Audit of Canada Pension Plan Disability Program – Benefits authorization and payment, December 2015

Executive Summary

Introduced in 1966, the Canada Pension Plan Disability (CPPD) benefit is the largest long-term disability insurance program in Canada. It is designed to provide financial assistance to Canada Pension Plan (CPP) contributors who are not able to work regularly because of a severe and prolonged disability (as defined by the CPP legislation). It operates in nine provinces and territories while the Québec Pension Plan (QPP), a parallel plan, operates in the province of Québec.

In November 2014, the Office of the Auditor General of Canada (OAG) informed the Department of the conduct of an independent examination of the CPPD program to be tabled in Parliament in fall 2015. It was decided that the internal audit of CPPD would be complementary to their audit. As a result, Internal Audit Services Branch (IASB) has collaborated with the OAG auditors to avoid duplication in scope.

The OAG audit focused on the timeliness and consistency in the assessment of CPPD benefits applications and examined whether the Social Security Tribunal (SST) decided CPPD appeals in a timely manner. IASB audit focused on CPPD benefits authorization and payment for domestic claims.

Audit Objective

The audit objective was to assess the adequacy of the control framework to support CPPD benefits authorization and payment and the protection and safeguarding of personal information.

Summary of Key Findings

  • The correct CPPD benefit amounts were paid to applicants.
  • Disability eligibility requirements for authorized benefits were properly supported with evidence on file.
  • Key controls were in place, however, not as part of a formal control framework.
  • File documentation practices varied between the two processing centres visited.
  • Employment and Social Development Canada (ESDC) consistently obtains a signed consent from the applicant to obtain and communicate information to an authorized person. However, personal information may be at risk because the “Clean Desk” guideline was not implemented for both processing centres.

Audit Conclusion

The audit concluded that the controls to support CPPD benefits authorization and payment were adequate. Personal information is protected and safeguarded during its exchange with the applicants and third parties. The audit identified an opportunity to further protect paper files while applications are being processed.

Recommendation

It is recommended that the Senior Assistant Deputy Minister (SADM), Processing and Payment Services Branch (PPSB), ensures the departmental clean desk guideline is implemented and monitored at CPPD processing centres.

1.0 Background

1.1 Context

Introduced in 1966, the CPPD benefit is the largest long-term disability insurance program in Canada. It is designed to provide financial assistance to CPP contributors who are not able to work regularly because of a severe and prolonged disability (as defined by the CPP legislation). It operates in nine provinces and territories while the QPP, a parallel plan, operates in the province of Québec.

According to the Canada Pension Plan, “a person shall be considered to be disabled only if he is determined in prescribed manner to have a severe and prolonged mental or physical disability, and for the purposes of this paragraph, (i) a disability is severe only if by reason thereof the person in respect of whom the determination is made is incapable regularly of pursuing any substantial gainful occupation, and (ii) a disability is prolonged only if it is determined in prescribed manner that the disability is likely to be long continued and of indefinite duration or is likely to result in death” Footnote 1 .

CPPD provides benefits to people who have made enough contributions to the CPP and who are disabled and cannot work at any job on a regular basis. Benefits may also be available to their dependent children. In 2010–2011, about $4 billion in benefits were paid to over 300,000 beneficiaries and 85,000 of their children Footnote 2 .

For 2014, the average monthly CPPD benefit was $901.40 and the maximum monthly amount was $1,236.35. The flat monthly rate a child could receive was $230.72 Footnote 3 .

The CPPD Directorate under the Income Security and Social Development Branch provides policy direction to Service Canada (SC) which is responsible for its application. The Directorate manages relationships with arms-length appeal bodies and provides medical expertise to support cases at the SST and the Federal Court. The Directorate also provides policy and program direction on return to work and vocational rehabilitation support for CPPD beneficiaries. PPSB, in SC, delivers the CPPD program through eight processing centres across Canada. PPSB also provides program direction, training and support to CPPD processing staff.

Additionally, there are CPPD benefits that are administered in accordance with Canada’s International Social Security Agreements (SSAs). These Agreements are international treaties that co-ordinate the operation of Old Age Security (OAS) and CPP with comparable programs in foreign countries that provide pensions for retirement, OAS, disability, and survivorship.

The responsibility for the administration of SSAs rests with the International Operations (IO) Division of SC. IO administers 58 SSAs with 56 Agreements currently in force. There are three IO Centres of Specialization located in Edmonton, Fredericton, and Ottawa which are responsible for the processing of benefits under these Agreements.

1.2 Audit Objective

The objective of this engagement was to assess the adequacy of the control framework to support CPPD benefits authorization and payment and the protection and safeguarding of personal information.

1.3 Scope

In November 2014, the OAG informed the Department of the conduct of an independent examination of the CPPD program to be tabled in Parliament in fall 2015. It was decided that the internal audit of CPPD would be complementary to their audit. As a result, IASB has collaborated with the OAG auditors to avoid duplication in scope.

The OAG audit focused on the timeliness and consistency in the assessment of CPPD benefits applications and examined whether the SST decided CPPD appeals in a timely manner.

The internal audit focused on CPPD benefits authorization and payment as well as the safeguarding of personal information for domestic claims. The audit excluded:

  • The functionality of the Information Technology Renewal Delivery System (ITRDS);
  • QPP disability payments as Québec has its own disability plan;
  • The examination of CPPD eligibility, reconsiderations and the appeals process as these were included in the OAG audit scope; and
  • The examination of CPPD benefits under Canada’s International SSAs as these will be part of a future internal audit planned for 2015–16.

1.4 Methodology

This audit used a number of methodologies including document review, interviews, on-site observations, walkthroughs, as well as sampling and testing. The audit was conducted in March 2015 in two processing centres located in Victoria in the Western Canada - Territories (W-T) region and St. John’s in the Atlantic region. The audit team selected a judgmental sample of 62 CPPD files for which payment activity took place between January 1, 2014 and December 31, 2014. The sample included 30 CPPD benefit payments, 10 CPPD benefit payments for children, 20 combined benefit payments to survivors and 2 appeal payments.

The audit team interviewed representatives from PPSB, W-T, and Atlantic regions in order to obtain a comprehensive view of the operational environment.

2.0 Audit Findings

2.1 The correct CPPD benefit amounts were paid to applicants

ITRDS is a comprehensive client information and benefit processing system. It is used to capture data, adjudicate, maintain and pay all CPPD benefits. Staff interviewed indicated that the system was user friendly, the information was easy to find and available in real-time.

CPPD benefits are calculated by ITRDS based on the date of disability (date of onset) and on CPP contributions and other factors. The monthly disability benefit amount consists of two components: a flat disability rate amount plus 75% of the contributor’s retirement benefit. The effective date of onset is provided to the Service Canada Benefits Officer (SCBO) by the Medical Adjudicator (MA) to determine the payment. ITRDS also determines whether the applicant has sufficient contributory earnings to qualify for a disability benefit prior to meeting the medical requirements and calculating the CPP minimum qualifying period.

The review of the sample of 62 CPPD files indicated the following:

  • CPPD benefit amounts are correctly calculated by ITRDS. The auditors checked the elements of the mathematical formula such as the accuracy of the CPPD flat rate used and the calculation of the 75% of the contributor’s retirement benefit. No discrepancies were noted;
  • The auditors reviewed the amounts calculated by ITRDS and found them to be compliant with the internal built-in formula. These amounts were also the same as the benefits paid to applicants;
  • Disability eligibility requirements, for authorized benefits, were properly supported with evidence on file. These include an application submitted in writing, the applicant is under 65 years of age and is not in receipt of a retirement pension under CPP, a Social Insurance Number (SIN), birth evidence and contributions to CPP;
  • The CPPD application was completed and signed; and
  • Medical reports were verified and signed by a licensed physician.

2.2 Key controls were in place, although not documented in a formal control framework

Sufficient controls were in place for the processing and payment of CPPD benefits. These controls were as follows:

  • Mandatory training was provided to all staff processing CPPD benefits;
  • Functional guidance and procedures, policies, directives, regulations and laws were readily available to staff;
  • A detailed delegation of authority chart was in place for each position;
  • Appropriate segregation of duties existed among staff and in ITRDS for input and authorization; and
  • Valid signature cards under Sections 34 and 33 of the Financial Administration Act were in place for SCBO and Program and Services Delivery Clerk (PSDC).

The processing of CPPD applications consists of four sub-processes: Screening of Application; Non-Medical Adjudication Review; MA Review; and Payment. These steps, which require the collaboration of various individuals, are performed by three different staff positions.

The PSDC screens the application package and enters the information into ITRDS to systematically determine whether or not the applicant qualifies for a disability benefit. The PSDC or SCBO conducts further earnings investigation to determine the applicant’s eligibility for a disability benefit. The MA conducts the medical assessment to determine whether or not the applicant’s disability is “severe and prolonged” and either grants or denies entitlement. The final step, putting the client into pay, is delegated to PSDC or SCBO based on the monetary amount within their delegated authority. For CPPD payments over the threshold amount of $15,000, a manager's approval is required; a director's approval is required for payment amounts over $25,000.

Roles were also segregated in ITRDS for input and authorization. The application functionality to which individuals have access was governed by their predefined role (for example, PSDC doesn’t have the same screen access as SCBO). Our test results showed that all payments were released by the appropriate delegated employees. During our review, we noticed that ITRDS has no feature to ensure that the payments over the threshold amounts are released by individuals with the appropriate delegated authority. PPSB representatives informed the audit team that reports are produced for over the threshold amounts and that ITRDS feature limitation will be corrected as part of a new initiative that is expected to be implemented within the next two years.

2.3 File documentation practices varied between the two processing centres visited

ITRDS Note is a screen used by CPPD processing staff to track and enter all actions and information during the processing of CPPD applications. ITRDS Note is a feature that allows staff to document actions in the CPPD process such as the receipt of an application that has yet to be processed; or that a detailed medical report has been requested or received from a physician.

In one of the processing centres, the audit team had to rely simultaneously on ITRDS Note and the paper files to understand actions taken on CPPD benefit payments for 9.6% of the files reviewed (3/31). It was not possible to get a full picture of the CPPD situation by looking at only one source of information. An additional 9.6% of the files reviewed along with ITRDS Note did not provide any explanation on the retroactive payment to the applicant. Furthermore, in 22.5% of the files reviewed (7/31), there was no evidence on file or on ITRDS Note that the applicant was notified in writing of the decision and the particulars of their payment.

Processing staff at the other processing centre used ITRDS Note consistently, which made it easier and faster to understand actions taken on CPPD files.

The audit team also noticed that no copies of the medical invoices were kept on CPPD files at both locations visited. Keeping a copy of the medical invoice on file constitutes a good practice to avoid payment errors/payment duplication or delays in payment. An opportunity exists for management to obtain greater assurance that actions taken during file processing are documented in ITRDS Note.

2.4 “Clean Desk” guideline was not implemented at the processing centres visited

The audit team observed that all employees had access to the Departmental Policy on Privacy, for reference and application in conjunction with the Privacy Act and the Department of Employment and Social Development Canada Act. General communications were used to advise employees of privacy policies and management conducted activities to ensure personal information is appropriately protected and safeguarded. In addition, privacy matters are frequently discussed in team meetings.

Various consent forms are required to be signed by CPPD applicants to authorize SC to obtain and disclose personal (medical and non-medical) information about them to determine whether they qualify or continue to qualify for CPPD benefits. For correspondence with individuals in relation to CPPD files, SCBOs use a system generated identification number instead of the beneficiary's SIN and address.

The clean desk guideline was established by the Department in October 2014. It is expected that the guideline be followed by all staff to prevent the unauthorized disclosure of sensitive information and the loss of departmental assets or personal items. At the time of the on-site visits to both processing centres in March 2015, the clean desk guideline was not yet implemented. We observed that all CPPD files being processed were kept on SCBOs' desks or in an unlocked common filing cabinet although both locations were on a secure floor and in a secure building.

The Departmental Telework Directive was developed in April 2013 in accordance with the Treasury Board Secretariat’s Telework Policy. It describes the Department’s commitment to considering telework when appropriate and outlines the various requirements to be met when assessing telework arrangements. It also sets out a framework for approving and managing telework arrangements and clarifies the elements required to be met by management and employees in order for ESDC to consider telework as an appropriate work arrangement. For example, telework will not be considered when “duties requiring the handling of sensitive information where the level of risk to the safeguarding of the information requires mitigating measures that are too costly and/or leave too high of a residual risk”.

The audit team was informed that there are some telework arrangements in place with MAs working on CPPD files. Our review showed that the initial start date of the telework arrangements for the MAs was between April 2009 and September 2011. The telework arrangement assessment process includes a threat and risk assessment of the proposed telework location by the Regional Security Office. At the conclusion of our fieldwork, current telework arrangements had been extended from April 1st, 2015 to September 30, 2015 following an approval by the Regional Vacancy Management Committee.

In the auditors’ opinion, the majority of regional positions involved with CPPD files are not suited for telework arrangements given the requirements to protect the privacy and confidentiality of the personal client information entrusted to the Department, such as medical information and banking information for direct deposits.

The audit team encourages program management to review the current teleworking arrangements at CPPD processing centres to ensure consistency among these organizations, and to identify and mitigate ongoing privacy risks.

Recommendation

It is recommended that the SADM, PPSB ensures the departmental clean desk guideline is implemented and monitored at CPPD processing centres.

Management Response

PPSB management recognizes the importance of the findings contained in the audit report and will undertake efforts to ensure greater consistency of notes included in CPPD files and placed in ITRDS. In addition, PPSB management will review current telework arrangements that may be in place for CPPD adjudicators to ensure that all requirements are addressed.

PPSB agrees with the recommendation regarding the clean desk guideline, and will ensure that all employees who adjudicate CPPD files are familiar with and are following the departmental clean desk guidelines. Management will develop a plan for addressing any gaps and monitoring compliance with the guidelines by March 2016.

3.0 Conclusion

The audit concluded that the controls to support CPPD benefits authorization and payment were adequate. Personal information is protected and safeguarded during its exchange with the applicants and third parties. The audit identified an opportunity to further protect paper files while applications are being processed.

4.0 Statement of Assurance

In our professional judgement, sufficient and appropriate audit procedures were performed and evidence gathered to support the accuracy of the conclusions reached and contained in this report. The conclusions were based on observations and analyses at the time of our audit. The conclusions are applicable only for the Audit of CPPD Benefits authorization and payment performed from January 1, 2014 to December 31, 2014. The evidence was gathered in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing.

Appendix A: Audit Criteria Assessment

Audit Criteria

It is expected that:

  • Controls were designed effectively and were operating as intended for benefits to be authorized and approved for payment by individuals with the appropriate delegated authority.
    • Rating: sufficiently controlled, low risk exposure
  • Controls were designed effectively and were operating as intended to ensure the right benefits amounts were being paid.
    • Rating: controlled, but should be strengthened, medium risk exposure
  • There was appropriate segregation of duties.
    • Rating: sufficiently controlled, low risk exposure
  • Controls were in place to properly safeguard personal information throughout the authorization and payment of CPPD benefits.
    • Rating: controlled, but should be strengthened, medium risk exposure

Appendix B: Glossary

CPP

Canada Pension Plan

CPPD

Canada Pension Plan Disability

ESDC

Employment and Social Development Canada

IASB

Internal Audit Services Branch

IO

International Operations

ITRDS

Information Technology Renewal Delivery System

MA

Medical Adjudicator

OAG

Office of the Auditor General

OAS

Old Age Security PPSB Processing and Payment Services Branch

PSDC

Program and Services Delivery Clerk

QPP

Québec Pension Plan

SADM

Senior Assistant Deputy Minister SC Service Canada

SCBO

Service Canada Benefits Officer

SIN

Social Insurance Number

SSA

Social Security Agreements

SST

Social Security Tribunal

W-T

Western Canada – Territories

Page details

Date modified: