Controls over Financial Information

February 2009

Executive Summary

Introduction
Risk Addressed by the Audit
Objective
Scope
Overall Audit Opinion
Statement of Assurance
Summary of Internal Control Strengths
Summary of Internal Control Weaknesses

Detailed Report

Methodology and Criteria
Observations, Recommendations, and Management Action Plan

Appendices

A: Audit Criteria and Conclusions
B: Overview of FreeBalance Interfaces

Executive Summary

Introduction

The internal audit of Controls over Financial Information is part of the Risk-Based Annual Internal Audit Plan 2008-2009 approved by the Canadian Institutes of Health Research (CIHR) Governing Council. For processing its financial information, CIHR uses the FreeBalance Accountability Suite, a commercial off-the-shelf integrated financial management information system commonly used in the federal government.

Risk Addressed by the Audit

In accordance with the Treasury Board of Canada (TB) Policy on Internal Audit, this audit addresses risks, controls, and governance processes associated with the activity under review. The risks are:

Inappropriate disclosure of information – Poor security could result in the unauthorized disclosure of sensitive or confidential information.
Unauthorized, inaccurate, and incomplete information – Errors in input, processing, and reporting of information could yield misstated results and cause inappropriate management decisions based on those results.
Fraud – An inadequately controlled system is vulnerable to illegal or unethical activities.
Unavailability of the system – If the system were not available, there could be an interruption in CIHR's financial operations.

The risks relate to the TB Management Accountability Framework (MAF) elements of Stewardship, which requires that the departmental control regime (assets, money, people, services, etc.) be integrated and effective, and its underlying principles be clear to all staff; and Results and Performance, which requires that relevant information on results (internal, service, and program) is gathered and used to make decisions, and public reporting is balanced, transparent, and easy to understand.

Objective

The audit objective is to assess the adequacy and effectiveness of internal controls over the confidentiality, integrity, and availability of information in FreeBalance.

Scope

The audit covers automated and manual controls over input, processing and output of information in the following FreeBalance modules: Financials (Appropriations; Budget Controls; General Ledger, Accounts Receivable, and Accounts Payable; Expenditures; and Reporting), Revenue (Invoicing; Billing Management; and Receipts), and Purchasing (Requisitions and Purchase Orders; Supplier Invoices; and Goods Receipts). The scope includes information transferred through interfaces with the Electronic Information System (EIS); GX Salaries; Crystal Reports; and the Receiver General's Pay System (PSGL), Standard Payment System (SPS), and Central Financial Management Reporting System (CFMRS).¹ The audit excludes enterprise-wide business continuity planning, and the testing and approval of modifications to network infrastructure and communications software, both of which were addressed by the internal audit of the Electronic Information System (EIS), October 2007. It also excludes controls related to financial statements preparation and reporting, which are addressed in the Office of the Auditor General's (OAG) audit of CIHR's annual financial statements.

Overall Audit Opinion

The audit has concluded that the internal control framework for financial information requires significant improvement.

Statement of Assurance

In my professional judgement as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided in this report. The audit of controls over financial information was conducted in accordance with the Federal Government Policy on Internal Audit and related professional standards. The audit opinion is based on a comparison of conditions that existed at the time of the audit against established audit criteria that were agreed upon with management. The evidence is sufficient to provide senior management with proof of the opinion.

Summary of Internal Control Strengths

The audit team observed several internal controls that were designed properly and operating effectively:

Physical access to computer equipment is restricted to individuals who require such access to perform their job responsibilities, authorized by management, and monitored.
All modifications to the system (for example, in response to user requests and for upgrades and fixes released by the vendor) are approved by management and implemented if consistent with CIHR's information technology plans or user functional requirements.
New systems and modifications to systems are tested in accordance with test plans that include, as appropriate, system and unit testing, interface testing, parallel testing, capacity testing, integration testing, and user acceptance testing.
Processing is monitored by management, including a review and resolution of any exceptions, to ensure successful and timely completion.
Backup and retention of data and erasure and release of media when retention is no longer required are planned and executed as scheduled.
Retention and release records are periodically reviewed by management.

Summary of Internal Control Weaknesses

The following aspects of controls over financial information require management's attention:

Controls over access to financial information need to be improved.
Segregation of duties related to financial processing and information need to be enhanced.
Controls over the accuracy and completeness of transactions recording need to be strengthened.
Control activities for the review and approval of documents and transactions entered in FreeBalance need to be consistently implemented.
An audit trail of control activities is required to demonstrate due diligence.
Change management control over master files needs to be improved.

Other, lower-risk findings have been issued in a letter to management's attention.

Internal Audit thanks management and staff for their excellent cooperation in this audit.

Dev Loyola-Nazareth

Chief Audit Executive
Canadian Institutes of Health Research

Top of Page

Detailed Report

Methodology and Criteria

The assessment of the adequacy and effectiveness of controls over financial information was conducted in accordance with the TB Policy on Internal Audit. The principal audit techniques used included:

interviews with management and staff at Resource Planning and Management (Finance) and Information, Technology and Administration Management Services (ITAMS);
reviews of system documentation;
walkthroughs of control procedures;
analysis of the system of automated and manual controls within FreeBalance; and
analysis of the system of internal controls within the IT infrastructure supporting FreeBalance.

Controls were assessed as adequate if their design and implementation were sufficient to minimize the risks that threatened the achievement of objectives. Controls were assessed as effective if they operated as intended over a period of time.

The criteria used for assessing the audit objective were derived from the Information Systems Audit and Control Association/IT Governance Institute's (ISACA/ITGI) Control Objectives for Information and related Technology (COBIT®). Detailed criteria and conclusions are contained in Appendix A to this report.

The audit was conducted between September and December 2008.

Observations, Recommendations, and Management Action Plan

The following are audit observations, recommendations, and management action plans that address weaknesses in controls over financial information.

Observation	Recommendation	Management Action Plan
1. Controls over access to financial information need to be improved.
a. There is no process in place to ensure that access to FreeBalance is formally approved by management before being granted to users. There is also no process in place to review access on a regular basis to ensure that it remains appropriate. Moreover, it was noted during testing that many users had access to FreeBalance functionality that was not required for performing their jobs. The absence of clearly defined policies and procedures for approving the appropriateness and extent of access to FreeBalance increases the risk of unauthorized access, which can compromise the confidentiality and integrity of data. Without proper management reviews of user access, there is an increased risk that inappropriate user access privileges will remain undetected and that logical security is ineffective.	It is recommended that the Chief Financial Officer (CFO) develop and implement policies and procedures to ensure that access to FreeBalance is approved by management before being granted to users, and then reviewed on a regular basis to ensure it remains appropriate. Procedures should include analysis of incompatible roles to ensure that, if users have more than one role, the roles do not present a conflict of duties risk; and retention of documentation on control activities for audit trail purposes. The policies and procedures should apply to all FreeBalance users, not just those in Resource Planning and Management. The CFO, being the ultimate owner of the system and the data within it, also "owns" the policies and procedures.	Responsibility: Director, Financial and Corporate Planning and Reporting and Director, Financial Operations and Monitoring Action: The Director, Financial Operations and Monitoring will work with staff to develop policies and procedures that ensure user access to FreeBalance is approved by management prior to being granted and that the appropriate user access rights are reviewed on a regular basis. The Director, Financial and Corporate Planning and Reporting, who is responsible for the day to day management of FreeBalance, will ensure these policies and procedures are implemented and that analysis of incompatibility of user roles and the retention of documentation on control activities for audit purposes are carried out. Timeline: June 2009
b. Access to the following functions related to Revenue is excessive: Of 3 users who have access to create and modify sales vouchers, 1 does not require this access for his job. Of 4 users who have access to release sales vouchers, 2 do not require this access for their jobs. Of 3 users who have access to create and modify cash receipts, 1 does not require this access for his job. Of 22 users who have access to post transactions to prior periods, 20 do not require this access for their jobs. Of 4 users who have access to create and modify customer master records, 2 do not require this access for their jobs. Excessive access to revenue business functions may result in the recording of inaccurate, invalid, or incomplete revenue transactions, as well as misstated revenue-related account balances, thereby impacting the integrity of FreeBalance data.
c. Access to the following functions related to Expenditures is excessive: Of 28 users who have access to enter commitments, 11 do not require this access for their jobs. Of 13 users who have access to create and modify purchase orders, 9 do not require this access for their jobs. Of 16 users who have access to create and modify expense vouchers, 2 do not require this access for their jobs. Of 22 users who have access to post transactions to prior periods, 20 do not require this access for their jobs. Of 30 users who have access to create and modify vendor master records, 9 do not require this access for their jobs. Of 11 users who have access to approve payments, 8 do not require this access for their jobs. Excessive access to expenditure business functions may result in the recording of inaccurate, invalid, or incomplete expense transactions, as well as misstated expense related account balances, thereby impacting the integrity of FreeBalance data.
d. Access to the following functions related to budgeting is excessive: Of 8 users who have access to create, modify, and delete budgets, 3 do not require this access for their jobs. Excessive access to budgeting functions may result in the recording of inaccurate, invalid, or incomplete budgets in FreeBalance and impact the integrity of FreeBalance data.
e. Access to the following General Ledger functions is excessive: Of 27 users who have access to create and modify journal vouchers, 9 do not require this access for their jobs. Excessive access to general ledger functions may allow users to circumvent business controls configured in FreeBalance and result in the recording of inaccurate, invalid, or incomplete transactions, thereby impacting the integrity of FreeBalance data.
2. Segregation of duties needs to be enhanced.
a. There is a lack of segregation of duties between support and end-user access in FreeBalance. The Financial Systems Officer who is responsible for FreeBalance configuration also has access to business functions employed by end-users. Lack of segregation of duties between support and end-user access in FreeBalance increases the risk to the confidentiality and integrity of financial records.	It is recommended that the CFO develop and implement policies and procedures to ensure proper segregation of duties for FreeBalance functions.	Responsibility: Director, Financial and Corporate Planning and Reporting and Director, Financial Operations and Monitoring. Action: The Director, Financial Operations and Monitoring will work with staff to develop policies and procedures that ensure proper segregation of duties for FreeBalance functions. The Director, Financial and Corporate Planning and Reporting, who is responsible for the day to day management of FreeBalance, will ensure these policies and procedures are implemented and that user accounts are reviewed on a regular basis to provide assurance that the segregation of duties within Free Balance is maintained. Timeline: June 2009
b. During the review of business cycle controls, it was noted that 3 users have access to both create/modify and release sales vouchers in FreeBalance. Access to both create/modify and release sales vouchers increases the risk that an independent review of the sales voucher will not be done and errors will go undetected, impacting the integrity of FreeBalance data.
c. A user has access to both create/modify sales vouchers and process receipt of payments. Access to both create/modify sales vouchers and process receipt of payments increases the risk that a valid sales voucher amount will be modified and the receipt of payments misappropriated.
d. 8 users have access to both record and approve purchases for payment in FreeBalance. Access to both record and approve purchases increases the risk that a fictitious purchase can be created and paid for.
e. 6 users have access to both approve purchases made and approve payments of purchases made. Access to both approve purchase and payment of goods and services increases the risk that section 34 approval will be circumvented and no independent review performed on the transaction.
f. 2 users have access to both verify that goods and services have been received and approve payments of purchases made. Access to both verify receipt and payment of goods and services increases the risk that section 32 approval will be circumvented and no independent review performed on the transaction.
g. All users can approve manual journal vouchers in someone else's name. Lack of accountability for the review of manual journal vouchers increases the risk of unauthorized transactions.
3. Controls over the accuracy and completeness of transactions recording need to be improved.
There is a lack of controls to ensure that all salary recoveries related to secondment agreements are received and processed by Accounting Operations for entry in FreeBalance and for invoicing. In addition, there is no control to ensure that overpayments or other credits for salary recoveries are detected and corrected. Lack of these controls increases the risk that repayment will not be received and related income statement and balance sheet accounts will be misstated.	It is recommended that the CFO develop and implement policies and procedures to ensure that all secondment agreements are processed for invoicing and all overpayments or other credits are detected and corrected in a timely manner.	Responsibility: Director, Financial Operations and Monitoring Action: The Director, Financial Operations and Monitoring will work with the Manager, Labour Relations and Compensation and the Manager, Financial Operations to develop and implement policies and procedures that ensure all secondment agreements are processed for invoicing and that all credits, i.e., overpayments and other salary recoveries, are detected and corrected on a timely manner. Timeline: June 2009
4. Control activities for the review and approval of documents and transactions entered in FreeBalance need to be consistently implemented.
During the review of business cycle controls, it was noted that the following control activities have not been consistently implemented: Purchase orders were processed without proper sign-off for section 32 approval. Purchase orders were processed without sign-off to evidence review by an independent procurement officer. Manual journal vouchers were processed in FreeBalance without sign-off to evidence independent review by the Accounting Operations Supervisor or Manager. There is no process to ensure that the Accounting Operations Supervisor or Manager receives all manual journal vouchers for review and approval. Insufficient control activities related to the review and approval of documents and transactions entered in FreeBalance increase the risk that FreeBalance data are inaccurate or invalid.	It is recommended that the CFO develop and implement policies and procedures to ensure that the review and approval of documents and transactions entered in FreeBalance are consistently performed.	Responsibility: Director, Financial Operations and Monitoring Action: The Director, Financial Operations and Monitoring will work with the Manager, Financial Operations and the Manager, Procurement to develop and implement policies and procedures that ensure source documents and transactions entered in FreeBalance are reviewed and approved on a consistent basis. Timeline: June 2009
5. An audit trail of control activities is required to demonstrate due diligence.
During the review of business cycle controls, it was noted that evidence of the performance of reviews and/or sign-offs for a number of manual control activities could not be found. Examples include: Responsibility Centre Managers' review of monthly operating budget, commitments, and expenditures reports, and Responsibility Centre Managers' approval of adjustments to budgets, including budget allocations. The lack of evidence of the performance of control activities increases the risk that due diligence has not been performed consistently or at all. If the control activities are not carried out, there is an increased risk that errors may go undetected, impacting the integrity of FreeBalance data.	It is recommended that the CFO develop and implement policies and procedures to ensure that an audit trail of control activities is maintained.	Responsibility: Director, Financial and Corporate Planning and Reporting Action: The Director, Financial and Corporate Planning and Reporting will work with the Manager, Financial Planning to put in place controls over the review of monthly operating budget reports and budget adjustments. Timeline: May 15, 2009
6. Change management control over master files need to be improved.
There are no controls in place to ensure that additions, changes, or deletions of customer and vendor master files are reviewed and approved by management. In addition, there is no regular review of customer and vendor master files to ensure they remain pertinent. The lack of change management controls over customer and vendor master files increases the risk that the master files will become inaccurate or invalid. In addition, there is an increased risk that assets may be misappropriated and fraud concealed.	It is recommended that the CFO develop policies and procedures to ensure that all additions, changes, and deletions of customer and vendor master records are approved by management and that customer and vendor master files are reviewed by management on a regular basis to ensure that they remain pertinent.	Responsibility: Director, Financial and Corporate Planning and Reporting and Director, Financial Operations and Monitoring Action: The Directors of Financial and Corporate Planning and Reporting and Financial Operations and Monitoring will work together to ensure that all additions, changes, or deletions of customer and vendor records are subject to approval and that vendor and customer master files are reviewed on a regular basis to ensure they remain pertinent. Timeline: June 2009

Observation

Recommendation

Management Action Plan

1. Controls over access to financial information need to be improved.

a. There is no process in place to ensure that access to FreeBalance is formally approved by management before being granted to users. There is also no process in place to review access on a regular basis to ensure that it remains appropriate.

Moreover, it was noted during testing that many users had access to FreeBalance functionality that was not required for performing their jobs.

The absence of clearly defined policies and procedures for approving the appropriateness and extent of access to FreeBalance increases the risk of unauthorized access, which can compromise the confidentiality and integrity of data.

Without proper management reviews of user access, there is an increased risk that inappropriate user access privileges will remain undetected and that logical security is ineffective.

It is recommended that the Chief Financial Officer (CFO) develop and implement policies and procedures to ensure that access to FreeBalance is approved by management before being granted to users, and then reviewed on a regular basis to ensure it remains appropriate.

Procedures should include analysis of incompatible roles to ensure that, if users have more than one role, the roles do not present a conflict of duties risk; and retention of documentation on control activities for audit trail purposes.

The policies and procedures should apply to all FreeBalance users, not just those in Resource Planning and Management. The CFO, being the ultimate owner of the system and the data within it, also "owns" the policies and procedures.

Responsibility:
Director, Financial and Corporate Planning and Reporting and Director, Financial Operations and Monitoring

Action:
The Director, Financial Operations and Monitoring will work with staff to develop policies and procedures that ensure user access to FreeBalance is approved by management prior to being granted and that the appropriate user access rights are reviewed on a regular basis. The Director, Financial and Corporate Planning and Reporting, who is responsible for the day to day management of FreeBalance, will ensure these policies and procedures are implemented and that analysis of incompatibility of user roles and the retention of documentation on control activities for audit purposes are carried out.

Timeline:
June 2009

b. Access to the following functions related to Revenue is excessive:

Of 3 users who have access to create and modify sales vouchers, 1 does not require this access for his job.
Of 4 users who have access to release sales vouchers, 2 do not require this access for their jobs.
Of 3 users who have access to create and modify cash receipts, 1 does not require this access for his job.
Of 22 users who have access to post transactions to prior periods, 20 do not require this access for their jobs.
Of 4 users who have access to create and modify customer master records, 2 do not require this access for their jobs.

Excessive access to revenue business functions may result in the recording of inaccurate, invalid, or incomplete revenue transactions, as well as misstated revenue-related account balances, thereby impacting the integrity of FreeBalance data.

c. Access to the following functions related to Expenditures is excessive:

Of 28 users who have access to enter commitments, 11 do not require this access for their jobs.
Of 13 users who have access to create and modify purchase orders, 9 do not require this access for their jobs.
Of 16 users who have access to create and modify expense vouchers, 2 do not require this access for their jobs.
Of 22 users who have access to post transactions to prior periods, 20 do not require this access for their jobs.
Of 30 users who have access to create and modify vendor master records, 9 do not require this access for their jobs.
Of 11 users who have access to approve payments, 8 do not require this access for their jobs.

Excessive access to expenditure business functions may result in the recording of inaccurate, invalid, or incomplete expense transactions, as well as misstated expense related account balances, thereby impacting the integrity of FreeBalance data.

d. Access to the following functions related to budgeting is excessive:

Of 8 users who have access to create, modify, and delete budgets, 3 do not require this access for their jobs.

Excessive access to budgeting functions may result in the recording of inaccurate, invalid, or incomplete budgets in FreeBalance and impact the integrity of FreeBalance data.

e. Access to the following General Ledger functions is excessive:

Of 27 users who have access to create and modify journal vouchers, 9 do not require this access for their jobs.

Excessive access to general ledger functions may allow users to circumvent business controls configured in FreeBalance and result in the recording of inaccurate, invalid, or incomplete transactions, thereby impacting the integrity of FreeBalance data.

2. Segregation of duties needs to be enhanced.

a. There is a lack of segregation of duties between support and end-user access in FreeBalance. The Financial Systems Officer who is responsible for FreeBalance configuration also has access to business functions employed by end-users.

Lack of segregation of duties between support and end-user access in FreeBalance increases the risk to the confidentiality and integrity of financial records.

It is recommended that the CFO develop and implement policies and procedures to ensure proper segregation of duties for FreeBalance functions.

Responsibility:
Director, Financial and Corporate Planning and Reporting and Director, Financial Operations and Monitoring.

Action:
The Director, Financial Operations and Monitoring will work with staff to develop policies and procedures that ensure proper segregation of duties for FreeBalance functions. The Director, Financial and Corporate Planning and Reporting, who is responsible for the day to day management of FreeBalance, will ensure these policies and procedures are implemented and that user accounts are reviewed on a regular basis to provide assurance that the segregation of duties within Free Balance is maintained.

Timeline:
June 2009

b. During the review of business cycle controls, it was noted that 3 users have access to both create/modify and release sales vouchers in FreeBalance.

Access to both create/modify and release sales vouchers increases the risk that an independent review of the sales voucher will not be done and errors will go undetected, impacting the integrity of FreeBalance data.

c. A user has access to both create/modify sales vouchers and process receipt of payments.

Access to both create/modify sales vouchers and process receipt of payments increases the risk that a valid sales voucher amount will be modified and the receipt of payments misappropriated.

d. 8 users have access to both record and approve purchases for payment in FreeBalance.

Access to both record and approve purchases increases the risk that a fictitious purchase can be created and paid for.

e. 6 users have access to both approve purchases made and approve payments of purchases made.

Access to both approve purchase and payment of goods and services increases the risk that section 34 approval will be circumvented and no independent review performed on the transaction.

f. 2 users have access to both verify that goods and services have been received and approve payments of purchases made.

Access to both verify receipt and payment of goods and services increases the risk that section 32 approval will be circumvented and no independent review performed on the transaction.

g. All users can approve manual journal vouchers in someone else's name.

Lack of accountability for the review of manual journal vouchers increases the risk of unauthorized transactions.

3. Controls over the accuracy and completeness of transactions recording need to be improved.

There is a lack of controls to ensure that all salary recoveries related to secondment agreements are received and processed by Accounting Operations for entry in FreeBalance and for invoicing. In addition, there is no control to ensure that overpayments or other credits for salary recoveries are detected and corrected.

Lack of these controls increases the risk that repayment will not be received and related income statement and balance sheet accounts will be misstated.

It is recommended that the CFO develop and implement policies and procedures to ensure that all secondment agreements are processed for invoicing and all overpayments or other credits are detected and corrected in a timely manner.

Responsibility:
Director, Financial Operations and Monitoring

Action:
The Director, Financial Operations and Monitoring will work with the Manager, Labour Relations and Compensation and the Manager, Financial Operations to develop and implement policies and procedures that ensure all secondment agreements are processed for invoicing and that all credits, i.e., overpayments and other salary recoveries, are detected and corrected on a timely manner.

Timeline:
June 2009

4. Control activities for the review and approval of documents and transactions entered in FreeBalance need to be consistently implemented.

During the review of business cycle controls, it was noted that the following control activities have not been consistently implemented:

Purchase orders were processed without proper sign-off for section 32 approval.
Purchase orders were processed without sign-off to evidence review by an independent procurement officer.
Manual journal vouchers were processed in FreeBalance without sign-off to evidence independent review by the Accounting Operations Supervisor or Manager.
There is no process to ensure that the Accounting Operations Supervisor or Manager receives all manual journal vouchers for review and approval.

Insufficient control activities related to the review and approval of documents and transactions entered in FreeBalance increase the risk that FreeBalance data are inaccurate or invalid.

It is recommended that the CFO develop and implement policies and procedures to ensure that the review and approval of documents and transactions entered in FreeBalance are consistently performed.

Responsibility:
Director, Financial Operations and Monitoring

Action:
The Director, Financial Operations and Monitoring will work with the Manager, Financial Operations and the Manager, Procurement to develop and implement policies and procedures that ensure source documents and transactions entered in FreeBalance are reviewed and approved on a consistent basis.

Timeline:
June 2009

5. An audit trail of control activities is required to demonstrate due diligence.

During the review of business cycle controls, it was noted that evidence of the performance of reviews and/or sign-offs for a number of manual control activities could not be found. Examples include:

Responsibility Centre Managers' review of monthly operating budget, commitments, and expenditures reports, and
Responsibility Centre Managers' approval of adjustments to budgets, including budget allocations.

The lack of evidence of the performance of control activities increases the risk that due diligence has not been performed consistently or at all. If the control activities are not carried out, there is an increased risk that errors may go undetected, impacting the integrity of FreeBalance data.

It is recommended that the CFO develop and implement policies and procedures to ensure that an audit trail of control activities is maintained.

Responsibility:
Director, Financial and Corporate Planning and Reporting

Action:
The Director, Financial and Corporate Planning and Reporting will work with the Manager, Financial Planning to put in place controls over the review of monthly operating budget reports and budget adjustments.

Timeline:
May 15, 2009

6. Change management control over master files need to be improved.

There are no controls in place to ensure that additions, changes, or deletions of customer and vendor master files are reviewed and approved by management. In addition, there is no regular review of customer and vendor master files to ensure they remain pertinent.

The lack of change management controls over customer and vendor master files increases the risk that the master files will become inaccurate or invalid. In addition, there is an increased risk that assets may be misappropriated and fraud concealed.

It is recommended that the CFO develop policies and procedures to ensure that all additions, changes, and deletions of customer and vendor master records are approved by management and that customer and vendor master files are reviewed by management on a regular basis to ensure that they remain pertinent.

Responsibility:
Director, Financial and Corporate Planning and Reporting and Director, Financial Operations and Monitoring

Action:
The Directors of Financial and Corporate Planning and Reporting and Financial Operations and Monitoring will work together to ensure that all additions, changes, or deletions of customer and vendor records are subject to approval and that vendor and customer master files are reviewed on a regular basis to ensure they remain pertinent.

Timeline:
June 2009

Top of Page

Appendices

A: Audit Criteria and Conclusions

The audit uses the following definitions to make its assessment of the internal control framework.

Conclusion on Audit Criteria	Definition of Opinion
Well Controlled	Well managed, no material weaknesses noted or only minor improvements are needed.
Moderate Issues	Control weaknesses, but exposure is limited because either the likelihood or the impact of the risk is not high.
Significant Improvement Required	Requires significant improvement in the area of material financial adjustments or control deficiencies represent serious exposure.

Overall Conclusion
The audit has concluded that the internal control framework for financial information requires significant improvement.

Criteria	Reference to Observations	Conclusion
1. Confidentiality of Information Adequate and effective internal controls have been established to ensure that FreeBalance information is treated with appropriate confidentiality, in accordance with the Government of Canada's laws, policies, and guidelines.
1.1 System-specific risk management requirements of the Government of Canada have been addressed, including a threat and risk assessment, a privacy impact assessment, and a certification and accreditation report.	Management Letter Observation #2	Moderate Issues
1.2 Physical access to the computer equipment is restricted to individuals who require such access to perform their job responsibilities, authorized by management, and monitored.	N/A	Well Controlled
1.3 Access to information resources (e.g., data files, utilities, transactions, programs) is restricted to appropriate persons and authorized by management.	Internal Audit Report Observation #1a Management Letter Observation #1a	Significant Improvement Required
User Access: 1.4.1 The nature and extent of user access privileges are authorized by the system owner. 1.4.2 Privileges are reviewed periodically by the system owner for appropriateness. 1.4.3 User access is controlled through passwords or other mechanisms. 1.4.4 Passwords are changed periodically.	Internal Audit Report Observation #1a Management Letter Observation #1	Significant Improvement Required
2. Integrity of Information Adequate and effective internal controls have been established to ensure that FreeBalance information is authorized, accurate, and complete.
2.1 All modifications to the system (for example, in response to user requests and for upgrades and fixes released by the vendor) are approved by management and implemented if consistent with CIHR's information technology plans or user functional requirements.	N/A	Well Controlled
2.2 New systems and modifications to systems are tested in accordance with test plans that include, as appropriate, system and unit testing, interface testing, parallel testing, capacity testing, integration testing, and user acceptance testing.	N/A	Well Controlled
2.3 Access to the test and production environments is appropriately restricted.	Internal Audit Report Observation #2a Management Letter Observation #1a	Significant Improvement Required
2.4 System Operator-Developer segregation of duties is appropriate and system access is restricted to authorized personnel.	Internal Audit Report Observation #2a Management Letter Observation #1a	Significant Improvement Required
2.5 Access to production processing control language and executable programs is defined to restrict the ability to execute, modify, delete, or create to appropriate individuals authorized by management.	Management Letter Observation #1a,1c,1d	Moderate Issues
2.6 All and only authorized transactions are input accurately, completely, and on a timely basis.	Internal Audit Report Observation #1b, 1c, 1d, 1e, 2e, 3, 4, 5 Management Letter Observation #3	Significant Improvement Required
2.7 All and only authorized transactions are processed accurately, completely, and on a timely basis.	Internal Audit Report Observation #1b, 1c, 1d, 1e, 2e, 3, 4, 5	Significant Improvement Required
2.8 All and only authorized transactions are recorded accurately and completely in CIHR's accounts in the proper period.	Internal Audit Report Observation #1b, 1c, 1d, 1e, 2e, 3, 4, 5	Significant Improvement Required
2.9 Reports used for decision making are accurate, complete, and timely.	Internal Audit Report Observation #1, 2, 3, 4, 5, 6	Significant Improvement Required
2.10 All and only authorized additions or changes to master data files are input completely, accurately, and in a timely manner.	Internal Audit Report Observation #1b, 1c, 6 Management Letter Observation #4	Significant Improvement Required
2.11 Segregation of duties is appropriate. In an ideal system, different employees perform each of these four major functions: authorization, custody, record keeping, and reconciliation.	Internal Audit Report Observation #2, 5	Significant Improvement Required
2.12 Processing is monitored by management, including a review and resolution of any exceptions, to ensure successful and timely completion.	N/A	Well Controlled
Availability of Information Adequate and effective internal controls have been established to ensure that FreeBalance information is available to users when needed for business operations.
3.1 Backup and retention of data and erasure and release of media when retention is no longer required are planned and executed as scheduled.	N/A	Well Controlled
3.2 Retention and release records are periodically reviewed by management.	N/A	Well Controlled

B: Overview of FreeBalance Interfaces

Overview of FreeBalance Interfaces

Interface	Description
Grants & Awards Interface (EIS to FreeBalance)	Payments for Grants and Awards is administered through the EIS system. Outright commitments and approved payment transactions for grants and awards are exported to FreeBalance via batch processes manually invoked in EIS by the Grants and Awards Officers.
Salary Forecasting Interface (GX Salaries to FreeBalance)	CIHR payroll is maintained on and calculated through the Receiver General Pay System (PSGL) at PWGSC. Payroll transactions (journal vouchers) are transferred from PSGL to GX Salaries by a Financial Planning Analyst through a manually invoked batch process. The payroll journal vouchers are then transferred to FreeBalance by the Financial Planning Analyst through another manually invoked batch process, which interfaces GX Salaries to FreeBalance.
Payments Interface (SPS to FreeBalance)	The control of the Consolidate Revenue Fund (CRF) remains under the responsibility of PWGSC. The expense vouchers are received at CIHR, entered in FreeBalance and processed for payment. The payment information is then electronically transferred (via text files) by Accounting Operations to PWGSC through the Standard Payment System (SPS). The issuance of cheques is made by PWGSC.
Trial Balance Interface (CFMRS to FreeBalance)	The Central Financial Management Reporting System (CFMRS) builds a general ledger for the Government of Canada from the certified trial balances fed to it by every government department and agency at the end of every month. These monthly trial balances contain the opening and closing balances of the department's accounts, including the control account balances. This validation and balancing process ensures that all payments made and monies received by departments are accounted for in the books of Canada. Each month, Accounting Operations generates a trial balance from FreeBalance, which is then uploaded to CFMRS through a single sign-on utility supplied by PWGSC.
Crystal Reports Interface (FreeBalance to Crystal Reports)	Monthly reporting for RC managers is processed by Financial Advisors using Crystal Reports. Crystal Reports queries a snapshot of the FreeBalance database. The database snapshot is refreshed through a batch process on a monthly basis following the period closing process for FreeBalance.

Please see Appendix B: Overview of FreeBalance Interfaces

Breadcrumb trail

Controls over Financial Information

Table of Contents

Executive Summary

Introduction

Risk Addressed by the Audit

Objective

Scope

Overall Audit Opinion

Statement of Assurance

Summary of Internal Control Strengths

Summary of Internal Control Weaknesses

Detailed Report

Methodology and Criteria

Observations, Recommendations, and Management Action Plan

Appendices

A: Audit Criteria and Conclusions

B: Overview of FreeBalance Interfaces