Internal Controls Monitoring – 2022‑23 Results (Year 2)
Table of Contents
EXECUTIVE SUMMARY
Since 2017, the Military Police Complaints Commission (MPCC) has developed process controls over financial reporting and is in a mature phase of the implementation of the Policy on Financial Management.
The scope of work for the current period therefore included the following:
Business Processes
- IT Asset Planning
- Pay Administration
- Budgeting and Forecasting
- Investigations (non-financial processes)
IT General Controls
- Infrastructure Security
Business Process Controls
The assessment found that key internal controls over financial reporting related to the business processes in scope for the year 2022/23 were effective for the most part, some areas for improvement were however noted.
IT General Controls
We consider that the infrastructure in place has sufficient controls to safeguard sensitive information.
1. Introduction
In 2017, the Treasury Board approved a new Policy on Financial Management, replacing the Policy on Internal Controls (PIC). With the introduction of this new policy, the focus of internal control is on financial management. As a result, the Military Police Complaints Commission of Canada (MPCC or Commission) took the initiative to document significant business processes and controls. The Commission carried out the assessment of the design effectiveness and operating effectiveness of its internal controls and put in place adequate Management action plans to address the opportunities for improvement identified.
The MPCC is a civilian, quasi-judicial oversight agency that operates at arm’s length from the Government of Canada. The Commission reviews and investigates complaints concerning military police conduct and investigates allegations of interference in military police investigations. It reports its findings and makes recommendations directly to the military police and national defence leadership. As a federal institution, it is part of the Defence portfolio for reporting purposes.
During fiscal year 2019/20, the Commission prepared an Ongoing Monitoring Plan for its internal controls in order to provide senior management assurance over their continued effectiveness. The ongoing monitoring of MPCC’s internal controls provides assurance to client Departments that financial controls over MPCC services are effective, in support of the signature of the Statement of Management Responsibility Including Internal Control over Financial Reporting, in compliance with the Policy on Financial Management.
The following business processes were considered significant and are part of the Ongoing Monitoring Plan:
| Key Business Process Controls | Related IT System | ICFM | Other |
|---|---|---|---|
| 1. Purchase to Payments (Expenditures) | CDFS, STS | X | - |
| 2. Travel Expenditures | HRG / STS | X | - |
| 3. Pay Administration | MyGCHR | X | - |
| 4. Budgeting and Forecasting | CDFS… | X | - |
| 5. Financial Reporting and Close
(financial statement close, trial balance, Treasury Board submission and financial statement reporting) |
- | X | - |
| 6. IT Asset Planning | - | X | - |
| Non-Financial Process Areas | |||
| 7. Security of non-financial information | - | - | X |
| 8. Investigation | - | - | X |
| 9. Annual reporting | - | - | X |
| ITGC Areas | |||
| 10. User Access (financial areas) | CDFS, Phoenix, STS, HRG | - | X |
| 11. Infrastructure (non-financial information) | - | - | X |
2. Objective and Scope
Samson & Associates was engaged to conduct documentation review, walkthroughs and effectiveness testing for the elements in scope as part of the Ongoing Monitoring Plan for the year 2022‑23 (See Appendix A).
The following areas are in scope for this year:
Business Processes
- IT Asset Planning
- Pay Administration
- Budgeting and Forecasting
- Investigations (this is the only non-financial process under review)
ITGC – Infrastructure Security
The work was conducted between October 2022 and January 2023 and covered the period from October 2021 - September 2022.
We also conducted follow-up procedures on past recommendations as part of our work.
2.1 Documentation
Documented the key processes and controls in place in the form of a business process narrative, process map and control matrix and ensured they represent the current processes and controls in place.
2.2 Methodology
The following methodology was used over the course of the engagement:
- Conduct walkthrough
- Identify the key controls that should be tested
- Develop testing and sampling strategies
- Assess Design Effectiveness
- Obtain populations and select samples
- Conduct Operating Effectiveness
- Conclude on testing
The sampling methodology used for a sample selected was based on the approach adopted by Treasury Board in their Guide to Ongoing Monitoring of Internal Controls Over Financial Management. The extent of testing was determined by how frequently a control is performed.
3. Entity-Level Controls
There are four components related to the design and operation of the system of internal control at the entity level. These components are the basis and foundation for the testing of entity-level controls. While no specific testing was conducted during our monitoring activities in 2022/23, we performed follow-up procedures on one area where opportunities for improvement were noted in the previous year.
| Entity-Level Control Elements | Assessment |
|---|---|
| Control Environment | Effective |
| Risk Assessment | Opportunity for Improvement |
| Control Activities and Related Monitoring | Effective |
| Information and Communication | Effective |
3.1 Risk Assessment
One recommendation was made in 2021/22 for the enhancement MPCC threat assessment to include the risk of fraud and ensure that employees are aware of the risk of fraud, how to identify it and reporting protocols.
Some fraud awareness communications have been made since last year, but the key action item will not be done until 2025, when MPCC will integrate the risk of fraud to their next cyclical threat and risk assessment.
4. Results – Business Processes
| Key Financial Processes | Control Effectiveness 2021/22 |
Control Effectiveness 2022/23 | Key Control Deficiencies | Number of Key Controls |
|---|---|---|---|---|
| Purchase to Payments | Opportunities for improvement | Note in Scope | 2 | 11 |
| Travel Expenditures | Opportunities for improvement | Note in Scope | 2 | 8 |
| Security of Non-Financial InformationNote * | Opportunities for improvement | Note in Scope | - | - |
| Pay Administration | Note in Scope | Effective | 0 | 12 |
| Budgeting and Forecasting | Note in Scope | Opportunities for improvement | 2 | 9 |
| IT Asset Planning | Note in Scope | Effective | - | 4 |
| Investigation Process | Note in Scope | Effective | - | 9 |
4.1 Previous Year Recommendations
MPCC undertook a review of this internal controls for the first time during the year 2021/22. Five recommendations were issued for the three business processes reviewed, with low and medium risk ratings.
At the time of our assessment for the year 2022/23, steps had been taken to implement the management action plan developed last year but it has not been fully implemented. Our review was conduced less than 1 year after the recommendations have been issued and it is expected that the majority of it will be implemented in the next year. Samson will monitor the progress during this assessment again next year.
4.2 Pay Administration
The scope of the controls for the Pay Administration business process starts with completing pre-payment activities which include receiving and implementing staffing actions and performing pre-payment payroll verification, pay activities consisting of releasing pay pursuant to FAA S.33 and performing post-pay verification activities.
Once payment has been issued to employees, MPCC receives an IO50 Report provided by PSPC which is reviewed and reconciled against payroll data in CDFS as maintained by the Financial Analyst. All noted issues are tracked, investigated and are resolved as required in a timely manner.
We have found no exception in our testing of internal controls over pay administration for the year 2022/23.
4.3 Budgeting and Forecasting
The purpose of the Budget and Forecasting business process is to ensure that financial management is effective and efficient in the department and to ensure proper management of public resources and regulations.
The scope of the controls for the Budget and Forecasting business process starts by defining the budget process according to Treasury Board (TB) policy. Once the budget is in place, a forecast is prepared and reconciled to the actuals from CDFS. The department implemented a tool called the FSR tracking budget and they use a template to complete their forecast to actuals reconciliation every month. All budget decisions are approved by the Chief Financial Officer (CFO) and the financial information is sent out to the Executive Committee (ExCom) for approval.
During our testing of the approval of the budget allocations, it was noted that there was no evidence to support the approval from ExCom as records of decisions were not documented.
Recommendation 1: We recommend that records of decision be documented for key decisions made at the Executive Committee meetings, such as budget allocations.
During our testing of the Financial Situation Reports which includes the tracking of budgets, actuals and forecast, it was noted that the Executive Committee was not regularly informed of the results of the forecasting review each period.
Recommendation 2: We recommend that, the Executive Committee be regularly informed of the results of the Financial Situation Reports, either secretarially or during meetings and that records of approval are retained as evidence of their review.
4.4 IT Asset Planning
When the initial risk assessment exercise was conducted, MPCC had an IT strategy in place to renew / migrate a number of platforms. IT asset planning had therefore been considered a medium risk process area.
As part of our assessment for the year 2022/23, we reviewed the IT Asset Management and Planning process established by MPCC and found it is appropriate and sufficient for the organization. The IT infrastructure / Cloud strategy is well laid out and provides guidance for the next three years.
4.5 Investigations
A high-level assessment of the investigation process was conducted by Samson and three files were selected for review. We found that an appropriate investigation process exists with sufficient internal controls in place, and strong oversight to manage complex and sensitive investigations. We have however noted two minor improvements:
Recommendation 3: We recommend that the MPCC ensures that allegations formulated as a result of Conduct, Interference, and Public Interest complaints appear early in the report and be referenced to an appropriate Policy, Directive, Instruction Manual, Code of Conduct, or Act, when feasible; and
Recommendation 4: We recommend that the MPCC implements a follow-up process to track the progress of approved recommendations and management action plans to full implementation, and report the result of the tracking procedures into the MPCC Chairperson's annual report.
CONCLUSION ON BUSINESS PROCESS CONTROLS
The assessment found that key internal controls over the business processes were generally operating effectively. Some
recommendations were identified to help improve the control environment.
5. RESULTS ITGC’s
| 2022‑23 | Control Areas | Common Controls | CDFS | MyGCHR (L&O) | Documentum | SPS (suppliers) | HRG (Travel) |
|---|---|---|---|---|---|---|---|
| IT Infrastructure | 3 | Strong | |||||
| IT Security (User Access) | 6 | Out of scope in 2022‑23 | |||||
| 2021‑22 | Control Areas | Common Controls | CDFS | MyGCHR (L&O) | Documentum | SPS (suppliers) | HRG (Travel) |
|---|---|---|---|---|---|---|---|
| IT Management | 3 | Out of scope in 2021‑22 | |||||
| IT Security (User Access) | 6 | Opportunity for improvement | Strong | Strong | Strong | Strong | Strong |
Note: Appendix B
5.1 Infrastructure
During the year 2022/23, we reviewed the IT Infrastructure elements in place to ensure that sufficient controls are in place to safeguard protected information under MPCC management, including the investigation files.
These elements include overall network architecture and systems used for the various data.
We have found that adequate safeguards are in place at MPCC.
CONCLUSION ON IT GENERAL CONTROLS
We found that IT general controls around IT Infrastructure in scope are operating effectively.
Appendix A: On-going Monitoring Plan
| Key Control Areas | Risk | Fiscal Years | ||||
|---|---|---|---|---|---|---|
| 2021‑22 | 2022‑23 | 2023‑24 | 2024‑25 | 2025‑26 | ||
| Entity-Level Controls | Medium | X | - | - | - | - |
| Business Process Controls | ||||||
| Purchase to Payments (ExpendituresNote 1) | MEDIUM | X | - | X | - | X |
| IT Asset Planning | MEDIUM | - | X | - | X | - |
| Travel Expenditures | MEDIUM | X | - | X | - | X |
| Pay Administration | MEDIUM | - | X | - | X | - |
| Budgeting and Forecasting | MEDIUM | - | X | - | X | - |
| Financial Reporting | LOW | - | - | X | - | - |
| Non-Financial Process Areas | ||||||
| Security of non-financial information | MEDIUM | X | - | - | - | - |
| Investigations | MEDIUM | - | X | - | - | - |
| Annual Report | LOW | - | - | X | - | - |
| ITGC areas | ||||||
| User Access (financial areas) | - | X | - | X | - | X |
| Infrastructure (non-financial information) | - | - | X | - | X | - |
Appendix B: Management Action Plan
| Recommendations | Risk Rating | Management Action Plan |
|---|---|---|
| Business Process Controls | ||
| Recommendation 1: We recommend that records of decision be documented for key decisions made at the Executive Committee meetings, such as budget allocations. | Low | This recommendation was implemented in the Fall 2022 but more formalized in January 2023. The Administrative Assistant to the Chairperson is now attending the Executive Committee meetings and acts as the notetaker. All minutes – Records of decision are validated and approved by the Executive Committee members after all meetings. Once approved, minutes are saved and retained in Documentum. |
| Recommendation 2: We recommend that, the Executive Committee be regularly informed of the results of the Financial Situation Reports, either secretarially or during meetings and that records of approval are retained as evidence of their review. | Low | This recommendation has been implemented. All Financial Situation Reports (FSR) are tabled to the Executive Committee a few days before the meetings and presented to the Chairperson during the meetings. A summary of the discussion is included in the Records of decision. As needed, ad-hoc meetings are organized to discuss finance initiatives requiring approval. |
| Investigations | ||
| Recommendation 3: We recommend that the MPCC ensures that allegations formulated as a result of Conduct, Interference, and Public Interest complaints appear early in the report and be referenced to an appropriate Policy, Directive, Instruction Manual, Code of Conduct, or Act, when feasible; and | Low | This recommendation has been implemented. The drafting guidelines now state that allegations appear very close to the beginning of Interim and Final Reports and each allegation references the appropriate legislation or policy instrument as appropriate when feasible to do so. |
| Recommendation 4: We recommend that the MPCC implements a follow-up process to track the progress of approved recommendations and management action plans to full implementation, and report the result of the tracking procedures into the MPCC Chairperson's annual report. | Low | This recommendation is in the process of implementation. The Registrar has created a tracking chart for the progress of recommendations accepted by the CFPM. However before full implementation and reporting in future Annual Reports, the MPCC will need to first advise the CFPM’s office that we will be doing this. The MPCC will advise the CFPM’s office in FY 2023‑24 during the next semiannual bilat with the CFPM or earlier. |
- Date modified: