Appendix to the Statement of Management Responsibility Including Internal Control over Financial Reporting

Canadian Space Agency

Summary of the effectiveness of the system of internal control assessment over financial reporting and the action plan for the Canadian Space Agency for fiscal year - (unaudited)

Note to the Reader

With the new Treasury Board Policy on Internal Control, effective , departments are now required to demonstrate the measures they are taking to maintain an effective system of Internal Control over Financial Reporting (ICFR).

As part of this policy, departments are expected to conduct annual assessments of their system of ICFR, establish action plans to address necessary adjustments, and to attach to their Statement of Management Responsibility a summary of their assessment results and the action plan.

An effective system of ICFR aims to achieve reliable financial statements and to provide assurance that:

  • Transactions are appropriately authorized;
  • Financial records are properly kept;
  • Assets are safeguarded from risks such as waste, abuse, loss, fraud and mismanagement; and,
  • Applicable laws, regulations and policies are complied with.

It is important to note that the system of ICFR is not designed to eliminate all risks but rather to mitigate risks to a reasonable level through effective control mechanisms proportional to the risks they aim to mitigate.

Maintaining an effective system of ICFR is an ongoing process, the objectives of which are to identify key risks, assess the effectiveness of controls set up to mitigate risks, make necessary changes and monitor implementation of the controls in support of continuous improvement. Consequently, the scope, pace and status the departmental assessments of the effectiveness of their systems of ICFR will vary from one organization to another, based on risks and taking into account their unique circumstances.

Table of Contents

  1. Introduction
  2. Canadian Space Agency's Control Environment Relevant to ICFR
  3. Assessment of the Canadian Space Agency's System of ICFR
  4. The Canadian Space Agency's Assessment Results as of
  5. The Canadian Space Agency's Action Plan

1. Introduction

This document is appended to the Canadian Space Agency's (CSA) Statement of Management Responsibility Including Internal Control over Financial Reporting for the - fiscal year. In accordance with the Treasury Board Policy on Internal Control, in effect since , the CSA is providing for the first time a summary of the measures taken to maintain an effective system of Internal Control over Financial Reporting (ICFR). More specifically, it provides summary information on assessments carried out by the CSA up to , on the progress, results and associated action plans, as well as some financial highlights pertinent to understanding the control environment unique to the CSA.

1.1 Authority, Mandate and Program Activities

The mandate of the CSA is to "promote the peaceful use and development of space, to advance the knowledge of space through science and to ensure that space science and technology provide social and economic benefits for Canadians".

The CSA is achieving this mandate in collaboration with Canadian industry, academia, Government of Canada organizations, and other international space agencies or organizations. Such partnering maximizes the economic, scientific, and technological benefits and enhances synergies between institutions across the country and with other nations.

The Departmental Performance Report and the Report on Plans and Priorities provide additional information on the CSA's mission and its strategic outcome as well as on the priorities and performance of its programs, as defined in the Program Activity Architecture (PAA).

1.2 Financial Highlights

The following section provides readers with information to better understand the CSA's financial situation and the results of its activities. The CSA's financial highlights for the - fiscal year are included in the Departmental Performance Report and in the Financial Statements (unaudited). Information is also available in the Public Accounts of Canada.

The most significant financial information for the - fiscal year is:

  • Total expenditures amount to $468 million.
    • Professional and Special Services expenditures account for the largest share of expenditures ($151 million or 32%).
    • Salaries account for the second largest share of expenditures ($85 million or 18% for 699.7 full-time equivalents).
    • Acquisition of machinery and equipment and transfer payments respectively account for the third and fourth largest share of expenditures ($52 and $47 million).
  • Capital assets represent 69% of total assets ($932 million).
    • Accounts payable and accrued liabilities account for 80% of total liabilities ($97 million).

The CSA has two main information systems that are critical to its activities and financial reporting: the SAP financial system and the human resources management system (TIPS).

1.3 Service Arrangements Relevant to Financial Statements

The CSA relies on other organizations for the processing of certain transactions and to gather information for calculating some liabilities recorded in its financial statements:

  • Public Works and Government Services Canada (PWGSC) centrally administers:
    • Payment of salaries;
    • Procurement of certain goods and services; and,
    • Shared services relative to facilities.
  • The Department of Justice provides legal services.
  • The Treasury Board Secretariat (TBS) provides necessary information for calculating various accruals and allowances, such as accrued severance liability.

1.4 Major Changes during the - Fiscal Year

The PAA was reorganized in order to present information on performance and financial data under four activities instead of six, as in recent years. This change is presented in the Report on Plans and Priorities as well as in the CSA's Financial Statements, which set out the four new activities in -.

The following are the CSA's Program Activities:

  • Space Data, Information and Services
  • Space Exploration
  • Future Canadian Space Capacity
  • Internal Services

2. Canadian Space Agency's Control Environment Relevant to ICFR

The CSA acknowledges that it is senior management's responsibility to set the tone so that employees at all levels understand the part they play in maintaining an effective system of ICFR and are able to carry out their responsibilities in this regard effectively. The CSA's priority is to ensure that risks are properly managed within a flexible, risk based control environment that enables continuous improvement and innovation.

2.1 Key Positions, Roles and Responsibilities

The CSA's key positions and committees that have a responsibility for maintaining and monitoring the effectiveness of the system of ICFR are described below.

President - As accounting officer, the CSA's President assumes overall responsibility and leadership with respect to the measures taken to ensure the effectiveness of the system of ICFR. In this role, the President is a member of the Audit Committee, chairs the Executive Committee and signs the CSA's financial statements.

Chief Financial Officer (CFO) - The CSA's CFO reports directly to the President and provides a leadership role in coordinating and ensuring the consistency and direction on the design and maintenance of an effective and integrated system of ICFR, including its annual assessments. The CFO chairs the Financial Management Committee and signs the CSA's financial statements.

Chief Human Resources Officer (CHRO) - The CHRO reports directly to the President and provides a leadership role with respect to employee recruiting, training and retention strategies in order to attract employees, provide them with the tools they need and retain the expertise that the CSA requires, as for the financial management expertise. The CHRO is responsible for ensuring and reviewing the effectiveness of aspects of the system of ICFR that fall within his mandate.

Vice-President and Director Generals - The CSA's Vice-President and Director Generals report directly to the President. They are responsible for program delivery within their respective sectors and for ensuring and reviewing the effectiveness of aspects of the system of ICFR that fall within their mandate. Management of the organization's risk profile is the responsibility of the Director General of Corporate Services.

Chief Internal Audit Officer (CIAO) - In accordance with the Treasury Board's Policy on Internal Audit, the CSA appoints a qualified CIAO who reports directly to the President and is independent of the line managers. The CIAO provides assurance by conducting periodic internal audits, which are essential for maintaining the system of ICFR's effectiveness.

Audit Committee (AC) - Reporting directly to the President of the CSA, the AC is an advisory committee whose mandate is to provide objective advice and oversee management control and accountability procedures. The AC met for the first time on . In -, the AC had four meetings, participated in two teleconference meetings and a work session. The CSA President and three external members, one of whom chairs the Committee, form the AC. The AC reviews the CSA's risk profile and internal control system, including assessments and action plans associated with the system of ICFR and financial reports.

Executive Committee (EC) - The CSA's EC, chaired by the President, is the CSA's official decision making body. As such, the EC is responsible for governance and control over the CSA's programs and activities. In accordance with its mandate, the EC is responsible for all management, monitoring and control of activities. The EC reviews, approves and monitors the organization's risk profile and internal control system including assessment and action plans related to the system of ICFR.

2.2 Main Entity Level Controls at the Canadian Space Agency

The CSA's control environment includes a series of measures to help employees manage risks effectively by increasing their awareness and knowledge, providing them with appropriate tools and upgrading their skills. The main measures include the following:

  • A departmental Accounting and Internal Control division that reports to the Deputy Chief Financial Officer (DCFO), who is dedicated to internal control;
  • Documentation of main business processes and related key risk and control points to support the management and oversight of its system of ICFR;
  • IT processing systems to achieve greater security, integrity, efficiency and effectiveness;
  • The public sector Values and Ethics Code and a Values and Ethics Committee who reports to the President;
  • An annual internal audit plan focusing on important and high-risk sectors;
  • Training program's and communications in core areas of financial management in particular for financial officers and delegated managers;
  • A delegated signing authority instrument that is reviewed periodically;
  • Annual performance agreements that specify financial management responsibilities; and,
  • An organization risk profile which outlines mitigation strategies to ensure that risks are properly managed.

3. Assessment of the Canadian Space Agency's System of ICFR

3.1 Assessment Baseline

To meet the Policy on Internal Control requirements, which gradually came into effect over a three year period starting on , departments must ensure that their departmental internal control systems are set up, maintained, monitored and reviewed to provide reasonable assurance that:

  • Transactions are appropriately authorized;
  • Financial records are properly maintained;
  • Assets are safeguarded; and,
  • Applicable laws, regulations and policies are complied with.

Therefore, departments must assess the design and operating effectiveness of their system of ICFR and set up an ongoing monitoring program to continually maintain and improve the system of ICFR.

Design Effectiveness means to ensure that key control points relevant to ICFR are identified, in place and that they are aligned with the risks (i.e. controls are proportional to risks they aim to mitigate) and that any remediation is addressed. This includes the mapping of key processes and IT systems to the main financial statement accounts.

Operational Effectiveness means that the main controls have been tested over a defined period and that any required remediation is addressed.

Such testing covers all departmental control levels which include entity level controls, general IT level controls and business process controls.

Testing of the design and operating effectiveness of the key controls over financial reporting will lead to ensuring the ongoing monitoring and continuous improvement of the departmental system of ICFR.

3.2 The Canadian Space Agency's Assessment Method

The CSA has adopted a process based on the Office of the Comptroller General's toolkit in order to help in identifying a common objective vision of how thorough controls are throughout the organization.

The CSA's process includes the following steps:

  • Plan and define the scope of the assessment based on the main quantitative and qualitative risks to which the CSA's financial reports are exposed;
  • Document entity level controls, general IT controls and process level controls;
  • Identify process level risks, align key controls with risks and perform walkthrough (design effectiveness);
  • Conduct testing of operating effectiveness; and,
  • Consolidate results, analyse deficiencies and draw up actions plans for improving the CSA's system of ICFR.

During the - fiscal year, the CSA has performed the following:

- Design Testing Operating Testing
Documentation Risk and Control Matrix Walkthrough
Entity level controls
Mandatory Training Yes Yes    
Performance appraisal and learning Yes Yes    
Delegation Instrument and Assignment of Delegated Authority Yes Yes    
Budgeting Yes Yes    
Forecast Performance Yes Yes    
General IT controls
Network and application access Yes in progress    
Development of financial system modules and functionalities Yes      
Process level controls
Payroll Yes in progress in progress in progress
Procurement to payment Yes Yes Yes  
Work in progress Yes      
Transfer Payments Yes      
Write-off and disposal Yes      
Hospitality Yes Yes Yes  
Travel Yes Yes Yes  
Month and Year-End procedures Yes      

4. The Canadian Space Agency's Assessment Results as of

The main expenditure items (quantitative risks) subject to key control testing are professional and special services, salaries, acquisition of machinery and material and transfer payments. The key process level controls that support these items are procurement to payment, work in progress, payroll and transfer payments. The main expenditure items subject to key control testing for qualitative risks are travel and hospitality.

The following paragraphs summarise the main results following the design testing effectiveness and the operating testing effectiveness.

4.1 Design Effectiveness of Key Controls

During the - fiscal year, the CSA concentrated its efforts on documenting the main controls identified under section 3.2 and validating the processes with the various participants responsible for specific activities. All necessary amendments have been addressed in the documented controls. Quality, reliability and availability of documentation have been standardized. Also, during - fiscal year, the CSA has completed several risk and control matrixes and has completed several walkthroughs for the processes identified under section 3.2. The design effectiveness testing gave assurance that key controls are in place and help to mitigate major risks.

However, during the design effectiveness testing the CSA found some key control weaknesses with the procurement to payment process (access controls to the SAP financial system) and for the pay process (control related to employee departure procedures). Corrective measures have been put in place to address the identified weaknesses.

4.2 Operating Effectiveness of Key Controls

The CSA started to assess the operating effectiveness of payroll procedures using a risk based methodology to test the key controls over the specified period and foresee completing the assessment in -.

5. The Canadian Space Agency's Action Plan

5.1 Progress Achieved during the - Fiscal Year

During the - fiscal year, the CSA began implementing the Policy on Internal Control and significant progress was made, as follows:

  • A team reporting to the DCFO was set up to plan, implement and monitor the system of ICFR.
  • An action plan based on significant risk financial statement items was elaborated and implemented.
  • The senior management approved the action plan for ICFR.
  • An action plan for ICFR work in progress status report was presented to the AC.
  • Entity level controls (refer to table in section 3.2 for details):
    • Completed the identification of controls and all related documentation (except for the control for organizational risk management); and,
    • Completed control and risk matrixes.
  • General IT controls (refer to table in section 3.2 for details):
    • Completed the identification of controls and all related documentation for controls related to access and development of financial system modules and functionalities; and,
    • Commenced control and risk matrix for access controls.
  • Process level controls (refer to table in section 3.2 for details):
    • Completed the identification of controls and all related documentation;
    • Completed risk and control matrixes and walkthroughs for procurement to payment, hospitality and travel processes; and,
    • Commenced risk and control matrixes, walkthroughs and operating effectiveness testing for the pay process.

5.2 Action Plan for the Next Fiscal Year and Subsequent Years

In order to comply with the Policy on Internal Control requirements, the CSA developed a multi-year action plan. The multi-year plan calendar prioritizes processes the most at risk.

Action plan for fiscal year - and subsequent fiscal years Design Testing Operating Testing Recommandation and Action Plan Ongoing Monitoring
Documentation Risk and Control Matrix Walkthrough
Entity level controls
Mandatory Training     12/13 13/14 13/14 14/15
Performance appraisals and learning     12/13 13/14 13/14 14/15
Delegation Instrument and Assignment of Delegated Authority     12/13 13/14 13/14 14/15
Budgeting     13/14 14/15 14/15 15/16
Forecast Performance     13/14 14/15 14/15 15/16
Organizational risk management 12/13 13/14 13/14 14/15 14/15 15/16
General IT controls
Network and application access   12/13 12/13 13/14 13/14 14/15
Development of financial system modules and functionalities   12/13 14/15 15/16 15/16 15/16
Process level controls
Payroll   12/13 12/13 12/13 12/13 13/14
Procurement to payment       12/13 12/13 13/14
Work in progress   12/13 12/13 13/14 13/14 14/15
Transfer Payments   12/13 12/13 13/14 13/14 14/15
Write-off and disposal   12/13 12/13 13/14 13/14 14/15
Hospitality       12/13 12/13 13/14
Travel       12/13 12/13 13/14
Month and Year-End procedures   12/13 12/13 13/14 13/14 14/15

It is foreseen to continue consultations with the Audit Committee for fiscal year - and subsequent years in order to get independent advice on the CSA's system of ICFR, including advice on governance and risk management.

Furthermore, in subsequent fiscal years, the CSA will continue to look for opportunities to strengthen its entity level controls in considering assessments and annual audits. In particular, the CSA must ensure that a fully integrated monitoring plan is implemented in order to raise employee awareness and increase employee understanding of the system of ICFR at all levels, as well as provide employees with knowledge, skills and the necessary tools to fulfill their tasks.