CRA Annual Report to Parliament 2011-2012 (PDF - Agence du ...

Control frameworks

The CRA uses the Committee of Sponsoring Organizations (COSO) framework to assess the design effectiveness of its system of internal controls, since it is the most widely used model of control for purposes of assessing ICFR. The COSO framework is based on five interrelated components of control. Each component contains a number of principles and attributes that an organization’s ICFR may be assessed against: control environment, risk assessment, control activities, information systems and communication, and monitoring.

Because the COSO only provides limited guidance to help organizations establish and evaluate information technology controls, the CRA uses the COBIT (Control Objectives for Information and related Technology) for SOX (Sarbanes-Oxley Act of 2002) framework to document and assess the design of its information technology controls that are relevant to financial reporting.

4. Progress and assessment results as of March 31, 2012

This section summarizes the CRA’s key assessment results from the design and operating effectiveness testing completed to date. In accordance with the plan published in the 2010-2011 Annex, the CRA completed the following activities for the 2011-2012 fiscal year.

Agency activities financial reporting

An assessment of the operating effectiveness of key controls over the five business processes related to financial reporting on agency activities as well as relevant application controls and information technology general controls for the Corporate Administrative System, the purchasing system (Synergy), and the budget tracking system.

As a result of this review, the CRA identified areas for improvement and developed action plans to address findings on key controls related to segregation of duties and the design and management of access profiles.

Administered activities financial reporting

Further to the requirements of the tax collection agreements, the Office of the Auditor General completed its audit of the CRA’s description of the design effectiveness of the individual (T1) income tax program as assessed by the CRA as of November 30, 2010. The audit included testing 88 entity level controls, 54 information technology controls over 44 processing systems, and 102 business process activities. The audit results confirmed that the CRA needs to enhance the design of certain key controls in the following areas:

Documentation: Greater consistency in the quality and availability of documentation for audit trail purposes.

Information technology general controls: Strengthen controls related to access and change management.

Segregation of duties: Strengthen access provisioning practices as they relate to segregation of duties, and strengthen business process controls related to the design and management of access profiles.

The CRA’s internal audit function completed an assessment of the operating effectiveness of controls related to the corporate (T2) income tax program. Management intends to use the assessment results to identify and plan any adjustments needed to enhance the effectiveness of these controls in preparation for the Auditor General’s next controls audit under the tax collection agreements that will be completed in accordance with the Canadian Standard on Assurance Engagements 3416 auditing guidelines.

These reviews, including the Auditor General’s report, included entity level control assessments and confirmed that the CRA continues to have a strong system of entity level controls.

CANADA REVENUE AGENCY 137 ANNUAL REPORT 2011-2012