Financial Systems and Controls

Table of Contents

13.0 Financial Systems and Controls
  13.1 Objectives
  13.2 General
  13.3 Policy
  13.4 Information and References
    13.4.1 Approval
    13.4.2 Risk and Controls Review

13.1 Objectives

  • ensure that financial and other systems are developed and implemented with due consideration to system development principles, generally accepted control and security standards, and are consistent with government business and systems strategic direction

13.2 General

Financial systems are a vital component in the delivery of government programs and services. When managed effectively, financial systems improve service to the public, enhance productivity and reduce costs.

Roles and Responsibilities

Ministries are responsible for their financial systems and ensuring compliance with policy and technology standards.

The Office of the Comptroller General is responsible for policy for financial systems and communication of control standards.

13.3 Policy

A financial system is any system that is used to exercise financial management, control and accountability over public monies or assets. Included are those systems (manual or automated) that are used to record, verify, report, generate and/or execute financial transactions, and those used for the management and control of assets, liabilities and assets held in trust.

  1. Ministries are responsible for determining the methodology to be used in the development of financial systems. The methodology used must be consistent with government information technology standards (see Risk and Controls Review for guidance).
  2. Ministries must ensure that financial systems have sufficient and comprehensive controls to prevent and reduce the risk of loss, error, misuse or fraud to an acceptable level.
  3. A risk and controls review must be performed and documented for a new financial system, and whenever there are significant modifications to an existing financial system. Qualified, independent and objective parties must carry out the review.
  4. The scope of a risk and controls review depends on the nature and complexity of the financial system. A comprehensive review includes project management, systems development, general environmental controls and application-based controls (see Risk and Controls Review).
  5. A financial system must receive executive financial officer approval prior to being placed into production. The executive financial officer, on the recommendation of the chief financial officer, must approve implementation of a new financial system and significant enhancements to an existing financial system.
  6. The ministry's executive financial officer, or chief financial officer where delegated, has overall responsibility for the ongoing operation of financial systems.
  7. Ministries that require a financial system to interface with other systems must establish proper and integrated processes to secure financial information.
  8. Where the financial system interfaces with the Corporate Accounting System (CAS), agreement must be established between the ministry and CAS that interface requirements have been tested and are working correctly before the system is moved into production.
  9. For a financial system that interfaces with CAS, a copy of the financial system's risk and controls report must be made available to the Office of the Comptroller General (OCG) on request.
  10. Ministries must ensure financial system documentation is sufficient in detail to enable effective system maintenance. This documentation must be completed prior to system implementation.
  11. Ministries must establish and maintain an inventory of their financial systems. The inventory must be updated annually to capture any additions or changes, and be made available to OCG upon request.
  12. Ministries must ensure that senior management approvals for accepting a new financial system, or a significantly modified system, are documented and retained (see Approval). A copy of the approval document must be provided to OCG upon request.

13.4 Information and References

13.4.1 Approval

System acceptance indicates that the financial system meets minimum control requirements, user objectives and business requirements. The following are approval guidelines for documentation and reporting of ministry financial systems:

  • a statement by the chief financial officer, prior to implementation, that adequate system testing, user testing and, where necessary, interface testing has been successfully completed, and user manuals and other documentation are complete;
  • approval and acceptance of the financial controls by the chief financial officer;
  • approval and acceptance of the system by the executive financial officer. Sign-off documentation should also include project manager and system custodian approvals confirming that the system meets business and control objectives.

13.4.2 Risk and Controls Review

The risk and controls review requirements are outlined below. The risk and controls report should be attached to the ministry's financial system sign-off sheet.

I. General

A risk and controls review is a formal analysis of a financial system and the environment in which it operates. The objective of the review is to determine whether a system includes adequate controls to mitigate business risks. As part of the review, deficiencies in the system's ability to meet business risks and control objectives should be documented for redress.

II. Risk and Controls Report

The risk and controls report is a document that describes the overall assessment of a financial system, together with the controls and any deficiencies that support that assessment. The report should contain:

  • a description of risks, the significance of a risk to the business, a description of the control and an assessment of the adequacy of each control for the risk identified, to assist in the overall evaluation; and
  • an action plan to correct major deficiencies, including the date when the problem will be corrected and any follow-up required.

    Risk Identification:

    Identification of business and information technology risks, and any factors that will influence the risk assessment.

    Risk factors that should be considered:

    • the susceptibility of business assets to fraud or misappropriation;
    • complexity of business transactions or degree of reliance on the system to account correctly;
    • the degree of manual intervention and related potential for error involved in the system;
    • decentralization of systems and complexity of user security profiles;
    • interfaces with any third party systems; and
    • reliance by the business on the continuing availability of the system.

    Controls:

    Some control areas to consider, covering project management and systems development, general environmental controls and application-based controls, are listed below. Note that this is not a complete list:

    1. System development should be based on clearly understood needs that are consistent with meeting government and ministry strategic objectives, including review of existing government systems to assess potential suitability.
    2. Ministry senior management should support and be actively involved in the planning and use of information resources, and the development and implementation of new financial systems.
    3. The project management team should be assigned clear roles and responsibilities. The team should have a sufficient level of authority and an appropriate mix of skills and experience to manage the project.
    4. Ministry users should support development by actively planning and participating in defining requirements, and in verifying that the system meets their needs.
    5. The design specifications should accurately and completely summarize user requirements.
    6. The systems environment security design should be supported by a security threat and risk assessment.
    7. User test and acceptance procedures, to determine whether the project delivered the specified application or level of performance, should be conducted and documented.
    8. Access to financial systems and applications should be restricted to only those staff whose responsibilities require the access. Incompatible functions should also be separated, for example, custody of assets and access to asset data records.
    9. Input validation to ensure data entry is authorized, accurate and complete.
    10. Processing checks to ensure that all transactions are processed properly.
    11. Output reviews to ensure the completeness, accuracy and validity of reported information and the adequacy of audit trails.
    12. System interfaces that are designed and tested to protect the integrity of data exchange.
    13. Applications that are fully understood by staff and comply with the ministry's information resource management plan.
    14. Applications that are routinely monitored and properly evaluated.
    15. Physical security to provide an environment that protects hardware and software from damage by unauthorized access and elements such as water, extreme temperatures and fire.
    16. Backup of data and offsite storage for system operation recovery.
    17. Recovery of computer operations in the event of a disaster.

Note: Additional guidance on information system controls and risks can be obtained by contacting Internal Audit and Advisory Services, OCG: Phone 250 387-6303.