Management Action Plan – Evaluation of Internal Controls over Salaries and Employee Benefits

The Office of the Information Commissioner of Canada (OIC) developed this Management Action Plan (MAP) following receipt of 3370364 Canada Inc (Monique Cousineau) report on the Evaluation of Internal Controls over Salaries and Employee Benefits.

The objective of the evaluation is to obtain assurance that adequate payroll controls are in place and functioning effectively within OIC to ascertain the integrity of pay transactions, including leave and overtime transactions.

The evaluation focused on the appropriateness and effectiveness of the existing management framework in place to support pay, leave, and overtime activities and transactions, and compliance with relevant regulations and policies. The scope of the audit included various types of employee pay transactions and two full pay periods selected during the period of April 1, 2020, to March 31, 2021.

The approach for this project was to work closely with the Finance and Human Resource staff identified during the review. We communicated with staff to gain access to OIC’s relevant files, provide status reports and address issues as they surfaced. Walkthroughs of detailed processes were prepared and provided to serve as the basis for the work undertaken.

Management Action Plan – Evaluation of Internal Controls over Salaries and Employee Benefits

Contractor’s  observations and recommendations

OIC response

OIC commitment (action items)

Lead

Target date

Progress

1. Pre-payroll phase

Staffing pay-related action 

1.A  Observation:

Documenting staffing pay-related actions should be the first step undertaken by the individual responsible to sign off under S.34, usually the RCM. Forms examined under the review process to support the pay-related actions included the Human Resources Action Request (HRAR) form, the Letter of Offer, the Arrival form, the Leave application and absence report and the Assignment / Secondment form.

Overall, we found that the forms needed to support pay-related actions are used properly in situations linked to standard HR practices such as the hiring of employees, the promotion to a new position, the assignment to an acting position and the transfer of staff under a secondment agreement with another department.

We noted, however, that unusual transactions such as payment of accumulated leave upon retirement and return from parental leave are not supported by a formal document demonstrating approval by the delegated authority. The use of a formal HR document will ensure that all pay-related actions have been certified by the appropriate delegated authority.

Recommendation #1:

It is recommended that Human Resources and Compensation ensure that all pay-related actions are supported by a document certified by the appropriate delegated authority.

1.B Observation:

The Office of the Information Commissioner has developed an Internal Control Exercise checklist designed to document staffing pay-related actions. The checklist includes certification at different levels by the delegated authorities, with everyone involved confirming the completion of specific steps in the pre-payroll phase.

The checklist implemented to support the staffing-pay related actions is extensive and identifies the controls implemented to ensure accuracy and completeness of pay-related information in the systems. We noted, however, that the checklist is not used to support certain types of pay-related actions. For example, there is currently no checklist to support activities such as returns from maternity leave, the hiring and re-hiring of casual employees and the management of secondment of resources from other departments. The use of the checklist for all types of pay-related transactions will support the integrity of the information and the appropriateness of the approval process.

Recommendation #2:

It is recommended that Human Resources ensure that all pay-related actions are supported by an Internal Control Exercise checklist to support the integrity of the information and the appropriateness of the approval process.

2. Payroll phase

Timesheet Payroll Reconciliation

2.A  Observation:

We have examined the timesheets of casual employees and the reconciliation of actual hours worked to the hours paid during the relevant pay periods. While we found that the payments issued to employees were accurate and complete, we note that the process is cumbersome and that the validation of time sheets to the payroll process is not documented through an internal control exercise checklist that would provide an appropriate audit trail of the approval process.

We have been advised that the Phoenix system offer an option for casual employees to submit their timesheets electronically through direct input into the system. If timesheets were kept in Phoenix, the resulting data in the system could be used by HR to validate the number of hours to the contract, by the Manager to approve the hours pursuant to S.34 and by Finance to approve S.33.  Consequently, the process would be more efficient, and the risk of errors reduced as manual interventions are reduced to a minimum.

Recommendation #3:

It is recommended that HR implement the use of electronic timesheets supported by Phoenix to improve the efficiency of the payroll process linked to casual employees and reduce the risk of errors. Until the electronic timesheets are implemented, it is further recommended that the Compensation Officer complete an Internal Control Exercise Checklist whenever timesheets are received to provide an adequate audit trail that the work has been performed.

On-cycle review and Section 33 approval

2.B Observation:

The OIC has developed efficient tools using Excel to review on-cycle payments and ensure accuracy, completeness and timely issuance of payments to employees. The Excel spreadsheets are updated as needed and support the payments issued to employees. Confirmation under S.33 of on-cycle payments can be found on the spreadsheets through a screen shot of the information pulled from the “Approve On-Cycle Payroll” tab of the payroll system.

The work being done by Finance to support the issuance of payments to employees is well documented in the spreadsheets prepared for every pay period. However, there is currently no visible indication of who completed the work and who approved the issuance of payments as the screen shots included on the worksheets do not provide this information. The implementation of a specific internal control exercise checklist supporting the S.33 approval process of on-cycle payments would provide such information and would become an adequate audit trail of the controls in place.

Recommendation #4:

It is recommended that Finance develop an internal control exercise checklist to support the S.33 approval process of on-cycle payments.

Off-cycle review and section 33 approval

2.C Observation:

The Office of the Information Commissioner has developed efficient tools using Excel to review off-cycle payments and ensure their accuracy, completeness and timely issuance of payments to employees. The Excel spreadsheets are updated as needed and support the payments issued to employees. Confirmation under S.33 of off-cycle payments can be found on the spreadsheets through a screen shot of the information pulled from the payroll system.

The work being done by Finance to support the issuance of payments to employees is well documented in the spreadsheets prepared for every pay period. However, there is currently no visible indication of who completed the work and who approved the issuance of payments, as the screen shots included on the worksheets do not provide this information. The implementation of a specific internal control exercise checklist supporting the S.33 approval process of off-cycle payments would provide such information and would become an adequate audit trail of the controls in place

Recommendation #5:

It is recommended that Finance develop an internal control exercise checklist to support the S.33 approval process off-cycle payments.

  1. Post-payroll phase

Bi-weekly pay reconciliation

3.A  Observation:

The payroll information is extracted to the I050 file and used by the Finance Officer to prepare a variance analysis in Excel by comparing the actual data to the forecast. The resulting information is then transferred to a separate tab where it is grouped under a list of headings.

This spreadsheet is shared with HR to enable them to address any issues that must be resolved by HR prior to the issuance of payroll. The transfer of information to HR is done by email and identifies the issues that need to be addressed by HR.

The work being done by Finance to resolve issues prior to signing off under S.33 is well documented in the spreadsheets prepared for every pay period. However, there is currently no visible indication of who completed the work and who approved it except for the email sent to HR by the Finance Officer. The implementation of a specific internal control exercise checklist supporting the payroll reconciliation process would provide such information and would become an adequate audit trail of the controls in place.

Recommendation #6:

 It is recommended that Finance develop an internal control exercise checklist to support the bi-weekly pay reconciliation.

Pay process in financial system

3.B  Observation:

Validation of coding by the Finance team is done prior to the posting of the journal vouchers to the system. While the results of the posting will be subject to examination by the RCM during the Salary Verification and Certification process, there is currently no visible confirmation of the work performed as the individuals do not confirm completion of their task by signing an Internal Control Exercise Checklist.

Recommendation #7:

It is recommended that Finance develop an internal control exercise checklist to support the work performed to confirm coding and posting to the financial system.

This mainly refers to mandatory payments following retirement (severance pay). Human resources will ensure that the proper documents and authorization are received before proceeding with payment by ensuring that the section 34 from the RC manager is received before proceeding with payment.

During the evaluation period, we were still in a transition period to the new internal control form for payroll actions. There were a few files for which there was no control sheet. This has since subsided.  

The HR Directorate, more particularly the Compensation Advisors Unit, has updated its procedures/processes accordingly to support the usage of the checklist.

The HR Directorate adjusted its staffing log to make sure it reflects the confirmation that the Internal Control Exercise checklist is complete upon every staffing transactions.

The HR will continue working on improvements related to recommendation no. 1 and 2. HR has recently obtained the collaboration of the IT/Finance groups to autotomize key payroll and staffing processes.

As for the electronic timesheets available in Phoenix, OIC has previously tried to use them. However, this was not a successful experiment as it resulted in several errors (e.g. overpayment, lack of pay, etc.) and delays in the processing of files. This caused an additional workload as errors had to be corrected and the approval cycle was more difficult to manage. It was then determined by HR and Finance that the manual input of timesheets was the most effective for the organization for 2021-22.

In the meantime, looking at the possibility of using Phoenix's electronic process for casuals and students, it is recommended that each PDF timesheet received by Human Resources be certified received and complete using the internal control sheet in place. If no action is required to adjust the employee's pay, it was decided to simply indicate it in the form and forward it to finance. This demonstrates and leaves the trace that all sheets are received each pay period and consulted by key stakeholders. Currently, only timesheets requiring Phoenix adjustment have a control form.

The ATIP division have been using the electronic timesheet on a pilot basis during 2021-2022.

Finance combined #4 & #5 as they are essentially the same, the difference being one is for on-cycle the other off-cycle but process/procedures are done on a pay cycle basis which covers both on and off cycle payments

The Finance team looked into and unfortunately there is not a great report in Phoenix but  a workaround was created  that summarizes what was done in Excel/Phoenix to review and approve payments

See Recommendation #4

1.1 Human Resources and Compensation ensure that all pay-related actions are supported by a document certified by the appropriate delegated authority; they will also remind all HR staff about the importance of this aspect.

1.2 Human Resources ensure that all pay-related actions are supported by an Internal Control Exercise checklist to support the integrity of the information and the appropriateness of the approval processes. A tracking system has been put in place when it comes to tracking purposes.

1.3 Human Resources will ensure that a monitoring process is in place and perform regularly.

1.4 HR will also make sure that the observations be given consideration upon the review and update of the Delegation Instrument of Human Resources Authorities

1.5 HR to initiate the development of an electronic HR and pay request, related forms and Internal control checklist which would be available to all throughout the internal Intrac system (case management application).

2.1 Until the electronic timesheets are implemented, it is further recommended that the Compensation Officer complete an Internal Control Exercise Checklist whenever timesheets are received to provide an adequate audit trail that the work has been performed. Meanwhile, HR Directorate has modified its internal procedure by completing an internal control exercise checklist for every timesheet that may require changes or modifications (Recommendation no. 3).

2.2 HR will implement the use of electronic timesheets supported by Phoenix to improve the efficiency of the payroll process linked to casual employees and reduce the risk of errors in 2022-2023 fiscal year. OIC will also have to develop a proper procedure/process and providing some internal awareness and training to its manager/employees that may be affected by this change (Recommendation no. 3).

2.3 It is recommended that Finance develop an internal control exercise checklist to support the S.33 approval process of on-cycle payments in collaboration with HR (Recommendation no. 4).

2.4 It is recommended that Finance develop an internal control exercise checklist to support the S.33 approval process of off-cycle payments in collaboration with HR (Recommendation no. 5).

3.1 Finance to develop an internal control exercise checklist to support the bi-weekly pay reconciliation in collaboration with HR (Recommendation no. 6).

3.2 Finance to develop an internal control exercise checklist to support the work performed to confirm coding and posting to the financial system (Recommendation no. 7)

Human Resources

Human Resources

Human Resources

Human Resources

Human Resources

(with IT and Finance)

Human Resources

Human Resources

Finance (HR)

Finance (HR)

Finance (HR)

Finance (HR)

Finance

January 2021

March 2023

June  2022

(HR delegation)

March 2023

January 2022

September 2022

January 2022

January  2022

July/August 2021

July/August 2021

July/August 2021

1.1 Completed

1.2 Completed

1.3 On going

1.4 In progress

1.5 In progress

2.1 Partially implemented

2.2 Planned

2.3 In progress

2.4 Completed

3.1 Completed

3.2 Completed

Completed

Management Action Plan – Payroll Controls

Management Action Plan – Payroll Controls

Auditor’s observations

OIC Commitments

Action item

Lead

Target Date

Progress

           
Date modified:
Submit a complaint