Annex to the Statement of Management Responsibility including Internal Control over Financial Reporting (Unaudited) - For the year ended March 31, 2016

Consolidated financial statements 2015-16 quick links

Alternative format

PDF version (50 KB)

Table of contents

1. Introduction

This document provides summary information on the measures taken by NRC to maintain an effective system of internal control over financial reporting, including information on internal control management, assessment results and related action plans.

Detailed information on NRC's authority, mandate and program activities can be found in the 2015‑16 Departmental Performance Report and the 2016‑17 Report on Plans and Priorities.

2. Departmental system of internal control over financial reporting

2.1 Internal control management

NRC has a well-established governance and accountability structure to support departmental assessment efforts and oversight of its system of internal control. A departmental internal control management framework, approved by the Deputy Head, is in place which includes:

  • Organizational accountability structures as they relate to internal control management to support sound financial management, including roles and responsibilities of senior managers in their areas of responsibility for control management;
  • Values and ethics;
  • Ongoing communication and training on statutory requirements, and policies and procedures for sound financial management and control; and
  • At least semi-annual monitoring of and regular updates on internal control management, as well as the provision of related assessment results and action plans to the Deputy Head and departmental senior management and, as applicable, the Departmental Audit Committee.

The Departmental Audit Committee provides advice to the Deputy Head on the adequacy and functioning of NRC's risk management, control and governance frameworks and processes.

2.2 Service arrangements relevant to financial statements

NRC relies on other organizations for the processing of certain transactions that are recorded in its financial statements as follows:

Common arrangements

  • Public Works and Government Services Canada centrally administers the payments of salaries and the procurement of goods and services in accordance with NRC's Delegation of Authority, and provides some accommodation on behalf of NRC;
  • The Treasury Board of Canada Secretariat provides NRC with information used to calculate various accruals and allowances, such as the accrued severance liability;
  • The Department of Justice Canada provides legal services to NRC; and Shared Services Canada provides information technology (IT) infrastructure services to NRC in the areas of data centre and network services. The scope and responsibilities are addressed in the interdepartmental arrangement between Shared Services Canada and NRC.

3. Departmental assessment results during fiscal year 2014‑15

The key findings and significant adjustments required from the current year's assessment activities are summarized below.

3.1 New or significantly amended key controls

In July 2014, NRC was subject to a cyber-intrusion on its IT infrastructure. As a result, the financial system and network access was completely shut down for a short period of time, and limited access was restored for most of the business process by the end of 2014‑15 with some business processes still being restored at the beginning of 2015‑16. As significant business processes, that had been modified during 2014‑15, have reverted back to their original state, design effectiveness testing was conducted on the original key controls.

3.2 Ongoing monitoring program

As part of its rotational ongoing monitoring (OGM) plan, NRC completed its reassessment of financial controls within procurement to payment, transfer payments, capital assets, inventory, payroll administration, revenues/receivables and master data management business processes, as well as entity level controls and information technology general controls (ITGC).

For the most part, the key controls tested performed as intended, with remediation required as follows:

  • Procurement to payment: Consistent with last year's assessment, inconsistencies remain regarding the application of expenditure initiation and section 34 for expenses with payments made to other government departments through interdepartmental settlements. NRC is in the process of developing and implementing electronic approvals for purchases, including goods or services received from other government departments, which will address these inconsistencies (in progress);
  • Transfer payments: Assessment of contribution files demonstrated compliance with most of the existing policies and business processes. However, consistent with last year's assessment, the application of established Section 34 and Section 33 account verification procedures was not always applied consistently. Some of these deficiencies are the result of a slow move back to NRC's electronic environment following the cyberintrusion. In fact, some instances may have been prevented with electronic access to documentation. All deficiencies were communicated to management and to the responsible parties. Necessary remediation measures have been or are currently being implemented by NRC (in progress);
  • Capital assets: Consistent with last year's assessment, improvement opportunities with regard to some key financial controls at the lower level business processes for capital assets remain. Specific remediation activities for infrastructure capital projects were undertaken, due to a change in business process, which was detected during ongoing monitoring activities. Lower level custodianship accountability issues are ongoing as they require clarification. A complete review of the business processes surrounding the administration of capital assets is underway (in progress);
  • Payroll: Gaps between the NRC and the government of Canada's payroll administration framework are expected to be completely remediated in 2015‑16 following the implementation of the new Federal pay system Phoenix and a review of all NRC payroll business processes (in progress);
  • Master data: A periodical review plan is currently in development (in progress);
  • Delegation of Authority Application (DAA): Phase II, which has been implemented, results in the application being fully embedded in SAP. Phase III, which is currently under development, will introduce the new functionality of electronic authorizations, which will eliminate any improper segregation of duties at the transaction level, if conflictual roles are assigned. A temporary monitoring plan of conflicting roles has been created and is currently being implemented (in progress); and
  • Revenue: In 2012-13 the revenue control framework was streamlined, strengthened and standardized including the implementation of a continuous review of revenue files. Since then, some significant aspects of the business processes have been continuously improving. Due to the significance of the business process changes introduced, some elements are not fully entrenched in operations. A complete review of the revenue management framework business processes is underway. In order to ensure that operational effectiveness was fully assessed, alternate testing was conducted to ensure that revenues were appropriately recorded (in progress).

4. Departmental action plan

4.1 Progress during fiscal year 2015‑16

NRC continued to conduct its ongoing monitoring according to the previous fiscal year's rotation plan as shown in the following table.

Previous year's rotational ongoing monitoring plan for current year Status
Entity level controls, information technology general controls, inventory and payroll administration Completed as planned and no remedial actions required.
Procurement to payment, transfer payments, capital assets and master data Completed as planned with some remedial actions complete and some underway.
Revenues, receivables and receipts Some operating effectiveness testing delayed or alternatively tested due to delays in fully operationalizing the management action plan.

In 2015‑16, NRC did not conduct any additional work other than the progress made under the ongoing monitoring plan.

4.2 Action plan for the next fiscal year and subsequent years

NRC's rotational ongoing monitoring plan over the next three years, based on an annual validation of the high risk processes and controls and related adjustments to the ongoing monitoring plan as required, is shown in the following table.

Key control areas Fiscal year
Fiscal year
Fiscal year
ITGCs under departmental management
Procurement to payment
Transfer Payments
Capital assets
Payroll administration  
Revenues, receivables and receipts
Master data – customers / vendors    

In addition to the ongoing monitoring rotational plan, NRC also plans to review remediation actions completed in 2016‑17 in all areas in which issues were noted in Section 3. NRC also plans to continue remediation of adjustments identified during its assessments. When new business processes are introduced, or significant internal control process changes occur, NRC will proactively identify, document and test key controls based on associated risks. The results will be incorporated into the assessment plan and the ongoing monitoring program.