Audit of internal control over financial reporting

Introduction

1. Internal controls are measures embedded throughout the financial systems, processes and structures of the organization to mitigate risks to the desired outcomes.

2. Internal Control over Financial Reporting (ICFR) is the system of controls that aims to ensure that:

• financial reporting is accurate and complete
• expenditures are authorized and in accordance with delegated authorities
• financial resources are safeguarded^{Footnote 1}

3. Documenting and testing these controls provides assurance that the necessary controls are in place and operate as intended.

4. The Canada Border Services Agency's (CBSA's) system of ICFR and the Internal Control over Financial Management consists of 13 key control areas:

• Entity Level Controls: the "tone-from-the-top" controls that define the corporate culture and commitment to integrity and ethical values
• Information Technology General Controls (ITGCs): controls over the integrity and reliability of Information Technology (IT) systems that support financial transactions and records
• 11 Business Process Controls: controls embedded in the business processes and the lifecycle of financial transactions. All business processes with financial impact are covered by these controls

5. The Internal Control and Quality Assurance Unit (IC Unit), under the Finance and Corporate Management Branch, leads the implementation of the system of ICFR at the CBSA. The IC Unit works with Business Process Owners of key control areas to document, test and strengthen internal controls.

6. Responsibility for the integrity and objectivity of all information contained in the agency's financial statements and an effective system of internal control rests with senior management of the CBSA, and ultimately the agency's Chief Financial Officer (CFO) and President.

7. Other key stakeholders involved in the system of ICFR include:

• Business process owners of key control areas
• Senior departmental managers
• Agency governance committees
• The Audit Committee

Significance of the audit

8. Parliamentarians and Canadians expect that the financial resources of the Government of Canada are well managed. They also expect transparency and accountability in how public funds are spent.

9. The CBSA publicly reports on the resources used to deliver its mandate and the funds it collects on behalf of the Government of Canada and its partners in its annual financial statements. In 2021 to 2022, the agency reported:

• $2.6 billion of operational revenues and expenses used by the CBSA to deliver its mandate
• $34 billion of tax and non-tax revenues, assets and liabilities administered on behalf of the federal, provincial and territorial governments^{Footnote 2}

10. The 2017 Treasury Board (TB) Policy on Financial Management requires that federal departments maintain an effective system of ICFR to provide assurance over the accuracy and completeness of financial reporting, authorization of expenditures, and safeguards of financial resources^{Footnote 3}.

11. Past internal audits revealed that the CBSA's system of ICFR and specific key control areas required improvement (see Appendix A for previous audits).

The 2018 Audit of Internal Control over Financial Reporting identified gaps in the ICFR management framework, risk assessment and ongoing monitoring plan, testing of significant processes, and capacity.

The 2019 Audit of Revenue Collected by the CBSA reported gaps in the review of user access in IT systems used for revenue collection.

The 2021 Audit of Compensation Processes and Controls highlighted that key HR-to-Pay controls were not documented, designed, nor operating effectively.

12. The 2018 Internal Audit of ICFR found that the IC Unit experienced challenges with regards to capacity and staff turnover, which contributed to the gaps identified at that time. During this audit, the IC Unit and their management stated that the IC Unit has continued to experience these issues, which contributed to some of the gaps highlighted in this report. In the last year, management indicated that the team has stabilized and capacity is growing. As of May 2023, the IC Unit consisted of 3 full-time equivalent employees.

13. In the planning phase of the audit, the Internal Audit Division identified deficiencies related to the ICFR management framework and the risk-based monitoring plan. Internal Audit was informed that the IC Unit was developing an updated ICFR management framework and a risk-based ICFR monitoring plan. This work was scheduled to be completed between January and March 2023. In light of the work planned by the IC Unit, the audit did not pursue an in-depth assessment of these areas to limit overlap and duplication of effort. This audit report includes the findings that were identified and shared with the IC Unit in the examination phase in early January of 2023.

14. This audit was approved as part of the 2021 to 2022 Risk-Based Audit and Evaluation Plan.

15. The objective of this audit is to determine whether the ICFR processes are effective in providing reasonable assurance that the agency's financial reporting is accurate and complete.

16. The scope period for the audit is from April 1, 2018, to December 31, 2022.

17. The audit scope included:

• ICFR management framework and risk-based ongoing monitoring plan
• documentation, design and operational effectiveness testing of control activities
• controls to obtain assurance for services received from the Canada Revenue Agency (CRA) through a specific arrangement for the Corporate Administrative System (CAS)^{Footnote 4} – the financial system
• monitoring, reporting and oversight mechanisms for ICFR

18. The audit scope excluded:

• assessment of internal control activities performed by the CRA or other service providers
• re-performance of control testing (design and operating effectiveness) performed by the IC Unit
• assessment of the accuracy and completeness of the agency's financial statements

19. Audit methodology:

• interviewed key stakeholders
• reviewed and assessed ICFR framework and key outputs
• assessed a sample of 4 key control areas; (see the section Assessment of internal controls, Examination of a sample of four key control areas)
• reviewed internal and external ICFR reporting

See Appendix C for detailed audit criteria.

Statement of conformance

20. This audit engagement conforms to related Treasury Board's Policy and Directive on Internal Audit and the Institute of Internal Auditors' International Professional Practices Framework. Sufficient and appropriate evidence was gathered through various procedures to provide an audit level of assurance. The agency's internal audit function is independent and internal auditors performed their work with objectivity as defined by the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing.

Audit opinion

21. An effective system of ICFR is critical for ensuring that financial reporting is complete and accurate, expenditures are made in accordance with authorities, and financial resources are safeguarded. While the agency has a system of ICFR in place, it requires attention as significant gaps exist, some dating as far back as 2018. Improvements are needed in the areas of the ICFR management framework and its methodologies, internal control assessments, and monitoring and reporting to better position the agency in managing its internal control activities and mitigate its financial reporting risks.

Key findings

22. The agency's ICFR management framework was established, but was outdated and not communicated to key stakeholders and employees.

23. The ICFR monitoring plan was not supported by a risk assessment and a mapping of the financial statement accounts to business processes and key control areas to ensure coverage of all key control areas impacting financial reporting.

24. The IC Unit conducted assessments of internal controls, but there were significant gaps in those assessments. Control documentation did not always cover all elements or business processes, and key control areas were partially assessed. Nevertheless, the audit noted improvement in the assessment of key control areas that were tested from 2021 onward.

25. While the IC Unit improved its approach for monitoring corrective actions over the last year, a sample of four key control areas revealed that internal control weaknesses were not monitored for one of the four areas examined, as there was no evidence to demonstrate such monitoring.

26. While three committees include oversight of internal control as part of their mandate, regular reporting did not occur or include all relevant information required for oversight and decision making. Following the prescribed guidance, the agency externally reported on the ICFR measures taken by the IC Unit in the Annex to the Financial Statements and provided information on the status of internal control assessments and corrective actions. However, the information contained in the statements is not as complete and transparent as it could be given the findings of this audit.

Summary of recommendations

27. The audit makes 5 recommendations:

1. Update the ICFR Management Framework
2. Conduct a comprehensive risk assessment to support the preparation of the ICFR monitoring plan
3. Complete control documentation and assessments of key control areas and retain the assessment information
4. Implement a process to obtain assurance over internal controls applied by third parties
5. Provide complete and regular reporting on ICFR to senior management and externally to support oversight and decision making

Audit findings

The audit resulted in the findings below.

Internal control over financial reporting management framework

28. The purpose of an ICFR Management Framework is to define the measures taken by an organization to meet its ICFR objectives and policy requirements. This includes governance and accountability structures and methodologies that support the ICFR processes. The framework should be communicated so that stakeholders understand their roles and responsibilities^{Footnote 5}.

29. Expectation: an ICFR management framework is developed, approved and communicated per policy requirements.

30. An approved ICFR management framework was in place, but has not been updated since 2015 nor communicated to key stakeholders.

No updates were made to reflect major changes that have happened since 2015, such as:

• the agency's reorganization
• changes in senior management committees
• 2017 update to the TB Policy on Financial Management

The framework did not identify current governance committees that oversee ICFR, their responsibilities and authorities, nor the sequence for reporting ICFR to these committees.

The IC Unit developed draft methodologies in 2020 to define its ICFR processes and guidelines, but they were not finalized and approved.

No evidence was provided to demonstrate that the management framework was periodically communicated to governance committees, key stakeholders and employees.

31. The IC Unit indicated that the lack of capacity and staff turnover limited their ability to update the ICFR management framework and supporting methodologies.

32. Defining key aspects of the internal control process through a management framework is a key foundational step for a consistent internal control process. Without an updated and well communicated management framework, stakeholders may not be aware of their responsibilities and processes may not be consistently carried out, leading to a system of internal control that may not adequately prevent and detect errors in financial reporting.

Monitoring of internal controls

33. TB guidance requires that departments monitor internal controls to ensure that they continue to operate effectively and as designed. It recommends that departments assess key controls using a risk-based approach by performing the following five steps^{Footnote 6}:

1. Risk assessment
2. Monitoring plan
3. Assessment of internal controls
4. Results and corrective actions
5. Report on results

Risk assessment

34. The monitoring process begins with a risk assessment of internal controls. The risk assessment identifies the key processes, financial statement items and the risks related to financial reporting. It assesses the importance of the controls and informs how and when each control area should be assessed. A comprehensive risk assessment should be performed every three to five years. The assessment should then be updated every year, using an environmental scan^{Footnote 7}, to ensure changes to the processes or the environment are considered and reflected.

35. Expectation: A risk assessment of internal controls is conducted to support the development of the monitoring plan.

36. The IC Unit did not perform annual risk assessment updates and did not have complete and up-to-date risk information to inform the planning of monitoring activities.

The IC Unit last conducted a risk assessment of internal controls in 2019. Without annual updates, risk assessment information becomes outdated and may not reliably inform the planning of ICFR monitoring activities.

A mapping of the financial statement accounts to business processes and key control areas helps provide assurance that all material financial activities are captured in the risk assessment^{Footnote 8}. The risk assessment performed in 2019 was not supported by such a mapping. In response to the audit, the IC Unit began a mapping exercise and shared it with the audit team, but has not yet used it to support the risk assessment (see Appendix E for an example of a mapping).

No evidence was provided to show that the 2019 risk assessment was validated with business process owners, shared with or approved by senior management or relevant governance committees. Risk information may not be reliable if it is not validated with agency stakeholders.

37. The IC Unit acknowledged that the risk assessment required improvement and, at the time of the audit, was taking actions to refresh it by March 2023.

38. An updated risk assessment helps to identify areas that need the most attention, and where the monitoring of internal controls should focus. Without it, the agency may not identify and correct control weaknesses in a timely manner.

39. See Recommendation 2, following the section Assessment of internal controls.

Monitoring plan

40. Using the results of the risk assessment, departments develop a monitoring plan and update it annually. The plan maps key controls into common areas - key control areas - and identifies when these will be assessed. Once approved, the agency publishes the updated monitoring plan as part of its financial statements^{Footnote 9}.

41. Expectation: A risk-based monitoring plan is established per policy requirements.

42. For the period in scope, the IC Unit established and annually updated a monitoring plan. However, given that no risk assessment updates were completed since 2019, the monitoring plans for fiscal years 2020 to 2021 to 2022 to 2023 were not risk-based.

The monitoring plan outlined the assessments for the up-coming five years, typically identifying four to five key control areas selected for assessment each year (see Appendix D for an example of a plan). However, the plan did not clearly specify the type of assessments that would be performed (see the section Assessment of internal controls for types of assessments).

The IC Unit confirmed that it selected assessments of key control areas primarily based on a rotation or emerging priority, instead of the risk-based approach prescribed by the TB guidance^{Footnote 10}.

Since no mapping of the financial statement accounts to business processes and key control areas was finalized, the audit could not confirm that the monitoring plan covered all key control areas and business processes with material impact on financial reporting (see an example with Other Revenues and Accounts Receivable).

43. The IC Unit acknowledged that the monitoring plan required improvement and, at the time of the audit, was taking actions to revise its approach for updating it by March 2023.

44. To focus on the most important controls, assessments of internal controls should be selected based on an up-to-date risk assessment and a mapping of financial accounts to key controls. This will strengthen the overall effectiveness of the monitoring activities and will help mitigate the risks to financial reporting.

45. See Recommendation 2, following the section Assessment of internal controls.

Assessment of internal controls

46. Each key control area should be assessed using the following steps^{Footnote 11} in accordance with the monitoring plan. Ongoing monitoring of internal controls begins after a department has completed its initial control assessment.

a) Documentation of controls: business processes and internal controls are identified and documented. The documentation defines the stakeholders, systems, activities, and associated risks and controls for the business process, providing a baseline for testing the effectiveness of the internal controls.

b) Effectiveness testing:

Design effectiveness testing assesses whether the right mix of controls are in place to mitigate the risks associated with the specific business process. It confirms whether the controls in place are appropriate or if they need to be adjusted to be effective, by adding or redesigning the controls in place. For example, design effectiveness testing may discover that a control to periodically review user access to a key IT system is missing and needs to be put in place to mitigate the risk of unauthorized access.

Operating effectiveness testing assesses whether the controls are working as intended. This testing validates that they are being consistently applied to mitigate risks and generate the expected results. For example, operating effectiveness testing may find that the periodic review of the access to a key IT system was part of the documented procedures, but was not being carried out.

c) Corrective actions: When the testing of controls reveals gaps in the process, the IC Unit issues recommendations to correct them. The business process owners prepare action plans to correct the identified weaknesses and the IC Unit monitors their implementation, and eventually re-assesses the controls. Implementation of corrective actions ensures that controls remain effective and that identified risks are mitigated.

47. Expectation: Key controls are documented and their design and operating effectiveness are tested in accordance with the approved ongoing monitoring plan.

48. Our review of control documentation and results of the assessments performed by the IC Unit identified gaps in the assessment of controls. Three of the 13 key control areas on the monitoring plan were fully documented and tested for design and operating effectiveness (see Table 1: Internal control assessments).

The documentation of controls for four key control areas was outdated and lacked a mapping of which business processes were included in these areas^{Footnote 12}. Therefore, the audit could not determine if all key business processes were documented and tested.

For example, the changes to business processes and controls for the "Other Revenues and Accounts Receivable" key control area were not clearly documented (see more in the section Assessment of internal controls, Sample: other revenues and accounts receivable).

Certain key control areas were documented and tested for operating effectiveness, but no evidence was provided to support that they had been tested for design effectiveness^{Footnote 13}. Controls that are only tested for operating effectiveness may be poorly designed, potentially making them ineffective even if they are applied as expected.

For some control areas, testing was performed on certain sub-processes rather than on the entire control area, which provided partial assurance over those control areas^{Footnote 14}.

The IC Unit annually completed up to three of its five planned assessments. Many assessments of internal controls were delayed or spanned over several years (See "Delay of Assessment" in Table 1), which is not optimal to ensure that controls and the system of ICFR are effective.

49. Without a timely and thorough assessment of key controls, monitoring of internal controls may not be effective. This could prevent the agency from identifying and correcting control gaps that could threaten the completeness and accuracy of financial reporting, compliance with financial authorities, or potentially cause financial loss.

50. The table below displays the status of documentation and assessment for each key control area on the agency's monitoring plan for the period in scope.

Examination of a sample of four key control areas

51. To better understand the effectiveness of the assessments performed by the IC Unit, the audit examined a sample of four key control areas. The key control areas selected were:

• ITGCs under CBSA's management
• Capital Assets
• Financial Close and Reporting
• Other Revenues and Accounts Receivable

52. Through this sample, the audit examined the documentation of controls and the results of design and operating effectiveness testing. More specifically, the audit examined the documentation of roles and responsibilities for key control areas; consideration of fraud risk and controls to mitigate them; and the quality and completeness of the internal control assessments performed by the IC Unit.

The results of the review highlighted that control documentation did not always cover all key elements or business processes, and that key control areas were either only partially tested or not tested at all for design effectiveness.

Nonetheless, the audit found that key control areas that were tested more recently (2021 onward) were more complete than those tested in 2019, indicating improvement.

Sample: IT general controls under CBSA management

53. ITGCs are controls over how the IT systems are developed, maintained and operated to ensure they are reliable and operating as intended. The effectiveness of IT application controls and business process controls depends on the effectiveness of ITGCs. Restricting administrative user access is an example of an ITGC. For the IT systems that are operated in-house, ITGCs need to be applied and assessed internally by the CBSA. For the IT systems that are outsourced to or shared with third party providers, the agency should obtain assurance on the effectiveness of ITGCs from them^{Footnote 15}.

54. As part of the sample, the audit found that the IC Unit performed partial documentation and assessment of "ITGCs under CBSA management" (in other words, ITGCs for systems operated in-house): as it was only performed for one system – CAS.

55. For the agency's main financial system - CAS:

• ITGCs under CBSA management were documented
• the documentation included controls against fraud and clearly assigned roles and responsibilities for each control
• design and operating effectiveness testing were completed

56. ITGCs for other systems operated by the CBSA, such as the Accounts Receivable Ledger (ARL)^{Footnote 16} and the Travellers Entry Processing System (TEPS), were not documented or tested as part of this control area, given the IC Unit determined that the scope of ITGCs was limited to CAS.

57. Lack of testing ITGCs of other IT financial systems could impair their integrity and reliability, and therefore provides partial assurance on internal control over financial reporting to senior management.

58. ITGCs ensure the integrity and reliability of IT systems. Without adequate application and testing of ITGCs for all key financial systems, the agency may lose the ability to rely on those systems for complete and accurate financial reporting.

Assurance on IT general controls from the Canada Revenue Agency

59. The CBSA's financial system, CAS, relies on IT services provided by the CRA through a specific service arrangement^{Footnote 17}. To ensure its reliability, the IT components of CAS that are operated by the CRA require application and testing of ITGCs by the CRA. Given the crucial role of CAS to the CBSA's financial reporting, the CBSA should obtain confirmation from the CRA that they assess those ITGCs to ensure they are effective.

60. Expectation: Controls are in place to obtain assurance from the CRA with respect to services provided via the specific arrangement.

61. Prior to 2020, the IC Unit monitored the results of ITGC assessments performed by the CRA. However, no supporting documentation of such monitoring was provided. Since 2020 to 2021, the Unit discontinued this practice.

From 2020 to 2021, the CBSA's monitoring activities for ITGCs have focused on the controls that are managed by the CBSA. Obtaining assurance from the CRA was no longer identified on the monitoring plan or reported at the Audit Committee.

The IC Unit and the Business Process Owner for CAS did not have a set of formally agreed roles and responsibilities with the CRA to obtain assurance for controls under the CRA's management.

62. Obtaining assurance from the CRA about the assessment of those controls would provide the CBSA with confirmation on the reliability of the system.

63. Assurance from service providers on the effectiveness of ITGCs helps ensure that the IT services received meet the agency's needs and that the IT systems can be relied upon for financial reporting.

Sample: capital assets

64. Capital assets are assets that are acquired, constructed or developed for use on continuous basis and not for sale in the ordinary course of business^{Footnote 18}. The Capital Assets key control area covers the business processes and controls to manage and account for construction, operation, maintenance, and disposal of the agency's capital assets. Annual verification of capital assets on hand is an example of a capital assets control.

65. The audit sample demonstrated that the IC Unit partially documented and assessed key controls for Capital Assets.

The documentation of controls did not explicitly assign responsibilities for all controls. For a few controls, it listed "the CBSA" as responsible entity, rather than identifying a particular office of primary interest. When responsibility is not assigned to a specific office or person, the control may not be performed.

The documentation included controls against fraud, which help prevent and detect fraud related to the management and accounting for capital assets.

While controls were tested for operating effectiveness to ensure that controls are operating as intended, no evidence that the key control area was tested for design effectiveness was provided. Without design testing, even if controls are applied as intended they may still be poorly designed, making them ineffective.

66. Incomplete documentation and partial assessment of controls may result in control gaps over the accounting and management of Capital Assets, which increases the risk to inaccuracies in the agency's financial reporting.

Sample: financial close and reporting

67. Financial Close and Reporting refers to the financial and accounting processes performed at the end of the financial exercise and in preparation for financial reporting. Review of general ledger coding and balances to ensure accurate and consistent reporting is an example of a Financial Reporting and Close control.

68. This sample showed that the IC Unit partially documented and assessed key controls for Financial Close and Reporting.

The documentation of controls and operating effectiveness testing were completed for two of the four sub-processes within the control area: Financial Statements and Public Accounts reporting. No evidence of assessment was provided for the other two sub-processes: Future-Oriented Statement of Operations and Quarterly Financial Reporting. Lack of control documentation and testing increases the probability that controls will not be applied.

For each control of the two documented sub-processes, the roles and responsibilities were clearly assigned and included controls against fraud, which helps ensure that controls are carried out and the effectiveness of controls can be tested.

The key controls of the two documented sub-processes were tested for operating effectiveness, ensuring that they are operating as intended. However, evidence for design effectiveness testing was only available for one of the two documented sub-processes (Financial Statements). There may still be gaps in how the controls are designed for the other sub-process (Public Accounts Reporting).

69. Incomplete documentation and partial assessment of controls may result in failure to prevent or detect errors in financial reporting.

Sample: other revenues and accounts receivable

70. The CBSA collects duties and taxes at the border on behalf of the Government of Canada and other partners^{Footnote 19}, totalling in over $30 billion in annual administered revenues^{Footnote 20}. Since 2010, the agency has been modernizing the systems used to manage revenues at the border through the implementation of the CBSA Assessment and Revenue Management (CARM)^{Footnote 21} project, expected to be completed in October of 2023. The ARL was implemented as phase one of CARM in 2016. Two key control areas are associated with these collection activities: Other Revenues and Accounts Receivable, and CARM.

71. The sample showed that the IC Unit did not have complete documentation for the Other Revenues and Accounts Receivable and the CARM key control areas. It performed limited assessment of controls during the period in scope.

The IC Unit had partial and outdated documentation for both key control areas, and did not have a mapping to show which business processes were included. Without complete control documentations, controls may not be consistently applied making it difficult to assess their effectiveness.

Only partial testing was completed for both areas, when design effectiveness for ARL was assessed in 2019 as a deliverable for the CARM project. The scope of testing did not cover all potential business processes for Other Revenues and Accounts Receivable and CARM, such as the refund process. The ARL testing identified significant gaps, but no evidence was provided to show that the IC Unit monitored that corrective actions were implemented. Partial assessments provide limited assurance over the key control areas.

Operating effectiveness testing of controls was not completed during the period in scope. This does not provide assurance that controls are operating effectively and are preventing errors, fraud and financial loss with regard to revenue collection and accounts receivable.

Given the expected implementation of CARM and changes in processes, the IC Unit postponed the testing of those two control areas as it considered that there would be little value in testing them then. However, there is no evidence that the resulting lack of oversight over the controls for this area was transparently communicated, which may have left stakeholders with a false sense of assurance.

72. Given the materiality in revenues administered by the agency, it is important that controls be in place and function as intended. Incomplete control assessments provide limited assurance on the effectiveness of those controls, which could result in the loss of funds collected on behalf of the Government of Canada and other partners and misstatements in financial reporting.

Results and corrective actions

73. Following the assessment of internal controls, the results of the assessment should be shared with the business process owners. If any control weaknesses are identified, management should take prompt corrective action. The IC Unit works with the business process owners to develop action plans to correct the weaknesses and monitors the completion of those plans^{Footnote 22}.

74. Expectation: Results of internal control assessments are communicated to business process owners and monitoring is performed to ensure that weaknesses are addressed.

75. The review of the four samples showed that the IC Unit communicated the results of the assessments to the business process owners and monitored the implementation of management action plans to correct the control weaknesses, but not in all four key control areas examined (see Table 2: Sample results - assessment of internal controls for more details).

For two key control areas, ITGC under CBSA Management and Capital Assets:

• the IC Unit shared the results of assessments with the business process owners
• the business process owners prepared action plans to correct the identified weaknesses
• the IC Unit monitored the implementation of the corrective actions

For the Financial Close and Reporting key control area, given the observations were deemed to be low risk, no management action plan was requested by the IC Unit.

For Other Revenues and Accounts Receivable, there was no evidence that a management action plan was provided or that the IC Unit monitored the implementation of corrective actions. Monitoring ensures that the corrective actions are completed as intended.

76. In April 2022, the IC Unit strengthened its approach to monitor and follow-up on outstanding action plans by implementing a new tracking process. The process consists of following up with business process owners about the status of the action plans as they become due and obtaining evidence that demonstrates implementation of the actions.

77. Establishing management action plans and monitoring their implementation ensures that weaknesses are corrected in a timely manner. Unmitigated control weaknesses could cause erroneous or unauthorized transactions which could result in financial loss and reputational damage.

Sample: results

78. The table below displays the detailed results of the audit sample.

Reporting on results

79. Once internal control assessments are completed and corrective actions are taken, the IC Unit should report on the overall status of ICFR activities to senior management. Reporting allows senior management to oversee and make decisions on internal controls, and ultimately provides assurance on the effectiveness of internal controls^{Footnote 23}.

80. Expectation: ICFR activities are reported internally (via governance forums and stakeholders) to support sound decision making and oversight.

81. For the period in scope, three established governance committees provided oversight over ICFR at the agency:

• One Finance Board – Directors General level committee chaired by the CFO
• Finance Investment Management Committee – Vice-President level committee chaired by the President
• Audit Committee – Committee with external members and CFO that provide advice to the President

82. The review of records of decisions from these governance committees showed that the IC Unit did not provide regular, nor complete reporting to governance committees.

While the Audit Committee received regular reporting on ICFR, the other two committees, Finance Investment Management Committee and One Finance Board, did not.

None of the three committees received complete information to provide oversight and support decision making over the effectiveness of ICFR. The information reported did not consistently cover:

• key risks that could impact the system of ICFR
• complete status of documentation, testing, or remediation of all key control areas
• status of all management action plans that have not been implemented yet
• information about delays in completion of the control assessments and overall progress against the monitoring plan

83.Without regular and transparent reporting senior management cannot perform adequate oversight and decision-making over internal controls, and therefore it could impact the achievement of objectives and affect the effectiveness of the ICFR system.

84. In addition to reporting to senior management, TB policy requires that departments publicly report on the effectiveness of their systems of ICFR in their annual financial statements, included in the Annex to the Statement of Management Responsibility. The Annex should include a summary of the measures taken to maintain an effective system of ICRF, the results of completed assessments, and a status of corrective actions^{Footnote 24}.

85. Expectation: ICFR activities are reported externally (via the publication of financial statements) in accordance with policy requirements.

86. The CBSA annually publishes the results on the effectiveness of its system of ICFR through the Annex to the Statement of Management Responsibility.

87. The audit found that, for the period in scope, the Annex provided information on the status of internal control assessments and corrective actions following the prescribed guidance.

88. The annex reported^{Footnote 25} that the agency has an established governance and framework for ICFR, including ongoing communication and training, a monitoring plan based on high-risk processes, and regular monitoring and updates to senior management and the Audit Committee.

89. However, based on the results of this audit, the information contained in the statements is not as complete and transparent as it could be given that the ICFR management framework is outdated and not communicated, an annual risk assessment does not support the monitoring plan, and that the reporting to senior management is infrequent and incomplete.

90. Canadians expect transparency and accountability in how public funds are spent and that financial resources are well managed. Given that the financial statements and the Annex to the Statement of Management Responsibility are publically reported, it is important that they accurately represent the state of the agency's system of internal control.

Conclusion

91. To ensure complete and accurate financial reporting, appropriate authorization of expenditures, and safeguarding of financial resources, it is vital to have an effective system of ICFR. This audit showed that there are significant gaps in the agency's system of ICFR and that those identified in the agency's 2018 audit still have not been resolved.

92. Management attention is needed to strengthen the agency's system of ICFR in these areas:

• ICFR Management Framework and its supporting methodologies
• annual risk assessment updates to support the monitoring plan
• assessment of key control areas that were not documented, partially assessed or for which evidence was missing
• monitoring of controls applied by third party service providers
• regular, complete and transparent reporting to governance committees and externally

93. Over the last year, the IC Unit has taken steps to stabilize and improve the Internal Control function. Continuing to address these gaps will reinforce the effectiveness of the agency's system of ICFR.

Appendix A: Previous audits

Internal Audit of Internal Control over Financial Reporting (2018)^{Footnote 26}

Examined the extent to which the ICFR processes (governance, risk-assessment, control design and testing, and monitoring) were effective.

Ended in the planning phase because the area was deemed not mature enough for an audit. Planning phase observations were shared with management to help mature the ICFR Framework.

The areas that required improvement were related to updating roles and responsibilities for key ICFR stakeholders, sharing the risk-based internal control plan with agency stakeholders to align with priorities, testing annual ICFR of significant processes and developing plans to support ICFR capacity.

No recommendations were issued.

Internal Audit of Revenue Collected by the CBSA (2019)^{Footnote 27}

Examined the collection, storage, and deposit of revenue collected by the agency.

Highlighted outdated guidance and standards for revenue processes, gaps in the review of user access for IT systems used in revenue collection, and an outdated system used for collection of revenue in the traveller stream - TEPS.

Recommended updating the policies and guidance, including identifying key controls and documentation requirements, and performing periodic review of the user access for TEPS and ARL.

The Finance and Corporate Management Branch completed its management action plan in Q2 of 2021 to 2022.

Internal Audit of Compensation Processes and Controls (2021)^{Footnote 28}

Assessed the adequacy and effectiveness of the governance and controls over the HR-to-Pay process.

Highlighted that gaps existed in the HR-to-Pay internal control framework: more than half of the controls were not designed, documented, nor operating effectively.

Recommended addressing the gaps in the documentation and the design of controls in the HR-to-Pay internal control framework and testing the operating effectiveness of the controls on a regular basis.

The Finance and Corporate Management Branch completed its management action plan for this recommendation in Q4 of 2021 to 2022.

Appendix B: Risk assessment

A preliminary risk assessment was conducted to identify, analyze, and evaluate the areas of highest risk, and prioritize the areas of focus for this targeted control audit. As a result, the following key risk areas were identified:

Appendix C: Audit criteria

Given the preliminary risks identified in the planning phase, the following criteria were chosen.

Appendix D: Canada Border Services Agency's 2022 to 2023 internal control over financial reporting ongoing monitoring plan

Appendix E: Mapping of financial statement accounts to business processes and key control areas

Figure 1 - Text version

This figure shows the mapping of the Financial Statement Accounts in 2022 (in thousands $) and how they are related to the following business processes and therefore to the key control area on monitoring plan.

Financial Statement Accounts in 2022 (in thousands $)

Statement of Financial Position
Tangible Capital Assets: 1,075,645

Statement of Operations
Tangible Capital Assets:

• Acquisition of: 146,370
• Amortization: 106,173
• Proceeds from disposal: 728
• Net loss on disposal: 1,864
• Adjustments: 1,549

Business Processes

1. Assets Under Construction
2. Acquisition
3. Operation, Use and Maintenance
4. Write-off, Retired, Sold and Disposal
5. Segregation of Duties

Key Control Area on Monitoring Plan

Capital Assets

Appendix F: List of acronyms

ARL

Accounts Receivable Ledger

BPO

Business Process Owner

CAS

Corporate Administrative System

CARM

CBSA Assessment and Revenue Management

CBSA

Canada Border Services Agency

CFO

Chief Financial Officer

CRA

Canada Revenue Agency

FCMB

Finance and Corporate Management Branch

IC Unit

Internal Control and Quality Assurance Unit

ICFR

Internal Control over Financial Reporting

IT

Information Technology

ITGC

Information Technology General Controls

TEPS

Travellers Entry Processing System

VP

Vice-President