Audit of the Test of Design of Entity-Level Controls


Canadian Grain Commission
Audit & Evaluation Services
Final Report
March 2012

Canadian Grain Commission, Entity Level Controls 2011

Table of Contents

1.0 Executive Summary
    Introduction
    Audit Objective
    Conclusion
    Statement of Assurance
    Summary of Recommendations and Management Action Plans
2.0 Audit Report
    Background
    Audit Objective
    Audit Scope
    Audit Criteria
    Approach and Methodology
3.0 Findings and Recommendations
Appendix A: Entity Level Control Assessment Summary

1.0 Executive summary

Introduction

1.1 The mission of the Internal Audit function of Audit and Evaluation Services is to provide independent and objective assurance services designed to add value and improve the Canadian Grain Commission's operations. Internal Audit helps the Canadian Grain Commission accomplish its objectives by bringing a systematic, disciplined approach to assess and improve the effectiveness of risk management, control and governance processes.

1.2 The audit of entity-level controls was included as part of the Audit and Evaluation Services risk-based Audit Plan. The Commission approved the plan following a recommendation by the Departmental Audit Committee in May

1.3 The audit was conducted as a joint effort with Finance from November 2010 to March It consisted of documenting and reviewing the test of design of entity-level controls in place at the Canadian Grain Commission.

1.4 The Treasury Board Policy on Internal Control, which took effect on April 1, 2009, was introduced to ensure that risks relating to the reliability of financial reporting are adequately managed through a risk-based system of internal controls over financial reporting. Under the Policy on Internal Control, organizations are required to document and assess 3 levels of controls, one being entity-level controls.

1.5 As stated in the Policy on Internal Control Diagnostic Tool for Departments and Agencies, entity-level controls are those controls that are pervasive across a department. They include the tone from the top including the organization's culture, values and ethics, governance, transparency and accountability mechanisms as well as the activities and tools put in place across the organization to raise staff awareness, ensure clear understanding of roles and responsibilities and solid capacities and abilities in managing risks well.

1.6 The implementation of the Policy on Internal Control does not require an assessment of all entity-level controls within an organization. Rather, it requires an assessment of key entity-level controls. For purposes of this report, key entity-level controls are those controls that best demonstrate a commitment to overall good governance by Executive Management at the Canadian Grain Commission in ensuring organizational objectives are met.

1.7 In addition to the requirement under the Policy on Internal Control, Audit and Evaluation Services undertook the documentation and assessment of entity-level controls jointly with Finance as part of the Audit Plan for purposes of obtaining a sound understanding of the internal controls in place to ensure that Executive Management expectations pertaining to the entire organization are carried out.

1.8 This report contains only those observations, findings, and recommendations associated with the review of the test of design of the Canadian Grain Commission's key entity-level controls.

Audit objective

1.9 The objective of the audit is to document and assess the design of the entity-level controls in place at the Canadian Grain Commission in order to provide assurance of their adequacy and to provide recommendations to improve noted deficiencies, if appropriate.

Conclusion

1.10 Several entity-level controls exist and have been effectively designed to promote management excellence, good governance and public service management throughout the Canadian Grain Commission. Some of the key highlights noted include:

- Executive Management and the Commissioners promote and encourage open communication throughout the Canadian Grain Commission and effectively provide information to employees, industry stakeholders and other interested parties.
- Executive Management is committed to being effective leaders and modelling behaviours which employees are expected to demonstrate.
- There are 2 levels of governance: the Executive Management Committee and the Commission. Open communication between the Executive Management Committee and the Commission ensures that priorities remain realistic and that organizational objectives are achieved as intended.
- The Executive Management Committee, the Commissioners and the Departmental Audit Committee are committed to directing the organization in achieving its operational and strategic objectives.

1.11 The following report contains opportunities for improvement that were identified during the audit, including:

- Further developments in tracking and monitoring of People Planning and the Personal Development and Achievement Program in order to strengthen the Canadian Grain Commission's ability to maintain a sufficient and representative workforce with the appropriate mix of skills.
- Further efforts to implement new policies, procedures and processes and to update existing ones in order to strengthen the Canadian Grain Commission's ability to carry out its mandate, programs and activities.
- Further refinements and enhancements to the Integrated Risk Management Program in order to ensure that risks are well managed throughout the organization.
- Future training to educate employees on roles and responsibilities in order to ensure that effective Internal Controls over Financial Reporting are in place.

Executive Management has indicated that all recommendations contained in this report will be implemented. Additional details are contained in this report.

Statement of assurance

1.12 In the professional judgment of the Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the conclusion provided in this report. The conclusion is based on a comparison of the conditions as they existed at the time, as described in the Audit Scope, against pre-established audit criteria that were agreed with management. The audit was conducted in accordance with the Treasury Board Policy on Internal Audit and the International Standards for the Professional Practice of Internal Auditing as established by the Institute of Internal Auditors (IIA).

Summary of recommendations and management action plans

1.13 The following is a summary of recommendations contained in this report with management's action plans to address the topics identified:

Recommendation 3.10
We recommend that the Executive Management Committee and the Commissioners establish a formal terms of reference document to specify what information is to be communicated to the Commissioners, the Chief Operating Officer or the Executive Management Committee. The document should include the timing of such communication.

Management action plan:
The Executive Management Committee has drafted and approved an Executive Management Committee terms of reference. The Commission terms of reference will be drafted by March 31,
Respondent: Chief Operating Officer

Recommendation 3.11
We recommend that management implement and approve a formal process to ensure that divisional people plans are reviewed on a quarterly basis. A quarterly review would ensure that identified gaps are addressed and re-prioritized as necessary in securing human resources to achieve the Canadian Grain Commission's organizational objectives.

Management action plan:
A process has been drafted for the quarterly monitoring of people plans. Human Resources has developed a template and instructions to assist in the quarterly monitoring of divisional people plans. Divisions have submitted progress reports of their people plans for the first quarter of for review by Human Resources. A summary of this review was prepared for and discussed with the Executive Management Committee in August
Divisions will continue to track their people plans on a quarterly basis. A review of quarterly monitoring will be conducted to identify ways to better consolidate monitoring mechanisms with other aspects of the Canadian Grain Commission integrated planning process by March 31,
Respondent: Director, Human Resources

Recommendation 3.12
We recommend that management implement a performance cycle for each Canadian Grain Commission division to enhance the ability to formally track and monitor the Performance Development and Achievement Program process. In addition, Human Resources should implement a process to ensure that those individuals receiving Personal Development and Achievement Program training are in fact completing Personal Development and Achievement Plans in a timely manner.

Management action plan:
Human Resources will draft measures and indicators that can be used to monitor the quantitative and qualitative aspects of the effectiveness of Personal Development and Achievement Program implementation. Measures will include those required for all divisions and those recommended by divisional management. This will include reviewing measures in the Public Service Management Dashboard. Human Resources will also consult with Employee Services and the administration officers group on mechanisms to monitor and track this information efficiently within divisions. Measures, and the corresponding monitoring plan, will be presented to the Executive Management Committee for approval by March 31,
Human Resources will meet with each divisional management team to develop a plan to select and monitor the Personal Development and Achievement Program measures by June 30, This will also include determining the performance cycle for employees within each division.
Human Resources will develop a process and an accountability mechanism as part of the Personal Development and Achievement Program training, to assist individuals in completing their Personal Development and Achievement Program in a timely manner, by June 30,
Human Resources will review reports from the Personal Development and Achievement Program monitoring and tracking system within three months of the training to confirm that participants have initiated their Personal Development and Achievement Program. Follow-up will occur for those that have not implemented Personal Development and Achievement Program.
Respondent: Director, Human Resources

Recommendation 3.18
We recommend, in continuing to refine the Integrated Risk Management process:
a. The Integrated Risk Management sub-group of the Integrated Planning Working Group and other key stakeholders be educated on how to assess residual risk as it relates to the annual environmental scan and other risks identified.
b. Management develop a timeline to implement the future plan of assessing residual risk for each of the 8 risk areas identified as part of the Canadian Grain Commission's corporate risk profile.
c. Management develop an action plan to determine the position or Canadian Grain Commission unit that will be accountable for coordinating and monitoring Integrated Risk Management on a long-term basis.

Management action plan:
a. An option to educate Commissioners, Executive Management and other key stakeholders on the nature of residual risk will be developed by March 31,
b. The identification of risk owners for each of the 8 risk areas in the Corporate Risk Profile will be completed by June 30, Subsequent to the educational session, executive management and risk owners will be expected to apply information from the learning session in order to assess the residual risk for each of the 8 areas of the corporate risk profile. Completion of residual risk assessment is anticipated by March 31,
c. A succession plan is in place for the Corporate Development Advisor within Corporate Services. The Corporate Development Advisor is accountable for coordinating and monitoring Integrated Risk Management on a long-term basis.
Respondent: Director, Corporate Services

Recommendation
We recommend that management develop an action plan to place greater focus on integrating the operational planning phase of the Canadian Grain Commission's annual planning cycle. This will ensure the resources required for day-to-day delivery of program activities (which are essential in achieving the Canadian Grain Commission's mandate) are planned and monitored throughout the year.

Management action plan:
Corporate Planner and Project Manager and Integrated Planning Working Group to:
- Identify and engage leaders for key Canadian Grain Commission operational planning processes by September 30, 2011
- Develop an integrated operational planning calendar that reflects current operational planning processes by December 31, 2011
- Research best practices in integrated operational planning at other government departments by March 31, 2012
- Present a multi-year plan to the Executive Management Committee proposing enhancements to operational planning timelines, processes and tools by April 30, 2012 and commence implementation of the plan during the fiscal year
Respondent: Director, Corporate Services

Recommendation 3.24
We recommend that management establish a process for ensuring that policies, procedures and other information necessary in carrying out the Canadian Grain Commission's mandate, programs and activities be regularly reviewed and updated as required. This will ensure that employees have the most accurate and up-to-date information available. Policies and procedures that are currently under development or being re-written should be closely monitored and promptly communicated to employees upon completion.

Management action plan:
An overview of the majority of policies and procedures has been incorporated into an easy-to-use tracking chart. This will be presented to the Executive Management Committee on October 6, Divisional directors will assign their leads to establish regular reviews. Divisions will be responsible for tracking updates. Policy changes will go to the Executive Management Committee as specified in the Executive Management Committee terms of reference. The web site will be updated by Multimedia Services and Communications until the web content management system is in place and then leads will update their own information.
Respondent: Director, Corporate Services

Recommendation
We recommend that management develop a plan to ensure that process owners and control owners for internal controls over financial reporting receive proper training so that they are aware of their roles and responsibilities in ensuring that internal controls over financial reporting are appropriately designed and continue to operate effectively. This training should be provided to other employees as required.

Management action plan:
Financial risk assessment will be performed to determine key business processes required for purposes of documenting internal controls over financial reporting. Identification of process and control owners for all key business processes will be completed by March Training will be provided once process and control owners (and other employees as applicable) have been identified. This training will ensure that they are aware of their roles and responsibilities in ensuring that Internal Controls over Financial Reporting are appropriately designed and continue to operate effectively. Training will occur throughout the project and may occur in various forms including newsletter articles, e-mails, presentations or formal training sessions.
Respondent: Chief Financial Officer

2.0 Audit report

Background

2.1 The Treasury Board Policy on Internal Control, which took effect on April 1, 2009, was introduced to ensure that risks relating to the reliability of financial reporting are adequately managed through a risk-based system of internal controls over Financial Reporting. Under the Policy on Internal Control, organizations are required to document and assess 3 levels of controls, one being entity-level controls.

2.2 As stated in the Policy on Internal Control: Diagnostic Tool for Departments and Agencies, entity-level controls are those controls that are pervasive across a department. They include the tone from the top including the organization's culture, values and ethics, governance, transparency and accountability mechanisms as well as the activities and tools put in place across the organization to raise staff awareness, ensure clear understanding of roles and responsibilities and solid capacities and abilities in managing risks well.

2.3 As the first phase of implementing the Policy on Internal Control and conducting the audit, Finance and Audit and Evaluation Services jointly undertook documentation of the Canadian Grain Commission's entity-level controls. They used the most commonly-used framework for assessing and documenting entity-level controls. The Committee of Sponsoring Organizations developed this framework.

2.4 The Committee of Sponsoring Organizations of the Treadway Commission is a private-sector organization chartered to research and report on improving the quality of financial reporting through values and ethics, internal controls and good organizational governance. In 1992 the Committee of Sponsoring Organizations developed the Internal Controls - Integrated Framework, which is still widely used in assessing entity-level controls to this day.

2.5 As part of the Internal Controls - Integrated Framework, the Committee of Sponsoring Organizations defined the following 5 broad categories. These categories, which were considered in the documentation and assessment of the Canadian Grain Commission's entity-level controls, are:

- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring

A definition for each category has been provided throughout the body of the report. Each category is further broken down into a varying number of sub-categories. For example, the Monitoring Category includes 3 separate sub-categories: Ongoing Monitoring, Separate Evaluations and Reporting Deficiencies. Refer to Appendix A for further details.

2.6 Entity-level controls are considered similar to the components of the Management Accountability Framework. Similar to entity-level controls, the Management Accountability Framework outlines the Treasury Board's expectations for good public service management. It is structured around 10 key sub-categories, essential in ensuring an organization is well-managed.

2.7 Given that the Canadian Grain Commission is considered to be a small agency, it is assessed for Management Accountability Framework purposes by the Treasury Board Secretariat every third year. During the fiscal year , the Canadian Grain Commission was required to participate in the Management Accountability Framework Round VIII assessment. The timing of the assessment was beneficial as documentation prepared by the Canadian Grain Commission for Management Accountability Framework VIII could be used for certain sub-categories of the Committee of Sponsoring Organizations Internal Controls - Integrated Framework.

Audit objective

2.8 The objective of the audit is to document and assess the design of the entity-level controls in place at the Canadian Grain Commission in order to provide assurance of their adequacy and to provide recommendations to improve noted deficiencies, if appropriate.

Audit scope

2.9 The Policy on Internal Control came into effect April 1, 2009. While the Policy on Internal Control requires the documentation and assessment of all 3 levels of controls (entity-level controls, information technology general controls and process level controls), the scope of the audit has been limited to the documentation and assessment of the design of entity-level controls.

2.10 Collection of evidence to support the key entity-level controls from various sources include: documentation submitted for Management Accountability Framework VIII; interviews with Commissioners, Executive Management and selected employees; documentation obtained from selected employees; and information posted on StaffNet, the Canadian Grain Commission's internal web site.

2.11 The scope of the audit explicitly excluded the test of operating effectiveness of entity-level controls in place at the Canadian Grain Commission. Note that the test of operating effectiveness would provide assurance that the controls continue to operate as intended over a period of time. Test of design provides assurance that controls are appropriately designed to mitigate the risks they are intended to address.

Audit criteria

2.12 Each of the sub-categories within the 5 Committee of Sponsoring Organizations categories described above is further broken down into a series of statements. The statements can be directly linked to an identified key entity-level control. There are a total of 82 statements within the Committee of Sponsoring Organizations framework.

2.13 The Audit Criteria for the assessment of entity-level controls can be simply summarized as the existence and design effectiveness of key entity-level controls for each of the 82 statements identified as part of the Committee of Sponsoring Organizations Framework.

Approach and methodology

2.14 The audit included interviews and examination of relevant communications, reports and other documentation related to entity-level controls.

2.15 The detailed examination phase was conducted from November 2010 to March It focused on identifying and assessing the design effectiveness of key entity-level controls. Procedures performed during the examination phase included:

- Reviewing Management Accountability Framework VIII information and submissions to determine which Management Accountability Framework documentation could be matched to the Committee of Sponsoring Organizations Internal Controls - Integrated Framework.
- Assessing information gaps resulting from the inability to directly link Management Accountability Framework VIII to the Committee of Sponsoring Organizations Internal Controls - Integrated Framework and determining what further evidence would be required.
- Developing an entity level control matrix to assess key controls in place for each of the 82 statements that make up each of the sub-categories within the 5 broad categories of the Committee of Sponsoring Organizations Internal Controls - Integrated Framework.
- Interviewing Executive Management, the Commissioners and other selected employees to:
  - Obtain an understanding of Management's attitude towards controls at the entity level on a collective basis
  - Corroborate that the entity-level controls identified through review of Management Accountability Framework VIII documentation are key controls according to Management
  - Provide management with the opportunity to identify what they consider to be the Canadian Grain Commission's key entity-level controls which may not have been covered as part of Management Accountability Framework VIII

2.16 As a result of the information reviewed and testing conducted during the audit, findings and potential recommendations were developed to allow for strengthening of the Canadian Grain Commission's entity-level controls. These were reviewed with the Chief Operating Officer and Chief Financial Officer. Management Action Plans were obtained from Canadian Grain Commission management and incorporated into this report. A Final Internal Audit Report was prepared to encompass management's commitments for improvement. The Final Report was reviewed on February 13, 2012 by the Departmental Audit Committee, who recommended approval by the Chief Commissioner. The Chief Commissioner subsequently approved this report.

3.0 Findings and recommendations

Overall entity-level control assessment

Findings:

3.1 As previously noted, Canadian Grain Commission entity-level controls were assessed based on the Committee of Sponsoring Organizations Internal Controls - Integrated Framework based on 5 broad categories. Overall entity-level control ratings for each of the categories were determined to be as follows:

Committee of Sponsoring Organizations Category    Rating
Control environment                               Acceptable
Risk assessment                                   Acceptable
Control activities                                Opportunity for improvement
Information and communication                     Acceptable
Monitoring                                        Opportunity for improvement

Refer to Entity-level control summary table in Appendix A for further details.

3.2 While certain categories received an overall rating of Opportunity for improvement or Acceptable, individual Committee of Sponsoring Organizations sub-categories within each of the 5 categories warrant further discussion. These are described further in each of the 5 category sections below. The sub-categories within each of the 5 categories have been bolded for purposes of linking to the results in Appendix A. It should be noted that the following only provides a summary of findings and does not include a description of all key entity-level controls identified through the assessment process.

Control Environment

Findings:

3.3 The control environment is influenced by management's operating style and the communication and promotion of values and ethics throughout the organization which are important factors in designing, administering and monitoring all control components of an organization.

3.4 Management's philosophy and operating style: Canadian Grain Commission Management's philosophy and operating style, including overall governance (e.g. the Commission, the Executive Management Committee and Departmental Audit Committee), indicates that the principles of management excellence are applied throughout the organization. The Executive Management Committee, the Commission and the Departmental Audit Committee set an appropriate tone from the top in guiding the Canadian Grain Commission in achieving its operational and strategic objectives. The challenge that could present itself is that there are 2 levels of governance: the Executive Management Committee and the Commission. Open communication between the Executive Management Committee and the Commission ensures that priorities remain realistic and that organizational objectives are achieved as intended. However, there is currently no formal guidance on what information should be presented to the Commissioners, the Chief Operating Officer or the Executive Management Committee. Such guidance would be beneficial in educating new Commissioners and new members of the Executive Management Committee or those in acting assignments.

3.5 Assignment of authority and responsibility: Assignment of authority and responsibility is clearly communicated throughout the organization. Open communication is encouraged and the Executive Management Committee is committed to being effective leaders and modelling behaviors which employees are expected to demonstrate. The Executive Management Committee Charter demonstrates that the Executive Management Committee is committed to the current and future direction of the organization.

3.6 Organizational structure: A clear and effective organizational structure that is linked to the Canadian Grain Commission's Program Activity Architecture is in place and has been communicated to employees and stakeholders via the Canadian Grain Commission web site. While effective organizational structures are known and in place, the documentation has not been updated on the Canadian Grain Commission's web site. For example, the Chief Financial Officer and the Chief Audit Executive report directly to the Chief Commissioner. However, the web site has not been updated to reflect this. Management has indicated that refinements will be reflected in an updated Governance Structure to be submitted to Treasury Board during the fiscal year.

3.7 Integrity and ethical values: Management openly communicates the importance of integrity and ethical values principles. These principles have been integrated into the organization's programs and activities. The Canadian Grain Commission has been developing an organizational Values and Ethics Code throughout All government departments are required to have their own code that is consistent with the new Treasury Board code scheduled for completion by March 31, However, approval of the Treasury Board code has been delayed. It is now scheduled for release in April The Canadian Grain Commission is planning to publish its Values and Ethics Code shortly after the publication of the Treasury Board's. In addition, an internal policy on formal disclosure procedures to report known or suspected wrongdoing is currently under development.

3.8 Commitment to competence: Executive Management's commitment to competence is demonstrated through a current project to develop competency frameworks for numerous positions at the Canadian Grain Commission. In addition, the Canadian Grain Commission has developed a competency dictionary to assist management in determining competencies required to perform a specific position's responsibilities. 3 core competencies required for appointment have been identified: Effective Interactive Communication, Adaptability and Being a Team-Player. Management has also indicated that commitment to competence is achieved through the People Planning process. However, there are some concerns that deficiencies exist in the monitoring and tracking of the Canadian Grain Commission-wide people plan and divisional people plans. Monitoring and tracking ensures that gaps are being addressed throughout the year. People planning is considered during the Canadian Grain Commission's integrated planning phase. However, input into integrated planning related to people planning is only relevant and meaningful for the delivery of the Canadian Grain Commission's mandate if people plans continue to be reviewed and revised on an on-going basis. Discussions with Human Resources indicate that there are plans to formalize the process wherein divisional teams would meet with Human Resources on a quarterly basis to go over divisional people plans, perform a variance analysis and re-prioritize where necessary. Significant variances would then be tabled at the Executive Management Committee.

3.9 Human resources policies and practices: Several Human Resource policies and practices exist and have been communicated to employees. They include, but are not limited to, the People Management Framework, Canadian Grain Commission training requirements, and the Informal Conflict Management System. In addition, the Canadian Grain Commission has developed the Performance Development and Achievement Program. However, a more comprehensive tracking process to monitor implementation is required. Currently the performance cycle is not aligned with the Canadian Grain Commission's fiscal year end. Human Resources rely on each Canadian Grain Commission division to collect information about how many employees within the division have completed their Performance and Learning Agreement regardless of the cycle. While directors and their direct reports have completed their Performance and Learning Agreements, approximately 60% of Canadian Grain Commission employees (particularly in the regions) have not had the opportunity to fully participate in the program. The organization continues to roll out Personal Development and Achievement Program training to educate employees on how to link their personal performance objectives with the strategic outcome of the Canadian Grain Commission.

Recommendations:

3.10 We recommend that the Executive Management Committee and the Commissioners establish a formal Terms of Reference document to specify what information is to be communicated to the Commissioners, the Chief Operating Officer or the Executive Management Committee including the timing of such communication.

3.11 We recommend that management implement and approve a formal process to ensure that Divisional People Plans are reviewed on a quarterly basis to ensure that gaps identified are addressed and re-prioritized as necessary in securing human resources to achieve the Canadian Grain Commission's organizational objectives.

3.12 We recommend that management implement a performance cycle for each division to enhance the ability to formally track and monitor the Performance Development and Achievement Program process. In addition, Human Resources should implement a process to ensure that those individuals receiving Personal Development and Achievement Program training are in fact completing Personal Development and Achievement plans in a timely manner.

Risk Assessment

Findings:

3.13 Every organization faces a variety of risks from external and internal sources that must be assessed at entity-wide and activity levels throughout its operation. Management's approach to managing organizational risk is an essential factor in ensuring the sustainability of an organization.

3.14 Entity-wide objectives: Entity-wide objectives have been established and communicated to employees and industry stakeholders through the Canadian Grain Commission's mandate, vision, values and strategic outcome as well as through the Departmental Report on Plans and Priorities and the Departmental Performance Report. The Canadian Grain Commission's plans and priorities are consistent with the Canadian Grain Commission's mandate and the strategic direction of the organization. Significant efforts have been placed on strategic planning over the past few years. However, less emphasis has been placed on operational planning. Management is aware of this issue and has decided to focus more on operational planning. Plans include closer monitoring of Key Performance Indicators related to program activities on a quarterly basis and the identification of additional quantitative program activity Key Performance Indicators.

3.15 Activity-level objectives: Performance against targets of Activity-level Objectives is reported to the Executive Management Committee through a quarterly tracking tool that captures results information and challenges and lessons learned related to each of the organization's program activities. This tool also captures results, challenges and lessons learned related to the Canadian Grain Commission's strategic priorities. Strategic priorities are identified as part of the annual Strategic Planning Process.

3.16 Risks and change management: The Canadian Grain Commission has taken action to address risks and change management affecting the organization. A corporate risk profile exists. The Integrated Risk Management project, started in 2010, resulted in input to the strategic planning process. The identified risks have been linked to the organizational Program Activity Architecture and have been considered as part of the Report on Plans and Priorities. Likelihood and impact were considered as part of the risk assessment process; however, residual risk has not been ranked. Currently, the Integrated Risk Management project remains a work in progress with future plans to enhance the process as follows:

- Identify the level of residual risk for each of the 8 risk areas identified in the Canadian Grain Commission's Corporate Risk Profile
- The Corporate Risk Profile to be revised, completed and Canadian Grain Commission staff notified of its completion

17 Risk management training for staff to be undertaken by the Canadian Grain Commission within the next 2 years While the Integrated Risk Management project and working group continues to be led by the Corporate Development Advisor, currently there is no formal plan in place to transition the coordination and ongoing monitoring of Integrated Risk Management upon the upcoming retirement of the Corporate Development Advisor. Given that risk management is an essential component in effectively managing an organization, responsibility for such a function should be assigned at all times The Policy and Planning Group is responsible for coordinating and preparing the Canadian Grain Commission s annual environmental scan which identifies potential and emerging threats, opportunities and risks that need to be considered by the Canadian Grain Commission. Risks identified as part of the environmental scan are not necessarily ranked based on likelihood and impact to the organization. Going forward, the plan is to integrate the Integrated Risk Management and Integrated Planning Working Groups for purposes of the planning process. This would enhance the identification of key risks which are identified as part of the environmental scan. Recommendation: 3.18 We recommend that in continuing to refine the Integrated Risk Management process: a. The Integrated Risk Management sub-group of the Integrated Planning Working Group and other key stakeholders be educated on how to assess residual risk as it relates to the annual environmental scan and other risks identified. b. Management develop a timeline to implement the future plan of assessing residual risk for each of the eight risk areas identified as part of the Canadian Grain Commission s corporate risk profile. c. 
Management develops an action plan to determine the position(s) or Canadian Grain Commission unit(s) that will be responsible or accountable for coordinating and monitoring Integrated Risk Management on a long-term basis We recommend that management develop an action plan to place greater focus on integrating the operational planning phase of the Canadian Grain Commission's annual planning cycle. This will ensure the resources required for the day-to-day delivery of program activities (which are essential in achieving the Canadian Grain Commission's mandate) are planned and monitored throughout the year. Control Activities Findings: 3.20 Control activities Control activities are policies and procedures for implementing management directives. Control activities cover a wide spectrum and include but are not limited to delegated Canadian Grain Commission 16 Entity Level Controls 2011

18 authorities, verifications, security of assets, segregation of duties and information systems Several policies and procedures for the program activities within the Canadian Grain Commission s Program Activity Architecture have been established and communicated. Examples of such policies and procedures include: Industry Services QMS/ISO 9001:2008 Financial Management Licensing Compliance Audits People Management Health and Safety Information Technology 3.22 Several policies and procedures necessary for the Canadian Grain Commission to carry out its mandate are currently in place. However, there are also policies and procedures that require further development to ensure that the Canadian Grain Commission continues to operate as effectively and efficiently as possible. Management is currently aware of the need to update certain policies and procedures including: Business Continuity and Information Technology Disaster Recovery Plan Grain Research Laboratory ISO Accreditation Grain Research Laboratory overall program policies and procedures Information Technology and Non-Information Technology Asset Management Information Management 3.23 In addition, there is currently no working group or process in place to regularly review and update financial policies and procedures or other organizational policies and procedures. Such policies and procedures are reviewed regularly, but on an ad hoc basis. It is the responsibility of each divisional unit to ensure information is kept current. Discussions with management suggest that StaffNet needs to be reviewed and updated to ensure that the most recent policies and procedures are being communicated to staff. 
Recommendation:

3.24 We recommend that management establish a process for ensuring that policies, procedures and other information necessary in carrying out the Canadian Grain Commission's mandate, programs and activities be regularly reviewed and updated as required to ensure that employees have the most accurate and up-to-date information available. Policies and procedures that are currently under development or being rewritten should be closely monitored and promptly communicated to employees upon completion.

Information and Communication

Findings:

3.25 Information and communication

An organization needs information and communication at all levels to run the day-to-day operations, and move towards achievement of its objectives.

Canadian Grain Commission management proactively communicates financial and non-financial information to employees, key stakeholders and other interested parties on a timely basis. This is seen through the Report on Plans and Priorities, Departmental Performance Report, the delivery of Odyssey and Leadership sessions to employees, employee newsletters and announcements and consultation and communication with external parties.

The Canadian Grain Commission has developed a 5-year global communications plan that addresses both external and internal communications, which has been approved by the Executive Management Committee. While the plan's contents remain a work in progress, the Canadian Grain Commission web site provides a variety of information for producers and other industry stakeholders including information about grain quality, quantity and research, statistical information, legislation and policies and user fees.

The Canadian Grain Commission has developed several forms and procedures that support the customer service and service improvement components of ISO 9001:2008. The Canadian Grain Commission has also established a number of client feedback committees that involve participation of several key stakeholders including grain producers, producer groups, industry associations and grain companies.

The Canadian Grain Commission currently has an Information Management committee that includes representatives from Statistics, Communications, Information Technology and Administration to ensure the development of all information components are aligned with the Records Information Management project. The Records Information Management project is ongoing and is in stage 4 of the 5-stage project.

Information Technology Systems strategic and operational plans have been developed and approved by the Executive Management Committee. The plans include actions to ensure that records, data and information are properly secured and that controls are in place to prevent unauthorized access. Given that these plans are relatively new, there is currently no formal process for ensuring that operational and strategic initiatives are being met. Management is aware of the issue and will be developing a strategy to track progress of Information Technology Systems operational and strategic plans going forward.

Given the size of the Canadian Grain Commission, resource constraints need to be considered when allocating financial and human resources to information and communication management, which could in turn result in a lack of integration of information systems throughout the organization; however, management is committed to providing resources to information and communication management where feasible given these resource constraints.

Monitoring

Findings:

3.32 Control systems, policies and procedures tend to change over time and thus monitoring ensures that organizations continue to operate effectively in light of such changes.

Separate evaluations

Separate evaluations of organizational effectiveness are provided through various sources including internal audit, central agency audits (e.g. Public Service Commission), external audit (financial statements), Management Accountability Framework assessments and, in the future, program evaluation. Management Action Plans are identified in response to recommendations provided by internal audit and other external parties. Discussion with the Executive Management Committee and the Commissioners provided consistent messaging that before recommendations are agreed to and an action plan is formulated, management must ensure the recommendations are practical for the organization. Resource constraints including time, employees and funding need to be considered when determining the best way to address issues that were identified.

Reporting deficiencies

The Committee of Sponsoring Organizations sub-category Reporting Deficiencies focuses on ensuring there are proper mechanisms in place to identify internal control or reporting deficiencies. It also ensures that appropriate follow-up actions are taken by management to address any noted deficiencies. There are several controls in place to identify reporting deficiencies. For example, financial results are presented to the Commission and the Executive Management Committee for approval on a monthly basis. The Departmental Audit Committee reviews and recommends financial statements for approval on a quarterly basis. In addition, all members of the Executive Management Committee are actively involved in the budgeting process. Re-profiling requirements made during the year are approved by the Executive Management Committee and the Commission.

Ongoing monitoring

From an ongoing monitoring perspective, it should be noted that internal controls over financial reporting do exist. However, these have not been formally documented. Under the Policy on Internal Control, the Canadian Grain Commission has yet to fully implement a process to ensure that control documentation and processes relevant for internal controls over financial reporting remain current and up-to-date. The Canadian Grain Commission has developed a multi-year action plan in order to comply with the Policy on Internal Control. The new Statement of Management Responsibility and its annex were completed by the Canadian Grain Commission within the required timelines for the fiscal year. In addition, a Policy on Internal Control Steering Committee has been established and will be meeting on an ongoing basis to determine the next steps of the project, including risk assessment, scoping and control documentation. Given that the Canadian Grain Commission is only in the initial phases of the Policy on Internal Control project, training related to the ongoing monitoring of internal controls over financial reporting has not been provided. Issues relating to the project will be addressed by the Policy on Internal Control Steering Committee as the 3-year phased-in approach continues to evolve.

Recommendation:

3.36 We recommend that management develop a plan to ensure that proper training is provided to educate owners of the Internal Controls over Financial Reporting process and control owners (and other employees as required) so that they are aware of their roles and responsibilities in ensuring that internal controls over financial reporting are appropriately designed and continue to operate effectively.

We express our appreciation to the Executive Management Committee and the Commissioners for their assistance during the course of the audit.

This audit has been reviewed with:
Gordon Miles, Chief Operating Officer
Cheryl Blahey, Chief Financial Officer

Audit & Evaluation Services Contact
Brian Brown, Chief Audit Executive

Appendix A: Canadian Grain Commission - Entity-level control assessment summary

| | Compliant (3) | Partially compliant (3) | Non compliant (3) | Weighted rating (3) |
|---|---|---|---|---|
| CE (Control Environment) (1) | | | | 88% |
| A Integrity and ethical values | 50% | 50% | 0% | 75% |
| B Commitment to competence | 50% | 50% | 0% | 75% |
| C The Commission, the Executive Management Committee and Department Audit Committee | 89% | 11% | 0% | 94% |
| D Management's philosophy and operating Style | 80% | 20% | 0% | 90% |
| E Organizational structure | 67% | 33% | 0% | 83% |
| F Assignment of authority and responsibility | 100% | 0% | 0% | 100% |
| G Human Resources policies and practices | 100% | 0% | 0% | 100% |
| RA (Risk assessment) (1) | | | | 76% |
| A Entity-wide objectives | 75% | 25% | 0% | 88% |
| B Activity-level objectives | 86% | 14% | 0% | 93% |
| C Risks | 50% | 50% | 0% | 75% |
| D Managing change | 0% | 100% | 0% | 50% |
| CA (Control activities) (1) | | | | 50% |
| A - Control activities | 0% | 100% | 0% | 50% |
| IC (Information and communication) (1) | | | | 80% |
| A Information | 50% | 50% | 0% | 75% |
| B Communication | 71% | 29% | 0% | 86% |
| MON (Monitoring) (1) | | | | 67% |
| A Ongoing monitoring | 22% | 57% | 11% | 51% |
| B Separate evaluations | 0% | 100% | 0% | 50% |
| C Reporting deficiencies | 100% | 0% | 0% | 100% |

| Assessment rating | the Committee of Sponsoring Organizations Statements (2) | % |
|---|---|---|
| Compliant | 49 | 60% |
| Partially compliant | 32 | 39% |
| Non-compliant | 1 | 1% |
| Total | | % |

Note 1: CE, RA, CA, IC and MON represent the 5 Committee of Sponsoring Organizations Categories within the Committee of Sponsoring Organizations Internal Controls-Integrated Framework. Each of the Committee of Sponsoring Organizations Categories is further broken down into the sub-categories noted above.

Note 2: Each of the sub-categories noted within the Committee of Sponsoring Organizations Internal Controls-Integrated Framework has a varying series of statements that can be directly linked to a key ELC for a total of 82 statements. 32 instances of partial compliance were noted which indicates that while not fully compliant with 29 of the Committee of Sponsoring Organizations statements; actions are currently underway to achieving full compliance in the future. The one instance of non-compliance relates to training on Internal Controls over Financial Reporting not yet provided to employees and will be addressed as the Policy on Internal Controls project continues to evolve.


More information

ENTERPRISE RISK MANAGEMENT POLICY

ENTERPRISE RISK MANAGEMENT POLICY ENTERPRISE RISK MANAGEMENT POLICY TITLE OF POLICY POLICY OWNER POLICY CHAMPION DOCUMENT HISTORY: Policy Title Status Enterprise Risk Management Policy (current, revised, no change, redundant) Approving

More information

UNITED NATIONS OFFICE FOR PROJECT SERVICES. ORGANIZATIONAL DIRECTIVE No. 33. UNOPS Strategic Risk Management Planning Framework

UNITED NATIONS OFFICE FOR PROJECT SERVICES. ORGANIZATIONAL DIRECTIVE No. 33. UNOPS Strategic Risk Management Planning Framework UNOPS UNITED NATIONS OFFICE FOR PROJECT SERVICES Headquarters, Copenhagen O.D. No. 33 16 April 2010 ORGANIZATIONAL DIRECTIVE No. 33 UNOPS Strategic Risk Management Planning Framework 1. Introduction 1.1.

More information

Audit of Mobile Telecommunication Devices

Audit of Mobile Telecommunication Devices Recommended by the Departmental Audit Committee for approval by the President on September 12, 2012 Approved by the CNSC President on November 13, 2012 e-doc: 3927102 Table of Contents Executive Summary...

More information

COSO Internal Control Integrated Framework (2013)

COSO Internal Control Integrated Framework (2013) COSO Internal Control Integrated Framework (2013) The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its updated Internal Control Integrated Framework (2013 Framework)

More information

Aboriginal Affairs and Northern Development Canada. Internal Audit Report. Prepared by: Audit and Assurance Services Branch.

Aboriginal Affairs and Northern Development Canada. Internal Audit Report. Prepared by: Audit and Assurance Services Branch. Aboriginal Affairs and Northern Development Canada Internal Audit Report Audit of Water and Wastewater Infrastructure Prepared by: Audit and Assurance Services Branch Project # 12-10 February 2013 TABLE

More information

Audit of Occupational Safety and Health (OSH)

Audit of Occupational Safety and Health (OSH) National Research Council Canada Audit of Occupational Safety and Health (OSH) Internal Audit, NRC SEPTEMBER 2010 1.0 Executive Summary and Conclusion Background This report presents the findings of the

More information

R000. Revision Summary Revision Number Date Description of Revisions R000 Feb. 18, 2011 Initial issue of the document.

R000. Revision Summary Revision Number Date Description of Revisions R000 Feb. 18, 2011 Initial issue of the document. 2 of 34 Revision Summary Revision Number Date Description of Revisions Initial issue of the document. Table of Contents Item Description Page 1. Introduction and Purpose... 5 2. Project Management Approach...

More information

Internal Auditing: Assurance, Insight, and Objectivity

Internal Auditing: Assurance, Insight, and Objectivity Internal Auditing: Assurance, Insight, and Objectivity WHAT IS INTERNAL AUDITING? INTERNAL AUDITING business people all around the world are familiar with the term. But do they understand the value it

More information

B o a r d of Governors of the Federal Reserve System. Supplemental Policy Statement on the. Internal Audit Function and Its Outsourcing

B o a r d of Governors of the Federal Reserve System. Supplemental Policy Statement on the. Internal Audit Function and Its Outsourcing B o a r d of Governors of the Federal Reserve System Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing January 23, 2013 P U R P O S E This policy statement is being issued

More information

Aboriginal Affairs and Northern Development Canada. Internal Audit Report. Audit of Internal Controls Over Financial Reporting.

Aboriginal Affairs and Northern Development Canada. Internal Audit Report. Audit of Internal Controls Over Financial Reporting. Aboriginal Affairs and Northern Development Canada Internal Audit Report Audit of Internal Controls Over Financial Reporting Prepared by: Audit and Assurance Services Branch Project #: 14-05 November 2014

More information

ONTARIO'S DRINKING WATER QUALITY MANAGEMENT STANDARD

ONTARIO'S DRINKING WATER QUALITY MANAGEMENT STANDARD July 2007 ONTARIO'S DRINKING WATER QUALITY MANAGEMENT STANDARD POCKET GUIDE PIBS 6278e The Drinking Water Quality Management Standard (DWQMS) was developed in partnership between the Ministry of the Environment

More information

Department of Audit and Compliance. Quality Self-Assessment

Department of Audit and Compliance. Quality Self-Assessment Department of Audit and Compliance Quality Self-Assessment November 2014 CONTENTS EXECUTIVE SUMMARY... 2 PURPOSE OF SELF-ASSESSMENT... 4 SELF-ASSESSMENT SCOPE OF WORK... 4 RESULTS OF SELF-ASSESSMENT WORK...

More information

Courts Administration Service (CAS) Audit of Integrated Risk Management

Courts Administration Service (CAS) Audit of Integrated Risk Management Courts Administration Service (CAS) Audit of Integrated Risk Management Original signed by JULY 21, 2015 MR. DANIEL GOSSELIN CHIEF ADMINISTRATOR DATE TABLE OF CONTENTS 1 EXECUTIVE SUMMARY... 3 1.1 Background...

More information

Performance Measures for Internal Auditing

Performance Measures for Internal Auditing Performance Measures for Internal Auditing A simple question someone may ask is Why measure performance? An even simpler response would be that what gets measured gets done. McMaster University s discussion

More information

Enterprise Risk Management

Enterprise Risk Management Cayman Islands Society of Professional Accountants Enterprise Risk Management March 19, 2015 Dr. Sandra B. Richtermeyer, CPA, CMA What is Risk Management? Risk management is a process, effected by an entity's

More information

Table of Contents PERFORMANCE REVIEWS STRATEGIC REVIEWS

Table of Contents PERFORMANCE REVIEWS STRATEGIC REVIEWS SECTION 270 PERFORMANCE AND STRATEGIC REVIEWS Table of Contents 270.1 To which agencies does this section apply? 270.2 What is the purpose of this section? PERFORMANCE REVIEWS 270.3 What is the purpose

More information

TECK RESOURCES LIMITED AUDIT COMMITTEE CHARTER

TECK RESOURCES LIMITED AUDIT COMMITTEE CHARTER Page 1 of 7 A. GENERAL 1. PURPOSE The purpose of the Audit Committee (the Committee ) of the Board of Directors (the Board ) of Teck Resources Limited ( the Corporation ) is to provide an open avenue of

More information

Develop Project Charter. Develop Project Management Plan

Develop Project Charter. Develop Project Management Plan Develop Charter Develop Charter is the process of developing documentation that formally authorizes a project or a phase. The documentation includes initial requirements that satisfy stakeholder needs

More information

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015 Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015 OIG-16-A-03 November 12, 2015 All publicly available OIG reports (including

More information

Export Development Canada

Export Development Canada Export Development Canada Special Examination Report 2009 Office of the Auditor General of Canada Bureau du vérificateur général du Canada Ce document est également publié en français. Office of the Auditor

More information

Audit of Financial Reporting Controls

Audit of Financial Reporting Controls Audit of Financial Reporting Controls WESTERN ECONOMIC DIVERSIFICATION CANADA Audit & Evaluation Branch February 2012 Table of Contents 1.0 Executive Summary 1 2.0 Statement of Assurance 1 3.0 Introduction

More information

UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL

UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL Evaluation and Inspection Services Memorandum May 5, 2009 TO: FROM: SUBJECT: James Manning Acting Chief Operating Officer Federal Student

More information

How To Ensure Health Information Is Protected

How To Ensure Health Information Is Protected pic pic CIHI Submission: 2011 Prescribed Entity Review October 2011 Who We Are Established in 1994, CIHI is an independent, not-for-profit corporation that provides essential information on Canada s health

More information

ENTERPRISE RISK MANAGEMENT FRAMEWORK

ENTERPRISE RISK MANAGEMENT FRAMEWORK ROCKHAMPTON REGIONAL COUNCIL ENTERPRISE RISK MANAGEMENT FRAMEWORK 2013 Adopted 25 June 2013 Reviewed: October 2015 TABLE OF CONTENTS 1. Introduction... 3 1.1 Council s Mission... 3 1.2 Council s Values...

More information

PROJECT MANAGEMENT FRAMEWORK

PROJECT MANAGEMENT FRAMEWORK PROJECT MANAGEMENT FRAMEWORK DOCUMENT INFORMATION DOCUMENT TYPE: DOCUMENT STATUS: POLICY OWNER POSITION: INTERNAL COMMITTEE ENDORSEMENT: APPROVED BY: Strategic document Approved Executive Assistant to

More information

Internal Audit. Audit of HRIS: A Human Resources Management Enabler

Internal Audit. Audit of HRIS: A Human Resources Management Enabler Internal Audit Audit of HRIS: A Human Resources Management Enabler November 2010 Table of Contents EXECUTIVE SUMMARY... 5 1. INTRODUCTION... 8 1.1 BACKGROUND... 8 1.2 OBJECTIVES... 9 1.3 SCOPE... 9 1.4

More information

Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Frequently Asked Questions

Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Frequently Asked Questions Guide to the Sarbanes-Oxley Act: IT Risks and Controls Frequently Asked Questions Table of Contents Page No. Introduction.......................................................................1 Overall

More information

ENTERPRISE RISK MANAGEMENT FRAMEWORK

ENTERPRISE RISK MANAGEMENT FRAMEWORK ENTERPRISE RISK MANAGEMENT FRAMEWORK COVENANT HEALTH LEGAL & RISK MANAGEMENT CONTENTS 1.0 PURPOSE OF THE DOCUMENT... 3 2.0 INTRODUCTION AND OVERVIEW... 4 3.0 GOVERNANCE STRUCTURE AND ACCOUNTABILITY...

More information

Practice Guide COORDINATING RISK MANAGEMENT AND ASSURANCE

Practice Guide COORDINATING RISK MANAGEMENT AND ASSURANCE Practice Guide COORDINATING RISK MANAGEMENT AND ASSURANCE March 2012 Table of Contents Executive Summary... 1 Introduction... 1 Risk Management and Assurance (Assurance Services)... 1 Assurance Framework...

More information

Internal Audit Manual

Internal Audit Manual COMPTROLLER OF ACCOUNTS Ministry of Finance Government of the Republic of Trinidad Tobago Internal Audit Manual Prepared by the Financial Management Branch, Treasury Division, Ministry of Finance TABLE

More information

Aboriginal Affairs and Northern Development Canada. Internal Audit Report. Audit of Economic Development Programs. Prepared by:

Aboriginal Affairs and Northern Development Canada. Internal Audit Report. Audit of Economic Development Programs. Prepared by: Aboriginal Affairs and Northern Development Canada Internal Audit Report Audit of Economic Development Programs Prepared by: Audit and Assurance Services Branch Project No. 13-44 February 2014 TABLE OF

More information

Audit of IT Asset Management Report

Audit of IT Asset Management Report Audit of IT Asset Management Report Recommended by the Departmental Audit Committee for approval by the President on Approved by the President on September 4, 2012 e-doc : 3854899 1 Table of Contents EXECUTIVE

More information

Mecklenburg County Department of Internal Audit. PeopleSoft Application Security Audit Report 1452

Mecklenburg County Department of Internal Audit. PeopleSoft Application Security Audit Report 1452 Mecklenburg County Department of Internal Audit PeopleSoft Application Security Audit Report 1452 February 9, 2015 Internal Audit s Mission Through open communication, professionalism, expertise and trust,

More information

PRIVY COUNCIL OFFICE. Audit of Information Technology (IT) Security. Final Report

PRIVY COUNCIL OFFICE. Audit of Information Technology (IT) Security. Final Report An asterisk appears where sensitive information has been removed in accordance with the Access to Information Act and Privacy Act. PRIVY COUNCIL OFFICE Audit of Information Technology (IT) Security Audit

More information

Financial Management Framework >> Overview Diagram

Financial Management Framework >> Overview Diagram June 2012 The State of Queensland (Queensland Treasury) June 2012 Except where otherwise noted you are free to copy, communicate and adapt this work, as long as you attribute the authors. This document

More information

Audit of Monitoring and Payments

Audit of Monitoring and Payments Audit of Monitoring and Payments WESTERN ECONOMIC DIVERSIFICATION CANADA Audit & Evaluation Branch June 2011 Table of Contents 1.0 Executive Summary 1 Findings 1 2.0 Statement of Assurance 2 3.0 Introduction

More information

Integrated Risk Management:

Integrated Risk Management: Integrated Risk Management: A Framework for Fraser Health For further information contact: Integrated Risk Management Fraser Health Corporate Office 300, 10334 152A Street Surrey, BC V3R 8T4 Phone: (604)

More information

DRAFT Report on Office of the Superintendent of Financial Report on Institutions Office of the Superintendent of Financial

DRAFT Report on Office of the Superintendent of Financial Report on Institutions Office of the Superintendent of Financial DRAFT Report on Office of the Superintendent of Financial Report on Institutions Office of the Superintendent of Financial Institutions Regulation Sector Approvals & Precedents Group Office of the Chief

More information

FMCF certification checklist 2014-15 (incorporating the detailed procedures) 2014-15 certification period. Updated May 2015

FMCF certification checklist 2014-15 (incorporating the detailed procedures) 2014-15 certification period. Updated May 2015 FMCF certification checklist 2014-15 (incorporating the detailed procedures) 2014-15 certification period Updated May 2015 The Secretary Department of Treasury and Finance 1 Treasury Place Melbourne Victoria

More information

INTERNAL AUDIT CHARTER AND TERMS OF REFERENCE

INTERNAL AUDIT CHARTER AND TERMS OF REFERENCE INTERNAL AUDIT CHARTER AND TERMS OF REFERENCE CHARTERED INSTITUTE OF INTERNAL AUDIT DEFINITION OF INTERNAL AUDIT Internal auditing is an independent, objective assurance and consulting activity designed

More information

A Risk-Based Audit Strategy November 2006 Internal Audit Department

A Risk-Based Audit Strategy November 2006 Internal Audit Department Mental Health Mental Retardation Authority of Harris County ENTERPRISE RISK MANAGEMENT A Framework For Assessing, Evaluating And Measuring Our Agency s Risk A Risk-Based Audit Strategy November 2006 Internal

More information

KING III CORPORATE GOVERNANCE COMPLIANCE REGISTER

KING III CORPORATE GOVERNANCE COMPLIANCE REGISTER KING III CORPORATE GOVERNANCE REGISTER CHAPTER 1: ETHICAL LEADERSHIP AND CORPORATE CITIZENSHIP NON 1.1. The board should provide effective leadership based on an ethical foundation 1.2. The board should

More information

PROJECT MANAGEMENT PLAN Outline VERSION 0.0 STATUS: OUTLINE DATE:

PROJECT MANAGEMENT PLAN Outline VERSION 0.0 STATUS: OUTLINE DATE: PROJECT MANAGEMENT PLAN Outline VERSION 0.0 STATUS: OUTLINE DATE: Project Name Project Management Plan Document Information Document Title Version Author Owner Project Management Plan Amendment History

More information

Periodic risk assessment by internal audit

Periodic risk assessment by internal audit Periodic risk assessment by internal audit I Introduction The Good Practice Internal Audit Manual Template, developed by the Internal Audit CoP of Pempal, defines the importance and the impact that an

More information

Implementing an Integrated City-wide Risk Management Framework

Implementing an Integrated City-wide Risk Management Framework AUDITOR GENERAL S REPORT ACTION REQUIRED Implementing an Integrated City-wide Risk Management Framework Date: June 11, 2015 To: From: Wards: Audit Committee Auditor General All Reference Number: SUMMARY

More information

Audit of Construction Contracts

Audit of Construction Contracts National Research Council Canada Audit of Construction Contracts Internal Audit, NRC January 2009 TABLE OF CONTENTS 1.0 Executive Summary... 1 2.0 Introduction... 6 2.1 Background and context... 6 2.2

More information

Governance, Risk and Compliance Charter

Governance, Risk and Compliance Charter Governance, Risk and Compliance Charter Charter Owner Director GRC Charter Approver Board of Management Effective date November 15 th, 2013 Date of issue Version Name Title 15 Nov 2013 1.0 Fokko Kool Group

More information

Practice guide. quality assurance and IMProVeMeNt PrograM

Practice guide. quality assurance and IMProVeMeNt PrograM Practice guide quality assurance and IMProVeMeNt PrograM MarCh 2012 Table of Contents Executive Summary... 1 Introduction... 2 What is Quality?... 2 Quality in Internal Audit... 2 Conformance or Compliance?...

More information

Regulatory Compliance Management (RCM) (formerly Legislative Compliance Management (LCM))

Regulatory Compliance Management (RCM) (formerly Legislative Compliance Management (LCM)) Guideline Subject: Category: (RCM) (formerly Legislative Compliance Management (LCM)) Sound Business & Financial Practices No: E-13 Date: November 2014 I. Purpose and Scope of the Guideline The purpose

More information

Audit Report. Effectiveness of IT Controls at the Global Fund Follow-up report. GF-OIG-15-20b 26 November 2015 Geneva, Switzerland

Audit Report. Effectiveness of IT Controls at the Global Fund Follow-up report. GF-OIG-15-20b 26 November 2015 Geneva, Switzerland Audit Report Effectiveness of IT Controls at the Global Fund Follow-up report GF-OIG-15-20b Geneva, Switzerland Table of Contents I. Background and scope... 3 II. Executive Summary... 4 III. Status of

More information

Safety Management Program

Safety Management Program Corrective Action Plan (CAP) Safety Management Program Submitted by TransCanada PipeLines Limited and its National Energy Board Regulated Subsidiaries to address non-compliant findings in the National

More information

Audit of Accounts Receivable

Audit of Accounts Receivable WESTERN ECONOMIC DIVERSIFICATION CANADA Audit and Evaluation Branch October 2009 Table of Contents 1.0 EXECUTIVE SUMMARY 1 Statement of Assurance 2 2. 0 INTRODUCTION 3 Background 3 Audit Objectives 3 Key

More information

COMPLIANCE CHARTER 1

COMPLIANCE CHARTER 1 COMPLIANCE CHARTER 1 Contents 1. Compliance Policy Statement... 2 2. Purpose... 2 3. Mission and objective of the Directorate: Compliance... 2 3.1 Mission... 2 3.2 Objective... 3 4. Compliance risk management...

More information

Internal Auditing Guidelines

Internal Auditing Guidelines Internal Auditing Guidelines Recommendations on Internal Auditing for Lottery Operators Issued by the WLA Security and Risk Management Committee V1.0, March 2007 The WLA Internal Auditing Guidelines may

More information