Internal Controls Monitoring – 2024‑25 Results (Year 4)
EXECUTIVE SUMMARY
Since 2017, the Military Police Complaints Commission (MPCC) has developed process controls over financial reporting and is in a mature phase of the implementation of the Policy on Internal Control.
The scope of work therefore included the following:
- Pay Administration
- Budgeting and Forecasting
- IT Asset Planning
- Annual Report
- Infrastructure (non-financial information)
Business Process Controls
The assessment found that key internal controls over financial reporting related to the business processes in scope for the year 2024-25 were effective.
User Access
We consider that the user access controls related to MPCC’s systems in scope are appropriate.
1. Introduction
In 2017, the Treasury Board approved a new Policy on Financial Management, replacing the Policy on Internal Controls (PIC). With the introduction of this new policy, the focus of internal control is on financial management. As a result, the Military Police Complaints Commission of Canada (MPCC or Commission) took the initiative to document significant business processes and controls. The Commission carried out the assessment of the design effectiveness and operating effectiveness of its internal controls and put in place adequate Management action plans to address the opportunities for improvement identified.
The MPCC is an administrative tribunal created by Parliament to provide independent, civilian oversight of the Canadian Forces Military Police. Its mission is to promote and ensure the highest standards of conduct for the military police, deter interference in police investigations and enhance public confidence in policing. It reports its findings and makes recommendations directly to the military police and national defence leadership. As a federal institution, it is part of the Defence portfolio for reporting purposes.
During fiscal year 2019/20, the Commission prepared an Ongoing Monitoring Plan for its internal controls in order to provide senior management assurance over their continued effectiveness. The ongoing monitoring of MPCC’s internal controls provides assurance to client Departments that financial controls over MPCC services are effective, in support of the signature of the Statement of Management Responsibility Including Internal Control over Financial Reporting, in compliance with the Policy on Financial Management.
The following business processes were considered significant and are part of the Ongoing Monitoring Plan:
Key Business Process Controls | Related IT System | ICFM | Other |
---|---|---|---|
1. Purchase to Payments (Expenditures) | CDFS, STS | X | |
2. Travel Expenditures | HRG / STS | X | |
3. Pay Administration | MyGCHR | X | |
4. Budgeting and Forecasting | CDFS… | X | - |
5. Financial Reporting and Close (financial statement close, trial balance, Treasury Board submission and financial statement reporting) | X | ||
6. IT Asset Planning | X | ||
Non-Financial Process Areas | |||
7. Security of non-financial information | X | ||
8. Investigation | X | ||
9. Annual reporting | - | - | X |
ITGC Areas | |||
10. User Access (financial areas) | CDFS, Phoenix, STS, HRG | X | |
11. Infrastructure (non-financial information) | X |
2. Objective and Scope
Samson & Associates was engaged to conduct documentation review, walkthroughs and effectiveness testing for the elements in scope as part of the Ongoing Monitoring Plan for the year 2024-25 (See Appendix A).
2.1 Documentation
Documented the key processes and controls in place in the form of a business process narrative, process map and control matrix and ensured they represent the current processes and controls in place.
2.2 Walkthrough and Testing
Conducted a walkthrough and performed the design and operating effectiveness testing for the following processes for MPCC:
- Pay Administration
- Budgeting and Forecasting
- IT Asset Planning
- Annual Report
- Infrastructure (non-financial information)
The following methodology was used over the course of the engagement:
- Identify/update the key controls that should be tested
- Elaborate testing strategy (including sampling)
- Obtain populations and select samples
- Conduct walkthrough
- Assess Design Effectiveness
- Conduct Operating Effectiveness
- Conclude on testing
The sampling methodology used to select samples was based on the approach adopted by Treasury Board in its Guide to Ongoing Monitoring of Internal Controls Over Financial Management. The extent of testing was determined by how frequently a control is performed.
3. Results – Business Processes
Key Financial Processes | 2021/22 Results | 2022/23 Results | 2023/24 Results | 2024/25 Results | Key Control Deficiencies | Number of Key Controls |
---|---|---|---|---|---|---|
Purchase to Payments | Opportunities for improvement | Out of Scope | Effective | Out of Scope | 0 | 11 |
Travel Expenditures | Opportunities for improvement | Out of Scope | Effective | Out of Scope | 0 | 8 |
Financial Reporting and Close | Out of Scope | Out of Scope | Opportunities for improvement | Out of Scope | 1 | 16 |
Security of Non-Financial Information (Note *) | Opportunities for improvement | Out of Scope | Out of Scope | Out of Scope | - | - |
Pay Administration | Out of Scope | Effective | Out of Scope | Effective | - | 12 |
Budgeting and Forecasting | Out of Scope | Opportunities for improvement | Out of Scope | Effective | - | 9 |
Annual Report | Out of Scope | Out of Scope | Out of Scope | Effective | - | 6 |
IT Asset Planning | Out of Scope | Effective | Out of Scope | Effective | - | 4 |
Investigation Process | Out of Scope | Effective | Out of Scope | Out of Scope | - | 9 |
3.1 Previous Year Recommendations
MPCC undertook a review of its internal controls for the first time during the year 2021/22. Five recommendations were issued for the three business processes reviewed, three recommendations were issued for two business processes for the assessment for the year 2022/23, and one recommendation was issued for one business process assessed for the year 2023/24. All the recommendations were assessed as low and medium risk ratings. No recommendations were issued for 2024/25.
At the time of our assessment for the year 2024/25, steps had been taken to implement the management action plans developed: two additional recommendations have been closed, for a total of six, while the others are in various stages of implementation. Samson examined documentation to validate that the management action plans have been implemented. It is expected that MPCC will continue to ensure that the majority of its recommendations will be implemented in the next year. Samson will monitor progress again during next year's assessment.
For additional details on the previous recommendations issued, management action plans and their progress, refer to Appendix C.
3.2 Pay Administration
The scope of the controls for the Pay Administration business process starts with completing pre-payment activities which include receiving and implementing staffing actions and performing pre-payment payroll verification, pay activities consisting of releasing pay pursuant to FAA S.33 and performing post-pay verification activities.
Once payment has been issued to employees, MPCC receives an IO50 Report provided by PSPC, which is reviewed and reconciled against payroll data in CDFS as maintained by the Financial Analyst. All noted issues are tracked, investigated and resolved as required in a timely manner.
We have found no exception in our testing of internal controls over pay administration for the year 2024/25.
3.3 Budgeting and Forecasting
The purpose of the Budget and Forecasting business process is to ensure that financial management is effective and efficient in the department and to ensure proper management of public resources and regulations.
The scope of the controls for the Budget and Forecasting business process starts by defining the budget process according to Treasury Board (TB) policy. Once the budget is in place, a forecast is prepared and reconciled to the actuals from CDFS. The department implemented a tool called the FSR tracking budget and uses a template to complete its forecast-to-actuals reconciliation every month. All budget decisions are approved by the Chief Financial Officer (CFO) and the financial information is sent out to the Executive Committee (ExCom) for approval.
We have found no exception in our testing of internal controls over budgeting and forecasting for the year 2024/25.
3.4 Annual Report
The purpose of the Annual Report process is to support the requirements of the National Defence Act, under which the “Chairperson shall, within three months after the end of each year, submit to the Minister a report of the Complaints Commission’s activities during that year and its recommendations”. The process starts with the development of a critical path, followed by developing the report, performing a challenge function and publishing the report once it has been tabled in Parliament.
Corporate Reporting is responsible for overseeing the process for developing, reviewing and obtaining approval for the Annual Report. During the testing, it was noted that data sets are prepared based on information provided by the Registrar. The report is reviewed and recommended for approval by the Senior General Counsel and Director General before it is approved by the Chairperson.
We have found no exception in our testing of internal controls over the annual report for the year 2024/25.
3.5 IT Asset Planning
When IT asset planning was first assessed, MPCC was revisiting its IT strategy and considering several migrations to different platforms. In the past five years, MPCC has transitioned many of its systems to Cloud based solutions.
We reviewed the IT Asset Management and Planning process established by MPCC and found it is appropriate and sufficient for the organization. The IT infrastructure / Cloud strategy is well laid out and provides guidance for the next three years.
We have found no exception in our testing of internal controls over IT Asset Planning for the year 2024/25.
CONCLUSION ON BUSINESS PROCESS CONTROLS
The assessment found that key internal controls over the business processes were operating effectively.
4. Results – ITGCs
2024‑25 | Control Areas | Common Controls | CDFS | MyGCHR (L&O) | Documentum | SPS (suppliers) | HRG (Travel) |
---|---|---|---|---|---|---|---|
IT Infrastructure | 3 | Strong | |||||
IT Security (User Access) | 6 | Out of scope in 2024-25 |
2023‑24 | Control Areas | Common Controls | CDFS | MyGCHR (L&O) | Documentum | SPS (suppliers) | HRG (Travel) |
---|---|---|---|---|---|---|---|
IT Management | 3 | Out of scope in 2021-22 | |||||
IT Security (User Access) | 6 | Opportunity for improvement | Strong | Strong | Strong | Strong | Strong |
2022‑23 | Control Areas | Common Controls | CDFS | MyGCHR (L&O) | Documentum | SPS (suppliers) | HRG (Travel) |
---|---|---|---|---|---|---|---|
IT Infrastructure | 3 | Strong | |||||
IT Security (User Access) | 6 | Out of scope in 2022‑23 |
4.1 Previous Year Recommendations
MPCC undertook a review of its internal controls for the first time during the year 2021/22. Two recommendations were issued for the one IT general controls process reviewed at that time, and one recommendation was issued in the year 2022/23. All the recommendations were assessed as low and medium risk ratings. No recommendations were issued for 2023/24 and 2024/25.
All three recommendations have since been closed as steps were taken to implement the management action plans developed.
For additional details on the previous recommendations issued, management action plans and their progress, refer to Appendix C.
4.2 Infrastructure (non-financial information)
During the year 2024/25, we reviewed the IT Infrastructure elements in place to ensure that sufficient controls are in place to safeguard protected information under MPCC management, including the investigation files. These elements include overall network architecture and systems used for the various data.
The infrastructure is segmented into three zones, which provides adequate safeguards, since the network is isolated at different levels.
CONCLUSION ON USER ACCESS CONTROLS
We found that IT general controls around IT Infrastructure in scope are operating effectively.
Appendix A: On-going Monitoring Plan
Key Control Areas | Risk | Fiscal Year 2021‑22 | Fiscal Year 2022‑23 | Fiscal Year 2023‑24 | Fiscal Year 2024‑25 | Fiscal Year 2025‑26 | Notes |
---|---|---|---|---|---|---|---|
Entity-Level Controls | MEDIUM | X | - | - | - | - | - |
Business Process Controls | | | | | | | |
Purchase to Payments (Expenditures) | MEDIUM | X | - | X | - | X | Note 1 |
IT Asset Planning | MEDIUM | - | X | - | X | - | - |
Travel Expenditures | MEDIUM | X | - | X | - | X | - |
Pay Administration | MEDIUM | - | X | - | X | - | - |
Budgeting and Forecasting | MEDIUM | - | X | - | X | - | - |
Financial Reporting | LOW | - | - | X | - | - | - |
Non-Financial Process Areas | | | | | | | |
Security of non-financial information | MEDIUM | X | - | - | - | - | - |
Investigations | MEDIUM | - | X | - | - | - | - |
Annual Report | LOW | - | - | - | X | - | - |
ITGC areas | | | | | | | |
User Access (financial areas) | - | X | - | X | - | X | - |
Infrastructure (non-financial information) | - | - | X | - | X | - | - |
Appendix B: Management Action Plan
Nil – No new recommendations were issued for 2024/25.
Appendix C: Management Action Plan
Recommendations | Risk Rating | Management Action Plan (as defined by MPCC in 2021-22) | Implementation Progress as of Q3 2024-25 |
---|---|---|---|
Entity Level Controls | |||
Recommendation 1: We recommend that MPCC enhance their threat assessment to include the risk of fraud and ensure that employees are aware of the risk of fraud, how to identify it and reporting protocols. | Medium | The MPCC will integrate the risk of fraud to their next cyclical threat and risk assessment in 2025 or if the MPCC office space has a significant change prior to that date. In the meantime, the MPCC will update their security awareness communication plan, more specifically the article in the month of March on Fraud Prevention Month to incorporate information on who employees should communicate with if they encounter fraud while working and how to identify it. | In progress |
Business Process Controls | |||
Recommendation 2: We recommend that MPCC ensures that commitments are updated when invoices are received to ensure the accuracy of unencumbered funds and that unused funds are released. | Low | The Finance Team will put in place standard operating procedures to ensure that commitments are kept up to date, both in our commitment spreadsheet and in CDFS. The procedures will clarify the timing and individuals/positions responsible for entering, reviewing and approving the information. In addition, we will perform semi-annual reviews of the commitments to ensure accuracy and completeness. We plan on implementing this process in time for the start of fiscal year 2022-23. | Implemented (March 2023) |
Recommendation 3: We recommend that monitoring controls be put in place to ensure that the segregation of duty risk identified can be managed. Possible system notifications could be put in place to manage the risk. | Medium | The MPCC will address the segregation of duty risk by revisiting our CDFS accesses and seek CDFS HelpDesk guidance in limiting the access surrounding vendor/supplier change. A preferred option is to separate the “create” and “approve” accesses between Section 33 approvers (approve only) and the other finance users (create/modify only). The change request has been submitted to CDFS with a proposed timeline of 6 months (September 2022). | In progress |
Recommendation 4: We recommend that, on an ongoing basis, logical access to STS be removed immediately upon an employee leaving the Commission or an employee changing roles and no longer requiring access per their job duties. Furthermore, we recommend that there be a periodic review of access to detect any anomalies and correct them on a timely basis. | Medium | We will update the MPCC’s Departure form to capture this access removal. This will then trigger the travel coordinator to suspend the accounts in the travel portal. We also recommend that at the end of each fiscal year, HR sends a report of all terminated employees from that fiscal year, and the coordinator will then proceed with a review to make sure no employees were missed. | Implemented (December 2023) |
Recommendation 5: We recommend that information management practices and protocols be put in place for all electronic information management systems, whether through Documentum, the shared drive or Teams. | Medium | The MPCC currently has documented information practices and protocols for its departmental information system, Documentum. The MPCC is working on documenting document management and retention on the Microsoft Teams platform and will be implementing a policy, protocol and forms in fiscal year 2022-23. As the MPCC is currently working to retire shared drives, the management of this information will be addressed through the retirement of shared drive by the end of Fiscal year 2023-24. | Implemented (March 2024) |
Recommendation 6: We recommend MPCC adopts a QA process for its digitization initiative to ensure that key physical records get digitized in a fashion that the document integrity is maintained. | Low | In 2017, the MPCC adopted and documented a quality assurance process for its digitization initiative to ensure that physical records are digitized in a manner that ensures document integrity. However, there are concerns that the process was not followed properly in the past and some physical records are currently being kept as a back up to digitized records. The MPCC will put in place a plan by the end of 2022-23 to perform the quality assurance process of physical records that were digitized in a manner that ensures document integrity and to proceed to the timely disposition as per the Data Disposition Policy. In addition, the MPCC is in the process of approving a revised version of the Information and Data Disposition Policy. Once approved, the MPCC, through its legal services and over the next year, will carry out a soft audit before destruction of the files already digitized in order to identify the key documents which must be kept for consultation later. | In progress |
User Access | |||
Recommendation 7: We recommend that the departure process be formalized to ensure a timely removal of all application and network access upon departure. Documentation should be available to demonstrate when the user access has been removed (applications and network access). | Medium | The MPCC shall modify its departure forms to include additional fields in regard to IM/IT related accesses to ensure those accesses are removed upon the departure of employees. For specific accesses within the Finance team, a separate document to track these accesses will be created to track modifications and deactivation as required. | Implemented (December 2023) |
Recommendation 8: We recommend that the on-going review of user access be documented for future reference. | Low | The MPCC is in the final stage of a new MPCC IT Security Policy which includes new measures for the control of accesses. The policy will formalize roles and responsibilities between IT and managers in the attribution of access and notifications when changes in employment or access profiles occur. The policy will also require record keeping of access changes through standardized procedures and forms. | Implemented (March 2023) |
Recommendations | Risk Rating | Management Action Plan (as defined by MPCC in 2022-23) | Implementation Progress as of Q3 2024-25 |
---|---|---|---|
Business Process Controls | |||
Recommendation 1: We recommend that records of decision be documented for key decisions made at the Executive Committee meetings, such as budget allocations. | Low | The Administrative Assistant to the Chairperson is now attending the Executive Committee meetings and acts as the notetaker. All minutes – Records of decision are validated and approved by the Executive Committee members after all meetings. Once approved, minutes are saved and retained in Documentum. | Implemented (June 2023) |
Recommendation 2: We recommend that, the Executive Committee be regularly informed of the results of the Financial Situation Reports, either secretarially or during meetings and that records of approval are retained as evidence of their review. | Low | All Financial Situation Reports (FSR) are tabled to the Executive Committee a few days before the meetings and presented to the Chairperson during the meetings. A summary of the discussion is included in the Records of decision. As needed, ad-hoc meetings are organized to discuss finance initiatives requiring approval. | Implemented (June 2023) |
Investigations | |||
Recommendation 3: We recommend that the MPCC ensures that allegations formulated as a result of Conduct, Interference, and Public Interest complaints appear early in the report and be referenced to an appropriate Policy, Directive, Instruction Manual, Code of Conduct, or Act, when feasible. | Low | The drafting guidelines now state that allegations appear very close to the beginning of Interim and Final Reports and each allegation references the appropriate legislation or policy instrument as appropriate when feasible to do so. | Implemented (June 2023) |
Recommendation 4: We recommend that the MPCC implements a follow up process to track the progress of approved recommendations and management action plans to full implementation, and report the result of the tracking procedures into the MPCC Chairperson's annual report. | Low | The MPCC sought the CFPM’s assistance in receiving those updates. The intent was to enhance accountability to the public by tracking the progress of accepted recommendations to allow the MPCC to provide updates on its external website and in its Annual Report. However, in Fall 2023, the CFPM refused to provide updates to the MPCC on the implementation of its recommendations on the grounds that he does not have a legislative obligation to do so. Therefore, the MPCC will not be able to implement the recommendation made. | Not Applicable |
Recommendations | Risk Rating | Management Action Plan (as defined by MPCC in 2023-24) | Implementation Progress as of Q3 2024-25 |
---|---|---|---|
Business Process Controls | |||
Recommendation 1: We recommend that, on an ongoing basis, journal vouchers are prepared, approved and posted by two separate individuals. | Low | In a spirit of continuous improvement, the MPCC accepts the recommendation. As such, the Finance Team will put in place standard operating procedures for the journal voucher process to ensure proper segregation of duties is in place. This should be in place ahead of the 2023-24 fiscal year-end. | Implemented (September 2024) |