Language selection

Government of Canada / Gouvernement du Canada

Search

Audit of compensation processes and controls: Appendix D

HR-to-Pay internal controls

We reviewed and tested the following HR-to-Pay internal controls. The testing results are identified as follows:

  • Control is operating effectively
  • Control is operating ineffectively
  • Control is not adequately designed or documented

Activity: Adding employees to payroll

Control

  • Staffing requests are reviewed and approved (Border Services Officers)
  • Staffing requests are reviewed and approved (employees other than Border Services Officers)
  • Compensation Advisors validate new hire's first pay
  • Peer review of Compensation pay actions processed via Compensation Form and completion of checklist by Compensation Advisors (two controls)
  • Delegated staffing and financial authority sign off Human Resources Action Requests, 325-10 form and Letter of Offer (all employees) (two controls)
  • Delegated staffing and financial authority have received the appropriate training

Activity: Payroll modifications

Control

  • Approval of payroll modifications by delegated staffing and/or financial authority (maternity leave, leave without pay, change in tenure of employment, etc.) through a signed Human Resources Action Request, form 325-10 and/or signed Letter of Offer (two controls)
  • Staffing review and approve the authoritative documents for the payroll modifications

Activity: Time approval

Control

  • Chief approves border services officer time sheets related to overtime, shift premiums and other entitlements
  • Chief validates time sheet entries in Employee Self-Service (ESS) against attendance logs and ensures the pay codes identified are accurate and valid

Activity: Recording of payroll expenditures

Control

  • Corporate Accounting prepare year-over-year payroll expenditure analysis
  • Corporate Accounting prepare adjustments for prior year payroll expenses
  • Regional Finance (or Financial Management Advisor) review year-end payroll payable and/or receivable accrual prior to submission to Corporate Accounting
  • Corporate Accounting receives the year-end payroll payable and/or receivable by email from the different groups for input in CAS

Activity: Payroll monitoring

Control

  • Corporate Compensation reviews I050 Phoenix file to check for overpayments, missing pay, etc. during the bi-weekly pay period
  • NFTC Review and approve Phoenix pay transactions over $15,000
  • Corporate Accounting reconciles CAS-FI Module and PSPC-GL
  • Corporate Accounting reconciles salary expenditures between CAS-HR and CAS-FI Modules
  • Quarterly Corporate Accounting performs personal record identifier by personal record identifier variance analysis by reconciling Phoenix I050 file with CAS to identify retroactive payments, missing pay, overpayments, etc. for payroll journal recording purposes

Activity: Removing employees from payroll

Control

  • Cost Centre Manager review and approve departure form and resignation letter (two controls)
  • Compensation Advisor validate employee's last pay (two controls)
  • Compensation Advisor process and review the one-time payment owed to employee upon departure, including vacation leave without payout (two controls)
  • Compensation Advisor calculate severance pay for terminated employees

Activity: CAS IT user access

Control

  • CAS users only have one unique user profile
  • CAS user role structure maintains appropriate segregation of duties
  • Row-level security is configured to restrict access to employee data by organization
  • Payroll actions within CAS for Taken on Strength, Timesheet Approval and Payroll Processing is restricted to authorized individuals and the respective roles are appropriately segregated
  • Access to enter manual journal payable/receivable (payable at year-end/receivable at year-end) year-end journal entries is restricted to the Corporate Accounting team
  • Supervisors of users authorize the nature and extent of user access privileges
  • Management regularly reviews the list of users

Activity: CAS IT automated controls

Control

  • Automated transfer of HR data from CAS-HR to CAS-FI and ensure successful transfer of data
  • Automated batch processing to update employee's status as 'Struck of Strength' in CAS
  • Automated batch transmission of Section 34 approved timesheets in CAS
  • Overtime hours cannot be entered in ESS in advance
  • Daily automated upload of Phoenix I049 files in CAS
  • Weekly automated calculation of salary based on ESS time sheet entries and payroll posting calendar
  • CAS-ESS is configured to prevent employees approving their own time sheet
  • ESS routes time sheet per the organization structure maintained in CAS
  • ESS submitted time sheets are automatically routed to appropriate supervisor
  • Rejected time sheets are automatically routed back to the employee to address issues identified by the Supervisor
  • Approve Time Reports in ESS (Section 34)
  • Unapproved Section 34 time sheets are escalated to next level Section 34 approver per the organizational structure in CAS

Activity: Phoenix IT user access

Control

  • Phoenix users only have one unique user profile
  • Phoenix user role structure maintains appropriate segregation of duties
  • Payroll processing actions within Phoenix is restricted to authorized individuals
  • Supervisors of users authorize the nature and extent of user access privileges
  • Quarterly review of Phoenix user access list
Date modified: