Annex to the Statement of Management Responsibility including Internal Control over Financial Reporting 2023-2024 (Unaudited)

Publication type: Annual report

1. Introduction

This document provides summary information on the measures taken by the Office of the Superintendent of Financial Institutions (OSFI) to maintain an effective system of internal control over financial reporting (ICFR) including information on internal control management, assessment results and related action plans.

Detailed information on OSFI’s authority, mandate and program activities is available in the Departmental Plan and the Departmental Results Report.

2. Departmental system of internal control over financial reporting

2.1 Internal Control Management

OSFI has a well-established governance and accountability structure to support the organizational assessment efforts and oversight of its system of internal control. An internal control management framework is in place and includes the following:

  • Organizational accountability structures as they relate to internal control management to support sound financial management, including clear roles and responsibilities for employees in their areas of responsibility for control management;
  • Commitment to integrity and ethical values, including the implementation of the Statement of Values and Code of Conduct, which complements the Values and Ethics Code for the Public Sector, to strengthen the ethical culture and contribute to public sector integrity;
  • Ongoing communication and training on statutory requirements, policies and procedures for sound financial management and control; and,
  • Monitoring and regular updates on internal control management, including the provision of related assessment results and action plans to the Management Oversight Committee and, as applicable, the Audit Committee.

The Audit Committee provides advice to the Superintendent on the adequacy and functioning of the agency’s risk management, control and governance frameworks and processes.

2.2 Service arrangements relevant to financial statements

2.2.1 Reliance on other federal government organizations

OSFI relies on other organizations for the processing of certain transactions that are recorded in its financial statements, as follows.

Common Arrangements
  • Public Services and Procurement Canada (PSPC) administers the payments of salaries, the shared travel system (STS), office space arrangement and the procurement of certain types of goods and services falling outside OSFI’s contracting delegation of authority.
  • Shared Services Canada (SSC) administers the procurement of certain goods related to information management and information technology falling outside OSFI’s contracting delegation of authority.
  • The Department of Justice provides legal services to OSFI.
  • Treasury Board Secretariat (TBS) provides OSFI with information used to calculate various accruals, such as the employee benefits rate.

Specific Arrangements
  • TBS provides OSFI with corporate financial systems support. The services relate to the support of the SAP financial system platform for capturing all financial transactions. As the service provider, TBS is responsible for ensuring that IT General Controls over the SAP environment are designed and operating effectively. As a client, OSFI retains responsibility over certain IT General Controls over the SAP environment, such as user access controls and segregation of duties.

Readers of this annex may refer to the annexes of the above-noted departments for a greater understanding of the systems of ICFR related to these specific services.

2.2.2 Services that other organizations rely upon

Specific Arrangements
  • OSFI provides financial services for the calculation of assessment revenue to the Financial Consumer Agency of Canada (FCAC). The Office of the Chief Actuary (OCA) also provides actuarial services to the FCAC.
  • The OCA is an independent unit within OSFI that provides a range of actuarial valuation and advisory services to the Government of Canada. The OCA provides appropriate checks and balances on the future costs of the different pension plans and social programs that fall under its responsibility, including, but not limited to, the Canada Pension Plan (CPP), the Old Age Security Program and the Canada Student Financial Assistance Program.

3. OSFI’s assessment results during fiscal year 2023-2024

The following table summarizes the status of the ongoing monitoring activities according to OSFI’s Five-Year Risk Based Plan for the Assessment, Remediation and Ongoing Monitoring of Internal Controls over Financial Reporting. The plan covers the five-year period from April 1, 2023 to March 31, 2028.

As part of its ongoing monitoring plan, OSFI completed its assessment of the financial controls within the following eight key business processes:

| Monitoring results for 2023-2024 | Status |
|---|---|
| Procurement and Contracting | Completed as planned and no remedial actions required |
| Month-end/Year-end Accruals and Reconciliations | Completed as planned and no remedial actions required |
| Payroll | Completed as planned and remedial actions identified to be implemented |
| Revenue – Base Assessments | Completed as planned and no remedial actions required |
| Revenue – Pension Plan Assessments | Completed as planned and no remedial actions required |
| Revenue – Cost Recovered Service MOU | Completed as planned and no remedial actions required |
| Month-end Accruals and Reconciliations | Completed as planned and no remedial actions required |
| Budgeting and Forecasting | Completed as planned and no remedial actions required |
| Accounts Payable – Invoice and Payment | Completed as planned and no remedial actions required |

Overall, the key controls that were tested performed as intended, with some exceptions requiring remediation in the payroll, contracting and procurement and pension revenue processes, specifically:

  • Payroll transactions are approved in accordance with the Financial and Human Resources delegations.

Management is aware of the remediations required and action plans have been started to address them. The risk of material misstatement due to these exceptions is low.

New or significantly amended key controls

In the current year, there were no significantly amended key controls in existing processes that required reassessment. There were only minor changes to the design process of the key business processes.

Entity Level Controls (ELCs)

ELCs are evaluated on a three-year basis. No testing was completed for 2023-24 and testing will resume in 2024-25.

IT General Controls (ITGCs)

ITGCs over the SAP financial system are shared between OSFI and the SAP cluster host, TBS. OSFI completed the operating effectiveness assessment of controls under its responsibility, while TBS completed a Reporting on Controls at a Service Organization audit, commonly called the Canadian Standard on Assurance Engagements (CSAE 3416) audit, over the design and operating effectiveness of the SAP system, which benefits all members of the cluster. As the service provider of the SAP financial system, TBS is responsible for completing any remedial actions identified as a result of the CSAE 3416 audit.

For fiscal year 2023-2024 the CSAE 3416 is unqualified. TBS reports on the findings of this audit in its Annex to the Statement of Management Responsibility including Internal Control over Financial Reporting.

In terms of complementary controls, OSFI performed a semi-annual review of SAP user access.

Financial fraud risk monitoring activities

To enhance the detection and reporting of fraudulent activity within OSFI, the ICFR Team implemented a new risk-based approach that applies data analysis techniques (using data analytics software) to identify anomalies, trends, and risk indicators within a large population of transactions, with the objective of identifying financial fraud and irregular transactions.

Scope of Testing

Business processes in scope include Accounts Payable, Travel, Acquisition Cards and Contracting.

Summary of Results: No potential fraud was identified.

4. OSFI’s action plan for the next fiscal year and subsequent years

OSFI’s monitoring plan over the next 3 fiscal years in accordance with the Five-Year Risk Based Plan for the Assessment, Remediation and Ongoing Monitoring of Internal Controls over Financial Reporting is shown in the following table.

The ongoing monitoring plan is based on the following:

  • Control tests are performed on a rotational basis: high risk processes are validated annually, medium risk processes every two years, and low risk processes every three years.
  • Adjustments to the ongoing monitoring plan are made in accordance with a risk assessment against inherent risk criteria.

| Key Control Area | Level of Risk | 2024-2025 | 2025-2026 | 2026-2027 |
|---|---|---|---|---|
| Entity level controls (ELCs) | Low | Yes | No | No |
| Accounts Payable and Payments | Medium | No | Yes | No |
| Accounts Receivable and Cash Receipts | Low | Yes | No | No |
| Budgeting and Forecasting | Medium | No | Yes | No |
| Procurement & Contracting | High | Yes | Yes | Yes |
| Month-end/Year-end Accruals and Reconciliations | High | Yes | Yes | Yes |
| Quarter-end/Year-end Financial statements and Note Disclosure process | Medium | Yes | No | Yes |
| Payroll | High | Yes | Yes | Yes |
| Revenue – Base Assessments | High | Yes | Yes | Yes |
| Revenue – Pension Plan Assessments | High | Yes | Yes | Yes |
| Revenue – Cost Recovered Services MOU | Medium | No | Yes | No |
| ITGCs related controls - User Access Controls | High | Yes | Yes | Yes |