Follow-up Audit on the Implementation of the Office of the Auditor General of Canada Recommendations on Payroll Management

Follow-up Audit on the Implementation of the Office of the Auditor General of Canada Recommendations on Payroll Management PDF Version (1.1 Mb)

© Her Majesty the Queen in Right of Canada, 2020
Cat. No.: PS4-262/2020E-PDF
ISBN: 978-0-660-34962-6
This material may be freely reproduced for non-commercial purposes provided that the source is acknowledged.

Background

Pay Administration in the Government of Canada

Departments are responsible for ensuring that financial resources of the Government of Canada are well managed and that effective governance and internal controls are established.

This includes documenting and communicating roles and responsibilities in relation to pay administration, namely the procedures, controls and monitoring activities that should be undertaken.
Public Services and Procurement Canada (PSPC) is the pay administrator for the Government of Canada.
PSPC maintains the system used for processing pay (Phoenix) and manages the centralized pay processing centre (Pay Centre).
All departments use Phoenix, but not all departments use the services of the Pay Centre. In addition, a department’s Human Resources Management System (HRMS) may or may not be integrated with Phoenix. As a result, departmental end-to-end pay processes vary.

End-to-end pay process

The pay administration process is divided into three sub-processes:

Pre-payroll relates to activities to initiate, approve and verify a pay or HR action (“pay-related action”) before payment.
Payroll relates to activities to calculate net pay, perform payment authority and issue payments.
Post-payroll relates to activities to monitor payments, ensure that certification and verification of pay transactions has been completed, record pay in the Departmental Financial and Materiel Management System (DFMS) and complete period end reconciliations.

Source: Treasury Board Secretariat Guideline on Financial Management of Pay Administration

Pay Administration at Public Safety Canada

Public Safety Canada (PS) is fully serviced by the Pay Centre. Under this pay administration model, the department relies on the Pay Centre to process pay, and the departmental HRMS is integrated with Phoenix.
There are significant interdependencies between the department and PSPC: PS relies on the effectiveness of the Phoenix system for pay processing and time and labour reporting, and on the effectiveness of Pay Centre activities and practices (including controls).
PSPC relies on the effectiveness of departmental activities and practices to ensure that information provided to Phoenix and the Pay Centre is valid, timely, complete and accurate.
Irrespective of the pay administration model, all departments must follow the Financial Administration Act (FAA), specifically, section 32 (commitment authority), section 33 (payment authority) and section 34 (certification authority), and the associated Treasury Board (TB) policy instruments.

Accountability over the pay process

Accountability and controls over the pay process should be in place in compliance with the FAA and Treasury Board policy instruments.

A detailed overview of the steps in the pay process is included in Annex A.

Image Description

The figure is a process diagram with arrows and consist of three areas of accountability: Responsibility Centre Manager, Human Resources and Finance.

Oversight Activities over Payroll Management

A number of oversight activities over payroll management have occurred over the last few years, both government-wide and departmentally:

2017 Office of the Auditor General (OAG) Audit of the Consolidated Financial Statements of the Government of Canada for inclusion in the Public Accounts of Canada.
2018 OAG Management Letter distributed by the Comptroller General of Canada in response to the OAG recommendations.
2018 OAG Audit of the Consolidated Financial Statements of the Government of Canada (GC) for inclusion in the Public Accounts of Canada.
2018 Issuance of a second OAG Management Letter distributed by the Comptroller General of Canada to address one additional OAG recommendation.
2019 OAG request to departments to complete a Self-Assessment Tool on pay administration.
2019 PS completes its 2018-19 Internal Control Framework Assessment.

2017 - Office of the Auditor General - Audit of the Consolidated Financial Statements of the GC for inclusion in the Public Accounts of Canada

OAG audits of the consolidated financial statements are conducted to obtain reasonable assurance that the consolidated financial statements are free of material misstatements, including transactions and financial information relating to personnel expenses.
PS was included in the scope of the 2017 audit and provided a limited sample of transactions.
On February 7, 2018, the OAG issued a letter to the Comptroller General of Canada (CG), providing observations and eight recommendations on the understanding that the details would be distributed to all the departments whose payroll is processed by the Phoenix pay system.
- These observations identified opportunities for changes in procedures that would improve systems of internal control, enhance financial reporting practices, and other matters (i.e. document retention, training, etc.).

OAG Management Letter distributed by Comptroller General of Canada

On March 29, 2018, the CG issued an email to the Deputy Minister of all organizations where pay is processed by Phoenix. The CG requested departments to:
- Prepare management actions plans (MAP) to address the OAG comments applicable to their organization. Senior management should track progress on the implementation of the MAP, perhaps making use of existing processes for comparable internal audit work follow up.
- Provide a copy of the OAG observations to their DAC, or equivalent oversight body, for their information.
- Engage internal audit to consider the risks and determine if additional work would be of value.
Following the issuance of the letter, PS’ Corporate Management Branch developed a MAP which was presented and approved at the DAC meeting in October 2018.
During the DAC meeting, a decision was made that the MAP would not be included in the Internal Audit and Evaluation Directorate (IAED) MAP follow-up process. Instead, a follow-up engagement was included in the 2019-20 Risk-Based Audit and Evaluation Plan and approved by the Deputy Minister.

2018 - Office of the Auditor General - Audit of the Consolidated Financial Statements of the GC for inclusion in the Public Accounts of Canada

PS was again included in the scope of the 2018 OAG audit and provided a limited sample of transactions.
On December 21, 2018, the OAG issued a second letter to the CG. The letter included the same observations that were previously communicated as a result of the previous year’s audit, but also included one new observation related to training needs.

The PS Chief Financial Officer amended the MAP to include the ninth recommendation on training needs. On April 29, 2018, the PS Chief Audit and Evaluation Executive informed DAC members that the CFO had amended the MAP to include the ninth recommendation on training needs.

OAG Self-Assessment Tool

In July 2019, the OAG requested that departments complete a self-assessment to evaluate progress on the implementation of the nine recommendations stemming from the 2017 and 2018 audits on the financial statements.
Departments were asked to assess whether they have put in place the ‟minimal expectations” corresponding to the recommendations and to describe any other relevant processes implemented to address the recommendations. PS used the OAG rating scale (Annex B) to assess the status of implementation of the management action plan items. The results were shared with the OAG in the Summer 2019.

2018-19 Internal Control Framework Assessment

In accordance with PS’ Internal Control Monitoring Plan, Corporate Management Branch (CMB) engaged an external third party to perform an assessment of the internal control framework which was finalized in Fall 2019. Internal controls over pay administration were included in this review.
The objective was to identify, test and assess the design effectiveness and operating effectiveness of 9 key controls to ensure compliance with the TB Policy on Financial Management.

The assessment found that three controls were designed effectively but there was no evidence to support operating effectiveness; and six controls were not tested for operating effectiveness because the design was deemed ineffective.

More specifically, the assessment found a number of weaknesses in the following areas:

Salary forecasting process;
Lack of evidence to support selected pay administration activities;
Limited monitoring of system users with direct access to Phoenix;
Data integrity;
Maintenance of HR Trusted Source listing; and
Post-payment verification process.

Because other oversight activities related to payroll management were being conducted simultaneously (i.e. OAG self-assessment, IAED Follow-up Audit), CMB committed to develop a consolidated MAP to address all of the results.

IAED Follow-up Audit Objective and Scope

Image Description

IAED Follow-up Audit Objective and Scope

The objective of this follow-up audit was to assess whether PS’ original planned actions, presented and approved at the DAC meeting in October 2018, have been effectively implemented to address the OAG recommendations on payroll management.

The scope of this follow-up audit focused on the status of implementation of the planned actions to address the nine recommendations as at December 31, 2019.

IAED used a rating scale to assess the implementation of the actions outlined by PS in its original management action plan, and to determine whether they align with the minimal expectations as described in the OAG Self-Assessment Tool.

The scale, adopted from the grid used by the OAG and aligned with IAED’s MAP follow-up process, ranges from level 1 (no progress or insignificant progress) to level 5 (full implementation).
As part of its MAP, PS had committed to implement most planned actions to respond to the OAG recommendations by Fall 2019.

IAED Follow-up Audit Approach and Methodology

In conducting the follow-up audit, the following were performed:
- Review of TB policy instruments and departmental documentation;
- Data collection through interviews and walkthroughs with personnel to examine processes and controls implemented;
- Testing of operating effectiveness of key payroll controls against the requirements of the TB Policy on Financial Management;
- Survey distributed to all Salary Forecasting Tool (SFT) Coordinators and Branch Planners to seek input of employees who work with the tool; and
- Examining the results of the OAG Self-Assessment Tool completed by Finance (FIN) and Human Resources (HR).
The follow-up audit also considered the results of the 2018-19 Internal Control Framework Assessment. IAED re-performed testing of a sample of transactions to gain a better understanding of the completeness and effectiveness of payroll controls.

Conformance with professional standards

The follow-up audit conforms with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing and the Government of Canada's Policy on Internal Audit, as supported by the results of the Quality Assurance and Improvement Program.

OAG Recommendations – Themes

The nine recommendations issued by the OAG following the 2017 and 2018 Audits of Consolidated Financial Statements of the GC were based on observations reported under the following themes:

Information Received from Pay Administrator
Financial Management – Section 34 Approvals
Financial Management – Section 33 Approvals
Financial Management – Reconciliations of the IO50 Report
Human Resource Management – Key Document Retention
Human Resource Management – Section 34 Manager Access to Phoenix
Internal Controls in Pay Processing
Access and Roles
Training Needs

Information Received from Pay Administrator

OAG Recommendation #1

PS should work with PSPC to obtain the information required to assess the accuracy and completeness of payroll information affecting the department's appropriations and employees.

What we found

PS internally assesses which reports are required from PSPC, although these assessments are not formally documented. The audit could therefore not determine if the assessments were performed on a regular basis.

It should be noted that PS has no ability to have PSPC reports customized for its specific needs.

There are ongoing communications between PS and PSPC/Pay Centre, however most of the interactions are related to specific employee pay issues.
PS attends ad hoc working groups and presentations provided by PSPC and the Treasury Board Secretariat (TBS) on specific payroll-related matters.
PS uses the SFT with the intention of improving the accuracy and completeness of payroll information. The SFT is a SAP application to provide management with a tool to forecast and assign employee salary dollars to their operational budgets.
PS is in the early stages of improving data quality in SFT as well as obtaining access to business intelligence tools to assist with ensuring accuracy and completeness of payroll information.

44% of the SFT users who responded to the survey distributed by IAED indicated that they do not use the tool to help identify pay-related issues.

OAG Recommendation #1- IAED Assessment
OAG Recommendations	Minimal Expectations OAG Self-Assessment Tool	Self-Assessment Level	IAED Assessment Level
1. Information Received from Pay Administration Entities should work with Public Services and Procurement Canada (PSPC) to obtain the information required to assess the accuracy and completeness of payroll information affecting departmental and agency appropriations and employees.	i. Internally assessed which reports are required from PSPC.	Level 3	Level 3
	ii. Formalized a communication line between entity and PSPC/Pay Centre POD (i.e. regularly scheduled meetings, key point of contact, pre-defined response times, etc.).	Level 4	Level 4
	iii. Reviewed reports and assessed accuracy and completeness of payroll information (e.g. review of Phoenix error report, Business intelligence tool or other relevant report).	Level 2	Level 2
	iv. Other relevant processes as reported by PS: PS has a plan to further improve data quality in SFT to assist with ensuring accuracy and completeness of the payroll information.	Level 1	Level 1

Financial Management – Section 34 Approvals

OAG Recommendation #2(a)

PS should exercise the same level of control and rigour when performing Section 34 approvals for payroll related payments as any other charges against appropriations. Processes should be put in place to monitor that employees performing Section 34 have the delegated authority to do so.

What we found

The Responsibility Center Manager (RCM) is responsible for initiating expenditures, managing commitments and exercising certification under Section 34 of the FAA. Pursuant to the TBS Directive on the Administration on Required Training, the RCM is required to complete the mandatory delegation authority training before certifying under Section 34.
The TBS Guideline on Financial Management of Pay Administration states that the Trusted Source is responsible for ensuring that signatures on pay-related requests transmitted from the department to the Pay Centre are authenticated by an individual who has appropriate delegated HR and/or financial authority.
PS established the Financial Authority Specimen Signature Record (FASSR) Tracker, an electronic tool that provides the list of PS employees with Section 34 authority.

The process to ensure that delegated authorities are documented, signed and kept available for validation is documented in the FASSR Manual.

The current process outlined in the HRMS Trusted Source Desktop Operational Manual is unclear on the actions required by the Trusted Source to verify that an individual has the appropriate delegated authority.
Based on the samples reviewed, the audit found that:

Evidence of the HR Trusted Source confirming the validity of RCM Section 34 delegation was not being retained for pay action request (PARs) submitted to the Pay Centre.
There were instances where an individual’s delegated authority was labeled as active in the FASSR Tracker, while the Financial Authority Specimen Signature Record indicated that it was cancelled.
There were a few cases where there was no evidence provided to validate that the RCM had completed the required training prior to their FASSR being activated.
There was no evidence that PS is conducting formal monitoring of the FASSR as required in the TBS Directive on Delegation of Spending and Financial Authorities.

OAG Recommendation #2(b)

PS, in collaboration with TBS, should identify areas where guidance and training can be provided to improve financial reporting practices and strengthen internal controls.

What we found

PS has not conducted a formal and documented assessment of departmental training needs for payroll activities for departmental staff and management of HR and FIN.
PS attends ad hoc TBS meetings and presentations to help improve financial reporting practices and strengthen internal controls.
PS has focused its efforts on training on the SFT to improve financial reporting practices.

In late 2019, PS performed an assessment to help identify issues affecting SFT data integrity by conducting interviews with Branch Planners/SFT Coordinators and analyzing SFT data.

PS has not developed a checklist (or other mechanisms) to provide guidance to individuals performing or reviewing Section 34 sign-offs with respect to payroll transactions.

Guidance should be available to ensure the adequacy and reliability of the account verification process, especially if the process has recently changed or if multiple and ongoing errors have been identified. A tool such as a checklist standardizes the expectations and performance of account verification for all payroll transactions.

PS monitors transactions for pending Section 34 approval and follows-up with individual RCMs directly on an ad hoc basis in order to provide one-on-one coaching on their responsibility and simultaneously help them clear their backlog of pending approvals.

OAG Recommendation #2 - IAED Assessment
OAG Recommendations	Minimal Expectations OAG Self-Assessment Tool	Self- Assessment Level	IAED Assessment Level
2. Financial Management – Section 34 approvals a) Entities should exercise the same level of control and rigour when performing Section 34 approvals for payroll related payments as any other charges against appropriations. Processes should be put in place to monitor that employees performing Section 34 have the delegated authority to do so.	i. Access to Phoenix and the electronic Pay Action Request "e- PAR" application is restricted to allow only delegated people with s.34 authority to sign-off on pay transactions.	Level 4	Level 1
	ii. Procedures are documented and implemented to update the s.34 authorities and FASSR database regularly to account for new, expired or modifications to s.34 authorities.	Level 4	Level 3
	iii. Performed monitoring procedures to assess the accuracy of s.34 approvals, supported by source documents (i.e. FASSR).	Level 3	Level 1
	iv. Other relevant processes as reported by PS; PS ensures that all s.34 Managers have Authority Delegation Training (ADT) prior to activating their SSR. PS ensures that the list of s.34 Managers in Phoenix corresponds to the list of SSRs maintained in its application. PS also performs an annual review of all SSRs.	Level 4	Level 1
2b) Entities, in collaboration with the Treasury Board Secretariat of Canada (TBS), should identify areas where guidance and training can be provided to improve financial reporting practices and strengthen internal controls.	i. Entity assessed which training is required and also documented their needs.	Level 3	Level 3
	ii. Established communication with TBS and other key players to obtain required training.	Level 3	Level 3
	iii. Procedures, checklists or other mechanisms exist to provide guidance to individuals performing and/or reviewing section 34 sign-offs.	Level 3	Level 2
	iv. Other relevant processes as reported by PS; A third-party internal control assessment of payroll is currently underway to determine if the key controls are designed and operating effectively.	Level 2	Level 5

Financial Management - Section 33 Approvals

OAG Recommendation #3(a)

PS should exercise the same level of control and rigour when performing Section 33 approvals for payroll related payments as any other charges against appropriations.

What we found

Individuals in FIN with delegated authority for Section 33 can perform payment authority, reject changes to regular payments, perform stop payments, or take no action (in such cases the amounts associated with payments are left pending at the end of the pay cycle).

Once the department provides authorization under Section 33 of the FAA, Phoenix sends requisitions to the Receiver General Standard Payment System for payment processing.

To balance the appropriate execution of delegation of authority with timely delivery of pay, departments may use a risk-based approach. The approach may include quality assurance processes carried out by those with payment authority, both before exercising payment authority (pre-payment verification) and after exercising payment authority (post-payment verification).
Based on the Section 33 FAA Procedures for Payroll Payments developed by PS in April 2019 and provided to the audit team, pre-payment verification should be carried out on all high risk transactions.

However, the staff performing Section 33 authorizations were not aware of the existence of this guidance document during the course of the audit, nor were they able to describe the practice they are currently conducting.

FIN stated that the current practice is to review transactions over $8,000 threshold as well as other unusual items.
When performing this step, the staff with Section 33 authority may question HR on a specific payroll transaction; however the evidence clearing that query is not kept by FIN. Accordingly, an audit trail is not retained to support the work performed.

The audit could not determine if the process is risk-based, sufficient and consistently applied.

OAG Recommendation #3(b)

PS should implement a formal process, such as the salary forecasting tool, to assist in the detection and prevention of inaccurate payments and execution of the Section 33 process.

What we found

The Section 33 FAA Procedures for Payroll Payments also makes reference to post-payment verification procedures; however, FIN has not implemented a post-payment verification process on pay transactions.

Without a post-payment verification process, the department is heavily reliant on the Section 33 pre-payment verification process to identify and resolve all large and unusual variances.

The lack of adequate documentation to support Section 33 and the inexistence of a post-payment verification process was also raised in the Internal Control Framework Assessment.
The SFT Variance Report was developed to flag differences between forecasted salary and actual salary expenditures to assess reasonableness of pay transactions; however, it is not being generated and utilized due to poor quality of data in the SFT.
FIN has established a SFT Working Group that met on an ad hoc basis to help support SFT users within PS; however, these meetings have not occurred since August 2019.

Issues discussed in the Working Group included the consistency in utilizing SFT, branch-level monitoring, and oversight of data integrity, including access to HR information to validate data inputted in the system (i.e. pay increments, acting pay, employee transfers in, etc.).

The survey conducted as part of the audit revealed that:
- 35% of the respondents had less than a year of experience using SFT;
- A majority of the respondents stated that their work in SFT was not reviewed by their supervisor;
- Most of the respondents rarely or never used the SFT monitoring checklist and had not reviewed the recently updated PS Salary Forecasting Tool Reference Guide but had taken the SFT training; and
- More than half of the respondents never or rarely attended the SFT working group meetings.

OAG Recommendation #3 - IAED Assessment
OAG Recommendations	Minimal Expectations OAG Self-Assessment Tool	Self- Assessment Level	IAED Assessment Level
3. Financial Management – Section 33 Approval a) Entities should exercise the same level of control and rigour when performing Section 33 approvals for payroll related payments as any other charges against appropriations.	i. Pre-payment verification is performed and documented prior to s.33 authorization (usually based on pre-defined thresholds i.e. all payments above certain $, potential duplicate payments, etc.).	Level 4	Level 2
	ii. Post-payment verification process on individual pay transactions is performed and documented.	Level 2	Level 1
	iii. Other relevant processes as reported by PS; A third-party internal control assessment of payroll is currently underway to determine if the key controls are designed and operating effectively.	Level 2	Level 5
3b) Entities should implement a formal process, such as the salary forecasting tool, to assist in the detection and prevention of inaccurate payments and execution of the Section 33 process. Adequate controls should be designed and implemented to validate the accuracy and completeness of the data used in this process.	i. A formal process was documented and implemented such as analyzing reasonableness of payment amounts prior to performing s.33 authorization (i.e. using Salary Forecasting Tool, variance analysis, etc.)	Level 1	Level 1
	ii. Data used in "3b) i." is validated for accuracy and completeness.	Level 1	Level 1
	iii. Procedures or checklists exist, are documented and are used to provide guidance to individuals performing and/or reviewing section 33 sign-offs.	Level 2	Level 1
	iv. Other relevant processes as reported by PS; A third-party internal control assessment of payroll is currently underway to determine if the key controls are designed and operating effectively.	Level 2	Level 5

Financial Management - Reconciliations of the IO50 Report

OAG Recommendation #4 (a) & (b)

(a) PS should regularly reconcile the expected salary expense, the payments made (IO50 reports) and the salary expense recorded in the G/L (SAP).

(b) PS should also understand and document where the information in the IO50 report is posted in the G/L (SAP).

What we found

Reconciliation of I050 to G/L (SAP)

For each pay period, PS receives an IO50 report which lists actual salary payments incurred and serves as the payroll register.
FIN gave IAED a walkthrough of the I050 reconciliation process that is performed on a biweekly basis. FIN provided a list of reconciliations for the period of April 2019 to December 2019.

IAED did not reperform these I050 reconciliations but reviewed some samples with FIN to confirm that the process is being conducted.

Mapping to G/L

PS developed a document that explains the existing process for mapping the entitlement codes to the G/L (SAP).

FIN also provided IAED with a walkthrough of the process of updating the mapping for each new fiscal year and making ad hoc changes throughout the year.

IAED was provided with the documented process for monitoring pay suspense and Receiver General (RG) control accounts to ensure proper recording of transactions in the G/L (SAP).
FIN also walked IAED through the process of performing weekly reconciliations to ensure that suspense accounts are cleared on frequent basis. At the end of December 2019, FIN informed IAED that the variance was under $ 2,000.
FIN also provided some common reconciling examples.
IAED did not reperform these suspense account reconciliations but reviewed some samples with FIN to confirm that the process is being conducted.

SFT in Comparing Actual to Budgeted Salaries

It is expected that regular reconciliations of actual salary amounts to salary forecasts are conducted to ensure that salary budgets reflect the reality of the managers’ financial situation and exact burn rate, and to help detect inaccurate payments made to employees.

To support this process, managers should ensure that information in SFT is accurate and by capturing and recording the most current information on salaries.

FIN confirmed that reconciliations have not been occurring due to data quality issues in SFT.
In November 2019, FIN also performed a detailed analysis of the issues affecting the SFT data quality. Elements highlighted included insufficient SFT training, lack of awareness of the reconciliation process, as well as lack of communication between HR, FIN and the Branch Planners.

The results are intended to inform next steps to improve the reconciliation process.

OAG Recommendation #4 - IAED Assessment
OAG Recommendations	Minimal Expectations OAG Self-Assessment Tool	Self- Assessment Level	IAED Assessment Level
4. Financial Management – Reconciliations of the IO50 Report a) Entities should regularly reconcile the expected salary expense, the payments made (IO50 reports) and the salary expense recorded in the G/L.	i. Reconciliation prepared between the I050 pay files and the financial reporting account (FRA) 51311.	Level 3	Level 5
	ii. All reconciling items identified and supported by backup.	Level 2	Level 5
	iii. Frequency chosen to perform the reconciliation.	Level 2	Level 5
	iv. Other relevant processes as reported by PS; A third-party internal control assessment of payroll as well as financial close reporting is currently underway to determine if the key controls are designed and operating effectively.	Level 2	Level 5
4b) Entities should also understand and document where the information in the IO50 reports is posted in the G/L.	i. If overall reconciliation in step a) was not conclusive, obtain the mapping document of pay expenditure by IO50 codes to the entity's GL account. If reconciliation was conclusive, step b) is not applicable.	Level 3	Level 5
	ii. Other relevant processes as reported by PS: PS monitors pay suspense accounts and RG control accounts to ensure proper recording of transactions by G/L and fiscal year on a monthly basis and performs corrective accounting entries as required.	Level 4	Level 5

Human Resources Management – Key Document Retention

OAG Recommendation #5

PS, in collaboration with the TBS, should clarify the document retention policies for key human resources management documents to ensure proper personnel files are kept for each employee.

What we found

Library Archives Canada guidelines requires departments to retain key documents to support salary and other payment amounts made to employees.
PS developed a document that outlines the process and procedures for managing employee personnel files, which includes considerations outlined by guidelines developed by the Human Resource Council.

These guidelines were developed by the Departmental Working Group on Pay process, as part of which the Office of the Chief Human Resource Officer (at TBS) was consulted.

Despite this document, PS is experiencing issues retaining supporting documentation regarding pay transactions/corrections. The need to establish a departmental-wide approach for retaining and maintaining financial information was outlined in the Internal Control Framework Assessment.
HR continues to work toward improving information management practices by developing a multiphase project with the Information Management division to develop standard processes for maintaining employee personnel file documents.

OAG Recommendation #5 - IAED Assessment
OAG Recommendations	Minimal Expectations OAG Self-Assessment Tool	Self- Assessment Level	IAED Assessment Level
5. Human Resources Management – Key Document Retention a) Entities, in collaboration with the TBS, should clarify the document retention policies for key human resources management documents to ensure proper personnel files are kept for each federal employee.	i. Entity confirmed that the documents retention policies exists, are aligned with Library and Archives guidelines and are used for key human resources management documents. (i.e. TBS' "Employee’s Personnel file Guidelines" or entity's own).	Level 3	Level 3
	ii. Communicated their document retention policies within their entity (i.e. what to store, where to store and for how long).	Level 3	Level 3

Human Resources Management – Section 34 Manager Access to Phoenix

Recommendation #6

Working with PSPC, PS should establish a clear and rigorous process for providing PSPC with evidence that the requests for Section 34 Manager access are authorized.

What we found

Section 34 Manager access requests are managed by PS through the Delegation of Financial Signing Authorities Instrument and the creation of FASSRs. The FASSR Tracker application contains the listing of all delegated Section 34 Managers is uploaded to Phoenix every time there is a change.
There is a documented departmental process in place for authorized financial officers to create, validate, activate and cancel FASSR for Section 34 Managers, which are then inventoried in the FASSR Tracker. The process is documented in the FASSR Manual and is available on InfoCentral.
- Establishing appropriate procedures to maintain the accuracy and completeness of this data is thus crucial for approving pay-related transactions in Phoenix.
Based on the samples reviewed, the audit found:
- Inconsistencies in the delegated authorities between the FASSR Tracker and the specimen signature records; and
- Instances where the sampled specimen signature records were inconsistent with the FASSR Tracker. In addition, there were a few instances where the signatures records did not have a valid authority.
As per the TBS Guidelines on Financial Management of Pay Administration, PS should monitor access rights for appropriateness on a periodic basis.
There can also be instances when an employee is not able to input their own time-related data in Phoenix (for example, when an employee file is not yet transferred to the department). The department may then choose to establish a Timekeeper role in Phoenix where a designated individual enters time and labour in Phoenix.

In these instances, the employee submits the pay-related action to the delegated authority, who certifies the pay action before forwarding it to the Timekeeper. The Timekeeper then ensures that the first portion of certification under Section 34 of the FAA was provided and enters the information into Phoenix and approves the transaction directly into Phoenix, on behalf of the delegated authority.

The Timekeeper role is only provided to individuals within the department that require it for performing their job duties.

PS has granted this role to one individual in the Department.

The lack of monitoring of the Timekeeper role was identified as an issue in the Internal Control Framework Assessment.

HR has approached the Pay Centre to request a report to facilitate monitoring of the activities within the Timekeeper role, but had not received a response during the course of the audit.

OAG Recommendation #6 - IAED Assessment
OAG Recommendations	Minimal Expectations OAG Self-Assessment Tool	Self- Assessment Level	IAED Assessment Level
6. Human Resources Management – Section 34 Manager Access to Phoenix a) Working with PSPC, entities should establish a clear and rigorous process for providing PSPC with evidence that the requests for Section 34 Manager access are authorized.	i. Procedures are documented and used specifying who is authorized to regularly update the list of s.34 Manager access for any new, expired or modified approvers in the "Time Card Labour" module.	Level 4	Level 3
	ii. Completion of standardized form when section 34 access is required for the "Time Card Labour"	Level 4	Level 3

Internal Controls in Pay Processing

OAG Recommendation #7 (a), (b) & (c)

(a) PS, in collaboration with PSPC, should put in place a process to manage changes to the trusted sources list.

(b) In addition, PS, in collaboration with PSPC, should implement a process to validate that the trusted source authorizations are authentic and appropriate.

What we found

Trusted Sources are responsible for ensuring that signatures on paper requests transmitted from the Department to the Pay Centre are authenticated by an individual who has appropriate delegated authority, that all required supporting documentation has been obtained and that the pay action request is complete and accurate before it is sent to the Pay Centre.
PS is responsible for maintaining a secure Trusted Sources list and submitting the list to the Pay Centre in a timely manner. PS should confirm with PSPC the continued appropriateness of the list.
The audit found that there are no documented procedures for maintaining the list of the Trusted Sources; the list is managed based on arrivals and departures in the group.

What we found

The audit found that the Department has not established a robust departmental tracking mechanism to monitor the status of PARs on an ongoing basis.

The current practice is for PARs to be assigned and tracked through the email management system. The audit did not attempt to determine whether the list of PARs currently inventoried is exhaustive and accurate.

OAG Recommendation #7 - IAED Assessment
OAG Recommendations	Minimal Expectations OAG Self-Assessment Tool	Self-Assessment Level	IAED Assessment Level
7. Internal Controls in Pay Processing a) Entities, in collaboration with PSPC, should put in place a process to manage changes to the trusted sources list.	i. Formalized a communication line between entity and PSPC to discuss procedures required to manage change to the trusted source list.	Level 4	Level 3
	ii. Procedures are documented and implemented to manage changes to the trusted sources lists, including who is authorized to initiate changes. (e.g. a standardized form).	Level 4	Level 3
b) In addition, entities, in collaboration with PSPC, should implement a process to validate that the trusted source authorizations are authentic and appropriate.	i. A process discussed with PSPC is documented and in place to provide evidence of the authenticity and appropriateness of the Trusted Source approval of the pay action request (PAR).	Level 3	Level 3
c) Entities should implement a process to monitor the status of PARs.	i. A process discussed with PSPC is documented and in place to provide evidence of the authenticity and appropriateness of the Trusted Source approval of the pay action request (PAR).	Level 1	Level 1
	ii. Regular follow-up done on PARs that have not been actioned within a reasonable timeframe.	Level 1	Level 1

Access and Roles

OAG Recommendation #8

PS, in collaboration with PSPC, should obtain a clear understanding of the existing roles granted to their staff in Phoenix. PS should review the roles currently granted to its employees, assess the appropriateness of the access, and modify the assigned role when necessary.

What we found

The TBS Guideline on Financial Management of Pay Administration states that the Security Access Control Officer (SACO) is responsible for establishing processes and procedures to verify that business users have the appropriate access in accordance with their job, and have completed the required training associated with roles requested. The SACO should review the Phoenix roles on a periodic basis.
IAED was provided with a recent SACO report to demonstrate the review of Phoenix access roles (January 7, 2020). FIN walked us through the process of updating the underlying data for the SACO report.

We understand that there is a heavy reliance on PSPC to identify any segregation of duties issues.

Based on the Phoenix SACO Refresher Workshop developed by PSPC (November 2018), the PS SACO should identify and action inappropriate access as quickly as possible and not place increased reliance on PSPC.
PS should have a clear understanding of access rights granted to individuals with direct access to Phoenix to ensure that delegated authorities be exercised in a manner that segregates certain duties. Where duties cannot be segregated, the transactions should be monitored by an independent person and evidence of the review and be maintained.

As previously mentioned, PS does not have an established process or access to a report generated in Phoenix to monitor information entered directly into Phoenix by the Timekeeper to ensure that it is valid, complete, accurate and appropriately approved.

OAG Recommendation #8 - IAED Assessment
OAG Recommendations	Minimal Expectations OAG Self-Assessment Tool	Self- Assessment Level	IAED Assessment Level
8. Access and Roles Entities, in collaboration with PSPC, should obtain a clear understanding of the existing roles granted to their staff in Phoenix. Entities should review the roles currently granted to their employees, assess the appropriateness of the access, and modify the assigned role when necessary.	i. Obtained an understanding of existing roles granted in Phoenix.	Level 4	Level 3
	ii. Periodically reviewed the documented roles granted and user access rights to verify appropriateness as well as proper segregation of duties.	Level 3	Level 3
	iii. Other relevant processes as reported by PS; The Security Access Control Officer (SACO) ensures that employees are provided with the access to Phoenix that they require for their functions, that the requests are approved by the appropriate authority and that the access follows rules for segregation of duties.	Level 3	Level 3

Training Needs

OAG Recommendation #9

PS, in collaboration with PSPC and the Office of the Chief Human Resources Officer (OCHRO), should assess globally what the training needs are and develop an integrated training plan at all levels to ensure that all stakeholders properly understand their roles and responsibilities within the HR to Pay process.

What we found

PS has not conducted an overall assessment training needs for payroll administration or established an integrated training plan for the Department.
Training is provided on an ad hoc basis.

Current efforts have been focused on improving data integrity in SFT. In late 2019, the Senior SFT coordinator resumed one-on-one training, which is provided when a need is identified based on the quality of information input in SFT by coordinators.

PS has developed manuals for staff performing payroll transactions; however, they were not consistently communicated to ensure awareness and encourage compliance.
Good practices have been established within HR where specific job aids have been developed to assist staff in inputting timely, complete and accurate data into Phoenix.
We have observed progress since the Internal Control Framework Assessment, namely in the areas of SFT data analysis, training, and proposed process improvements.

OAG Recommendation #9 - IAED Assessment
OAG Recommendations	Minimal Expectations OAG Self-Assessment Tool	Self- Assessment Level	IAED Assessment Level
9. Training needs a) Entities, in collaboration with PSPC and the Office of the Chief Human Resources Officer (OCHRO), should assess globally what the training needs are and develop an integrated training plan at all levels to ensure that all stakeholders properly understand their roles and responsibilities within the HR to Pay process.	i. Entities, PSPC and/or OCHRO have identified areas of training needs and developed a training plan for all levels and different roles and responsibilities of stakeholders in the HR to Pay process.	Level 3	Level 3
	ii. Training plan has been communicated to all stakeholders.	Level 4	Level 3
	iii. Other relevant processes, as reported by PS: The SACO ensures that employees are provided with the access to Phoenix that they require for their functions, that the requests are approved by the appropriate authority and that the access follows rule for segregation of duties.	Level 4	Level 3

Follow-Up Audit Conclusion

Improvements are required for PS to effectively address the OAG recommendations on payroll management and the results of the Internal Control Framework Assessment.

It should be noted that most of the planned actions have not been fully implemented in relation to their original completion date tabled at the DAC meeting in October 2018.

IAED will not issue additional recommendations to improve the internal control framework over pay administration as a result of this follow-up audit. However, management actions moving forward should:

Continue to address the recommendations from the 2017 and 2018 OAG Audits of the Consolidated Financial Statements of the Government of Canada for inclusion in the Public Accounts of Canada and the 2018-19 Internal Control Framework Assessment;
Meet the minimal expectations of a management action plan as defined by the OAG in the Self-Assessment Tool; and
Consider the findings included in this follow-up audit report.

The resulting Management Action Plan will be subject to IAED’s follow-up process.

As part of the follow-up process, IAED will assess and validate the corrective measures that have been taken and determine whether the actions carried out are appropriate.

Annex A: Pay Process Steps

Pay Process Steps
Accountability	Pay Process Steps
Responsibility Centre Manager (RCM)	*Step 1. Expenditure Initiation*. The RCM submits a request to Human Resources (HR)-Staffing to request a staffing action or to HR-Compensation for action (for example, acting less than 4 months, overtime etc.).
	*Step 2. Commitment Control (Section 32 FAA).* The RCM with delegated Section 32 FAA authority confirms availability of funds by signing the Request for Human Resources Services (RHRS) document.
	*Step 3. Section 34 FAA Certification By RCM. The RCM with delegated Section 34 FAA* authority certifies entitlement, for example, signs the Letter of Offer, signs the overtime form and or the WEB enabled Extra Duty Pay (EDP) application of the Compensation WEB Application (CWA) etc.
Human Resources	*Step 4. Pay Input*. HR-Compensation confirms the employee’s eligibility, performs the required calculations and enters the transaction into the Regional Pay System (PHOENIX) and into PeopleSoft.
Human Resources	*Step 5. Pay Verification-HR*. A second Compensation Advisor verifies the transaction. As auditable evidence, the peer verifier Compensation Advisor stamps, signs and dates the screen printout from PHOENIX.
Finance	*Step 6. Section 33 FAA Authorization. The Finance Officer with delegated Section 33 FAA* authority approves the transaction in phoenix For salary transactions that have been identified as high risk, a Finance representative carries out the procedures for reviewing salary payments before the Finance Officer with delegated authority for Section 33 FAA approves the transaction (pre-payment verification); and For salary transactions that have been identified as medium or low risk: The Finance Officer with delegated authority for Section 33 FAA approves the transaction; and A Finance representative carries out the procedures for reviewing salary payment on a sample basis after the transaction has been approved for Section 33 FAA (post-payment verification).

Source: Public Safety Canada Section 33 Procedure for Payroll Payment; Certification Authority and Payment Desk-book

Annex B: Rating Scale – Status of Implementation of OAG Recommendations on Payroll Management

Rating Scale – Status of Implementation of OAG Recommendations on Payroll Management
Rating Scale*
Level 1	No progress or insignificant progress Actions such as striking a new committee, having meetings, and generating informal plans should be regarded as insignificant progress.
Level 2	Planning stage Your organization has created formal plans for organizational changes and had them approved by the appropriate level of management (at a sufficiently senior level, usually executive committee level or equivalent) with appropriate resources and a reasonable timetable.
Level 3	Preparations for implementation Your organization has made concrete preparation for implementing a recommendation by hiring or training staff, or developing or acquiring the necessary resources to implement the recommendation.
Level 4	Substantial implementation Your organization has structures and processes in place and integrated within at least some parts of the department, and some achieved results have been identified. Your organization also has a short-term plan and timetable for full implementation.
Level 5	Full implementation Your organization has structures and processes that are operating as intended and are fully implemented.
Level N/A	Obsolete / Other Your organization considers the recommendation obsolete or not applicable because of unforeseen events or because the issues superseded by the introduction of a new process or program. Provide explanation when using this rating.

*The rating scale was adopted from the Office of the Auditor General’s Self-Assessment Grid

Annex C: CMB Management Response

The Internal Control Unit under the CFO sector has recently performed an assessment of the department’s Payroll and Operating Expenditures processes, that identified findings consistent with this IAED Follow-up Audit.
As a first step to address the IAED findings, PS will develop a comprehensive strategy; which will consider financial and non financial impacts, options, risk and feasibility analysis (resources, prioritization, realization of efficiencies).

Present strategy to the Departmental Management Committee (DMC) in the Fall 2020 to seek approvals on proposals and potential resource implications.

As a second step, PS will develop a detailed Management Action Plan including key timelines and correctives measures.

Present the MAP to DAC in the Winter 2021.

In the meantime, PS will continue to improve upon the keys findings of the various assessments (e.g. evidence of review, Information Management practices, documentation, etc.).

Date modified:: 2022-08-10