Audit of the Delegation of Authority Application

Office of the Chief Audit Executive

November 2017

Cette publication est également disponible en français.

© Her Majesty the Queen in Right of Canada, 2018.
Cat No. CH6-58/2018E-PDF
ISBN: 978-0-660-24661-1

Table of Contents

List of acronyms

DAA
Delegation of Authority Application
DCFO
Deputy Chief Financial Officer
EXCOM
Executive Committee
FAA
Financial Administration Act
FINCOM
Finance Committee
HR
Human Resources
I2P
Invoice to pay
NRC
National Research Council
P2P
Invoice to Pay
PCH
Canadian Heritage
PMBOK
Project Management Body of Knowledge
RBAP
Risk-Based Audit Plan
RMD
Resource Management Directorate
SAP
System, Application and Product
TB
Treasury Board

Executive Summary

The Department of Canadian Heritage (PCH) is undertaking a financial management transformation and developing a common procure-to-pay solution. The purpose of the overall Procure-to-Pay (P2P) project is to implement a set of business processes to automate the financial signing authority, invoice approval process and contracting process. This will improve controls and standardize efficient automated processes of authorizing procurement and payments.

The P2P project is being rolled out in three phases:

  1. Delegation of Authority Application (DAA) which automates the delegation of authority process to fund managers;
  2. Invoice to Pay (I2P) which will automate the invoice approval process (section 34 of the FAA);
  3. P2P which will add the contracting and pre-purchase approvals (section 32 of the FAA).

On February 1st 2017, PCH implemented Phase 1 of the P2P electronic authorization solution: The Delegation of Authority Application – Electronic Approvals of Financial Signing Authorities. This module was provided by another government department who had previously implemented the DAA, and customized to the PCH environment over the course of 18 months.

The objective of this audit was to provide assurance on the structure, appropriateness, and operation of the new Delegation of Authority Application, and the effectiveness of the project and change management processes applied throughout the design and implementation of the application. The engagement also focused on the scalability for the next phases of the project, including the I2P and P2P modules.

Audit Opinion and Conclusion

Based on the audit findings, my opinion is that the Delegation of Authority Application has been successfully implemented and is functional in its current purpose. Opportunities for improvement were found with regard to following areas:

  • Implementation of a robust project management framework;
  • Formalized plans related to change management and training that are executed in a timely manner to improve user engagement: and
  • Early engagement of stakeholders to properly scope the project and develop business and technical requirements for the tool.

Statement of Conformance

In my professional judgment as Chief Audit Executive, this audit was conducted in conformance with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing and with the Treasury Board Policy and Directive on Internal Audit, as supported by the results of the quality assurance and improvement program. Sufficient and appropriate audit procedures were conducted, and evidence gathered, to support the accuracy of the findings and conclusion in this report. The findings and conclusion are based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed with management and are only applicable to the entity examined and for the scope and time period covered by the audit.

Original signed by

Natalie M. Lalonde
Chief Audit Executive
Department of Canadian Heritage

Audit Team Members

  • Dylan Edgar, Audit Manager
  • Carolann David, Auditor
  • Houssein Ndiaye, Auditor

With the support of external resources.

1.0 Background

The Treasury Board (TB) Directive on Delegation of Spending and Financial Authorities, issued pursuant to the Financial Administration Act (FAA), sets out a legislative framework of spending and financial authorities that allows for effective management of government expenditures. The expenditure management process comprises of the following authorities:

  • Spending authorities: expenditure initiation authority, commitment authority (FAA, section 32), and transaction authority.
  • Financial authorities: certification authority (FAA, section 34), and payment authority (FAA, section 33).

The delegation of spending and financial authorities is a key control in the expenditure process and is formally established through a delegation chart. Well implemented delegations further the efficient use of resources where responsibility can be most effectively exercised and where accountability for results can be best assigned. 

Delegation of authorities through electronic signatures is becoming a common practice across the Government of Canada. Canadian Heritage (PCH) is undertaking a financial management transformation and developing a common procure-to-pay solution. The purpose of the overall Procure-to-Pay (P2P) project is to implement a set of business processes to automate the financial signing authority, invoice approval process and contracting process to improve controls and standardize efficient automated processes.

The P2P project is being rolled out in three phases:

  1. Delegation of Authority Application (DAA) which automates the delegation of authority process to fund managers;
  2. Invoice to Pay (I2P) which will automate the invoice approval process (section 34 of the FAA);
  3. P2P which will add the contracting and pre-purchase approvals (section 32 of the FAA).

This approach is expected to facilitate the transition at each phase and help identify and mitigate risks at the design, development and implementation stages, and improve the likelihood of achieving desired results.

On February 1st 2017, PCH implemented Phase 1 of the P2P electronic authorization solution: The Delegation of Authority Application – Electronic Approvals of Financial Signing Authorities. This module was provided by another government department, who had previously implemented the DAA, and customized to the PCH environment over the course of 18 months.

Once implemented at PCH, the existing paper-based delegation of authority was decommissioned and replaced with the new system, reducing the number of steps to approve a delegation (from 9 to 4 steps for a new authority and 3 steps for acting). The launch of this new application is an important change initiative for the Department and is expected to improve the efficiency and effectiveness of financial controls. Specifically, the DAA supports managers with delegated financial authority, resource management directorates (RMDs), regional finance personnel and financial operations in the following ways;

  • The DAA automates much of the delegation process reducing the number of details the RMDs and Regions enter and verify in the system such as delegation manager information, delegation limits, and mandatory training; 
  • Delegated managers are no longer required to sign multiple signature cards and now approve delegations and acting assignments online with a few clicks; and
  • Managers, Human Resources (HR), RMDs, and Financial Management can track who has delegated authority at any specific time.

Delegation authorities are automated based on the PCH delegation matrix and HR organizational structures in PeopleSoft. The DAA utilizes financial and HR reporting relationships in PeopleSoft to identify employees’ managers and the level of approval required. Information is extracted from PeopleSoft and loaded daily into the DAA. However, due to the well-known pay system issues, a manual workaround is in place for new employees and interdepartmental transfers.

2.0 About the Audit

2.1 Project Authority

The Office of the Chief Audit Executive has initiated the Audit of the Delegation of Authority Application (DAA) module within the SAP Financial System in accordance with the Risk Based Audit Plan (RBAP) for 2017-18 to 2019-20.

2.2 Objective and Scope

The objective of this engagement was to provide assurance on the structure, appropriateness, and operation of the new Delegation of Authority Application and the effectiveness of the project and change management strategies applied throughout the design and implementation of the application. In addition, this engagement was to garner lessons learned from the DAA implementation that can be directly applicable to the upcoming I2P and P2P implementations.

The engagement focused on the design and implementation of the new Delegation of Authority Application module within SAP.

2.3 Approach and Methodology

All audit work was conducted in accordance with the Treasury Board Policy on Internal Audit. Project management practices were measured against criteria derived from the Project Management Body of Knowledge (PMBOK) Guide and TB policies and procedures. The criteria are aligned with the TBS Checklist of Success Factors Associated with Business Transformation Projects with a Significant IT Component.

The key activities performed as part of this methodology included:

  • simulations on the new system to test the key controls implemented to ensure the application is functioning effectively, efficiently and as intended;  
  • review of the organization’s documentation, guidelines and procedures, and relevant policy and legislation;
  • collection of data through interviews, walkthrough with the entity’s personnel to examine processes; and
  • mapping in a matrix format of the controls identified during the audit.

3.0 Findings and Recommendations

The audit findings are based on a combination of the evidence gathered through the audit methodologies applied for each audit criterion. Appendix A provides a summary of all findings and conclusions for each of the criteria assessed during the audit. Findings of lesser materiality, risk or impact have been communicated with the audit client either verbally or in a management letter.

With the implementation of the DAA being the first phase of the development of P2P, the audit work conducted and the resulting findings and recommendations serve as the basis for establishing a sound foundation for this initiative.

3.1 Governance

Project Management Framework

The initial project management framework was designed at the project onset via a project charter and identification of key project roles, but was limited in its application as individuals, timelines and complexities changed during the project.

Project Framework

A robust and well established project management framework is key for an effective and successful outcome of a project.  The audit team found that a project management framework was designed and initiated at the project onset via the establishment of a project charter. This charter incorporated key elements of project management, including the purpose, objective and scope, and the overall approach, outlining elements such as deliverables, control, schedule, level of effort, and costing estimates.

However, aside from the creation and update of the project charter, the audit team did not find evidence to suggest that the framework was fully implemented. For example, the timeline of the project was impacted due to interdepartmental business requirements scoping and the issues caused when the transfer of the DAA occurred between the PCH environment where the other government department was developing the application and their respective environment. The audit team expected to see reflected in the project management documentation, as defined in the project charter, changes and the necessary customization as result of the developers spending time to resolve these issues. The team did find evidence of a project management tool being used to track tasks.

Project Governance and Oversight

Governance and oversight are key aspects of project management.  Effective application of these aspects ensure roles and responsibilities are adhered to, sound project related decisions are made, timelines are met, and costs remain within budget.

The DAA project charter initially identified key project leadership roles, including the project director, project lead, project manager, technical lead and functional lead. Nevertheless, key project leadership changed with a new director and technical lead joining the team prior to implementation. As a result, the audit team expected to find evidence of project updates, project meetings, and change logs for project goals and timelines or other monitoring mechanisms. While this was not found, the team did observe that the roles were updated in the project charter and that a project management tool was employed. In addition, it was observed that as part of project governance and oversight, briefings were made to various departmental committees and that non-formalized solutions were implemented to ensure the project moved forward.

Overall, the project management framework initially incorporated good practices, with the development of a project charter, and identification of key project roles. However, the charter was limited in its application as individuals, timelines and complexities changed during the project, and monitoring mechanisms were limited. With the movement of key personnel overall project management fell on technical teams. Critical knowledge associated with the project delivery and implementation details rested in the hands of individuals rather than a centralized documentation and knowledge base which could make any future transitions or upgrades difficult. The audit team did find that since the arrival of the new Deputy Chief Financial Officer, there has been notable increase of rigor in project management and project governance and oversight.

Recommendation:

  1. The Chief Financial Officer should apply a rigorous project management approach, in alignment with best practices identified in the PMBOK guidelines, and ensure it is updated as needed as the project evolves through the I2P and P2P phases.

Training and Change Management Approach

A training plan was developed and standardized training was delivered to two distinct groups of users – Resource Management Directorates and managers.

Project communications, using a just-in-time approach, were delivered via presentations, targeted emails, and the PCH Intranet. While a formal change management strategy was developed, plans for that change management and overall stakeholder engagement were not created or executed.

Training Strategy

Training is key for the successful implementation and use of an application. In order for training to be effective and efficient, a strategy and subsequent plan should be developed at the outset of the project with defined targets. A training plan for the DAA was developed and training on the use of the application was subsequently delivered to users. The training was standardized and was delivered to two distinct users groups – the Resource Management Directorates and managers - in person (classroom, group sessions, and one-on-one) and online prior to the roll out of the application. The training sessions focused on requirements to be added to the DAA module, how to use the module for delegations, and the impacts once authority had been delegated. The audit team found that the training was provided late and the plan did not include all relevant user groups.

Change Management Approach

Similarly to project management, change management is a key pillar on implementing or changing a process, application or system. This distinction increases in importance when the change fundamentally alters business processes in the Department. The DAA project was announced via the PCH intranet at least six and then one month prior to implementation of the application. Targeted communication to impacted users, or users for whom training was mandatory was limited. This communication approach was not as effective as intended since many stakeholders interviewed felt they were given little warning of the process change and delays in the project. The audit team did note that there were briefing to the various tables and committees within the Department as part of a limited change management approach.

PCH has created a network of change agents throughout the organization to assist in the management and implementation of changes and overall organizational effectiveness and improvement. This network was engaged at various points in the implementation of this application to provide advice and assist in communication and overall employee and management engagement of this change.

The audit team found evidence to suggest that a formal change management strategy was developed and in place related to the DAA implementation, but plans for that change management and overall stakeholder engagement were not created or executed, resulting in a need for a more robust and better documented approach to change management and stakeholder engagement. This approach was a factor in the lack of understanding of the solution’s impact and use, and an overall negative view of the solution itself from those stakeholders interviewed.

Recommendation:

  1. The Chief Financial Officer should enhance change management practices, such as the development, application and updating of change management and stakeholder engagement plans, and increase active communications.

3.2 Risk Assessment

Mapping of Business and Technical Requirements

Business and technical requirements were mapped after the project kickoff. This resulted in delayed identification of business process complexities and customization requirements, impacting project timelines, key milestones and created implementation issues.

As a normal part of an application implementation, both business and technical requirements are mapped to ensure that there is alignment between the business processes and the capabilities of the technology. This mapping exercise was of importance as part of the DAA implementation as the module itself was taken directly from another department and implemented at PCH where business processes and technical requirements differ between the organizations.

The audit team found the business and technical requirements of the DAA solution were not analyzed in a timely manner as the analysis was conducted after the project was started.  The other government department’s DAA solution is designed for a single legal entity environment, while PCH is more complex with a multi-legal entity environment. Further, PCH has business process complexities and operational differences which made direct implementation of the solution impossible, specifically on how program costs are managed. Extensive customization was required for the solution to work for PCH, which required relying on the other government department’s technical team to execute as they had the rights to make actual code changes. It would be expected that at least some of these business and technical issues would be discovered during the project scoping phase via a gap analysis, instead of after project launch. This resulted in unexpected delays and technical implementation issues throughout the project.

The audit team found the project did not engage the relevant user and stakeholder groups in the design during the scoping phase of the project regarding business requirements.  Engagement did occur during implementation and development of the support structure for the application. The audit team noted that when the application was moved from development to production environment, a mismatch of business and technical requirements occurred resulting in project delays. However, once the PCH technical team was engaged in the project, they identified and addressed critical errors prior to installation in production. This demonstrates PCH technical expertise in SAP and the ability to gather and manage these requirements.

Recommendation:

  1. The Chief Financial Officer should ensure early engagement of stakeholders to properly scope the project and develop business and technical requirements for the tool, including I2P and P2P.

Scalability of the Project for I2P and P2P

After project implementation, the current set-up is adequate and scalable for the future implementation of I2P and P2P functionalities.

The DAA is the first phase of a three-phased procure to pay automation and implementation project culminating in the deployment of P2P.  As DAA is a direct pre-cursor for both modules to work, it is important that any specific components that were implemented are scalable to these future modules and do not prevent key functionalities from working as intended.

From a technical perspective, PCH is well positioned to scale to I2P and P2P as the current technical set-up is aligned with most I2P and P2P requirements. The implementation of these two modules should not be impacted by the current DAA set-up as long as the versions of I2P and P2P have been adjusted to work within a multi-legal entity environment and have been aligned to the unique business and technical requirements of the Department.

The audit team found the other government department’s technical documentation provides extensive, useful details on the technical set-up of their current DAA set-up, including table structures and migration paths.

3.3 Controls

User Access in the Application

Testing revealed that user controls are working as expected.

Key controls related to user access are tested to validate that an application is functioning effectively, efficiently and as intended, and the existing set-up does not eliminate key segregation of duties. During the audit work, testing found that the technical teams had critically analyzed the specific impact of the new system functionalities, and had a strong knowledge of how delegation effected user access. The technical team was aware of the roles and privileges assigned to all users, demonstrating an in-depth knowledge of the solution set-up.

The practice at PCH is that when delegating “acting” access, the “actor” is granted all SAP roles and responsibilities associated with the delegator. This means that they have access and authority to all actions that the delegator had privileges to perform within SAP itself.

Accuracy of Human Resource Data in PeopleSoft

Human Resource data in PeopleSoft drives the DAA tool. There is currently a lag in the updating of PeopleSoft data, resulting in the need for a workaround process.

The audit work included a review of the human resource data that is duplicated between PeopleSoft, SAP, and actual human resourcing processes, to validate that the employee data (which drives the DAA solution) is accurate and timely. The review found that while the HR data is loaded daily into the DAA, at any point in time the PeopleSoft data is not up to date. There are a number reasons for this lag, all of which are outside the scope of this audit.  These include, but are not limited to, the well-known issues with the Government of Canada pay system and the staffing processes currently in use. As a result, HR resources utilize a work around method, via the use of an excel spreadsheet, to ensure critical HR processes can still function, but this does not always include updating the data in the system required for the DAA. This work around process, while being a stop gap measure, leaves room for human error, relies heavily on non-standardized knowledge and processes, and generally increases the risk of errors and inconsistent data. The current impact of the HR data lag is that users will not have access to DAA in a timely manner, which may not align with the business realities (i.e. a manager who needs to delegate authority but is unable to due to the user not being added to the system).

4.0 Conclusion

The objective of this engagement was to provide assurance on the structure, appropriateness, and operation of the new Delegation of Authority Application, and the effectiveness of the project and change management processes applied throughout the design and implementation of the application. After implementation, the overall structure and appropriateness of the DAA module is considered controlled, as the solution currently functions as intended and has adequate controls.

Furthermore, this engagement sought to garner lessons learned from the DAA implementation that could be directly applicable to the upcoming I2P and P2P implementations. The audit team identified opportunities for improvement in relation to the project implementation process and methodology that should be addressed prior to the deployment of the I2P and P2P projects in order to ensure effective, controlled, and timely implementation.

Appendix A — Assessment Scale and Results Summary

The conclusions reached for each of the criteria used in the assessment were developed according to the following definitions.

Score Conclusion Definition
1 Well Controlled

Well managed, no material weaknesses noted; and effective.

2 Controlled Well managed and effective. Minor improvements are needed.
3 Moderate Issues

Requires management focus (at least one of the following criteria are met):

  • Control weaknesses, but exposure is limited because likelihood of risk occurring is not high.
  • Control weaknesses, but exposure is limited because impact of the risk is not high.
4 Significant Improvements Required

Requires immediate management focus: At least one of the following three criteria are met:

  • Financial adjustments material to line item or area or to the Department.
  • Control deficiencies represent serious exposure.
  • Major deficiencies in overall control structure.

The table below includes audit criteria and is used to develop audit conclusion.

Audit Objective: The objective of this engagement was to provide assurance on the structure, appropriateness, and operation of the new Delegation of Authority Application and the effectiveness of the project and change management strategies applied throughout the design and implementation of the application.
Audit Criteria Conclusion
1.1

The project management framework is established with a defined governance structure with decision making authority and roles and responsibilities related to the DAA project are communicated and are being adhered to.

3
1.2

The business and technical requirements for the DAA are sufficiently defined for PCH’s unique environment and aligned with all affected business units within the Department.

3
1.3

A change management strategy, including communication and training plans, is established with defined targets.  The roll-out of this strategy uses existing mechanisms and is appropriately monitored with corrective actions being taken when necessary.

3
2.1

Appropriate internal controls are in place and functioning effectively, efficiently and as intended.

2
3.1

Existing application controls are scalable for next two phases of the Project (I2P and P2P) capturing efficiencies and preventing waste.

2
4.1

Accurate and timely HR data (through PeopleSoft) that supports the solution.

2

Appendix B — Management Action Plan

Recommendations Management Assessment and Actions Responsibility Target Date

Governance

  1. The Chief Financial Officer should apply a rigorous project management approach, in alignment with best practices identified in the PMBOK guidelines, and ensure it is updated as needed as the project evolves through the I2P and P2P phases.

Management agrees with the assessment.  The project was complex to manage with three Departments. NRC has deployed the solution and PCH has since taken over the project consultant.  This has allowed for a more focused and up to date project management approach. 

We will review the PMBOK best practices and adjust the project management approach as required and ensure that documents are properly updated through-out the project.

Manager, Financial Systems

March 2018

  1. The Chief Financial Officer should enhance change management practices, such as the development, application and updating of change management and stakeholder engagement plans, and increase active communications.

Management agrees with the assessment.  The DCFO will develop a more formal change management, engagement and communication plan.

Deputy Chief Financial Officer

February 2018

Risk Management

  1. The Chief Financial Officer should ensure   early engagement of stakeholders to properly scope the project and develop business and technical requirements for the tool, including I2P and P2P.

Management agrees with the assessment. Engagement sessions with Sector and Direct Report Management Tables, Agents of Change, Resource Management Directorates and Regional Finance Directors have taken place and will continue. 

Updates will continue to be provided at Governance Committees (FINCOM, EXCOM) and greater use of DG and Director forums will be deployed.

Deputy Chief Financial Officer

February 2018

Report a problem or mistake on this page
Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, contact us.

Date modified: