Annex to the Statement of Management Responsibility including Internal Control over Financial Reporting (Unaudited)

Consolidated financial statements quick links

For the year ended March 31, 2017

1. Introduction

This document provides summary information on the measures taken by NRC to maintain an effective system of internal control over financial reporting, including information on internal control management, assessment results and related action plans.

Detailed information on NRC's authority, mandate and program activities can be found in the 2016‑17 Departmental Results Report and the 2017‑18 Departmental Plan.

2. Departmental system of internal control over financial reporting

2.1 Internal control management

NRC has a well-established governance and accountability structure to support departmental assessment efforts and oversight of its system of internal control. A departmental internal control management framework, approved by the Deputy Head, is in place which includes:

  • Organizational accountability structures as they relate to internal control management to support sound financial management, including roles and responsibilities of senior managers in their areas of responsibility for control management;
  • Values and ethics;
  • Ongoing communication and training on statutory requirements, and policies and procedures for sound financial management and control; and
  • At least semi-annual monitoring of and regular updates on internal control management, as well as the provision of related assessment results and action plans to the Deputy Head and departmental senior management and, as applicable, the Departmental Audit Committee.

The Departmental Audit Committee provides advice to the Deputy Head on the adequacy and functioning of NRC's risk management, control and governance frameworks and processes.

2.2 Service arrangements relevant to financial statements

NRC relies on other organizations for the processing of certain transactions that are recorded in its financial statements as follows:

Common arrangements

  • Public Services and Procurement Canada (PSPC) centrally administers the payments of salaries and the procurement of goods and services in accordance with NRC's Delegation of Authority, and provides some accommodation on behalf of NRC;
  • The Treasury Board of Canada Secretariat provides NRC with information used to calculate various accruals and allowances, such as the accrued severance liability;
  • The Department of Justice Canada provides legal services to NRC; and
  • Shared Services Canada provides information technology (IT) infrastructure services to NRC in the areas of data centre and network services. The scope and responsibilities are addressed in the interdepartmental arrangement between Shared Services Canada and NRC.

3. Departmental assessment results during fiscal year 2016‑17

The key findings and significant adjustments required from the current year's assessment activities are summarized below.

3.1 New or significantly amended key controls

There were three significant changes impacting NRCs Key Financial Controls during 2016‑17:

Firstly, the implementation of Phoenix required substantial resources. Although the NRC is an "Integration Department" and as such is not a fully serviced department with regards to payroll, there was still a significant impact on the organization with regards to the implementation. NRC formally reviewed, documented and assessed business processes and controls regarding key integration points and the impact of Phoenix. Furthermore, NRC proactively implemented the use of data analytics and an updated S.33 approach to payroll for continued payroll analysis.

Secondly, it should be noted that a formalized external assessment of the Delegation of Authority Application was conducted prior to the launch of electronic authorizations in order to assess the controls within the financial system.

Thirdly, NRCs contribution management system was formally integrated with NRCs financial system; resulting in additional system controls and operational efficiencies for electronic approvals. Post launch, additional operational effectiveness testing was conducted on key controls and is being performed on an ongoing basis.

3.2 Ongoing monitoring program

As part of its rotational ongoing monitoring (OGM) plan, NRC completed its reassessment of financial controls within procurement to payment, transfer payments, capital assets, inventory, payroll administration, revenues/receivables as well as entity level controls and information technology general controls (ITGC).

For the most part, the key controls tested performed as intended, with remediation required as follows:

  • Procurement to payment: Consistent with last year's assessment, inconsistencies remain regarding the application of expenditure initiation and Section 34 for expenses with payments made to other government departments through interdepartmental settlements. NRC is in the process of developing and implementing electronic approvals for purchases, including goods or services received from other government departments, which will address these inconsistencies (in progress);
  • Transfer payments: Assessment of contribution files demonstrated compliance with most of the existing policies and business processes. However, consistent with last year's assessment, the application of established Section 34 and Section 33 account verification procedures was not applied consistently. Observations and deficiencies were communicated to management and to the responsible parties. Results are expected to improve with the continued system integration and electronic approvals. Necessary remediation measures have been or are currently being implemented by NRC (in progress);
  • Capital assets: Some minor improvements were noted with regards to key financial controls identified from the previous review (2015-16), as it related to lower level custodianship accountability issues. As well, fiscal year 2015-16 ongoing monitoring activities detected a change in business process for infrastructure capital projects which required the implementation of specific remediation activities, and the 2016‑17 follow up review noted positive results. A complete review of strengthened business processes surrounding the administration of capital assets is underway (in progress) and we expect to see additional positive results in the next fiscal year;
  • Payroll: Payroll testing results remain consistent with last year's findings with minimal impacts on financial controls and the identification of minor improvement opportunities in relation to some lower level business processes. Following the implementation of the new Federal pay system Phoenix, NRC conducted a full review of all NRC payroll business processes. It should be noted that the implementation of Phoenix had a significant impact on the organization as an integrated department (in progress);
  • Master data: A periodical review plan is currently in progress;
  • Electronic Workflow Approvals
    • Delegation of Authority Application (DAA): NRC's DAA is the foundation for the implementation of electronic authentication and authorization. The final phase of the DAA was the implementation of electronic workflows approval of financial signing authority delegations and financial system access.
    • Purchase to Pay (P2P): Approval workflows utilize the DAA to ensure the approval is routed to the appropriate delegated authority based on the approved financial signing authorities matrix and delegated authorities. Auto approvals of three components of the P2P business process were implemented in 2016‑17: online requisitioning for goods and services (expenditure initiation and Section 32), Section 34 contribution payments, and requests for information prior to Section 34.

    In conjunction to this, a formalized external control assessment was conducted which yielded positive results leading to the implementation of Section 34 invoice certification in 2017‑18. This should eliminate improper segregation of duties at the transaction level, if conflictual roles are assigned. An interim monitoring plan of conflicting roles is in progress; and

  • Revenue: There continue to be some elements of the business process that are not fully entrenched in operations and thus not consistently followed. A complete review of the revenue management framework business processes was conducted and has resulted in some additional changes that are currently being implemented. In order to ensure that operational effectiveness was fully assessed, alternate testing was conducted to ensure that revenues were appropriately recorded (in progress).

4. Departmental action plan

4.1 Progress during fiscal year 2016‑17

NRC continued to conduct its ongoing monitoring according to the previous fiscal year's rotation plan as shown in the following table.

Previous year's rotational ongoing monitoring plan for current year Status
Entity level controls, information technology general controls and payroll administration Completed as planned and no remedial actions required.
Procurement to payment, transfer payments, capital assets and master data Completed as planned with some remedial actions complete and some underway. Master data has been postponed to the new year.
Revenues, receivables and receipts Some operating effectiveness testing delayed or alternatively tested due to delays in fully operationalizing the management action plan.

4.2 Action plan for the next fiscal year and subsequent years

NRC's rotational ongoing monitoring plan over the next three years, based on an annual validation of the high risk processes and controls and related adjustments to the ongoing monitoring plan as required, is shown in the following table.

Key control areas Fiscal year
2017‑18
Fiscal year
2018-19
Fiscal year
2019-20
ELCs
ITGCs under departmental management
Procurement to payment
Transfer payments
Capital assets
Inventory    
Payroll administration
Revenues, receivables and receipts
Master data – customers / vendors    

In addition to the ongoing monitoring rotational plan, NRC also plans to review remediation actions completed in 2017‑18 in all areas in which issues were noted in Section 3. NRC also plans to continue remediation of adjustments identified during its assessments. When new business processes are introduced, or significant internal control process changes occur, NRC will proactively identify, document and test key controls based on associated risks. The results will be incorporated into the assessment plan and the ongoing monitoring program.