Background

4.1 The Legislative Assembly approves the budget that sets out the government’s financial plans. The duties imposed on our Office require us to audit the actual financial results and report our findings to the Legislative Assembly.

4.2 Our audit work encompasses financial transactions in all government departments. As well, we audit pension plans and other trust funds, including the Fiscal Stabilization Fund.

4.3 We also audit the Crown Corporations, Boards, Commissions and other Agencies which are listed below. We have issued audited financial statements of all these agencies for the year under review.

4.4 Agencies included in the Public Accounts:
• Advisory Council on the Status of Women
• Algonquin Golf Limited
• Algonquin Properties Limited
• Kings Landing Corporation
• Lotteries Commission of New Brunswick
• NB Agriexport Inc.
• New Brunswick Credit Union Deposit Insurance Corporation
• New Brunswick Crop Insurance Commission
• New Brunswick Highway Corporation
• New Brunswick Municipal Finance Corporation
• New Brunswick Public Libraries Foundation
• New Brunswick Research and Productivity Council
• Premier’s Council on the Status of Disabled Persons
• Provincial Holdings Ltd.
• Regional Development Corporation
• Regional Development Corporation - Special Operating Agency
• Youth Council of New Brunswick

4.5 Other Agencies:
• Le Centre communautaire Sainte-Anne
• Legal Aid New Brunswick

Scope

4.6 To reach an opinion on the financial statements of the Province, we carry out audit work on the major programs and activities in departments. In addition, we audit major revenue items and a sample of expenditures chosen from departments. We also test controls surrounding centralized systems.

4.7 We take a similar approach to our testing of the Province’s pension plans. Our objective in doing this work is to reach an opinion on the financial statements of each plan.

4.8 Because of the limited objectives of this type of audit work, it may not identify matters which might come to light during a more extensive or special examination. However, it often reveals deficiencies or lines of enquiry which we might choose to pursue in our broader scope audit work.

4.9 It is our practice to report our findings to senior officials of the departments concerned, and to ask for a response. Some of these findings may not be included in this Report, because we do not consider them to be of sufficient importance to bring to the attention of the Legislative Assembly, or because public attention to weaknesses in accounting controls before they are corrected could possibly result in loss of government assets.

4.10 Our work in Crown agencies is usually aimed at enabling us to give an opinion on their financial statements. During the course of this work, we may note errors in accounting records or weaknesses in accounting controls. We bring these matters to the attention of the agency, together with any recommendations for improvement.

4.11 This chapter of our Report summarizes issues related to departments and Crown agencies which we consider to be significant to the members of the Legislative Assembly.

4.12 Our examination of the matters included in this chapter of our Report was performed in accordance with Canadian generally accepted auditing standards, including such tests and other procedures as we considered necessary in the circumstances. The matters reported should not be used as a basis for drawing conclusions as to compliance or non-compliance with respect to matters not reported.

Office of Human Resources - Human Resources Information System

Background
Scope

4.13 Our Office has a long-range plan to review all key computer systems in the Province of New Brunswick. This review is used to support our audit opinion on the provincial financial statements.
We identified the Human Resource Information (HRI) system in the Office of Human Resources (OHR) as one of these key systems because of the magnitude of the dollars processed by the system.

4.14 The objective of our audit was to review and assess the adequacy of the internal controls in the computer environment and in the computer application.

4.15 The scope of our audit was limited to regular, seasonal and casual payrolls of the Civil Service. These payrolls process approximately $500 million in expenditures. Regular payroll represents approximately 93% of the $500 million payroll and is comprised of positioned, full-time or part-time employees of the provincial government.

Computer environment

Conclusion

4.16 Based on our examination, we determined that the HRI system computer control environment is adequate to support the operation of the HRI system. However, we noted a number of areas where improvements should be made.

Development of a business continuity plan

4.17 From our discussions, we determined that OHR does not have a formal documented business continuity plan (BCP). A BCP is important as it identifies critical business processes and establishes the information and resources that are needed to ensure that these processes continue to operate in the event of a disruption in service. A subset of a business continuity plan is an Information Technology (IT) recovery plan. This plan focuses on the recovery of the computer environment needed to support the critical business processes if a disruption should occur.

4.18 We determined that OHR has taken some steps to reduce the impact of business disruptions. OHR indicated that it has an assortment of documents that address various components of a BCP. However, these documents are not organized into one “plan” that clearly identifies them as being the procedures to follow in the event of a disruption.
Not having these documents organized into one plan could increase system down time if employees are unclear of their responsibilities or of what procedures to follow should a disruption occur. A situation such as this could result in the inability to meet the payroll obligations of the government.

4.19 We are pleased to report that OHR is currently participating in a departmental contingency planning process commissioned by the Department of Public Safety and we encourage the completion of this project. Although we have not reviewed the progress of this project, we expect it will result in a comprehensive BCP that will ensure the human resources needs of the government will continue to be met if a disruption in service should occur.

Recommendation

4.20 We recommended that OHR develop and document a BCP to help ensure the human resources needs of the government are met in the event of a disruption. The BCP should incorporate a tested information technology recovery plan for the HRI system. The BCP plan should be reviewed and updated periodically to ensure it reflects changes in infrastructure and the organization.

Departmental response

4.21 Some elements of a Business Continuity Plan (BCP) are already in place including detailed procedures supporting the system management, system development, and system operation processes. These include procedures related to system backup, recovery, security, etc. While no environment exists that will permit the staging of a mock disaster and the actual testing of a recovery plan, many existing system testing processes (for example those used when system enhancements are implemented) which are used on a regular basis provide a level of assurance that the system could be recovered if necessary. Additional work will be done to extend these components of a BCP (especially for payroll related activities) over time and the material will be ... updated as required.

Training for new system users

4.22 From our review, we noted that both OHR and departmental payroll personnel provide HRI system training to new users. Because of the complexity of the system, we believe that all new users should receive a minimum level of training. Given that this training is provided by a number of different sources, we believe OHR should establish minimum training standards to promote a consistent training approach throughout client departments. These standards would help to reduce the risk of departmental inefficiencies and procedural errors being passed on to new users.

Recommendation

4.23 We recommended that OHR establish minimum training standards to be used by all departments when training new system users. These standards would help ensure that new users of the system are appropriately trained.

Departmental response

4.24 A training program guide will be developed which will outline minimum recommended training coverage for each of the relevant functional areas of the application. This will include linkages to the HRIS Operational System documentation posted on the HRID Intranet Web Site, and will allow training efforts to be aligned with the duties of the individual being trained. This program will be distributed to departmental HR directors for implementation.

Regular review of inactive accounts

4.25 As part of our audit, we reviewed HRI system user accounts to ensure that inactive accounts are disabled on a timely basis. Based on our discussions with OHR staff, we determined that the system does not automatically disable user accounts after a specified period of inactivity. Instead, the OHR manually reviews inactive accounts periodically. At the time of our audit, we noted that this review had not been performed since February 2000. OHR subsequently performed a review and disabled any accounts that had not been accessed in over twelve months.

4.26 The new password standards, implemented by the Department of Supply and Services in June 2003, require user accounts that have been inactive for more than 90 days be disabled. We believe that OHR should comply with this standard by either modifying the system such that inactive accounts are automatically disabled or by reviewing user accounts every three months and manually disabling the inactive accounts.

Recommendation

4.27 We recommended that OHR modify the HRI system so that user accounts are automatically disabled after 90 days of inactivity. If this option is not feasible or economical, a manual review should be performed and user accounts that have not been accessed for 90 days should be disabled.

Departmental response

4.28 OHR agrees with this recommendation and a manual procedure will be implemented to review account activity and inactivate dormant accounts.

Application controls

Conclusion

4.29 Based on our examination, we determined that we can rely on the HRI system application controls to express an opinion on the financial statements of the Province of New Brunswick. However, we noted a number of areas where improvements should be made.

Clear communication of payroll accrual information to departments

4.30 During the course of our work, we determined that the HRI system automatically calculates the payroll accrual for regular payroll. However, depending on the type of earnings, the system either allocates all of the earnings to the old fiscal year or prorates the earnings between old year and new year (e.g. all overtime earnings are allocated to the old year, but regular earnings are prorated between old year and new year).

4.31 While the different accounting treatment for these expenditures is reasonable, OHR should notify departments on how the accrual for these expenditures is calculated. From our discussions with departments, this was not the case.
In our testing we found two cases where accruals were prepared for expenditures that were already accrued by the system.

Recommendation

4.32 We recommended that OHR clearly communicate to departments the earnings that are accrued by the HRI system at year end and how the accrual is calculated. This communication should be addressed to the appropriate departmental employees in both the payroll and the accounting divisions.

Departmental response

4.33 A communication will be distributed to HR Directors and Directors of Finance reminding them of how the HRIS accrual process works. This will make reference to this audit finding as well as a reminder to utilize the existing HRIS report that details the accrual amounts.

Review of controls to ensure adequate management of payroll risks

4.34 We reviewed the various risks associated with a payroll system. We found that in some cases, these payroll risks could be further reduced by improvements in the system of internal control, such as ensuring:
• payroll officers always agree system input to system output;
• management consistently review payroll reports; and
• departments maintain adequate segregation of incompatible duties.

Recommendation

4.35 We recommended that OHR review the controls in the HRI system. Where significant risk exists, OHR should modify the system or manual procedures to manage the risk to an appropriate level.

Departmental response

4.36 OHR indicated that the HRI system “application is designed to support segregation of duties through both its security module and reporting structure,” so “there is no requirement to modify the HRIS application.” OHR “will communicate this audit finding to HR Directors and remind them of the importance of duty segregation, as well as the existing features of the HRIS application supporting this principle.”

4.37 OHR also responded that “system reporting fully supports the ability to perform ...
[input to output] validations” and agrees “this is an important control procedure.” OHR “will communicate this audit finding to departmental HR directors, stressing the importance of input to output reconciliation.”

Other observations

4.38 We identified and made recommendations in two areas where we believed OHR could improve the efficiency of payroll procedures. One recommendation related to the possibility of electronically reconciling Blue Cross information with the HRI system rather than each department manually checking this data. The other recommendation related to an improvement in the method in which overtime wages are input into the system.

4.39 The department indicated that electronic reconciliation of Blue Cross data may be possible once Blue Cross implements an electronic billing system. The department also responded that improvements in the method of inputting overtime wages would be considered for inclusion in a future OHR work plan.

Service New Brunswick - Service Agreements with Departments and Agencies

Background

4.40 Service New Brunswick (SNB) is a provincially owned Crown corporation with a mission to make government services more available to citizens and businesses and to be stewards for authoritative information. The Service New Brunswick Act specifies that the corporation is “to be the principal provider for the Government of the Province of non-specialized customer services, through both physical offices and electronic channels”. The concept of one-stop shopping is an integral part of the philosophy of SNB.

4.41 The corporation has four lines of business which include property assessment, registries, geographic information infrastructure, and government service delivery. Government services are delivered through three channels - service centres (36), TeleServices, and the internet.
Over 140 services are delivered by SNB on behalf of fifteen provincial government departments and agencies, 43 municipalities and a number of other organizations. SNB considers each of them to be business partners. Services delivered on behalf of the business partners include licences and permits, collection of fees and payments, and provision of information on government products and services.

4.42 During 2002-03, SNB processed 4.3 million transactions and inquiries and collected $348 million on behalf of its business partners. Given the large number of services “outsourced” to SNB by its business partners, the importance of clearly defining the responsibilities of both SNB and the business partners should not be underestimated.

Service agreements

4.43 The document that is used to formalize the arrangement for service provision between SNB and the business partner is called the service agreement. A well-written service agreement is an important tool in business partner relations as it identifies and defines the business partner’s needs and the roles of each partner, it provides a framework for understanding, and it identifies and addresses areas of possible conflict. It also alleviates the strain on business relations that can result from unclear expectations.

4.44 We feel that a service agreement should include a wide range of provisions, particularly the following:
• The specific services that are to be delivered, the manner in which they are to be delivered, and the duties and responsibilities of the business partner. This will reduce the risk of duplication, overlap, and inefficiencies in service delivery as well as eliminate gaps in responsibility.
• The applicable fees charged to the business partner for services delivered on their behalf.
• Provisions for performance monitoring and reporting by both partners to ensure there is no loss in the level and quality of service delivery or weakness in controls.
• Provisions for problem management, legal compliance, and resolution of disputes.
• Provisions for security and confidentiality of information.
• Provisions for termination of the agreement.

Preliminary review

4.45 We began a preliminary review within SNB during the summer of 2003. The focus of our review was on service agreements for government services delivered by SNB on behalf of other government departments and agencies.

Our findings

4.46 During our review, we discovered that the Office of the Comptroller (OoC) performed an audit on SNB in 2001 entitled, “Customer Service Delivery Review”. The OoC concluded that, with the exception of a fee arrangement with the Department of Health and Wellness to deliver Medicare services from the TeleServices Centre, SNB did not have written agreements that reflected current service delivery arrangements with business partners. The OoC recommended that SNB formalize arrangements for service provision with each of its business partners.

4.47 SNB agreed that formal service agreements should be developed for all existing business partner arrangements as well as for future new service arrangements. SNB stated that agreements would be developed for existing service arrangements beginning with departments with whom they had the largest volume.

4.48 We found that current service agreements do not exist for many services that were part of the original transfer of responsibility from the Department of Finance to SNB. However, we found that, for new service responsibilities assumed since the OoC audit, SNB negotiates agreements with its business partners for all specific services it conducts on their behalf.

4.49 Of the nine service arrangements that were without written agreements at the time of the OoC audit, two agreements will be in full force by the end of the current year and these are the two largest business partners (one is in place now and one is in its second draft).
SNB’s Business Plan for 2002-2005 noted March 2003 as an anticipated deadline for completion of all agreements, but this was not met. SNB staff informed us they intend to complete two agreements per year in the coming years until all agreements are completed. They indicated this will take approximately three to four years.

4.50 In its audit report, the OoC gave direction on issues that should be addressed by the agreements. Some of these issues included:
• extent and location of services offered by SNB (service centres, TeleServices, and internet);
• responsibility for purchase of equipment for service delivery;
• responsibility for the provision of field staff support (including after-hours support);
• responsibility for the development and reporting of service standards;
• reporting internal audit activity; and
• training requirements.

4.51 We reviewed all current agreements in place between SNB and its business partners and found that they comply with the direction given by the OoC. We also reviewed the agreements for a number of provisions not addressed by the OoC such as confidentiality and agreement termination. We found that these provisions were included in all agreements with the exception of the most recent service agreement with SNB’s largest business partner. We were informed that this agreement will be used as a model for future service agreements for existing services. To protect the interests of both parties, the model agreement should be modified to include these provisions.

Recommendation

4.52 We recommended that all service agreements include provisions for confidentiality and termination.

Agency response

4.53 Both Service New Brunswick and the Departments on behalf of which we provide services are subject to the Protection of Personal Information Act (POPIA) as well as the Right to Information Act. We have taken strong leadership in developing procedures and training to ensure our compliance with POPIA.
Future agreements will include clauses relating to confidentiality and protection of personal and other information. ... we recognize the value of [a provision for termination of services] ... and will incorporate one in future agreements ...

4.54 We were pleased to see SNB taking the initiative for negotiating and developing service agreements with its business partners. While we were encouraged to see a deadline of March 2003 for this initiative noted in SNB’s Business Plan for 2002-2005, we were disappointed to learn that it actually might be 2007 before all service agreements are in place.

Recommendation

4.55 We recommended that SNB seek the prompt implementation of formalized service agreements for all of its existing business partner arrangements and future new service arrangements.

Agency response

4.56 Progress on agreements for existing services is significantly dependent on the effort our business partners are willing to commit to the development of these agreements. We now have a good template in the agreement with [the Department of Public Safety] and are actively working on another three. Each department has some unique issues that must be addressed individually. If we are able to move expeditiously with the full cooperation of our business partners, we would like to have agreements with all eight departments completed by the end of 2004/05.

Conclusion

4.57 We decided not to pursue an audit of the service agreements between SNB and its business partners as we feel SNB is adequately addressing the OoC’s concerns and is making progress towards formalizing service agreements for all existing business partner arrangements as well as for future new service arrangements.

Department of Family and Community Services - NB Housing

4.58 The Department of Family and Community Services offers a variety of programs to assist certain sectors of the population with their housing needs.
Included in programs made available through NB Housing are those designed to help low and modest income individuals and families, off-reserve native and non-native households in small rural communities, and those with special needs. During the year, we completed an examination of the internal controls around the NB Housing systems.

Computer systems aging

4.59 During our audit we were told by many individuals that the computer systems currently in place are outdated. Since the applications used are old, there is a risk that there may not be appropriate technical support when it is needed in the future.

4.60 Our audit also found that separate systems for most housing programs exist and are run independently of one another. Without data integration, processing of payments from clients involved in more than one housing program is difficult and there is a higher risk of error in processing.

System applications do not accommodate all programs

4.61 Canada Mortgage and Housing Corporation (CMHC) is running a program for NB Housing. In the event that CMHC were to abandon this arrangement in the future, there is no application at NB Housing that could run this program. Proper control and monitoring of the program could be jeopardized if adequate information systems are not developed.

No recent review of disaster recovery plan

4.62 A disaster recovery plan is important for the continuity of operations in the event of an emergency situation. As new uses for technology, and new products for enforcing a secure environment, are developed, policies and procedures need to be reviewed, updated and tested to protect a database environment in the event of a security breach or disaster. During our audit we were told that the disaster recovery plan had not been updated since the work done for the year 2000.

Recommendations

4.63 The Department should consider implementing new computer systems to address the weaknesses noted above.

4.64 The Department should review and update their disaster recovery plan so that operations can continue in the event of a disruption.

Departmental response

4.65 We will consider the implementation of a new computer system for our Housing programs. Our disaster recovery plan will be reviewed and updated.

New Brunswick Housing Act requires updating

4.66 In reviewing the New Brunswick Housing Act, we discovered many instances where the Act is outdated. An example of this is Section 18, which includes legislation requiring the New Brunswick Housing Corporation to submit a report to the Minister within three months of each fiscal year end. The Act outlines what should be included in the report, such as the financial statements of the Corporation and the report of the Auditor General. This information no longer exists.

Recommendation

4.67 The Department should review and update the New Brunswick Housing Act.

Departmental response

4.68 We agree that the Act requires review and updating. However, to undertake such a review would require significant input from legislative resources outside the department. Therefore, we expect that this task could take considerable time to complete.

Department of Training and Employment Development - Training and Skills Development Program

4.69 The Department of Training and Employment Development has a Training and Skills Development Program (TSD) aimed at ensuring that the education and skills of the New Brunswick labour force meets the current and emerging demands of the labour market. This is accomplished by moving more people off short-term ‘make work’ projects and into long-term training programs. The focus of our audit in this Department was an examination of the controls around the TSD system.

Non-compliance with Administrative Guidelines

4.70 The administration of the TSD program is governed by the Training and Skills Development Administrative Guidelines which state that it is a requirement that the Attendance and Progress Reviews are to be completed (by the educational and training providers) and returned to the employment counsellors every two months.

4.71 During the course of our audit we found that in one of the six items tested in a regional office, a progress review had never been received for a client who had been in a training program for over three months. A manager in the regional office told us that it is the employment counsellor’s responsibility to contact the training provider if they do not send this information. Failure to obtain this information would make it difficult to ensure that clients are receiving the training.

Recommendation

4.72 We recommended that the Administrative Guidelines be followed and that Attendance and Progress Reviews be obtained and kept in the client files.

Departmental response

4.73 ... The Attendance and Progress Reviews have been problematic for some time and therefore the Department is currently developing a new electronic Internet based approach to capture and report this information. This new system will be in place by December 2003. Until this new system is in place, regional staff will be reminded to work with training institutions to obtain this information.

Results of programs not monitored

4.74 We were informed during our audit that, in many cases, clients do not contact the employment counsellor to tell them when they have finished the program or if they have found employment. We would have expected to see a follow-up mechanism in place in order to provide information for the assessment of programs as to whether they are achieving the intended objectives.
Many government programs have instituted a holdback of a certain percentage of the contracted amount until all of the obligations under the agreement have been fulfilled.

4.75 If amounts were held back from clients, this would serve as an incentive for them to contact the counsellor at the end of the program to give them the required information, thus assisting in program assessment.

Recommendation

4.76 The Department should implement measures to ensure that all of the required information is gathered from clients.

Departmental response

4.77 Although TSD clients are required to inform their employment counsellor when they finish the program or find employment, ultimately it is the employment counsellor’s responsibility to follow up with their individual clients and capture this information in Contact NB (case management system). In order to ensure that this is done the following will be verified and implemented:
• Ensure that the current Contact NB “Bring Forward” function that reminds employment counsellors to follow up with their client upon training end date works properly;
• Ensure that the current Contact NB function that brings forward files that have been inactive for 6 months works properly;
• Finally, establish monitoring measures to ensure that employment counsellors are entering this information in Contact NB.

4.78 In addition, the Department recently introduced a comprehensive evaluation framework of its 5 employment programs. Program evaluation results are now presented to Board of Management on an annual basis.

Cash handling and receivables

4.79 During our testing in a regional office we discovered in a client file a cheque made payable to the Minister of Finance for an amount in excess of $5,000. The cheque, over eight months old at the time, was from a school and represented reimbursement of tuition for a client who withdrew from the program he was enrolled in.
According to the Policy Manual, all refunds must be sent to Central Office to be deposited. It was evident that proper controls are not in place with respect to cash handling.

4.80 Further, with respect to this same client, we found that a receivable had not been set up for the monthly entitlements he had already received, approximately $3,000 per month.

Recommendation

4.81 Internal controls with respect to cash handling should be reviewed and improved by the Department. All staff should be instructed on how to properly process cheques when they are received. Receivables should be set up as soon as a client withdraws from a program.

Departmental response

4.82 Additional information will be added to the Policy Manual with respect to cash handling. All Regional Directors will be asked to review this section of the Policy Manual with all staff delivering TSD. A Work Group will be established to look into additional internal controls that could be implemented to avoid this situation in the future.

Losses through fraud, default or mistake

4.83 Section 13(2) of the Auditor General Act requires us to report to the Legislative Assembly any case where there has been a significant deficiency or loss through fraud, default or mistake of any person.

4.84 During the course of our work we became aware of the following significant losses. Our work is not intended to identify all instances where losses may have occurred, so it would be inappropriate to conclude that all losses have been identified.

Department of Finance
• Lost or stolen laptop computer and LCD machine $6,000

Department of Education
• Missing equipment, money and supplies in various school districts $24,061

Department of Transportation
• Missing equipment and supplies in various districts $10,650

Department of Training and Employment Development
• Missing equipment and money in various community colleges $24,397

Department of Family and Community Services
• Cheques cashed by persons not eligible to receive the funds $12,121

Department of Natural Resources and Energy
• Missing equipment $19,866

Department of Justice
• Payments to wrong beneficiaries and cash shortages $3,142

4.85 Losses reported by our Office only include incidents where there is no evidence of break and enter, fire, or vandalism.

4.86 The Province reports in Volume 2 of the Public Accounts the amount of lost tangible public assets (other than inventory shortages).

4.87 In 2003, the Province reported lost tangible public assets in the amount of $108,065 compared to a loss of $135,471 reported in 2002.