Regulatory Framework - Final Audit Report - Export ... - EDC

Regulatory FrameworkFinal Audit ReportReport Nr. 8/12July 6, 2012Distribution:To:CC:President & CEOSenior Vice President & Chief Financial OfficerSenior Vice President & Chief Risk OfficerVice President & Corporate ControllerVice President, General Counsel & Senior Assistant SecretarySenior Vice President, Corporate Affairs & SecretarySenior Vice President, Human Resources & CommunicationsSenior Vice President, Business DevelopmentSenior Vice President, InsuranceSenior Vice President, FinancingSenior Vice President, Business Solutions & InnovationDirector, Planning & External RelationsSenior Legal Counsel, Legal Services - InsurancePrincipal, Office of the Auditor GeneralDirector, Office of the Auditor GeneralAudit Team:Allison LoweVice President Internal AuditMonica Ryan

IntroductionIn 2008, Internal Audit, in collaboration with management, identified the federal acts, associated laws,regulations, directives and policies with which EDC must comply. We also identified certain internationalagreements and securities regulations that apply to EDC’s business activities. For the purpose of ouraudit, we refer to this as EDC’s Regulatory Framework. An inventory of the items included in ourdefinition of EDC’s Regulatory Framework is provided in Appendix A. In 2011, we performed andreported on an audit of employee related laws and regulations that are applicable to EDC businessactivities in Canada. This report describes the results of our audit on the remaining elements of EDC’sRegulatory Framework.Audit Objectives & ScopeThe overall objective of this audit was to evaluate both the design and operating effectiveness of controlsrelating to EDC’s Regulatory Framework. An inventory of the items included in our definition of EDC’sRegulatory Framework is provided in Appendix A. The scope of this audit included detailed testing of:entity level controls such as policies or Delegations of Authority (DOA); training and tools, transactioncontrols and monitoring and reporting.The audit included transaction testing for all EDC products except those underwritten by the FinancialInstitutions Team. Findings related to those transactions will be addressed in the Trade FinanceObligations (TFO) Underwriting Audit.Internal Audit OpinionThe processes in place to ensure compliance with EDC’s Regulatory Framework are Well Controlled 1 . Adedicated group monitors the introduction of federal bills in the Parliament of Canada, either enactingnew federal laws or amending existing federal laws and conducts an assessment of the impact that certainof these bills could have on EDC. Then an assessment of the need for modifications to internal policies isperformed by various subject-matter experts at EDC. Entity level controls such as policies or DOA existoutlining EDC’s obligations under the Regulatory Framework and are updated periodically to reflectchanges. Training and tools are provided to support compliance of business activities with the RegulatoryFramework. Monitoring and reporting is in place to review compliance at holistic level. Detailed testingwas performed to ensure compliance at a transactional level. One moderate issue was noted and isdescribed in the following section.1Our standard audit opinions are as follows:-Strong Controls: Key controls are effectively designed and operating as intended. Best in class internal controls exist. Objectives of the auditedprocess are most likely to be achieved.-Well Controlled: Key controls are effectively designed and operating as intended. Objectives of the audited process are likely to be achieved.-Opportunities Exist to Improve Controls: One or more key controls do not exist, are not designed properly or are not operating as intended.Objectives of the process may not be achieved. The financial and/or reputation impact to the audited process is more than inconsequential.Timely action is required.-Not Controlled: Multiple key controls do not exist, are not designed properly or are not operating as intended. Objectives of the process areunlikely to be achieved. The financial and/or reputation impact to the audited process is material. Action must follow immediately.Regulatory Framework Audit | July 6, 2012 3

Audit Findings & Recommendations1. UN Sanctions and Special Economic Measures Act (SEMA)Detailed audit testing confirmed that there were no compliance issues at a transactional level related toUN Sanctions or SEMA. The Policy and External Relations (PER) group is the liaison with theDepartment of Foreign Affairs and International Trade Canada (DFAIT) receiving and assessinginformation related to sanctions. Currently, reviews of transactions involving sanctioned or SEMAcountries are being completed by PER and other advisory groups who then may engage Legal Servicesfor consultation on an ad-hoc basis. Legal Services however, is not formally part of the interpretation ofsanctions nor are they always providing transactional level approval authority. Given that sanctionspresent a legal risk, IA recommends that the role of Legal Services be formalized to ensure compliance.This new role and process should be communicated to groups who will require transaction support.Rating of Audit Finding – Moderate 2Action Owner – VP, General Counsel and Senior Assistant Secretary in collaboration with Director PERDue Dates - All actions to be implemented by Q4 2012ConclusionThe audit findings and recommendations have been communicated to and agreed by management whohas developed action plans that are scheduled for implementation no later than Q4 2012.We would like to thank management for their support throughout the audit.2The ratings of our audit findings are as follows:− Major: a key control does not exist, is poorly designed or is not operating as intended and the financial and/or reputation risk is more thaninconsequential. The process objective to which the control relates is unlikely to be achieved. Corrective action is needed to ensure controlsare cost effective and/or process objectives are achieved.− Moderate: a key control does not exist, is poorly designed or is not operating as intended and the financial and/or reputation risk to theprocess is more than inconsequential. However, a compensating control exists. Corrective action is needed to avoid sole reliance oncompensating controls and/or ensure controls are cost effective.− Minor: a weakness in the design and/or operation of a non-key process control. Ability to achieve process objectives is unlikely to beimpacted. Corrective action is suggested to ensure controls are cost effective.Regulatory Framework Audit | July 6, 2012 4