Background 4.1 The Canadian Institute of Chartered Accountants’ auditing standards require us to document and test internal controls in all major systems in an organization. We classify a major system as any system that processes transactions in excess of $100 million. For most of these systems, in addition to internal control testing, we also test specific transactions. Transaction testing involves selecting a statistical sample of individual transactions from payments and performing detailed testing using a predetermined set of criteria. To express our opinion on the financial statements of the Province, we combine the results of both our internal control and our transaction testing. Scope 4.2 The following table lists the information systems for which we document and test the internal controls, the departments which operate the systems, the type of transactions processed and the type of findings for each system. The table below shows that the majority of the systems we examine are payment systems. 4.3 We communicated our observations and recommendations to each department for both the internal controls and transaction testing. In this chapter, we report the results of our work by information system. Provincial payment and general ledger system (Oracle) Background 4.4 The provincial payment and general ledger system (Oracle) is one of the most significant systems operated by the Province. The accounts payable module is responsible for processing the majority of the government’s payments. The general ledger (GL) module is used for recording all of the Province’s transactions and the information stored in the GL is used to generate the Province’s financial statements. The Office of the Comptroller operates the system, but all government departments use it to process transactions. Because of the significance of this system, every year we test its internal controls and we select and test a sample of transactions processed by the system. Findings 4.5 In our tests of controls, we concluded that controls were operating effectively for the period of review. We also followed up on our previous year’s recommendations and determined that the Office of the Comptroller is making significant progress in implementing our internal control recommendations. 4.6 Our transaction testing covered payments made by 13 departments during the fiscal year ended 31 March 2010. We selected and tested 101 items which totaled approximately $261 million. Our testing criteria covered a variety of areas ranging from proper spending and payment authority to ensuring transactions were recorded in the correct period, otherwise known as “proper cut-off”. Our criteria were drawn from our knowledge of financial statement assertions and related controls. 4.7 We found departments had improved significantly in most testing criteria from the prior year. This year, we made recommendations to only one department. Exhibit 4.1 Number of items tested, the dollar value tested and the number of errors by department. Testing criteria and results 4.8 Exhibit 4.2 shows the testing criteria that we used for each item we selected in our statistical sample. In the past, we found many spending and payment authority errors. We are pleased to see departments improved significantly on these testing criteria. Exhibit 4.2 Number of errors for each testing criteria. Department of Transportation 4.9 Even though we found no errors in our standard audit testing criteria, we made the following comments to the Department of Transportation as a result of our testing. Evaluating tender bids 4.10 During our 2008 and 2009 testing, we found many cases where total payments for a contract exceeded the amount authorized on the original tendered contract. In 2008, in order to determine the extent of this issue, we decided to look at all contracts in our sample. In our sample of twenty-five contracts, we found twelve cases where the total payments for the contracts exceeded the authorized contract amounts. This continued in 2009. Discussion with the Department indicated this is normal as tender submissions are based on estimates and during the course of a project actual materials required could exceed the original estimates. 4.11 In almost all cases, the tendering evaluation process results in the Department accepting the lowest bid. However, where these bids contain major variables, the departmental process should consider the unit costs of these variables, as well as the overall cost of the bid. That is, if two bids are relatively close in overall cost, but one bid has a major variable with a per unit cost that is significantly lower than the other, the bid with the lower unit cost could result in a lower cost for the Department, even though the overall cost of the bid is slightly higher. We believe evaluating the unit cost on items with variable quantities might lead to cost savings given the large number of times actual quantities exceed original estimated quantities. Recommendation 4.12 We recommended the Department review its tender evaluation process to see if it can reduce costs by considering the unit costs of major variables in the bids, as well as the overall cost of the bids. Departmental response 4.13 After considering your recommendation to review the tender evaluation process it is felt that the present process is sufficient. The tender process results in the department accepting the lowest of the compliant bids. DOT staff is accountable for project management and cost control is a function of project management. The districts and head office closely monitor construction contracts, including changes in estimated quantities, and provide approvals via change orders. Senior managers also monitor overall the capital program performance at monthly forecast meetings and are aware of contract overages. During these meetings our Chief Engineer verbally authorizes the continuation of projects. In accordance with my memo to you on July 28, 2009, the Chief Engineer now documents his approval by signing the monthly financial forecast. Contracts for asphalt 4.14 One test item was for the purchase of asphalt for road maintenance. This purchase was not tendered and bids were not requested from different suppliers. While this is not a violation of the Public Purchasing Act, we believe the Department should determine if requesting bids from suppliers would result in cost saving opportunities for the Province. Recommendation 4.15 We recommended the Department review its purchase process for asphalt to determine if obtaining bids from asphalt suppliers would save the Province money. Departmental response 4.16 We agree with your recommendation that the purchase process for asphalt needed to be reviewed and in fact this process was recently undertaken. Quotations from various asphalt concrete suppliers are now solicited. The quotations are adjusted on a monthly basis, based on the change in the MTO Binder Price Index. When choosing an asphalt supplier, the price, haul distance and productivity of work operations to complete the work are considered in order to obtain the most cost efficient supplier. Social assistance payment system (NBCase) Background 4.17 The social assistance payment system (NBCase) is another significant payment system in the Province. The Department of Social Development operates the system and it makes payments to social assistance clients in the Province. It processes transactions of approximately $232 million. The majority of our audit assurance for this system is obtained through tests of controls; we do not select a statistical sample of transactions. Because of the significance of this system, every year we test the system’s internal controls and perform other audit tests to obtain our assurance. Overall findings 4.18 This year we made recommendations in the following areas: • access controls – disabling inactive users; • training NBCase users; • verifying retroactive payments; and • recommendations of Overpayment Committee. Access controls – disabling inactive users Issue 4.19 During our testing of the NBCase system, we found that 44 NBCase user accounts had not been disabled after 90 days of inactivity. Disabling inactive user accounts on a timely basis reduces the risk of unauthorized access to information. Findings 4.20 Of the 44 users’ accounts that were inactive for at least 90 days, only 14 had valid reasons for not being disabled. The remaining 30 accounts are classified as follows: • 6 users had terminated with the Department and their active directory account was disabled; • 1 user had terminated with the Department on September 30, 2009 and the user’s active directory account was still active in February 2010; and • 23 users were employees with the Department but the Department did not have valid reasons why the users’ access was still active. 4.21 These 30 accounts should all have been disabled. For two of the 30 accounts, the users indicated that they require the access. These accounts should be properly reclassified as “required” if they are to remain as active users. Observations 4.22 From our discussions with the Department, we noted that it does have a process in place to disable inactive users, however based on the results of our testing, the Department should improve this process. 4.23 For the 6 users who are no longer employees of the Department and who do NOT have an active directory account, the risk of unauthorized access to information is remote. However, disabling inactive users would help the Department manage software licenses and comply with government standards that require user accounts be disabled if they have been inactive for 90 days. 4.24 For users who are still employed with the Department, the risk of unauthorized access to information increases as these employees have access to confidential information not required for their job functions. This is a violation of the Government Information Technology Systems Security Policy which states “Access to GNB information systems, applications and computing resources shall be based on each user’s business requirement.” Recommendations 4.25 We recommended the Department disable NBCase user accounts after 90 days of inactivity. 4.26 We recommended the Department disable active directory user accounts as soon as an employee terminates from the Department. Departmental response 4.27 It is not necessary to disable NBCase accounts after 90 days because all Active Directory Accounts are disabled after 30 days of inactivity. If a user does not have an Active Directory account they will not be able to access NBCase. There is no risk to security. 4.28 In addition, we have in place a process to keep the NBCase accounts up to date as per the recommendation made by the Auditor General in 2009. We advised the Auditor General of our process in our response in April 2009 and we continue to educate and stress to those involved in the account maintenance process, the importance of submitting the proper forms in a timely manner to ensure that changes to user accounts are up-to-date. Training NBCase users Issue 4.29 Not all NBCase users are adequately trained on how to use the NBCase system. The risk of error in payments increases when users are not adequately trained on how to use the system properly. Findings 4.30 We tested 20 retroactive payments made to social assistance clients. We found 9 errors in these payments that were caused by case manager error. The causes of the errors were as follows: • case manager modified records instead of end-dating records and creating new records; • case manager made errors entering information into the system and then ignored system messages that would have indicated an error occurred; • case manager set up income as a wrong benefit type; • case manager did not correctly “undo terminate” special benefits when required; • case manager entered incorrect termination date for client; and • case manager did not fix client overpayment correctly. 4.31 As a result: • 7 clients were overpaid by $7,444.38; • 1 client was underpaid by $216.30; and • 1 client’s overpayment was reduced by $200. Discussion with the Department 4.32 Discussions with staff indicated training NBCase users is an issue that the Department has identified. The Overpayment Committee identified training as the number one priority in the Overpayment Committee Action Plan. The Department has begun a “User Support Model” review which has identified training of NBCase users as a key issue. Recommendation 4.33 The Department should ensure all users of the NBCase system are adequately trained. Departmental response 4.34 NBCase system training will be addressed through the implementation of the new User Support Model and through the implementation of new initiatives such as Social Assistance Reform and the Canada Revenue Agency Set-Off Program. Verifying retroactive payments Issue 4.35 During our testing, we found nine errors in retroactive payments to clients. By not ensuring retroactive payments to clients are correct, the Department is making invalid payments to clients. This results in: • higher expenses for the Department; • increases in accounts receivable when the overpayments are discovered; and • additional burden on clients as repaying overpayments reduces their monthly cheques by 5%. Findings 4.36 As part of our testing, we reviewed a sample of clients who received more than the expected number of payments in a year. These extra payments result from retroactive payments to clients. This year, we tested 20 retroactive payments and found 9 invalid payments. The majority of these payments occurred when case managers made changes to client files. 4.37 From our discussions with the Department, we were told that these errors were not detected because of a system change which caused retroactive payments to be directly deposited into clients’ bank accounts. We reported this problem in our 2009 letter to the Department. We were told that this system change affected retroactive payments issued between October 2008 and June 2009. 4.38 We believe because of the high error rate we encountered in our retroactive payments testing, the Department should verify the accuracy of all retroactive payments issued between October 2008 and June 2009. 4.39 In addition, we were told that starting in July 2009, the system is forwarding all cheques for retroactive payments directly to the regional offices. Starting in July 2009, the case managers must review the cheques for validity and then authorize their release to clients. We would like the case managers to be trained on how to verify the validity of these retroactive cheques. This will help ensure the case managers do not inadvertently release invalid payments to clients. Recommendations 4.40 We recommended the Department verify the accuracy of all retroactive payments made to clients in the timeframe affected by the NBCase system change. 4.41 We recommended the Department train case managers how to verify the accuracy and validity of retroactive payments. Departmental response 4.42 The issue was specific to daily payments issued on cases set- up for Direct Bank Deposit. The automated process of redirecting the daily payments on these cases was re-implemented in July 2009. Retroactive payments issued between October 2008 and June 2009 on these cases will be reviewed for accuracy. A procedure and training will be developed in relation to reviewing retroactive payments. Recommendations of Overpayment Committee Issue 4.43 The Department has not begun implementing the recommendations made by the Overpayment Committee. The Department formed a Social Assistance Overpayment Committee (the Committee) to examine the prevention, detection and administration of overpayments. By not implementing the recommendations of the Committee, the number of overpayments made to social assistance clients will continue to increase. This will lead to an increase in expenditures and accounts receivable for the Province. Findings 4.44 The Committee was formed in March 2007 and had a two year mandate. The Committee provided us with a draft report of its findings and recommendations. 4.45 In July 2009, the Committee completed an Action Plan which was presented to departmental directors in October 2009. The Action Plan prioritized 10 recommendations and described how implementing the recommendations would impact long-term resources and overpayments. 4.46 We would like to commend the Department for creating the Committee to address the increasing amount of overpayments. We would, however, like to ensure the Department addresses appropriately the Committee’s recommendations. 4.47 At the time of our audit, the Department had not progressed in implementing the recommendations of the Committee. We saw very little evidence that the Department has implemented the recommendations in the action plan. Recommendations 4.48 We recommended the Department review and implement the relevant recommendations of the Overpayment Committee. 4.49 We recommended the Department identify time deadlines for implementing the recommendations noted in the action plan. Departmental response 4.50 The recommendations identified by this committee will be addressed through other initiatives that are currently taking place in the Department. As we continue to implement the initiatives from the Poverty Reduction Initiative, including social assistance reform, we will ensure that mechanisms are in place to train staff in relation to the prevention and detection of overpayments. Consideration will also be given to the other committee recommendations that relate to the implementation of Social Assistance Reform. The Canada Revenue Agency Set-Off Program has been approved for our department and we are in the process of identifying accounts eligible for this program. This initiative will also address improvements to the administration and monitoring of overpayment accounts. Long-term care payment system (NBFamilies) Background 4.51 The long-term care payment system (NBFamilies) is another significant system in the Province that we test every year. The Department of Social Development operates the system and it processes transactions of approximately $265 million for child protection and long-term care programs in the Department. The system also tracks information on clients, service providers and adult residential facilities. The NBFamilies system provides payment information to the provincial Oracle payment system which, in turn, produces payments to various service providers or clients. 4.52 Various internal controls are built into the system to ensure only authorized payment information is transferred to the Oracle system for payment. The NBFamilies system has an electronic interface which enables service providers to electronically input payment information into the system. Various controls are in place to verify the accuracy of this information before a payment is made. 4.53 The majority of our audit assurance for this system is obtained through tests of controls, as well as a statistical sample of transactions. Overall findings 4.54 This year we made recommendations in the following areas: Results of internal control testing • system program changes; and • disabling active users. Results of statistical sample testing • proper spending authority; • backup supports payment; • financial documentation and client contribution; • out-of-date case plans; • long-term care assessments; • documenting annual case reviews; and • Adult Residential Facility inspection and licensing documentation. Co-operation of Department 4.55 We would like to thank the staff in the Department’s Information Technology Services branch for the help they provided to our auditors in carrying out this year’s audit. The staff were very quick to answer our requests and this in turn enabled us to complete our control testing much faster. We also found it easier to obtain information from the regions this year. Regional staff provided information in a much timelier manner thus reducing our audit time. Improved results over prior year 4.56 This year in our statistical testing, we found the Department improved over the prior year in most testing criteria. The criteria of client financial documentation and client long-term care assessments had the biggest positive change. Only the spending authority criterion had an unfavorable change. Also, the number of errors per item decreased. This year in our sample of 28 items, we found 29 errors. Last year in our sample of 38 items, we found 48 errors. Results of internal control testing System program changes 4.57 In our 2008 Report, we made three recommendations in the area of program changes. During our 2008 audit, we also found obtaining backup for system program changes time consuming and difficult. This year, we found the Department improved significantly in documenting and filing information relating to system program changes. 4.58 We tested ten NBFamilies program changes and we made two observations relating to our testing. • Two maintenance releases were not formally approved in the meeting minutes, although discussion with staff indicated that these maintenance releases would have been verbally approved. • We found no evidence of testing for three of the ten system program changes. Normally, employees who test changes document their results in a test plan and then notify a departmental coordinator that the testing is complete. For three cases, the test plans were not updated and the departmental coordinator was unable to find copies of the emails which indicated that the changes were tested. The departmental coordinator indicated that sometimes testers forget to put the testing results in the test plans but the coordinator is confident that all the changes were tested. Recommendation 4.59 We recommended the Department ensure all maintenance releases are formally approved by the Department in maintenance release meeting minutes. Departmental response 4.60 Social Development will work with CGI to ensure that changes to the current process will be made to formally note where the approval of release content is given in the maintenance release content meeting. In addition, we will look to adopt a similar process that we currently use for the approval of Change Requests so that the content of the release would potentially be approved by both an e- mail approval and also have the content approved and noted in the minutes of the maintenance release content meeting as specified above. Recommendation 4.61 We recommended all employees responsible for testing program changes document the results of their testing in the applicable test plans. Departmental response 4.62 The Social Development test coordinator will work with the test team on the importance of making sure that all test results are documented in the applicable test plans. Disabling inactive users 4.63 During our testing, we found 95 NBFamilies user accounts had not been disabled after 90 days of inactivity. We also found two active directory accounts had not been disabled on a timely basis when employees terminated with the Department. Disabling inactive user accounts on a timely basis reduces the risk of unauthorized access to information. Findings 4.64 Of the 95 users who had not logged into the system in the last 90 days, we noted the following: • 20 users had terminated with the Department and their active directory account was disabled; • 2 users had terminated with the Department but their active directory account was NOT disabled; • 16 users had never accessed the NBFamilies system; • 2 users had not accessed the system since 2006; • 3 users had not accessed the system since 2007; • 13 users had not accessed the system since 2008; and • 39 users had not accessed the system since 2009. 4.65 The Department did not provide us with a reason why the user accounts were not disabled after 90 days of inactivity. It did indicate that some of the user accounts are required for the reporting structure and cannot be disabled. The Department did not inform us of how many of the 95 accounts are mandatory and could not be disabled. In March 2003, the government released the “Password Standard for User Accounts”. These standards require user accounts be disabled if they have been inactive for 90 days. Observations 4.66 We believe that the Department does not have a process in place to ensure user accounts are disabled in a timely manner. By not disabling inactive users, the risk that unauthorized users can access the NBFamilies system information increases. 4.67 For users who are no longer employees of the Department and who do not have an active directory account, the risk of unauthorized access is remote. However, disabling inactive users would help the Department manage software licenses and comply with the government’s standards. 4.68 For users who are still employed with the Department, the risk of unauthorized access to information increases as these employees have access to confidential information not required for their job functions. This is a violation of the Government Information Technology Systems Security Policy which states “Access to GNB information systems, applications and computing resources shall be based on each user’s business requirement.” Recommendation 4.69 The Department should disable NBFamilies user accounts after 90 days of inactivity. Departmental response 4.70 Active Directory accounts are disabled automatically after 30 days of inactivity. Users are not able to login to the NBFamilies System without a working Active Directory Account. We feel this procedure effectively meets the security concern requirement for disabling NBFamilies account access after 90 days of inactivity. 4.71 To supplement this process, Social Development employs an NBFamilies Quarterly Account review process which actively monitors and prompts regional review of accounts which have not accessed the system in 90 days. These reports are typically split and sent through to the regions via the RUSAs (5 regionally located user analyst staff) for review and response. Through this process, RUSA staff are to identify exceptions (e.g. Regional directors, Program Managers, etc. – people who have access to the system for both the reporting structure and the very rare exceptional spending authority request, essentially people who are not liable to normally log into NBFamilies, but need access on a rare occasion). RUSAs are also asked to complete account modification/termination requests as are appropriate based on these reports. This is the document which triggers the disabling of the NBFamilies account. Recommendation 4.72 The Department should disable active directory user accounts as soon as employees terminate from the Department. Departmental response 4.73 We do not feel it is either possible or practical to disable AD accounts as soon as employees are terminated. This is why a 30-day inactivity process is in place. 4.74 Currently, we rely on the RUSAs advising IT Services that an employee is terminating, and the RUSAs are relying on the individual managers/supervisors advising them of the termination in a timely fashion. 4.75 IT Services disables Active Directory accounts as soon as they are notified of an employee termination through the account modification/termination request. As a further safeguard, the 30 day inactivity process is also in place. Results of statistical sample testing 4.76 Our work covered payments made in both the child protection and the long-term care programs. We tested 28 payments processed by various regions throughout the fiscal year 2010. The following chart shows the types of payments tested. Summary of results by region 4.77 Our sample covered seven of the eight regions in the Department. Our findings are reported by region and by audit criteria. The following table shows the number of payments tested for each region and the number of reportable items by region. 4.78 As you can see from the table, we found a number of errors in each region, except for the Edmundston region. Our statistical sample did not produce any test items from the Miramichi region. Summary of test results by criteria 4.79 Our testing criteria covered a variety of areas ranging from proper payment and spending authority to ensuring clients were eligible to receive payments. We based our criteria on our knowledge of the departmental programs and related system controls. Our testing criteria and testing results are summarized in the table below. 4.80 We are pleased to find no errors in the following testing criteria: • proper payment authority; • proper program and account coding; • proper cutoff; • payment agrees to contract; • payment is supported by a requisition; and • service provider is eligible to receive payment. Summary of test results by region by criteria 4.81 The following table shows the number of errors by testing criteria and by region. Proper spending authority 4.82 The Province’s Approval of Payments policy defines spending authority as “approval to spend funds out of the approved budget prior to making a purchase or commitment. Approval indicates sufficient funds are available to pay for the purchase.” The Province requires that all payments must have spending authority approval before they are paid. 4.83 Deputy Ministers are charged with the responsibility to delegate spending authority to their staff. They do this by signing a spending authority delegation form which specifies who can approve purchases and what the spending limit is for the approver. 4.84 For NBFamilies payments, employees exercise spending authority electronically. The Department inputs into a system table a list of who can approve payments and the spending limits for each approver. Only users listed in this table can approve payments. 4.85 As part of our audit, we ensured that each payment in our sample had proper spending authority. We did this by agreeing the electronic spending authority with the Deputy Minister approved spending delegation form. 4.86 We found 11 cases where the spending authority in NBFamilies did not agree with the Deputy Minister delegation form. This is a significant increase over last year when we found only one spending authority error in our testing. In all of these cases, the amount approved in NBFamilies was greater than the amount designated on the Deputy Minister delegation form. 4.87 Of these 11 cases, we found five cases where long-term care social workers, with a spending authority limit of $700, approved ARF fixed payment amounts ranging from $2,250.83 to $3,546.93 per month. We also found five cases where system case administrators, with a spending authority limit of $700, approved ARF fixed payment amounts ranging from $2,250.83 to $3,546.93 per month. The remaining case was a similar circumstance where a long-term care social worker, with a spending authority limit of $700, approved a fixed rate requisition for a client to receive care in an Alternate Family Living home at a cost of $2,717.60. 4.88 We understand that employees need the ability to approve fixed rate requisition amounts, but this authority should be specifically delegated by the Deputy Minister on the delegation form. Recommendation 4.89 We recommended the Department ensure that all employees who provide spending authority for payments have been delegated this authority by the Deputy Minister on the spending authority delegation form. Employees should not authorize payment amounts that exceed the authorized limits delegated by the Deputy Minister. Departmental response 4.90 The Regional User Support Analyst (RUSA) and the NBFamhelp team input spending authority limits in the NBFamilies electronic table based on the employee’s role. To ensure that the electronic table matches the Spending Authority Delegation forms signed by our Deputy Minister, Accounting Services will provide Regions with a copy of the electronic table for reference and validation purposes when the SAD forms are completed for the fiscal year 2011-2012. Backup supports payment 4.91 The Department offers service providers the option to electronically submit their invoices through a web-based invoicing system. As part of our audit process, we ask the Department to contact service providers and obtain supporting documentation for selected electronic payments. We review the supporting documentation to ensure it agrees with the amounts paid to service providers. 4.92 In our sample of 28 items, the Department made seven payments to suppliers who submitted invoices electronically. We found one error in these seven payments in the Saint John region. The error occurred because the service provider submitted an invoice requesting payment for 126 hours of work. When we examined the backup, we determined that the service provider should only have billed for 122 hours of work. This resulted in an overpayment of $57.04 to the service provider. 4.93 While in this case, the dollar amount of the overpayment is not significant, the error rate in our test is significant. In our sample of 28 payments, only seven were paid using electronic invoicing. Finding one error in a sample of seven items results in a 14% error rate. In each of the past two years, we also found an error in electronic invoice payments resulting in approximately a 10% error rate. We consistently find errors in these types of payments each year. This leads us to conclude that an inherent error rate of 10% to 14% exists in this population. 4.94 The NBFamilies system processes over 555,000 payments in a year. Not all of these payments are made through electronic invoicing. We estimate that approximately 43% or 238,000 payments are made using electronic invoicing. Using a 10% and 14% error rate and assuming a $50 error in payments, we roughly project the error in electronic invoice payments to be approximately $1.0 to $1.7 million. 4.95 We reported on this issue and made recommendations in this area in the past two years. From our testing this year, we believe that the Department’s strategy for managing this inherent error in the electronic invoice payment process should be reviewed and modified to reduce the level of error. Recommendation 4.96 The Department should review and modify its process for managing electronic payments so that the inherent error in this process is reduced to an acceptable level. Departmental response 4.97 On a quarterly basis, Accounting Services generates a 10% audit sample containing electronic invoices submitted by suppliers through the web base application for NBFamilies. To complete the validation process, the regions are required to obtain the supporting documentation from the suppliers within a 30 day period. If these conditions are not met, the regions return the verification report to Accounting Services with instructions to recover deficiencies. 4.98 The Electronic Invoice Verification Process, in section 6 of the Electronic Invoice Business Process user support document, will be amended to include a termination clause as specified in the Electronic Invoicing Agreement, increased sample size of audits for non-compliance, and increased frequency of audits. Financial documentation and client contribution 4.99 Clients are required to contribute to the services they receive through NBFamilies if their income is above a certain amount. There are two financial documents that must be completed to determine the amount of the client contribution – a financial declaration form and a financial contribution form. The financial declaration form is completed by the client and it records the client’s income. Using this information, the Department completes a financial contribution form which uses a pre-determined formula to calculate the amount of the client contribution. 4.100 One of our audit criteria was to ensure that the financial documents were up-to-date and on file for each client. We also verified that the amount of client contribution was calculated correctly. The Department’s policy requires it to complete client financial reassessments every two years. If a client is receiving social assistance, this reassessment is not required. 4.101 In the 28 payments tested, we found three financial documentation errors and one client contribution error. This is a significant improvement from prior years. The errors can be broken down as follows: • 3 – financial documentation was out-of-date; and • 1 – financial information was not input into system in a timely manner resulting in one client contribution error. 4.102 In three cases, the clients’ financial declarations were out-of- date. This information was dated in the years 2000, 2001 and 2003. In all three cases, the clients were not required to make client contributions. 4.103 In one case, the financial subsidy information for the client was recalculated in October 2009, however, the information was not input into the system until January 2010. This resulted in the client over contributing for her care for the months of October, November and December. The client’s contribution should have been reduced by $11.23 per month. Recommendation 4.104 We recommended the Department complete financial reassessments within a two year timeframe for clients not on social assistance as required by policy. This information should be input into the system in a timely manner. Departmental response 4.105 We agree with this recommendation. Out-of-date case plans 4.106 The Department requires that case plans be completed annually or as required by the system so that clients’ services and requirements are documented in the system. A case plan helps to ensure that clients receive the proper level of care. 4.107 In the 28 payments we tested, we found five cases in two regions where clients had out-of-date case plans. These regions were Chaleur and the Acadian Peninsula. Chaleur region 4.108 In two of the three items tested in this region the case plans were out-of-date. Both case plans were for individuals in adult residential facilities and were last updated in April 2005 and September 2007. Acadian Peninsula region 4.109 In this region, we found three of the four items tested had out- of-date case plans. For the first item, the case plan was for a client receiving in-home services and the case plan was last updated in April 2007. For the other two items, the case plans were for clients in ARFs and were last updated in September 2004 and September 2006. Recommendation 4.110 The Department should ensure that client case plans are updated annually or as required by the system. Departmental response 4.111 We agree with this recommendation. Section 2.10 of the Long Term Care Manuel suggests that case reviews be conducted annually. Section 9.1 of the Disability Support Program Manual states that case reviews will be conducted annually. Case plans should be updated at that time. Long-term care assessments 4.112 In the 28 payments we tested, we found one client’s long-term care assessment was not on file. We also found three clients where the LTC assessment was out-of-date and annual client case reviews were not on file. 4.113 For the one client where the LTC assessment was not on file, we saw a partial assessment in the system but the social worker could not find a completed assessment. We were told that an assessment would be completed for this client within the next six months. 4.114 For the three cases where the assessments were out-of-date, we saw no evidence that a social worker was in contact with the clients since the date of their last assessments in 2007. Two of these clients were receiving in-home care and their needs could have changed in the last three years. The Department should have conducted an annual case review on these clients. Documenting annual case reviews 4.115 Departmental guidelines suggest that an annual case review be conducted on clients in an adult residential facility or at home. Regular case reviews and client contact helps ensure clients continue to receive an appropriate level of care to meet their needs. 4.116 In our testing of prior years, we found situations where departmental social workers had no contact with clients for many years. This led us to question whether or not clients were receiving the appropriate level of care. This year in our testing of long-term care assessments, we found evidence in all but three cases that the social workers either had updated the long-term care assessment or had contact with the client. In ten cases, however, we are uncertain if this contact qualified as an annual case review because it was not well documented in the system. 4.117 The Long-Term Care Policy Manual provides guidance on the areas to review when conducting an annual case review. They are: • Client’s condition – The social worker is to assess whether the client’s condition and needs have remained unchanged during the past year. • Adequacy of services – The social worker is to ensure that the method by which LTC services are provided to the client and/or family caregiver is still adequate. • Client’s satisfaction – The social worker is to determine if the client and/or family caregiver is satisfied with the current supports and services. • Client’s financial situation – The social worker is to ensure that the client has submitted a recent copy of his/her income tax Notice of Assessment. 4.118 From our review of the notes in NBFamilies, in ten cases we did not see any evidence that the social workers assessed the four areas described above. We did see evidence that the social workers contacted the clients and that the clients’ case plans were updated. Recommendation 4.119 We recommended the Department conduct client reviews on a regular basis. The client reviews should be documented in the NBFamilies system as evidence that the reviews were completed by the Department. Departmental response 4.120 We agree with this recommendation. Section 2.10 of the Long Term Care Manual suggests that case reviews be conducted annually. Section 9.1 of the Disability Support Program Manual states that case reviews will be conducted annually. The reviews can be documented in NBFamilies through the events log. Recommendations 4.121 We recommended social workers assess and document the client’s condition, the adequacy of services, the client’s support satisfaction and the client’s financial situation when conducting annual case reviews. 4.122 We recommended the Department develop a form or template to help social workers document the information required when completing annual client case reviews. 4.123 We recommended the Department ensure that all social workers are adequately trained on how to conduct and document an annual client case review. Departmental response 4.124 We agree with these recommendations. The Department needs to standardize this process. We are currently in the process of developing a template to conduct annual client surveys including questions around client satisfaction, client’s condition, adequacy of services and client financial information. These surveys could be used to indicate the need for a full review/reassessment. The use of the template will be included in training given to staff involved in the Long-Term Care and Disability Support Program. Adult Residential Facility inspection and licensing documentation 4.125 The Department is required to inspect all Adult Residential Facilities (ARFs) before issuing a license to the facility. This license is called a Certificate of Approval. The Department’s standards require a complete annual inspection at least 60 days prior to the expiry date of this certificate. This 60 day time period gives the ARFs time to fix any non-compliance issues before their certificate expires. If an ARF has non-compliance issues and its certificate is going to expire, the Department can issue a temporary license for a period of six months. This time period allows the ARF to fix the non- compliance issues and for the Department to revisit the ARF to ensure all significant non-compliance issues are fixed before the Department issues a renewal certificate of approval. 4.126 As part of our audit process, we ensure that ARFs are inspected and licensed as required by departmental policy. We reviewed all licensing and inspection documentation provided for the 12 payments in our sample that related to ARFs. We found four reportable items which are discussed below. Chaleur region 4.127 We found one case in this region where a home was not licensed for four months. This occurred because an ARF’s certificate of approval expired in February 2009 and a new one was not signed until July 2009. The Department indicated that it was without an inspector for a period of time and ARF inspections fell behind. Restigouche region 4.128 We found one case in this region where the home was not licensed for a period of five months. In this case the ARF’s certificate of approval expired in August 2009 and a new one was not issued until February 2010. The Department indicated that there was a backlog for inspections in this region and it is just catching up. Moncton region 4.129 We found one case in this region where the Department issued a Certificate of Approval even though an ARF had a number of infractions listed on the standard inspection form. We saw no evidence that the ARF operator fixed the infractions. 4.130 We found one case where an ARF operator did not complete the standard application form but the Department issued a Certificate of Approval. Recommendations 4.131 We recommended the Department complete and receive all licensing documentation prior to issuing a Certificate of Approval to an ARF. 4.132 We recommended the Department ensure that all ARF inspections are performed at least 60 days prior to the expiry of the Certificate of Approval. 4.133 We recommended the Department ensure that Certificates of Approval are issued on a timely basis. Departmental response 4.134 Social Development has recently completed an important transition phase with several new Adult Residential Facility Coordinators. It is expected that the situation will improve very soon. Government payroll system (HRIS) Background 4.135 The government payroll system (HRIS) is another significant system in the Province that we test every year. The Office of Human Resources (OHR) operates this system and it processes payroll transactions for the Civil Service and pension payrolls. 4.136 Our testing has two parts: • We document and test controls at the OHR – Human Resource Information Services Branch (the branch). This branch is responsible for the operation of the HRIS and provides central control procedures for the government’s civil service and casual payroll. • We document and test controls at two or three government departments. We also select and test a sample of payroll transactions for these departments. Each year, we select different departments to ensure we visit all departments on a rotational basis. This year we selected the Department of Health and the Department of Social Development. 4.137 Excluded from our testing is payroll for the Province’s teachers. The teachers are paid from a different system which is operated by the Department of Education. We rely on the work of the Office of the Comptroller (OOC) for these payments. The OOC conducts detailed testing on school districts’ payroll expenses and we review this testing as evidence to support our audit opinion. Overall findings 4.138 This year we made recommendations in the following areas: • authorization of production control paperwork; and • access to the Genesys server production environment. Authorization of production control paperwork Issue 4.139 HRIS staff do not always approve the change request production control documents before sending them to Bell Aliant, the service provider of the data center. These documents authorize Bell Aliant to promote programs to production. Sending unapproved production control documents to Bell Aliant increases the risk that unauthorized program code changes could be promoted to production. Findings 4.140 During our audit, we tested five change requests at HRIS. We discovered one instance where there was no approval on the change request production control documentation. We discussed the error with the Technical Team Manager and because he was new to the position he was unaware that someone was still required to approve the production control documents. Discussion with management 4.141 We discussed this issue with the Acting Director at HRIS. He believes this was an isolated error that can be attributed to a time when the Technical Team Manager position was vacant and the re- alignment of duties among remaining staff had not yet been clarified. He believes that the Technical Team Manager should approve the production control documents. The Acting Director has notified Bell Aliant they are not to promote programs to production without (one of) the Technical Team Manager, the Acting Director or the Corporate Payroll Manager’s signature on the production control documents. Recommendation 4.142 We recommended OHR ensure that the appropriate HRIS staff approve the change request production control documents before HRIS sends these documents to Bell Aliant authorizing programs to be promoted to production. Departmental response 4.143 Steps have already been taken with respect to your recommendation on the authorization of production control paperwork. Access to the Genesys server production environment Issue 4.144 The Acting Director at HRIS has write access to the Genesys server production environment. Allowing write access to the Genesys server production environment increases the risk that unauthorized and improperly tested program code could be put into production. Findings 4.145 In March 2009, HRIS implemented a new server and version of the Genesys software which is used to calculate employee payroll. During our audit at HRIS, we determined that the Acting Director of the Branch has full access to the Genesys server production environment. Before this new environment and support procedures were implemented, only authorized employees at Bell Aliant had access to the production environment as this program code was stored on the mainframe. These Bell Aliant employees changed production code only when they received production control documents from HRIS authorizing them to promote specific program code to production. Discussion with management 4.146 We discussed this issue with the Acting Director at the Branch who believes that having write access to the production environment was an operational necessity in order to efficiently set up and test the pre-production implementation of phase II of the system. Once phase II is implemented, the Acting Director would no longer need access to the production environment. We believe that allowing anyone other than Bell Aliant staff write access to the production environment compromises security control procedures that protect the integrity of the system code. Recommendation 4.147 We recommended only authorized Bell Aliant employees have write access to the Genesys server production environment. Departmental response 4.148 We agree this was a short term situation due to the work involved with Phase II of the upgrade on Genesys. Medicare system Background 4.149 The Medicare system is another significant system in the Province that we test every year. The Department of Health operates this system and it processes transactions of approximately $270 million for payments to physicians. The majority of our audit assurance for this system is obtained through a statistical sample of transactions. Overall findings 4.150 This year we made recommendations in the following areas: • proper spending authority; and • arithmetic accuracy of payments. Proper spending authority 4.151 We noted one case in our Medicare testing where the payment document did not have proper spending authority. The error occurred because the employee signed for an activity not listed on the employee’s spending authority delegation form. 4.152 The Department indicated that this was a new activity code created during the fiscal year and that the employee’s spending authority delegation form had not been updated. The Department indicated that it will ensure that the sheet is updated to reflect changes since it was last prepared. Recommendations 4.153 We recommended the Department ensure that the delegation forms are updated during the fiscal year to reflect changes in signing responsibility. 4.154 We also recommended the Department ensure that proper authority is exercised on documents prior to payment. Departmental response 4.155 We have updated this year’s forms to the current user’s authority. Arithmetic accuracy of payments 4.156 We also noted during our audit one instance where a payment amount was improperly calculated. This caused a physician to be overpaid by $232. The reason for this error was that the physician was paid an after-hours premium when the time on the claim indicated that the after-hours premium should not have applied. 4.157 Discussion with the staff indicated that there is a field for time in the system but the system is unable to read the time. Therefore, unless the claim is processed manually or flagged by the system for assessment, the system will pay what the physician billed. 4.158 Staff indicated that they would make an adjustment to this claim to recoup the overpayment. Recommendations 4.159 We recommended the Department investigate whether a system edit on the time field is possible so that the Department only pays after-hours premiums when the physician is eligible. 4.160 We also recommended the Department adjust the claim found in our sample to recover the overpayment. Departmental response 4.161 We have taken steps to have this time field validation read and calculated within the new system for accurate payment. The claim where our current system did not calculate the step-down payment has been adjusted to the correct lesser fee.