Financial Management Essentials Series: Strengthening Internal Controls (COR2-V07)

Description

This event recording explores the foundations of internal controls, including their key elements, and offers practical advice from departmental representatives from the Treasury Board of Canada Secretariat, the Canada Revenue Agency, and Indigenous Services Canada.

Duration: 01:26:22
Published: December 12, 2025
Type: Video



Transcript: Strengthening Internal Controls

[00:00:00 Animated CSPS logo. Text on screen: Welcome/Bienvenue.]

[00:00:06 Jocelyne Charron appears full screen. Text on screen: Office of the Comptroller General. Comptrollership Community Development.]

Jocelyne Charron: Good morning. Good morning, everyone, and welcome to our Fundamental Series. Today, we're talking about Internal Control. It's a very interesting topic. So today's session on the Financial Management Essentials Series focuses on internal controls. Thank you also for joining us. My name is Jocelyne Charron and I am the Executive Director, Financial Management Community and Oversight.

[00:00:32 Text on screen: Jocelyne Charron, Executive Director, Treasury Board of Canada Secretariat.]

I am joining you from the Office of the Comptroller General. We will have panelists, as well as an expert on internal controls, with us today. Therefore, we hope you find this session interesting.

I would also like to point out that I am joining you from Ottawa today. You may be also joining us from other territories throughout Canada. And I find myself on the traditional unceded territory of the Anishinabeg Algonquin Nations. The upcoming September 30th is a day to reflect on the truth, history and legacy of Indigenous residential schools. I invite each of you to think about how you will mark this day and contribute to reconciliation.

Before we begin, I would like to remind you that this session is bilingual.

[00:01:09 Split screen: Jocelyne Charron and slide. Text on screen: As described.]

[00:01:38 Split screen: Jocelyne Charron and slide. Text on screen: As described.]

Jocelyne Charron: I will be switching to English throughout the session, as well.

This is also to encourage you to ask questions and interact in the language of your choice. Simultaneous interpretation services are offered for the event. To access this service, please use the interpretation feature of your virtual meeting platform and select your preferred language.

We will also be using the Wooclap feature to ask questions, and you will have the opportunity to interact with us, our panelists, and also our main presenter. So I invite you to take your cell phone and access it via the web by searching www.wooclap.com and entering the code that appears here on the screen, FMES26, to participate.

This is a sign for you to be ready, and if you have any questions during the presentation, you can ask them and we will try to answer them. Please also note that the presentation is available in both official languages in the Resources section of the event page, along with a useful list of other resources. So, if you're curious, you can access them and check them out.

Our program is quite full. Therefore, after each section, we will have the opportunity to discuss with panelists and if there is time, the panelists will be able to take your questions using the Wooclap feature that will support you. You can also use the Webdiffusion platform's chat feature by clicking on the bubble icon at the top of your screen.

So, in order to frame the discussion a bit, we have Martin Krumins, who is, in fact, my boss.

[00:03:39 Split screen: Jocelyne Charron and Martin Krumins.]

Martin is the Assistant Comptroller General. He reports directly to the Comptroller General of Canada, Annie Boudreau, and he basically takes care of the finance function for the public service as a whole. It's an important role that shapes our financial management. He is here to sort of inspire you to understand the reason and importance of the segment we are going to share with you. So, over to you, Martin. Thank you for being here with us this morning as well.

[00:04:07 Split screen: Martin Krumins and slide. Text on screen: Martin Krumins, CPA, CMA. Assistant Comptroller General, Financial Management Sector, Office of the Comptroller General of Canada, Treasury Board of Canada Secretariat, martin.krumins@tbs-sct.qc.ca.]

Martin Krumins: Thank you, Jocelyne. Good morning, everyone. It's a real pleasure to be here today for the Financial Management Essentials Series. The series highlights the core elements of financial management, with each session focusing on a unique theme, topic, and set of presenters. Today's topic of Strengthening Internal Controls is particularly special for me because it's where I started my leadership path.

[00:04:29 Split screen: Martin Krumins and slide. Text on screen: Strengthening Internal Controls, September 26, 2025.]

Martin Krumins: But before I get into that, I do want to thank the Canada School for organizing this event and creating a space where we can come together, learn from one another, and strengthen our community. Continuous learning is at the heart of our growth as financial professionals. In a field that is constantly evolving, staying current with the latest knowledge and skills is essential, not just for our own development, but for the strength of the places we work. Opportunities like this allow us to deepen our understanding, sharpen our expertise, and build the foundation for long-term success. I encourage all of you to take full advantage of it, ask questions, share your perspectives, and view this as a meaningful investment in your career. So, a little bit about me. I didn't begin as an executive. Like you, I started as an FI. I did all aspects of financial management, planning, budgeting, accounting, and financial oversight. Step by step, I built my career in departments, both large and small, from Fisheries and Oceans to Treasury Board Secretariat where, some say, I helped shape government-wide financial decisions, and ultimately at Public Health Agency of Canada, where I feel very proud that I was fortunate enough to lead a team of financial management experts during a global pandemic.

So, looking back, one lesson that stayed with me through every role and every challenge, financial management is about trust. Trust in our systems, that they are designed to protect public resources, trust in our teams we lead, that together we can solve problems and find solutions, and trust in ourselves to make the right decisions even when the path is not clear.

I know that our work is often behind the scenes, sometimes seen as an enabling function. When we do it well, no one notices it. But when you know the value of what we do, it really goes to your heart. With sound financial management, nothing else functions as it should. That's why today's theme, Strengthening Internal Controls, is so important.

[00:06:18 Split screen: Martin Krumins and slide, as described.]

Martin Krumins: Internal Controls are not just checklists and approval processes; they are safeguards that give Canadians confidence in their government. They are structures that allow managers and executives to take bold action knowing the risks – yes, multiple risks – that those risks are being managed responsibly.

So, controls are also a quite quiet, but critical backbone of public trust. When controls are strong, people don't have to think twice about whether their money is being used as intended. But when they are weak, trust erodes, and once it's lost, it's very hard to regain.

Do we think it's so important that we need to talk about it? Of course we do. The team here at the OCG has worked very hard to set up the Financial Management Competency Compass, which I hope will help us as financial professionals navigate our careers and develop skills. But just as important, it also informed the design of this learning series, connecting our professional development directly to the competencies that matter the most.

How do internal controls fit here? They tie directly to at least three of those competencies: strategic thinking; oversight and risk management; and compliance. They provide leaders with reliable information for forward-looking decisions, mechanisms to monitor resources and manage those risks that I spoke about earlier, and processes that embed compliance naturally into our daily work. In this way, Internal Controls not only protect public resources, but also enable us to pursue our missions with confidence, accountability, and integrity.

[00:08:00 Split screen: Martin Krumins and slide, as described.]

Martin Krumins: We're very honoured to have with us today, Ralphe Jabbour, Director of Financial Management Policy at Treasury Board Secretariat, [who] will walk us through the system of Internal Controls, the Government of Canada context, and their evolution. As well, David Vaillancourt, Director of Internal Controls division at CRA; and Isabelle Massé, Manager of Internal Controls at Indigenous Services Canada. They will participate in panel discussions at the end of each segment, sharing insights from their years of experience and addressing questions from participants.

So, thank you again to the Canada School for bringing us together for this important discussion. I look forward to the conversations ahead and to continuing to build that strong, trusted financial community, one that Canadians can count on. So, with that, I'll turn it over to Ralphe to get us started. A reminder, the slides in both official languages are available in the resource section. Thank you.

[00:08:39 Ralphe Jabbour appears full screen. Text on screen: Ralphe Jabbour, Director, Office of the Comptroller General, Treasury Board of Canada Secretariat.]

Ralphe Jabbour: Thank you, Martin. Hello, everyone. Thank you for being here for this essential session on internal controls. In an increasingly complex government context, as Paul Martin has already stated, internal controls are essential to ensure transparency, accountability and sound management of public resources.

Today, we're going to see how control is integrated into our daily work

[00:09:17 Split screen: Ralphe Jabbour and slide, as described.]

Ralphe Jabbour: and how each of us can contribute to it. We will start with the basics, that is, what internal controls are and why they are important. But understanding the basics is not just theoretical; it's about seeing how these controls prevent problems. Next, we will examine how internal controls are applied today in the federal public sector. And finally, we will explore how internal controls evolve with new technologies and new risks. With emerging technologies like AI, these controls must adapt to manage new risks.

But before we start the first section, we are going to use, as Jocelyne has already mentioned, Wooclap to chat with you a bit and to understand your level of familiarity with internal controls. I think all participants have the Wooclap code, which is FM . . . Yes, that's it.

[00:10:30 Split screen: Ralphe Jabbour and Wooclap results slide, as described.]

Ralphe Jabbour: Your answers will help us adjust the content to your reality. So, the three questions are . . . It's a little difficult to see:

How well do you know the Government of Canada's internal controls? There is some experience with them, and what type of . . .

[00:11:20 Wooclap results slide, as described.]

Ralphe Jabbour: …a mix of experience levels.

[00:11:49 Split screen: Jocelyne Charron and Wooclap results slide.]

Jocelyne Charron: Ralphe, I think we may have lost you. Are you still with us?

Ralphe Jabbour: Yes, yes. It's very difficult to . . .

Jocelyne Charron: To read, yes. Exactly.

Ralphe Jabbour: to read from the screen, yes.

Jocelyne Charron: I agree with you.

Ralphe Jabbour: The three questions are there, right?

Jocelyne Charron: Yes, absolutely. We can see a little bit of the different levels of people's knowledge of internal controls, which is still an important fact. This means they may benefit from the discussion this morning.

Ralphe Jabbour: Yes. We have a mix of participants from large and small departments.

Jocelyne Charron: Yes, exactly.

Ralphe Jabbour: And from different communities. Therefore, I think that . . .

Jocelyne Charron: Yes. So, the question we are asking here is, who are the people in the financial management community? So, it's most of you, about 80%. We have others too. So, we would like to know who these people are. He also said . . . it's interesting because there is definitely complementarity between internal controls and the role of internal auditing. These things are clearly different and have different spheres of interaction, but are definitely also complementary.

So, thank you. We learned a little bit about who you are this morning. Now it's up to you, Ralphe, to continue the dialogue.

[00:12:45 Wooclap results slide, as described.]

[00:13:20 Split screen: Ralphe Jabbour and slide, as described.]

Ralphe Jabbour: In our first section, we're going to talk about the system of Internal Controls. I think, as we heard Martin earlier in his opening remarks, he talked about financial management is ultimately about trust. I think this is why today's session is important because I think Internal Controls are really how we earn and protect that trust.

So, think of them as seatbelts, or an airbag, or a GPS in a car. We don't notice them most of the time, but when something goes wrong, they make all the difference. We wouldn't manage billions of taxpayers' dollars without these invisible safety systems. Of course, we wouldn't. Imagine driving without a GPS. I know I would be lost. Maybe most of us would be lost. So, similarly, without these controls, we'd risk misallocating funds.

So, these invisible tools, I think Martin mentioned, they're kind of invisible. They're behind the scenes. They're essential for managing billions of taxpayers' dollars. So this is why we think this session is important. And then we tried to bring subject matter expertise from different departments. And I think, also, between Jocelyne and I, we have a bit of experience in the area, so we're hoping that it's not going to be all theory, and we're going to try and make this a little bit entertaining, exciting.

From an Office of the Comptroller General perspective, Internal Controls aren't just compliance. They're strategic tools. They help departments to operate efficiently, produce reliable information, stay aligned with laws, regulations, policies, and most importantly, they cut across every function. For the people in the audience that are not in Finance, this isn't just about Finance, but it's about Procurement, it's about IT, it's about HR, and it's about Programs, so everyone has a role to play.

What are some examples of this? For example, a manager checking budget variances. What if the manager skips this step? It could lead to unexpected shortfalls, so controls prevent that from happening. A procurement officer, for example, verifying vendor credentials before awarding a contract. What if we forget this verification? This is a big risk of non-compliance. Controls protect against that. Even in a Program environment, a Program Analyst reallocating funds, for example, based on reliable spending data. What if this data is not accurate? This could lead to wrong decisions. So, controls ensure reliability. Next slide, please.

[00:16:12 Split screen: Ralphe Jabbour and slide, as described.]

Ralphe Jabbour: So, let's talk a little bit about theory. I promise I'm not going to go too much into theory, but there are some critical things or important things that we need to cover.

For example, at the heart of this system is what is referred to as the five elements of Internal Controls. These are defined by the Committee of Sponsoring Organizations of the Treadway Commission, also known as COSO. These elements, they work together to help the organization achieve its objectives related not only to just operations but reporting and compliance.

What are these five elements? Leadership, to start with, sets the expectations of ethical behaviour and accountability under the control environment. For example, this is having a clear policy on ethics, it guides daily decisions.

Identifying and evaluating risks that could impact these objectives is done through risk assessments. This is like, for example, evaluating cybersecurity risks in an IT project.

The checks, approvals, reconciliations, these are the guardrails is referred to as control activities. That's what the control activity element is about. For example, think of approving a travel claim or any expense. That's a control that ensures the appropriate use of funds.

Then ensuring that timely, accurate, and transparent reporting is part of information and communication. This could include monthly reports to increase transparency.

Then finally, one of the key elements, in my opinion, is the ongoing review and adoption of these controls. As risks evolve, or there are more risks, we need to continuously monitor that these controls are working.

In addition to these five elements, there are two other elements that influence the control environment. This is the tone from the top, which sets the expectations for integrity and transparency, and this is referred to as the management's philosophy operating style.

And of course, Human Resources, which promotes staff competence and ethical standards. So, these aren't just add-ons or supplementary. They're foundational to the entire system. For example, the tone from the top models ethical behaviour from leadership, so creating a culture of integrity, while the HR function ensures staff are competent and aligned with ethical standards through ongoing training, ultimately building long term trust across the organization. This is why the competency compass is so important for us for the FM community. Next slide, please.

[00:19:15 Split screen: Ralphe Jabbour and slide, as described.]

Ralphe Jabbour: Why do these controls matter? They support financial integrity, as I mentioned, by protecting assets from loss, from misuse, from fraud. They ensure that the data is accurate for reporting and transparency, and they strengthen accountability and compliance across all levels of the organization.

This happens because they support compliance to policies and procedures, and they allow us to apply the rules and procedures consistently. They provide peace of mind by reducing risks, as we mentioned already, and they enable us to make better decisions. When everyone plays their part, the system works, but it requires everyone's participation to function effectively. Internal Controls allow the organization to pivot in order to address unforeseen pressures confidently without sacrificing other objectives.

I know we had a mix of participants, so I want to try and incorporate a "what's in it for me" if you're a Procurement person, or a Finance person, or an Audit person. For a Finance person, this means fewer last-minute surprises. The data is clean, it helps the CFO in doing their attestations. For a Procurement practitioner, this means stronger defensible files, so fewer challenges. If some of the participants are in Internal Audit, this means less, in a way, firefighting, but more time looking at strategic risks. And then, if you're a Program person, it means faster, smoother funding with fewer delays.

The way we're going to do this, and I think this is going to repeat every segment, at the end of, hopefully not my boring presentation, we're going to do some true and false questions, and then we'll get into probably the most exciting part, which is the panel discussion.

[00:21:33 Split screen: Ralphe Jabbour and slide. Text on slide: True or False: Internal controls are like the goalie on a hockey team, they are the last line of defense to stop risks from turning into issues.]

Ralphe Jabbour: What we'll do now is through Wooclap, I think we have a couple of true and false questions. Again, please don't be discouraged. These aren't skill-testing questions. We just wanted to get a sense of people's knowledge. So, the first question is Internal Control...

[00:21:33 Wooclap question slide, as described above.]

Jocelyne Charron: The first question is, yes, we want to know if Internal controls are only relevant for auditors.

[00:22:00 Wooclap results slide, as described.]

Jocelyne Charron: I say true, and I would fail. <Laughter> Hopefully not.

Ralphe Jabbour: What do we have here? We have a mix of....

Jocelyne Charron: Yes, a mix of responses.

Ralphe Jabbour: Again, this isn't a test. The answer is actually false because they're really not just relevant to auditors. They're relevant to all management. They're the responsibility of all of us and the entire organization. They help the entire organization, as I already said. If you got it right or if you got it wrong, there is no right or wrong answer. Really, what we're trying to get at here is that they're important to the whole organization, whether you're an auditor in Program, in Procurement, in IT.

All the results are still coming in.

[00:23:03 Wooclap question slide, as described.]

Jocelyne Charron: And then our second question is about the Deputy Head, an important person in your organization.

[00:23:09 Wooclap results slide, as described.]

Jocelyne Charron: We're asking if they're ultimately responsible for establishing and maintaining the system of Internal Control for their department. So, is that true or false?

And again, we talked about the Internal Control as being a bit of a safety – your seat belt, or your GPS. So, Deputy Heads, I don't know how many policies they have to oversee across their organizations and compliance. They are the accounting officer. If something goes wrong, they are accountable to parliament.

So, how do we make sure that they can sleep at night? How do we make sure that they know that things are going in conformity with the policies, that their funds are being properly spent, that they're getting the value to Canadians, and then a bit of that safety net that Ralphe spoke about.

Many people got that one right, Ralphe. Good job. That means they understand.

Ralphe Jabbour: Good job.

Jocelyne Charron: Good job.

Ralphe Jabbour: Maybe it's an unfair question because I think I'm talking about the policy in the next segment, but it is a requirement in the policy on financial management, but you'll hear me talk about that a little later.

[00:24:18 Split screen: Ralphe Jabbour and a previously described slide.]

Ralphe Jabbour: I think with this, we move to our panel discussion.

Jocelyne Charron: We're going to have some of our panelists come and join us.

[00:24:25 Split screen: Jocelyne Charron, Ralphe Jabbour, David Vaillancourt, and Isabelle Massé.]

Jocelyne Charron: These are two specialists. They breathe and live Internal Control in their respective departments. So, I'm going to introduce David and Isabelle to you a little bit earlier, so I'm going to ask them a few questions so you can apply a bit of what Ralphe was saying in terms of that theory, the concepts, and then see how they are in that action in your departments. And to me, honestly, because there's so many requirements, so many processes, so many accountabilities in the system, how do we make sure that there's consistency across the 105 federal departments and agencies? How do we make sure that we have the trust to parliamentarians? And so your system of Internal Control is actually one of those unique functions, other than potentially your auditors that would come in after the fact when something is broken or do an audit and then have those fact findings on the audit. So, this is more of a preventative measure as discovery. But to me, is a bit of a report card, an early report card, of where things are going well and where things need to be improved.

So, I'm going to ask Isabelle. Thank you for being with us too, Isabelle.

Interpreter: Thank you very much for being with us, Isabelle.

Jocelyne Charron: <Inaudible> shift in the way process owners view Internal Control and value the work of your team.

[00:25:41 Isabelle Massé appears full screen. Text on screen: Isabelle Massé, Manager, Internal Controls, Indigenous Services Canada.]

Isabelle Massé: Thanks, Jocelyne. Yes, we did see a shift in the mindset. For us in Internal Control, we do assessments of Internal Control, but ultimately, the responsibility is of everyone in the organization.

And then, especially for financial controls, at first it was more of a compliance exercise. And I did see a shift in how it can be more of a process improvement and how we can bring efficiency to the process, so there's more collaboration with business process owners. They are more involved in designing and monitoring the controls.

And we also see a shift in shared accountability. They understand how they can improve their process. And if they see that there is a risk of a control having a gap, they will discuss with us and ensure that the controls are in place, and to ensure also that there are sufficient controls. So, for this shift, there's added value. They see us as a partner for the Internal Control team, so they will ask us for a question and our recommendation. If they are reviewing a process, they'll ask us to review those processes to ensure that they have the controls in place.

So, it's really about communication with the teams, with the process owner, so there's more collaboration. So, that's part of the big shift that I've seen in Internal Controls.

[00:27:27 Split screen: Jocelyne Charron, Ralphe Jabbour, David Vaillancourt, and Isabelle Massé.]

Jocelyne Charron: I agree with you. And that's why you can over control things, so that's where a bit of that risk and that strategic thinking ultimately, where do you focus effort, in relation to risk, in relation to impact? And as well, I feel our context in which we operate is so different, not the same as 10 years ago.

[00:28:00 Jocelyne Charron appears full screen.]

Jocelyne Charron: So, if you have, potentially, the same key controls that you did 10 years ago, I think we're doing business very differently. Our vulnerabilities are different, maybe vulnerabilities to fraud, to malfeasance. I think there's a lot of proactiveness, which feeds a bit that we spoke to you about the compass on the strategic thinking and risk management. Very much of a dynamic context and not static.

David, you're at CRA, Director of Internal Controls for a huge organization. How do you embed a culture of accountability and control across the level at CRA? I'm sure that that's not [an] easy feat.

[00:28:29 Split screen: Jocelyne Charron, Ralphe Jabbour, David Vaillancourt, and Isabelle Massé.]

David Vaillancourt: No, it's not so easy, but it's something that we need to work on every day.

[00:28:00 David Vaillancourt appears full screen. Text on screen: David Vaillancourt, Director, Internal Controls Division, Canada Revenue Agency.]

David Vaillancourt: At CRA, it is well established that Internal Controls are part of good management service delivery, so not just compliance. Accountability is really at the heart of it. Based on my Internal Control assessment experience, to embed the culture of accountability and control, it starts from the tone from the top.

Every year at CRA, at our management with the committee, we present our Internal Control assessment scope, we discuss the importance of Control, we reinforce role and responsibility of all senior leaders regarding maintaining a good system of Internal Control over financial reporting and financial management because everyone is helping with that. That message flows down through the official CFO launch letter, to formal launch emails, to meetings, conversations at every level, with support from all senior leaders.

Then when we do our work, we do our assessment work, we insert strong documentation. Sometimes people say the documentation is boring, but you will understand my point. Documentation brings clarity. This includes what control is being done, why it is done, how and when it is performed, who is the control performer, and who is accountable for each of those controls? By documenting that, it clarifies role and responsibility and accountability at the same time. People understand why it's important [for] every control they do.

When we report a result, it's not just a technical report. We validate findings with the people who do the work, so the control performer. Share them with the manager executives, which are accountable for the control. All of this is documented into a letter of recommendation with [a] DG approved action plan. We also send a result summary at DG and branch level to ensure accountability of the full chain of comments. Then we go back to our management of the committee to present this result, to close the loop on the planning presented earlier to that committee.

Finally, this is very important also, because our result at the end of the day is incorporated in the statement of management responsibility and its annex, which is an integral part of the financial statement. That financial statement is approved by the CRA Board of Management and co-signed by the CFO and Commissioner. There's a trace, making sure that they understand the responsibility, and this is where the results are published to everyone.

The culture of accountability and control is embedded in all levels across the organization by, I would say, the tone from the top, strong documentation, and solid governance structure.

Jocelyne Charron: I like it.

[00:30:59 Split screen: Jocelyne Charron, Ralphe Jabbour, David Vaillancourt, and Isabelle Massé.]

Jocelyne Charron: I do agree. It has to come from the top. To me, it's about making sure that the Deputy Head and the senior ADMs and ADMs in your organization understand that they are a little bit delivering programs, and these programs have key controls. But unless we document them, we check them, we validate them, your safety nets are not really known or understood. So, it's working about making sure they're aware of it. And that's a bit [of] something that maybe we don't do. It's not embedded necessarily in all the programs because it's a bit more of a financial thing that we're built in as a CPA or accountant in terms of integrity and transparency.

But thank you for that, David.

Isabelle, quickly, for you, how do weak internal controls increase risk, and what can we do to strengthen them?

[00:31:54 Isabelle Massé appears full screen.]

Isabelle Massé: Weak Internal Controls can lead to financial errors. If we focus on financial Internal Controls, there's risk of fraud and misuse of public funds. There's also a risk of non-compliance with policies and reputational damage. For example, there can be some scrutiny in the media, or findings in internal audits.

to be clearly documented and clarified – who does what, and when. Documentation, as David mentioned also, processes need to be documented, any decision. This way, processes can be standardized and also consistent.

And there's also data analytics that can be used to strengthen Internal Controls. We can do real-time reviews and invest in training and awareness. Internal Controls are the responsibility of everyone in an organization, so it's important that if an employee is completing a checklist that they understand that they're reviewing that checklist to ensure that there's no errors or no gap in the specific process. So, this shows how weak Internal Controls, especially roles and responsibility and documentation, are important. And that it's the responsibility of everyone in the organization.

[00:33:35 Split screen: Jocelyne Charron, Ralphe Jabbour, David Vaillancourt, and Isabelle Massé.]

Jocelyne Charron: I agree with that. Thank you very much. And we'll talk about it in a little bit about how new innovative technologies could actually transform a little bit making Internal Control maybe a little bit more effective, give you more coverage as well. Because as you said, Isabelle, the risks are quite high. Loss of public trust, potentially, scrutiny of how taxpayers' money is spent. Those are real challenges. And as well, realities, as we are public servants. So, I think that those are important, but lots of availability to strengthen as well, which is why we're here today.

So, I'll turn it over to Ralphe. We have another little bit more of a theoretical segment. Just a reminder for all of you that the slides are available in both official languages in the resource section. Ralphe, over to you.

[00:34:27 Split screen: Ralphe Jabbour and slide, as described.]

Ralphe Jabbour: Thank you, Jocelyne. So in this section, we see the internal controls framework in the Government of Canada and this framework is based on the Financial Management Policy. Why is it important? Because these controls ensure transparency, accountability and good management of public funds, even in a complex environment. Let us look at the key points in this slide together. The Financial Management Policy defines the requirement for a risk-based system of internal control, as we have already stated. Here are the main roles. The Deputy Head establishes, monitors and maintains this system to reduce financial risk. For instance, by ensuring that grants are traceable. This avoids [inaudible] and strengthens public trust. The role of the chief financial officer is to implement controls and reports to the executive committee and records the Statement of Management Responsibility to ensure reliable reporting. The role of senior executives or process owners is to implement controls and notify the chief financial officer of deficiencies and possibly take corrective action. For example, by preventing budgetary overspending through monthly reviews. It's control that prevents this. What is the role of all employees? It's about implementing operational controls and perhaps reporting weaknesses in the system. For instance, when someone noticed an error in a factor. It's about potentially preventing fraud.

Therefore, this common approach strengthens responsible management and accountability at all levels.

[00:37:33 Split screen: Ralphe Jabbour and slide, as described.]

Ralphe Jabbour: Next slide, please. It's about compliance and monitoring. Monitoring ensures that all controls are working well with these three pillars: internal department audit. I think Jocelyne already mentioned that. For example, the internal audit function, made up of risk-based reviews, provides independent assurance to management. For instance, the function to quickly identify weaknesses in purchasing to save resources. This, however, not only saves resources, but this also strengthens public trust through proactive corrections. The Office of the Auditor General of Canada conducts independent audits and advises Parliament. But these annual reports reinforce strong controls and underline the responsible use of public funds. The risk and compliance process, which is based on the Management Accountability Framework, assesses management and focuses on effective controls. The new Risk and Compliance Process is an agile system; it also prioritizes emerging risks, for example cybersecurity.

So together, these mechanisms promote continuous improvement and strengthen public trust.

[00:39:25 Split screen: Ralphe Jabbour and slide, as described.]

Ralphe Jabbour: What is the role of finance professionals? As I have already said, internal controls are everyone's responsibility. This is not solely the responsibility of finance professionals. But, finance professionals are leading the way and providing leadership. Even if you're not in finance, your contribution counts too. This by identifying a problem in a business process, for example. It's also a form of control. The control environment promotes the ethics and transparency established by executives so that there is a culture of integrity, for example. Risk management identifies and manages risks in budget planning and forecasting. The control activity must be specifically verified and validated in compliance with the law or various policies, including monitoring, which supports the certification of chief financial officers and adjusts controls according to digital changes.

Some general or practical advice for the participants. I think David talked a little about this; documentation is very important. So, keeping it up to date is very important. Collaborating with the control team and proposing realistic action plans. This means reliable data for finances and less program delays. It's very important to update documents, not as a routine exercise but to document changes in control. I think this avoids major problems.

I think we have a few True or False questions before entering into the second discussion.

Jocelyne Charron: That's exactly it. So, we'll see if people listened to what you said, Ralphe.

[00:42:10 Wooclap question slide, as described.] 

Jocelyne Charron: Did they understand? We're asking you to go to Wooclap again. And the question is essentially a true or false: Internal controls are a one-time compliance exercise completed at year-end. True or false?

[00:42:30 Wooclap results slide, as described.]

Jocelyne Charron: We still have a good portion of the votes. We're close to . . . They told us the numbers earlier; we had nearly 2,000 people registered. So, we're going to come and see how many of you are active on Wooclap for the most part. We're going to give them the right answer. They understood that it's not just static at the end of the exercise. That would not be a good idea.

Ralphe Jabbour: Yes, yes.

[00:43:12 Wooclap question slide, as described.]

Jocelyne Charron: We have a second question.

Ralphe Jabbour: The second question.

Jocelyne Charron: The financial management community plays a critical role in supporting chief financial officers and deputy heads in maintaining effective internal controls.

[00:43:26 Wooclap results slide, as described.]

So, it's basically everyone's responsibility, but we've given the chief financial officers, who often have a role at the company level, so at your department level, and who often play a horizontal role, a bit of a maintenance role and that responsibility to maintain the internal control system to support the deputy head. As Ralphe pointed out, I find this interesting because in the public service, the majority of our processes are processes transformed with humans. So, if we were in a machine industry, for example, we would see that the production control of, I don't know, a can of paint…

[00:44:14 Split screen: Jocelyne Charron, Ralphe Jabbour, David Vaillancourt, and Isabelle Massé.]

Jocelyne Charron: It changes from one machine to another. So, the control is: have we done the maintenance on the machine? Is the machine broken, or is it lubricated? But because, in the public service, the majority of our transformation is achieved in part through human capital. This is where it becomes important to document your actions. If you conduct a check, we need to ensure that this supplier is legitimate. The supplier's bank account is legitimate. To prevent money from being placed into a bank account that doesn't belong to the right person. Thus, who is responsible for checking, and how is the control documented? So, this is when it becomes a bit complicated because we think: well, it's the narrative. But otherwise, how do we document how public servants work to transform a program and service into something valuable for a Canadian?

So, it's a little different because it's not as tangible. But I think that's perhaps a good way to explain it.

So, I'm now bringing you back with Isabelle and David, we're going to ask them a few questions because they are obviously our experts.

David, how does the risk and compliance process affect your group and do you plan to make any changes?

[00:45:25 David Vaillancourt appears full screen. Text on screen: David Vaillancourt, Director, Internal Controls Division, Canada Revenue Agency.]

David Vaillancourt: Thanks for the question, Jocelyne. Firstly, PRC is a super important process. This is how we evaluate the performance and compliance of agencies, departments, their deputy ministers, and commissioners. This is a very important process and it affects many areas. If I talk about the evolution of the Management Accountability Framework, so the old [inaudible] MAF towards the risk compliance process, the PRC, it was very interesting. We were involved from the start. We have participated in most of the iterations of the pilot project to date. To be honest, at first I had the impression that it was mostly an update with a new name, a new coat of paint to emphasize its importance. But, throughout the discussions, I better understood the realigning and the objectives desired by the PRC.

So, before discussing concrete examples for my group, I think it's important to remember that the PRC has a much broader scope than just financial internal controls. This requires collaboration with several key players in your agencies and departments. I have also noticed increased collaboration between the strategic teams and my internal control team when developing the results. It is therefore a new development. It's happened before, but it's been strengthened.

I will focus a little more on the impact of the PRC from an internal control perspective. Well, like anything new, the first year of the PRC required some adjustments to establish the foundations. In several cases we were already doing a good portion of the activities requested, but we had to evolve our approach. I see it here more as an evolution, not necessarily changes because these are things we were already doing. For example, for the identification of hazards; one was previously done when an environmental analysis was carried out, which mainly fuelled the planning of the assessment of internal controls. Now, we also need to present and share these risks from a strategic perspective for the Agency.

In order to monitor observations, we have made improvements, we have standardized our way of measuring development. This helped to strengthen accountability. For the definitions of levels of risk. They needed to be refined a bit because we wanted to ensure consistency with the objectives of the PRC.

Finally, the assessment of internal controls. We have gone through, in fact, we are in the process of going from a logic of sufficiency to a logic of maturity. So, what I mean by that is that rather than asking whether a control is enough, we are now also working to assess its level of maturity. This fosters continuous improvement.

Obviously, these aspects will continue to evolve as we gain experience; and I also believe that the process will be refined over time to ensure more alignment between departments, between agencies, in the way they respond.

Ultimately, the PRC leads us to think differently. It is no longer just about achieving a sufficient level of control, but about demonstrating maturity, development; about sharing our results more often. This strengthens transparency, stimulates continuous improvement, and above all, demonstrates the added value of our internal control work.

[00:48:17 Split screen: Jocelyne Charron, Ralphe Jabbour, David Vaillancourt, and Isabelle Massé.]

Jocelyne Charron: I like that. Obviously, I think that because there is money involved in everything we do, all our programs and services, we are often financial professionals, the only ones who will bring about horizontal dialogue. Therefore, we must also bring about the discussion of risks, tolerance, and vulnerabilities to the management table. Sometimes we're okay with the risk, but sometimes we tell ourselves: no, we need to do better. We're not comfortable with that. So, we will want to encourage corrective measures. I agree with you.

So, in terms of the discussion, governance, I think there are all some positive benefits to this new risk and compliance process.

Isabelle, how can financial management professionals, and there are many of them here today, inform or influence deputy heads and financial managers regarding the efficiency of internal controls?

[00:49:16 Isabelle Massé appears full screen. Text on screen: Isabelle Massé, Manager, Internal Controls, Indigenous Services Canada.]

Isabelle Massé: Therefore, to inform and influence leaders, you have to speak their language. So, support our messages with data, tying controls to risks. So, if we want to influence them and we emphasize the risks, it will draw their attention, then also to their objectives, and also propose concrete solutions. This will help to influence because we will have already thought about recommendations for senior leaders.

So, to use the data, to try to influence it, is to present trends, risks, dashboards or analyses. Often, just mentioning numbers might not influence senior leaders, but if you show them a visual in a table format, it might influence them. Then, it also goes with the compass. I don't know if I'm using the right term. With the use of technologies, artificial intelligence, and technological tools. So, this will help to influence senior leaders. Telling stories, "storytelling," giving concrete examples. If a control didn't work properly, we can explain, well here's what happened. Because the control was not well documented; there was a deficiency in the way it was carried out. So, if we give a concrete example, it will be able to give them an example to influence them if we also propose solutions afterwards. Then connect the risks. If there is a risk that a control is poorly carried out and there is a risk that it can be identified in a tool, perhaps that will also influence senior leaders.

Therefore, it is up to us, financial management professionals, but also to all employees, to identify if there are shortcomings in internal controls in order to influence senior leaders.

As I mentioned, propose solutions. So, it's important to collaborate with colleagues so that, if there are any shortcomings, we can resolve them, resolve controls, or improve processes. By collaborating within departments, we can also collaborate with other departments to see the best practices that are in place in departments and organizations. If we see good practices being carried out, it will help to influence the decisions of senior leaders. So, here it is.

[00:52:12 Split screen: Jocelyne Charron, Ralphe Jabbour, David Vaillancourt, and Isabelle Massé.]

Jocelyne Charron: I really like the idea of collaborating to help each other increase the level of maturity. I think that's also something we can improve within the community, because it's certain that many of you here today have good ideas and good practices. Perhaps there are also some who are more adept with technology. So, we can even automate some of the internal controls so that it becomes almost "just in time," then we can, basically, focus on perhaps more complex controls or proactive detection, especially since we are perhaps even thinking about fraud.

So, David, how are internal controls integrated into the overall risk management strategy within the organization and also your governance? Is this something that has been added to the mix, or is it something that has been placed at the heart of how your governance is managed at the Revenue Agency?

David Vaillancourt: This is at the heart! This is at the heart. That's for sure.

Jocelyne Charron: This is excellent at the heart!

[00:45:25 David Vaillancourt appears full screen.]

David Vaillancourt: It's obviously a very broad topic because there are multiple risks, it's very complex. For us, it's handled by the internal auditing department. They do this based on the company's risk profile. The best way I could have explained it is: we are specialists in internal control in terms of financial reporting, in financial management. The exercise fits into a [inaudible] collaborative risk management mapping exercise agency-wide where everyone has their specialty. So, IT is involved, HR is involved, I am on the financial side, where, on a regular basis, the audit committees will update this plan quarterly and we do a kind of calibration with them. We make sure that the risks are properly integrated. We also make sure that new risks are identified and that this is updated. We are discussing action plans. It really needs to be seen as a collaborative exercise that allows us to manage the risks in terms of organization.

[00:54:14 Split screen: Jocelyne Charron, Ralphe Jabbour, David Vaillancourt, and Isabelle Massé.]

Jocelyne Charron: Excellent. I agree. Thank you. Ralphe, can you continue, basically, take us to the last few acetates you have left, then we'll bring back specialists in criminal law.

[00:54:31 Split screen: Ralphe Jabbour and slide, as described.]

Ralphe Jabbour: Thank you, Jocelyne.

Our next section. Let's talk a bit about the history, really quick, and then we'll get into some of the evolution of Internal Controls and then maybe some of the emerging trends.

Just to give people a little bit of history, I promise I won't go into the 20 plus year history, but just at a high level for those of you that aren't familiar. All of this started way back in 2003.

Originally, Internal Controls in the Government of Canada focused on Internal Controls over Financial Reporting. That was shaped by legislation and policy developments, such as the Sarbanes-Oxley Act in the US. There was the Ontario Budget Measures and the Federal Accountability Act in Canada. This started around 2002, which was influenced by a lot of things that were going on globally, or mostly in the States, which led to the Federal Accountability Act in 2006.

So, these milestones shaped the approach for Internal Controls. And a lot of these things had something in common. They emphasized the importance of accurate financial statements, accountability, transparency, things that we've talked about so far in this session. But departments were required to assess and report on the effectiveness of their controls around financial reporting.

But our responsibility over time grew, and the scope of Internal Controls started to transition from Internal Controls around financial reporting to Internal Controls over Financial Management, or what we call ICFM. ICFM goes beyond financial reporting. It includes controls around budgeting, forecasting, costing, investment planning, CFO attestation. There's a long list of things. The shift from Internal Controls over Financial Reporting to Internal Controls over Financial Management reflected the broader requirements that any organization, including government departments, had to comply with or work with. On the next slide, please.

[00:57:14 Split screen: Ralphe Jabbour and slide, as described.]

Ralphe Jabbour: What is this evolving scope? I touched on it a little bit, but maybe we talk about this through a quick example. Under Internal Controls over Financial Reporting, for example, departments focused on ensuring that their year-end financial statements are accurate.

The shift to Internal Controls over Financial Management, that same department also now had to look at whether its budgeting and planning process includes appropriate controls, like validating assumptions, reviewing forecasts, ensuring costing methodologies are sound.

In practice, this meant validating not just numbers, but assumptions behind them. For example, the economic forecast or program demand projections became important. It wasn't just about reporting that number that that program is spending in a financial statement. It was, what are the underlying things that led to that calculation of that number?

Another example of this, let's say a team is implementing a new system, whether it's a Gs&Cs system, or whatever system, now they needed to ensure that automated controls within that system align with financial policies, and the IT general controls are in place to protect the data, and the integrity of the data, and the access to the system. So similarly, if they were rolling out a budgeting tool, these IT general controls that are required to verify access control, who has access to the system, in order to prevent unauthorized changes or anyone going into the system and doing things they're not supposed to.

This evolution from ICFR to ICFM meant that Internal Controls were no longer just the responsibility of finance teams – and we touched on this a little bit – they became a shared responsibility across the organization. From a program manager to an IT specialist, to a procurement officer.

I touched a little bit before about the five elements. And the two – the management's tone from the top, and human resources – those shape the control environment. But in addition to this, there's two important things, one being the Entity Level Controls. These set the organizational culture, like leadership promoting honest, clear HR policies.

And then the IT general controls, these ensure systems like payroll and procurement and budgeting are secure, they're accurate, and they support financial management beyond just Internal Controls over Financial Reporting.

So, these Entity Level Controls are, for lack of a better word, the organizational compass. I don't want to overstep and call something else a compass, but not like the competency compass, but more of a moral compass of the organization. Without them, even if you had the strongest IT controls, these could fail. The Entity Level Controls, these are what set the tone and the integrity of the organization.

I know earlier, I think in segment one, I talked about what does this mean to you if you're a Finance, Procurement, Program person. But I think now, after we've talked a little bit about the policies and a little bit more of the theory and the shift, I thought it would be cool to come back and say, now that we've talked about all of these things, what does this really mean if you're a Finance person? This means that there's a stronger integration of controls across all functions. So, budgeting, planning, forecasting, meaning fewer surprises and better data for decision making.

If you're a Program person, this means embedding these controls in the funding process. They lead to faster approvals, reduced risks of making the wrong decisions with having inaccurate data. If you're a Procurement person, this means automated controls and system safeguards to help ensure compliance. Then for people in Internal Audit, I know I touched about this a little bit, but this means shifting the way you do work, so you're not focusing on transactional type testing. It's more strategic.

So, this is what's in it for everybody. I think the message we all were hoping to come across today [is] that Internal Controls are no longer just about preventing errors, they're about enabling the organization. So, as we evolve, every employee and everybody has a role, and you become a steward of integrity, you're more risk-aware, and then it enables the organization to have a better sense and foresight of these risks. And these risks that are emerging in this current environment with technological advancements.

So, this is the message that we were all trying to convey today. But before we move to one last panel discussion, we have a couple more true and false questions.

[01:03:15 Split screen: Ralphe Jabbour and wooclap question slide. Text on screen, as described.]

Ralphe Jabbour: I don't think these ones are skill testing ones, but we'll see.

[01:03:23 Wooclap question slide appears full screen.]

Jocelyne Charron: We're looking at automation and AI to reduce the need for an Internal Control.

[01:03:30 Wooclap results slide appears full screen.]

Jocelyne Charron: We're keeping you busy, at least. Interact with us a little bit. I think, for me, Ralphe, Internal Controls are a way even you could elevate risk in your organization. You can take more bold decisions. If you put, for example, an additional [Inaudible] control, you could put an additional oversight somewhere to make sure that if the risk materializes, you can either roll back, you know how to de-risk a little bit.

So, I think there's actually quite a bit we could do better for Canadians. If we use Internal Control strategically, and if we put the controls in the right area to serve, as well, they can serve us as nice safeguards. And especially if you're looking to experiment a little bit, innovate a little bit, it's unknown for your organization, you don't have strong track records, but those can be done, I think, quite in a safe way without exposing, like Isabelle mentioned about some of the risks, we could expose ourselves to media or public scrutiny, but I think they don't necessarily need to be looked at as a policing function.

[01:04:47 Wooclap question slide appears full screen. Text on screen, as described.]

Jocelyne Charron: So, on the next question, too, about the new Risk and Compliance Process.

It replaces the Management Accountability Framework as the primary tool for assessing Internal Controls and departments.

[01:04:57 Wooclap results slide appears full screen.]

Jocelyne Charron: So, a lot of you, if you've been in government for quite some time, you know the MAF. The MAF is now the new Risk and Compliance Process. We're asking true or false.

If you've been listening....

Ralphe Jabbour: Maybe it's unfair. I was going to say [it's] maybe a little bit of an unfair question because I don't think I talked about it.

But you're right. For those of you that got it, it is replacing the Management Accountability Framework. I think David touched on it earlier. I know I only talked about the Internal Controls part of RCP, but it covers about 11 other areas of focus, from people management, procurement, real property, Gs&Cs, so not just Internal Controls. It's shifting more of assessing maturity in all of those areas.

It has already replaced MAF. It launched this summer, and departments are completing their self-assessments as we speak. They're due, I think, next week to TBS. So, it did replace MAF. But for those of you that didn't get it right, no problem. I didn't really give you a date, so I think it was an unfair question, but that's okay. Now we all know.

[01:06:13 Split screen: Jocelyne Charron, Ralphe Jabbour, David Vaillancourt, and Isabelle Massé.]

Jocelyne Charron: They all know. It's a way for the Treasury Board to shift a little bit to mature because the MAF was done quite a long time ago. And it is self-assessment, so a risk in one department is not the same in another. You may want to emphasize in one area more than another, depending on the nature of your operation and the mandate of your department, so those are why some of the shifts were made.

So, panelists, I need to put them to work. Isabelle, can you describe when we had to shift from the ICFR to ICFM, what that meant for your team, if you had any challenges with that?

[01:06:53 Isabelle Massé appears full screen.]

Isabelle Massé: ICFR was focused on financial reporting, so it was increased work for my teams, but also for business process owners. As Ralphe mentioned, ICFM is focused on financial management, reviewing if the processes are efficient, if there are specific risks that need to be looked at.

So for example, procurement process, if there are any Procurement individuals today, one of the controls that we reviewed this year is the Procurement Management Framework. So, that was not looked at as a part of ICFR, but now ICFM, we reviewed that control to ensure that the framework was revised and approved, as well.

Another example is user access reviews for IT, if there are any IT folks today. So, user access, there's more scrutiny from the Auditor General relating to user access, and we do use more systems. So, system controls, like user access is important, so we've reviewed that control as well. And also for payroll as part of ICFM, it's not only that there are the proper approvals, but for payroll, for example, we ensure that the approvals are timely.

So, some challenges that my team face also is to the documentation. We had to review some processes to ensure that it's not only the financial reporting control, but also some financial management. And also all new processes were documented, like CFO attestation process. So, it took work from the Internal Control teams, but also the process owner that are doing those processes and are the experts in those fields. And all that is to strengthen the overall Internal Control over financial management for the department.

And also, one part of ICFM that is important is also to ensure that the process is consistent and it's efficient, and also that there's less duplication in our processes.

[01:09:22 Split screen: Jocelyne Charron, Ralphe Jabbour, David Vaillancourt, and Isabelle Massé.]

Jocelyne Charron: That makes sense. Through ICFM, we have a bit of a license to go probe and make sure that the things are doing well and effectively, which I think is really important. Because, if not, programs would just be delivering, and the Deputy Heads would have all the accountabilities, and no one is having a bit of that preventative measure. So, very important and a bigger scope as well when we're looking at the ICFM.

David, when we speak of ICFM, we introduced the concept of entity-level control, so sitting at the whole of the organization and ITGC's Internal Controls on IT. How important are those when you look at ICFM?

[01:10:04 David Vaillancourt appears full screen.]

David Vaillancourt: Very important. I'm not sure if it's a perfect analogy, but let's think of control like a house. So, Entity Level Control, ELC, are the foundation of the roof. They set the tone at the top, governance, oversight, value in its code of conduct, training, communication. They create an environment where control can live, can breathe. A strong ELC ensures controls are performed consistently and not weakened by management, external pressure, lack of training, values and ethics, and set the expected behaviour. In other words, they somehow manage [Inaudible] risk of human-driven control and provide the number under which all controls can work efficiently.

Now, let's talk about ITGC, [I'll] keep the house analogy. It's like the plumbing and the electricity of that house. You may not see them in every room, but nothing works without them, from the toaster to the toilet. They safeguard the integrity and reliability of the system by controls like system access provisioning, change management, and computer operation. Weak ITGC can undermine IT-dependent control, even if the design is sound for ICFM and ICFR. This includes automated controls like three-way match. It also includes manual controls that rely on IT like an electronic signature. You can have the smartest automated control in the world, but it's usually as if a system administrator can disable it or change it whenever it's inconvenient.

Let me provide you with a light-hearted example, to make it very visual. Let's go back to my house and toilet analogy. It's not perfect, but please bear with me. It's Friday, and Internal Control is a very fun topic - I will show you. Think of the body's natural process as a control. It requires us to use the toilet on a regular basis. That control depends on the tool, the toilet, which in turn depends on the house plumbing, water flow, the ITGC, to work. If the plumbing fails, the toilet itself still exists, but the control can't be performed as intended, so this is an ITGC issue. The infrastructure is not reliable.

So, now imagine that my child broke an exposed water pipe while playing. So, my control must still happen, and I cannot delay it by much. Sadly, the system, the water, no longer supports it, so in theory, I could perform the control on the floor, which would be unacceptable. Why?

This is where ELC steps in. Thanks to the values instilled by my family: training, communication, values and ethics, reinforced by the tone of the top, my wife, governance, I know I must find an alternative solution that keeps the environment clean with an acceptable standard until the plumbing is fixed.

I'm not sure if that's a fun example to give you an example of ITGC and ELC, how they interact. So, ELC and ITGC together create an environment that allows our control to operate in an effective and dependable manner. They reduce the risk of error, inconsistency, and failure, whether it's caused by the human or system, which make it an essential solution for ICFR and ICFM.

[01:13:05 Split screen: Jocelyne Charron, Ralphe Jabbour, David Vaillancourt, and Isabelle Massé.]

Jocelyne Charron: Very interesting. I love how our whole segment has been about paint and toilets and houses and roofs. I think we're looking at Internal Control as a bit of that architecture that supports a lot of the departments and how to keep it safe and functioning.

I want to touch on one question. We also have some questions from the chat. But Isabelle and David, together, let me know, what are your thoughts about how technology can play to strengthen or weaken Internal Controls? I think that's really important as we look at AI, but as well as we look at how we can become more vulnerable for, for example, hacking.

[01:13:44 Isabelle Massé appears full screen.]

Isabelle Massé: I can start. Technology can help us be more efficient. For example, RPA, Robotic Process Automation, are being implemented in some departments. So, there are efficiencies, but then we have to ensure, like David mentioned, that we have the proper ITGC in place to ensure that we can rely on those efficiencies for Robotic Process Automation.

And also AI, it's the same thing. We need to ensure that we have the controls in place to ensure that we can rely on the output of AI. So, that's the weak side. We need to ensure that we have sufficient and the proper controls in place.

[01:14:39 Split screen: Jocelyne Charron, Ralphe Jabbour, David Vaillancourt, and Isabelle Massé.]

Jocelyne Charron: I agree. I often see, in audit reports, one of the key weaknesses that comes back on ITGC is that we don't remove accesses for employees when they change roles. So, that means that maybe you're letting people with permissions be able to come back and change administrative rights. Those, if we want to maximize the use of the technology, you may have to strengthen who has access when, because you may be heating your house, but all your windows are open in the background without those keys. And that is one that comes back often in audit reports. I'm inviting you to go check your department to audit reports and go see that that ITGC control is coming back as a weakness for your organization.

David, some thoughts from you on how technology can improve, or worsen?

[01:15:28 David Vaillancourt appears full screen.]

David Vaillancourt: I agree with what Isabelle said. To me, I see it as an amplifier. Both with the good and the bad. If it's well managed, it leads to efficiency, stronger control, but there's risk coming with that. Every time you use technology, there's also risk. This is where Internal Controls play a risk because we're here to mitigate that risk and to just keep the good portion of the technology.

So, I think it's key. I think it's also a key message to understand that, as Internal Control, we are often seen as limiting innovation, but we need to change that view because control is not here to limit innovation. In fact, it's here to support it, to secure it, to make sure that the risks are mitigated, to make it a success. Tomorrow, think about it, we're talking about AI, we're talking about automation, RPA, all of that, we're trying to implement that. Our CFO, like Deputy Minister, Commissioner, they will need to demonstrate that that technology is being used in our process and control that is well-mastered, there's proper oversight. We have a role to play with that, and it's central to control. We need to control those new technologies to give that confidence to the public.

So, I think it's very important. We do have an important role to support the transformation of those innovations that will come in the future years. It's a very interesting topic. This is why in the poll, I remember seeing that some people say, Oh, yes. Do you see more control, less control with technology? People were saying, No, I do see the value of control. I believe it will be even more important because we will need to demonstrate the strategy. Yes, very interesting topic.

[01:17:07 Split screen: Jocelyne Charron, Ralphe Jabbour, David Vaillancourt, and Isabelle Massé.]

Jocelyne Charron: I completely agree with you. If you want to accelerate with the technology, then having a few safety belts here and there to give it the assurance and a bit of that echo of what's going on, on the ground. Did we open all our windows, and our back doors are open, or are we still keeping it safe? I think we could do it in a very responsible and accountable way as well. If you look at some of the code of conduct related to a Robotics Process Automation and Artificial Intelligence, you will see that the judgment and the transparency and responsibility are key to making sure that we do it in a safe way, especially as stewards of taxpayers' money.

We have an interesting question in the chat. It touches on what Isabelle and you, David, have mentioned, then I think we're going to leave it to there, but what is the biggest cultural barrier? We talked to these participants today about the importance of Internal Control. But I think, for me, it's a lot about making it relevant for our senior leaders. They kind of see it as an administrative, or maybe like a back office something.

How can you make it relevant? What are those barriers to governance so that we can get the senior leaders to understand the importance of it and maybe play with us a little bit more? What are your thoughts on that? David?

[01:18:33 David Vaillancourt appears full screen.]

David Vaillancourt: Yes. I see two barriers. I agree with you, Jocelyne. Having impactful communication is important. Sometimes it's about positioning what we do because people see control as mostly compliance, but we need to change that. There's value in control. There's a reason why the control is there. Being able to position the topic with senior leaders, make them understand, because they care. Sometimes it's just a matter of how we present it to them. That is the first part, making sure that communication – and we do have a role to play in that. We do need to add that to make it clear what it means.

The other thing I would say, something about resisting change, because I feel that to make Internal Control stronger, we need to evolve them. We are often tempted to keep the old ways. In a time where there's AI, automation and everything, we will need to go out of that comfort zone, and you recreate a new comfort zone with Internal Control. That shift is not an easy one to do. We're often tempted to say, Okay, so now there's that new thing. Then as soon as there's some risk, some problem, we go back to the old ways because we're never finished to keep the old ways.

But I think we have expectation from the citizen that new government needs to mature, and we need to take that step to go to the maturation of how we deliver control with a new set of controls to demonstrate that those new controls are as strong or even stronger.

[01:20:00 Split screen: Jocelyne Charron, Ralphe Jabbour, David Vaillancourt, and Isabelle Massé.]

Jocelyne Charron: I agree with that. Isabelle, any thoughts you want to add on this last question?

[01:20:11 Isabelle Massé appears full screen.]

Isabelle Massé: I think David mentioned most of it, and I think it's to remove the barriers. It's to have those discussions on Internal Control and having open discussions with teams and collaborations, asking questions wherever you are in the organization. Oh, I've seen this checklist. Do we need to have it approved? Does it need to be saved in a certain repository, either GCDocs or SAP? So, having the reflexes to ask questions and having those discussions with the teams.

[01:20:52 Split screen: Jocelyne Charron, Ralphe Jabbour, David Vaillancourt, and Isabelle Massé.]

Jocelyne Charron: I agree, the curiosity part, and to David's point, the storytelling part. I think it's all about the "so what" because we're the masters of these. If you've been in Internal Audit or in Finance, you're taught this at university, but that's our area of expertise. And if you think of senior managers, they most likely don't. So, it's a lot better, that education piece, and the "so what" for them. Why does this matter for them and how does that serve them in their program delivery? So, thank you very much.

We're at the end of our segment. So, we've reached the end of our discussion. I would like to sincerely thank Ralph, Isabelle and David. You did a really great job. You really supported me too. I really appreciated your ideas and your tangible examples. Also, I think we pivoted a little bit to try to make it tangible and use examples that often affect us in our personal lives. A big thank you also to you, the participants across Canada. Everyone participated well today. Thank you very much for being here, and also for being curious. We hope to leave you with something to contemplate so that you can grow and perhaps enhance the role of internal controls within your ministry; or if you are curious, perhaps even touch on a role in internal controls eventually. I would also like to take this opportunity to say a big thank you to my team, because it was my team that organized the segment with the School of Public Service. So, it's a lot of work for them too and I sincerely thank them, because otherwise it wouldn't be possible without them.

[01:22:38 Split screen: Jocelyne Charron and slide, as described.]

Jocelyne Charron: Therefore, we invite you to review the resources section. You will find useful links there, including the presentation we gave today; there are [Inaudible] base links; also links to estimation models and also links to advice on [Inaudible] in the cabinet, or even submissions to the Treasury Board. So, you'll find all sorts of great resources for you specialists. So, I think that is a good way. I would also like to acknowledge that today we have succeeded in understanding internal controls, I think. If we redo the initial survey, we hope to have raised your basic understanding of the importance of internal controls; their role within the organization and even their role in protecting the integrity of the public service. Integrity for Canadians, the transparency we talked about earlier. And also really supporting sound financial management, which is essential. This is also how we seek trust, the trust of parliamentarians and also our Canadians. This allows (candidates) to support the accountability and risk mitigation we've been talking about. We can perhaps take better risks if we have a better internal control system, which is more mature with better collaboration, good governance, as we also talked about earlier.

So, keep listening. We've already talked to you a little bit about this series on the core principles of financial management. So, this is a way for the Office of the Comptroller General to try to address the basic knowledge of our communities. We have another session coming up in December, so on December 11th. We're going to try to see if we can reach an even wider audience than the one we had today. This session will focus on public accounts. The public accounts will possibly be tabled in the House soon. The topic will be just right and we will be able to discuss with public accounts experts, because it is also a very important exercise that touches on the heart of your department's financial information, performance and transparency for Canadians. I invite you to register. We will also share that date and the registration link with your management to ensure that this reaches you.

Just a quick reminder, please feel free to share your comments with us. We hope the session was relevant for you. We invite you to fill out the feedback form to try to help us improve and also see: Did we succeed in making you curious or raising your curiosity and making the session relevant for you today. So, I invite you to fill it out. Take a few minutes. This would please us. This will be relevant for our teams as well.

[01:25:37 Split screen: Jocelyne Charron and slide. Text on slide: Thank you! ]

Jocelyne Charron: Once again, a sincere thank you. I hope it was an interesting session. I think we were agile, we were a little bit… not "transcribed." I told Ralph before we started the session, I said: [TRANSLATION] "We're like Reality TV of internal controls. So, maybe we should have our own YouTube channel." The next event, we'll meet again on December 11th. A sincere thank you to you. I also wish you a lovely weekend, and also a beautiful National Day for Truth and Reconciliation which is coming up on September 30th. Thank you all again. Have a nice rest of the day.

[01:26:16 Animated CSPS logo appears. Text on screen: canada.ca/school-ecole.]

[01:26:21 Canada wordmark appears.]
