Continuous Auditing of Key Controls for Selected Processes Annual Report for 2023

Table of Contents

Audit and Evaluation Branch
Natural Resources Canada

Presented to the Departmental Audit Committee February 7, 2024

• Introduction
  • Accomplishments this Year
  • Objectives
  • Scope
  • Methodology
• Key Findings and Recommendations
• Acknowledgments
  • Conformance with Professional Standards
• APPENDIX A - Continuous Audit of Pay, Benefits and Leave Management Key Controls

Introduction

Continuous auditing provides ongoing assurance on specific management processes and controls to enable more timely insight into possible risk and control issues. It enables the provision of findings to management on key controls related to financial and non-financial processes in a timely manner. The combination of continuous and regular audit activities provides adequate coverage of the Department’s key processes and controls. During the annual risk-based audit planning exercise, consideration is given as to whether a continuous or standard assurance audit is the most effective approach for providing assurance.

Continuous audits can significantly enhance the internal control processes and frameworks within an organization. They differ from traditional audits, which tend to be more comprehensive in terms of their scope. Continuous audit activities undertaken by Natural Resources Canada’s (NRCan) Audit and Evaluation Branch (AEB) are formally reported through an annual assurance report on key controls. This report presents the results of the continuous auditing activities completed by the AEB between January 1, 2023, to December 31, 2023.

Accomplishments this Year

With support from Senior Management and the Departmental Audit Committee (DAC), the AEB continued to provide continuous auditing capacity for NRCan in 2023.

The continuous audit activities completed in 2023 focused on identifying potential control issues related to specific processes identified in the approved 2022-27 Integrated Audit and Evaluation Plan (IAEP). Accordingly, the following area was assessed via continuous auditing:

• Pay, Benefits and Leave Management

The AEB was able to provide timely assurance to senior management and the DAC on the functioning of key controls for the area identified above. Findings and recommendations resulting from the examination of these processes were provided to management in order to assist them with further improving existing control mechanisms. These findings and recommendations were also presented to the DAC along with the associated management responses and action plans.

In addition to AEB’s continuous audit activities, NRCan’s management was engaged in continuous monitoring in accordance with the Treasury Board’s (TB) Policy on Financial Management. The combined efforts by both the AEB and management have resulted in improvements to control processes and the correction of any identified control deficiencies.

Objectives

The objective of the Continuous Audit performed was to provide reasonable assurance that select key financial and monitoring controls within NRCan’s HR-to-Pay related processes are working as intended to ensure the validity, accuracy, and completeness of select types of pay transactions and functions within the control of the Department.

Scope

The scope of the continuous audit examined a sample of HR-to-Pay transactions initiated during the period of January 1, 2022, to January 4, 2023, targeting areas of focus that could have a direct impact on employee pay, preventing pay-related errors and identifying potential efficiencies, as they relate to the interdependencies between critical functions.

The key controls assessed during the continuous audit are provided in Appendix A.

Methodology

• A combination of judgemental and random sampling techniques was implemented for this audit. The specific transactions for testing were selected using random sampling, in which every transaction occurring during the scope period has an equal chance of being chosen for examination.
• The audit team followed TBS guidance on frequency sampling, taking into consideration the number of transactions that occur daily for each pay action request type tested. As several key controls tested during the continuous audit are common across multiple types of pay action requests, the audit team used a mathematical approach to ensure that there was sufficient coverage of key controls. Across the various pay actions tested (acting appointments, new hires, leave without pay, and terminations), a targeted minimum of 20 transactions were tested per control, where possible.

Key Findings and Recommendations

The following summarizes the findings and recommendations for the continuous audit engagement. The audit provided reasonable assurances when arriving at conclusions for the key controls that were tested, which were assessed as either- effective, partially effective, or ineffective, based on the following criteria:

1. Effective: The key control was operating effectively throughout the audit period;
2. Partially effective: The key control was not operating effectively throughout the audit period; and,
3. Not effective: The key control was not in place.

Continuous Audit of Pay, Benefits and Leave Management

The continuous audit found that of the six key controls examined, two controls are operating effectively, three controls were deemed to be partially effective, and one control was not effective.

Overall, the continuous audit found that controls are generally working, however, the following opportunities for improvement were identified and will address existing issues as well as issues related to recent changes in processes and systems:

• Expenditure Initiation Authority (EIA): update processes to ensure documentation of EIA is retained for all staffing appointments;
• Financial Delegation of Authorities: clarify processes for verifying relevant financial and HR authorities to ensure they are appropriate at the time of approval, and establish on-going monitoring process to validate and renew relevant authorities;
• Database and System Integration: consolidate processes and systems used for verifying relevant financial and HR authorities to improve consistency, ensure authorities are appropriate at the time of approval, and reduce manual verification efforts;
• Performance Measurement and Monitoring: establish and implement processes to track, monitor, and report on HR-to-Pay actions within NRCan’s control against established service standards; and
• Process Documentation: ensure recent changes to current processes and controls are reflected in updated documentation.

The continuous audit also found that three outstanding recommendations from previous continuous audits in this area were fully implemented.

Acknowledgments

The AEB would like to thank those individuals who contributed to the performance of continuous audits and particularly employees who provided their insights and comments.

Conformance with Professional Standards

In my professional judgement as Chief Audit and Evaluation Executive, the continuous audit activities along with this annual report conform with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing and the Government of Canada’s Policy on Internal Audit, as supported by the results of the Quality Assurance and Improvement Program.

Michel Gould, MBA, CPA, CMA, CIA
Chief Audit and Evaluation Executive
February 7, 2024

APPENDIX A - Continuous Audit of Pay, Benefits and Leave Management Key Controls

The objective of the Continuous Audit performed was to provide reasonable assurance that select key financial and monitoring controls within NRCan’s HR-to-Pay related processes were working as intended to ensure the validity, accuracy, and completeness of pay transactions and functions within the control of the Department.

The following key controls were tested during the conduct phase of the audit:

Key Controls
1 & 2)	The initiation of staffing appointments and new hires are valid, correct, complete, and administered in compliance with relevant TB and departmental policies and guidelines.
3)	The initiation of employee departures are valid, correct, complete, and administered in compliance with relevant TB and departmental policies and guidelines.
4a)	Requests for leave without pay (LWOP) greater than five (5) days are administered in compliance with respective collective agreements, TB and departmental policies and directives.
4b)	Request for leave without pay (LWOP) less than five (5) days are administered in compliance with their respective collective agreements, TB and departmental policies and directives.
5)	Pay-related anomalies over $8K identified through monitoring activities are tracked and communicated to the DPLO in a timely manner, and evidence of review & corrective action is retained.
6)	Performance metrics and monitoring of service standards for pay-related action requests.