Skip booklet index and go to page content

Follow-up Audit of Finance and Corporate Branch's IT Controls over Financial Systems

Executive Summary

This audit was included in the departmental Risk-Based Audit Plan 2010–2013 as approved by the Deputy Minister, upon the recommendation of the External Audit Advisory Committee.

When the Federal Accountability Act was introduced in 2006, it required departments to be able to produce audited financial statements capable of supporting a controls-based audit. This was subsequently changed to a requirement to produce auditable financial statements.

Each department was to conduct a baseline assessment of its capacity to comply with this requirement and to report annually on its progress toward compliance to the Office of the Comptroller General (OCG).

At Environment Canada, this audit readiness assessment was contracted to an outside firm and was conducted in two phases, beginning in 2007. The Phase 2 Report on the Audit Readiness Assessment (March 2009) highlighted a number of issues, including 25 issues in the area of information technology (IT) financial controls. The Department implemented an action plan to remedy the issues identified by the end of March, 2011.

The objective of this audit was to follow up on the action plan in response to the 25 IT financial control issues from the Phase 2 Audit Readiness Assessment report of March 2009, to review their completion and ensure that the control weaknesses identified in that report had been resolved.

Statement of Assurance

This audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing and the Policy on Internal Audit of the Treasury Board of Canada.

In our professional judgment, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the conclusions reached and contained in this report. The conclusions were based on a comparison of the situations, as they existed at the time, against the audit criteria.

Summary of Findings

Since the Phase 2 Audit Readiness Assessment report was released in March 2009, significant effort has been made to address the recommendations and underlying findings regarding the 25 IT financial controls issues. The financial system has undergone major upgrades in its platform and functionality. In particular, in the past 8 months, the Department has migrated the system from a UNIX platform to a LINUX platform, added the asset life-cycle management functionality and patched a number of security threats.

For the work plan arising from the Phase 2 Audit Readiness Assessment of March 2009, which was to be completed by March 2011, we conclude that substantial progress has been made in addressing the 25 ITfinancial control recommendations. All high-risk areas of control weakness have been mitigated but further work is required to address them fully. Eleven controls were found to be well addressed by the work undertaken to date. Twelve of the remaining controls were found to be largely effective with only minor issues that still need to be addressed--each control posing a low level of risk to the Department. [Text removed to protect the security of the system]

When the audit fieldwork began in earnest in December of 2010, the review team found that almost none of the policy and procedural work had been finished. However, by the time the audit team was able to begin testing, this situation had been largely reversed, with almost all of the policy and procedural work having been completed. This was accomplished in an environment in which the resources of the Finance and Corporate Services Branch were involved in the implementation of the major change in platforms in November 2010, as well as the work involved for the financial year-end.

Observations and Recommendations

The following is a summary of the observations and recommendations contained in the body of the report.

Improve sustainability of monitoring controls

The audit team observed that remediation activities had been put in place to address monitoring deficiencies using the existing level of resources. The controls that were implemented will remediate the deficiencies; however, in order for the monitoring to be sustainable over the long term, the automation of certain activities needs to be considered.


The Chief Financial Officer (CFO) should develop a plan for re-engineering the monitoring controls over the financial systems within a continuous improvement strategy in order to integrate them into existing business processes, reduce costs and improve sustainability.

Work plan required for outstanding items

The audit team observed that residual work remains for the 12 low-level risk controls and the two medium-risk controls.


The CFO should develop a work plan to address the completion of activities outstanding from the work plan arising from the Phase 2 Audit Readiness Assessment report.

A program of continuous monitoring should be implemented

The recommendations arising from the Phase 2 Audit Readiness Assessment require that many controls be subject to periodic review (monitoring). The audit team found that processes surrounding this monitoring are documented and managed as individual activities, and that the monitoring controls are independently designed and operated.


The CFO should develop a strategy for the continuous monitoring of IT financial controls, which should be part of an overall strategy of monitoring of internal controls.

Identity and access management controls should leverage information available in human resource systems

The audit team found that many of the controls related to identity and access management, especially those that are detective in nature, would be more effective if the controls could leverage information already available in the HR systems.


The CFO and the Assistant Deputy Minister for HR should establish a strategic plan for leveraging existing user identification for use in the financial systems.

Management Response

Agree. Management has developed a management action plan.

Date modified: