Audit Report
November 2017
Project Number: 80590‑101
- Executive summary
- Conformance with Professional Standards
- Introduction
- Background
- Audit objectives
- Scope
- Approach and methodology
- Authority
- Findings, Recommendations and Management Response
- Appendices
- Appendix A: Audit Criteria
- Appendix B: Acronyms
Executive Summary
In 2011, a corporate services transformation initiative, referred to as the Administrative Processes Review and Automation (APRA) project, was undertaken within Statistics Canada to streamline and standardize the delivery of human resources, finance, procurement and other administrative services. This project was undertaken in order to create efficiencies and improve the timeliness of the delivery of its services.
This transformation included the
- centralization of Statistics Canada's corporate service delivery model
- creation of the Centre of Expertise in Travel
- development of a self-service hub for administrative services
- implementation of an electronic approval forms system to support administrative activities including the procurement and payment of goods and services.
Given the extent of the transformation, it is essential that the design of the new service delivery model be supported by a control framework that maintains compliance with key requirements for sound financial management.
The objective of this audit was to provide the Chief Statistician and Departmental Audit Committee (DAC) with reasonable assurance that Statistics Canada has maintained an effective management control framework within the processes that were redesigned as part of the APRA project to ensure compliance with Government of Canada policies and legislation.
Why is this important?
APRA was a major project aimed at increasing the efficiency of financial/administrative processes. Given the level of transformation that resulted from this project, it was deemed critical to confirm that key controls were maintained in compliance with applicable legislation and policies.
Key Findings
Key controls for the payment, travel and express staffing process have been outlined in process maps and documentation. Opportunities exist to identify the types of controls deployed in order to improve the efficiency of internal control testing.
Testing of key controls confirmed that all controls are operating as intended, including information technology controls to control the accuracy and the security of the approval authority records.
Roles and responsibilities under the new APRA project have been clearly defined and communicated to key stakeholders in the redesigned processes including administrative support units, approval authorities, travelers, and hiring managers. Delegated authorities would benefit from additional information on the entire verification process in order to reduce the risk of duplication of controls.
Risks and mitigation strategies have been identified and managed throughout the project and governance committees were effectively involved.
Project outcomes were measured through the use of performance indicators and are being continuously monitored. Issues identified in the monitoring process are being addressed in a timely manner.
Overall Conclusion
Statistics Canada has maintained an effective management control framework within the processes that were redesigned as part of the APRA project to ensure compliance with Government of Canada policies and legislation.
Conformance with Professional Standards
The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which includes the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing.
Sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the findings and conclusions in this report and to provide an audit level of assurance. The findings and conclusions are based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria. The findings and conclusions are applicable to the entity examined, and for the scope and time period covered by the audit.
_________________________
Steven McRoberts
Chief Audit and Evaluation
Executive
Introduction
Background
In 2011, a corporate services transformation initiative, referred to as the Administrative Processes Review and Automation (APRA) project, was undertaken within Statistics Canada to streamline and standardize the delivery of human resources, finance, procurement and other administrative services. This project was undertaken in order to create efficiencies and improve the timeliness of the delivery of its services.
This transformation included the centralization of Statistics Canada's corporate service delivery model, the creation of a centre of expertise for travel, the development of a self-service hub for administrative services, and the implementation of an electronic approval forms system to support administrative activities including the procurement and payment of goods and services.
Administrative services at Statistics Canada, as a government of Canada department, are governed by the Financial Administration Act (FAA), Treasury Board of Canada (TB) Policies on Finance, Human Resources and Procurement and the Public Service Employment Act (PSEA). As the organization's Accounting Officer, the Chief Statistician is responsible for ensuring departmental programs are delivered in compliance with government legislation and policies.
Given the extent of changes resulting from the APRA project, an audit was included in the Statistics Canada risk-based audit plan in order to confirm that with the redesign of administrative processes, policy and legislative requirements were still being met. Through the risk identification process, the audit team chose to focus on three major process transformations: the payment process, the travel process and the express staffing process.
The payment process is used to authorize the purchase and receipt of goods and services for Statistics Canada's operations. The payment process was redesigned through the APRA project with the introduction of an electronic system that captures all requests for payments and a dedicated centralized administrative unit to verify the validity of payment requests. Prior to the redesign, payments were decentralized in each business unit and paper files and hand written signatures were used to authorize payments.
The travel process is used when employees are required to travel on official business and/or to attend conferences and training events. The APRA project involved the creation of the Centre of Expertise in Travel (CET), which is responsible for processing employees' travel transactions. Statistics Canada established the CET in order to reduce error rates, ensure effective implementation of the Government of Canada's travel booking system and ensure compliance with the new directive on events. Prior to the APRA project, all travel requests were handled separately within each business unit.
The express staffing process is used to support low-risk human resource approvals such as the hiring of casual employees and students. The APRA project introduced a self-service module. Program managers initiate staffing actions without the involvement of staffing advisors, using a digital portal.
Audit Objective
The objective of this audit was to provide the Chief Statistician and Departmental Audit Committee (DAC) with reasonable assurance that Statistics Canada has maintained an effective management control framework within the processes that were redesigned as part of the APRA project to ensure compliance with Government of Canada policies and legislation.
Scope
The scope of this audit included an examination of the payment process, the travel process and the express staffing process, which were redesigned as a result of the APRA project. The audit looked at whether key controls were embedded within the new business model. Specific areas that were examined included the assignment of roles, responsibilities, and accountabilities; the control mechanisms that were established for the redesigned processes, including key controls; and risk management activities.
The audit also assessed whether key controls within the selected processes are compliant with Treasury Board and Statistics Canada policies and guidelines. In order to test the effectiveness of controls, walkthroughs of each process were conducted and a judgmental sample of transactions was selected in order to assess the design of the processes, including compliance to relevant policies and legislation.
Approach and Methodology
The audit work consisted of a comprehensive review and analysis of relevant documentation, interviews with key senior management and personnel, as well as testing of key controls from a sample of processes to assess the adequacy and effectiveness of centralized and redesigned processes as a result of the APRA project.
The audit work also included a review and assessment of the activities undertaken to mitigate and monitor the key risks that may preclude the achievement of the project's outcomes, including the ongoing monitoring of exception and performance reports.
The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which include the Institute of Internal Auditors (IIA) International Professional Practices Framework.
Authority
The audit was conducted under the authority of the approved Statistics Canada Integrated Risk-Based Audit and Evaluation Plan 2016/2017 to 2020/2021.
Findings, Recommendations and Management Response
Key controls for the payment, travel and express staffing process have been outlined in process maps and documentation. Opportunities exist to identify the types of controls deployed in order to improve the efficiency of internal control testing.
Testing of key controls confirmed that all controls are operating as intended, including information technology controls to control the accuracy and the security of the approval authority records.
Roles and responsibilities under the new APRA project have been clearly defined and communicated to key stakeholders in the redesigned processes including administrative support units, approval authorities, travelers, and hiring managers. Delegated authorities would benefit from additional information on the entire verification process in order to reduce the risk of duplication of controls.
Risks and mitigation strategies have been identified and managed throughout the project and governance committees were effectively involved. Project outcomes were measured through the use of performance indicators and are being continuously monitored. Issues identified in the monitoring process are being addressed in a timely manner.
Key controls over administrative transactions are in place
The APRA project redesigned the payment, travel, and express staffing process in order to create efficiencies and improve the timeliness of these administrative transactions. In this redesign, it was essential that key controls were maintained in compliance with policies and legislation. This includes the Financial Administration Act (FAA), the Public Service Employment Act (PSEA), and TB directives and policies on financial delegation, travel and hospitality.
To assess whether key controls required for compliance with policies and legislation were maintained, the audit team reviewed both the design of the processes and tested whether the controls were operating as intended.
The assessment of the design of key controls included a review of process documentation, process maps, narrative descriptions and checklists developed for each of the three business units.
The payment process under the APRA redesign is as follows. Invoices are received by the Finance Counter and sent to the Support Centre for Acquisitions. An administrative unit clerk (administrative assistant) verifies the accuracy of the invoice using a predefined account verification checklist. A scanned copy of the invoice is entered into the system. The administrative unit supervisor (business support officer) reviews the account verification to ensure that all key controls were performed. Once the review is complete, an electronic notification of the invoice is sent to the project authority to verify that the goods and services have been received and that the invoice can be paid. Upon verification by the project authority, an electronic notification is sent to the individual with the delegated financial authority to approve the release of the payment.
The audit revealed that two process flowcharts have been developed to document the updated sub-processes relating to payments, including the initiation and processing of invoices; and payment of the invoice. Key controls included the authorization (section 32 of the FAA) and approval of payments (section 34 of the FAA). These controls have been clearly embedded in the process flowcharts.
The travel process under the APRA redesign is as follows. A traveler sends a request to travel and the center for expertise in travel (CET) will begin to research transportation and accommodation options. An administrative clerk within the CET will get in contact with the traveler and provide them with options based on lowest-cost and operational needs. Once the choices have been confirmed, verification will be sent to the delegated authority to approve the travel choices. After travel has taken place, the traveler will submit the receipts for costs incurred to the finance branch who will authorize payment back to the traveler for any out-of-pocket costs. Payment will be made to the traveler in accordance with the payment process mentioned above.
The review of documentation revealed that a process flowchart has been prepared for the travel process. The flowchart outlines the management and processing of travel plans, requests, encumbered balances, commitments, claims, advance requests, performance of payment authority, issuance of payments and blanket authority. Key controls include ensuring that individuals are authorized to travel on government business, accommodations and transportation choices respect Government of Canada policy requirements and rates, and payments to travelers are verified. These controls were clearly imbedded into process flowcharts.
The express staffing process under the APRA redesign is as follows. A self-service hub has been created. The hub enables a hiring manager to initiate requests for low-risk HR processes such as hiring casual employees and students. When authorized individuals make a request within the hub, the administrative unit within the HR group approves the request. The administrative unit uses a checklist to ensure policy and legislative requirements are met prior to approving the request.
The audit discovered that two process flowcharts have been developed for express staffing. Sub-processes involving internal deployment, acting less than four months, extensions and renewal, transfer of employment; as well as hiring staff externally on part-time and casual basis have been formally documented. Key controls for HR requests have been imbedded into the process including ensuring that casual employees do not exceed 90 days in any given calendar year and student hires meet eligibility requirements.
The review confirmed that all key controls have been identified in the process documentation for all three processes. However, process documentation did not identify which controls were manual and which were automated. Given, that the financial management team is required to test internal controls over financial reporting on a regular basis in compliance with the Policy on Internal Controls, identifying the types of controls deployed (manual versus automated) helps with the accuracy and efficiency of the design of internal control testing.
Key controls over administrative transactions are operating as intended
In providing assurance that key controls are operating as intended, the audit team conducted walkthroughs, interviews and testing of a judgmental sample of transactions for each of the three administrative processes.
To perform an effective review for expenditure initiation and certification that goods and services have been received in accordance with the FAA, those having delegated authorities to approve payments must rely on accurate, sufficient, comprehensive and timely information in order to certify that goods and services were received. The testing of a sample of payments confirmed that those with authority to approve payments for goods and services were authorized and that they had sufficient supporting documentation in order to approve transactions. In addition, testing revealed that information technology controls were in place to ensure that there is an accurate record of individuals with approval authority and access to make changes to these records is limited and controlled.
The walkthrough of the travel process confirmed that with the creation of the CET at Statistics Canada, those with delegated authorities to approve travel have access to travel requests, itineraries, claims and supporting documents that have already been prepared and vetted by subject-matter experts from the CET. These supporting documents can be reviewed online via an application system prior to approval. Detailed testing of a sample of travel transactions revealed that travel transactions are following Government of Canada travel policies. This includes requirements for travel authorization, approved accommodations and transportation processes, and per diem allowances.
The review of the Express Staffing Process revealed that there are two requirements that need to be met when processing express staffing actions; ensuring students meet eligibility requirements prior to renewing their term and ensuring that the term for casual employees does not exceed 90 days in any given calendar year. Checklists have been created for this process. Detailed testing revealed however, that the checklists were not always being used. Of the files tested, 4 in 10 included a copy of the checklist showing that key controls were exercised. The audit team conducted follow-up interviews with the HR team. The team pointed out that the checklists are used as a training tool and are not always used to show that key processes are followed. Detailed testing confirmed that all transactions were in compliance with policies and legislation, even though the checklist was not always used.
Roles and responsibilities are in place and communicated; opportunities exist to outline the verification process for delegated authorities in order to reduce risk of duplication
Key stakeholders need to be informed in a timely manner of changes to their roles, responsibilities and accountability. This ensures that they can effectively exercise their duties. In addition, communicating the benefits of system changes helps mobilize support for new initiatives and lead to successful implementation.
The audit team reviewed the process for communicating changes to the roles and responsibilities of administrative units, individuals with delegated financial authority (the authority to approve the procurement and payment of goods and services), travelers, and hiring managers.
A review of documents revealed that an overall communication process was put in place by the APRA team at the beginning of the project and at each stage of the transformation in order to inform all employees of upcoming changes. This included communications provided in the Chief Statistician's Annual Address, information sessions provided to each branch as well as weekly communications through email and on the Statistics Canada Intranet site. A review of documents confirmed that employees across the department were informed of the APRA project's goals, objectives, scope and timelines as well as changes scheduled to take place within each of the business units and the expected impact on operations.
Additionally, the audit team found that information outlining changes to roles, responsibilities, and accountabilities resulting from transformed business models was communicated through a central on-line reference tool referred to as the Hub. The Hub was created as a gateway to initiate everyday requests for administrative, finance, human resources, informatics, information management, communications and facilities services.
The HUB indicates that the roles, responsibilities and accountabilities of individuals tasked with the review and approval of invoices have not changed as a result of the new business model. Standard training is the vehicle used to communicate clients' roles, responsibilities and accountabilities. There is a requirement for these individuals to follow the KLICK training, offered by Statistics Canada as well as the training from the Canada School of Public Service. The audit team tested a sample of individuals' files for evidence of having attended the required training. Testing confirmed that individuals having signing authority had taken the training.
For travel, the responsibilities of the travelers have significantly diminished with the transformation resulting from the APRA project. The Hub provides detailed step-by-step instructions on how to request travel. Links are provided throughout the instructions to ensure that travelers fulfill their responsibilities including ensuring that applicable forms are used and are routed through the appropriate channels based on the type of travel. These include domestic and foreign travel relating to conferences, training and regional operations.
For express staffing, instructions on how to complete and submit requests, including the required supporting documentation, have been clearly documented on the Hub, which outlines expectations for hiring managers in using the self-service module
The audit team conducted detailed interviews with delegated authorities, travelers, and hiring managers to obtain an understanding of whether the key changes to their roles, responsibilities and accountabilities were well understood and to assess whether communication strategies were effective in bringing awareness to users on the intended benefits of the transformation. Interviews corroborated the effectiveness of communication strategies in disseminating the process changes and their intended benefits. There was no indication from these interviews that stakeholders felt that processes were inefficient or over-controlled.
However, interviews with a sample of individuals having delegated authority for the approval of payments revealed that delegated authorities are not fully aware of the verification processes that is undertaken prior and after their review of transactions requiring their approval. Therefore delegated authorities may be verifying invoices in the same manner that was done prior to the APRA project and exercising a greater degree of control than was intended. This could reduce the efficiencies gained through the redesign.
Lastly, the audit team conducted interviews with key personnel within the administrative units of each of the selected processes. Their understanding of the key roles, responsibilities and accountabilities within the new optimized processes was consistent with what was defined and communicated. In addition, the audit team reviewed interdependencies within the processes to determine if they were communicated and considered. The audit revealed that there were no interdependencies between the processes.
Risks to the APRA project were identified, managed and monitored; performance against outcomes is being measured and monitored
Project risks need to be effectively managed to ensure that projects meet their expected outcomes. The management of these risks requires the effective identification, monitoring and implementation of mitigation strategies throughout the various stages of the project.
The audit found that key risks facing the achievement of the project's outcomes have been identified by the APRA project team, in collaboration with the business units, systems and technical subject-matter experts. Risks were identified for each business unit targeted for transformation and mitigation strategies were identified to address these risks.
Each business unit identified risks through the creation of cases that were inputted into the JIRA system that included the likelihood and impact of each risk and mitigation strategies. This was done for each of the three administrative areas reviewed as part of this audit. Cases were presented to the Departmental Project Management Office (DPMO) and the APRA Advisory Committee for review and approval.
Among the risks identified by the project teams, risks relating to the unit's core mandate were identified for ongoing monitoring. These risks included error rates, timeliness of the process and client satisfaction.
Risks were also identified with regards to the implementation of the Electronic Request and Approval (ERA) system. In order to establish the roadmap for implementing the Electronic Automation and Authentication strategy, an analysis of policies was performed by Finance/IT to identifying policy requirements prior to moving from wet signatures to electronic approvals. For each of the various levels of sensitivity of information, required assurance levels were identified and authentication requirements were introduced to mitigate associated risks. A threat and risk assessment was also prepared prior to implementing the ERA system. The documentation identifies a number of inherent risks, all of which were rated at levels of medium to low risk.
The audit team's review of process maps found that risks were not identified within each of the processes under review. As a best practice, process mappings should not only contain key controls, but also provide an indication of where the process is vulnerable to risk factors and linkage to mitigation strategies in place.
Risks were monitored through the JIRA system. The audit team's review of the system contents related to APRA found that each identified risk was assigned to an owner, mostly chiefs responsible for the business unit or the subject matter expert responsible for systems or technical aspects of the process.
Performance standards are used to ensure that project goals are met in terms of process efficiencies, quality control and client satisfaction. Performance standards should be developed based on expected project outcomes and monitored on a regular basis with any deficiencies addressed in a timely manner.
The audit revealed that performance standards were developed for the project and continue to be monitored following the transformation resulting from APRA.
For processes pertaining to payments and travel, information was collected on a number of indicators, including error rates, timeliness of processing transactions, and client satisfaction. When targets were not met, justification was documented and adjustments within the business process were made as appropriate. Information has been produced on a monthly basis and published internally on a quarterly basis.
For the express staffing process, timeliness of the process is a key consideration. Human Resources has set performance standards for the various types of staffing actions falling under express staffing and have implemented means to measure timeliness of the process. Results against set performance standards pertaining to timeliness of processing transactions and satisfaction surveys are expressed in percentage rates and are also published internally on a quarterly basis.
Performance standards were limited and baseline measures were not developed pre-APRA and therefore does not allow for an accurate measure of efficiency gains through the project. Given the move from a decentralized model to a centralized model, performance measurements pre-APRA were difficult to obtain.
Monitoring reports are reviewed by a client relations team created within the Finance branch. Issues are identified and addressed in a timely manner with key staff within each business unit. Performance standards are in place and tracked and follow-up is conducted on transactions not meetings expectations.
Recommendation:
It is recommended that the Assistant Chief Statistician of Corporate Services and Chief Financial Officer ensure that:
- Process documentation identifies whether controls are automated or manual in order to more effectively design the approach to internal control testing.
- Delegated authorities are fully aware of the verification processes that is undertaken prior to and after exercising their responsibilities in order to maximize efficiencies from the redesign of the process.
Management Response
Management agrees with the recommendation.
- Key controls for travel, express staffing and the payment processes will be clearly identified as automated or manual. Once this is completed, this recommendation will be integrated into the agency's internal control testing framework. This aligns with the narrative review conducted under the Policy on Financial Management.
Deliverables and Timeline:
The Director, Financial and Administrative Services Division (FASD) will:
- Identify manual and automated components of key controls within process documentation for travel, express staffing, and the payment process; and integrate this information into the Agency's internal control testing framework by July 31, 2018.
-
For the payment process, a communication strategy targeted to DFSA approvers will be developed and implemented to increase awareness of the verification process that takes place prior to s. 34 approval of a payment. Additionally, the completion of project authority confirmation as part of the account verification process will be clearly identified for the DFSA approver on the electronic payment form.
This will minimize the probability of an approver performing redundant verifications prior to s. 34 approval. This would also ensure that the new tool and process are used to their maximum potential.
The travel solution will be redesigned using the same technology as the payment process. The target is implementation by March 2018. Managers will be informed of the verification actions taken to support s. 32 and s. 34 approval for travel requests and claims.
Deliverables and Timeline:
The Director, Financial and Administrative Services Division (FASD) will:
- develop and fully implement a communication plan for DFSA approvers
- implement changes to the electronic payment form in ERA to indicate to the DFSA approver whether or not payment confirmation has been completed prior to their s. 34 approval, by November 2018.
Appendices
Appendix A: Audit Criteria
Control objectives / Core controls / Criteria | Sub-criteria | Policy instruments / Sources |
---|---|---|
Objective 1: Statistics Canada has maintained an effective management control framework within the processes that were redesigned as part of the APRA project to ensure compliance with Government of Canada policies and legislation. | ||
1.1 Key roles, responsibilities and accountabilities within processes redesigned by APRA have been clearly defined and communicated. | 1.1.1 Key roles, responsibilities and accountabilities of the administrative units have been clearly defined and are communicated. 1.1.2 The roles, responsibilities and accountabilities of the users have been clearly defined and are communicated. 1.1.3 For the review and approval of administrative transactions, individuals with delegated authority have the information they require to discharge their responsibilities. |
|
1.2 Key risks that may preclude the achievement of the APRA project's outcomes have been identified, mitigated and are being monitored and addressed. | 1.2.1 The key risks facing the achievement of the project's outcomes have been identified. Risk mitigation strategies have been developed and communicated to address key risks. 1.2.2 Mitigation strategies have been developed to address identified risks. 1.2.3 Risk monitoring reports are reviewed and any issues are identified and addressed in a timely manner. |
|
1.3 The processes redesigned by APRA have been designed to include the key controls for continued compliance with Statistics Canada and Treasury Board policies and directives. | 1.3.1 Key controls within key administrative processes have been formally documented. 1.3.2 Processes include key controls required for compliance with Statistics Canada and Treasury Board policies and directives. 1.3.3 Interdependencies within updated processes have been identified, communicated and considered. |
|
Appendix B: Acronyms
Acronym | Description |
---|---|
APRA | Administrative Processes Review and Automation Project |
CBA | Corporate Business Architecture initiative |
CET | Centre of Expertise in Travel |
DAC | Departmental Audit Committee |
DPMO | Departmental Project Management Office |
EMB | Executive Management Board |
ICN | Internal Communications Network |
IIA | Institute of Internal Auditors |
MAF | Management Accountability Framework |
PSEA | Public Service Employment Act |
TB | Treasury Board |