Unaudited 2022-23 annex to the statement of management responsibility, including internal control over financial reporting

1. Introduction

This document provides summary information on the measures taken by the Office of the Privacy Commissioner of Canada (the Office) to maintain an effective system of internal control over financial reporting (ICFR), including information on internal control management, assessment results and related action plans.

Detailed information on the Office’s authority, mandate and program activities can be found in the Office’s Departmental Plan and Departmental Results Report.

2. The Office’s system of internal control over financial reporting

2.1 Internal control management

The Office has a well-established governance and accountability structure to support the assessment efforts and oversight of its system of internal control. A departmental internal control management framework, approved by the Commissioner, is in place which includes:

Organizational accountability structures as they relate to internal control management to support sound financial management, including roles and responsibilities of senior managers in their areas of responsibility for control management;
Mechanisms to help promote and strengthen Values and Ethics, including a Values and Ethics Champion, an organizational Code of Values and Ethics, and ongoing training and awareness programs;
Ongoing communication and training on statutory requirements, and policies and procedures for sound financial management and control; and
At least annual monitoring of and regular updates on internal control management, as well as the provision of related assessment results and action plans to the Commissioner and the Office’s senior management and, as applicable, the Office’s Audit Committee.

The Office’s Audit Committee provides advice to the Commissioner on the adequacy and functioning of the Office’s risk management, control and governance frameworks and processes.

2.2 Service arrangements relevant to financial statements

The Office relies on other organizations for the processing of certain transactions that are recorded in its financial statements as follows.

Common Arrangements

Public Services and Procurement Canada (PSPC) centrally administers the payments of salaries and the procurement of goods and services in accordance with the Office’s Delegation of Authority, and provides accommodation services and the costs of accommodation for inclusion in the financial statements as "Common services provided without charge";
The Office of the Auditor General provides audit services to the Office;
The Treasury Board of Canada Secretariat (TBS) provides the Office with information used to calculate various accruals and allowances, such as the accrued severance liability;
Shared Services Canada (SSC) provides information technology (IT) infrastructure services to the Office in the areas of internet connectivity and email security. The scope and responsibilities are addressed in the interdepartmental arrangement between SSC and the Office, and
For the purposes of the Financial Administration Act, the Office and the Office of the Information Commissioner (OIC) submit their trial balances jointly to the Receiver General.

Specific Arrangements

The Office does not contract external service providers to administer programs on his behalf or to capture and report financial transactions;
PSPC provides the Office with translation services;
In addition to processing the Office’s invoices, the Canadian Human Rights Commission (CHRC) continued to provide the Office with a G/X financial system platform to capture and report all financial transactions. In September 2022, the Office concluded a service agreement with CHRC, agreement adding procurement services to list of services.

3. The Office’s assessment results during fiscal year 2022-23

In recent years, design and operational effectiveness testing of key controls demonstrated that the Office’s systems of internal controls over financial reporting (ICFR) were generally strong and effective.

In the current year, the Office was planning to undertake the design effectiveness testing and operating effectiveness testing for its procure to pay business processes. Due to the change in service delivery model for its procurement function, the Office focused its efforts on implementing the service agreement with CHRC, establishing appropriate lines of communication and modifying key procurement processes and controls.

There were no other significant amendments to key controls in existing processes that required a reassessment.

Ongoing monitoring program

The Office has a comprehensive internal control framework for financial and HR management that is aligned with the federal government’s expenditure management process. The Office manages its funding through the budgeting and commitment control process in its integrated financial and salary budgeting systems. Appropriate segregation of duties is achieved in the context of common, systematized business processes. Expenditures are approved at the initiation, contracting, performance certification and payment approval stages. Payments are subject to a quality control process that tailors verification processes to risk. Controls over payments are tested for effectiveness on a regular basis. Financial results are monitored through a monthly financial reporting process, and validated and approved by management.

In addition to the progress made in ongoing monitoring, the Office reviewed 100% of pay transactions resulting from new signed collective agreements for accuracy and completeness. Also, payroll transactions were reconciled biweekly and at year-end to identify any over or under-payments in a timely manner. The Office made significant progress in analyzing over or under payments both from the current year and address a backlog from prior years. Monitoring is ongoing. The Office continued the analysis and review of any post-implementation issues with corrective measures as required related to the Phoenix pay system. Through the annual review of internal controls and the ongoing monitoring, the Office’s observations pertained mainly to the need to further improve procedures and related documentation.

4. The Office’s action plan

As an Agent of Parliament, the Commissioner is solely responsible for the Office’s compliance with the Treasury Board Financial Management Policy and related instruments and for responding to any instance of non-compliance.

Therefore, the Commissioner and senior managers are committed to sustaining and continuously improving its effective system of ICFR, including carrying out ongoing monitoring to ensure that the key controls meet the expectations of management and stakeholders, and appropriately mitigate associated risks.

4.1 Action plan for the next fiscal year and subsequent years

During fiscal year 2023-24, the Office will test the operating effectiveness of its key payroll business process controls and undertake the design effectiveness testing and operating effectiveness testing for its procure to pay business processes.

Risk-Based Multi-Year Testing Plan
Business Process	Overall Risk	Frequency of Testing	Rotational Plan
Business Process	Overall Risk	Frequency of Testing	2023-24	2024-25	2025-26
Payroll	High	Every Two (2) Years	X		X
IT General Controls^{Footnote 1}	High	Every Two (2) Years		X
Procure to Pay	Medium	Every Three (3) Years	X
Budgeting and Forecasting	Low	Every Five (5) Years		X
Entity Level Controls	Low	Every Five (5) Years
Footnote 1 The Office has three (3) main information systems that process transactions that support the financial statements: G/X, MyGCHR and Phoenix. The Office obtains assurance that the G/X system is operating effectively from an IT perspective from CHRC. Return to footnote 1

Date modified:: 2023-11-09

Language selection

Search and menus

Search