Annex — Assessment of Internal Control over Financial Reporting for the fiscal year ended March 31, 2025 (unaudited)

1. Introduction

The OCL maintains an effective system of Internal Control Over Financial Reporting (ICFR) with the objective to provide reasonable assurance that:

• Transactions are appropriately authorized;
• Financial records are properly maintained;
• Assets are safeguarded; and,
• Applicable laws, regulations and policies are complied with.

This document provides summary information on the measures taken by the Office of the Commissioner of Lobbying (OCL) as of March 31, 2025, to maintain this system. It includes information on progress, results and related action plans.

Detailed information on OCL’s authority, mandate, program activities and finances can be found in the 2024-25 Departmental Results Report (DRR), the 2025-26 Departmental Plan (DP) and in the OCL’s Financial Statements for 2024-25.

2. Organisational System of Internal Control over Financial Reporting

The OCL is a micro-organization with low risk associated with its system of internal control. It recognizes the importance of senior management leadership in ensuring that staff at all levels understand their role in maintaining effective systems of ICFR and are well equipped to exercise these responsibilities effectively. The OCL’s focus is to ensure risks are well managed through a responsive and risk-based control environment that enables continuous improvement and innovation.

2.1 Internal Control Management Framework

The OCL has a well-established governance and accountability structure to support organizational assessment efforts and oversight of its system of internal control. An internal control management framework, is in place and includes:

• Organizational accountability structures to support sound financial management, including roles and responsibilities of senior managers;
• A Code of values and ethics for employees;
• Ongoing communication and training of OCL managers and staff on statutory requirements, and on policies and procedures for sound financial management and control; and
• Monitoring and regular updating of internal control management, as well as providing related assessment results and action plans to the Commissioner, OCL senior management and, as applicable, OCL’s Audit and Evaluation Committee (AEC).

The AEC provides advice to the Commissioner on the adequacy and functioning of OCL’s risk management, control and governance frameworks and processes.

The OCL’S internal control framework for financial management is aligned with the federal government’s expenditure management process. Funding is controlled through a budgeting and commitment control process. Expenditures are approved at the initiation, commitment, contracting, performance certification and payment approval stages. Financial results are monitored through a monthly financial reporting process and forecasts are validated by management and presented to the Executive Management Committee by the Chief Financial Officer (CFO).

The OCL’s control environment also includes measures and structures to equip staff to be able to manage risks well, through raising awareness, providing appropriate knowledge and tools and developing skills. Key measures include:

• Governance structure and strategic direction through the Executive Management Committee (EMC) and supported by the Audit and Evaluation Committee (AEC);
• Regular reporting of financial performance to the EMC;
• Financial policies tailored to the OCL’s control environment and requirements of the Treasury Board Policy on Financial Management;
• Periodic review and update of the Delegation of Financial Signing Authorities Instrument;
• Documentation of key financial processes and related key risk and control points to support the management and oversight of the OCL’s system of ICFR;
• Comprehensive assessment of a corporate risk profile leading to a multi-year risk-based internal audit and evaluation plan with annual monitoring thereon;
• Generating an annual Fraud Risk report, starting in 2024-25;
• Review of the ICFR framework with regular monitoring of basic controls, and when necessary more in-depth reviews based on risk assessment; and
• Preparation and implementation of management actions plans in response to observations and recommendations made during the review of the effectiveness of controls (by the CFO), as well as audits, evaluations or other engagement work (usually performed by an external consultant, under the supervision of the Chief Audit Executive - CAE).

2.2 Service arrangements relevant to financial statements

The OCL relies on other organizations to process various transactions that are recorded in its financial statements as follows:

Common Arrangements

• Public Services and Procurement Canada (PSPC) centrally administers:
  • the payment of salaries;
  • the procurement of some goods and services;
  • provides cheque-issuing services; and
  • provides accommodation services.
• Treasury Board of Canada Secretariat (TBS) provides information used to calculate various accruals and allowances, such as the employer’s contribution to the health and dental insurance plans. 
• The Office of the Auditor General (OAG) provides external audit services to OCL.

Specific Arrangements

• The Canadian Human Rights Commission (CHRC) provides a financial system platform (GX) to capture and report all financial transactions and performs financial transaction processing and reporting on behalf of OCL. In addition, CHRC provides compensation services. Procurement services, which were provided by CHRC for part of 2023–24 and subsequently transferred to the Parole Board of Canada (PBC), continued to be managed by PBC during 2024–25. The scope and responsibilities are addressed in the interdepartmental arrangement between CHRC and OCL, as well as in the attestation and summary of results prepared annually by CHRC on its ICFR as it relates to its clients. OCL relies on CHRC’s internal controls over financial reporting and the financial management system to process the financial data that has been approved, authorized and transmitted by the Office. CHRC monitors these controls using a risk-based approach. OCL is responsible to ensure that the financial reports are accurate and fairly present the financial results and position.
• The Office of the Privacy Commissioner (OPC) hosts the OCL’s Lobbyists Registration System (LRS), its website, its desktop systems, servers and support systems on the OPC information technology (IT) infrastructure. 
• The PBC started providing procurement services to OCL during the 2023-24 fiscal year. The services provided include transaction processing, monitoring and reporting, as well as developing and implementing departmental policies and procedures, and activities that support the sound management of procurement. The OCL relies on the PBC’s internal controls over financial reporting as they relate to the procurement services provided. 
   

3. Assessment of OCL’s system of ICFR

3.1 2024-25 Assessment of ICFR

The maintenance of OCL’s system of ICFR is an ongoing process designed to identify, assess effectiveness, and adjust as required, risks and associated key controls, as well as to monitor its performance in support of continuous improvement. As a result, the scope, pace and status of the assessments of OCL’s system of ICFR is risk-based and considers the small size of the organization and the low complexity of its financial transactions.

This work includes periodic reviews of the business process flow documents and detailed assessments of the design and operating effectiveness of the system of ICFR to support a risk-based approach to ongoing monitoring and continuous improvement.

In 2023-24, the assessments resulted in one recommendation to help strengthen internal controls. The recommendation was to ensure that both a sufficient financial strategic capacity and a challenge function remain available to the Commissioner and to mitigate the eventuality of a prolonged absence of the CFO. 

OCL management agreed with the recommendation. The OCL took steps to secure an external financial expert recommended by the Office of the Comptroller General to support the CFO on an as needed basis. In the event of a prolonged absence of the CFO/CAE, this external expert could assist in performing those functions.

In 2024-25, the assessment of OCL’s system of ICFR included the following:

• Assessment of internal controls for the following key business processes as per OCL’s ICFR 5-year plan: 
  
  • review documentation of the planning, budgeting and forecasting (PBF) process
  • operating effectiveness testing of the entity level controls (ELC) and delegation of authority (DA) processes
• Assessment and attestation by CHRC of their ICFR as they related to financial services provided to OCL; and
• Provision of ICFR-related information, and other relevant information such as the follow-up on recommendations of past audits and evaluations, to the OCL Audit and Evaluation Committee (AEC) and discussion at AEC meetings.

The following section includes details and results of these assessments for 2024-25.

3.2 2024-25 Assessment Details and Results

Assessment of Key Controls and Processes

As referenced above, in 2024-25, OCL conducted assessments of its internal controls based on the organization’s ICFR 5-year plan. This work included the review of the documentation for the PBF process, which included assessing the implementation of the new GX forecasting functionality. The work also included operating effectiveness testing of the ELC and DA processes, which were both performed by an external party.

The assessments generally concluded that there is strong evidence of process activities being performed in accordance with Treasury Board financial management policies and procedures. This is mainly due to the small size of the of the OCL, the low complexity nature of its financial transactions, and the proximity of the CFO to the various processes and the relevant process actors.

The following represents a summary of the results of those individual assessments, carried out by a consultant under the supervision of the CFO:

• PBF: The purpose of this assessment was to review the new and (then) recently implemented changes to the OCL forecasting process and system functionality. The results were reported to the AEC in December 2024. Results indicated that benefits of the new approach were already being seen in terms of effort required, integrity and availability of forecast information. 
• ELC: The purpose of this assessment was to conduct a systematic, comprehensive assessment of the design and operating effectiveness of the entity level controls over financial reporting. The results and management action plan were reported to the EMC and AEC in June 2025. Results indicated that the entity level controls at the OCL had been designed and implemented in compliance with and conform to the 5 key pillars of the COSO Framework. In addition, based on the procedures performed, on balance, the OCL had a sound foundation of entity level controls with most of the controls being designed and operating effectively. There were opportunities for improvement in the following entity level areas: performance management, learning and development plans, policy and procedures and document management. OCL’s plan is to address those recommendations by December 2025.
• DA: The purpose of this assessment was to use the Office of the Comptroller General’s (OCG) Core Control Self-Assessment tools as the framework to assess controls around OCL’s Delegated Spending & Financial Authorities for 2024-25. The results and management action plan were reported to the AEC in June 2025. Results indicated that OCL was compliant with most of the tests performed. Opportunities for improvement were in the areas of documentation of protocols for the annual review of the delegation chart and notes and the attestation of required training. OCL had addressed all those recommendations in July 2025.

CHRC Assessment and Attestation

The Canadian Human Rights Commission (CHRC) provides services in the areas of financial management, information technology, human resources system access and a financial system platform to capture and report all financial transactions. CHRC has the responsibility of verifying and processing financial information received from the Office that is entered in the financial system. As a result, the Office relies on CHRC’s internal controls over financial reporting to process the financial data that has been approved, authorized and transmitted by the Office.

During 2024-25, CHRC, as a service provider, assessed its ICFR. The assessment considered the controls in place at CHRC in providing services to various clients, including OCL. Consequently, the testing of internal controls over financial reporting included transactions processed for OCL. 

Key conclusions of the assessment included:

• New or significantly amended key controls. 
  • There were no significantly amended key controls in existing processes that required a reassessment. 
• Design and Operating Effectiveness of Controls for Business Processes. 
  • Documentation of business processes and controls was reviewed and updated to ensure that they represent the current processes and controls in place. 
  • With the walkthrough and testing of key controls, operating effectiveness was reassessed for contracting, pay administration, revenue management and cost recovery, as well as budgeting and forecasting. The assessment revealed that all four business processes were strong and operating effectively.
• Operating Effectiveness of Information Technology General Controls (ITGCs). 
  • The documentation of the key controls in place and the operating effectiveness of information technology general controls (ITGCs) were reassessed in the area of IT Management and IT security. 
  • The assessment revealed that key controls were found to be generally appropriate, supported by the implementation of CHRC’s Digital Strategy 2023–26, which is guiding IT planning and will be updated in the coming months. With respect to IT security, gaps remained in account monitoring and timely removal of user access. Corrective measures were under review in 2024–25 with new procedures scheduled for implementation.

CHRC has provided OCL with an attestation concerning the 2024-25 assessment of their internal controls.

AEC Review and Discussions

In 2024-25, the OCL AEC carried out the following activities related to the functioning of internal controls, risk management and governance processes:

• At each regular AEC meeting, the Commissioner and the CAE/CFO were asked whether there were any irregularities, including fraud or management override, that they wished to disclose. There were none. An annual update on OCL’s fraud management practices was also developed and presented to the committee.
• During the reporting period, the Chair was in regular contact with the Commissioner and the CAE/CFO.
• OCL’s Quarterly Financial Reports were reviewed by external members before they were published. Questions were asked of the CFO/CAE and answers were provided.
• At each regular AEC meeting, the CFO presented an update on OCL’s financial situation.
• External members met with the Office of the Auditor General (OAG) Principal responsible for the audit of OCL’s FY 2024-25 financial statements, including an in-camera meeting.

The AEC met with the external party that carried out the ICFR assessments mentioned above and was briefed on the results and recommendation. The AEC also reviewed the management response and action plans. The AEC will continue to follow closely the work of OCL in assessing and monitoring its ICFM and ICFR processes.

Other Considerations- OAG Audit of OCL’s Financial Statements and recent internal audits

The OCL’s 2024-25 financial statements were audited by the OAG of Canada. While the audit did not specifically examine OCL’s internal controls, the OAG’s auditors did not identify opportunities for changes in procedures that would improve the systems of internal control. OCL received an unmodified opinion on its financial statements for 2024-2025 and compliance with the specified authorities. The financial statements were free of any material misstatements, including omissions.

In addition, as outlined in the OCL Multi-Year Risk-Based Audit and Evaluation Plan, an internal audit of procurement activities was carried out by an external consultant in 2023-24, covering the fiscal years of 2022-23 to 2023-24 (and reported in 2024-25). Management addressed all recommendations received from this internal audit, including the update of its procurement guide for employees and the receipt of periodic procurement reporting from the PBC to allow for greater oversight.

4. Action plan

4.1 Progress as of March 31, 2025

Overall, during 2024-25, the OCL made progress in improving its system of ICFR.  

As outlined in section 3, the OCL continued its risk-based approach to on-going monitoring of ICFR. The focus in 2024-25 was on:

• The review of documentation for the planning, budgeting and forecasting process
• Operating effectiveness testing of the entity level controls and delegation of authority processes.

The multi-year risk based ICFR-ICFM monitoring plan was reviewed by management and  the AEC and was modified as set out in section 4.3 below.

The OCL also reviewed and confirmed the relevance of the risks identified in its Corporate Risk Profile which will inform its multi-year planning for ICFR, ICFM and for its RBAEP.  

4.2 Action plan for the next fiscal year and subsequent years

In fiscal year 2025-26, the OCL will continue to strengthen its internal control management framework by: 

• Continuing on-going monitoring of its core controls according to its risk based, multi-year ICFM/ICFR plan (three-year plan is provided below);
• Using the Small Department Core Control Self-Assessment Tool designed by the Office of the Comptroller General to assess core controls. 
• Using a third party to assess higher complexity controls.
• Conducting internal audits according to its multi-year RBAEP.

4.3 ICFM Monitoring Plan for the next fiscal year and subsequent years

Note 1: This control assessment is conducted over two years. In 2024-25 the focus was on the implementation of new forecasting functionality, introduced in 2023-24 (i.e., - training, documentation, extent of uptake in its use, etc.).  In 2025-26 a full assessment is planned that will include the design and operating effectiveness testing of the planning, budgeting and forecasting process and an assessment of the extent to which the process is enabling and supporting sound resource management and decision making.

Note 2: The next three fiscal years will be annual updates and monitoring, in accordance with the recommendations from the 2024-25 assessment of the delegation of authority process.