Design effectiveness assessment of the Canada Education Savings Program compliance review framework

1.1 Context

Since its introduction in 1998, the Canada Education Savings Program (CESP) has provided savings incentives to encourage and reinforce the importance of early and sustained saving for a child’s post-secondary education specifically using Registered Education Savings Plans (RESPs). An RESP is a contract between a subscriber (i.e. the person opening the account, a parent) and one of the 88 promoters in the financial services industry. Typically, the subscriber is the child’s parents, a grandparent, another family member, or a friend of the family. The subscriber names one or more beneficiaries and may make contributions on their behalf. The beneficiary can be of any age, although beneficiaries over the age of 17 are not entitled to receive CESP incentives. As of December 2014, the 88 promoters administered $44.4B in RESP assets. Some of the larger promoters administer hundreds of millions of dollars in federal and provincial savings incentives.

The CESP provides two savings incentives linked to RESPs:

• The Canada Education Savings Grant (CESG) is money offered by the Government of Canada to help families start saving early for their children’s post-secondary education. The CESG has been available since 1998 and is calculated based on contributions made to an RESP for an eligible beneficiary until the end of the calendar year in which the beneficiary turns 17 years of age. The CESG provides a basic grant of 20% on the first $2,500 in annual contributions to an RESP. This grant is available to all Canadians regardless of their family income. An additional grant of 10% or 20% is available on the first $500 of annual contributions made by middle- and lower net income families. This additional grant is not retroactive. Since its 1998 inception, the program has paid $8.84B of CESG to 5.12M beneficiaries.
• The Canada Learning Bond (CLB) is an entitlement for children born on or after January 1, 2004 who are from low-income families (i.e. eligible for the National Child Benefit Supplement), or are under the care of a public trustee. It provides an initial payment of $500 followed by payments of $100 each year the child remains eligible, up to age 15 (for a maximum of $2,000). While the CLB is paid directly into an RESP, eligible families do not need to contribute to the RESP in order to receive it. The CLB is also retroactive: previous entitlements are also deposited with no contribution required. Since inception, 716,714 children have received a CLB for a total payment of $605M.

The Minister of Employment and Social Development Canada (ESDC) can enter into agreements with provincial governments to administer similar provincial education savings programs on a cost recovery basis. ESDC has active administrative agreements in place with Alberta, Saskatchewan and British Columbia for the delivery of their programs.

As part of its integrity and control framework, CESP conducts risk-based compliance reviews on all RESP providers, to ensure that their processes and procedures comply with CESP legislation, regulations, and with the conditions of their RESP Promoter Agreements with ESDC. The compliance framework includes several documents, procedures and standards which assist with promoter selection, determining the scope of the review and conducting the reviews in a standard way. Given the wide use of the program by Canadian families (the CESG take-up rate is nearing 50% of Canadian children), and the program’s maturity, CESP management asked Internal Audit Services Branch to undertake an independent design effectiveness assessment of its existing compliance review framework.

1.2 Assessment objective

The objective of this assessment was to determine if the CESP compliance review framework continues to provide sufficient assurance that controls are in place to mitigate risks in RESP promoter administration of the grants.

1.3 Scope and methodology

The scope of this assessment was limited to the design effectiveness of the CESP compliance review framework. Our assessment was conducted using a number of methodologies which included but was not limited to interviews and document review.

In this assessment, Internal Audit tested the design effectiveness of selected controls. It was assumed that program controls were operating as prescribed and exercised by individuals possessing the necessary authority and competence. Given this assumption, Internal Audit assessed whether the controls satisfied the program’s control objectives and could prevent or detect error or fraud.

2.1 Processes and controls supporting promoter enrolment and industry testing are adequately designed

Internal Audit assessed the design effectiveness of controls over promoter enrolment. We expected that CESP management would have established controls to ensure that promoters qualify for program delivery. Since the introduction of the program in 1998, the population of promoters offering it has been stable in the last few years. Controls around promoter enrolment are not as critical as they were at program inception when new promoter enrolment was riskier due to higher volume. In the last three years, there have been less than 15 new promoters that enrolled into the delivery of the CESP. Of those, most (80%) were off-shoots, spin-offs or subsidiaries of current promoters which means that the Department already has risk information about these “new” promoters.

Overall, the controls supporting the process for the enrolment of new promoters are well designed. RESP promoters have to enrol as such with the Canada Revenue Agency (CRA) by providing the Agency with specimen plan for each incentive they want to offer. CRA provides the Department with these new specimen plans. The Department then enters into a formal agreement with the promoter. The promoter is identified by legal name and business number but CRA is actually responsible to provide a level of assurance on the promoter’s identity. Agreements are created from a standard template and are signed by the Assistant Deputy Minister of the Learning Branch.

Internal Audit also assessed to what extent risk management was factored into the enrolment process. We expected CESP management would have an assessment methodology to identify risks associated with promoters at enrolment and that it would use results from their risk assessment to inform the frequency and scope of compliance reviews. The Department uses two tools to collect risk information on new promoters: self-assessment questionnaire and a preliminary assessment. The self-assessment questionnaire mainly gathers information on the systems used by the promoter to administer the program. Based on the answers, the Department will perform additional reviews and phone interviews to clarify certain points ahead of the on-site visit that is part of the preliminary assessment.

The self-assessment questionnaire allows CESP management to better focus their efforts during the site visits. We found that overall, CESP management uses risk management principles in the administration of the program to better target their controls where risk warrants it. However, the assessment process and risk factors could benefit from being better documented since it currently mostly relies on the extensive knowledge of key team members.

CESP management also has implemented controls to reduce the number of rejected transactions and grant denials by ensuring that promoters provide high quality and accurate data. For example, training is offered to promoters on the transactional and system information and how it is managed throughout the production cycle. These training sessions are provided on a monthly basis alternating between Montreal, Toronto or Vancouver. Webinars are also possible as well as customized training sessions.

In addition to training, CESP promoters have to undergo and pass industry testing to ensure that the systems used by the promoters can communicate with the CESP system in the correct manner so that there is reliable two-way communication. Although industry testing is important, it provides limited insight as to how the data itself is created. This aspect is included in the preliminary assessment and is also examined during the compliance review which is discussed in Section 2.2. Overall, controls around data integrity work well together and provide an environment that allows for the adequate management of the program (less than 2% of all transactions are rejected).

2.2 Compliance reviews processes and controls are adequately designed

Over the years, CESP management has evolved its risk-based approach to select promoters for compliance reviews. In 2003, the Department assessed the risk attached to a promoter based on its size and number of transactions. This assessment methodology was formalized in 2007 with the introduction of a tool to assist management in producing repeatable assessments. The tools kept being refined throughout the years where different weights were assigned to each risk factor such as materiality to determine which promoter would be selected for review. In 2012, issues arose with some promoters that were not “captured” by the risk assessment methodology and the model was adapted to better respond to emerging risks. The current strategy for compliance reviews consists of the following:

• For the six riskiest promoters, a compliance review is performed on a yearly basis.
• For the next 20 riskiest promoters, a compliance review is performed every two to three years. Scope is decided beforehand and can be tailored to focus review efforts on higher risk areas within the promoter’s organization. This is usually based on previous reviews as well as data from the preliminary assessment (see Section 2.1).
• All other promoters are subjected to a compliance review every three to five years.

Overall, all promoters will be subjected to a compliance review over a five year period. Of note, 95% of all money paid by the CESP resides with the top 26 promoters (subjected to a review at least every two to three years).

Any arising change at any of the promoter’s organization can result in the scheduling of a compliance review. For example, if a promoter changes their system or adds a new incentive to their specimen plan, CESP management would notice a change in the monthly data sent and could bring forward a compliance review.

CESP management has established adequate controls and tools to assess the promoters’ compliance with legislative, financial and administrative requirements. As part of the compliance review, CESP management conducts fact-finding interviews with a promoter’s administrative and managerial staff. They also evaluate the promoter’s system functionality as well as job-shadow some of the promoter’s RESP administrative staff. This is done to provide assurance that the promoter follows its own stated procedures. As part of the site visit, every opportunity is taken to educate the promoter’s staff on their various responsibilities. Finally, from a control perspective, testing of actual transactions that have been processed is performed to verify accuracy.

The 2013–14 summary of promoters’ performance in the administration of CESP incentives, as measured through Compliance and Monitoring activities, captures the results of the 27 reviews performed that year. The following table summarizes the conclusions of those reviews.

All promoters who received an “Attention required” rating were scheduled for a subsequent follow-up review. Most common recurring issues are related to:

• Unfilled transactions: These are transactions that the promoter has recorded but has failed to submit to the program. Some of these transactions have a financial impact (e.g. unfilled grant repayment transactions). As a result, compliance officers have developed additional control objectives to identify such unfilled transactions when performing on-site visits. With the recent focus on such transactions, reasonable assurance can now be provided that the remaining unfilled transactions are not financially material.
• Grant repayment transactions: Most errors are related to transactions transmitted with improper codification of the reason for repayment. These errors have no financial impact.
• Termination adjustment transactions: Most errors in this category are due to the promoters’ system submitting transactions in error (i.e. when they should not have been). Few errors affected the actual grant balance (mostly due to redemption fees).
• Unregistered account: Errors in this category are often due to unregistered account having a registered status at the promoters. This has no financial impact but can create reporting issues.

Compliance review results are communicated to each promoter in a report which details the findings, critiques the promoter’s administrative processes, and usually provides detailed instructions to the promoter on how to resolve observations of non-compliance, and how to address any emerging risks that have been identified. Promoters are required to submit action plans to correct deficiencies identified in the report. If a promoter’s action plan is deemed reasonable by CESP management, a follow-up review is scheduled within one year after the implementation of the action plan.

If the promoter does not make adequate progress on their action plan, the Department can ultimately opt to invoke official escalation steps against the promoter. The CESP’s Escalation Policy details the repercussions that may be faced by non-compliant promoters. Staff interviewed by Internal Audit indicated they had sufficient leverage to incite promoters to resolve issues as they are raised.

Current staffing levels are adequate though compliance reviews require specialized knowledge and succession planning is difficult. In the event two employees would leave the compliance review unit at any given time, it would become difficult to provide the required level of assurance based on the current promoter base.

CESP management has established mechanisms to maintain the confidentiality, integrity and authenticity of transactions with ESDC. Files are transferred using the Managed Secure File Transfer (MSFT), a Public Works and Government Services Canada service used to transmit up to Protected B files. Each promoter has its own folder in the system and cannot access other promoters’ files. Files are taken from the MSFT and imported into departmental systems. The MSFT provides controls around confidentiality, integrity and authenticity of data. As part of compliance reviews, information protection controls are assessed at the promoter’s site. In cases where the promoter uses a third party to deliver the program, third party agreements are reviewed to ensure that protection of information is included in the agreement.

Criteria

It is expected that CESP management:

1. Established controls to ensure that promoters qualify for program delivery.
   
   Rating: sufficiently controlled, low risk exposure
2. Has an assessment methodology to identify risks associated with promoters at enrolment.
   
   Rating: sufficiently controlled, low risk exposure
3. Uses results from their risk assessment to inform the frequency and extent of compliance reviews.
   
   Rating: best practice
4. Has implemented controls to reduce the number of rejected transactions and grant denials by ensuring that promoters provide high quality and accurate data.
   
   Rating: sufficiently controlled, low risk exposure
5. Adopts a risk based approach to select promoters for compliance reviews.
   
   Rating: best practice
6. Established adequate controls, support and tools to assess the promoters and their service providers’ compliance with legislative, financial and administrative requirements.
   
   Rating: sufficiently controlled, low risk exposure
7. Has mechanisms to assess the capacity of promoters to maintain the confidentiality, integrity and authenticity of transactions with ESDC.
   
   Rating: sufficiently controlled, low risk exposure
8. Has reporting and escalation mechanisms as well as follow-up processes to incite promoters to resolve issues as they are raised.
   
   Rating: sufficiently controlled, low risk exposure