Summary of the Assessment of Effectiveness of the Systems of Internal Control over Financial Reporting and the Action Plan of the Canadian Institutes of Health Research for the Fiscal Year 2011–12 (Unaudited)

Annex to the Statement of Management Responsibility Including Internal Control Over Financial Reporting

Note to the reader

With the Treasury Board Policy on Internal Control, Departments and Agencies are now required to demonstrate the measures they are taking to maintain an effective system of internal control over financial reporting (ICFR).

As part of this policy, Departments and Agencies are expected to conduct annual assessments of their system of ICFR, establish action plan(s) to address any necessary adjustments, and to attach to their Statements of Management Responsibility a summary of their assessment results and action plan.

Effective systems of ICFR aim to achieve reliable financial statements and provide reasonable assurance that:

It is important to note that the system of ICFR is not designed to eliminate all risks, but rather to mitigate risk to a reasonable level with controls that are balanced with and proportionate to the risks they aim to mitigate.

The system of ICFR is designed to mitigate risks to a reasonable level based on an ongoing process to identify key risks, to assess the effectiveness of associated key controls and adjust as required, as well as to monitor the system in support of continuous improvement. As a result, the scope, pace and status of those Department/Agency assessments of the effectiveness of their system of ICFR will vary from one organization to another based on risks and taking into account their unique circumstances. 

1. Introduction

This document is an annex to the Canadian Institutes of Health Research’s (CIHR) Statement of Management Responsibility Including Internal Control Over Financial Reporting for the 2011–12 fiscal year. As required by the Treasury Board (TB) Policy on Internal Control, this document provides summary information on the measures taken by CIHR to maintain an effective system of internal control over financial reporting (ICFR). In particular, it provides summary information on the internal control assessments conducted by CIHR as at March 31, 2012, including progress, results and related action plans along with some financial highlights pertinent to understanding the control environment of the Agency. This is the second annex produced by CIHR.

1.1 Authority, mandate and program activities

Detailed information on CIHR’s authority, mandate and program activities can be found in its Report on Plans and Priorities and Departmental Performance Report and in the Auditor’s Report and Financial Statements section of its annual report.

1.2 Financial highlights

Key financial highlights from the 2011–12 financial statements are found in the section Financial Statement Discussion and Analysis of the annual report.

Additional departmental financial information for fiscal year 2011–12 can be found under section III – Supplementary Information of the Departmental Performance Report and in the Public Accounts of Canada.

1.3 Service arrangements relevant to financial statements

CIHR relies on other organizations for the processing of certain transactions or the provision of information which impact its financial statements:

1.4 Material changes in fiscal year 2011–12

No significant material changes that are relevant to the financial statements occurred in 2011–12.

2. CIHR's Control Environment Relevant to ICFR

CIHR recognizes the importance of setting the tone from the top to help ensure that staff at all levels understand their roles in maintaining effective systems of ICFR and are well equipped to exercise these responsibilities effectively. CIHR’s focus is to ensure that risks are well managed through a responsive and risk-based control environment that enables continuous improvement and innovation.

2.1 Key positions, roles and responsibilities

Below are CIHR’s key positions and committees with responsibilities for maintaining and reviewing the effectiveness of its system of ICFR.

President – CIHR’s President, as Accounting Officer, assumes the overall responsibility and leadership for the measures taken to maintain an effective system of internal control.

Executive Management Committee (EMC) – EMC provides leadership and decision making for strategic, corporate policy and management areas that support and contribute to the strategic directions set out by CIHR’s Governing Council.

Chief Financial Officer (CFO) – CIHR’s CFO reports directly to the President and provides leadership for the coordination, coherence and focus on the design and maintenance of an effective and integrated system of ICFR, including its annual assessment.

Executive Vice-President and Vice-Presidents – CIHR’s Executive Vice-President and Vice-Presidents are responsible for maintaining and reviewing the effectiveness of their system of ICFR falling within their mandate.

Chief Audit Executive (CAE) – CIHR’s CAE reports administratively to the Executive Vice-President, functionally to the President and has unfettered access to the CIHR Departmental Audit Committee and the Committee Chair. The CAE provides assurance through periodic internal audits that are instrumental to the maintenance of an effective system of ICFR.

Audit Committee – The Audit Committee is an advisory committee that provides objective views on CIHR’s risk management, control and governance frameworks. This committee, established in July 2009, is chaired by a member of CIHR’s Governing Council and is comprised of three other external members. The President also sits on the committee as an ex officio non-voting member.

2.2 Key measures taken by CIHR

CIHR’s control environment includes a series of measures to equip its staff to manage risks by: raising awareness; providing appropriate knowledge and tools; and developing skills. Key measures include:

3. Assessment of CIHR’s System of ICFR

3.1 Assessment baseline

The Policy on Internal Control stipulates that CIHR be able to maintain an effective system of ICFR with the objective to provide reasonable assurance that transactions are appropriately authorized; financial records are properly maintained; assets are safeguarded; and applicable laws, regulations and policies are followed.

Since its inception, CIHR has received an unqualified audit opinion. It has been able to sustain controls-based audits by the Office of the Auditor General. As a result, CIHR did not undergo an audit readiness assessment and hence its reliance on controls provided the baseline for CIHR to move forward in its review of the effectiveness of its ICFR.

The review includes the assessment of design and operating effectiveness of the agency’s system of ICFR, leading to its ongoing monitoring and continuous improvement.

Design effectiveness means to ensure that key control points are identified, documented, in-place and that they are aligned with appropriate risks (i.e. controls are balanced with and proportionate to the risks they aim to mitigate) and that any remediation is addressed. This includes the mapping of key processes and IT systems to the main accounts.

Operating effectiveness means that the application of key controls has been tested over a defined period and that any required remediation is addressed. Such testing includes corporate or entity, general computer and business process controls.

Ongoing monitoring means that a systematic, integrated approach to monitoring is in place in support of continuous improvement, including periodic risk-based assessments and timely remediation.

CIHR also addresses control weaknesses that are raised by the Office of the Auditor General in its annual audit and through recommendations made by the Agency’s internal audit and evaluation functions.

3.2 Scope of CIHR’s assessment

At the beginning of each year, CIHR conducts a financial risk assessment of its previous year’s Financial Statements to identify the key business processes posing the highest risk to the organization and to users of the Financial Statements. CIHR identified 14 significant business processes.

For each significant business process, CIHR took the following steps:

  1. Gathering information pertaining to processes and locations, risks and controls relevant to ICFR, including appropriate policies and procedures;
  2. Mapping out key processes using narratives, flow charts and internal control matrices to identify and document key risks and control points on the basis of materiality, volumes, linkage to compliance documents, complexity, and susceptibility to loss;
  3. Assessing, documenting and testing the design and operating effectiveness of key controls; and
  4. Formally reporting and remediating the deficiencies identified.

For the fiscal year 2011–12, CIHR completed the documentation and design testing of five processes and updated the nine processes that were assessed in 2010–11. All 14 processes have been tested for operational effectiveness during the year.

CIHR’s assessments of entity-level controls and IT general controls were completed in previous fiscal years. In 2011–12, CIHR’s Internal Audit unit conducted an IT Security Audit that supplemented the work performed in the previous year.

4. CIHR’s Assessment Results

As a result of the assessment approach described above, CIHR developed a baseline architecture of the riskiest key control points by business process and main IT systems.

As at March 31, 2012, CIHR had completed the analysis and testing of the design and operating effectiveness for all key business processes identified in the financial risk assessment. The assessment results are described in the following subsections.

4.1 Design effectiveness of key controls

As a result of the assessments, CIHR identified that the following significant adjustments are required:

Approval process and segregation of duties

Asset management

Reconciliations and documentation

IT systems

Financial management

4.2 Operating effectiveness of key controls

CIHR has assessed the operating effectiveness of key controls in all 14 business processes. In doing so, it has developed a risk-based testing plan that identified key controls to be tested over a defined period of time, including the selection of the test-period as well as the method and frequency of testing. In 2011–12 operating deficiencies in transfer payments, hospitality, travel, shipping and receiving, and payables at year end were noted due to inconsistencies in control process application and level of documentation requirements between various units. Remediation requirements to date have been addressed as soon as necessary adjustments were identified.

5. CIHR’s Action Plan

5.1 Progress during fiscal year 2011–12

During the 2011–12 fiscal year, CIHR continued to make significant progress in assessing and improving its key controls. CIHR completed all items in the action plan from the previous fiscal year except for engaging new personnel or modifying system access profiles to better segregate duties, which was not done due to budget constraints. However, CIHR has implemented compensating controls to mitigate these risks. Below is a summary of the main advancements made by CIHR.

5.2 Action plan

Building on the progress to date, CIHR will begin the transition to ongoing monitoring.

By the end of 2012–13, resources permitting, CIHR plans to:

By the end of 2013–14, resources permitting, CIHR plans to:
