assessments that departments conduct on their internal control over financial reporting, common service providers are encouraged to use a risk-based approach when conducting their assessment of controls for the services provided to recipient departments.

If a common service provider determines that its common service controls are not scheduled for an assessment in a given fiscal year, it should state this in subsection A.5 of Appendix A to this guide. Common service providers may instead give an update on any remediation activities that are underway.

It should be noted that although common service providers must report on the system of internal control for the common services that they provide, this requirement is not intended to provide assurance of the reliability of the information in the financial statements of recipient departments.

Recipient departments using a common service provider’s services are still accountable for the control environment within their own organization and retain the responsibility for certain elements, for example:

  • approving access to various systems
  • ensuring that the information sent to the common service provider is complete and accurate
  • verifying that the services received are appropriate and in line with memoranda of understanding and contracts
  • managing the relationship with the common service provider, including participating in any governance bodies, as required

6. Statement of Management Responsibility Including Internal Control Over Financial Reporting

Under subsection 4.2.13.4 of the Policy on Financial Management, an annual Statement of Management Responsibility Including Internal Control Over Financial Reporting, signed by the deputy head and the CFO, accompanies the departmental financial statements that are linked to, and published concurrently with, the departmental results reports.

The statement:

  • acknowledges management’s responsibility for maintaining an effective system of internal control over financial reporting
  • refers to the annual assessment of the system’s effectiveness and the associated action plan for the next and subsequent fiscal years

The statement is also accompanied by an annex, which summarizes the measures taken by the department to maintain an effective system of internal control over financial reporting.

A summary of the assessment and action plan must be attached to the statement, except when the department has undergone a core control audit.

By signing the statement, the deputy head and CFO are providing reasonable assurance that at a minimum:

  • records are maintained that support and represent fairly all financial transactions
  • the recording of financial transactions allows for the preparation of internal and external financial information, reports and statements in compliance with financial management policy instruments
  • expenditures are in accordance with delegated authorities, and unauthorized transactions that could have a material effect on the financial statements are prevented or detected in a timely manner
  • financial resources are safeguarded against material loss because of waste, abuse, mismanagement, errors, fraud, omissions and other irregularities
  • prompt corrective action is taken when control weaknesses and material unmitigated risks are identified, including the risk of fraud, in the system of internal control over financial management and over financial reporting

According to the Directive on Accounting Standards: GC 4500 Departmental Financial Statements (GC4500.06), a Statement of Management Responsibility Including Internal Control Over Financial Reporting should accompany the Departmental Financial Statements. Illustrative Departmental Financial Statements are available on GCpedia (accessible only on the Government of Canada network). Separate examples are provided for large departments that are not subject to core control audits and for small departments that are subject to core control audits. Common service providers should follow the example for large departments that are not subject to core control audits. Such departments may include information about the system of internal control over the services that they provide to recipient organizations in their statement on the system’s annual assessment.

For small departments that are subject to core control audits, these audits are conducted by the Office of the Comptroller General over a 5-year cycle to assess a department’s compliance with key Treasury Board policy controls.

The illustrative examples for small departments that are subject to core control audits makes a distinction between departments where a core control audit has taken place, and departments where a core control audit has not taken place.

Once a core control audit has taken place, the statement should refer to the audit report and the related action plan. Because these documents are deemed to provide appropriate disclosure of internal control management, an annex is not required.

6.1 Annex to the Statement of Management Responsibility Including Internal Control Over Financial Reporting

The annex provides users of financial statements with summary information that demonstrates how the departmental system of internal control over financial reporting is being managed through annual assessments, associated action plans and future assessment plans. Departments are encouraged to use the example annex that is appropriate to the department’s circumstances and to adapt, as necessary, the level of detail, content and key messages.

There are 2 common types of annexes.

In the standard annex for large departments that are not subject to core control audits, departments report on their assessment efforts and the progress achieved since the previous fiscal year. As most departments have reached the ongoing monitoring phase of their system of internal controls, departments will describe in this annex the plan for future-year monitoring of controls, including the ability to report on the department’s annual assessment. Appendix A to this guide provides an example of the annex at the ongoing monitoring stage.

The simplified annex for small departments that are subject to core control audits is used by departments where a core control audit has not taken place. As the name implies, this annex is a simpler version of the standard annex and reflects the expectations for small departments that are subject to core control audits. Appendix B to this guide provides an example of the reporting requirements for small departments that are subject to core control audits.

Small departments that are subject to core control audits are expected to ensure that their financial transaction controls (sections 32 to 34 of the Financial Administration Act) continue to perform as expected. In addition, these departments are expected to take appropriate measures to monitor other risk areas pertinent to their departmental system of internal control. Progress is reviewed through periodic audits of core controls and is sustained through oversight of departmental management.

7. References

Legislation

Related policy and guidance instruments

8. Enquiries

Members of the public may contact Treasury Board of Canada Secretariat Public Enquiries if they have questions about this guide.

Individuals from departments should contact their departmental financial policy group if they have questions about this guide.

Individuals from the departmental financial policy group may contact Financial Management Enquiries for interpretation of this guide.


Appendix A: standard annex for large departments that are not subject to core control audits

Subsections A.1 and A.2 of this annex apply to all departments.

Subsections A.3 and A.4 are tailored to departments that are at the ongoing monitoring stage for all control areas (see example).

Subsection A.5 is to be completed by common service providers only. Common service providers must use this section to report on the annual assessment of the system of internal control over the services that they provide to recipient organizations.

Departments that are served by Shared Services Canada should continue to address, in the annex, the assessment of any information technology (IT) general controls, such as feeder systems or financial applications that departments continue to manage.

Even though Appendix A is intended as an example, instructions for completing the annex are shown in square brackets. Departments can follow the instructions in the square brackets and insert their own data in the tables. The tables below are presented mainly for illustrative purposes even though they have some template-like characteristics.

For greater clarity of presentation, departments are encouraged to use tables rather than text in appropriate sections of their annex.

Annex: internal control over financial reporting

  • A.1

    Introduction

    This document provides summary information on the measures taken by [name of department] to maintain an effective system of internal control over financial reporting, including information on internal control management, assessment results and related action plans.

    Detailed information on the department’s authority, mandate and core responsibilities can be found in the departmental plan for the [YYYY] to [YYYY] fiscal year and the departmental results report for the [YYYY] to [YYYY] fiscal year ([titles and links to the reports]).

  • A.2

    Departmental system of internal control over financial reporting

    • A.2.1 Internal control management

      [Name of department] has a well-established governance and accountability structure to support departmental assessment efforts and oversight of its system of internal control. A departmental internal control management framework, approved by the deputy head, is in place and comprises:

      • organizational accountability structures as they relate to internal control management to support sound financial management, including the roles and responsibilities of senior departmental managers for control management in their areas of responsibility
      • values and ethics
      • ongoing communication and training on statutory requirements, and policies and procedures for sound financial management and control
      • at least semi-annual monitoring of, and regular updates to, internal control management, as well as the provision of related assessment results and action plans to the deputy head and senior departmental management and, as applicable, the Departmental Audit Committee

      The Departmental Audit Committee provides advice to the deputy head on the adequacy and functioning of the department’s risk management, control and governance frameworks and processes.

    • A.2.2 Service arrangements relevant to financial statements

      [Name of department] relies on other organizations for processing certain transactions that are recorded in its financial statements, as follows.

      • A.2.2.1 Common service arrangements
        • Public Services and Procurement Canada, which administers the payment of salaries and the procurement of goods and services, and provides accommodation services
        • Shared Services Canada, which provides IT infrastructure services
        • Department of Justice Canada, which provides legal services
        • Treasury Board of Canada Secretariat, which provides information on public service insurance and centrally administers payment of the employer’s share of contributions toward statutory employee benefit plans

        Readers of this annex may refer to the annexes of the above-noted departments for a greater understanding of the systems of internal control over financial reporting related to these specific services.

        [Name of department] relies on other external service providers [and/or] departments for the processing of certain information or transactions that are recorded in its financial statements, as follows:

      • A.2.2.2Specific arrangements
        • An external service provider, under contract with the Government of Canada, administers [name of the program or activity] on behalf of [name of department]’s program. The external service provider has the authority and responsibility to ensure that [specific transactions or payments] are made in accordance with the terms and conditions set out by [name of department]’s program. As a result, the control procedures of the external service provider are relied upon.
        • [Name of department] provides [name of applicable agency] with a SAP financial system platform to capture and report all financial transactions.

Departments fully at the ongoing monitoring stage

  • A.3

    Departmental assessment results for the [YYYY] to [YYYY] fiscal year

    The following table summarizes the status of the ongoing monitoring activities according to the previous fiscal year’s rotational plan.

    Progress during the [YYYY] to [YYYY] fiscal year
    Previous fiscal year’s rotational ongoing monitoring plan for the current fiscal year Status

    Entity-level controls, grants and contributions, financial close, and master data on vendors and customers

    Completed as planned; no remedial actions required

    Capital expenditures

    Completed as planned; remedial actions started

    In the [YYYY] to [YYYY] fiscal year, in addition to the progress made in ongoing monitoring, the department tested the design and operating effectiveness of a new payroll system.

    The key findings and significant adjustments required from the current fiscal year’s assessment activities are summarized in subsection A.3.1.

    • A.3.1New or significantly amended key controls

      In the current fiscal year, there were no significantly amended key controls in existing processes that required a reassessment. Design and operating effectiveness testing was conducted on the key controls for a new payroll system. Significant adjustments were not required for the new key controls.

    • A.3.2Ongoing monitoring program

      As part of its rotational ongoing monitoring plan, the department completed its reassessment of entity-level controls and the financial controls within the business processes of:

      • grants and contributions
      • capital expenditures
      • financial close
      • master data on vendors and customers

      For the most part, the key controls that were tested performed as intended, with remediation required as follows. For example, significant control issues related to the segregation of duties and system access for asset custodians were identified in the capital expenditure area. A management action plan addressing the recommendations was developed by the process owner.

  • A.4

    Departmental action plan for the next fiscal year and subsequent fiscal years

    [Name of department]’s rotational ongoing monitoring plan over the next 3 fiscal years is shown in the following table. The ongoing monitoring plan is based on:

    • an annual validation of high-risk processes and controls
    • related adjustments to the ongoing monitoring plan as required
    Rotational ongoing monitoring plan*
    Key control areas [YYYY] to [YYYY] fiscal year [YYYY] to [YYYY] fiscal year [YYYY] to [YYYY] fiscal year

    Entity-level controls

    Yes

    Yes

    Yes

    IT general controls under departmental management

    Yes

    Yes

    Yes

    Grants and contributions

    Yes

    Yes

    Yes

    Operating expenditures

    Yes

    No

    Yes

    Capital expenditures

    No

    Yes

    No

    Financial close

    No

    Yes

    No

    Master data on vendors and customers

    No

    Yes

    No

    Payroll

    Yes

    No

    Yes

    Revenue

    No

    Yes

    No

    * The length of the ongoing monitoring plan is at the discretion of the department and will depend on how often the department conducts its risk-based assessment. For example, a plan could cover a 1-, 3- or 5-year cycle.

    [Insert the following text, as applicable: In addition to the ongoing monitoring rotational plan, [name of department] plans to conduct the following assessment work [insert, for example, planned new or significantly amended key controls, deferred control work, remediation to be completed] in the fiscal years indicated.]

    [Report any deviations from the ongoing monitoring plan from the previous fiscal year.]

  • A.5

    Common service providers’ annual assessment results for the [YYYY] to [YYYY] fiscal year

    [Name of department], as a common service provider of [common services provided], has completed a risk-based assessment of the internal controls for these services. The results of this assessment are described below.

    Status of assessment of common services
    Key control areas Design effectiveness testing and remediation Operational effectiveness testing and remediation Ongoing monitoring rotation*

    IT general controls

    Complete

    Complete

    [YYYY] to [YYYY] fiscal year

    Legal services costs

    Complete

    Complete

    [YYYY] to [YYYY] fiscal year

    Payroll services

    [YYYY] to [YYYY] fiscal year

    [YYYY] to [YYYY] fiscal year

    Future fiscal years

    Public service insurance

    Complete

    Complete

    [YYYY] to [YYYY] fiscal year

    * The frequency of the ongoing monitoring of key control areas is risk-based and may occur over a multi-year cycle.

    As a result of design and operating effectiveness testing and ongoing monitoring of key controls, the department identified that the following required remediation:

    [Details on remediation activities.]

  • A.6

    Departmental status and action plan for the next fiscal year and subsequent fiscal years

    Building on progress to date, [name of department] is positioned to complete the full assessment of its system of internal control over financial reporting in the [YYYY] to [YYYY] fiscal year. At that time, the department will be applying its rotational ongoing monitoring plan to reassess control performance on a risk basis across all control areas. The status and action plan for the completion of the identified control areas for the next fiscal year and for subsequent years are shown in the following table.

    Status and action plan for the next fiscal year and subsequent fiscal years
    Key control areas Design effectiveness testing and remediation Operational effectiveness testing and remediation Ongoing monitoring rotation*

    Entity-level controls

    Complete

    Complete

    [YYYY] to [YYYY] fiscal year

    IT general controls under departmental management

    Complete

    Complete

    [YYYY] to [YYYY] fiscal year

    Capital assets

    Complete

    Complete

    [YYYY] to [YYYY] fiscal year

    Environmental liabilities

    [YYYY] to [YYYY] fiscal year

    [YYYY] to [YYYY] fiscal year

    Future fiscal years

    Operating expenses and accounts payable

    Complete

    Complete

    [YYYY] to [YYYY] fiscal year

    Payroll and benefits

    Complete

    Complete

    [YYYY] to [YYYY] fiscal year

    Transfer payments

    Complete

    [YYYY] to [YYYY] fiscal year

    Future fiscal years

    Revenue and accounts receivable

    Complete

    Complete

    [YYYY] to [YYYY] fiscal year

    Financial close and reporting

    Complete

    Complete

    [YYYY] to [YYYY] fiscal year

    Note: Specific commitments for the next fiscal year should be identified. Commitments beyond the next fiscal year are to be identified with the planned fiscal year of completion or, if unknown, as "Future fiscal years."

    * The length of the ongoing monitoring plan is at the discretion of the organization and will depend on how often the department conducts its risk-based assessment.

    [Report any deviations from the previous fiscal year’s action plan after the table.]

  • A.7

    Common service providers’ annual assessment results for the [YYYY] to [YYYY] fiscal year

    [Name of department], as a common service provider of [common services provided], has completed a risk-based assessment of the internal controls for these services. The results of this assessment are outlined below.

    Status of assessment of common services
    Key control areas Design effectiveness testing and remediation Operational effectiveness testing and remediation Ongoing monitoring rotation*

    IT general controls

    Complete

    Complete

    [YYYY] to [YYYY] fiscal year

    Cost of legal services

    Complete

    Complete

    [YYYY] to [YYYY] fiscal year

    Payroll services

    [YYYY] to [YYYY] fiscal year

    [YYYY] to [YYYY] fiscal year

    Future fiscal years

    Public service insurance

    Complete

    Complete

    [YYYY] to [YYYY] fiscal year

    * The frequency of the ongoing monitoring of key control areas is risk-based and may occur over a multi-year cycle.

    As a result of design and operating effectiveness testing and ongoing monitoring of key controls, the department identified that the following required remediation activities:

    [Details on remediation activities.]

Appendix B: simplified annex for small departments that are subject to core control audits but that have not yet been audited

Even though Appendix B is intended as an example of a simplified annex, instructions for completing the annex are shown in square brackets. Departments can follow the instructions in the square brackets and modify text as necessary.

Annex: internal control over financial reporting

  • B.1

    Introduction

    In support of an effective system of internal control, [name of department] annually assesses the performance of its financial controls to ensure that:

    • financial arrangements or contracts are entered into only when sufficient funding is available
    • payments for goods and services are made only when the goods or services have been received or the conditions of contracts or other arrangements have been satisfied
    • payments have been properly authorized

    [Name of department] will leverage the results of the periodic core control audits performed by the Office of the Comptroller General. A summary of the results of the assessment conducted during the [YYYY] to [YYYY] fiscal year is provided in subsection B.2.

  • B.2

    Assessment results for the [YYYY] to [YYYY] fiscal year

    For the most part, controls related to payment for goods and services and payment authority were functioning well and form an adequate basis for the department’s system of internal control. Some adjustments to reinforce segregation of duties were identified and addressed during the fiscal year.

  • B.3

    Assessment plan

    [Name of department] will continue to monitor the performance of its system of internal control, with a focus on the core controls related to financial transactions.

Date modified: