Summary of the Assessment of Effectiveness of the Systems of Internal Control over Financial Reporting and the Action Plan of the Canadian Institutes of Health Research for the Fiscal Year 2011–12 (Unaudited)
Annex to the Statement of Management Responsibility Including Internal Control Over Financial Reporting
Note to the reader
With the Treasury Board Policy on Internal Control, Departments and Agencies are now required to demonstrate the measures they are taking to maintain an effective system of internal control over financial reporting (ICFR).
As part of this policy, Departments and Agencies are expected to conduct annual assessments of their system of ICFR, establish action plan(s) to address any necessary adjustments, and attach to their Statements of Management Responsibility a summary of their assessment results and action plan.
Effective systems of ICFR aim to achieve reliable financial statements and provide reasonable assurance that:
- Transactions are appropriately authorized;
- Financial records are properly maintained;
- Assets are safeguarded from risks such as waste, abuse, loss, fraud and mismanagement; and
- Applicable laws, regulations and policies are followed.
It is important to note that the system of ICFR is not designed to eliminate all risks, but rather to mitigate risk to a reasonable level with controls that are balanced with and proportionate to the risks they aim to mitigate.
The system of ICFR is designed to mitigate risks to a reasonable level based on an ongoing process to identify key risks, to assess the effectiveness of associated key controls and adjust as required, as well as to monitor the system in support of continuous improvement. As a result, the scope, pace and status of those Department/Agency assessments of the effectiveness of their system of ICFR will vary from one organization to another based on risks and taking into account their unique circumstances.
This document is an annex to the Canadian Institutes of Health Research’s (CIHR) Statement of Management Responsibility Including Internal Control Over Financial Reporting for the 2011–12 fiscal year. As required by the Treasury Board (TB) Policy on Internal Control, this document provides summary information on the measures taken by CIHR to maintain an effective system of internal control over financial reporting (ICFR). In particular, it provides summary information on the internal control assessments conducted by CIHR as at March 31, 2012, including progress, results and related action plans along with some financial highlights pertinent to understanding the control environment of the Agency. This is the second annex produced by CIHR.
1.1 Authority, mandate and program activities
Detailed information on CIHR’s authority, mandate and program activities can be found in its Report on Plans and Priorities and Departmental Performance Report and in the Auditor’s Report and Financial Statements section of its annual report.
1.2 Financial highlights
Key financial highlights from the 2011–12 financial statements are found in the section Financial Statement Discussion and Analysis of the annual report.
Additional departmental financial information for fiscal year 2011–12 can be found under section III – Supplementary Information of the Departmental Performance Report and in the Public Accounts of Canada.
1.3 Service arrangements relevant to financial statements
CIHR relies on other organizations for the processing of certain transactions or the provision of information which impact its financial statements:
- Public Works and Government Services Canada (PWGSC) centrally administers the payment of salaries and benefits, the procurement of some goods and services as well as the provision of accommodations on behalf of CIHR;
- Treasury Board Secretariat (TBS) provides CIHR with information used to calculate various accruals and allowances, such as the employer’s contribution to the health and dental insurance plans which are funded centrally;
- Other federal Departments and Agencies administer funds on behalf of CIHR to issue grants, awards and related payments, such as for the Canada Research Chairs program. These expenses are reflected in CIHR’s Statement of Operations as expenses.
1.4 Material changes in fiscal year 2011–12
No significant material changes that are relevant to the financial statements occurred in 2011–12.
2. CIHR's Control Environment Relevant to ICFR
CIHR recognizes the importance of setting the tone from the top to help ensure that staff at all levels understand their roles in maintaining effective systems of ICFR and are well equipped to exercise these responsibilities effectively. CIHR’s focus is to ensure that risks are well managed through a responsive and risk-based control environment that enables continuous improvement and innovation.
2.1 Key positions, roles and responsibilities
Below are CIHR’s key positions and committees with responsibilities for maintaining and reviewing the effectiveness of its system of ICFR.
President – CIHR’s President, as Accounting Officer, assumes the overall responsibility and leadership for the measures taken to maintain an effective system of internal control.
Executive Management Committee (EMC) – EMC provides leadership and decision making for strategic, corporate policy and management areas that support and contribute to the strategic directions set out by CIHR’s Governing Council.
Chief Financial Officer (CFO) – CIHR’s CFO reports directly to the President and provides leadership for the coordination, coherence and focus on the design and maintenance of an effective and integrated system of ICFR, including its annual assessment.
Executive Vice-President and Vice-Presidents – CIHR’s Executive Vice-President and Vice-Presidents are responsible for maintaining and reviewing the effectiveness of their system of ICFR falling within their mandate.
Chief Audit Executive (CAE) – CIHR’s CAE reports administratively to the Executive Vice-President, functionally to the President and has unfettered access to the CIHR Departmental Audit Committee and the Committee Chair. The CAE provides assurance through periodic internal audits that are instrumental to the maintenance of an effective system of ICFR.
Audit Committee – The Audit Committee is an advisory committee that provides objective views on CIHR’s risk management, control and governance frameworks. This committee, established in July 2009, is chaired by a member of CIHR’s Governing Council and is comprised of three other external members. The President also sits on the committee as an ex officio non-voting member.
2.2 Key measures taken by CIHR
CIHR’s control environment includes a series of measures to equip its staff to manage risks by: raising awareness; providing appropriate knowledge and tools; and developing skills. Key measures include:
- An established governance structure and provision of strategic direction through the Governing Council and the Executive Management Committee;
- Development of a corporate risk profile;
- A CIHR Code of Conduct aligned with the Values and Ethics Code for the Public Service;
- A CIHR Financial Management Framework aligned with TB Policy Framework for Financial Management;
- Agency policies that are tailored to CIHR’s control environment;
- Regularly validated and updated delegation of financial signing authorities instrument;
- A requirement for accounting designations in key financial management positions;
- A dedicated unit under the CFO on internal control;
- Documentation of main business processes and related key risk and control points to support the effectiveness, management and oversight of its system of ICFR;
- Training programs and regular communications to employees on core areas of financial and contracting management;
- Human resources management plan and policies that support learning and succession planning;
- A risk-based internal audit plan;
- IT processing systems to achieve enhanced security, integrity, efficiency and effectiveness; and
- Annual performance agreements that include clearly articulated financial management responsibilities.
3. Assessment of CIHR’s System of ICFR
3.1 Assessment baseline
The Policy on Internal Control stipulates that CIHR be able to maintain an effective system of ICFR with the objective to provide reasonable assurance that transactions are appropriately authorized; financial records are properly maintained; assets are safeguarded; and applicable laws, regulations and policies are followed.
Since its inception, CIHR has received an unqualified audit opinion. It has been able to sustain controls-based audits by the Office of the Auditor General. As a result, CIHR did not undergo an audit readiness assessment; hence, its reliance on controls provided the baseline for CIHR to move forward in its review of the effectiveness of its ICFR.
The review includes the assessment of design and operating effectiveness of the agency’s system of ICFR, leading to its ongoing monitoring and continuous improvement.
Design effectiveness means ensuring that key control points are identified, documented and in place, that they are aligned with appropriate risks (i.e. controls are balanced with and proportionate to the risks they aim to mitigate), and that any remediation is addressed. This includes the mapping of key processes and IT systems to the main accounts.
Operating effectiveness means that the application of key controls has been tested over a defined period and that any required remediation is addressed. Such testing includes corporate or entity, general computer and business process controls.
Ongoing monitoring means that a systematic, integrated approach to monitoring is in place in support of continuous improvement, including periodic risk-based assessments and timely remediation.
CIHR also addresses control weaknesses that are raised by the Office of the Auditor General in its annual audit and through recommendations made by the Agency’s internal audit and evaluation functions.
3.2 Scope of CIHR’s assessment
At the beginning of each year, CIHR conducts a financial risk assessment of its previous year’s Financial Statements to identify the key business processes posing the highest risk to the organization and to users of the Financial Statements. CIHR identified 14 significant business processes.
For each significant business process, CIHR took the following steps:
- Gathering information pertaining to processes and locations, risks and controls relevant to ICFR, including appropriate policies and procedures;
- Mapping out key processes using narratives, flow charts and internal control matrices to identify and document key risks and control points on the basis of materiality, volumes, linkage to compliance documents, complexity, and susceptibility to loss;
- Assessing, documenting and testing the design and operating effectiveness of key controls; and
- Formally reporting and remediating the deficiencies identified.
For the fiscal year 2011–12, CIHR completed the documentation and design testing of five processes and updated the nine processes that were assessed in 2010–11. All 14 processes have been tested for operational effectiveness during the year.
CIHR’s assessments of entity-level controls and IT general controls were completed in previous fiscal years. In 2011–12, CIHR’s Internal Audit unit conducted an IT Security Audit that supplemented the work performed in the previous year.
4. CIHR’s Assessment Results
As a result of the assessment approach described above, CIHR developed a baseline architecture of the riskiest key control points by business process and main IT systems.
As at March 31, 2012, CIHR had completed the analysis and testing of the design and operating effectiveness for all key business processes identified in the financial risk assessment. The assessment results are described in the following subsections.
4.1 Design effectiveness of key controls
As a result of the assessments, CIHR identified that the following significant adjustments are required:
Approval process and segregation of duties
- Better defined process of approval for the funding of competitions and their results, i.e. at the correct points in the process;
- Strengthened controls where segregation of duties is not feasible due to limited resources; and
- Continuous close monitoring of positions for which system access rights require employees to have almost full access to the system;
- Strengthen year end capital asset reconciliations; and
- Adapt safeguarding procedures to address appropriate and timely recording of disposals of assets;
Reconciliations and documentation
- Maintain documentation of reconciliations and source data in program files; and
- Document reconciliations between workbooks, the Electronic Information System and the Financial System;
- Increase controls surrounding IT security; and
- Continuously strengthen manual controls to support the data management function where limited edit and application controls exist within the systems;
- Establish travel commitments for non-staff committee members;
- Commit funds for all transfer payment programs including partners’ funds in a timely manner; and
- Increase efficiencies over the use of interest earned from partners’ funds.
4.2 Operating effectiveness of key controls
CIHR has assessed the operating effectiveness of key controls in all 14 business processes. In doing so, it has developed a risk-based testing plan that identified key controls to be tested over a defined period of time, including the selection of the test period as well as the method and frequency of testing. In 2011–12, operating deficiencies in transfer payments, hospitality, travel, shipping and receiving, and payables at year end were noted due to inconsistencies in control process application and level of documentation requirements between various units. Remediation requirements to date have been addressed as soon as necessary adjustments were identified.
5. CIHR’s Action Plan
5.1 Progress during fiscal year 2011–12
During the 2011–12 fiscal year, CIHR continued to make significant progress in assessing and improving its key controls. CIHR completed all items in the action plan from the previous fiscal year except for engaging new personnel or modifying system access profiles to better segregate duties, which was not done due to budget constraints. However, CIHR has implemented compensating controls to mitigate these risks. Below is a summary of the main advancements made by CIHR.
- Completed the documentation and testing of design/operating effectiveness for all key business processes;
- Completed the implementation of the following design deficiency remediation plans:
  - Strengthened shipping and receiving verification procedures;
  - Fully implemented a capital asset/inventory management system for better safeguarding of assets;
  - Maintained proper documentation of the review of accounting transactions; and
  - Ensured greater consistency, accuracy and detail in the documentation of controls and procedures within grant program files.
- Fully implemented an ICFR software solution; and
- Developed a monitoring methodology.
5.2 Action plan
Building on the progress to date, CIHR will begin the transition to ongoing monitoring.
By the end of 2012–13, resources permitting, CIHR plans to:
- Address all remaining design remediation plans;
- Test the operational effectiveness of all key controls in remediation; and
- Develop a risk-based ongoing monitoring plan for key controls to ensure the continued effectiveness of the departmental system of ICFR. The plan will also cover the assessment of design and operating effectiveness related to the introduction of any significant new controls.
By the end of 2013–14, resources permitting, CIHR plans to:
- Implement a risk-based ongoing monitoring plan which would include ensuring the continued effectiveness of key controls that have been previously fully tested and remediated. This includes training to enhance the awareness and knowledge of internal controls over financial reporting and associated responsibilities across CIHR.