Financial Statements for the year ended March 31, 2012

Annex to the Statement of Management Responsibility Including Internal Control over Financial Reporting — Fiscal year 2011–2012

Note to the Reader

Since April 1, 2009, in accordance with the Treasury Board Policy on Internal Control, departments have been required to demonstrate the measures they are taking to maintain an effective system of internal control over financial reporting (ICFR).

Under this policy, departments are expected to conduct annual assessments of their system of ICFR and to establish action plans to address any necessary adjustments to this system. They must also attach to their annual Statement of Management Responsibility a summary of their assessment results, the actions taken in response to any significant issues identified and the actions planned to address outstanding issues.

An effective system of ICFR aims to achieve reliable financial statements and to provide assurance that:

  • Transactions are appropriately authorized;
  • Financial records are properly maintained;
  • Assets are safeguarded from risks such as waste, abuse, loss, fraud and mismanagement; and
  • Applicable laws, regulations and policies are followed.

The system of ICFR is designed to mitigate risks to a reasonable level based on an on-going process to identify key risks, to assess the effectiveness of associated key controls and adjust them as required, and to monitor the system in support of continuous improvement. As a result, the scope, pace and status of those departmental assessments of the effectiveness of their system of ICFR will vary from one organization to another based on risks and taking into account their unique circumstances.

It is important to note that the system of ICFR is not designed to eliminate all risks, but rather to mitigate risk to a reasonable level with controls that are balanced with and proportionate to the risks they aim to mitigate.

Table of Contents

1. Introduction

This annex is attached to Citizenship and Immigration Canada (CIC)’s Statement of Management Responsibility Including Internal Control over Financial Reporting for fiscal year 2011–2012. As required by the Treasury Board Policy on Internal Control, this document provides summary information on the measures taken by CIC to maintain an effective system of internal control over financial reporting (ICFR). In particular, it contains some financial highlights pertinent to understanding the Department’s unique control environment and provides an overview of the assessments conducted by CIC during fiscal year 2011–2012, including progress, results and related action plans.

1.1 Authority, mandate and program activities

CIC is responsible for the administration of the Immigration and Refugee Protection Act, the Citizenship Act and the Canadian Multiculturalism Act. Detailed information on CIC’s authority, mandate and program activities can be found in its latest Departmental Performance Report and in its most recent Report on Plans and Priorities.

1.2 Financial highlights

The significant financial highlights for fiscal year 2011–2012 are presented below. More information can be found in CIC’s financial statements (unaudited) and in the Public Accounts of Canada for the fiscal year ended on March 31, 2012.

  • Total expenses were $1.8 billion. Transfer payments comprise the majority of expenses (52%, or $940 million), followed by salaries and employee benefits (34%, or $610 million).
  • Total revenues were $476 million from services under the Immigration and Refugee Protection Act and the Citizenship Act.
  • Tangible capital assets comprise 26% ($146 million) of net departmental assets ($552 million). Deferred revenues comprise over 31% ($257 million) of total liabilities ($822 million).
  • CIC has an important international presence in the delivery of immigration services to immigrants, visitors and refugees. In 2011‑2012, the Department of Foreign Affairs and International Trade (DFAIT) spent $160 million on CIC’s behalf. This amount is reported in CIC’s financial statements as services provided without charge by other government departments.
  • CIC also has a strong regional presence across Canada in the delivery of citizenship, immigration and multiculturalism programs and services.
  • A number of information systems are critical to CIC’s operations and financial reporting capabilities. These systems include the Integrated Financial and Material System (IFMS/SAP), the Global Case Management System (GCMS), the Field Operations Support System (FOSS), the Computer‑Assisted Immigration Processing System (CAIPS), the Case Processing Centre System (CPCS), the Handling of Public Money (HPM) system and the PeopleSoft Human Resources Management System (PSHRMS).

1.3 Service arrangements relevant to financial statements

CIC relies on other organizations for the processing of certain transactions that are recorded in its financial statements, including the following departments that provide government-wide services and support:

  • Public Works and Government Services Canada (PWGSC) centrally administers the payment of salaries and the procurement of certain goods and services, and provides cheque issuance and office accommodation services.
  • The Treasury Board Secretariat (TBS) provides the Department with information on expenses pertaining to the employees’ benefit plans and data used to calculate various accruals and allowances, such as the employee severance liability. It notably pays the employer’s contribution to the health and dental benefit insurance plans.
  • The Department of Justice provides legal services for the Department.
  • Since November 15, 2011, Shared Services Canada (SSC) has been responsible for managing the Department’s email, data centre and network services. However, the administration and delivery of these services were shared during the 2011–2012 transition period while SSC was being established.

In addition, CIC has particular arrangements with the following organizations:

  • DFAIT provides common administrative services and support for the Immigration Program outside Canada, under a memorandum of understanding with CIC. Common administrative services include accommodations, revenues and payments processing, accounting and telecommunications. Program support is offered by both Canada‑based officers and locally engaged staff in missions abroad. DFAIT also prepares periodic financial reports for CIC staff on the revenues collected and the expenses incurred directly in the field.
  • Since January 2011, Medavie‑Blue Cross has been providing claims administration for the Interim Federal Health Program (IFHP). The IFHP reimburses service providers for emergency and essential health‑care services in cases where eligible clients, such as refugees, do not qualify for provincial, territorial or private health coverage.

1.4 Material changes in fiscal year 2011–2012

The position of Associate Deputy Minister was created at CIC during the 2011–2012 fiscal year. Mr. Peter Sylvester was appointed to this position on October 3, 2011.

There was a change in the incumbent of the Chief Financial Officer (CFO) position during the 2011–2012 fiscal year. The position was occupied by the following individuals over the course of the year:

  • Mr. Mark Watters, from April 1 to August 6;
  • Mr. Daniel G. Paquette, on an acting appointment, from August 8 to November 27;
  • Mr. Amipal Manchanda, from November 28 to March 31.

There was also a change in the incumbent of the Chief Audit Executive (CAE) position during the 2011–2012 fiscal year. The position was occupied by the following individuals over the course of the year:

  • Mr. Amipal Manchanda, from April 1 to November 27;
  • Mr. Jacques Marquis, on an acting appointment, from November 28 to March 31.

There were no new programs introduced or significant changes made to the Department’s financial authorities in fiscal year 2011–2012.

Shared Services Canada (SSC) was created on August 4, 2011 to consolidate, streamline and improve the government’s information technology (IT) infrastructure services, specifically email, data centre and network services for 43 federal departments and agencies. Effective November 15, 2011, the responsibility for email, data centre and network services, including associated resources, was transferred from CIC to SSC. The financial resources transferred for these purposes by CIC to SSC for the period of November 15, 2011 to March 31, 2012 amounted to $8.9 million. Nonetheless, the administration and delivery of email, data centre and network services were shared during the 2011–2012 transition period while SSC was being established.

Under proposed legislation, CIC will return fees for Federal Skilled Worker applicants who applied before February 27, 2008, and for whom an immigration officer has not made a decision based on selection criteria by March 29, 2012. CIC estimates that the return of fees paid by applicants will total approximately $119 million.

Also, the impacts of the requirement for applicants to pay $800,000 (rather than $400,000 prior to December 1st, 2010) under the Immigrant Investor Program were observed in this fiscal year.

2. Citizenship and Immigration Canada’s control environment relevant to ICFR

CIC’s senior management recognizes the importance of setting the tone from the top to help ensure that staff at all levels understand their roles in maintaining effective systems of ICFR and are equipped to exercise these responsibilities effectively. The Department’s focus is on ensuring that risks are managed well through a responsive and risk‑based control environment that enables continuous improvement and innovation.

2.1 Key positions, roles and responsibilities

The key positions and committees responsible for maintaining and reviewing the effectiveness of the Department’s system of ICFR are outlined below.

Deputy Minister: As Deputy Head, the Deputy Minister is the Department’s accounting officer and assumes overall responsibility and leadership for the measures taken to maintain an effective system of internal control. In this role, the Deputy Minister chairs the Department’s Audit and Executive committees.

Chief Financial Officer (CFO): The CFO reports directly to the Deputy Minister and provides leadership for the coordination, coherence and focus on the design and maintenance of an effective and integrated system of ICFR, including its annual assessment.

Senior departmental managers: Senior departmental managers in charge of program delivery or corporate branches are responsible for maintaining and reviewing effectiveness of the portions of the system of ICFR falling within their area of responsibility.

Chief Audit Executive (CAE): The CAE reports directly to the Deputy Minister and provides assurance through periodic internal audits, which are instrumental to the maintenance of an effective system of ICFR.

Audit Committee: The Audit Committee is an advisory committee that provides objective advice and recommendations to the Deputy Minister on the Department’s risk management, control and governance frameworks and processes, including accountability and auditing systems. The Audit Committee is comprised of four members, including three external members. It reviews CIC’s Corporate Risk Profile and its system of internal control, including the risk‑based assessment plan, annual assessment results and progress on implementation of remediation action plans related to the system of ICFR.

Executive Committee (ExCom): As CIC’s senior decision‑making body, ExCom reviews, approves and monitors the Corporate Risk Profile and the departmental system of internal control, including the risk‑based assessment plan related to the system of ICFR. ExCom is supported by the following committees: the Policy Committee, which develops policy; the Business Operations Committee, which oversees operational delivery and the innovation agenda; and the Management Accountability Committee, which focuses on a strategic agenda to strengthen departmental accountability.

Departmental Management Committee (DMC): The DMC is a regular information‑sharing forum for senior managers to connect on key management and business developments.

Working committees: A number of working committees inform and advise senior management on key segments of the Department’s business.

2.2 Key measures taken by CIC

CIC’s control environment also includes a series of measures to equip staff to manage risks effectively by raising awareness, providing appropriate knowledge and tools, and developing skills.

Key measures include the following:

  • A Values and Ethics Champions Network, created to solidify linkages between values and ethics regional and sector champions across the organization;
  • A recently updated departmental Code of Conduct supported by the Deputy Minister as Values and Ethics champion;
  • The Office of Conflict Resolution under the Deputy Minister;
  • A Financial Policies and Internal Controls Division reporting to the Deputy CFO;
  • Annual performance agreements with clear financial management responsibilities for all executives;
  • Training programs, communications and tools in core areas of financial management;
  • Departmental directives, procedures and guidelines tailored to CIC’s business and control environment;
  • A periodically updated delegated authorities matrix;
  • The documentation of main business processes and of the related key risks and control points to support the management and oversight of its system of ICFR;
  • Secure financial information technology systems to achieve greater security, integrity, efficiency and effectiveness;
  • Internal client service standards for the Department; and
  • Formal internal quarterly reporting on achievements by senior management to the Executive Committee, as well as their tracking of the use of budgetary authorizations and spending limits effective at the Department.

3. Assessment of Citizenship and Immigration Canada’s system of ICFR

3.1 Assessment approach

In support of the Policy on Internal Control, departments must be able to maintain an effective system of ICFR to provide reasonable assurance that:

  • Transactions are appropriately authorized;
  • Financial records are properly maintained;
  • Assets are safeguarded; and
  • Applicable laws, regulations and policies are followed.

Over time, this implies an assessment of the design and operating effectiveness of the system of ICFR, which then leads to the implementation of ongoing monitoring and the continuous improvement of this system.

A “design effectiveness” assessment means to ensure that key financial control points are identified, documented and in place, that they are aligned with the risks they aim to mitigate, that any weaknesses are identified and that any necessary remediation is addressed. This includes the mapping of business processes and key IT systems to the main financial records or accounts, by location as applicable.

An “operating effectiveness” assessment means that the application of key financial controls has been tested over a defined period, that any weaknesses are identified and that any necessary remediation is addressed.

An “ongoing monitoring program” means a systematic, integrated approach to monitoring that includes periodic risk‑based control assessments and timely remediation.

The required testing for these assessments covers all levels of departmental control, including entity (corporate) level controls, information technology (IT) general controls and business process controls.

3.2 Scope of departmental assessment at CIC

To satisfy the Policy on internal control, the Department has taken measures to assess its system of ICFR. It used its annual financial statements and a risk analysis of their components to identify the main accounts and business processes to be assessed.

Over a period of four years that will end on March 31, 2015, and for each of its main financial accounts and business processes, CIC will have prepared system descriptions, financial control matrices, and tested the design effectiveness as well as the operating effectiveness of the key financial controls that are embedded within them. The Department will also have identified any control weaknesses and taken appropriate remediation measures.

After March 31, 2015, the ongoing design and operating effectiveness of the key financial controls will be monitored on a three-year cycle according to the risk-based assessment plan.

Assessment work performed during fiscal year 2011–2012

CIC had already documented and assessed its entity (corporate) level controls in a previous fiscal year and, as planned, did not perform any further assessment of these controls in 2011–2012. During this fiscal year, the Department completed the documentation and an assessment of the IT general controls (IT infrastructure) and of the following significant accounts and business processes, including their related financial controls:

  • Revenue from abroad (at one international location);
  • Immigration loans;
  • Capital assets;
  • Financial closing and reporting;
  • Adjusting journal entries;
  • Budgeting and forecasting; and
  • Cost management.

The documentation and design assessment exercise comprised the following steps for each of the above mentioned significant accounts or business processes:

  • Gathering information pertaining to the account or process, and to risks and controls relevant to ICFR, including appropriate policies, procedures and recent internal audit results;
  • Mapping out the business process with the identification and documentation of key risk and control points on the basis of materiality, volumes, complexity, geographic dispersion, susceptibility to losses/fraud, areas subject to audit observations, past history, external attention, and reliance on third-party; and
  • Performing the design effectiveness testing of the business process, and starting to remediate the control weaknesses found to have them fully addressed in a timely fashion.

As well, in 2011–2012, CIC prepared system descriptions and substantially advanced its design assessment of the financial controls embedded within the following business processes:

  • Revenue collection, salaries and operating expenses (at one Canadian case processing location);
  • Revenue and operating expenses from abroad (at another international location);
  • Transfer payments – Multiculturalism Program (at Headquarters and in two Canadian regional offices);
  • Transfer payments – Settlement/Resettlement Program (at Headquarters and in two Canadian regional offices); and
  • Salaries and employee benefits (at Headquarters).

The design effectiveness assessment of these processes’ financial controls will be completed in 2012–2013, and the results of this work will be disclosed in next year’s annex.

Lastly, in 2011–2012, the Department completed the operating effectiveness testing of the financial controls embedded within the revenue process from abroad (at one international location) and the capital assets business process. It also substantially advanced the operating effectiveness testing of the financial controls embedded within the following business processes:

  • Revenue from abroad (at another international location);
  • Revenue collection, salaries and operating expenses (at one Canadian case processing location);
  • Transfer payments – Multiculturalism Program (at Headquarters and in two Canadian regional offices); and
  • Transfer payments – Settlement/Resettlement Program (at Headquarters and in two Canadian regional offices).

The operating effectiveness assessment of these processes’ financial controls will be completed in 2012–2013, and the results of this work will be disclosed in next year’s annex.

4. Citizenship and Immigration Canada’s assessment results

Based on the assessment approach described above, CIC is developing baseline architecture of all key control points by main financial account and/or business process.

In 2011–2012, CIC focused on assessing its IT general controls as well as the design effectiveness of financial controls embedded within certain significant accounts or business processes. It also began to test the operating effectiveness of the key controls comprised in a few selected business processes, for which the design assessment had already been completed.

4.1 Design effectiveness of key controls

In order to perform design effectiveness testing of the business processes identified in section 3.2, the Department completed all documentation of these processes and verified whether appropriate controls were in place and corresponded to actual practice. Design effectiveness testing also included ensuring the appropriate alignment of key controls with the risks they aim to mitigate.

Entity-level controls

When assessed in the previous fiscal year, the entity (corporate) level controls were judged very satisfactory.
Suggestions for improvements were identified in three areas. The two following suggestions were already implemented within the Department:

  • Enhanced role of the Departmental Audit Committee (DAC) in reviewing the departmental financial statements; and
  • Creation and regular updating of a significant business relationships repository to assist in properly managing CIC’s business and financial statement disclosure risks.

The third area that will be improved over the next fiscal year consists in the development of more detailed financial fraud risk assessment questionnaires to better support the overall ICFR annual risk assessment exercise.

IT general controls

A design effectiveness assessment of IT general controls performed in 2011–2012 concluded that certain weaknesses existed in the IT environment. However, the Department has already adopted appropriate measures to remediate most of them, including the updating of its departmental IT Security Policy and the development of internal service level agreements for specific computer applications.

The Department has substantially remediated the deficiencies related to the design of security controls delimiting access to the network and applications, and they will all have been addressed by the end of next fiscal year. CIC has also developed timely action plans and initiated remedial actions to address a few design issues pertaining to insufficient documentary evidence of the application of certain key controls in the IT environment.

Business process controls

In 2011–2012, CIC completed the documentation and assessment of the design of financial controls that are embedded within the following significant accounts and business processes:

  • Revenue from abroad (at one international location);
  • Immigration loans;
  • Capital assets;
  • Financial closing and reporting;
  • Adjusting journal entries;
  • Budgeting and forecasting; and
  • Cost management.

The existence of relevant and strong financial controls was confirmed through the documentation and design assessment of the above significant accounts or business processes. The main control objectives pertaining to each account or business process were generally well supported by appropriate key control activities. Despite this overall positive assessment, control design improvement opportunities were identified in the following areas:

  • Documentation of procedures and controls to perform key financial duties (including documentation of certain existing automated controls);
  • Performance of complete reconciliations between two key sources of financial data; and
  • Existence of documentary evidence of the application of certain key controls, such as significant reviews, reconciliations and approvals.

Where feasible, specific remediation requirements were implemented shortly after the necessary adjustments had been identified. Otherwise, management action plans either have been or are currently being developed to fully address the control weaknesses within a reasonable timeframe. A follow-up will be performed on each of the remediation measures in 2012–2013 to ensure that they are being implemented as planned.

4.2 Operating effectiveness of key controls

Design effectiveness testing remains a pre-requisite to the operating effectiveness testing of the key financial controls that are integrated to any business process. Also, whenever possible, operating effectiveness testing of controls is more efficient if performed for several business processes at the same time, as some of the key controls (for example, payment issuance controls) are common to all processes.

IT general controls

An operating effectiveness assessment of IT general controls performed in 2011–2012 concluded that several controls operated effectively, but that certain improvements were required in the following areas:

  • System access restrictions, and timely removal of access to the network and applications upon the departure of employees; and
  • Documentary evidence showing the application of a particular key control in the IT environment.

CIC has already developed timely action plans and partially remediated these weaknesses in the operating effectiveness of the IT general controls, which will all have been addressed by the end of next fiscal year.

Business process controls

In 2011–2012, the Department performed an assessment of the operating effectiveness of the key financial controls that are embedded within the capital assets business process and the revenue process abroad (at one international location). When completing operating effectiveness testing, CIC assessed whether the key controls were well functioning over a twelve month period or a specified period of time during the fiscal year based on risks.

Several of these processes’ key financial controls operated effectively throughout the periods that were tested, and all transactions sampled were supported by valid and appropriate documentation. However, some of them were not fully effective and their application could be improved in the following areas:

  • Performance of complete reconciliations between two key sources of financial data; and
  • Existence of documentary evidence of the application of certain key controls, such as significant reconciliations and approvals.

Where feasible, specific remediation requirements were implemented shortly after the necessary adjustments had been identified. Otherwise, management action plans have been developed to fully address the control weaknesses within a reasonable timeframe. A follow-up will be performed on each of the remediation measures in 2012–2013 to ensure that they are being implemented as planned.

5. Citizenship and Immigration Canada’s action plan

5.1 Progress during fiscal year 2011–2012

In 2011–2012, CIC has continued to make solid progress in assessing and improving its key financial controls. As of March 31, 2012, the financial controls design effectiveness testing phase has been substantially advanced with regards to significant business processes, and the operating effectiveness testing of key controls has been progressing as anticipated.

Notably, and according to plan in 2011–2012, CIC implemented measures to completely address the following necessary adjustments:

  • Development of procedures for revenue collection in missions abroad in collaboration with DFAIT, in order to clarify roles and responsibilities and to strengthen accountabilities and internal controls; and
  • Clarification of the financial coding related to capital asset sub-processes.

Also, as planned in 2011–2012, CIC reached significant progress towards fully addressing the following necessary adjustments:

  • Enhanced monitoring over the transactions included in the Assets Under Construction accounts; and
  • Strengthening of the review process of subscription agreements under the Immigrant Investor Program.

In 2011–2012, CIC commenced or partially completed work to address the following necessary adjustments:

  • Modifications to financial system user profiles in order to ensure a proper and full segregation of duties within these profiles;
  • Documentation of procedures and controls to perform key financial duties (including documentation of certain existing automated controls);
  • Performance of complete reconciliations between two key sources of financial data; and
  • Existence of documentary evidence of the application of certain key controls, such as significant reviews, reconciliations and approvals.

Overall, in 2011–2012, CIC fully addressed 71% of the necessary adjustments that were identified to the design or operating effectiveness of IT general controls and key business process financial controls. The remainder of these adjustments will be addressed by the end of next fiscal year.

Finally, in 2011–2012, CIC substantially completed the implementation of improvement opportunities that had been identified in prior year financial process and control monitoring exercises. In addition to the elements that were identified above, improvements were brought to the following aspects and areas of financial management:

  • Segregation of financial roles and responsibilities among employees; and
  • Monitoring over the application of certain financial controls.

5.2 Action plan for the next fiscal year and future years

Building on progress to date, the Department is positioned to substantially complete the initial overall assessment of its system of ICFR in 2014–2015.

Assessments of the design and operating effectiveness of financial controls will be undertaken in future years as follows, up to and including 2014–2015:

Processes in scope Locations in scope Assessment strategy up to 2014–2015
  • IT general controls
  • Financial closing and reporting
  • Adjusting journal entries
  • Operating expenditures including payroll and benefits
  • Revenues
  • Grants and contributions
  • Services provided without charge
  • Significant balance sheet accounts
  • National Headquarters
  • Three Canadian regional offices
  • Three Canadian case processing centres (CPCs)
  • Offices abroad, where CIC programs and services are delivered
 The remaining portions of the initial design and operating effectiveness assessment of these processes will be completed over a three‑year period. They will subsequently be reviewed on a three-year cycle in accordance with the risk‑based assessment plan.
 
The testing plan is formulated so that each of the three Canadian regional offices and Canadian CPCs will be visited at least once within a three‑year period. Testing is planned for at least one international location per year.

Up to the end of 2014–2015, further work will be accomplished to complete the remedial actions that have already been undertaken and to fully remediate any other necessary adjustments to CIC’s system of ICFR.

The implementation of remedial management action plans will be continuously monitored and will include a formal annual update.

The Internal Financial Controls team will also report on its status and progress of work at each Audit Committee meeting.

Ongoing Monitoring

Following the first overall assessment of the Department’s system of ICFR, and beginning in 2015–2016, an ongoing monitoring strategy will be implemented to ensure consistency in the design and application of the key financial controls that are embedded within CIC’s entity-level controls, IT general controls and significant business processes. This ongoing monitoring strategy will be risk-based and cover a three-year cycle. Our understanding of the design of the processes and of the related financial controls will be reconfirmed, and operating effectiveness testing of the key controls will be performed for the high, medium and low risk processes on a rotational basis. Testing of key financial controls will be performed every one to two years if they relate to high risk processes, every two to three years for medium risk processes and every three years for low risk processes.

In addition, because the Department is decentralized, significant financial processes will be assessed in each geographical area, on a rotational basis according to risk. CIC’s Internal Financial Controls team will work with the Internal Audit and Accountability Branch and with DFAIT’s Office of the Inspector General to allow for an increase in coverage and to help maximize efficiency.