With the new Treasury Board Policy on Internal Control, effective April 1, 2009, departments are now required to demonstrate the measures they are taking to maintain an effective system of internal control over financial reporting (ICFR).
As part of this policy, departments are expected to conduct annual assessments of their system of ICFR, establish action plan(s) to address any necessary adjustments, and to attach to their Statement of Management Responsibility a summary of their assessment results and action plan.
Effective systems of ICFR aim to achieve reliable financial statements and to provide assurances that:
It is important to note that the system of ICFR is not designed to eliminate all risks, rather to mitigate risk to a reasonable level with controls that are balanced with and proportionate to the risks they aim to mitigate.
The maintenance of an effective system of ICFR is an ongoing process designed to identify, assess effectiveness and adjust, as required, key risks and associated key controls, as well as to monitor its performance in support of continuous improvement. As a result, the scope, pace and status of those departmental assessments of the effectiveness of their system of ICFR will vary from one organization to the other based on risks and taking into account their unique circumstances.
This document is an annex to the Royal Canadian Mounted Police’s Statement of Management Responsibility Including Internal Control Over Financial Reporting for the fiscal year 2009-2010. As required by the new Treasury Board Policy on Internal Control, effective April 1st 2009, this document provides summary information on the measures taken by the RCMP to maintain an effective system of internal control over financial reporting (ICFR). In particular, it provides summary information on the internal control assessments conducted by the RCMP as at March 31, 2010, including progress, results and related action plans along with some financial highlights pertinent to understanding the control environment unique to the RCMP.
Detailed information on the RCMP’s authority, mandate and program activities can be found in its 2009-10 Part III – Departmental Performance Reports (DPR) and 2010-11 Part III – Reports on Plans and Priorities (RPP).
Salary and Benefits:
The RCMP relies on other organizations for the processing of certain transactions that are recorded in its financial statements:
Also, the RCMP relies on the internal controls of third party suppliers which provide specific services such as member pension administration, relocation services and health service administration.
During fiscal year 2009–2010 there have been notable changes to the control environment at the RCMP.
The RCMP recognizes the importance of senior management leadership in ensuring that managers at all levels understand their roles in maintaining effective systems of ICFR and are well equipped to exercise these responsibilities effectively. The RCMP’s objective is to continually improve its internal control environment using a responsive and risk-based approach and targeted resource investment so that continuous improvement and innovation are achieved at a manageable cost.
Below are the RCMP’s key positions and committees with responsibilities for maintaining and reviewing the effectiveness of its system of ICFR.
Commissioner – The RCMP’s Commissioner, as Accounting Officer, assumes overall responsibility and leadership for the measures taken to maintain an effective system of internal control. In this role, the Commissioner chairs the RCMP’s Senior Executive Committee.
Chief Financial and Administration Officer (CFAO) – The CFAO supports and reports directly to the Commissioner and provides leadership for the coordination, coherence and focus on the design and maintenance of an effective and integrated system of ICFR, including its annual assessment. The CFAO also co-chairs the Senior Executive Committee Integrated Risk Management Sub-Committee and oversees the management of the Corporate Risk Profile. The CFAO is an ex-officio member at the Departmental Audit Committee quarterly meetings.
Deputy Commissioners – The RCMP’s senior departmental executives in charge of operations and program delivery are responsible for maintaining and reviewing effectiveness of their system of ICFR falling within their area of responsibilities.
Chief Audit Executive (CAE) – The RCMP’s CAE reports directly to the Commissioner and provides assurance through periodic internal audits, as part of a risk based audit plan, that are instrumental to the maintenance of an effective system of ICFR. The CAE is an ex-officio member at the Departmental Audit Committee quarterly meetings.
Senior Executive Committee (SEC) – As the RCMP’s central decision-making body, SEC reviews financial matters such as policy, programs and regulations, resource management and addresses issues pertaining to those groups. SEC is also constantly informed through presentations from various SEC Sub-Committees on subjects of interest and approval is sought as required.
Departmental Audit Committee (DAC) – The DAC is an advisory committee that provides objective views on the RCMP’s financial statements, risk management, control and governance frameworks and processes. It is comprised of three external members. As such, the Committee reviews the RCMP’s Corporate Risk Profile and its system of internal control, including the assessment and associated results relating to the effectiveness of the system of ICFR.
The RCMP’s control environment includes measures to help manage risk through raising awareness and providing appropriate knowledge and tools as well as developing skills. Key measures, presented under three main categories, include:
In 2004, the Government of Canada commenced an initiative to determine the ability of departments to sustain control-based audits of their financial statements, thus placing reliance on well functioning internal controls. As a result, beginning in 2006, the largest departments, including the RCMP, are formalizing their approach to managing their systems of ICFR, including audit readiness assessments and action plans.
Whether it is to support controls-based audits or meet the requirements of the Policy on Internal Control, the RCMP must be able to maintain an effective system of ICFR with the objective to provide reasonable assurance that a) transactions are appropriately authorized, b) financial records are properly maintained, c) assets are safeguarded, and d) applicable laws, regulations and policies are complied with.
Over time, this includes assessment of design and operating effectiveness of its system of ICFR leading to ensuring the ongoing monitoring and continuous improvement of the departmental system of ICFR. Such testing covers all departmental control levels including corporate or entity, general computer and business process controls.
Design effectiveness means to ensure that key control points are identified, documented, in place and aligned with risks (i.e. controls are in balance with and proportionate to the risks they aim to mitigate) and that any remediation is addressed. This includes the mapping of key processes and IT systems to the main financial statement accounts by location as applicable.
Operating effectiveness means that the application of key controls has been tested over a defined period and that any remediation is addressed.
In proceeding with our preparation for a control-based audit, the RCMP, with the assistance of an independent external consulting firm, has taken measures to assess its system of ICFR starting from its Financial Statements with a focus on the following business cycles along with the addition of General Computer Controls and Entity Level Controls:
For each of the first two cycles: Operating Expenditures – Accounts Payable & Accruals and, Revenues & Accounts Receivables, the following steps were substantially completed at our six accounting offices:
As a result of the assessment approach described above, the RCMP has developed a baseline architecture of key control points for the two cycles. As of year end 2009-10, the RCMP has completed testing of design effectiveness and is in the process of implementing remediation as required.
When completing design effectiveness testing, the RCMP updated business process documentation and validated key processes with stakeholders. It verified that the documentation processes corresponded to actual practices and any remediation requirements are in the process of being implemented. Design effectiveness also included ensuring appropriate alignment of each key control with the risks they aim to mitigate.
The RCMP also took into account information from relevant audits, including:
As a result of these assessments, the RCMP identified remediation requirements which have been or are being pursued in the following areas:
Documentation of Controls and Evidence of Controls:
Monitoring and Segregation of Duties:
The RCMP will begin the testing of the operating effectiveness of internal controls in 2010-2011. The approach will involve a risk-based testing plan that identifies key controls to be tested over a defined period of time, with the appropriate method of testing and using technology to obtain assurance where possible.
The RCMP has created a dedicated unit responsible for managing the documentation and testing of internal controls which will evolve, in the upcoming years, into a unit responsible for a well integrated risk based approach for the ongoing assessment of the RCMP’s internal controls over financial reporting. This unit will monitor any required remedial actions to its entity level, business processes and general computer controls based on lessons learned from the annual assessments and the results of internal and external audits. This includes ensuring that there is a program in place that raises awareness and understanding of the RCMP's system of ICFR at all levels and ensures that employees have the knowledge, skills and tools required to carry out their responsibilities.
Key accomplishments to date include completion of an audit readiness assessment, development of an action plan to address identified gaps, and progress towards implementation of measures to ensure the departmental ICFR are effective.
The RCMP continues to make significant progress in assessing and improving its internal control over financial reporting as is demonstrated below:
By end of 2010-2011 the RCMP plans to:
By end of 2011-2012 the RCMP plans to:
By end of 2012-2013 the RCMP plans to:
This timeline is contingent on the level of effort required to address any gaps that will be identified in future design and operating effectiveness phases.