Continuous audit of the implementation of internal controls over financial reporting, 2014 (2024)

Internal Audit Report

378-1-290

March 10, 2014


Audit of Internal Controls – Non-Regular Pay Process

Table of Contents

  • Executive Summary
  • Statement of Conformance
  • 1.0 Introduction
    • 1.1 Background
    • 1.2 The Salary Process at CSC
    • 1.3 Internal Audit Sector Role
  • 2.0 Audit Objectives and Scope
    • 2.1 Audit Objectives
    • 2.2 Audit Scope
  • 3.0 Audit Approach and Methodology
  • 4.0 Audit Findings and Recommendations
    • 4.1 Management Framework for Non-regular Pay Process
      • 4.1.1 Policy and Legislative Framework
      • 4.1.3 Monitoring and Reporting
    • 4.2 Assessment of the Adequacy and Effectiveness of Internal Controls for Non-Regular Pay Process
      • 4.2.1 General Findings and Observations
        • 4.2.1.1 Segregation of duties
        • 4.2.1.2 File Documentation and Audit Trail
      • 4.2.2 Findings and observations related to specific allowances
        • 4.2.2.1 Mileage Allowance
        • 4.2.2.2 Call Back
        • 4.2.2.3 Leave Without Pay
  • 5.0 Overall Conclusion
  • Annex A - List of Non-regular Pay Transactions Expenses
  • Annex B - Audit Objectives and Criteria
  • Annex C - Definition of the Allowances Examined in the Audit
  • Annex D - Acronyms

Executive Summary

Background

Correctional Service Canada (CSC)’s Risk-Based Audit Plan (RBAP) of 2012-2015 identified the internal controls over financial reporting as a continuing area of high audit priority. This audit was conducted as part of CSC’s Internal Audit Sector’s mandate.

One process, salary, was ranked as of particular importance and high risk due to its materiality and complexity. A significant error in CSC’s salary expenditure could result in a material misstatement of CSC’s annual financial statements.

Salary expenditures for fiscal year 2012-2013 represented $1.3 billion (53%) out of a total annual departmental budget of $2.4 billion. These expenditures included 110 different types of salary allowances from regular pay to non-regular pay such as overtime, stand-by pay, and bilingual bonuses.

The overall goal of this audit was to provide assurance that the internal controls in place were adequate and effective to ensure the non-regular pay transactions selected for examination were free of material misstatements.

The audit objectives were to:

  • assess the adequacy of the management control framework with regard to key internal controls over financial reporting for the non-regular pay process; and
  • assess the adequacy and effectiveness of internal controls for selected non-regular pay transactions processes.

The audit was national in scope and included visits to NHQ and all five regions of CSC. It included an examination and testing of key controls for 11 non-regular pay allowance processes and covered the timeframe of April 1st, 2012 to March 31st, 2013. The 11 non-regular pay allowances were selected because they were considered to be high risk, based on their materiality and complexity.

Conclusion

In relation to the first audit objective, the CSC policy framework related to key internal controls was consistent with Government of Canada legislation, Treasury Board (TB) policies and directives. All documentation was available to staff; roles and responsibilities were defined and documented; and key controls, as identified by the Internal Financial Control Team (IFCT), were tested on a regular basis.

Nonetheless, two areas require ongoing attention, specifically:

  • sufficient time had not elapsed to assess the impact of the implementation of new measures to ensure clarity of the roles and responsibilities of the compensation advisors with regard to their responsibilities related to section 34 of the FAA. The Internal Audit Sector will follow up in this area in future audits; and
  • the results of ongoing monitoring by the finance group of the key internal controls for the time period of the audit were not yet reported in a final format. The Internal Audit Sector will follow up in this area in future audits.

With respect to the second objective, audit testing demonstrated that key internal controls were in place. However, concerns were identified with regard to:

  • a lack of supporting documentation on files to provide evidence that transactions were accurate and appropriate;
  • a shortcoming in the segregation of duties related to the non-regular pay process, as they were neither appropriate nor effective in detecting and correcting errors and preventing the risk of fraudulent activities at the time of the audit. Management has taken action since then to address the situation; and
  • an increased risk of error for the call back, mileage and leave without pay processes.

Recommendations have been included in the report to address these areas.

Management Response

Management agrees with the overall audit findings and recommendations as presented in the audit report.

  • Management has prepared a detailed Management Action Plan to address the issues raised in the audit and associated recommendations.

  • Management Action Plan is scheduled for full implementation in September 2014.

Statement of Conformance

In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed on with management. The opinion is applicable only to the area examined.

The audit conforms to the Internal Auditing Standards for Government of Canada, as supported by the results of the quality assurance and improvement program. The evidence gathered was sufficient to provide senior management with proof of the opinion derived from the internal audit.

Sylvie Soucy, CIA
Chief Audit Executive

Date:

1.0 Introduction

1.1 Background

Correctional Service Canada (CSC)’s Risk-Based Audit Plan (RBAP) of 2012-2015 identified the internal controls over financial reporting as a continuing area of high audit priority. This audit was conducted as part of CSC’s Internal Audit Sector’s mandate.

Internal controls are a key process in the financial management of a department. The Treasury Board Policy on Internal Control [Footnote 1] (the Policy) states that organizations must establish and maintain broad systems of internal control. It stipulates that the deputy head is responsible for ensuring the establishment, maintenance, monitoring and review of the departmental system of internal controls to mitigate risks in the following broad categories:

  • the effectiveness and efficiency of programs, operations and resource management, including safeguarding of assets;
  • the reliability of financial reporting; and
  • compliance with legislation, regulations, policies and delegated authorities.

The Policy also requires that the deputy head sign an annual departmental Statement of Management Responsibility Including Internal Controls over Financial Reporting. In addition, the deputy head and the chief financial officer are required to sign an annual letter of representation to the Auditor General and the Deputy Receiver General in support of the Public Accounts of Canada covering their responsibilities for internal control and assertions over the integrity of financial information.

As part of its efforts to meet these requirements, in 2006, CSC’s Corporate Services Sector conducted an audit readiness assessment of its financial statements. From this work, 22 processes were identified and deemed to be significant with regard to CSC’s financial statements. One process, salary, was ranked as of particular importance and high risk due to its materiality and complexity. A significant error in CSC’s salary expenditure could result in a material misstatement of CSC’s annual financial statements.

According to the RBAP, the Internal Audit Sector was mandated by the Departmental Audit Committee (DAC) to conduct the Audit of the Internal Controls over Financial Reporting-Salary Process. The last audit on this topic was the 2012 Continuous Audit of the Implementation of Internal Controls over Financial Reporting – Audit of Salaries and Review of Management Action Plans for Hospitality (hereafter called the September 25, 2012 audit).

1.2 The Salary Process at CSC

Salary expenditures for fiscal year 2012-2013 represented $1.3 billion (53%) out of a total annual departmental budget of $2.4 billion. These expenditures included 110 different types of salary allowances from regular pay to non-regular pay such as overtime, stand-by pay, and bilingual bonuses. A complete list of the non-regular pay allowances can be found in Annex A. Table A below provides a breakdown of the salary costs between regular and non-regular pay for the 2011-2012 and 2012-2013 fiscal years:

Table A: Analysis of Non-regular Pay Costs vs. Total Salaries Costs [Footnote 2]

| CSC Salary Actual | Total 2012-2013 ($000) | % | Total 2011-2012 ($000) | % of |
|---|---|---|---|---|
| Non-Regular Pay | $252,911 | 19 | $300,025 | 16 |
| Regular Pay | $1,048,511 | 81 | $1,027,751 | 84 |
| Total Salaries | $1,301,422 | 100 | $1,327,776 | 100 |

There are a variety of different policies, rules and regulations that provide guidance for the pay allowances; some are relatively straightforward while others are more complex and require interpretation and particular attention to ensure appropriate and accurate payments.

In terms of the administration of salary payments, various sectors and groups within CSC have responsibilities, including: Human Resources Sector; the finance function (at NHQ, in the regions and the sites across the country); and the sub-delegated managers. Finance officers are delegated Section 33 authorization as per the Financial Administration Act (FAA) and managers are delegated FAA Sections 32 and 34 authorization.

1.3 Internal Audit Sector Role

As mentioned in section 1.1, in 2012 the Internal Audit Sector (IAS) conducted the September 25, 2012 audit that focused on internal controls over the salary process. This audit concluded that the controls were adequate and effective to ensure pay transactions were free of material misstatements. Some areas for improvement were identified, and the following recommendations were presented to the offices of primary interest:

  • roles and responsibilities of financial officers and compensation advisors in relation to the verification and validation of pay transactions needed to be clarified;
  • the results of the monitoring of key controls performed by the Internal Financial Controls Team (IFCT) should be reported in a timely manner;
  • the controls over the initiation of pay actions should be reinforced to ensure timely submission of supporting documentation to compensation advisors;
  • the controls over the management of salary overpayment should be strengthened to ensure effective monitoring and efficient recovery of outstanding amounts; and
  • specimen signature cards needed to be accurate and easily accessible to compensation advisors.

In addition to the issues identified and addressed in the September 25, 2012 audit report, the auditors noted other areas of concern that were outside the scope of the audit but required attention. They were reported to the Assistant Commissioner Human Resources Management (ACHRM) and the Assistant Commissioner Corporate Services (ACCS) through a management letter. There were three areas of concern:

  • the risk associated with overtime pay transactions;
  • the inconsistency in the application of the compensation call back process for certain employees; and
  • the significant number of key controls identified in the financial control matrix for the salary process.

In March 2013, the Departmental Audit Committee (DAC) approved the addition of a new audit in the 2013-2016 RBAP, specific to non-regular pay transactions. Given the materiality, complexity and volume of transactions, these pay transactions may be predisposed to error, manipulation or fraud and consequently were identified as high risk.

Originally the audit team was asked to examine all 109 non-regular pay allowances, but their inclusion would have rendered the audit unwieldy and would have required excessive internal audit resources and time. Senior management agreed to start with a selection of pay allowances that were identified by the Internal Audit Sector (IAS) as being more material, higher risk and more complex. This process decreased the number of types of transactions to be tested first to 11 (see Annex A and Annex C for further information).

2.0 Audit Objectives and Scope

2.1 Audit Objectives

The overall goal of this audit, as outlined in the RBAP, was to provide assurance that the internal controls in place were adequate and effective to ensure that non-regular pay transactions processes selected for this audit were free of material misstatements.

The audit objectives were to:

  • assess the adequacy of the management control framework with regard to key internal controls for the non-regular pay process; and
  • assess the adequacy and effectiveness of internal controls for the non-regular pay transactions.

The specific criteria related to each of the objectives are included in Annex B.

2.2 Audit Scope

The audit was national in scope, and included visits to NHQ and all five regions. It included an examination and testing of key controls for 11 non-regular pay allowance processes.

Information technology general controls and the entity level controls were excluded from this audit because, at its commencement, they had not yet been documented, nor had their design effectiveness been evaluated and tested by the IFCT. At the time of this audit, IFCT was in the process of completing this work.

The audit covered the timeframe of April 1st, 2012 to March 31st, 2013.

Risk Identification and Assessment

The pay allowances recommended by IAS for inclusion in the audit were based on a thorough risk assessment. The risk factors included in the analysis were: materiality; previous audit work results; complexity of the allowances; and, requests of senior management.

The pay allowances that were recommended as a starting point by the auditors were approved by the deputy head, in his capacity as chair of the DAC, as follows:

| Allowance Type | Total ($) 2012-2013 |
|---|---|
| call back | 647,864 |
| stand-by | 839,609 |
| leave without pay | (4,225,396) |
| commuting allowance | 978,664 |
| bilingual bonus | 2,368,265 |
| meal allowance | 387,524 |
| maternity allowance | 12,205,469 |
| terminable allowance | 5,124,521 |
| offender supervision allowance (OSA) | 1,307,139 |
| penological factor allowance (PFA) | 7,951,931 |
| mileage allowance | 1,441,777 |
| Total (absolute value) | 37,478,159 |

Annex C provides a description of these allowances.

3.0 Audit Approach and Methodology

Approach

Audit evidence was gathered through a number of methods.

  • Interviews: Interviews were conducted with the Comptrollers, Chiefs of Finance, Financial Analysts/Officers and Compensation Advisors involved in the management and administration of the non-regular pay transaction process in the regions, as well as other staff involved in the non-regular pay process at both NHQ and RHQ.

  • Review of documentation: Relevant documentation, such as legislation, Commissioner’s Directives (CDs), and corporate documents, such as process maps, reports, and planning exercises, were reviewed.

  • Testing: Test plans (including tests, methodology and analytical procedures) and tools were developed based on the non-regular pay processes described in the Internal Financial Control Manual in order to audit the non-regular pay allowances selected. Testing was done by determining if internal controls in place were able to detect and correct errors and prevent the risk of fraud by examining a sample of transactions selected based on a continuous audit approach. It was conducted on key internal controls as identified by IFCT and related to each of the selected non-regular pay allowances.

  • Sampling: A selection of samples from the 11 pay allowances was examined.

Methodology

The sample of transactions was selected using a continuous auditing approach. It was limited to the period of April 1, 2012 to March 31, 2013 for the selected non-regular pay allowance transaction processes. The testing of controls was conducted at the RHQ in each region and at NHQ. Based on this methodology, the audit team selected 817 employee files.

The continuous auditing approach focused on unusual [Footnote 3] entries and transactions; therefore the probability of errors was elevated.

4.0 Audit Findings and Recommendations

4.1 Management Framework for Non-regular Pay Process

Given the level of risk and materiality of this area of audit, the auditors chose to follow up on the work previously conducted in the September 25, 2012 audit. The audit team examined CSC’s financial directives, guides, manuals and collective agreements applicable to the 11 allowances and confirmed that there were no changes in the process since the time of the previous audit. Consequently, it was deemed appropriate to rely on the earlier audit work.

4.1.1 Policy and Legislative Framework

We expected to find that CSC financial directives, guides and manuals were in place and consistent with Government of Canada legislation and Treasury Board (TB) policies and directives. We further expected to find that these documents were available to staff.

CSC financial directives, guides and manuals were consistent with Government of Canada legislation, TB policies and directives and were available to staff.

The audit found that CSC has a suite of financial directives, guides, manuals, instructions and bulletins that were consistent with TB policies and directives. These documents were available to staff on CSC’s intranet website (the Infonet).

4.1.2 Roles & Responsibilities

We expected to find that CSC roles and responsibilities related to the non-regular pay process were defined, documented and communicated.

CSC roles and responsibilities related to the non-regular pay process were defined and documented and were available to all staff on the Infonet; however, specific responsibilities required clarification.

The audit team reviewed CSC’s Payroll and Personnel Cycle [Footnote 4] to identify CSC staff involved in the management of the salary process, and more specifically, the non-regular pay processes. This work included an examination of roles and responsibilities to determine if they were defined and documented and if the segregation of duties was appropriate.

The audit found that roles and responsibilities were defined and documented and were available to all staff on the Infonet. We also found that roles and responsibilities related to the non-regular pay processes were further documented in various CSC financial directives, manuals, and national generic work descriptions. The CSC’s Payroll and Personnel Cycle was consistent with this documentation.

In the September 2012 audit, it was found that there was a lack of clarity regarding the application of section 34 of the Financial Administration Act (the FAA), specifically between the role of budget managers and that of compensation advisors. At that time, the audit team interviewed five compensation managers, all of whom stated that, in their opinion, the responsibility of section 34 of the FAA is exclusive to budget managers and their role as compensation managers is limited to processing transactions authorized by appropriate budget managers. As per the TB Guideline on Common Financial Management Business Process 5.1 – Pay Administration, compensation advisors are required to ensure the appropriateness of non-regular salary payments. Therefore, compensation advisors are responsible for ensuring that the authorized source documents supporting pay transactions are received and that pay transactions are completed, accurate and processed in a timely manner.

A lack of clarity in the roles and responsibilities of compensation advisors could lead to a deficiency in this key internal control, namely the review process of pay forms submitted, thereby increasing the risk of inappropriate and unauthorized payments.

This concern was reported within the September 25, 2012 audit, as part of Recommendation 1. The Assistant Commissioner Human Resources Management (ACHRM) and the Assistant Commissioner Corporate Services (ACCS) committed to implement their action plan by March 31, 2013.

On April 1st, 2013, Labour Relations, Compensation and Wellness Branch issued a pay verification and payment release procedure stating that compensation advisors are responsible for ensuring that the authorized source documents supporting pay transactions are received and that pay transactions are completed, accurate and processed in a timely manner. Moreover, the compensation advisor with the role of verifier is responsible for the accuracy of pay input with the budget manager and is ultimately accountable to the deputy head for this activity. The verifier is also granted signing authority under section 34 of the FAA to perform his or her role. Training was also provided to the verifiers with regard to section 34 of the FAA.

Sufficient time had not elapsed for the audit team to assess the impact of the implementation of new measures put in place to ensure clarity of the roles and responsibilities of the compensation advisors with regard to their responsibilities related to section 34 of the FAA; however the approach seems reasonable as stated. The IAS will follow up in this area in future audits.

4.1.3 Monitoring and Reporting

We expected to find that key financial controls for the salary process and non-regular pay processes, as identified by the IFCT, were assessed on a regular basis; that testing results were reported by IFCT; that improvements were identified; and that changes were made and reported when testing results were issued to process owners and management, within three months following testing completion, as stated in the management action plan of the September 25, 2012 audit.

Key internal controls, as identified by IFCT, were tested on a regular basis; however at the time of this audit, the 2012-2013 report was still in a draft format.

The audit team examined supporting documentation to determine if the monitoring of key controls for non-regular pay transactions occurred, was documented and reported, and if any required improvements were identified and implemented.

The audit found that monitoring, reporting, and processing requirements were defined in CSC’s Pay Verification Directive (FOPs-DIR-2013-326) and the internal controls around the processes were further defined in CSC’s Internal Financial Controls Manual. The documentation includes direction on the sampling methodology and approach used for testing, compiling and reporting the results.

Testing results for the key controls surrounding the post-payment verification were issued to process owners and discussed with regional comptrollers for remedial action, within the required timeline following testing; however, the report on those results was still in draft format at the time of the audit.

Conclusion

With regard to the first objective, the audit found that:

  • the policy framework related to key internal controls was consistent with Government of Canada legislation, TB policies and directives;
  • documentation was available to staff;
  • CSC roles and responsibilities related to the salary process were defined and documented and available to staff on the Infonet; and
  • key controls, as identified by IFCT, were tested on a regular basis.

Nonetheless, two areas require ongoing attention, specifically:

  • sufficient time had not elapsed to assess the impact of the implementation of new measures to ensure clarity of the roles and responsibilities of the compensation advisors with regard to their responsibilities related to section 34 of the FAA. The IAS will follow up in this area in future audits; and
  • the results of ongoing monitoring by the finance group of the key internal controls for the time period of the audit were not yet reported in a final format. The IAS will follow up in this area in future audits.

4.2 Assessment of the Adequacy and Effectiveness of Internal Controls for Non-Regular Pay Processes

Due to the large number of pay allowances examined and the number of criteria in Objective Two (found in Annex B), the audit results were summarized in Table B of this report. They are listed by pay allowance type, with results and comments for each.

We expected to find that key internal controls were in place and working as intended to ensure that transactions were properly and accurately processed and were free of material misstatement as set out in the Objective Two, so that:

  • transactions were recorded in a timely manner in the IFMMS [Footnote 5] system as required and represented events that actually occurred during the audited period;
  • all non-regular pay transactions which actually occurred during the audited period were recorded;
  • all non-regular pay transactions were authorized by persons with the appropriate delegated financial authorities;
  • all non-regular pay transactions were properly coded and mathematically accurate; and
  • all non-regular pay transactions were properly described, sorted and classified.

Audit examination work revealed that some key internal controls in place were not effective as they could not ensure that non-regular pay transactions were free of material misstatement and did not detect and correct errors or prevent the risk of fraudulent activities.

4.2.1 General Findings and Observations

4.2.1.1 Segregation of duties

In our testing of all non-pay transactions in the salary process, we expected to find an appropriate segregation of duties related to the processing and verification of non-regular pay transactions. An appropriate segregation of duties should be designed and implemented to prevent an employee or group of employees from perpetrating and concealing errors or fraudulent activities in the normal course of their duties.

The audit found that the segregation of duties was neither appropriate nor effective.

The auditors commented on the segregation of duties in the September 25, 2012 audit and at that time, noted that the segregation of duties for the Regional Pay System (RPS), as set up by CSC, did not prevent the same compensation advisor from entering, reviewing and processing the same transaction.

In response to the September 2012 audit, management stated that a peer review process had been in place that would counter this situation. The current peer review consists of a system where the transactions entered by a compensation advisor are reviewed by another compensation advisor (a reviewer or a pay verifier) before the transaction is processed for payment.

In order to test the effectiveness of this key internal control, the audit team selected a sample of duplicate transactions that had two identical dollar amounts for the same pay period, for the same allowance and employee.

Evidence of the ineffectiveness of the peer review process was discovered through this testing. In one region, the internal control process was unable to identify 55 inappropriate and unauthorized transactions that were processed and improperly paid. The transactions were processed and reviewed by the same compensation advisor who had the capability to enter and review the same transactions and to change bank accounts and then subsequently approve those changes. Details of this situation were discussed with senior management and action has been taken to address the matter. To prevent a reoccurrence of this situation, it is critical that no one individual has the ability to process a pay transaction and to modify bank account information.

In addition, the audit examination also revealed seven other situations of duplicate payments in other regions, none of which ultimately resulted in inappropriate transactions. These payments were processed and paid because the internal controls system of RPS, which is designed to prevent the processing of double entry transactions, was overridden by the compensation advisor processing the transaction. The auditors interviewed five compensation managers in each region and based on the information provided to the auditors, confirmed that all regions were susceptible to this control weakness.
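The duplicate-transaction test and the segregation-of-duties weakness described above can be expressed as a repeatable check. The following is an added example, not part of the audit report or of CSC's or the RPS's own tooling; the record fields (`entered_by`, `reviewed_by`, `changed_by`, `approved_by`), the pay period labels and all sample records are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class PayTxn:  # hypothetical record layout, not the RPS schema
    txn_id: str
    employee_id: str
    allowance: str
    pay_period: str
    amount: Decimal
    entered_by: str
    reviewed_by: str


@dataclass(frozen=True)
class BankChange:  # hypothetical record of a bank account modification
    employee_id: str
    changed_by: str
    approved_by: str


def duplicate_groups(txns):
    """Group by the audit's key: same employee, allowance, pay period and amount."""
    groups = defaultdict(list)
    for t in txns:
        groups[(t.employee_id, t.allowance, t.pay_period, t.amount)].append(t)
    return {k: v for k, v in groups.items() if len(v) > 1}


def self_reviewed(txns):
    """Transactions where the peer review was done by the person who entered them."""
    return [t for t in txns if t.entered_by == t.reviewed_by]


def bank_conflicts(txns, changes):
    """(user, employee) pairs where one user handled pay AND bank details."""
    touched = defaultdict(set)  # employee -> users who entered or reviewed pay
    for t in txns:
        touched[t.employee_id].update({t.entered_by, t.reviewed_by})
    conflicts = set()
    for c in changes:
        for user in {c.changed_by, c.approved_by} & touched[c.employee_id]:
            conflicts.add((user, c.employee_id))
    return conflicts


def triage(txns, changes):
    """Rank duplicate groups: more failed controls means higher priority."""
    conflicts = bank_conflicts(txns, changes)
    findings = []
    for key, group in duplicate_groups(txns).items():
        reasons = ["duplicate"]
        if any(t.entered_by == t.reviewed_by for t in group):
            reasons.append("self-reviewed")
        users = {u for t in group for u in (t.entered_by, t.reviewed_by)}
        if any((u, key[0]) in conflicts for u in users):
            reasons.append("bank-change-by-processor")
        findings.append({
            "employee": key[0], "allowance": key[1], "period": key[2],
            "amount": key[3], "txn_ids": sorted(t.txn_id for t in group),
            "reasons": reasons,
        })
    findings.sort(key=lambda f: (-len(f["reasons"]), f["employee"]))
    return findings


# Constructed sample data (not taken from the audit).
SAMPLE_TXNS = [
    PayTxn("T1", "E100", "call back", "2012-P14", Decimal("312.40"), "CA1", "CA1"),
    PayTxn("T2", "E100", "call back", "2012-P14", Decimal("312.40"), "CA1", "CA1"),
    PayTxn("T3", "E200", "mileage", "2012-P20", Decimal("58.00"), "CA2", "CA3"),
    PayTxn("T4", "E200", "mileage", "2012-P20", Decimal("58.00"), "CA2", "CA4"),
    PayTxn("T5", "E300", "stand-by", "2012-P20", Decimal("90.00"), "CA5", "CA5"),
    PayTxn("T6", "E200", "mileage", "2012-P21", Decimal("58.00"), "CA2", "CA3"),
]
SAMPLE_BANK_CHANGES = [BankChange("E100", "CA1", "CA1")]

if __name__ == "__main__":
    for finding in triage(SAMPLE_TXNS, SAMPLE_BANK_CHANGES):
        print(finding)
```

A duplicate that passed an independent review (T3/T4 here) still surfaces, but ranks below one where the same user entered, reviewed and also changed the employee's bank details.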

Since then, the Corporate Services and Human Resources sectors have undertaken a number of actions to resolve the issue. CSC may also consider consulting with the department responsible for the RPS to determine if there are ways to address this situation.

Recommendation 1 (Recommendation requires management’s immediate attention, oversight and monitoring)

The Assistant Commissioner Human Resources Management (ACHRM) should:

  • ensure there is an appropriate segregation of duties and put in place mechanisms to periodically monitor its effectiveness.

Management Response

We agree with this recommendation. The ACHRM will:

  • re-iterate to regional Compensation Managers the requirements for segregation of duties;

  • have the regional Compensation Managers confirm such segregation of duties is in place;

  • bi-annually, Corporate Compensation will conduct an audit to identify current RPS Users and the segregation of duties.

The first two items have been addressed and the regional Compensation Managers have confirmed in writing they are compliant and that the segregation of duties is complete.

The next monitoring is scheduled for June 2014.

4.2.1.2 File Documentation and Audit Trail

We expected to find evidence of review by compensation advisors to confirm the accuracy and completeness of the non-regular pay transaction payments, and that all supporting documentation was on file for the purpose of an audit trail.

With the exception of one region, there was no evidence that the internal control was performed as designed.

The audit found that 16% (130/817) of the files audited were missing key documents (letters of offer, leave without pay forms, timesheets, etc.) that supported the decisions around the payment of the allowances.

An absence of documentation puts the organization at risk as it may be unable to support decisions around the payment of non-regular pay allowances and therefore process ineligible allowances. As well, CSC could lack sufficient and appropriate details for audit trail purposes.

Another documentation issue concerned the transfer of employee pay files. The auditors found when 10 employees were transferred to other departments from CSC, their files were transferred with them without maintaining a minimum amount of documentation at CSC to support final pay transactions. Even though there is an exit process including a checklist, documentation is not retained. This lack of documentation made it difficult to perform the post-verification procedure for those transactions. As a result, it was not possible for the auditors to obtain reasonable assurance that these transactions were free of misstatement, authorized, accurate and appropriate.

Recommendation 2 (Recommendation requires management’s attention, oversight and monitoring)

The Assistant Commissioner Human Resources Management (ACHRM) and the Assistant Commissioner Corporate Services (ACCS) should:

  • identify key documents used in the pay processes and ensure they are maintained on file, electronically or otherwise; and

  • ensure that compensation advisors document the performance of the internal controls.

Management Response

We agree with this recommendation. The ACHRM will:

  • re-iterate the use of compensation and benefits checklists;

  • develop procedures and directions for pay verification and payment release;

  • conduct a review to ensure auditable evidence of verification for each pay transaction.

The first two items have been completed and the regional Compensation Managers have confirmed they are compliant since January 2014 in the use of the checklist.

The conduct of a review of verification on a sample basis is scheduled to begin in June 2014 and bi-annually thereafter.

4.2.2 Findings and observations related to specific allowances

Table B below includes high-level results related to each non-regular pay allowance examined. Further information beneath the table, in sections 4.2.2.1, 4.2.2.2 and 4.2.2.3, relates to specific findings for three particular pay allowances.

During the examination phase, any specific minor issues identified (minor calculation errors with no impact on the assessment of the internal controls) were reported to responsible staff within the regions, to be addressed on an individual basis. Corrective actions were taken for immediate remediation and evidence of this work was obtained by the audit team.

Table B: Summary of Findings by Pay Allowance
| Type of Transaction | Number of Transactions Tested | Internal Control Errors / Deficiency (Rate) | Internal Controls were Performed and Able to Prevent, Detect and Correct Errors | Missing Documentation or No Evidence of a Review Performed | General Comment & Conclusions |
| --- | --- | --- | --- | --- | --- |
| Mileage | 177 | 22 (12%) | No | 2% | The audit found that employees claimed excessive mileage for 12% of the transactions; the audit team concluded that the internal control over the review of the mileage claimed is ineffective. The audit team raised concerns over the application of National Joint Council Travel Directive. Refer to section 4.2.2.1 for further details. |
| Call back | 173 | 16 (9%) | No | 31% | A lack of documentation was noted. The audit found that in 9% of the transactions, the amounts paid were inappropriate. These transactions represent 49% of the total of CSC’s call back payments during the period audited. Refer to section 4.2.2.2 for further details. |
| Stand-by | 277 | 5 (2%) | Yes | 1% | No significant issues were noted. |
| Maternity Allowance | 399 | 7 (2%) | Yes | 16% | No significant issues were noted with the exception of the lack of documentation. |
| Leave Without Pay (LWOP) | 622 | 490 (79%) | No | 84% | The audit found that LWOP forms were often not authorized or authorized after the fact. This situation may generate potential for an overpayment of salary. Refer to section 4.2.2.3 for further details. |
| Bilingual Bonus | 326 | 0 (0%) | Yes | 15% | No significant issues were noted with the exception of the lack of documentation. |
| Penological Factor | 1478 | 39 (3%) | Yes | 4% | No significant issues were noted. |
| Commuting Allowance | 202 | 19 (9%) | Yes | 29% | No significant issues were noted with the exception of the lack of documentation. All errors were identified in one region and therefore the auditors considered it an isolated error and contacted the particular region. |
| Terminable Allowance | 374 | 0 (0%) | Yes | 5% | No significant issues were noted. |
| Offender Supervision Allowance | 819 | 8 (1%) | Yes | 0% | No significant issues were noted. |
| Meal Allowance | 125 | 8 (6%) | No | 48% | There was a lack of documentation noted. The audit also found that 6% of the transactions were overpaid. While meal allowance is not a significant expense for CSC in relation to the overall budget, the auditors noted that it is an area of high frequency of grievance claims. (The Audit of the CSC Staff Grievance Process was completed by IAS in 2012.) |

As mentioned in section 3.0, the auditors selected the sample for testing based on unusual [Footnote 6] transactions, such as duplicates or anomalies. As a result, the rate of error is, by definition, higher than it would be if compared to the general population of transactions. The purpose, however, was to test whether controls would or could detect those anomalies.

The following three sections describe findings specific to part of a pay allowance and require further explanation.

4.2.2.1 Mileage Allowance

The audit team identified two issues within the payment of mileage allowance that pose a risk to the organization because they involve both significant dollar amounts and a large number of staff members.

Applicability

The first finding concerned the applicability of rules to the payment of mileage for some employees.

Some of the mileage allowance transactions examined by the audit team were submitted by one classification group of staff for travel between their homes and workplaces when they worked overtime shifts. A mileage allowance is not included in their collective agreement but on enquiry from the audit team, CSC’s Labour Relations team explained that payment is based on Section 3.1.11 of the National Joint Council (NJC) Travel Directive. Rationale for the use of this entitlement is that working overtime is a disruption of the normal commuting pattern.

The audit team questioned the use of this subsection for payment because it is preceded by a sentence at the beginning of Section 3, which states that: "The provisions outlined in this module apply when an employee is away from the workplace on government travel within the headquarters area in Canada or worldwide."

The CSC Labour Relations team provided the auditors with recent jurisprudence from the National Joint Council that addressed the use of section 3.1.11 of the Travel Directive. This ruling indicates that use of this section was appropriate for the particular group of employees in question. Further, the Labour Relations team provided the auditors with correspondence from the Office of the Chief Human Resources Officer, Treasury Board, confirming this practice.

However, given the costs associated with this expense, we would strongly encourage CSC to formalize its approach.

Calculation of Payment of the Mileage Allowance

The audit found that there was no standard CSC-wide methodology to calculate mileage claimed, regardless of whether finance or compensation staff were involved in the approval process. The audit also found that, in some instances, the mileage claimed was for distances farther than the distance between the home address listed in HRMS [Footnote 7] and the workplace.

The audit also found that the employees’ home addresses were not always up to date in HRMS [Footnote 8]. Inconsistent and outdated information can lead to incorrect payments of mileage expenses.

4.2.2.2 Call Back

In the September 25, 2012 audit, the audit team noted instances where call back compensation claims appeared to be high, based on the Health Services Collective Agreement, specifically in relation to Article 10 (Call Back) and Article 11 (Stand-by) of the collective agreement. Labour Relations determined, after consultation with Treasury Board, that some claims were in fact higher than they should have been, and measures were subsequently taken to clarify and rectify the situation.

During the current audit, we found continued inconsistencies in this application of the Health Services Collective Agreement. However, on May 7, 2013 after completion of the examination phase of the audit, the audit team received a copy of new CSC guidelines for the tracking and payment of call-back for all employees, which addressed aforementioned issues. The practice has now been clarified and the audit team will follow up to determine if the practice has been corrected throughout CSC.

4.2.2.3 Leave Without Pay

As mentioned in section 3.0, the auditors selected the sample for testing based on unusual transactions. An inherent effect of this methodology is that the rate of error is significantly elevated in comparison to a traditional statistical sampling technique. This was particularly the case with the examination of leave without pay transactions.

Leave without pay (LWOP) is, by its definition (see Annex C), an allowance that does not involve pay. However, there are circumstances where there are salary recoveries required, and the auditors examined these transactions.

We expected to find that LWOP recovery transactions were completed in a timely and accurate manner. The sample selection process commenced with the overall population of employees with LWOP requiring recoveries. For the audit examination period, there were 4,370 employees in this situation. Some LWOP recorded was for short periods of time, others for much longer, including leave with income averaging. The audit team selected a total sample population for the period for LWOP of 60 employee files covering 622 transactions. The 60 files included 10 employees selected on a random basis from the 4,370 employee files and 50 whose files included transactions that appeared to be unusual.

The auditors found that CSC employees, whose files were included in the audit sample, took leave without completing the leave application form prior to departure. Specifically, 490 of the 622 (79%) total transactions for the sample were authorized after the leave period. These employees and their managers completed the leave application forms on return to work. The remaining 132 transactions were authorized prior to the leave and were processed after the leave was completed within a reasonable amount of time due to the timing of the pay process.

It was noted by compensation advisors that this practice may be a result of the special circumstances surrounding particular leave situations. CSC staff take leave due to illness or other unanticipated reasons and then remain on leave for a period of time longer than anticipated and consequently, run out of paid leave options. When this situation arises, the employee goes into leave arrears and requires LWOP. However, the employee may continue to be paid until the time the responsible manager notices the discrepancy and stops the pay.

Nonetheless, the audit found that there were some files in the sample where the recovery dollar amounts were significant. These figures were beyond that which would have been expected for a short time period to allow managers to note leave shortfalls and take corrective action. There were 13 employees out of 60 (22%) tested with an average recovery amount of $10,165. The total recovery amount for those 13 employees represented 80% ($132,165) of the total amount of $165,895 of 622 LWOP transactions tested.

For those employees who are covered by the Scheduling and Deployment System (SDS) [Footnote 9], the reconciliation process between SDS and HRMS is an existing internal control which could prevent the creation of large negative balances in an employee’s sick and annual leave accounts if completed in a timely manner.

The five regional compensation managers informed the audit team, through interviews, that reconciliations between SDS and HRMS are not always completed in a timely manner which may contribute to the delay in stopping pay.

The audit testing results confirmed that the lack of a timely reconciliation between SDS and HRMS can lead to large negative balances in these accounts and debts to the Crown.

There is a risk to the organization that it may be challenging to recover leave without pay overpayments especially if the employee remains away from work or leaves the organization.

Recommendation 3 (Recommendation requires management’s immediate attention, oversight and monitoring)

With respect to remittance of mileage, the Assistant Commissioner Human Resources Management (ACHRM) should:

  • obtain confirmation from the highest authorities that mileage allowance payments to staff working overtime shifts are based on clear and appropriate direction; and

  • implement mechanisms to control and monitor mileage claims for accuracy and appropriateness.

Management Response

We agree with this recommendation. The ACHRM will:

  • consult with TB and union stakeholders on the obligations of the NJC Directive and obtain confirmation in writing from TB on the obligations of the Directive and agreements from bargaining agents, where appropriate, by January 31 2014.

  • develop and implement new national standards and protocols for processing allowance reimbursements, including system process changes if required by April 30th 2014.

  • ensure on-going compliance monitoring of entitlement administration through the implementation of bi-annually site level, and annual headquarters level, audit requirements which include annual policy change review activities by September 30 2014.

Recommendation 4 (Recommendation requires management’s attention, oversight and monitoring)

The Assistant Commissioner Human Resources Management (ACHRM) should reinforce the internal controls in place to ensure timely reconciliations between HRMS and SDS to actively monitor and control leave balances.

Management Response

We agree with this recommendation. The ACHRM will:

  • review current internal controls for SDS and HRMS data reconciliation and re-issue directions to re-affirm manager and system user accountabilities.

  • implement new protocols for leave reconciliation management based on an MOA with the union and take pay actions when an employee leave transaction is not processed in a timely manner.

Conclusion

With regard to Objective Two of this audit, while the audit found that key internal controls are in place, there are two areas of concern with regard to the overall management of the non-regular pay allowance transactions. First, there was a lack of documentation on files and second, the segregation of duties related to non-regular pay process was not effective and could not detect and correct errors and prevent the risk of fraudulent activities. However, in reference to the latter, management has taken action and IAS will continue to monitor progress.

Additional concerns were noted specific to some of the non-regular pay allowances:

  • the rationalisation over the payment of mileage needs to be clarified and based on clear, authoritative documents;
  • the calculation of mileage requires further guidance and clarification; and
  • internal controls and management of leave balances including reconciliation also require further attention.

5.0 Overall Conclusion

In relation to the first audit objective, the CSC policy framework related to key internal controls was consistent with Government of Canada legislation, Treasury Board (TB) policies and directives. All documentation was available to staff; roles and responsibilities were defined and documented; and key controls, as identified by the Internal Financial Control Team (IFCT), were tested on a regular basis.

Nonetheless, two areas require ongoing attention, specifically:

  • sufficient time had not elapsed to assess the impact of the implementation of new measures to ensure clarity of the roles and responsibilities of the compensation advisors with regard to their responsibilities related to section 34 of the FAA. The IAS will follow up in this area in future audits; and
  • the results of ongoing monitoring by the finance group of the key internal controls for the time period of the audit were not yet reported in a final format. The IAS will follow up in this area in future audits.

With respect to the second objective, audit testing demonstrated that key internal controls were in place. However, concerns were identified with regard to certain non-regular pay transactions:

  • a lack of supporting documentation on files to provide evidence that transactions were accurate and appropriate;
  • a short-coming in the segregation of duties related to non-regular pay process, as they were neither appropriate nor effective in detecting and correcting errors and preventing the risk of fraudulent activities at the time of the audit. Management has taken action since then to address the situation; and
  • an increased risk of error for the call back, mileage and leave without pay processes.

Recommendations have been included in the report to address these areas.

Management Response

Management agrees with the overall audit findings and recommendations as presented in the audit report.

  • Management has prepared a detailed Management Action Plan to address the issues raised in the audit and associated recommendations.

  • Management Action Plan is scheduled for full implementation in September 2014.

Annex A — List of Non-regular Pay Transactions Expenses

Code Name
1 Regular Pay
6 Offender supervision allowance
9 Call-back pay
14 Department head and/or dean allowance
20 Temporary assignment allowance
24 Expanded Professional Role Allowance - Nurses
27 Dual remuneration
29 Leave - payment in lieu - SOS employees
32 Meal allowance
33 Leave - payment in lieu - active employees
34 Professional Membership Fees Allowance
35 Translation Pay Equity Adjustment - Non - Superannuable
38 Clothing Allowance / Correction Services Group (CX)
40 Overtime accumulated
41 Payment for month of death
42 Penological factor allowance
43 Premium pay for work on a holiday
44 Principals' allowance administrative and supervisory
46 Special accommodation allowance
48 Secondment allowance - Northern Pipeline Agency
49 Additional hours part-time employees
50 Reporting pay
51 Retiring allowance, non-transferable - including Early Retirement Incentive (ERI) payments
54 Severance pay
55 Shift premium - evening or 2nd shift
56 Sleeping-in allowance
58 Shift premium - night or 3rd shift
62 Specialists' allowance
63 Education allowance - nurses category only
64 Stand-by pay - 1st rate
65 Stand-by pay - 2nd rate
70 Supervisory differential
71 Supervisory differential - overtime
72 Travel on day of rest
73 Vacation pay
77 Education leave allowance
79 Flight inspection duties quarterly payment
80 Inmates training differential
82 Performance awards - non-management category
83 Pay supplement
86 Shift change premium
87 Lump-sum settlement on revision
88 Lump-sum settlement not subject to superannuation
89 Travel on a normal working day
92 Premium for lieu day
94 Flight calibration duty
95 Dog handler's allowance
96 Height allowance
101 Living cost differential
102 Fuel and utilities differential
104 Mileage allowance or out of pocket expenses
115 Inmate training differential - overtime (allowance applicable to overtime hours worked only)
124 Pay in lieu of notice (term employees)
126 Supervisory differential (ships' repair)
140 Premium for temporary assignment
141 Bilingualism bonus ($800)
142 Commuting allowance - taxable
143 Chairman's allowance
144 Equalization Adjustment Allowance
146 Maternity allowance (collective agreement)
148 Maternity allowance
149 Responsibility allowance Correctional Services (Corr. S.)
154 Weekend premium - first day
155 Weekend premium - second day
158 Transfer allowance (ship repair)
173 Premium pay in lieu of statutory holiday
175 Call Pay - Deckhands
179 At Risk Pay
188 Terminable allowance
1B5 Dangerous Goods
1C3 Instructor Allowance - pensionable
1C4 Institutional Emergency Response Team Allowance - pensionable
1C5 Instructor Allowance non-pensionable
1C6 Institutional Emergency Response Team Allowance non-pensionable
1D3 Lump Sum Payment - Executive (EX) recruitment
1F3 Lay-Day Payment in Lieu of Vacation Credits
1F4 Commuting Assistance
1F6 Full Severance Liquidation Payment
1F7 Part Severance Liquidation Payment
1G3 WFA Financial Counseling
220 Retroactive overtime - current year
221 Retroactive overtime - first previous year
222 Retroactive overtime - second previous year
223 Retroactive overtime - third previous year
227 Terminable Retention Allowance
229 Terminable Allowance - monthly
231 Late hour premium
232 Dual remuneration (non-superannuable)
240 Reimbursement of Memberships
251 Recruitment and Retention Allowance
253 Vacation pay advance
254 Turn around penalty
255 Break penalty
256 Non-continuous hours
259 Overtime - second meal
260 Overtime- regular working day
261 Overtime - first day of rest
262 Overtime - second or subsequent day of rest
263 Overtime on statutory holiday
268 Overtime while on training
280 Severance pay (non-transferable)
281 Reimbursement of parking
282 Non-accountable advance vacation travel - taxable
290 Overtime pay - other rate
297 Environment allowance
301 Leave without pay
302 Fixed hours not worked
303 Overpayment
306 Leave Income Averaging
307 Comp. leave adjustment
331 Rotational Supplement Pensionable - No Premiums
332 Dangerous Goods Allowance
365 Turnkey payment transferable
366 Turnkey payment non-transferable
368 Contracting out payment non-transferable
370 Retiring allowances - Adjustment/non-eligible (RA - adj non eligible)
401 Reverse - leave without pay
402 Reverse - fixed hours not worked
403 Reverse - unearned
404 Rev Rec of Overpayment (O/P)
406 No code name available [Footnote 10]
504 No code name available
522 No code name available
540 No code name available
566 No code name available
567 No code name available
5F3 No code name available
728 No code name available
729 No code name available
731 No code name available
741 No code name available
819 No code name available
955 No code name available

Annex B — Audit Objectives and Criteria

Objective Criteria
1. Assess the adequacy of the management control framework with regard to key internal controls for the non-regular pay process.

1.1 Policy Framework:

  • CSC manuals, financial directives and guidelines in place are consistent with TB policies, Acts, legislation and applicable collective agreements as they relate to the non-regular pay process.

1.2 Roles & Responsibilities – CSC employees’ roles and responsibilities in relation to the non-regular pay transactions process are defined, documented and communicated.

1.3 Monitoring and reporting systems are adequate and effective, so that:

  • Key controls as identified by IFCT (internal financial control team) are tested on a regular basis;
  • Testing results are reported by IFCT as required;
  • Improvements are identified by process owner; and
  • Changes are made and reported when necessary by the process owner.
2. Assess the adequacy and effectiveness of internal controls for non-regular pay transactions process.

2.1 Existence / Occurrence - Transactions are timely, recorded in the IFMMS systems as required and represent events that actually occurred during the audited period.

2.2 Completeness - All non-regular pay transactions which actually occurred during the audited period are recorded.

2.3 Authorization - All non-regular pay transactions are authorized by persons with the appropriate delegated financial authorities.

2.4 Valuation & Accuracy - All non-regular pay transactions are properly coded and mathematically accurate.

2.5 Presentation / Disclosure - All non-regular pay transactions are properly described, sorted and classified.

2.6 Accuracy - All controls for non-regular pay transactions are:

  • at the appropriate location in the process; and
  • for the intended purpose.

Annex C — Definition of the Allowances Examined in the Audit [Footnote 11]

1. Call Back Pay: This pay is provided when an employee is called back to work or when an employee who is on stand-by duty is called back to work by the employer any time outside his or her normal working hours.
2. Stand-by Pay: When the employer requires an employee to be readily available on stand-by during off-duty hours, the employee shall be compensated for the time he has been designated as being on stand-by duty.
3. Leave Without Pay (LWOP): This allowance is provided when an employee applies for, and is granted leave without remuneration as described in the collective agreements.
4. Commuting Allowance: Compensation is provided to help defray excessive costs incurred in employees' daily travel to and from the regularly assigned worksite on the days when they are required by management to report for work.
5. Bilingual Bonus: When an employee occupies a position which has been identified as bilingual and the employee has Second Language Evaluation (SLE) results confirming that he/she meets the language requirements of his/her position, then the employee is entitled to the bilingual bonus.
6. Meal Allowance: When an employee who works three or more hours of overtime immediately before or immediately following the employee's scheduled hours of work, or works overtime continuously extending four hours or more beyond the period of three or more hours, he or she shall be reimbursed his or her expenses for one meal. The meal allowances shall not apply to an employee who is on travel status.
7. Maternity Allowance: Unpaid leave may be granted to a female employee for the purpose of dealing with the pregnancy, delivery, and care of her new-born child.
8. Terminable Allowance: In an effort to resolve retention and recruitment problems, Employer provides an allowance to MDs and other group employees who perform the duties of positions at the MD-MOF-1 through MD-MOF-4 levels, MD-MSP-1 through MD-MSP-2, NU, PS and AS-02 levels.
9. Offender Supervision Allowance (OSA): This allowance is used to provide additional compensation to a parole officer position who is employed in the community and who, by reason of duties being performed in relation to the conditional release of offenders, as defined in the Corrections and Conditional Release Act, assumes responsibilities for the regular supervision of offenders.
10. Penological Factor Allowance (PFA): This allowance is used to provide additional compensation to whom, by reason of duties being performed in a penitentiary, as defined in the Corrections and Conditional Release Act, assumes additional responsibilities for the custody of inmates other than those exercised by the employees in the Correctional Group (CX).
11. Mileage Allowance: When an employee is required to work in more than one location during a period of duty, transportation between such locations shall be provided, or paid for, by the employer.

Annex D — Acronyms

ACCS: Assistant Commissioner Corporate Services
ACHRM: Assistant Commissioner Human Resources Management
CD: Commissioner's Directive
CSC: Correctional Service Canada
DAC: Departmental Audit Committee
FAA: Financial Administration Act
HRMS: Human Resources Management System
IAS: Internal Audit Sector
IFCT: Internal Financial Control Team
IFMMS: Integrated Financial and Material Management System
LWOP: Leave Without Pay
NHQ: National Headquarters
NJC: National Joint Council
OSA: Offender Supervision Allowance
PFA: Penological Factor Allowance
RBAP: Risk-Based Audit Plan
RHQ: Regional Headquarters
RPS: Regional Pay System
SDS: Scheduling and Deployment System
SLE: Second Language Evaluation
TB: Treasury Board

Footnotes

Footnote 1

Treasury Board Policy on Internal Control, Section 3.2 and Section 6.1

Footnote 2

Source: Non-Regular Pay Statistics – Public Works and Government Services Canada Regional Pay System (RPS) and CSC’s Resource Management Tool (RMT).

Footnote 3

The use of the term ‘unusual’ follows the Canadian audit standard - 500 audit evidence.

Footnote 4

Internal control matrix that describes CSC’s salary and non-regular pay processes.

Footnote 5

Integrated Financial and Material Management System.

Footnote 6

The use of the term ‘unusual’ follows the Canadian audit standard 500 – audit evidence

Footnote 7

HRMS is Human Resources and Management System endorsed by Treasury Board.

Footnote 8

Ibid 7.

Footnote 9

SDS is a CSC in-house stand alone time reporting system for correctional officers.

Footnote 10

This is the coding for recoveries.

Footnote 11

These definitions are drawn from the Treasury Board Collective Agreements.

Page details

Date modified:
Continuous audit of the implementation of internal controls over financial reporting, 2014 (2024)

FAQs

What is an audit of internal controls over financial reporting? ›

During an audit of internal controls over financial reporting, an auditor will assess how effective a business's controls are. This is typically an external auditor; their published report will offer independent assurance that the business follows credible and ethical financial reporting practices.

How to do an ICFR audit? ›

Companies set up an ICFR (internal control over financial reporting) strategy, establish policies and procedures for internal control, assess the control environment and risks of material misstatement of financial statements, monitor and approve transactions, test a sample of transactions, and issue ICFR report ...

What is the internal audit of financial reporting? ›

Internal audits help an organization improve its processes and internal controls by performing projects and controls assessments to identify any areas of improvement or deficiencies in the controls and reporting process, allowing the opportunity to remediate those issues before they become a material error (under ...

What is the SOX internal control over financial reporting? ›

SOX security controls are measures put in place by companies in order to identify and prevent errors or inaccuracies, whether intentional or unintentional, in financial reporting. These controls must be applied for all business processes and cycles related to financial reporting or financial results.

What is an example of internal control over financial reporting? ›

The classic example is balancing your checkbook: if the bank statement doesn't match your ledger, search for a reason. Matching delivery receipts to vendor payments is another method. Monitoring performance can also be a way to detect errors.

What is an example of an internal control audit? ›

Specific examples include: Monthly review of budget statements to actual expenses. Review of telecommunication call activity reports for personal or non-business related phone calls. Review of timecards and overtime hours by employees.

Who is responsible for ICFR? ›

In the US it is required by law under the Sarbanes Oxley Act (SOX) of 2002 and falls under the purview of the Securities and Exchange Commission (SEC). Similar legislation exists worldwide to ensure proper internal control methods exist to protect investors and ensure ongoing confidence in the markets.

Is ICFR mandatory? ›

It is not mandatory to follow the ICFR as per the law. However, it is encouraged to follow the same by the companies. The board of directors of the company are required to report on the controls over financial reporting in the company.

What is the difference between internal control and ICFR? ›

Broad and Comprehensive: Internal audit covers a broader scope than ICFR. It assesses the effectiveness of the organization's internal control system as a whole, which includes but is not limited to financial reporting.

What is the difference between internal audit and continuous audit? ›

An internal audit is a function within an organization that assesses the effectiveness of internal controls, identifies risks, and provides recommendations for improvement. Continuous audit, on the other hand, is an automated process that continuously monitors an organization's financial and operational processes.

What are the 5 C's of internal audit? ›

What Are the 5 C's of Internal Audit? Internal audit reports often outline the criteria, condition, cause, consequence, and corrective action.

What are the three types of Internal audits? ›

Internal Audit Types
  • Financial/Controls Audits. ...
  • Compliance Audits. ...
  • Operational Audits. ...
  • Construction Audits. ...
  • Integrated Audits. ...
  • Information Systems (IS) Audits. ...
  • Special Investigations. ...
  • Follow-up Audits and Validation Testing.

What is the audit of internal control over financial reporting? ›

At its core, an ICFR audit evaluates the operating effectiveness of a company's internal processes and controls that safeguard its financial statements from misrepresentation, either accidental or intentional.

What is the difference between internal audit and SOX?

Internal auditors must conduct regular compliance audits to verify that appropriate controls are in place and that they are functioning properly. The SOX standard does not provide a list of specific controls. Instead, it requires organizations to define their own controls to meet the regulator's goals.

How to do a SOX audit?

8 Steps Internal Auditors and Accountants Should Follow When Implementing SOX Compliance
  1. Step 1: Risk Assessment.
  2. Step 2: Materiality Analysis.
  3. Step 3: SOX Controls.
  4. Step 4: Fraud Risk Assessment.
  5. Step 5: Process and SOX Control Documentation.
  6. Step 6: Testing of Key Controls.
  7. Step 7: SOX Deficiency Assessment.

What is internal financial control over reporting?

Internal Control over Financial Reporting (ICFR) remains an essential part of the Chief Financial Officer (CFO) agenda in order to ensure that the information reported in the financial statements is accurate and does not contain any material misstatement.

What is the objective of an audit of internal control over financial reporting according to PCAOB auditing standards?

Maintaining effective internal control over financial reporting means that no material weaknesses exist; therefore, the objective of the audit of internal control over financial reporting is to obtain reasonable assurance that no material weaknesses exist as of the date specified in management's assessment.

Why are internal controls important in financial reporting?

Internal controls are important because they offer guidelines for collecting, storing and reporting information. This creates systems for accurate, timely and reliable data for boards and investors alike.

How is the auditor's opinion on internal control over financial reporting presented?

The auditor should form an opinion on the effectiveness of internal control over financial reporting by evaluating evidence obtained from all sources, including the auditor's testing of controls, misstatements detected during the financial statement audit, and any identified control deficiencies.


Author: Ms. Lucile Johns
