Audit of Employee Benefits Payments Project (AU1108)


 

 EXECUTIVE SUMMARY

 INTRODUCTION

Pay and benefits represent a significant amount of the Department’s vote 1 spending budget. These activities constitute $379M (or 45%) of the total departmental 2010–2011 operating budget of $841M. The 2008–2009 expenditures for overtime, paid out vacation, and severance pay were $4M, $2M and $7M, respectively. The 2008–2009 liabilities for vacation pay/compensatory leave and employee severance benefits were $23M and $80M, respectively.

The management of employee benefits takes place in a complex environment that is governed by the Public Service Employment Act, the Financial Administration Act (FAA), and a series of Treasury Board Secretariat (TBS) policies, directives and collective agreements, including the Policy on Terms and Conditions of Employment and the Directive on Leave and Special Working Arrangement. The benefits process also involves three systems: the Government Financial System (GFS), PeopleSoft, and the Regional Pay System (RPS) which is the Public Work and Government Services Canada’s online pay system.

DEPARTMENTAL RISKS

Employee benefits were identified as a significant risk in the 2010 Risk-based Annual Plan,which was tabled and approved at the Departmental Audit Committee meeting in June 2010 and subsequently approved by the Deputy Minister. Some of the risks identified with employee benefits include:

  • employees may be taking leave to which they are not entitled,
  • managers/supervisors may not have the information necessary to fulfill their responsibilities, and
  • the Department’s financial statements may be misstated.

AUDIT PURPOSE AND OBJECTIVES

The overall purpose of this audit was to assess the adequacy of key elements of the management control framework in terms of policy compliance, effective monitoring, and accurate and complete reporting of information related to employee benefits. Specifically, the audit objectives were established to provide assurance that:

  • benefits are managed in compliance with applicable Treasury Board (TB), Treasury Board Secretariat (TBS) and Natural Resources Canada (NRCan) policies, procedures, regulations, collective agreements and terms of employment;
  • overtime, vacation and other benefits are accurate, appropriately and consistently monitored, and reported; and
  • risks associated with overtime, vacation and other benefits are identified and mitigated.
INTERNAL AUDIT CONCLUSION

Overall, the audit provides assurance that employee benefits are being managed in accordance with applicable TB, TBS and NRCan policies, procedures, regulations, collective agreements and terms of employment. However, opportunities exist to improve oversight of these benefits to ensure that they are appropriately and consistently monitored and reported on, and that risks are identified and mitigated at the corporate level. Several minor control weaknesses were identified regarding compliance with the Directive on Leave and Special Working Arrangements and TBS’s Directive on Account Verification.

Audit Findings Pg Recommendations Audit Risk Rating Management Response Timing
Compliance and Corporate Oversight

There are opportunities to improve corporate oversight for the administration of employee leave and benefits. In particular, there is a need for overarching guidance to ensure that roles and responsibilities are clearly distinguished; that the branches involved in the process work together to ensure benefits are being administered, monitored and reported on effectively; that the delegation of authority particulars are effectively communicated; that overtime transactions are being properly authorized; and that tracking mechanisms and service standards are developed for non-routine pay transactions.

 

3

CMSS should:

1. develop a plan to clearly articulate roles and responsibilities as they pertain to the oversight and review of leave and employee benefits.

 

Management agrees.

1.  A plan for increased corporate oversight will be developed and implemented by HRSMB. New staff with a background in compensation and benefits, and policy and oversight capabilities will be hired.

September 1, 2011

2. develop a plan for periodic monitoring of leave and employee benefits.

 

2.  The above plan will include the implementation of a monitoring framework for leave and employee benefits.

September 1, 2011

3. develop a plan and provide necessary training to ensure that the human resources delegation of authority is communicated, adhered to and monitored regarding leave.  

3. A plan for required training will also be developed and implemented by HRSMB, in cooperation with SSOHRSS, to address the communication of, compliance with, and monitoring of human resources (HR) delegation authority.

November 1, 2011

4. ensure that pay transactions are included in the sampling selection under account verification requirements and reported on quarterly.

 

4. SSO Financial Services’ Quality Assurance (QA) Unit will work with SSOHRSS Compensation and Benefits (C&B) to perform QA on pay verification. As part of this QA, Responsibility Centre (RC) managers will be required to print their names and include their RC code on overtime forms (i.e. in addition to signature authorization) so that C&B are able to verify managers’ signatures against their respective RC accounts.

September 1, 2011

5. develop service standards and procedures for tracking non-routine transactions.

 

5. CMSS will expand current compensation and benefits service standards to include non-routine transactions. The standards will be in compliance with TBS policy and account for the government-wide transformation of pay administration initiative.

September 1, 2011

Leave Management

While CMSS has addressed some PeopleSoft control weaknesses, opportunities still exist to improve managers’/supervisors’ overall understanding of leave management and, in particular, the delegation of authority issues that are specific to NRCan that can affect appropriate exercising of their authority.

8 6. CMSS should develop and require mandatory training before a supervisor/manager can approve leave requests in PeopleSoft  

Management agrees.

6. HRSMB will develop and implement such mandatory training, and the SSOHRSS PeopleSoft Team will restrict the delegated authority to approve leave requests to only those supervisors/managers who have received the training.

November 1, 2011

Accuracy of Financial Statements

The process for the posting of leave information to NRCan’s financial statements is clear and timelines are well communicated. However, an opportunity exists to improve the financial statement process as it relates to leave and benefits by creating clear procedures to ensure that data used for the calculation of the financial statements is complete and reproducible.

11 7. CMSS SSO/HRMS should develop procedures to ensure that PeopleSoft reports used to support the information in the financial statements are reproducible.  

7. Management agrees.

The PeopleSoft Team has already amended its Leave Year Procedures to ensure that PeopleSoft reports are reproducible and can support the information in the financial statements. This amendment has been implemented and will be enforced for the current 2010–11 Leave Year End and forthwith.

February 3, 2011

Table of Contents


INTRODUCTION

Employee benefits were identified as a significant risk in the 2010 Risk-based Annual Plan, which was tabled at the Audit Committee meeting in June 2010 and subsequently approved by the Deputy Minister.

Pay and benefits represent a significant amount of the Department’s budget, constituting $379M (or 45%) of the total departmental 2010–2011 vote 1 operating budget of $841M. The 2008–2009 expenditures for overtime, paid out vacation, and severance pay were $4M, $2M and $7M, respectively. The 2008–2009 liabilities for vacation/compensatory leave and employee severance benefits were $23M and $80M, respectively.

The management of employee benefits takes place in a complex environment that is governed by the Public Service Employment Act, the Financial Administration Act (FAA), and a series of Treasury Board (TB) and Treasury Board Secretariat (TBS) policies, directives and collective agreements, including the Policy on Terms and Conditions of Employment and the Directive on Leave and Special Working Arrangements. The benefits process also involves three systems: the Government Financial System (GFS), PeopleSoft, and the RPS (Public Works and Government Services Canada’s online pay system).

Responsibility for employee leave and benefits falls under the Corporate Management and Services Sector (CMSS). While Human Resources and Security Management Branch (CMSS/HRSMB) has responsibility as outlined in the Directive on Leave and Special Working Arrangements, functional responsibility is shared among three key players: the Human Resources Services and Systems (CMSS/SSO/HRSS) has functional responsibility for ensuring the accurate inputting and processing of employee benefit and overtime claims; the HR Management Systems (CMSS/SSO/HRMS) has functional responsibility for the PeopleSoft system; and the Financial Management Branch (CMSS/FMB) has functional responsibility for ensuring the accurate financial reporting of these expenses.

AUDIT PURPOSE AND OBJECTIVES

The overall purpose of this audit was to assess the adequacy of key elements of the management control framework in terms of policy compliance, effective monitoring, and accurate and complete reporting of information related to employee benefits. Specifically, the audit objectives were established to provide assurance that:

  • benefits are managed in compliance with applicable Treasury Board (TB), Treasury Board Secretariat (TBS) and Natural Resources Canada (NRCan) policies, procedures, regulations, collective agreements and terms of employment;
  • overtime, vacation and other benefits are accurate, appropriately and consistently monitored, and reported; and
  • risks associated with overtime, vacation and other benefits are identified and mitigated.
SCOPE AND METHODOLOGY

The period of audit coverage was 1 April 2008 to 1 December 2010, with a focus on:

  • overtime,
  • severance, and
  • vacation or compensatory leave.

This audit was conducted in accordance with the Treasury Board Policy on Internal Audit and with the Standards for Professional Practice of Internal Auditing published by the Institute of Internal Auditors.  It included:

  • a review of relevant background documentation;
  • interviews with key personnel; and
  • an examination of records, data and other supporting documentation to determine if effective financial and program controls were designed and implemented.
CRITERIA

Please refer to Appendix B for a list of audit criteria.

FINDINGS AND RECOMMENDATIONS

COMPLIANCE AND CORPORATE OVERSIGHT
Summary Finding

There are opportunities to improve corporate oversight for the administration of employee leave and benefits. In particular, there is a need for overarching guidance to ensure that roles and responsibilities are clearly defined; that the branches involved in the process work together to ensure benefits are being administered, monitored and reported on effectively; that the delegation of authority particulars are effectively communicated; that overtime transactions are being properly authorized; and that tracking mechanisms and service standards are developed for non-routine pay transactions.

RISK AND IMPACT
Risk Type Audit Risk Rating Impact
Compliance Minor

Non-compliance with the Directive on Leave and Special Working Arrangements allows for instances of inappropriately authorized leave to go undetected.

Non-compliance with NRCan’s Delegation of Authority for Human Resources creates the opportunity for employees to take more leave than they are entitled.

Non-compliance with TBS’s accounts verification directive may allow for improperly approved overtime transactions to be processed.

Operations/Strategy Minor

Inability to track non-routine transactions may lead to inefficient use of resources and employee dissatisfaction.

Supporting Findings

ROLES AND RESPONSIBILITIES

The audit found that corporate oversight is effective regarding the financial approval and management of leave and benefits. Interview results indicate that managers/supervisors who have delegated financial authority are aware of their responsibilities as they pertain to employee benefits when they have a clear cost associated with them. For example, they routinely receive, or access, reports from the Government Financial System (GFS) to monitor for overtime and potential costs for the cash out of vacation time. Managers1 interviewed were aware that overtime needed to be pre-approved, although some indicated that they accepted verbal or email overtime requests. These practices are in compliance with the NRCan policy on overtime, which does not stipulate that overtime requests need to be in writing. Interviews further indicated that managers with delegated financial authority routinely budget and monitor their expenses for employee benefits. Thus, roles and responsibilities and monitoring of benefits with a clear financial component appear to be well-managed and monitored by the responsible managers.

However, employee benefits without a clear financial component (i.e., those processed through the PeopleSoft online leave system), are much more difficult to monitor and report on, as explained in the paragraphs below.

The CMSS/HRSMB has overall responsibility under the Directive on Leave and Special Working Arrangements. The directive states that senior departmental human resources officials or any other person named by the deputy head are responsible for, among other things, “ensuring that the organizational structure, resources, procedures, systems and controls are in place for the secure, accurate and timely application and administration, within their organization, of all types of leave and special working arrangements.”2

Operationally, however, the above-stated responsibilities are divided among the online leave system (PeopleSoft) and the report-generating component that resides with the CMSS/SSO/HRMS group, as well as with the pay processing component which resides with the Compensation and Benefits group. In other words, there is an organizational separation between the overall responsibility that rests with HRSMB and operational components that reside elsewhere.

Managers/supervisors are responsible for “ensuring that requests for leave are only approved in accordance with the applicable authority, in other words, the relevant collective agreement or terms and conditions of employment.”3 However, the current process does not provide them with the necessary tools to fulfill these responsibilities. For example, leave anomaly reports are currently being produced on an ad hoc basis by the CMSS/SSO/HRMS group and are provided to the Compensation and Benefits group. This group however does not routinely review these reports, and they explained to the audit team that they believe it should be the managers’ responsibility to ensure that leave requests are valid. However, neither supervisors nor managers receive leave anomaly reports from PeopleSoft.  Furthermore, if they wish to review an employee’s leave balances, they can only view the transactions of employees who report directly to them. This creates problems particularly in instances when people are “acting” supervisors. This situation is due in part to NRCan’s particular interpretation of the Privacy Act, which currently only allows direct supervisors to view employees’ leave balance and history - thus effectively restricting corporate oversight.

Moreover, by not having a clear oversight function, there is a risk that supervisors may be approving leave to which their employees are not entitled, and due to the interpretation of the Privacy Act no one but the direct supervisor would have access to that information. This could result in employees taking more leave than they are entitled to, which could result in a financial and potential capacity loss for the Department.

HR DELEGATION OF AUTHORITY TRAINING NOT REQUIRED BEFORE GRANTING LEAVE REQUESTS

NRCan’s HR Delegation of Authority instrument, established in October 2008, outlines what level of authority4 is required in specific situations (e.g., initiating a staffing action or approving certain types of leave) and it is based on NRCan’s organizational structure.  The Department requires the completion of in-house training on this instrument before a manager/supervisor can, for example, initiate a staffing action. However, interview results determined that managers/supervisors are unaware of this instrument as it specifically relates to leave. Moreover, training on this instrument is not required before a manager/supervisor can approve leave requests or view leave balances. Furthermore, an employee’s HR delegation of authority level is not embedded in PeopleSoft or documented in HR files.

As a result, managers/supervisors who are responsible for approving online leave requests may not be aware of the delegation of authority directive as it applies to leave, and may be approving leave without the required authority. As a result, the Department may incur a financial and/or capacity loss if leave is being approved for employees to which they are not entitled.

PAPER-BASED OVERTIME REQUESTS VERIFICATION

Most employee leave and benefits transactions are done online through the PeopleSoft system and do not require a financial payment at the time of the transaction. This means that online leave transactions do not require FAA Section 345 verification. However, some transactions, like the paper-based request forms for overtime that go to the Compensation and Benefits group for processing and payment, require FAA Section 34 verification by an FAA Section 336 authority.  The audit found that, in these instances, FAA Section 34 was not being verified before the transaction was processed. In turn, interviewees indicated that it was not needed, as the TBS Account Verification directive regarding account verification states that for low- to medium-risk transactions, a statistical sampling verification process can be used.

Nevertheless, to date, the pay transactions have not been included in a sampling process, as required and committed to in NRCan’s Quality Assurance and Statistical Plan which became effective April 1st, 2009, and in accordance with the management action plan for the previous Audit of Pay and Benefits (AU0901) completed in March 2009. Without proper verification of FAA Section 34, there is the risk that inappropriately approved payment requests might be initiated, thus resulting in a financial loss to the Department.

SERVICE STANDARDS FOR NON-ROUTINE TRANSACTIONS

According to the audit results, routine transactions such as the processing of overtime are meeting established service standards. However, non-routine transactions have no service standards or tracking mechanisms. These transactions tend to be unique, comprised of situations where employees identify a potential pay error and bring it to the attention of their compensation and benefits advisors who then address the issue at their own discretion. Interview results suggest that there are approximately 70 non-routine inquiries a week, and that these requests amount to approximately 15% of a compensation and benefit advisor’s workload.

With no standards for processing employee-generated inquiries, employees may be unsatisfied with the service received and transactions may not be completed in a timely manner.

RECOMMENDATIONS

CMSS should:

  1. develop a plan to clearly articulate roles and responsibilities as they pertain to the oversight and review of leave and employee benefits.
  2. develop a plan for periodic monitoring of leave and employee benefits.
  3. develop a plan and provide necessary training to ensure that the human resources delegation of authority is communicated, adhered to and monitored regarding leave.
  4. ensure that pay transactions are included in the sampling selection under account verification requirements and reported on quarterly.
  5. develop service standards for the processing of non-routine transactions.
Management Action Plan and Time Frame

Management agrees.

  1. A plan for increased corporate oversight will be developed and implemented by HRSMB. New staff with a background in compensation and benefits, and policy and oversight capabilities will be hired.

    Timing:  September 1, 2011

  2. The above plan will include the implementation of a monitoring framework for leave and employee benefits.

    Timing:  September 1, 2011

  3. A plan for required training will also be developed and implemented by HRSMB, in cooperation with SSOHRSS, to address the communication of, compliance with, and monitoring of human resources (HR) delegation authority.

    Timing:  November 1, 2011

  4. SSO Financial Services’ Quality Assurance (QA) Unit will work with SSOHRSS Compensation and Benefits (C&B) to perform QA on pay verification. As part of this QA, Responsibility Centre (RC) managers will be required to print their names and include their RC code on overtime forms (i.e. in addition to signature authorization) so that C&B are able to verify managers’ signatures against their respective RC accounts.

    Timing:  September 1, 2011

    CMSS will expand current compensation and benefits service standards to include non-routine transactions. The standards will be in compliance with TBS policy and account for the government-wide transformation of pay administration initiative.

    Timing:  September 1, 2011
LEAVE MANAGEMENT
Summary Finding

While CMSS has addressed some PeopleSoft control weaknesses, opportunities still exist to improve managers’/supervisors’ overall understanding of leave management and, in particular, the delegation of authority issues that are specific to NRCan that can affect appropriate exercising of their authority.

RISK AND IMPACT
Risk Type Audit Risk Rating Impact
Compliance Minor Employees may be taking more leave than they are entitled.
Supporting Findings

SUPERVISORS/MANAGERS NOT AWARE OF RESPONSIBILITIES REGARDING MANAGEMENT OF EMPLOYEE LEAVE AND BENEFITS

The Directive on Leave and Special Working Arrangements states that persons with the delegated authority to approve leave are responsible for, “ensuring that all applications for discretionary leave and special working arrangements are approved or not approved in a fair, consistent and transparent manner; ensuring that requests for leave are only approved in accordance with the applicable authority, in other words, the relevant collective agreement or terms and conditions of employment”.7 Although managers/supervisors appear to be aware of their responsibilities regarding purely financial pay and benefits transactions, they are not fully aware of their responsibilities as they relate to PeopleSoft.

While managers and supervisors exhibited sound judgment in the approval of leave, many were unaware of the application of certain leave codes. For example, leave code 699 is for “Other paid leave- other.” This code is supposed to be used in exceptional circumstances only when an employee is prohibited from coming to work for reasons beyond their control. In FY 2010–2011, 104 employees applied for and were approved leave under this code, amounting to a total of 148 days of paid leave. Further analysis of those transactions indicated that the leave code, in most cases, was misapplied; however, no intentional abuse was apparent. Managers/supervisors were approving leave under this code for such things as medical appointments in excess of those granted under the terms and conditions of employment. The audit did not find abuse of this leave code, but rather a general lack of knowledge of its purpose.

This lack of understanding of the particulars of leave codes stems in part from the switch to government-wide implementation of the Treasury Board Policy on Learning, Training, and Development in 2006. Prior to the implementation of this policy, training for supervisors and managers was provided in-house and it addressed issues specific to NRCan. Currently, mandatory training for managers/supervisors is offered only through the Canada School of Public Service (CSPS) and does not cover issues specific to NRCan requirements, such as PeopleSoft or NRCan’s delegation of HR authority. Therefore, there is a knowledge gap in the training provided by the CSPS in order for supervisors/managers to effectively manage leave and benefits. Furthermore, even the completion of mandatory training, as outlined by the related policy, is not required before an employee’s supervisor can access and approve leave in PeopleSoft.

This may result in supervisors/managers not being sufficiently aware or trained for the exercise of their responsibilities regarding leave, which could lead to employees being granted more leave than they are entitled to.  It may also lead to inappropriately authorized leave in some cases.

SUPERVISORS/MANAGERS NOT AWARE OF CONTROL WEAKNESSES IN PEOPLESOFT

The PeopleSoft tool is not used universally across the federal government. For the several departments that do use it, like NRCan, some customizations can be implemented to suit their needs. However, department-specific modifications are not covered in the mandatory training courses for new public servants, supervisors and managers provided by the CSPS, potentially resulting in employees not having a clear understanding of how PeopleSoft works in their department.

In terms of NRCan’s use of PeopleSoft, there are controls over some leave categories (e.g,. allowable vacation days); however, PeopleSoft does not have adequate controls to monitor requests such as paid leave or bereavement leave.

MANAGEMENT INITIATIVE

In the planning stage of this audit, the audit team was advised that PeopleSoft was being upgraded. Rather than miss the opportunity to include proposed changes in the upgrade, the Audit Branch issued a management letter identifying concerns in PeopleSoft Version 8. CMSS took the initiative to make changes in Version 8.9, which included the elimination of outdated leave codes and the addition of error prompts when the maximum permissible hours are exceeded for certain leave types.

RECOMMENDATION
  1. CMSS should develop and require mandatory training before a manager/supervisor can approve leave requests in PeopleSoft.
Management Action Plan and Time Frame
  1. HRSMB will develop and implement such mandatory training, and the SSOHRSS PeopleSoft Team will restrict the delegated authority to approve leave requests to only those supervisors/managers who have received the training.

    Timing:  November 1, 2011
ACCURACY OF FINANCIAL STATEMENTS
Summary Finding

The process for the posting of leave information to NRCan’s financial statements is clear and timelines are well communicated. However, an opportunity exists to improve the process as it relates to leave and benefits by creating clear procedures to ensure that the PeopleSoft data used in the production of the financial statement figures is reproducible.

RISK AND IMPACT
Risk Type Audit Risk Rating Impact
Reporting Minor Amounts relating to employee pay and benefits in the financial statements may be inaccurate.
Supporting Findings

EMPLOYEE SEVERANCE BENEFITS INADVERTENTLY OVERSTATED IN THE DEPARTMENTAL FINANCIAL STATEMENTS BUT BEING ADDRESSED

The year-end procedures for calculating NRCan’s accrual benefits and reporting in the financial statements are thorough and clear. The timelines and responsibilities in the process are effectively communicated to ensure that the Department’s financial statements are accurate and fairly stated.

In fiscal year 2009–2010, there was an overstatement of $11.6M in the severance accrual liability reported in the departmental financial statements.  The overstatement occurred because the Office of the Comptroller General (OCG), which provides departments with the severance liability rates for departmental financial statements purposes only, changed the rate for fiscal year 2008–2009 after the initial numbers were calculated and recorded in the financial system.

This rate change created an increase of the severance liability accrual in the fiscal year 2008–2009 of $11.6M. At the time, the financial system had been closed and the OCG indicated that the adjustment should only be made on paper and be reported in the departmental financial statements.  As a result, NRCan included an increase of $11.6M to its severance liability in the departmental financial statements for fiscal year 2008–2009.  At the time of preparing the departmental financial statements for the following year (i.e. the year ending 31 March 2010), the 31 March 2009 severance liability reported in the departmental financial statements was used as the opening severance liability to which was added the expenses for the year and resulted in  double-counting the $11.6M liability. Therefore, the severance liability balance in fiscal year 2009–2010 was overstated by $11.6M in the departmental financial statements. It should be noted that the OCG does the calculation of the severance liability for the Government of Canada as a whole, rather than considering individual department liabilities, and reports it in the Public Accounts of Canada. Therefore NRCan’s overstatement had no impact on the amount reported in the Public Accounts but was strictly limited to NRCan’s financial statements.  

SUPPORTING DOCUMENTATION FOR VACATION PAY AND COMPENSATORY LEAVE TOTALS

To verify the accuracy of liability balances reported on in the departmental financial statements, the audit team attempted to reconcile the leave balance reports used by the Financial Management Branch (FMB) at year end with recreated PeopleSoft leave balance reports dated 31 March 2009 and 31 March 2010.  However, the reconciliation did not match as the PeopleSoft system is a real-time system designed to reflect the up-to-date leave and employment status of employees.  Thus, identical reports on historical leave information could not be consistently generated.

At year end, the FMB receives PeopleSoft reports from the CMSS/SSO/HRMS group on compensatory and leave balances for all employees in order to calculate accrual liabilities in these areas. The process is a straightforward calculation, taking the salary rate of individual employees and multiplying it by the compensatory and vacation leave balances. The FMB has procedures to verify that the data is accurate, including internal verification of leave balances for employees within their own group. The audit team was able to verify that the amounts in the reports which had been produced on 31 March 2009 and 31 March 2010 and kept on file by FMB were reported accurately in the departmental financial statements.  However, without being able to recreate the data used for the financial statements, the audit team could not verify the accuracy of the source data in PeopleSoft.

RECOMMENDATION
  1. CMSS SSO/HRMS should develop procedures to ensure that PeopleSoft reports used to support the information in the financial statements are reproducible.
Management Action Plan and Time Frame
  1. The PeopleSoft Team has already amended its Leave Year Procedures to ensure that PeopleSoft reports are reproducible and can support the information in the financial statements. This amendment has been implemented and will be enforced for the current 2010–11 Leave Year End and forthwith.

    Timing:  February 3, 2011

APPENDIX A – STANDARD AUDIT RISK RATING

STANDARD RISK TYPES

Our standard risk types are classified based on the COSO8 Internal Control-Integrated Framework as follows:

Strategy - High-level goals, aligned with and supporting the Department's mission.

Operations - Effective and efficient use of resources.

Monitoring - Accurate assessments or evaluation of activities.

Reporting - Reliability of operational and financial reporting.

Compliance - Compliance with applicable laws, regulations, policies and procedures.

STANDARD AUDIT RISK RATINGS

Audit findings are rated as follows:

Major: A key control does not exist, is poorly designed or is not operating as intended and the related risk is potentially significant. The objective to which the control relates is unlikely to be achieved. Corrective action is needed to ensure controls are cost effective and/or objectives are achieved.

Moderate: A key control does not exist, is poorly designed or is not operating as intended and the related risk is more than inconsequential. However, a compensating control exists. Corrective action is needed to avoid sole reliance on compensating controls and/or ensure controls are cost effective.

Minor: A weakness in the design and/or operation of a non-key process control. Ability to achieve process objectives is unlikely to be impacted. Corrective action is suggested to ensure controls are cost effective.

APPENDIX B – AUDIT CRITERIA

The audit criteria were derived from widely recognized control models (e.g. CICA Criteria of Control - CoCo). Actual performance was assessed against the audit criteria resulting in either a positive finding or the identification of an area of improvement. The following audit criteria were used to conduct the audit:

Objective 1: Policy Compliance

Benefits are managed in compliance with applicable TB and NRCan policies, procedures, regulations, collective agreements and terms of employment.

1.1  Accountabilities, roles and responsibilities for the administration of overtime, vacation and other benefits are well defined, comprehensive, current and understood by all relevant parties

1.2  Processes and controls exist to capture, record, authorize, action and report overtime, vacation and other benefits

Objective 2: Monitoring and Reporting

Overtime, vacation and other benefits are accurate, appropriately and consistently monitored, and reported on.

2.1  Up-to-date tools/reports are provided in a timely manner to help managers identify variances in overtime, vacation and other benefits

2.2  Processes for monitoring are in place to identify and communicate issues pertaining to overtime, vacation and other benefits and subsequent reporting to management is conducted in a clear, comprehensive and timely manner

2.3  Established service standards are being clearly communicated and adhered to for payments of overtime, vacation and other benefits

2.4  Amounts reported on the financial statement and the payroll are periodically reconciled with personnel data and are accurate, timely and correct

Objective 3: Risk Assessment and Management

To determine the extent to which the risks associated with overtime, vacation and other benefits are identified and mitigated

3.1  Mechanisms are in place to identify, assess and mitigate risks related to overtime, vacation and other benefits


1 The audit team interviewed a sample of 11 Responsibility Centre (RC) managers with delegated financial signing authority and 7 supervisors who had approved leave during the timeframe of the audit but who did not necessarily have delegated financial signing authority.

2 See TBS Directive on Leave and Special Working Arrangements, section 6.1. http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=15774&section=text

3 Ibid, section 6.2.

4 A level 5 is normally a supervisor or a manager who may or may not have delegation of financial authority. A level 5 indicates that there are 4 levels of authority between that individual and the Deputy Minister, who is a level 1.

5 Section 34 provides the authority to certify that all the terms of the contract or agreement that gave rise to the payment are satisfied and all aspects of the account are correct.  In a pay administration context, FAA Section 34 certification originates from the entitlements specified in the terms and conditions of employment.

6 Section 33 provides the authority to pay the expenditures after ensuring that the payment shall be a lawful charge against an appropriation and that section 34 has been properly exercised.

7 See TBS Directive on Leave and Special Working Arrangements, section 6.2. http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=15774&section=text

8 COSO defines internal control as a process, effected by an entity’s board of directors, management and other personnel. This process is designed to provide reasonable assurance regarding the achievement of objectives in effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations. Source : http://www.coso.org/resources.htm