Background 7.1 The Legislative Assembly approves the budget that sets out the government’s financial plans. The duties imposed on our Office require us to audit the actual financial results and report our findings to the Legislative Assembly. 7.2 Our audit work encompasses financial transactions in all government departments. As well, we audit pension plans and other trust funds, including the Fiscal Stabilization Fund. 7.3 We also audit the Crown Corporations, Boards, Commissions and other Agencies which are listed below. 7.4 Agencies included in the Public Accounts: • Advisory Council on the Status of Women • Algonquin Golf Limited • Algonquin Properties Limited • Kings Landing Corporation • Lotteries Commission of New Brunswick • NB Agriexport Inc. • New Brunswick Advisory Council on Seniors • New Brunswick Advisory Council on Youth • New Brunswick Credit Union Deposit Insurance Corporation • New Brunswick Crop Insurance Commission • New Brunswick Highway Corporation • New Brunswick Municipal Finance Corporation • New Brunswick Public Libraries Foundation • New Brunswick Research and Productivity Council • Premier’s Council on the Status of Disabled Persons • Provincial Holdings Ltd. • Regional Development Corporation • Regional Development Corporation - Special Operating Agency 7.5 Other Agencies: • Le Centre communautaire Sainte-Anne • Legal Aid New Brunswick Scope 7.6 To reach an opinion on the financial statements of the Province, we carry out audit work on the major programs and activities in departments. In addition, we audit major revenue items and a sample of expenditures chosen from departments. We also test controls surrounding centralized systems. 7.7 We take a similar approach to our testing of the Province’s pension plans. Our objective in doing this work is to reach an opinion on the financial statements of each plan. 7.8 Because of the limited objectives of this type of audit work, it may not identify matters which might come to light during a more extensive or special examination. However, it often reveals deficiencies or lines of enquiry which we might choose to pursue in our broader scope audit work. 7.9 It is our practice to report our findings to senior officials of the departments concerned, and to ask for a response. Some of these findings may not be included in this Report, because we do not consider them to be of sufficient importance to bring to the attention of the Legislative Assembly, or because public attention to weaknesses in accounting controls before they are corrected could possibly result in loss of government assets. 7.10 Our work in Crown agencies is usually aimed at enabling us to give an opinion on their financial statements. During the course of this work, we may note errors in accounting records or weaknesses in accounting controls. We bring these matters to the attention of the agency, together with any recommendations for improvement. 7.11 This chapter of our Report summarizes issues related to departments and Crown agencies which we consider to be significant to the Members of the Legislative Assembly. 7.12 Our examination of the matters included in this chapter of our Report was performed in accordance with Canadian generally accepted auditing standards, including such tests and other procedures as we considered necessary in the circumstances. The matters reported should not be used as a basis for drawing conclusions as to compliance or non-compliance with respect to matters not reported. Department of Education Payroll procedures in school districts Termination procedures 7.13 As part of our audit of the financial statements of the Province for the year ended 31 March 2004, we audited payroll procedures in school districts. 7.14 During the course of our work, we found that school districts do not follow proper procedures when employees are terminated, especially for the termination of teachers. Employees are remaining active in the payroll system beyond their actual termination dates. We did see instances where staff had to re- deposit cheques produced in error for terminated staff. Consequently, we feel there is risk associated with leaving these employees active in the payroll system. 7.15 In addition, teachers who leave the employ of the school district at the conclusion of the school year continue to be paid on a bi-weekly basis until the pro-rated balance owed to them upon termination has been paid. According to the Department’s Payroll Manual for School District Administrators, employees are to be terminated in the system when the employment is ended and are to receive a final cheque upon their termination. Recommendations 7.16 We recommended the Department ensure that employees are terminated in the payroll system on the actual termination date. 7.17 We further recommended that any amounts owing to employees upon termination be paid to employees in the pay period in which the termination date falls. Departmental response 7.18 We will contact our school districts regarding this finding and inform them of the proper procedures to be followed when terminating employees. We will also emphasize the importance of adopting the proper procedures for the payment of teachers that are terminated at the conclusion of the school year. We will revise our payroll procedures to include the process to be followed for the termination and payment of teachers at the end of the school year. Documentation in personnel files 7.19 In two of the three districts tested we found a lack of adequate documentation in the personnel files of casual employees. At a minimum, one would expect to see a document authorizing the hiring of an employee on a casual basis, with an indication of the rate of pay offered for the employment and any other conditions of employment. This information was not always found in the files of casual employees. Recommendation 7.20 We recommended the Department ensure that the districts provide casual employees with proper documentation indicating the terms and conditions of their employment and that a copy of this documentation be maintained in the personnel file. Departmental response 7.21 We will be in contact with our school districts regarding this matter and will stress the importance of having appropriate documentation in all of the school district employee files. Department of Family and Community Services NBCase System Background 7.22 This section of our Report describes the results of our audit of NBCase, the social assistance payment and case management system in the Department of Family and Community Services (FCS). We chose this system because we believe it is a key computer application in the provincial government – it processes payments in excess of $186 million. Our Office has a long range plan to audit all key computer applications in the Province to support our audit opinion on the provincial financial statements. 7.23 NBCase is the automated case management system, developed by Accenture Inc. (formerly Andersen Consulting) and FCS in the mid 1990s. Its main functions include: determining client eligibility, calculating client payment amounts, and maintaining client history information. In 2003, the NBCase system managed on average 27,000 cases representing approximately 50,000 clients and processed over 600,000 financial transactions. In May 2003, FCS and Accenture signed a three-year contract for Accenture to operate and maintain the NBCase system. 7.24 Accenture has a team of eighteen people who are responsible for operating and providing application maintenance and support to NBCase. The two FCS branches that manage the NBCase system are Operational Support and Information Technology Services (ITS). The Operational Support branch is responsible for all operational issues relating to NBCase, for example, prioritizing system changes, and approving system access. The Information Technology Services branch is responsible for monitoring the Accenture contract and providing help desk support to NBCase users. Scope 7.25 In our computer application audits, we have an overall audit objective and use a standard approach to achieve the objective. 7.26 Our overall audit objective was: To determine if we can rely on the NBCase system for purposes of expressing an opinion on the Province’s financial statements for the year ended 31 March 2004. 7.27 Our standard approach is divided into two phases: computer control environment review and application control review. 7.28 In the first phase, we review and assess the adequacy of the computer control environment in which the application operates. To accomplish this, we assess controls such as system security, program changes and business continuity. Internal audit and its role with respect to the computerized application is also included in our review. 7.29 If we determine that the control environment is adequate, we proceed to the second phase of our audit where we examine the controls specific to the application. In this phase, we document the system, determine key system controls that help ensure that transactions are complete, accurate and authorized, and assess whether or not these controls are effective enough for us to rely on them for our financial statement work. Results in brief 7.30 Based on our positive conclusions on the computer control environment and the application controls and transaction testing, we conclude that we can rely on the NBCase system for purposes of expressing an opinion on the Province’s financial statements for the year ended 31 March 2004. We did, however, make a number of observations and recommendations. Phase I: Computer control environment 7.31 During our audit of the NBCase computer control environment, we examined policies and procedures relating to: • access to programs and data, • program change controls, • business continuity planning, • security awareness and administration, and • physical security and environmental controls. Conclusion on the control environment 7.32 Based on our examination, we believe that the NBCase computer control environment is adequate to support the operation of the NBCase system. We noted a number of areas where improvements should be made. These areas are addressed in the following observations and recommendations. Access to programs and data 7.33 As mentioned above, Accenture is responsible for operating and maintaining the NBCase system. To perform these functions, Accenture must have access to the Unix operating system on which NBCase is running. We noted a number of issues relating to this operating system environment. 7.34 In the NBCase user access section, we discuss issues noted in the procedures used by FCS to control system access to NBCase. Unix operating system 7.35 While we did not conduct an in-depth review of the Unix operating system, we noted a number of practices that are not normally associated with “good” security procedures. 7.36 We believe the Department should perform a “threat/risk assessment” for the NBCase system. This would identify all potential threats to the system, the risk of their occurrence and how the Department plans to manage the threats. NBCase user access Approving access requests 7.37 No formal process exists to approve user access requests for the NBCase system. A formal process would help ensure that all users are authorized to use the system. From our discussions with the Department, we learned that a number of informal processes are currently being used. Compliance with government standards 7.38 In March 2003 the Government of New Brunswick released “Password Standard for User Accounts” which outlines baseline security for all user accounts. The NBCase system received a grandfathering exemption for these standards. However, this exemption does not alleviate the Department from its obligation to have security surrounding the system. During our audit, we noted that the NBCase system does meet certain requirements outlined in the standards such as using password masking and inactivity timeout intervals, but we also noted several other requirements that are not being met. In the following paragraphs, we discuss situations where NBCase is not meeting the government standards. • The NBCase system is not automatically disabling accounts after ninety days of inactivity. We found approximately 180 user accounts that had not accessed NBCase in the last ninety days. In fact, 17 users had not logged into the system during the last five years and 43 users had never logged in at all. Not disabling inactive accounts increases the risk of unauthorized system access. The Department should modify the system to perform this function or should manually review and disable inactive accounts. We are pleased to report that the Department has taken steps to identify and disable inactive accounts. • The NBCase system does not require special characters to be used in passwords, nor does it require users to change their passwords every sixty days. Increasing the complexity of passwords and changing them frequently, reduces the risk of unauthorized access to the system. The Department should modify the system to comply with the government standards, or should establish alternate procedures to enhance security. • NBCase users may be assigned more than the minimum system privileges required for them to perform their work. No document is communicated to FCS staff outlining the system privileges of each “desk role”. Users being assigned more privileges than their job requires, increases the risk of unauthorized transactions occurring in the system. Recommendations 7.39 We recommended the Department perform a threat/risk assessment for the NBCase application. This assessment would identify all potential security risks and help the Department to manage these risks. 7.40 We recommended the Department formalize a process to approve new NBCase user access requests. This process should identify individuals who are responsible for approving user access requests. 7.41 We recommended the Department modify the NBCase system to automatically disable user accounts after 90 days of inactivity or develop a manual process to perform this function. 7.42 We recommended the Department modify the NBCase system to comply with the government baseline security requirements for passwords. If modifying the system is not feasible, then the Department should establish alternate procedures to enhance security. 7.43 We recommended the Department provide a document outlining user “desk role” privileges to all people responsible for determining system access. These people should be instructed to provide the minimum access required for users to perform their job duties. Program change controls 7.44 Program changes are necessary for information systems to meet the needs of users. Proper control of program changes ensures that only authorized and tested changes are made. The two types of program changes that are usually made to a system are scheduled and emergency changes. 7.45 With the NBCase system, scheduled changes are made using a release method. With this method, a number of changes are “bundled” together and then implemented at one time. FCS usually implements three or four releases per year. Changes that must be made immediately are performed by changing the program code or by correcting the data (datafixes) depending on the situation. Emergency changes are relatively risky and thus require tight control procedures to ensure that only authorized program changes and data corrections are made. 7.46 We reviewed the process for controlling emergency changes (datafixes) and system releases. From our review, we believe adequate control procedures are in place to control emergency changes. 7.47 We examined the procedures for the November 2003 release and found that all program changes in the release were pre-authorized by FCS, tested by Accenture and FCS, and approved for production by FCS. Business continuity planning 7.48 A business continuity plan (BCP) outlines the procedures to follow and the resources needed to ensure systems continue to operate if an interruption or disaster occurs. Business continuity planning includes such things as a business impact analysis, emergency response procedures and an information technology recovery plan. 7.49 FCS has not formalized many components of a business continuity plan, such as: • determining and documenting the maximum acceptable downtime of the NBCase system (component of a business impact analysis); • documenting backup procedures and contact lists for the Department (component of emergency response procedures); and • assigning responsibilities should a disaster occur (component of emergency response procedures). 7.50 We noted that FCS does have an extensive information technology recovery plan for the NBCase system. Accenture updates the plan whenever the NBCase infrastructure or hardware changes. Each year, part of the plan is tested through the routine transfer of information from the NBCase server to the training server. 7.51 Not having a complete business continuity plan means that the Department may be unable to process social assistance payments if an interruption or disaster occurs. The Department should assess this risk and its impact on the public. Plans to manage these risks should be developed if necessary. Recommendation 7.52 FCS should develop and document a complete BCP to help ensure that social assistance clients are not seriously affected if an interruption or disaster occurs. The BCP should be reviewed and tested whenever changes to the NBCase system occur. Audit Services 7.53 The Audit Services unit is responsible for measuring and evaluating internal control systems. Two sections in the unit are Caseload Sampling and Telephone Case Review. The work of these two sections represents detective controls for the social assistance program. The Caseload Sampling section is responsible for monitoring the continuing eligibility of social assistance clients, while the Telephone Case Review section complements the case management process by confirming client information. They report the results of their work to an Audit and Evaluation Committee which consists of ten members including the Deputy Minister and three Assistant Deputy Ministers. The purpose of the committee is to act as a decision making body and to provide leadership and support to Audit Services. 7.54 We reviewed the work and the findings of the Caseload Sampling and the Telephone Case Review sections to determine if we can rely on their work for our audit opinion. We assessed factors such as the scope, knowledge, competence and due care of the Caseload Sampling and Telephone Case Review sections. We also tested two Caseload Sampling and one Telephone Case Review projects. While we found that we could rely on their work for our purposes, we observed areas where improvements could be made. Caseload Sampling section 7.55 Each year, the Caseload Sampling section (CSS) selects statistical samples of social assistance payments. Samples are divided into two groups – Target and Basic. The target group represents clients who have the potential to become self-sufficient in the near future. The basic group represents clients who have less potential to become self-sufficient and who will likely require a longer period of assistance. 7.56 The CSS tests the continuing eligibility of approximately 1,600 clients each year. For each region, one month is selected and a sample of roughly 145 clients is tested. All errors are provided to case managers for review and correction. The errors are projected over the monthly population. An estimate of both the amount of ineligible payments and the expected error rate for the month is produced. The CSS compares this error rate to the tolerable error rate of 2% set by the Department. The projected error rate exceeds the tolerable level set by the Department 7.57 For the past four years, the average projected error rate for all regions has been greater than the 2% rate set by the Department. For example, the average projected error rate in 2003 was 4.68%. Although the CSS has consistently calculated the error rate for all regions to be above 2%, we saw no evidence that the Audit and Evaluation Committee has tried to determine the cause of this problem or to established a plan to try to reduce the amount of errors. 7.58 To estimate the annual amount of ineligible payments made by FCS, we projected the average monthly error rate over the annual population. While this approach is not statistically correct and assumes that the amount of error is consistent from month to month, we believe it is a reasonable approximation. Using the average error rate of 4.68% and an annual population of $173 million, we estimate the error amount to be approximately $8.1 million. The Department’s tolerable error amount would be $3.5 million based on the 2% tolerable error rate. CSS does not use a risk based approach for sample selection 7.59 The CSS is not using a risk based approach for selecting its statistical sample. Adopting this approach would allow the CSS to focus its limited resources in the areas where errors are most likely to occur. To identify areas of risk or trends, the CSS should analyze its past reports. We examined the reports of the CSS for the past five years and provided Audit Services with the results. We noted the following: • The basic group error rate has improved more than the target group error rate. For example, the basic group error rate improved from 10.82% to 4.19%, while the target group error rate improved from 13.92% to 9.25%. The CSS has not changed its sample selection method despite these results. • On average, the regions with large cities have higher error rates than the regions with smaller communities. For example, the average total error rate was 11.10% for the three regions of Saint John, Moncton and Fredericton, while the average total error rate was 8.83% for the other five regions. On average, the CSS sample sizes are the same for each region. Audit services does not use the results of the regional investigators work 7.60 Audit Services is not using the work of the regional investigators when planning its work. The regional investigators investigate clients based on complaints. We analyzed the detailed results of the regional investigators and found that the Interim Assistance program had the highest error percentage. We believe that this information would be useful to Audit Services when planning its yearly audit so that it focuses its efforts on the riskiest programs. CSS does not verify client payments and overpayments 7.61 CSS is not verifying the calculation of client payments and overpayments as part of its testing. Given the continuous upgrading of the system and the users ability to override system calculated amounts, having the CSS verify these amounts would help ensure the accuracy of client assistance. In our testing, we found one case where an overpayment was identified by CSS, but set up incorrectly by the case manager. The CSS did not discover this error. 7.62 The Office of the Comptroller’s review of the Income Security Program in 2000 also recommended that CSS verify client payment amounts. Department is not implementing CSS recommendations 7.63 We believe that the Department is not successfully implementing the recommendations of the CSS. For example, for the past three reviews, the CSS found that one region did not always comply with FCS policies, procedures and legislation (e.g. third party payment policy). While the CSS discussed these findings with the regional director, the fact that the same issue has occurred for the past three reviews indicates that the problem is not being corrected. 7.64 From our discussions, we learned that the Audit and Evaluation Committee is not receiving the recommendations of the CSS. This information should be provided to the Committee so that it is aware of the problems and can put plans in place to implement the recommendations. This would also allow the Committee to do high-level analysis of issues and trends. Telephone Case Review 7.65 Each year the Telephone Case Review section (TCRS) contacts selected groups of social assistance clients by telephone to confirm client information. Examples of TCRS project groups are: dependants aged 18 and over, and single parents aged 25-30 with no earned income. The TCRS reviews 2 – 4 groups of clients each year. The results of its work are reported to the Audit and Evaluation Committee. In one year, this section identified 91 overpayments in a test group of 2,675 and determined a net monthly savings total of $119,762. We found that the results of the TCRS are not compared to the Caseload Sampling section’s work to identify risk areas or trends. Recommendations 7.66 We recommended the Department review annually the population error rate estimated by the CSS. If this error rate is above the tolerable departmental error rate, the Department should implement additional procedures to reduce the error rate to the tolerable level. 7.67 We recommended the CSS adopt a risk based approach to selecting its audit sample. This would include analyzing trends from its previous years’ reports and the work of both the regional investigators and the TCRS to identify the highest areas of risk in the population. 7.68 We recommended the Audit Services’ Caseload Sampling section verify the calculation of client payments and overpayments as part of its routine testing. 7.69 We recommended the Audit and Evaluation Committee receive all recommendations made by Audit Services. 7.70 We recommended the Audit and Evaluation Committee ensure that appropriate action is taken on the recommendations of the Caseload Sampling section. Phase II: Application controls 7.71 For a social assistance payment system to be effective, we determined that the following five risks must be controlled: • assistance payments are inflated by ineligible clients; • assistance payments are inflated by ineligible benefits; • errors occur in assistance payment calculation; • recovery of overpayments is not correct; and • clients are not paid for all benefits each month and that each month’s payments are not recorded. 7.72 In the sections below, we discuss each of the risks; identify the controls in place that help manage the risks; and recommend changes that will improve the controls’ effectiveness. 7.73 Given the nature of the system, ensuring a client’s continued eligibility is difficult and thus is the highest risk area. Once clients are on assistance, the onus is on the clients to inform the Department if their situation changes. Often clients do not provide this information for various reasons. Therefore, the Department must implement detective controls to identify clients that are no longer eligible to receive assistance. The proper functioning of these detective controls is essential to ensure the continued eligibility of clients. Conclusion on application controls 7.74 Based on our examination, we believe that the NBCase application controls are adequate to ensure transactions are complete, accurate and authorized. We believe we can rely on these controls in combination with tests of transactions for our provincial audit opinion. Risk that assistance payments are inflated by ineligible clients 7.75 We reviewed the key controls which help ensure that assistance payments are not inflated by ineligible clients. We determined that the following controls were in place and working well for fiscal 2004. • Client eligibility is determined appropriately by the NBCase system. This control helps to ensure that only valid clients are paid by the system. • Unclaimed assistance cheques are controlled. This control helps ensure that only eligible clients receive cheques. • Cheque preparation and cheque signing functions are separated. This control helps to ensure that only authorized cheques are produced. • Client eligibility and existence is supported by documents on file. This control helps to ensure that only authorized clients are paid. 7.76 The following controls were in place for fiscal 2004 but need improvement. The first four controls detect instances where clients’ situations have changed. We believe these four controls are essential in confirming the continued eligibility of social assistance clients. • Assistance payments are audited regularly (at least yearly) by Audit Services (discussed previously in Audit Services section). • NBCase data is cross referenced with third party data and discrepancies followed up. • Complaints and internal requests are followed up by regional investigators. • Client reviews are performed regularly. • Medicare and social insurance numbers are validated by the system. NBCase data is cross referenced with third party data and discrepancies followed up 7.77 Discrepancies between NBCase data and third party data are not always followed up in a timely fashion. Our audit revealed that a significant number of discrepancies between NBCase, EI and CPP data have not been reviewed. Case managers are responsible for following up EI and CPP discrepancies. Recommendation 7.78 We recommended the Department continue to perform cross referencing of third-party data and ensure all discrepancies are followed up appropriately. Complaints and internal requests are followed up by regional investigators 7.79 FCS has approximately seventeen regional investigators who investigate client cases for possible ineligibility. These cases are identified by case managers, the public, needs assessors or summer students. The investigators are expected to examine between 28 – 32 cases per month. 7.80 During the course of our audit, we spoke with two regional investigators and analyzed investigation reports. We made the following observations. • We found a number of regional inconsistencies that require further explanation by the Department. For instance there were large variations between regions in the follow-up percentages. • The number of cases reviewed by regional investigators is less than expected. Recommendations 7.81 We recommended the Department obtain explanations for the inconsistencies between regions that we observed. 7.82 We recommended the Department centrally monitor the regional investigators to ensure that their work load is distributed appropriately and that follow up is completed in a timely manner. Client reviews are performed regularly 7.83 FCS policy requires social assistance clients to have regular case reviews. During a case review, an FCS employee meets with a client to update the information on file and to confirm that the client is still eligible to receive assistance. Most clients are required to receive a case review every twelve months. 7.84 Our testing of 26,000 records revealed that a small number (124) of case reviews were at least one year overdue. 7.85 We also analyzed the Audit Services Caseload Sampling testing for 2002/2003 and found that 6.8% of the financial errors related to clients who did not have a timely case review as required by policy. 7.86 We saw evidence that FCS was aware of the overdue case reviews and that it had put procedures in place to complete them by the end of summer 2004. Recommendation 7.87 We recommended the Department ensure all case reviews are completed on time as required by policy. Social insurance and medicare numbers are validated by the system 7.88 FCS policy requires social assistance clients to provide specific information to the Department within four months of being placed on assistance. If this information is not provided, the NBCase system will automatically terminate the client case. The following information must be provided within four months of being placed on assistance: • a social insurance card (SIN) and a Medicare card for each adult client; and • a medicare card and birth certificate for each child under 16. 7.89 We found examples of clients still on the system after four months, even though the above information had not been provided. Recommendations 7.90 We recommended the Department determine why the system did not terminate the clients who were on assistance for more than four months and who were missing SIN and/or Medicare numbers. If exceptions to the policy exist, then the policy should be modified to reflect the exceptions. 7.91 We recommended the Department identify all NBCase clients who have no recorded SIN and/or Medicare number and ensure that these clients comply with departmental policy. Risk that assistance payments are inflated by ineligible benefits 7.92 We reviewed the key controls which help ensure that assistance payments are not inflated by ineligible benefits. We determined that the following controls were in place and working well for fiscal 2004. • Client benefit amounts are determined appropriately by NBCase. This control helps to ensure that clients are eligible for benefits paid. • Exceptions or unusual payments are reviewed. This control helps to ensure payment amounts are approved and appropriate. • Supporting documents are received and approved by case managers or needs assessors. This control helps to ensure that client benefit amounts are accurate. • An audit trail that links system transactions to system users exists. This control helps to ensure that only authorized changes are made to client data. • Information is verified/edited by the system before it is accepted. This control helps to ensure only authorized and accurate information is entered into the system. 7.93 The following controls were in place for fiscal 2004 but need improvement. • Policies and legislation are known by case managers and needs assessors. • Assistance payments are audited regularly (at least yearly) by Audit Services (discussed previously). • Complaints and internal requests are followed up by regional investigators (discussed previously). • Client reviews are performed regularly (discussed previously). Policies and legislation are known by case managers and needs assessors 7.94 A significant number of polices are associated with the NBCase system. Applying these policies consistently and accurately is necessary to ensure that all clients are treated fairly. To do this, NBCase users need to quickly and easily research up-to-date policy information. The research tool they use is on-line help. On-line help is built into NBCase, is available in French and English and is updated regularly by the Department. 7.95 We spoke with eleven NBCase users to determine the usefulness and accuracy of on-line help. Eight users had concerns with the on-line help tool. The most common complaint was that it is difficult and time consuming to use. Users indicated that researching policies could take hours, as information could be searched for in various ways and each way could provide different results. Users noted that they often print out policies and keep their own copies at their desks. This practice increases the risk that users may use out-of-date policies. Recommendation 7.96 We recommended the Department review on-line help and determine if it can be modified so that users can find information faster and easier. If this is not possible, the Department should provide users with training on how to use on-line help more effectively and efficiently. Risk that errors occur in assistance payment calculations 7.97 We reviewed the key controls which help ensure that there are no errors in assistance payments. We determined that the following controls were in place and working well for fiscal 2004. • Assistance payments are calculated by NBCase accurately. This control helps to ensure payments to clients are correct. • System changes are approved and supported by documentation. This control helps to ensure only authorized and accurate changes are made to the system. • Client inquiries are followed up. This control helps to ensure that client payments are authorized and accurate. • Supporting documents are received and approved by a case manager or a needs assessor (discussed previously). • Exceptions or unusual payments are reviewed (discussed previously). • Information is verified/edited by the system before it is accepted (discussed previously). 7.98 The following controls were in place for fiscal 2004 but need improvement. • Training is provided to NBCase users. • Assistance payments are audited regularly (at least yearly) by Audit Services (discussed previously). • Complaints and internal requests are followed up by regional investigators (discussed previously). • Client reviews are performed regularly (discussed previously). Training is provided to NBCase users 7.99 FCS does not have a formal training program for new NBCase users; each region provides its own method of training. The completeness of user training varies from region to region because departmental training standards do not exist. To process social assistance payments correctly, case managers need to learn both the NBCase system, and all of the departmental policies associated with the system. Recommendation 7.100 We recommended FCS develop minimum training requirements for all new NBCase users to complete. These training requirements should focus on system as well as policy training. Risk that recovery of overpayments is not correct 7.101 We reviewed the key controls which help ensure that the recovery of overpayments is correct. We determined that the following controls were in place and working well for fiscal 2004. • Overpayment deductions are calculated automatically by the system. This control helps to ensure that client payments are reduced by the correct amounts if an overpayment is set up. • Cheque stubs are provided to clients giving details of benefits and overpayment deductions. This control promotes third party verification of the accuracy of deductions. • Client inquiries are followed up (discussed previously). 7.102 The following controls were in place for fiscal 2004 but need improvement. • Overpayment amounts are calculated properly by the system. • Training is provided to NBCase users (discussed previously). Overpayment amounts are calculated properly by the system 7.103 Overpayment amounts are calculated automatically by NBCase. In our discussions with FCS staff, several noted concerns with the automatic overpayment calculation function. They noted instances where they believed overpayments were improperly calculated and that they found it difficult to correct an overpayment once it was set up. Recommendation 7.104 We recommended the Department modify the NBCase system to make reviewing, tracing and verifying overpayment amounts easier for system users. Risk that clients are not paid for all benefits each month and that each month’s payments are not recorded 7.105 We reviewed the key controls which help ensure that clients are paid for all benefits each month and that each month’s payments are recorded. We determined that the following controls were in place and working well for fiscal 2004. • Total assistance payments are reconciled to the general ledger. This control helps to ensure that general ledger expenses are complete and accurate. • Client inquiries are followed up (discussed previously). • Supporting documents are received and approved by a case manager or a needs assessor (discussed previously). • Cheque stubs are provided to clients giving details of benefits and overpayment deductions (discussed previously). 7.106 The following controls were in place for fiscal 2004 but need improvement. • Assistance payments are audited regularly (at least yearly) by audit services (discussed previously). • Training is provided to NBCase users (discussed previously). Other observations Delegation of authority 7.107 During the course of our work, we noticed a number of policy exceptions that were “approved by the Minister”. We saw no evidence of the Minister’s written approval authorizing these payments. We reviewed departmental legislation to determine who is authorized to approve all payments (not just exceptions) and act on behalf of the Minister. The Family Income Security Act defines the Minister as “the Minister of Family and Community Services and includes any person designated by the Minister to act on the Minister’s behalf”. We saw no evidence that the Minister has explicitly designated any individual in the Department to act on his behalf. We believe this delegation of authority should be formally documented to comply with legislation and to protect those individuals who are acting on the Minister’s behalf. Recommendation 7.108 We recommended the Minister’s delegation of authority be formally documented. Departmental response 7.109 The Department responded positively to our report, and indicated their agreement with substantially all our recommendations. Department of Justice Pre-arranged Funeral Services Program Background 7.110 The Consumer Affairs Branch of the Department of Justice is responsible for the administration of the pre-arranged funeral services program. 7.111 The Department defines a pre-arranged funeral plan as “a formal agreement with the funeral director which allows a person to make personal funeral arrangements, in consideration of payment in advance by a lump sum or by instalments.” A funeral director who wishes to offer this service must be licensed under the Pre-arranged Funeral Services Act. 7.112 The Act provides for the establishment of a Compensation Fund to ensure better protection for the purchasers of pre-arranged funeral services. The Fund receives fees from the funeral directors and is administered by the Board of the New Brunswick Funeral Directors and Embalmers Association. The balance of this Fund at 31 March 2004 was approximately $1.9 million. 7.113 The Department indicated that as of 31 December 2003 there were 67 licensed funeral directors in the Province and approximately 15,500 pre-arranged funeral service contracts outstanding. This translates into approximately $80 million being held in outstanding pre-arranged funeral service contracts between consumers and the funeral homes. The Act requires that this money be kept in separate trust funds at approved financial institutions. Scope 7.114 The objective of this audit was: To determine if the Province has taken the appropriate steps to protect the interests of the public with respect to pre-arranged funerals. Conclusion 7.115 As a result of our work, we concluded that the role played by the Department and the Province is one that reasonably protects the interests of the public with respect to the pre-arranged funerals program. While we were generally satisfied, we did present a number of recommendations to the Department which we feel could further improve the protection of the public. How compliance with legislation is measured 7.116 The Examinations Branch of the Department is responsible for auditing funeral homes to measure compliance with legislation. The Department has a policy manual in place to organize the audit function. In addition the Department has detailed audit programs that they consistently use when conducting an audit in the funeral home. Based on the results of our examination, the Branch testing appears to adequately cover the sections of the Act that set out the compliance requirements. 7.117 However, we are concerned with the frequency with which the Examinations Branch is auditing funeral homes. The number of funeral home audits by year, for the last five years, was as follows: 7.118 As stated earlier, as of 31 December 2003 there were 67 funeral directors in the Province licensed to sell pre-arranged contracts. The Department indicated they had been trying to visit each funeral home on a two-year cycle. As shown in the table above, this is not happening. At the time of our audit in the Examinations Branch, there were eight vacant positions: six examiner positions, one director position and one manager position. These vacancies had existed for more than three years. There was just one examiner assigned to examine the funeral homes. 7.119 We are concerned about the current audit cycle because the Act only provides a two-year window to pursue a prosecution. Section 9.1 of the Act states: A prosecution for a violation of or a failure to comply with this Act shall be commenced within two years from the time of the violation or the failure to comply. 7.120 It appears that any violation of the Act identified by the examination cycle after the two-year deadline could not be addressed. 7.121 Subsequent to our audit, the Department contracted with an external auditor to perform approximately fifteen examinations. Recommendation 7.122 We recommended the Department make a formal commitment to a standard audit frequency for funeral homes. The Department should ensure that the audit frequency allows them to take action under section 9.1 of the Act when it is necessary. Departmental response 7.123 Once staffing of the Examinations Branch is completed, the audit schedule will be revisited to ensure that all licensees are inspected within a 24 month schedule and are inspected at least once every 24 months thereafter. 7.124 As noted in the report, in the interim, external audit services have been retained and will be continued, pending completion of staffing to permit the performance of audit functions. How compliance with legislation is enforced 7.125 The Department is using the Examinations Branch to identify cases of non-compliance. Once identified, these cases of non-compliance are then reported to the Consumer Affairs Branch of the Department. Consumer Affairs then issues a copy of the report and a letter to the funeral home requesting a written response. Generally they give the funeral home a specified length of time to respond to the points in the report. 7.126 We examined ten cases that were handled by the Consumer Affairs Branch and found three cases where the information was not complete. In each of these three examples there was no response on file from the funeral home. After we pointed out these three situations, the Department completed the necessary follow-up. Recommendation 7.127 The Consumer Affairs Branch should take the necessary steps to ensure the funeral homes submit their responses to the Branch’s enforcement communications on a timely basis. Departmental response 7.128 The Consumer Affairs Branch, since the audit, has taken and will continue to pursue a more regimented follow-up process to require written responses to enforcement communications. The Branch will develop guidelines to trigger further follow-up activity. Losses through fraud, default or mistake 7.129 Section 13(2) of the Auditor General Act requires us to report to the Legislative Assembly any case where there has been a significant deficiency or loss through fraud, default or mistake of any person. 7.130 During the course of our work we became aware of the following significant losses. Our work is not intended to identify all instances where losses may have occurred, so it would be inappropriate to conclude that all losses have been identified. Department of Education • Missing equipment, money and supplies in various school districts $16,137 Department of Family and Community Services • Theft of cash $14,007 Department of Health and Wellness • Missing equipment and money, and ineligible medicare service claims $11,878 Department of Justice • Missing equipment and cash shortages $7,466 Department of Natural Resources • Missing equipment and cash shortages $2,511 Department of Tourism and Parks • Missing equipment $7,700 Department of Training and Employment Development • Missing equipment and cash shortages in various community colleges $19,031 Department of Transportation • Missing equipment and supplies in various districts $8,264 7.131 Losses reported by our Office only include incidents where there is no evidence of break and enter, fire, or vandalism. 7.132 The Province reports in Volume 2 of the Public Accounts the amount of lost tangible public assets (other than inventory shortages). 7.133 In 2004, the Province reported lost tangible public assets in the amount of $204,035 compared to a loss of $108,065 reported in 2003.