Annex to the Statement of Management Responsibility Including Internal Control over Financial Reporting For the fiscal year ending March 31, 2012

Annex to the
Statement of Management Responsibility Including Internal Control over Financial Reporting
Infrastructure Canada
For the fiscal year ending March 31, 2012

With the Treasury Board Policy on Internal Control, effective April 1, 2009, departments are now required to demonstrate the measures they are taking to maintain an effective system of internal control over financial reporting (ICFR).

As part of this policy, departments are expected to conduct annual assessments of their system of ICFR, establish action plans to address any necessary adjustments, and to attach to their Statements of Management Responsibility a summary of their assessment results and action plan.

Effective systems of ICFR aim to achieve reliable financial statements and to provide assurances that:

• Transactions are appropriately authorized;
• Financial records are properly maintained;
• Assets are safeguarded from risks such as waste, abuse, loss, fraud and mismanagement; and
• Applicable laws, regulations and policies are complied with.

It is important to note that the system of ICFR is not designed to eliminate all risks, rather to mitigate risk to a reasonable level with controls that are balanced with and proportionate to the risks they aim to mitigate.

The maintenance of an effective system of ICFR is an ongoing process designed to identify, assess effectiveness and adjust as required key risks and associated key controls, as well as to monitor its performance in support of continuous improvement. As a result, the scope, pace and status of those departmental assessments of the effectiveness of their system of ICFR will vary from one organization to the other based on risks and taking into account their unique circumstances.

1. Introduction

This document is an annex to Infrastructure Canada's Statement of Management Responsibility Including Internal Control over Financial Reporting for the fiscal-year 2011-2012. As required by the Treasury Board Policy on Internal Control, effective April 1, 2009, this document provides summary information on the measures taken by Infrastructure Canada to maintain an effective system of ICFR. In particular, it provides summary information on the internal control assessments conducted by Infrastructure Canada as at March 31, 2012, including progress, results and related action plans along with some financial highlights pertinent to understanding the control environment unique to Infrastructure Canada.

1.1 Authority, Mandate and Program Activities

Detailed information on the Department's authority, mandate and program activities can be found in the Report on Plans and Priorities and Departmental Performance Report.

1.2 Financial highlights

Financial statements (unaudited) of Infrastructure Canada for fiscal-year 2011-2012 can be found at Infrastructure Canada. Information can also be found in the Public Accounts of Canada.

• Total expenses were $4.419B.
  • 98.6% of total expenses ($4.356B) were spent on Transfer Payments (contributions).
  • Infrastructure Canada has approximately 360 employees, with Salary costs ($36.489M) representing approximately 0.8% of total expenses.
• Financial assets included accounts receivable of $178.956M (24.7% of financial assets)
  • 99.9% of accounts receivable ($178.947M) related to Transfer Payments.
• Tangible capital assets consist mostly of informatics hardware and software.
• Total liabilities were $696.796M.
  • Accounts payable and accrued liabilities represent $691.249M (99.2%) of total liabilities.
• Infrastructure Canada has a significant number of information systems that are critical to its operations and financial reporting such as SAP (Systems, Applications, and Products in data processing).

1.3 Service arrangements relevant to financial statements

Infrastructure Canada relies on other organizations for the processing of certain transactions that are recorded in its financial statements:

Common Arrangements:

• PWGSC centrally administers the payments of salaries and the procurement of some goods and services.
• Government-wide pay and Receiver General central systems administered by PWGSC. The central systems consist of six individual systems: Standard Payment System (SPS), Government Banking System (GBS), Regional Pay System (RPS), Payroll System-General Ledger (PS-GL), Receiver General-General Ledger (RG-GL), and the Central Financial Management Reporting System (CFMRS).
• The Treasury Board Secretariat provides Infrastructure Canada with information used to calculate various accruals and allowances, such as the accrued severance liability and employee benefit plan, and pays the employer's contribution to the health and dental insurance plans.
• The Department of Justice provides legal services to Infrastructure Canada.
• Shared Services Canada (SSC) was created on August 4, 2011 to consolidate, streamline and improve the government's information technology (IT) infrastructure services, specifically email, data centre and network services for 42 federal departments and agencies. Effective November 15, 2011, the responsibility for email, data centre, and network services, including associated resources, was transferred from Infrastructure Canada to SSC. The administration and delivery of these services were shared during the 2011-12 transition period while SSC was being established.

Specific Arrangements:

• Industry Canada provides system support for the Integrated Financial Management System (IFMS), the departmental financial management system
• PWGSC provides pay compensation services to Infrastructure Canada.
• Federal delivery partners (Transport Canada, Atlantic Canada Opportunities Agency, Western Economic Diversification Canada, Federal Economic Development Agency for Southern Ontario, l'Agence de développement économique du Canada pour les régions du Québec, and the Canadian Northern Economic Development Agency) manage certain contribution programs on behalf of Infrastructure Canada.

1.4 Material changes in fiscal-year 2011-2012

Su Dazé was appointed to the position of Infrastructure Canada's Chief Financial Officer in September, 2011. John Forster left the position of Infrastructure Canada's Associate Deputy Minister in January, 2012. The position remained vacant as of March 31, 2012.

2. The Department's control environment relevant to ICFR

Infrastructure Canada recognizes the importance of senior management leadership in ensuring that staff at all levels understand their roles in maintaining effective systems of ICFR and are well-equipped to exercise these responsibilities effectively. Infrastructure Canada's focus is to ensure risks are well-managed through a responsive and risk-based control environment that enables continuous improvement and innovation.

2.1 Key positions, roles and responsibilities

Below are Infrastructure Canada's key positions and committees with responsibilities for maintaining and reviewing the effectiveness of its system of ICFR.

Deputy Head – Infrastructure Canada's Deputy Head, as Accounting Officer, assumes overall responsibility and leadership for the measures taken to maintain an effective system of internal control. In this role, the Deputy Head sits as an ex-officio member of the Departmental Audit Committee. In addition, the Deputy Head is the chairperson of the Departmental Management Committee.

Associate Deputy Minister - The Associate Deputy Minister reports directly to the Deputy Head. In this role, the Associate Deputy Minister is the primary support to the Deputy Head in discharging her obligations as Accounting Officer and for ensuring that an effective system of ICFR is in place and functioning as intended. In the Deputy Head's absence, the Associate Deputy Minister is the chairperson of the Departmental Management Committee.

Chief Financial Officer (CFO) – Infrastructure Canada's CFO reports directly to the Deputy Head and provides leadership for the coordination, coherence and focus on the design and maintenance of an effective and integrated system of ICFR, including its annual assessment. The CFO's responsibilities also include management of Infrastructure Canada's Corporate Risk Profile.

Senior Departmental Managers – Infrastructure Canada's senior departmental managers in charge of program delivery are responsible for maintaining and reviewing the effectiveness of the system of ICFR falling within their area of responsibility.

Chief Audit Executive (CAE) – Infrastructure Canada's CAE reports directly to the Deputy Head and provides assurance through periodic internal audits which are instrumental to the maintenance of an effective system of ICFR.

Departmental Audit Committee (DAC) – The DAC is an advisory committee that provides objective views on the departments risk management, control and governance frameworks. It is comprised of four external members. As such, it reviews Infrastructure Canada's Corporate Risk Profile and its system of internal control, including the assessment and action plans relating to the system of ICFR.

Departmental Management Committee (DMC) – As Infrastructure Canada's central decision-making body, the DMC reviews, approves and monitors the Corporate Risk Profile and the departmental system of internal control, including the assessment and action plans relating to the system of ICFR.

2.3 Key measures taken by Infrastructure Canada

Infrastructure Canada's control environment incorporates a series of measures to equip its staff to manage risks through raising awareness, providing appropriate knowledge and tools, as well as developing skills. Key measures include:

• Governance and strategic direction: Departmental Management Committee (DMC), Departmental Audit Committee (DAC), People Management Committee (PMC), Investment Planning Committee, various external stakeholder committees;
• Public service values: Infrastructure Canada's Code of Conduct; Conflict of Interest and Post-Employment Guidelines; Integrity Officer (shared with Transport Canada);
• Policies and programs: Program Activity Architecture (PAA); departmental procedures tailored to Infrastructure Canada's control environment; a Delegations of Authority Instrument and Matrix;
• People: departmental integrated Business and Human Resources Plan, supported by integrated Business and Human Resources Plans for each branch;
• Asset Management: Investment Plan; Information Management and Information Technology Steering Committee;
• Risk Management: Corporate Risk Profile, Transfer Payment Program Risk Management Frameworks; Chief Risk Officer reporting through the Chief Financial Officer organization; a function under the Chief Financial Officer organization dedicated to internal control over financial reporting;
• Accountability: Annual performance agreements which clearly set out senior management's financial management responsibilities; training and communication efforts in core areas of financial management; and
• Internal Audit: a risk-based audit plan.

3. Assessment of Infrastructure Canada's system of ICFR

3.1 Assessment baseline

In support of the Policy on Internal Control, Infrastructure Canada must be able to maintain an effective system of ICFR with the objective to provide reasonable assurance that:

• Transactions are appropriately authorized and recorded in accordance with the Financial Administration Act;
• Financial records are properly maintained;
• Assets are safeguarded; and
• Applicable laws, regulations and policies are complied with.

Over time, this includes assessment of the design and operating effectiveness of the system of ICFR leading to ensuring the on-going monitoring and continuous improvement of the departmental system of ICFR.

Design effectiveness means to ensure that key control points are identified, documented, and in place, that they are aligned with the risks they aim to mitigate and that any required remediation is addressed. This includes the mapping of key business processes and Information Technology (IT) systems to the main financial statement accounts.

Operating effectiveness means that the application of key controls has been tested over a defined period and that any required remediation is addressed.

Ongoing monitoring program means that a systematic, integrated approach to monitoring is in place, including periodic risk-based assessments and timely remediation.

3.2 Assessment methodology at Infrastructure Canada

Infrastructure Canada has taken measures to assess its system of ICFR, starting from its financial statements. While planning and scoping, materiality was used to determine that the following financial statement accounts were in-scope:

• Transfer payment expenses;
• Professional and special services (Operating expenses);
• Accounts payable and accrued liabilities;
• Accounts receivable and advances; and
• Salaries and employee benefits (Operating expenses).

Stemming from the in-scope financial statement accounts, Infrastructure Canada has identified the following key business processes:

• Manage Transfer Payments (Variation #1 – Programs Managed Entirely by Infrastructure Canada);
• Manage Transfer Payments (Variation #2 – Programs Managed in Collaboration with Federal Delivery Partners);
• Manage Procure-to-Payment;
• Manage Payroll; and
• Manage Financial Statement Preparation.

Infrastructure Canada's short-term focus will be on assessing the system of internal controls at the business process-level.

4. Assessment results during fiscal year 2011-12

As a result of the assessment approach described above, Infrastructure Canada has developed an internal control framework to support its work under the Policy on Internal Control.

In assessing its key controls, Infrastructure Canada focused on documentation and design effectiveness.

4.1 Design effectiveness of key controls

For each key business process, the following steps were substantially advanced:

1. Gathering information pertaining to processes, risks and controls relevant to ICFR, including appropriate policies, procedures, and accounting standards;
2. Documenting key processes using narratives, flow charts, and internal control matrices to identify, describe, and align key risks to controls; and
3. Stakeholder review and validation of drafted business process documentation.

Infrastructure Canada also took into account information from relevant audits, including:

• Audit of Financial Management Accountability Framework (performed by Internal Audit)
• Audit of Travel, Hospitality, and Acquisition Cards (performed by Internal Audit)
• Audit of Information Technology Contracts (performed by Internal Audit)
• Horizontal Audit of Expenditure Controls (performed by the Office of the Comptroller General)

As a result of its assessment, Infrastructure Canada identified the following significant adjustments:

Documentation:

• Improve the consistency in the quality, reliability and availability of documentation of controls and procedures.
• Develop further documentation in some areas.

Data reconciliation and integrity:

• Improve the consistency and frequency of reconciliations between IT systems and source data.

Segregation of Duties and approval process:

• Strengthen the approval process of financial transactions.
• Strengthen the delegation of financial signing authorities' process, as it relates to transfer payments, so it is aligned with the organizational structure and departmental chart of accounts.

4.2 Operating effectiveness of key controls

As of March 31, 2012, Infrastructure Canada has not yet performed the operating effectiveness testing of its key controls. During fiscal year 2012-2013, Infrastructure Canada will develop a risk-based testing plan for each business process listed in section 3.2. These testing plans will be multi-year and will identify the key controls, the test-period, as well as the method and frequency of testing. Infrastructure Canada plans to launch the testing of its key controls' operating effectiveness by 2013-2014.

5. Infrastructure Canada's action plan

5.1 Progress as of March 31, 2012

During fiscal year 2011-2012, Infrastructure Canada has continued to make significant progress in assessing and improving its key controls. Below is a summary of the main progress made by Infrastructure Canada in two business processes: Manage Transfer Payments and Manage Procure-to-Payment.

Manage Transfer Payments:

• Completed the documentation of the two variations of the Manage Transfer Payments business processes. The documentation is in a standardized narrative format, with supporting process maps.
• Identified key controls and the risks they aim to mitigate throughout the Manage Transfer Payment business process documentation and internal control matrix.
• Validated that business process controls are in place as described and correspond to actual practices, by consulting with process owners.
• Completed the remediation to the documentation as soon as necessary adjustments were identified.

Manage Procure-to-Payment:

• Completed the documentation of the Procure-to-Payment process, which supports the financial statement accounts classified under Operating Expenses (Professional & Special Services Expenses are most materially significant). The documentation is in a standardized narrative format.
• Identified key controls and the risks they aim to mitigate throughout the Manage Procure-to-Payment business process documentation and internal control matrix.
• Validated that business process controls are in place as described and correspond to actual practices, by consulting with process owners.
• Completed the remediation to the documentation as soon as necessary adjustments were identified.

Infrastructure Canada has also advanced its work on entity-level controls. The department has documented a listing of its entity-level controls and associated support. Furthermore, the department has aligned its entity-level controls with the Office of the Comptroller General's Core Management Controls.

5.2 Action plan for the next fiscal year and future years

Elements in action plan	2012-13	2013-14	2014-15
Documentation
Complete documentation, including internal control matrix, of Manage Payroll business process and align documentation with the TBS Pay Administration Model	✓
Consult with process owners to validate that Manage Payroll business process controls are in place as described and aligned appropriately with risks	✓
Complete documentation, including internal control matrix, of Manage Financial Statement Preparation business process	✓
Consult with process owners to validate that Manage Financial Statement Preparation business process controls are in place as described and aligned appropriately with risks	✓
Remediate business process documentation, as required	✓
Initiate the assessment of IT general controls	✓
Initiate a fraud risk assessment, including the identification of key controls addressing fraud risks	✓
Assessment of Design Effectiveness
Conduct process walkthroughs for Manage Transfer Payments – Variation 1	✓
Conduct process walkthroughs for Manage Transfer Payments – Variation 2	✓
Conduct process walkthroughs for Manage Procure-to-Payment	✓
Conduct process walkthroughs for Manage Payroll		✓
Conduct process walkthroughs for Manage Financial Statement Preparation		✓
Test design effectiveness of Entity-level controls	✓
Remediate design of controls, as required	✓	✓
Assessment of Operating Effectiveness
Develop a sampling plan and testing methodology for assessing operating effectiveness for all business processes		✓
Communicate testing plan among all stakeholders, including any resource requirements for all business processes		✓	✓
Testing of operating effectiveness for Manage Transfer Payments – Variation 1			✓
Testing of operating effectiveness for Manage Transfer Payments – Variation 2			✓
Testing of operating effectiveness for Manage Procure-to-Payment			✓
Testing of operating effectiveness for Manage Payroll			✓
Testing of operating effectiveness for Manage Financial Statement Preparation			✓
Testing of operating effectiveness for Entity-level controls		✓
Identify and implement any necessary remediation		✓	✓
On-going monitoring and reporting of the effectiveness of Infrastructure Canada's system of ICFR		✓	✓