Audit of design and operating effectiveness of entity level controls

Executive summary
1. Background
2. Objective and scope
3. Approach and methodology
4. Findings, recommendations and action plans
5. Conclusion
6. Acknowledgements and contacts
Appendix A: Assessment scale and results summary
Appendix B: Entity level controls mapped to the Committee of Sponsoring Organizations of the Treadway Commission 2013 pillars and principles
Appendix C: Summary of findings, recommendations and management action plans
Appendix D: Canadian Grain Commission’s Internal Control Management Framework details
Appendix E: Canadian Grain Commission’s additional entity level controls details

Alternate format

Audit of design and operating effectiveness of entity level controls (PDF, 470 kb)

Executive summary

In the auditors' opinion, except for the observations noted in this report, there is reasonable assurance that the Canadian Grain Commission has established entity level controls that conform to the 5 component areas of the Committee of Sponsoring Organizations of the Treadway Commission Internal Control – Integrated Framework.

Based on the audit procedures performed, it appears that the Canadian Grain Commission has a sound foundation of entity level controls with the majority of the controls operating effectively, in whole or partially. The audit team has identified opportunities for improvement in the following critical entity level areas:

values and ethics
integrated risk management and assessment
fraud risk assessment framework
business continuity planning

The Chief Operating Officer, directors and business process owners identified in this report have accepted these recommendations. They have committed to appropriate management action plans to address the identified control gaps, as outlined in section 4.

We recognize that a portion of the scoping period, April 1, 2019 to March 31, 2020, fell during an unprecedented COVID-19 global pandemic. This brought never-before-seen challenges to the Canadian Grain Commission, its employees and external partners, who were required to transform business processes, technological solutions and work styles in response to the frequent and unexpected changes inherent in the COVID-19 environment. These challenges impacted the effectiveness and efficiencies of some initiatives and processes.

The audit team conducted the appropriate audit procedures and gathered sufficient evidence to support the opinion provided in this report. The audit team based their opinion on comparing the conditions, as they existed at the time, against pre-established audit criteria agreed upon with the business process owners. This opinion applies only to the entity examined and to the scope described herein. Audit and Evaluation Services conforms to the Institute of Internal Auditors’ International Professional Practices Framework as adopted by the Government of Canada.

Categories of internal control over financial reporting controls.

1. Background

Based on the Treasury Board Secretariat's Policy on Financial Management that came into effect on April 1, 2017, Government of Canada departments are required to establish a risk-based system of internal control over financial reporting. The purpose of these controls is to ensure that "financial resources of the Government of Canada are well managed in the delivery of programs to Canadians and safeguarded through balanced controls that enable flexibility and manage risk."

Entity level controls are one of 3 categories of internal control over financial reporting controls (ICFR) that permeate the organization and directly or indirectly impact financial reporting integrity. Entity level controls are focused mainly on the organization's top-level controls, including components such as:

the ethical "tone at the top"
culture
values and ethics
governance
accountability
transparent communication

These controls also include:

risk management and assessment
human resources management
the internal audit function
the departmental audit committee
other executive oversight bodies

These controls have a fundamental impact on the reliability of controls at the process level and ultimately influence the Canadian Grain Commission's ability to achieve its goals and objectives.

Information technology general controls support the initiation, recording, processing and reporting of financial transactions. Strong information technology general controls (ITGCs) form the foundation for greater reliance on automated application controls embedded within financial systems.

Business process controls are comprised of both manual and automated controls. They are embedded in financial transactions. Generally, these are considered key business processes and can include:

payroll
benefits
capital assets
accounting
travel
expenses
procurement
revenue and receivables

An entity level controls assessment is included within the 3-year Financial System and Controls unit's cyclical monitoring plan. In May 2017, an entity level controls audit was completed by external consultants. This audit resulted in 11 recommendations for improvement:

9 of which have been implemented
1 remains in progress
1 is related to the development of fraud management framework and was re-assessed during this audit

The Chief Commissioner approved this entity level controls audit for inclusion in the 2020-2021 Audit and Evaluation Services' risk-based plan. For additional information on the Canadian Grain Commission’s Internal Control Management Framework, see Appendix D.

2. Objective and scope

The objective of this engagement was to assess the adequacy of design and operating effectiveness of entity level controls established by the Canadian Grain Commission to support the Treasury Board's Policy on Financial Management.

The purpose of the control design is to establish appropriate controls to meet organizational objectives. Operating effectiveness is assessed to determine whether the established controls perform as designed.

The detailed criteria used in this audit were derived from the Committee of Sponsoring Organizations of the Treadway Commission Internal Control – Integrated Framework’s 2013 pillars and principles. Appendix B summarizes the Canadian Grain Commission's entity level controls identified by this audit and maps them to pillars and principles.

The scope of this audit included all Canadian Grain Commission's entity level controls in place from April 1, 2019, to March 31, 2020.

3. Approach and methodology

Audit and Evaluation Services' audit methodology is based on both the Institute of Internal Auditors’ International Professional Practices Framework and the Treasury Board Secretariat's Policy on Internal Audit and related directives.

During the audit, the audit team performed the following procedures:

obtained and reviewed Treasury Board and other Government of Canada policies, procedures, directives and standards pertaining to entity level controls
obtained and reviewed applicable Canadian Grain Commission policies, procedures and internal governance documents
analyzed previous internal control assessment reports, recommendations and remediation actions
interviewed directors and subject matter experts responsible for the maintenance of entity level controls within their area of responsibility
- the purpose of the interviews was to identify existing controls and verify audit findings
corroborated management assertions by obtaining and reviewing supporting documentation and testing selected entity level controls for effectiveness, where applicable
mapped entity level controls identified during this audit against the Treadway Commission Internal Control – Integrated Framework’s 2013 pillars and principles (Appendix B)

4. Findings, recommendations and action plans

This section outlines key findings, recommendations and management action plans. Findings of lesser materiality, risk or impact have been communicated with the auditee either verbally or in management letters. Examined Canadian Grain Commission control elements with no specific audit findings have been outlined in Appendix E.

The findings are organized by the 5 pillars of the Treadway Commission Internal Control – Integrated Framework’s 2013 pillars and principles that are described in detail in Appendix B.

4.1 Control environment

Conclusion: Overall, the control environment was adequately designed and worked effectively. Opportunities for improvement were identified in 4 areas and are outlined in this section.

The control environment is the set of standards, processes and structures that provide the basis for carrying out internal control across the organization. Oversight bodies and executive management establish the tone at the top regarding expected standards of conduct. Management reinforces expectations at various levels of the organization.

The control environment is comprised of:

the organization's integrity and ethical values
governance and oversight
the organizational structure
assignment of authority and responsibility
the process for attracting and retaining competent staff
the rigour around performance measures and rewards

The resulting control environment has a pervasive impact on the overall system of internal control.

The following section describes the entity level controls that defined the Canadian Grain Commission's control environment where there were audit findings.

4.1.1 Values and Ethics Code and training

The Canadian Grain Commission has established a department-specific Values and Ethics Code titled “Living our Values”. The code has been developed to support the government-wide Values and Ethics Code for the Public Sector under the Public Servant Disclosure Protection Act and the Office of Conflict of Interest and Ethics Commissioner provisions.

The Values and Ethics Code identifies accountability and describes organizational expectations and standards for ethical or moral behaviour, acceptable business practices, and the conflict of interest. It includes examples of behaviours that are acceptable and unacceptable.

The responsibility for maintaining the Values and Ethics Code is delegated to the Values and Ethics Officer, who is also a chair of the Values and Ethics Working Group described further in this report. Currently, the Values and Ethics Code is being updated to reflect the most recent Treasury Board Secretariat's People Management Policy and Directive on Conflict of Interest.

New Canadian Grain Commission employees are expected to sign the Values and Ethics Code upon hiring and annually during performance reviews. Upon testing a sample of new hires for the initial Values and Ethics Code sign-off, we found that Human Resources records do not contain evidence of the signed Values and Ethics Code for 76% of sampled employees.

In addition, all new Canadian Grain Commission employees must complete the Orientation to the Public Service course developed by the Canada School of Public Service. This course contains values and ethics components and is built into the employee’s personal core learning profiles. However, it appears that there is not a requirement for periodic and ongoing values and ethics education after hiring.

Recommendation 1 (controlled risk):

We recommend that the Human Resources Director:

analyze the initial Values and Ethics Code signing process and identify actions that will ensure that all new hires sign the code on a timely basis
explore and evaluate options for the periodic and ongoing values and ethics education and incorporate acceptable options into the employees' learning plans

Management action plan 1:

In the letter of offer, a standardized paragraph is included that specifies adherence to the Values and Ethics Code and forms part of the conditions of employment. The Values and Ethics Officer is to determine if an additional sign-off through the onboarding process is required. If deemed necessary, the business support and pay integration unit will collaborate with regional administrative employees to determine the root cause of why we are not receiving the Values and Ethics Code sign-off promptly. They will implement an improved procedure by September 30, 2021.

In concert with a review of all Canadian Grain Commission required training and development of our learning strategy, training options for values and ethics are be further examined. A requirement for periodic values and ethics awareness and/or training for all employees is to be implemented. The Values and Ethics Officer will be responsible for implementation by March 31, 2022.

4.1.2 Values and Ethics Working Group

The Canadian Grain Commission has established a Values and Ethics Working Group to promote the Values and Ethics Code and support the work of the Values and Ethics Officer, who is also a chair of the working group. The working group is comprised of volunteer representatives from each Canadian Grain Commission region. Prior to the COVID-19 pandemic, the group:

met monthly
produced a 3-year values and ethics plan focused on ethical awareness and training activities
reported the program progress to the Departmental Audit Committee periodically

The audit noted that all Values and Ethics Working Group activities, including regular meetings, the activity plan and updates to the Departmental Audit Committee, were suspended in March 2020 due to the pandemic. It appears prior to this suspension that the Values and Ethics Officer's role and responsibilities were not clearly defined in the Values and Ethics Working Group terms of reference or other governing documents.

Recommendation 2 (controlled risk):

We recommend, considering the Canadian Grain Commission's business resumption status, that regular Values and Ethics Working Group activities resume and that the Values and Ethics Officer's role and responsibilities are formalized.

Management action plan 2:

The Values and Ethics Officer, responsible for implementing this action plan, is currently acting as the Director of Human Resources. The Values and Ethics Officer's portfolio will be temporarily re-assigned to a Senior Labour Relations advisor effective September 2021. The Values and Ethics Working Group resumed meetings in November 2020 with the intention to re-establish a regular meeting schedule by October 29, 2021.

In addition, the Values and Ethics Officer’s roles and responsibilities are to be articulated in the terms of reference by October 29, 2021. A 3-year values and ethics action plan for 2021 to 2023 will be prepared and presented to the Chief Operating Officer and Chief Commissioner for approval by October 29, 2021. The Departmental Audit Committee is to be briefed on the values and ethics action plan in November 2021.

4.1.3 Executive Management Committee

The Canadian Grain Commission has formed an Executive Management Committee to assist the Chief Operating Officer in providing leadership and executing strategies related to the day-to-day management of the organization. The Executive Management Committee meets weekly and on an as-needed basis. However, the audit noted that the Executive Management Committee terms of reference has been in draft format since 2017.

Recommendation 3 (well controlled risk):

We recommended that the Chief Operating Officer ensure that the Executive Management Committee terms of reference are updated and presented to the Chief Commissioner for approval.

Management action plan 3:

The Chief Operating Officer is responsible for the updating of the Executive Management Committee terms of reference in consultation with the Executive Management Committee and the Commission. The objective is to ensure that roles and responsibilities between the Executive Management Committee and the Commission are clearly articulated in their respective terms of reference.

Final sign-off of Executive Management Committee terms of reference will be at the Chief Commissioner authority level by December 31, 2021.

4.1.4 Human resources policies and practices

The Canadian Grain Commission has established human resources policies and practices that include, but are not limited to:

A performance management program: A robust performance management program that includes annual and mid-year performance appraisals for all employees. The review process allows managers and employees to communicate and provide feedback through the government-wide Public Service Performance Management (PSPM) platform. Responsibility for the performance reviews is built into each directors' performance objectives. This approach has resulted in the Canadian Grain Commission's average performance appraisal completion rate of over 90%.
Talent management plans: Under the Directive on Performance Management, talent management plans are established for employees who have consistently met expectations and are aspiring to bring their careers to the next level.
Learning and development plans: The Personal Core Learning Maps are developed through collaboration between employees and their supervisors. The plans are tailored to each employees’ interests and incorporate specific training requirements for each employment level and position needs.
The awards and recognition program: The program has been designed to reward employees for their achievements and contributions that reflect the values of the Canadian Grain Commission.
The National Employment Equity, Diversity and Inclusion Committee: The committee has been established to assist the Chief Operating Officer in developing and implementing the diversity and inclusion plans. This committee is comprised of representatives from all Canadian Grain Commission regions and meets periodically to discuss activities and initiatives focused on attracting and maintaining a diversified workforce. The audit noted that key committee information, including the terms of reference, committee members and diversity and inclusion plans, have not been updated since 2015.
People and succession planning: Divisional management teams are provided with tools, instructions and support from human resources advisors to conduct people planning. This process is integrated with budget planning to identify future staffing needs. Corporate people planning sessions are conducted by the Human Resources unit and the Executive Management Committee annually to discuss succession plans for critical and senior positions. However, the audit found no evidence of the integration between the divisional and executive people and succession planning.
Job descriptions and classifications: Employee job descriptions are based on the position classification standards developed by the Treasury Board Secretariat. Any changes to the job description are subject to formal review and approval by an accredited Classification Officer. Upon reviewing a sample of job descriptions, the audit found that the Canadian Grain Commission's job descriptions in several places did not follow a standardized format and have not been reviewed for at least 5 years. However, the upcoming Treasury Board Secretariat's classification conversion exercises will bring the majority of the work descriptions to a current state in alignment with standardized job descriptions in 2021 and 2022.

Recommendation 4 (controlled risk):

We recommend that the Human Resources Director ensure that:

the National Employment Equity, Diversity and Inclusion Committee terms of references, member composition, new diversity and inclusion plan and other relevant information are updated to inform the Canadian Grain Commission staff on new equity and diversity initiatives
a process is developed to ensure periodic integrated divisional people planning is conducted

Management action plan 4:

The membership listing for the National Employment Equity, Diversity and Inclusion Committee is under review and solicitation for new members will take place as required.

National Employment Equity and Diversity Committee co-chairs are working with the Communications unit to update the committee's section on the Canadian Grain Commission’s internal website, StaffNet, by September 30, 2021.

Discussions at the Executive Management Committee meetings will take place at least bi-annually to discuss cross-divisional planning and corporate initiatives. The Human Resources Director accepts responsibly for implementing these actions by December 31, 2021.

4.2 Risk assessment

Conclusion: Further development is needed in the design of the Canadian Grain Commission-wide risk assessment process and fraud management framework.

Risk management involves identifying, assessing and prioritizing risks followed by an application of resources to mitigate the impact of adverse events and maximize possible opportunities. Risk management's objective is to ensure that uncertainty does not hinder an organization from reaching its goals.

This section discusses the current state of integrated risk and fraud risk management at the Canadian Grain Commission and outlines related findings, recommendations and management action plans.

4.2.1 Integrated risk management

To support the Treasury Board Secretariat’s Framework for the Management of Risk, the Canadian Grain Commission created the Integrated Risk Management Policy, which aims to create a proactive risk management culture throughout the organization.

The policy defines the risk management governance structure and roles and responsibilities to ensure a seamless incorporation of integrated risk management into all operational levels of the Canadian Grain Commission. However, the Integrated Risk Management Policy has not been updated since 2010 to reflect changes that have occurred in the organizational environment, roles and responsibilities.

The Integrated Risk Management Working Group is comprised of members from each Canadian Grain Commission division. It was formed to develop a corporate risk register to identify and assess critical risks against strategic objectives. The most recent 2020-2021 Corporate Risk Register was drafted but has not yet been presented to the Executive Management Committee for feedback and consideration in the strategic planning process.

The audit found that the Canadian Grain Commission's current risk identification and assessment process is focused on high-level strategic risks and not aligned with the organization's operational level risk information. Without the bottom-up integration, there is a potential that the risk information is not being consistently analyzed and escalated to appropriate senior decision makers to ensure timely mitigating actions. Coordination will also enable the sharing of risk information across the organization to ensure consistent approaches for similar risk-based decisions and avoid overlapping or duplicating efforts.

Recommendation 5 (controlled risk):

We recommend that the Director, Innovation and Strategy review and update the Integrated Risk Management Policy to reflect the most current organizational environment, including respective roles and responsibilities.

Management action plan 5:

The Director, Innovation and Strategy agrees with the recommendation and will revise the policy by the end of the 2021-2022 fiscal year.

Recommendation 6 (moderate issues):

We recommend that the Executive Management Committee define a process and responsibility for coordinating the operational-level risk assessment and integrate it with the strategic risk assessment process across the Canadian Grain Commission.

Management action plan 6:

The Director of Innovation and Strategy, in consultation with the Executive Management Committee, will define a process for operational-level risk assessment and how it will be integrated with the strategic risk assessment process by March 31, 2022.

Responsibility for coordinating the process will lie with the Integrated Risk Management Working Group, while tracking and mitigating operational level risks will continue to be the responsibility of individual business areas.

4.2.2 Fraud risk framework

The risk of fraud is inherent in all federal government programs and departments. The impact of a fraudulent act can go beyond the loss of tangible assets. It can also undermine Canadians' confidence in the federal public service. The best step that the organization can take to reduce exposure to fraud is to establish a comprehensive fraud management framework comprised of 4 key components:

a governance structure that sends a message that fraud will not be tolerated
a thorough fraud risk assessment to identify vulnerabilities to fraudulent activities
controls to prevent and detect fraud
procedures to investigate and manage fraud allegations

This audit identified elements and players contributing, directly or indirectly, to the fraud risk framework at the Canadian Grain Commission. These elements and players are grouped by the 4 key fraud framework components as described below.

Fraud risk governance: The Canadian Grain Commission has an oversight body, the Departmental Audit Committee, and its Values and Ethics Code. In addition, there is a responsibility for managing conflicts of interest disclosures.

Under the Procedures for Making Wrongdoing Disclosure, employees have the opportunity to raise concerns regarding potential fraud and are guaranteed protection under the Public Servant Disclosure Protection Act.

While there are several governing controls in place, it was noted that there is not an established policy and overall responsibility for the fraud framework. Together, these two additional controls would aid in further strengthening management's position on fraud tolerance and commitment to enforcing the anti-fraud controls and mechanisms.

Fraud risk assessment: The Integrated Risk Management Group considers fraud risks in identifying and assessing risks to the strategic objectives. The Finance team rates fraud risks during the development of a systematic financial statement monitoring plan. The Audit and Evaluation Services team considers fraud risks in developing a multi-year risk-based audit plan and while planning each internal audit engagement.

This audit found that, currently, there is no process in place to identify, document and assess operational fraud risks across the Canadian Grain Commission. Without a formal assessment of fraud risk, including analysis and mitigation planning, there may be an increased risk of fraudulent activities.

Anti-fraud operational controls: All new employees must undertake a mandatory Orientation to the Public Service course offered through the Canada School of Public Service, which includes training on anti-fraud controls and discussion of potential fraud scenarios.

Under the Chief Financial Officer's responsibility, the Finance team maintains a system of controls over accounting transactions and financial statements that directly or indirectly prevent fraudulent transactions. Annually, external auditors perform tests of controls over financial statements, including analysing data to identify possible fraudulent transactions. In addition, internal controls are assessed on a cyclical basis under the Internal Control Management Framework.

To prevent forgery of official grain documents, Industry Services maintains a robust quality management system. In addition, all Canadian Grain Commission employees are subject to background and security clearances. Employees are also held accountable for their conduct through annual and mid-year performance appraisals.

While there is a fraud component in the mandatory training taken by all new employees, there is no requirement for ongoing or periodic targeted fraud training. The absence of systematic fraud training and awareness could potentially result in employees not identifying and reporting potentially fraudulent activities.

Investigation and management of fraud allegations: The Canadian Grain Commission has a Senior Officer for Disclosure, who is a certified fraud examiner with expertise in investigating fraud allegations. This could help determine the path forward if an allegation of fraud was to arise.

Recommendation 7 (controlled risk):

We recommend that the Executive Management Committee assign responsibility for maintaining the fraud risk framework and develop a plan to address components of the Canadian Grain Commission's fraud management framework that require further strengthening. Specifically, the plan must consider a fraud policy or an anti-fraud statement, periodic fraud training and awareness and a systematic fraud risk identification and documentation process.

Management action plan 8:

The Chief Operating Officer, in consultation with the Executive Management Committee, will establish operational leads to ensure that an anti-fraud risk statement is sent to Canadian Grain Commission employees to enhance anti-fraud awareness and determine whether additional organizational training is required to supplement this anti-fraud statement. This will be done by December 31, 2021.

The Chief Operating Officer will ensure that the Director, Innovation and Strategy integrates an anti-fraud component into the annual strategic risk assessment process so that potential fraud risk is identified and documented. This will be done by September 30, 2022.

Responsibility for coordinating the process will lie with the Integrated Risk Management Working Group, while tracking and mitigating operational anti-fraud risks will continue to be the responsibility of individual business areas.

4.3 Control activities

Conclusion: Although control activities were designed effectively, the business continuity plan has not been finalized and tested. Without robust business continuity planning, the Canadian Grain Commission is at high risk of interruptions to critical business processes in the event of a disaster.

The control activities' objective is to serve as a mechanism for managing the achievement of organizational goals. The control activities' guiding principles include selecting and developing internal controls and deploying them through policies and procedures.

The section below describes mechanisms used by the Canadian Grain Commission to report internal control deficiencies to business process owners where there were audit findings. Descriptions of the Canadian Grain Commission’s other elements in this area can be found in Appendix C.

4.3.1 Business continuity planning

The 2017 entity level control audit found that the Canadian Grain Commission's business continuity planning was not finalized and recommended that it be addressed accordingly. While the management agreed to that recommendation and developed an action plan to address it, the implementation was paused due to COVID-19. The audit team was advised that business continuity planning is scheduled to be resumed.

Recommendation 8 (moderate issues):

We recommended that the Chief Financial Officer ensure that business continuity planning is finalized. As per the Treasury Board Secretariat’s Policy on Government Security, the Operational Security Standard – Business Continuity Planning Program, business continuity planning must consider essential components such as governance, business impact analysis and preparedness activities.

Management action plan 8:

The Chief Financial Officer will seek approval from the Executive Management Committee to reactivate the Canadian Grain Commission’s business continuity planning in the first quarter of the 2021-2022 fiscal year. The critical functions and business impact analysis will also be reviewed and renewed in 2021-2022.

During the 2022-2023 fiscal year, the draft business continuity plan will be updated based on lessons learned from the pandemic and submitted to the Executive Management Committee for approval. Training and testing will also be completed in the 2022-2023 fiscal year. The Chief Financial Officer is responsible for this management action plan.

4.4 Information and communication

Conclusion: Processes and controls related to information and communications were designed effectively.

The main objective of information and communication systems is to ensure that internal and external stakeholders are provided with relevant, timely and sufficient information to prepare reliable financial statements and maintain adequate internal controls.

There were no findings in this area. The details of control elements in this area have been outlined in Appendix C.

4.5 Monitoring

Conclusion: Monitoring activities are designed effectively.

The objective of monitoring is to detect and remediate control deficiencies throughout the system of controls over financial statements and reporting. The guiding principles of the monitoring activities include:

conducting ongoing assessments
evaluating
communicating gaps

There were no findings in this area. Monitoring activities identified during this audit are described in Appendix C.

5. Conclusion

Based on the assessment findings outlined above, the audit team's opinion is that the entity level controls at the Canadian Grain Commission are generally designed and implemented in compliance and conform to the 5 key areas of the Committee of Sponsoring Organizations of the Treadway Commission Internal Control – Integrated Framework.

The audit identified some opportunities for improvement that were communicated within this report. A summary of all controls, recommendations and management action plans are also outlined in Appendix C.

6. Acknowledgements and contacts

We express our appreciation to the Chief Financial Officer, Chief Operating Officer, the Commissioners and their staff for their assistance during this audit and looking forward to working with them on future engagements.

The final audit report was issued to:

Doug Chorney, Chief Commissioner
Jocelyn Beaudette, Chief Operating Officer
Cheryl Blahey, Chief Financial Officer
Patti Charach, (Acting) Director, Human Resources
Jon Friesen, Director, Innovation and Strategy

The audit team contacts:

Angela Davis, Chief Audit and Evaluation Executive
Anna Chugunova, Senior Internal Auditor

Appendix A: Assessment scale and results summary

Conclusion	Definition
Well controlled	Well managed. No material weaknesses noted and are mostly effective.
Controlled	Well managed and effective. Minor improvements are needed.
Moderate issues	Requires management focus where at least 1 of the following criteria are met: control weaknesses, but exposure is limited because the likelihood of risk occurring is not high control weaknesses, but exposure is limited because the impact of the risk is not high
Significant improvements required	Requires immediate management focus where at least 1 of the following three criteria are met: financial adjustments material to line item or area or to the department control deficiencies represent serious exposure major deficiencies in overall control structure

Appendix B: Entity level controls mapped to the Committee of Sponsoring Organizations of the Treadway Commission 2013 pillars and principles

The Canadian Grain Commission has adopted the Committee of Sponsoring Organizations of the Treadway Commission framework that was recommended by the Treasury Board's Policy on Internal Controls that took effect in 2009 and was superseded by the Policy on Financial Management in 2017.

In 2013, the Committee of Sponsoring Organizations of the Treadway Commission updated its control framework to address changes in the business, operating and regulatory environment. These updates were intended to:

address significant changes in the business environment
specify criteria to use in the development and assessment of internal control
increase the focus on operations, compliance and non-financial reporting objectives

The table below summarizes the entity level controls identified by this audit and mapped to the related the Committee of Sponsoring Organizations of the Treadway Commission 2013 pillars and principles.

The Committee of Sponsoring Organizations of the Treadway Commission 2013 pillars and principles		Entity level controls
Control environment
Principle 1	The organization demonstrates a commitment to integrity and ethical values.	Values and Ethics Code and training Values and Ethics Working Group and officer Conflict of Interest Disclosure Officer Procedures for Making Wrongdoing Disclosure standard Disclosure Officer responsibility Workplace Harassment and Violence Prevention Policy
Principle 2	The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.	Departmental Audit Committee Values and Ethics Code and training Commissioners Executive Management Committee Audit and Evaluation Services
Principle 3	Management establishes (with board oversight) structures, reporting lines and appropriate authorities and responsibilities in the pursuit of objectives.	Chief Audit and Evaluation Executive and Chief Financial Officer are independent and reporting directly to the Chief Commissioner Chief Audit and Evaluation Executive, Chief Financial Officer and external auditors have unrestricted access to the Departmental Audit Committee Organizational charts are maintained
Principle 4	The organization demonstrates a commitment to attract, develop and retain competent individuals in alignment with objectives.	Human resources policies and procedures Talent management plans Learning and development plans National Employment Equity, Diversity and Inclusion Committee People and succession planning Job descriptions and classifications Official languages development
Principle 5	The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.	Performance management program Awards and recognitions program
Risk assessment
Principle 6	The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.	Integrated Risk Management Policy Integrated Risk Management Working Group Corporate Risk Register
Principle 7	The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.	Integrated Risk Management Policy Integrated Risk Management Working Group
Principle 8	The organization considers the potential for fraud in assessing risks to the achievement of objectives.	Departmental Audit Committee Values and Ethics Code Responsibility for managing conflicts of interest Procedure for Making Wrongdoing Disclosure The Integrated Risk Management Working Group considers fraud risks Finance rates fraud risks Audit and Evaluation Services considers fraud risks in developing a multi-year risk-based audit plan and while planning each internal audit engagement Orientation to the Public Service course System of controls over accounting transactions External auditors perform testing of controls over financial statements The Internal Control Management Framework Industry Services maintains a quality management system Security clearances Senior Disclosure Officer
Principle 9	The organization identifies and assesses changes that could significantly impact the system of internal control.	Integrated Risk Management Working Group Corporate Risk Register Cyclical financial statement risk assessment and control monitoring External auditors perform testing of controls over financial statements
Control activities
Principle 10	The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.	Internal Control Management Framework Set of financial control policies and procedures Service level agreements Business continuity planning
Principle 11	The organization selects and develops general control activities over technology to support the achievement of objectives.	Out of scope
Principle 12	The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.	Set of financial control policies and procedures Internal Control Management Framework
Information and communication
Principle 13	The organization obtains or generates and uses relevant, quality information to support the functioning of internal controls.	Out of scope
Principle 14	The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.	Canadian Grain Commission public website and StaffNet include policies and procedures Newsletters, town halls, announcements Departmental plans and results documents Corporate Information Services (Communications, Multimedia and Translations Services)
Principle 15	The organization communicates with external parties regarding matters affecting the functioning of internal control.	Results of internal and external control assessments are timely and effectively communicated to appropriate stakeholders Audit results that do not pose issues to the security and privacy are published on the Canadian Grain Commission’s public website
Monitoring
Principle 16	The organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.	Control assessment performed by internal and external auditors as well as by other government departments (horizontal audits)
Principle 17	The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action.	Results of internal and external control assessments are timely and effectively communicated to appropriate stakeholders Audit results that do not pose issues to the security and privacy are published on the Canadian Grain Commission’s public website Management action plans are developed and followed up until implemented

Appendix C: Summary of findings, recommendations and management action plans

The following is a summary of controls, findings, recommendations and management action plans communicated through this report. Please see Appendix A for the description of the risk rating used in this report.

Criteria (Committee of Sponsoring Organizations principle)	Description of controls	Findings	Recommendations	Owner	Management action plans
Control environment
Principle 1: The organization demonstrates a commitment to integrity and ethical values	The Canadian Grain Commission has established a department-specific Values and Ethics Code titled “Living our Values”. The code has been developed to support the government-wide Values and Ethics Code for the Public Sector under the Public Servant Disclosure Protection Act and the provisions of the Office of Conflict of Interest and Ethics Commissioner. All new employees and contractors acknowledge the Values and Ethics Code. All new Canadian Grain Commission employees are required to complete the mandatory Orientation to the Public Service course, which contains values and ethics training. As part of the commitment to ethical values, the Canadian Grain Commission has established responsibility and a process for documenting, managing and resolving conflict of interest disclosures. The Canadian Grain Commission's Making Wrongdoing Disclosure standard supports the Public Servants Disclosure Protection Act. The Disclosure Officer responsibility was established and delegated to the Chief Audit and Evaluation Executive. In support of the Canada Labour Code and Occupational Health and Safety Act, the Canadian Grain Commission has established the Policy on Workplace Harassment and Violence Prevention. This policy clearly outlines the roles and responsibilities of all Canadian Grain Commission employees for the prevention, detection and reporting of workplace harassment and violence.	Upon testing a sample of new hires for the initial Values and Ethics Code sign-off, we found that Human Resources records do not contain evidence of the signed Values and Ethics Code for 76% of sampled employees. There is no requirement for periodic and ongoing values and ethics education after the initial hiring process.	1. We recommend that the Human Resources Director commit to: 1.1 an analysis of the initial Values and Ethics Code signing process and identify actions that will ensure that all new hires sign the Values and Ethics Code on a timely basis 1.2 explore and evaluate options for the periodic and ongoing values and ethics education and incorporate acceptable options into the employees' learning plans Controlled risk.	Human Resources Director / Values and Ethics Officer	In the letter of offer, a standardized paragraph is included, which specifies that adherence to the Values and Ethics Code and forms part of the conditions of employment. The Values and Ethics Officer is to determine if an additional sign-off through the onboarding process is required. If deemed necessary, the business support and pay integration unit will collaborate with regional administrative employees to determine the root cause of why we are not receiving the Values and Ethics Code sign-off promptly and implement an improved procedure by September 30, 2021. In concert with a review of all Canadian Grain Commission required training and development of our learning strategy, training options for values and ethics is to be further examined. A requirement for periodic values and ethics awareness and/or training for all employees is to be implemented by March 31, 2022. The Values and Ethics Officer will be responsible for the implementation.
	The Values and Ethics Working Group was established to promote the Values and Ethics Code and support the work of the Values and Ethics Officer.	The audit noted that all Values and Ethics Working Group activities, including regular meetings, the values and ethics activity plan and updates to the Departmental Audit Committee, were suspended in March 2020. Also, it appears that the Values and Ethics Officer's role and responsibilities were not clearly defined and formalized neither in the Values and Ethics Working Group’s terms of reference nor other governing documents.	2. We recommend considering the Canadian Grain Commission's business resumption status, that the regular Values and Ethics Working Group activities resume and that the Values and Ethics Officer's role and responsibilities are formalized. Controlled risk.	Values and Ethics Officer	The Values and Ethics Officer, responsible for implementing this action plan, is currently acting as the Director of Human Resources. The Values and Ethics Officer's portfolio will be temporarily reassigned to a Senior Labour Relations Advisor effective September 2021. The Values and Ethics Committee recommenced meetings in November 2020 with a regular meeting schedule being re-established by October 29, 2021. The Values and Ethics Officer roles and responsibilities are to be articulated in the terms of reference by October 29, 2021. A 3-year values and ethics action plan for 2021 to 2023 will be prepared and presented to the Chief Operating Officer and Chief Commissioner for approval by October 29, 2021. The Departmental Audit Committee is to be briefed on the values and ethics action plan in November 2021.
Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.	Independent oversight responsibility is exercised by the Departmental Audit Committee, comprised of 3 members acting exclusively in an advisory capacity to the Chief Commissioner. This oversight includes challenging and providing advice regarding the sufficiency and quality of the assurance provided on the adequacy and functioning of the Canadian Grain Commission financial statement and internal controls. The Canadian Grain Commission is led by a team of 3 Commissioners appointed by the Governor in Council per section 3 of the Canada Grain Act. The Canadian Grain Commission's responsibility and authority are formalized in the terms of reference. The Executive Management Committee was established to assist the Chief Operating Officer in providing leadership and executing strategies related to the day-to-day management of the organization.	The Executive Management Committee terms of reference has been in draft format since 2017.	3. We recommended that the Chief Operating Officer ensure that the Executive Management Committee terms of reference are updated and presented to the Chief Commissioner for feedback and approval. Well controlled risk.	Chief Operating Officer	The Chief Operating Officer is responsible for the updating of the Executive Management Committee terms of reference in consultation with the Executive Management Committee and the Commission. The objective is to ensure that roles and responsibilities between the Executive Management Committee and the Commission are clearly articulated in their respective terms of reference. Final sign off of the Executive Management Committee terms of reference will be at the Chief Commissioner authority level by December 31, 2021.
Principle 3: Management establishes, with board oversight, structures, reporting lines and appropriate authorities and responsibilities in the pursuit of objectives.	The Canadian Grain Commission decided to support and maintain its own internal audit function. The audit function's purpose, authority and responsibilities are outlined in the Audit and Evaluation Services Charter, which is reviewed by the Departmental Audit Committee and approved by the Chief Commissioner annually. The Charter grants the audit team unrestricted access to all activities, operations, records, databases and workplaces, and the authority to obtain information and explanations from any employee and contractor, as necessary, to provide objective assurance and consulting services to the Canadian Grain Commission. To support the departmental structure, authority and responsibility, the Canadian Grain Commission maintains up-to-date organizational charts that delineate responsibilities and reporting lines within the Canadian Grain Commission. The Classification Officer is reviewing all new positions to ensure the appropriate corporate hierarchy. An independent and objective reporting structure has been ensured by making the Chief Financial Officer and the Chief Audit and Evaluation Executive report directly to the Chief Commissioner. In addition, the Chief Financial Officer, the Chief Audit and Evaluation Executive and external auditors have direct and unrestricted access to the Departmental Audit Committee including in-camera discussions.	No findings.	No recommendations. Well controlled risk.
Principle 4: The organization demonstrates a commitment to attract, develop and retain competent individuals in alignment with objectives.	The Canadian Grain Commission has established human resources policies and practices that include, but are not limited to: talent management plans learning and development plans the National Employment Equity, Diversity and Inclusion Committee people and succession planning: job descriptions and classifications	The audit noted that key National Employment Equity, Diversity and Inclusion Committee information, including the terms of reference, committee members, and diversity and inclusion plans, have not been updated since 2015. There is no evidence of the integration between the divisional and executive people and succession planning.	4. We recommend that the Humans Resources Director ensure that: 4.1 the National Employment Equity, Diversity and Inclusion Committee terms of reference, member composition, new diversity and inclusion plan and other relevant information are updated to inform the Canadian Grain Commission staff on new equity and diversity initiatives 4.2 a process is developed to ensure periodic integrated divisional people planning is conducted Controlled risk.	Human Resources Director	Membership listing for National Employment Equity, Diversity and Inclusion Committee is under review and solicitation for new members will take place as required. National Employment Equity, Diversity and Inclusion Committee co-chairs are working with the Communications unit to update the committee's section on the Canadian Grain Commission’s internal website, StaffNet, by September 30, 2021. Discussions at the executive committee meetings will take place at least bi-annually to discuss cross-divisional planning and corporate initiatives. The Human Resources Director accepts responsibly for implementing these actions by December 31, 2021.
Principle 5: The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives	The Canadian Grain Commission has established a robust performance management program that includes annual and mid-year performance appraisals for all employees. The review process allows managers and employees to communicate and provide feedback through the government-wide Public Service Performance Management (PSPM) platform. Responsibility for the performance reviews is built into each director’s performance objectives. This resulted in the Canadian Grain Commission's average performance appraisal completion rate of over 90%. The awards and recognition program has been designed to reward employees for their achievements and contributions that reflect the values of the Canadian Grain Commission.	No findings.	No recommendations. Well controlled risk.
Risk assessment
Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.	The Canadian Grain Commission has the Integrated Risk Management Policy, which aims to enforce a culture of proactive risk management at all levels of the Canadian Grain Commission. The policy defines the risk management governance structure and roles and responsibilities to ensure a seamless incorporation of integrated risk management into all operational levels of the Canadian Grain Commission.	The Integrated Risk Management Policy has not been updated since 2010 and does not reflect changes in the organizational environment and roles and responsibilities.	5. The Director, Innovation and Strategy, should review and update the Integrated Risk Management Policy to reflect the most current organizational environment and respective roles and responsibilities. Controlled risk.	Director, Innovation and Strategy	The Director, Innovation and Strategy agrees with the recommendation and will review and update the policy by the end of the 2021-2022 fiscal year.
Principle 7: The organization identifies risks to the achievement of its objectives across the entity and analyses risks as a basis for determining how the risks should be managed. Principle 9: The organization identifies and assesses changes that could significantly impact the system of internal control.	The Integrated Risk Management Working Group is responsible for developing, monitoring and improving the Corporate Risk Register and coordination of the Canadian Grain Commission-wide risk assessment and comprised of members from each divisional area. The Integrated Risk Management Working Group meets on a periodic basis to develop and discuss the Corporate Risk Register in support of the annual strategic planning process. The audit confirmed that the 2020-2021 Corporate Risk Register was completed.	The audit found that the Canadian Grain Commission's current risk identification and assessment process is focused exclusively on high-level strategic risks and not aligned with the organization's risk information at operational levels. Without the bottom-up integration, there is a potential for the risk information to not be consistently analysed and escalated to appropriate senior decision-makers to ensure timely mitigating actions. This coordination will also enable sharing of risk information across the organization to ensure consistent approaches for similar risk-based decisions and avoid overlapping or duplicating efforts.	6. We recommend that the Executive Management Committee define a process and responsibility for coordinating the operational level risk assessment and integrate it with the strategic risk assessment process across the Canadian Grain Commission. Moderate issues.	Director, Innovation and Strategy	The Director, Innovation and Strategy, in consultation with the Executive Management Committee, will define a process for operational level risk assessment and how it will be integrated with the strategic risk assessment process by March 31, 2022. Responsibility for coordinating the process will lie with the Integrated Risk Management Working Group, while tracking and mitigating operational level risks will continue to be the responsibility of individual business areas.
Principle 8: The organization considers the potential for fraud in assessing risks to the achievement of objectives.	The audit identified elements and players contributing, directly or indirectly, to the fraud risk framework at the Canadian Grain Commission. These elements and players are grouped by the 4 key fraud framework components as follows: Governance: The Canadian Grain Commission has an oversight body, the Departmental Audit Committee, and the Values and Ethics Code. There is a responsibility for managing conflicts of interest disclosures. Under the Procedures for Making Wrongdoing Disclosure, employees have the opportunity to raise concerns regarding potential fraud and are guaranteed protection under the Public Servant Disclosure Protection Act. Fraud risk assessment: The Integrated Risk Management Group considers fraud risks in identifying and assessing risks to the strategic objectives. Finance rates fraud risks during the development of a systematic financial statement monitoring plan. Audit and Evaluation Services considers fraud risks in developing a multi-year risk-based audit plan and while planning each internal audit engagement. Operational controls: All new employees must take the mandatory Orientation to the Public Service course offered through the Canada School of Public Service, which includes training on anti-fraud controls and fraud scenarios. Under the Chief Financial Officer's responsibility, the Finance team maintains a system of controls over accounting transactions and financial statements that directly or indirectly prevent fraudulent transactions. Annually, external auditors perform testing of controls over financial statements, including analysing data to identify possible fraudulent transactions. Also, internal controls are assessed on a cyclical basis under the Internal Control Management Framework. To prevent forgery of official grain documents, Industry Services maintains a robust quality management system. All Canadian Grain Commission employees are subject to background and security clearances and are held accountable for their conduct through annual and mid-year performance appraisals. Investigation and management of fraud allegations: The Canadian Grain Commission has a Senior Officer for Disclosure, who is a certified fraud examiner with expertise in investigating fraud allegations. This could help determine the path forward if an allegation of fraud was to arise.	Governance: While there are several governing controls in place, there is no established policy and overall responsibility for the fraud framework. Together, these 2 controls would demonstrate management's position on fraud tolerance and commitment to enforcing the anti-fraud controls and mechanisms. Fraud risk assessment: This audit found that there is currently no process to identify, document and assess fraud risks across the Canadian Grain Commission. Without a formal assessment of fraud risk, including analysis and mitigation planning, there may be an increased risk of fraudulent activities. Operational controls: While there is a fraud component in the mandatory training taken by all new employees, there is no requirement for periodic targeted fraud training. The absence of systematic fraud training and awareness might result in employees not identifying and reporting potentially fraudulent activities.	7. We recommend that the Executive Management Committee assigns responsibility for maintaining the fraud risk framework and develops a plan to address those components of the Canadian Grain Commission's fraud management framework that require further strengthening. Specifically, the plan must consider a fraud policy or an anti-fraud statement, periodic fraud training and awareness and a systematic fraud risk identification and documentation process. Controlled risk.	Chief Operating Officer	The Chief Operating Officer, in consultation with the Executive Management Committee, will establish operational leads to ensure that an anti-fraud risk statement is sent to Canadian Grain Commission employees to enhance anti-fraud awareness and determine what organizational training may be required to supplement this anti-fraud statement. This will be done by December 31, 2021. The Chief Operating Officer will ensure that the Director, Innovation and Strategy integrates an anti-fraud component into the annual strategic risk assessment process so that potential fraud risk is identified and documented. This will be done by September 30, 2022. Responsibility for coordinating the process will lie with the Integrated Risk Management Working Group, while tracking and mitigating operational anti-fraud risks will continue to be the responsibility of individual business areas.
Control activities
Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. Principle 12: The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.	To ensure the appropriateness of internal controls management, the Canadian Grain Commission has developed an Internal Control Management Framework and a periodic risk-based financial control monitoring plan. The framework includes the process to identify, document, evaluate and test key controls including testing of information technology general controls. The framework provides a mechanism to report deficiencies to business process owners, the Departmental Audit Committee and senior management. The Canadian Grain Commission's Finance team developed a set of control-specific policies and procedures. Some of these governing documents are posted on the Canadian Grain Commission’s internal website, StaffNet, and a complete set of policies and procedures are available to all Finance employees. Finance policies are periodically reviewed and updated to ensure compliance and consistency with Treasury Board Secretariat policies, procedures and directives. There is an established responsibility to continuously monitor changes to Treasury Board Secretariat policies and update the Canadian Grain Commission's policies accordingly. Part of the Canadian Grain Commission's control environment includes relying on third-party service providers, primarily other government agencies such as Agriculture and Agri-Food Canada and the Treasury Board Secretariat. The third-party providers maintain their own systems of internal controls that directly affect the Canadian Grain Commission's financial information. Under the Financial Administration Act, the government partners' accountabilities for maintaining and assessing their system of internal controls have been formally defined through service level agreements. Results of the third-party providers' internal control assessments and related action plans have been reported to the partner organizations, including the Canadian Grain Commission, to mitigate gaps and deficiencies, if applicable. The 2017 entity level control audit found that the Canadian Grain Commission's business continuity planning was not finalized and recommended that it be addressed accordingly.	The business continuity planning was paused due to the COVID-19 pandemic.	8. We recommend that the Chief Financial Officer ensures that the business continuity planning is finalized. As per the Treasury Board Secretariat Policy on Government Security, the Operational Security Standard – Business Continuity Planning Program, business continuity planning must consider essential components such as governance, business impact analysis and preparedness activities. Moderate issues.	Chief Financial Officer	The Chief Financial Officer will seek approval from the Executive Management Committee to resume business continuity planning in the first quarter of the 2021-2022 fiscal year. The critical functions and business impact analysis will also be reviewed and renewed in 2021-2022. In the 2022-2023 fiscal year, the draft business continuity plan will be updated based on lessons learned from the pandemic and submitted to the Executive Management Committee for approval. Training and testing will also be completed in the 2022-2023 fiscal year. The Chief Financial Officer is responsible for this management action plan.
Information and communication
Principle 14: The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. Principle 15: The organization communicates with external parties regarding matters affecting the functioning of internal control.	The Canadian Grain Commission's mandate, vision, mission and values are communicated to the public through the Canadian Grain Commission's website and include all financial and non-financial reporting documents related to internal controls. The Canadian Grain Commission effectively communicates the results of internal control audits and assessments to relevant stakeholders. For example, the results of internal control assessments are reported through the departmental performance reports and the annex to the Statement of Management Responsibility. Audit and Evaluation Services' audit reports are published on the Canadian Grain Commission's public website. The Departmental Audit Committee is informed in a timely manner of the results of the internal control assessments performed by the Audit and Evaluation Services and external auditors. To ensure the quality of information communicated to the public, the Canadian Grain Commission has established the Corporate Information Services team that comprises Communications, Multimedia and Translation Services. The team produces internal and external communications such as print publications, web content, presentations and social media content. Several information management and communications policies and procedures were developed and posted on the Canadian Grain Commission’s internal website called StaffNet. The Canadian Grain Commission leadership has been continuously communicating with the employees on various organizational topics, including, but not limited to, the departmental plans and departmental results, new initiatives, and changes to the Government of Canada policies. Leadership communicates through town hall meetings, all staff messages, internal website updates and ongoing email notifications. In 2020, the Canadian Grain Commission Open Government Working Group established the Open Data Release Procedure to support the Government of Canada's Directive on Open Government. This procedure aims to uphold transparency, accountability and citizen engagement in government decisions and processes. This procedure guides Canadian Grain Commission employees to handle requests for data and information and determines what requested information can or cannot be shared.	No findings.	No recommendations. Well controlled risk.
Monitoring
Principle 16: The organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. Principle 17: The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action.	The Canadian Grain Commission's internal controls are assessed by various means, including audits by the Office of Audit General and the Office of Comptroller General, annual financial statement audits conducted by external auditors, audits by the Audit and Evaluation Services, and others. As part of the internal control monitoring approach, results of the Canadian Grain Commission's internal control assessments are communicated to stakeholders responsible for taking corrective actions to develop management action plans to address identified control gaps. Internal control assessments and audit results are shared with the Executive Management Committee and the Departmental Audit Committee, whose members provide comments on recommendations and resulting action plans. Audit recommendations are followed up twice a year by Audit and Evaluation Services to ensure planned actions and timelines are resolved. Finance is responsible for following up on the external auditors' recommendations and other internal controls assessments for financial reporting. The results of all follow-ups are presented to the Departmental Audit Committee.	No findings.	No recommendations. Well controlled risk.

Appendix D: Canadian Grain Commission’s Internal Control Management Framework details

According to Treasury Board's Guide to Internal Control over Financial Management, the Canadian Grain Commission has established an Internal Control Management Framework that addresses key control areas:

the implementation of activities that ensure critical internal controls are assessed and periodically reassessed using a risk-based approach with corrective action taken when necessary
formal oversight of these activities through effective governance, including the establishment of an Internal Control Management Framework
regular reporting to the Executive Management Committee, the Chief Commissioner and the Departmental Audit Committee

According to the Treasury Board's Policy on Financial Management and the Canadian Grain Commission's Internal Control Management Framework:

the Chief Commissioner assumes overall responsibility and leadership for measures taken to ensure the internal control system's effectiveness
the Departmental Audit Committee supports the Chief Commissioner's role by providing independent advice on these elements
the Chief Financial Officer is responsible for supporting the Chief Commissioner in fulfilling the financial management responsibilities and providing leadership to the departmental financial management function
other executive managers are responsible for establishing and maintaining a system of internal controls for their areas

In addition to establishing governance and the appropriate management control frameworks, the Canadian Grain Commission's Internal Control Management Framework requires all significant processes and sub-processes to be assessed over a 3-year cycle. The Financial System and Controls unit within Finance is responsible for:

assessing ongoing financial risk
establishing a risk-based control monitoring plan
periodically evaluating controls
monitoring the implementation of corrective actions taken to address control gaps

The Financial System and Controls unit is also responsible for reporting financial risks and internal control assessments to the Executive Management Committee, Commissioners and Departmental Audit Committee.

Appendix E: Canadian Grain Commission’s additional entity level controls details

This appendix describes the examined Canadian Grain Commission entity level controls areas and provides a description of the elements where there were no audit findings. This section is organized by the 5 pillars of the Treadway Commission Internal Control – Integrated Framework 2013 pillars and principles that are described in Appendix B.

Control environment

the organization's integrity and ethical values
governance and oversight
organizational structure
assignment of authority and responsibility
the process for attracting and retaining competent staff
the rigour around performance measures and rewards

The resulting control environment has a pervasive impact on the overall system of internal control.

Below is a description of the control environment elements where there were no audit findings.

Conflict of interest disclosure

As part of the commitment to ethical values, the Canadian Grain Commission has established responsibility and a process for documenting and managing conflict of interest disclosures.

Procedure for Making Wrongdoing Disclosure standard

The Canadian Grain Commission has established the Procedure for Making Wrongdoing Disclosure standard to support the Public Servants Disclosure Protection Act. The Disclosure Officer's responsibility was established and delegated to the Chief Audit and Evaluation Executive.

Employees who raise wrongdoing concerns are afforded protections under the Public Servants Disclosure Protection Act. Annually, the Disclosure Officer files the Public Servants Disclosure Protection Act annual report to the Treasury Board Secretariat. No disclosures of potential misconduct were reported during the period in scope.

Policy on Workplace Harassment and Violence Prevention

In support of the Labour Code and Occupational Health and Safety Act, the Canadian Grain Commission has established the Policy on Workplace Harassment and Violence Prevention. This policy clearly outlines the roles and responsibilities of all Canadian Grain Commission employees for the prevention, detection and reporting of workplace harassment and violence.

Recently, the policy was updated to bring it in line with changes to the Canada Labour Code and corresponding regulations that came into effect on January 1, 2021. The revised policy was communicated to all Canadian Grain Commission employees in a timely manner through email and posted on the Canadian Grain Commission's internal website called StaffNet.

Departmental Audit Committee

The Departmental Audit Committee has independent oversight and is comprised of 2 external members acting exclusively in an advisory capacity to the Chief Commissioner. This oversight includes challenging and providing advice regarding the sufficiency and quality of the assurance provided on the adequacy and functioning of the Canadian Grain Commission financial statement and internal controls. The external Departmental Audit Committee members are Treasury Board appointments. Potential members are validated by the Office of Controller General based on the metrics established by the Terms and Conditions for Appointment for Audit Committee Member.

Departmental Audit Committee authority, responsibilities and core proficiency requirements are defined by its Charter and are reaffirmed by the Chief Commissioner annually. The Charter grants the Departmental Audit Committee unrestricted access to the Chief Audit and Evaluation Executive, Chief Financial Officer, external auditors and other Canadian Grain Commission employees and records as they deem necessary.

Commissioners

The Canadian Grain Commission is led by 3 commissioners appointed by the Governor in Council per section 3 of the Canada Grain Act. The Commissioners' responsibilities and authorities are formalized in the terms of reference. Notably, the Chief Commissioner as the Deputy Head is “responsible for the financial and human resources of the department,” in addition to accountabilities for Treasury Board policies. The Commissioners set the organization's direction, establish policies and administer the Canada Grain Act. The Commissioners report directly to the Minister of Agriculture and Agri-Food Canada.

Audit and Evaluation Services

Under the Policy on Internal Audit, small federal government departments are not required to maintain an internal audit function. The Canadian Grain Commission, however, decided to support and maintain an internal audit function. The purpose, authority and responsibilities are outlined in the Audit and Evaluation Services Charter, which is reviewed by the Departmental Audit Committee and approved by the Chief Commissioner annually.

In order to provide objective assurance and consulting services to the Canadian Grain Commission, the Charter grants the audit team unrestricted access to all:

activities
operations
records
databases
workplaces

They also have the authority to obtain information and explanations from any Canadian Grain Commission employee and contractor, as necessary.

As per the Treasury Board Secretariat’s Policy on Internal Audit, the Audit and Evaluation Services team establishes a multi-year risk-based audit and evaluation plan based on risk information collected from internal and external sources. The Department Audit Committee and Chief Commissioner approve this plan annually and receive regular updates.

Organizational structure

To support the departmental structure, authority and responsibility, the Canadian Grain Commission maintains up-to-date organizational charts that delineate responsibilities and reporting lines within the organization. The Classification Officer reviews all new positions to ensure the appropriate corporate structure.

An independent and objective reporting structure has been established by ensuring the Chief Financial Officer and the Chief Audit and Evaluation Executive report directly to the Chief Commissioner. In addition, the Chief Financial Officer, Chief Audit and Evaluation Executive and external auditors all have direct and unrestricted access to the Departmental Audit Committee, including in-camera discussions.

Control activities

Internal Control Management Framework

To ensure the appropriateness of internal controls management, the Canadian Grain Commission has developed an Internal Control Management Framework and a periodic risk-based financial control monitoring plan.

This framework include a process to identify, document, evaluate and test key controls including testing of information technology general controls. The framework provides a mechanism to report deficiencies to business process owners, the Departmental Audit Committee and senior management.

Policies and procedures

The Canadian Grain Commission's Finance team developed a set of control-specific policies and procedures. Some of these governing documents are posted on the Canadian Grain Commission’s internal website, StaffNet, and a complete set of policies and procedures are available to all Finance employees.

Finance policies are periodically reviewed and updated to ensure compliance and consistency with Treasury Board Secretariat policies, procedures and directives. There is an established responsibility to continuously monitor changes to Treasury Board Secretariat policies and update Canadian Grain Commission's policies accordingly.

Service level agreements

Part of the Canadian Grain Commission's control environment includes relying on third-party service providers, primarily other government agencies such as Agriculture and Agri-Food Canada and the Treasury Board Secretariat.

The third-party providers maintain their own systems of internal controls that directly affect the Canadian Grain Commission's financial information. Under the Financial Administration Act, the government partners' accountabilities for maintaining and assessing their system of internal controls have been formally defined through service level agreements.

Results of the third-party providers' internal control assessments and related action plans have been reported to the partner organizations, including the Canadian Grain Commission, to mitigate gaps and deficiencies, if applicable.

Information and communication

This section describes how the Canadian Grain Commission communicates with its employees and external stakeholders, including communication on internal control assessments and internal audits. Below is a description of the control environment elements where there were no audit findings.

Mandate, vision and mission

The Canadian Grain Commission's mandate, vision, mission and values are communicated to the public through the Canadian Grain Commission's public website and included in all financial and non-financial reporting documents related to internal controls.

Control: Communication

The Canadian Grain Commission effectively communicates the results of internal control audits and assessments to relevant stakeholders. For example, the results of internal control assessments are reported through departmental performance reports and the annex to the Statement of Management Responsibility. Audit and Evaluation Services' audit reports are published on the Canadian Grain Commission's public website. The Departmental Audit Committee is informed of the results of the internal control assessments performed by Audit and Evaluation Services and external auditors on a timely basis.

To ensure the quality of information communicated to the public, the Canadian Grain Commission has established the Corporate Information Services unit comprised of Communications, Multimedia and Translation Services. The team produces internal and external communications such as print publications, web content, presentations and social media content. Several information management and communications policies and procedures were developed and are posted on the Canadian Grain Commission’s internal website called StaffNet.

The Canadian Grain Commission's leadership has been continuously communicating with the employees on various organizational topics, including:

departmental plans and departmental results
new initiatives
changes to the Government of Canada policies

This information is communicated through:

town hall meetings
all-staff newsletters
internal website updates
ongoing email notifications

Control: Open Data Release Procedure

In 2020, the Canadian Grain Commission's Open Government Working Group established the Open Data Release Procedure to support the Government of Canada's Directive on Open Government. This procedure aims to uphold transparency, accountability and citizen engagement in government decisions and processes.

This procedure guides Canadian Grain Commission employees to handle requests for data and information and determine what requested information can or cannot be shared.

Monitoring

Monitoring activities identified during this audit are described below.

Control assessments

The Canadian Grain Commission's internal controls are assessed by various means, including:

audits by the Office of Audit General and the Office of Comptroller General
annual financial statement audits conducted by external auditors
audits by Audit and Evaluation Services

As part of the internal control monitoring approach, results of the Canadian Grain Commission's internal control assessments are communicated to stakeholders responsible so they can take corrective actions and develop management action plans to address identified control gaps. Internal control assessments and audits results are shared with the Executive Management Committee and the Departmental Audit Committee, whose members provide comments on recommendations and resulting action plans.

Audit recommendations are followed up twice a year by Audit and Evaluation Services to ensure they are resolved per planned actions and timelines. Finance is responsible for following up on the external auditors' recommendations and other internal controls assessments on financial reporting. The results of these follow-up activities are presented to the Departmental Audit Committee.

Date modified:: 2022-02-08