Audited Financial Statements 2019-20
Office of the Privacy Commissioner of Canada
Unaudited 2019-20 annex to the statement of management responsibility, including internal control over financial reporting
1. Introduction
This document provides summary information on the measures taken by the Office of the Privacy Commissioner of Canada (the Office) to maintain an effective system of internal control over financial reporting (ICFR), including information on internal control management, assessment results and related action plans.
Detailed information on the Office's authority, mandate and program activities can be found in the Office’s Departmental Plan and Departmental Results Report.
2. The Office’s system of internal control over financial reporting
2.1 Internal control management
The Office has a well-established governance and accountability structure to support the assessment efforts and oversight of its system of internal control. A departmental internal control management framework, approved by the Commissioner, is in place which includes:
- Organizational accountability structures as they relate to internal control management to support sound financial management, including roles and responsibilities of senior managers in their areas of responsibility for control management;
- Mechanisms to help promote and strengthen Values and Ethics, including a Values and Ethics Champion, an organizational Code of Values and Ethics, and ongoing training and awareness programs;
- Ongoing communication and training on statutory requirements, and policies and procedures for sound financial management and control; and
- At least annual monitoring of and regular updates on internal control management, as well as the provision of related assessment results and action plans to the Commissioner and the Office’s senior management and, as applicable, the Office’s Audit Committee.
The Office’s Audit Committee provides advice to the Commissioner on the adequacy and functioning of the Office's risk management, control and governance frameworks and processes.
2.2 Service arrangements relevant to financial statements
The Office relies on other organizations for the processing of certain transactions that are recorded in its financial statements as follows.
Common Arrangements
- Public Services and Procurement Canada (PSPC) centrally administers the payments of salaries and the procurement of goods and services in accordance with the Office’s Delegation of Authority, and provides the costs of accommodation for inclusion in the financial statements as "Common services provided without charge";
- The Office of the Auditor General provides audit services to the Office;
- The Treasury Board of Canada Secretariat (TBS) provides the Office with information used to calculate various accruals and allowances, such as the accrued severance liability;
- Shared Services Canada (SSC) provides information technology (IT) infrastructure services to the Office in the areas of internet connectivity and email security. The scope and responsibilities are addressed in the interdepartmental arrangement between SSC and the Office, and
- For the purposes of the Financial Administration Act, the Office and the Office of the Information Commissioner (OIC) submit their trial balances jointly to the Receiver General.
Specific Arrangements
- The Office does not contract external service providers to administer programs on his behalf or to capture and report financial transactions.
- In addition to processing the Office’s invoices, the Commission of Human Rights of Canada (CHRC) continued to provide the Office with a G/X financial system platform to capture and report all financial transactions.
3. The Office’s assessment results during fiscal year 2019-20
In recent years, design and operational effectiveness testing of key controls demonstrated that the Office’s systems of internal controls over financial reporting (ICFR) were generally strong and effective.
In 2018-19, the Office conducted an examination of its rotational multi-year monitoring plan for ICFR. As a result of this risk assessment, the classification of the Office’s payroll business process was amended from medium to high risk. Testing of its key controls, both design effectiveness and operational effectiveness, was changed to every year.
As a result, it was recommended that the Office continue to closely monitor its new procedure for pay calculations prior to entry into Phoenix, its one-time procedure to correct calculation errors already processed by Phoenix, and, as required, update relevant Compensation procedures and related training to prevent similar errors moving forward.
Testing of the Office’s payroll business process for 2019-20 transactions was conducted by a third party as planned. Based on the knowledge from the previous few years, it was recommended that the review focus on preventive, detective, and corrective controls particularly for high-risk transactions as well as the reconciliations of these individual high-risk transactions.
High risk was determined based on several factors including large dollar amounts (both positive and negative), infrequent amounts (e.g. retroactive pay adjustments), complexity of manual calculations and risk of known errors in automated calculations by Phoenix. Individual payroll transaction reconciliations between G/X (financial system) and Phoenix (payroll) were targeted to determine if potential errors could be detected more promptly, efficiently and effectively this way rather than through the existing higher level and delayed batch-type reconciliations between G/X and Phoenix.
The results of the testing indicated that while no errors were found in calculations for the testing sample selected, both the third party and OPC staff encountered significant difficulty in reconciling several amounts. This was largely due to an absence of a ‘storyline’ explaining these transactions, which were often corrections or retroactive payments. Another observation is that batch-type reconciliations happen less frequently and often weeks can elapse between the transaction and reconciliation, which can result in time-consuming efforts to determine the basis for the transaction and reconstruct the calculation by the compensation staff. The following recommendations were provided by the third party:
- Compensation staff, in coordination with Finance, refine reconciliation procedures and/or develop formal procedures when appropriate, with the intent of reducing risk/errors and also streamlining use of Finance and Compensation staff time;
- Determine the structure/processes/protocols for what should be formally documented in an electronic record system for supporting documentation; and
- Consider determining technical requirements for a transaction management tool and, if appropriate, review available options.
The OPC has reviewed the recommendations from this assessment and agrees to continue to refine its reconciliation procedures, with the intent of reducing risk/errors and also streamlining use of Finance and Compensation staff time. The OPC is also committed to further improving its information sharing and documentation practices. As the OPC considers its payroll business process as a high risk, the annual testing and assessment of it key controls will continue. The OPC will integrate these recommendations into its annual testing plan and assess progress made during the year.
Considering that the OPC has made significant investments in time and resources in improving its monitoring and reconciliation processes of pay related transactions in recent years, the OPC will continue to participate in government wide initiatives aimed to find efficiencies and allow compensation staff to provide more tailored support to employees. The OPC does not find opportune, at this time, to determine the structure for what should be formally documented in an electronic records system for supporting documentation or to establish technical requirements for a management tool.
According to the Office’s rotational multi-year monitoring plan for ICFR, an update to the documentation of Entity Level Controls (ELCs) and testing at the design effectiveness level was scheduled in 2019-20. This work was to commence in the last quarter of the year but has been delayed to fiscal year 2020-21 due largely to the COVID-19 pandemic. Results of this work will be provided in the next report.
4. The Office’s action plan
As an Agent of Parliament, the Commissioner is solely responsible for Office’s compliance with the Treasury Board Financial Management Policy and related instruments and for responding to any instance of non-compliance.
Therefore, the Commissioner and senior managers are committed to sustaining and continuously improving its effective system of ICFR, including carrying out ongoing monitoring to ensure that the key controls meet the expectations of management and stakeholders, and appropriately mitigate associated risks.
4.1 Action plan for the next fiscal year and subsequent years
During fiscal year 2020-21, the Office will continue to test the operating effectiveness of its key payroll business process controls and undertake a review of its entity level controls. The Office will also start during the last quarter of the fiscal year the design effectiveness testing and operating effectiveness testing for its procure to pay business processes.
| Business Process |
Overall Risk |
Frequency of Testing |
Rotational Plan | ||
|---|---|---|---|---|---|
| 2020-21 | 2021-22 | 2022-23 | |||
| IT General ControlsNote 1 | Based on Service Provider’s ICFR Plan | ||||
| Payroll | High | Annually | X | X | X |
| Procure to Pay | Medium | Every Three (3) Years | X | ||
| Budgeting & Reporting | Low | Every Five (5) Years | X | ||
| Year-End / Month-End Close | Low | Every Five (5) Years | X | ||
| Entity Level Controls | Low | Every Five (5) Years | X | ||
- Date modified: