Annex — Assessment of Internal Control over Financial Reporting for the fiscal year ended March 31, 2023 (unaudited)

1. Introduction

The OCL maintains an effective system of ICFR with the objective to provide reasonable assurance that:

• Transactions are appropriately authorized;
• Financial records are properly maintained;
• Assets are safeguarded; and,
• Applicable laws, regulations and policies are complied with.

This document provides summary information on the measures taken by the Office of the Commissioner of Lobbying (OCL) as of March 31,2023, to maintain this system. It includes information on progress, results and related action plans.

Detailed information on OCL’s authority, mandate, program activities and finances can be found in the 2022-23 Departmental Results Report (DRR), the 2023-24 Departmental Plan (DP) and in the OCL’s Financial Statements for 2022-23.

2. Organisational System of Internal Control over Financial Reporting

The OCL is a small entity with low risk associated with its system of internal control. It recognizes the importance of senior management leadership in ensuring that staff at all levels understand their role in maintaining effective systems of ICFR and are well equipped to exercise these responsibilities effectively. The OCL’s focus is to ensure risks are well managed through a responsive and risk-based control environment that enables continuous improvement and innovation.

2.1 Internal Control Management Framework

The OCL has a well-established governance and accountability structure to support organizational assessment efforts and oversight of its system of internal control. An internal control management framework, is in place and includes:

• Organizational accountability structures to support sound financial management, including roles and responsibilities of senior managers.
• An employee code of values and ethics.
• Ongoing communication and training of OCL managers and staff on statutory requirements, and on policies and procedures for sound financial management and control; and
• Monitoring of and regular updates on internal control management, as well as the provision of related assessment results and action plans to the Commissioner and OCL senior management and, as applicable, OCL’s Audit and Evaluation Committee (AEC).

The AEC provides advice to the Commissioner on the adequacy and functioning of OCL’s risk management, control and governance frameworks and processes.

The OCL’S internal control framework for financial management is aligned with the federal government’s expenditure management process. Funding is controlled through a budgeting and commitment control process. Expenditures are approved at the initiation, commitment, contracting, performance certification and payment approval stages. Financial results are monitored through a monthly financial reporting process and validated by management.

The OCL’s control environment also includes measures and structures to equip staff to be able to manage risks well, through raising awareness, providing appropriate knowledge and tools and developing skills. Key measures include:

• Governance structure and strategic direction through the Executive Management Committee (EMC) and supported by the Audit and Evaluation Committee (AEC);
• Regular reporting of financial performance to the EMC;
• Financial policies tailored to the OCL’s control environment and requirements of the Policy on Financial Management;
• Periodic review and update of the Delegation of Financial Signing Authorities Instrument;
• Documentation of key financial processes and related key risk and control points to support the management and oversight of the OCL’s system of ICFR;
• Completion of a corporate risk profile leading to a multi-year risk-based internal audit and evaluation plan;
• Review of ICFR framework with regular monitoring of basic controls, and when necessary more in-depth reviews based on risk assessment;
• Preparation and implementation of management actions plans in response to observations and recommendations made during the review of the effectiveness of controls.

2.2 Service arrangements relevant to financial statements

The OCL relies on other organizations to process various transactions that are recorded in its financial statements as follows:

Common Arrangements

• Public Services and Procurement Canada (PSPC) centrally administers:
  • the payment of salaries;
  • the procurement of some goods and services; and
  • provides cheque-issuing services; and
  • provides accommodation services.
• Treasury Board of Canada Secretariat (TBS) provides information used to calculate various accruals and allowances, such as the employer’s contribution to the health and dental insurance plans.
• The Office of the Auditor General provides audit services to OCL.

Specific Arrangements

• The Canadian Human Rights Commission (CHRC) provides a financial system platform (GX) to capture and report all financial transactions and performs financial transaction processing and reporting on behalf of OCL. The CHRC also provides Compensation Services. The scope and responsibilities are addressed in the interdepartmental arrangement between CHRC and OCL, as well as in the attestation and summary of results prepared annually by CHRC on its ICFR as it relates to its clients. OCL relies on CHRC’s internal controls over financial reporting and the financial management system to process the financial data that has been approved, authorized and transmitted by the Office. CHRC monitors these controls using a risk-based approach. OCL is responsible to ensure that the financial reports are accurate and fairly present the financial results and position.
• The Office of the Privacy Commissioner (OPC) hosts the OCL’s Lobbyists Registration System (LRS), its website, its desktop systems, servers and support systems on the OPC information technology (IT) infrastructure.

3. Assessment of OCL’s system of ICFR

3.1 2022-23 Assessment of ICFR

The maintenance of OCL’s system of ICFR is an ongoing process designed to identify, assess effectiveness and adjust as required key risks and associated key controls, as well as to monitor its performance in support of continuous improvement. As a result, the scope, pace and status of those assessments of the effectiveness of their system of ICFR are based on risks and consider the size of the organization.

Over time, this includes periodic detailed assessment of the design and operating effectiveness of the system of ICFR for various components leading towards an enhanced, ongoing monitoring and continuous improvement.

In 2022-23, assessment of OCL’s system of ICFR included the following:

• Assessment by an external party of ICFM and ICFR processes to update the documentation and complete walkthroughs for entity-level controls, general computer and business controls and make recommendations as appropriate.
• Assessment and attestation by CHRC of their ICFR as they related to financial services provided to OCL
• Provision of ICFR-related information to the OCL Audit and Evaluation Committee and discussion at AEC meetings

The following section includes details and results of these assessments for 2022-23.

3.2 2022-23 Assessment Details and Results

External Review of Key Controls and Processes

As referenced above, in 2022-23, OCL contracted an external party to assess its ICFM-ICFR business processes. This work included the design effectiveness testing (DET) of seven financial management business processes, as well as operating effectiveness testing (OET) on user access management of Information Technology General Controls (ITGCs). A third element of the contract was to develop an enhanced monitoring plan.

The assessment concluded that because of the size of the of the OCL and the proximity of the CFO to the various business process groups, their process level controls and the relevant process actors, there is strong evidence of process activities being performed in accordance with TBS financial management policies and procedures. In addition, there are multiple compensating controls to ensure key process level controls as a whole operate effectively.

Two recommendations were made:

• The first is linked to depth of capacity to provide both an effective challenge function and support to the CFO.
• The second recommends that version-controlled desktop procedures be formalized and published for processing transactions under Sections 32, 33 and 34 pursuant to the FAA to ensure efficient repeatability of process activities, to ease internal training activities when required and to provide OCL senior management line-of-sight into key control activities

OCL management will consider how best to address these recommendations during 2023-24.

CHRC Assessment and Attestation

The Canadian Human Rights Commission (CHRC) provides services in the areas of financial management, information technology, human resources system access, procurement advice and a financial system platform to capture and report all financial transactions. CHRC has the responsibility of verifying and processing financial information received from the Office that is entered in the financial system. As a result, the Office relies on CHRC’s internal controls over financial reporting to process the financial data that has been approved, authorized and transmitted by the Office.

During 2022-23 CHRC conducted an assessment of its ICFR. The 2022-23 assessment considered the controls in place at CHRC in providing services to various clients, including OCL. Consequently, the testing of internal controls over financial reporting included transactions processed for OCL. Key conclusions of the assessment included:

• All contracting, pay administration, budgeting & forecasting and financial reporting business processes were strong and operating effectively.
• Overall, the audit found that key internal controls over the audited business processes were operating effectively, but some reliance on the Phoenix system still requires improvements.
• IT general controls at CHRC related to systems are generally appropriate and can be relied upon.

CHRC has provided OCL with an attestation concerning the 2022-23 assessment of their internal controls.

AEC Review and Discussions

In 2022-23, the OCL AEC carried out the following activities related to the functioning of internal controls, risk management and governance processes:

• At each regular AEC meeting, the Commissioner and the Chief Audit Executive (CAE)/CFO were asked whether there were any irregularities, including fraud or management override, that they wished to disclose. There were none.
• During the reporting period, the Chair was in regular contact with the Commissioner and the CAE/CFO.
• OCL’s Quarterly Financial Statements were reviewed by external members before they were published. Questions were asked of the CFO and answers were provided.
• External members met in-camera with the OAG Principal responsible for the audit of OCL’s FY 2022-23 financial statements, including an in-camera meeting.
• The AEC was briefed on the work of the consultant that carried out the external ICFM and ICFR review mentioned above.

The AEC will continue to follow closely the work of OCL in assessing and monitoring its ICFM and ICFR processes.

Other Considerations- OAG Audit of OCL’s Financial Statements

The OCL’s 2022-23 financial statements were audited by the Office of the Auditor General of Canada. While the audit did not specifically examine OCL’s internal controls, the OAG’s auditors did not identify opportunities for changes in procedures that would improve the systems of internal control. OCL received an un-modified opinion on its financial statements for 2022-2023.

5. Action plan

5.1 Progress as of March 31, 2023

During 2022-23, the OCL made ongoing progress in improving its system of ICFR as summarized below:

• The OCL updated its control systems and practices to align with new Treasury Board requirements (those that apply to OCL as an independent Agent of Parliament) and is committed to enhance ongoing monitoring and to a cyclical approach to audit of ICFM/ICFR processes beginning in FY 2023-24.
• The OCL has continued to improve its monthly financial situation reports to strengthen financial forecasting, management decision-making and project management delivery.

5.2 Action plan for the next fiscal year and subsequent years

In fiscal year 2023-24, the OCL will continue to strengthen its internal control management framework by:

• Completing operating effectiveness testing of its core controls by a third party;
• Developing capacity through which effective cyclical ongoing ICFM/ICFR monitoring can be implemented; and
• Assessing how it can apply the Small Department Core Control Self-Assessment Tool designed by the Office of the Comptroller General. The purpose of the tool is to provide management with a means to assess, and improve, a subset of financial management controls through a cyclical review.

5.3 ICFM Monitoring Plan for the next fiscal year and subsequent years