This document is an annex to the Department of Foreign Affairs and International Trade’s (DFAIT) Statement of Management Responsibility Including Internal Control Over Financial Reporting for the fiscal-year 2009-2010. As required by the new Treasury Board Policy on Internal Control (PIC), effective April 1st 2009, this document provides summary information on the measures taken by DFAIT to maintain an effective system of internal control over financial reporting (ICFR). In particular, it provides summary information on the assessments conducted by DFAIT as at March 31, 2010, including progress, results and related action plans along with some financial highlights pertinent to understanding the control environment unique to the Department.
It is important to note that the system of ICFR is not designed to eliminate every possible risk, rather to mitigate risk to a reasonable level with controls that are balanced with, and proportionate to, the risks they aim to mitigate. The maintenance of an effective system of ICFR is an on-going process designed to identify, assess effectiveness and adjust as required, key risks and associated key controls as well as to monitor its performance in support of continuous improvement. As a result, the scope, pace and status of those departmental assessments of the effectiveness of their system of ICFR will vary from one organization to another based on risks and taking into account their unique circumstances.
1.1 Authority, Mandate and Program Activities
The strategic direction given to the Department's mandate and role comes from the three strategic outcomes as identified in the Department’s Program Activity Architecture:
In accordance with the Department of Foreign Affairs and International Trade Act, the Department has the mandate to manage and direct Canada’s diplomatic and consular missions. This includes the supervision of the official activities of the various departments and agencies of the Government of Canada represented abroad.
1.2 Financial highlights
The financial statements (unaudited) of DFAIT for fiscal-year 2009-2010. Information can also be found in the Public Accounts of Canada.
1.3 Service arrangements relevant to financial statements
DFAIT relies on other government departments for the processing of many of the transactions that are recorded in its financial statements:
1.4 Material changes in fiscal-year 2009-2010
A significant change in the presentation of the Department’s financial statements occurred in 2009-10. For the year ended March 31, 2010 the Canada Account will no longer be reflected in DFAIT’s departmental financial statements.
During the year, the Department adopted the revised Treasury Board accounting policy TBAS 1.2 which is effective for the Department for the 2009-2010 fiscal year. The major change in the accounting policies of the Department required by the adoption of the revised TBAS 1.2 is the recording of amounts due from the Consolidated Revenue Fund as an asset on the Statement of Financial Position.
In April 2010, Gordon White replaced Bruce Hirst as the Department’s Chief Financial Officer. In June 2010, Morris Rosenberg replaced Len Edwards as the Deputy Minister of Foreign Affairs.
DFAIT recognizes the importance of setting the tone from the top to help ensure that staff at all levels understand their roles in maintaining effective systems of internal control and are well equipped to exercise these responsibilities effectively. The objective of DFAIT’s control environment is to help ensure risks are managed appropriately and to enable continuous improvement at a manageable cost.
2.1 Key Positions, Roles and Responsibilities
Deputy Head - As the Accounting Officer for DFAIT, the Deputy Minister of Foreign Affairs is the Deputy Head of the Department and assumes overall responsibility and leadership for the stewardship, management and oversight of departmental resources, as well for the measures taken to maintain an effective system of internal control. In this role, the Deputy Head chairs the Executive Council.
Deputy Minister of International Trade and Associate Deputy Minister of Foreign Affairs in accordance with section 8.1 of the Department of Foreign Affairs and International Trade Act “…exercise and perform such powers, duties and functions as deputies of the Minister and otherwise as the Minister may specify”.
Chief Financial Officer - DFAIT’s CFO reports directly to the Deputy Head and provides leadership for the coordination, coherence and focus on the design and maintenance of an effective and integrated system of ICFR, including its annual assessment. The CFO is part of the Executive Council, providing functional leadership and a focus on financial management.
Senior Departmental Managers – DFAIT’s senior departmental managers in charge of program delivery are responsible for maintaining and reviewing the effectiveness of the system of ICFR falling within their mandate.
Heads of Mission (HOMs) - DFAIT’s Heads of Mission are responsible for the management and direction of his/her mission’s activities including maintaining and reviewing the effectiveness of the system of ICFR falling within their area of accreditation.
Chief Audit Executive (CAE) - DFAIT’s CAE reports directly to the Deputy Head and provides assurance through periodic internal audits which are instrumental to the maintenance of an effective system of ICFR.
Departmental Audit Committee (DAC) - The DAC is an advisory committee that provides objective views on the Department’s risk management, control and accountability processes. It is comprised of 4 external members, including the Chair. As stated in the Policy on Internal Control, the DAC will be engaged, as applicable, on the Department’s risk-based assessment plans and associated results related to the effectiveness of the departmental system of internal control over financial reporting.
Executive Council – reviews and approves the recommendations of all Committees and Boards, but specifically those that have an impact on the financial management of the Department.
2.2 Key Organization-Wide Controls in DFAIT
DFAIT’s control environment also includes a series of measures to equip its staff to manage risks well through raising awareness, providing appropriate knowledge and tools as well as developing skills.
Key measures include:
3.1 Assessment baseline
In 2004, the Government of Canada commenced an initiative to determine the ability of departments to sustain control-based audits of their financial statements, thus placing reliance on well functioning internal controls. As a result, in 2007, DFAIT underwent an audit readiness assessment conducted by an independent external consulting firm. The assessment provided the baseline for DFAIT to move forward in both preparing for a controls-reliant audit of its financial statements, and to meet the requirements of the Policy on Internal Control, in its first year of implementation.
Whether it is to support control-based audits, or meet the requirements of the Policy on Internal Control, in both cases, departments need be able to maintain an effective system of ICFR with the objectives to provide reasonable assurance that transactions are: a) appropriately authorized, b) financial records are properly maintained, c) assets are safeguarded, and d) applicable laws, regulations and policies are complied with.
Going forward, DFAIT will assess the design effectiveness and the operating effectiveness of its system of ICFR and ultimately will need to have in place an on-going monitoring program to sustain and continuously improve the departmental system of ICFR.
Design effectiveness means to ensure that key control points are identified, documented, in place and that they are aligned with the risks they aim to mitigate and that any remediation is addressed. This includes the mapping of key processes and IT systems to the main accounts by location, as applicable.
Operating effectiveness means that key controls have been tested over a defined period and that any remediation is addressed.
On-going monitoring program means that a systematic integrated approach to monitoring is in place, including periodic risk-based assessments and timely remediation.
3.2 Scope and approach to DFAIT's assessment
In proceeding with its preparations for a controls-based audit, DFAIT has taken measures to assess its system of ICFR starting with its financial statements and a study of material accounts. The methodology used to perform the readiness assessment was designed to identify key improvement areas in the system of internal control over financial reporting and to develop an action plan to prepare the Department for an audit of its financial statements performed under Canadian generally accepted auditing standards. The readiness assessment focused on significant classes of transactions, account balances and disclosures, and the business processes that support them. Significance was assessed relative to the qualitative and quantitative measures of materiality specified by departmental management.
All “in-scope” accounts and locations identified were linked to the related financial processes that generate the financial account information. The results of this exercise were to identify the following key priority areas of DFAIT’s system of ICFR that need to be addressed in order for DFAIT to sustain a control-based audit:
Business process elements
The completion of these priority areas will also contribute to meeting the requirements of the PIC.
In 2010, DFAIT documented its entity level controls and IT general controls (IT infrastructure), which form the foundation of its system of ICFR. A PIC implementation plan is being developed by DFAIT, which will include, as one element, the documentation of key risk and control points for significant business processes.
DFAIT has completed tests of the design of the IT general controls. The PIC implementation plan will include design tests of entity-level controls and the identification of key process controls, as well as tests of the operating effectiveness of those key controls.
As the result of the assessment approach described above, DFAIT developed an inventory of all key IT general control points by main IT system, and an understanding of entity-level controls.
As at year end 2009-10, DFAIT completed all testing of design effectiveness related to the IT general controls for the Department’s key information systems. The Department has also documented its key Entity Level Controls.
4.1 Design effectiveness of key controls
DFAIT’s key business processes have been developed to ensure appropriate internal controls are in place. These controls provide assurance that the financial information is complete, reliable, relevant, timely, and that all authorities and regulations are respected, in particular, Sections 33 and 34 of the Financial Administration Act (FAA). DFAIT’s PIC implementation plan will include tests of the design effectiveness of entity-level controls, as well as key process controls in 2010-11 and 2011-12.
As part of the Department’s audit readiness preparations, high-level design effectiveness matters were considered for process controls. Based upon this, DFAIT identified the following significant adjustments required:
Data reconciliation and integrity:
Monitoring and quality assurance of financial statement preparation:
When completing IT General Controls design effectiveness testing, DFAIT completed all documentation (including its validation by process owners) and verified whether the general computer controls are in place and correspond to actual practices. Design effectiveness also included ensuring appropriate alignment of each key control with risks. Based upon this, it was identified that the following significant adjustments were required: strengthen controls related to change management procedures, security settings at various technology layers, access controls, segregation of duties between the development and production environments, and backup and recovery procedures.
4.2 Operating effectiveness of key controls
DFAIT has not yet commenced testing of the operating effectiveness of key controls, however there are compensating controls in place which provide a level of assurance that controls are effective. These compensating controls include:
More extensive tests of the operating effectiveness of IT general controls, and process controls will be required for DFAIT to meet the requirements of the PIC. Once tests of the design effectiveness of key process controls have been completed by the Department, tests of operating effectiveness will need to be linked to specific key controls by business process.
5.1 Progress as of March 2010
DFAIT has completed work to address the following necessary adjustments:
DFAIT has substantially advanced work to address the following necessary adjustments:
DFAIT has commenced or partially completed work to address the following necessary adjustments:
5.2 Action plan
To March 31, 2010, DFAIT has focused on the core elements of the Department’s system of internal control over financial reporting – entity level controls, and information technology general controls.
Entity level controls are the foundation for the Department’s control environment. Fundamental weaknesses in entity level controls will significantly reduce the effectiveness of information technology controls, and key process controls.
Information technology general controls help ensure that the IT systems of the Department are operating effectively and as intended. Most importantly, they provide comfort concerning the integrity of the data within the information systems, and system reports.
Moving forward, the Department’s action plan is focused on the documentation and assessment of key control procedures. Key control procedures are built upon the entity level and IT general controls, and help ensure that the objectives of a process are being met.
By end of 2010-11, DFAIT plans to:
By end of 2011-12 DFAIT plans to: