Office of the Commissioner of Lobbying of Canada

Language selection

Annex — Assessment of Internal Control over Financial Reporting for the fiscal year ended March 31, 2024 (unaudited)

1. Introduction

The OCL maintains an effective system of Internal Control Over Financial Reporting (ICFR) with the objective to provide reasonable assurance that:

  • Transactions are appropriately authorized;
  • Financial records are properly maintained;
  • Assets are safeguarded; and,
  • Applicable laws, regulations and policies are complied with.

This document provides summary information on the measures taken by the Office of the Commissioner of Lobbying (OCL) as of March 31, 2024, to maintain this system. It includes information on progress, results and related action plans.

Detailed information on OCL’s authority, mandate, program activities and finances can be found in the 2023-24 Departmental Results Report (DRR), the 2024-25 Departmental Plan (DP) and in the OCL’s Financial Statements for 2023-24.

2. Organisational System of Internal Control over Financial Reporting

The OCL is a micro-organization with low risk associated with its system of internal control. It recognizes the importance of senior management leadership in ensuring that staff at all levels understand their role in maintaining effective systems of ICFR and are well equipped to exercise these responsibilities effectively. The OCL’s focus is to ensure risks are well managed through a responsive and risk-based control environment that enables continuous improvement and innovation.

2.1 Internal Control Management Framework

The OCL has a well-established governance and accountability structure to support organizational assessment efforts and oversight of its system of internal control. An internal control management framework, is in place and includes:

  • Organizational accountability structures to support sound financial management, including roles and responsibilities of senior managers;
  • A Code of values and ethics for employees;
  • Ongoing communication and training of OCL managers and staff on statutory requirements, and on policies and procedures for sound financial management and control; and
  • Monitoring and regular updating of internal control management, as well as providing related assessment results and action plans to the Commissioner, OCL senior management and, as applicable, OCL’s Audit and Evaluation Committee (AEC).

The AEC provides advice to the Commissioner on the adequacy and functioning of OCL’s risk management, control and governance frameworks and processes.

The OCL’s internal control framework for financial management is aligned with the federal government’s expenditure management process. Funding is controlled through a budgeting and commitment control process. Expenditures are approved at the initiation, commitment, contracting, performance certification and payment approval stages. Financial results are monitored through a monthly financial reporting process and validated by management.

The OCL’s control environment also includes measures and structures to equip staff to be able to manage risks well, through raising awareness, providing appropriate knowledge and tools and developing skills. Key measures include:

  • Governance structure and strategic direction through the Executive Management Committee (EMC) and supported by the Audit and Evaluation Committee (AEC);
  • Regular reporting of financial performance to the EMC;
  • Financial policies tailored to the OCL’s control environment and requirements of the Treasury Board Policy on Financial Management;
  • Periodic review and update of the Delegation of Financial Signing Authorities Instrument;
  • Documentation of key financial processes and related key risk and control points to support the management and oversight of the OCL’s system of ICFR;
  • Assessment of a corporate risks leading to a multi-year risk-based internal audit and evaluation plan;
  • Review of the ICFR framework with regular monitoring of basic controls, and when necessary more in-depth reviews based on risk assessment; and
  • Preparation and implementation of management actions plans in response to observations and recommendations made during the review of the effectiveness of controls.

2.2 Service arrangements relevant to financial statements

The OCL relies on other organizations to process various transactions that are recorded in its financial statements as follows:

Common Arrangements

  • Public Services and Procurement Canada (PSPC) centrally administers:
    • the payment of salaries;
    • the procurement of some goods and services;
    • provides cheque-issuing services; and
    • provides accommodation services.
  • Treasury Board of Canada Secretariat (TBS) provides information used to calculate various accruals and allowances, such as the employer’s contribution to the health and dental insurance plans. 
  • The Office of the Auditor General (OAG) provides external audit services to OCL.

Specific Arrangements

  • The Canadian Human Rights Commission (CHRC) provides a financial system platform (GX) to capture and report all financial transactions and performs financial transaction processing and reporting on behalf of OCL. The CHRC also provides compensation and procurement services to OCL, noting that procurement services were provided for only part of 2023-24 as the Parole Board of Canada (PCB) has taken on this role. The scope and responsibilities are addressed in the interdepartmental arrangement between CHRC and OCL, as well as in the attestation and summary of results prepared annually by CHRC on its ICFR as it relates to its clients. OCL relies on CHRC’s internal controls over financial reporting and the financial management system to process the financial data that has been approved, authorized and transmitted by the Office. CHRC monitors these controls using a risk-based approach. OCL is responsible to ensure that the financial reports are accurate and fairly present the financial results and position.
  • The Office of the Privacy Commissioner (OPC) hosts the OCL’s Lobbyists Registration System (LRS), its website, its desktop systems, servers and support systems on the OPC information technology (IT) infrastructure.
  • The PCB started providing procurement services to OCL during the 2023-24 fiscal year. The services provided include transaction processing, monitoring and reporting, as well as developing and implementing departmental policies and procedures, and activities that support the sound management of procurement. The OCL relies on the PBC’s internal controls over financial reporting as they relate to the procurement services provided. During this fiscal year, PBC took on the provision of procurement services to OCL, which were previously provided by CHRC under a similar arrangement. 

3. Assessment of OCL’s system of ICFR

3.1 2023-24 Assessment of ICFR

The maintenance of OCL’s system of ICFR is an ongoing process designed to identify, assess effectiveness, and adjust as required, risks and associated key controls, as well as to monitor its performance in support of continuous improvement. As a result, the scope, pace and status of the assessments of OCL’s system of ICFR is risk-based and considers the small size of the organization and the low complexity of its financial transactions.

This work includes periodic detailed assessments of the design and operating effectiveness of the system of ICFR to support a risk-based approach to ongoing monitoring and continuous improvement.

In 2022-23, the assessments resulted in two recommendations to help strengthen internal controls. The first recommendation was to strengthen the depth, strategic capacity and challenge function of the CFO role. The second recommendation was for the OCL to develop desktop procedures for processing transactions under sections 32, 33 and 34 of the Financial Administration Act (FAA) and that these procedures be published to ease training of staff and provide OCL senior management line of sight on these processes. 

OCL management agreed with the recommendations and took steps to respond. With respect to augmenting the CFO role, a similar recommendation was made in the context of the 2023-24 ICFR assessments and OCL has implemented a strong action plan which is detailed in section 3.2 below. In terms of the desktop procedures to support sections 32, 33 and 34, the OCL has a well communicated and consistently used checklist and templated approach to documenting and ensuring appropriate sign-off on all transactions related to the above sections of the FAA.

In 2023-24, assessment of OCL’s system of ICFR included the following:

  • Assessment by an external party of ICFR of key business processes, general computer controls and entity level controls a that involved updating the documentation and completing walkthroughs and testing of processes;
  • Assessment and attestation by CHRC of their ICFR as they related to financial services provided to OCL; and
  • Provision of ICFR-related information, and other relevant information such as results of audits, to the OCL Audit and Evaluation Committee (AEC) and discussion at AEC meetings.

The following section includes details and results of these assessments for 2023-24.

3.2 2023-24 Assessment Details and Results

External Review of Key Controls and Processes

As referenced above, in 2023-24, OCL contracted an external party to assess certain ICFR. This work included the operational effectiveness testing of the key controls identified within the following financial management processes: 1) management of assets and inventories, 2) procurement of goods, services and services, and payments to suppliers and 3) budgeting and forecasting. The external party also documented OCL entity level controls. 

The assessment concluded that because of the small size of the of the OCL, the low complexity nature of its financial transactions, and the proximity of the CFO to the various processes and the relevant process actors, there is strong evidence of process activities being performed in accordance with Treasury Board financial management policies and procedures.

One recommendation was made:

  • OCL to ensure that both a sufficient financial strategic capacity and a challenge function remain available to the Commissioner to mitigate the eventuality of a prolonged absence of the CFO. Mitigation steps could include in-house reviews and/or the hiring of senior financial advisory services to perform challenge functions and key financial reviews and address strategic financial matters which may result from audits and/or financial reporting requirements.

In a prepared Management Response, OCL management has agreed with the recommendation. In its response, OCL management stated being aware of this risk for the past several years and has taken actions over that time to ensure that operational, financial and strategic capacity as well as a robust challenge function are available to the Commissioner on a regular basis and in the event of a prolonged absence of the CFO. 

In terms of actions taken, the OCL has provided for greater support and oversight over the day-to-day activities of the finance function by changing the reporting relationship of the Director Finance and Chief Financial Officer (CFO). Specifically, this position now reports to the Executive Director, Corporate Services. However, the role of the CFO continues to report directly to the Commissioner for all financial matters. Moreover, the OCL engaged a senior financial advisor to provide advice and support on a temporary and as needed basis and has also confirmed that the Office of the Comptroller General of Canada has a list of qualified replacements for the CFO role that the OCL can readily access if needed. 

CHRC Assessment and Attestation

The Canadian Human Rights Commission (CHRC) provides services in the areas of financial management, information technology, human resources system access, procurement advice (part of 2023-24 only as PBC is now the procurement service provider) and a financial system platform to capture and report all financial transactions. CHRC has the responsibility of verifying and processing financial information received from the Office that is entered in the financial system. As a result, the Office relies on CHRC’s internal controls over financial reporting to process the financial data that has been approved, authorized and transmitted by the Office.

During 2023-24, CHRC, as a service provider, assessed its ICFR. The assessment considered the controls in place at CHRC in providing services to various clients, including OCL. Consequently, the testing of internal controls over financial reporting included transactions processed for OCL. 

Key conclusions of the assessment included:

  • New or significantly amended key controls. 
    • There were no significantly amended key controls in existing processes that required a reassessment. 
  • Design and Operating Effectiveness of Controls for Business Processes. 
    • Documentation of business processes and controls was reviewed and updated to ensure that they represent the current processes and controls in place.
    • With the walkthrough and the testing of key controls, operating effectiveness was reassessed for the purchase to payments, financial reporting, CFO attestation, and asset management business processes.
    • The assessment revealed that the purchase to payments and financial reporting business processes were strong and operating effectively.
    • The CFO attestation business process was also assessed as acceptable, but only design effectiveness testing could be performed since there were no Treasury Board Submissions in 2023-24 to assess.
    • Testing of the asset management process did reveal some need for improvement, and CHRC is actively implementing the recommendations with the expectation that further testing will be performed in this area in 2024-25.
  • Operating Effectiveness of Information Technology General Controls (ITGCs). 
    • The documentation of the key controls in place and the operating effectiveness of information technology general controls (ITGCs) were reassessed in the area of IT security and Application development and change control.
    • The assessment revealed that key controls were found to be generally appropriate, however there remains room for improvement with respect to removing IT network access for users who have left the department and client organizations. CHRC is actively reviewing and updating this process to ensure that user access is removed in a timely manner.

CHRC has provided OCL with an attestation concerning the 2023-24 assessment of their internal controls.

AEC Review and Discussions

In 2023-24, the OCL AEC carried out the following activities related to the functioning of internal controls, risk management and governance processes:

  • At each regular AEC meeting, the Commissioner and the Chief Audit Executive (CAE)/CFO were asked whether there were any irregularities, including fraud or management override, that they wished to disclose. There were none.
  • During the reporting period, the Chair was in regular contact with the Commissioner and the CAE/CFO.
  • OCL’s Quarterly Financial Statements were reviewed by external members before they were published. Questions were asked of the CFO/CAE and answers were provided.
  • External members met with the Office of the Auditor General (OAG) Principal responsible for the audit of OCL’s FY 2023-24 financial statements, including an in-camera meeting.
  • The AEC met with the external party that carried out the ICFR assessments mentioned above and was briefed on the results and recommendation. The AEC also reviewed the management response and action plan.

The AEC will continue to follow closely the work of OCL in assessing and monitoring its ICFM and ICFR processes.

Other Considerations- OAG Audit of OCL’s Financial Statements

The OCL’s 2023-24 financial statements were audited by the OAG of Canada. While the audit did not specifically examine OCL’s internal controls, the OAG’s auditors did not identify opportunities for changes in procedures that would improve the systems of internal control. OCL received an unqualified opinion on its financial statements for 2023-2024. 

As outlined in the OCL Multi-Year Risk-Based Audit and Evaluation Plan, an audit of procurement activities was carried out in 2023-24, covering the timeframe of 2022 to 2024.  The AEC met with the external auditor who conducted the audit to review the findings as well as management’s response and action plan.

With respect to internal controls, the audit noted a commendable level of compliance and diligence in procurement procedures on the part of the OCL, including diligent record keeping, appropriate segregation of duties, and processes that ensure efficiency, effectiveness, and compliance with regulatory requirements. The audit also noted non-compliance with authorities whereby OCL exceeded the contracting limit identified in its delegation of signing authorities matrix. That limit should have been higher and action by the OCL to adjust the limit to appropriate levels has since been completed. Management also committed to updating its procurement guide for employees and to ensuring that OCL management team receives periodic procurement reporting (i.e., - trends in types of arrangements) from the PCB to allow for greater oversight. 

4. Action plan

4.1 Progress as of March 31, 2024

Overall, during 2023-24, the OCL made progress in improving its system of ICFR.  

As outlined in section 3, the OCL continued its risk-based approach to on-going monitoring of ICFR with a focus in 2023-24 on the Management of Assets and Inventories, Budgeting and Forecasting, Procurement of Goods and Services and Payment to suppliers, and documentation of Entity Level Controls.

The OCL also reviewed and confirmed the relevance of the risks identified in its Corporate Risk Profile which informed its multi-year planning for ICFR, ICFM and for its RBAEP.  

An updated multi-year, risk based ICFR-ICFM plan was developed by management and reviewed by the AEC. 

4.2 Action plan for the next fiscal year and subsequent years

In fiscal year 2024-25, the OCL will continue to strengthen its internal control management framework by: 

  • Continuing on-going monitoring of its core controls by a third party according to its risk based, multi-year ICFM/ICFR plan (three-year plan is provided below);
  • Developing an approach to leveraging the Small Department Core Control Self-Assessment Tool designed by the Office of the Comptroller General to assess core controls.
  • Strengthening reporting on procurement trends and oversight of related controls; and
  • Conducting internal audits according to its multi-year RBAEP.

4.3 ICFM Monitoring Plan for the next fiscal year and subsequent years

Core Control
Control area 2024-25 2025-26 2026-27
ICFM
Financial Planning, Budgeting and Forecasting (support of senior management decision making)  X (see note 1) X (see note 1)  
Payroll and salary management process     X
ICFR
Entity Level Controls  X    
IT General Controls (i.e., administration of password, access limited to as needed)     X
Acquisition cards   X  
Delegation of Authorities X (see note 2)    
Financial Management Governance   X  
Pay administration     X

Note 1: This control assessment will be conducted over two years. In 2024-25 the focus will be the implementation of new forecasting functionality, introduced in 2023-24 (i.e., - training, documentation, extent of up take in its use, etc.). In 2025-26 a full assessment is planned that will include the design and operating effectiveness testing of the planning, budgeting and forecasting process and an assessment of the extent to which the process is enabling and supporting sound resource management and decision making.

Note 2: The 2023-24 Audit of Procurement included a finding relating to an error in procurement delegations. Procurement delegations will be included in the scope of the internal control assessment of OCL’s delegation of authorities.

Date modified: