Annex to the Statement of Management Responsibility including Internal Control over Financial Reporting - Transport Canada - Fiscal year 2011-2012

NOTE TO THE READER

With the Treasury Board Policy on Internal Control, effective April 1, 2009, departments are required to demonstrate the measures they are taking to maintain an effective system of internal control over financial reporting (ICFR).

As part of this policy, departments are expected to conduct annual assessments of their system of ICFR, establish action plan(s) to address any necessary adjustments, and attach to their Statement of Management Responsibility Including ICFR a summary of their assessment results and action plan.

Effective systems of ICFR aim to achieve reliable financial statements and to provide assurances that:

  • Transactions are appropriately authorized;
  • Financial records are properly maintained;
  • Assets are safeguarded from risks such as waste, abuse, loss, fraud and mismanagement; and
  • Applicable laws, regulations and policies are followed.

It is important to note that the system of ICFR is not designed to eliminate all risks, rather to mitigate risk to a reasonable level with controls that are balanced with and proportionate to the risks they aim to mitigate.

The system of ICFR is designed to mitigate risks to a reasonable level based on an on-going process to identify key risks, to assess the effectiveness of associated key controls and adjust them as required, as well as to monitor the system in support of continuous improvement. As a result, the scope, pace and status of those departmental assessments of the effectiveness of their system of ICFR will vary from one organization to another based on risks and taking into account their unique circumstances.

1. Introduction

This document is an annex to Transport Canada’s Statement of Management Responsibility Including Internal Control over Financial Reporting for the fiscal year 2011-12. As required by the Treasury Board Policy on Internal Control this document provides summary information on the measures taken by Transport Canada (TC) to maintain an effective system of internal control over financial reporting (ICFR). In particular, it provides summary information on the internal control assessments conducted by Transport Canada as at March 31, 2012, including progress, results, and related action plans along with some financial highlights pertinent to understanding the control environment unique to the department. This represents the third annex produced by the department.

1.1 Authority, Mandate and Program Activities

Detailed information on Transport Canada’s authority, mandate and program activities can be found in the 2011-12 Part III-Departmental Performance Report (DPR), and 2012-13 Part III - Reports on Plans and Priorities (RPP).

1.2 Financial Highlights

Financial statements (unaudited) of Transport Canada for fiscal year 2011-12 can be found at http://www.tc.gc.ca/eng/corporate-services/finance-fs-791.htm. Information can also be found in the Public Accounts of Canada 2011-12. Highlights are as follows:

  • Total expenses were $1.56B.
    • 23% of total expenses ($351M) were spent on Transfer Payments (grants and contributions).
    • Transport Canada has 5,441 employees, with Salary costs ($595M) representing approximately 38% of total expenses.
  • Total Revenues were $402M, largely from airport rent ($273M or 68% of total revenues). Non-Re-spendable revenues collected on behalf of the Government of Canada represent $314M (78%) of the Total Revenues.
  • Tangible Capital Assets represent 65% of total assets ($2.48B).
  • Total liabilities were $2.27B.
    • Consistent with prior fiscal year, accounts payable represents the largest portion of liabilities at $1.36B or 60% of total liabilities.
    • Lease obligations for tangible capital assets were $588M or 26% of total liabilities.
  • Transport Canada has a strong regional presence representing approximately 31% ($490M) of the Department’s operating expenses. There is a decentralized finance and accounting function in each of the regional offices that initiates, approves, processes and/or records a significant portion of operating expenses and capital expenditures. Transport Canada has nine key information systems that are critical to its operations and financial reporting, including many internal and external systems interfaces.

1.3 Service Arrangements Relevant to Financial Statements

Transport Canada relies on other organizations for the processing of certain transactions that are recorded in its financial statements:

Common Arrangements

  • Public Works and Government Services Canada (PWGSC) centrally administers the payments of salaries and the procurement of goods and services, as per the Department’s Delegation of Authority.
  • Treasury Board Secretariat (TBS) provides Transport Canada with information used to calculate various accruals and allowances, such as the accrual for severance liability.
  • Department of Justice provides legal services to Transport Canada.
  • Shared Services Canada provides Transport Canada with certain IT administration and support services. Shared Services Canada was created on August 4, 2011 to consolidate, streamline and improve the government’s information technology (IT) infrastructure services for 43 federal departments and agencies. Effective November 15, 2011, the responsibility for administering email, data centre and network services, including the associated resources, was transferred from Transport Canada to Shared Services Canada. The administration and delivery of these services were shared during the 2011-12 transition period while Shared Services Canada was being established.

Specific Arrangements

  • Transport Canada manages certain programs on behalf of Infrastructure Canada.

1.4 Material Changes in Fiscal Year 2011-12

There have been no material changes from the previous year.

2. Control Environment of Transport Canada Relative to ICFR

Transport Canada recognizes the importance of senior management leadership in ensuring that staff at all levels understand their roles in maintaining effective systems of ICFR and are well equipped to exercise these responsibilities effectively. Transport Canada’s objective is to continually improve its internal control environment using a responsive and risk-based approach and targeted resource investment so that continuous improvement and innovation are achieved at a manageable cost.

2.1 Key Positions, Roles and Responsibilities

Below are Transport Canada’s key positions and committees with responsibilities for maintaining and reviewing the effectiveness of its system of ICFR.

Deputy Minister - Transport Canada’s Deputy Minister, as Accounting Officer, assumes overall responsibility and leadership for the measures taken to maintain an effective system of internal control. In this role, the Deputy Minister is an ex-officio committee member of the Departmental Audit Committee. The Deputy Minister is also the chair of the Transport Executive Management Committee (TMX).

Chief Financial Officer (CFO) - Transport Canada’s CFO supports and reports directly to the Deputy Minister and provides leadership for the coordination, coherence and focus on the design and maintenance of an effective and integrated system of ICFR, including its annual assessment. The CFO’s responsibilities also include management of the department’s Corporate Risk Profile.

Senior Departmental Managers - Transport Canada’s senior departmental managers in charge of program delivery are responsible for maintaining and reviewing the effectiveness of the system of ICFR falling within their area of responsibility.

Chief Audit Executive (CAE) - Transport Canada’s CAE reports directly to the Deputy Minister and provides assurance through periodic internal audits that are instrumental to the maintenance of an effective system of ICFR.

Departmental Audit Committee (DAC) – The DAC is an advisory committee that provides objective views on the department’s financial statements, risk management, control and governance frameworks. It is comprised of four external members and was established in 2008. As such, it reviews Transport Canada’s Corporate Risk Profile and its system of internal control, including the assessment and action plans relating to the system of ICFR.

Transport Executive Management Committee (TMX) – As Transport Canada’s central decision-making body, the TMX reviews, approves and monitors the Corporate Risk Profile and the departmental system of internal control, including the assessment and action plans relating to the system of ICFR. This committee addresses both Policy, Programs and Regulations issues, as well as resource and management issues, on a regular basis.

2.2 Key Measures Taken by Transport Canada

Transport Canada’s control environment continues to include measures to equip its staff to manage risks through raising awareness, providing appropriate knowledge and tools, as well as developing skills.

Key measures include:

  • Governance and strategic direction: Transport Executive Management Committee (TMX), Departmental Audit Committee, Strategic Outcome Management Boards (SOMB), Internal Services Management Board (ISMB), Resource Management Committee;
  • Public service values: an Office of Values and Ethics, an Integrity Officer, a code of conduct, and a values and ethics code;
  • Policies and programs: Program Activity Architecture (PAA), departmental policies tailored to Transport Canada’s control environment, a Budget Management Framework, Governance paper and a delegation of authorities matrix;
  • People: a National Integrated Human Resource Plan, and a requirement for accounting designations in key financial management and financial accounting services positions;
  • Citizen-focused service: various external stakeholder committees;
  • Risk management: a Corporate Risk Profile, a Risk Management Framework for Transfer Payments, a National Sampling Plan, ICFR Risk-based Assessment and Monitoring Strategy, and a dedicated financial monitoring function responsible for managing internal control over financial reporting;
  • Stewardship: documentation of main business processes and related key risk and control points to support the management and oversight of the system of ICFR;
  • Accountability: annual performance agreements with clearly defined financial management responsibilities;
  • Learning, innovation and change management: training programs and communications in core areas of financial management;
  • Results and performance: Performance Measurement Framework, regular reporting of financial performance;
  • Automation: Improved IT and Oracle financial application systems through systems upgrade to achieve greater security, integrity, efficiency and effectiveness; and
  • Internal audit: a risk-based internal audit plan.

3. Assessment of Transport Canada’s System of ICFR

3.1 Assessment Approach

In support of the Policy on Internal Control, Transport Canada must maintain an effective system of ICFR with the objective to provide reasonable assurance that:

  • Transactions are appropriately authorized;
  • Financial records are properly maintained;
  • Assets are safeguarded, and
  • Applicable laws, regulations and policies are followed.

To ensure these objectives are met over time, assessments of design and operating effectiveness of the system of ICFR must take place and be subsequently supported by an ongoing monitoring framework that will lead to continuous improvement of the departmental system of ICFR.

Assessment of design effectiveness is defined as the documentation process that takes place to ensure key controls relevant to financial reporting for annual financial statements, at the entity, business process and IT control levels are identified and documented, and that they are aligned with the risks they aim to mitigate, and in place as designed. This includes identification of any remediation that needs to be addressed.

Assessment of operating effectiveness is defined as the testing and evaluation of identified and documented key controls at the entity, business process and IT levels, to ensure the controls are functioning as designed over a defined period of time and that any required remediation is addressed through documented management action plan(s). Such testing is performed using acceptable sampling methodology on a full scope of departmental transactions at the entity, business process and IT general computer controls levels.

An effective on-going monitoring framework refers to an integrated strategy and on-going approach to periodically assess and sustain the management of ICFR in support of continuous improvement. It encompasses an integrated corporate approach where the department has in place various mechanisms through which design and operating effectiveness of entity, business and IT controls are assessed and reassessed on a risk basis in accordance with a periodic rotational assessment plan, including taking the necessary timely remediation and corrective actions.

3.2 Scope of Assessment during Fiscal Year 2011-12

3.2.1 Transport Canada ICFR Risk-based Assessment and Monitoring Strategy

As committed in the 2010-11 Annex to the Statement of Management Responsibility, including Internal Control over Financial Reporting, the department completed a risk-based assessment framework and on-going monitoring strategy for ICFR.

This document formally sets out the overall methodology and approach for completing assessments of design and operating effectiveness of key controls at the entity, business process and IT computer levels. The department will follow the strategy and approach documented for conducting the remaining outstanding operating effectiveness assessments on entity level, certain business process and key IT application (computer system) controls. More significantly, the document outlines the roles and responsibilities of functional business process owners and key stakeholders critical to the integrity and management of the system of ICFR at Transport Canada.

In addition, the Transport Canada ICFR – Risk-based Assessment and Monitoring Strategy document outlines a standardized multi-year rotational assessment plan for testing key controls at the entity, business process and IT general control levels that ensures the frequency and scope of testing are proportionate and appropriate to the risks identified.

3.2.2 Test of Operating Effectiveness - Completed

IT General Controls

Transport Canada assessed and completed the operating effectiveness of IT General Controls testing as described below and detailed further in Section 4.1.

  • Oracle Financial Application E-Business suite (including iTravel)

When completing operating effectiveness testing, Transport Canada identified that key controls are functioning well over a 12-month period based on testing. Any remediation requirements to date are in the process of being addressed.

3.2.3 Other Risk-based Assessments - In Progress

Due to significant resource constraints in 2011-12, certain planned design and operating effectiveness assessments were delayed in commencing, and consequently were not completed by March 31, 2012. These assessments are now under way and will be completed by end of the upcoming fiscal year (see details in Section 5 below):

  • Entity Level controls – within the context of ICFR
  • Business Process controls:
    • Manage Budgeting and Forecasting;
    • Manage Capital Assets and Work in Progress; and
    • Manage Pay and Salary benefits.
  • IT Application controls:
    • Oracle Applications – core Finance, Materiel and iTravel modules (post Oracle Release 12);
    • Transport Canada Billing System;
    • HR TIPS Pay and LEX Leave and Extra Duty system; and
    • Salary Management System (SMS).

3.2.4 Other On-going Monitoring Activities - Completed

As mentioned previously, due to resource constraints during the fiscal year, the department focused its available resource skillsets on strengthening certain control weaknesses identified in previous assessments by Internal Audit, while developing a risk-assessment approach and resource strategy to ensure remaining assessments of operating effectiveness will be completed on time by the end of fiscal year 2012-13.

During the fiscal year, Transport Canada completed and took into account information from the following relevant audits and functional reviews:

  • Transport Canada Internal Audit
    • Audit of IM/IT Project Life Cycle Controls
    • Audit of Financial Controls for Procurement
  • Transport Canada functional reviews
    • Annual reviews of financial key controls
    • Functional reviews on contracting practices
    • Functional reviews of procurement with respect to Government Acquisition Card spending, review of professional and temporary help services; and
    • Other reviews of financial expenditures (e.g., travel, hospitality, etc) in support of deficit reduction action plan.

Transport Canada continues to pursue business process improvements with a view to strengthening controls over financial reporting and achieved the following:

Business processes:

  • Improved the consistency of documentation to better support a more effective and efficient assessment of internal control over financial reporting;
  • Improved the consistency of reporting and monitoring of the quality assurance process in respect of account verification (both pre and post-payment) to reduce gaps in performance in response to areas of improvements noted in the 2011-12 Audit of Financial Controls for Procurement;
  • Implemented an updated National Sampling Plan that included improvements such as an on-line guide to verify key financial controls, and a consistent checklist to verify key control attributes;
  • Standardized period-end sign-off and reporting across the departmental financial accounting offices; and
  • Clarified standards, roles and responsibilities for the proper exercise of delegated authority.

4. Departmental Assessment Results during Fiscal Year 2011-12

As indicated in section 3.2 above, the following summarizes key assessment results from the operating effectiveness testing completed by Transport Canada in 2011-2012.

4.1 Operating Effectiveness of IT General Controls (ITGC)

When completing operating effectiveness testing for the department’s IT general controls (ITGC), Transport Canada updated previous design documentation and validated key processes with various IM/IT and business stakeholders.

The assessment of ITGC was conducted in accordance with COBIT principles (Control Objectives for Business related Information Technology), which in turn were developed based on the COSO framework. COBIT is the industry-accepted framework for assessing IT governance and IT controls, and is broken down into the following four main control criteria:

  • Security - Access to Programs and Data;
  • Change Management;
  • Program Development (and system implementation); and
  • Computer Operation.

Assessment results and findings identified areas for improvements in all four main control criteria evaluated: Security (access to programs and data), change management, program development and computer operations.

The department has taken the necessary steps to start identifying cost-effective management action plans with a view to remedying and strengthening controls related to access, timely removal of access and IT system development risks. Management action plans will be tracked against progress on a quarterly basis.

5. Transport Canada’s Action Plan

5.1 Action Plan for 2012-13 and Subsequent Fiscal Years

The following table provides an update of progress made in fiscal year 2011-12 based on planned commitments noted in previous year’s reporting. In addition, the table provides a summary action plan, including other on-going monitoring activities and plans that have been put in place to ensure that Transport Canada continues to monitor and improve its system of ICFR with a balanced cost-effective approach taking into account risks, and resource capacity and capabilities.

Internal Controls over Financial Reporting (Control Elements) Assessment of Operating Effectiveness Other On-going Monitoring
Completed Assessment during the year Initial Assessment (to complete) Multi-Year Rotational Assessment
2011-12 2012-13 2012-2013 2013-2014 2014-2015 2015-2016 2016-2017 2012-2013 2013-2014 2014-2015
Entity Level Controls                    
Entity Level controls Delayed to 2012-13              
Business Process Controls                    
Manage Financial Budgeting and Forecasting Delayed to 2012-13              
Manage Payroll and Salary Benefits                
Manage Capital Assets and WIP (Capital Expenditures)                
Manage Travel Procurement - iTravel                  
Manage Procurement (Operating Expenditures)                  
Manage Accruals and Other General Entries (PAYEs, JEs)                  
Manage Environmental and other liabilities                  
Manage Grants & Contributions Transfer Payments                  
Manage Revenues and Receivables                
Manage Contracting and Commitments                
Manage Financial Close and Reporting                
IT Controls (General ITGC & Application)                    
Oracle ERP ITGC (include iTravel) Yes                
Oracle EBS R12 Application Controls (including iTravel)                
GAC (Oracle Cluster Group)                  
TCBS                
TIPS                  
LEX (Leave and Extra Duty)                  
Salary Management System (SMS)                
DAPLS - Department Air Pilot Licensing System                  
Hyperion                  
OADI                  
Other On-Going Monitoring Activities                    
Develop and document a risk-based strategy, plan and approach for standardized testing and monitoring of the effectiveness of internal control over financial reporting Yes            
Revise National Sampling Plan testing questionnaire package & procedures; Improve and update NSP reporting; update and publish NSP policy Yes            
NSP sampling strategy for Pay transactions Delayed to 2012-13 - after assessment of Payroll and Salary benefits            
Oracle User Access - annual review and update              
Period-end Monitoring (monthly)              
NSP post payment testing (monthly)              
Grants & Contributions - NSP post audit strategy - pilot              
Grants & Contributions - NSP post audit strategy of low risk payments              
Financial Controls Review - annual site visits