Guide to Internal Control Over Financial Management

1. Date of publication

This guide is effective as of November 22, 2019 and incorporates changes effective April 1, 2023.

2. Application, purpose and scope

This guide applies to the organizations listed in section 6 of the Policy on Financial Management.

This guide is intended to help managers and staff develop and implement key internal control frameworks and measures as described in the Policy on Financial Management.

This guide elaborates on the form and content of:

  • summary information on internal control over financial management;
  • the reporting of assessment results; and
  • information that is annexed to the annual Statement of Management Responsibility Including Internal Control Over Financial Reporting.

Examples in the appendices to this guide are provided for illustrative purposes and may not apply to all departments or situations.

3. Context

Canadians expect:

  • the financial resources of the Government of Canada to be well-managed and safeguarded through internal controls; and
  • reliable reporting that provides transparency and accountability for how public funds are spent to achieve results.

Numerous internal control frameworks have been developed by associations of internal control practitioners and other related organizations. One widely recognized framework is that of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which was established in the United States in 1985. Within the COSO integrated framework, everyone in an organization is responsible for internal control to some extent.

After the Policy on Internal Control was introduced in 2009, departments conducted an in-depth review of their internal control over financial reporting, which is a subset of internal control over financial management. Departments:

  • identified the financial statement items and associated processes that have the highest risk of causing financial misstatement; and
  • established processes to document, assess and improve key controls.

The introduction of the Policy on Financial Management in 2017, which replaced the Policy on Internal Control, did not alter the need for internal control over financial management, including internal control over financial reporting. The requirement to maintain a reliable system of internal control over financial management remains, but as departments evolve, so do the:

  • people;
  • processes (including guidance and procedures);
  • systems and structures; and
  • internal controls.

Departments must continue to review their system of internal control to ensure that it is effective. Existing controls may need to be amended, and new controls may need to be introduced.

4. Overview of internal control over financial management and over financial reporting

4.1 Accountabilities and financial management policy requirements

The deputy head accountabilities are described in section 16.4 of the Financial Administration Act (FAA).

As set out in the FAA, deputy heads are designated as accounting officers who have the legal obligation to appear before committees of the Senate and the House of Commons regarding their financial management responsibilities, including but not limited to:

  • the steps taken to maintain an effective system of internal control;
  • the controls that are in place;
  • how the controls function; and
  • the measures taken to ensure that the controls are effective.

The Policy on Financial Management (Policy) sets out the following key responsibilities for deputy heads, chief financial officers and senior departmental managers with respect to internal controls.

In accordance with subsection 4.1.6 of the Policy, the deputy head is responsible for ensuring that a risk-based departmental system of internal control over financial management is established, monitored and maintained.

In accordance with subsections 4.2.8 and 4.2.9 of the Policy, the chief financial officer is responsible for establishing, monitoring and maintaining:

  • a risk-based system of internal control over financial management to provide reasonable assurance that:
    • public resources are used prudently and in an economical manner;
    • financial management processes are effective and efficient; and
    • relevant legislation, regulations and financial management policy instruments are being complied with.
  • a risk-based system of internal control over financial reporting, as demonstrated by the departmental Statement of Management Responsibility Including Internal Control Over Financial Reporting (SMR).

In accordance with subsection 4.2.10 of the Policy, the chief financial officer is also responsible for ensuring that prompt corrective action is taken when control weaknesses and material unmitigated risks are identified.

In accordance with subsections 4.3.6 and 4.3.7 of the Policy, senior departmental managers are responsible for:

  • implementing and maintaining a risk-based system of internal control over financial management in their area of responsibility;
  • notifying the chief financial officer of material control weaknesses; and
  • ensuring that prompt corrective action is taken when control weaknesses are identified in their area of responsibility.

Subsection 4.2 of this guide describes the system of internal control in greater detail.

4.2 System of internal control

Internal control is conducted by an organization’s oversight body, management and other personnel to provide reasonable assurance that the objectives of the organization will be achieved.

Internal control management ensures that organizations have well-established governance and accountability structures in place to support the assessment and oversight of their systems of internal control. In particular, internal control management ensures that:

  • key internal controls are assessed and periodically reassessed for monitoring purposes using a risk-based approach;
  • corrective actions are taken when necessary; and
  • formal oversight of activities takes place through effective governance, including the establishment of an internal control management framework and regular reporting to senior management, the deputy head and, as applicable, the Departmental Audit Committee.

Figure 1 illustrates the responsibilities of the deputy head and the chief financial officer with respect to the system of internal control.

This guide focuses on the inner two circles related to internal control over financial management and internal control over financial reporting.

Figure 1: system of internal control

Figure 1. Text version below:
Figure 1 - Text version

Figure 1: system of internal control

Figure 1 shows 3 superimposed circles, which represent, from the largest to the smallest circle, the system of internal control, the system of internal control over financial management or ICFM, and the system of internal control over financial reporting or ICFR.

The deputy head is responsible for the system of internal control across the department according to the Financial Administration Act, section 16.4, and the Policy on Financial Management, subsection 4.1.6. The chief financial officer is responsible for the system of internal control over financial management and the system of internal control over financial reporting according to the Policy on Financial Management, subsections 4.2.8, 4.2.9, and 4.2.10.

Legend
ICFM: internal control over financial management
ICFR: internal control over financial reporting

4.2.1 Internal control over financial management

Internal control over financial management:

  • comprises measures and activities that provide reasonable assurance of the effectiveness and efficiency of the financial management activities of the department; and
  • involves not only financial reporting, but also those activities that ensure that public resources are prudently and economically managed.

In addition to the business processes supporting financial reporting, internal control over financial management could include, but is not limited to:

  • planning (budgeting and forecasting);
  • costing;
  • investment planning;
  • chief financial officer attestations (included in Cabinet submissions);
  • payroll/salary management process; and
  • project management.

4.2.2 Internal control over financial reporting

Internal control over financial reporting:

  • is a subset of the system of internal control over financial management; and
  • comprises measures and activities that provide reasonable assurance that a department’s financial statements are accurate and complete.

Example of business processes supporting financial reporting could include, but is not limited to:

  • entity-level controls;
  • information technology general controls;
  • financial close and reporting;
  • procure to payment (including contracting);
  • operating and capital expenditures; and
  • revenue.

The results of the assessment of the internal control over financial reporting must be reported in the annex to the SMR, in accordance with subsection 4.1.8.3 of the Policy.

More information on the SMR is provided in section 6 of this guide.

4.2.3 Benefits of an effective system of internal control over financial management and over financial reporting

Internal control over financial management offers many benefits to an organization, such as:

  • provide insight into how the organization is functioning;
  • provide reasonable assurance on the effectiveness and efficiency of operations, the reliability of reporting, and compliance with applicable legislations, regulations, and financial management instruments;
  • identify key risks and their mitigation strategies; and
  • reasonable assurance that financial resources are safeguarded against material loss that may result from waste, abuse, mismanagement, errors, fraud, omissions and other irregularities.

4.3 Internal controls assessment steps

To ensure the establishment and monitoring of effective internal controls over financial management, including internal control over financial reporting, departments perform the following five key steps regarding their internal controls assessment process, ultimately bringing each control to the stage of ongoing monitoring:

  • Risk Assessment: this requires carrying out a risk-based assessment of a department’s most important business processes.
  • Documentation: this requires updating or documenting the business processes, including the controls expected to be in place.
  • Design Effectiveness: this relates to assessing the risks associated with a specific business process and ensuring that controls are designed to address the risks.
  • Operating Effectiveness: this involves testing the controls identified under the design-effectiveness phase to ensure that they are working as intended throughout the year.
  • Ongoing monitoring: this involves putting in place a program of continuous monitoring of internal controls, which means conducting ongoing testing to ensure that the controls continue to operate effectively.

4.3.1 Ongoing monitoring

Departments that have completed their internal control assessment process of identified business processes, including the implementation of corrective actions or compensating controls to address gaps or weaknesses, are considered to be at the ongoing monitoring stage for the internal controls assessed. Ongoing monitoring assesses whether internal controls over financial management and over financial reporting continue to operate effectively and as designed.

Once a department reaches the ongoing monitoring stage, it will continue to remain at this stage, even when new processes are implemented, or the scope of the program is adjusted to reflect changes in the department’s operations or to incorporate new elements of internal control over financial management.

In accordance with the Policy, the deputy head, chief financial officer and senior departmental managers remain responsible for the sound management of the department’s system of internal control over financial management. This responsibility is demonstrated through:

  • the conduct of the department’s annual risk-based assessment of the design and operation of internal controls; and
  • the identification of actions needed to address any significant or material weaknesses.

More information on developing and maintaining an ongoing monitoring plan is available in the Guide to Ongoing Monitoring of Internal Control Over Financial Management.

5. Reporting on the assessment of internal controls

5.1 Reporting on internal control over financial management

To support deputy heads and chief financial officers in ensuring that a sound system of internal control over financial management exists within their organization, departments are expected to regularly assess their processes for internal control over financial management and report the results internally. This assessment could be reported in the annex to the Statement of Management Responsibility Including Internal Control Over Financial Reporting (SMR).

5.2 Reporting on internal control over financial reporting

In accordance with subsection 4.2.13.4.1 of the Policy on Financial Management, departments are required to report on their annual assessment of internal control over financial reporting in the annex to the SMR which accompanies the departmental financial statements. The content of the annex will depend on the size of the department and the level of maturity of internal control processes attained by the department according to its assessment.

The annex to the SMR provides an opportunity for departments to highlight:

  • the effectiveness of their management of internal control over financial reporting; and
  • the status of their assessment efforts based on their plans for risk-based ongoing monitoring of internal control over financial reporting.

Departments are to report on progress since the previous fiscal year and provide a high-level picture of the overall status of the complete assessment process, including what has been achieved to date.

The previous fiscal year’s plan would be the starting point for reporting the results of the annual assessment in the annex to the SMR. Departments are to explain deviations from the previous fiscal year’s plan and describe any significant changes to the scope of the department’s risk-based ongoing monitoring plan. The department should demonstrate that it has considered changes or new risks within its environment and reflected them in its annual assessment.

More information on the annex to the SMR is provided in subsection 6.1 of this guide.

5.3 Common service providers

In the context of internal control over financial management, common service providers are departments that provide services and key information, or perform a business activity, function or process on behalf of other government departments. The provision of these services to the broader government community impacts the financial statements of the recipient departments. The following is a non-exhaustive list of common service providers and the services they provide:

  • Public Services and Procurement Canada administers the payment of salaries, the procurement of goods and services, and provides accommodation services;
  • Shared Services Canada provides information technology infrastructure services;
  • Department of Justice Canada provides legal services;
  • Treasury Board of Canada Secretariat provides information on public service insurance and centrally administers payment of the employer’s share of contributions toward statutory employee benefit plans; and
  • Departments hosting system services, such as human resources or financial management.

Under subsection 4.2.13.4.2 of the Policy on Financial Management, common service providers must report in their annex to the SMR on the results of their annual assessment of the system of internal control for the services that they provide to recipient departments. This requirement ensures transparency on the state of controls in common service organizations for the services they provide to recipient departments.

Subsection A.5 of Appendix A to this guide is dedicated to common service providers to present the annual results of their assessment of the internal control over the common services that they deliver. Other departments are not to include this subsection when completing their annex to the SMR.

Similar to the approach for assessments that departments conduct on their internal control over financial reporting, common service providers are encouraged to use a risk-based approach when conducting their assessment of controls for the services provided to recipient departments.

If a common service provider determines that its common service controls are not scheduled for an assessment in a given fiscal year, it should state this in subsection A.5 of Appendix A. Common service providers may instead give an update on any remediation activities that are underway.

It should be noted that although common service providers must report on the system of internal control for the common services that they provide, this requirement is not intended to provide assurance of the reliability of the information in the financial statements of recipient departments.

Recipient departments using a common service provider’s services are still accountable for the control environment within their own organization and retain the responsibility for certain elements, for example:

  • approving access to various systems;
  • ensuring that the information sent to the common service provider is complete and accurate;
  • verifying that the services received are appropriate and in line with memoranda of understanding and contracts; and
  • managing the relationship with the common service provider, including participating in any governance bodies, as required.

6. Statement of Management Responsibility Including Internal Control Over Financial Reporting

The Statement of Management Responsibility Including Internal Control Over Financial Reporting (SMR) is signed by the deputy head and the chief financial officer consistent with responsibilities assigned through subsections 4.1.8 and 4.2.13 of the Policy on Financial Management. The SMR accompanies the departmental financial statements that are linked to, and published concurrently with, the Departmental Results Reports.

The SMR:

  • acknowledges management’s responsibility for maintaining an effective system of internal control over financial reporting; and
  • refers to the annual assessment of the system’s effectiveness and the associated action plan for the next and subsequent fiscal years.

Through the SMR, the deputy head and the chief financial officer are providing reasonable assurance that at a minimum:

  • records are maintained that support and represent fairly all financial transactions;
  • the recording of financial transactions allows for the preparation of internal and external financial information, reports and statements in compliance with financial management policy instruments;
  • expenditures are in accordance with delegated authorities, and unauthorized transactions that could have a material effect on the financial statements are prevented or detected in a timely manner;
  • financial resources are safeguarded against material loss because of waste, abuse, mismanagement, errors, fraud, omissions and other irregularities; and
  • prompt corrective action is taken when control weaknesses and material unmitigated risks are identified, including the risk of fraud, in the system of internal control over financial management and over financial reporting.

A model of a SMR is provided in the Directive on Accounting Standards: GC 4500 Guideline: Illustrative Departmental Financial Statements.

Common service providers are to include information on the system of internal control over the services they provide to recipient organizations in their SMR as per their annual assessment.

The SMR is also accompanied by an annex, which summarizes the measures taken by the department to maintain an effective system of internal control over financial reporting. More information on the annex to the SMR is provided in subsection 6.1 of this guide.

6.1 Annex to the Statement of Management Responsibility Including Internal Control Over Financial Reporting

This annex provides users of financial statements with summary information that demonstrates how the departmental system of internal control over financial reporting, is being managed through annual assessments, associated action plans and future assessment plans. Departments are encouraged to use the example annex that is appropriate to the department’s circumstances and to adapt, as necessary, the level of detail, content and key messages.

Two common types of annexes are offered.

The standard annex in Appendix A is for departments to report on their assessment efforts and the progress achieved since the previous fiscal year. As most departments have reached the ongoing monitoring phase of their system of internal controls over financial reporting, departments can also include in this annex information on internal control over financial management. Appendix A to this guide provides an example of the standard annex for departments that are at the ongoing monitoring stage for their internal control as well as those that are in the process of reaching the ongoing monitoring stage.

The simplified annex in Appendix B is for departments that do not have an internal audit function in accordance with the Policy on Internal Audit. These departments are required, starting in fiscal year 2022-23, to report on the results of their Core Control Self-Assessments in their annex to the SMR, as well as the results of any supplemental assessments of internal control that have been conducted by the Office of the Comptroller General (OCG). For example, the results of targeted audits conducted by the Internal Audit Sector of the OCG on selected departments.

7. References

Legislation

Related policy and guidance instruments

Tools

8. Enquiries

Members of the public may contact TBS Public Enquiries regarding any questions about this guide.

Individuals from departments should contact their departmental financial policy group regarding any questions about this guide.

Individuals from a departmental financial policy group may contact Financial Management Enquiries for interpretation of this guide.

For additional information on the Core Control Self-Assessments Tools, you may contact the Internal Audit Sector of the OCG.

Appendix A: Standard Annex to the Statement of Management Responsibility Including Internal Control Over Financial Reporting

The standard annex applies to departments that have an internal audit function.

Subsections A.3 and A.4 are tailored to departments that are at the ongoing monitoring stage for all control areas (see example).

Subsection A.5 is to be completed by common service providers only. Common service providers must use this section to report on the annual assessment of the system of internal control over the services that they provide to recipient departments.

Subsection A.6 is tailored to departments that have not yet reached ongoing monitoring stage for all key control areas.

Departments that are served by Shared Services Canada should continue to address, in the annex, the assessment of any information technology (IT) general controls, such as feeder systems or financial applications that departments continue to manage.

Appendix A is intended as an example, instructions for completing the annex are shown in square brackets. Departments can follow the instructions in the square brackets, modify the text as necessary and insert their own data in the tables. The tables below are presented mainly for illustrative purposes even though they have some template-like characteristics.

For greater clarity of presentation, departments are encouraged to use tables rather than text in appropriate sections of their annex.

Annex: internal control over financial reporting

  • A.1

    Introduction

    This document provides summary information on the measures taken by [name of department] to maintain an effective system of internal control over financial reporting, as well as information on internal control management, assessment results and related action plans.

    Detailed information on the department’s authority, mandate and core responsibilities can be found in the Departmental Plans for the [YYYY] to [YYYY] fiscal year and the Departmental Results Report for the [YYYY] to [YYYY] fiscal year ([titles and links to the reports]).

  • A.2

    Departmental system of internal control over financial reporting

    • A.2.1
      Internal control management

      [Name of department] has a well-established governance and accountability structure to support departmental assessment efforts and oversight of its overall system of internal control. A departmental internal control management framework, is in place and comprises:

      • organizational accountability structures as they relate to internal control management to support sound financial management, including the roles and responsibilities of senior departmental managers for control management in their areas of responsibility;
      • values and ethics;
      • ongoing communication and training on the legislative and policy requirements for sound financial management and control; and
      • monitoring and regular updates on internal control management, as well as provision of related assessment results and action plans to the deputy head and senior departmental management and, as applicable, the Departmental Audit Committee.

      The Departmental Audit Committee is an independent advisory committee to the deputy head. It is responsible to provide advice to the deputy head on the adequacy and functioning of the department’s risk management, control and governance frameworks and processes.

    • A.2.2
      Service arrangements relevant to financial statements

      [Name of department] relies on other departments for processing certain transactions that are recorded in its financial statements, as follows.

      • A.2.2.1
        Common service arrangements
        • Public Services and Procurement Canada administers the payment of salaries, the procurement of goods and services, and provides accommodation services;
        • Shared Services Canada provides information technology (IT) infrastructure services;
        • Department of Justice Canada provides legal services; and
        • Treasury Board of Canada Secretariat provides information on public service insurance and centrally administers payment of the employer’s share of contributions toward statutory employee benefit plans.

        Readers of this annex may refer to the annexes of the above-noted departments for a greater understanding of the systems of internal control over financial reporting related to these specific services.

        [Name of department] relies on other external service providers [and/or] departments for the processing of certain information or transactions that are recorded in its financial statements, as follows:

        [Add details]

      • A.2.2.2
        Specific arrangements
        • An external service provider, under contract with the Government of Canada, administers [name of the program or activity] on behalf of [name of department]’s program. The external service provider has the authority and responsibility to ensure that [specific transactions or payments] are made in accordance with the terms and conditions set out by [name of department]’s program. As a result, the control procedures of the external service provider are relied upon.
        • [Name of department] provides [name of applicable department or agency] with a financial system platform to capture and report all financial transactions.

Internal controls at the ongoing monitoring stage

  • A.3

    Departmental assessment results for the [YYYY] to [YYYY] fiscal year

    The following table summarizes the status of the ongoing monitoring activities according to the previous fiscal year’s rotational plan.

    Progress during the [YYYY] to [YYYY] fiscal year
    Previous fiscal year’s rotational ongoing monitoring plan for the current fiscal yearStatus
    Entity-level controls, grants and contributions, financial close, and master data on vendors and customersCompleted as planned; no remedial actions required
    Capital expendituresCompleted as planned; remedial actions started

    In the [YYYY] to [YYYY] fiscal year, in addition to the progress made in ongoing monitoring, the department tested the design and operating effectiveness of a new payroll system.

    The key findings and significant adjustments required from the current fiscal year’s assessment activities are summarized in subsection A.3.1.

    • A.3.1
      New or significantly amended key controls

      In the current fiscal year, there were no significantly amended key controls in existing processes that required a reassessment. Design and operating effectiveness testing was conducted on the key controls for a new payroll system. Significant adjustments were not required for the new key controls.

    • A.3.2
      Ongoing monitoring program

      As part of its rotational ongoing monitoring plan, the department completed its reassessment of entity-level controls and the financial controls within the business processes of:

      • grants and contributions;
      • capital expenditures;
      • financial close; and
      • master data on vendors and customers.

      For the most part, the key controls that were tested performed as intended, with remediation required as follows. For example, significant control issues related to the segregation of duties and system access for asset custodians were identified in the capital expenditure area. A management action plan addressing the recommendations was developed by the business process owner.

  • A.4

    Departmental action plan for the next fiscal year and subsequent fiscal years

    [Name of department]’s rotational ongoing monitoring plan over the next three fiscal years is shown in the following table. The ongoing monitoring plan is based on:

    • an annual validation of high-risk processes and controls; and
    • related adjustments to the ongoing monitoring plan as required.
    Rotational ongoing monitoring plantable 1 note *
    Key control areas[YYYY] to [YYYY] fiscal year[YYYY] to [YYYY] fiscal year[YYYY] to [YYYY] fiscal year
    Table 1 Notes
    Table 1 Note 1

    The length of the ongoing monitoring plan is at the discretion of the department and will depend on how often the department conducts its risk-based assessment. For example, a plan could cover a 1-, 3- or 5-year cycle.

    Return to table 1 note * referrer

    Entity-level controlsYesYesYes
    Information technology general controls under departmental managementNoYesYes
    Grants and contributionsNoYesYes
    Operating expendituresYesNoYes
    Capital expendituresNoYesNo
    Financial closeNoYesNo
    Master data on vendors and customersNoYesNo
    PayrollYesNoYes
    RevenueNoYesNo

    [Insert the following text, as applicable: In addition to the ongoing monitoring rotational plan, [name of department] plans to conduct the following assessment work [insert, for example, planned new or significantly amended key controls, deferred control work, remediation to be completed] in the fiscal years indicated.]

    [Report any deviations from the ongoing monitoring plan from the previous fiscal year.]

  • A.5

    Common service provider’s annual assessment results for the [YYYY] to [YYYY] fiscal year

    [Name of department], as a common service provider of [common services provided], has completed a risk-based assessment of the internal controls for these services. The results of this assessment are described below.

    Status of assessment of common services
    Key control areasDesign effectiveness testing and remediationOperational effectiveness testing and remediationOngoing monitoring rotationtable 2 note *
    Table 2 Notes
    Table 2 Note 1

    The frequency of the ongoing monitoring of key control areas is risk-based and may occur over a multi-year cycle.

    Return to table 2 note * referrer

    Information technology general controlsCompleteComplete[YYYY] to [YYYY] fiscal year
    Legal services costsCompleteComplete[YYYY] to [YYYY] fiscal year
    Payroll services[YYYY] to [YYYY] fiscal year[YYYY] to [YYYY] fiscal yearFuture fiscal years
    Public service insuranceCompleteComplete[YYYY] to [YYYY] fiscal year

    As a result of design and operating effectiveness testing and ongoing monitoring of key controls, the department identified the following required remediation:

    [Details on remediation activities.]

Internal controls not at the ongoing monitoring stage

  • A.6

    Departmental status and action plan

    Building on progress to date, [name of department] is positioned to complete the full assessment of its system of internal control over financial reporting in the [YYYY] to [YYYY] fiscal year. At that time, the department will be applying its rotational ongoing monitoring plan to reassess control performance on a risk basis across key control areas. The status and action plan for the completion of the identified control areas for the next fiscal year and for subsequent years are shown in the following table.

    Status and action plan
    Key control areasRisk Assessment and DocumentationDesign effectiveness testing and remediationOperational effectiveness testing and remediationOngoing monitoring rotationtable 3 note *
    Table 3 Notes
    Table 3 Note 1

    The frequency of the ongoing monitoring of key control areas is risk-based and may occur over a multi-year cycle.

    Return to table 3 note * referrer

    IT general controls under departmental managementCompleteCompleteComplete[YYYY] to [YYYY] fiscal year
    Capital assetsComplete[YYYY] to [YYYY] fiscal year[YYYY] to [YYYY] fiscal year[YYYY] to [YYYY] fiscal year
    Operating expenses and accounts payableCompleteCompleteComplete[YYYY] to [YYYY] fiscal year
    Payroll and benefitsCompleteCompleteComplete[YYYY] to [YYYY] fiscal year
    Transfer paymentsCompleteComplete[YYYY] to [YYYY] fiscal year[YYYY] to [YYYY] fiscal year
    Revenue and accounts receivableCompleteCompleteComplete[YYYY] to [YYYY] fiscal year

    As a result of design and operating effectiveness testing and ongoing monitoring of key controls, the department identified the following required remediation:

    [Details on remediation activities.]

Appendix B: Simplified Annex to the Statement of Management Responsibility Including Internal Control Over Financial Reporting

Appendix B is intended as an example of a simplified annex to the SMR for departments that do not have an internal audit function in accordance with thePolicy on Internal Audit. Instructions for completing the annex are shown in square brackets. Departments may modify the text as necessary.

Annex: internal control over financial reporting

  • B.1

    Introduction

    In support of an effective system of internal control, [Name of department] conducted self-assessments of key control areas that were identified to be assessed in the [YYYY] to [YYYY] fiscal year. A summary of the assessment results and action plan is provided in subsection B.2. 

    [Name of department] completed the assessment of key control areas as indicated in the following table. A summary of the results, action plans, and additional details are also provided.

  • B.2

    Assessment results for the [YYYY] to [YYYY] fiscal year

    [Name of department] completed the assessment of key control areas as indicated in the following table. A summary of the results, action plans, and additional details are also provided.

    Key control areasRemediation requiredSummary results and action plan
    DelegationYesIssues to required training were identified. Remedial actions addressed.
    Transfer paymentsNoInternal controls are functioning as intended, no action plan required.

    With respect to the key control areas of the delegation of spending and financial authorities, for the most part, controls related to spending and financial authorities were functioning well and form an adequate basis for the department’s system of internal control. Some issues to the required training were identified and addressed during the fiscal year.

    [Name of department] was audited by the Office of the Comptroller General on key control areas in [key control]. A summary of the audit results and remedial actions are provided below:

    [Add details.]

  • B.3

    Assessment plan

    [Name of department] will assess the performance of its system of internal control by focusing on key control areas over a cycle of years as shown in the following table.

    Assessment plan
    Key control areas[YYYY] to [YYYY] fiscal year[YYYY] to [YYYY] fiscal year[YYYY] to [YYYY] fiscal year[YYYY] to [YYYY] fiscal year[YYYY] to [YYYY] fiscal year
    DelegationYesNoNoNoNo
    Transfer PaymentsYesNoNoNoNo
    ContractingNoYesNoNoNo
    Year-end PayablesNoYesNoNoNo
    ReceivablesNoYesNoNoNo
    Pay AdministrationNoNoYesNoNo
    TravelNoNoYesNoNo
    Financial Management GovernanceNoNoYesNoNo
    HospitalityNoNoNoYesNo
    Fleet ManagementNoNoNoYesNo
    Accountable AdvancesNoNoNoYesNo
    Acquisition cardsNoNoNoNoYes
    LeaveNoNoNoNoYes
    Special Financial AuthoritiesNoNoNoNoYes