Internal Audit Report – The Agency's Response to the Office of the Auditor General's 2017 and 2018 Recommendations Regarding Payroll Transactions in the Government of Canada

Internal Audit Report – The Agency's Response to the Office of the Auditor General's 2017 and 2018 Recommendations Regarding Payroll Transactions in the Government of Canada (PDF – 1,217 kb)

Approved by the President June 2, 2020

On this page

1.0. Background

In its 2017 and 2018 audits of the Consolidated Financial Statements of the Government of Canada, the Office of the Auditor General (OAG) made recommendations regarding the payroll transactions. The OAG tabled 9 recommendations related to payroll processes for all federal organizations whose payroll is processed by Phoenix. In 2017 and 2018, the Canadian Food Inspection Agency (CFIA or the Agency) performed self-assessments to determine whether any of the OAG recommendations applied. The Agency then documented actions to address any deficiencies. The Agency determined that

  • there were opportunities for improvement with 4 recommendations, which required a Management Action Plan, and
  • the remaining 5 recommendations were already addressed by its existing processes

Given the importance of accurate and properly controlled payroll information and processes, the CFIA 2019/20 – 2021/22 Risk-Based Audit and Plan included an audit of the Agency's self-assessments against, and responses to, each of the OAG's 9 recommendations. This report summarizes the audit observations.

2.0. About the audit

2.1. Objective

To assess whether the Agency's self-assessment, corrective actions and existing processes that are under the Agency's control fully addressFootnote 1 the 9 Office of the Auditor General of Canada (OAG) recommendations from the 2017 and 2018 Audits of the Consolidated Financial Statements of the Government of Canada.

2.2. Scope

The scope of the audit focused on the Agency's assessment of, and response to, each of the 9 recommendations from the OAG. For each recommendation, the audit assessed the appropriateness of corrective actions and existing processes to provide assurance that the Agency's internal controls are designed and operating effectively. The audit also performed limited transaction testing.

The audit focused on the period from April 1, 2018 to November 30, 2019. This is the period to which the audit conclusion applies.

The audit did not cover corrective measures required to address Phoenix pay system issues, nor the Government of Canada Pay Centre operations.

3.0. Statement of conformance

The audit conforms to the Institute of Internal Auditors' International Professional Practices Framework, as supported by the results of the CFIA's Internal Audit quality assurance and improvement program. Sufficient and appropriate evidence was gathered in accordance with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing to provide a reasonable level of assurance over the findings and conclusions in this report. The findings and conclusions expressed in this report are based on conditions as they existed at the time of the audit, and apply only to the areas included in the audit scope.

4.0. Summary of internal audit of Canadian Food Inspection Agency (CFIA) response to the Office of the Auditor General of Canada (OAG) recommendations

The Agency's self-assessment, corrective actions and existing processes that are under the Agency's control fully address 5 of 9 OAG recommendations from the 2017 and 2018 Audits of the Consolidated Financial Statements of the Government of Canada.

The CFIA internal audit found that there were opportunities for improvement to the Agency's corrective actions and processes to address the 4 remaining recommendations regarding:

  • enhancements to the quality assurance processes for payroll transactions
  • enhancements of controls for the approval of paper-based payroll-related transactions
  • development and communication of clear and concise retention guidance for human resource-related documents
  • implementation of controls surrounding changes to the list of employees who can send and receive pay-related information and requests to the Pay Centre

The following sections detail observations regarding these 4 opportunities for improvement. The other 5 recommendations, which the audit concluded the Agency has fully addressed, are detailed in Appendix B.

4.1. Summary of OAG recommendations 2 and 3

Exercise the same level of control and rigour when performing section 33Footnote 2 and 34Footnote 3 approval for payroll as any other charges against appropriations.

CFIA Internal Audit Expectations CFIA Internal Audit Observations Impact
  • CFIA's section 33 and 34 pay-related controls are designed and operating effectively.
  • CFIA's pay processes and Quality Assurance (QA) Plan are aligned with Treasury Board Secretariat (TBS) guidance and include the same elements as the QA Plan for non-pay.
  • The CFIA analyzes errors noted during the QA for pay, performs trend analysis and addresses errors and issues on a timely basis.
  • Transactional testing and process review revealed general compliance with all section 33 and most section 34 approvals.
  • CFIA identifies critical errors during the QA process, and works toward resolution with Public Services and Procurement Canada, as required.
  • CFIA's processes and QA Plan for pay are aligned with TBS guidance and include the same elements as those for non-pay.

Opportunities for improvement:

  • Human Resources Branch has not implemented a required control to review section 34 for paper-based pay transactions.
  • Although not a policy requirement, Corporate Management Branch does not circulate the QA report for pay to all members of senior management interested in reviewing it.
  • Corporate Management Branch reports all errors in the QA report for pay and follows up with Human Resources Branch to address identified issues. However, the QA report does not distinguish between errors that are and are not under the Agency's control. Doing so would help the Agency focus on improving areas of concern that are within its control.

The Agency cannot certify that payments are a lawful charge against the appropriation and is at increased risk of issuing incorrect payments to employees.

Senior management may not be fully aware of the errors and issues the Agency faces with respect to pay, affecting timeliness of correction.

The Agency may not address systemic issues under its control.

Recommendation #1

The Vice President, Corporate Management Branch and Chief Financial Officer should enhance the Quality Assurance Report for pay-related transactions to

  • differentiate between errors that are and are not within the Agency's control, and use this information when determining where to focus improvement efforts
  • ensure the report is circulated to all members of senior management who would have an interest in reviewing this report

Recommendation #2

The Vice President, Human Resources Branch should ensure that paper-based pay transactions include verification of section 34 approval.

4.2. Summary of OAG recommendation 5

Clarify document retention policies for key human resource management documents to ensure proper personnel files are kept for each employee.

CFIA Internal Audit Expectations CFIA Internal Audit Observations Impact
  • The CFIA has clear and concise retention policies for human resource documents maintained on the Agency's information management system.
  • The CFIA has documented procedures that support the regular review of human resource information, including disposition on a timely basis.
  • Although not required, the Agency has proactively decided to maintain critical human resource documentation internally. This is to mitigate the risks of the information not being available in a timely manner.

Opportunity for improvement:

  • CFIA's human resource documentation retention initiative would benefit if clear disposition and retention guidance for human resource information were developed and communicated.
  • The Agency currently uses external documentation retention and disposition guidance, which does not clarify for CFIA employees their responsibilities under the Agency's human resource documentation retention initiative.

Good practice:

The Agency has chosen to maintain critical pieces of human resource information in order to ensure this information is available when required.

Without concise and clearly documented retention and disposition guidelines, there is a risk that the Agency will mishandle sensitive personal employee information.

Recommendation #3

The Vice President, Human Resources Branch, in consultation with the Vice President, Digital Services Branch, should:

  • develop clear and concise life cycle protocol guidance for each type of human resource information retained by the Agency and effectively communicate this guidance to responsible employees
  • develop and implement a procedure for the timely review of human resource information and appropriate disposal of that information at the end of its life cycle

4.3. Summary of OAG recommendation 7

Establish a process to manage changes to the trusted source listFootnote 4 and monitor the status of pay action requestsFootnote 5.
CFIA Internal Audit Expectations CFIA Internal Audit Observations Impact
  • The CFIA has a process to manage changes to the trusted source list.
  • The CFIA has a process to validate the trusted source list with Public Services and Procurement Canada.
  • The CFIA has an internal process to monitor and validate changes to employees who have access to trusted source accounts.
  • The CFIA has a process to monitor the status of pay action requests.
  • The CFIA has a process in place to validate the trusted source list with Public Services and Procurement Canada.
  • The CFIA has a process in place to confirm trusted sources with Agency officials.
  • Agency personnel and employees can request status updates on individual pay action requests. Branches have implemented internal processes to help employees with individual pay action requests.

Opportunity for improvement:

  • CFIA does not have a robust internal process to monitor and validate access to the generic trusted source email accounts.

Without adequate monitoring and control of the list of employees who have access to the Agency's trusted source accounts, there is a risk that pay action requests may not be appropriately authorized.

Recommendation #4

The Vice President, Human Resources Branch should develop and implement a process to monitor and regularly review changes to the list of individuals with access to trusted source email accounts.

5.0. Appendix A: Summary of internal audit assessment

OAG recommendation Internal audit assessment of the CFIA's response
1. Collaboration to receive information from pay administrator Fully addressed
2. and 3. Financial Administration Act Section 33 and 34 approvals Opportunities for improvement
4. Reconciliation of the payroll report Fully addressed
5. Key human resource document retention Opportunities for improvement
6. Section 34 manager access to Phoenix Fully addressed
7. Internal controls in pay processing Opportunities for improvement
8. Phoenix access and roles Fully addressed
9. Training needs Fully addressed

6.0. Appendix B: Fully addressed recommendations

Summary of OAG recommendation 1

Collaborate with Public Services and Procurement Canada to obtain the information required to assess the accuracy and completeness of payroll information.

CFIA internal audit expectations CFIA internal audit observations
  • The CFIA has demonstrated its efforts in requesting and following up on payroll information.
  • The CFIA has established process(es) for requesting and submitting information.
  • The CFIA performs quality assurance functions and account reconciliations to assess the accuracy and completeness of payroll information.
  • The CFIA routinely requests pay-related information and follows up on information that it has not received.
  • The CFIA has adopted the expected communications process for requesting payroll information. Pay Centre-approved trusted sources (employees and generic email accounts) can request and submit information on behalf of the Agency.
  • The CFIA performs regular quality assurance and account reconciliations.

Summary of OAG recommendation 4

Regularly reconcile the expected salary expense with the payments made and salary expenses recorded in the general ledger.

CFIA internal audit expectations CFIA internal audit observations
  • The CFIA performs and reviews reconciliations between general ledger accounts and the payroll report (IO50) on a timely basis.
  • The CFIA clears suspense accounts on a timely basis.
  • A CFIA partner organization performs the reconciliation on a timely basis following each pay cycle.
  • A CFIA Corporate Financial System employee reviews the reconciliation following each pay cycle, and suspense accounts are cleared on a timely basis, by year end.

Summary of OAG recommendation 6

Establish a process for providing Public Services and Procurement Canada with evidence that the requests for section 34 manager access are authorized.

CFIA internal audit expectations CFIA internal audit observations
  • The CFIA has a clear and rigorous process for ensuring requests for section 34 manager access are authorized.
  • The CFIA has a clear and rigorous process to update section 34 managers in Phoenix.
  • The CFIA has a clear and rigorous process in place for ensuring requests for section 34 manager access are authorized and appropriately monitored.
  • The CFIA has established an automated process to update section 34 managers in Phoenix.
  • Limited transaction testing indicated that the Agency's processes and controls are operating as designed.

Summary of OAG recommendation 8

Obtain an understanding of the roles granted to employees and assess the appropriateness of Phoenix access.

CFIA internal audit expectations CFIA internal audit observations
  • The CFIA has assigned an individual (or team) the responsibility of establishing and removing Phoenix access for employees.
  • The CFIA has an established mechanism to monitor Phoenix roles.
  • The CFIA's processes and controls are operating as designed.
  • The CFIA is in compliance with the required segregation of duties as outlined in Phoenix guidance documentation.
  • The CFIA's Security Access Control Officer grants Phoenix roles following appropriate authorization.
  • Human Resource Systems, Finance or Human Resource Pay Services are required to authorize individual user roles, depending on the role in question.
  • The CFIA has a process in place to track, review and modify roles, as appropriate.
  • Transaction testing performed indicated processes and controls are operating as designed.

Summary of OAG recommendation 9

Assess the training needs and develop an integrated training plan, in collaboration with Public Services and Procurement Canada and the Office of the Chief Human Resources Officer.

CFIA internal audit expectations CFIA internal audit observations
  • The CFIA is actively engaged with Public Services and Procurement Canada and the Office of the Chief Human Resources Officer (OCHRO) to establish an integrated training plan.
  • The CFIA has milestones and deliverables (both short- and long-term) for the creation of an Agency-specific training plan.
  • The CFIA rolls out training on a timely basis to meet users' immediate needs.
  • The CFIA monitors training to ensure completion.
  • The Agency monitors completion of mandatory Phoenix training, and is close to a 100% course completion rate (as at November 2019).
  • The Agency participated in OCHRO's effort to create an HR-to-Pay Training Framework for all government departments by sharing relevant training created at the Agency level. The expectation is that the Framework will be ready in the 2020-2021 fiscal year.
  • The Agency is in the process of creating its own training and monitoring framework, which is expected to:
    • include initiatives, milestones and outcomes
    • identify the owners for both short-term and long-term initiatives related to ensuring that all stakeholders properly understand their roles and responsibilities within the HR-to-Pay process

7.0. Appendix C: List of full OAG recommendations

Recommendation number Details

Recommendation 1

Entities should work with Public Services and Procurement Canada (PSPC) to obtain the information required to assess the accuracy and completeness of payroll information affecting departmental and agency appropriations and employees.

Recommendation 2

Entities should exercise the same level of controls and rigour when performing section 34 approval for payroll-related payments as any other charges against appropriations. Processes should be put in place to monitor that employees performing the section 34 have delegated authority to do so.

Entities, in collaboration with the Treasury Board Secretariat, should identify areas where guidance and training can be provided to improve financial reporting practices and strengthen internal controls.

Recommendation 3

Entities should exercise the same level of control and rigour when performing section 33 approvals for payroll-related payments as any other charges or appropriations.

Entities should implement a formal process, such as the salary forecasting tool, to assist in the detection and prevention of inaccurate payments and the execution of the section 33 process. Adequate controls should be designed and implemented to validate the accuracy and completeness of the data used in the process.

Recommendation 4

Entities should regularly reconcile the expected salary expense, the payments made (IO50 reports) and salary expense recorded in the general ledger.

Entities should also understand and document where the information in the IO50 reports is posted in the general ledger.

Recommendation 5

Entities, in collaboration with the Treasury Board Secretariat, should clarify the document retention policies for key human resource management documents to ensure proper personnel files are kept with each federal employee.

Recommendation 6

Working with PSPC, entities should establish a clear and rigorous process for providing PSPC with evidence that the requests for section 34 manager access are authorized.

Recommendation 7

Entities, in collaboration with PSPC, should put in place a process to manage changes to the trusted source list.

In addition, entities, in collaboration with PSPC, should implement a process to validate that the trusted source authorizations are authentic and appropriate.

Entities should implement a process to monitor the status of pay action requests.

Recommendation 8

Entities, in collaboration with PSPC, should obtain a clear understanding of the existing roles granted to their staff in Phoenix.

Entities should review the roles currently granted to employees, assess the appropriateness of the access and modify the assigned role when necessary.

Recommendation 9

Departments, in collaboration with PSPC and the Office of the Chief Human Resources Officer, should assess globally what the training needs are and develop an integrated training plan at all levels to ensure that all stakeholders properly understand their roles and responsibilities within the HR-to-Pay process.

Once these training programs are established and delivered, they should be updated as needed and their effectiveness should be periodically assessed.

8.0. Appendix D: Management response and action plan

Recommendation 1

The Vice President, Corporate Management Branch and Chief Financial Officer should enhance the Quality Assurance Report for pay-related transactions to:

  • differentiate between errors that are and are not within the Agency's control, and use this information when determining where to focus improvement efforts
  • ensure the report is circulated to all members of senior management who would have an interest in reviewing it

Management response: Management agrees with the recommendation.

Action and rationale Expected completion/ implementation date Responsibility for action

The Quality Assurance (QA) Team in Corporate Management Branch, in collaboration with Human Resources, will report errors that are under the Agency's control, separately in the quarterly QA report. The results will be used to inform HR training, develop InfoBulletin messages to raise awareness of common errors and corrective actions, and facilitate compliance enforcement. This will strengthen the Agency's ability to take internal corrective action and improve the pay process.

Quarterly pay QA reports will be distributed to CFIA branch heads to share the results. Keeping management informed of the pay-related issues is important for ongoing awareness, training and compliance.

March 30, 2020

February 28, 2020

Vice President, Corporate Management Branch

Vice President, Corporate Management Branch

Recommendation 2

The Vice President, Human Resources Branch should ensure that paper-based pay transactions include verification of section 34 approval.

Management response: Management agrees with the recommendation.

Action and rationale Expected completion/ implementation date Responsibility for action

The Vice President, Human Resources Branch, in collaboration with the Vice President, Corporate Management Branch, will ensure that paper-based pay transactions include verification of section 34 approvals.

Action plan:

Human Resources Services has developed a process to validate that all human resources forms, including the 3811 and staffing forms, are signed by the section 34-delegated manager. This process has been in place since summer 2019 and is now complete.

Human Resources Pay Services will have SAP software installed on compensation advisor systems and receive the required training for the validation of section 34 delegated manager on paperwork submitted through the human resources pay portal.

Completed

July 2020

Vice President, Human Resources Branch

Recommendation 3

The Vice President, Human Resources Branch, in consultation with the Vice President, Digital Services Branch, should:

  • Develop clear and concise life cycle protocol guidance for each type of human resource information retained by the Agency and effectively communicate this guidance to responsible employees
  • Develop and implement a procedure for the timely review of human resource information and appropriate disposal of that information at the end of its life cycle

Management response: Management agrees with the recommendation.

Action and rationale Expected completion/ implementation date Responsibility for action

The Vice President, Human Resources Branch, in consultation with the Vice President, Digital Services Branch, agrees to:

  • develop clear and concise life cycle protocol guidance for each type of human resource information retained by the Agency and effectively communicate this guidance to responsible employees
  • develop and implement a procedure for the timely review of human resource information and appropriate disposal of that information at the end of its life cycle

The Human Resources Services Directorate will:

  • elaborate and communicate a human resource pay records management and retention plan for all human resource pay-related forms and information that must be retained for each employee as part of the personnel file
  • ensure that the retention and disposition guidelines are applied as employee files are reviewed as part of pay actions

November 2020

Vice President, Human Resources Branch, in consultation with the Vice President, Digital Services Branch

Recommendation 4

The Vice President, Human Resources Branch should develop and implement a process to monitor and regularly review changes to the list of individuals with access to trusted source email accounts.

Management response: Management agrees with the recommendation.

Action and rationale Expected completion/ implementation date Responsibility for action

The Vice President, Human Resources Branch agrees to develop and implement a process to monitor and regularly review changes to the list of individuals with access to the trusted source email accounts. As such, the Human Resource Services Directorate – Human Resource Pay Services will:

  • Review the existing list of individuals with access to the trusted source email accounts and update as required (including working with information technology to ensure accounts are removed/added to ensure accuracy). This portion of the action is completed
  • Review the list of individuals with access to the trusted source email accounts on a monthly basis to ensure they are accurate and update as appropriate

Completed in January 2020

March 2020 and ongoing

Vice President, Human Resources Branch
Date modified: