Summary of the Assessment of Effectiveness of the Systems of Internal Control over Financial Reporting and the Action Plan of the Canadian Institutes of Health Research for the Fiscal Year 2020–21 (Unaudited)

Annex to the Statement of Management Responsibility Including Internal Control over Financial Reporting

1. Introduction

This document provides summary information on the measures taken by the Canadian Institutes of Health Research (CIHR) to maintain an effective system of internal control over financial reporting, including information on internal control management, assessment results and related action plans.

Detailed information on CIHR’s authority, mandate and program activities can be found in the 2020-21 Departmental Plan.

2. CIHR’s System of Internal Control over Financial Reporting

2.1 Internal Control Management

CIHR has a well-established governance and accountability structure to support agency assessment efforts and oversight of its system of internal control. The agency internal control management framework, approved by the President, includes:

The Audit Committee provides advice to the President on the adequacy and functioning of CIHR’s risk management, control and governance frameworks and processes.

2.2 Service Arrangements Relevant to Financial Statements

CIHR relies on other organizations for the processing of certain transactions that are recorded in its financial statements as follows.

Common Arrangements

Specific Arrangements

3. CIHR Assessment Results during Fiscal Year 2020–21

The key findings and significant adjustments required from the current year’s assessment activities are summarized below.

Impact of COVID-19

In conducting the assessment for fiscal year 2020-21, CIHR considered the impact of remote work and the COVID-19 pandemic on controls and risks within the different business processes. For the most part, business processes and associated risks were unchanged, with the exception that documentation and approvals moved from hardcopy to electronic formats. The Travel and Hospitality business process was removed from the scope of the assessment due to extremely low transaction levels and associated dollar-values for the fiscal year. The low level of transactions resulted from the elimination of face-to-face peer review and committee meetings, and staff travel. Furthermore, the assessment of the Grants and Awards process took into account the potential higher risk of rapid response funding opportunities by applying a judgemental sampling approach to ensure those transactions were represented.

Deferral of the assessment of Information Technology General Controls (ITGCs) and Entity Level Controls (ELCs)

Although not directly related to remote work and the pandemic, the assessment of Information Technology General Controls (ITGCs) was also deferred for this cycle. Planning work was completed to enhance and modernize the approach to the assessment of ITGCs, which will be implemented for 2021-22.

The assessment of Entity Level Controls (ELCs) was also deferred this year due to the need to allocate available resources to the assessment of other, higher priority business processes. Similar to ITGCs, work was completed to modernize the approach to the assessment of ELCs and align it with the most recent version of COSO. COSO is a widely-accepted, industry-standard model used to establish and assess internal controls and is recommended by Treasury Board for the assessment of ELCs. This modernized framework will support a risk-based approach to the assessment of ELCs and enable more fulsome testing. This will also be implemented for fiscal year 2021-22.

New or significantly amended key controls: In the current fiscal year, there were no significantly amended key controls in existing processes that required a reassessment and there were no new processes to test for design and operating effectiveness.

Ongoing monitoring program: As part of its rotational ongoing monitoring plan, CIHR completed its reassessment of the following business processes:

Most key controls that were tested operated as designed. However, some improvements were required. The identified improvements were accepted by management and an appropriate management response was developed.

4. Departmental Action Plan

4.1 Progress During Fiscal Year 2020-21

CIHR continued to conduct its on-going monitoring according to the previous year’s rotational plans as follows:

Progress During the Fiscal Year 2020-21
Previous year’s rotational on-going monitoring plan for current year Status
Grants and awards, including payment Controls are operating as designed. No remedial actions are required at this time.
Financial statements closing (including Payables at year end and accruals)
Payroll and benefits Controls processes require minor improvements to their design or operational effectiveness. Management has accepted recommendations and has begun remedial actions.
Entity-level controls Deferred
Information technology general controls
Travel, hospitality, conference and event expenditures Removed
Financial management and budgeting Not scheduled for review in 2020/21.

4.3 Action Plan for the Next Fiscal Year and Subsequent Years

CIHR has implemented an ongoing rotational monitoring plan over the next three years based on a risk-based annual validation of high risk processes and controls. The plan takes into consideration any substantial changes to key controls in each process. CIHR’s rotational ongoing monitoring plan over the next three years is shown in the following table.

Key control areas Fiscal Year 2020-21 Fiscal year 2021-22 Fiscal Year 2022-23
Financial Statements Closing Process (including Payables at Year End and Accruals) Yes Yes Yes
Grants and Awards including Payment Yes Yes Yes
Payroll and Salary benefits Yes Yes Yes
Entity-Level Controls Deferred Yes Yes
Travel, Hospitality, Conference, and Event Expenditures Removed No Yes
IT General Controls Deferred Yes No
Procurement Yes No No
Financial Management (Budgeting and Forecasting) No Yes No

In addition to the on-going monitoring rotational plan, CIHR has completed or has planned the following assessment work to complement the system of internal control including:

Date modified: