Audit of compensation processes and controls: Findings
Accountability, governance and communication
Roles and responsibilities
22. The Agency's HR-to-Pay process is based on the seamless and timely communication of information between its key internal stakeholders.Footnote 5 For example, Cost Centre Managers are responsible for completing the documentation to hire an employee, which is then sent to Staffing to generate a letter of offer. Compensation receives the signed letter of offer to enter pay information within the HR-to-Pay systems. Once the information is entered and an employee is paid, Corporate Accounting is responsible for reporting payroll expenditure. Given these interdependencies, it is important that all stakeholders understand their roles and responsibilities, as well as how their roles impact the other stakeholders involved.
23. Roles and responsibilities for various activities in the HR-to-Pay process were identified and documented in job descriptions and on the CBSA's intranet pages. Most key stakeholders we surveyedFootnote 6 understand their own roles and responsibilities related to the HR-to-Pay process. However, more than 50% of stakeholders from each functional area responded that they do not understand the roles and responsibilities of other stakeholder groups as they relate to the HR-to-Pay process. The HR-to-Pay process is not centrally documented anywhere, and as such, the interrelations and dependencies between stakeholders are not clearly communicated to all involved.
24. Overall, roles and responsibilities of employees working within the HR-to-Pay processes are clearly defined and communicated. Increasing awareness of the roles and responsibilities of all areas involved in the process would help individual stakeholders better understand how others contribute to the overall efficiency and effectiveness of the HR-to-Pay process.
Internal information sharing and communication
Communication with the Agency's internal HR-to-Pay stakeholders
25. In order for the process to function in a seamless and timely manner, it is important to ensure that the proper information is being communicated to all HR-to-Pay stakeholders. Forty-five percent (45%) of stakeholders surveyed expressed dissatisfaction with communication amongst all internal stakeholders involved in the HR-to-Pay process. Communication among the internal HR-to-Pay stakeholders has traditionally been conducted via email. However a workload management system, known as the Employee Interaction Centre (EIC), was launched in . The EIC allows key documents to be shared electronically between the Staffing and Compensation teams. Despite the fact that the EIC became the national system for all regions to share information in , it has not been fully adopted. Furthermore, while this system has facilitated sharing key documentation between the Staffing and Compensation teams, it does not address other communications issues identified by stakeholders. For example, staff in executive compensation, accounting operations, internal controls and HR systems indicated that they could benefit from more collaboration with other functional areas involved in the process. When compounded with the gaps in understanding other stakeholders' roles and responsibilities, there is a risk that stakeholders may not understand or be involved in the development and execution of the plans and priorities that drive the HR-to-Pay process.
26. As team work and communication between stakeholders is critical for the efficiency and effectiveness of the HR-to-Pay process, it is essential that communication channels and tools be optimal.
Recommendation 1
The Vice-President of the Human Resources Branch, in collaboration with the Vice-President of the Finance and Corporate Management Branch, should improve communication and teamwork between functional areas at the working level of the HR-to-Pay process so that information sharing between key stakeholders be timely, efficient and effective to promote collaboration, and prevent avoidable issues with processing and reporting pay.
Management response: Overall the Vice-President of the Human Resources Branch agrees with this recommendation and will ensure that quarterly meetings take place with stakeholders from within HRB as well as FCMB.
Completion date:
CBSA corporate governance
27. One|HR, Executive Committee – Human Resources, and the Executive Committee are the key internal corporate governance bodies for the HR-to-Pay process. These committees are the forum for bringing HR-to-Pay issues to the attention of the Agency's Senior Management.
28. Per our review of agendas and records of decision, these internal governance committees receive periodic updates on the progress towards the Compensation Backlog Strategy, including HRB's recent timeliness initiative, "Timeliness Pays", demonstrating that the Agency's Senior Management receive information relevant to the current high-priority items periodically.
Communication with employees
29. Each region has implemented their own methods for communicating with their employee-base. This can include communicating directly with employees or by communicating through management and administrative personnel.
30. Communication regarding important pay announcements, general updates to the HR-to-Pay process, as well as new initiatives, are done Agency-wide through the daily newsletter (CBSA Daily), emails from the President, and/or CBSA's internal web pages (i.e. Atlas, Apollo).
31. Despite these efforts, employees responded that they did not receive sufficient information on the HR-to-Pay process in general. In addition, nearly half of the employees (49%) surveyed expressed that they did not receive sufficient communication and support regarding their pay file. This perceived lack of communication with employees can lead to frustration and confusion, making ongoing, clear communication an important element of the HR-to-Pay process.
Communication with external stakeholders and governance bodies
32. Given the influence external stakeholders have on the Agency's HR-to-Pay process, it is important that the Agency be represented at external governance committees when important topics are discussed and decisions are made.
33. The Agency and/or HRB participates in various external committees and working groups to gather information and share the Agency's perspective. Information gathered at these external working groups is shared within the Agency via established internal governance channels, and is used to influence improvements to the HR-to-Pay process. We found that there were sufficient channels for communication between the Agency, Treasury Board Secretariat and CRA.
34. Information shared by PSPC with the Agency is sometimes perceived as limited in value for the CBSA as it does not always apply to web-service organizations.Footnote 7 Specifically, through interviews and survey responses, CBSA employees expressed concerns that communication on training or system updates from PSPC were not always relevant to the Agency's operating environment as a web-service organization and required modifications in order to be relevant. Receiving relevant communications is critical to ensuring that the CBSA is able to react to issues promptly. The survey results are consistent with the findings noted in the PSPC HR-to-Pay Program Office's Environmental scan of Non-Pay Centre Organizations, which identified that communications from PSPC are focused on the Pay Centre service model, and PSPC's stakeholder engagement activities do not consider the needs and concerns of Non-Pay Centre organizations.
Impact of timeliness of communication on pay accuracy
35. Compensation staff (includes both Compensation Operation and Corporate Compensation) stress that information must be entered in the HR-to-Pay systems in a timely manner to avoid impacting an employee's pay. The Office of the Auditor General's Fall 2017 Report on Phoenix Pay SystemFootnote 8 reported that Phoenix is only capable of processing pay actions that are entered in real time, and that retroactive payments require manual intervention in order to not impact an employee receiving timely and accurate pay.
36. More than half (54%) of the survey respondents from Compensation Operations and Staffing were concerned that payroll documentsFootnote 9 were not submitted to them in a timely manner; and 69% responded that the documents were often incomplete for the purposes of processing a pay action in the HR-to-Pay systems.Footnote 10 The submission of incomplete documentation also affects the timely processing of pay actions as compensation advisors may delay processing a transaction until satisfactory documentation is provided.
37. Further to the survey, the high percentage of untimely submissions were confirmed in our review of pay files, where we noted instances where Cost Centre Managers did not provide documentation to Staffing in a timely manner. For example, in a sample of 15 overpayments selected for testing, the timeliness of documents was found to be an issue in about half of them (8 of 15).
38. To address issues with the timely submission of critical payroll documents and prevent payroll errors, the HRB launched a new "Timeliness Pays!" initiative for non-executive pay actions. As of , documents submitted to Human Resources (HR) Staffing Advisors must be sent within the timelines established by the HRB. Exceptions to the timelines are only permitted if approved by the Vice-President or Regional Director General of the requesting branch.
39. Ensuring that the information impacting payroll is initiated and actioned in a timely way is critical to the accuracy of employees' pay. Keeping momentum on strategies related to timeliness and fostering collaboration between key stakeholders will help the Agency reduce compensation errors and backlog.
Recommendation 2
The Vice-President of the Human Resources Branch should monitor and report on the compliance with the service standards for the timely submission of complete documents to HR by Cost Centre Managers (effective ) to ensure that the service standards and approval required for exceptions are being followed.
Management response: Agreed. On , service standards for 14 specific staffing actions were identified, which hiring managers must respect in submitting all required documents. If the established service standards are not respected, HR Staffing has the necessary authority to delay the effective start date.
HRB will monitor and report on all VP/RDG approved exception requests to assess the volume and report back to VP HRB every three months to ensure that the exceptions do not negate the HR-to-Pay timeliness initiative. First report to VP HRB is planned for the end of .
Completion date:
Recruitment, training, guidance and retention
Training and support
40. Adequate guidance, training and support are key to ensuring that all HR-to-Pay stakeholders can effectively execute their responsibilities. The Agency does not have a mandatory or formal compensation training program available for employees. Additionally, any compensation-related training taken by employees is not documented or tracked by the branch. While on-the-job training is provided, only 43% percent of Compensation staff surveyed found it to be sufficient.
41. To address the gaps in formalized and on-the-job training, Corporate Compensation was in the process of developing an in-house reference tool to assist new and existing Compensation Advisors. Additionally, mandatory training in client service delivery was taken to address improvements required for communication with employees on pay file issues.
42. The Agency's Compensation staff also have access to PSPC's training on HR-to-Pay processes. While the PSPC training is intended to be general enough for all users, the environmental scan identified that "almost all organizations indicated they need to adapt training materials to fit their context, which creates an additional burden".Footnote 11 When misapplied, the PSPC training can actually lead to errors, such as when a CBSA Compensation employee performs actions in Phoenix that are only meant for Pay Centre departments (i.e. not a web-service organization). When PSPC training and updates are disseminated to the community, Compensation must adapt and clarify the messaging in order to make it relevant for the CBSA.
43. Similar observations related to the sufficiency of training for compensation advisors have been identified by the OAG during their audit of the CBSA's Financial Statements. For the past two years, the OAG has recommended that the CBSA collaborate with PSPC and other stakeholders to assess training needs and develop training plans.
44. In lieu of training, Compensation staff depend on a number of other tools and guidance, such as standard operating procedures, reference manuals, and policies. However, while valuable, these resources do not replace training for establishing the foundation required to process various compensation actions.
45. A lack of relevant training and support can impact an employee's ability to effectively execute their duties. A formalized training program and supporting tools would assist with the effectiveness and consistency of pay processing, as well as strengthen compensation service delivery.
Recommendation 3
The Vice-President of the Human Resources Branch should finalize and implement a comprehensive compensation training program tailored to the CBSA web-services environment.
Management response: Agreed. Overall the Vice-President of the Human Resources Branch agrees with this recommendation and will ensure that a comprehensive training curriculum for Compensation Advisors, tailored for the CBSA, is finalized and implemented.
Completion date:
Recruitment and retention
46. The Agency requires a sufficiently staffed compensation function to process pay actions in a timely manner. In order to meet work demands, compensation uses a combination of indeterminate, determinate (term), casual and student employees. Most Non-Pay Centre organizations, including the CBSA, have faced challenges in the recruitment and retention of Compensation Advisors. Reports show that Non-Pay Centre Compensation Advisors are leaving their organizations for better classification, pay and training opportunities with the PSPC Pay Centre.Footnote 12
47. Interviews with Compensation staff highlighted a discrepancy in the classification of Compensation Advisors at the Agency when compared to the Pay Centre Compensation Advisors for similar jobs. When surveyed, 38% of Compensation Operations employees indicated that they would consider leaving the Agency for a job at-level elsewhere in the government. Compensation has initiated a review of the classification of job descriptions for operational compensation employees to ensure they are aligned with those of other government departments.
48. The attrition rates of Compensation Advisors we calculated are greater than the overall CBSA rates:
Attrition rate | 2018 | 2019 |
---|---|---|
CompensationFootnote 13 | 12% | 13% |
CBSAFootnote 14 | 6.5% | 5.6% |
49. In our sample of 14 indeterminate Compensation employee departures, five employees transferred to other government departments, and three of the five at the same classification level. The remaining nine employees in the sample retired.
50. Staffing challenges have been identified in the Compensation Backlog Strategy along with a plan to recruit additional Compensation Advisors. They have leveraged the population of retired Compensation Advisors by recruiting some retirees to assist directly with clearing the backlog. Additionally, retention strategies, such as providing opportunities to internal staff, looking at extending a retention allowance to compensation staff and updating job descriptions, have also been identified to facilitate the retention of Compensation Advisors.
51. When commenting on their job satisfaction, 60% of Compensation staff indicated that they were satisfied with their job and 49% felt supported in their career development. Of the employees that identified being satisfied with their job, the most common reasons for job satisfaction included recognition, good relationships, and the challenge in the job, as well as the ability to promote change or help a client. On the other hand, reasons for job dissatisfaction included a lack of proper training, systems issues, lack of recognition, overwhelming or stressful work levels, and unrealistic deadlines.
52. Despite the challenges to maintaining a fully staffed compensation function, HRB continues to implement strategies to recruit and retain qualified resources.
HR-to-Pay controls and systems
HR-to-Pay internal controls
53. The Government of Canada's Policy on Financial Management outlines the requirement for "establishing, monitoring, and maintaining a risk-based system of internal control over financial management" and "ensuring that prompt corrective action is taken when control weaknesses and material unmitigated risks are identified, including the risk of fraud".Footnote 15
54. A well designed internal control framework consists of actions carried out by employees as well as actions designed in a system to ensure a process is properly controlled. The HR-to-Pay internal controls are outlined in Appendix D and include actions such as approvals, reconciliations, peer reviews and IT system restrictions. An internal control framework that is operating effectively ensures that processes are followed and systems are working as intended on a regular basis.
55. Within the HR-to-Pay process, the Agency relies on the internal controls to ensure that:
- pay actions are timely, valid and accurate
- payroll expenditure reporting is free from material errors
- risks to the administration of the Agency's payroll are minimized
56. As part of their mandate, the Agency's Internal Control team (within FCMB) is responsible for documenting the HR-to-Pay Internal Control Framework (framework) and assessing the controls within that framework to ensure they are operating effectively.
57. We used the framework developed by the Internal Control team to assess the key HR-to-Pay controls.Footnote 16 In addition to controls from the framework, we identified and tested IT system controls involved in the HR-to-Pay process. In total, we tested 53 controls consisting of 29 manualFootnote 17 and 24 IT controlsFootnote 18. The controls were tested by sampling 155 pay actions.Footnote 19
58. The results of the control testing are summarized in Table 2. Further details on control descriptions and the results are included in Appendix D.
Control activity | Operating effectively | Operating ineffectively | Designed ineffectively | Not adequately documented |
---|---|---|---|---|
Adding employees to payroll | 1 | 4 | 2 | 1 |
Payroll modifications | - | - | - | 3 |
Time approval | 1 | - | 1 | 1 |
Recording of payroll expenditures | 1 | 2 | - | 1 |
Payroll monitoring | 2 | 2 | 1 | - |
Removing employees from payroll | - | 6 | - | 1 |
CAS IT user access | 4 | 2 | - | - |
CAS IT automated controls | 12 | - | - | - |
Phoenix IT user access | 5 | - | - | - |
Total | 26 | 16 | 4 | 7 |
59. Of the 53 controls, only 26 (49%) controls were deemed to be operating effectively, as there was sufficient evidence to show that the control activity was working as intended for all files sampled. The remaining 27 (51%) controls were either operating ineffectively, designed ineffectively or not adequately documented. While it is expected that some controls will require revisions from time to time, the number of controls that were found to be not documented or designed adequately suggests that the framework is not reflective of what employees are actually doing. Of greater concern was the number of controls found to be ineffective (16 out of 53 or 30%) as this means that important activities, on which we rely for pay accuracy, are not being performed as they should.
60. As shown in Table 2, we identified errors in 16 controls (operating ineffectively) where one or more of the files sampled did not contain sufficient support to show the control was working as intended. For instance, Compensation Advisors are required to prepare a calculation verifying the accuracy of an employee's first pay. In some of the files sampled, a calculation was not completed and a rationale for not preparing the calculation was not on file.
61. Given that the HR-to-Pay process has evolved since being documented, we observed that four control descriptions were outdated. We also noted seven instances where the description of the activity in the framework was no longer aligned with the actual process or the description did not clearly identify the key aspects of the activity. For example, the position who was required to approve a pay action.
62. Our observations also cover internal control weaknesses that have been previously highlighted by the OAG's annual audit of the CBSA's Financial Statements. One of the more notable gaps identified by the OAG in the 2017-2018 audit was a weak process to approve payments (Financial Administration Act Section 33) and identify potential errors related to pay. Despite the amount of time that has passed since this issue has been known, the controls for Financial Administration Act Section 33 approval had not yet been strengthened.
63. Without documented controls that are designed and operating effectively, there is a higher risk of invalid or inaccurate payments. Invalid and/or inaccurate payments can lead to employee frustration, financial loss, reputational damage or inaccurate reporting of payroll expenditure, and, as such, requires immediate attention. It is imperative that the required changes to the framework be made, that the framework be monitored and tested on an ongoing basis and that the importance of properly following established processes and procedures be reiterated.
Recommendation 4
To mitigate the risks associated with the control failures identified in the audit, the Vice-President of the Finance and Corporate Management Branch should immediately ensure that the Corporate Accounting, Financial Policy and Internal Controls Division:
- consult with business process owners in FCMB and HRB to address documentation and design effectiveness issues identified in the audit
- revise the HR-to-Pay internal control framework based on consultations conducted in a)
- issue recommendations to business process owners to rectify control weaknesses identified in the audit
- consult with stakeholders and plan for testing and reporting on the design and operating effectiveness of the revised framework
Management response:
- Agreed. The Vice-President of FCMB will work with HRB (Office of Second Interest, OSI) in order to address the design and documentation deficiencies identified in the audit report. The FCMB working with HRB will strengthen the processes to ensure they are operating as designed and generating the expected outcomes.
- Agreed. The Vice-President of the FCMB will work with HRB in order to re-evaluate the HR-to-Pay internal control framework. The updated framework should address the issues related to internal control documentation and design ineffectiveness. The Revised framework should minimize the risks to the administration of the agency's payroll.
- Agreed. The Vice-President of the FCMB Branch will work with HRB to continue to address opportunities to improve control deficiencies observed in the audit report. Specific recommendations targeting controls not operating effectively will be brought to the attention of the relevant Business Process Owners. A follow-up will ensure that the recommendations are implemented and provide sufficient evidence that the weaknesses are being addressed.
- Agreed. In order to certify that the revised control framework is efficient, the Vice-President of the FCMB Branch will develop a plan to seek assurance by conducting design and operating effectiveness testing of the HR-to-Pay control framework. The tests will be risk-based and aimed to certify/confirm the design and operating effectiveness of the revised control framework.
Completion date:
IT systems
64. The Agency uses two systems that are critical to the HR-to-Pay process: CAS and Phoenix. Phoenix was implemented and is maintained by PSPC and CAS is hosted and maintained by CRA. Since the Agency is a web-service organization, pay actions are entered into CAS and data is transmitted to Phoenix for the issuance of the employee's pay. In order to efficiently and effectively process pay actions, systems must meet the needs of their users. We assessed whether CAS and Phoenix met users' needs and accurately processed transactions.
65. Per the internal audit survey, most of the Compensation staff (81%) stated that they feel the HR systems have the right functionalities for them to do their job. Furthermore, the majority of Compensation Operations, Corporate Compensation and HR Systems employees responded that risks related to the systems have been identified (71%) and that these risks were being actively managed (80%).
66. However, the majority of operational staff (73% of Compensation and 73% of Staffing) are concerned that system limitations, due to integration issues between CAS and Phoenix, prevent the accurate capture of relevant HR information. We were informed that even if a pay action is accurately processed by the Compensation Advisor and entered into CAS, Phoenix may not issue correct payment.Footnote 20 While reviewing pay files, we observed an instance where the compensation advisor entered accurate information in Phoenix that resulted in an invalid payment where a duplicate cheque was issued to the employee.
67. Phoenix also has issues processing payments, such as processing collective agreement changes or late pay actions. In an effort to align CAS and Phoenix payroll data, Corporate Compensation compare employee job data in CAS against data in Phoenix on a daily basis and correct any discrepancies between the two systems. This creates additional work and does not always prevent inaccurate pay, as the discrepancies may not be identified in time to make the necessary corrections. Invalid payments issued by system limitations can cause frustration amongst employees who are either owed pay or have to reimburse the Agency for an overpayment.
68. In order to understand what could affect the validity of payments within the HR-to-Pay systems, we analyzed Phoenix data related to overpayments, to distinguish the potential root cause of the errors. A sample of 15 known overpayments was selected for our analysis. By tracing the payment through the HR-to-Pay process, we were able to determine the following root causes:
- processing late payments (eight payments): late submission of critical information by the cost centre manager (acting end date) or late entry of pay action (e.g. an employee receiving full pay while on leave due to documentation being submitted or entered after the effective date)
- system errors (one payment): Phoenix generated a duplicate cheque, however this was caught and cancelled before payment to the employee
- subsequent revision of timesheets (six payments): an employee reported their time using a paid timecode (overtime compensated as payment, leave with pay) and subsequently changed their reported time to a non-paid timecode (overtime compensated as leave, leave without pay) after the payment was issued
69. The current pay systems and associated interfaces do not always facilitate an accurate end-to-end compensation process. However, with increased focus on communicating and educating employees and managers on the impact various behaviours have on pay accuracy, as well as training for HR systems users and the timely submission and processing of pay actions, the Agency can reduce the issues that are within its control.
IT systems – segregation of duties
70. Segregation of duties (SOD) is required when assigning access rights to users of a system in order to prevent an individual from having incompatible duties (i.e. initiating, approving, and reviewing the same transaction). The restriction in access is designed so users cannot initiate unauthorized transactions. For example, having segregation between individuals who process pay actions and those who approve pay actions reduces the potential for fraud and helps to ensure that only valid actions are entered into systems. In instances where SOD cannot be maintained, it is expected that mitigating controls are in place to prevent inappropriate use or fraud.
71. Incompatible roles in the HR-to-Pay IT systems have been identified by system ownersFootnote 21 of CAS and Phoenix. We assessed whether the SOD was being respected by the CBSA.
Segregation of duties in CAS
72. Each role granted to a user has various combinations of available actions and permissions associated with it. We attempted to assess whether the permissions, known as transaction codes (T-codes), associated with each role were appropriate. However, we were unable to obtain documentation that showed which T-codes are incompatible. Due to this limitation, we assessed segregation of duties at the role level.
73. Compensation Advisors are given the "Compensation – Transaction Processing" role within CAS that allows them to process pay actions. There are four roles with which the "Compensation – Transaction Processing" role cannot be combined. Requests for these roles are submitted through the Agency's IT ticketing system by the employee's manager and then sent to the appropriate authorized individuals to be granted.Footnote 22
74. We identified six users who had incompatible roles in CAS. Four users had the ability to authorize and process pay actions. Two users had the ability to process pay actions and modify the pay list to which an employee is assigned, which would allow them to process pay actions for those employees. All six situations of incompatible roles were removed after we brought them to management's attention.
75. Given that incompatible roles were granted by authorized individuals, it is important that the SOD matrix be consulted prior to granting access to CAS in order to reduce the likelihood that employees receive access to incompatible roles.
Segregation of duties in Phoenix
76. PSPC identified specific roles in the Phoenix SOD matrix that should not be granted in combination with each other. These roles include, among others: Compensation Advisor, Section 33 Approver and HR Systems Analyst. In order to request a role in Phoenix, the employee's manager must submit a form to the Agency's Phoenix Security Access Control Officer.
77. When incompatible roles are unavoidable, an attestation by the Chief Financial Officer is required by PSPC to authorize the override. We found that six users had a combination of incompatible roles, which the Agency's Chief Financial Officer authorized.
78. When granting incompatible roles, the Chief Financial Officer is required to confirm that compensating controls are implemented to manage the risks created by allowing incompatible roles to exist in the system. The Corporate Compensation team has recently initiated a quarterly review of the appropriateness of user access in CAS and Phoenix. However, no compensating controls are in place that would reduce the misuse of the incompatible roles. Business Process Owners in HRB and FCMB for systems related to the HR-to-Pay process do not perform any monitoring of user activity in Phoenix or CAS, specifically for those with incompatible roles. Furthermore, these process owners do not assess incompatible roles across the two systems to ensure that duties are segregated for users with access to both systems.
79. While we did not come across any signs of fraud during the pay file review, the lack of monitoring of user activities within the systems and instances of controls designed or operating ineffectively increase the risk of fraud.
Recommendation 5
To prevent potential misuse of the systems used in the HR-to-Pay process, the Vice-President of the Human Resources Branch, in collaboration with the Vice President of the Finance and Corporate Management Branch, should:
- revise the role approval process for CAS roles used within the HR-to-Pay process to ensure that incompatible roles are avoided, and if necessary, appropriate approval is provided and documented
- ensure compensating controls are in place, including regularly monitoring users who have been granted incompatible roles in the HR-to-Pay systems to ensure their access privileges are not being inappropriately used
Management response: Agreed. The Vice-President of the Human Resources Branch and VP Finance and Corporate Management Branch agree with this recommendation and will ensure that the CAS and Phoenix roles, that are used within the HR-to-Pay process, are reviewed quarterly and include appropriate proof of approval and documentation when incompatible roles are granted.
Completion date:
Page details
- Date modified: