Internal Controls Monitoring – 2023‑24 Results (Year 3)
EXECUTIVE SUMMARY
Since 2017, the Military Police Complaints Commission (MPCC) has developed process controls over financial reporting and is in a mature phase of the implementation of the Policy on Internal Control.
The scope of work therefore included the following:
- Financial Reporting and Close
- Procure to Payment
- Travel Expenditures
- User Access
- Security of non-financial information
Business Process Controls
The assessment found that key internal controls over financial reporting related to the business processes in scope for the year 2023-24 were effective for the most part; however, some areas for improvement were noted.
User Access
We consider that the user access controls related to MPCC’s systems in scope are appropriate. We have noted some areas for improvements over prior years.
1. Introduction
In 2017, the Treasury Board approved a new Policy on Financial Management, replacing the Policy on Internal Controls (PIC). With the introduction of this new policy, the focus of internal control is on financial management. As a result, the Military Police Complaints Commission of Canada (MPCC or Commission) took the initiative to document significant business processes and controls. The Commission carried out the assessment of the design effectiveness and operating effectiveness of its internal controls and put in place adequate Management action plans to address the opportunities for improvement identified.
The MPCC is an administrative tribunal created by Parliament to provide independent, civilian oversight of the Canadian Forces Military Police. Its mission is to promote and ensure the highest standards of conduct for the military police, deter interference in police investigations and enhance public confidence in policing. It reports its findings and makes recommendations directly to the military police and national defence leadership. As a federal institution, it is part of the Defence portfolio for reporting purposes.
During fiscal year 2019/20, the Commission prepared an Ongoing Monitoring Plan for its internal controls in order to provide senior management assurance over their continued effectiveness. The ongoing monitoring of MPCC’s internal controls provides assurance to client Departments that financial controls over MPCC services are effective, in support of the signature of the Statement of Management Responsibility Including Internal Control over Financial Reporting, in compliance with the Policy on Financial Management.
The following business processes were considered significant and are part of the Ongoing Monitoring Plan:
Key Business Process Controls | Related IT System | ICFM | Other |
---|---|---|---|
1. Purchase to Payments (Expenditures) | CDFS, STS | X | |
2. Travel Expenditures | HRG / STS | X | |
3. Pay Administration | MyGCHR | X | |
4. Budgeting and Forecasting | CDFS… | X | - |
5. Financial Reporting and Close (financial statement close, trial balance, Treasury Board submission and financial statement reporting) | X | ||
6. IT Asset Planning | X | ||
Non-Financial Process Areas | |||
7. Security of non-financial information | X | ||
8. Investigation | X | ||
9. Annual reporting | - | - | X |
ITGC Areas | |||
10. User Access (financial areas) | CDFS, Phoenix, STS, HRG | X | |
11. Infrastructure (non-financial information) | X |
2. Objective and Scope
Samson & Associates was engaged to conduct documentation review, walkthroughs and effectiveness testing for the elements in scope as part of the Ongoing Monitoring Plan for the year 2023-24 (See Appendix A).
2.1 Documentation
Documented the key processes and controls in place in the form of a business process narrative, process map and control matrix and ensured they represent the current processes and controls in place.
2.2 Walkthrough and Testing
Conducted a walkthrough and performed the design and operating effectiveness testing for the following processes for MPCC:
- Financial Reporting and Close
- Procure to Payment
- Travel Expenditures
- User Access
The following methodology was used over the course of the engagement:
- Identify/update the key controls that should be tested
- Elaborate testing strategy (including sampling)
- Obtain populations and select samples
- Conduct walkthrough
- Assess Design Effectiveness
- Conduct Operating Effectiveness
- Conclude on testing
The sampling methodology used to select samples was based on the approach adopted by Treasury Board in their Guide to Ongoing Monitoring of Internal Controls Over Financial Management. The extent of testing was determined by how frequently a control is performed.
3. Results – Business Processes
Key Financial Processes | 2021/22 Results | 2022/23 Results | 2023/24 Results | Key Control Deficiencies | Number of Key Controls |
---|---|---|---|---|---|
Purchase to Payments | Opportunities for improvement | Out of Scope | Effective | 0 | 11 |
Travel Expenditures | Opportunities for improvement | Out of Scope | Effective | 0 | 8 |
Financial Reporting and Close | Out of Scope | Out of Scope | Opportunities for improvement | 1 | 16 |
Security of Non-Financial Information (Note *) | Opportunities for improvement | Out of Scope | Out of Scope | - | - |
Pay Administration | Out of Scope | Effective | Out of Scope | - | 12 |
Budgeting and Forecasting | Out of Scope | Opportunities for improvement | Out of Scope | - | 9 |
IT Asset Planning | Out of Scope | Effective | Out of Scope | - | 4 |
Investigation Process | Out of Scope | Effective | Out of Scope | - | 9 |
3.1 Previous Year Recommendations
MPCC undertook a review of these internal controls for the first time during the year 2021/22. Five recommendations were issued for the three business processes reviewed, and three recommendations were issued for two business processes for the assessment for the year 2022/23. All the recommendations were assessed as low and medium risk ratings.
At the time of our assessment for the year 2023/24, steps had been taken to implement the management action plan developed: four recommendations have been closed, while the others are in various stages of implementation. Samson examined documentation to validate that the management action plans have been implemented. It is expected that MPCC will continue to ensure that the majority of its recommendations will be implemented in the next year. Samson will monitor the progress during this assessment again next year.
For additional details on the previous recommendations issued, management action plans and their progress, refer to Appendix C.
3.2 Procure to Payment
The scope of the controls for the Procure to Payment business process starts with completing an MPCC local purchase form. The form is sent for Financial Administration Act (FAA) section (S.) 32 approval and the commitment is recorded in CDFS. To ensure that commitments are maintained and updated in a timely manner, MPCC maintains a tracking spreadsheet for all commitments recorded.
A contract or purchase order is created for the purchase. After the goods have been received or the services rendered, invoices are received in the Finance inbox and sent to the appropriate delegated authority, who performs a review of the invoice and certifies it pursuant to FAA S.34. Then the invoice is sent back to Finance Services for payment. When the invoice is received by Finance Services, quality assurance is performed to ensure the payment is appropriate in support of FAA S.33. Once the payment has been approved it is released through SPS.
When needed, changes made to the vendor master file are received from the supplier. The request is received and verified by the Procurement Officer or the Financial Clerk who enters the change in CDFS through the financial authority FIN-GR access. All changes input are reviewed and approved by the FAA S.33 Finance Officer.
3.3 Travel
The scope of the controls for the Travel expenditures business process starts with identifying the need to travel, approving travel requests pursuant to Expenditure Initiation Authority and FAA S.32, certifying travel claims pursuant to FAA S.34 and processing the claims for payment pursuant to FAA S.33.
A travel request is created by a travel arranger on behalf of the traveler using the online booking tool in STS. The request is routed to the appropriate delegated authority pursuant to FAA S.32 for approval and the employee can proceed to make travel arrangements once approval has been obtained. Once the travel is complete, the traveler provides all the receipts collected during travel to the travel arranger. The Travel Arranger then creates a travel claim with all the receipts attached as supporting documentation. The travel claim is routed to the delegated authority for approval pursuant to FAA S.34. The travel arranger selects the approver for the travel request and travel claim from a dropdown menu in STS. Afterwards, the claim is routed to the Processor who performs quality assurance on the claim before approving the payment pursuant to FAA S.33. Once the payment has been approved it is released through SPS.
3.4 Financial Reporting and Close
The purpose of the Financial Close business process is to establish the activities necessary in preparation of the period-end to ensure accurate and complete financial information is properly maintained according to Treasury Board and generally accepted accounting standards. These activities support the preparation of timely and accurate internal and external financial reporting.
Finance is responsible for the policies and procedures relating to accounting for payments and receipts and ensuring that adjustments are performed where required. In addition, Financial Services are responsible for ensuring that reconciliations are performed, adjustments are recorded, preparing and communicating the closing schedule, preparing, reviewing and submitting the trial balance which includes the Certificate of Representations at P9 and P12 as well as the preparation and approval of the departmental financial statements.
During our testing of Financial Reporting, it was noted that journal entries are prepared and posted in CDFS by the same individual. To ensure appropriate segregation of duties, a compensatory control is in place whereby these journal vouchers are approved by a separate individual with FAA S.34 delegated authority. However, it was noted in one instance that one of these journal vouchers was not approved by a separate individual and was prepared and posted by the same user.
Inappropriate segregation of duties when creating and approving journal vouchers increases the risk that errors remain undetected in the financial system. This increases the risk that financial data which feeds into the financial statements is not accurate.
Recommendation 1: We recommend that, on an ongoing basis, journal vouchers are prepared, approved and posted by two separate individuals.
CONCLUSION ON BUSINESS PROCESS CONTROLS
The assessment found that key internal controls over the business processes were generally operating effectively.
4. Results – ITGCs
2023‑24 | Control Areas | Common Controls | CDFS | MyGCHR (L&O) | Documentum | SPS (suppliers) | HRG (Travel) |
---|---|---|---|---|---|---|---|
IT Management | 3 | Out of scope in 2021-22 | |||||
IT Security (User Access) | 6 | Opportunity for improvement | Strong | Strong | Strong | Strong | Strong |
2022‑23 | Control Areas | Common Controls | CDFS | MyGCHR (L&O) | Documentum | SPS (suppliers) | HRG (Travel) |
---|---|---|---|---|---|---|---|
IT Management | 3 | Strong | |||||
IT Security (User Access) | 6 | Out of scope in 2022‑23 |
4.1 Previous Year Recommendations
MPCC undertook a review of these internal controls for the first time during the year 2021/22. Two recommendations were issued for the one IT general controls process reviewed at that time, and one recommendation was issued in the year 2022/23. All the recommendations were assessed as low and medium risk ratings.
At the time of our assessment for the year 2023/24, steps had been taken to implement the management action plan developed and the three recommendations have been closed. Samson examined documentation to validate that the management action plans have been implemented.
For additional details on the previous recommendations issued, management action plans and their progress, refer to Appendix C.
4.2 Previous Year Recommendations
The key user access controls are performed when employees arrive within an organization and when they leave. It is upon arrival that the majority of user access is assigned, approved, and implemented, and upon departure that the necessary measures are taken to remove this access. 7 user accesses were tested as part of our assessment. At MPCC, a form is used in both cases to document these steps. While a documented process was not necessarily in place more than 6 years ago, it has been in place for over six years.
We have found the arrival controls to be effective. The few employees where a documented arrival form was not available had been within MPCC for many years and their user accesses were appropriate.
Also, we have found the departure controls to be effective. We were able to confirm that network access for these employees had been removed in a timely manner.
4.3 On-going User Access Review
A business owner has been identified for each system within the organization. In addition to the approval of user access at the time of hire for each employee (contractor), a regular review of user access should be performed to ensure that accesses are still necessary and appropriate.
CONCLUSION ON USER ACCESS CONTROLS
We consider that the user access controls for the systems in scope are appropriate.
Appendix A: On-going Monitoring Plan
Key Control Areas | Risk | 2021‑22 | 2022‑23 | 2023‑24 | 2024‑25 | 2025‑26 | Notes |
---|---|---|---|---|---|---|---|
Entity-Level Controls | MEDIUM | X | - | - | - | - | - |
Business Process Controls | | | | | | | |
Purchase to Payments (Expenditures) | MEDIUM | X | - | X | - | X | Note 1 |
IT Asset Planning | MEDIUM | - | X | - | X | - | - |
Travel Expenditures | MEDIUM | X | - | X | - | X | - |
Pay Administration | MEDIUM | - | X | - | X | - | - |
Budgeting and Forecasting | MEDIUM | - | X | - | X | - | - |
Financial Reporting | LOW | - | - | X | - | - | - |
Non-Financial Process Areas | | | | | | | |
Security of non-financial information | MEDIUM | X | - | - | - | - | - |
Investigations | MEDIUM | - | X | - | - | - | - |
Annual Report | LOW | - | - | - | - | - | - |
ITGC areas | | | | | | | |
User Access (financial areas) | - | X | - | X | - | X | - |
Infrastructure (non-financial information) | - | - | X | - | X | - | - |
Appendix B: Management Action Plan
Recommendations | Risk Rating | Management Action Plan (as defined by MPCC in 2023-24) |
---|---|---|
Business Process Controls | ||
Recommendation 1: We recommend that, on an ongoing basis, journal vouchers are prepared, approved and posted by two separate individuals. | Low | In a spirit of continuous improvement, the MPCC accepts the recommendation. As such, the Finance Team will put in place standard operating procedures for the journal voucher process to ensure proper segregation of duties is in place. This should be in place ahead of the 2023-24 fiscal year-end. |
Appendix C: Management Action Plan
Recommendations | Risk Rating | Management Action Plan (as defined by MPCC in 2021-22) | Implementation Progress as of Q3 2023-24 |
---|---|---|---|
Entity Level Controls | |||
Recommendation 1: We recommend that MPCC enhance their threat assessment to include the risk of fraud and ensure that employees are aware of the risk of fraud, how to identify it and reporting protocols. | Medium | The MPCC will integrate the risk of fraud to their next cyclical threat and risk assessment in 2025 or if the MPCC office space has a significant change prior to that date. In the meantime, the MPCC will update their security awareness communication plan, more specifically the article in the month of March on Fraud Prevention Month to incorporate information on who employees should communicate with if they encounter fraud while working and how to identify it. | In progress |
Business Process Controls | |||
Recommendation 2: We recommend that MPCC ensures that commitments are updated when invoices are received to ensure the accuracy of unencumbered funds and that unused funds are released. | Low | The Finance Team will put in place standard operating procedures to ensure that commitments are kept up to date, both in our commitment spreadsheet and in CDFS. The procedures will clarify the timing and individuals/positions responsible for entering, reviewing and approving the information. In addition, we will perform semi-annual reviews of the commitments to ensure accuracy and completeness. We plan on implementing this process in time for the start of fiscal year 2022-23. | Implemented (March 2023) |
Recommendation 3: We recommend that monitoring controls be put in place to ensure that the segregation of duty risk identified can be managed. Possible system notifications could be put in place to manage the risk. | Medium | The MPCC will address the segregation of duty risk by revisiting our CDFS accesses and seek CDFS HelpDesk guidance in limiting the access surrounding vendor/supplier change. A preferred option is to separate the “create” and “approve” accesses between Section 33 approvers (approve only) and the other finance users (create/modify only). The change request has been submitted to CDFS with a proposed timeline of 6 months (September 2022). | In progress |
Recommendation 4: We recommend that, on an ongoing basis, logical access to STS be removed immediately upon an employee leaving the Commission or an employee changing roles and no longer requiring access per their job duties. Furthermore, we recommend that there be a periodic review of access to detect any anomalies and correct them on a timely basis. | Medium | We will update the MPCC’s Departure form to capture this access removal. This will then trigger the travel coordinator to suspend the accounts in the travel portal. We also recommend that at the end of each fiscal year, HR sends a report of all terminated employees from that fiscal year, and the coordinator will then proceed with a review to make sure no employees were missed. | Implemented (December 2023) |
Recommendation 5: We recommend that information management practices and protocols be put in place for all electronic information management systems, whether through Documentum, the shared drive or Teams. | Medium | The MPCC currently has documented information practices and protocols for its departmental information system, Documentum. The MPCC is working on documenting document management and retention on the Microsoft Teams platform and will be implementing a policy, protocol and forms in fiscal year 2022-23. As the MPCC is currently working to retire shared drives, the management of this information will be addressed through the retirement of shared drive by the end of Fiscal year 2023-24. | In progress |
Recommendation 6: We recommend MPCC adopts a QA process for its digitization initiative to ensure that key physical records get digitized in a fashion that the document integrity is maintained. | Low | In 2017, the MPCC adopted and documented a quality assurance process for its digitization initiative to ensure that physical records are digitized in a manner that ensures document integrity. However, there are concerns that the process was not followed properly in the past and some physical records are currently being kept as a back up to digitized records. The MPCC will put in place a plan by the end of 2022-23 to perform the quality assurance process of physical records that were digitized in a manner that ensures document integrity and to proceed to the timely disposition as per the Data Disposition Policy. In addition, the MPCC is in the process of approving a revised version of the Information and Data Disposition Policy. Once approved, the MPCC, through its legal services and over the next year, will carry out a soft audit before destruction of the files already digitized in order to identify the key documents which must be kept for consultation later. | In progress |
User Access | |||
Recommendation 7: We recommend that the departure process be formalized to ensure a timely removal of all application and network access upon departure. Documentation should be available to demonstrate when the user access has been removed (applications and network access). | Medium | The MPCC shall modify its departure forms to include additional fields in regard to IM/IT related accesses to ensure those accesses are removed upon the departure of employees. For specific accesses within the Finance team, a separate document to track these accesses will be created to track modifications and deactivation as required. | Implemented (December 2023) |
Recommendation 8: We recommend that the on-going review of user access be documented for future reference. | Low | The MPCC is in the final stage of a new MPCC IT Security Policy which includes new measures for the control of accesses. The policy will formalize roles and responsibilities between IT and managers in the attribution of access and notifications when changes in employment or access profiles occur. The policy will also require record keeping of access changes through standardized procedures and forms. | Implemented (March 2023) |
Recommendations | Risk Rating | Management Action Plan (as defined by MPCC in 2022-23) | Implementation Progress as of Q3 2023-24 |
---|---|---|---|
Business Process Controls | |||
Recommendation 1: We recommend that records of decision be documented for key decisions made at the Executive Committee meetings, such as budget allocations. | Low | The Administrative Assistant to the Chairperson is now attending the Executive Committee meetings and acts as the notetaker. All minutes – Records of decision are validated and approved by the Executive Committee members after all meetings. Once approved, minutes are saved and retained in Documentum. | Implemented (June 2023) |
Recommendation 2: We recommend that the Executive Committee be regularly informed of the results of the Financial Situation Reports, either secretarially or during meetings and that records of approval are retained as evidence of their review. | Low | All Financial Situation Reports (FSR) are tabled to the Executive Committee a few days before the meetings and presented to the Chairperson during the meetings. A summary of the discussion is included in the Records of decision. As needed, ad-hoc meetings are organized to discuss finance initiatives requiring approval. | Implemented (June 2023) |
Investigations | |||
Recommendation 3: We recommend that the MPCC ensures that allegations formulated as a result of Conduct, Interference, and Public Interest complaints appear early in the report and be referenced to an appropriate Policy, Directive, Instruction Manual, Code of Conduct, or Act, when feasible. | Low | The drafting guidelines now state that allegations appear very close to the beginning of Interim and Final Reports and each allegation references the appropriate legislation or policy instrument as appropriate when feasible to do so. | Implemented (June 2023) |
Recommendation 4: We recommend that the MPCC implements a follow up process to track the progress of approved recommendations and management action plans to full implementation, and report the result of the tracking procedures into the MPCC Chairperson's annual report. | Low | The MPCC sought the CFPM’s assistance in receiving those updates. The intent was to enhance accountability to the public by tracking the progress of accepted recommendations to allow the MPCC to provide updates on its external website and in its Annual Report. However, in Fall 2023, the CFPM refused to provide updates to the MPCC on the implementation of its recommendations on the grounds that he does not have a legislative obligation to do so. Therefore, the MPCC will not be able to implement the recommendation made. | Not Applicable |