Unaudited 2020-21 annex to the statement of management responsibility, including internal control over financial reporting
1. Introduction
This document provides summary information on the measures taken by the Office of the Privacy Commissioner of Canada (the Office) to maintain an effective system of internal control over financial reporting (ICFR), including information on internal control management, assessment results and related action plans.
Detailed information on the Office's authority, mandate and program activities can be found in the Office’s Departmental Plan and Departmental Results Report.
2. The Office’s system of internal control over financial reporting
2.1 Internal control management
The Office has a well-established governance and accountability structure to support the assessment efforts and oversight of its system of internal control. A departmental internal control management framework, approved by the Commissioner, is in place which includes:
- Organizational accountability structures as they relate to internal control management to support sound financial management, including roles and responsibilities of senior managers in their areas of responsibility for control management;
- Mechanisms to help promote and strengthen Values and Ethics, including a Values and Ethics Champion, an organizational Code of Values and Ethics, and ongoing training and awareness programs;
- Ongoing communication and training on statutory requirements, and policies and procedures for sound financial management and control; and
- At least annual monitoring of and regular updates on internal control management, as well as the provision of related assessment results and action plans to the Commissioner and the Office’s senior management and, as applicable, the Office’s Audit Committee.
The Office’s Audit Committee provides advice to the Commissioner on the adequacy and functioning of the Office's risk management, control and governance frameworks and processes.
2.2 Service arrangements relevant to financial statements
The Office relies on other organizations for the processing of certain transactions that are recorded in its financial statements as follows.
Common Arrangements
- Public Services and Procurement Canada (PSPC) centrally administers the payments of salaries and the procurement of goods and services in accordance with the Office’s Delegation of Authority, and provides the costs of accommodation for inclusion in the financial statements as "Common services provided without charge";
- The Office of the Auditor General provides audit services to the Office;
- The Treasury Board of Canada Secretariat (TBS) provides the Office with information used to calculate various accruals and allowances, such as the accrued severance liability;
- Shared Services Canada (SSC) provides information technology (IT) infrastructure services to the Office in the areas of internet connectivity and email security. The scope and responsibilities are addressed in the interdepartmental arrangement between SSC and the Office, and
- For the purposes of the Financial Administration Act, the Office and the Office of the Information Commissioner (OIC) submit their trial balances jointly to the Receiver General.
Specific Arrangements
- The Office does not contract external service providers to administer programs on his behalf or to capture and report financial transactions.
- In addition to processing the Office’s invoices, the Canadian Human Rights Commission (CHRC) continued to provide the Office with a G/X financial system platform to capture and report all financial transactions.
3. The Office’s assessment results during fiscal year 2020-21
In recent years, design and operational effectiveness testing of key controls demonstrated that the Office’s systems of internal controls over financial reporting (ICFR) were generally strong and effective.
In the current year, there were no significant amendments to key controls in existing processes that required a reassessment, notwithstanding of the global COVID-19 pandemic that was declared in March 2020. These controls were deemed to be compliant with the policy on Financial Management and performing as intended.
The following table summarizes the status of the ongoing monitoring activities according to the previous fiscal year’s rotational plan.
| Business Process | Status |
|---|---|
| Payroll | Completed as planned; summary results can be found below. |
| Procure to Pay | Delayed to fiscal year 2021-22. |
| Entity Level Controls | Assessment began and will be completed in 2021–22. |
Payroll
In 2018-19, the Office conducted an examination of its rotational multi-year monitoring plan for ICFR. As a result of this risk assessment, the classification of the Office’s payroll business process was amended from medium to high risk.
As a result, it was recommended that the Office continue to closely monitor its new procedure for pay calculations prior to entry into Phoenix, its one-time procedure to correct calculation errors already processed by Phoenix, and, as required, update relevant Compensation procedures and related training to prevent similar errors moving forward.
Testing of the Office’s payroll business process for 2020-21 transactions was conducted by a third party as planned. A similar approach to 2019-20 was taken and the review focused on preventive, detective, and corrective controls particularly the calculations for high-risk transactions as well as the reconciliations of these individual high-risk transactions.
The results of the testing indicated that no errors were found in calculations for the testing sample selected. Improvements have been made by Public Services and Procurement Canada (PSPC) to the supporting processes to the Phoenix payroll system for high-risk and complex transactions such as retroactive pay. In addition, the compensation group has made improvements to its documentation for complex calculations. Although it was recommended that payroll business processes continue to be ranked as high risk, testing will be done every two (2) years moving forward.
4. The Office’s action plan
As an Agent of Parliament, the Commissioner is solely responsible for Office’s compliance with the Treasury Board Financial Management Policy and related instruments and for responding to any instance of non-compliance.
Therefore, the Commissioner and senior managers are committed to sustaining and continuously improving its effective system of ICFR, including carrying out ongoing monitoring to ensure that the key controls meet the expectations of management and stakeholders, and appropriately mitigate associated risks.
4.1 Action plan for the next fiscal year and subsequent years
During fiscal year 2021-22, the Office will complete a review of its entity level controls. The Office is planning to undertake the design effectiveness testing and operating effectiveness testing for its procure to pay business processes. It will also start its assessment of Internal Controls over Financial Management (ICFM) to meet the requirements of the Policy on Financial Management.
| Business Process | Overall Risk | Frequency of Testing | Rotational Plan | ||
|---|---|---|---|---|---|
| 2021-22 | 2022-23 | 2023-24 | |||
| IT General ControlsFootnote 1 | High | Based on Service Provider’s ICFR Plan | |||
| Payroll | High | Every Two (2) Years | X | ||
| Procure to Pay | Medium | Every Three (3) Years | X | ||
| Budgeting and Forecasting | Low | Every Five (5) Years | X | ||
| Entity Level Controls | Low | Every Five (5) Years | X | ||
- Date modified: