Audit of Salaries and Review of Management Action Plans for Hospitality

Internal Audit Report

378-1-267

September 25, 2012

Table of Contents

 

EXECUTIVE SUMMARY

Background

Correctional Service Canada's (CSC) 2011-2014 Risk-Based Audit Plan (RBAP) identified the controls over financial reporting as an area that requires continuous attention and that a continuous audit of various internal controls over financial reporting is to be completed annually. As such, the purpose of this audit was mainly to assess the key controls over financial reporting related to the salary process. Salary expenditures for fiscal year 2011/2012 represented $1.9 billion (73%) out of a total annual departmental operating expense of $2.6 billion.

The objectives were to:

  • assess the adequacy of the management control framework with regard to internal controls over financial reporting for the salary process;
  • assess the adequacy and effectiveness of key internal controls for the salary process related to financial reporting; and
  • ensure that management action plans, in response to past IAS recommendations related to the hospitality process, were being implemented as required.

The audit team analysed financial directives, manuals, guidelines, bulletins, and related information. It conducted site visits to all five regions as well as National Head Quarters (NHQ), to conduct detailed analysis and testing of salary transactions, and interviewed key stakeholders of the salary process.

Conclusion

The audit concluded that overall, the internal controls over the financial reporting in place were adequate and effective to ensure that pay transactions were free of material misstatements; however there are areas for improvement:

  • the roles and responsibilities of financial officers and compensation advisors, related to the verification and validation of pay transactions need to be clarified;
  • the results of the monitoring of key controls performed by the Internal Financial Controls Team (IFCT) should be reported in a more timely manner;
  • controls over the initiation of pay action should be reinforced to ensure timely submission of supporting documentation to compensation advisors;
  • controls over the management of overpayment should be strengthened to ensure effective monitoring and efficient recovery of outstanding amounts.
  • specimen signature cards need to be accurate and easily accessible to compensation advisors.

Recommendations have been made in the report to address these areas for improvement. Management has reviewed and agrees with the findings contained in this report and a Management Action Plan has been developed to address the recommendations (see Annex F).

STATEMENT OF ASSURANCE

This engagement was conducted at a high level of assurance. i

In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed on with management. The opinion is applicable only to the area examined. The evidence was gathered in compliance with Treasury Board policy, directives and standards on internal audit and the procedures used meet the professional standards of the Institute of Internal Auditors. The evidence gathered was sufficient to provide senior management with proof of the opinion derived from the internal audit.

__________________________________ Date: __________________
Sylvie Soucy, CIA
Chief Audit Executive

1.0 INTRODUCTION

Background

In March 2004, the Treasury Board announced its intention to make it mandatory that all departments and agencies produce auditable financial statements, in accordance with generally accepted accounting principles (GAAP) by 2008/2009. In response to the ensuing obligations, Correctional Service Canada's Corporate Services Sector launched the Audited Financial Statement Initiative (now referred to as the Internal Financial Controls Initiative), led by the Internal Financial Controls Team (IFCT) in 2006.

Section 6.8 of the June 1, 2010 TB Policy on Financial Resources Management, Information and Reporting, requires that departments take the necessary measures to sustain a control-based audit of its financial statements in whole or in part.

The TB Policy on Internal Audit, April 1, 2012 requires the Chief Audit Executive to provide assurance over the effectiveness of internal controls. Moreover, the Directive on Internal Auditing in the Government of Canada, April 1, 2012 requires Departmental Audit Committees (DAC) to provide objective advice and recommendations to the deputy head regarding the sufficiency, quality and results of assurance on the adequacy and functioning of the department's risk management, control and governance processes.

Internal Audit Branch Role

In October 2009, CSC's Internal Audit Sector (IAS) made a presentation to the DAC to provide details of the requirements from the new TB Policy on Internal Controls. To meet these requirements, CSC's Corporate Services created an initiative to identify key processes, map out key internal controls over those processes, and to develop and implement monitoring mechanisms. Nineteen processes were identified (see Annex C).

In June 2010, IAS reported on the results of its first round of work for this undertaking, which focused on the adequacy and effectiveness of the key controls for the salary, travel, and allowance for doubtful account processes. The report concluded that with the exception of reporting, CSC has an adequate management control framework for these processes. However, documentation was not always on file to demonstrate that the key controls were being performed.

In June 2010, IAS committed to:

  • continue to assess the implementation of the controls and report to the DAC on progress after internal controls are implemented; and
  • establish a continuous audit function of the internal controls in place in fiscal year 2010-2011 to support the initiative.

In December 2010, the DAC agreed to a two-pronged hybrid approach for the advancement of continuous audit function. Details on this approach can be found in Annex D.

In November 2011, the IAS reported on the results of the audit of the internal control process over the financial reporting of hospitality expenses. The audit found that overall, the hospitality expenses tested were found to be acceptable. That stated, the auditors found that documentation of the internal control process, the level of understanding of TB policy and procedures by budget managers and financial staff as well as the adequacy and effectiveness of key internal controls for the process could be strengthened.

At the same time, the IAS provided an update on the implementation of the approved management actions to address recommendations for the salary and travel internal control processes. As of the time of this latest audit, all actions were completed.

Salary Process

The salary process (Payroll and Personnel Cycle) consists of activities conducted by various groups, including Human Resources (HR), the finance function (at NHQ, regions and sites) and the sub-delegated managers. Within the salary process, financial officers are delegated Financial Administration Act (FAA) Section 33 authorization and managers are sub-delegated FAA Sections 32 and 34 authorization.

Salary expenditures for fiscal year 2011/2012 represented $1.9 billion (73%) out of a total annual departmental operating expense of $2.6 billion.

2.0 AUDIT OBJECTIVES AND SCOPE

2.1 Audit Objectives

The audit objectives were to:

  • assess the adequacy of the management control framework with regard to internal controls over financial reporting for the salary process;
  • assess the adequacy and effectiveness of key internal controls for the salary process related to financial reporting; and
  • ensure that management action plans, in answer to past IAS recommendations related to the hospitality process, are being implemented as required.

Specific criteria related to each of the objectives are included in Annex A.

2.2 Audit Scope

The audit was national in scope and included site visits to all regions where the examination and testing of key controls for the salary process was conducted. A schedule of regional visits is included in Annex B. For audit testing, statistical and judgmental samples were selected for the period of December 1, 2011 to March 31, 2012 for the salary process.

Testing was not conducted on all controls identified in the process, but only those assessed as key by the process owner. Information Technology General Controls (ITGC) were excluded from this audit, as they are not yet documented nor has their design effectiveness been evaluated and tested by IFCT.

Testing of controls was conducted at RHQ in each region and at NHQ (refer to Annex B for a schedule of regional visits). For this work, statistical and judgmental samples were selected for the period of December 1, 2011 to March 31, 2012 for the salary process.

3.0 AUDIT APPROACH AND METHODOLOGY

The approach included site visits to all regions and NHQ, interviews with institutional, regional and NHQ staff, and a review of relevant policies, legislation and documentation. It also included detailed testing of a sample of 307 salary transactions, and detailed analysis of a sample of 691 salary transactions across all regions.

Annex E lists and describes the techniques used to gather evidence and select the samples to complete this audit.

4.0 AUDIT FINDINGS AND RECOMMENDATIONS

4.1 Management Framework for Salaries

4.1.1 Policy and Legislative Framework

We expected to find that CSC financial directives, guides and manuals are in place and consistent with Government of Canada legislation and TB policies and directives. We further expected to find that these documents are communicated to staff.

CSC financial directives, guides and manuals are consistent with Government of Canada legislation, TB policies and directives, and are available to staff.

The audit found that CSC had a suite of financial directives, guides, manuals, instructions and bulletins that are consistent with TB policies and directives. These documents were available to staff on CSC's Infonet, with the exception of the Pay Verification Directive, which was under review by Corporate Services at the time of the audit.

4.1.2 Roles and Responsibilities

We expected to find that CSC roles and responsibilities related to the salary process are defined, documented and communicated.

CSC roles and responsibilities related to the salary process are defined and documented and are available to all groups of staff on the Infonet, however there is room for improvement.

The audit team examined CSC's Payroll and Personnel Cycle, (Section 5.17 of the Financial Control Manual), to identify roles and responsibilities defined for the management of the salary process. The identified roles and responsibilities were then compared to CSC's policy instruments to ensure consistency. Further, the audit team conducted interviews with CSC staff involved with the salary process to determine if their roles and responsibilities were communicated to them.

The audit found that roles and responsibilities were defined and documented and were available to all staff on the Infonet. We also found that roles and responsibilities related to the salary process were further documented in various CSC financial directives, manuals, and national generic work descriptions, all of which were consistent with CSC's Payroll and Personnel Cycle.

The audit also found that roles and responsibilities were communicated to staff formally through policy instruments and informally on the job. 72% (41 out of 57) of interviewees indicated that their roles and responsibilities were communicated on the job, versus 4% (2 out of 57) through policy instruments, with the remaining 24% (14 out of 57) citing both methods.

However, the audit found that roles and responsibilities of financial officers and compensation advisors related to the pay verification process needed to be clarified to reduce the risk that high risk transactions were not verified before processing. We came to that conclusion because the audit found that in a batch of 20 high risk transactions processed, 40% (8 out of 20) were not subjected to a pre-verification prior to authorizing section 33 approval as required. The audit team investigated this situation with financial officers and compensation advisors and came to the conclusion that each group believes the other is responsible for the verification of these transactions.

4.1.3 Training

We expected to find that CSC provides employees with the necessary training, tools, resources, and information to support the discharge of their responsibilities for the salary process.

CSC provides its employees with the necessary training, tools and resources to discharge their day to day duties.

The audit found that 63% (36 out of 57) of staff interviewed believe that the training provided is sufficient to enable them to perform their day-to-day duties. Further, 83% (47 out of 57) indicated that knowledge transfer to new employees is typically done through on-the-job training.

More specifically, the audit also found that training is mostly on-the-job for finance officers, while compensation and human resources were required to complete online and in-class training provided by Canada School of Public Service and Public Works and Government Services Canada (PWGSC).

4.1.4 Monitoring and Reporting

We expected to find that key controls, as identified by IFCT are tested on a regular basis, that testing results are reported by IFCT, that improvements are identified, and that changes were made and reported when necessary.

Key controls as identified by IFCT are tested on a regular basis, however reporting on results is not performed in a timely manner.

The audit team examined documentation and conducted interviews with staff to determine if monitoring of key controls for pay transactions occurred, was documented, reported and if improvements were identified and implemented as required.

The audit found that monitoring and reporting requirements and process were partially defined in CSC's Pay Verification Directive (FM-2008-01) and the controls around the process were further defined in CSC's Internal Financial Controls Manual, Section 5.17 (Payroll and Personnel Cycle). The documentation includes direction on the sampling methodology and approach used for testing; however, it did not provide guidance on how results from the testing are to be reported, the frequency of reporting, and how identified issues will be addressed.

The audit team found that IFCT produced monthly sampling plans that include medium and high risk transactions, which were being sent to each region to be completed. Results of the testing were communicated back to IFCT.

For medium-risk pay transactions, Regional Comptrollers provided completed error logs to the IFCT, which contained confirmations that errors identified through the post-payment verification process had been or were being corrected. IFCT reviewed the error logs to ensure that all errors had been or were in the process of being corrected. IFCT also prepared a consolidated national report of all the results from the post-payment verification, where systemic issues were also reported and action plans to address these issues were presented. The report is normally produced on a quarterly and annual basis, but for 2011-12, the report showing the results for the first three quarters is scheduled to be released in September 2012. As a result, the remediation of systemic issues identified during the testing of medium-risk pay transactions has been delayed.

For high risk transactions, IFCT tested the operating effectiveness of the pre-payment verification of high-risk pay transactions. They concluded that the control was ineffective due mainly to a lack of proper documentation. The report on these findings is in working draft and has yet to be shared with process owners involved, such as the Regional Comptrollers and Human Resources Management. Therefore, the implementation of the remediation plan to begin corrective actions was pending.

The audit found that although testing had been performed, the reporting that would allow errors to be known and corrective action to take place is slow.

CONCLUSION:

The audit found that CSC financial directives, guides and manuals were consistent with Government of Canada legislation and TB policies and directives and were available to staff. Roles and responsibilities were defined and documented. Tools, resources and information to support the discharge of duties were available to CSC employees.

The audit also found limited guidance and direction on the pay verification process under S34 of the FAA which may increase the risk of processing non-authorized transaction.

The audit also found that monitoring was performed; however, reporting was not performed in an appropriate timeframe and delayed the remediation of issues identified.


Recommendation 1 1
The Assistant Commissioner Human Resources Management (ACHRM) and the Assistant Commissioner Corporate Services (ACCS) should ensure that guidance and directives are effectively communicated to financial officers and compensation advisors on their respective roles and responsibilities related to the verification and validation of pay transactions. Moreover, the Assistant Commissioner Corporate Services should review the bulk transaction process, as per 4.2.2, to reduce the risk associated with processing high risk transactions without pre-verification.

Recommendation 2 2
The Assistant Commissioner Corporate Services should ensure that results of compliance reviews and operational effectiveness testing are reported in a timely manner to address issues indentified.

4.2 Adequacy and effectiveness of internal controls related to financial reporting

The audit team performed detailed testing of 307 pay transactions (statistic sample) and the analysis of 691 pay transactions (judgmental sample) processed during the period between December 2011 and March 2012. The broad objective of the testing was to identify whether or not controls were being performed as intended to ensure that transactions were properly and accurately processed.

4.2.1 Existence, Occurrence, and Completeness

We expected to find that the controls in place ensured that all salary transactions were recorded in the Salary Management System (SMS) and the Internal Financial Material Management System (IFMMS) in a timely manner and in the period in which they were incurred. Specifically, we expected to find that all transactions processed and recorded during the period represented events that actually occurred during the period, and all transactions which occurred during that period were recorded.

The controls in place do not ensure that all salary related expenses are recorded in SMS and IFMMS in a timely manner or in the period in which they were incurred.

As a result of the detailed testing of the statistical sample, the audit team found that all transactions were recorded in both SMS and IFMMS in a timely manner and in the period in which they were incurred.

However, while analysing the population of salary expenses between December 1, 2011 and March 31, 2012, the audit team found that 3.4% (17,931 out of 535,186) of the pay transactions were negative amounts, totalling $5.5 million. These negative transactions represented amounts that were recovered, or were to be recovered due to over-payments. The audit team examined 95 negative pay transactions as part of the judgmental sample, which were recoveries of overpayments that occurred in previous fiscal years. Chiefs of Compensation interviewed indicated that those overpayments were the result of delegated managers not submitting pay action documentation to compensation in a timely manner.

As these expenses were not captured and not recorded within the appropriate timeframe, there is a risk that this may lead to incidents of overpayment and overstatement of salary expenses.

The audit also found that there were no formal procedures or mechanisms in place to centralize, track and proceed with the collection of salary overpayments. In our audit sample, we found that 2 of the 17 transactions analysed were unrecoverable; one employee declared bankruptcy and one is no longer employee of CSC.

With the upcoming transfer of CSC's compensation function to the PWGSC Center of Expertise in Miramichi (New Brunswick), the timely submission of pay transactions is even more critical to ensure that payments are accurate in order to reduce the risk of overpayments and potentially challenging recoveries.

4.2.2 Authorization

We expected to find that salary transactions were authorized by individuals with the appropriate delegated financial authority, that compensation advisors verified the validity of the transaction and the supporting documentation.

Overall key controls were working as intended; however, there was a lack of documentation supporting the verification process.

As a result of the work performed, the audit team found that 20% (61 out of 307) of the transactions examined did not have evidence to support compensation advisors verification and validation of section 34 under the FAA. For the remaining 80%, even if compensation advisor's initials and dates were available on the supporting documentation, there was no evidence that they validated section 34 against the specimen signature card.

The audit team also found there was no centralized or standardized approach for the management of specimen signature cards (SSC) across all regions. Each region maintains its own SSC's on their respective shared drive and compensation advisors indicated that they often do not have access to these electronic files.

The result of the statistical sample reviewed indicated that supporting documentation could be significantly improved. Forty seven percent (145 out of 307) of the transactions reviewed were missing evidence to support the verification performed, such as calculation templates for severance pay and acting pay, Regional Pay System print screens, etc.

To ascertain whether this lack of documentation was indicative of errors in pay transactions, the audit team performed a calculation of those transactions where documentation was lacking and no errors were found.

Still, a concern exist in relation to high-risk transaction as indicated in section 4.1.2, given the lack of clarity around the roles and responsibilities of financial officers and compensation advisors along with processing of bulk (batches) pay transactions. This increases the risk of processing high-risk transactions without any pre-verification of proper approval.

4.2.3 Valuation, Accuracy, Presentation and Disclosure

We expected to find that the controls in place ensure that all transactions were properly coded, mathematically accurate, described, sorted and classified.

The audit found that 100% (307 out 307) of transactions tested were mathematically accurate, properly coded, sorted and classified with appropriate descriptions.

CONCLUSION:

Although key controls over financial reporting for the salary process are working as intended to ensure the appropriateness of the pay expenses, the audit found some key controls were not working as intended to ensure that all transactions are recorded in a timely manner. The audit also found that there was lack of documentation to support the pay action verification.


Recommendation 3 3
The ACHRM should reinforce the controls in place to ensure the timely submission for processing of pay actions; and implement a formal mechanism to ensure the monitoring and collection of salary overpayments.

Recommendation 4 4
The ACCS should improve mechanisms in place to manage the specimen signature cards including access to the system by compensation advisors to adequately perform the verification and validation of section 34 of the FAA.

4.3 Follow-up on Recommendations from the Audit of Hospitality

The objective of the follow-up on the recommendations from the audit of hospitality was to assess the progress that Corporate Services has made in implementing their action plans related to the audit recommendations.

At the time of the audit, Corporate Services had implemented 60% (6 of 10) of the proposed actions. The remaining four actions are progressing (planned to be completed by November 2012).

The audit team performed a detailed review of the documentation and evidence provided by Corporate Services to determine whether or not the management action plan as presented to the audit committee in November 29, 2011, was implemented as intended.

The audit found that:

Recommendation 1

ACCS should augment the current communication strategy so as to effectively disseminate information on hospitality expenses, in particular to budget managers and financial specialists. A system of regular reminders should be implemented to ensure that CSC employees are cognizant of the regulations in place and the need to follow most recent directives.

Status

Management initially proposed five actions in response to the recommendation. At the time of the audit, four actions that related to updating and communicating the Hospitality Policy were completed. The completion of the other action related to the following was delayed: (1) review the Financial Directive on Verification of Hospitality Expenditures to ensure consistency with new policy including requirements for supporting documentation. This action is due for completion in November 2012.

Recommendation 2

Corporate Services should take the necessary steps to empower financial officers with the means to hold payment of non-supported claims and provide financial officers with an escalation mechanism to use where appropriate.

Status

Management initially proposed two actions in response to the recommendation. At the time of the audit, those two actions, relating the responsibilities of finance officers "challenge function", were implemented.

Recommendation 3

All hospitality expenses must be pre-approved and therefore, any approvals provided after the fact should be done by exception and supported by substantial, written justifications.

Status

Management initially proposed one action in response to the recommendation. At the time of the audit, the completion of this action was outstanding. It related to revising the Financial Directive on Verification of Hospitality Expenditures to reinforce the requirement to pre-approve all hospitality expenses. The completion date is November 2012.

Recommendation 4

Corporate Services should clarify circumstances under which hospitality expenses of EX-04 and above positions are to be identified and disclosed in accordance with the TB policy on proactive disclosure and institute controls to ensure completeness of disclosures.

Status

Management initially proposed two actions in response to the recommendation. At the time of the audit, the completion of the two actions related to the following were outstanding: (1) surveying best practices and seeking clarification from TB regarding communication strategy regarding the proactive disclosure of hospitality expenses; and (2) formally documenting CSC's process and timelines for quarterly proactive disclosure, including senior executive sign-off on what will be disclosed. Both outstanding actions have completion dates of November 2012.

5.0 OVERALL CONCLUSION

The audit concluded that overall, the internal controls over the financial reporting in place were adequate and effective to ensure that pay transactions were free of material misstatements, however, there are areas for improvement:

  • the roles and responsibilities of financial officers and compensation advisors, related to the verification and validation of pay transactions need to be clarified;
  • the results of the monitoring of key controls performed by the Internal Financial Controls Team (IFCT) should be reported in a more timely manner;
  • controls over the initiation of pay action should be reinforced to ensure timely submission of supporting documentation to compensation advisors;
  • controls over the management of overpayment should be strengthened to ensure and effective monitoring and efficient recovery of outstanding amounts; and
  • specimen signature cards need to be accurate and easily accessible to compensation advisors.

ANNEX A

AUDIT OBJECTIVES AND CRITERIA

OBJECTIVES CRITERIA
1. Assess the adequacy of the management control framework with regard to internal controls over financial reporting for the salary process. 1.1 Policy Framework:
  • CSC manuals, financial directives and guidelines in place are consistent with TB policies, Acts and different legislation and applicable collective agreements as they relate to the salary process; and
  • CSC policies and directives related to the salary process are communicated in a timely manner.
1.2 CSC roles and responsibilities in relation to the salary process are defined, documented and communicated.
1.3 CSC provides employees with the necessary training, tools, resources and information to support the discharge of their responsibilities in this area.
1.4 Monitoring and reporting is adequate and effective:
  • Key controls as identified by IFCT (internal financial control team) are tested on a regular basis;
  • Testing results are reported by IFCT as required;
  • Improvements are identified by process owner; and
  • Changes are made and reported when necessary by the process owner.
2. Assess the adequacy and effectiveness of specific internal controls for the salary process related to financial reporting. 2.1 Existence / Occurrence - Transactions are timely, recorded in the SMS and IFMMS systems and represent events that actually occurred during the audited period.
2.2 Completeness - All transactions which actually occurred during the audited period are recorded.
2.3 Authorization - All salary transactions (including overtime and other benefits) are authorized by persons with the appropriate delegated financial authorities.
2.4 Valuation & Accuracy - All transactions are properly coded and mathematically accurate.
2.5 Presentation / Disclosure – All transactions are properly described, sorted and classified.
3. Ensure that management action plans, in answer to past IAS recommendations related to the salary process, are being implemented as required. 3.1 Implementation of management action plans:
  • Actions are taken to address the recommendations;
  • Deliverables to demonstrate the completion of the actions are obtained;
  • Actions to fully address the recommendations are completed within the initially proposed or formally revised timelines.

ANNEX B

LOCATION OF SITE EXAMINATIONS

The following table provides details of the regional offices and institutions visited during the audit. Testing was conducted on-site, and interviews were conducted both on-site and via videoconference.

REGIONS LOCATION
NHQ
  • NHQ Finance (Payroll)
  • NHQ Corporate
Atlantic
  • Regional Headquarters
Quebec
  • Regional Headquarters
Ontario
  • Regional Headquarters
Prairies
  • Regional Headquarters
Pacific
  • Regional Headquarters

ANNEX C

LIST OF INTERNAL CONTROL PROCESSES

The following table provides the status of the implementation of the internal control processes.

Control Level Document Design
Effectiveness>
Operating
Effectiveness
On-going
monitoring
CSC's Assessment Plan for Subsequent Years
Entity-level controls
(including Budgeting and
Forecasting process)
2012-2013 2013-2014 2014-2015 TBD*
Information Technology General Controls
IFFMS 2012-2013 2013-2014 2014-2015 TBD*
Business Processes
Salaries (all key controls) Completed Completed 2012-2013 TBD*
Travel Completed Completed 2012-2013 2013-2014
Hospitality Completed Completed 2012-2013 2013-2014
CSC /CORCAN
Intradepartmental Transactions
Completed Completed 2013-2014 2014-2015
Departmental
Bank Accounts
Completed Completed Completed TBD*
Interdepartmental
Settlements
2012-2013 2012-2013 2013-2014 2014-2015
Procurement/Contracting 2012-2013 2012-2013 2013-2014 TBD*
Payables/Payments 2012-2013 2012-2013 2013-2014 TBD*
Tangible Capital Assets 2012-2013 2013-2014 2013-2014 TBD*
Amortization 2012-2013 2013-2014 2014-2015 TBD*
Financial Statement close 2012-2013 2013-2014 2014-2015 TBD*
Inmate Trust Fund 2014-2015 2014-2015 2015-2016 TBD*
Inventory 2013-2014 2013-2014 2014-2015 TBD*
Assets Under Construction 2012-2013 2013-2014 2013-2014 TBD*
Reconciliations / GL Adjustments 2012-2013 2013-2014 2014-2015 TBD*
Sales/Receivables/Receipts 2013-2014 2014-2015 2014-2015 TBD*
Allowance for doubtful Accounts Completed Completed Completed 2012-2013
Contingent Liabilities 2013-2014 2014-2015 2014-2015 TBD*
Environmental Liabilities 2014-2015 2014-2015 2015-2016 TBD*
FMMS – Integrated Financial and Material Management System
*TBD – To be determined

ANNEX D

APPROACH TO CONTINUOUS AUDIT FUNCTION

When the monitoring plan for a process has not yet been developed, Corporate Services management remains responsible for the process description, risk assessment, and identification of key controls. IAS will be responsible for testing the accuracy, adequacy and effectiveness of the monitoring being performed by Corporate Services management and will recommend improvements as required. IAS will also review the process description and identification of key controls before the process is released. However, no form of assurance on the completeness and adequacy of key controls will be provided at this point. After a certain transition period, IAS will develop the monitoring plan and execute tests of controls. Test results identifying key control weaknesses will be shared with management for remediation. The monitoring plan will then be transferred to management for continuous monitoring implementation.

When the monitoring plan is already developed by management (as was the case with Salaries, Travel, Allowances for Doubtful Account), IAS assesses the accuracy, adequacy and effectiveness of the monitoring plan performed by Management. For those processes where the monitoring plan is developed but not yet implemented, IAS performs the original round of key control testing. The monitoring plan is then transferred to the IFC team for continuous monitoring implementation and IAS continuously look at the accuracy, adequacy and effectiveness of the monitoring plan performed by Corporate Services.


ANNEX E

AUDIT APPROACH AND SAMPLING METHODOLOGY

The audit work was carried out in three phases as outlined below.

Planning Phase:

  • The audit team examined process documentation and risk assessments and conducted interviews with IFCT, finance, and compensation staff at both NHQ and Regional Headquarters (RHQ);
  • Test plans (including tests, methodology and procedures) and tools were developed based on the salary process described in the CSC Internal Financial Control Manual; and
  • The audit team used IDEA (statistical software), to perform preliminary analytical procedures to identify possible exception scenarios and to establish samples.

Examination Phase:

  • Testing of controls was conducted at RHQ in each region and at NHQ (refer to Annex B for a schedule of regional visits). For this work, statistical and judgmental samples were selected for the period of December 1, 2011 to March 31, 2012 for the salary process.

Reporting Phase:

  • Final report to be tabled at the DAC meeting on September 25, 2012.

Sample Methodology

The sample was selected using an attribute sampling approach and the professional judgment of the audit team. This allowed for the consideration of the nature of the internal controls based on the following factors 5 :

  • an assessment of the risk associated with the internal controls: high, medium or low;
  • whether the control is manual or automated; and
  • the control frequency: annual, quarterly, monthly, daily or ad hoc.

Based on those criteria and professional judgement of the audit team, the statistical sample size was 307 transactions.

The audit team also performed preliminary analytical procedures on the total population of salary related transactions from December 1, 2011 to March 31, 2012 to look for unusual transactions. The following types of transactions were identified:

  1. Employees with duplicate Personal Record Identifier (PRI)
  2. Employees with the same name and two separate PRI's
  3. Excessive amount paid for overtime transactions
  4. Negative regular pay amounts
  5. Multiple severance payments
  6. More than nine regular pay transactions during the audit period
  7. Penological factor allowance payments exceeding the limit as per the collective agreements
  8. Excessive amount paid in lieu of leave

Based on these scenarios, an additional sample of 691 transactions was identified using professional judgement to identify unusual transactions.

ANNEX F

Continuous Audit of the Implementation of Internal Controls over Financial Reporting
Audit of Salaries and Review of Management Action Plans for Hospitality
Managment Action Plan (MAP)

Recommendation: Recommendation 16

The Assistant Commissioner Human Resources Management (ACHRM ) and the Assistant Commissioner Corporate Services (ACCS) should ensure that guidance and directives are effectively communicated to financial officers and compensation advisors on their respective roles and responsibilities related to the verification and validation of pay transactions. Moreover, the Assistant Commissioner Corporate Services should review the bulk transaction process, as per 4.2.2, to reduce the risk associated with processing high risk transactions without pre-verification.
Management Response / Position: ___Accepted __________ Accepted in Part __________ Rejected
Action(s) Deliverable(s) Approach Accountability Timeline for Implementation

What action(s) has / will be taken to address this recommendation?

Expected deliverable(s) / indicator(s) to demonstrate the completion of the action(s)

How does this approach address the recommendation?

Who is responsible for implementing this action(s)?

When will action(s) be completed to fully address the recommendation?

Corporate Compensation will develop and distribute internal procedures, in consultation with the regional compensation offices, relating to the consistent application of the compensation transaction peer verification process that are in line with the TBS Pay Administration Control Framework.

Internal procedures have been completed and issued to all compensation advisors.

Provides, to all compensation advisors, written procedures relating to the verification and validation of pay transactions.

ACHRM

2012-12-31

Corporate Compensation will communicate with all regions and require that the Compensation Verifiers at CSC undergo the Delegation of Financial Signing Authority training for Section 34 of the Financial Administration Act. The Compensation Verifiers will also be required to complete specimen signature cards (SSC ) which will then be recorded in CSC's Specimen Signature Database.

Compensation Pay Verifiers will have successfully completed the Delegation of Financial Signing Authority training and have completed SSC `s. Training will have been provided by Finance.

Compensation Pay Verifiers will have received formal training on their responsibilities for performing section 34 of the FAA verification for pay transactions.

ACHRM and ACCS

2013-03-31


Recommendation: Recommendation 27

The Assistant Commissioner Corporate Services should ensure that results of compliance reviews and operational effectiveness testing are reported in a timely manner to address issues identified.
Management Response / Position: ___Accepted __________ Accepted in Part __________ Rejected
Action(s) Deliverable(s) Approach Accountability Timeline for Implementation

What action(s) has / will be taken to address this recommendation?

Expected deliverable(s) / indicator(s) to demonstrate the completion of the action(s)

How does this approach address the recommendation?

Who is responsible for implementing this action(s)?

When will action(s) be completed to fully address the recommendation?

The Comptroller`s Branch will ensure that testing results are issued to process owners and management within a period of three months following testing completion.

Process owners and management receive testing results within three months following testing completion.

Establishing deadlines will ensure timely reporting of issues identified during compliance reviews and operational testing.

ACCS

2013-03-31


Recommendation: Recommendation 38

The ACHRM should reinforce the controls in place to ensure the timely submission for processing of pay actions; and implement a formal mechanism to ensure the monitoring and collection of salary overpayments.
Management Response / Position: ___ Accepted __________ Accepted in Part __________Rejected
Action(s) Deliverable(s) Approach Accountability Timeline for Implementation

What action(s) has / will be taken to address this recommendation?

Expected deliverable(s) / indicator(s) to demonstrate the completion of the action(s)

How does this approach address the recommendation?

Who is responsible for implementing this action(s)?

When will action(s) be completed to fully address the recommendation?

Corporate Compensation and Finance will review the current process of monitoring and following up on salary overpayments focusing on the roles and responsibilities of each respective group. Following this review, standard operating procedures will be issued to all Compensation Advisors and Finance staff involved in the process at CSC.

Completion and distribution of standard operating procedures for salary overpayments that ensure that regular monitoring and follow-ups are performed at CSC.

Compensation Advisors and Finance staff involved in the salary overpayment process are aware of their roles and responsibilities relating to monitoring and following-up with employees (and employees who have left the department) for any outstanding overpayments.

ACHRM and ACCS

2013-03-31

ACHRM will issue a memorandum reminding all managers at CSC of the importance of submitting all documents and duly completed forms relating to Leaves without Pay to Compensation in a timely manner. A monitoring process will also be established to report on its application. This will allow Compensation the time to process the leave in a timely fashion and avoid any overpayments.

Memorandum to all managers at CSC stressing the importance of submitting to Compensation, in a timely fashion, all documents relating to Leaves without Pay. A monitoring process will be in place.

Managers at CSC will be aware of the importance of submitting documents to Compensation in a timely manner to avoid situations of salary overpayments.

ACHRM

2012-12-31


Recommendation: Recommendation 49

The ACCS should improve mechanisms in place to manage the specimen signature cards including access to the system by compensation advisors to adequately perform the verification and validation of section 34 of the FAA.
Management Response / Position: ___ Accepted __________ Accepted in Part __________ Rejected
Action(s) Deliverable(s) Approach Accountability Timeline for Implementation

What action(s) has / will be taken to address this recommendation?

Expected deliverable(s) / indicator(s) to demonstrate the completion of the action(s)

How does this approach address the recommendation?

Who is responsible for implementing this action(s)?

When will action(s) be completed to fully address the recommendation?

Measures will be taken to ensure that all Compensation Advisors have access to their respective regional Specimen Signature Cards (SSC). As part of those measures, the Comptroller`s Branch will be coordinating the development of a national standard electronic SSC database that will contain all Specimen Signature Cards. The development of this database will coincide with the new Financial Signing Authority Matrix which is scheduled to be released within the next 6 months.

All Compensation Advisors will have access to all Specimen Signature Cards for their respective regions. Data will be up-to-date and available in a timely manner.

Ensures that all Compensation Advisors have access to their respective region`s Specimen Signature Cards.

ACCS

2013-03-31

i Amendment made on June 10, 2013 to reflect proper assurance level.

1 Recommendation requires management's attention, oversight and monitoring.

2 Recommendation requires management's attention, oversight and monitoring.

3 Recommendation requires management’s immediate attention, oversight and monitoring.

4 Recommendation requires management's attention, oversight and monitoring.

5 As per Canadian Audit Standards CAS 330 - The Auditor's Responses to Assessed Risks, the audit team developed this guide based on industry standards and audit team experience.

6 Recommendation requires management's attention, oversight and monitoring.

7 Recommendation requires management's attention, oversight and monitoring.

8 Recommendation requires management’s immediate attention, oversight and monitoring.

9 Recommendation requires management's attention, oversight and monitoring.