WxT Language switcher

Evaluation of Internal Controls over Salaries and Employee Benefits

May 2021

Presented to

The Office of the Information Commissioner –
Financial Services, Procurement, Administration and Security

Table of contents

1. Background

As an Agent of Parliament, the Commissioner is solely responsible for the Office of the Information Commissioner of Canada’s (OIC) compliance with Treasury Board Financial Management Policy and related instruments and for responding to any instance of non-compliance. In that respect, management is committed to sustaining and continuously improving its effective system of internal controls over financial management (ICFM), including carrying out ongoing monitoring to ensure that the key controls meet the expectations of management and stakeholders, and appropriately mitigate associated risks.

2. Objective and scope of the mandate

The objective of the evaluation is to obtain assurance that adequate payroll controls are in place and functioning effectively within OIC to ascertain the integrity of pay transactions, including leave and overtime transactions.

The evaluation focused on the appropriateness and effectiveness of the existing management framework in place to support pay, leave, and overtime activities and transactions, and compliance with relevant regulations and policies. The scope of the audit included various types of employee pay transactions and two full pay periods selected during the period of April 1, 2020, to March 31, 2021.

Work was conducted remotely to conform with the procedures implemented by the OIC to address the health risks linked to Covid-19.

3. Approach and methodology

Approach

Our approach for this project was to work closely with the Manager, Financial Services (Manager) and other staff identified during the review. We communicated with the Manager to gain access to OIC’s relevant files, provide status reports and address issues as they surfaced. Walkthroughs of detailed processes were prepared and provided by the Manager to serve as the basis for the work undertaken.

Methodology

Our review was conducted with the objective of identifying and assessing existing payroll controls to ascertain the integrity of pay transactions, including leave and other off-cycle transactions. The key controls to be assessed as part of the evaluationwere identified as follows:

Section 32: Commitment authority

  • Perform verification of pay transactions in relation to the commitment authority.
  • Charge pay-related expenditures to the relevant appropriation.

Section 34: Certification authority

  • Authorize the transaction before payment is issued.
  • Validate the pay after the payment has been issued.

Section 33: Payment authority

  • Exercise quality assurance on payroll data before the payment is issued.
  • Exercise quality assurance on payroll data after the payment is issued.
  • Exercise quality assurance on a periodic basis through post-payment verification.

Through consultation with the Manager, the following types of transactions were selected and tested to determine if the financial controls in place are sufficient to address the level of risk corresponding to each type of pay-related action:

  1. Return from maternity leave
  2. Regular pay with no changes
  3. Promotion
  4. Acting pay
  5. New hire – from another government department (OGD)
  6. Re-hire – casual
  7. New hire – casual
  8. Secondment –- in
  9. Payment of accumulated leave – retired employee
  10. Payment of accumulated leave – active employee

In addition to the above transactions, we have reviewed two pay periods to assess the financial controls in place in respect to sections 33 and 34 for the full amount of pay for the following periods:

  1. P000108 – pay period from August 20 to September 2, 2020
  2. P000169 – pay period from November 26 to December 9, 2020

4. Observations and recommendations

4.1 Pre-payroll phase

4.1.1    Staffing pay-related action  

Control objective. Staffing pay-related actions must be supported by documentation to ensure that only funds approved under the Financial Delegation Authority Instrument are committed under S.32 and that staffing pay-related actions are certified by the delegated authority under S.34. Failure to implement these controls can increase the risk of collusion, issuance of inappropriate payments and/or delay the timely issuance of legitimate payments to staff.

Designed control. The Responsibility Centre Manager (RCM) is expected to document staffing actions on Human Resources Action Request (HRAR) or other relevant forms and submit the completed form to Human Resources (HR) and Finance for validation and update of salary forecasts. Once the appropriate authority has signed off on S.32 and the staffing process has been completed, the Delegated Authority under S.34 is expected to sign the Letter of Offer or other appropriate document, which is then passed on to HR liaison for processing in the systems MyGCHR and Phoenix.

The individuals from HR and Finance involved in this part of the process are expected to confirm completion of their task by signing the Internal Control Exercise Checklist.

Observations

Documenting staffing pay-related actions should be the first step undertaken by the individual responsible to sign off under S.34, usually the RCM. Forms examined under the review process to support the pay-related actions included the Human Resources Action Request (HRAR) form, the Letter of Offer, the Arrival form, the Leave application and absence report and the Assignment / Secondment form.

Overall, we found that the forms needed to support pay-related actions are used properly in situations linked to standard HR practices such as the hiring of employees, the promotion to a new position, the assignment to an acting position and the transfer of staff under a secondment agreement with another department. We noted, however, that unusual transactions such as payment of accumulated leave upon retirement and return from parental leave are not supported by a formal document demonstrating approval by the delegated authority. The use of a formal HR document will ensure that all pay-related actions have been certified by the appropriate delegated authority.

Recommendation #1: It is recommended that Human Resources and Compensation ensure that all pay-related actions are supported by a document certified by the appropriate delegated authority.

The Office of the Information Commissioner has developed an Internal Control Exercise checklist designed to document staffing pay-related actions. The checklist includes certification at different levels by the delegated authorities, with everyone involved confirming the completion of specific steps in the pre-payroll phase. The steps identified in the checklist include the following:

  • Data entry in MYGCHR system by the HR representative.
  • Data entry in the Phoenix pay system by the HR representative.
  • Salary forecast updates in the financial system by the Finance representative.
  • Pay action approved in Phoenix pursuant to S.33 by the Finance Representative.
  • Information verified with no action required by the Finance representative.
  • Addition of the documentation to the employee file by the Information Management representative.
  • Quality assurance on the overall control of the action by the HR quality assurance control representative.

The checklist implemented to support the staffing-pay related actions is extensive and identifies the controls implemented to ensure accuracy and completeness of pay-related information in the systems. We noted, however, that the checklist is not used to support certain types of pay-related actions. For example, there is currently no checklist to support activities such as returns from maternity leave, the hiring and re-hiring of casual employees and the management of secondment of resources from other departments. The use of the checklist for all types of pay-related transactions will support the integrity of the information and the appropriateness of the approval process.

Recommendation #2: It is recommended that Human Resources ensure that all pay-related actions are supported by an Internal Control Exercise checklist to support the integrity of the information and the appropriateness of the approval process.

4.1.2    Compensation pay-related actions

Control objective. Compensation/HR liaison uses the information included in the approved and documented pay-related actions to set up payroll information in the MyGCHR and Phoenix systems. The data must be reviewed to ensure that it is accurate and complete as it will be used to support payments to employees and update salary forecast in the financial system GX. Failure to validate the data input may increase the risk that payments are issued for the wrong amount to the wrong person or that a payment is missed, issued twice or unduly delayed. Furthermore, it may increase the risk of overspending by providing misleading information to the Delegated Authority who relies on the salary forecast to approve payroll under S.33.

Designed control. The HR Liaison receives the Letter of Offer or other relevant document and uses the information to complete additional steps in the staffing pay-related actions, such as providing documents to new hires, inputting relevant information into MyGCHR and Phoenix and monitoring changes in the systems to ensure accuracy and completeness. Once the information has been vetted by a peer, it is forwarded to Finance for further validation and update of salary forecast in GX.

The individuals from HR and Finance involved in this part of the process are expected to confirm completion of their task by signing the Internal Control Exercise Checklist.

Observation

Through our examination of various types of transactions, we found that the information reflected in the documents supporting the pay-related actions was recorded properly in the MyGCHR and Phoenix systems and that payments issued to employees were accurate and complete. Furthermore, the pay-related actions performed by staff were identified in the Internal Control Exercise checklist and signed by the individuals who performed the tasks.

4.1.3    Employee pay file e-transfer

Control objective. When OIC hires an employee from another department, the existing pay-related data will be transferred electronically to OIC based on one of the following scenarios.

  • If the other government department (OGD) is served by the Pay Center, OIC can transfer the employee’s information out of the OGD’s pay list onto their own pay-list using a computer provided by Public Services Procurement Canada (PSPC). The Compensation Officer then validates and verifies the pay-related actions, calculates pay changes, inputs pay-related actions in MyGCHR and Phoenix and then monitors the results in Phoenix for completeness and accuracy.
  • If the OGD is self-served, the Compensation Officer must contact the OGD and provide a copy of the Letter of Offer to support the request for transfer of pay-related data. Once the OGD is ready to transfer the data, the Compensation Officer accepts the transfer to the OIC’s pay list, validates and verifies the pay-related actions, calculates pay changes, inputs pay-related actions in MyGCHR and Phoenix and then monitors the results in Phoenix for completeness and accuracy.

Designed control. OIC has secured access to a PSPC’s dedicated computer to facilitate the transfer of data when possible and reduce the possibility of data entry errors. Once the file is received, HR validates the pay data, inputs pay changes in MyGCHR and Phoenix, and ensures accuracy and completeness of the information. Once the file has been created, the information is validated by Finance who then updates the salary forecast in GX.

The individuals from HR and Finance involved in this part of the process are expected to confirm completion of their task by signing the Internal Control Exercise Checklist.

Observation

Upon the hiring of an employee who was already employed by the federal government, the OIC requested the file from the OGD and used it to update its own systems. The validation of the information transferred was subject to the Internal Control Exercise checklist to ensure accuracy and completeness.

4.2 Payroll phase

4.2.1    Timesheet payroll reconciliation

Control Objective. Casual employment is a resourcing option provided to deputy heads to meet short-term, unforeseen, and urgent operational needs of the organization.  The casual workers are hired for specified periods not exceeding 90 days in a calendar year and for a specific maximum number of hours per week. As they are remunerated on an hourly basis, keeping track of hours is necessary to ensure that payments are issued for the correct amount and that salary expenditures recorded in GX are accurate. Failure to validate timesheets may increase the risk that payments are issued for the wrong amount to the wrong person or that a payment is missed, issued twice or unduly delayed. Furthermore, it may increase the risk of overspending by providing misleading information to the Delegated Authority who relies on the salary forecast to approve payroll under S.33.

Designed control. OIC has set up a process to support the payment of casual employees. HR sets up the pay information for the casual worker in MyGCHR and Phoenix as a recurrent pay based on the maximum number of hours approved. Every pay period, it validates the actual number of hours worked through bi-weekly timesheets submitted by the casual employees. Any difference between actual hours and projected hours is corrected and posted to Phoenix to ensure that the pay issued to the employee is based on actual hours worked. Finance validates the data in the system before authorizing payment under S.33. 

The individuals from HR and Finance involved in this part of the process are expected to confirm completion of their task by signing the Internal Control Exercise Checklist.

Observation

We have examined the timesheets of casual employees and the reconciliation of actual hours worked to the hours paid during the relevant pay periods. While we found that the payments issued to employees were accurate and complete, we note that the process is cumbersome and that the validation of time sheets to the payroll process is not documented through an internal control exercise checklist that would provide an appropriate audit trail of the approval process.

We have been advised that the Phoenix system offers an option for casual employees to submit their timesheets electronically through direct input into the system. If timesheets were kept in Phoenix, the resulting data in the system could be used by HR to validate the number of hours to the contract, by the Manager to approve the hours pursuant to S.34 and by Finance to approve S.33.  Consequently, the process would be more efficient, and the risk of errors reduced as manual interventions are reduced to a minimum.

Recommendation #3: It is recommended that HR implement the use of electronic timesheets supported by Phoenix to improve the efficiency of the payroll process linked to casual employees and reduce the risk of errors. Until such time as the electronic timesheets are implemented, it is further recommended that the Compensation Officer complete an Internal Control Exercise Checklist whenever timesheets are received to provide an adequate audit trail that the work has been performed.

4.2.2    On-cycle review and Section 33 approval

Control objective. Review and validation of the on-cycle payroll information is an essential part of the controls needed to ensure that pay amounts are based on accurate and complete data and that they are issued for the correct amounts to the correct employee. Without these controls, there are risks that pay calculations will be incorrect, payments to employees will be inaccurate or not done and that salary forecasts are misstated, leading the Delegated Authority to approve payment under S.33 based on inaccurate information.

Designed control. OIC has implemented a process to support the review of on-cycle payments to ensure accuracy, completeness, and timely issue of pay amounts to employees. The Delegated Authority for S.33 in Finance conducts a series of actions that supports the decision to approve payment, including the following: review of pending transactions and supporting documentation; comparison of payment to GX salary forecast and analysis of variances; salary forecast updates; comparison of individual pay information to previous pay period to identify and explain variances; confirmation of pay for all employees; confirmation of reasonableness of pay amounts; and review of timesheets submitted  by casual employees and students.

The individuals from HR and Finance involved in this part of the process are expected to confirm completion of their task by signing the Internal Control Exercise Checklist.

Observation

The OIC has developed efficient tools using Excel to review on-cycle payments and ensure accuracy, completeness and timely issuance of payments to employees. The Excel spreadsheets are updated as needed and support the payments issued to employees. Confirmation under S.33 of on-cycle payments can be found on the spreadsheets through a screen shot of the information pulled from the “Approve On-Cycle Payroll” tab of the payroll system.

The work being done by Finance to support the issuance of payments to employees is well documented in the spreadsheets prepared for every pay period. However, there is currently no visible indication of who completed the work and who approved the issuance of payments as the screen shots included on the worksheets do not provide this information. The implementation of a specific internal control exercise checklist supporting the S.33 approval process of on-cycle payments would provide such information and would become an adequate audit trail of the controls in place.

Recommendations #4: It is recommended that Finance develop an internal control exercise checklist to support the S.33 approval process of on-cycle payments.

4.2.3    Off-cycle review and section 33 approval

Control objective. Review and validation of the off-cycle payroll information is an essential part of the controls needed to ensure that off-cycle pay amounts are based on accurate and complete data and that they are issued for the correct amounts to the correct employee. Without these controls, there are risks that off-cycle pay amounts will be incorrect, payments to employees will be inaccurate or not done and that salary forecasts are misstated, leading the Delegated Authority to approve payment under S.33 based on inaccurate information.

Designed control. OIC has implemented a process to support the review of off-cycle payments to ensure accuracy, completeness, and timely issue of payments to employees. The Delegated Authority for S.33 in Finance conducts a series of actions that supports the decision to approve payment, including the following: review of pending transactions and supporting documentation; comparison of payment to GX salary forecast and analysis of variances; salary forecast updates; and comparison of individual off-cycle payment to previous pay period to identify and explain variances.

The individuals from HR and Finance involved in this part of the process are expected to confirm completion of their task by signing the Internal Control Exercise Checklist.

Observation

The Office of the Information Commissioner has developed efficient tools using Excel to review off-cycle payments and ensure their accuracy, completeness and timely issuance of payments to employees. The Excel spreadsheets are updated as needed and support the payments issued to employees. Confirmation under S.33 of off-cycle payments can be found on the spreadsheets through a screen shot of the information pulled from the payroll system.

The work being done by Finance to support the issuance of payments to employees is well documented in the spreadsheets prepared for every pay period. However, there is currently no visible indication of who completed the work and who approved the issuance of payments as the screen shots included on the worksheets do not provide this information. The implementation of a specific internal control exercise checklist supporting the S.33 approval process of off-cycle payments would provide such information and would become an adequate audit trail of the controls in place.

Recommendations #5: It is recommended that Finance develop an internal control exercise checklist to support the S.33 approval process off-cycle payments.

4.3 Post-payroll phase

4.3.1    Bi-weekly pay reconciliation

Control objective. Pay is generated bi-weekly through the Phoenix pay system and downloaded to the various department financial management systems to be accounted for in the records of each Department. As Departments do not exercise control over the actual pay process, they must implement a reconciliation process to ensure that the pay that has been allotted to the Department is complete and accurate. In the absence of such reconciliation, there are risks that pay calculations are incorrect and/or that pay actions have not been addressed properly, resulting in inaccurate salary forecast data and possibly overspending.

Designed objective. Relevant pay information from the Phoenix pay system is extracted to the I050 file which is downloaded automatically to the GX financial system where journal vouchers are created to segregate the payroll between OIC and the Office of the Privacy Commissioner. Reconciliation of the I050 file to OIC data is prepared by the Finance Officer who identifies discrepancies that require actions. The discrepancies are reviewed by a peer before they are shared with Compensation for adjustments in the MyGCHR and/or Phoenix systems.

Observation

The payroll information is extracted to the I050 file and used by the Finance Officer to prepare a variance analysis in Excel by comparing the actual data to the forecast. The resulting information is then transferred to a separate tab where it is grouped under the following headings:

  • Identify employees with no pay
  • Questions for HR
  • Underpayments
  • Overpayments
  • Transfers in / Secondments- in
  • Transfers out / Secondments out
  • Employees requiring no actions

This spreadsheet is shared with HR to enable them to address any issues that must be resolved by HR prior to the issuance of payroll. The transfer of information to HR is done by email and identifies the issues that need to be addressed by HR.

The work being done by Finance to resolve issues prior to signing off under S.33 is well documented in the spreadsheets prepared for every pay period. However, there is currently no visible indication of who completed the work and who approved it except for the email sent to HR by the Finance Officer. The implementation of a specific internal control exercise checklist supporting the payroll reconciliation process would provide such information and would become an adequate audit trail of the controls in place.

Recommendations #6: It is recommended that Finance develop an internal control exercise checklist to support the bi-weekly pay reconciliation.

4.3.2    Pay process in financial system

Control objective. Exercising quality assurance on the coding of the data downloaded to the GX system ensures that the pay information reflected in the system is accurate and complete. The absence of a quality assurance process over coding may result in pay information being recorded to the wrong accounts and therefore impact the data used by the delegated authorities when exercising their authority throughout the payroll process.

Designed control. The responsibility for verifying the coding and approving the posting of the pay data is split between the Financial Officer and the Sr Financial Officer or Financial Management Advisor. The Financial Office verifies the coding and corrects it when necessary and the Sr Financial Officer or Financial Management Advisor approves the work and posts the journal voucher.

Observations

Validation of coding by the Finance team is done prior to the posting of the journal vouchers to the system. While the results of the posting will be subject to examination by the RCM during the Salary Verification and Certification process, there is currently no visible confirmation of the work performed as the individuals do not confirm completion of their task by signing an Internal Control Exercise Checklist.

Recommendations #7: It is recommended that Finance develop an internal control exercise checklist to support the work performed to confirm coding and posting to the financial system.

4.3.3    Review of post-payroll S.34 approval

Control objective. Post-payment verification is an additional component of the quality assurance whereby pay transactions are verified for accuracy, completeness, and accurate recording in the MyGCHR and Phoenix systems and certification is matched to the appropriate delegated authority. The verification process will ensure that payments have been certified by the appropriate delegated authority under S.34, including those payments resulting from a non-staffing action. The absence of certification under S.34 can lead to overspending and the issuance of unauthorized payments.

Designed control. The Financial Officer downloads the salary detail report (GX report 21K) and the Salary Verification & Certification document and sends them to the RCM for approval. The GX 21K report and S.34 attestation documents are returned to the Financial Officer once the review is complete. Corrections are recorded through journal vouchers and shared with Compensation for correction in the next pay period, if necessary.

Observation

Post-payroll approval is confirmed when the RCM signs the Salary Verification and Certification form where two elements are addressed: verification of salary assignments and reasonableness of payments based on the 21k salary report. The forms examined as part of our review confirm that they were signed by the designated authorities.

As part of the salary verification and certification process, the RCM also reviews the Monthly Budget Status report to ensure proper coding and allocation. Corrections to payroll identified by the RCM are addressed by Finance as required.

4.3.4    Secondments in

Control objective. Secondments of staff from OGD must be supported by documentation to ensure that funds approved under the Financial Delegation Authority Instrument are committed under S.32 and that the staffing action is certified by the delegated authority under S.34. Furthermore, controls need to be implemented to ensure that payments to OGD are issued in accordance with S.33. The absence of such controls can lead to overspending and/or the issuance of incorrect payments to the OGD.

Designed control. The RCM is expected to document staffing actions on the Assignment/secondment agreement form and submit the completed form to HR and Finance for validation and update of salary forecast. Invoices are submitted to Finance by the Home organization on a quarterly basis, approved by the RCM under S.34, validated by Finance, and paid to the OGD through an interdepartmental settlement JV in GX under S.33.

Observations

As indicated in section 4.1.1, the secondment in process is not validated by an internal control exercise checklist. Notwithstanding this weakness, the payment of invoices submitted by the Home organization is subject to an appropriate approval process whereby the RCM certifies services received under S.34.

Annex A: Summary of key findings

ANNEX A: SUMMARY OF KEY FINDINGS

Type of transaction

Confirmation of pay action on file 

(S.32)

Approval of pay action (S.34)

Update in MyGCHR and/or Phoenix

Update of salary forecast

Internal Control Checklist on file

Timesheets submitted and reviewed (S.34)

Payment approval

(S.33)

Comments

Recommendation
  1. Maternity Leave
  • Arrival form not in employee file but provided by Manager

No

yes

yes

None completed

n/a

yes
  • Exchange of emails on file between management and HR confirming return of employee.
  • Arrival form does not allow Manager to sign off on HR action.
  • Arrival form now completed online since January 2021.
  • All HR actions that will impact payroll should be supported by a form approved by a delegated manager and an Internal Control Checklist
  1. Regular pay – no changes
  • Old employee – info archived with IM

n/a

n/a

n/a

n/a

n/a

yes
  • Approved on Salary Reconciliation
  • None
  1. Acting position
  • Acting appointment request form on file.
  • Letter of offer on file for one-year extension.

yes

yes

yes

yes

n/a

yes
  • Approved on Salary Reconciliation
  • Extension of acting position properly documented and authorized
  • None
  1. New hire – other government department
  • HRAR form on file

yes

yes

yes

yes

n/a

yes
  • E-file transfer completed
  • None
  • Promotion
  • HRAR form on file
  • Letter of offer on file

yes

yes

yes

yes

n/a

yes
  • HRAR includes PM-06 hiring process for various positions.
  • No specific documentation showing approval of hiring process from Senior Management Committee (Dec. 2020)

None
  • Re-hire - casual
  • HRAR form on file
  • Letter of offer on file

yes

yes

yes

no

yes

yes
  • HRAR includes PM-06 hiring process for various positions.
  • No specific documentation showing approval of hiring process from Senior Management Committee (Dec. 2020)
  • No Internal Control Checklist on file to support pay action.
  • Time sheet signed by employee and approved by supervisor.
  • No Internal Control Checklist prepared to confirm that info from time sheets is tracked on Excel document.
  • All HR actions that will impact payroll should be supported by an Internal Control Checklist.
  • Controls over time sheets should be documented in an Internal Control Checklist designed for that purpose only.
  • New hire - casual
  • HRAR form on file
  • Letter of offer on file

Yes

yes

yes

no

yes

yes
  • No Internal Control Checklist on file to support pay action.
  • Time sheet signed by employee and approved by supervisor.
  • No Internal Control Checklist prepared to confirm that info from time sheets is tracked on Excel document.
  • All HR actions that will impact payroll should be supported by an Internal Control Checklist.
  • Controls over time sheets should be documented in an Internal Control Checklist designed for that purpose only.
  • Secondment - in
  • Assignment/ Secondment form

yes

n/a

yes

no

n/a

n/a
  • No Internal control checklist prepared.
  • Invoices submitted by other department validated by Finance.
  • All HR actions that will impact payroll should be supported by an Internal Control Checklist.
  • Payment of leave – active employee

Leave application and absence report

yes

yes

yes

yes

n/a

yes
  • Support documents on file
  • None
  • Payment of unpaid leave – retired employee

Leave application and absence report - not on file

no

yes

n/a

yes

n/a

yes
  • No document initiating the transaction and confirming S.34.
  • Prepare a Leave application and absence report or similar document that will show approval under S.34 and support the payment to the employee who is retiring.
Date modified:
Submit a complaint