Introduction 3.1 In this chapter we discuss our significant findings and recommendations relating to our audit of the Province’s financial statements. Scope 3.2 To reach an opinion on the financial statements of the Province, we carry out audit work on the major programs and activities in departments. In addition, we audit major revenue items and a sample of expenditures chosen from departments. We also test internal controls of significant computerized systems. 3.3 Because of the limited objectives of this type of audit work, it may not identify matters which might come to light during a more extensive or special examination. However, it often reveals deficiencies or lines of enquiry which we might choose to pursue in future audit work. 3.4 In almost every audit, there are matters arising that need to be discussed with management. These matters, although significant, are not sufficiently large in dollar terms to affect our opinion on the financial statements. It is our practice to report these matters to senior officials of the departments concerned, and to ask for a response. Some of these findings may not be included in this Report, because we do not consider them to be of sufficient importance to bring to the attention of the Legislative Assembly, or because public attention to weaknesses in accounting controls, before they are corrected, could possibly result in loss of government assets. 3.5 Our examination of the matters included in this chapter of our Report was performed in accordance with Canadian generally accepted auditing standards, including such tests and other procedures as we considered necessary in the circumstances. The matters reported should not be used as a basis for drawing conclusions as to compliance or non-compliance with respect to matters not reported. Responsibilities of Government 3.6 The government is responsible for the preparation and the content of the Province’s financial statements. The Statement of Responsibility at the front of Volume 1 of the Public Accounts is signed by the Minister of Finance on behalf of the government. The Comptroller is responsible for preparing the financial statements in accordance with Canadian public sector accounting standards. When preparing the financial statements, the government must make significant estimates, as not all information is available or determinable at the time of finalizing the statements. Examples of areas where management has made estimates in the financial statements are: allowances on investments, employee future benefits and tangible capital assets. Responsibilities of the Office of the Auditor General 3.7 Our Office is responsible for auditing the financial statements. An audit provides reasonable, but not absolute, assurance that the Province’s financial statements are free of material misstatement. Material misstatement refers to an item or group of items that, if omitted or misstated, would alter the decisions of reasonably knowledgeable financial statement users. The tolerable level of error or misstatement is a matter of judgment. 3.8 We obtain reasonable assurance on the financial statement figures because it would not be cost effective to obtain absolute assurance - our auditors cannot test every transaction. By applying audit procedures to test the accuracy or reasonableness of the figures appearing in the financial statements, we achieve our desired level of assurance. We use audit procedures such as tracing samples of transactions to supporting documents, testing the effectiveness of certain internal controls, confirming year-end balances with third parties and reviewing the reasonableness of estimates. Our Opinion on the Financial Statements 3.9 In our opinion, the financial statements present fairly, in all material respects, the financial position and results of operations of the Province of New Brunswick in accordance with Canadian public sector accounting standards. Matters Arising from our Audit 3.10 The following table shows audit areas where we had significant findings, the department or agency responsible and the page number where our findings are located. Audit Findings Department/Agency Page Accounting and Reporting Office of the Comptroller 55 Provincial Accounts Payable and General Ledger System (Oracle) Office of the Comptroller 63 Accounts Payable Input and Approval (IPM) Process New Brunswick Internal Services Agency (NBISA) 68 Payroll System (HRIS) New Brunswick Internal Services Agency (NBISA) 72 Property Tax System Department of Finance 79 Social Assistance System (NBCase) Department of Social Development 81 Long-term Care System (NBFamilies) Department of Social Development 84 Office of the Comptroller Accounting and Reporting Public Sector Accounting Board Standards (PSAB) Tangible Capital Asset (TCA) Policy 3.11 The province currently does not capitalize computer hardware and software as part of its TCA policy. This policy is not in compliance with PSAB. A draft TCA policy for capitalizing computer hardware and software had been developed by the Office of the Comptroller, but the policy has not been implemented. Recommendation 3.12 We recommended the Office of the Comptroller determine the value of significant computer hardware and software (e.g. Medicare system) and account for those items in compliance with PSAB. A computer hardware and software policy should be implemented that meets PSAB requirements. Comments from Management 3.13 My Office will review the tangible capital asset policy related to the capitalization of computer hardware and software and make a recommendation to Board of Management regarding a specific change to the policy. Capital Asset Policy – P3 and DOT arrangements 3.14 There was a significant adjustment in the current year financial statements relating to the Public-Private Partnership (P3) entered into by the NB Highway Corporation. Currently there is no provincial policy in place with respect to accounting for P3 arrangements. With the increase in the number of such P3 arrangements, the province should develop a policy on accounting for P3’s. Recommendation 3.15 We recommended a comprehensive policy be developed for P3 accounting which at minimum considers recognition criteria, measurement considerations, vetting of significant estimates and betterment identification considerations. Comments from Management 3.16 The substance of P3 arrangements needs to be evaluated on a case by case basis with reference to existing standards and policies. In some cases the result is the acquisition of an asset (or the deemed acquisition through the transfer of risks and benefits of ownership) and should be treated as assets or asset betterments. As my Office reviews the tangible capital asset policy, we will look for areas where clarification around P3 arrangements can be added. Lease Analysis 3.17 During the audit we requested a sample of detailed calculations from the Department of Supply and Services related to new lease contracts. The information provided to us in one instance indicated that the lease met the criteria to be capitalized. The lease had been incorrectly accounted for as an operating lease. Recommendation 3.18 We recommended significant lease contracts and arrangements be reviewed to determine the proper accounting treatment has been adopted. We further recommended such analysis be performed early in the financial reporting year to ensure timely reporting, communication and proper financial statement presentation. Comments from Management 3.19 The Department of Supply and Services currently reviews all significant building leases. It is my understanding that the lease you refer to was relatively insignificant from a financial statement perspective and therefore may not have been analyzed to the same level of detail by departmental staff. I believe that the material leases were properly classified and accounted for. My Office will work closely with Supply and Services and other departments to ensure proper consultation and communication with respect to proper accounting treatment for leases. Sick Leave Accrual 3.20 PSAB 3255 requires that governments recognize a liability and an expense for sick leave benefits, if they are significant in nature. In order to validate the significance of the obligation, a documented estimate should be prepared. Management should prepare a documented estimate of the sick leave obligation and expense and, if significant, an accrual should be made in the financial statements. Recommendation 3.21 We recommended the Office of the Comptroller document an estimate for sick leave obligation and record it in the financial statements if it is significant. The documentation pertaining to the estimate should include how management identifies transactions, events and conditions which give rise to the need for an accounting estimate or a change in estimate, how management made the accounting estimate including details on the estimate model, the use of any experts, a list of, and support for, any assumptions, and how management has addressed estimation uncertainty. Comments from Management 3.22 My Office will undertake to expand on the documentation we currently have related to the sick leave liability. Netting of Expenditures 3.23 In the past, we commented that certain provincial tax expenditure programs have been netted against tax revenue. This treatment understates provincial revenue and expenditures. A new PSAB standard coming into effect for fiscal years beginning on or after April 1, 2012 provides guidance on the proper treatment of tax expenditure programs. We were pleased that the Office of the Comptroller had early-adopted this standard for several programs in the Public Accounts this year, and encourage them to continue reviewing other such programs to ensure they are consistently accounted for. Recommendation 3.24 We recommended the Office of the Comptroller continue to review tax expenditure programs to ensure they are accounted for consistently. Comments from Management 3.25 My Office and the Tax Revenue Branch of the Department of Finance have an ongoing project (since winter 2011) to review and analyze the various tax expenditure and other programs to determine proper accounting for each. It is our intention to be fully compliant with the accounting standard by the time it is effective in the fiscal year ending March 31, 2013. We are pleased with the amount of work completed in this area for the year ended 31 March 2011 and early adoption for those programs we could identify, analyze and quantify in a short period of time. Moncton Land Purchase 3.26 During the fiscal year, the province began negotiating an agreement to purchase land for a new school in the Moncton area. Funds were put in trust with external legal counsel for the land purchase, and the land was recorded by the province as a tangible capital asset at 31 March 2011. As the risks and rewards of the land had not yet transferred to the Province, it was not in compliance with PSAB to record the land purchase. Management’s Use of Estimates 3.27 Under the new Canadian Auditing Standards, we are required to perform new audit procedures on estimates and management’s process to develop and select accounting estimates. In connection with this we note there are several financial statement items where management estimates are used to calculate the amount reported. Examples of where management estimates are used include future employee benefits, allowances, provisions, reserves, and contingencies. Uncertainty exists around accounting estimates due to the availability and reliability of information used to calculate estimates, which increases the risk of misstatement in the financial statements. 3.28 In order to address the effect of estimation uncertainty we need to ascertain that management has performed due diligence to evaluate or consider all alternative assumptions or outcomes and determine if the chosen alternatives are reasonable. We also need to evaluate the reasonableness of significant assumptions used by management, their validity compared to recent actual results and management’s intent and ability to carry out specific courses of action. 3.29 Throughout the audit we discovered several areas where accounting estimates were used and management did not have adequate documentation maintained for these estimates. Below are some of the issues arising from management’s use of estimates. Provisions and Allowances 3.30 Management estimates are used when calculating provisions and allowances. There are numerous provisions and allowances in the provincial financial statements, some examples include: allowances on accounts and interest receivable, allowances on loans, provisions and reserves on property tax, and general provision on outstanding lawsuits. We recommended enhanced documentation be developed in advance of next year’s audit to demonstrate the process followed to calculate, evaluate and review significant management estimates. When documenting support for estimates the documentation should include how management identifies transactions, events and conditions which give rise to the need for an accounting estimate or a change in estimate, how management made the accounting estimate including details on the estimate model, the use of any experts, a list of, and support for, any assumptions, the effectiveness/precision of the estimate by review of past estimates and the actual results achieved, and how management has addressed estimation uncertainty. Discount Rates 3.31 There are a number of account balances which require the use of discount rates to calculate the estimated future liabilities. These include, but are not limited to, retirement allowances, pensions, sick leave accruals and workplace health and safety accruals. The rates used in the calculation are determined by management in conjunction at times with external experts. Due to the nature and size of these liabilities, a small change in the rate could cause a material impact to the financial statements. We recommended these rates be subject to annual review and formal documentation of the process and their calculation should be maintained. Further, for unfunded obligations (such as Worksafe NB liability, hospital self insurance liability and retirement allowance liability) the Province should establish one discount rate for these unfunded liabilities and apply the rate consistently in all calculations, or document with support why the discount rate chosen is appropriate relative to discount rates used on other unfunded provincial liabilities. P3 Accounting – Vetting Process 3.32 Estimates were made in determining the amount of rehabilitation payments to capitalize for P3 highway projects. The estimates were derived from an original reference case for each project. These calculations are subject to significant judgment respecting timing of expenditures and related amounts. Due to the significant judgment involved in these calculations, the vetting process of these estimates should be well documented and reviewed. In addition we recommended the original reference cases should be periodically reviewed to determine whether past estimates are accurate and a reflection of what is actually occurring under these contracts. Recommendation 3.33 We recommended the Office of the Comptroller ensure supporting documentation for significant estimates is maintained and reviewed. Comments from Management 3.34 My Office will continue to document significant estimates used and enhance the documentation where possible and feasible. In addition, we will request that departmental staff enhance their documentation of estimates used for accounting entries such as the capitalization of rehabilitation costs incurred by third parties who are contracted to maintain New Brunswick highways. Government Reporting Entity (GRE) 3.35 PSAB standards state that the GRE should comprise the organizations that are controlled by the government. Periodic review of the GRE and what is contained within is needed to ensure the current reporting of provincial organizations is appropriate and to reconfirm the completeness of the entity. We noted the New Brunswick Systems Operator was not included in the GRE. 3.36 We also believe that the relationship between New Brunswick nursing homes and the Province should be reviewed to determine whether nursing homes belong in the GRE. Recommendation 3.37 We recommended the Office of the Comptroller review and document the boundaries of the GRE to reconfirm all appropriate entities are captured. We further recommended the relationship with nursing homes be reviewed to determine whether they should be included in the GRE. The relationship with the New Brunswick System Operator should also be examined with analysis documented to support conclusions reached. Comments from Management 3.38 My Office will endeavor to establish a cyclical review of all entities currently included in the GRE to ensure they still meet the criteria for inclusion, as well as a review of others who may have been excluded in the past. A more specific review of the control relationship with Nursing Homes will be carried out by Staff from OoC and Social Development. If the New Brunswick System Operator is going to once again be part of the NB Power Group of Companies, no review will be required. Otherwise, a review will be conducted to determine if they should be part of the GRE. Other Matters for Consideration 3.39 During the audit several matters arose that we believe management needs to consider. We have documented these matters and have listed them below. Consolidation adjustments 3.40 The timing of the Office of the Comptroller consolidation work and analysis of entries is occurring very late in the audit process. This is resulting in an undesirable delay in the review of the consolidation analysis and reconciliation of consolidation variances. Recommendations 3.41 We recommended the consolidation work be performed earlier in the audit process, at minimum two weeks prior to signing of the audit opinion. 3.42 We recommended any consolidation variances identified during the audit as significant, but not material, should be resolved prior to the next audit cycle. 3.43 We also recommended the steps followed in the consolidation process used by the Province be documented with the related work with evidence of review noted. Service Organization Reports 3.44 There are several external service organizations used by the province (e.g. Student Loan Program and RBC Dexia). When using a service organization it is important for management to be assured that the service organization has the proper controls in place to safeguard transactions that are processed on behalf of the Province. If management does not have such reports on file, management should request reports from service providers on the effective operation of controls. Management should review the report, follow up on exceptions and document their findings as to whether the proper controls are present to ensure that management can rely on the service organization. 3.45 Similarly, management did not have on file for review documentation supporting the effective operations of controls at organizations (e.g. Service New Brunswick) where a significant volume of transactions are processed on behalf of central government. Management receipt and review of this information is necessary to determine if controls are operating effectively and to permit adequate review/analysis of exceptions prior to system reliance. Recommendation 3.46 We recommended management document the information obtained regarding the effective operation of controls and their review of this information, where the processing of significant volumes of transactions is outsourced from central government. Chancery Place Accounting and Contract Management 3.47 Significant professional judgment was required in the determination of the appropriate accounting for Chancery Place. The audit team performed numerous interviews with employees involved in the purchase and reviewed various documentation to ensure that the accounting treatment properly reflected the substance of the transaction. We were ultimately satisfied that the accounting treatment for the purchase of Chancery Place reflected the substance of the transaction. 3.48 However, due to the imprecise wording in the contract, significant professional judgment was required as noted above to determine if the agreement to purchase did in fact constitute a purchase for accounting purposes at 31 March 2011. In addition we had a concern regarding the timing or speed of such a large transaction so close to the Province’s fiscal year end. We believe such concerns could be avoided by entering into agreements earlier and, to the extent possible, ensuring that agreements indicate clearly that the property, as well as the risks and rewards of ownership, have passed to the Province. 3.49 Moreover, the Province has not yet been able to move its employees into the building and has paid a significant amount of money to the City of Fredericton for the building. We understand that completion of the building is considerably behind schedule. We are not aware of any penalties or other remedies in force to effectively reduce delays and to speed up the Province’s possession of the building. Recommendation 3.50 We recommended that the Province review the Chancery Place purchase process to ensure future purchases can, to the extent possible, clearly be seen to have taken place in the fiscal year recorded and that future agreements protect the Province as much as possible against performance gaps / delivery delays. Office of the Comptroller Provincial Accounts Payable and General Ledger System (Oracle) Background 3.51 The Provincial Accounts Payable and General Ledger System (Oracle) is one of the most significant systems operated by the Province. The accounts payable module is responsible for making the majority of the government’s payments. The General Ledger (GL) module is used for recording all of the Province’s transactions and the information stored in the GL is used to generate the Province’s financial statements. The Office of the Comptroller operates the system, but all government departments use it for making payments. Because of the significance of this system, every year we test its internal controls and we select and test a sample of transactions that it processed. 3.52 In our 2009 report, we reported findings and recommendations resulting from our contract with an external vendor who specialized in Oracle control reviews. This year we followed up on these recommendations to determine if they were implemented. In the following paragraphs, we discuss the recommendations that were not implemented and make additional recommendations for improvements. Lack of Segregation of Duties Excessive Access by IT Support to Oracle 3.53 We noted excessive access by IT support to the Oracle database using APPS account. In response to this 2009 finding, the Office of the Comptroller (OOC) attempted to perform an update of the database, which would allow IT support users to login as ‘APPSRO’ and give them read- only user access. This would have eliminated the issue regarding IT support user accountability when accessing the database. However, the upgrade could not be completed due to hardware failure during testing. The database administrator indicated that read-only access through the use of the ‘APPSRO’ account will be available once Oracle is upgraded next year. Recommendation 3.54 We recommended this continue to remain a priority for OOC to address as the Oracle system upgrade is completed. Comments from Management 3.55 This will remain a priority. Due to continued constraints on our ability to make modifications to our current platform, the production implementation of this change will be deferred until the Oracle R12 upgrade is completed in January 2013. IT Support access to production modules 3.56 IT Support users have access to all production modules. In response to this 2009 finding, the OOC created a weekly report that detailed changes made to IT support staff’s user access during the period. This report is being reviewed periodically by the Director of Accounting Services, however, currently the review is not being completed frequently enough to be effective. In order for this control to be effective, the report should be reviewed on a weekly basis. Recommendation 3.57 We recommended the OOC review the changes to IT support access on a weekly basis to ensure the access is appropriate. Comments from Management 3.58 Changes have been made recently to make the report more readable. The Director of Accounting Services is now reviewing the report weekly. User ‘SYSADMIN’ Oracle functions 3.59 User ‘SYSADMIN’ permits business user functions in Oracle. Currently, the Oracle user SYSADMIN is permitted business user functions through responsibilities assigned to this user account. This is inconsistent with proper segregation of duties in an electronic environment as system administrators should not have business user responsibilities. Recommendation 3.60 We recommended the OOC review the SYSADMIN user account to determine appropriate responsibilities are assigned and that there are no segregation of duties conflicts between system administrators and business users. Comments from Management 3.61 The “business user functions” available to the account have been disabled. The password to this account has been changed and only known to Database Administrators. Configuration Change Access (Accounts Payable Module Super Users) 3.62 All six OOC IT Support staff members have been assigned Accounts Payable super user accounts in production. This provides the users with the ability to process configuration changes to the module directly within production. Recommendation 3.63 We again recommended users only be assigned access to process configuration changes in production on a temporary basis. The granting of this access should be approved, logged and formally monitored as part of the change management process. This is an important control to address electronic segregation of duties within the system. Comments from Management 3.64 Access to these accounts are sometimes required as part of the support process. The small size of the team means each member fills multiple roles. OoC is investigating whether read-only versions of the super user responsibilities can be created and assigned to users who currently have the full version. Other Matters Review of Oracle Application Access 3.65 Periodic review of access within the Oracle application is not conducted. In response to this 2009 finding, the OOC implemented an annual process whereby confirmation of the appropriateness of Oracle user access is conducted for each department. For 2011, confirmation requests were sent in January of 2011. As at 15 June 2011, responses were still outstanding for four of the twenty-one departments contacted. This issue is exacerbated by the fact that two of the outstanding departments (New Brunswick Internal Services Agency (NBISA) and New Brunswick Community College) were created in 2010 and therefore could potentially be at an increased risk for inappropriate user access assignments. Recommendation 3.66 We recommended a further step be added to the access review process whereby departments that do not respond to the request are contacted for follow up until the required confirmation has been received. We recommended any remaining outstanding responses be obtained and reviewed. Comments from Management 3.67 There will be a major review of responsibilities during the Oracle R12 project. Departments that have not completed the annual review will be contacted and the process will continue to be performed on an annual basis. Review of Changes to Supplier Information in Oracle 3.68 Monitoring of changes to supplier information is currently not being reviewed. The OOC developed a biweekly report that allowed them to monitor changes to supplier information. However, the report has not been reviewed since April 2011 due to time constraints from the year end process. Accounting staff also indicated that the details of any unusual activity, identified during the performance of this function, were forwarded to NBISA with a request for follow up. As at 5 June 2011, there has been no response from NBISA regarding any of the requests. Recommendation 3.69 We recommended the monitoring of changes to supplier information resume as soon as possible. This control is an important step in ensuring the validity and appropriateness of supplier payments. We also recommended the OOC, in conjunction with NBISA, designate a key contact at NBISA that will be responsible for follow up on activity flagged by the OOC and to report the results to the OOC in a timely manner. Comments from Management 3.70 The GNB approach to supplier set up and changes to supplier databases have been considered problematic for some time, from a control point of view. This area is in need of a thorough study and overhaul that goes beyond reviewing reports of changes. In conjunction with NBISA and horizontal teams working on government renewal projects, my Office will work towards a better (more efficient and improved internal controls) procure-to-pay process that is closer to best practice than existing GNB processes. Review of Database Access in Oracle 3.71 The use of SYS and SYSTEM database accounts is not being monitored. The OOC enabled Oracle’s database logging function and the accounting staff attempted to review the account activity for the period October 2009 to July 2010. However, this attempt was unsuccessful due to issues regarding the output obtained from Oracle. A request was made to refine this data to make the report more functional, however, the request is still outstanding and no effort at follow up has been made to date. Recommendation 3.72 We recommended further action be taken prior to the end of the 2011-12 fiscal year to refine the database logging data and render it functional in order for the OOC to perform an effective review of the SYS and SYSTEM activity. Such a review will assist in identifying inappropriate system access or activity. Comments from Management 3.73 In order for monitoring of database access to be effective, the reviewer needs to understand both the report and the impact of the access. My Office is currently involved in discussions with the Department of Finance IT Branch with respect to having the DISO in Finance oversee this function. Administration Manual Policy AD-6402 3.74 We noted the new payment process implemented by the NBISA does not comply with administration manual policy AD-6402 – Approval of Payments. AD-6402 requires the person who is exercising payment authority to: * add the invoice (this is no longer completed for all invoices), and * ensure that spending authority has been properly exercised (with the new process, payment authority is now exercised prior to spending authority). Recommendation 3.75 We recommended the OOC consult with the NBISA with regard to policy AD-6402 and revise the policy to reflect current payment approval requirements for processing government transactions. In addition, we recommended certain acts (e.g. Financial Administration Act & Public Purchasing Act) be reviewed to ensure they are consistent with the electronic processing environment and NBISA involvement. Comments from Management 3.76 Over the past two years my Office, in consultation with NBISA and others, has expended a significant amount of time and effort with a view to revising administration manual policy AD6402. During the process it became evident that the existing policy is not only out of date for processes introduced by a shared services environment, but also due to processes with case management applications feeding Oracle Accounts Payable that are not in keeping with the outdated policy. My Office anticipates working on this project in conjunction with the Oracle R12 upgrade and a move to a more integrated procurement process. Most likely changes will not be finalized until spring 2013. In terms of reviewing the Financial Administration Act and the Public Purchasing Act – both are included in the mandate of NBISA. My Office will work closely with NBISA on these projects. NBISA - Accounts Payable Input and Approval (IPM) Process Background 3.77 As a result of NBISA assuming responsibility during fiscal 2010-11 for processing a significant volume of transactions for central government, we are commenting on our findings from testing of NBISA systems in this section of the report. Change Management 3.78 We noted NBISA only started tracking system changes to the IPM system in February 2011. A change management process was not in place for the entire year. By not having an effective change management process, the risk of unauthorized and inaccurate changes increases. This could lead to invalid payments being made by the system. 3.79 The NBISA provided us standard operating procedures for IT Operations which it now follows for change management on the IPM system. The NBISA indicated that it was following the spirit of these procedures as opposed to the exact detail. Recommendation 3.80 We recommended the NBISA review the change management process, and tailor it so that it can be used for the IPM system. The NBISA should follow the revised changed management process. Comments from Management 3.81 An IPM change management process is in place and is being used. Formal documentation outlining the details of the process was not available at the time of the audit therefore the reference material from the IT Operations process that covered the same basic approaches and principles was provided along with the qualification. 3.82 A Standard Operating Procedure (SOP) which will detail the IPM change management procedures that are in place is being prepared and will be completed by November 1, 2011. Segregation of Duties 3.83 We noted in testing of segregation of duties one employee who had the ability to apply payment authority to invoices, as well as add vendors to the supplier maintenance file. Typically the functions relating to creating vendors and applying payment authority are segregated to prevent inappropriate activity in the system. The NBISA indicated that this access was an exception and subsequently, it removed the access. The individual who had this access did not have the ability to apply spending authority for payments. Both payment and spending authority is required before a payment will be made. Recommendation 3.84 We recommended the NBISA identify potential segregation of duties with respect to user access. When assigning access to users, the NBISA should ensure that users do not receive access which results in segregation of duties weaknesses. Comments from Management 3.85 The agency is conscious of duty segregation requirements and the design of the IPM workflow and support functions take duty segregation requirements into account. Individuals are not provided with access that would permit them to independently complete transactions from end to end or cause a payment to be made. While the noted case did not permit such end to end processing, it was contrary to the standard process flow design and stemmed from the rolling wave of deployments and the movement of staff between functions as the agency was being set up. As part of the access administration process, the agency will ensure that users do not receive access which results in segregation of duties weaknesses. Partnership Agreements 3.86 We noted the NBISA did not have service partnership agreements with departments in place during the fiscal year. These agreements set out roles and responsibilities for the NBISA and departments. This is important in order to set up an appropriate structure for the operations of the NBISA. This is especially important in the case of the Office of the Comptroller who is responsible for ensuring there are proper controls over the disbursements made by the Province. We understand the NBISA was waiting for services to be deployed to all departments before obtaining signed service partnership agreements with departments and that it had a memorandum of understanding with each department and for each service. Recommendation 3.87 We recommended the NBISA have signed service partnership agreements with each department for which the NBISA provides services. Management’s Comments 3.88 Service Partnership Agreements (SPA’s) are a critical element of a shared services agency. Draft SPA’s have been provided to all departments and review meetings have been conducted. The final agreements will be sent to each department on November 10th for signature. The anticipated completion date is November 30, 2011. Delegation of Payment Authority 3.89 We noted the NBISA’s payables staff deploying from various departments began exercising payment authority for payments upon arrival at the NBISA and after training. However, the deployed staff were often involved in processing payments from all deployed departments. The appropriate documentation for these staff to approve payments for other departments was not on file (i.e. the NBISA had no documentation on file delegating this authority). By not having documented delegated payment authority for NBISA staff, payments were not in compliance with Administration manual policy AD-6402 – Approval of Payments. Recommendation 3.90 We recommended the NBISA ensure employees who are exercising payment authority have the appropriate documented delegation from department heads. Comments from Management 3.91 Through Service Partnership Agreements with client departments payment authority is delegated to NBISA. The president of NBISA has delegated payment authority to all employees within the Accounts Payable section of NBISA. Administration Manual Policy AD-6402 3.92 We noted the new IPM process implemented by the NBISA does not comply with administration manual policy AD-6402 – Approval of Payments. AD-6402 requires the person who is exercising payment authority to: * add the invoice (this is no longer completed for all invoices), and * ensure that spending authority has been properly exercised (with the new process, payment authority is now exercised prior to spending authority). 3.93 The NBISA indicated that it has consulted with the Office of the Comptroller (OOC) on this matter and that together, they are working on changes to the administration manual to reflect current requirements. Recommendation 3.94 We recommended the NBISA continue to consult with the OOC with regards to policy AD-6402 to help ensure this policy is revised to reflect current payment approval requirements for processing government transactions. Comments from Management 3.95 Both NBISA and the Office of the Comptroller recognize and agree that Policy AD 6402 must undergo a fundamental review. Through discussions, both parties recognize a need to address authority delegation inconsistency at the department level, to incorporate the concepts of risk and materiality, to address overlaps between spending and payment authority responsibilities, and to address the variation between spending authority forms and the concept of TOSA. NBISA will continue to work with the Office of the Comptroller to align Policy 6402 with the current shared services delivery model. Table of Spending Authority (TOSA) 3.96 The TOSA contains the information used by the IPM system to determine who can apply spending authority to payments. Keeping the TOSA up-to-date is critical in ensuring proper spending authority is applied to payments. 3.97 When reviewing updates to the TOSA, we found that some of the change requests from departments were stored off line on NBISA employees’ hard drives rather than stored in a central location. Having this information stored on employees’ hard drives increases the risk that the information will become lost or inaccessible. 3.98 We also noted the NBISA sent to departments listings of the employees recorded in the TOSA for the departments to confirm the accuracy of the employees listed. Ensuring the accuracy of the entries in the TOSA helps ensure that only authorized departmental employees have the ability to approve payments. Not all departments replied to the request and the NBISA did not follow up with departments who did not reply. When we tried to review this work, we were told that all of the replies were lost (as they were emails from departments stored on an employee’s hard drive). Recommendation 3.99 We recommended the NBISA continue to confirm the employees recorded in the TOSA on a yearly basis. Comments from Management 3.100 The annual follow up with departments to confirm the content of their TOSA is part of the fiscal year end process which will continue. In the future responses will be tracked and follow up will be performed on outstanding responses. Recommendation 3.101 We recommended the NBISA follow up with departments who do not reply to the above request. We recommended the NBISA ensure all requests to add, change or delete information from the TOSA, including the yearly department updates, be stored in a central location to ensure the information can be easily located. Comments from Management 3.102 Actions have been taken to ensure records associated with TOSA maintenance are properly stored and backed up. Logging of Administrator Duties 3.103 We noted the IPM system has ten system administrators. These individuals have the ability to both enter payments and approve transactions in the system. Three of these administrators also have the ability to change programs and move them to production. The NBISA indicated that the work of these administrators is logged, however, there is no process in place to monitor the logs. Without monitoring the logs, the NBISA and the Province are at risk that unauthorized payments could be made. The NBISA recognizes that this monitoring process is needed and plans to implement this in the future. Recommendation 3.104 We recommended the NBISA review the activity of the system administrators to ensure all activity is appropriate. This review should be documented as evidence that the monitoring was performed. Comments from Management 3.105 Reporting has been created to support an independent assessment of system administrator activities. A review will be completed at least twice annually by the Accounts Payable Compliance unit to ensure the activities carried out by administrators are appropriate and properly supported. NBISA –Payroll System (HRIS) Background 3.106 The Payroll System (HRIS) is another significant system in the Province that we test every year. Starting in the 2011 fiscal year, the New Brunswick Internal Services Agency (NBISA) operated this system and processed the payroll transactions for Civil Service and pension payrolls. Changes to Salary and Deduction Tables 3.107 In our testing of changes to salary and deduction tables, we found one case in a sample of 20 where the salary rate was changed but no evidence of a secondary verification of the rate was on file. By not having a secondary verification of all salary rate and deduction changes, the risk increases that incorrect amounts could be entered into the payroll system resulting in incorrect payment amounts to employees. Discussion with Management 3.108 The NBISA was not certain why this control deviation occurred. The change in question related to a salary rate that was input and activated on the same day. The verification may have been done on-line and the documentation may not have been printed. Recommendation 3.109 We recommended all changes to salary and deduction tables be verified by a second individual and evidence of this verification be documented and filed. Comments from Management 3.110 Standard operating procedures are documented and include a verification process. The deviation discovered in audit appears to be an isolated incident. We have since reinforced the importance of following the specified process. Transfer of Information to Oracle 3.111 The NBISA does not agree information transferred to Oracle from the Human Resource Information System (HRIS). By not agreeing information transferred to Oracle to HRIS, the risk increases that incomplete or inaccurate information could be transferred to Oracle. 3.112 On 1 April 2010, the Office of the Comptroller (OOC) and NBISA changed the way HRIS transfers data to Oracle. Under the new method, NBISA receives an email from the OOC indicating the transfer to Oracle was successful. In this case, successful means that the debits equal the credits in Oracle and all lines were accepted by Oracle. It does not mean that the correct dollar value was transferred. We believe NBISA should verify the completeness and accuracy of the information transferred to Oracle, by agreeing the Oracle amounts to HRIS. Recommendation 3.113 We recommended the NBISA agree information transferred to Oracle from HRIS to ensure all information has been transferred completely and accurately. Comments from Management 3.114 We have begun to develop a process to ensure compliance. Payroll System Error 3.115 Permanent payroll officers, who were previously employed as casual employees, can enter time sheets for their previous casual employee numbers. By having the ability to enter time sheets for your own employee number, the risk of payroll fraud increases. 3.116 We noted this system issue in our work in 2008. The Office of Human Resources, who was responsible for HRIS at the time, indicated that this problem would be fixed in the next system release. Since that time, the next system release occurred, however, the problem mentioned above was not corrected. Recommendation 3.117 We recommended the NBISA modify HRIS so that permanent employees are no longer able to enter time sheets on their previous casual employee number or develop controls to mitigate this risk. Comments from Management 3.118 In order to remedy this issue, a release is required for the system. In the interim we have begun to develop a short term solution to the problem in the form of a weekly post payroll report which will identify any changes or pay adjustments made to any payroll officer. The online system has built in edits to prevent adjustments to their own records and the new report will identify an attempt to input a timesheet using their previous casual records. Other checks and balances are also in place. Retirement Allowance – Calculation Errors 3.119 The number of years of service for two retirement allowances was calculated incorrectly. By miscalculating the number of years of service, retirement allowance payments will be incorrect. 3.120 In the first case, the error related to the determination of the number of years of service which was calculated as 24 years instead of 22. This error was pointed out to a payroll supervisor at the NBISA who was able to put a stop payment on the cheque and a new cheque was issued. The amount of the potential overpayment was $1,748. 3.121 The second case related to a retirement allowance that was not calculated by the NBISA staff. In this case, the employee was 20 days away from receiving 14 years of service. The department in question decided to pay the employee for 14 years of service rather than the 13 years that the employee was entitled to. Administration policy AD-2407, indicates that retirement allowances should be calculated on the total of full years of continuous service. Discussion with Management 3.122 We inquired with the Office of Human Resources whether or not Deputy Ministers have discretion in determining the years of service. We were told that “there is no flexibility under the policy for Deputy Ministers to have discretion when calculating the years of service and we are not aware of any instances where this would have been done in the past.” This money was already paid out to the employee. The amount of the error was $1,521.50. Recommendation 3.123 We recommended NBISA implement procedures to ensure retirement allowances are calculated correctly in accordance with government policy. Comments from Management 3.124 We have begun to redesign the form used to calculate retirement allowances building in calculation formulas to reduce the potential for manual calculation errors. We have also implemented a pre-processing review to validate calculations before they are processed. Retirement Allowance – Changes needed to form 3.125 The form used by the NBISA for calculating retirement allowances does not align with the Administration Manual policy AD-2407. Increased errors in the calculation of retirement allowances could occur by using a form that promotes calculating retirement allowances differently than specified by policy. 3.126 The retirement allowance form suggests retirement allowances be calculated by multiplying the completed years of service with the weekly salary amount. The policy requires retirement allowances be calculated by using the number of days worked less the number of pre-retirement leave taken. This number is then multiplied by the employee’s regular rate of pay. 3.127 We see two problems with the way the form is designed: 1. Persons completing the form could forget to deduct pre- retirement leave, thus over paying the employee. 2. If employees receive pay increases in between the time they took their pre-retirement leave and the time they retire, the amount of the retirement allowances could be calculated incorrectly and the employees could be over paid. Recommendation 3.128 We recommended the NBISA revise the retirement allowance form so that it aligns with the calculation method suggested in the administration manual policy. Comments from Management 3.129 Please see [previous] response. Redesign will adhere to the requirements of policy AD2407. Blue Cross Reconciliations Not Current 3.130 Blue Cross reconciliations are not up-to-date. By not reconciling Blue Cross data on a timely basis, the Province is at risk of overpaying or underpaying Blue Cross for employee insurance amounts. 3.131 The responsibility for the reconciliation of the Blue Cross invoices has been passed on to the NBISA from departments. The NBISA is behind in completing the reconciliations mostly because departments were behind when the NBISA took on this responsibility. The NBISA should make completing Blue Cross reconciliations a priority and complete them in a timely manner. Recommendation 3.132 We recommended the NBISA reconcile Blue Cross billings with payroll information on a timely basis to ensure the correct amounts are paid to Blue Cross. Comments from Management 3.133 Upon deployment of Payroll and Benefits to NBISA, it was discovered that a number of departments had failed to reconcile Blue Cross billings. NBISA accepts responsibility for Blue Cross reconciliations from the date of deployment of each department to NBISA. We have assigned resources to ensure reconciliation on a go forward basis. 3.134 A strategy needs to be developed for those arrears outstanding at the time of a department’s deployment to NBISA. We recognize the importance of these reconciliations and will work with OHR and OoC to develop an approach. Standardized Payroll Procedures Required 3.135 The NBISA should develop standardized payroll procedures and train all payroll staff on how and what procedures should be followed. By not having standardized procedures, the risk increases that internal controls will not be performed consistently by all staff resulting in potential payroll errors. 3.136 In our discussions, the payroll manager indicated that payroll supervisors are required to “audit” the payroll. This means the supervisors verify commencements and terminations 100% and spot check other adjustments. From our discussions with payroll supervisors, we learned that not all payroll supervisors are following these procedures. One payroll supervisor indicated that she does not verify commencements and terminations 100% - she spot checks this information. She mentioned that she does not verify casual commencements data to HRIS which is an important step in ensuring that the payroll entry is correct. Another payroll supervisor indicated that she does verify the information communicated to us by the payroll manager. 3.137 We also conducted work in one department which resulted in us examining payroll controls in district offices. We noted that some districts did not maintain authorized general change forms (GCF) nor authorized HRIS screen shots as evidence that the payroll officers verified the accuracy of their input to HRIS. Discussion with Management 3.138 Management noted that it is in the process of developing standardized procedures. We believe the NBISA should communicate and train all staff (head office and district offices) on these procedures. The standardized procedures should apply to both payroll officers and payroll supervisors. Recommendation 3.139 We recommended the NBISA develop standardized payroll procedures for payroll supervisors and payroll managers to follow. Staff, in both head office and district offices, should be trained on how to perform the procedures. Comments from Management 3.140 We recognize that standardization is the key to achieving the efficiency that the Agency is aiming for. We have launched a continuous process improvement (CPI) approach to examine various processes and transactions in the Hire to Retire stream. We have also implemented standardized checklists and provided staff with standard reference material. A process to address the specific incident mentioned in your report has been developed and staff have been trained. Payroll and Benefits Service Requests not on File 3.141 Payroll and Benefits service request forms were not on file for items in our sample. The Payroll and Benefits service request form is the mechanism used by departments and the NBISA to request changes to payroll information. By not having the form on file for all changes, the NBISA does not have the authority to make the changes to employees’ payroll information. This puts the NBISA at risk if an error should occur in the payroll as a documented audit trail authorizing the change does not exist. 3.142 In our sample of 20 commencements and terminations, we found six cases where the Payroll and Benefits service request form was not on file. Recommendation 3.143 We recommended for changes where a Payroll and Benefits service request form is required, the NBISA ensure authorized forms are received before payroll data is changed. Comments from Management 3.144 Standard operating procedures are documented. We have since reinforced the importance of following the specified process. Documenting Vacation Leave Payout 3.145 The NBISA should improve its documentation relating to the payout of vacation pay for terminated employees. By not properly documenting vacation payout for employees, the risk increases that incorrect payments could be made. 3.146 In two of the five regular employee terminations, we saw nothing on file to indicate the payroll officers ensured the employees’ leave records were up-to-date prior to paying out the employees’ vacation pay credits. This increases the risk that employees will be paid for vacation they have already taken. 3.147 Also, in three cases the HRIS leave records were not updated to reflect the payout of the vacation pay. Updating the HRIS leave records once the vacation has been paid out will help ensure employees are not paid twice for accumulated vacation. Recommendation 3.148 We recommended the NBISA ensure payroll officers verify that all employee leave has been recorded in HRIS before paying out vacation pay to terminated employees. We also recommend payroll officers ensure the HRIS leave records are updated once employee vacation is paid out. Comments from Management 3.149 Documenting vacation leave payout has been added to the checklist that staff use and a report is run in Forest and Trees to determine any outstanding balances. Staff will be asked to include a screen shot from HRIS with the calculation for audit purposes. GCF Not Signed 3.150 Payroll staff did not always authorize general change forms (GCFs) for commencements prior to sending them to departments. Authorizing GCFs provides evidence that someone verified the data input into HRIS is correct. It also provides an audit trail on who input the information into the system. 3.151 In our testing in one department, we found three cases in our sample of five positioned employees where the GCFs for commencements filed in the department were not signed by the staff at the NBISA. Recommendation 3.152 The NBISA should ensure payroll officers sign GCFs on commencement as evidence that payroll information was input correctly into the system and that an audit trail exists indicating who performed the transaction. Comments from Management 3.153 Standard operating procedures are documented and available to staff. We have since reinforced the importance of the general change form (GCF) to staff and reiterated the importance of ensuring that they are properly signed off. Department of Finance - Property Tax System Background 3.154 The Property Tax system is another key government system which we audit. It processes property tax revenue for the Province. The system is operated by both Service New Brunswick and the Department of Finance (Finance). The scope of our work focuses primarily on the system aspects operated by Finance. Documenting System Changes 3.155 We noted documentation of change management procedures needs to be improved. Properly documenting change management procedures helps to ensure that all system changes are properly approved, adequately tested and authorized for production. This reduces the risk of unauthorized or invalid changes being made to the system. 3.156 During our audit, we tested eleven property tax system changes made during the year. For five of the changes, we found no documented evidence indicating that the change requests were approved. Although we saw evidence that testing was completed successfully, there was no formal testing sign off. We also found one case where the document authorizing the system change to production could not be located. Recommendation 3.157 We recommended all system change approvals, testing result sign-offs and authorization to production approvals be documented and filed properly. Comments from Management 3.158 The Department of Finance agrees with the recommendation and steps have already been taken to incorporate a formal Testing Sign-off in the Change Management process. Emphasis will also be placed on ensuring that all appropriate approvals are received, documented and filed properly. Reconciliation of Canada Post Data Files 3.159 Service New Brunswick (SNB) and Finance are both responsible for reconciling Canada Post data files to property tax information. This reconciliation is a two step process. SNB is responsible for reconciling the property tax roll to a billing file and Finance is responsible for reconciling the billing file to the Canada Post data files. 3.160 We noted issues relating to this reconciliation process: * The process seems to be two distinct pieces prepared by two separate organizations, rather than one reconciliation of property tax information. * Although we were able to successfully reconcile the amounts, we found explanations were not readily available for discrepancies in the SNB reconciliation. 3.161 We believe Finance should coordinate the reconciliations ensuring that both reconciliations are complete prior to issuing the bills. This well help to ensure the billing process is complete and accurate. Recommendation 3.162 We recommended the Department of Finance ensure the Canada Post data files are properly reconciled with the property tax system information prior to issuing the property tax bills. All discrepancies should be followed up and adequately explained. Finance should also maintain a copy of the SNB reconciliation for its records. Comments from Management 3.163 The Department of Finance agrees with the recommendation and discussions have already taken place with SNB to modify the existing reconciliation process to ensure that the two existing verifications, performed by Finance and SNB, are reconciled and documented. Finance agrees to maintain both documents for its records. Department of Social Development – Social Assistance System (NBCase) Background 3.164 The Social Assistance System (NBCase) is another significant system in the Province. The Department of Social Development (Social Development) operates the system and it makes payments to social assistance clients in the Province. It processes transactions of approximately $232 million. Access Controls – Disabling Inactive Users 3.165 Social Development is not disabling all inactive NBCase user accounts after 90 days of inactivity. We have reported this issue and made recommendations to Social Development for the past three years. Disabling inactive user accounts on a timely basis reduces the risk of unauthorized access to information. 3.166 During our testing, we noted that 46 NBCase user accounts had not been disabled after 90 days of inactivity as required by government policy. We found that of these 46 NBCase users, only 12 of these had valid reasons for not being disabled. We noted 11 users were no longer with the department and no longer had access to the departmental network reducing the risk of unauthorized access. The remaining 23 users, however, had access to both the Social Development network and the NBCase system. These users should have been disabled as per the Government Information Technology Systems Security policy, dated November 2006 which states “Access to GNB information systems, applications and computing resources shall be based on each user’s business requirement.” Social Development is not complying with this policy as Social Development employees have access to confidential information not required for their job functions. Discussion with Social Development 3.167 Social Development indicated that it should more closely scrutinize the current process it has in place for monitoring NBCase User account activity. It should be able to address this issue by measures already implemented. Recommendation 3.168 We recommended Social Development should follow our prior year recommendations and disable NBCase user accounts after 90 days of inactivity to minimize the risk of unauthorized access. Comments from Management 3.169 As previously advised in response to earlier reports, it is not necessary to disable NBCase accounts after 90 days because all Active Directory Accounts are disabled after 30 days of inactivity. If a user does not have an Active Directory account, they will not be able to access NBCase. There is no risk to security. Training NBCase Users 3.170 There is no formal training process in place to ensure NBCase users are properly trained. The risk of payment errors increases when users are not properly trained on how to use the system. 3.171 During our audit, we found various situations that indicated that NBCase user training is an issue for Social Development. 1) We found four cases where the information in NBCase was not updated properly. Examples of these errors are: * One client’s date of death was not entered into the system resulting in the client’s file not being terminated properly. * One client had two client files in the system rather than the Case Manager using an already existing file. * Two clients had been terminated in NBCase due to their age but were not notified of the termination. 2) Of the client payment errors found in the Caseload Sampling Unit’s testing, it was reported that case managers could have detected these errors in 14% to 42% of the cases examined. This indicates a deficiency in Case Manager training. (The Caseload Sampling Unit audits a random sample of client payments to ensure clients are receiving the correct type and amount of assistance.) 3) Training issues were also identified in our discussions with NBCase users. We contacted thirteen NBCase users in all eight regions to discuss NBCase training. * Nine users identified training as an issue and wanted to receive more system training. * Some users had received training initially when they first started using NBCase, however, no additional training has been provided. * Eleven users indicated that they find the on-line help tool time consuming and difficult to use. * We found no consistency between regional training programs. In one region a user received a half day training session, in another region a user received no formal training and in a different region a user received one week of training. * From our discussions, it appears that the majority of training is informal. Needs assessors or case managers ask more experienced co-workers to help them with their NBCase issues. Discussion with Social Development 3.172 Social Development indicated that it is looking into the training issue. In our discussions, departmental representatives conveyed that they also believe training is not solely the cause of the issues discussed above and that case managers do not have adequate time to dedicate to their tasks. Recommendation 3.173 We recommended Social Development should develop a formalized training program for NBCase users. This will help to minimize risk of improper system use and/or payment errors. Comments from Management 3.174 NBCase system training will be addressed through the implementation of the new User Support Model and through the implementation of new initiatives such as Social Assistance Reform and the Canada Revenue Agency Set-off Program. Recommendation 3.175 We recommended Social Development should review the case manager resourcing issue identified in our discussions. If it is determined a lack of resources could cause a risk of improper payments, additional controls may need to be implemented. Comments from Management 3.176 The Department agrees with this recommendation. Caseload Sampling Unit Testing Schedule 3.177 The Caseload Sampling Unit is not completing its file review and report of findings in a timely manner. Social Development relies on the Caseload Sampling Unit as a control to ensure that clients are eligible to receive and are receiving the proper amount of social assistance payments. If this reporting is not completed in a timely fashion, the senior departmental officials are not kept up-to-date of current progress which could impact decision making. 3.178 The Caseload Sampling Unit audits a random sample of client payments from all eight regions to ensure clients are receiving the correct type and amount of assistance. 3.179 Over the past two years, this unit has fallen behind in completing the final steps of this process – client file review and report of findings. For fiscal year 2009-10, the Caseload Sampling Unit only completed reports for two regions relating to that fiscal year. For the year 2010-11, the unit only completed the report for one region relating to that fiscal year. The remaining completed reports related to the previous fiscal year. 3.180 We rely on the work of this unit to ensure clients are eligible to receive social assistance payments. This unit frequently identifies areas where assistance payments are over or under stated. To increase the effectiveness of this control, the reporting should be completed in a timelier manner. Discussion with Social Development 3.181 Social Development indicated that Caseload Sampling reporting has been delayed due to staffing issues, including a vacant position in one of the regions. Social Development is completing these reports, but not as quickly as it would like. Recommendation 3.182 We recommended Social Development should complete Caseload Sampling Unit’s reporting in a timely manner to ensure this important risk management step is operating as anticipated. Senior departmental officials should be kept up-to-date of current progress or delays. Comments from Management 3.183 The department agrees with this recommendation. The department would note that the operation of the Caseload Sampling Unit was impacted by staffing challenges which have since been resolved. Department of Social Development - Long-term Care System (NBFamilies) Background 3.184 The Long-term Care System (NBFamilies) is another significant system in the Province that we test every year. Social Development operates the system and it processes transactions of approximately $265 million for child protection and long-term care programs. The system also tracks information on clients, service providers and adult residential facilities. The NBFamilies system provides information to the provincial Oracle system which, in turn, produces payments to various service providers or clients. 3.185 Various internal controls are built into the system to ensure only authorized payment information is transferred to the Oracle system for payment. The NBFamilies system has an electronic interface which enables service providers to electronically input information into the system. Various controls are in place to verify the accuracy of this information before a payment is made. 3.186 Our work covered payments made in both the long- term care and child protection programs. We also examined internal controls in place for system access and change management. We tested 20 payments processed in all eight regions during the fiscal year of 2010-2011. In the following paragraphs, we discuss our significant findings from our testing. Disabling Inactive Users 3.187 The NBFamilies system has approximately 756 users. During our testing, we found 68 users had not been disabled after 90 days of inactivity. Disabling inactive user accounts on a timely basis reduces the risk of unauthorized access to information and is required by government policy. 3.188 Social Development did not provide us with a reason why the user accounts were not disabled. It did indicate that some of the user accounts are required for the reporting structure and cannot be disabled. Social Development did not inform us, however, of how many of the 68 accounts are mandatory and could not be disabled. 3.189 The above results have improved from the previous year when we found 95 NBFamilies users had not been disabled after 90 days of inactivity compared to the 68 inactive accounts for the current year. Social Development indicated that it is trying to review inactive user accounts on a quarterly basis. This review has not happened, however, because of time constraints and staff transitioning to the New Brunswick Internal Services Agency. Recommendation 3.190 We recommended Social Development disable NBFamilies user accounts after 90 days of inactivity to reduce the risk of unauthorized access to information. Comments from Management 3.191 Active directory accounts are disabled automatically after 30 days of inactivity. Users are not able to login to the NB Families System without a working Active Directory Account. We feel that this procedure effectively meets the security concern requirement for disabling NB Families account access after 90 days of inactivity. Proper Spending Authority 3.192 Approval of Payments policy AD-6402 defines spending authority as “approval to spend funds out of the approved budget prior to making a purchase or commitment. Approval indicates sufficient funds are available to pay for the purchase.” The Province requires that all payments must have spending authority approval before they are paid. 3.193 Deputy Ministers are charged with the responsibility to delegate spending authority to their staff. They do this by signing a spending authority delegation form which specifies who can approve purchases and what the spending limit is for the approver. 3.194 For NBFamilies payments, employees exercise spending authority electronically. Social Development inputs into a system table a list of who can approve payments and the spending limits for each approver. Only users listed in this table can approve payments. 3.195 As part of our testing, we ensured that each payment in our sample had proper spending authority. We did this by agreeing the electronic spending authority with the Deputy Minister approved spending delegation form. 3.196 This year we found 3 cases where the spending authority in NBFamilies did not agree with the Deputy Minister delegation form. This has decreased significantly from last year when we found 11 spending authority errors. We believe the decrease results from supervisors approving more payments that are above the social workers’ spending limits. 3.197 In all cases where spending authority errors were found, the amount approved in NBFamilies was greater than the amount designated on the Deputy Minister delegation form. There were two cases where social workers, with a spending authority limit of $700, approved Adult Residential Facility fixed payment amounts ranging from $910.54 to $4,549.22 per month. The remaining case was a similar circumstance where an administrative support worker, with a spending authority limit of $0, approved an Adult Residential Facility fixed payment of $2,250.83. 3.198 Social Development advised that as long as an individual has spending authority, they have the ability to approve a fixed rate requisition. 3.199 We understand that employees need the ability to approve fixed rate requisition amounts but this authority should be specifically delegated by the Deputy Minister on the delegation form. Recommendation 3.200 We recommended Social Development ensure all employees who provide spending authority for payments have been delegated this authority by the Deputy Minister on the spending authority delegation form. Employees should not authorize payment amounts that exceed the authorized limits delegated by the Deputy Minister. Comments from Management 3.201 The Department agrees with this recommendation. Payment Agrees to Contract 3.202 Social Development signs contracts on an annual basis with service providers authorizing them to provide services to departmental clients at specified rates. The contract also sets out terms and conditions that the service providers must meet. As part of our testing, we agree service provider invoices to the rates in the approved contracts. 3.203 During our testing, we had six items where contracts were required. We found one case in the Chaleur region where Social Development did not provide us with the contract for the service provider, even though we requested this information from Social Development on several occasions. We concluded, therefore, that Social Development made payments to service providers who did not have signed contracts with Social Development. We did confirm, however, that the rate being paid for the in- home service was the general rate being used by Social Development for that time period. Recommendation 3.204 We recommended Social Development only make payments to service providers who have signed contracts with Social Development. Comments from Management 3.205 The Department agrees with this recommendation. Backup Supports Payment – Electronic Invoicing Errors 3.206 Social Development offers service providers the option to electronically submit their invoices through a web-based invoicing system. As part of our audit process, we ask Social Development to contact service providers and obtain supporting documentation for selected electronic invoices. We review the supporting documentation to ensure it agrees with the amounts paid to service providers. 3.207 In our sample of 20 items, Social Development made six payments to suppliers who submitted invoices electronically. We found one error in these six payments. The error was in the Moncton region. The error occurred because the service provider submitted an invoice requesting payment for 21.5 days of services provided. When we examined the backup, we determined that the service provider should only have billed for 19.5 days. This resulted in an overpayment of $66.00 to the service provider. 3.208 As part of our testing, we also examined the client attendance records for the same service provider covering the period of April 2010 to February 2011 to determine if the service provider was billing the actual days it provided services to clients. We found that the service provider billed the same amount each month regardless of the number of days it provided services to clients. For example, the service provider billed for 21.5 days of services each month, but did not provide 21.5 days of service in any of the months. This would result in an overpayment in each of the 11 months examined. 3.209 For the past three years, we have reported problems with electronic payments and made recommendations in this area. From our testing this year, we believe that Social Development’s strategy for managing this inherent error in the electronic invoice payment process still needs to be reviewed and modified to reduce the level of error. Recommendation 3.210 We recommended Social Development should review and modify its process for managing electronic payments so that the inherent error in this process is reduced to an acceptable level. Comments from Management 3.211 The Department agrees with this recommendation. Financial Documentation and Client Contribution Error 3.212 Clients are required to contribute to the services they receive through NBFamilies if their income is above a certain amount. There are two financial documents that must be completed to determine the amount of the client contribution – a financial declaration form and a financial contribution form. The financial declaration form is completed by the client and it records the client’s income. Using this information, Social Development completes a financial contribution form which uses a pre-determined formula to calculate the amount of the client contribution. 3.213 One of our audit criteria was to ensure that the financial documents were up-to-date and on file for each client. We also verified that the amount of client contribution was calculated correctly. Social Development’s policy requires it to complete client financial reassessments every two years. If a client is receiving social assistance, this reassessment is not required. 3.214 In the 20 payments tested, we found three cases where the financial documents were not up-to-date or not on file which resulted in two cases where the client contribution was incorrect. The errors can be broken down as follows: * 3 – financial documentation were out-of-date leading to 1 client contribution error; * 1 – financial information was not provided leading to 1 client contribution error. Recommendation 3.215 We recommended Social Development complete financial reassessments within a two year timeframe for clients as required by policy. Data which needs to be updated should be input into the system in a timely manner. This will assist in ensuring the accuracy of information affecting the calculation of ongoing payments to clients. Comments from Management 3.216 The Department agrees with this recommendation. The Department is currently undertaking a project whereby a monitoring system has been set up for regions to verify that all financial information is up-to-date and inputted into the electronic system. Out-of-Date Case Plans 3.217 Social Development requires that case plans be completed annually or as required by the system so that clients’ services and requirements are documented in the system. The case plan helps to ensure that clients receive the proper level of care. 3.218 In the 20 payments we tested, we found three cases in two regions where clients had out-of-date case plans. Recommendation 3.219 We recommended Social Development update client case plans annually or as required by the system to ensure authorized services for clients are regularly reviewed and documented. Comments from Management 3.220 The Department agrees with this recommendation. Long-term Care Assessments 3.221 In the 20 payments we tested, we found three clients had either a long-term care assessment that was out-of-date or not on file. 3.222 In the first case, the client was receiving in-home care and the last long-term care assessment was from April 2008. In the second case, the client was in an Adult Residential Facility (ARF) level two and the most recent long-term care assessment was from March 2006. We found no evidence indicating that client reviews had been performed since the date of the long-term care assessments. 3.223 In the final case, the client was receiving services under the Alternate Family Living Arrangements (AFLA) program and Social Development was unable to provide a long-term care assessment. We found no evidence that client reviews had ever been performed. When discussed with a social worker in Social Development, the social worker indicated that on average long-term care social workers have between 240 and 260 cases. The social workers do not have time for annual reviews, however, if they have a request for additional services or if there is a crisis, they will visit the client. 3.224 Departmental guidelines suggest that an annual case review be conducted on clients receiving services in-home, through the AFLA program or from an adult residential facility. Regular case reviews and client contact helps ensure clients continue to receive an appropriate level of care to meet their needs and to ensure the services currently being provided continue to remain necessary. Recommendation 3.225 We recommended Social Development conduct client reviews on a regular basis. The client reviews should be documented in the NBFamilies system as evidence that the reviews were completed by Social Development. Such reviews will help ensure clients continue to receive an appropriate level of care to meet their needs and to ensure the services currently being provided continue to remain necessary. Comments from Management 3.226 The Department agrees with this recommendation. Documenting Annual Client Reviews 3.227 This year in our testing of long-term care assessments, we found evidence that the social workers had contact with clients in 17 of the 20 items tested. This contact, however, was not well documented. The Long-term Care Policy Manual provides guidance on the areas to review when conducting an annual case review. They are: * Client’s condition – The social worker is to assess whether the client’s condition and needs have remained unchanged during the past year. * Adequacy of services – The social worker is to ensure that the method by which LTC services are provided to the client and/or family caregiver is still adequate. * Client’s satisfaction – The social worker is to determine if the client and/or family caregiver is satisfied with the current supports and services. * Client’s financial situation – The social worker is to ensure that the client has submitted a recent copy of his/her Income Tax Notice of Assessment. 3.228 From our review of the notes in NBFamilies, we did not see any evidence that the social workers assessed the four areas described above. We did see evidence that the social workers contacted the clients and that the clients’ case plans were updated. Recommendations 3.229 We recommended social workers assess and document the client’s condition, the adequacy of services, the client’s satisfaction with services and the client’s financial situation when conducting annual case reviews. 3.230 We recommended Social Development develop a form or template to help social workers document the information required when completing annual client case reviews. 3.231 We recommended Social Development ensure all social workers are adequately trained on how to conduct and document an annual client case review. Comments from Management 3.232 The Department agrees with these recommendations. The Department will develop a form to document the information required when completing an annual review of a client’s case. Adult Residential Facility Inspection and Licensing Documentation 3.233 Social Development is required to inspect all Adult Residential Facilities (ARF) before issuing a license to the facility. This license is called a Certificate of Approval. Social Development’s standards require a complete annual inspection at least 60 days prior to the expiry date of this certificate. This 60 day time period gives the ARFs time to fix any non-compliance issues before their certificates expire. If an ARF has non-compliance issues and its certificate is going to expire, Social Development can issue a temporary license for a period of six months. This time period allows the ARF to fix the non-compliance issues and for Social Development to revisit the ARF to ensure all significant non-compliance issues are fixed before Social Development issues a renewal certificate of approval. 3.234 As part of our audit procedures, we ensure that ARF’s are inspected and licensed as required by Departmental policy. We reviewed all licensing and inspection documentation provided for the six payments in our sample that related to ARFs. We found two reportable items which are discussed below. 3.235 We found one instance where Social Development did not provide us with any evidence that departmental inspectors had performed a full inspection of an ARF before issuing a Certificate of Approval. Departmental standards require inspectors to complete a standard inspection form as evidence that an inspection was completed prior to issuing a Certificate of Approval. 3.236 We found one case where Social Development did not provide us with the ARF operator application for certificate covering the period of payment. As per discussion with Social Development, an operator application should have been on file covering that period. Recommendations 3.237 We recommended Social Development complete and receive all licensing documentation prior to issuing a Certificate of Approval to an ARF. 3.238 We recommended Social Development ensure all documentation be kept on file to support Certificates of Approval. Comments from Management 3.239 The Department agrees with these recommendations. Other Findings 3.240 During our testing, we found one payment made to an Agency which administers a part of the AFLA program. Social Development entered into a purchase of service agreement with this Agency. The agreement indicates that Social Development pays the Agency a monthly administration fee, as well as amounts that should be paid to third parties based on departmental approved client case plans. The Agency in turn makes these payments to the third parties. We were told that Social Development has no process in place to ensure that the Agency pays the third parties all of the money it received from Social Development. Based on the agreement, however, we noted the Agency is required to provide financial and program reports to Social Development on occupancy and activities. Social Development was unable to provide these reports to us for the payment in our sample. 3.241 These Agencies that act as administrators of the AFLA program should provide some form of documentation to Social Development showing that it paid the third parties the correct amounts. Recommendations 3.242 We recommended Social Development obtain documentation that provides evidence that Agencies are paying the correct amounts to third parties involved in the AFLA program. 3.243 We recommended Social Development ensure it receives written financial and program reports on occupancy and activities from Agencies involved in administering the AFLA program as required by contract. Comments from Management 3.244 The Department agrees with this recommendation. Losses through Fraud, Default or Mistake 3.245 Section 15(2) of the Auditor General Act requires us to report to the Legislative Assembly any case where there has been a significant deficiency or loss through fraud, default, or mistake of any person. 3.246 During the course of our work we became aware of the following significant losses. Our work is not intended to identify all instances where losses may have occurred, so it would be inappropriate to conclude that all losses have been identified. Department of Education Missing equipment and cash in various school districts and head office $11,881 Department of Environment Lost equipment $ 370 Department of Justice Missing cash $ 300 Department of Natural Resources Missing equipment from various regions $ 2,730 Department of Transportation Missing equipment from various districts $13,500 3.247 Losses reported by our Office only include incidents where there is no evidence of break and enter, fire, or vandalism. 3.248 The Province reports in Volume 2 of the Public Accounts the amount of lost tangible public assets (other than inventory shortages). 3.249 In 2011, the Province reported lost tangible public assets in the amount of $29,290 compared to a loss of $39,826 reported in 2010. Matters Arising from our Audit of the Financial Statements of the Province Chapter 3 Chapter 3 Matters Arising from our Audit of the Financial Statements of the Province 94 Report of the Auditor General - 2011 53 Report of the Auditor General - 2011