Foreign Affairs and International Trade Canada

international.gc.ca

Common menu bar

• Français
• Home
• Contact Us
• Help
• Search
• canada.gc.ca

Breadcrumb

1. Home
2. >
3. About the Department
4. >
5. Accountability

Annex to the Statement of Management Responsibility Including Internal Control over Financial Reporting Fiscal Year 2009-10

1. Introduction
2. Highlights of fiscal quarter and fiscal year to date (YTD) results
3. Risks and Uncertainties
4. Significant changes in relation to operations, personnel and programs
5. Approval by Senior Officials

1. Introduction

This document is an annex to the Department of Foreign Affairs and International Trade’s (DFAIT) Statement of Management Responsibility Including Internal Control Over Financial Reporting for the fiscal-year 2009-2010. As required by the new Treasury Board Policy on Internal Control (PIC), effective April 1^st 2009, this document provides summary information on the measures taken by DFAIT to maintain an effective system of internal control over financial reporting (ICFR). In particular, it provides summary information on the assessments conducted by DFAIT as at March 31, 2010, including progress, results and related action plans along with some financial highlights pertinent to understanding the control environment unique to the Department.

It is important to note that the system of ICFR is not designed to eliminate every possible risk, rather to mitigate risk to a reasonable level with controls that are balanced with, and proportionate to, the risks they aim to mitigate. The maintenance of an effective system of ICFR is an on-going process designed to identify, assess effectiveness and adjust as required, key risks and associated key controls as well as to monitor its performance in support of continuous improvement. As a result, the scope, pace and status of those departmental assessments of the effectiveness of their system of ICFR will vary from one organization to another based on risks and taking into account their unique circumstances.

1.1 Authority, Mandate and Program Activities

The strategic direction given to the Department's mandate and role comes from the three strategic outcomes as identified in the Department’s Program Activity Architecture:

• Canada’s International Agenda: The international agenda is shaped to Canada’s benefit and advantage in accordance with Canadian interests and values;

• International Services for Canadians: Canadians are satisfied with commercial, consular and passport services; and
• Canada’s International Platform: The Department of Foreign Affairs and International Trade maintains a mission network of infrastructure and services to enable the Government of Canada to achieve its international priorities.

In accordance with the Department of Foreign Affairs and International Trade Act, the Department has the mandate to manage and direct Canada’s diplomatic and consular missions.  This includes the supervision of the official activities of the various departments and agencies of the Government of Canada represented abroad.

Detailed information on DFAIT’s authority, mandate and program activities can be found in the Departmental Performance Report and the Report on Plans and Priorities.

1.2 Financial highlights

The financial statements (unaudited) of DFAIT for fiscal-year 2009-2010. Information can also be found in the Public Accounts of Canada.

• Total expenses were $2.9B. Salaries and wages comprise the majority (38% or $1.1B) followed by transfer payments (29% or $836M).
• Total revenues were $458M, related primarily to the sale of goods and services (99%, or $455M).
• Tangible capital assets represent 79% of departmental total assets ($1.2B).  Accounts payable and accrued liabilities comprise over 60% of total liabilities ($453M).
• DFAIT’s operations are conducted at the National Headquarters in the National Capital Region,  in 18 offices across Canada and in more than 170 missions abroad. Support at missions abroad represent 27% of the Department’s operating expenses. Financial reporting and financial operations (domestic and international) are centralized under the Corporate Accounting, Finance, Policy and Financial Systems Bureau in the National Capital Region. 
• DFAIT utilizes IMS, a SAP-based software, as its primary financial system, with feeder systems providing source information to IMS.
• Passport Canada is a separate operating agency whose financial results are consolidated in the Department’s financial statements.  Passport Canada’s financial statements are audited by an independent external auditor.

1.3   Service arrangements relevant to financial statements

DFAIT relies on other government departments for the processing of many of the transactions that are recorded in its financial statements:

• PWGSC centrally administers the payment of Canada based salaries and the procurement of goods and services as well as the provision of accomodations in Canada.
• Treasury Board Secretariat provides the Department with information used to calculate various accruals and allowances, such as the accrued severance liability for Canada based staff.
• The Department has a number of memorandums of understanding (MOUs) with partner departments for the administration of programs delivered abroad. DFAIT also has the mandate to manage the procurement of goods, services and real property at missions abroad, and pay the salary of locally engaged staff abroad that deliver DFAIT and partner programs.

1.4 Material changes in fiscal-year 2009-2010

A significant change in the presentation of the Department’s financial statements occurred in 2009-10. For the year ended March 31, 2010 the Canada Account will no longer be reflected in DFAIT’s departmental financial statements.

During the year, the Department adopted the revised Treasury Board accounting policy TBAS 1.2 which is effective for the Department for the 2009-2010 fiscal year. The major change in the accounting policies of the Department required by the adoption of the revised TBAS 1.2 is the recording of amounts due from the Consolidated Revenue Fund as an asset on the Statement of Financial Position.

In April 2010, Gordon White replaced Bruce Hirst as the Department’s Chief Financial Officer. In June 2010, Morris Rosenberg replaced Len Edwards as the Deputy Minister of Foreign Affairs.

2. DFAIT's control environment relevant to ICFR

DFAIT recognizes the importance of setting the tone from the top to help ensure that staff at all levels understand their roles in maintaining effective systems of internal control and are well equipped to exercise these responsibilities effectively. The objective of DFAIT’s control environment is to help ensure risks are managed appropriately and to enable continuous improvement at a manageable cost.

2.1 Key Positions, Roles and Responsibilities

Deputy Head - As the Accounting Officer for DFAIT, the Deputy Minister of Foreign Affairs is the Deputy Head of the Department and assumes overall responsibility and leadership for the stewardship, management and oversight of departmental resources, as well for the measures taken to maintain an effective system of internal control.  In this role, the Deputy Head chairs the Executive Council.

Deputy Minister of International Trade and Associate Deputy Minister of Foreign Affairs in accordance with section 8.1 of the Department of Foreign Affairs and International Trade Act “…exercise and perform such powers, duties and functions as deputies of the Minister and otherwise as the Minister may specify”.

Chief Financial Officer - DFAIT’s CFO reports directly to the Deputy Head and provides leadership for the coordination, coherence and focus on the design and maintenance of an effective and integrated system of ICFR, including its annual assessment. The CFO is part of the Executive Council, providing functional leadership and a focus on financial management.

Senior Departmental Managers – DFAIT’s senior departmental managers in charge of program delivery are responsible for maintaining and reviewing the effectiveness of the system of ICFR falling within their mandate.

Heads of Mission (HOMs) -  DFAIT’s Heads of Mission are responsible for the management and direction of his/her mission’s activities including maintaining and reviewing the effectiveness of the system of ICFR falling within their area of accreditation.

Chief Audit Executive (CAE) - DFAIT’s CAE reports directly to the Deputy Head and provides assurance through periodic internal audits which are instrumental to the maintenance of an effective system of ICFR.

Departmental Audit Committee (DAC) - The DAC is an advisory committee that provides objective views on the Department’s risk management, control and accountability processes. It is comprised of 4 external members, including the Chair. As stated in the Policy on Internal Control, the DAC will be engaged, as applicable, on the Department’s risk-based assessment plans and associated results related to the effectiveness of the departmental system of internal control over financial reporting.

Executive Council – reviews and approves the recommendations of all Committees and Boards, but specifically those that have an impact on the financial management of the Department.

2.2 Key Organization-Wide Controls in DFAIT

DFAIT’s control environment also includes a series of measures to equip its staff to manage risks well through raising awareness, providing appropriate knowledge and tools as well as developing skills.

Key measures include:

• Resource Management Committee, Transformation Management Committee, Missions Board,  Core Services Board, and Committees on Mission Management;
• A Values and Ethics Division led by the Inspector General, and reporting directly to the Deputy Head;
• DFAIT’s Conduct Abroad Code and the Public Service Values and Ethics Code;
• Regularly updated delegated authorities matrix;
• Preparation of a Corporate Risk Profile which helps the Department establish a direction for managing corporate risks by presenting a snapshot of DFAIT’s risk status;
• A requirement for accounting designations in key financial management positions;
• Training program and communications in core areas of financial management;
• Departmental policies tailored to DFAIT’s control environment;
• A dedicated Quality Control and Monitoring function for the Department’s financial reporting;
• IT processing systems to achieve greater security, integrity, efficiency and effectiveness;
• A risk-based internal audit plan, with annual coverage of governance and risk management; and
• Mission inspections performed annually by the Office of the Inspector General.

3. Assessment of DFAIT's system of ICFR

3.1   Assessment baseline

In 2004, the Government of Canada commenced an initiative to determine the ability of departments to sustain control-based audits of their financial statements, thus placing reliance on well functioning internal controls. As a result, in 2007, DFAIT underwent an audit readiness assessment conducted by an independent external consulting firm. The assessment provided the baseline for DFAIT to move forward in both preparing for a controls-reliant audit of its financial statements, and to meet the requirements of the Policy on Internal Control, in its first year of implementation.

Whether it is to support control-based audits, or meet the requirements of the Policy on Internal Control, in both cases, departments need be able to maintain an effective system of ICFR with the objectives to provide reasonable assurance that transactions are: a) appropriately authorized, b) financial records are properly maintained, c) assets are safeguarded, and d) applicable laws, regulations and policies are complied with.

Going forward, DFAIT will assess the design effectiveness and the operating effectiveness of its system of ICFR and ultimately will need to have in place an on-going monitoring program to sustain and continuously improve the departmental system of ICFR.

Design effectiveness means to ensure that key control points are identified, documented, in place and that they are aligned with the risks they aim to mitigate and that any remediation is addressed. This includes the mapping of key processes and IT systems to the main accounts by location, as applicable.

Operating effectiveness means that key controls have been tested over a defined period and that any remediation is addressed.

On-going monitoring program means that a systematic integrated approach to monitoring is in place, including periodic risk-based assessments and timely remediation.

3.2 Scope and approach to DFAIT's assessment

In proceeding with its preparations for a controls-based audit, DFAIT has taken measures to assess its system of ICFR starting with its financial statements and a study of material accounts. The methodology used to perform the readiness assessment was designed to identify key improvement areas in the system of internal control over financial reporting and to develop an action plan to prepare the Department for an audit of its financial statements performed under Canadian generally accepted auditing standards. The readiness assessment focused on significant classes of transactions, account balances and disclosures, and the business processes that support them. Significance was assessed relative to the qualitative and quantitative measures of materiality specified by departmental management.

All “in-scope” accounts and locations identified were linked to the related financial processes that generate the financial account information.  The results of this exercise were to identify the following key priority areas of DFAIT’s system of ICFR that need to be addressed in order for DFAIT to sustain a control-based audit:

Foundational elements:

• Entity level controls
• Information technology (IT) general controls

Business process elements

• Financial reporting (National Headquarters)
• Capital assets and asset management  (National Headquarters & Missions)
• Payroll  (National Headquarters & Missions)
• Procurement (National Headquarters & Missions)
• Revenues (National Headquarters & Missions)
• Grants and contributions (National Headquarters)

The completion of these priority areas will also contribute to meeting the requirements of the PIC.

In 2010, DFAIT documented its entity level controls and IT general controls (IT infrastructure), which form the foundation of its system of ICFR. A PIC implementation plan is being developed by DFAIT, which will include, as one element, the documentation of key risk and control points for significant business processes.

DFAIT has completed tests of the design of the IT general controls. The PIC implementation plan will include design tests of entity-level controls and the identification of key process controls, as well as tests of the operating effectiveness of those key controls.

4. DFAIT’s Assessment Results

As the result of the assessment approach described above, DFAIT developed an inventory of all key IT general control points by main IT system, and an understanding of entity-level controls.

As at year end 2009-10, DFAIT completed all testing of design effectiveness related to the IT general controls for the Department’s key information systems. The Department has also documented its key Entity Level Controls.

4.1   Design effectiveness of key controls

DFAIT’s key business processes have been developed to ensure appropriate internal controls are in place.  These controls provide assurance that the financial information is complete, reliable, relevant, timely, and that all authorities and regulations are respected, in particular, Sections 33 and 34 of the Financial Administration Act (FAA).  DFAIT’s PIC implementation plan will include tests of the design effectiveness of entity-level controls, as well as key process controls in 2010-11 and 2011-12.

As part of the Department’s audit readiness preparations, high-level design effectiveness matters were considered for process controls. Based upon this, DFAIT identified the following significant adjustments required:

Documentation:

• greater consistency in the quality, reliability and availability of documentation of controls and procedures.
• further documentation in some areas, including the rationale for requiring specific accounting treatments under the departmental Accounting for Capital Assets Policy.

Data reconciliation and integrity:

• greater consistency of reconciliations and source data;
• strengthened consistency of vendors listed in the Department’s vendor master file, to facilitate the generation of control reports which form part of the Department’s ICFR related to purchases and payables;
• improved verification of the existence of individual capital assets across the Department; and
• analysis of the capital asset recording threshold, including the application of standards for capitalization of software development projects and related eligible expenses.

Monitoring and quality assurance of financial statement preparation:

• enhanced capacity of the financial reporting function to provide for an improved challenge function and quality assurance over the trial balance or amounts and disclosures in the financial statements.

When completing IT General Controls design effectiveness testing, DFAIT completed all documentation (including its validation by process owners) and verified whether the general computer controls are in place and correspond to actual practices. Design effectiveness also included ensuring appropriate alignment of each key control with risks. Based upon this, it was identified that the following significant adjustments were required: strengthen controls related to change management procedures, security settings at various technology layers, access controls, segregation of duties between the development and production environments, and backup and recovery procedures.

4.2 Operating effectiveness of key controls

DFAIT has not yet commenced testing of the operating effectiveness of key controls, however there are compensating controls in place which provide a level of assurance that controls are effective. These compensating controls include:

• During 2009-10, Internal Audit assessed the departmental governance structures, systems governance, and the Department’s risk management process. In addition, Internal Audit assessed controls related to expenditures and IT asset management.
• Ongoing quality assurance on financial accounts assessed the operating effectiveness of certain controls related to the financial reporting process.
• Verification of the Department’s compliance with sections 33 and 34 of the FAA. has been examined by Internal Audit and this process was found to be working effectively.
• The application approval process for Grants and Contributions is established in each program’s accountability risk framework. The programs are subject to evaluations and internal audits. In addition, there are also recipient audits conducted by the Inspector General.

More extensive tests of the operating effectiveness of IT general controls, and process controls will be required for DFAIT to meet the requirements of the PIC.  Once tests of the design effectiveness of key process controls have been completed by the Department, tests of operating effectiveness will need to be linked to specific key controls by business process.

5. DFAIT's forward plan

5.1 Progress as of March 2010

DFAIT has completed work to address the following necessary adjustments:

• Established the Internal Control section to develop the Department’s formal assessment plan guiding the Department’s implementation activities over time and on a risk and priority basis; 
• Completion of the documentation and assessment of the IT general controls for National Headquarters for information systems impacting the Department’s financial reporting;
• The implementation of a quality assurance process on financial accounts;
• Improved capacity of the financial reporting function through the addition of staff resources; and
• The introduction of a capital asset certification process to provide evidence towards the accuracy of the Department’s accounting for capital asset items.

DFAIT has substantially advanced work to address the following necessary adjustments:

• Remediation of findings from the 2009-2010 review of IT general controls relative to; control access to IT programs and data, IT program changes, and backup and recovery of data. 

DFAIT has commenced or partially completed work to address the following necessary adjustments:

• Enhancements to the process to maintain vendor master file data; and
• DFAIT has commenced a financial statement risk assessment to identify and address risks of a material misstatement related to significant financial statement components and underlying business processes.

5.2 Action plan

To March 31, 2010,  DFAIT has focused on the core elements of the Department’s system of internal control over financial reporting – entity level controls, and information technology general controls.

Entity level controls are the foundation for the Department’s control environment. Fundamental weaknesses in entity level controls will significantly reduce the effectiveness of information technology controls, and key process controls.

Information technology general controls help ensure that the IT systems of the Department are operating effectively and as intended. Most importantly, they provide comfort concerning the integrity of the data within the information systems, and system reports.

Moving forward, the Department’s action plan is focused on the documentation and assessment of key control procedures. Key control procedures are built upon the entity level and IT general controls, and help ensure that the objectives of a process are being met.

By end of 2010-11, DFAIT plans to:

• Remediate the identified design gaps in the ITGC process;
• Assess the design effectiveness of the entity level controls and identify gaps for remediation;
• Complete the identification of business processes to be documented through a formal planning and prioritizing exercise;
• Develop an ICFR framework that will provide a standard approach for documenting processes and related controls, and evaluating design of process controls and entity level controls;
• Commence the documentation of significant business processes. The business procesess to be documented will be the payroll cycle and the procure-to-pay cycle. Subsequent business processes to be documented will be prioritized based on risk and impact on DFAIT;
• Complete the financial statement risk assessment, and identify and address risks of a material misstatement related to significant financial statement components and underlying business processes; and
• An updated Section 33 monitoring methodology, such as statistical sampling, will be developed and implemented. 

By end of 2011-12 DFAIT plans to:

• As resources permit, complete the documentation of the remaining significant business processes including the identification of risks, and tests of design effectiveness; and
• As resources permit, develop a monitoring plan for the testing of operating effectiveness of internal controls over financial reporting for significant business processes, entity level controls and financial reporting related IT general controls. 

Primary navigation

Date Modified:

2012-12-27