Annex to the Statement of Management Responsibility Including Internal Control over Financial Reporting for 2009-2010

Summary of the assessment of effectiveness of the system of internal control over financial reporting and the action plan of the Canadian International Development Agency for fiscal year 2009-2010

Note to the reader

With the new Treasury Board Policy on Internal Control, effective April 1, 2009, departments are now required to demonstrate the measures they are taking to maintain an effective system of internal control over financial reporting (ICFR).

As part of this policy, departments are expected to conduct annual assessments of their system of ICFR, establish an action plan to address any necessary adjustments, and attach to their Statements of Management Responsibility a summary of their assessment results and action plan.

Effective systems of ICFR aim to achieve reliable financial statements and to provide assurance that:

  • Transactions are appropriately authorized;
  • Financial records are properly maintained;
  • Assets are safeguarded from risks such as waste, abuse, loss, fraud and mismanagement; and
  • Applicable laws, regulations and policies are complied with.

It is important to note that the system of ICFR is not designed to eliminate all risks, but rather to mitigate risk to a reasonable level with controls that are balanced with and proportionate to the risks they aim to mitigate.

The maintenance of an effective system of ICFR is an ongoing process designed to identify, assess and adjust as required key risks and associated key controls, as well as to monitor its performance in support of continuous improvement. As a result, the scope, pace and status of those departmental assessments of the effectiveness of their system of ICFR will vary from one organization to the other based on risks and taking into account their unique circumstances.

In summary, the system of ICFR is designed to mitigate risks to a reasonable level based on an on-going process to identify key risks, to assess effectiveness of associated key controls, and to make any necessary adjustments.

1. Introduction

This document is attached to the Canadian International Development Agency (CIDA)'s Statement of Management Responsibility Including Internal Control Over Financial Reporting for fiscal year 2009-2010. As required by the new Treasury Board Policy on Internal Control, effective April 1st 2009, for the first time, this document provides summary information on the measures taken by CIDA to maintain an effective system of internal control over financial reporting (ICFR). In particular, it provides summary information on the assessments conducted by CIDA as at March 31, 2010, including progress, results and related action plans along with some financial highlights pertinent to understanding the control environment unique to the Agency.

1.1 Authority, Mandate and Program Activities

Detailed information on CIDA's authority, mandate and program activities can be found in the Agency's latest Departmental Performance Report, and in its latest Report on Plans and Priorities.

1.2 Financial highlights

See the financial statements (unaudited) of the Canadian International Development Agency for the last fiscal year. Financial information that is relevant to CIDA can also be found in the latest Public Accounts of Canada. For the 2009-2010 fiscal year, here are the financial highlights:

  • CIDA's total expenses were $3.909 billion. Transfer payments comprised the majority (89 percent or $3.474 billion), followed by salaries and employee benefits (5 percent or $196 million for 1,891 employees).
  • CIDA's total revenues were $189 million, largely from gains stemming from the re-evaluation of liabilities denominated in foreign currency at year-end.
  • CIDA's prepaid expenses equalled $182 million at March 31 while its outstanding loans to developing countries and international financial institutions amounted to $137 million; they respectively comprised 43 percent and 33 percent of departmental total assets ($421 million). Cumulative investments and advances to international financial institutions were also very significant at $6.150 billion, but their net realizable value was reduced to zero since CIDA does not anticipate recovering these investments and advances in the future.
  • CIDA's accounts payable and accrued liabilities amounted to $865 million at March 31 and comprised 79 percent of the Agency's total liabilities ($1.092 billion).
  • Although it will be decentralizing its operations much further over the next years, CIDA currently holds a limited presence in various countries that benefit from its development programs. In 2009-2010, expenses incurred directly in the field only represented approximately 2 percent ($94 million) of the Agency's total expenses. Field expenses are initiated and approved by CIDA staff that is located at foreign missions, while the related payments are processed and recorded by the Department of Foreign Affairs and International Trade (DFAIT) financial and administrative staff. Field expense details are transferred regularly from the DFAIT financial system to CIDA's own financial and accounting system.
  • The Agency uses a stand-alone financial and accounting system based on the SAP application. It is critical to its operations and financial reporting capabilities.

1.3 Service arrangements relevant to financial statements

The Agency relies on other organizations for the processing of certain transactions that are recorded in its financial statements:

  • Public Works and Government Services Canada (PWGSC) centrally administers the payments of salaries and the procurement of goods and services.
  • Treasury Board Secretariat provides the Agency with information used to calculate various accruals and allowances, such as the accrued employee severance benefits.
  • DFAIT provides payment processing, accounting and banking services to all CIDA offices that are located within the Canadian High Commissions or Embassies abroad. DFAIT also prepares periodic financial reports for CIDA staff detailing the Agency's expenses that were incurred directly in the field.

1.4 Material changes in fiscal-year 2009-2010

Apart from a change in Chief Financial Officers (CFO), no significant departmental changes that are relevant to the Agency's financial management context and/or financial statements occurred in 2009-2010.

The CFO position was occupied by the following individuals over the course of the year:

  • Mrs. Christine Walker, from April 1 to October 30, 2009;
  • Mr. Jim Quinn, from January 12 to March 31, 2010.

2. The Agency's control environment relevant to ICFR

CIDA management recognizes the importance of setting the tone from the top to help ensure that staff at all levels understand their roles in maintaining effective systems of ICFR and are equipped to exercise these responsibilities effectively. The Agency's focus is to ensure risks are managed well through a responsive and risk-based control environment that enables continuous improvement and innovation.

2.1 Key positions, roles and responsibilities

Below are CIDA's key positions and committees with responsibilities for maintaining and reviewing the effectiveness of its system of ICFR.

President — The Agency's President, as Accounting Officer, assumes overall responsibility and leadership for the measures taken to maintain an effective system of internal control. In this role, the President relies on the recommendations received from the Departmental Audit Committee and the advice provided by other members of the Management Board.

Chief Financial Officer (CFO) — The Agency's CFO reports directly to the President and provides leadership for the coordination, coherence and focus on the design and maintenance of an effective and integrated system of ICFR, including its annual assessment.

Senior Managers — CIDA's senior managers in charge of program delivery or corporate branches are also responsible for maintaining and reviewing effectiveness of the portions of the system of ICFR falling within their mandate.

Chief Audit Executive (CAE) — The Agency's CAE reports directly to the President and provides assurance through periodic internal audits, which are instrumental to the maintenance of an effective system of ICFR.

Departmental Audit Committee (DAC) — The DAC is an advisory committee that provides objective views on the Agency's risk management, control and governance frameworks. It is comprised of four external members and four internal members, and was re-established in 2009 to comply with all provisions of the Treasury Board Policy on Internal Audit. As such, it reviews the Agency's Corporate Risk Profile and its system of internal control, including the annual assessment and action plans relating to the system of ICFR.

Management Board — As the Agency's central decision-making body, the Management Board reviews, approves and monitors the Corporate Risk Profile and the departmental system of internal control, including the annual assessment and action plans relating to the system of ICFR.

2.2 Key measures taken by CIDA

CIDA's control environment also includes a series of measures to equip its staff to manage risks well through raising awareness, providing appropriate knowledge and tools as well as developing skills. Examples of key measures include:

  • The presence of a Champion of Values and Ethics within CIDA;
  • The implementation of an "Excellence in People Management Action Plan";
  • A section under the CFO branch that is dedicated to internal control;
  • A training program and regular communications to staff in core areas of financial management;
  • The integration of all financial officers and the majority of contracting officers under the CFO's leadership;
  • Departmental policies tailored to the Agency's business and control environment;
  • The documentation of main business processes and of the related key risks and control points to support the management and oversight of its system of ICFR;
  • The constant review of IT processing systems to achieve greater security, data integrity, efficiency and effectiveness.

3. Assessment of CIDA's system of internal control over financial reporting

3.1 Assessment baseline

In 2004, the Government of Canada commenced an initiative to determine the ability of departments to sustain controls-based audits of their financial statements, thus placing reliance on well functioning internal controls. As a result, in 2006, the largest departments (including CIDA) began formalizing their approach to managing their systems of ICFR, by performing readiness assessments and preparing action plans.

Whether it is to support controls-based financial statement audits or the requirements of the Policy on Internal Control, an effective departmental system of ICFR must be in place with the objectives to provide reasonable assurance that:

  • Transactions are appropriately authorized;
  • Financial records are properly maintained;
  • Assets are safeguarded; and
  • Applicable laws, regulations and policies are complied with.

Over time, this includes an initial assessment of the design and operating effectiveness of the system of ICFR, which then leads to the implementation of on-going monitoring and continuous improvement of this system.

A design effectiveness assessment means to ensure that key control points are identified, documented, in place and that they are balanced with and proportionate to the risks they aim to mitigate, that any weaknesses are identified and that any necessary remediation is addressed. This includes the mapping of key IT systems and sub-processes to the main financial records or accounts, by location as applicable.

An operating effectiveness assessment means that the application of key controls has been tested over a defined period, that any weaknesses are identified and that any necessary remediation is addressed.

Such testing covers all levels of departmental control, which include entity (corporate) level controls, IT general controls and business process controls.

3.2 Assessment method at CIDA

In proceeding with its preparation for controls-based financial statement audits, the Agency has initiated measures to assess its system of ICFR. It used its annual financial statements as a starting point to identify the following main accounts or business processes that require enhanced financial controls documentation:

  • Transfer payments expenses, including the directive and responsive contributions approaches, multilateral grants approach, and program-based approach;
  • Salaries and benefits expenses;
  • Professional services expenses;
  • Expenses incurred directly in the field (i.e. local costs);
  • Investments and advances to International Financial Institutions (IFIs);
  • Loans to developing countries and IFIs;
  • Canada Investment Fund for Africa;
  • Prepaid expenses;
  • General accounts payable and accrued liabilities;
  • Accrued liability for matching funds programs;
  • Accrued employee severance benefits;
  • Gains and losses on foreign exchange;
  • Contractual obligations;
  • Contingent liabilities;
  • Events subsequent to year-end;
  • Year-end closing and financial statement preparation;
  • Adjusting journal entries;
  • Interdepartmental settlements.

For each of these main accounts or business processes, and over a period of three years, the Agency will prepare system descriptions, financial control matrices, and test the design effectiveness as well as the operating effectiveness of the key financial controls that are embedded within them, identify any control weaknesses and take appropriate corrective actions.

At March 31, 2010, CIDA had already documented and assessed its entity (corporate) level controls and IT general controls (IT infrastructure). The Agency had also completed a pilot project on the documentation of financial controls that are embedded within a few specific transfer payment processes. This pilot project comprised the following steps:

  • gathering information pertaining to the transfer payment processes, to risks and controls relevant to ICFR on transfer payments, including appropriate policies, procedures and recent internal audit results;
  • mapping out the transfer payment processes with the identification and documentation of key risk and control points;
  • performing the design effectiveness testing of the transfer payment processes, and remediating the control weaknesses found.

As well, at March 31, 2010, CIDA had undertaken to gather information and prepare the system descriptions of the business processes pertaining to investments and advances to IFIs and the Canada Investment Fund for Africa.

Lastly, financial controls assessments of the operations carried out by two foreign CIDA offices were completed before March 31, 2010. They aimed to provide an enhanced knowledge and understanding of the financial controls that are embedded within CIDA's field expenditures business process, to test their design effectiveness and to gain assurance on the operating effectiveness of the key financial controls, as well as to identify any control weaknesses and recommend appropriate corrective actions.

4. CIDA's assessment results

Based on the assessment approach described above, CIDA is developing a baseline architecture of all key control points by main account and/or business process.

Apart from the assessment of entity (corporate) level controls and IT general controls as well as the financial controls assessments performed at two CIDA foreign offices in 2009-2010 that covered both design and operating effectiveness, the Agency has entirely focused on design effectiveness in assessing its key controls for now, which is the prerequisite to testing their operating effectiveness.

4.1 Design effectiveness of key controls

In order to perform design effectiveness testing of the business processes that were assessed before March 31, 2010, the Agency completed all documentation of the processes (including their validation by process owners) and verified whether the entity, general computer and business process controls were in place and corresponded to actual practice. Remediation requirements were addressed shortly after the necessary adjustments had been identified. Design effectiveness testing also included ensuring the appropriate alignment of key controls with the risks they aim to mitigate.

Entity-level controls

When assessed, the entity (corporate) level controls were judged satisfactory, in the sense that they would not preclude an auditor from issuing an unqualified audit opinion on CIDA's financial statements. A few improvement opportunities were nonetheless identified and implemented in the following areas: the addition of external members to the Audit Committee, the formalization of the employees' engagement to adhere to the Values and Ethics Code for the Public Service, and the development of guidelines and tools to facilitate results-based management.

IT general controls

The assessment of IT general controls concluded that weaknesses existed in the IT environment, and it has allowed CIDA to take appropriate remedial actions to address these weaknesses. More specifically, necessary improvements were identified in the following areas:

  • Improved documentation pertaining to IT security, to application development and maintenance (i.e. program change management process), to IT operations, to database, software and network support, as well as to third-party service providers;
  • A formal monitoring of IT control activities performed by third-party service providers;
  • The development of an information security policy, deactivation of the system accounts conferring access to all functionalities of the financial system, and a more rigorous follow-up on actual access to the system;
  • A need for greater audit trails relative to various IT controls, such as control sheets that support the review of system information access logs.

Business process controls

In 2007-2008, an initial assessment of the business process controls documentation concluded that for most of CIDA's significant business processes, improvements were required to the documentation in order to provide an enhanced focus on the links between control activities and their underlying objectives. This would enable external auditors to perform more efficient potential audits of the Agency's financial statements. Thus, while planning for the preparation of more complete business process descriptions, CIDA developed templates that emphasize the links between control objectives and the control activities exercised to meet them.

In particular, a complex government-wide issue exists regarding the relevance of the actuarial data used to calculate the employee severance benefits accrual that is disclosed in every department's financial statements. Over the coming years, CIDA will continue to work with Treasury Board Secretariat in order to obtain an appropriate level of assurance on the relevance of this actuarial data.

In 2008-2009, when CIDA conducted a pilot project on the documentation of financial controls that are embedded within a few specific transfer payment processes, the following design improvement opportunities were identified:

  • a better documentation of the authorization of grants and contributions projects' budget reallocations between fiscal years;
  • an improved monitoring of the relevancy of the vendor master file information;
  • the inclusion of audit trails to show evidence of the review of certain financial documents by competent management;
  • modifications to several financial system user profiles in order to ensure a proper segregation of duties within these profiles.

All of the suggested improvements were implemented by Agency staff with regard to these specific transfer payment processes.

In 2009-2010, when CIDA piloted financial controls assessments of two of its foreign offices, expenditure business process design improvements were found in the following areas:

  • a better documentation and sequencing of account validation procedures performed to support expenditure approvals;
  • a better documentation of spot checks performed on payment documents before issuing the payments;
  • an enhanced segregation of incompatible functions within certain financial system user profiles.

Both foreign offices will be implementing the necessary improvements in these areas over the next year.

4.2 Operating effectiveness of key controls

Design effectiveness testing remains a prerequisite to the operating effectiveness testing of the key financial controls that are integrated into any business process. Also, whenever possible, operating effectiveness testing of controls is more efficient if performed for several business processes at the same time, as some of the key controls (for example, payment issuance controls) are common to all processes.

In 2009-2010, the Agency commenced its assessment of the operating effectiveness of key financial controls by testing the ones that are embedded within the expenditures business process of the two foreign CIDA offices that were assessed. When completing operating effectiveness testing, the Agency ensured that key controls were functioning well over a 12-month period or a specified period of time during the fiscal year based on risks. Improvement opportunities with regard to the operating effectiveness of key financial controls were found in two areas: pre-payment account validations, and expenditure data reconciliations between field and CIDA headquarters reports. The necessary remediation measures are currently being implemented by both offices.

5. CIDA's action plan

5.1 Progress as of March 31, 2010

During 2009-2010, CIDA has continued to make solid progress in assessing and improving its key controls. Below is a summary of the main progress made by the Agency.

CIDA has completed work to address the following necessary adjustments:

  • Completion of the documentation pertaining to IT security, to computer application development and maintenance (i.e. program change management process), to IT operations, to database, software and network support, as well as to IT controls exercised by third-party service providers;
  • Deactivation of the financial system user accounts conferring access to all functionalities;
  • Increase of audit trails demonstrating the exercise of certain key IT controls or the review of financial documents;
  • Development of business process description templates that emphasize the links between control objectives and the control activities exercised to meet them;
  • Enhanced monitoring of the relevancy of the vendor master file information.

CIDA has substantially completed work to address the following necessary adjustments:

  • Development of a formal information security policy;
  • Regular follow-ups on information system access logs.

CIDA has commenced or partially completed work to address the following necessary adjustments:

  • Modifications to several financial system user profiles in order to ensure a proper and full segregation of duties within these profiles;
  • Formal monitoring of IT control activities performed by third-party service providers;
  • In field operations, better sequencing and documentation of account validation procedures performed to support expenditure approvals;
  • In field operations, better documentation of the spot checks applied to payment documents before issuing the payments.

5.2 Action plan for the next fiscal year and future years

Whether it is to support potential controls-based audits of their financial statements or meet the requirements of the Policy on Internal Control, departments need to be able to maintain an effective system of ICFR with the objectives to provide reasonable assurance that: a) transactions are appropriately authorized, b) financial records are properly maintained, c) assets are safeguarded and d) applicable laws, regulations and policies are complied with.

Building on progress to date, the Agency is positioned to complete the assessment of its system of ICFR in 2012-2013. As of March 31, 2010, the financial controls design effectiveness testing phase had been undertaken with regard to significant business processes, while very little testing of the operating effectiveness of key controls had been performed.

By the end of 2010-2011, CIDA plans to:

  • Have completed the documentation of all of its remaining main accounts or significant business processes, encompassing full system descriptions, financial control matrices and design effectiveness testing of the processes;
  • Have begun testing the operating effectiveness of key controls that are embedded within significant business processes to ensure they are working effectively and constantly over time; and
  • Have performed additional financial controls assessments of CIDA foreign offices, in support of the increased decentralization of Agency operations.

By the end of 2011-2012, CIDA plans to:

  • Have completed the initial operating effectiveness testing of the key controls that are embedded within significant business processes to ensure they are working effectively and constantly over time.

By the end of 2012-2013, CIDA plans to:

  • Have in place an on-going monitoring program of the effectiveness of the departmental system of ICFR. This program will support the development of a risk-based design and operating effectiveness testing plan that identifies key controls to be tested over a defined period of time, including the selection of locations, the test-period as well as the method and frequency of testing. The program will also incorporate training and communications to enhance the awareness and knowledge of internal controls over financial reporting and of the associated responsibilities across the Agency.