Audit of CIHR’s Core Management Controls – Procurement and Human Resources

Executive Summary

Introduction

The Internal Audit of CIHR’s Core Management Controls – Procurement and Human Resources (CMC) was part of the 2012-13 Risk-Based Annual Internal Audit Plan (RBAP), which was approved by the Governing Council (GC) of the Canadian Institutes of Health Research (CIHR).

The Canadian Institutes of Health Research

The Canadian Institutes of Health Research is the Government of Canada's agency responsible for funding health research in Canada. CIHR was created in June 2000 under the authority of the CIHR Act and reports to Parliament through the Minister of Health. CIHR's mandate is to "excel, according to internationally accepted standards of scientific excellence, in the creation of new knowledge and its translation into improved health for Canadians, more effective health services and products and a strengthened Canadian health-care system." CIHR comprises 13 "virtual" institutes – each headed by a Scientific Director, who is assisted by an Institute Advisory Board – which bring together all partners in the research process – the people who fund research, those who carry it out, and those who use its results – to share ideas and focus on what Canadians need: good health and the means to prevent and fight disease. Each Institute supports a broad spectrum of research in its topic areas and, in consultation with its stakeholders, sets priorities for research in those areas. CIHR funds over 14,000 researchers and trainees in universities, teaching hospitals, and other health organizations and research centres in Canada and abroad.

Core Management Controls

Core management controls are the key internal controls reasonably expected to be in place in most, if not all, federal departments and agencies. These may represent the fundamental controls that support each of the elements of the Management Accountability Framework, or they can be other controls that are unique to an organization’s mandate or environment.

The Office of the Comptroller General (OCG) has developed audit criteria to address the ten areas of CMC that should exist in all federal departments and agencies.

The 2012–2015 RBAP identified CMC as a recurring annual project, and the ten primary areas identified by the OCG will form the basis of what this audit and subsequent audit projects will examine. Given the resources available to Internal Audit, it is expected that each annual project will examine on a rotating basis two or three of the areas identified by the OCG. This audit project reviewed the controls relating to procurement, and the management of non-permanent employees, performance pay, and pay administration.

Risk Addressed by the Audit

The audit addresses the risk that CIHR’s CMC are not operating in the manner intended and that the organization could be impacted by events (e.g. fraud, reputational damage, security breach) that these controls were intended to prevent. This risk is related to the TBS Management Accountability Framework (MAF) elements of Policy and Programs, Stewardship, and Accountability.

Objective

The audit assessed whether the core management controls related to procurement and the management of non-permanent employees, performance pay, and pay administration are operating effectively at CIHR.

Scope

The audit focused on the controls that relate to the management of the procurement process at CIHR, as well as non-permanent employees, performance pay, and payroll administration.

Overall Audit Opinion

The audit has concluded that the CIHR’s CMC surrounding the procurement process, as well as non-permanent employees, performance pay, and payroll administration are well controlled, with minor opportunities for improvement.

Statement of Conformance

In my professional judgement as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided in this report. The audit of CMC was conducted in accordance with the Federal Government’s Policy on Internal Audit and related professional standards. It conforms with the Internal Auditing Standards for the Government of Canada, as supported by the results of a quality assurance and improvement program.

Summary of Strengths

Through the course of the audit, the following Core Management Control strengths were observed:

Summary of Improvement Opportunities

The following aspects of CIHR’s CMC require management’s attention:

Internal Audit thanks management and staff for their assistance and cooperation throughout the audit.

Martin Rubenstein
Chief Audit Executive
Canadian Institutes of Health Research

Management agrees with the conclusions of this audit.

Thérèse Roy
CFO/VP, Resource Planning and Management

Detailed Report

Methodology and Criteria

The internal audit of CIHR’s Core Management Controls was conducted in accordance with the Federal Government Policy on Internal Audit. The principal audit techniques used included:

Controls were assessed as adequate if they were sufficient to minimize the risks that threaten the achievement of objectives. Detailed criteria and conclusions are contained in the Appendix to this report.

The audit was conducted between September, 2012 and June, 2013.

Observations, Recommendations, and Management Action Plan

The following are audit observations, recommendations, and management action plans to address the weaknesses identified during the audit.

Observation

1. Retroactive contracts and confirming orders are not recorded in CIHR’s financial management system (FMS) or reported on CIHR’s website as part of the procurement policy’s requirement for proactive disclosure.

Retroactive contracts and confirming orders are used for work that vendors have started or completed in the absence of an appropriate, signed contract. Every year a minimal number of retroactive contracts and confirming orders must be managed by the Procurement unit when CIHR employees do not follow the proper contracting policies and procedures.

Although these items are adequately scrutinized and manually processed individually, they are not recorded in CIHR’s financial system, regularly analyzed or proactively reported on CIHR’s website.

Risk and impact

Failing to record contracts in CIHR’s FMS makes it more difficult to aggregate and analyze these contracts. Failing to disclose these contracts means CIHR may not be in compliance with the requirements regarding proactive disclosure.

Recommendation

  1. Retroactive contracts and confirming orders should be entered into CIHR’s FMS to allow tracking, reporting and analysis.
  2. Retroactive contracts and confirming orders should be reported on CIHR’s proactive disclosure webpage, noting specifically that they were retroactive contracts and confirming orders.

Management Action Plan

Responsibility

Manager, Financial Operations and Procurement

Actions

  1. Agree. The Procurement unit will enter retroactive contracts and confirming orders into the FMS the same way that conventional contracts are (to the extent that the accounting system allows).

Expected completion

October, 2013

  2. Agree. The Procurement unit will ensure that all contracts > $10,000 are disclosed on CIHR’s website through the quarterly proactive disclosure exercise. This will commence in the 2nd quarter proactive disclosure exercise.

Expected completion

October, 2013

Observation

2. CIHR’s bid solicitation documents do not adequately address recent changes to Government of Canada procurement guidelines regarding former public servants (FPS).

The procurement guidelines for the hiring of former public servants (FPS) were modified in 2012 to require proactive disclosure of contracts with FPS (see section 3.90 of the Buy and Sell supply manual). This resulted in changes to bid solicitation procedures to enable appropriate disclosure. CIHR’s procurement procedures do not adequately address this change and there is currently no plan to meet the policy requirements for FPS.

In addition to the changes to the proactive disclosure requirements, other guidelines regarding the hiring of FPS were changed in the past year:

  • Disclosure of FPS receiving a pension (7.65)
  • The involvement of a “cooling-off period” (Footnote i)

Risk and impact

Failing to update CIHR’s procurement documents regarding FPS means CIHR may not be in compliance with these requirements. In addition, failing to disclose these contracts could expose CIHR to public scrutiny or criticism.

Recommendation

  1. CIHR's bid solicitation documents should be updated to include disclosure of contracts with former public servants.
  2. CIHR’s procurement unit should comprehensively review recent changes to the guidelines regarding former public servants and update its procedures accordingly.

Management Action Plan

Responsibility

Manager, Financial Operations and Procurement

Action

  1. Agree. CIHR will update its bid solicitation documents and its related procedures to ensure proper disclosure of contracts with public servants.

Expected completion

October, 2013

  2. Agree. The procurement unit has revised its review procedures to ensure that proactive disclosure of contracts with former public servants is complete and accurate.

Expected completion

Completed

Observation

3. Departure procedures are not formalized for employees on parental leave or leave without pay.

Former employees have formal checks completed upon their departure for money owed to the Crown (i.e. travel advances), physical (i.e. laptops, Blackberries) or information assets (i.e. files from Records). However, for employees who take an extended period of leave without pay (such as maternity or parental leave), similar checks do not occur. A modification to the employee departure workflow to include a ‘Temporary Departure Process’ was initiated in 2011 but was put on hold until early 2013. Based on the audit findings and at the prompting of HR, ITAMS adjusted priorities and began modifying the workflow in August, 2013.

Risk and impact

Employees may permanently depart CIHR while on an extended leave without pay and it is more difficult to re-acquire these assets after this point.

In addition, other employees may need the information assets during the leave period.

Recommendation

The checks used as part of the regular departure process should be applied to employees starting extended leaves without pay.

Management Action Plan

Responsibility

Manager, Labour Relations and Compensation

Action

Agree. The Manager, Labour Relations and Compensation will continue to work with the Information Technology, Administration and Management Services branch to ensure the “Temporary Departure Process” is built into the departure workflow.

Expected completion

December 31, 2013

Overall conclusion

The overall conclusion considers the cumulative risk exposure related to the audit observations in the context of the above criteria. The audit has concluded that the core management controls over procurement, non-permanent employees, performance pay, and payroll administration are well controlled, with minor opportunities for improvement.

In the course of our audit, some minor opportunities for improvement were identified that could improve systems of internal control, streamline operations and/or enhance financial reporting processes. We have documented these observations in a management letter.

Appendix

Audit criteria

The audit uses the following definitions to make its assessment of the internal control framework.

| Conclusion on Audit Criteria | Definition of Opinion |
|---|---|
| Well controlled | Well managed, no material weaknesses noted or only minor improvements are needed. |
| Moderate issues | Control weaknesses, but exposure is limited because either the likelihood or the impact of the risk is not high. |
| Significant improvements required | Control weaknesses either individually or cumulatively represent the possibility of serious exposure. |

| Criteria | Reference to Observations | Conclusion |
|---|---|---|
| Procurement | | |
| 1. The statement of requirements was defined before bids were solicited. | | |
| 1.1 Proper contracting authorities are involved in the contracting process as necessary. | Internal audit report observation 1 | Moderate issues |
| 1.2 Work/goods requirements, specifications, cost estimates, and deliverables are clearly defined in the SOW document. | No exceptions | Well controlled |
| 1.3 Statement of work is defined before bids are solicited. | No exceptions | Well controlled |
| 2. There is documentation on file to support the justification for non-competitive procurement contracts in accordance with section 6 of government contract regulations. | | |
| 2.1 Justification on file for sole sourcing is appropriately documented and substantiated. | Internal audit report observation 4 and management letter | Well controlled |
| 2.2 Appropriate analysis is performed to achieve best value from the planning to appraise alternative contract. | No exceptions | Well controlled |
| 2.3 There is no evidence of contract splitting. | No exceptions | Well controlled |
| 2.4 Security requirements are addressed to ensure compliance with the provisions of the Government Security Policy. | Management letter | Well controlled |
| 2.5 Intellectual Property (IP) rights are identified and addressed. | Management letter | Well controlled |
| 2.6 Former Public Servant services are justified and documented. | Internal audit report observation 2 | Moderate issues |
| 2.7 Contracts with former public servants respect the twelve months "cool-off period" (Footnote i). | Internal audit report observation 2 | Moderate issues |
| 3. Appropriate tendering processes for bids are used in the proper circumstances. | | |
| 3.1 The appropriate procurement vehicle is used. | Management letter | Well controlled |
| 3.2 The contracting vehicle chosen is used in compliance with its terms and conditions. | No exceptions | Well controlled |
| 3.3 There is no evidence of contract splitting. | No exceptions | Well controlled |
| 4. Bid evaluation criteria were provided on Request for Proposal (RFP) documents and were used for contractor selection in an open, fair and transparent manner. | | |
| 4.1 Bid selection method and evaluation criteria are clearly outlined in the bid solicitation document before the Request for Proposal is issued. | One exception, no recommendations | Well controlled |
| 4.2 For competitive processes, the Statement of Work (SOW), work description and evaluation criteria are open, fair and transparent and defined before bids are solicited. | One exception, no recommendations | Well controlled |
| 4.3 Contractors or goods were selected in accordance with the terms and conditions of the bid. | No exceptions | Well controlled |
| 4.4 The evaluation report has been signed by all the evaluators. | One exception, no recommendations | Well controlled |
| 5. Funds commitment availability is certified by someone with the delegated authority prior to the expenditure initiation at the value expected to be incurred. | | |
| 5.1 Expense is approved by the appropriate authority. | One exception, no recommendations | Well controlled |
| 5.2 Expense is approved prior to the event. | No exceptions | Well controlled |
| 5.3 Commitment is recorded at the value expected to be incurred. | No exceptions | Well controlled |
| 6. Contracts and contract amendments were approved prior to the receipt of any goods or services or the expiration of the original contract and supporting documentation is retained on file. | | |
| 6.1 A copy of the signed, written contract is on file. | No exceptions | Well controlled |
| 6.2 The contracts are signed by someone with the proper delegated authority. | No exceptions | Well controlled |
| 6.3 Contract and amendments are issued before goods or services are received. | No exceptions | Well controlled |
| 6.4 Contract amendments are properly justified and substantiated. | One exception, no recommendations | Well controlled |
| 6.5 Contract amendments are approved by authorized officers. | No exceptions | Well controlled |
| 6.6 Contract amendments are issued before contract expiry date. | No exceptions | Well controlled |
| 7. The performance of account verification is done by someone with the delegated authority to do so, is accomplished on a timely basis and verifies the correctness of the payment requested. | | |
| 7.1 Account verification is performed by the appropriate delegated authority. | Management letter | Well controlled |
| 7.2 Invoice certified is properly supported with proof of execution and cost. | No exceptions | Well controlled |
| 7.3 Account verification is conducted on a timely basis. | Management letter | Well controlled |
| 8. The payment and settlement is carried out by someone with proper delegation of authority and for the correct dollar amount and to the right vendor on a timely basis. | | |
| 8.1 Invoice payment is issued for the correct amount, within the contract limit, and to the correct vendor. | No exceptions | Well controlled |
| 8.2 S.33 was signed by an employee with proper delegated authority. | No exceptions | Well controlled |
| 8.3 S.33 is completed before the payment is released. | No exceptions | Well controlled |
| 8.4 S.33 is processed on a timely basis, within payment terms. | Management letter | Well controlled |
| 9. Contracts valued at over $10,000 are publicly disclosed. | | |
| 9.1 S.33 is processed on a timely basis, within payment terms. | No exceptions | Well controlled |
| Human Resources | | |
| 1. Treasury Board terms and conditions requirements for student employees and CIHR’s Term Employment Policy for term employees are being administered correctly. | | |
| 1.1 The hiring of term employees follows the authorities, applications and responsibilities identified in CIHR’s Term Employment Policy. | No exceptions | Well controlled |
| 1.2 Student employee terms are approved to exclude vacation leave and include 4% remuneration in lieu. | No exceptions | Well controlled |
| 1.3 Student employee remuneration and benefits are set within defined provisions. | No exceptions | Well controlled |
| 2. Employee's security screening is managed properly and subject to proper delegated authority. | | |
| 2.1 Security assessments and reliability checks levels are defined and determined as conditions of employment. | No exceptions | Well controlled |
| 2.2 Individuals who will access government information and assets are security screened at the level defined before the commencement of their duties. | No exceptions | Well controlled |
| 2.3 Security clearance and reliability checks are reviewed and approved by an authorized delegated authority. | No exceptions | Well controlled |
| 3. Performance pay is administered correctly and approved by the appropriate delegated authority. | | |
| 3.1 Annual Performance Review is based on pre-set objectives and is completed and documented on a yearly basis. | No exceptions | Well controlled |
| 3.2 Performance pay is allocated only to eligible employees. | No exceptions | Well controlled |
| 4. Funds commitment availability is certified by someone with the delegated authority prior to the expenditure initiation at the value expected to be incurred. | | |
| 4.1 Expense is approved by the appropriate authority. | No exceptions | Well controlled |
| 4.2 Expense is approved prior to the event. | No exceptions | Well controlled |
| 4.3 Commitment is recorded at the value expected to be incurred. | No exceptions | Well controlled |
| 5. The performance of account verification is done by someone with the delegated authority to do so, is accomplished on a timely basis and verifies the correctness of the payment requested. | | |
| 5.1 Account verification is performed by the appropriate delegated authority. | Management letter | Well controlled |
| 5.2 Expense certified is properly supported with proof of execution and cost. | No exceptions | Well controlled |
| 5.3 Account verification is conducted on a timely basis. | No exceptions | Well controlled |
| 6. The payment and settlement is carried out by someone with proper delegation of authority and for the correct dollar amount and to the right employee on a timely basis. | | |
| 6.1 Performance payments are issued for the correct amount, to the correct employee, and within approved limits. | No exceptions | Well controlled |
| 6.2 S.33 was signed by an employee with proper delegated authority. | Management letter | Well controlled |
| 6.3 S.33 is completed before the payment is released. | No exceptions | Well controlled |
| 6.4 S.33 is processed on a timely basis, within payment terms. | No exceptions | Well controlled |
| 7. Adequate segregation of duties exists in pay administration roles. | | |
| 7.1 Adequate segregation of duties exists in pay administration roles. | Two exceptions, no recommendations | Well controlled |
| 8. Departure procedures for the department are followed. | | |
| 8.1 Departmental procedures are in place and followed concerning departures to certify that all money owing to the Crown, or any other assets, are accounted for before an employee leaves the organization. | Internal audit report observation 3 | Moderate issues |

Footnotes

Footnote i

Note that criterion 2.7 makes reference to a one-year “cooling off” period for FPS; this criterion was drawn from the now-archived Values and Ethics Code for the Public Service. Between the planning and reporting phases of the audit, this document was replaced with the Policy on Conflict of Interest and Post-Employment which does not specify a cooling-off period, though the still-active Code of Conduct for Procurement does. Due to the complexity of the issue and now-obsolete initial criteria, no specific recommendation is made regarding a cooling off period. Instead a general review of contracting with FPS is recommended.
