Audit of CIHR’s Core Management Controls – Procurement and Human Resources
Executive Summary
Introduction
The Internal Audit of CIHR’s Core Management Controls – Procurement and Human Resources (CMC) was part of the 2012-13 Risk-Based Annual Internal Audit Plan (RBAP) which was approved by the Canadian Institutes of Health Research’s (CIHR) Governing Council (GC).
The Canadian Institutes of Health Research
The Canadian Institutes of Health Research is the Government of Canada's agency responsible for funding health research in Canada. CIHR was created in June 2000 under the authority of the CIHR Act and reports to Parliament through the Minister of Health. CIHR's mandate is to "excel, according to internationally accepted standards of scientific excellence, in the creation of new knowledge and its translation into improved health for Canadians, more effective health services and products and a strengthened Canadian health-care system." CIHR comprises 13 "virtual" institutes – each headed by a Scientific Director, who is assisted by an Institute Advisory Board – which bring together all partners in the research process – the people who fund research, those who carry it out, and those who use its results – to share ideas and focus on what Canadians need: good health and the means to prevent and fight disease. Each Institute supports a broad spectrum of research in its topic areas and, in consultation with its stakeholders, sets priorities for research in those areas. CIHR funds over 14,000 researchers and trainees in universities, teaching hospitals, and other health organizations and research centres in Canada and abroad.
Core Management Controls
Core management controls are the key internal controls reasonably expected to be in place in most, if not all, federal departments and agencies. These may represent the fundamental controls that support each of the elements of the Management Accountability Framework, or they can be other controls that are unique to an organization’s mandate or environment.
The Office of the Comptroller General (OCG) has developed audit criteria to address the ten areas of CMC that should exist in all federal departments and agencies.
The 2012–2015 RBAP identified CMC as a recurring annual project, and the ten primary areas identified by the OCG will form the basis of what this audit and subsequent audit projects will examine. Given the resources available to Internal Audit, it is expected that each annual project will examine on a rotating basis two or three of the areas identified by the OCG. This audit project reviewed the controls relating to procurement, and the management of non-permanent employees, performance pay, and pay administration.
Risk Addressed by the Audit
The audit addresses the risk that CIHR’s CMC are not operating in the manner intended and that the organization could be impacted by events (e.g. fraud, reputational damage, security breach) that these controls were intended to prevent. This risk is related to the TBS Management Accountability Framework (MAF) elements of Policy and Programs, Stewardship, and Accountability.
Objective
The audit assessed whether the core management controls related to procurement and the management of non-permanent employees, performance pay, and pay administration are operating effectively at CIHR.
Scope
The audit focused on the controls that relate to the management of the procurement process at CIHR, as well as non-permanent employees, performance pay, and payroll administration.
Overall Audit Opinion
The audit has concluded that CIHR’s CMC surrounding the procurement process, as well as non-permanent employees, performance pay, and payroll administration, are well controlled, with minor opportunities for improvement.
Statement of Conformance
In my professional judgement as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided in this report. The audit of CMC was conducted in accordance with the Federal Government’s Policy on Internal Audit and related professional standards. It conforms with the Internal Auditing Standards for the Government of Canada, as supported by the results of a quality assurance and improvement program.
Summary of Strengths
Through the course of the audit, the following Core Management Control strengths were observed:
- A robust procurement process exists that properly manages and documents contract initiation, bid solicitation, bid evaluation and contract amendment;
- Sole-source and non-competitive contracts are appropriately justified;
- Security requirements and intellectual property rights in contracts are appropriately managed;
- CIHR adhered to the proactive disclosure requirements in place during the period reviewed;
- A robust process exists to commit funds, verify accounts, initiate expenditures and issue payments for procurement and CIHR’s performance pay;
- The terms and conditions for hiring term employees and students are followed;
- Employees are properly screened before being hired;
- Adequate segregation of duties exists in the pay administration roles; and
- Departure procedures are appropriately followed.
Summary of Improvement Opportunities
The following aspects of CIHR’s CMC require management’s attention:
- Retroactive contracts and confirming orders are not recorded in CIHR’s financial management system or reported on CIHR’s website as part of the policy on procurement’s requirement for proactive disclosure;
- CIHR’s bid solicitation documents do not address all of the requirements of the Government of Canada procurement guidelines regarding former public servants; and
- Departure procedures are not formalized for employees on paid and unpaid leave.
Internal Audit thanks management and staff for their assistance and cooperation throughout the audit.
Martin Rubenstein
Chief Audit Executive
Canadian Institutes of Health Research
Management agrees with the conclusions of this audit.
Thérèse Roy
CFO/VP, Resource Planning and Management
Detailed Report
Methodology and Criteria
The internal audit of CIHR’s Core Management Controls was conducted in accordance with the Federal Government Policy on Internal Audit. The principal audit techniques used included:
- interviews with management and staff at the Canadian Institutes of Health Research;
- examination of relevant documentation, policies, reports and electronic records used as part of the procurement and human resources processes; and
- recalculation of salary and procurement amounts.
Controls were assessed as adequate if they were sufficient to minimize the risks that threaten the achievement of objectives. Detailed criteria and conclusions are contained in the Appendix to this report.
The audit was conducted between September, 2012 and June, 2013.
Observations, Recommendations, and Management Action Plan
The following are audit observations, recommendations, and management action plans to address the weaknesses identified during the audit.
Observation | Recommendation | Management Action Plan |
---|---|---|
1. Retroactive contracts and confirming orders are not recorded in CIHR’s financial management system (FMS) or reported on CIHR’s website as part of the procurement policy’s requirement for proactive disclosure. | ||
Retroactive contracts and confirming orders are used for work that vendors have started or completed in the absence of an appropriate, signed contract. Every year a minimal number of retroactive contracts and confirming orders must be managed by the Procurement unit when CIHR employees do not follow the proper contracting policies and procedures. Although these items are adequately scrutinized and manually processed individually, they are not recorded in CIHR’s financial system, regularly analyzed or proactively reported on CIHR’s website. Risk and impact: Failing to record contracts in CIHR’s FMS makes it more difficult to aggregate and analyze these contracts. Failing to disclose these contracts means CIHR may not be in compliance with the requirements regarding proactive disclosure. | | Responsibility: Manager, Financial Operations and Procurement. Actions: Expected completion October, 2013. Expected completion October, 2013. |
2. CIHR’s bid solicitation documents do not adequately address recent changes to Government of Canada procurement guidelines regarding former public servants (FPS). | ||
The procurement guidelines for the hiring of former public servants (FPS) were modified in 2012 to require proactive disclosure of contracts with FPS (see section 3.90 of the Buy and Sell supply manual). This resulted in changes to bid solicitation procedures to enable appropriate disclosure. CIHR’s procurement procedures do not adequately address this change and there is currently no plan to meet the policy requirements for FPS. In addition to the changes to the proactive disclosure requirements, other guidelines regarding the hiring of FPS were changed in the past year: Risk and impact: Failing to update CIHR’s procurement documents regarding FPS means CIHR may not be in compliance with these requirements. In addition, failing to disclose these contracts could expose CIHR to public scrutiny or criticism, | | Responsibility: Manager, Financial Operations and Procurement. Action: Expected completion October, 2013. Expected completion: Completed. |
3. Departure procedures are not formalized for employees on parental leave or leave without pay. | ||
Former employees have formal checks completed upon their departure for money owed to the Crown (i.e. travel advances), physical (i.e. laptops, Blackberries) or information assets (i.e. files from Records). However, for employees who take an extended period of leave without pay (such as maternity or parental leave), similar checks do not occur. A modification to the employee departure workflow to include a ‘Temporary Departure Process’ was initiated in 2011 but was put on hold until early 2013. Based on the audit findings and at the prompting of HR, ITAMS adjusted priorities and began modifying the workflow in August, 2013. Risk and impact: Employees may permanently depart CIHR while on an extended leave without pay and it is more difficult to re-acquire these assets after this point. In addition, other employees may need the information assets during the leave period. | The checks used as part of the regular departure process should be applied to employees starting extended leaves without pay. | Responsibility: Manager, Labour Relations and Compensation. Action: Agree. The Manager, Labour Relations and Compensation will continue to work with the Information Technology, Administration and Management Services branch to ensure the “Temporary Departure Process” is built into the departure workflow. Expected completion: December 31, 2013. |
Overall conclusion
The overall conclusion considers the cumulative risk exposure related to the audit observations in the context of the above criteria. The audit has concluded that the core management controls over procurement, non-permanent employees, performance pay, and payroll administration are well controlled, with minor opportunities for improvement.
In the course of our audit, some minor opportunities for improvement were identified that could improve systems of internal control, streamline operations and/or enhance financial reporting processes. We have documented these observations in a management letter.
Appendix
Audit criteria
The audit uses the following definitions to make its assessment of the internal control framework.
Conclusion on Audit Criteria | Definition of Opinion |
---|---|
Well controlled | Well managed, no material weaknesses noted or only minor improvements are needed. |
Moderate issues | Control weaknesses, but exposure is limited because either the likelihood or the impact of the risk is not high. |
Significant improvements required | Control weaknesses either individually or cumulatively represent the possibility of serious exposure. |
Criteria | Reference to Observations | Conclusion |
---|---|---|
Procurement | ||
1. The statement of requirements was defined before bids were solicited. | ||
1.1 Proper contracting authorities are involved in the contracting process as necessary. | Internal audit report observation 1 | Moderate issues |
1.2 Work/goods requirements, specifications, cost estimates, and deliverables are clearly defined in the SOW document. | No exceptions | Well controlled |
1.3 Statement of work is defined before bids are solicited. | No exceptions | Well controlled |
2. There is documentation on file to support the justification for non-competitive procurement contracts in accordance with section 6 of government contract regulations. | ||
2.1 Justification on file for sole sourcing is appropriately documented and substantiated. | Internal audit report observation 4 and management letter | Well controlled |
2.2 Appropriate analysis is performed to achieve best value from the planning to appraise alternative contract. | No exceptions | Well controlled |
2.3 There is no evidence of contract splitting. | No exceptions | Well controlled |
2.4 Security requirements are addressed to ensure compliance with the provisions of the Government Security Policy. | Management letter | Well controlled |
2.5 Intellectual Property (IP) rights are identified and addressed. | Management letter | Well controlled |
2.6 Former Public Servant services are justified and documented. | Internal audit report observation 2 | Moderate issues |
2.7 Contracts with former public servants respect the twelve months "cool-off period" (Footnote i). | Internal audit report observation 2 | Moderate issues |
3. Appropriate tendering processes for bids are used in the proper circumstances. | ||
3.1 The appropriate procurement vehicle is used. | Management letter | Well controlled |
3.2 The contracting vehicle chosen is used in compliance with its terms and conditions. | No exceptions | Well controlled |
3.3 There is no evidence of contract splitting. | No exceptions | Well controlled |
4. Bid evaluation criteria were provided on Request for Proposal (RFP) documents and were used for contractor selection in an open, fair and transparent manner. | ||
4.1 Bid selection method and evaluation criteria are clearly outlined in the bid solicitation document before the Request for Proposal is issued. | One exception, no recommendations | Well controlled |
4.2 For competitive processes, the Statement of Work (SOW), work description and evaluation criteria are open, fair and transparent and defined before bids are solicited. | One exception, no recommendations | Well controlled |
4.3 Contractors or goods were selected in accordance with the terms and conditions of the bid. | No exceptions | Well controlled |
4.4 The evaluation report has been signed by all the evaluators. | One exception, no recommendations | Well controlled |
5. Funds commitment availability is certified by someone with the delegated authority prior to the expenditure initiation at the value expected to be incurred. | ||
5.1 Expense is approved by the appropriate authority. | One exception, no recommendations | Well controlled |
5.2 Expense is approved prior to the event. | No exceptions | Well controlled |
5.3 Commitment is recorded at the value expected to be incurred. | No exceptions | Well controlled |
6. Contracts and contract amendments were approved prior to the receipt of any goods or services or the expiration of the original contract and supporting documentation is retained on file. | ||
6.1 A copy of the signed, written contract is on file. | No exceptions | Well controlled |
6.2 The contracts are signed by someone with the proper delegated authority. | No exceptions | Well controlled |
6.3 Contract and amendments are issued before goods or services are received. | No exceptions | Well controlled |
6.4 Contract amendments are properly justified and substantiated. | One exception, no recommendations | Well controlled |
6.5 Contract amendments are approved by authorized officers. | No exceptions | Well controlled |
6.6 Contract amendments are issued before contract expiry date. | No exceptions | Well controlled |
7. The performance of account verification is done by someone with the delegated authority to do so, is accomplished on a timely basis and verifies the correctness of the payment requested. | ||
7.1 Account verification is performed by the appropriate delegated authority. | Management letter | Well controlled |
7.2 Invoice certified is properly supported with proof of execution and cost. | No exceptions | Well controlled |
7.3 Account verification is conducted on a timely basis. | Management letter | Well controlled |
8. The payment and settlement is carried out by someone with proper delegation of authority and for the correct dollar amount and to the right vendor on a timely basis. | ||
8.1 Invoice payment is issued for the correct amount, within the contract limit, and to the correct vendor. | No exceptions | Well controlled |
8.2 S.33 was signed by an employee with proper delegated authority. | No exceptions | Well controlled |
8.3 S.33 is completed before the payment is released. | No exceptions | Well controlled |
8.4 S.33 is processed on a timely basis, within payment terms. | Management letter | Well controlled |
9. Contracts valued at over $10,000 are publicly disclosed. | ||
9.1 S.33 is processed on a timely basis, within payment terms. | No exceptions | Well controlled |
Human Resources | ||
1. Treasury Board terms and conditions requirements for student employees and CIHR’s Term Employment Policy for term employees are being administered correctly. | ||
1.1 The hiring of term employees follows the authorities, applications and responsibilities identified in CIHR’s Term Employment Policy. | No exceptions | Well controlled |
1.2 Student employee terms are approved to exclude vacation leave and include 4% remuneration in lieu. | No exceptions | Well controlled |
1.3 Student employee remuneration and benefits are set within defined provisions. | No exceptions | Well controlled |
2. Employee's security screening is managed properly and subject to proper delegated authority. | ||
2.1 Security assessments and reliability checks levels are defined and determined as conditions of employment. | No exceptions | Well controlled |
2.2 Individuals who will access government information and assets are security screened at the level defined before the commencement of their duties. | No exceptions | Well controlled |
2.3 Security clearance and reliability checks are reviewed and approved by an authorized delegated authority. | No exceptions | Well controlled |
3. Performance pay is administered correctly and approved by the appropriate delegated authority. | ||
3.1 Annual Performance Review is based on pre-set objectives and is completed and documented on a yearly basis. | No exceptions | Well controlled |
3.2 Performance pay is allocated only to eligible employees. | No exceptions | Well controlled |
4. Funds commitment availability is certified by someone with the delegated authority prior to the expenditure initiation at the value expected to be incurred. | ||
4.1 Expense is approved by the appropriate authority. | No exceptions | Well controlled |
4.2 Expense is approved prior to the event. | No exceptions | Well controlled |
4.3 Commitment is recorded at the value expected to be incurred. | No exceptions | Well controlled |
5. The performance of account verification is done by someone with the delegated authority to do so, is accomplished on a timely basis and verifies the correctness of the payment requested. | ||
5.1 Account verification is performed by the appropriate delegated authority. | Management letter | Well controlled |
5.2 Expense certified is properly supported with proof of execution and cost. | No exceptions | Well controlled |
5.3 Account verification is conducted on a timely basis. | No exceptions | Well controlled |
6. The payment and settlement is carried out by someone with proper delegation of authority and for the correct dollar amount and to the right employee on a timely basis. | ||
6.1 Performance payments are issued for the correct amount, to the correct employee, and within approved limits. | No exceptions | Well controlled |
6.2 S.33 was signed by an employee with proper delegated authority. | Management letter | Well controlled |
6.3 S.33 is completed before the payment is released. | No exceptions | Well controlled |
6.4 S.33 is processed on a timely basis, within payment terms. | No exceptions | Well controlled |
7. Adequate segregation of duties exists in pay administration roles. | ||
7.1 Adequate segregation of duties exists in pay administration roles. | Two exceptions, no recommendations | Well controlled |
8. Departure procedures for the department are followed. | ||
8.1 Departmental procedures are in place and followed concerning departures to certify that all money owing to the Crown, or any other assets, are accounted for before an employee leaves the organization. | Internal audit report observation 3 | Moderate issues |
Footnotes
- Footnote i: Note that criterion 2.7 makes reference to a one-year “cooling off” period for FPS; this criterion was drawn from the now-archived Values and Ethics Code for the Public Service. Between the planning and reporting phases of the audit, this document was replaced with the Policy on Conflict of Interest and Post-Employment which does not specify a cooling-off period, though the still-active Code of Conduct for Procurement does. Due to the complexity of the issue and now-obsolete initial criteria, no specific recommendation is made regarding a cooling off period. Instead a general review of contracting with FPS is recommended.