National Round Table on the Environment and the Economy’s Annex to the Statement of Management Responsibility including Internal Control over Financial Reporting Fiscal Year 2010-11
Preface
With the new Treasury Board Policy on Internal Control, effective April 1, 2009, departments and agencies are now required to demonstrate the measures they are taking to maintain an effective system of internal control over financial reporting (ICFR).
As part of this policy, departments and agencies are expected to conduct annual assessments of their system of ICFR, establish action plan(s) to address any necessary adjustments, and to attach to their Statements of Management Responsibility a summary of their assessment results and action plan.
Effective systems of ICFR aim to achieve reliable financial statements and to provide assurances that:
- Transactions are appropriately authorized
- Financial records are properly maintained
- Assets are safeguarded from risks such as waste, abuse, loss, fraud and mismanagement
- Applicable laws, regulations and policies are complied with
It is important to note that a system of ICFR is not designed to eliminate all risks, rather to mitigate risk to a reasonable level with controls that are balanced with and proportionate to the risks they aim to mitigate.
The maintenance of an effective system of ICFR is an ongoing process designed to identify, assess effectiveness and adjust as required key risks and associated key controls, as well as to monitor its performance in support of continuous improvement. As a result, the scope, pace and status of departmental and agency assessments of the effectiveness of their system of ICFR will vary from one organization to the other based on risks and taking into account their unique circumstances.
The system of ICFR is designed to mitigate risks to a reasonable level based on an on-going process to identify key risks, to assess effectiveness of associated key controls, and to make any necessary adjustments.
Table of Contents
- 1. INTRODUCTION
- 1.1 AUTHORITY, MANDATE AND PROGRAM ACTIVITIES
- 1.2 FINANCIAL HIGHLIGHTS
- 1.3 AUDITED FINANCIAL STATEMENTS
- #1.4 SERVICE ARRANGEMENTS RELEVANT TO FINANCIAL STATEMENTS
- 1.5 MATERIAL CHANGES IN FISCAL-YEAR 2010-1011
- 2. DESCRIPTION OF THE NRTEE’S ENTITY LEVEL CONTROLS RELEVANT TO ICFR
- 2.1 GOVERNANCE
- 2.2 CORPORATE RISK MANAGEMENT
- 2.3 OTHER ENTITY LEVEL CONTROLS
- 3. ASSESSMENT OF THE NRTEE’S SYSTEM OF ICFR
- 3.1 ASSESSMENT BASELINE
- 3.2 ASSESSMENT METHOD AT THE NRTEE
- 4. NRTEE’S ASSESSMENT RESULTS
- 4.1 DESIGN EFFECTIVENESS OF KEY CONTROLS
- 4.2 OPERATING EFFECTIVENESS OF KEY CONTROLS
- 4.3 ONGOING MONITORING PROGRAM
- 5. NRTEE’S ACTION PLAN
- 5.1 PROGRESS AS OF MARCH 31, 2011
- 5.2 ACTION PLAN
1. Introduction
1.1 Authority, Mandate and Program Activities
The raison d’être, or purpose, of the National Round Table on the Environment and the Economy (NRTEE or Round Table) is to play the role of catalyst in identifying, explaining, and promoting, in all sectors of Canadian society and in all regions of Canada, principles and practices of sustainable development.
The NRTEE interprets this broad mandate through a strategic focus on issues of national interest at the intersection of the environment and the economy. It examines the environmental and economic implications of priority issues and offers independent advice on how to address them.
Created in 1988 by the Prime Minister, the NRTEE is an independent national advisory body reporting to the federal government and Parliament through the Minister of the Environment (see Figure 1 for the agency’s internal organization and relationship to the federal government).
The NRTEE is a departmental corporation (Financial Administration Act, Schedule II).
The work of the NRTEE is directed by the Round Table members drawing on their expertise and insight. The members are part-time Governor-in-Council appointees. They represent different regions of Canada and are distinguished leaders from business, labour, universities, public service, and environmental organizations.
The Round Table normally meets four times each year in plenary sessions where members discuss priorities and review and approve the work of the Secretariat. A Secretariat in Ottawa, headed by a President and CEO, supports the members. In this context, the Secretariat provides program management, policy and research analysis, communications, and administrative services to the NRTEE members.
Figure 1: NRTEE internal organization and relationship to the federal government
The NRTEE has developed a Program Activity Architecture (PAA) that reflects how it allocates resources, including investments to its two program activities in order to achieve its strategic outcome. This PAA structure is illustrated below.
Further details regarding the NRTEE’s priorities, strategic outcome and program activity architecture are available in the Departmental Performance Report and the Report on Plans and Priorities.
1.2 Financial highlights
Below is key financial information for fiscal-year 2010-2011. More information can be found in the NRTEE’s audited Financial Statements.
- Total expenses were $5.7M
- Total revenues were $90K
- Total assets and liabilities were $765K and $1.3M respectively. Tangible capital assets comprise 21% of total assets. Accounts payable and accrued liabilities comprise 47% of total liabilities.
- The NRTEE has approximately 30 employees, with salary costs representing approximately 60% of operating expenses.
- The NRTEE is based in Ottawa, and all of the finance and accounting functions are under the leadership of the Chief Financial Officer (CFO).
- The NRTEE has a single financial system (FreeBalance) for financial operations and reporting.
1.3 Audited financial statements:
The NRTEE has received an unqualified audit opinion from the Office of the Auditor General (OAG), the auditors of the NRTEE’s Financial Statements since the OAG began auditing the NRTEE.
1.4 Service arrangements relevant to financial statements
The NRTEE relies on other organizations and their internal controls for the processing of certain transactions that are recorded in its financial statements:
- Public Works and Government Services Canada (PWGSC) centrally administers the payments of salaries;
- Treasury Board Secretariat (TBS) provides information used to calculate various accruals and allowances, such as accrued severance liability;
- The Office of the Auditor General (OAG) provides audit services to the NRTEE; and
- Environment Canada provides compensation services to the NRTEE, and exercises Section 34 over salary transactions. The NRTEE exercises Section 33 over all salary transactions.
1.5 Material changes in fiscal-year 2010-2011
No significant changes that are relevant to the financial statements occurred in 2010-11 other than improvements to the NRTEE’s system of ICFR.
2. Description of the NRTEE’s entity level controls relevant to ICFR
The NRTEE recognizes the importance of setting the tone from the top to help ensure that staff at all levels understand their roles in maintaining effective systems of ICFR and is well equipped to exercise these responsibilities effectively. The NRTEE’s focus is to ensure risks are managed well through a responsive and risk-based control environment that enables continuous improvement and innovation.
The NRTEE’s main entity-level controls currently in place and relevant to ICFR are set out below.
2.1 Governance
Deputy Head – The NRTEE’s President and CEO has the duties of a Deputy Head. As the Accounting Officer, the President and CEO assumes overall responsibility and leadership for the stewardship, management and oversight of agency resources, as well for the measures taken to maintain an effective system of internal control. The President and CEO is assisted by the Chief Financial Officer. The President and CEO meets regularly with the Management and Planning Committee (MPC).
Chief Financial Officer (CFO) – The Director, Corporate Services is also the CFO and reports directly to the President and CEO and provides leadership for the coordination, coherence and focus on the design and maintenance of an effective and integrated system of ICFR, including its annual assessment. The CFO is part of the MPC, providing functional leadership and a focus on financial management.
Deputy Chief Financial Officer (DCFO) – The NRTEE has a qualified DCFO, with a professional accounting designation, who reports directly to the CFO and provides support to both the President and CEO and the CFO on the ICFR.
Management Planning Committee (MPC) – As the NRTEE’s central decision-making body, the MPC reviews and monitors the Corporate Risk Profile and the departmental system of internal control, including the assessment and action plans relating to the system of ICFR. It is chaired by the President and CEO and comprised of the President and CEO’s direct reports and the Manager, Human Resources.
Directors and Corporate Secretary – Directors and the Corporate Secretary are in charge of program delivery and report to the President and CEO. Directors and the Corporate Secretary are responsible for the management and oversight of resources, including the review and maintenance of an effective system of ICFR, falling within their mandate.
2.2 Corporate risk management
The President and CEO is responsible for risk management at the NRTEE. MPC is responsible for recommending and implementing an effective risk management by providing leadership and strategic direction on risk management, including risk tolerance. Risk awareness and risk management are routinely part of the program and resource planning discussions and decision making at MPC meetings, where all major business decisions are made for the organization.
The NRTEE plans to review its Corporate Risk Profile, which was developed in 2004, during 2011-12. Any adjustments to the Corporate Risk Profile, as a result of the review, will be presented to MPC for approval.
2.3 Other entity level controls
The NRTEE’s entity level controls also include a series of measures to equip its staff to manage risks well through raising awareness, providing appropriate knowledge and tools, as well as developing skills. Key measures include:
HR management – Roles, responsibilities and accountabilities relating to financial management are set out in annual performance agreements where applicable. Financial management capabilities of managers and financial experts at the NRTEE are sustained through an overall HR approach that integrates HR planning with business planning and which includes recruitment, development and retention strategies to attract, equip and retain the talent it needs, including over financial management.
Communication and training – The NRTEE encourages staff training in key areas of management, including financial management. Some training courses are mandatory, in particular for new executives/managers and for financial officers.
Delegated authorities, legislation, regulations and policies – The NRTEE communicates its delegated financial signing authorities to staff with delegated authority on a regular basis. Mandatory requirements flowing from legislation, regulations and policies are systematically communicated to new employees as applicable as well as reinforced annually.
Values and ethics – The NRTEE has a code of conduct that is shared with all new staff upon appointment, and establishes the baseline for values and ethics at the Round Table. Values and ethics are foundational to reinforcing the integrity expected to be demonstrated in all activities and at all levels, including in the area of financial management.
Other enabling tools – The NRTEE will be documenting its main business processes and related key risks and controls to support the management and oversight of its system of ICFR, including the testing of design and effectiveness. This documentation is fundamental in raising awareness and understanding of staff at all levels on key risks and controls as well as to support continuous improvements. NRTEE staff are also equipped with IT systems and applications as key tools to enable efficient processing of transactions.
3. Assessment of the NRTEE’s system of ICFR
3.1 Assessment baseline
In 2004, the Government of Canada commenced an initiative aimed at preparing departments for control-based audits of their financial statements, thus placing reliance on well functioning internal controls.
NRTEE has had an independent audit conducted by the Office of the Auditor General (OAG) since its inception. The NRTEE has received a clean audit opinion each year on these audits. Over the years, the NRTEE has developed procedures and practices to provide assurance to support an audit opinion.
Due to NRTEE’s small size, the annual audits are primarily substantive based, rather than based on internal controls. This involves testing at the transaction level, comparison of results to prior years, variance analysis and reviews of NRTEE policies and procedures. Specific tests are conducted in each risk area and there is a strong emphasis on the balance sheet and financial statement presentation. The OAG provides feedback on NRTEE’s procedures and controls at the conclusion of each annual audit, and where appropriate the NRTEE has incorporated the OAG’s suggestions to further strengthen internal controls.
NRTEE participates in horizontal internal audits through Treasury Board Secretariat (TBS). The results of these audits are reviewed and recommendations are incorporated (where appropriate). NRTEE also participates in TBS’ Management Accountability Framework reviews every three years. These reviews provide independent feedback on the adequacy of NRTEE policies, procedures and practices. This contributes to a stronger control environment.
Whether it is to support control-based audit requirements or those of the Policy on Internal Control, an effective system of ICFR with the objectives to provide reasonable assurance that:
- Transactions are appropriately authorized:
- Financial records are properly maintained;
- Assets are safeguarded; and
- Applicable laws, regulations and policies are complied with.
Over time, this includes assessment of design and operating effectiveness of the system of ICFR and an on-going monitoring program leading to continuous improvement of the departmental system of ICFR.
Design effectiveness means to ensure that key control points are identified, documented, in place and that they are aligned with the risks (i.e. controls are balanced with and proportionate to the risks they aim to mitigate) and that any remediation is addressed. This includes the mapping of key processes and IT systems to the main accounts by location as applicable.
Operating effectiveness means that the application of key controls has been tested over a defined period and that any required remediation is addressed.
Ongoing monitoring program means that a systematic integrated approach to monitoring is in place, including periodic risk-based assessments and timely remediation.
Such testing covers all departmental control levels which include corporate or entity, general computer and business process controls.
3.2 Assessment method at the NRTEE
In proceeding with its preparation for a control-based audit, the NRTEE has taken measures to assess its system of ICFR starting with documentation and assessment of its entity (corporate) level controls.
The NRTEE will continue its assessment based on its financial statement putting emphasis on its main accounts, including:
- Payroll
- Capital assets
- Procurement / Materiel management
For each significant account, the NRTEE will complete the following steps:
- Gather information pertaining to existing processes, risks and controls relevant to ICFR, including appropriate policies and procedures;
- Map key processes with the identification and documentation of key risks and controls on the basis of materiality, volumes, complexity, geographic dispersion, susceptibility to losses/frauds, areas subject to audit observations, past history, external attention, and reliance on third-party.
- Test design and operating effectiveness of key process level controls.
The NRTEE is committed to documenting and assessing its IT general system controls (IT infrastructure).
Finally, the NRTEE takes into account new information available from recent audits or evaluations.
4. NRTEE’s Assessment results
During 2010-11, the NRTEE completed documentation and assessment of its entity level controls. The findings from this assessment are summarized below.
4.1 Design effectiveness of key controls
When undertaking design effectiveness testing, the NRTEE documented its entity level controls and validated key controls with internal stakeholders. It verified that the documented controls are in place and correspond to actual practices. Adjustments to the documentation and/or actual practices were made as required. Design effectiveness also included ensuring appropriate alignment of each key control with risks.
The NRTEE has identified improvements needed in the design effectiveness of its entity level controls and has initiated corrective action. For example, the Delegation of Financial Signing Authority was updated in 2010-11, was approved, and will be implemented early in 2011-12.
4.2 Operating effectiveness of key controls
The NRTEE is committed to completing the design effectiveness of control activities to identify and strengthen key controls before it can initiate the testing of operating effectiveness across all areas. When completing operating effectiveness testing, the NRTEE intends to ensure that key controls are functioning over time and any necessary corrective actions that are identified are initiated and addressed.
4.3 Ongoing monitoring program
As described in section 2, the NRTEE has a well established governance model, including corporate risk management and an enabling environment to support staff at all levels. Looking ahead, as shown in section 5, the NRTEE will seek opportunities to further strengthen its entity level controls taking into account results from annual assessments and audits. This includes ensuring that there is a well-integrated monitoring program in placed to raise awareness and understanding of the department’s system of ICFR at all levels, and equip people with the knowledge, skills, and tools needed.
5. NRTEE’s action plan
5.1 Progress as of March 31, 2011
During 2010-2011, the NRTEE began its assessment of the effectiveness of its key controls. Below is a summary of the main progress made by the department.
- Completion of the documentation of the existing entity level controls and assessment of those controls.
5.2 Action plan
Building on progress to date, the NRTEE has developed a multi-year plan to fully implement the requirements of the Policy on Internal Control and is positioned to complete the main assessment of its system of ICFR in 2012-2013.
By the end of 2011-12, the NRTEE plans to:
- Complete a risk assessment to identify key risks, accounts and business processes
- Document key business processes
- Test design effectiveness of key business processes
- Address required remediation identified during assessments
- Test operating effectiveness of entity level controls
By the end of 2012-13, the NRTEE plans to:
- Test operating effectiveness of key business processes
- Document key IT general controls
- Test design effectiveness of IT general controls
- Address required remediation identified during assessments
Future years:
- In 2013-14, the NRTEE plans to test operating effectiveness of IT general controls
- In 2013-14 and thereafter, the NRTEE will ensure that ongoing monitoring of key controls occurs cyclically based on risk