Follow-up Audit on the Implementation of the Office of the Auditor General of Canada Recommendations on Payroll Management


© Her Majesty the Queen in Right of Canada, 2020
Cat. No.: PS4-262/2020E-PDF
ISBN: 978-0-660-34962-6
This material may be freely reproduced for non-commercial purposes provided that the source is acknowledged.

Background

Pay Administration in the Government of Canada

Departments are responsible for ensuring that financial resources of the Government of Canada are well managed and that effective governance and internal controls are established.

End-to-end pay process

The pay administration process is divided into three sub-processes:

  1. Pre-payroll relates to activities to initiate, approve and verify a pay or HR action (“pay-related action”) before payment.
  2. Payroll relates to activities to calculate net pay, perform payment authority and issue payments.
  3. Post-payroll relates to activities to monitor payments, ensure that certification and verification of pay transactions has been completed, record pay in the Departmental Financial and Materiel Management System (DFMS) and complete period end reconciliations.

Source: Treasury Board Secretariat Guideline on Financial Management of Pay Administration

Pay Administration at Public Safety Canada

Accountability over the pay process

Accountability and controls over the pay process should be in place in compliance with the FAA and Treasury Board policy instruments.

A detailed overview of the steps in the pay process is included in Annex A.

Figure: Overview of Pay Process

The figure is a process diagram with arrows and consists of three areas of accountability: Responsibility Centre Manager, Human Resources and Finance.

Oversight Activities over Payroll Management

A number of oversight activities over payroll management have occurred over the last few years, both government-wide and departmentally:

2017 - Office of the Auditor General - Audit of the Consolidated Financial Statements of the GC for inclusion in the Public Accounts of Canada

OAG Management Letter distributed by Comptroller General of Canada

2018 - Office of the Auditor General - Audit of the Consolidated Financial Statements of the GC for inclusion in the Public Accounts of Canada

OAG Self-Assessment Tool 

2018-19 Internal Control Framework Assessment

IAED Follow-up Audit Objective and Scope


The objective of this follow-up audit was to assess whether PS’ original planned actions, presented and approved at the DAC meeting in October 2018, have been effectively implemented to address the OAG recommendations on payroll management. 

The scope of this follow-up audit focused on the status of implementation of the planned actions to address the nine recommendations as at December 31, 2019.

IAED Follow-up Audit Approach and Methodology

Conformance with professional standards

The follow-up audit conforms with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing and the Government of Canada's Policy on Internal Audit, as supported by the results of the Quality Assurance and Improvement Program.

OAG Recommendations – Themes

The nine recommendations issued by the OAG following the 2017 and 2018 Audits of Consolidated Financial Statements of the GC were based on observations reported under the following themes:

  1. Information Received from Pay Administrator    
  2. Financial Management – Section 34 Approvals
  3. Financial Management – Section 33 Approvals
  4. Financial Management – Reconciliations of the IO50 Report
  5. Human Resource Management – Key Document Retention
  6. Human Resource Management – Section 34 Manager Access to Phoenix
  7. Internal Controls in Pay Processing
  8. Access and Roles
  9. Training Needs

Information Received from Pay Administrator

OAG Recommendation #1

PS should work with PSPC to obtain the information required to assess the accuracy and completeness of payroll information affecting the department's appropriations and employees.

What we found

OAG Recommendation #1 - IAED Assessment

OAG Recommendation: 1. Information Received from Pay Administration

Entities should work with Public Services and Procurement Canada (PSPC) to obtain the information required to assess the accuracy and completeness of payroll information affecting departmental and agency appropriations and employees.

Minimal expectations (OAG Self-Assessment Tool) and assessed levels:

i. Internally assessed which reports are required from PSPC.
Self-Assessment Level: Level 3; IAED Assessment Level: Level 3

ii. Formalized a communication line between entity and PSPC/Pay Centre POD (i.e. regularly scheduled meetings, key point of contact, pre-defined response times, etc.).
Self-Assessment Level: Level 4; IAED Assessment Level: Level 4

iii. Reviewed reports and assessed accuracy and completeness of payroll information (e.g. review of Phoenix error report, Business intelligence tool or other relevant report).
Self-Assessment Level: Level 2; IAED Assessment Level: Level 2

iv. Other relevant processes as reported by PS: PS has a plan to further improve data quality in SFT to assist with ensuring accuracy and completeness of the payroll information.
Self-Assessment Level: Level 1; IAED Assessment Level: Level 1

Financial Management – Section 34 Approvals

OAG Recommendation #2(a)

PS should exercise the same level of control and rigour when performing Section 34 approvals for payroll related payments as any other charges against appropriations. Processes should be put in place to monitor that employees performing Section 34 have the delegated authority to do so.

What we found

OAG Recommendation #2(b)

PS, in collaboration with TBS, should identify areas where guidance and training can be provided to improve financial reporting practices and strengthen internal controls.

What we found

OAG Recommendation #2 - IAED Assessment

OAG Recommendation: 2. Financial Management – Section 34 approvals

a) Entities should exercise the same level of control and rigour when performing Section 34 approvals for payroll related payments as any other charges against appropriations. Processes should be put in place to monitor that employees performing Section 34 have the delegated authority to do so.

Minimal expectations (OAG Self-Assessment Tool) and assessed levels:

i. Access to Phoenix and the electronic Pay Action Request "e-PAR" application is restricted to allow only delegated people with s.34 authority to sign-off on pay transactions.
Self-Assessment Level: Level 4; IAED Assessment Level: Level 1

ii. Procedures are documented and implemented to update the s.34 authorities and FASSR database regularly to account for new, expired or modifications to s.34 authorities.
Self-Assessment Level: Level 4; IAED Assessment Level: Level 3

iii. Performed monitoring procedures to assess the accuracy of s.34 approvals, supported by source documents (i.e. FASSR).
Self-Assessment Level: Level 3; IAED Assessment Level: Level 1

iv. Other relevant processes as reported by PS: PS ensures that all s.34 Managers have Authority Delegation Training (ADT) prior to activating their SSR. PS ensures that the list of s.34 Managers in Phoenix corresponds to the list of SSRs maintained in its application. PS also performs an annual review of all SSRs.
Self-Assessment Level: Level 4; IAED Assessment Level: Level 1

2b) Entities, in collaboration with the Treasury Board Secretariat of Canada (TBS), should identify areas where guidance and training can be provided to improve financial reporting practices and strengthen internal controls.

Minimal expectations (OAG Self-Assessment Tool) and assessed levels:

i. Entity assessed which training is required and also documented their needs.
Self-Assessment Level: Level 3; IAED Assessment Level: Level 3

ii. Established communication with TBS and other key players to obtain required training.
Self-Assessment Level: Level 3; IAED Assessment Level: Level 3

iii. Procedures, checklists or other mechanisms exist to provide guidance to individuals performing and/or reviewing section 34 sign-offs.
Self-Assessment Level: Level 3; IAED Assessment Level: Level 2

iv. Other relevant processes as reported by PS: A third-party internal control assessment of payroll is currently underway to determine if the key controls are designed and operating effectively.
Self-Assessment Level: Level 2; IAED Assessment Level: Level 5

Financial Management - Section 33 Approvals

OAG Recommendation #3(a)

PS should exercise the same level of control and rigour when performing Section 33 approvals for payroll related payments as any other charges against appropriations.

What we found

OAG Recommendation #3(b)

PS should implement a formal process, such as the salary forecasting tool, to assist in the detection and prevention of inaccurate payments and execution of the Section 33 process.

What we found

OAG Recommendation #3 - IAED Assessment

OAG Recommendation: 3. Financial Management – Section 33 Approval

a) Entities should exercise the same level of control and rigour when performing Section 33 approvals for payroll related payments as any other charges against appropriations.

Minimal expectations (OAG Self-Assessment Tool) and assessed levels:

i. Pre-payment verification is performed and documented prior to s.33 authorization (usually based on pre-defined thresholds i.e. all payments above certain $, potential duplicate payments, etc.).
Self-Assessment Level: Level 4; IAED Assessment Level: Level 2

ii. Post-payment verification process on individual pay transactions is performed and documented.
Self-Assessment Level: Level 2; IAED Assessment Level: Level 1

iii. Other relevant processes as reported by PS: A third-party internal control assessment of payroll is currently underway to determine if the key controls are designed and operating effectively.
Self-Assessment Level: Level 2; IAED Assessment Level: Level 5

3b) Entities should implement a formal process, such as the salary forecasting tool, to assist in the detection and prevention of inaccurate payments and execution of the Section 33 process. Adequate controls should be designed and implemented to validate the accuracy and completeness of the data used in this process.

Minimal expectations (OAG Self-Assessment Tool) and assessed levels:

i. A formal process was documented and implemented such as analyzing reasonableness of payment amounts prior to performing s.33 authorization (i.e. using Salary Forecasting Tool, variance analysis, etc.)
Self-Assessment Level: Level 1; IAED Assessment Level: Level 1

ii. Data used in "3b) i." is validated for accuracy and completeness.
Self-Assessment Level: Level 1; IAED Assessment Level: Level 1

iii. Procedures or checklists exist, are documented and are used to provide guidance to individuals performing and/or reviewing section 33 sign-offs.
Self-Assessment Level: Level 2; IAED Assessment Level: Level 1

iv. Other relevant processes as reported by PS: A third-party internal control assessment of payroll is currently underway to determine if the key controls are designed and operating effectively.
Self-Assessment Level: Level 2; IAED Assessment Level: Level 5

Financial Management - Reconciliations of the IO50 Report

OAG Recommendation #4 (a) & (b)

(a) PS should regularly reconcile the expected salary expense, the payments made (IO50 reports) and the salary expense recorded in the G/L (SAP).

(b) PS should also understand and document where the information in the IO50 report is posted in the G/L (SAP).

What we found

Reconciliation of I050 to G/L (SAP)

Mapping to G/L

SFT in Comparing Actual to Budgeted Salaries

OAG Recommendation #4 - IAED Assessment

OAG Recommendation: 4. Financial Management – Reconciliations of the IO50 Report

a) Entities should regularly reconcile the expected salary expense, the payments made (IO50 reports) and the salary expense recorded in the G/L.

Minimal expectations (OAG Self-Assessment Tool) and assessed levels:

i. Reconciliation prepared between the I050 pay files and the financial reporting account (FRA) 51311.
Self-Assessment Level: Level 3; IAED Assessment Level: Level 5

ii. All reconciling items identified and supported by backup.
Self-Assessment Level: Level 2; IAED Assessment Level: Level 5

iii. Frequency chosen to perform the reconciliation.
Self-Assessment Level: Level 2; IAED Assessment Level: Level 5

iv. Other relevant processes as reported by PS: A third-party internal control assessment of payroll as well as financial close reporting is currently underway to determine if the key controls are designed and operating effectively.
Self-Assessment Level: Level 2; IAED Assessment Level: Level 5

4b) Entities should also understand and document where the information in the IO50 reports is posted in the G/L.

Minimal expectations (OAG Self-Assessment Tool) and assessed levels:

i. If overall reconciliation in step a) was not conclusive, obtain the mapping document of pay expenditure by IO50 codes to the entity's GL account. If reconciliation was conclusive, step b) is not applicable.
Self-Assessment Level: Level 3; IAED Assessment Level: Level 5

ii. Other relevant processes as reported by PS: PS monitors pay suspense accounts and RG control accounts to ensure proper recording of transactions by G/L and fiscal year on a monthly basis and performs corrective accounting entries as required.
Self-Assessment Level: Level 4; IAED Assessment Level: Level 5

Human Resources Management – Key Document Retention

OAG Recommendation #5

PS, in collaboration with the TBS, should clarify the document retention policies for key human resources management documents to ensure proper personnel files are kept for each employee.

What we found

OAG Recommendation #5 - IAED Assessment

OAG Recommendation: 5. Human Resources Management – Key Document Retention

a) Entities, in collaboration with the TBS, should clarify the document retention policies for key human resources management documents to ensure proper personnel files are kept for each federal employee.

Minimal expectations (OAG Self-Assessment Tool) and assessed levels:

i. Entity confirmed that the document retention policies exist, are aligned with Library and Archives guidelines and are used for key human resources management documents (i.e. TBS' "Employee’s Personnel file Guidelines" or entity's own).
Self-Assessment Level: Level 3; IAED Assessment Level: Level 3

ii. Communicated their document retention policies within their entity (i.e. what to store, where to store and for how long).
Self-Assessment Level: Level 3; IAED Assessment Level: Level 3

Human Resources Management – Section 34 Manager Access to Phoenix

Recommendation #6

Working with PSPC, PS should establish a clear and rigorous process for providing PSPC with evidence that the requests for Section 34 Manager access are authorized.

What we found

OAG Recommendation #6 - IAED Assessment

OAG Recommendation: 6. Human Resources Management – Section 34 Manager Access to Phoenix

a) Working with PSPC, entities should establish a clear and rigorous process for providing PSPC with evidence that the requests for Section 34 Manager access are authorized.

Minimal expectations (OAG Self-Assessment Tool) and assessed levels:

i. Procedures are documented and used specifying who is authorized to regularly update the list of s.34 Manager access for any new, expired or modified approvers in the "Time Card Labour" module.
Self-Assessment Level: Level 4; IAED Assessment Level: Level 3

ii. Completion of standardized form when section 34 access is required for the "Time Card Labour"
Self-Assessment Level: Level 4; IAED Assessment Level: Level 3

Internal Controls in Pay Processing

OAG Recommendation #7 (a), (b) & (c)

(a) PS, in collaboration with PSPC, should put in place a process to manage changes to the trusted sources list.

(b) In addition, PS, in collaboration with PSPC, should implement a process to validate that the trusted source authorizations are authentic and appropriate.

What we found

(c) PS should implement a process to monitor the status of PARs. 

What we found

OAG Recommendation #7 - IAED Assessment

OAG Recommendation: 7. Internal Controls in Pay Processing

a) Entities, in collaboration with PSPC, should put in place a process to manage changes to the trusted sources list.

Minimal expectations (OAG Self-Assessment Tool) and assessed levels:

i. Formalized a communication line between entity and PSPC to discuss procedures required to manage change to the trusted source list.
Self-Assessment Level: Level 4; IAED Assessment Level: Level 3

ii. Procedures are documented and implemented to manage changes to the trusted sources lists, including who is authorized to initiate changes (e.g. a standardized form).
Self-Assessment Level: Level 4; IAED Assessment Level: Level 3

b) In addition, entities, in collaboration with PSPC, should implement a process to validate that the trusted source authorizations are authentic and appropriate.

Minimal expectations (OAG Self-Assessment Tool) and assessed levels:

i. A process discussed with PSPC is documented and in place to provide evidence of the authenticity and appropriateness of the Trusted Source approval of the pay action request (PAR).
Self-Assessment Level: Level 3; IAED Assessment Level: Level 3

c) Entities should implement a process to monitor the status of PARs.

Minimal expectations (OAG Self-Assessment Tool) and assessed levels:

i. A process discussed with PSPC is documented and in place to provide evidence of the authenticity and appropriateness of the Trusted Source approval of the pay action request (PAR).
Self-Assessment Level: Level 1; IAED Assessment Level: Level 1

ii. Regular follow-up done on PARs that have not been actioned within a reasonable timeframe.
Self-Assessment Level: Level 1; IAED Assessment Level: Level 1

Access and Roles

OAG Recommendation #8

PS, in collaboration with PSPC, should obtain a clear understanding of the existing roles granted to their staff in Phoenix. PS should review the roles currently granted to its employees, assess the appropriateness of the access, and modify the assigned role when necessary.

What we found

OAG Recommendation #8 - IAED Assessment

OAG Recommendation: 8. Access and Roles

Entities, in collaboration with PSPC, should obtain a clear understanding of the existing roles granted to their staff in Phoenix. Entities should review the roles currently granted to their employees, assess the appropriateness of the access, and modify the assigned role when necessary.

Minimal expectations (OAG Self-Assessment Tool) and assessed levels:

i. Obtained an understanding of existing roles granted in Phoenix.
Self-Assessment Level: Level 4; IAED Assessment Level: Level 3

ii. Periodically reviewed the documented roles granted and user access rights to verify appropriateness as well as proper segregation of duties.
Self-Assessment Level: Level 3; IAED Assessment Level: Level 3

iii. Other relevant processes as reported by PS: The Security Access Control Officer (SACO) ensures that employees are provided with the access to Phoenix that they require for their functions, that the requests are approved by the appropriate authority and that the access follows rules for segregation of duties.
Self-Assessment Level: Level 3; IAED Assessment Level: Level 3

Training Needs

OAG Recommendation #9

PS, in collaboration with PSPC and the Office of the Chief Human Resources Officer (OCHRO), should assess globally what the training needs are and develop an integrated training plan at all levels to ensure that all stakeholders properly understand their roles and responsibilities within the HR to Pay process. 

What we found

OAG Recommendation #9 - IAED Assessment

OAG Recommendation: 9. Training needs

a) Entities, in collaboration with PSPC and the Office of the Chief Human Resources Officer (OCHRO), should assess globally what the training needs are and develop an integrated training plan at all levels to ensure that all stakeholders properly understand their roles and responsibilities within the HR to Pay process.

Minimal expectations (OAG Self-Assessment Tool) and assessed levels:

i. Entities, PSPC and/or OCHRO have identified areas of training needs and developed a training plan for all levels and different roles and responsibilities of stakeholders in the HR to Pay process.
Self-Assessment Level: Level 3; IAED Assessment Level: Level 3

ii. Training plan has been communicated to all stakeholders.
Self-Assessment Level: Level 4; IAED Assessment Level: Level 3

iii. Other relevant processes as reported by PS: The SACO ensures that employees are provided with the access to Phoenix that they require for their functions, that the requests are approved by the appropriate authority and that the access follows rules for segregation of duties.
Self-Assessment Level: Level 4; IAED Assessment Level: Level 3

Follow-Up Audit Conclusion

Annex A: Pay Process Steps 

Pay Process Steps by Accountability

Responsibility Centre Manager (RCM)

Step 1. Expenditure Initiation. The RCM submits a request to Human Resources (HR)-Staffing to request a staffing action or to HR-Compensation for action (for example, acting less than 4 months, overtime etc.).

Step 2. Commitment Control (Section 32 FAA). The RCM with delegated Section 32 FAA authority confirms availability of funds by signing the Request for Human Resources Services (RHRS) document.

Step 3. Section 34 FAA Certification By RCM. The RCM with delegated Section 34 FAA authority certifies entitlement, for example, signs the Letter of Offer, signs the overtime form and/or the WEB enabled Extra Duty Pay (EDP) application of the Compensation WEB Application (CWA) etc.

Human Resources

Step 4. Pay Input. HR-Compensation confirms the employee’s eligibility, performs the required calculations and enters the transaction into the Regional Pay System (PHOENIX) and into PeopleSoft.

Step 5. Pay Verification-HR. A second Compensation Advisor verifies the transaction. As auditable evidence, the peer verifier Compensation Advisor stamps, signs and dates the screen printout from PHOENIX.

Finance

Step 6. Section 33 FAA Authorization. The Finance Officer with delegated Section 33 FAA authority approves the transaction in PHOENIX.

  • For salary transactions that have been identified as high risk, a Finance representative carries out the procedures for reviewing salary payments before the Finance Officer with delegated authority for Section 33 FAA approves the transaction (pre-payment verification); and
  • For salary transactions that have been identified as medium or low risk:
    • The Finance Officer with delegated authority for Section 33 FAA approves the transaction; and
    • A Finance representative carries out the procedures for reviewing salary payment on a sample basis after the transaction has been approved for Section 33 FAA (post-payment verification).

Source: Public Safety Canada Section 33 Procedure for Payroll Payment; Certification Authority and Payment Desk-book

Annex B: Rating Scale – Status of Implementation of OAG Recommendations on Payroll Management

Rating Scale*

Level 1: No progress or insignificant progress
Actions such as striking a new committee, having meetings, and generating informal plans should be regarded as insignificant progress.

Level 2: Planning stage
Your organization has created formal plans for organizational changes and had them approved by the appropriate level of management (at a sufficiently senior level, usually executive committee level or equivalent) with appropriate resources and a reasonable timetable.

Level 3: Preparations for implementation
Your organization has made concrete preparation for implementing a recommendation by hiring or training staff, or developing or acquiring the necessary resources to implement the recommendation.

Level 4: Substantial implementation
Your organization has structures and processes in place and integrated within at least some parts of the department, and some achieved results have been identified. Your organization also has a short-term plan and timetable for full implementation.

Level 5: Full implementation
Your organization has structures and processes that are operating as intended and are fully implemented.

Level N/A: Obsolete / Other
Your organization considers the recommendation obsolete or not applicable because of unforeseen events or because the issues were superseded by the introduction of a new process or program. Provide explanation when using this rating.

*The rating scale was adopted from the Office of the Auditor General’s Self-Assessment Grid

Annex C: CMB Management Response
