Annex to the Statement of Management Responsibility including Internal Control over Financial Reporting – Royal Canadian Mounted Police – Fiscal year 2012-2013

1. Introduction

This document provides summary information on the measures taken by the Royal Canadian Mounted Police (RCMP) to maintain an effective system of internal control over financial reporting (ICFR) including information on internal control management and assessment results and related action plans.

Detailed information on the RCMP's authority, mandate and program activities can be found in the Departmental Performance Report and Report on Plans and Priorities.

2. RCMP's control environment relevant to ICFR

The RCMP recognizes the importance of setting the tone from the top and helping to ensure that staff at all levels understand their role in maintaining an effective system of ICFR, and it is well equipped to exercise these responsibilities effectively. The RCMP's focus is to ensure risks are managed well through a responsive and risk-based control environment that enables continuous improvement and innovation.

2.1 Key positions, roles and responsibilities

The following are the RCMP's key positions and committees with responsibilities for maintaining and reviewing the effectiveness of its system of ICFR.

Commissioner The RCMP's Commissioner, as Accounting Officer, assumes overall responsibility and leadership for the measures taken to maintain an effective system of internal control. In this role, the Commissioner chairs the RCMP's Senior Executive Committee.

Chief Financial and Administration Officer (CFAO) The CFAO supports and reports directly to the Commissioner and provides leadership for the coordination, coherence and focus on the design and maintenance of an effective and integrated system of ICFR, including its annual assessment. The CFAO is an ex-officio member at the Departmental Audit Committee quarterly meetings.

Deputy Commissioners The RCMP's senior departmental executives in charge of operations and program delivery are responsible for maintaining and reviewing effectiveness of their system of ICFR falling within their area of responsibilities.

Chief Audit Executive (CAE) The RCMP's CAE reports directly to the Commissioner and through the work of his Internal Audit staff contributes to the effectiveness and adequacy of the RCMP's system of internal control by conducting periodic risk-based audits of different areas of the RCMP's operations. The CAE considers the system of ICFR in the annual risk-based planning process. The CAE is an ex-officio member at the Departmental Audit Committee quarterly meetings.

Senior Executive Committee (SEC) The SEC is the senior decision-making committee of the RCMP. It provides strategic direction and oversight to support the achievement of the Department's three strategic outcomes.

Senior Policy Committee (SPC) The SPC is the senior-level forum for discussing and deliberating significant RCMP policy, program and planning proposals developed by, or impacting, the RCMP. The SPC is responsible for examining horizontal policy, program and planning proposals, and Cabinet business brought forward by business and service lines and makes recommendations to the Senior Executive Committee (SEC). The policy committee will also review and discuss significant risk issues and ensure horizontal collaboration in the development of appropriate risk treatment strategies.

Departmental Audit Committee (DAC) The DAC is an independent advisory committee that provides objective views on the RCMP's risk management, control and governance frameworks and processes. It is comprised of three external members. The Committee reviews the RCMP's Corporate Risk Profile and its system of internal control, including the assessment and action plans relating to the system of ICFR.

2.2 Key measures taken by the RCMP

The RCMP's control environment also includes a series of measures to equip its staff to manage risk well through raising awareness, providing appropriate knowledge and tools as well as developing skills. Key measures include:

Governance:

• A departmental internal control management framework;
• An Office of Professional Integrity, under the Commissioner;
• A monitoring process to track progress on strategic managerial objectives and projects;
• A Corporate Risk Profile that is updated on a regular basis;
• A Senior Policy Committee that oversees Integrated Risk Management;
• Regular reviews of the delegated authorities matrices to meet operational needs of the organization;
• Annual employee performance agreements and learning plans with clear financial management responsibilities for budget holders;
• A risk-based internal audit plan with input requested from each member of the Senior Executive Committee (SEC) before the risk-based audit plan is adopted;
• A Regional Letter of Representation is signed by the Corporate Management Officer (CMO) in each region as confirmation they have maintained a system of internal control designed to provide reasonable assurance that financial information is reliable; and
• A Treasury Board approved departmental Investment Plan, updated annually, to ensure sound stewardship of asset and acquired services.

Oversight:

• Centralized and Regional Internal Control Units within the Corporate Management portfolio dedicated to the documentation, design and operating effectiveness of ICFR under the CFAO functional authority;
• Working groups devoted to addressing control weaknesses identified as a part of the implementation of the Policy on Internal Control and the Audit Readiness Assessment; and
• Quarterly Departmental Audit Committee meetings.

Capacity:

• Training and regular communication to employees on core areas of financial management including internal controls;
• Mandatory Canada School of Public Service financial courses are incorporated in the learning plan of financial specialists to ensure a skilled workforce; and
• Hiring through the Financial Officer Recruitment and Development (FORD) Program and the Chartered Accountant Student Training (CAST) Program where employees are exposed to key aspects of governmental finance in order to develop a competent and knowledgeable workforce.

2.3 Service arrangements relevant to financial statements

The RCMP relies on other organizations for the processing of certain transactions that are recorded in its financial statements as follows:

Common Arrangements:

• Public Works and Government Services Canada (PWGSC) centrally administers the payments of salaries and benefits under two different pay systems: Regional Pay System (RPS) for Public Servants and Member Pay System (MPS) for Regular and Civilian Members of the RCMP. PWGSC also provides for the procurement of some goods and services as well as the provision of accommodations on behalf of the RCMP;
• The Treasury Board Secretariat provides the RCMP with information used to calculate various accruals and allowances such as accrued severance liability;
• The Department of Justice provides legal services to the RCMP; and
• Shared Services Canada (SSC) manages IT general controls in the areas of email, data centre and network services.

Specific Arrangements:

• An external service provider, pursuant to a contract with the Government of Canada, administers the member pension administration on behalf of the RCMP. The external service provider has the authority and responsibility to ensure that transactions and payments are made in accordance with the Terms and Conditions set out by the Department. As a result, reliance is placed on the control procedures of the external service provider.

3. Departmental assessments results during fiscal year 2012-13

During 2012-13, the RCMP was able to complete the design effectiveness testing and operating effectiveness testing for most of the remaining business processes. This work was completed through the contracted services of an independent firm. Ongoing monitoring was implemented as planned.

3.1 Design effectiveness testing of key controls

In the current year, the RCMP completed design effectiveness testing for Entity Level controls, IT general controls and Financial Closing and Reporting and substantially advanced the design effectiveness for Tangible Capital Assets. Remediation of key control deficiencies are substantially advanced in these control areas based on level of risk.

As a result of design effectiveness testing, the RCMP identified the following in need of remediation based on a moderate level of risk:

• Finalization of Service Level Agreements (SLA) within the RCMP between the Chief Informatics Officer (CIO) and the business systems owners; and
• Monitoring expired financial signing authority training to ensure timely recertification.

3.2 Operating effectiveness testing of key controls

In 2012-13, the RCMP performed operating effectiveness testing for all business processes completed in previous years as well as the processes completed during the current fiscal year. Required remediation based on high and moderate levels of risk are still in progress for the following controls:

• ITGC improvements are needed in three of the main control criteria evaluated: Security (access to programs and data), change management and computer operations; and
• Entity Level controls improvement was identified in the area of employee departure process to ensure notification of termination is communicated to branches responsible for providing assets to staff.

Action plans are tracked to ensure improvement in these areas. Progress is reported to senior management and the Departmental Audit Committee.

3.3 Ongoing monitoring of key controls

In the current year, the department completed planned ongoing monitoring of Payroll and Benefits for Members and Non-Members, Operating Expenditures and Revenue controls.

As a result of ongoing monitoring, the RCMP identified the following remediation requirements based on level of risk:

• Amendment of the Member and Non-Member Payroll and Benefits documentation and controls is needed to reflect centralization of pay compensation services within the RCMP for Members and consolidation of pay compensation services at Public Works and Government Services Canada (PWGSC Miramichi) for Public Servants.

4. Departmental Action Plan

4.1 Progress during fiscal year 2012-13

During 2012-13, the RCMP has continued to make significant progress in assessing and improving its key controls. The following is a summary of the main progress made by the Department based on the plans identified in the previous fiscal year's annex:

Element in previous year's action Plan	Status
Entity Level Controls design and operating effectiveness testing and remediation	Design and operating effectiveness testing completed with remediation of operating effectiveness deficiencies substantially advanced based on level of risk.
IT General Computer Controls design and operating effectiveness testing and remediation	Design and operating effectiveness testing completed with remediation of deficiencies substantially advanced based on level of risk.
Tangible Capital Assets design and operating effectiveness testing and remediation	Design effectiveness substantially advanced in 2012-13 and completed in July 2013. Remediation based on level of risk is needed prior to completion of operating effectiveness testing.
Financial Closing and Reporting design and operating effectiveness testing and remediation	Design and operating effectiveness testing completed with remediation of deficiencies substantially advanced based on level of risk.

4.2 Status and action plan for the next fiscal year and subsequent years

Building on progress to date, the Department is positioned to complete the full assessment of its system of ICFR in 2013-14 with the exception of Pension Plan Liabilities. The delay in completing this last business process is due to the transfer of the RCMP Member Pension Plan from a private sector administrator to Public Works and Government Services Canada (PWGSC) in 2013-14. Pending the completion of the Pension Plan business process cycle, the RCMP is applying its rotational ongoing monitoring plan to reassess control performance on a risk-based approach across all control areas. Depending on the risk of specific key controls within a business process, the RCMP will test certain ones monthly, others annually or every second or third year. The status and three-year action plan for the completion of the identified control areas for the next fiscal year 2013-14 and the subsequent years 2014-15 and 2015-16 is as follows:

Key Control Areas	Assessment element: Design effectiveness testing and remediation	Assessment element: Operational effectiveness testing and remediation	Assessment element: Ongoing monitoring rotation Footnote 1
Operating Expenditures	Complete	Complete	2013-14 (every year)
Revenue / accounts receivable	Complete	Complete	2013-14 (every year)
Payroll and Benefits Non-Members	Complete	Complete	2013-14 (every year)
Payroll and Benefits Members	Complete	Complete	2013-14 (every year)
Entity Level Controls	Complete	Complete	2013-14 (every year)
IT general controls under departmental management	Complete	Complete	2013-14 (every second year)
Financial Closing and Reporting	Complete	Complete	2013-14 (every year)
Tangible Capital Assets	Advanced	2013-14	2014-15 (every year)
Transfer Payments	2013-14	2013-14	2014-15 (every year)
Inventory	2013-14	2013-14	2014-15 (every year)
Pension Plan Liabilities	2014-15	2014-15	2015-16 (every year)