Introduction

4.1 On October 4, 2013 our Office signed an unqualified audit opinion on the consolidated financial statements of the Province of New Brunswick. The opinion indicates the Province's consolidated financial statements are fairly presented in accordance with Canadian public sector accounting standards.

4.2 To reach an opinion on the consolidated financial statements of the Province, we carry out audit work on the major programs and activities in departments. In addition, we audit major revenue items and a sample of expenditures chosen from departments. We also examine internal controls of significant computerized systems.

4.3 In almost every audit, there are audit findings to be discussed with management. While significant, the findings from our March 31, 2013 audit are not sufficiently large in dollar terms to affect our opinion on the consolidated financial statements. It is our practice to report these matters to senior officials of the departments concerned, and to ask for a response. Our significant findings and recommendations from the audit of the Province's consolidated financial statements with departmental responses are presented in this chapter. In Chapter 3 we also presented our significant findings on pension plans and NB Power.

4.4 It should be noted though that not all findings are included in our Report, because in some instances we do not consider them to be of sufficient importance to bring to the attention of the Legislative Assembly, or because public attention to internal control weaknesses, before they are corrected, could possibly result in loss of government assets. For further background on our audit objectives refer to Appendix I.

4.5 We had several findings from the March 31, 2013 audit of the Province's consolidated financial statements. We review the findings identified to determine which findings from our work are significant.
When considering which findings are significant we assess:

* dollar magnitude of the item;
* the risk the finding could result in a large loss or error in future;
* the number of instances the finding has occurred;
* if the finding has occurred in multiple departments;
* if the finding was reported in a prior year; and
* if we believe the finding is overall significant in nature.

Highlights and Recurring Themes

4.6 Highlights of our significant findings and recurring themes are presented in Exhibit 4.1.

Exhibit 4.1 - Highlights of our significant findings and recurring themes

| Theme | Finding | Finding addressed to | Prior Year Finding | Page Number |
| --- | --- | --- | --- | --- |
| Accounting Standards | Pension accounting | OOC¹ | No | 70 |
| | Government transfers | | | 77 |
| | Environmental liabilities | | | 73 |
| | Consolidation of the Government Reporting Entity | | | 76 |
| | Tax revenue | Finance | No | 83 |
| Future Considerations | Audit timelines | OOC¹ | No | 71 |
| Documentation Deficiencies | Pension plan calculations | OOC¹ | No | 75 |
| | Provision for loans | | No | 72 |
| | Injured workers’ liability | | No | 76 |
| | Allowance for doubtful accounts – loans, accounts receivable, property tax | OOC¹, Finance | Partial | 77, 85 |
| | Property assessment road reviews | SNB² | Yes | 87 |
| Information Technology | Segregation of duties | OOC¹, Economic Development, NBISA³, SNB², Finance | Partial | 81, 91, 95, 95, 95 |
| | Security and other findings | Various | Partial | 82 |
| Monitoring/Review | Review of service organization reports | OOC¹, NBISA³ | Yes | 74, 95 |
| | Economic Development loans | OOC¹ | No | 72 |
| | Fraud Risk Assessment | OOC¹ | No | 78 |
| | Property Tax Account Reconciliations | Finance | Yes | 83 |
| | Audit Committee | OOC¹ | Yes | 79 |
| Policy Update/Compliance | Information technology security policy | OCIO⁴ | Yes | 95 |
| | Approval of payments | OOC¹ | Yes | 79 |
| | Purchase card policy | | | 80 |
| | Long-term care financial assessments | Social Development | Partial | 88 |
| | Social assistance and long-term care reviews | | | 89 |

¹ Office of the Comptroller, Department of Finance
² Service New Brunswick
³ New Brunswick Internal Services Agency
⁴ Office of the Chief Information Officer

4.7 We are concerned that a number of
these findings were observed across different departments. As a result of the same issue arising in different departments we saw recurring themes emerge over the course of our work. Exhibit 4.1 shows the departments where we noted these recurring themes. Due to the significance of the issues and/or the number of instances observed, we have chosen to highlight these recurring themes in this chapter.

4.8 We are concerned at the trend of findings not being corrected by departments in advance of the next year's audit cycle. Exhibit 4.1 shows which recurring themes represent repeat findings.

4.9 In general, the responses from the departments were in agreement and they intend to address the concerns in the coming year.

4.10 While we have not noted any significant fraud, theft or error as discussed in Appendix II, the existence of the findings noted in Exhibit 4.1 increases the risk of loss or mistake in the Province's consolidated financial statements. These items should be addressed prior to the next audit cycle.

Details of Significant Findings

4.11 Our observations, recommendations and departmental responses to our significant findings are presented in this section of our Report.

Office of the Comptroller Accounting and Reporting

Pension Accounting

Observation

4.12 During the audit we noted management did not have a formal plan in place to account for the implementation of the new shared risk pension plans (SRPPs). Actuarial and accounting expertise was obtained directly by management. However, the accounting expertise was engaged late in the process and did not appear to fully assess the accounting treatment for the plans giving consideration to all applicable accounting standards.

4.13 As changes to the structure of the Province’s plans are ongoing, and changes to accounting standards may occur, the Office of the Comptroller should engage appropriate expert pension accounting resources to evaluate and select accounting options.
Ideally, this work should be completed no later than February 2014 and options assessed should include a documented examination of Public Sector Accounting Standards (PSAS), International Financial Reporting Standards (IFRS) and other accounting frameworks as may be appropriate to deal with the uniqueness of accounting for SRPPs.

Recommendation

4.14 We recommend the Department of Finance / Office of the Comptroller acquire expert pension accounting resources to document an updated assessment of appropriate accounting treatment for SRPPs given continued changes to the Province's pension plans and to allow for consideration of different accounting frameworks and new developments in pension accounting. A formal plan should be in place including goals and timelines to permit completion of this work ideally no later than February 2014.

Comments from Management

4.15 The Department of Finance/Office of the Comptroller performed an analysis of the pension plans converted to the Shared Risk Pension Model during the fiscal year covered by this audit. During this analysis, the characteristics of the converted plans were evaluated against existing accounting standards. This exercise resulted in management arriving at a proposed accounting treatment for the converted plans. External expert advice was then sought to validate the accounting decision made by management. We acknowledge the uniqueness of plans under the shared risk model and, as more plans are converted, the characteristics of each plan will be analyzed in relation to the applicable accounting frameworks.

Audit Timelines

Observation

4.16 There were delays in issuing the Province's financial statements and our audit opinion due to complex accounting matters that required significant time and analysis. It is our understanding that the planned release date of the Province’s March 31, 2014 audited consolidated financial statements is in late July.
In order to achieve this, year end financial statement preparation processes will need to be revised. Complex accounting issues, if any, must be dealt with prior to year end. Our Office would be willing to participate in order to add audit considerations to the streamlining exercise.

Recommendation

4.17 We recommend the Office of the Comptroller / Department of Finance revise the year end financial statement preparation processes accordingly to accommodate the 2014 planned financial statement release date.

Comments from Management

4.18 The Department of Finance and the Office of the Comptroller are currently undertaking a process improvement project with the goal of improving the year-end financial statement preparation process. We welcome the participation of the Office of the Auditor General in streamlining the process as the participation of the Office of the Auditor General is viewed as essential to the success of this effort.

Provision for loans administered under the Economic Development Act

Observation

4.19 Doubtful loans administered under the Economic Development Act are provided for on an individual basis. In addition to these judgmental provisions, a 3% general provision is applied to each loan, other than those deemed to have very little associated risk and loans for which there is already a full provision. The rationale for setting this general provision was determined in 2000 and has not been re-evaluated since. The rationale for the general provision should be updated annually, and applicable rates used should be supported.

Recommendation

4.20 We recommend the Department of Economic Development and the Office of the Comptroller document the rationale for using a general provision for doubtful loans, update this documentation annually and document support for rates used.
Comments from Management

4.21 The Office of the Comptroller will work with the Department of Economic Development to ensure the rationale and other factors considered in the determination of the provision requirement for loans administered under the Economic Development Act are documented annually.

Liability for Contaminated Sites

Observation

4.22 We requested from the Office of the Comptroller and the Department of Environment and Local Government a list of contaminated sites. We received a list; however, an amount had not been determined for each site, and therefore no liability could be audited or evaluated.

4.23 In addition, there is a new accounting standard, PS 3260 – Liability for Contaminated Sites, effective for the period ending March 31, 2015, which will require a significant amount of time and effort to implement. The Office of the Comptroller should ensure this standard is addressed in the coming year to allow sufficient time to analyze the Province’s exposure, hire experts if necessary, and estimate the liability to be reported in the consolidated financial statements. This analysis should include a detailed list of all contaminated sites under the authority of the Province.

Recommendations

4.24 We recommend the Office of the Comptroller prepare an analysis of the new standard, including a list of contaminated sites, and its impact on the financial statements of the Province.

4.25 We recommend the Office of the Comptroller ensure a list of contaminated sites is prepared including possible liability amounts to allow for evaluation and audit on the consolidated financial statements.

Comments from Management

4.26 The Office of the Comptroller will continue to prepare for the implementation of this standard effective for the fiscal period ending March 31, 2015.
Loan Monitoring

Observation

4.27 During the course of our audit we noted not all borrowers of loans administered under the Economic Development Act were meeting their compliance requirements as noted in their respective loan agreements. Certain borrowers did not provide audited financial statements within the timeframe prescribed by the agreement.

Recommendation

4.28 We recommend the Department of Economic Development monitor the requirements in each loan agreement to ensure compliance with criteria and required documentation for loan monitoring is received in the specified time frame.

Comments from Management

4.29 The Office of the Comptroller will discuss with the Department of Economic Development the importance of continued monitoring of compliance with loan agreements.

Service Organization Reports

Observation

4.30 In prior year findings we reported there were several external service organizations used by the Province. It is important for management to be assured that the service organizations have proper controls in place to safeguard transactions that are processed on behalf of government. This assurance is provided through a service organization internal control report. Management should review the report, follow up on exceptions and document their findings as to whether the proper controls are present to ensure management can rely on the service organization. If weaknesses are noted in service organization reports, compensating controls at the Province may need to be implemented. There was no evidence of documented review of such reports available during our audit.

4.31 In addition, the Province entered into a third party service level agreement for payment processing services where there were no third party assurance reports made available to the Province to provide comfort over the adequacy of effective internal controls outsourced to the third party service provider.
In response, the Province contracted services externally to perform this at an additional cost.

Recommendation

4.32 We recommend the Office of the Comptroller annually review the service organization reports, follow up on exceptions and document their findings as to whether the proper controls, and any necessary compensating controls at the Province, are present.

Comments from Management

4.33 The Office of the Comptroller receives and reviews service organization internal control reports. This process resulted in the contracting of an external party to review the internal controls of one service provider to ensure controls were adequate. The Office of the Comptroller will document this review process as well as the results of the reviews.

Recommendation

4.34 We recommend the Office of the Comptroller advise departments that when entering into service provision agreements with third parties for significant transaction streams, a clause be included in the agreement to ensure third party assurance reports are provided to the Province to provide comfort over the design and operating effectiveness of internal controls implemented by the provider.

Comments from Management

4.35 The Office of the Comptroller will communicate to departments the importance of including a clause in their service provision agreements requiring a third party assurance report be provided to the department annually.

Support for Key Pension Plan Calculations

Observation

4.36 We noted documentation used in the calculation to determine and isolate NB Power's portion of the Public Service Superannuation Plan net pension liability has not been updated since 2001 and is still referred to in the actuarial valuation. This documentation should be reviewed and updated to determine the information provided in it is still correct and relevant.
Recommendation

4.37 We recommend the Office of the Comptroller / Department of Finance ensure documentation used in pension calculations, such as the basis for separating NB Power's share of the pension liability, be reviewed and updated to ensure the assumptions and information contained therein are still correct and relevant.

Comments from Management

4.38 The Office of the Comptroller believes that the method used for separating NB Power’s portion of the Public Service Superannuation Plan is correct and relevant. A starting point was determined in 2001 and that starting point is adjusted annually for contributions made by NB Power as well as benefit payments for which NB Power is responsible. In addition, balances are adjusted for NB Power’s proportional share of administrative expenses and investment income. The Office of the Comptroller has discussed this matter with our external actuarial consultants to confirm that the methodology being applied and the assumptions contained therein are still correct and relevant for accounting purposes.

New Brunswick Agricultural Insurance Commission

Observation

4.39 During our audit it was noted New Brunswick Agricultural Insurance Commission was included in the consolidated financial statements through the transaction method. This entity is required to be consolidated as per PS 2500 - Basic Principles of Consolidation.

4.40 In addition, the Province has reported a loan receivable from the New Brunswick Agricultural Insurance Commission in the amount of $7.1M. Due to the entity not being consolidated and the history of losses, we believe there is a high risk of non-collection for the resulting asset, therefore the asset should be written down.

Recommendation

4.41 We recommend the Office of the Comptroller consolidate New Brunswick Agricultural Insurance Commission as required per PS 2500 – Basic Principles of Consolidation. If such consolidation does not occur, the loan balance should be fully provided for.
Comments from Management

4.42 The Office of the Comptroller commits to reviewing PS2500 – Basic Principles of Consolidation and its applicability to the New Brunswick Agricultural Insurance Commission.

4.43 As part of year end processes, the Office of the Comptroller reviewed an actuarial assessment prepared in 2011 which indicated that NBAIC is still self-sustaining. Discussions with NBAIC management confirmed that no significant events have occurred since the date of the assessment which would not be reflected in the assessment or would significantly impact the assessment. The Office of the Comptroller will continue to monitor the allowance requirement in relation to this loan as part of its year end processes.

Injured Worker’s Liability

Observation

4.44 Management’s estimate of the injured worker’s liability reported on the consolidated financial statements is derived from documentation provided by WorksafeNB. The liability calculated by WorksafeNB is prepared based on International Financial Reporting Standards, not the same basis of accounting as used by the Province.

4.45 Management should perform an analysis of the valued amounts to ensure the amounts reported by the Province are an accurate estimate of the Province’s liability. They should analyze the impact of the valuation being prepared under a different basis of accounting to ensure differences are not material to the consolidated financial statements of the Province.

Recommendation

4.46 We recommend the Office of the Comptroller complete a documented analysis of the injured worker’s liability and analyze the impact of the different accounting framework.

Comments from Management

4.47 The Office of the Comptroller will conduct a documented analysis of the injured workers’ liability amount, including any impact on the valuation of the liability due to its preparation based on International Financial Reporting Standards.
Allowance for Doubtful Accounts – Loans and Accounts Receivable

Observation

4.48 Calculation of allowance for doubtful accounts (AFDA) in certain departments is not based on past collection history and actual results are not compared after year end to ensure the estimate was accurate. In some cases, we noted no review or formal approval of the AFDA estimate. AFDA estimates should be formally reviewed, documented and compared for accuracy subsequent to year end to ensure the estimate process is thorough and robust.

Recommendation

4.49 We recommend the Office of the Comptroller advise departments that AFDA estimates should be formally reviewed, documented and compared to actual results for accuracy subsequent to year end.

Comments from Management

4.50 The Office of the Comptroller will continue to work with Departments to ensure the methodology for calculating allowance for doubtful accounts is updated, appropriate and approved.

Government Transfers

Observation

4.51 During the course of our audit we noted there was no documented analysis available prior to year end on the adoption of PS 3410 – Government Transfers with respect to transfers made by departments of the Province of New Brunswick to certain other entities. Payments made should be analyzed by departments with the assistance of the Office of the Comptroller as required, to determine whether PS 3410 - Government Transfers is applicable.

4.52 We noted instances with grants (government transfers) in the Department of Social Development and Post-Secondary Education, Training and Labour where we believe the new standard applied.

Recommendation

4.53 We recommend Departments, with the assistance of the Office of the Comptroller, prepare a documented analysis of Province of New Brunswick payments to determine if PS 3410 - Government Transfers is applicable to payments made.
Comments from Management

4.54 We see the merit of obtaining a documented analysis of the application of PS 3410 – Government Transfers from each department as it relates to transfers it issues and receives. We will endeavour to develop and obtain such documentation for the 2013/2014 audit.

4.55 The Office of the Comptroller prepared a documented analysis of the application of PS 3410 – Government Transfers for certain grants. This analysis supported the accounting treatment of these payments.

Fraud Risk Assessment

Observation

4.56 We obtained reasonable assurance about whether the consolidated financial statements as a whole are free from material misstatement, whether due to fraud or error. Our procedures included reviewing management’s internal control risk assessment; however, we noted no documented fraud risk assessment was completed. Documenting a fraud risk assessment would assist management and internal auditors to focus control and monitoring efforts on key risk areas. The absence of this risk assessment is an indication of a deficiency in internal control.

Recommendation

4.57 We recommend, on an annual basis, the Office of the Comptroller complete or update a documented fraud risk assessment as part of continuous monitoring.

Comments from Management

4.58 The Office of the Comptroller recognizes the benefit of a fraud risk assessment and will investigate alternatives for establishing a process which provides adequate coverage and can be updated on a regular basis.

Audit Committee

Observation

4.59 Canadian auditing standards require auditors to communicate to those charged with governance of an entity (e.g. audit committees or boards of directors) certain matters that may assist them in their governance roles and in overseeing management’s financial reporting and disclosure processes.
Matters that require communication include but are not limited to:

* Significant audit adjustments and/or deficiencies in financial statement disclosures;
* Significant weaknesses in internal control;
* Disagreements with management;
* Significant issues discussed, or subject to correspondence, with management;
* Significant difficulties encountered during the audit; and
* Fraud and illegal acts.

4.60 As noted in the prior year management letter, the Province of New Brunswick has no formal audit committee.

Recommendation

4.61 We again recommend the Department of Finance establish an audit committee for the Province of New Brunswick.

Comments from Management

4.62 The Department of Finance agrees with this recommendation.

Administration Manual Policy AD-6402

Observation

4.63 As noted in the prior year, the process used by NBISA for making payments does not comply with administration manual policy AD-6402 – Approval of payments. This policy is out of date for processes used by the shared services environment, as well as other payment system interfaces used by various government departments.

Recommendation

4.64 We recommend the Office of the Comptroller consult with the New Brunswick Internal Services Agency with regard to administration manual policy AD-6402 and revise the policy to reflect current payment approval requirements for processing government transactions.

Comments from Management

4.65 The Office of the Comptroller agrees with the recommendation and targets bringing forward a revised policy to Board of Management in 2014.

Purchase Card Policy

Observation

4.66 We noted the Province does not currently have a policy in place regarding the use of purchase cards. Annual purchase card transactions total over $30 million. A draft policy from 2005 does exist, however, it has never been finalized. In our work, we noted some departments have increased the purchase card limit from the default limit of $1,500.
While the increase was approved by a departmental manager, without a documented policy we cannot determine if this is the appropriate level of approval for such exceptions.

Recommendation

4.67 We recommend the purchase card policy be finalized as soon as possible.

Comments from Management

4.68 The Office of the Comptroller agrees with the recommendation and targets bringing forward a revised policy to Board of Management in 2014.

Office of the Comptroller Oracle System

Segregation of Duties – Developers’ Access to Production Data

Observation

4.69 During our review of Oracle R12 application system administration security, we noted the developers had full access to the production application and were also assigned transaction processing capability. This segregation of duties conflict allows users with powerful access privileges to override/circumvent the designed system controls. We further noted no monitoring process was in place to monitor and control access to the transaction processing responsibilities granted to the developers. Effective monitoring controls are critical given developers have access to the production application.

Recommendation

4.70 We recommend developer access to the production environment be restricted. Where access is required based on valid business reasons, it should be logged and appropriate monitoring controls should be implemented to cap the risk to an acceptable level.

Comments from Management

4.71 To provide the necessary system support, FIS Support Team members share responsibility for operational and functional support, help desk support and development. The current structure necessitates access to the production environment.

4.72 In recognition of the risk of this structure, a weekly security report has been created which outlines the last update date for responsibilities assigned to FIS support team members. This report is sent to the Director of Accounting Services and the Managers of Financial System Support.
Review procedures for this report and procedures for assigning responsibilities to FIS support team members are being formalized and documented. These procedures will include documenting the business reason for granting access and end dating access when it is no longer required.

Recommendation

4.73 We recommend the access of financial information support (FIS) team members to the Oracle R12 application be restricted to System Administration functions and any functional Oracle responsibilities that provide transaction processing capability be end-dated unless they are required for valid business reasons (in which case the access should be monitored to ensure no unauthorized transactions or changes are done in the production environment).

Comments from Management

4.74 A monthly process will be implemented to report all responsibilities assigned to FIS team members. This report will be reviewed and responsibilities end-dated as necessary.

Recommendation

4.75 We recommend, if FIS team members’ functional access is required for a valid business reason, appropriate monitoring controls be established as compensating controls to log, track and review changes made by FIS team members.

Comments from Management

4.76 The Department has implemented auditing at the forms level for FIS team member and SYSADMIN accounts. Procedures for reviewing these audit logs will be developed and documented.

Recommendation

4.77 We recommend the use of privileged system accounts be adequately controlled and monitored as these provide enhanced levels of access and could be used to circumvent the system security.

Comments from Management

4.78 SYS and SYSTEM accounts are accessed only by the DBA. The APPS and SYSADMIN accounts are accessed by the FIS Support Team only when necessary. The passwords are secured in a password protected spreadsheet to which only the FIS Support Team has access.
4.79 The Department will investigate the possibilities for monitoring and controlling access for these accounts.

Department of Finance Property Tax System

Accounting for Tax Revenue

Observations

4.80 Public Sector Accounting Standards section 3510 Tax Revenue came into effect during the current fiscal year. The section provides guidance on accounting for and presentation of tax revenue. In our work, we noted the Department performed an analysis of the classification of its tax programs to determine the accounting treatment recommended by the handbook section. We noted, however, some cases where the recommendations in the section were not properly treated and/or applied by the Department prior to our audit. For example, revenue adjustments for some concessions and penalties with an absolute value of $7.3 million were not in accordance with the guidance provided in the section. We also noted interest and penalty revenue of $15.1 million was incorrectly reported on the same financial statement line as the related tax revenue. The Department corrected both of these situations.

Recommendation

4.81 We recommend the Department review its tax accounting practices and follow all the guidance recommended in Public Sector Accounting Standards section 3510 Tax Revenue when accounting for property tax and its related accounts.

Comments from Management

4.82 The Revenue and Taxation Division will work with the Office of the Comptroller to ensure all requirements under PS 3510 are met in the future.

Account Reconciliations

Observations

4.83 During our audit, we noted several cases where incorrect amounts were used by the Department when preparing account reconciliations. One case resulted in staff of the Department and the Office of the Comptroller expending significant effort during our audit process to resolve the matter. This situation related to Local Service District revenue and resulted in an adjustment of approximately $10.1 million.
Two other cases resulted in minor adjustments to account balances.

4.84 From our work we note the following:

• Detailed review of account reconciliations is required. The Department indicated property tax account reconciliations were reviewed by the manager and/or the executive director responsible. Given the errors encountered in our testing, however, the level of review for these accounts should be increased.
• Property tax accounting staff at the Department of Finance should continue to receive training to increase their knowledge and understanding of the property tax accounting process.
• The Department should continue to review the various entries posted to the 1121 account (municipal revenue suspense) as these entries have a direct impact on the amount of provincial revenue recorded.
• The Department should also review the entries to the 0666 account (accrued municipal property taxes payable) as this account has had significant errors in its ending balance for the past two years. This year a correcting adjustment of $14.2 million was posted to this account during the audit.

Recommendation

4.85 We recommend the Department managers perform a detailed review of property tax account reconciliations in a timely manner so that any errors or omissions are detected and corrected prior to the start of the audit. Evidence of this review should be documented.

Comments from Management

4.86 The Department of Finance agrees with the recommendation and will review the current process and continue to make necessary improvements to the reconciliation review currently in place.

Recommendation

4.87 We recommend property tax accounting staff continue to increase their understanding of the property tax accounting process and receive additional training on the preparation of year end account reconciliations to reduce the risk of errors in the year end account balances.
Comments from Management
4.88 The Department of Finance agrees with the recommendation and will continue to build on the training and knowledge transfer to the property tax accounting staff.

Recommendation
4.89 We recommend the Department perform a detailed analysis of the entries made to the municipal revenue suspense account and the accrued municipal property taxes payable account. This will help eliminate posting errors to the accounts.

Comments from Management
4.90 The Department of Finance agrees with the recommendation and will implement a procedure for the review of the municipal revenue suspense account.

Supporting Documentation for Property Tax Reserve, Provision and Allowance for Loss Accounts

Observations
4.91 The Department has three main accounts where estimates are used as a basis for determining account balances. In the past, we recommended the Department document the rationale used to calculate the estimates. During our audit, we noted the Department has made some progress in implementing this recommendation; however, more work is needed. In particular, the Department should compare actual results with its estimates to determine the reasonableness of the estimate and it should provide support to illustrate how risk factors and percentages are determined.

4.92 We also found the Department’s documentation for the various accounts and accounting practices should be improved. The documentation provided by the Department was out-of-date and incomplete. At a minimum the documentation should include definitions and appropriate use of each account.

Recommendations
4.93 We recommend the Department clearly document the steps required and the rationale used to calculate the provision, reserve and allowance for loss accounts. In particular, the Department should compare actual results with its estimates to determine the reasonableness of the estimates and it should provide support to illustrate how risk factors and percentages are determined.
4.94 We recommend the Department improve its documentation of the reserve, provision and allowance for loss accounts.

Comments from Management
4.95 The Department of Finance agrees with the recommendation and will improve the documentation related to the calculations for the provision, allowance for loss and reserve accounts.

4.96 However, the Revenue and Taxation Division currently doesn’t have the resources and data to perform an exhaustive review of its current assumptions and will approach the Office of the Comptroller to jointly review these assumptions and the rationale used.

Service New Brunswick Property Tax Assessment System (EvAN)

Road Review Documentation for Property Assessment Changes

Observations
4.97 In the property assessment process, we noted documentation deficiencies in the road review performed for property assessment purposes. A road review is conducted by the assessor and the office manager to verify methodology used and evaluate the equitable level of property tax assessments. We found some evidence of road reviews being kept on file; however, this documentation should be improved. Currently, if a road review results in a change to an assessment value, a new value is written on the road review report. No evidence is recorded on the report to show who proposed the change and whether or not the change was input into the system. If a road review results in no change to an assessment value, the reviewer does not record anything on the report to show the road review was performed. Strengthening the documentation surrounding this process is important as road reviews serve as a key control in verifying the accuracy of assessment data.

Recommendation
4.98 We recommend a documented sign off of the road review by the assessor and manager who conduct the road review and by the employee who inputs the updated assessment data in the EvAN system.
This documentation should be recorded and retained for all road reviews conducted, regardless of whether or not they result in changes to the assessment data.

Comments from Management
4.99 SNB will ensure road reviews are signed off by the Assessor and Manager upon completion. The documentation will be recorded and retained for all road reviews conducted, regardless of whether or not they result in changes to the assessment data.

Department of Social Development Long-term Care and Social Assistance

NBFamilies – Financial Assessments/Client Contributions

Observations
4.100 As part of our testing, we determine whether the financial assessments are up-to-date in accordance with departmental policy and whether the calculation of client contributions is correct. The amount of the client contributions affects the Department’s payments to service providers for clients’ care.

4.101 During our testing, we found two out of fifteen cases (13%) where the financial assessments were not up-to-date. The assessments had been completed in 2004 and 2008 for these cases.

4.102 We also found six out of fifteen cases (40%) where client contributions were incorrect. In the first case, the last financial assessment had been completed in 2004. The assessment was incorrectly completed and insufficiently documented. This resulted in the client overpaying at least $3,900 for their services. The Department is in the process of correcting this issue.

4.103 In the second case, the client was assessed properly; however, the contribution was not entered into the system, which resulted in the Department overpaying the vendor by approximately $1,740. This overpayment has since been recovered by the Department.

4.104 In the remaining four cases, the clients were receiving Old Age Security and Guaranteed Income Supplement benefits. The amount of these benefits increases quarterly.
Even though the clients’ financial assessments were within the two-year timeframe, as required by departmental policy, the client contributions were not adjusted for quarterly benefit increases ranging from two to four quarters.

Recommendation
4.105 We recommend the Department of Social Development:
* complete financial reassessments for clients within a two-year timeframe as required by policy;
* properly document financial assessments and client contribution calculations and enter this information into the system on a timely basis;
* implement controls to verify the accuracy of client contribution calculations and client contribution data entry; and
* implement a process whereby client files are updated with rate increases for Old Age Security and Guaranteed Income Supplement benefits where applicable.

Comments from Management
4.106 Work has been done to incorporate the financial calculation directly into NBFamilies. Thus, no time delay in entering data.

4.107 A Lean 6 Sigma project has been completed on the client contribution process. It is expected this will enable assessments on an annual basis. It will allow for immediate rate increases for Old Age Security and Guaranteed Income Supplement in the NBFamilies system as well.

Client Reviews – NBFamilies and NBCase

Observations
4.108 During our testing of transactions for the NBFamilies and NBCase systems, we noted cases where client reviews were not performed in accordance with departmental policy. In our sample of fifteen NBFamilies items, four case reviews were not up to date. In our sample of twelve NBCase payments, one client review was not up to date. Regular case reviews and client contact help to confirm clients remain eligible to receive the level of care or benefits they are provided.

Recommendation
4.109 We recommend the Department of Social Development perform client reviews in the timeframe required by policy.

Comments from Management
4.110 We agree with your recommendation.
The Provincial Program Consultant will reiterate this requirement during the next meeting with Long Term Care regional supervisors and will reinforce the necessity of documenting this work in NBFamilies. A degree of the non-compliance with policy has to do with workload and case load size of the front-line managers.

NBCase – Expense Cut-Off

Observations
4.111 We examined twelve payments processed by the NBCase system as part of our testing. One of the items related to the prior fiscal year; however, it was not accrued by the system. From discussions with the Department, we determined the NBCase system is not properly recording daily pay runs which need to be allocated between fiscal years. We understand the time required to diagnose and fix the problem is not known. In the meantime, the Department should review the accounting for the pay runs and appropriately allocate the amounts to the proper fiscal year.

Recommendation
4.112 We recommend the Department of Social Development improve its year end cut-off process for NBCase daily payments so that expenses are recorded in the proper fiscal year.

Comments from Management
4.113 We agree with your recommendation.

Department of Economic Development Nortridge Loans System

Segregation of Duties

Observations
4.114 During our audit, we noted a number of observations relating to segregation of duties. We found one individual is the primary user of the system. This individual is responsible for receiving cheques, entering transactions, preparing system reconciliations to the Oracle general ledger, preparing bank deposits and performing system administration functions. Having one individual responsible for performing all of these functions results in a segregation of duties conflict.

4.115 We also make the following observations:
* We noted no one is reviewing the work of the primary user to verify the accuracy of the input or the accuracy and completeness of the Oracle general ledger reconciliations.
* The primary user has been assigned the role of system administrator and is responsible for performing administrator functions, such as creating users and assigning system access. An activity report is available which identifies all transactions and functions performed by a user. Currently, no one is printing and reviewing this report to determine the appropriateness of the transactions and functions being performed by the primary user.
* We noted the lack of a consistent process for the receipt of client loan repayments. All cheques should be received in a consistent manner, logged and stamped at the original point of origin. The log should then be forwarded to the accounting officer for input into the system. The accounting officer should not be receiving the cheques and preparing the bank deposit. Having a consistent process for receiving payments reduces the risk of fraud and/or cheque loss.

Recommendations
4.116 We recommend the Department review the process in place for the Nortridge Loans system and ensure key functions are appropriately segregated so that one individual is not responsible for entering transactions, reconciling the system and preparing the bank deposits.

4.117 We recommend the Department have a separate individual review and verify the accuracy of the data entered into the Nortridge Loans system and the accuracy and completeness of the reconciliation of the system to the Oracle general ledger. These reviews should be performed on a regular basis (i.e. monthly), appropriately documented and maintained for audit purposes.

4.118 We recommend the Department have an independent individual review the transactions completed by all Nortridge users to determine the appropriateness of the transactions. We also recommend the Department assign the administrative role for the Nortridge Loans system to an individual who is not responsible for processing transactions.
4.119 We recommend the Department implement a consistent process for receiving client loan repayments whereby cheques are received and logged by one individual. The cheque log should then be forwarded to the accounting officer for input into the system.

Comments from Management
4.120 Due to the size of the Financial Services office in the past, segregation of duties was more difficult to assure. With the recent restructuring, we are now able to incorporate segregation of duties where necessary.

4.121 While we acknowledge the lack of segregation, we feel that the following compensating controls reduce our risk.
* The Accounting Officer ensures deposits are done weekly and on the last day of each month. If a deposit is greater than $500,000, it is done immediately. All deposits and related journals are signed off by the Manager of Accounting Services.
* Monthly statements are sent to loan recipients.
* The Account Assistant distributes every two weeks a Past Due report to the Financial Officers to review.

4.122 We have instituted the following recommendations:
* The Manager verifies the accuracy of new loans and guarantees entered into the NLS and reviews the reconciliation of the NLS to the Oracle general ledger on a monthly basis as evidenced by signature.
* Another individual logs all incoming cheques and forwards the log to the Accounting Officer for input into the system.

4.123 The administrative role for the NLS has been reassigned to the Information Technology Section. Once this responsibility has been reassigned, we do not feel it is necessary to review transactions completed by all NLS users as only two employees will have the ability to enter transactions.

Information Technology (IT) Findings

Background
4.124 In order to express an opinion on the Province’s financial statements, we document controls and test transactions processed by significant financial IT systems. Some of this work is performed on a cyclical basis.
We also document the controls associated with the Province’s overall IT infrastructure. Exhibit 4.2 lists the IT systems we examined.

Exhibit 4.2 – IT Systems Examined

Department | Audit
Education and Early Childhood Development (EECD) | Teachers’ Payroll
Economic Development (ED) | Nortridge Loans
Finance | Property Tax System
New Brunswick Internal Services Agency (NBISA) | HRIS Payroll System; Oracle Input System (IPM); IT Infrastructure
Office of Chief Information Officer (OCIO) | Policy Review
Office of the Comptroller (OOC) | Oracle R12 Financials (R12)
Service New Brunswick (SNB) | Property Tax Assessment System
Social Development (SD) | NBFamilies¹; NBCase²

¹ Long-Term Care System (NBFamilies)
² Social Assistance System (NBCase)

Key Themes
4.125 We are not publishing the details of all of our IT system work given the technical nature of many of our findings, and as noted previously in this chapter, the risk of possible loss of government assets if the details of such findings are reported. Exhibit 4.3 presents key themes of our findings summarized by the responsible department.
Exhibit 4.3 Information Technology Findings – Key Themes

Theme | Finding | Finding addressed to
IT Segregation of Duties | Developers’ access to production | OOC (R12)
IT Segregation of Duties | Segregation of duties | ED
IT Segregation of Duties | Excessive permissions | SNB, NBISA (HRIS), OOC (R12), NBISA (IT Infrastructure)
IT Segregation of Duties | Corporate payroll reconciliation | NBISA (HRIS)
IT Segregation of Duties | Change management | Finance (Property Tax)
System Replacement | Property tax system | Finance
System Replacement | Teachers’ payroll system | EECD
IT Security | Encryption of data | SNB, NBISA (Infrastructure)
IT Security | Monitoring – Administrators, Third-party service, Logs | OOC (Oracle R12), SNB, NBISA (IT Infrastructure), SD (NBFamilies)
IT Security | Compliance with government’s security policy | NBISA (HRIS), SD (NBFamilies), ED, NBISA (Infrastructure), NBISA (IPM)
IT Security | Approval of Access | SNB, NBISA (HRIS)
IT Security | Review/Confirmation of Access | SNB, NBISA (HRIS), NBISA (IPM)
IT Security | Management of network access | NBISA (IT Infrastructure)
Disaster Recovery / Backup of Key Staff | Disaster recovery plan | SNB, OOC (R12)
Disaster Recovery / Backup of Key Staff | Backup of key personnel | SNB, ED
Disaster Recovery / Backup of Key Staff | Outdated backup policies | NBISA (IT Infrastructure)
IT Policy | Security policy update | OCIO
IT Policy | Security monitoring policy | OCIO
Reconciliations | Assessment system to property tax system | SNB
Reconciliations | Departmental payroll reconciliations | NBISA (HRIS)
Verification of Data Inputs | Assessment data | SNB
Verification of Data Inputs | Review of data inputs | EECD
Approvals | Spending and payment authority not provided | SD
Approvals | Approval of firewall changes | NBISA (IT Infrastructure)
Approvals | Spending authority in excess of authorized limit | SD
Client review | Compliance with policy | SD (NBFamilies & NBCase)
Application Testing | Change management | EECD

4.126 We are not aware of any loss of government assets or errors which resulted from the findings noted in Exhibit 4.3; however, we are concerned about the potential for future loss of assets or error as well as potential for loss of confidentiality and privacy inherent in the above noted findings if they remain uncorrected.

4.127 It should be noted this work was performed with a focus on the financial statement audit impact.
Risks arising as a result of operational or confidentiality/privacy concerns are noted where observed but were not the main focus of our work.

4.128 Given the significance of certain findings and that similar findings occurred across multiple departments, additional information on the key themes noted in Exhibit 4.3 is provided below.

IT Segregation of Duties
4.129 We noted five segregation of duties findings in our work. We discuss, in detail, two significant findings relating to Oracle R12 and the Nortridge loans system in paragraphs 4.69 and 4.114. Proper segregation of duties is necessary to reduce the risk of fraud and error in the accounting records.

4.130 Allowing users excessive access to systems and data increases the risk of segregation of duties conflicts and of individuals gaining unauthorized access to financial information or system functionality. These circumstances increase the risk of fraud or error in the accounting records.

System Replacement
4.131 In our work, we recommended two out-dated IT systems be replaced or modernized. In the case of the Property Tax system, we found the system is written in an out-dated programming language, making it difficult to change, and we question the reliability of the system as we noted a number of large system errors occurring during the year. The Department of Finance is in the process of replacing this system and expects the first release to be complete by 2014.

4.132 In the case of the teachers’ payroll system, we found access security is extremely weak, support is provided by a single contractor with no backup and the system runs on old, out-dated hardware. The system is over 20 years old and is at risk of failure. EECD noted NBISA is responsible for determining a new teachers’ payroll system and the replacement date is not known.
In the interim, we recommended EECD review the teachers’ payroll system to determine if any new risks exist and to implement an appropriate risk response to address any identified risk.

IT Security - Encryption of Data
4.133 We noted findings relating to encryption in both SNB and NBISA (IT Infrastructure). Given the confidential nature of the information involved, encryption is recommended to help safeguard information and reduce the risk of a breach of confidentiality.

IT Security – Monitoring of Administrators, Service Providers, Access Logs
4.134 In two systems, we noted a lack of monitoring of system administrators’ activity. See paragraph 4.73 for a discussion of the Oracle R12 system. In the case of SNB, the database administrator’s activity is logged but the log is not reviewed.

IT Security - Compliance with Security Policy
4.135 We found multiple instances where departments did not comply with the guidelines recommended in the Province’s IT security policy. Violations were mostly around restricting the limit of failed login attempts and complying with the password requirements, such as password complexity, password change frequency, password length, password expiry, and password reuse settings.

IT Security - Approval of Access
4.136 We had findings in two systems relating to the approval of system access. We noted in the NBISA (HRIS) system, the same person was creating and approving system access. We noted in the SNB system, the access requests were bypassing the IT service desk and thus the requests were not approved by the system owner. Proper controls relating to creating system access are required so only authorized employees obtain access to the system.

IT Security – Review/Confirmation of Access
4.137 We had findings in three systems relating to access: SNB, NBISA (HRIS) and NBISA (IPM). We also noted issues with the annual review/confirmation of user accounts.
An annual review of user accounts reduces the risk of unauthorized system access by limiting the number of users to only those who require access in order to fulfill their job responsibilities.

Disaster Recovery and Backup Support
4.138 In our work, we noted two key systems where disaster recovery plans either do not exist or are not up-to-date. The new SNB EvAN assessment system does not have a disaster recovery plan and the OOC Oracle R12 system has a disaster recovery plan but it is out-of-date. An up-to-date, documented and tested disaster recovery plan is necessary so that organizations can recover operations in a timely manner in the event of a disaster.

4.139 We also noted a lack of backup personnel for the SNB EvAN assessment system and the ED Nortridge loans system. Trained backup of personnel is necessary to help ensure transactions continue to process when personnel are absent or terminate employment, and to help reduce the risk of fraud.

IT Policy – Security Policy Update
4.140 In our work, we noted the Province’s information technology security policy has not been updated since November 2006. This policy provides guidance, directives and requirements for all employees and other stakeholders within the Province. Without an updated policy, controls may not be consistently applied resulting in deficiencies in processes such as user termination, password setting and data encryption.

Reconciliations
4.141 In our SNB work, we noted the reconciliation between the SNB EvAN assessment system and the Finance property tax system is not being completed on a regular basis. Reconciliations should be completed on a regular basis, such as weekly, to verify the data transfer between the systems is complete and accurate.

Verification of Data Inputs
4.142 In our work, we found three cases where the data input into applications is not being verified or approved.
We found this in SNB where there is no review of assessment data entered into the system and in EECD where data input and approval controls should be strengthened for leave tracking, teachers’ summer pay accrual and commencement information. Having data input reviewed and verified reduces the risk of inaccurate information being recorded in the financial accounting records.

Appendix I - Audit Objectives

4.143 Our examination of the matters included in this chapter of our Report was performed in accordance with Canadian generally accepted auditing standards, including such tests and other procedures as we considered necessary in the circumstances. The matters reported should not be used as a basis for drawing conclusions as to compliance or non-compliance with respect to matters not reported.

4.144 We obtain reasonable assurance on the financial statement figures because it would not be cost effective to obtain absolute assurance - our auditors cannot test every transaction.

4.145 By applying audit procedures to test the accuracy or reasonableness of the figures appearing in the financial statements, we achieve our desired level of assurance. We use audit procedures such as tracing samples of transactions to supporting documents, testing the effectiveness of certain internal controls, confirming year-end balances with third parties and reviewing the reasonableness of estimates.

4.146 Because of the limited objectives of this type of audit work, it may not identify matters which might come to light during a more extensive or special examination. However, it often reveals deficiencies or lines of enquiry which we might choose to pursue in future audit work.

Responsibilities Pertaining to the Audit Process
4.147 The government is responsible for the preparation and the content of the Province’s financial statements. The Statement of Responsibility at the front of Volume 1 of Public Accounts is signed by the Minister of Finance on behalf of the government.
The Comptroller is responsible for preparing the financial statements in accordance with Canadian public sector accounting standards. When preparing the financial statements, the government must make significant estimates, as not all information is available or determinable at the time of finalizing the statements. Examples of areas where management has made estimates in the financial statements are: provision for loss on loans and accounts receivable, contingencies, employee future benefits and tangible capital assets.

4.148 Our Office is responsible for auditing the Province’s financial statements. An audit provides reasonable, but not absolute, assurance that the Province’s financial statements are free of material misstatement. Material misstatement refers to an item or group of items that, if omitted or misstated, would alter the decisions of reasonably knowledgeable financial statement users. The tolerable level of error or misstatement is a matter of judgment.

Appendix II - Loss through Fraud, Default or Mistake

4.149 Section 15(2) of the Auditor General Act requires us to report to the Legislative Assembly any case where there has been a significant deficiency or loss through fraud, default, or mistake of any person.

4.150 During the course of our work we became aware of the following losses. Our work is not intended to identify all instances where losses may have occurred, so it would be inappropriate to conclude that all losses have been identified.
Department of Education and Early Childhood Development | Missing equipment in various school districts | $11,032
Department of Justice and Attorney General | Missing cash | $7,543
Service New Brunswick | Missing bank deposit | $5,048
Department of Natural Resources | Missing equipment from various regions | $2,020
Department of Health | Missing laptop | $1,500
Department of Transportation and Infrastructure | Missing diesel fuel | $600
Department of Environment and Local Government | Missing cash | $311

4.151 Losses reported by our Office only include incidents where there is no evidence of break and enter, fire, or vandalism.

4.152 The Province reports in Volume 2 of the Public Accounts the amount of lost tangible public assets (other than inventory shortages).

4.153 In 2013, the Province reported lost tangible public assets in the amount of $27,954 compared to a loss of $49,172 reported in 2012.

Chapter 4 Matters Arising from our Audit of the Financial Statements of the Province
Report of the Auditor General - 2013