Annex — Assessment of Internal Control over Financial Reporting for the fiscal year ended March 31, 2022 (unaudited)

1. Introduction

This document is attached to the Office of the Commissioner of Lobbying Statement of Management Responsibility Including Internal Control Over Financial Reporting for the fiscal year 2021-22. As required by the Treasury Board Policy on Internal Control, this document provides summary information on the measures taken by the Office of the Commissioner of Lobbying (OCL) to maintain an effective system of internal control over financial reporting (ICFR). It provides summary information on the work performed by the OCL as of March 31, 2022, including progress, results and related action plans along with some financial highlights pertinent to understanding the control environment unique to the OCL.

Due to the COVID-19 pandemic, an internal review of OCL’s overall control environment was performed in 2020-2021, and it was determined that none of the key controls were compromised because of the pandemic.

Although operations continued remotely in 2021-2022 due to the COVID-19 pandemic, financial transactions continued to be approved by the appropriate authority and no changes were required to OCL’s delegation instruments.

There were no changes required to the risk assessment done at the beginning of the COVID-19 pandemic. The risk related to the key controls continues to be low and therefore there is no impact on the validity, accuracy and completeness of OCL’s Financial Statements, including the Notes.

1.1 Authority, Mandate and Program Activities

The Office of the Commissioner of Lobbying was established in 2008 under the Lobbying Act. The Commissioner of Lobbying is an Agent of Parliament and is responsible for the administration of the Lobbying Act. The legislation seeks to improve transparency and accountability regarding communications between lobbyists and federal public office holders and increase the confidence of Canadians in the integrity of government decision-making.

Detailed information on the OCL’s authority, mandate and program activities can be found in its 2021-22 Departmental Results Report, Departmental Plan and Annual Report.

1.2 Financial highlights

Key financial information for 2021-22 is discussed below. Additional information can be found in the OCL’s Financial Statements. Information can also be found in the Public Accounts of Canada.

  • Total expenses were $5.2 M. Salaries and employee benefits comprise the majority (63% or $3.3 M for 26 employees) followed by professional and special services (20% or $1.0 M).
  • Tangible capital assets comprise 99% of OCL’s total non-financial assets ($1.6 M).
  • Accounts payable and accrued liabilities (57%) followed by vacation pay and other leaves (37%) comprise the main portion of total liabilities ($0.6 M).
  • The OCL utilizes the GX financial system.

1.3 Service arrangements relevant to financial statements

The OCL relies on other organizations to process various transactions that are recorded in its financial statements as follows:

Common Arrangements

  • Public Services and Procurement Canada (PSPC):
    • centrally administers the payment of salaries;
    • centrally administers the procurement of some goods and services;
    • provides cheque-issuing services; and
    • provides accommodation services.
  • Treasury Board of Canada Secretariat (TBS) provides information used to calculate various accruals and allowances, such as the employer’s contribution to the health and dental insurance plans.
  • The Office of the Auditor General provides audit services to OCL.

Specific Arrangements

  • The Canadian Human Rights Commission (CHRC) provides a financial system platform (GX) to capture and report all financial transactions and performs financial transaction processing and reporting on behalf of OCL. The CHRC also provides Compensation Services. The scope and responsibilities are addressed in the interdepartmental arrangement between CHRC and OCL, as well as in the attestation and summary of results prepared by CHRC on its ICFR regarding the impact it has on its clients. OCL relies on CHRC’s internal controls over financial reporting and the financial management system to process the financial data that has been approved, authorized and transmitted by the Office. In 2021-22 CHRC engaged audit services to update the documentation and to complete the operating effectiveness testing of controls at the entity level and for business processes and Information Technology General Controls in accordance with its risk-based ongoing monitoring plan for fiscal year 2021-22. CHRC will continue to monitor these controls using a risk-based approach. OCL is responsible to ensure that the financial reports are accurate and fairly present the financial results and position.
  • The Office of the Privacy Commissioner hosts the OCL’s Lobbyists Registration System (LRS), its website, its desktop systems, servers and support systems on the OPC information technology (IT) infrastructure.

1.4 Material changes in 2021–22

No significant changes that are relevant to the financial statements occurred in 2021-22. In January 2022, the OCL updated its financial delegation instrument. No major modifications were made to the financial delegation instrument. The OCL also completed a corporate risk profile assessment that led to a risk-based multi-year internal audit and evaluation plan.

2. OCL’s control environment relevant to ICFR

The OCL is a small entity with low risk associated with its system of internal control. It recognizes the importance of senior management leadership in ensuring that staff at all levels understand their role in maintaining effective systems of ICFR and are well equipped to exercise these responsibilities effectively. The OCL’s focus is to ensure risks are well managed through a responsive and risk-based control environment that enables continuous improvement and innovation.

2.1 Internal Control Management

The OCL has a well-established governance and accountability structure to support organizational assessment efforts and oversight of its system of internal control. An organizational internal control management framework is in place and includes:

  • Organizational accountability structures as they relate to internal control management to support sound financial management, including roles and responsibilities of senior managers in their areas of responsibility.
  • Employee code of values and ethics.
  • Ongoing communication and training on statutory requirements, and policies and procedures for sound financial management and control; and
  • Monitoring of and regular updates on internal control management, as well as the provision of related assessment results and action plans to the Commissioner and organizational senior management and, as applicable, OCL’s Audit and Evaluation Committee (AEC).

2.2 Key positions, roles and responsibilities

Below are the OCL’s key positions and committees with responsibilities for maintaining and reviewing the effectiveness of its system of ICFR.

Commissioner (deputy head): As the Accounting Officer, the Commissioner assumes overall responsibility and leadership for the measures taken to maintain an effective system of internal control. In this role, the Commissioner chairs the Executive Management Committee and is an ex-officio member of the Audit and Evaluation Committee.

Director of Finance and Chief Financial Officer: Under the supervision of the Commissioner, the Director of Finance and Chief Financial Officer provides leadership for the coordination and coherence of the design and maintenance of an effective and integrated system of ICFR, including its annual review and assessment. The CFO is responsible for the development, implementation and maintenance of the financial and accounting control regime for the OCL. The CFO is also responsible for the operational planning, including the coordination and implementation of risk management activities. The position is also responsible for the management of the organization’s financial planning and reporting, accounting and contracting activities. It provides support to the internal audit function, and expert financial advice and recommendations to the Commissioner.

It is not practical for OCL to have a full-time Chief Audit Executive, due to the organization’s size, risk profile and resources. For this reason, the function is performed by the Chief Financial Officer who assumes administrative responsibility for the internal audit function. Given the size of the organization and limited resources, the OCL must supplement its internal audit capacity by outsourcing most of its internal audit services. The CFO recuses himself from audits of the financial and contracting functions.

Executive Management Committee (EMC): This Committee is the senior decision-making body at OCL. The Committee is chaired by the Commissioner and its membership also includes the Chief Financial Officer and the three directors.

The primary purpose of EMC is to establish and oversee the Office’s strategic policy and management direction. It provides a forum to consider decisions on policy, administrative practices and management issues and ensures that the Commissioner is strategically prepared to provide direction on the Office’s key activities, to help her fulfill her mandate. EMC supports the Commissioner in making strategic decisions on key policy and operational planning issues, ensures integration of cross-cutting decisions and addresses items impacting on the Office’s business. It specifically provides advice to the Commissioner and supports the oversight function with respect to business planning, finance, human resources, information technology, information management, official languages, outreach activities and workplace health and safety, as well as advises the Commissioner on resource allocation prior to making decisions.

Audit and Evaluation Committee (AEC): The AEC provides the Commissioner with independent and objective advice on internal audit, program evaluation, risk management, control framework and reporting practices. It consists of two external members and the Commissioner, as an ex-officio member. The committee reviews the Corporate Risk Profile, OCL’s financial statements and its system of internal controls, including internal audit reports, and the assessments and action plans related to the system of ICFR. The AEC meets with the OAG to receive the results of their annual audit of the OCL financial statements. It also reviews other accountability reports, such as the DP and the DRR, and internal audit reports. The committee presents its observations in a report annually to the Commissioner.

2.3 Key measures taken by the OCL

The OCL has a comprehensive internal control framework for financial management that is aligned with the federal government’s expenditure management process. The OCL’s funding is controlled through a budgeting and commitment control process in its integrated financial system. Expenditures are approved at the initiation, commitment, contracting, performance certification and payment approval stages. Financial results are monitored through a monthly financial reporting process and validated by management.

The OCL’s control environment also includes measures and structures to equip staff to be able to manage risks well, through raising awareness, providing appropriate knowledge and tools and developing skills. Key measures include:

  • Governance structure and strategic direction through the Executive Management Committee (EMC) and supported by the Audit and Evaluation Committee;
  • Regular reporting of financial performance to the EMC;
  • Financial policies tailored to the OCL’s control environment and requirements of the Policy on Internal Control;
  • Periodic review and update of the Delegation of Financial Signing Authorities Instrument;
  • Documentation of key financial processes and related key risk and control points to support the management and oversight of the OCL’s system of ICFR;
  • Completion of a corporate risk profile leading to a multi-year risk-based internal audit and evaluation plan;
  • Review of the internal controls over financial reporting framework leading towards an ongoing monitoring plan;
  • Preparation and implementation of management actions plans in response to observations and recommendations made during the review of the effectiveness of controls.

3. Assessment of OCL’s system of ICFR

3.1 Assessment baseline

The OCL maintains an effective system of ICFR with the objective to provide reasonable assurance that:

  • Transactions are appropriately authorized;
  • Financial records are properly maintained;
  • Assets are safeguarded; and,
  • Applicable laws, regulations and policies are complied with.

Over time, this includes assessment of design and operating effectiveness of the system of ICFR leading to ensuring the ongoing monitoring and continuous improvement of the system of ICFR.

Design effectiveness means to ensure that key control points are identified, documented, in place and that they are aligned with the risks (i.e., controls are balanced with and appropriate to the risks they aim to mitigate) and that any remediation is addressed. This includes the mapping of key processes and IT systems to the main accounts by location as applicable.

Operating effectiveness means that the application of key controls has been tested over a defined period and that any required remediation is addressed.

Such testing covers all departmental control levels which include corporate or entity, general computer and business process controls.

The maintenance of an effective system of ICFR is an ongoing process designed to identify, assess effectiveness and adjust as required key risks and associated key controls, as well as to monitor its performance in support of continuous improvement. As a result, the scope, pace and status of those assessments of the effectiveness of their system of ICFR are based on risks and consider the size of the organization.

3.2 Assessment method at the OCL

In 2021-22, the OCL monitored its internal financial controls to comply with the Treasury Board Policy on Internal Control and to ensure that controls in place were sound and provided reasonable assurance that financial operations were conducted in compliance with regulations and applicable policies and directives.

The OCL has documented the following significant processes and controls: salary expenditures, procurement and payment to suppliers, acquisition cards, business travel cards, financial delegation, hospitality expenditures, travel expenditures, petty cash, asset management, teleworking policy and cellular phones and other wireless devices.

The monitoring of the internal controls processes consisted of walking through the processes with various stakeholders.

As a small organization, the OCL acquires some of its internal services through Memoranda of Understanding for information technology, human resources and financial services from other government departments. Where the OCL relies on these other government departments, they are responsible for the self-assessment of their internal controls. CHRC has provided to OCL an attestation concerning their assessment of their internal controls.

4. Assessment results

The preparation of internal controls documentation and subsequent assessment of the efficiency of controls is part of a continuous improvement process that will allow the OCL to implement healthy financial management practices.

2021-2022 is the eleventh year that the OCL financial statements have been audited by the Office of the Auditor General (OAG). The comparative information presented in the financial statements for the year ended March 31, 2021, is audited.

OCL has received an unmodified opinion on its financial statements for 2021-2022.
Based on the audit work performed, the OAG’s auditors have not identified opportunities for changes in procedures that would improve the systems of internal control, streamline operations, and/or enhance financial reporting practices.

In 2021-22, the OCL had its corporate risks assessed by a third party, which led to an updated corporate risk profile (CRP). The results enabled the OCL to develop a multi-year risk-based internal audit and evaluation plan (MYRBIAEP). The CRP and MYRBIAEP were reviewed and endorsed by the AEC.

In 2021-22, OCL has continued to refine its internal control processes and tested their effectiveness. It has also undertaken a review of its internal control processes to align them with both the organizational structure and remote working environment. When necessary, slight adjustments were made to the processes.

In 2020-21, OCL has continued to refine its internal control processes and tested their effectiveness. It has also undertaken a review of its internal control processes to align them with both the organizational structure and remote working environment. When necessary, slight adjustments were made to the processes.

The key findings and significant adjustments required from the current year’s assessment activities are summarized below.

New or significantly amended key controls: In 2021-22, a new Minister responsible for OCL’s delegation authorities was appointed and within 90 days of the appointment the financial delegation instrument (FDI) must be signed. Updates were increases to the delegated contracting values to reflect the level of authorities given under the contracting policy. Also, a telework policy was implemented in March 2022. The policy provides guidance about employee and employer responsibilities. The OCL proceeded with minor modifications to internal control processes as required.

The Corporate Risk Profile assessment identified 3 areas of potential higher risk (depth of capacity, Lobbyists Registration System (LRS) and cybersecurity) that have been earmarked for further review through either an audit or evaluation in the OCL Risk-Based Audit and Evaluation Plan 2022-25. In the meantime, management believes that strong compensatory controls exist to manage within reasonable thresholds potential risks. The potential risks or exposure to internal controls over financial reporting are believed to be minimal.

Ongoing monitoring program: As part of its ongoing monitoring plan, OCL reviews and updates annually, in collaboration with CHRC, its process flows and narratives, which includes documenting controls. In 2021-22, no significant control issues were found. Procedures and detailed variance reports are in place to efficiently obtain additional internal assurance over the financial reporting.

5. Action plan

5.1 Progress as of March 31, 2022

During 2021-22, the OCL has continued to make progress in improving the implementation of its key controls, as summarized below:

  • Collaborated with CHRC in preparing OCL’s response to the OCG-OAG HR to PAY self-assessment.
  • Received from CHRC their assessment results of its operating effectiveness for testing controls at the entity level and for business processes and Information Technology General Controls (ITGCs). The assessment revealed that the key internal controls for Procurement to Payments and Financial Reporting business processes were strong, whereas the results of the design effectiveness for Cost Recovery and CFO attestation processes were deemed acceptable.
  • Completed its corporate risk profile and multi-year risk-based audit and evaluation plan.
  • Continued to improve the monthly financial situation reports to strengthen financial forecast, assist management decision making and strengthen the project management delivery.

5.2 Action plan for the next fiscal year and subsequent years

In fiscal year 2022-23, the OCL will continue to strengthen its management accountability framework, including planning and reporting instruments such as the Performance Measurement Framework. As a result of the Corporate Risk Profile exercise completed in 2021-22, and in particular the depth of capacity risk identified, the OCL will assess its need for additional resources in order to enhance alignment, flow and accountability. This will support a request for additional funding to mitigate the depth of capacity risk. In addition, for added assurance, the OCL will undertake an audit of its ICFR/ICFM framework beginning in fiscal 2022-23. The objective of this audit, among others, will be to ensure the following:

  • The current internal control structure sufficiently adheres to Treasury Board of Canada Secretariat’s revised financial management policy requirements regarding ICFM; and
  • There are effective processes in place to develop capacity, through which effective and ongoing ICFM can be put in place.

The OCL will assess how it can apply the Small Department Core Control Self-Assessment Tool designed by the Office of the Comptroller General. The purpose of the tools (14) is to provide management with a means to assess, and improve, a subset of financial management controls.

The OCL will review its policy on the accounting treatment of capital assets to better align with the CICA accounting standards and OAG audit findings.

The Summary table of internal controls with respect to ICFR was developed in January 2017. In collaboration with other Directorates, Financial Services updates the documentation annually.

Summary table to highlight progress and future plans

| | Documentation (revised annually) | Design Effectiveness (January 2017) | Operating Effectiveness |
|---|---|---|---|
| Entity Level Controls | Completed | Completed | Ongoing |
| Information Technology General Controls | Completed | Completed | Completed |
| Business Process Controls: | | | |
| Salary Expenditures | Completed | Completed | Completed |
| Procurement and Payment to Suppliers | Completed | Completed | Completed |
| Acquisition Cards | Completed | Completed | Completed |
| Business Travel Cards | Completed | Completed | Completed |
| Financial Delegation | Completed | Completed | Completed |
| Hospitality Expenditures | Completed | Completed | Completed |
| Travel Expenditures | Completed | Completed | Completed |
| Petty Cash | Completed | Completed | Completed |
| Asset Management | Completed | Completed | Completed |
| Cellular Phones and Other Wireless Devices | Completed | Completed | Completed |

OCL will implement an ongoing monitoring plan in 2022-23 based on an annual validation of the high-risk processes and controls.
