Internal Controls Framework

Table of Contents

  1. Context
     1.1 MPCC Context
  2. Roles and Responsibilities
  3. General Principles
  4. On-going Monitoring Approach
  5. Work plan
     5.1 Entity Level and Business Process Controls
     5.2 IT General Controls
  Appendix A. Risk Analysis
     A.1 Entity-Level Controls
     A.2 Key Business Process Controls
  Appendix B. Ongoing Monitoring Approach

1. Context

Internal control is designed to assist departments and agencies in achieving their objectives. Monitoring of controls is an ongoing process to periodically assess and sustain the management of internal controls over time in support of continuous improvement.

In 2017, the Treasury Board approved a new Policy on Financial Management, replacing the Policy on Internal Controls (PIC). With the introduction of this new policy, the focus of internal control is on financial management.

1.1 MPCC Context

The Military Police Complaints Commission of Canada (MPCC) is a civilian, quasi-judicial oversight agency that operates at arm's length from the Government of Canada. The Commission reviews and investigates complaints concerning military police conduct and investigates allegations of interference in military police investigations. It reports its findings and makes recommendations directly to the military police and national defence leadership. As a federal institution, it is part of the Defence portfolio for reporting purposes.

MPCC operates under the National Defence Act, which provides guidance on how the MPCC conducts its investigations into complaints, the types of complaints that can be investigated, and the timeframe for the investigation and reporting process. The Act also provides guidance for hearings.

While the Military Police Complaints Commission of Canada has not implemented the PIC, the finance team was sensitive to the adequacy of its internal controls over many of its significant financial processes. In 2019, the CFO proposed that the MPCC adopt a more formal framework with respect to its internal controls. The proposed framework covers the internal controls over financial reporting, financial management and other key controls with respect to non-financial areas.

In the fall of 2019, MPCC undertook an environmental scan and review of its control environment in order to incorporate the necessary elements.

This document is meant to provide an internal controls framework for MPCC in the conduct of its ongoing monitoring of internal controls, taking into account the environmental scan and considerations stemming from the recent Policy on Financial Management. The main themes of the framework include:

  • Roles and responsibilities
  • ICFM environment at MPCC
  • Risk assessment elements
  • Five-year Monitoring Plan

2. Roles and Responsibilities

MPCC management's role in the implementation of the Policy on Financial Management and monitoring of its internal control system is essential to its effectiveness. As illustrated below, the deputy head, Chief Financial Officer and senior departmental managers (managers who report directly to the deputy head) all have accountabilities for the department's system of internal control.

Graphic - Accountabilities for the department's system of internal control

The graphic represents the accountabilities for the department's system of internal control:

  • The Chairperson is responsible for measures taken to maintain effective systems of internal controls and signs the Statement of Management of Responsibility.
  • The Chief Financial Officer leads and coordinates the establishment and execution of the annual assessment plan.
  • The Corporate Services Branch acts as the lead for coordinating and ongoing monitoring of the Internal Control Over Financial Management.
  • The Office of the Comptroller General acts as lead for internal audits.
  • Managers/Business Process Owners are responsible for maintaining effective systems; they validate risk assessments, inform the Comptrollership branch of significant changes, provide supporting documentation, and contribute to the assessment of key risks and controls.
  • The Information Technology Specialist acts as the lead for infrastructure and system applications, and contributes to assessments of systems and application controls.
  • A small department Audit Committee may wish to monitor the implementation of the Policy on Financial Management and provide insight on plans and results.
  • The Commission relies on other departments and agency service providers, specifically Public Services and Procurement Canada, Shared Services Canada, Treasury Board of Canada Secretariat, the Common Departmental Financial System Cluster Group, and the Canadian Centre for Cyber Security, for the processing of certain transactions. These providers must in turn report the results of their annual assessment of the services they provide.

The following presents roles and responsibilities shared in the organization regarding the ICFM monitoring.

3. General Principles

The internal controls environment includes a set of internal controls components as demonstrated in the diagram below:

Graphic - Internal Controls Components

The graphic represents a breakdown of the internal controls components. There are four types of controls, namely manual controls, application controls, IT general controls and entity-level controls.

Manual controls apply to the following business processes:

  • Purchases and payments to suppliers
  • Pay administration
  • Information technology investment planning
  • Travel management
  • Budgeting and forecasting
  • Financial reporting
  • Annual report
  • Investigations
  • Security of non-financial information

Application controls pertain to four applications supporting business processes, namely:

  • Management Reporting Module (Common Departmental Financial System)
  • Shared Travel Services
  • MyGCHR; and
  • Phoenix

IT general controls encompass infrastructure (security of non-financial information) and access control (the only relevant financial area for the Commission). These controls apply to three IT infrastructure services, namely:

  • database and operating system;
  • servers; and
  • network

Entity-level controls, which include culture, values and ethics, governance, transparency and accountability, apply to all three previous types of controls.

4. On-going Monitoring Approach

The proposed framework will provide MPCC with its first ongoing monitoring plan through the risk assessment update, while integrating additional financial management and program related processes.

The approach adopted by MPCC for its ongoing monitoring has been developed around the proposed guidance issued by the Treasury Board Secretariat (Guide on Internal Controls Over Financial Management, Guide to On-Going Monitoring of Internal Controls Over Financial Management), and includes the following five steps:

Graphic - Five-step on-going monitoring approach

The graphic represents the five-step on-going monitoring approach adopted by the Commission:

  1. Step 1 - Undertake a risk assessment
  2. Step 2 - Develop the ongoing monitoring plan
  3. Step 3 - Complete assessments
  4. Step 4 - Capture assessment results and actions
  5. Step 5 - Create internal and external reports

Step 1: A detailed risk assessment determines areas of high risk in the department's system of ICFM that need to be reviewed as part of the risk-based approach to ICFM (conducted every five years). A more limited risk assessment, called an environmental scan, will take place in the intervening years to ensure that the plan is updated as required to reflect changes to the department.

Step 2: The ongoing monitoring plan, which is based on the risk assessment and an analysis of the processes and controls within the department, describes:

  • The frequency of the assessments;
  • The types of assessments; and
  • The person who will conduct the assessments.

Step 3: The department completes the assessments according to the ongoing monitoring plan.

Step 4: The assessment results are captured, and remediation actions are developed.

Step 5: The assessment is then detailed in internal and external reports that inform and communicate the results and recommendations for remedial actions to be taken.

The approach will enable MPCC management to determine whether ICFM within the organization functions as intended (on a continuous basis), to identify internal control deficiencies, to take corrective measures to address those deficiencies and to communicate results to senior management as appropriate.

The framework includes a multi-year monitoring plan that will need to be reviewed and updated regularly. The monitoring plan is a live document and management needs to keep in mind the following fundamental questions while reviewing and updating this monitoring plan on a regular basis:

5. Work plan

The first step of the MPCC multi-year monitoring plan is to conduct an annual risk assessment on entity-level controls, business processes, and ITGC areas to ensure that ongoing testing focuses on the highest risk areas. MPCC has adopted a model where the risk assessment is revisited in full every five years, with a simpler environmental scan in the other years. This will ensure that changes in risks are considered and any needed amendments to the multi-year monitoring plan are made. When each business process or ITGC area is assessed is determined by its risk rating, so that higher risk processes are given priority.

5.1 Entity Level and Business Process Controls

5.1.1 Risk Assessment Approach

Entity-Level Controls are controls that have a pervasive effect on an organization, as they reflect the "tone at the top" and can have significant consequences on the overall assessment of the effectiveness of internal control over financial reporting. According to the COSO framework, they should cover the following elements:

  • Control Environment;
  • Integrity and Ethical Values;
  • Risk Assessment;
  • Control Activities;
  • Information and Communication; and
  • Monitoring.

Business Processes: The following ICFM business processes, as identified by MPCC as the key processes, were considered for the risk assessment.

Internal control over financial management business processes

Key Business Process Controls                                                | Related IT System | ICFM | Other
-----------------------------------------------------------------------------|-------------------|------|------
1. Purchase to Payments (Expenditures)                                       | CDFS, STS         |      | n/a
2. Travel Expenditures                                                       | HRG / STS         |      | n/a
3. Pay Administration                                                        | MyGCHR            |      | n/a
4. Budgeting and Forecasting                                                 | CDFS              |      | n/a
5. Financial Reporting and Close (financial statement close, trial balance, Treasury Board submission and financial statement reporting) | n/a | | n/a
6. IT Asset Planning                                                         | n/a               |      | n/a
Non-Financial Process Areas
7. Security of non-financial information                                     | n/a               | n/a  |
8. Investigation                                                             | n/a               | n/a  |
9. Annual reporting                                                          | n/a               | n/a  |

5.1.2 Risk Assessment Results

Our risk assessment table includes both inherent risk and control risk, which are considered together to determine the overall risk ranking. More detailed risk elements supporting MPCC risk assessments are presented in Appendix A.

Risk Assessment Ratings

Process                                  | Inherent Risk Rating | Control Risk Rating | Overall Process Risk Rating
-----------------------------------------|----------------------|---------------------|----------------------------
Entity-Level Controls                    | LOW                  | MEDIUM              | MEDIUM
Financial Management Business Processes
Purchase to Payments (Expenditures)      | MEDIUM               | MEDIUM              | MEDIUM
Travel Expenditures                      | MEDIUM               | MEDIUM              | MEDIUM
Pay Administration                       | HIGH                 | LOW                 | MEDIUM
Budgeting and Forecasting                | MEDIUM               | LOW                 | MEDIUM
Financial Reporting                      | MEDIUM               | LOW                 | LOW
Non-Financial Processes
Security of non-financial information    | MEDIUM               | MEDIUM              | MEDIUM
Investigations                           | HIGH                 | LOW                 | MEDIUM
Annual Report                            | MEDIUM               | LOW                 | LOW

5.2 IT General Controls

A risk assessment was also performed over areas of ITGCs to determine the overall process risk rating for each key system relied upon. MPCC relies on Other Government Departments and Agency Service Providers, who provide services including hosting services for MPCC's major IT systems. As a result, MPCC is not the business process owner of these systems and relies on third parties for the IT general controls. MPCC is, however, responsible for ensuring that user access to these systems remains appropriate; user access is tested as part of the business process controls listed in section 4.1.

Each ITGC area was considered in terms of the following risk factors to determine the area's overall risk rating:

  • Importance / proximity to financial statements;
  • Complexity of ITGC area;
  • Degree of changes in underlying processes; and
  • Instances of control breakdowns / gaps in the past.
Information Technology General Controls Risk Assessment (User Access Component of ITGC Only)

ITGC Area                                        | Importance to financial management | Degree of change | Complexity / Breakdowns | Overall ITGC Risk Rating
-------------------------------------------------|------------------------------------|------------------|-------------------------|-------------------------
CDFS (MRM) User Access only                      | High                               | Low              | Moderate                | MODERATE
SPS User Access only                             | High                               | Low              | Low                     | MODERATE
MyGCHR User Access only                          | Moderate                           | Low              | Low                     | LOW
Phoenix User Access only                         | High                               | High             | High                    | HIGH
Shared Travel Services (STS) User Access only    | Moderate                           | Low              | Low                     | LOW

Multi-year Monitoring Plan

Based on the monitoring approach presented in Appendix C, the following ongoing monitoring plan is proposed for the following five years (subject to changes based on MPCC priorities and resource levels):

Multi-Year Monitoring Plan
Key Control Areas Risk Fiscal Years
2021‑22 2022‑23 2023‑24 2024‑25 2025‑26
Entity-Level Controls Medium n/a n/a n/a n/a
Business Process Controls
Purchase to Payments (Expenditures) (Note 1) MEDIUM n/a n/a
IT Asset Planning MEDIUM n/a n/a n/a
Travel Expenditures MEDIUM n/a n/a
Pay Administration MEDIUM n/a n/a n/a
Budgeting and Forecasting MEDIUM n/a n/a n/a
Financial Reporting LOW n/a n/a n/a n/a
Non-Financial Process Areas (Suggested)
Security of non-financial information MEDIUM n/a n/a n/a n/a
Investigations MEDIUM n/a n/a n/a n/a
Annual Report LOW n/a n/a n/a n/a
ITGC areas
User Access (financial areas) n/a n/a n/a
Infrastructure (non-financial information) n/a n/a n/a n/a

Appendix A. Risk Analysis

The risk analysis was conducted through the assessment of inherent risk and control risk:

The tables below illustrate our analysis of entity-level controls and business process controls. The combined or overall risk rating will determine the extent and frequency of testing.

A.1 Entity-Level Controls

Analysis of entity-level controls
Process Materiality Policy changes Judgment required Attributes of transactions Susceptibility misstatement Inherent Risk Rating
Analysis of entity-level controls
Process Degree of change Instances of control breakdowns Decentralized Environment Complexity of control Control Risk Rating Overall Process Risk Rating

A.2 Key Business Process Controls

Analysis of business process controls (inherent risk)

Process                                        | Materiality | Changes | Judgment required | Attributes of transactions | Susceptibility to errors | Inherent Risk Rating
-----------------------------------------------|-------------|---------|-------------------|----------------------------|--------------------------|---------------------
Financial Management Process Areas
1. Purchase to Payments (Expenditures)         | HIGH        | LOW     | MEDIUM            | HIGH                       | MEDIUM                   | MEDIUM
5. Budgeting and Forecasting                   | HIGH        | MEDIUM  | HIGH              | LOW                        | LOW                      | MEDIUM
6. Financial Reporting and Close               | HIGH        | LOW     | MEDIUM            | LOW                        | LOW                      | MEDIUM
Non-Financial Process Areas
7. IT Security of Non-financial information    | HIGH        | HIGH    | MEDIUM            | LOW                        | MEDIUM                   | MEDIUM

Analysis of business process controls (control risk)

Process                                        | Degree of change | State of Controls | Decentralized Environment | Complexity of control | Control Risk Rating | Overall Process Risk Rating
-----------------------------------------------|------------------|-------------------|---------------------------|-----------------------|---------------------|----------------------------
Financial Management Process Areas
1. Purchase to Payments (Expenditures)         | LOW              | MEDIUM            | LOW                       | MEDIUM                | MEDIUM              | MEDIUM
5. Budgeting and Forecasting                   | LOW              | HIGH              | LOW                       | LOW                   | LOW                 | MEDIUM
6. Financial Reporting and Close               | LOW              | LOW               | LOW                       | LOW                   | LOW                 | LOW
Non-Financial Process Areas
7. IT Security of Non-financial information    | MEDIUM           | MEDIUM            | LOW                       | HIGH                  | MEDIUM              | MEDIUM

Appendix B. Ongoing Monitoring Approach

There are three key steps in the monitoring of activities:

Note – It is recommended to conduct a walkthrough of each key process every year to confirm process flow and controls. This may not always be possible based on allocated resources.

5.1 Completing the Assessment

The multi-year monitoring plan can build upon the documentation, testing methodologies, sampling strategies, etc. developed from the design effectiveness and operating effectiveness stages of the previous ICFR roadmap. As such, the assessment for previously identified (and assessed) business processes will involve:

  • An update of the process documentation, key controls and control matrix;
  • The conduct of design effectiveness testing (walkthrough); and
  • The conduct of operating effectiveness testing (actual testing of controls).

For new business processes, MPCC will need to:

  • Document the process, identify the key controls and prepare a control matrix;
  • Conduct design effectiveness testing (walkthrough); and
  • Conduct operating effectiveness testing (actual testing of controls).

The nature, extent and frequency of control testing are linked to the risk level associated with the processes and/or the systems in place. The following sections provide guidance on the level of testing required.

5.1.1 Nature of Testing

Level of testing

Processes Documentation
  Definition: Supports the assessments of design and operating effectiveness at all levels. Key controls need to be appropriately documented.
  How: Development or update of process narratives, process flowcharts, and risk and control matrices.
  Frequency: Annually.
  Sample Size: All processes.

Design Effectiveness
  Definition: Refers to whether controls are properly designed to achieve control objectives if they operate as defined.
  How: Walkthrough to confirm the flow of information and to get an understanding of the operation of controls.
  Frequency: As necessary (following a remediation measure, a change/new process, new controls or a new risk identified).
  Sample Size: One transaction.

Operating Effectiveness
  Definition: Refers to whether controls consistently operate as designed.
  How: Testing a sample of transactions to determine whether internal controls are operating effectively over the period.
  Frequency: Operating effectiveness testing is performed once successful design effectiveness testing has occurred. Multi-year rotation based on risk:
    HIGH: Annually
    MEDIUM: Every 2 years
    LOW: Every 3 years
  Sample Size: See Sampling Table.

5.1.2 Sampling for Testing Operating Effectiveness

The table below is based on widely recognized statistical theory and principles.

Recognized statistical theory and principles

Nature of Control | Frequency of Operation | Range for Sample Size: Lower Risk of Key Control Failure | Range for Sample Size: Higher Risk of Key Control Failure
------------------|------------------------|----------------------------------------------------------|-----------------------------------------------------------
Manual            | Many times a day       | 25                                                       | 40
Manual            | Daily                  | 15                                                       | 25
Manual            | Weekly                 | 5                                                        | 8
Manual            | Monthly                | 2                                                        | 3
Manual            | Quarterly              | 1                                                        | 1
Manual            | Annually               | 1                                                        | 1
Automated         | Test of one for each automated control activity

Following the testing, it is essential to document the testing results, analyze them and determine the need for remediation, as necessary. It is also important to brief and validate the overall testing results and action plans with the process owners/business partners.

The following table provides an overview of the key stakeholders and their responsibilities on this important step:

Table - Main Roles

The table represents the overview of the key stakeholders and their key roles throughout the year:

  • The internal control team leads and reviews
  • The business process owners lead, participate and review
  • The internal audit does not have any key roles
  • The external team (if required) leads
  • The corporate risk team does not have any key roles
  • The Director of internal control does not have any key roles
  • The Chief Financial Officer approves
  • The senior department managers participate and approve
  • The Deputy head is informed
  • The Departmental Audit Committee does not have any key roles

5.2 Capturing Assessment Results

Following the assessment step, the Internal control team should document the agreed upon remediation action plan, review and track its progress, and report on it annually.

5.3 Reporting on Results

5.3.1 Internal Reporting

Once the appropriate business owners have completed, reviewed and validated ICFM ongoing monitoring assessments for the year, the results are consolidated and documented in a findings report by the Internal control team. The report will include:

  • Key findings from the ongoing monitoring assessments and associated remediation action plans; and
  • The status of the implementation of the remediation action plans, specifically, outstanding actions that have not been implemented.

The results of the assessments will be reported to key stakeholders annually including the Chairperson, the CFO, senior departmental managers and the DAC.

5.3.2 External Reporting

Statement of Management Responsibility Internal Control over Financial Reporting

The Policy requires that the Chief Executive Officer sign off annually on the "Statement of Management Responsibility Including Internal Controls over Financial Reporting". This statement includes an acknowledgement of Management's responsibility for maintaining an effective system of internal control, and that an assessment for the year ended was completed and an action plan was prepared.

Annex to Statement of Management Responsibility

An overview of the results and action plans of the MPCC's annual assessment of the effectiveness of the system of ICFR is to be provided in an annex to the Statement of Management Responsibility. A sample annex and Statement of Management Responsibility have been provided in the draft Guide on Internal Control over Financial Management issued by TBS in October 2017.

The list of ICFM related processes is somewhat different from the ICFR list presented in the Statement of Management Responsibility over ICFR and the related annex. The external reporting requirement's focus on ICFR uses terminology associated with financial statement line items, while ICFM focuses on management processes. We have proposed a reconciliation between ICFM key processes and the ICFR processes reported by the Agency. Appendix B presents this reconciliation.

Appendix B Alignment with COSO Framework

In performing its assessment of Internal Controls over Financial Management, MPCC may choose to select a framework such as the 2013 COSO Framework as its applicable internal control framework, which is in-line with other federal departments and agencies.

In 1992, The Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed its Enterprise Risk Management — Integrated Framework which is often referred to as the “COSO Framework”.

Table - COSO Framework

The table represents the COSO Framework.

There are three categories, namely:

  • Effectiveness and efficiency of operations;
  • Reliability of financial reporting; and
  • Compliance with applicable laws and regulations.

There are five interrelated components of internal control within these three categories:

  • Control environment;
  • Risk assessment;
  • Control activities;
  • Information and communication; and
  • Monitoring activities.

The COSO Framework states that “Internal control” is a process, affected by an entity's directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations;
  • Reliability of financial reporting; and
  • Compliance with applicable laws and regulations.

When performing its risk assessment, MPCC needs to ensure that these objectives are addressed. For example, the key business process controls identified during the risk assessment are aligned with the following objectives:

Risk Assessement Objectives
Business Processes Controls Operations Reporting Compliance
Payments (Expenditures) n/a
IT Asset Planning n/a
Travel Expenditures n/a
Pay Administration n/a
Budgeting and Forecasting n/a
Financial Reporting n/a
Security of non-financial information n/a
Investigations n/a

As demonstrated above, there is significant overlap between the three main objective categories, which demonstrates the importance of the business process controls identified. This includes ensuring that both financial and non-financial information are safeguarded, that loss of MPCC's assets through waste, inefficiency or poor business decisions is prevented, and that activities are conducted in accordance with applicable laws and regulations.

There are five interrelated components of internal control. Four components relate to the design and operation of the system of internal control:

  • Control environment;
  • Risk assessment;
  • Control activities;
  • Information and communication; and
  • Monitoring activities.

These components are the basis and foundation for the testing of entity level controls.
