Annex to the Statement of Management Responsibility including Internal Control over Financial Reporting - Transport Canada

1. Introduction
2. Departmental System of Internal Control over Financial Reporting
- 2.1 Internal Control Management
- 2.2 Service Arrangements Relevant to Financial Statements
3. Departmental assessment results for fiscal year 2017-18
4. Departmental Action Plan
- 4.1 Progress during fiscal year 2017-18
- 4.2 Status and action plan for the next fiscal year and subsequent years

1. Introduction

This document provides summary information on the measures taken by Transport Canada to maintain an effective system of internal control over financial reporting (ICFR), including information on internal control management, assessment results and related action plans.

Detailed information on Transport Canada’s authority, mandate and program activities can be found in the 2017-18 Departmental Results Report and 2018-19 Departmental Plan.

2. Departmental System of Internal Control over Financial Reporting

2.1 Internal Control Management

Transport Canada has a well-established governance and accountability structure to support departmental assessment efforts and oversight of its system of internal control. A departmental internal control management framework, approved by the Deputy Minister, is in place and includes:

Organizational accountability and oversight structures to support sound financial management, including roles and responsibilities for senior departmental managers (Transport Executive Management Committee (TMX) members and others);
A Values and Ethics Office to provide awareness, educational activities and administration of TC’s Code of Values and Ethics, as well as a Senior Integrity Officer to provide advice, guidance and oversight on internal disclosures;
Ongoing communication and training on statutory requirements, policies, and procedures for sound financial management and control;
Leveraging the work of Audit and Advisory Services for internal audits on the effectiveness of risk management, control and governance processes, where appropriate;
Monitoring and regular updates at least semi-annually on internal control management for ICFR including assessment results and action plans to the Deputy Minister, Resource Management Committee (RMC) members and the Departmental Audit Committee (DAC) as applicable;
Advice and feedback from DAC to the Deputy Minister on the adequacy and functioning of the Department’s risk management, control and governance frameworks and processes; and
Annual validations of internal control management results through TMX members’ sign-off on controls management for their areas of responsibility.

2.2 Service Arrangements Relevant to Financial Statements

Transport Canada relies on other organizations for the processing of certain transactions that are recorded in its financial statements as follows:

Common Arrangements:

Public Services and Procurement Canada (PSPC) centrally administers the payments for salaries and the procurement of goods and services, as per the Department’s Delegation of Authority and provides accommodation services.
Treasury Board Secretariat (TBS) provides the Department with information used to calculate various accruals and allowances, such as the accrued severance liability.
The Department of Justice provides legal services to the Department.
Shared Services Canada (SSC) provides information technology (IT) infrastructure services to Transport Canada in the areas of data centre and network services. The scope and responsibilities are addressed in Shared Service Canada’s Information Technology General Control Framework in relation to internal controls over financial reporting.

As a result, Transport Canada relies on the effective system of internal control over financial reporting in place at these service providers.

Specific Arrangements:

Through memoranda of understanding with Infrastructure Canada, Transport Canada provides some program management and administrative services under the Canada Strategic Infrastructure Fund and the Border Infrastructure Fund (project implementation), as well as the Building Canada Fund (major infrastructure component).
On a cost recovery basis, Transport Canada provides financial management, accounting services and reporting, in addition to some information technology and management services to the Administrator of the Ship-Source Oil Pollution Fund and the Fund for Railway Accidents Involving Designated Goods.

3. Departmental assessment results for fiscal year 2017-18

In 2014-15, the Department commenced implementation of its ongoing risk-based monitoring program of ICFR as outlined in Transport Canada’s ICFR Framework for Risk-Based Assessment and Monitoring. A full cycle of ICFR ongoing monitoring was completed by the end of 2017-18.

In 2017-18, Transport Canada completed its assessment of the following business processes based on its ongoing risk-based monitoring plan:

Entity Level Controls (22 out of 43 points of focus under the 2013 COSO Framework);
IT General Controls;
Financial Close and Reporting; and
Environmental Liabilities.

The key financial controls for the above-mentioned business processes were generally found to be operating effectively, or in place but requiring improvement, to ensure the production of reliable financial information. There was one control weakness identified with a high risk impact related to IT general controls. Approved Management Action Plans (MAP) are in place or in progress to address the identified weaknesses. These MAPs have been signed off by the accountable Directors General and are actively monitored and reported to senior management and the DAC on a semi-annual basis.

As a result of the ongoing monitoring, the Department identified the following remediation activities to strengthen its control environment:

Entity Level Controls

Conduct a periodic review and update of Human Resources policies in accordance with departmental established timeframes.

IT General Controls

Improve the process for the granting, modification and removal of network accesses including the timely notification of employee departures/transfers and retention of approved Network Service Request forms.
Perform and/or retain documentation to support the periodic review of user accesses for three application systems.
Implement segregated access for the submission, approval and invoicing of services for one application system.
Finalize the departmental Informatics Disaster Recovery Plan and test it on periodic basis to enable continuity of key financial systems in situations of an unexpected event.

Environmental Liabilities

Enhance the annual review process of closing environmental liability balances by contaminated site.

In addition, the Department continued to monitor:

The completion of the period-end and year-end sign offs as part of the Financial Close and Reporting business process; and
Compliance with the TBS Directive on Delegation of Spending and Financial Authorities through Transport Canada’s National Sampling Plan of expenditure payments as part of its ongoing oversight of key controls.

4. Departmental Action Plan

4.1 Progress during fiscal year 2017-18

During 2017-18, Transport Canada continued the execution of its ongoing risk-based monitoring plan and strategy as follows:

Key Control Areas	Status
Entity Level Controls – Year 3 (22 out of 43 points of focus under the 2013 COSO Framework)	Ongoing monitoring assessment of operating effectiveness was completed as planned. Remedial plan is in progress and expected to be completed by March 2019.
IT General Controls	Ongoing monitoring assessment of operating effectiveness was completed as planned. Remedial plans are in progress and expected to be mostly completed in 2018-19 with two in 2021-22.
Financial Close and Reporting	Ongoing monitoring assessment of operating effectiveness was completed as planned. Remedial plans are in progress and expected to be completed in 2018-19.
Environmental Liabilities	Ongoing monitoring assessment of operating effectiveness was completed as planned. Remedial plans are in progress and expected to be completed in early 2019-20.
Procurement (Operating Expenditures, Contracting and Commitments) carried forward from 2016-17	Ongoing monitoring assessment of operating effectiveness was reported to RMC in June 2018. The assessment was substantially completed in May 2017 but delays were encountered in finalizing the report until 2017-18. Remedial plans are in progress and expected to be completed in 2018-19.

In 2017-18, Transport Canada also followed up on the status of remedial plans from previous years. Seventy-one percent (71%) of those remedial plans are complete. Fourteen management action plans related to Entity Level Controls, Financial Budgeting and Forecasting, Revenues and Receivables and Travel and Events with low-medium and medium risk impacts are in progress and will be closely monitored until the remediation plans can be fully implemented in 2018-19.

4.2 Status and action plan for the next fiscal year and subsequent years

Transport Canada’s ongoing risk-based monitoring plan was changed from four years to five years commencing in 2018-19. The extension of the ongoing monitoring plan is to account for the expanded scope of work to encompass the five financial management areas identified by TBS (budgeting and forecasting, costing, investment planning, CFO attestation and payroll/salary), as well as consideration of internal capacity to carry out the plan. Entity Level Controls were assessed in accordance with a three-year rolling calendar that commenced in 2015-16 but in 2018-19 will revert back to a rotational basis as no significant control weaknesses were identified to warrant a more frequent reassessment.

Based on the full integrated ICFR risk assessment conducted in June 2017 and subsequent update, the approved five-year Internal Control over Financial Management (ICFM) ongoing monitoring plan is shown below:

Rotational Ongoing Risk-Based Monitoring Plan
Key Control Areas	Fiscal Year 2018-19	Fiscal Year 2019-20	Fiscal Year 2020-21	Fiscal Year 2021-22	Fiscal Year 2022-23
Entity Level Controls
Entity Level Controls	Empty	Empty	Empty	Empty	X
Information Technology (IT) Controls
IT General Controls (ITGC)^{Footnote 1} Includes: Oracle ERP (including iTravel, Government Acquisition Cards, Departmental Travel Expense Account and Transport Canada Billing System), Transport Integrated Personnel System / Leave and Extra Duty, Salary Management System, Hyperion, Business Intelligence, and Marine Safety Dispatch and Tracking System	Empty	Empty	Empty	X	Empty
Business Process Controls
Capital Assets and Work in Progress (Capital Expenditures)	X	Empty	Empty	Empty	Empty
Payroll and Salary Benefits^{Footnote 2}	X	Empty	Empty	Empty	Empty
Revenues and Receivables^{Footnote 3}	X	X	Empty	Empty	Empty
Grants and Contributions Transfer Payments	Empty	X	Empty	Empty	Empty
Financial Budgeting and Forecasting	Empty	Empty	X	Empty	Empty
Accruals and Other General Entries	Empty	Empty	X	Empty	Empty
Travel and Events	Empty	Empty	X	Empty	Empty
Procurement (Operating Expenditures, Contracting and Commitments)	Empty	Empty	Empty	X	Empty
Environmental Liabilities	Empty	Empty	Empty	Empty	X
Financial Close and Reporting	Empty	Empty	Empty	Empty	X
Additional Internal Control over Financial Management Areas
Investment Planning	Empty	X	Empty	Empty	Empty
CFO Attestation of Treasury Board and Cabinet Document Submissions	Empty	Empty	X	Empty	Empty
Costing	Empty	Empty	Empty	X	Empty

TBS guidance documents on ICFM have not yet been issued but when they become available, Transport Canada will then be able to update its Internal Control over Financial Reporting Framework for Risk-Based Assessment and Monitoring to incorporate ICFM elements, as well as commence scoping the new expanded ICFM processes. Transport Canada will also reassess the controls related to any significant changes in key processes that are introduced during the year.

Footnotes

Footnote 1

Some relevant Oracle application controls are assessed in an integrated manner within the associated business process testing that will occur as per the Ongoing Monitoring Plan.

Return to footnote 1 referrer

Footnote 2

In April 2016, the Phoenix pay system was implemented at Transport Canada (TC) but not to the same extent as other federal departments and agencies. TC compensation services have not been transferred to Miramichi and TC is not using all of Phoenix’s modules. For example, application controls remain in place for the TC Pay System and Leave and Extra Duty, which interfaces with Phoenix to process pay and benefit transactions. As part of the NSP, these transactions are sampled and tested quarterly for authorization, accuracy and recording on a post-payment basis. In addition, pay transactions continue to be closely monitored to ensure all employees are properly paid.

Return to footnote 2 referrer

Footnote 3

The Revenues and Receivables business process will be examined over a two-year period given its extensive scope of revenue sub-streams and related key controls.

Return to footnote 3 referrer

Annex to the Statement of Management Responsibility including Internal Control over Financial Reporting - Transport Canada - Fiscal Year 2017-2018 (Unaudited)
(PDF, 386 KB)

Language selection

WxT Language switcher

Annex to the Statement of Management Responsibility including Internal Control over Financial Reporting - Transport Canada - Fiscal Year 2017-2018 (Unaudited)

Table of Contents