Canada Revenue Agency Annual Report to Parliament 2012-2013
Disclaimer
We do not guarantee the accuracy of this copy of the CRA website.
Scraped Page Content
Canada Revenue Agency Annual Report to Parliament 2012-2013
Summary of the assessment of effectiveness of the systems of internal control over financial reporting and the action plan of the Canada Revenue Agency
Fiscal year 2012-2013
1. Introduction
This document provides summary information on the measures taken by the Canada Revenue Agency (CRA) to maintain an effective system of internal control over financial reporting (ICFR) including information on internal control management, assessment results, and related action plans.
It is important to note that the system of ICFR is not designed to eliminate all risks, but rather to mitigate risk to a reasonable level with controls that are balanced with, and proportionate to, the risks they aim to mitigate.
The system of ICFR is designed to mitigate risks to a reasonable level based on an ongoing process of identifying key risks, assessing the effectiveness of associated key controls, as well as adjusting and monitoring them to support continuous improvement. As a result, the scope, pace, and status of the CRA's assessments of the effectiveness of their systems of ICFR will vary by engagement type based on risks and the unique circumstances of the CRA's agency and administered programs.
Detailed information on the CRA's authority, mandate, and programs can be found in Departmental Performance Report at www.cra-arc.gc.ca/gncy/prfrmnc_rprts/menu-eng.html and Report on Plans and Priorities www.cra-arc.gc.ca/gncy/rprts/menu-eng.html.
Audited financial statements
For financial reporting purposes, the activities of the CRA have been divided into two sets of financial statements: agency activities and administered activities:
- agency activities include those operational revenues and expenses that the CRA manages and utilizes in running the organization; and
- administered activities include those revenues and expenses that are administered for organizations other than the CRA, such as the federal, provincial, territorial governments, and First Nations.
The CRA has issued annual audited financial statements since 1999-2000 and has consistently received an unmodified opinion from the Auditor General of Canada.
2. CRA system of internal control over financial reporting
2.1 Internal control management
The CRA has a well-established governance and accountability structure to support departmental assessment efforts and oversight of its system of internal control, which includes:
- A departmental internal control management framework and policies, approved by the Commissioner and the Board of Management, which is comprised of a:
a) CRA Policy on Financial Management Governance (approved in 2010), which includes the:
(i) need to maintain an effective internal control framework and management's responsibility over their financial controls;
(ii) roles and responsibilities of the Commissioner/Chief Executive Officer (CEO), the Chief Financial Officer (CFO), Chief Audit Executive (CAE), Chief Information Officer (CIO), Assistant Commissioners, and other senior managers with respect to financial management and control within the CRA; and
(iii) role and responsibility of the Audit Committee of the Board of Management to review and provide direction.
b) CRA Policy on Internal Financial Control (approved in 2010), which includes the need to maintain an effective risk-based system of internal controls over financial reporting to document, test, and assess controls on an ongoing basis, including taking timely corrective measures when issues arise. It also describes the roles and responsibilities of the CEO, CFO, CAE, Assistant Commissioners, and the Audit Committee of the Board of Management regarding how they are to maintain and strengthen the effectiveness of the CRA's internal controls.
- A CEO/CFO Certification Steering Committee (created and approved in 2008), with a clearly stated mandate, terms of reference, and membership requirement as per the CRA Policy on Internal Financial Control. This committee provides direction and guidance over the CRA's ICFR program, reviews progress against planned assessments, approves control frameworks, tests results and action plans, discusses significant issues or concerns, and recommends control assessment reports for the Audit Committee's final approval prior to publication. It is chaired by the CFO, and membership includes all Assistant Commissioners (including the CAE and CIO) involved in financial controls, as well as the Director General of the Financial Administration Directorate, the Director of the Internal Controls Division, and the Director of Internal Audit. They meet each spring (unless special situations arise that require an additional meeting during the year), and a fall update is provided via email.
- The Audit Committee of the Board of Management receives an update on Internal Control assessment results, action and remediation activities, and progress against plans during the spring and other times throughout the year as required.
- A CRA Code of Ethics and Conduct, (updated and approved in 2013), which includes our mission, vision, values, and standards of conduct for which each employee is accountable.
- Ongoing communication and training on statutory requirements, policies, and procedures for sound financial management and control.
2.2 Service arrangements relevant to financial statements
2.2.1 CRA reliance on other Government service providers
The CRA relies on other organizations for the processing of certain transactions that are recorded in its financial statements as follows:
Common arrangements:
- Public Works and Government Services Canada centrally issues salary payments as per the CRA's Delegation of Authority and provides accommodation services.
- Treasury Board Secretariat provides the CRA with information used to calculate various accruals and allowances.
- The Department of Justice provides legal services to the CRA.
- Shared Services Canada (SSC) manages IT general controls regarding system operations, security, and maintenance in the areas of email, data center, and network services.
Specific arrangements:
- Revenu Québec is responsible for the joint administration of the goods and services tax and Quebec sales tax for businesses in the Province of Quebec.
2.2.2 CRA services that other departments and agencies rely on
Other Government departments rely on the CRA for the processing of certain transactions or information that affect financial statements as follows:
- Canada Border Services Agency for information technology services, including commensurate internal controls testing for general computer controls, as well as collection services on their behalf for duties, taxes, fees, penalties, or other amounts owing under the Customs Act, Customs Tariff, Excise Tax Act, Excise Act 2001, and/or related regulations.
- Department of Finance for the determination of tax receivables and payables under tax collection agreements with provincial and territorial governments and First Nations.
- Human Resources and Skills Development Canada for the collection of its accounts receivable and the administration of a number of activities related to the Canada Pension Plan and Employment Insurance Operating Account.
3. CRA assessment results during fiscal year 2012-2013
During 2012-2013, the CRA completed the ongoing monitoring testing of its agency activities, and the operating effectiveness assessment of its administered corporation income tax program as planned.
It is important to note that the CRA's assessments related to its internal controls over financial reporting for its administered activities that fall under the Tax Collection Agreements (TCAs) with provinces and territories for the individual (T1), corporation (T2), and trust (T3) income tax programs are also audited by the Office of the Auditor General (OAG).
3.1 Ongoing monitoring of key controls
In the current year, the CRA completed its second ongoing monitoring (OGM) testing exercise to assess the ongoing design and operating effectiveness of its Agency activities as follows:
- 100% of the entity level control activities related to the CRA's Control environment, risk assessment, information and communication, and monitoring controls;
- 60% of the general computer controls related to information systems operations, information security, and systems implementation and maintenance. This included the testing of controls relevant to CBSA, the determination of which control activities were transferred to the SSC, and the testing of the control activities, which are jointly owned with SSC; and
- 90% of the business process control activities for capital assets, procurement and vendor master data, payroll, budget and projections, and financial close and reporting.
As a result of this extensive OGM testing, the CRA found that for the most part, the key controls tested performed as intended, and identified these remediation requirements:
- although most system access roles have been remediated to address access to sensitive transactions, as well as Segregation of Duty (SOD) conflicts within a business line process (e.g., payroll, procurement, financial close), the process surrounding the granting and monitoring of access to prevent SOD conflicts still needs to be improved when it comes to user's access privileges that cross business lines, i.e., need for CRA-wide policy and monitoring; and
- improvements regarding the retention of documentation for audit purposes.
3.2 Operating effectiveness testing of key controls
The CRA completed its readiness assessment of the operational effectiveness for the T2 income tax program. This included full testing of all activities related to the following control objectives:
- Entity level control activities related to the CRA's Control environment, risk assessment, information and communication, and monitoring controls (results were also used for the agency activities' OGM assessment);
- General computer control activities related to information systems operations, information security, and systems implementation and maintenance. This included the determination of which control activities were transferred to the SSC, and the testing of 20% control activities, which are owned solely by the SSC, and 33% which are jointly owned with SSC; and
- Business process control activities for all six of the business processes relevant to internal controls over financial reporting, i.e., return and adjustment collection and entry, assessment and reassessment, master data maintenance and segregation of duties, legislation management, reporting management, and end-user computing.
The key controls tested by CRA were found to be operating effectively, except for the following control objectives:
a) logical security tools and techniques are designed and implemented to restrict access to authorized users of programs, data, and other information resources;
b) documentation exists to demonstrate that modifications to existing application systems and data structures are appropriately tested and approved by management before implementation; and
c) system access is restricted to prevent unauthorized access and segregation of duty is appropriate.
Remediation action plans were developed for all key controls where exceptions were noted with some action plans having been already implemented to address the exceptions.
4. CRA action plan
4.1 Progress during fiscal year 2012-2013
During 2012-2013, the CRA has continued to make significant progress in documenting, assessing, and improving its key controls. Below are two tables summarizing the progress made regarding the documentation of the control frameworks for upcoming assessment engagements, and the remediation of action plans from previous engagements. The actual results for the two assessments completed this year are described in section 3.
All commitments were completed as planned and on schedule. These tables describe the progress and status of each engagement type based on the plans identified in the 2011-2012 annex.
Element in previous year's action plan | Status |
---|---|
Document the scope and control framework for the goods and services tax (GST) programs | Scope has been determined, risks have been assessed, and the control framework has been documented as planned for the GST programs (i.e., GST Rebates, GST Returns, and GST Credits). Design effectiveness testing plans are in place to conduct the assessment as planned in 2013-2014. |
Document the scope and control framework for the T1 unapplied taxes/source deduction programs | Scope has been determined, risks have been assessed, and the control framework has been documented as planned for the T1 unapplied tax and source deductions. Design effectiveness testing plans are in place to conduct the assessment as planned in 2013-2014. |
Document the scope and control framework for the T3 trust income tax | Scope has been determined, a preliminary risk assessment has been done, and documentation of the control framework has begun as planned in 2012-2013. |
Follow-up testing of activities requiring remediation from previous assessments |
The CRA has followed up on all the action plans from the:
Overall results have been positive and approximately 75% of the recommendations made have been implemented. |
4.2 Status and action plan for the next fiscal year and subsequent years
The CRA's plan, based on an annual validation of the high-risk processes and controls related to the control assessments required for its agency and administered activities, is shown in the following three tables.
4.2.1 - Agency activities
The CRA rotational ongoing monitoring plan to assess its agency activity controls over the next three years is based on an annual validation of the high-risk controls and related adjustments to the ongoing monitoring plan as required.
Rotational ongoing monitoring plan for the CRA's internal control over financial reporting related to its Agency activities | |||
---|---|---|---|
Operating effectiveness testing rotation | |||
Key control areas | 2013-2014 | 2014-2015 | 2015-2016 |
Entity level controls | √ | √ | √ |
IT general controls under CRA management | √ | √ | √ |
Capital assets | √ | ||
Procurement and vendor master data | √ | √ | |
Payroll | √ | ||
Budget and projections | √ | ||
Financial close and reporting |
√ | √ |
4.2.2 - Administered activities assessment not related to the Tax Collection Agreements (TCA)
Assessment elements | ||||
---|---|---|---|---|
Assessment engagements | Document framework | Design effectiveness testing and remediation | Operational effectiveness testing and remediation | Ongoing monitoring rotation |
Goods and services tax |
Completed 2012-2013 |
2013-2014 (Footnote 2) |
2016-2017 (Footnote 3) |
Will annually test new, changed, remediated controls. Once each assessment engagement reached the on-going monitoring stage, each tax program will be fully reassessed on a rotational three year basis |
Non-resident income tax | 2014-2015 (Footnote 3) |
2015-2016 (Footnote 3) |
To be determined (Footnote 4) |
Will annually test new, changed, remediated controls. Once each assessment engagement reached the on-going monitoring stage, each tax program will be fully reassessed on a rotational three year basis |
Excise tax | To be determined (Footnote 4) |
To be determined (Footnote 4) |
To be determined (Footnote 4) |
Will annually test new, changed, remediated controls. Once each assessment engagement reached the on-going monitoring stage, each tax program will be fully reassessed on a rotational three year basis |
Benefits | To be determined (Footnote 4) |
To be determined (Footnote 4) |
To be determined (Footnote 4) |
Will annually test new, changed, remediated controls. Once each assessment engagement reached the on-going monitoring stage, each tax program will be fully reassessed on a rotational three year basis |
4.2.3 - Administered activities assessments, which are TCA related and audited by the OAG
For TCA related engagements the CRA performs the readiness testing and submits the results along with a controls assessment report to the OAG who audit them in accordance with Canadian Standard on Assurance Engagements 3416.
Once the audit results are completed and the audit opinion is signed, the report is provided to the federal, provincial, and territorial Ministers of Finance as required under the tax collection agreements. The distribution of this protected report is very limited due to the sensitive nature of its contents.
TCA related control assessment do not go into a regular ongoing monitoring phase because complete re-assessment engagements are required to fully test all control activities to ensure that the selected income tax program is still designed and operating effectively. As such, the timing and frequency of these complete control assessment audits are determined in conjunction with the OAG and will continue to be conducted on a rotational annual basis as long as the tax collection agreements are in place.
The high-level results of these assessments are also used to fulfil the Treasury Board and CRA Internal Financial Control policy requirements, and are included in this annex in the year they are reported.
Assessment elements | |||
---|---|---|---|
Assessment engagements | Document framework | Design effectiveness testing and remediation | Operational effectiveness testing and remediation |
T2 corporation income tax | Completed 2007-2008 (Footnote 1) |
Completed 2008-2009 (CRA) (Footnote 1) |
Completed 2011-2013 (CRA) (Footnote 1) |
Completed 2009-2010 (OAG) (Footnote 1) |
2013-2014 (OAG) (Footnote 2) |
||
T1 individual income tax | Completed 2009-2010 (Footnote 1) |
Completed 2010-2011 (CRA) Completed 2011-2012 (OAG) |
2014-2016 (CRA) 2016-2017 (OAG) |
T1 unapplied taxes/source deductions | Completed 2012-2013 (Footnote 1) |
2013-2014 (CRA) (Footnote 2) |
Will be included in the T1 operating effectiveness assessment (Footnote 3) |
2014-2015 (OAG) (Footnote 3) |
|||
T3 trust income tax | 2012-2013 to 2013-2014 (CRA) (Footnote 2) |
2014-2015 (CRA) 2015-2016 (OAG) |
2016-2017 (CRA) 2017-2018 (OAG) |
(Footnote 1) : Assessment completed as scheduled
(Footnote 2) : Assessment progressing as scheduled
(Footnote 3) : Assessment scheduled
(Footnote 4) : Assessment dates to be determined
Page details
- Date modified:
- 2013-11-06