Continuous Auditing of Key Controls Annual Report for 2015-16
Natural Resources Canada
Presented to the Departmental Audit Committee (DAC)
September 22, 2016
Continuous auditing provides ongoing assurance on specific management processes and controls to enable more timely insight into possible risk and control issues. It enables the provision of findings to management on key controls related to financial and non-financial processes in a timely manner. The combined coverage of our continuous and regular audit activities provides adequate coverage of the department’s key processes and controls. During the annual Risk-Based Audit Planning exercise consideration is given to whether a continuous or regular audit is the most effective approach for providing assurance.
Continuous auditing provides management with near real-time audit results on the effectiveness and efficiency of key controls on related transactions. As such, continuous audits can significantly enhance the internal control processes and frameworks within an organization. They differ from traditional audits which tend to be more comprehensive in terms of their scope. On an annual basis all continuous audit activities undertaken by Natural Resources Canada’s (NRCan) Audit Branch (AB) are formally reported through this annual assurance report on key controls. It presents the results of the continuous auditing activities undertaken by the AB on transactions recorded in fiscal year 2015-16.
Accomplishments This Year
With support from the Deputy Minister, Senior Management, and the Departmental Audit Committee (DAC), the AB continued to provide effective and sustainable continuous auditing capacity for NRCan in 2015-16.
The continuous audit activities conducted in 2015-16 focused on identifying potential control issues related to specific processes identified in the Deputy-approved Risk-Based Audit Plan. Accordingly, the following two areas were assessed via continuous auditing in 2015-16:
- Personal Information Management; and
- Contracting and Supplier Payments.
Continuous Audit activities also included Pay; however, as control deficiencies identified in last year’s Continuous Audit of Pay continued to exist in this area, the Audit Branch replaced the audit with a comprehensive process mapping exercise to support management in establishing an adequate and more robust control framework related to pay.
Based on the continuous audit work that was completed in 2015-16, the AB was able to provide timely advice to senior management and the DAC on the functioning of the key controls associated with these areas. Findings and recommendations resulting from the continuous audits were provided to management, in order to assist them with improving existing control mechanisms. These findings and recommendations were also presented to the DAC along with the associated management responses and action plans.
In addition to our continuous audit activities, NRCan ’s management was engaged in continuous monitoring in accordance with the Treasury Board’s (TB’s) Policy on Internal Controls. The combined efforts by both the AB and management have resulted in improvements to control processes and the correction of any identified errors.
The objective was to provide reasonable assurance that key controls were in place for the Personal Information Management and Contracting and Supplier Payments processes, and that these key controls were working as intended.
The scope of the two continuous audit activities was:
- For Personal Information Management, the period under review was April 1, 2014 – August 31 2015.
- For Contracting and Supplier Payments, period under review was April 1, 2015 – December 31, 2015.
The key controls assessed for each process is provided in Appendix A Audit Criteria.
A risk-based approach was used in identifying which transactional processes would most benefit from a continuous audit in 2015-16. As a result of our annual risk-based audit planning exercise, the three processes above were selected for audit, in consideration of the following inherent risks:
- Risk of potential non-compliance with government legislation, policies, and directives which may result in the revocation of certain delegated departmental financial authorities by the Treasury Board Secretariat;
- Risk of loss of public money/public confidence: The management of contracting and safeguarding of personal information are often indicators of a department’s prudence and probity in their management of public funds and sensitive information;
- Risk of possible errors, issues, and omissions associated with these types of transactions which may result in inaccurate and/or a loss of valuable information; and,
- Risk of inadequate documentation to support decisions made during the contracting process could result in the Department not being able to demonstrate that it has a fair and transparent contracting process.
Key Findings and Recommendations
The following summarizes the findings and conclusions for each of the two continuous audits completed in 2015-16, as well as a summary of activities undertaken by the Audit Branch with regards to the Pay Process.
Personal Information Management
Overall, key departmental controls tested during the audit for personal information management are in place and are working as intended. Specifically, the Privacy Management Framework (PMF) in place is adequately designed and key controls tested are being implemented. A particularly good practice is the existence and implementation of a PMF which outlines concrete activities to support effective management of personal information.
In addition, the audit branch consulted with central agencies who confirmed that the Department’s PMF is a good practice and found to be robust in comparison to NRCan ’s personal information management needs, considering that the Department collects a minimal amount of personal information, mostly related to human resources.
The audit found sound practices in place and that the minimal privacy issues that occurred in the past few years were well managed and addressed in a timely manner. There were; however, some minor opportunities for improvement. Specifically:
- Conducting periodic reviews to the PMF to further enhance the framework by ensuring consistency of terminology used and clarifying accountabilities;
- Adopting a more cost-effective and risk-based approach to the delivery of PMF training rather than providing training to 100% of NRCan staff; and updating privacy-related training and tools on the Department’s internal website;
- Verifying that follow-up is conducted systematically to ensure that all Sectors have completed their annual PIB reviews; and
- Ensuring the process to report privacy breaches enables timely proactive reporting to central agencies.
Contracting and Supplier Payments
This continuous audit found that, overall, key controls were in place and operating as intended with respect to the contracts reviewed and their related payments. In particular, the continuous audit noted improvements since last year’s Continuous Audit with regards to documentation of contracting files, as well as systematic post-payment quality assurance verification of financial terms and conditions of contracts against paid invoices.
The audit confirmed that invoices were reviewed and approved by individuals with appropriate delegated authority (as per Financial Administration Act [FAA] section 34) and that transaction payments were approved by individuals with appropriate delegated authority (as per FAA section 33). In addition, a continuous monitoring program continued to be in place which periodically reviews, on a sample basis, payments issued as a result of a contract.
Other good practices that form part of the control framework noted by the audit included:
- A Procurement Review Board (PRB), which plays a key role in assessing and mitigating risks associated with NRCan procurement and contracting activities. Of interest to this continuous audit is the PRB’s responsibility to review, for recommendation or modification, any procurement strategy for all non-competitive (sole source) goods or services requirements over $25,000.
- The NRCan eProcurement system, which is used to initiate most NRCan contract requests. This eProcurement tool allows individuals to purchase and track procurement needs online and from anywhere. Once the appropriate approvals are completed on-line, a procurement specialist executes the request after reviewing the documents that are attached to the request. This tool is a repository for key documents, which is important prior to any contract being issued, and it reduces data input errors.
The audit identified a minor opportunity for improvement to better align the review for certain transactions and the post-payment quality assurance review of low risk transactions to eliminate possible redundancies. In addition, due to an issue regarding extended leave and unavailable resources, quality assurance activities on contracting had not always been completed in a timely manner. Now that the position has been filled on a full-time basis we believe the risk will be mitigated and that quality assurance activities will resume as scheduled.
The Government of Canada’s Consolidation of Pay Services Initiative has resulted in significant changes over the past few years with regards to the management of pay and benefits at NRCan . One major change resulting from the pay consolidation process is that all pay action requests are now processed by the Public Services and Procurement Canada (PSPC) Pay Centre, which has limited NRCan ’s role to initiating a pay action request and verifying that it has been approved by an individual with the appropriate delegated authority. In February 2016, additional changes were made related to pay with the launch of Phoenix, PWGSC’s new government-wide pay system.
The 2014-15 Continuous Audit of Pay found that significant improvements were required to ensure a more robust control framework was in place at NRCan for pay transactions. There were several key areas for improvement identified, most notably regarding controls to ensure timeliness of processing and/or accuracy of the resulting payment calculations. The audit noted, at the time, that considering NRCan’s reliance on the PSPC Pay Centre to process pay action requests, issues related to timeliness of processing and/or accuracy of the resulting payment calculations could exist regardless of whether NRCan-specific initiation controls were functioning as intended.
In the planning phase of the 2015-16 Continuous Audit of Pay, the audit team found that control deficiencies with regards to timely and accurate pay transactions continued to exist, particularly for employees with changes to their schedules including those on leave without pay, parental leave or on part-time schedules. NRCan internal control process descriptions and related process maps for pay were out-of-date, as they did not reflect recent changes related to the launch of Phoenix a new government wide pay system. This information is critical in determining whether appropriate controls are in place and to identify possible control gaps, which further exposes the Department to possible errors in accuracy and timeliness of pay transactions. During the planning phase, management had also advised the audit team that they had identified a high number of employees who had potentially been overpaid since changes to the pay system took effect in 2012. These challenges were further compounded with the launch of Phoenix in February 2016. The PSPC has recently created a satellite office in Gatineau, which was announced in June 2016, with the intention of addressing these issues.
Within that context, the audit team determined that limited value would be achieved by investing resources to confirm that known control deficiencies continued to exist. As such, in lieu of a continuous audit the Audit Branch, with management’s support, conducted a robust process mapping exercise to create control flowcharts and update process descriptions related to the current environment.
As a result of this exercise, the following control gaps within NRCan were identified with regards to Pay:
- Pay Action Requests are not consistently tracked after they have been submitted to the PSPC Pay Centre.
- The PSPC Pay Centre may not be notified in a timely manner for leave without pay (LWOP) greater than 5 days for planned absences.
- No control in place to review accuracy of information entered by managers in Phoenix related to non-standardized work weeks (i.e. part-time schedules or student hours).
- The NRCan employee departure checklist does not include a step to ensure that managers assess the possibility of an overpayment is owed from the employee.
- As a result of continued challenges with timely pay processing across the public service, NRCan’s total salary expense can be understated at year-end, if the salary budget-to-actual expense reconciliations are not completed by responsibility centre managers.
Based on the review of selected transactions for each respective process, the AB can provide reasonable assurance that, overall, key controls are in place and working as intended for the Management of Personal Information and Contracting and Supplier Payments processes. Opportunities for improvement continued to exist to ensure a more robust control process is in place to ensure timely and accurate processing of pay transactions.
The continuous audit findings related to the state of controls in place for Personal Information Management and Contracting and Supplier Payments supports the decision contained in our Risk-Based Audit Plan to examine new areas in fiscal year 2016-17, including Acquisition Cards and Grants and Contributions.
Management has responded with timely action plans to address the issues noted in these two continuous audit activities, and in most cases, issues were corrected immediately. The AB will continue to follow-up on the implementation of these management action plans. AB will also conduct another Continuous Audit of Pay in 2016-17, to ensure that controls implemented to monitor pay transactions are working as intended.
The AB would like to thank those individuals who contributed to these continuous audits and, particularly employees who provided their insights and comments.
Conformance with Professional Standards
In my professional judgement as Chief Audit Executive, the continuous audit activities along with this annual report conform with the Internal Auditing Standards for the Government of Canada, as supported by the results of the Quality Assurance and Improvement Program.
Christian Asselin, CPA, CA, CMA, CFE
Chief Audit Executive
APPENDIX A – CONTINUOUS AUDIT CRITERIA
PERSONAL INFORMATION MANAGEMENT
The objective of this continuous audit was to provide reasonable assurance that key departmental controls for personal information management are in place and are working as intended. Specifically, the audit assessed whether the Department’s privacy management framework in place was adequately designed; and that key controls were implemented effectively including Sector/employee awareness of roles and responsibilities, training, monitoring, and reporting.
- NRCan has developed a Privacy Management Framework (PMF) to ensure compliance with the Privacy Act.
- NRCan performs ongoing monitoring and assessment of privacy procedures and practices.
- NRCan provides privacy awareness training to employees using a risk-based approach.
- NRCan provides support and advice to program managers with regards to privacy-related matters.
- Sectors ensure that their employees have a clear understanding of their roles, responsibilities, and expectations related to the management and protection of personal information.
- NRCan has established a process for updating the Department’s PIB and coordinates the results internally and with TBS .
- Sector executives and managers, through the Access to Information and Privacy (ATIP) liaison officers, inform the ATIP Secretariat of the annual assessment and review of NRCan personal information banks and preliminary risk assessment results.
- NRCan has a process in place to lead and coordinate the annual assessment of privacy risks.
- Sector executives and managers of programs maintain personal information banks by conducting an annual privacy risk assessment to update the PIB descriptions and to validate the level of risk related to their program or activity.
- Sector executives and managers identify and assess modifications to existing programs or the creation of a new program using the statement of sensitivity, and when required (as per Section 6.3.1 of the Directive on Privacy Impact Assessment), the completion and approval of a privacy impact assessment (PIA).
- NRCan has a process in place to review all statements of sensitivity and to provide advice on whether a PIA is necessary.
- NRCan has documented procedures to be followed when using personal information for non-administrative purposes, including research, statistical, audit, and evaluation purposes.
- Sector executives and managers consult and adhere to the NRCan Privacy Protocol when conducting activities that use personal information for non-administrative purposes.
- NRCan has established plans and procedures, including roles, responsibilities, and accountabilities for addressing privacy breaches.
- The ATIP Secretariat and the Departmental Security Officer provide advice and support to managers in implementing NRCan’s privacy breach management plan.
- Sector executives and managers implement NRCan’s plans and procedures for addressing privacy breaches.
- Sector executives and managers report all privacy breaches to both the ATIP Secretariat and the Departmental Security Officer as well as debrief their respective Assistant Deputy Minister (ADM) in a timely manner.
- NRCan publishes accurate PIA summaries (if PIA are available).
- The ATIP Secretariat notifies TBS and OPC of material privacy breaches.
- NRCan provides regular briefings to the DG ATIP Issues Committee and briefs Executive Committee (EXCOM) on the implementation of the PMF as required.
- NRCan ensures appropriate practices and safeguards are in place and maintained for all NRCan programs and activities.
- NRCan uses the results of the PIA and the PIB reviews to emphasize efforts on monitoring those programs and activities that pose a greater risk to NRCan privacy practices.
CONTRACTING AND SUPPLIER PAYMENTS
The objective of this continuous audit was to provide reasonable assurance that controls were in place and were working as intended for the procurement process (from contract initiation to supplier payment). Specifically, the audit assessed compliance with government and departmental policies, procedures, monitoring, and reporting.
- Appropriate Authority: Section 32 approval thru E-Procurement is appropriate.
- Compliance to policies: Thresholds are respected and key supporting documentation is present.
- Appropriate Authority: Authorities in Procurement Services Unit (PSU) respect the different levels of procurement approval and signing authority.
- Compliance to Policy: PRB reviews and endorses the procurement strategy for sole source contracts over $25,000.
- Delegated authorities are aware of their new responsibilities regarding the validation of vendors with PWGSC.
- Appropriate Authority: Section 34 approval through the E-Payment system is appropriate.
- Appropriate Authority: Section 33 approval is appropriate.
- Compliance to policies and FAA: Post-payment verification is completed for low risk payments.
- Tests are undertaken to identify duplicate payments when Quality Assurance reviews of low risk payments are undertaken.
- A Standards document governing the Procurement Policy Analysis and Reporting (PPAR) Unit’s monitoring and reporting functions exists and is reviewed for relevance.
- Compliance to policies and FAA: Post-contract verification is completed as per the PPAR Standards document.
- PPAR conducts test sampling on issued contracts to ensure data integrity and data entry accuracy, and any noted deficiencies are reported and corrected.
- Transactional Contract Monitoring and the Departmental Risk-Based Contract Monitoring Reports are submitted to PRB.
- Compliance to Policies: Documented evidence exists that the report for proactive disclosure of contracts greater than $10,000 has been reviewed for accuracy and completeness prior to posting on the NRCan Internet website.
- PPAR has the appropriate process in place for the list of contracts to be disclosed on the NRCan Internet website.
- Date modified: