Download presentation
Presentation is loading. Please wait.
Published byBarbra Maxwell Modified over 8 years ago
1
Shared Services and Third Party Assurance: Panel May 19, 2016
2
Department to department service provision – Examples: Shared Services Canada, Financial Management System shared clusters and Pay Centre; External service provider. Purpose of the presentation: To present an overview of the shared service (service provider) assurance activities being applied on to the following: 2
3
Definition – Service provider Sourcing arrangements linked to a range of mechanisms in which the Government use organizational partnerships: between departments, or outside the public sector, to improve performance in conducting operations or delivering programs services to citizens and businesses. 3
4
Enterprise Approach Benefits Achieved Cost and Effort Optimizing Departmentally Optimize to Government as a Whole Diminishing Returns 4
5
In the Private Sector… Service organization is providing services to one or more user entities. User entity may identify need for assurance over an activity that relies on the controls at a service organization. Specifically: Assurance over whether controls exist and are suitably designed to meet objectives Assurance over whether controls are operating effectively throughout the specified period Under the standards for reporting on controls at a service organization, Canadian Standard on Assurance Engagements (CSAE) 3416, the service auditor obtains assurance: whether the controls at the service organization were suitably designed throughout a specified period (type 1 report); whether the controls at the service organization were suitably designed and were operating effectively throughout a specified period (type 2 report). CSAE 3416 allows service auditors to rely on relevant internal audit work carried out by service organization’s internal audit function. 5
6
In the Federal Government… Areas of consideration: Internal control over financial reporting Financial system Service provision for procurement, HR, Internal Audit Shared Services Canada Ministerial accountability 6
7
Service Provider –example ICFR reporting The department relies on other organizations for the processing of certain transactions that are recorded in its financial statements, including: Department A for common administrative services and support to the programs; Public Services and Procurement Canada (PSPC), for centrally administering the payment of salaries and providing accommodations and cheque-issuing services; Department of Justice for legal services; Treasury Board Secretariat for information to calculate various employee benefit amounts; and, Medicare inc. for providing claims administration for the Interim Federal Health Program (IFHP). The department will need to continue working with these organizations to determine how they can assist with our departmental PIC objectives. 7
8
Levels of departmental internal controls System of ICFR System of ICFM System of IC DM as accounting officer Broad system of internal control CFO System of internal control over financial management ADMs System of internal control in their area of responsibility Policy requirements focus on ICFR 8
9
Assessment of Key Controls Assessment Design effectiveness: – key controls documented – in place as designed – aligned with risks Operational effectivenesss: – key controls functioning over time Entity level (tone from the top) General IT level 3 levels of controls Risk-based approach Start with annual financial statements - Identify key accounts - key risks and materiality Business process level 9
10
Consider: Key control objectives following the COSO 2013 framework. Key control objectives from the Control Objectives for Information and Related Technology (COBIT) 5 framework developed by the Institute of Information Systems Audit and Control Association (ISACA). Specific element for Privacy and Security. Control Framework 10
11
Set enterprise governance to establish clear, coherent GoC direction and ensure tight coordination. Set operational governance for common and shared services Establish an enterprise portfolio management office to support governance, oversight, plan investments, track savings, etc. Get Governance in Place Getting Started: Service Provider Common procedure and practice changes across GoC Identify performance indicators. Identify reporting requirements and information standards. Develop common business processes for key services If external, begin new procurement approaches. 11
12
Roles and responsibilities (some examples) Deputy Heads (DH) –As accounting officer, the DH is responsible for measures taken to maintain effective systems of Ics and sign the Statement of Management of Responsibility Chief Financial Officers (CFOs) –Lead departmental role for financial management (incl. a key source of expertise) –Lead and coordinate the planning and execution of the assessments and sign the Statement of Management of Responsibility Senior Departmental Managers –Responsible for maintaining effective systems of ICs in the programs for which they are responsible –Contribute to the assessment of key risks and controls in their area of responsibility Chief Audit Executives (CAE) –Lead departmental role for internal audit (incl. a key source of expertise) –Assessment results can inform future internal audit plans –Internal audit findings can be leveraged to support the assessment Chief Information Officers (CIO) –Lead departmental role for IT infrastructure and system applications (incl. a key source of expertise) –Contribute to assessments of IT systems and application controls Departmental Audit Committees (Where applicable) –Provide objective advice and recommendations to Deputy Heads –Timing and scope of engagement to be determined by the Deputy Head 12
13
Options… At the highest level, to be able to rely on service organizations a user entity could: Obtain assurance through 3 rd party auditor directly performing audits to gather sufficient and appropriate evidence over the appropriate design and effectiveness of service organization controls; Directly perform internal or external audits in service organizations; Rely on internal audit work carried out at service organizations; Request management attestation. 13
14
Conclusion: Who approve the scope of the assurance product? What authority does a user entity have over conducting assurance activities at a service organization (e.g. access to people and records)? Service level agreement or Memorandum of Understanding? What would be included in the agreement? (e.g. services being provided, relevant controls at service organization, complementary controls, access rights, etc.) Who should conduct these engagements? How should findings be communicated and to whom? Service organization have a Quality Assurance and Improvement Program? What avenues of recourse are possible and appropriate? 14
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.