|

 

 

 

 

CCAF ~ FCVI Inc.
291 Olmstead Street
Ottawa (Vanier), ON
K1L 7J9 Canada

Tel: 613-241-6713
Fax: 613-241-6900
info@ccaf-fcvi.com

 

Copyright © 2017 CCAF-FCVI
Privacy Policy



Internal Control Over Financial Reporting
Sunday, 29 March 2009 20:00

 

Internal Audit Initiatives in Three Jurisdictions

In several Canadian jurisdictions, internal audit is playing a role in helping management determine the effectiveness of internal control over financial reporting. In this Update, CCAF looks at developments in three jurisdictions: Alberta, Ontario and the Government of Canada.

CCAF wishes to thank the following people for providing the information on which this article is based:

  • Heather Zomar, Chief Internal Auditor, Government of Alberta
  • Richard Kennedy, Chief Internal Auditor and Assistant Deputy Minister, Ministry of Finance, Government of Ontario
  • Fred Jaakson, Executive Director, Internal Audit Sector, Office of the Comptroller General of Canada, Treasury Board of Canada Secretariat, Government of Canada.


Alberta: A self-assessment guide

In 2007, Alberta's Corporate Internal Audit Service (CIAS) undertook a pilot project in the Department of Finance andzomarEnterprise to develop a high-level guide for the department to assess their internal controls over financial reporting.

The pilot was a success, and CIAS finalized a Self-Assessment Guide and a Check up Questionnaire for broader use.

The Self-Assessment Guide covers the five COSO1 control elements:

  • control environment
  • risk assessment
  • control activities
  • information and communication
  • monitoring.

The Guide helps assessors review each of 23 COSO sub-elements under the five control elements. It enables assessors to determine the current state of controls and identify control gaps and opportunities for improvement.

The Questionnaire is a series of statements consistent with the five COSO elements. Assessors can use it to quickly assess a department's awareness and knowledge of controls over financial reporting, and focus the application of the Self-Assessment Guide.

CIAS has since assisted a number of departments to apply the Questionnaire and Guide to assess their own controls over financial reporting. By using these tools, departments are able to provide their Deputy Minister and Controller with an assessment that high-level controls are in place.

CIAS notes that the tools also provide a consistent method of rating internal controls across the government, and help CIAS identify high risk areas for future projects.

 

Ontario: Financial Assurance Program
In 2008, the Ontario Internal Audit Division (OIAD) began introducing the Financial Assurance Program, a joint initiativekennedywith Ontario's Office of the Provincial Controller Division. The multi-year program will support the government's need for increased assurance over the integrity of financial management processes and related information and reporting.

The program's objectives are to:

  • support ministries in implementing processes to confirm the ongoing integrity of financial management and reporting processes, in compliance with control and risk management standards
  • support ministries in implementing processes to manage compliance to applicable financial policies and guidelines in line with their role to ensure the quality of financial management processes and the completeness and accuracy of financial reporting information
  • help build knowledge and capacity for self-assessment against control standards, thereby promoting enhanced continuous improvement and risk management disciplines.


The initial phase of the program is targeted at clients of OIAD's Health Audit Service Team (the Ministry of Health and Long-Term Care and the Ministry of Health Promotion). Later, the knowledge developed will be transferred to other audit service teams and ministries.

The first phase, currently underway, began with a pilot on a selected sub-process, and has now moved on to full-scale deployment for all identified processes. This part of the program involves three steps:

1. Process documentation and evaluation

  • Document and understand processes through narratives, risk and control matrices, and process flowcharts
  • Assess control and process design effectiveness
  • Identify control design gaps and other opportunities for improvement


2. Test controls

  • Test controls to assess operational effectiveness of controls and process
  • Identify any operating deficiencies and develop remediation plans
  • Develop solutions for gaps
  • Develop self-assessment tools


3. Remediation

  • Implement solutions for control gaps and other improvements
  • Re-test remediated controls, as necessary
  • The audit methodology involves an examination of financial management from various angles: from business processing to IT controls to tools and techniques. Projects will be selected based on their transferability to other audit service teams.

OIAD hopes the program will result in:

  • enhanced documentation to support the integrity of certificates of assurance provided by ministry managers
  • improved disclosures regarding internal control practices
  • improved capacity of OIAD to provide assurances with respect to the state of internal controls and financial reporting in the Ontario Government
  • greater reliance by the Auditor General of Ontario on OIAD's work regarding internal controls over financial management
  • reduced number of audit findings by both Auditor General and OIAD.


Canada: Core Controls project

In the Government of Canada context, the objectives of internal control over financial reporting are to:

  • maintain records that fairly reflect all financial transactions of the department
  • provide reasonable assurance that transactions are recorded to permit preparation of financial information and statements in accordance with Treasury Board policies and standards
  • ensure receipts and expenditures of the department are being made in accordance with delegated authorities
  • provide reasonable assurance that unauthorized transactions that could have a material effect on financial information are prevented or detected in a timely manner.

Following from the early work of an advisory group of chief audit executives and senior practitioners, the Office of the Comptroller General (OCG) of Canada has developed a draft framework on core management controls drawing from landmark initiatives such as COSO, COBIT2 and CoCo3 and organized around the ten key elements of the federal government's Management Accountability Framework (COSO is the pre-eminent reference point in this regard).

The Core Management Controls document has been developed as an internal audit framework and tool. It provides chief audit executives with a means to ground their strategy in moving, progressively, towards a point at which they will be able to provide holistic assurance about risk management, control and governance processes. The core controls contain a significant number of internal controls over financial reporting.

The document has been released as a draft with encouragement to departments to work with these ideas and structures. The OCG/Internal Audit Sector will lead or sponsor a small number of pilot projects in departments aimed at testing these ideas and learning how they can or need to be modified or refined for different kinds of organizational environments. At the same time, additional content on internal controls over financial reporting will be developed and integrated.

The Office of the Comptroller General of Canada is developing a requirement for a Deputy Head and a Chief Financial Officer to sign a new version of a Statement of Management Responsibility that includes internal control over financial reporting.

The Deputy Head would expect assurance that internal control over financial reporting is being maintained, monitored, assessed annually for effectiveness, and adjusted as required. The Deputy could obtain this assurance from:

  • the CFO for the results of the annual assessment of the effectiveness of the department's internal control over financial reporting
  • senior departmental managers for elements that fall within their areas of responsibility
  • the chief audit executive
  • advice from the Departmental Audit Committee.

 

A Topic of Increasing Importance

Ever since the days of the Enron and WorldCom scandals early this decade, the topic of internal control over financial reporting has taken on increased importance.

The Sarbanes-Oxley Act of 2002 requires company annual reports to include a report by management on the adequacy of the company's internal control over financial reporting. The Public Company Accounting Oversight Board, created by the Sarbanes-Oxley Act, indicates in its Auditing Standard No. 5 that “Effective internal control over financial reporting provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes.”

As of 2006, CEOs and CFOs of companies listed in Canada have to certify that they are responsible for establishing and maintaining internal control over financial reporting, and that they have “designed such internal control over financial reporting…to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with the issuer's GAAP.”

In Canada's public sector, the 2006 Federal Accountability Act makes federal deputy heads accountable before the appropriate committees of the Senate and the House of Commons for “the measures taken to maintain effective systems of internal control in the department”.


GOC Developing New Management Statement

The Office of the Comptroller General of Canada is developing a requirement for a Deputy Head and a Chief Financial Officer to sign a new version of a Statement of Management Responsibility that includes internal control over financial reporting.

The Deputy Head would expect assurance that internal control over financial reporting is being maintained, monitored, assessed annually for effectiveness, and adjusted as required. The Deputy could obtain this assurance from:

  • the CFO for the results of the annual assessment of the effectiveness of the department's internal control over financial reporting
  • senior departmental managers for elements that fall within their areas of responsibility
  • the chief audit executive
  • advice from the Departmental Audit Committee.


--------------------------------------------------------------------------------
1 The committee of sponsoring organizations of the Treadway Commission
2 Control Objectives for Information and related Technology
3 Criteria of Control Board, Canadian Institute of Chartered Accountants