Over time, this includes assessment of the design and operating effectiveness of the system of ICFR, leading to the on-going monitoring and continuous improvement of the CFIA’s system of ICFR.
Design effectiveness means ensuring that key control points are identified, documented and in place, that they are aligned with the risks (i.e. controls are balanced with and proportionate to the risks they aim to mitigate), and that any remediation is addressed. This includes the mapping of key processes and IT systems to the main accounts as applicable.
Operating effectiveness means that the application of key controls has been tested over a defined period and that any required remediation is addressed.
3.2 Assessment baseline
To determine the scope of the assessment, a scoping and planning exercise was undertaken to identify key business processes, entity level control areas and general computer control areas. During planning and scoping, both quantitative and qualitative factors were considered. These included, but were not limited to: materiality, transactions requiring significant judgment or estimates (e.g. contingent liabilities), complexity of operations, susceptibility to fraud, feedback or recommendations concerning the financial statements or related matters from the Office of the Comptroller General (OCG), and previous audit findings whether from the Internal Audit Directorate (IAD) or from the OAG.
Business processes are defined as the specific processes supporting the treatment of financial transactions.
Entity level controls are defined as the overarching controls of the organization that set the “tone from the top”.
General computer controls are defined as controls over the core financial systems and IT infrastructure that are used across the organization and that support financial transactions. The CFIA is responsible for assessing the effectiveness of all the key IT general controls for systems that it fully manages. The service providers in the other government departments (OGD) are responsible for the internal control self-assessment on the systems that they maintain for the CFIA.
These control areas are the baseline by which the CFIA developed its initial three-year self-assessment plan. This three-year plan will be reviewed and updated on an annual basis to reflect changes in the control environment.
CFIA has completed two years of self-assessment activities which include the majority of areas identified in the three-year plan. The third year of the self-assessment will include completion of 2012-13 self-assessment activities identified in the three-year plan as well as preparation for transition to on-going monitoring commencing in 2013-14. At the end of fiscal year 2012-13, a risk-based multi-year monitoring plan will be in place to enable continuous improvement of the CFIA’s system of ICFR.