Scope

5.1 Auditing standards require us to document and test internal controls in all major systems in government. We classify a major system as any system that processes transactions in excess of $100 million. For most of these systems, we also perform transaction testing. Transaction testing involves selecting a sample of individual transactions and performing detailed testing using a predetermined set of criteria.

5.2 The following table lists the information systems we document and test, the departments which operate the systems and the type of findings for each system.

5.3 In this chapter, we report the results of our system control testing. In chapter 4, we report the results of our transaction testing.

Provincial payment system (Oracle)

Background

System significance

5.4 The Oracle application system is the most significant system operated by the Province. The application is made up of a number of Oracle modules, such as Accounts Payable, General Ledger, Accounts Receivable, Cash Management and Treasury. Combined, these modules process billions of dollars for the Province and their data is used to produce the financial statements of the Province.

External vendor contract

5.5 Each year, we have reviewed the controls associated with this complex system and have made recommendations where the Office of the Comptroller (OOC) should improve controls. This year, for a number of reasons, we contracted with an accounting firm that specializes in Oracle control reviews to conduct a system control review on various modules of the Oracle application. Part of the contract stipulated that our staff would work with the auditors to gain experience and training.

Why contract services

5.6 We outsourced the system control review for the following reasons:

• The Province implemented two new Oracle modules, Treasury and Cash Management, in June 2008. Our auditors have limited experience with these applications and we do not have the resources to staff an audit of this size.
• Contracting with an accounting firm experienced in auditing Oracle modules provides a valuable training opportunity for our staff.
• The work of the contractors would supplement the control work we have done in the past. We have not had the resources or the expertise to document and evaluate complex application controls. If the controls are operating effectively, we should be able to increase our reliance on controls and reduce the time needed for transaction testing in future audits.

Scope

5.7 Our audit focused on the design, implementation and effectiveness of the general computer controls for the Oracle application and the application controls for the General Ledger, Accounts Payable, Treasury and Cash Management modules.

5.8 During our audit, we evaluated both automated and manual controls associated with these modules.

Results in brief

5.9 During the course of the audit, the external auditors identified twelve issues and made twelve recommendations on areas where the OOC should improve controls. Some of the key findings are outlined below.

• The external auditors noted that for a first-time control audit, they typically find many more issues than they identified during this audit.
• The external auditors found that the change management controls were operating effectively during the period of testing. Having an effectively operating change management process significantly reduces the amount of audit testing needed to form our audit opinion.
• We noted that four of the recommendations related to user access. We made recommendations for improving the system access process for granting, transferring, terminating and monitoring system access.
• Two of the recommendations related to segregation of duties at the user responsibility level.
• We noted that five of the twelve recommendations related to segregation of duties at the IT support level. This is a result of the OOC having a small Information Technology group supporting the Oracle application.
Changes to users’ access

5.10 Four of the twelve recommendations related to changing users’ access. We observed the following:

• The OOC does not conduct a periodic review of who has access to the Oracle application and database. Without a periodic access review, unauthorized access to the Oracle database and various modules may go undetected.
• The OOC does not have a formal process in place to help ensure application access for transferred users (departmental transfers) remains appropriate. Without a process in place to ensure access for users transferred between departments is appropriate, the risk of unauthorized access to the Oracle database and the application increases.
• The OOC has a formal process for granting access to users of the Oracle application. In our testing we found three cases where the OOC did not follow this process. Two of the users were members of the IT support team. The risk of unauthorized access to the application and the database increases without appropriate user access requests and approvals.
• During our testing of terminated users’ access, we found three users whose Oracle access was not terminated even though these employees were no longer employed by the Province. These three employees no longer had access at the network level, so they would be unlikely to have access to the application.

Recommendations and responses

5.11 We made four recommendations to the OOC to address the observations noted above. Two of our key recommendations, along with the OOC response, are as follows:

• We recommended management schedule and implement a formal periodic user review, performed at least annually, as a means to validate the on-going appropriateness of all users’ access within the database and the application.
• We recommended the Province implement a formal process to ensure user access is updated on a timely basis upon transfers within and between departments.
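As an added example (not code from the report, the external auditors or the Office of the Comptroller), the following Python script shows how the periodic user review recommended in 5.11 can be run over an application user list, an HR roster and an access approval log. It covers the four observations in 5.10 (no periodic review, transfers, missing approvals, terminated users) and goes beyond them to include the super user and conflicting-responsibility checks from the segregation of duties findings later in this chapter. All user ids, departments, responsibility names and conflicting pairs are constructed sample data, and the finding labels are this example's own.

```python
"""Periodic user and responsibility review for an ERP application.

Added example: not code from the audit report or the Office of the
Comptroller. The user list, HR roster, approval log and conflicting
responsibility pairs are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AppUser:
    user_id: str
    department_at_grant: str      # department recorded when access was approved
    responsibilities: frozenset   # responsibilities currently assigned in the application


# Constructed sample data: the application's current user list.
APP_USERS = [
    AppUser("asmith", "Finance", frozenset({"General Ledger Inquiry"})),
    AppUser("bjones", "Finance", frozenset({"Supplier Maintenance", "Invoice Entry"})),
    AppUser("clee", "Health", frozenset({"Accounts Payable Super User"})),
    AppUser("dkhan", "Finance", frozenset({"System Administrator", "Security Administrator"})),
    AppUser("eroy", "Transport", frozenset({"Cash Management Inquiry"})),
]

# Constructed sample data: HR roster as at the review date.
HR_ROSTER: Dict[str, Dict[str, str]] = {
    "asmith": {"status": "active", "department": "Finance"},
    "bjones": {"status": "active", "department": "Finance"},
    "clee": {"status": "active", "department": "Finance"},      # transferred since the grant
    "dkhan": {"status": "active", "department": "Finance"},
    "eroy": {"status": "terminated", "department": "Transport"},
}

# Constructed sample data: user ids with an approved access request on file.
APPROVED_REQUESTS: Set[str] = {"asmith", "bjones", "clee", "eroy"}

# Constructed conflicting responsibility pairs; an organisation's own SoD matrix
# would define these. The second pair is the system/security administration
# combination noted in the IT support findings.
CONFLICTING_PAIRS: List[Tuple[str, str]] = [
    ("Supplier Maintenance", "Invoice Entry"),
    ("System Administrator", "Security Administrator"),
]


def review_user(user: AppUser, roster, approved, conflicts) -> List[str]:
    """Return the list of findings for one application user."""
    findings = []
    hr = roster.get(user.user_id)
    # Terminated (or unknown to HR) users must not retain application access.
    if hr is None or hr["status"] != "active":
        findings.append("terminated")
    # A department change since the grant means the access needs re-validation.
    elif hr["department"] != user.department_at_grant:
        findings.append("transferred")
    # Every active account should trace back to an approved access request.
    if user.user_id not in approved:
        findings.append("no_approved_request")
    # Responsibilities that allow configuration changes directly in production.
    for resp in sorted(user.responsibilities):
        if "super user" in resp.lower():
            findings.append(f"super_user:{resp}")
    # Incompatible responsibility combinations held by one person.
    for a, b in conflicts:
        if a in user.responsibilities and b in user.responsibilities:
            findings.append(f"conflict:{a}|{b}")
    return findings


def access_review(users=APP_USERS, roster=HR_ROSTER, approved=APPROVED_REQUESTS,
                  conflicts=CONFLICTING_PAIRS) -> Dict[str, List[str]]:
    """Run the review over all users; only users with findings are returned."""
    report = {}
    for user in users:
        findings = review_user(user, roster, approved, conflicts)
        if findings:
            report[user.user_id] = findings
    return report


if __name__ == "__main__":
    for user_id, findings in access_review().items():
        print(f"{user_id}: {', '.join(findings)}")
```

The output of the review is the list departments would be asked to sign off annually: each user with findings and the reason, so that a reviewer can confirm, remove or compensate for the access rather than re-reading the whole user list.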
5.12 The OOC made the following response:

A full listing of users and responsibilities will be presented to departments annually for review and sign off.

Segregation of duties at the user level

5.13 Two of the twelve recommendations related to segregation of duties at the user level. One issue resulted from some users having “super user” accounts in the production environment. Having super user access enables users to make configuration changes to the Oracle modules directly in production. This increases the risk of unauthorized changes to the Oracle application.

5.14 The second issue was that the OOC had unintentionally assigned three users conflicting responsibilities. Having access to these conflicting functions/responsibilities increases the risk of unauthorized transactions and payments within the Oracle application to either fictitious or unauthorized vendors.

Recommendations and responses

5.15 We recommended users only be provided with access to the responsibilities needed to perform their daily jobs. We recommended users only be assigned access to process configuration changes in production on a temporary basis, as part of the formal change management process. The granting of this access should be approved, logged and formally monitored as part of the change management process.

5.16 We recommended the OOC review the responsibilities in conflict to ensure that conflicting functions are either removed or that sufficient monitoring controls are identified and/or implemented to mitigate the risk.

5.17 The OOC issued the following responses:

These responsibilities are assigned in order to provide user support for the various modules. We will create a report that runs weekly and is sent to the DISO and Director of Accounting Services that lists all users with access to a responsibility that includes the words “Super User”. We have end-dated the non-compatible responsibilities in the specific situations identified.
In addition, auditing will be turned on at the table level to track all changes to supplier name and bank accounts. Report(s) will be developed for management to review the audited data.

Segregation of duties of IT support group

5.18 Five of the twelve recommendations resulted from the Office of the Comptroller having a small information technology group managing the Oracle application. Ensuring proper segregation of incompatible functions is challenging when an organization is restricted by the number of resources available. Some examples of the types of issues encountered by the auditors are as follows:

• The IT group members were sharing generic accounts in production and they had functional user access to various Oracle production modules for troubleshooting. Sharing generic accounts reduces accountability, as the OOC would not be able to identify who performed transactions. Providing IT support users with functional access results in segregation of duties issues, which increases the risk of data errors in the application and database.
• Some powerful system accounts were being used by two database administrators without being monitored. Using these accounts without monitoring may result in unauthorized changes to database objects.
• Logging of key database functions was not enabled. By not logging key functions, the risk increases that support users can make changes in production without an appropriate audit trail.
• Two database administrators had access to the operating system root account without any monitoring of the activity. By not monitoring the root account, unauthorized changes can go undetected.

5.19 Seven users had both system administrator privileges and also had access to perform Oracle security administration.
Providing users with access to both system and security administration privileges increases the risk that changes are made outside of the established security change management process and increases the risk of unauthorized account creation, unauthorized access, and/or unauthorized transactions within the application and database.

5.20 While the issues noted above are not unusual in small IT groups, we made five recommendations to improve controls and to reduce the risks identified above. The OOC response to the recommendations was favorable. In its detailed response, the OOC identified the new control procedures that it will implement to reduce the risks that we identified.

Social assistance payment system (NBCase)

5.21 The purpose of this section is to discuss the findings and recommendations from our audit of the NBCase system controls in the Department of Social Development for the year ended 31 March 2009. We made recommendations in the following areas:

• Disabling NBCase Users’ Access
• NBCase System Error
• Completing Client Case Reviews

Disabling NBCase users’ access

5.22 In our testing, we found 31 NBCase user accounts that had not been disabled after 90 days of inactivity, as required by the government’s password standards for user accounts. Regional User Support Analysts (RUSA), who are responsible for requesting that access be disabled, did not submit access termination forms when required. Not disabling user accounts in a timely manner increases the risk of unauthorized access to information.

Results of testing

5.23 The following table shows the length of account inactivity and the number of users who have not accessed the system in that time period.

5.24 The Department indicated that not disabling user accounts was not a significant risk, as users need a network account to access the NBCase system.
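The inactivity test in 5.22 and the network account cross-check described under Network access testing below, as an added example that is not part of the report or of the Department's own tooling: the script finds enabled application accounts that have gone more than 90 days without a logon (the limit the password standard above requires), groups them by length of inactivity the way the results table does, and then checks whether each user's network account is still enabled, since only a disabled network account actually prevents the user from reaching the application. Account ids, logon dates, network account status and the review date are constructed sample data.

```python
"""Inactive account report with a network account cross-check.

Added example: not code from the audit report or from the Department of
Social Development. Accounts, dates and network status are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

INACTIVITY_LIMIT_DAYS = 90              # disable after this many days without a logon
REVIEW_DATE = date(2009, 3, 31)         # constructed review date (the audit year end)


@dataclass(frozen=True)
class AppAccount:
    user_id: str
    enabled: bool
    last_logon: Optional[date]          # None means the account has never logged on


# Constructed sample data: application accounts as at the review date.
APP_ACCOUNTS = [
    AppAccount("u001", True, date(2009, 3, 20)),
    AppAccount("u002", True, date(2008, 12, 1)),
    AppAccount("u003", True, date(2008, 6, 15)),
    AppAccount("u004", True, date(2007, 9, 1)),
    AppAccount("u005", False, date(2007, 1, 10)),   # already disabled, not reported
    AppAccount("u006", True, None),
]

# Constructed sample data: network account status, True if still enabled.
NETWORK_ACCOUNTS: Dict[str, bool] = {
    "u001": True, "u002": True, "u003": False,
    "u004": True, "u005": False, "u006": False,
}


def days_inactive(account: AppAccount, as_of: date) -> Optional[int]:
    """Days since the last logon, or None for an account that never logged on."""
    if account.last_logon is None:
        return None
    return (as_of - account.last_logon).days


def stale_accounts(accounts, as_of: date, limit: int = INACTIVITY_LIMIT_DAYS) -> List[AppAccount]:
    """Enabled accounts that should already have been disabled under the inactivity rule."""
    stale = []
    for acct in accounts:
        if not acct.enabled:
            continue
        inactive = days_inactive(acct, as_of)
        if inactive is None or inactive > limit:
            stale.append(acct)
    return stale


def inactivity_table(accounts, as_of: date, limit: int = INACTIVITY_LIMIT_DAYS) -> Dict[str, int]:
    """Count stale accounts by length of inactivity, like the results table."""
    counts = Counter()
    for acct in stale_accounts(accounts, as_of, limit):
        inactive = days_inactive(acct, as_of)
        if inactive is None:
            counts["never logged on"] += 1
        elif inactive <= 180:
            counts["91-180 days"] += 1
        elif inactive <= 365:
            counts["181-365 days"] += 1
        else:
            counts["over 365 days"] += 1
    return dict(counts)


def still_reachable(accounts, network, as_of: date, limit: int = INACTIVITY_LIMIT_DAYS) -> List[str]:
    """Stale application accounts whose network account is still enabled.

    These users can still reach the application, so relying on network
    disabling is not a control: the application account itself must be disabled.
    """
    return [acct.user_id for acct in stale_accounts(accounts, as_of, limit)
            if network.get(acct.user_id, False)]


if __name__ == "__main__":
    print(inactivity_table(APP_ACCOUNTS, REVIEW_DATE))
    print("still reachable:", still_reachable(APP_ACCOUNTS, NETWORK_ACCOUNTS, REVIEW_DATE))
```

Running the report monthly, as the departmental response below proposes, gives the business support group the stale list; the cross-check column is what turns the list into a priority order, because a stale account with a live network account is the one an unauthorized user could still use.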
Network access testing

5.25 We reviewed the 31 NBCase user accounts that were not disabled to ensure that these users’ network accounts had been disabled, thus preventing access to the NBCase system. We found that 17 of the 31 users still had an active network account and thus still had access to the NBCase system.

5.26 Relying on network account disabling as a means of controlling access to an application is not an effective control, as employees whose job functions change, but who remain in the Department, could still access the application. The Department should develop and implement a process to ensure access to applications is disabled when the access is no longer required by users.

Recommendation

5.27 We recommended the Department develop and implement a process to ensure that access to NBCase is disabled when access is no longer required by the users.

Departmental response

5.28 The Department will evaluate the current process for disabling access to the network and NBCase system, and address the inefficiencies to ensure that the disabling of employee accounts occurs in a timely fashion. An additional layer of access for users of specific applications such as NBCase and NBFamilies will be added to our current structure. A monthly report of users who have not accessed NBCase in 90 days will be produced and monitored by NBCase Business Support. The Department also has a supervisor’s checklist to be completed for employees who terminate or transfer within the Department. Included is the deletion of the employee’s user IDs.

NBCase system error

5.29 During our testing, we found that the NBCase system made an ineligible payment to a client. This error occurred when a case manager approved a five-year-old document in the system, thus triggering the ineligible payment. As this ineligible payment occurred because of a system error, it is possible that the system made similar payments to other clients.
5.30 We discussed this issue with departmental staff and they confirmed that this was an NBCase system error. Staff have set up an overpayment of $1,326, the amount of the ineligible payment. They were also going to request that the system be modified to prevent future ineligible payments of this nature from occurring.

Recommendation

5.31 We recommended the Department review past payments to identify cases where ineligible payments were made to clients. The Department should set up overpayments for any ineligible payments that it identifies.

5.32 We recommended the Department modify the system to prevent future ineligible payments of this nature from occurring.

Departmental response

5.33 The Department is currently undertaking a review of closed and active cases where retroactive payments were made. In this unusual set of circumstances caused by user action, overpayments will be set up – if applicable. The NBCase system will be modified to redirect retroactive payments to the local office for validation before releasing to the client.

Completing client case reviews

5.34 During our audit, we determined that client case reviews for the 2008 fiscal year were not completed because the Department decided not to hire summer students. The Department typically hires summer students to complete client case reviews. These client reviews are required by departmental policy and often result in financial savings to the Department. Not completing client case reviews increases the risk of ineligible social assistance payments.

5.35 In 2007, summer students recommended financial changes in 89 of the client reviews performed. Also, they referred 100 cases to regional investigators for further investigation, which could have resulted in further cost savings to the Department.

Overdue client reviews

5.36 The following table shows the number of outstanding client case reviews.

5.37 The Department has improved in completing outstanding client case reviews compared with prior years.
5.38 For the 2008 year, 21.3% of client cases had overdue case reviews. This is a direct result of the decision not to hire summer students in 2008 and could result in undetected overpayments to clients.

Recommendation

5.39 We recommended the Department complete case reviews for social assistance clients on time, as required by policy.

Departmental response

5.40 The Department has considered the effects of not employing summer students in 2008 to carry out case reviews. It has been decided to hire twenty-three students for the summer of 2009 to complete the outstanding overdue case reviews and then to address a significant portion of those due this year. It is expected to take more than one year to fully address the backlog that has accumulated.

Government payroll system (HRIS)

Scope

5.41 As part of our audit of the Province’s expenditures, we perform testing on the government’s payroll system (HRIS). Our testing has two parts:

• We document and test controls at the Office of Human Resources (OHR) – Human Resource Information Services Branch (the branch). This branch is responsible for the operation of the HRIS and provides central control procedures for the government’s civil service and casual payroll.
• We document and test controls at two or three government departments. We also select and test a sample of payroll transactions for these departments. Each year, we select different departments to ensure we visit all departments on a rotational basis. This year we selected the Department of Environment, the Department of Local Government and the Department of Public Safety.

5.42 Excluded from our testing is payroll for the Province’s teachers. The teachers are paid from a different system which is operated by the Department of Education. We rely on the work of the Office of the Comptroller (OOC) for these payments. The OOC conducts detailed testing on school districts’ payroll expenses and we review this testing as evidence to support our audit opinion.
Findings

5.43 In our work, we found issues relating to departmental payroll staff’s knowledge of HRIS and its reports. We communicated our findings to the departments, as well as to OHR. We discuss our detailed findings below.

HRIS training

5.44 From our work in departments, we believe that departmental payroll officers are not adequately trained on how to use the HRIS. Inadequate training of departmental users increases the risk of departmental payroll officers incorrectly using HRIS and its reports, which may result in payroll errors.

5.45 We found three errors which we believe were caused by inadequate training of some payroll staff. When we discussed the errors with staff and management, they indicated they needed more guidance on how to review standard HRIS reports.

5.46 We also found that in one department, as a result of high turnover, a payroll officer was assigned new tasks that she was not trained to do. The department provided some limited training, but this training was not sufficient for the payroll officer to competently carry out the new duties.

5.47 From our work in the past, we have noticed that high turnover is a common problem in many departments. This has led to a shortage of experienced and properly trained payroll staff.

5.48 Currently, no centralized training program for HRIS users exists; departments are responsible for training their own payroll staff. We believe departments are struggling with how to effectively train payroll staff, as HRIS is a unique and complex system and they lack experienced payroll staff to provide this training.

5.49 We discussed training alternatives with OHR management at the branch. We were told that the branch offers several services to assist payroll officers in their use of the system and it encourages departments to participate in the Pension Benefits User Group meetings and to enroll their payroll officers in courses offered by The Canadian Payroll Association (CPA).
We found from our discussions with several departments that they were not aware of some of the services and the CPA courses.

5.50 We believe that since OHR is the system owner of the HRIS, it has a responsibility to ensure its system users are adequately trained. We believe that the branch should periodically inform departments of the support services that it offers and it should provide these services when requested. If the branch does not have the necessary resources to provide these support services, then it should investigate alternative training methods that may be more cost effective, such as webinars or on-line training.

Recommendation

5.51 We recommended OHR provide effective support and training to HRIS users. The types of support and training should be communicated to all departments. These services should be available to departments when needed.

OHR Response

5.52 [We] agree with your findings. The lack of a comprehensive corporate HRIS training program is an issue we have recognized and struggled with for some time. The demise of corporate training is rooted in successive years of budget restraint that led to an overall HRI Services staff reduction of over 30%, and with it, a loss of expertise in many areas including program and office management, specialized technical/programming, business analysis, and in particular user training skill sets. Since 2002 the unit that once developed and delivered HRIS training was reduced by 75%.

5.53 We have pursued creative solutions with varying degrees of success, including an attempt in 2007 to partner with departments to reestablish a corporate training program, and more recently an arrangement with the Department of Finance to have one of their resources administer the Federal Record of Employment application on our behalf, to support this new and more efficient way for departments to manage the program.
5.54 As you have acknowledged, HRIS is unique, meaning any training solution requires internal resources for the development, maintenance, and in most cases the delivery. Considering our constraints we are not positioned to redevelop a centralized training program; however, we continue to pursue various alternatives, including:

• An update of a self-training guide is included on the HRI Services work plan for 2009-10. We have recently used this guide as a training tool for our own staff and recognize its potential for broader use.
• Considering certain errors uncovered during the audit appear to be basic payroll knowledge issues, programs offered by the Canadian Payroll Association appear to be relevant. To further promote and communicate this type of training, we will add these programs to the OHR corporate training calendar.
• We are nearing the completion of a payroll standardization project. This initiative focused on Policy and Collective Agreement provisions where the payroll implementation rules were not clear. Work was completed in conjunction with the Pay and Benefits User Group Committee and HR Directors to gather information on current practices, inconsistencies, and recommendations. A communication will be prepared outlining procedures and promoting consistency.
• The payroll function will transfer to a new shared service agency on April 1, 2010. We have agreed to the secondment of the Director of HRIS to the ISA initiative as a project lead for the transition of the payroll and benefits service to the shared services delivery model. A recent focus group session identified process improvement, standardization, and investment in employee training as critical success factors in this transfer and [the Director of HRIS] will focus efforts on seeing that these requirements are accounted for in the ISA project plan for payroll.
• We remain committed to working with HR Directors and the Pay and Benefits User Group and will put a renewed effort into promoting information sharing, identifying areas of weakness, and effectively working with the group to facilitate learning and sharing best practices.
• As recommended, we will also communicate your audit findings to departments and remind them of our help desk, on-line HRIS documentation, and one-on-one support services offered.

New exception reports

5.55 Branch exception reports should identify employees who do not have pension deductions set up when required.

5.56 We found one error where a department incorrectly set up a new employee in HRIS. The departmental payroll officer used an incorrect commencement code, which resulted in the system not deducting pension for the employee. The employee must now pay the pension contribution that should have been deducted by the system. Had this error not been detected, the employee could have experienced difficulties receiving her pension benefits upon retirement.

5.57 The HRIS branch staff believe this error should have been detected by the department if the payroll officer had been verifying the accuracy of the data input. Also, branch staff indicated that the system would have issued an attention message to the payroll officer advising her of the commencement code conflict. The payroll officer would have had to ignore this message.

5.58 From our work at the HRIS branch, we know that the branch staff generate and review a number of exception reports to identify potential data errors; however, cases where pension deductions are missing are not included in these reports. We believe the HRIS branch should develop a new exception report to identify cases where pension deductions are not set up for employees when circumstances indicate that they should be. We discussed this with the HRIS branch and they agreed that this was possible.
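As an added example of the exception report discussed in 5.58 (not code from the report or from the HRIS branch), the following Python script compares the deductions set up for each employee against the deductions the employee's commencement code requires, so a missed pension deduction surfaces on a branch report instead of depending on a departmental review or an attention message that can be ignored. The commencement codes, the eligibility mapping and the payroll records are constructed for the example; a real report would use the branch's own eligibility criteria. It also flags the reverse case, a pension deduction set up under a code that does not call for one, which the report does not discuss.

```python
"""Exception report: pension deductions that do not match the commencement code.

Added example: not code from the audit report or the HRIS branch. Commencement
codes, the eligibility rule and the payroll records are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed commencement codes and whether each one makes the employee
# pension eligible. Hypothetical codes, not the HRIS code table.
PENSION_REQUIRED_BY_CODE: Dict[str, bool] = {
    "NEW_PERM": True,      # new permanent employee: contributions required
    "NEW_TERM": True,      # term employee above the eligibility threshold
    "REHIRE_PERM": True,
    "CASUAL": False,       # casual employee: not eligible
}

PENSION_DEDUCTION = "PENSION"   # deduction code the report looks for


@dataclass(frozen=True)
class PayrollRecord:
    employee_id: str
    commencement_code: str
    deductions: FrozenSet[str]  # deduction codes currently set up for the employee


# Constructed sample payroll records for one pay period.
PAYROLL = [
    PayrollRecord("E100", "NEW_PERM", frozenset({"PENSION", "UNION"})),   # correct
    PayrollRecord("E101", "NEW_PERM", frozenset({"UNION"})),              # pension missing
    PayrollRecord("E102", "CASUAL", frozenset()),                         # correctly none
    PayrollRecord("E103", "CASUAL", frozenset({"PENSION"})),              # unexpected pension
    PayrollRecord("E104", "XXXX", frozenset()),                           # code not in the table
]


def classify(record: PayrollRecord, rules: Dict[str, bool]) -> str:
    """Return an exception reason for one record, or an empty string if it is consistent."""
    required = rules.get(record.commencement_code)
    has_pension = PENSION_DEDUCTION in record.deductions
    if required is None:
        # A code the eligibility table does not know cannot be checked; report it
        # rather than silently treating it as "not eligible".
        return "unknown_commencement_code"
    if required and not has_pension:
        return "pension_deduction_missing"
    if not required and has_pension:
        return "pension_deduction_unexpected"
    return ""


def pension_exceptions(records=PAYROLL, rules=PENSION_REQUIRED_BY_CODE) -> List[Tuple[str, str]]:
    """The exception report: (employee_id, reason) for every inconsistent record."""
    return [(rec.employee_id, reason)
            for rec in records
            if (reason := classify(rec, rules))]


if __name__ == "__main__":
    for employee_id, reason in pension_exceptions():
        print(f"{employee_id}\t{reason}")
```

The unknown-code case matters for the same reason the missing-deduction case does: a report that only lists codes it recognises would have passed the mis-keyed record straight through, which is exactly the gap the recommendation is meant to close.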
Recommendation

5.59 We recommended the branch generate and monitor an exception report to identify employees who do not have pension deductions set up when required.

OHR Response

5.60 It is [our] understanding that system processes are in place to automatically set up the pension deduction based on specific eligibility criteria, along with attention messaging for conflicts and an automatic navigation feature that takes system users to a summary of deductions to support a quality assurance review. Considering the safeguards, this situation appears to be isolated, and of low risk of recurrence. [We] do agree with the significance of the outcome, however, and acknowledge that current discrepancy reporting does not cover this case. The HRI Services division will investigate the creation of a new exception report.

Property tax system

5.61 We had two issues in our audit of the Property Tax System (PATS): improving audit efficiency and preparing an accounts receivable listing. We communicated these issues to the Department of Finance and we discuss them in the paragraphs that follow.

Improving audit efficiency

5.62 During our audit we noted three ways we could improve audit efficiency. Making these improvements would reduce the time needed by both our auditors and departmental staff.

Information should be provided in a timely manner

5.63 During the audit, we did not always receive the information we requested in a timely manner. For example, we requested one report on February 27th but we did not receive it until June. Delays of this nature are unnecessary and greatly increase the time needed to complete assignments.

Departmental staff should be available during the audit

5.64 During the year-end audit, two key staff members were often unavailable for various reasons such as meetings, vacation and illness.
Even though we tried to mitigate the risk of staff being on vacation by setting the audit date in advance and verifying that staff members would be available, we still experienced delays because of staff vacations. The audit time would be reduced if one key staff member were available for a short period of time each day for questions.

Reconciliations should be completed by departmental staff prior to our audit

5.65 A step in our audit process is to complete specific reconciliations for both revenue and receivables. Completing these reconciliations during the audit is time consuming for both departmental staff and our auditors. We would all save time if departmental staff completed these reconciliations prior to the start of the year-end audit.

5.66 As our audit work becomes more complex due to changes in accounting and auditing standards, and as our staff resources are reduced due to budget cuts, it is essential that our auditors and departmental staff work together to find ways to reduce the time needed to complete the audit.

Recommendation

5.67 We recommended the Department provide all requested information in a timely manner.

Departmental response

5.68 The department agrees that existing reports should be provided in a timely manner during the audit. Although the example identified was accurate, we feel this particular report delay was the exception to our normal practice. This was not a Department of Finance report and, therefore, had to be requested. However, we concur that the non-receipt of the report should have been escalated sooner than it was. To the extent possible in future, should your auditors identify any necessary reports in advance of the audit, this will also assist in minimizing delays.

Recommendation

5.69 We recommended the Department have key staff available to us during the audit to help ensure the timely completion of the audit.
Departmental response

5.70 The department accepts that the availability of key staff is necessary to achieve a timely completion of audits. The Account Management Unit has a very heavy workload demand; nevertheless, best efforts will be made to have required staff more readily available in future. Both the Office of the Auditor General and the Department of Finance should strive to ensure that the annual audit is completed prior to the onset of the traditional vacation season.

Recommendation

5.71 We recommended the Department complete revenue and receivable reconciliations prior to the start of the year-end audit.

Departmental response

5.72 The department prepares its annual financial statements within the deadlines set by the Office of the Comptroller. This process requires that reconciliations of revenue and receivable accounts be completed. We believe this recommendation relates to the completion of reconciliation spreadsheets that have been specifically designed by the auditors as a form of verification tool to ensure the accuracy of the financial statements. These spreadsheets were utilized in the most recent audit and can be completed, upon request, in addition to the department’s reconciliations prior to the commencement of next year’s audit.

Accounts receivable listing

5.73 Finance does not have a detailed listing of its accounts receivable as of 31 March. Departmental staff indicated that this is because the receivable listings are pre-programmed to download from the property tax system on specific dates, i.e. the first Friday of the month after a full week. This year the download was run on April 10th in relation to the 31 March balance.

5.74 Many adjustments go through the property tax system each day, including receipt of payments and changes in assessments.
Therefore, in order to ensure the balance reported in the 31 March financial statements is complete and accurate, we must reconcile the April 10th download to the figure reported in the financial statements. Completing this reconciliation is very time consuming because many changes take place within this ten-day time span.

5.75 We believe Finance should provide us with an accounts receivable listing as at 31 March. If this is not possible, then Finance should reconcile the downloaded receivables listing to the receivable balance reported in the financial statements. Finance should provide us with this reconciliation as part of the year-end audit package.

Recommendation

5.76 We recommended the Department provide our Office with an accounts receivable listing as at 31 March. If this is not possible, then the Department should reconcile the accounts receivable balance in the financial statements to the latest download of accounts receivable from the Property Tax System before our year-end audit begins.

Departmental response

5.77 Although the department receives summary receivable reports as at March 31 and detailed receivable reports shortly thereafter, the department is able to produce a March 31 detailed receivable report and this report will be provided to the Office of the Auditor General as at 31 March 2010.

Property tax system – follow up

Background

5.78 In this section, we discuss the status of the recommendations we made in our 2007 Report, Volume 1, Chapter 4. In the 2007 chapter, we presented findings and made 17 recommendations on the property tax system (PATS) and the Account Management section in the Department of Finance (the Department).

Summary of results

5.79 The following exhibit shows the status of our 2007 recommendations.

Detailed results

Implemented recommendations

5.80 We are pleased to see that the Department has implemented the following five recommendations.
• Two individuals (who are independent from the person inputting tax rates) are verifying the accuracy of the tax rates.
• The Department is reconciling the cash suspense accounts monthly and someone is reviewing the reconciliations to ensure they are completed properly and in a timely manner.
• The Province is showing the balance of the municipal property tax receivable in the year-end receivable balance.
• The Department has removed accounts receivable owed by other departments from its year-end receivable balance.

Partially implemented recommendations

5.81 The Department has partially implemented nine of our 2007 recommendations. Exhibit 5.1 lists the recommendations and the Department’s progress in implementing the recommendations.

Exhibit 5.1 Partially implemented recommendations

Recommendations not implemented

5.82 The Department has not implemented the following three recommendations.

5.83 We recommended the Department develop and implement an action plan to deal with the risks associated with the age of the PAT system.

Departmental response

5.84 The Department believes that the current system is “extremely stable and reliable and continues to meet the needs of the Department ... While the Department will continue to assess business opportunities to replace PATS, there are no immediate plans to do so ...”

5.85 We recommended the Department staff authorize the release of program changes to production by instructing the Data Centre staff to only make changes that are approved by the Department.

Departmental response

5.86 ... The Department believes that providing the Data Centre with a copy of the signed-off approval provides no additional control over the approval process. In this situation, reliance must be placed on the programmer to submit the same changes to be released to production that were previously confirmed and accepted by the Department in “test” mode.
5.87 We recommended the Department ensure the completeness of the “Assessment of Tax Notices” by predetermining the number of notices that should be produced and agreeing this number to the actual number produced.

Departmental response

5.88 The Department matches the number of notices that the PATS indicates are to be produced with the number actually issued. As this report is produced from the PATS at the time the notices are to be prepared, the Department believes this to be an adequate verification procedure.