Audit of budgeting & financial management

Publication type
Audit
Date

Table of contents

    1. Background

    1.1 Overview

    OSFI’s ability to fulfill its mandate depends on effective management of its financial resources (including personnel). To support financial management, OSFI has established a cycle of budgeting and forecasting activities, conducted throughout each fiscal year to manage allocated funding, meet strategic priorities and execute on operational initiatives.

    Currently, OSFI’s financial support services model is partially centralized. While a centralized finance team, led by the Chief Financial Officer (CFO), supports sectors with budgeting and reporting processes, Sector-level central offices coordinate sector-specific financial management and resourcing and serve as the liaison to finance.

    Over the past three years, OSFI has undergone significant FTE and budget growth, ending late in the summer of 2023, with a shift to fiscal constraint. This sudden shift from growth to constraint created the need for process and control pivots in a short period of time, resulting in the introduction of various temporary and ad hoc controls. These include the use of a Resource Management Committee (RMC) to provide oversight of resource management in line with FTE constraints and the centralization of staffing authorities. Additionally, OSFI adopted a modified budget approach for FY2024-25, with an aim to re-balance OSFI’s resource distribution.

    During the scope of the audit, OSFI implemented several significant changes to improve financial management controls including establishing a direct reporting line from the CFO to the Superintendent, a re-design of the Integrated Planning Committee, and more systematic reporting to the Executive Committee (EC) on budget and forecasting.

    Given the current environment and an on-going focus on fiscal constraints, it is critical that OSFI’s budgeting and financial management processes balance the need for appropriate controls and oversight with adaptability, to ensure OSFI can remain agile when priorities shift, without sacrificing financial stewardship.

    1.2 Context on Why We Did This Audit

    OSFI’s operating environment has changed significantly over the past two years, moving from a period of significant FTE growth to fiscal constraint. With fiscal constraint and total FTE limitations being a governmental priority, it is essential that OSFI has the appropriate budgeting and financial management controls to ensure it can still deliver its mandate and meet strategic priorities within the constraints.

    IA has not done work in this area in over five years and given the significant amount of change and pressures that have been faced over the past two years the engagement can help provide insights into the appropriate controls required over financial management in a dynamic and changing environment.

    2. Summary of Audit Results and Findings

    2.1 Overview of Results

    While OSFI has made progress in strengthening financial management controls during the scope period of the audit, including increased oversight reporting, the continued focus on fiscal constraint underscores the need for improvement in the monitoring and challenge functions at different levels to ensure sound stewardship and increase integration and cohesion in the financial management decision making processes.

    Overall, Internal Audit has identified four specific areas to enhance budgeting and financial management controls:

    • Clear roles, responsibilities and accountabilities for financial management, including clearly defined governance and operating models;

    • Increased oversight, monitoring and challenge for financial management from an organizational perspective;

    • Stabilizing the budgeting planning process; and

    • Creating a risk-based variance analysis program.

    2.2 Management Response

    Management agrees with the findings and recommendations contained within this report and has identified Management Action Plans with associated timelines for each recommendation as outlined in the relevant sections.

    3. Key Findings

    3.1 Roles and Responsibilities

    Effective financial management requires clearly defined and communicated roles and responsibilities to ensure accountability and effective decision-making.

    What We Found

    At OSFI, the Sector Heads are responsible and accountable for their individual budgets, and are collectively responsible and accountable, as the Executive Leadership Team, for OSFI’s overall budget. A centralized Finance team, headed by the Chief Financial Officer (CFO) supports sectors with the OSFI budgeting and forecasting processes. The CFO reports to the Deputy Superintendent of Strategy, Risk and Policy Sector and has direct access to the Superintendent via monthly touchpoints. Sector-level Central Office Teams (CoTs) coordinate sector-specific financial management and resourcing and serve as the liaison to Finance.

    During a period of growth following the implementation of the Blueprint Strategic Plan, numerous factors, notably an expanded mandate to ensure that institutions manage risks to their integrity and security responsibly, as well as an FTE cap, led OSFI to almost exceed its budget. To prevent this, hiring of critical positions in sectors had to be postponed while other positions which were able to be staffed faster but were not as critical had been filled. While significant improvements have since been made to the control environment, including improved reporting and the CFO now having a direct reporting line to the Superintendent, IA noted:

    The absence of a financial management framework for OSFI to clearly define the budgeting and financial processes, key controls and the accountabilities, roles and responsibilities.

    Why It Matters

    Without clearly defined processes and roles, there may be inconsistencies and a lack of accountability, resulting in a lack of effective decision-making and transparency.

    Recommendation #1 (High Risk)

    The CFO should develop a Financial Management Framework (FMF), which includes how the budgeting and forecasting processes work at OSFI, the accountabilities, roles and responsibilities of each stakeholder, targets and relevant monitoring and reporting to Executive Committee.

    3.2 Operating Model

    An effective operating model for financial management allows an organization to deploy skilled resources effectively to support diverse sector needs and the organizational requirements.

    What We Found

    There are a variety of operating models for financial management across the public service: centralized, decentralized, and hybrid models. In some departments, Financial Management Advisors (FMA) are centralized in a Finance team and provide support to directorates who are their clients. While centralized models are most common in the core federal public service, there are often still directorate-specific individuals liaising with the FMAs from the divisions.

    OSFI has a hybrid model where the centralized finance team has a limited number of resources who have multiple roles, including supporting their sector clients. Each sector has a central office team (CoT) with a manager and director supporting budgeting and financial management, among other sector specific activities. The CoTs are fully integrated into the sectors and support the diverse needs of their sector such as resource and information management and general administrative support. IA noted that:

    • There are strong, well-established central office functions in place for Supervision and RSP but the model for CoTs varied by sectors.

    • The central offices were created in 2019-20 out of an immediate need from the sectors, and there is currently no standard level of support defined by finance and communicated to sectors and it is not clear what the expectations are for central offices versus finance.

    • While no duplication of efforts was observed between finance and central offices, there were different levels of support being provided by finance to different sectors and the potential for gaps.

    Why It Matters

    Without clear and consistent expectations of financial support services, there may be duplication of effort or gaps in support for Sectors, resulting in a lack of cohesive management of OSFI’s overall financial decision-making process.

    Recommendation #2 (Medium Risk)

    In alignment with the FMF from recommendation one, Finance should define service-level expectations for Finance and CoTs related to financial management processes.

    3.3 Governance & Oversight

    Effective financial management requires a governance and oversight structure that allows for challenge and accountability from the organizational perspective.

    What We Found

    During the scope period of the audit, the EC, the Resource Management Committee (RMC), and for a brief period, the Integrated Planning Committee (IPC) were governance structures in place to support financial management oversight.

    During 2022-23 there was limited forecast reporting being presented to the EC or the ELT, which impacted their ability to provide effective oversight and challenge over the OSFI budget.

    The RMC was put in place in November 2023 as an interim measure to provide an oversight and challenge function over resourcing from an OSFI perspective due to the pivot from growth to constraint and has since been stood down. IPC now has a broader, more integrated planning mandate. At the time, however, it was used to oversee the modified budget approach, which included an exercise to establish the optimum end-state FTE for key areas to re-balance OSFI’s resources to meet its strategic priorities and legislative responsibilities in alignment with its risk appetite. IPC also continued the work of RMC until it was paused in the Fall of 2024 to reconsider its Terms of Reference and ensure the committee is designed to meet the broader objectives it was intended to achieve.

    IA conducted a survey of select committee members from EC and IPC to get input on how effective the committees were felt to be in supporting financial stewardship and enabling effective decision-making according to their mandates. As the survey was focused on the present period, RMC was not included. IA found that:

    • Roles and responsibilities described in the Terms of Reference (ToR) are clearly defined and for the most part committee members felt mandates were understood.

    • There is no systematic process to evaluate and challenge, from an organizational perspective, significant resource requests for projects and initiatives.

    • Members generally felt that forecasting methodology was clear, however, a few members across multiple committees shared that the criteria used to prioritize and allocate resources was not clear.

    • While members acknowledged improvements, there were mixed responses in relation to the frequency and quality of financial reporting data being adequate to support decision-making, especially in the case of variances and overruns.

    Since the audit scope period, there have been improvements to the financial data being reported to EC, which now includes data to better track the status of FTEs across sectors. However, while additional reporting and oversight processes are being designed and implemented, OSFI still lacks an integrated process for monitoring and oversight of financial management.

    Why It Matters

    Without an effective oversight and challenge process over financial management with clear expectations, accountability and decision-making are hindered.

    Recommendation #3 (High)
    1. There should be an oversight body which has in its mandate to act as an oversight and monitoring function over financial management. The Integrated Planning Committee could be redesigned to include this role.
    2. There should be a process in place, through the oversight body referenced in Recommendation 3a, for the CFO to review and challenge budgeting and forecasting information (including resource management) against established targets to ensure integration and holistic review and challenge.

    3.4 Budget Process - Planning

    An effective budget process enables OSFI to allocate resources effectively, establish clear targets and make informed decisions.

    What We Found

    OSFI’s budgeting process has not been stable for the past several years and as priorities have shifted so has the budgeting approach. Finance does not have a budgeting system and leverages spreadsheets developed using information manually uploaded into SAP.

    The administrative portion of the budgeting and forecasting process remained fairly consistent, with an annual call letter outlining priorities to guide requests and quarterly key forecasting requirements to be input into the system, however, what was required from the sectors often changed from year to year and in some cases requiring new templates to support the process.

    IA found that when templates changed materially to support the budgeting exercise, this caused additional work for the CoTs as they had to adjust their own supporting worksheets to fit the new templates. Since the process is manual for both the CoT and Finance, this level of effort can be significant.

    As part of the budget planning process, sectors are provided high-level guidance around the types of requests being evaluated against the established priorities. In one cycle during the scope of the audit, the modified budget approach was applied where sectors were asked to determine the optimal allocation of their budget envelopes to the identified functions within each cost center and identify what activities would be stopped, scaled back or reimagined should their sector’s budgeted headcount be reduced by 10%. However, IA noticed that cost reduction or avoidance has not historically been an enterprise-wide process outside of the modified budget exercise in the previous fiscal year, which was not continued into the 2025-26 budget cycle. Instead, cost reductions were top-down decisions on specific expense lines such as travel caps and general FTE / budget reductions, or sectors were required to self-fund new approved initiatives through internal budget reallocations.

    Why It Matters

    Without a clear and consistent budget planning process, OSFI may not be effectively realigning resources to high-risk areas or strategic priorities, in line with sound stewardship.

    Recommendation #4 (Medium Risk):

    The CFO should stabilize the budgeting exercise and supporting templates and include a principles-based process to consistently evaluate and reallocate resources to areas of emerging risks or new strategic priorities.

    3.5 Forecasting and Variance Analysis

    A structured process for variance analysis and challenge is essential to identifying and understanding key differences between budgeted and actual results and make more informed decisions about resource allocation, operational changes and future budgeting.

    What We Found

    Finance analysts work with the CoT to support Cost Centre managers who are responsible for individual directorates within their sectors, in their responsibilities for adjusting forecasts throughout the fiscal year. CoTs within each sector assist Cost Centre Managers and Sectors heads in managing forecasting assumptions and variances throughout the budget cycle. In the mature functions such as Supervision, this is done regularly with real-time data maintained by the CoT. Each financial analyst will flag areas of over- or under-spending according to forecasts and ask clarifying questions to the CoT. However, IA found that:

    • Financial analysts use professional judgement on a case-by-case basis to identify areas of concern to question or raise to management but there is no guiding criteria to ensure consistency.

    • Financial analysts can ask questions around budgeting and forecasting submissions, but they are not at the appropriate level to truly challenge a sectors assumption or submission.

    • Funds can be moved between expense categories, such as from personnel to non-personnel, or between non-personnel line items to cover shortfalls which increases the complexity of variance analysis as expense coding is not prioritized. There is currently a risk-based approach to manage budgets at the total expense level, including management of FTEs and travel caps, and to monitor spending on large priority projects. However, this does not allow for sufficient challenge on line by line budget management to ensure resource optimization.

    • There is no structured process or formalized thresholds to compare forecasts to initial budgets (over- or under-spending) to identify variances that require more detailed reviews.

    The Finance team currently has limited capacity for additional activities such as detailed variance analysis on other expense lines outside of those informally and historically established as risk areas and operates within time constraints for completing forecasts and budgets. However, designing a structured, risk-based approach to variance analysis would enable systematic monitoring of key risk areas.

    Why It Matters

    Without defined thresholds and variance analysis, financial discrepancies may go unnoticed, leading to potential over- or under-spending, inefficient resource allocation, and missed opportunities for corrective action and oversight.

    Recommendation #5 (Medium Risk)

    The CFO should establish a process for variance analysis across key risk areas including thresholds for when more detailed reviews of variances are required.

    Appendix A – Recommendation Ratings

    Recommendations are ranked in order to assist management in allocating resources to address identified weaknesses and/or improve internal controls and/or operating efficiencies. These ratings are for guidance purposes only. Management must evaluate ratings in light of their own experience and risk appetite.

    Recommendations are ranked according to the following definitions:

    • High Risk: should be given immediate attention due to the existence of either a significant control weakness (i.e. control does not exist or is not adequately designed or not operating effectively) or a significant operational improvement opportunity.

    • Medium Risk: a control weakness or operational improvement that should be addressed in the near term.

    • Low Risk: non-critical recommendation that could be addressed to either strengthen internal control or enhance efficiency, normally with minimal cost and effort. Individual ratings should not be considered in isolation; and their effect on other objectives should be considered.

    Appendix B - About the Audit

    B.1 Objective

    To assess whether budgeting and financial management processes effectively support financial stewardship and enable decision-making, including:

    • The effectiveness of the support model for financial management;

    • The effectiveness of the governance and oversight model for financial management; and

    • The effectiveness of budgeting, forecasting, and monitoring processes.

    B.2 Scope

    The overarching objective of the audit is to assess whether planning, budgeting and financial management processes effectively support financial stewardship and enable effective decision-making, focusing on the period from April 1, 2022, to December 31, 2024. The audit is being conducted using a sprint-based approach composed of the following sprints, outlined in further detail below:

    • Sprint I: Operating Model

    • Sprint II: Budgeting, Forecasting & Resource Management

    • Sprint III: Governance and Stakeholder Communication

    B.3 Approach and Methodology

    The audit was conducted through document reviews, interviews, and process walkthroughs. Limited sample-based testing was conducted to assess the operational effectiveness of governance processes.

    B.4 Audit Criteria

    The following criteria were established for this audit (based on the scope adjustment outlined above):

    Audit criteria
    Sprint Criteria
    Sprint I: Operating Model 1.1 The operating model for financial management is effectively designed and implemented.
    1.2: Roles, responsibilities and accountabilities within the financial management operating model are clearly defined, communicated and understood.
    1.3: Processes to support Cost Centre managers in executing their budgeting and forecasting responsibilities are clearly established.
    Sprint II: (2.1) Budgeting 2.1 (a): Established annual budgeting processes are operating effectively and budgets are delegated in a timely manner to support CCM in planning, forecasting and spending resources to achieve priorities.
    2.1 (b): Multi-year budget items are evaluated for their impact on operational decisions, ensuring that planned expenditures and resource allocations align with operational needs and objectives
    Sprint II: (2.2) Forecasting 2.2 (a): There are processes, tools and data supporting forecasting models which are monitored and incorporated into planning exercises.
    2.2 (b): Financial forecasts are verified and challenged on a regular basis.
    2.2 (c): Defined risk tolerances and/or sensitivity factors are appropriate and there is an established feedback loop for updating forecasts based on historical trends and emerging risks is in place.
    Sprint II: (2.3) Resource Management 2.3 (a): Resource management and planning processes are clearly defined and closely integrated with OSFI's Strategic priorities and financial planning to ensure affordability and sustainability.
    2.3 (b): Resource and vacancy management decisions are risk-based and budget processes consider vacancy trends and variances between actual and forecasted staffing costs.
    Sprint III: Governance and Stakeholder Communication 3.1: Stakeholders are identified, engaged for input, and the input gathered is used in budgeting and forecasting processes.
    3.2: Information provided to governance committees is timely, accurate and sufficient to support recommendations.
    3.3: Decisions are documented and clearly communicated to relevant stakeholders
    3.4: Clear communication channels for updating stakeholders on the status and outcomes of the forecasting process are in place.

    B.5 Statement of Conformance

    This review was conducted in conformance with the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing, consistent with the TB’s Policy on Internal Audit, and as supported by the results of the Quality Assurance and Improvement Program.

    B.6 Previous Audit Engagements

    There has been no previous audit coverage of Budgeting and Financial management in the past five years. Resource management was examined with a cyber security risk lens as part of the Audit of Cyber Security Governance and Risk Management. Findings from that audit include areas for improvement relating to governance and decision-making for resource management.

    Report a problem or mistake on this page
    Please select all that apply:
    Date modified: