Annex to the Statement of Management Responsibility including Internal Control over Financial Reporting

Royal Canadian Mounted Police
Fiscal Year 2009-2010

Note to the reader

With the new Treasury Board Policy on Internal Control, effective April 1, 2009, departments are now required to demonstrate the measures they are taking to maintain an effective system of internal control over financial reporting (ICFR).

As part of this policy, departments are expected to conduct annual assessments of their system of ICFR, establish action plan(s) to address any necessary adjustments, and to attach to their Statement of Management Responsibility a summary of their assessment results and action plan.

Effective systems of ICFR aim to achieve reliable financial statements and to provide assurances that:

• Transactions are appropriately authorized
• Financial records are properly maintained
• Assets are safeguarded from risks such as waste, abuse, loss, fraud and mismanagement
• Applicable laws, regulations and policies are complied with

It is important to note that the system of ICFR is not designed to eliminate all risks, rather to mitigate risk to a reasonable level with controls that are balanced with and proportionate to the risks they aim to mitigate.

The maintenance of an effective system of ICFR is an ongoing process designed to identify, assess effectiveness and adjust, as required, key risks and associated key controls, as well as to monitor its performance in support of continuous improvement. As a result, the scope, pace and status of those departmental assessments of the effectiveness of their system of ICFR will vary from one organization to the other based on risks and taking into account their unique circumstances.

1. Introduction

This document is an annex to the Royal Canadian Mounted Police’s Statement of Management Responsibility Including Internal Control Over Financial Reporting for the fiscal year 2009-2010. As required by the new Treasury Board Policy on Internal Control, effective April 1st 2009, this document provides summary information on the measures taken by the RCMP to maintain an effective system of internal control over financial reporting (ICFR). In particular, it provides summary information on the internal control assessments conducted by the RCMP as at March 31, 2010, including progress, results and related action plans along with some financial highlights pertinent to understanding the control environment unique to the RCMP.

1.1 Authority, Mandate and Program Activities

Detailed information on the RCMP’s authority, mandate and program activities can be found in its 2009-10 Part III – Departmental Performance Reports (DPR) and 2010-11 Part III – Reports on Plans and Priorities (RPP).

1.2 Financial highlights

Financial statements (unaudited) of the RCMP for fiscal-year 2009-2010 can be found on the RCMP website. Information can also be found in the Public Accounts of Canada. Highlights are as follows:

Overall:

• The RCMP has a strong regional presence with six corporate management offices. Each office has a decentralized finance and accounting operations where financial transactions are initiated, approved, processed and/or recorded into the departmental financial systems.
• Other significant information systems, such as the Human Resources Management Information Systems (HRMIS), are critical to our financial reporting.

Expenses:

• Total RCMP expenses for 2009-2010 exceeded $5.0B. The majority of the expenses are for salaries at 65% (or $3.2B) and 35% (or $1.8B) are for other operating expenses.

Revenues:

• A total of $1.7B is collected in revenues, 95% of which is generated from contract policing.

Salary and Benefits:

• The RCMP has in excess of 27,000 employees, divided into three distinct groups: Regular Members, Civilian Members and Public Service employees.
• The RCMP regular and civilian member Pension accounts comprise 90% of total liabilities ($12.7B).

Transfer Payments:

• Transfer Payments include $98.7M in Grants, mostly for compensation to RCMP members for injuries and $13.8M in contributions to provinces and territories and to aboriginal and/or other communities and organizations (not for profit).

Assets:

• The net book value of tangible capital assets is valued at $1.3B including land, buildings, works and infrastructure, machinery and equipment, vehicles, leasehold improvements, capital lease, and assets under construction (including software).
• Accounts Receivables of $630.7M consist mostly of unbilled (accrued) amounts for contract policing revenues and interest receivable from the RCMP Superannuation Account.

1.3 Service arrangements relevant to financial statements

The RCMP relies on other organizations for the processing of certain transactions that are recorded in its financial statements:

• Public Works and Government Services Canada (PWGSC) centrally administers the payments of salaries and benefits under two different pay systems: Regional Pay System (RPS) for Public Servants and Member Pay System (MPS) for Regular and Civilian Members. PWGSC also provides for the procurement of some goods and services as well as the provision of accommodations on behalf of the RCMP.
• The Department of Justice provides legal services to the RCMP.
• The Treasury Board Secretariat provides the RCMP with a percentage ratio to be used when calculating the severance benefits earned by employees and RCMP members. This obligation is calculated using information derived from the results of the actuarially determined liability for employee severance benefits for the Government as a whole.
• The Treasury Board Secretariat provides the amount paid on behalf of the RCMP for the employer’s contributions to the Health and Dental Plans.

Also, the RCMP relies on the internal controls of third party suppliers which provide specific services such as member pension administration, relocation services and health service administration.

1.4 Material changes in fiscal year 2009-2010

During fiscal year 2009–2010 there have been notable changes to the control environment at the RCMP.

• The establishment of the Departmental Audit Committee with three external members recruited from outside the federal public administration improved the department’s governance.
• The RCMP received enhanced financial authorities through the approval of its Investment Plan. The increased authorities are for project approvals, construction, architectural and engineering service contracts and real property transactions.
• The RCMP provided security at the 2010 Vancouver Olympic and Paralympic Games which was the largest and most complex security challenge in Canadian history. This major event required a governance structure of it’s own with appropriate accountability, reviews and monitoring functions.

2. RCMP’s control environment relevant to ICFR

The RCMP recognizes the importance of senior management leadership in ensuring that managers at all levels understand their roles in maintaining effective systems of ICFR and are well equipped to exercise these responsibilities effectively. The RCMP’s objective is to continually improve its internal control environment using a responsive and risk-based approach and targeted resource investment so that continuous improvement and innovation are achieved at a manageable cost.

2.1 Key positions, roles and responsibilities

Below are the RCMP’s key positions and committees with responsibilities for maintaining and reviewing the effectiveness of its system of ICFR.

Commissioner – The RCMP’s Commissioner, as Accounting Officer, assumes overall responsibility and leadership for the measures taken to maintain an effective system of internal control. In this role, the Commissioner chairs the RCMP’s Senior Executive Committee.

Chief Financial and Administration Officer (CFAO) – The CFAO supports and reports directly to the Commissioner and provides leadership for the coordination, coherence and focus on the design and maintenance of an effective and integrated system of ICFR, including its annual assessment. The CFAO also co-chairs the Senior Executive Committee Integrated Risk Management Sub-Committee and oversees the management of the Corporate Risk Profile. The CFAO is an ex-officio member at the Departmental Audit Committee quarterly meetings.

Deputy Commissioners – The RCMP’s senior departmental executives in charge of operations and program delivery are responsible for maintaining and reviewing effectiveness of their system of ICFR falling within their area of responsibilities.

Chief Audit Executive (CAE) – The RCMP’s CAE reports directly to the Commissioner and provides assurance through periodic internal audits, as part of a risk based audit plan, that are instrumental to the maintenance of an effective system of ICFR. The CAE is an ex-officio member at the Departmental Audit Committee quarterly meetings.

Senior Executive Committee (SEC) – As the RCMP’s central decision-making body, SEC reviews financial matters such as policy, programs and regulations, resource management and addresses issues pertaining to those groups. SEC is also constantly informed through presentations from various SEC Sub-Committees on subjects of interest and approval is sought as required.

Departmental Audit Committee (DAC) – The DAC is an advisory committee that provides objective views on the RCMP’s financial statements, risk management, control and governance frameworks and processes. It is comprised of three external members. As such, the Committee reviews the RCMP’s Corporate Risk Profile and its system of internal control, including the assessment and associated results relating to the effectiveness of the system of ICFR.

2.2 Key organization-wide controls in the RCMP

The RCMP’s control environment includes measures to help manage risk through raising awareness and providing appropriate knowledge and tools as well as developing skills. Key measures, presented under three main categories, include:

Governance:

• An Office of Professional Integrity, under the Senior Deputy Commissioner, to promote the high standards of ethics and integrity expected of our employees;
• A fully implemented monitoring process to track progress on managerial strategic objectives and projects;
• A Change Management Team to assist in the transformation of the RCMP to achieve its Vision for Change;
• A Corporate Risk Profile that is updated annually;
• A SEC Integrated Risk Management Sub-Committee co-chaired by the Chief Financial and Administrative Officer;
• Regularly updated delegated authorities matrices to meet the operational needs of the organization;
• Annual employee performance agreements with clear financial management responsibilities for managers;

Oversight:

• Centralized and Regional Internal Control Units within the Corporate Management dedicated to the documentation, design and operating effectiveness of internal controls over financial reporting; and
• Working Groups devoted to addressing control weaknesses identified as a part of the implementation of the Policy on Internal Control and the Audit Readiness Assessment;
• Senior Executive Committee Finance Sub-Committee provides recommendations, expertise, advice and guidance to the Senior Executive Committee for the efficient and effective management of the funding appropriations granted to the RCMP by Parliament;
• National Asset Investment Board is dedicated to ensure the integrity and effectiveness of the investment decision making process, and supporting the implementation of the RCMP’s capital program;
• Quarterly Departmental Audit Committee meetings;
• A risk-based internal audit plan;

Capacity:

• Training and regular communication to employees on core areas of financial management including internal controls;
• Hiring through the Financial Officer Recruitment and Development (FORD) Program where employees are exposed to key aspects of governmental finance in order to develop a competent and knowledgeable workforce, and;
• Supporting educational initiatives to encourage employees to complete an accounting designation and/or degree to develop talent as part of our succession-planning.

3. Assessment of the RCMP’s system of ICFR

3.1 Assessment baseline

In 2004, the Government of Canada commenced an initiative to determine the ability of departments to sustain control-based audits of their financial statements, thus placing reliance on well functioning internal controls. As a result, beginning in 2006, the largest departments, including the RCMP, are formalizing their approach to managing their systems of ICFR, including audit readiness assessments and action plans.

Whether it is to support controls-based audits or meet the requirements of the Policy on Internal Control, the RCMP must be able to maintain an effective system of ICFR with the objective to provide reasonable assurance that a) transactions are appropriately authorized, b) financial records are properly maintained, c) assets are safeguarded, and d) applicable laws, regulations and policies are complied with.

Over time, this includes assessment of design and operating effectiveness of its system of ICFR leading to ensuring the ongoing monitoring and continuous improvement of the departmental system of ICFR. Such testing covers all departmental control levels including corporate or entity, general computer and business process controls.

Design effectiveness means to ensure that key control points are identified, documented, in place and aligned with risks (i.e. controls are in balance with and proportionate to the risks they aim to mitigate) and that any remediation is addressed. This includes the mapping of key processes and IT systems to the main financial statement accounts by location as applicable.

Operating effectiveness means that the application of key controls has been tested over a defined period and that any remediation is addressed.

3.2 Assessment methodology

In proceeding with our preparation for a control-based audit, the RCMP, with the assistance of an independent external consulting firm, has taken measures to assess its system of ICFR starting from its Financial Statements with a focus on the following business cycles along with the addition of General Computer Controls and Entity Level Controls:

• Operating Expenditures – Accounts Payable & Accruals (National Capital Region and Regions)
• Revenues & Accounts Receivables (National Capital Region and Regions)
• Payroll and Benefits – Regular and Civilian Members (National Capital Region and Regions)
• Payroll and Benefits – Public Servants (National Capital Region and Regions)
• Tangible Capital Assets (National Capital Region and Regions)
• Pension Plan Liabilities (National Capital Region)
• Transfer payments (National Capital Region)
• Financial Closing and Reporting (National Capital Region)
• Inventory (National Capital Region and Regions)

For each of the first two cycles: Operating Expenditures – Accounts Payable & Accruals and, Revenues & Accounts Receivables, the following steps were substantially completed at our six accounting offices:

• Gathered information pertaining to processes and locations, risks and controls relevant to ICFR, including appropriate policies and procedures which included interviews with key staff and the review of policies, regulations, desk procedures and tools
• Mapped out key processes with the identification and documentation of key risk and control points on the basis of materiality, volumes, complexity, geographic dispersion, susceptibility to losses/frauds, areas subject to audit observations, past history, external attention, and reliance on third parties; and
• Design effectiveness tested to confirm that controls were functioning as intended.

4. Assessment results

As a result of the assessment approach described above, the RCMP has developed a baseline architecture of key control points for the two cycles. As of year end 2009-10, the RCMP has completed testing of design effectiveness and is in the process of implementing remediation as required.

4.1 Design effectiveness of key controls

When completing design effectiveness testing, the RCMP updated business process documentation and validated key processes with stakeholders. It verified that the documentation processes corresponded to actual practices and any remediation requirements are in the process of being implemented. Design effectiveness also included ensuring appropriate alignment of each key control with the risks they aim to mitigate.

The RCMP also took into account information from relevant audits, including:

• Audit of the Departmental Financial System TEAM (SAP) (performed by Internal Audit)
• Audit of Departmental Bank Account (performed by Internal Audit)
• Horizontal Internal Audit of High Risk Expenditure Controls in Large Departments and Agencies (performed by the Office of the Comptroller General)
• Horizontal Internal Audit: Delegation of Financial Authorities in Large Departments and Agencies (performed by the Office of the Comptroller General)

As a result of these assessments, the RCMP identified remediation requirements which have been or are being pursued in the following areas:

Documentation of Controls and Evidence of Controls:

• Greater consistency, accuracy and detail in the documentation of controls and procedures.
• Updating of delegation of authorities instruments.
• Strengthening Account Verification Procedures to include standards for evidence of review and monitoring of non-compliance

Monitoring and Segregation of Duties:

• Strengthening internal controls over segregation of duties including user access to departmental financial and payroll systems.

Data reconciliation:

• Greater consistency of reconciliations and source data.

4.2 Operating effectiveness of key controls

The RCMP will begin the testing of the operating effectiveness of internal controls in 2010-2011. The approach will involve a risk-based testing plan that identifies key controls to be tested over a defined period of time, with the appropriate method of testing and using technology to obtain assurance where possible.

4.3 On-going monitoring program

The RCMP has created a dedicated unit responsible for managing the documentation and testing of internal controls which will evolve, in the upcoming years, into a unit responsible for a well integrated risk based approach for the ongoing assessment of the RCMP’s internal controls over financial reporting. This unit will monitor any required remedial actions to its entity level, business processes and general computer controls based on lessons learned from the annual assessments and the results of internal and external audits. This includes ensuring that there is a program in place that raises awareness and understanding of the RCMP's system of ICFR at all levels and ensures that employees have the knowledge, skills and tools required to carry out their responsibilities.

Key accomplishments to date include completion of an audit readiness assessment, development of an action plan to address identified gaps, and progress towards implementation of measures to ensure the departmental ICFR are effective.

5. Action Plan

5.1 Progress as of March 2010

The RCMP continues to make significant progress in assessing and improving its internal control over financial reporting as is demonstrated below:

• Completed the documentation and design effectiveness and made substantial progress in the required remedial measures for Operating Expenditures – Accounts Payable & Accruals and, Revenues & Accounts Receivables cycles.
• Action was taken to address the identified gaps, some examples are provided below:
  • Identification of high risk and low risk transactions for the purposes of account verification which permits a targeted approach on higher risk transactions and use of statistical sampling methodologies on lower risk transactions.
  • Creation of Account Verification Reviewer positions to increase the review of transactions in support of the payment authority officers.
  • Creation of checklists to ensure specific steps in the account verification process are followed and to address the lack of evidence.
  • Establishment of a protocol for the payment authority officers.
  • Policy Renewal Initiative to review and improve our policies and procedures.
  • Standardization of our approach on consequences for non-compliance findings.
  • Enhancement of the clarity of the delegation of authority instruments.
  • Revision of user profiles to ensure segregation of duties and user access monitored through regular review of access logs and reports.
  • Establishment of regional training programs for budget holders and supporting staff.

5.2 Action plan – future years

By end of 2010-2011 the RCMP plans to:

• Conduct operating effectiveness testing of the revenue and operating expenditure controls.
• Update documentation of business processes based on the results of the effectiveness testing.
• Substantially complete the assessment of design and operating effectiveness of payroll and benefit control processes for members and non-members.
• Ensure that education and awareness materials are available for those employees involved with internal controls over financial reporting including access to such materials broadly across the department.

By end of 2011-2012 the RCMP plans to:

• Complete the assessment of operating effectiveness for payroll and benefit control processes for members and non-members.
• Substantially completed the design and operating effectiveness for tangible capital assets, pension plan liabilities, entity level and general computer controls.
• Begin an ongoing monitoring program to ensure internal controls over financial reporting are maintained and continuously improved as required.

By end of 2012-2013 the RCMP plans to:

• Complete the assessment of operating effectiveness for Tangible Capital Assets, Pension Plan Liabilities, Entity Level and General Computer controls.
• Complete the assessment of design and operating effectiveness on the remaining control process: Transfer payment expenses, financial closing and reporting and inventory.
• Have a fully established ongoing risk-based monitoring program to ensure internal controls over financial reporting are maintained and that changes to business processes are documented on a timely basis and internal controls are tested.

This timeline is contingent on the level of effort required to address any gaps that will be identified in future design and operating effectiveness phases.