Presented to the Departmental Audit Committee (DAC)
April 23, 2026
On this page
- Executive summary
- Introduction
- Focus of the audit
- Strengths
- Areas for improvement
- Internal audit conclusion
- Statement of conformance
- Acknowledgements
- Findings and recommendations
- Governance and oversight
- Risk and impact
- Recommendation
- Planning and execution of internal control assessments
- Risk and impact
- Recommendation
- Management response and action plan
- Monitoring and reporting
- Appendix A – About the audit
- Audit purpose and objectives
- Scope
- Approach and methodology
Executive summary
Introduction
Parliamentarians and Canadians expect that the financial resources of the Government of Canada are well managed and safeguarded through a system of internal control. The Treasury Board (TB) Policy on Financial Management defines the system of internal control over financial management (ICFM) as “a set of measures and activities that provide reasonable assurance of the effectiveness and efficiency of the financial management activities of the department.” Within this framework, internal control over financial reporting (ICFR) is a subset that focuses on assurance related to the accuracy and completeness of financial statements. The objective of ICFM monitoring within departments is to ensure sound and prudent use of public funds in an effective, efficient and economical manner.
The diagram below illustrates the relationships between the broader system of internal control, the system of ICFM, and the more narrowly scoped system of ICFR, as well as the corresponding accountabilities of the Deputy Head and Chief Financial Officer (CFO):
Text version
Systems of Internal controls Deputy Head
System of Internal control across the department.
Chief Financial Officer
System of Internal control over financial management and financial reporting.
Senior departmental managers
System of internal control within their areas of responsibilities.
As per the Policy on Financial Management, the CFO is responsible for establishing, monitoring, and maintaining a risk-based system of ICFM and ICFR, and for ensuring the accuracy and reasonableness of departmental financial statements, including the annual Statement of Management Responsibility Including Internal Control over Financial Reporting, which is co-signed by the Deputy Minister and published in NRCan’s annual financial statements. Business process owners (BPOs) are responsible for the day-to-day implementation and maintenance of internal controls within their respective business processes and for taking prompt corrective actions where control weaknesses are identified.
Within NRCan, the Financial Policy, Reporting and Internal Controls (FPRIC) unit, situated under the Corporate Management and Services Sector (CMSS), is responsible for managing the system of internal controls over financial management. The Financial Management Internal Controls (FMIC) team, operating within FPRIC, is responsible for developing and executing the Department’s annual ongoing monitoring plan, which includes risk-based assessments and cyclical testing of key controls across departmental business processes. The results of this work are published annually in the Annex to the Statement of Management Responsibility Including Internal Control over Financial Reporting of Natural Resources Canada for the applicable fiscal year.
The Audit Operations Division within the Audit and Evaluation Branch (AEB) is responsible for providing independent, objective assurance on the adequacy and effective functioning of the Department’s internal control processes. In order to maintain independence and objectivity, this audit did not include an assessment of the AEB’s contributions to the Department’s system of internal controls over financial management.
Focus of the audit
The objective of this audit was to assess the adequacy and effectiveness of NRCan’s framework supporting internal controls over financial management, including how the Department plans, implements, and reports on its ongoing monitoring responsibilities in compliance with Treasury Board requirements.
Specifically, the audit assessed whether:
- Appropriate mechanisms have been established to ensure clearly articulated roles and responsibilities, compliance with Treasury Board requirements, and efficient operations;
- Internal control assessments are designed and implemented in a manner that is risk-based and ensures reliable, accurate, and evidence-based results; and,
- Results of internal control assessments are effectively communicated to stakeholders and findings are monitored to support effective oversight and timely corrective action.
Strengths
The Department has established a Framework for Internal Controls Over Financial Management (ICFM) that supports the oversight and delivery of the system of ICFM, including clearly defined roles and responsibilities, and the Department's process for designing and implementing internal controls assessments. Mechanisms in place to support the efficiency of ongoing monitoring activities include established tools and templates. Reporting of assessment results to key stakeholders is occurring in accordance with the relevant guidance, through Letters of Recommendation and semi-annual reports.
Areas for improvement
The audit identified opportunities to increase efficiency and effectiveness of processes related to semi-annual reporting, onboarding and knowledge transfer, and leveraging the work of other assurance providers. While most required elements of a risk-based methodology have been incorporated into the planning of key control assessments, there are opportunities to expand the use of its application when planning the overall approach to support effective oversight and efficient ongoing monitoring of ICFM. This approach would also help ensure that limited resources are focused on key control areas of highest risk.
Internal audit conclusion
The audit found that the Department has established a Framework for Internal Controls Over Financial Management as well as internal reporting mechanisms that are generally aligned with Treasury Board requirements and guidance. The audit identified opportunities to expand the current risk-based approach when planning and executing the overall responsibilities of the ICFM function to support effective oversight and efficient ongoing monitoring of ICFM in the current operating context. In addition to the formal recommendation, the audit also identifies opportunities where management could explore options to simplify processes that may result in additional efficiencies.
The audit team acknowledges the effort that has been made by the Department to carry out the activities of all phases of the ongoing monitoring approach with limited resources. In light of the Department's ongoing efforts to gain efficiencies by simplifying processes, it is important to periodically review and update the Department's approach to ongoing monitoring to ensure the best use of its limited resources.
Statement of conformance
In my professional judgement as Chief Audit and Evaluation Executive, the audit conforms with the Institute of Internal Auditors' Global Internal Audit Standards and the Government of Canada’s Policy on Internal Audit, as supported by the results of engagement supervision and the Quality Assurance and Improvement Program.
Michel Gould, MBA, CPA, CIA
Chief Audit and Evaluation Executive
April 23, 2026
Acknowledgements
The audit team would like to thank those individuals who contributed to this project and, particularly employees who provided insights and comments as part of this audit.
Findings and recommendations
Governance and oversight
Summary finding
The 2019 NRCan Framework for Internal Controls Over Financial Management (the NRCan Framework) articulates the governance and accountability structure, roles and responsibilities, guiding principles, and general approach to support oversight and delivery of a risk-based system of ICFM. The NRCan Framework was found to be generally compliant with the 2024 Treasury Board Policy on Financial Management and communicated. The use of tools and templates generally support a consistent approach for documenting ICFM assessments and reporting. There is an opportunity to expand the current risk-based approach when planning and executing the overall responsibilities of the ICFM function to support effective oversight and efficient ongoing monitoring of ICFM in the current operating context.
Supporting observations
The audit expected that appropriate mechanisms would be in place to ensure clearly articulated roles and responsibilities, compliance with Treasury Board requirements and to support the efficiency of ICFM activities. The audit examined whether the roles and responsibilities of key stakeholders are clearly defined and communicated; whether compliance with relevant Treasury Board policies and guidance (e.g., Policy on Financial Management, Guide to ICFM) is actively monitored and reflected in planning and control frameworks; and whether there are mechanisms to support the efficiency of ICFM activities, including use of technical tools and knowledge transfer.
Compliance with Treasury Board policies and guidance
The 2019 NRCan Framework for Internal Controls Over Financial Management (the NRCan Framework) articulates the governance and accountability structure, roles and responsibilities, guiding principles, and general approach to support oversight and delivery of a risk-based system of ICFM. The audit found that the NRCan Framework generally aligns with the Treasury Board Policy on Financial Management, the TB Guide to ICFM, and the TB Guide to Ongoing Monitoring of ICFM. The objective of ongoing monitoring is to support senior management in its assessment of the system of ICFM, whether it is reliable and whether actions have been implemented to improve controls. The five phases of ongoing monitoring for ICFM are depicted in the figure below.
Text version
Ongoing monitoring approach for ICFM
The figure shows 5 steps involved in the ongoing monitoring approach for ICFM:
Step 1:
Develop and update the risk assessment
Step 2:
Develop and update the ongoing monitoring plan
Step 3:
Complete the assessment
Step 4:
Capture the results and actions of the assessment
Step 5:
Develop the internal and external reports
Source:
TB Guide to Ongoing Monitoring of Internal Controls Over Financial Management
The Department publishes its annual Ongoing Monitoring Plan (OMP) in the Annex to the Statement of Management Responsibility Including Internal Control over Financial Reporting. The Department’s OMP generally follows a structured approach to ongoing monitoring and aligns with Treasury Board requirements that the plan be: documented, covers a multi-year period, includes mapping of business processes, and information technology general controls and entity-level controls. Prior to publication, the Ongoing Monitoring Plan is reported to senior management, including the Chief Financial Officer and the Deputy Minister, and the Departmental Audit Committee.
No issues of non-compliance were observed during the audit; however, in support of continuous improvement, there is an opportunity to review and refresh the Framework to ensure alignment with current TB policies and to enhance the efficiency of current operations. In 2024, the Treasury Board Secretariat consulted with several departments, including NRCan, to seek feedback on proposed revisions to its Guide to ICFM. FMIC has expressed its intention to review and update the NRCan Framework for ICFM once the revised Guide is published by Treasury Board.
Roles and responsibilities
The audit found that the NRCan Framework outlines roles and responsibilities of the following key stakeholders: the Deputy Minister, Chief Financial Officer (Assistant Deputy Minister of the Corporate Management and Services Sector), the Deputy Chief Financial Officer, Senior Departmental Managers, Business Process Owners, the Director of the Financial Policy, Reporting and Internal Controls division, the Chief Audit and Evaluation Executive, and the Departmental Audit Committee. A senior departmental manager “reports directly to a deputy head and who is accountable for effective financial management in their areas of responsibility.” A business process owner is “the individual responsible for overseeing the controls associated with a particular business process or an information technology general controls process.” At NRCan, the CFO is the Senior Departmental Manager responsible for all key control areas except Entity Level Controls, wherein the responsibility is shared jointly with the CFO, the Chief Audit and Evaluation Executive, and the ADM of the Strategic Policy and Innovation Sector. The audit found that roles and responsibilities of key stakeholders as clearly articulated in the NRCan Framework are communicated to Business Process Owners during kick off meetings at the start of the assessment of a key control area, as documented in presentation decks. The NRCan Framework is also posted on the departmental intranet and is accessible to all employees.
The NRCan Framework also includes a Responsible, Accountable, Consulted, and Informed table of key stakeholders and their roles in the Department’s ongoing monitoring approach for ICFM, as shown in the table below (Note for efficiency FMIC has combined the risk assessment and Ongoing Monitoring Plan into one general step for planning.) The CFO is accountable for each activity for the ongoing monitoring of the Department’s system of ICFM, and the Financial Management and Internal Controls unit is responsible for carrying out those activities on a day-to-day basis.
| Activity | Responsible | Accountable | Consulted | Informed |
|---|---|---|---|---|
| Planning | FMIC | CFO | BPO, CFO, DCFO and AEB | CFO, DAC, DCFO, DM, and AEB |
| Assessment | FMIC | CFO | BPO, CFO, and DCFO | BPO, CFO, and DCFO |
| Reporting | FMIC | CFO | CFO, BPO, and DCFO | CFO, DAC, DCFO DM, SDM, and AEB |
| Follow-Up | FMIC | CFO | BPO | CFO, DAC, DCFO, AEB, and DM |
Mechanisms supporting efficiency of ICFM activities
The FMIC resourcing model currently comprises of one employee at the manager level who does planning, reporting, and follow-up for the ICFM ongoing monitoring cycle. As a temporary measure to mitigate the risk of not being able to deliver on the Ongoing Monitoring Plan, a third-party consulting firm is also used to perform the internal control assessment testing on an “as required” basis. FMIC has indicated that at the completion of the current contract, it will reassess its resourcing strategy. In light of the current operating context and the anticipated expansion of ICFM areas, it is important to periodically review and update the Department's approach to ongoing monitoring to ensure that limited resources are focused on activities of highest priority, value, and risk to the Department.
The Financial Management and Internal Controls team also considers the assurance work performed by the Audit and Evaluation Branch to support coverage over the system of ICFM. The audit engagements have been referenced in the Ongoing Monitoring Plan as a source of additional assurance on the effectiveness of risk management, control, and governance processes related to the system of ICFM. A comparative review of five other federal departments demonstrated that NRCan’s explicit identification of internal audit in its Ongoing Monitoring Plan is not common. When asked how and whether their internal controls unit relies on the work of internal audit, several external departments interviewed by the audit team noted that their internal controls unit will consider the findings and recommendations of completed audit reports to inform the ICFM risk assessment exercise. One department noted that its ongoing monitoring function for ICFM, including risk assessment, development of the ongoing monitoring plan, internal controls assessments is outsourced to third-party consultants. Findings related to how FMIC assesses and identifies AEB work for leveraging are included in the "Risk Assessment and Ongoing Monitoring Plan" section below.
There are various other mechanisms FMIC has implemented to support the efficiency of ICFM activities. The use of tools and templates, such as the Risk and Control Matrix, corrective action tracker, and templates for reporting support a consistent approach for documenting ICFM assessments and reporting. Furthermore, FMIC has developed detailed instructions and descriptions included within the contract and task authorizations to onboard and set clear expectations for the work to be conducted by the consultants. However, these do not take the place of formalized standard operating procedures. To ensure efficient onboarding and knowledge transfer in future, FMIC should consider leveraging these existing processes to document key operating procedures.
It was observed that most processes are manual and technical tools were not being leveraged to a great extent at the time of the audit. The audit team noted that FMIC actively monitors gaps in its technical capabilities and explores options for improvement, as demonstrated by their participation in the Finance and Procurement Branch’s Digital Roadmap exercise in 2023-24, which documents functional needs and evaluates various market solutions. Through the comparative review, the audit team sought to identify opportunities to increase efficiency with the support of technology. We believe that there will be opportunities to leverage technology, depending on the maturity of the financial management systems cluster supporting departments. We are aware that other departments (as part of other financial management systems clusters) are expanding their use of technology. We encourage the Department to continue to stay up to date on these advances.
Risk and impact
There is a risk that resources will not be allocated to the areas of greatest risk, if the current risk-based approach is not expanded to all elements of the ICFM function, including a common understanding of risk appetite and risk tolerance.
Recommendation
Through the implementation of audit recommendation 1, it is anticipated that the findings identified in this section will be addressed.
Planning and execution of internal control assessments
Summary finding
FMIC conducts an annual risk assessment exercise that determines the risk ratings of all key control areas within the system of ICFM. The results of the risk assessment are used to support the development of the annual Ongoing Monitoring Plan for the testing of key control areas on a rotational basis. There is an opportunity to ensure that other relevant factors taken into consideration for determining risk ratings and priority rankings are well documented, and that the Department’s approach for the ongoing monitoring of ICFM continues to support the efficient use of limited resources to assess key risks.
FMIC has also established a process for designing and implementing internal controls assessments that is defined in the NRCan Framework for ICFM and is compliant with Treasury Board requirements. There is an opportunity to ensure that decisions to rely on work performed by other assurance providers are sufficiently supported by an assessment of whether there is clear alignment of objectives and approach to support that ICFM and ICFR requirements are fully satisfied.
Supporting observations
The audit expected that internal control assessments would be designed and implemented in a manner that is risk-based and ensures reliable, accurate, and evidence-based results. The audit examined whether a structured risk assessment process is designed and implemented to select and prioritize key business processes and controls for testing; and whether internal control testing is conducted using documented procedures and appropriate evidence, supporting the accuracy and validity of conclusions on control design and operating effectiveness. The audit also examined whether reliance on third parties to support testing activities is appropriately managed and integrated into the internal control team's work.
Risk assessment process and ongoing monitoring plan
The Department’s ICFM risk assessment process integrates risk factors that align with Treasury Board guidance. It is conducted annually and reflects consideration of events that may trigger a change in the risk rating of key control areas. Though it is too early to assess as part of this audit, FMIC has indicated that it will also consider the risk assessment results from the TBS Risk and Compliance Process launched in 2025 to inform its future ICFM risk assessments. The audit acknowledges that there can be some benefits to the current FMIC approach of going beyond TB expectations for a full risk assessment of ICFM to be completed only once every 3 to 5 years, with environmental scans conducted during intervening years. However, as part of its overall approach, FMIC is encouraged to review whether a full risk assessment is necessary annually, or could be simplified in consideration of resource constraints, simplification of processes, and cost-benefit assessments.
The ICFM risk assessment includes an assessment of each key control areas by assigning risk ratings for Inherent Risk factors (materiality and significant changes) and Control Risk factors (significance of outstanding recommendations). The risk assessment also considers priority drivers, such as new or changed policies, framework, requirements, and mitigation plans. This methodology is generally aligned with Treasury Board expectations. However, the audit found that documentation of the risk assessment methodology is not sufficiently detailed to clearly capture how the results of risk assessment are consistently applied to the selection key control areas, sub-key control areas, and individual controls for testing in the ongoing monitoring plan. Based on the assessed risk level ratings of Inherent Risk factors and Control Risk factors, priority ranking is established for ongoing monitoring consideration and is used to develop the testing schedule as outlined in the Ongoing Monitoring Plan. The audit team recognizes that there is a degree of professional judgment used to determine which key control areas are to be included in the Ongoing Monitoring Plan, however, there was no documentation of other factors that were considered for determining priority for testing, such as the likelihood of risk factors materializing, or resource constraints and cost-benefit assessments. The linkage between the priority ratings and the decision to include a key control area (including sub-key control areas, and individual controls for testing) in the Ongoing Monitoring Plan is also not clear.
As noted previously, the Ongoing Monitoring Plan references recent and planned internal audit work in scheduling assessment activities. FMIC indicated to the audit team that updates to the OMP are made based on a review of planned audit projects as per the Integrated Audit and Evaluation Plan (IAEP), which outlines a list of planned projects with descriptions of subject areas to be reviewed but does not include preliminary objectives and scope. When updates are made during the annual IAEP process, FMIC reviews the proposed audit projects and reprioritizes its risk based Ongoing Monitoring Plan accordingly in order to leverage AEB’s work. It is recognized as a good practice to consider the results of the work of internal audit and external assurance providers when conducting the risk assessment and preparing the Ongoing Monitoring Plan. Treasury Board guidance indicates that "the internal controls team can use internal audit results if the objectives and the approach of the controls assessment are sufficiently alignedFootnote 1." The audit found that FMIC had not documented its assessment of the alignment between the objectives and approach of its own work and that of internal audit to support reliance on the latter in the OMP. As such, the inclusion of AEB projects in the OMP as providing additional assurance, or in some cases the sole source of assurance, of high priority key control areas may inaccurately represent actual coverage of key controls for ICFM or ICFR to decision-makers who rely on this information. When relying on the work performed by the AEB, FMIC will need to ensure that its ICFM and ICFR requirements are fully satisfied, supplemented with additional work when required. This observation was also raised in the 2018 ICFR internal audit conducted by the AEB.
Internal control testing
Internal control testing for the 2024-25, and 2025-26 assessment cycles was carried out by third-party consultants. The FMIC unit defines the scope and reviews the consultants’ work. The audit confirmed that the approach for internal control testing, as outlined in the Statements of Work for the third-party consultants, aligns with TBS Guide to Ongoing Monitoring of ICFM. This includes a list and description of the sub-processes, key control areas, and systems to be included within the scope of the work to be completed. Task authorizations also clearly set expectations that work should align with TB requirements and recognized best practices such as the Control Objectives for Information and Related Technologies (COBIT). The methodology for how key controls should be described, tested, and documented are outlined in the task authorizations, including a list of deliverables.
The results of the internal control testing assessments are captured in a Risk and Control Matrix (RACM) for each key control area. The RACMs provide a comprehensive summary of the assessments performed, covering areas such as key control objectives, risk statements, control descriptions, and design and operating effectiveness testing and results. The audit reviewed a sample of completed RACMs and noted some inconsistencies in the completeness of the documentation. For example, the sampling approach and total population for testing is not consistently documented, making it difficult to determine whether the sample sizes selected for testing are sufficient. FMIC conducts a supervisory review of the consultants’ work that focuses on the review of the Letters of Recommendation and the testing results documented in the RACMs. However, the audit noted that there is not a formalized quality assurance process for the review of the testing work done. There are different ways of achieving this, ranging from low to higher level of efforts including: a statement of attestation, a checklist of key steps or a full detailed review. The Department should consider exploring options at varying levels of effort to ensure the quality of the work conducted while recognizing limited resources.
Risk and impact
The lack of documented consideration of other factors for determining priority for testing (including resource constraints and operational efficiencies) and clearly documented linkages between the risk assessment and the selection of key control areas, could result in limited resources not being focused on key control areas of highest risk. This could further result in a high-risk key control area being excluded in the Ongoing Monitoring Plan and risk not detecting a control failure that could have a significant impact on the system of ICFM.
Without ensuring sufficient alignment of objectives and scope to support the decision to rely on the work of other assurance providers, there is a risk that information reported to and used by decision-makers who rely on this information does not accurately represent the ongoing monitoring of key control areas for the Department’s system of ICFM or that the Department may not assess higher risk areas to identify deficiencies in a timely manner.
Recommendations
Recommendation 1: It is recommended that the ADM CMSS expand the use of risk assessment, including a common understanding of risk appetite and risk tolerance, when planning and executing the overall approach for the effective oversight and efficient ongoing monitoring of ICFM. It is expected that this exercise would also inform a robust approach for the ICFM risk assessment process and the development of the ongoing monitoring plan, including the assessment of reliance on other assurance providers when required.
Management response and action plan
Management response to recommendation 1:
Management agrees with the recommendation.
In response to Recommendation #1:
1) Risk based approach to ICFM oversight and ongoing monitoring: The Financial Management Internal Control unit conducts an annual risk assessment to identify key areas and sub processes within broader departmental processes that present the highest risk, enabling the prioritization of oversight activities and ensuring that limited resources are directed where they have the greatest impact. The approach will be further refined to enhance risk differentiation, strengthen alignment with established risk appetite and risk tolerance, and improve the precision, effectiveness, and efficiency of oversight and ongoing monitoring activities. Consideration will also be given to resource constraints and cost benefit analysis to ensure that the level of assurance obtained is proportionate to the level of risk, thereby improving the efficiency and effectiveness of FMIC oversight and ongoing monitoring.
Deliverables:
- An updated annual FMIC risk assessment that clearly identifies and prioritizes high risk processes, sub processes, and key control areas, with documented rationale explaining risk assessment conclusions.
- Clear articulation of how risk appetite and risk tolerance are applied within the risk assessment process to guide oversight intensity and resource allocation, taking into account cost benefit considerations.
Position responsible: Director General, Finance and Procurement Branch
Timing: November 30, 2026
2) Independence of ICFM monitoring and referencing to AEB audit results: The FMIC unit does not rely on Audit and Evaluation Branch (AEB) internal audits as a substitute for its ICFM/ICFR monitoring responsibilities but rather, results are referenced only when they provide supplementary assurance related to specific key control areas within the overall system of internal controls. Where audit work is referenced, the associated audit Terms of Reference will be reviewed to confirm that the audit objectives, scope, and timing are sufficiently aligned with ICFM assessment requirements. The results of this analysis and their relevance to FMIC’s risk-based oversight and ongoing monitoring approach will be appropriately documented in the FMIC risk based Ongoing Monitoring Plan (OMP) working documentation.
FMIC acknowledges that references to AEB audit projects in sections 3 and 5 of the Annex could be interpreted as implying that AEB provides coverage for ongoing monitoring, which was not the intended message. To avoid any potential misinterpretation, references to AEB work will be removed from sections 3 and 5 of the Annex going forward and Section 4 will also be clarified, for example as follows:
“The Ongoing Monitoring Plan (OMP) may reference planned projects included in the NRCan Integrated Audit and Evaluation Plan (IAEP) where those projects provide independent and objective assurance relevant to specific governance, risk management, or control components within the broader system of internal controls. Such references are intended solely to provide supplementary assurance. Accountability for assessing the effectiveness of the Department’s risk based system of internal controls over financial management, including its subset, the system of internal controls over financial reporting, remains with the Financial Management Internal Controls (FMIC) unit under the direction of the Chief Financial Officer.”
Notwithstanding the above, coordination with AEB’s planning cycles will continue in practice to minimize duplication of effort, reduce the burden on process owners, and avoid unnecessary overlap. This coordination will be reflected in the Risk-Based Ongoing Monitoring Plan, while maintaining clear accountability for FMIC’s independent ICFM oversight and monitoring responsibilities.
Deliverables:
- Documented review of relevant AEB audit Terms of Reference to assess alignment with ICFM/ICFR assessment objectives and scope.
- A revised Annex to the Statement of Management Responsibility, including Internal Control over Financial Reporting, with all references to AEB audit work removed from sections 3 and 5.
- Confirmation that section 4 of the Annex remains the sole reference to AEB audit projects and will clearly reflect their use for supplementary assurance only, without reliance for core ICFM monitoring.
Position responsible: Director General, Finance and Procurement Branch
Timing: September 30, 2026
Monitoring and reporting
Summary findings
Overall, reporting to key stakeholders is occurring in accordance with the Treasury Board guidance through Letters of Recommendation (for Business Process Owners) and semi-annual reports (for senior management and the Departmental Audit Committee). Follow-up with Business Process Owners is conducted twice annually to monitor the implementation of corrective actions.
The information included in the semi-annual reporting is generally comprehensive and includes detailed annexes. There is an opportunity to review and refine the information and level of detail in reports to senior management, to better facilitate strategic discussions and support informed decision making.
Supporting observations
The audit expected that results of internal control assessments would be effectively communicated to stakeholders, and that findings would be monitored to support effective oversight and timely corrective action. The audit examined whether identified control deficiencies are supported by corrective action plans, and whether appropriate follow-up is conducted to ensure timely implementation.
Reporting on internal controls over financial management
The Department has established mechanisms to communicate the results of internal control assessments to key stakeholders, including Business Process Owners, the Chief Financial Officer, the Deputy Minister, Senior Departmental Managers, and the Departmental Audit Committee. Internal control assessment results and recommendations are communicated through Letters of Recommendation to Business Process Owners, and semi-annual ICFM update reports, in alignment with the general expectations set out in the TB Guide to ICFM, the TB Guide to Ongoing Monitoring of ICFM, and the NRCan Framework. The semi-annual ICFM update reports include key elements outlined in the guidance, including findings, recommendations and the status of corrective actions.
The audit team noted that the presentations prepared for senior management and for DAC are generally comprehensive and contain annexes that provide additional detail. While it is helpful to provide detailed information when reporting to senior management, the audit found that key information for strategic discussions and decision-making may not be clearly articulated amidst an abundance of supporting detail. The Department should consider re-evaluating the usefulness of the information with key stakeholders to ensure the level of detail provided in the ICFM update reports is appropriate and meets user needs, and that resources are used efficiently to provide information that is useful for decision making.
Monitoring and follow up of corrective actions
The audit found that control deficiencies identified through internal controls assessments are communicated to Business Process Owners through Letters of Recommendation that include key elements: findings, risk ratings, and recommendations. The audit confirmed through document review and interviews that FMIC works collaboratively with Business Process Owners to develop the management action plan including identification of corrective actions to address the control deficiencies and timelines for implementation of the corrective actions. Follow-up with Business Process Owners is conducted twice annually to monitor the implementation of corrective actions.
Follow-up activities also include frequent communication with Business Process Owners to clarify recommendations as required, confirmation of deliverables prior to closure, and systematic updates to the corrective action tracker. Evidence of completed actions for selected key control areas demonstrates that corrective actions are being implemented and monitored appropriately, with formal closure confirmed and validated by FMIC. The audit noted that a number of corrective actions were delayed in meeting their original due dates by Business Process Owners. In the 2024-25 Year-End Update on ICFM, presented in August 2025, Business Process Owners indicated that 19 out of 27 outstanding corrective actions required revised timelines due to organizational and operational factors, including management turnover and competing priorities. This observation was also raised in the 2018 ICFR internal audit conducted by the AEB. These delays were documented in the tracker and escalated to senior management, with explanations provided by Business Process Owners. FMIC has indicated that as part of the follow-up phase, they continuously evaluate whether corrective actions are obsolete or could be superseded by the same AEB recommendation.
The audit team acknowledges that implementation of corrective actions is the responsibility of the Business Process Owners, and that FMIC is proactive in following up with Business Process Owners to support the implementation of these corrective actions. FMIC should consider conducting a review of all overdue corrective actions to assess whether the corrective actions are still relevant in the current operating environment.
Appendix A – About the audit
A risk-based approach was used in establishing the objectives, scope, and approach for this audit engagement.
Audit purpose and objectives
The objective of this audit was to assess the adequacy and effectiveness of NRCan’s framework supporting internal controls over financial management, including how the Department plans, implements, and reports on its ongoing monitoring responsibilities in compliance with Treasury Board requirements.
Specifically, the audit assessed whether:
- Appropriate mechanisms have been established to ensure clearly articulated roles and responsibilities, compliance with Treasury Board requirements, and efficient operations;
- Internal control assessments are designed and implemented in a manner that is risk-based and ensures reliable, accurate, and evidence-based results; and,
- Results of internal control assessments are effectively communicated to stakeholders and findings are monitored to support effective oversight and timely corrective action.
This audit was included in the 2024-2029 Integrated Audit and Evaluation Plan (IAEP), approved by the Deputy Minister on June 24, 2024.
Scope
The scope of the audit focused on relevant processes and procedures related to NRCan’s planning, execution, and reporting activities in support of its system of internal controls over financial management. The scope covered activities undertaken for the period between April 1, 2023, and March 31, 2025.
The scope of the audit did not include the following:
- An assessment of the effectiveness of individual internal controls owned by business process owners.
- Direct testing or validation of internal controls performed by third parties or other government departments on NRCan’s behalf. However, FMIC’s approach to incorporating this reliance into its assessments was examined.
- A review of the accuracy or completeness of NRCan’s financial statements or a formal audit opinion on financial reporting.
As indicated in the Annex to the Statement of Management Responsibility Including Internal Control over Financial Reporting within NRCan’s consolidated financial statements, FMIC partially relies on the work conducted by the AEB to support its ongoing monitoring activities for providing additional assurance on the effectiveness of risk management, control, and governance processes related to the system of ICFM. In order to maintain independence and objectivity, this audit did not include an assessment of the AEB’s contributions to the Department’s system of internal controls over financial management.
The results of other previous audit, and evaluation projects on related topics were considered to inform the audit and reduce duplication of efforts, including the AEB 2018 Audit of Internal Controls over Financial Reporting.
Approach and methodology
The approach and methodology followed the Institute of Internal Auditors' Global Internal Audit Standards and the Government of Canada’s Policy on Internal Audit. These standards require that the audit be planned and performed in such a way as to obtain reasonable assurance that audit objectives are achieved. The audit included tests considered necessary to provide such assurance. Internal auditors performed the audit with objectivity as defined by the IIA GIAS.
The audit included the following key tasks:
- Interviews with key personnel involved in the design, implementation, and oversight of the Department’s system of internal control over financial management, including members of the FMIC team, business process owners, and other relevant stakeholders;
- Examination and analysis of departmental documentation including, but not limited to: policies, procedures, risk assessments, testing strategies, risk and control matrices, letters of recommendation, and reporting related to ICFM activities; and,
- A review of publicly available information and interviews with a selection of Science Based Departments and Agencies to identify good practices related to the ongoing monitoring of internal controls over financial management.
The following audit criteria guided the fieldwork and formed the basis for the overall audit conclusion. These criteria were developed based on key controls set out in the Treasury Board of Canada’s Policy on Financial Management and its accompanying guidance.
| Audit sub-objectives | Audit criteria |
|---|---|
|
Sub-objective 1: To determine whether appropriate mechanisms have been established to ensure clearly articulated roles and responsibilities, compliance with Treasury Board requirements, and efficient operations. |
1.1. It is expected that the roles and responsibilities of key stakeholders are clearly defined and communicated. |
| 1.2 It is expected that compliance with relevant Treasury Board policies and guidance (e.g., Policy on Financial Management, Guide to ICFM) is actively monitored and reflected in planning and control frameworks. | |
| 1.3 It is expected that mechanisms are in place to support the efficiency of ICFM activities, including use of technical tools, and knowledge transfer. | |
|
Sub-objective 2: To determine whether internal control assessments are designed and implemented in a manner that is risk-based and ensures reliable, accurate, and evidence-based results. |
2.1 It is expected that a structured risk assessment process is designed and implemented to select and prioritize key business processes and controls for testing. |
| 2.2 It is expected that internal control testing is conducted using documented procedures and appropriate evidence, supporting the accuracy and validity of conclusions on control design and operating effectiveness. | |
| 2.3 It is expected that reliance on third parties to support testing activities is appropriately managed and integrated into the internal control team's work. | |
|
Sub-objective 3: To determine whether results of internal control assessments are effectively communicated to stakeholders and findings are monitored to support effective oversight and timely corrective action. |
3.1 It is expected that results of internal control assessments are reported to senior management on a timely basis and are complete and accurate. |
| 3.2 It is expected that identified control deficiencies are supported by corrective action plans, and that appropriate follow-up is conducted to ensure timely implementation. |