Report on Internal Controls for Financial Reporting—Review of the Work on Internal Controls for Payroll Transactions
At a Glance
The Practice Review and Internal Audit (PRIA) team of the Office of the Auditor General of Canada concluded with a moderate level of assurance that the work performed by the Internal Control Over Financial Reporting (ICFR) team was, with one exception, properly planned and executed to ensure that key controls were
- properly designed and implemented,
- working as intended, and
- in compliance with relevant authorities.
The exception to the PRIA team’s conclusion was for the testing of an internal control related to peer review of payroll transactions for retroactive payments.
Objective
The objective of the review was to provide moderate assurance that the work performed by the Internal Control Over Financial Reporting (ICFR) team of the Office of the Auditor General of Canada (OAG) was properly designed, planned, and executed to ensure that key controls related to payroll
- were in place for financial transactions and the GX financial system;
- worked as intended; and
- supported the OAG’s compliance with relevant legislation and regulations, and with the Treasury Board’s and the OAG’s policies.
See Appendix A for the review criteria.
Why This Internal Review Matters
This internal review is important because it provides a moderate level of assurance that internal controls for payroll transactions are working effectively and as intended. Internal controls are necessary for risk mitigation because they contribute to the effectiveness and efficiency of programs, operations, and resource management, including safeguarding of assets; to the reliability of financial reporting; and to compliance with legislative, regulatory, and policy requirements.
Work Conducted by the Practice Review and Internal Audit Team
The Practice Review and Internal Audit (PRIA) team used a two-phase approach to review the work performed by the ICFR team for the 2018–19 fiscal year.
Phase 1
The PRIA team reviewed the work performed by the ICFR team and assessed the extent to which
- the team that conducted the ICFR work for payroll transactions possessed the competencies necessary to perform the work;
- a person with more experience supervised and reviewed the work performed by the team; and
- the work was well planned and documented, and the conclusion was supported.
Appendix B provides details of the work performed in Phase 1.
Phase 2
Using the “accept-reject” methodology to provide a moderate level of assurance, PRIA team members repeated a sample of tests for payroll transactions to determine whether their conclusions would match those of the ICFR team.
Appendix C provides details of the work performed in Phase 2.
Observations
Phase 1
The PRIA team concluded on the basis of the work performed that the ICFR team’s strategy for testing the key internal controls for the OAG’s payroll process was well planned. In addition, the testing process was well documented, and the team’s work was reviewed in a timely manner by an experienced audit director.
The PRIA team also reviewed the ICFR team’s work on the recommendations the ICFR team had made the previous year regarding payroll. The PRIA team concluded that the ICFR team had properly monitored the progress that management had made on the recommendations.
Phase 2
The ICFR team had identified four instances in which the peer review of payroll transactions for retroactive payments had not been properly conducted. The ICFR team had concluded that this internal control had weaknesses, as it was not working as intended.
When repeating a sample of tests that the ICFR team had performed, the PRIA team identified the same four errors in the internal control related to peer review. However, the PRIA team found an additional error that the ICFR team had not identified. Consequently, on the basis of the accept-reject methodology it used, the PRIA team could not rely on the results of the work performed by the ICFR team for one of the controls related to the retroactive payments. Still, the PRIA team performed sufficient tests on the peer review of the retroactive payments to also observe that this control was not working as intended.
With respect to the other key internal controls, the PRIA team agreed with the ICFR team’s conclusion that the controls were in place and working as intended.
Recommendations
- Management of the Compensation team should clarify the purpose of the internal control related to the peer review of the payroll transactions for retroactive payments.
Management of the Compensation team’s response: Agreed. Management of the Compensation team is currently investigating the shortfalls identified and the causes. It will strengthen this process and provide additional support to the compensation advisors when they conduct peer reviews of retroactive payments.
- Management of the ICFR team should plan to test the peer review of the payroll transactions for retroactive payments in the next fiscal year to ensure that it is working as intended.
Management of the ICFR team’s response: Agreed. The ICFR team has reviewed the payroll cycle for the past two fiscal years (2017–18 and 2018–19). Given that management salary revisions are taking place in 2019–20, the ICFR team is planning to look again at the controls for salary revisions. The peer review of pay transactions is considered a key control and will therefore be part of this review.
Conclusion
The PRIA team concluded with a moderate level of assurance that the work performed by the ICFR team was, with one exception, properly planned and executed to ensure that key internal controls were in place, properly designed, working as intended, and in compliance with relevant authorities. The exception to the PRIA team’s conclusion was for the testing of an internal control for payroll transactions.
This review was conducted according to the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing and in compliance with the Treasury Board’s 2017 Policy on Internal Audit and 2017 Directive on Internal Audit.
Review Hours
 | 2019 Actual hours (estimated) | 2019 Budgeted hours | Difference |
---|---|---|---|
Review hours | 400 | 400 | Nil |
Appendix A: Review Criteria and Sources
Review criteria | Sources | Work to be performed |
---|---|---|
The OAG ensures that pay-related actions are valid (authorized by delegated authorities), complete, and accurate according to OAG policies and directives. The OAG also ensures that the actions are supported by appropriate documentation (for example, timesheets, letters of offer, or other OAG forms) before they are entered into the departmental Human Resources Management System (HRMS). The OAG uses checklists or other tools to promote a consistent approach to validation activities. | Guideline on Financial Management of Pay Administration, Section 4.1.8—Validate and verify pay-related actions, Treasury Board of Canada Secretariat | |
The OAG has assurance that the internal controls for payroll operate as designed and are performed effectively by persons possessing the necessary authority and competence to perform them. The OAG also has assurance that the controls satisfy their objectives and can effectively prevent or detect errors or fraud that could result in material misstatement in the financial statements. | Policy on Financial Management, Treasury Board; OAG Annual Audit Manual: | |
The ICFR team has performed follow-up on previous years’ recommendations on payroll to determine whether management has implemented its action plan. | OAG Direct Engagement Manual, Section 8020—Recommendations and Entity Responses | Review the ICFR team’s follow-up work on previous years’ recommendations. |
The ICFR team’s conclusion has been addressed in a report that indicates management’s agreement with the recommendations (if any) and contains an action plan. | OAG Direct Engagement Manual, Section 8020—Recommendations and Entity Responses | Review the reporting documentation to ensure that it is in line with the results of the work performed. |
Members of the ICFR team have the competencies to perform control testing for payroll. | OAG Direct Engagement Manual, Section 3062—Engagement Leader Responsibilities for Audit Quality | Assess staff competencies. |
Proper supervision and review are performed in a timely manner. | OAG Direct Engagement Manual, Section 3062—Engagement Leader Responsibilities for Audit Quality; OAG Annual Audit Manual, Section 3071—Review of audit work and documentation | Review whether TeamMate contains evidence that reviews were performed, and that the proper sign-offs were obtained in a timely manner. |
Appendix B: Work Performed in Phase 1
All work performed by the Internal Control Over Financial Reporting (ICFR) team was documented in TeamMate. The PRIA team obtained “read-only” access to the ICFR team’s TeamMate file and reviewed the documents listed in the following table.
Documents reviewed and assessment
Document No. | Document reviewed | Assessment |
---|---|---|
1 | Internal Controls Over Financial Management Strategy | The PRIA team reviewed the ICFR team’s strategy and determined that it provided a good overview of the work that was planned. |
2 | Monitoring of controls (OAG’s attest audit template) | The ICFR team documented its overall understanding and evaluation of the internal control components (control environment, risk assessment, information and communication, and monitoring of controls). The PRIA team concluded that the document was thorough and that it provided a good understanding of the process. |
3 | Understand and evaluate control activities (OAG’s attest audit template) | The ICFR team documented its understanding and evaluated control activities, such as period-end financial reporting (including journal entries). The PRIA team concluded that the document provided a good understanding of the process. |
4 | System description for payroll with Visio | The PRIA team reviewed the system description, identified the key controls and reviewed their descriptions, and identified the other controls. The system description was completed and well documented. |
5 | ICFR team’s memorandum on economic sampling and testing methodology | The PRIA team reviewed the memorandum and agreed with the ICFR team’s strategy for testing economic increase. However, the PRIA team questioned the ICFR team’s interpretation of its recalculation strategy, for which one element was considered a substantive test of details. After some discussion, the two teams agreed that it was a test of control. |
6 | PRIA team’s assessment of the completeness of the work performed by the ICFR team | The PRIA team ensured that the tests planned by the ICFR team were completed. The PRIA team also observed that the working papers were signed as having been prepared by an Audit Professional Student (APS) or Audit Professional 2 (AP2), and as having been reviewed by the Director, and that the signatures were obtained in a timely manner. |
7 | PRIA team documented all key controls tested by the ICFR team | To ensure that all key controls were identified, the PRIA team reviewed all of the key controls tested by the ICFR team, and the PRIA team documented their descriptions. |
8 | Summary of the ICFR team’s management letters from prior years and of the follow-up | The PRIA team reviewed the analysis on the ICFR team’s management letters from prior years and performed a review of the ICFR team’s follow-up work. In the PRIA team’s view, the ICFR team performed an appropriate follow-up of the points raised in the management letters. |
9 | ICFR team’s payroll population and sampling methodology | The PRIA team reviewed and agreed with the ICFR team’s sampling methodology. |
10 | PRIA team’s assessment of whether all key controls were tested by the ICFR team | The PRIA team assessed whether all key controls reported in the system description were effectively tested by the ICFR team. The PRIA team noted the exceptions and found that the ICFR team had valid reasons for not testing these controls. |
Appendix C: Work Performed in Phase 2
The PRIA team obtained moderate assurance that the work performed by the ICFR team on the internal controls for payroll was properly executed to ensure that key controls
- were in place for the financial transactions and the GX financial system;
- were working as intended; and
- supported the OAG’s compliance with relevant legislation and regulations, and with the Treasury Board’s and the OAG’s policies related to payroll (see the review criteria in Appendix A).
The PRIA team repeated a number of tests using the accept-reject testing methodology specified in the OAG’s Annual Audit Manual, Section 7043—Accept-reject testing and Section 7043.1—A five-step approach to performing accept-reject testing. According to the methodology, when the population contains fewer than 200 items, no exception can be accepted.
The following table provides a list of all the key controls identified, the number of tests performed by the ICFR team, and the number of tests repeated by the PRIA team.
Summary of tests performed by the PRIA team
Control No. | General description | Key controls tested | No. of tests performed by ICFR team | No. of tests repeated by PRIA team | Conclusion |
---|---|---|---|---|---|
1 | Transaction commitment approval | Approval of section 32 | 15 | 10 | Accept |
2 | Transaction initial approval | X-1.1 Approved staffing request | 16 | 12 | Accept |
3 | Transaction approval | X-1.4 Authorized and signed letter of offer; X-1.7 Pay action (S.34) | 16 | 12 | Accept |
 | | X-5a.3 Approved by supervisor | 2 | 1 | Accept |
 | | X-4.8 TER pay action print screen | 11 | 9 | Accept |
 | | X-4b.4 LWOP Pay action | 6 | 5 | Accept |
 | | X-5b.2 Timesheet approved | 2 | 2 | Accept |
4 | Transaction review by a separate compensation advisor | X-1.8 Peer review of pay action | 16 | 12 | Accept |
 | | X-4.9 Peer review of the TER | 11 | 9 | Accept |
5 | Approval of timesheet by HR | X-5a.5 Any unusual item reviewed | 2 | 1 | Accept |
 | | X-5b.3 Time and labour Phoenix | 2 | 2 | Accept |
6 | Issuance of the pay | X-2.4 Salary Management Officer reviews evidence; X-7.6 Salary Management Officer performs a post-verification | 1 | 1 | Accept |
7 | Director, PRSM reviews and approves salary forecast | X-10.4 Director, PRSM approves salary forecast | 1 | 1 | Accept |
8 | Economic increases | X-3.8 Compensation Advisor processes pay action; X-3.9 2nd Compensation Advisor performs peer review | 26 | 13 | Reject (Note 1) |