Language selection

Government of Canada / Gouvernement du Canada

Search

Audit of Automatic Enrolment for an Old Age Security Pension Phase 1B, May 2014

Official Title: Audit of Automatic Enrolment for an Old Age Security Pension Phase 1B, May 2014

Executive summary

Automatic enrolment for an Old Age Security (OAS) pension allows the Minister of Employment and Social Development Canada (ESDC) to waive the requirement for an OAS pension application if the Minister is satisfied that the person will meet the eligibility criteria for the pension at age 65.

The automatic enrolment of eligible individuals is one of the components of the OAS/Guaranteed Income Supplement (GIS) Service Improvement Strategy intended to improve service and introduce administrative efficiencies. The other aspects of this multiyear Strategy include the migration of OAS to the Canada Pension Plan (CPP) technology platform, business process re-engineering, enhanced eServices, as well as future phases of proactive enrolment including streamlined enrolment.

Individuals eligible for automatic enrolment need, at age 64, to have a current Canadian address, have participated in the CPP or Québec Pension Plan (QPP) for 40 years or more, and be in receipt of or approved for payment of a CPP or QPP Retirement, Disability or Survivor pension. Only individuals involved in Phase 1B, with Régie des rentes du Québec (RRQ) data, were included in the scope of this audit.

Audit objective

The objective of this audit was to assess the design and operating effectiveness ofPhase 1B of the automatic enrolment for an OAS pension as part of the OAS/GIS ServiceImprovement Strategy.

Summary of key findings

  • The selection and notification of automatically enrolled seniors with RRQ data is well controlled. Controls were adequately designed and are operating as intended to only automatically enrol individuals that meet the eligibility criteria for an OAS pension.
  • Controls that protect the integrity and confidentiality of auto-enrolled accounts have been adequately designed, are operating as intended and meet the provisions outlined in the Information Sharing Agreement (ISA) between the RRQ and ESDC. The ISA was also reviewed and adequately captures the requirements pertaining to the integrity and confidentiality of the information being exchanged.
  • As part of the Submission to Treasury Board (TB), the Department undertook an analysis to compare the accuracy of the automatic enrolment selection criteria against the actual experience of 152,902 beneficiaries meeting the Phase 1A characteristics. This analysis was performed before the signature of the ISA with RRQ. As a result, ESDC did not have access to benefit information for QPP contributors and did not include Phase 1B beneficiaries in its analysis. It was assumed that the QPP recipients would have similar outcomes to CPP recipients. Nonetheless, we advise that this assumption be confirmed going forward to ensure it is founded.

Audit conclusion

The audit concluded that the control environment supporting Phase 1B of the automatic enrolment for an OAS pension has been adequately designed and is operating effectively.

Recommendation

No recommendations were made to management following the audit.

1.0 Background

1.1 Context

The OAS program is the first pillar of Canada’s retirement income system and is funded from general tax revenues. The basic OAS pension is a monthly benefit available to most Canadians 65 years of age or over, based on age, legal status and residence.

Automatic enrolment for the OAS pension allows the Minister of ESDC to waive the requirement for an OAS pension application if the Minister is satisfied that the person will meet the eligibility criteria for the pension at age 65. The automatic enrolment of eligible individuals is one of the components of the OAS/GIS Service Improvement Strategy that aims to improve service delivery of OAS benefits to Canadian seniors while reducing administrative costs. The other components of this multi-year Strategy include automating and streamlining application processes for other benefits, increasing the efficiency of business processes and migrating the delivery of the OAS program to the same information technology platform as the CPP to allow for integrated processing of benefits.

The Processing and Payment Services Branch (PPSB) is the departmental lead responsible for implementing the Strategy, in coordination with the Income Security and Social Development Branch and various other internal stakeholders.

Automatic enrolment is being implemented in a phased approach. Phase 1 includes individuals who, at age 64, have a current Canadian address, have participated in the CPP or QPP for 40 years or more, and who are in receipt of or are approved for payment of a CPP or QPP Retirement, Disability or Survivor pension Footnote 1 .

The first part of Phase 1, Phase 1A (implemented in April 2013), used information that is already available within the Department to identify individuals for possible automatic enrolment (CPP database, including Canada Revenue Agency addresses, and the Social Insurance Register). The second part of Phase 1, Phase 1B (implemented in October 2013), used information accessible through an ISA with the RRQ.

An internal audit of Phase 1A was recently conducted and concluded that the control environment supporting Phase 1A of the automatic enrolment for the OAS pension was adequately designed and is operating effectively. The Department is addressing the single audit recommendation, which pertained to improving performance monitoring and account maintenance.

1.2 Audit objective

The objective of this audit was to assess the design and operating effectiveness of Phase 1B of the automatic enrolment for an OAS pension as part of the OAS/GIS Service Improvement Strategy.

1.3 Scope

The scope of this audit included the design and operating effectiveness of the control framework for Category 1 beneficiaries that:

  • have a current Canadian address;
  • are 64 plus one month and have participated in the CPP or QPP for a total of 40 years or more;
  • are in receipt of or are approved for payment of a CPP or QPP Retirement, Disability or Survivor pension.

Only individuals involved in Phase 1B (with RRQ data) were included in the scope of this audit. Controls for Phase 1A of the automatic enrolment for an OAS pension were already assessed in an audit completed in fiscal year 2013–14.

Updated policies, procedures, processes and practices were reviewed. Internal Audit also assessed to what extent the control framework is aligned with the business process changes introduced by automatic enrolment.

1.4 Methodology

This audit used document reviews as well as key stakeholder interviews as evidence collecting methodologies. A walkthrough of system design documentation as well as a review and analysis of testing strategies were also performed.

Representatives from PPSB, Innovation, Information and Technology Branch, Integrity Services Branch (ISB) and selected region were interviewed in order to have a comprehensive view of the operational environment.

2.0 Audit findings

In the past, when seniors wanted to receive an OAS pension, they had to manually complete an application and send it to the Department for processing. Every month, the Department advises 64 years old seniors with a Canadian address that they could soon be eligible for an OAS benefit through the presumptive application process.

With the implementation of the automatic enrolment for an OAS Pension, the Department can waive the requirement for an application if the Minister is satisfied that the person will meet the eligibility criteria for the pension at age 65. This eliminates the requirement for an application for many seniors. Clients who are eligible for automatic enrolment are notified in the year before they become eligible for an OAS pension while those that do not meet the automatic enrolment criteria continue to receive the presumptive application.

2.1 Selection of auto-enrolled accounts is controlled

The selection and notification of automatically enrolled seniors with RRQ data is adequately controlled. Controls were well designed and are operating as intended to only automatically enrol individuals that meet the eligibility criteria for an OAS pension.

One of the controls to reduce the risk of erroneous selection or inadequate performance of the automatic enrolment procedures is adequate testing before the solution is released in the production environment. For Phase 1B, testing of the creation of the RRQ request and processing of RRQ return file to ensure they meet functional and non-functional requirements was challenging. Testing with a third party always adds complexity and unforeseen behaviour in the production environment is not uncommon.

Despite the execution of all planned tests, two unforeseen issues were identified specific to the RRQ data exchange:

  • Performance issue in processing the RRQ return file. Performance issues when software is released in production are not uncommon. As stated in previous internal audit reports Footnote 2 , the current testing environment is not fully capable of identifying the problems that occur in production because it is too dissimilar to the production environment.
  • Clients with a date of birth in December. In December 2013, almost all accounts received from RRQ were rejected when processed. Accounts were rejected because the automatic enrolment system is expecting 47 years of contribution history (from 18 to 64 years old) but RRQ only returned 46 years. This is because seniors with a date of birth in December were only entitled to contribute to the CPP or RRQ plan the month following their 18th birthday, which would be in January 1968 (1968 to 2013 is only 46 years). Business requirements did not account for this situation when they were written and as such this particular case was not tested.

Both issues were quickly addressed in emergency releases requiring limited effort. No accounts were improperly selected because of either issue.

2.2 Integrity and confidentiality of auto-enrolled accounts is controlled

As the implementation of Phase 1B of automatic enrolment requires information to be shared between RRQ and ESDC, data integrity and confidentiality must be maintained as outlined in the ISA. Internal Audit reviewed the controls that protect the integrity and confidentiality of auto-enrolled accounts and concludes that they have been adequately designed, are operating as intended and meet the provisions outlined in the ISA.

Starting in June 2012, ongoing discussions with RRQ established transfer protocols, conventions and testing approach to allow for effective and secure information sharing. Internal Audit reviewed the testing approach and test results and concludes that controls are in place to protect the confidentiality and integrity of the information being exchanged.

Information transferred between ESDC and RRQ is encrypted when at rest, and is transferred using a secure file transfer protocol. Both the encryption technology used and the secure transfer protocol are recognised industry standards.

The Department has also developed scripts that verify the integrity of the information being received from RRQ. Internal Audit reviewed those scripts and concludes that they constitute sufficient controls around integrity.

2.3 Risks introduced by the automatic enrolment of individuals were assessed and mitigated

As part of the Submission to TB, PPSB, in collaboration with ISB, undertook an analysis to compare the accuracy of the automatic enrolment selection criteria against the actual experience of 152,902 beneficiaries meeting the Phase 1A characteristics.

This analysis was performed before the signature of the ISA with RRQ. As a result, ESDC did not have access to benefit information for QPP contributors and did not include Phase 1B beneficiaries in its analysis. It was assumed that the QPP recipients would have similar outcomes to CPP recipients. There is some empirical evidence to suggest that the assumption is valid. For example, the approximate rate of misdirected mail associated to Annual T4 Tax Slip Mail Outs at the RRQ is less than one percent. This low rate is likely attributed to the fact that address changes are made through one portal in the province of Québec. Nonetheless, we advise that this assumption be confirmed going forward to ensure it is founded.

3.0 Conclusion

The audit concluded that the control environment supporting Phase 1B of the automatic enrolment for an OAS pension has been adequately designed and is operating effectively.

4.0 Statement of assurance

In our professional judgement, sufficient and appropriate audit procedures were performed and evidence gathered to support the accuracy of the conclusions reached and contained in this report. The conclusions were based on observations and analyses at the time of our audit. The conclusions are applicable only for the automatic enrolment for an OAS pension, Phase 1B. The evidence was gathered in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing.

Appendix A: Audit criteria assessment

Audit Criteria Rating
It is expected that the Department Control Design Control Operating Effectiveness
Designed and implemented controls to automatically enrol individuals that meet the eligibility criteria for an OAS pension. Sufficiently controlled, low risk exposure Effectiveness: Sufficiently controlled, low risk exposure
Designed and implemented controls to preserve data integrity and confidentiality throughout the automatic enrolment processes. Best practice Best practice
It is expected that the Department assessed and mitigated risks introduced by the automatic enrolment of individuals. Sufficiently controlled, low risk exposure Sufficiently controlled, low risk exposure
Designed and implemented processes to record and act on requests received from automatically enrolled individuals (e.g. deferrals, cancellations, corrections or changes to date of birth, address, or residency). Sufficiently controlled, low risk exposure Sufficiently controlled, low risk exposure
Captures information that allows for the monitoring of the accuracy and performance of key aspects of the automatic enrolment processes. Accuracy Monitoring Sufficiently controlled, low risk exposure Sufficiently controlled, low risk exposure
Performance Monitoring Controlled, but should be strengthened, medium risk exposure Controlled, but should be strengthened, medium risk exposure
Monitors the accuracy and performance of key aspects of the automatic enrolment processes. Accuracy Monitoring Sufficiently controlled, low risk exposure Sufficiently controlled, low risk exposure
Performance Monitoring Controlled, but should be strengthened, medium risk exposure Controlled, but should be strengthened, medium risk exposure
Takes corrective actions to resolve issues when required. Accuracy Monitoring Sufficiently controlled, low risk exposure Sufficiently controlled, low risk exposure
Performance Monitoring N/A N/A

Appendix B: Glossary

CPP
Canada Pension Plan
ESDC
Employment and Social Development Canada
GIS
Guaranteed Income Supplement
ISA
Information Sharing Agreement
ISB
Integrity Services Branch
OAS
Old Age Security
PPSB
Processing and Payment Services Branch
QPP
Québec Pension Plan
RRQ
Régie des rentes du Québec
TB
Treasury Board

Page details

2016-07-18