Audit of the delegation of authorities for select human resources processes

Executive summary

Numerous Human Resources (HR) authorities are delegated to deputy heads of departments through various pieces of legislation and central agency policies. The departmental Table of HR Authorities identifies these authorities, the level of approval required and any references, limitations and conditions that may apply. Managers may exercise delegated authority only within their field of jurisdiction or their area of responsibility unless otherwise indicated and within the specified conditions and limitations.

When delegating authorities and providing sub-delegation, the Department must ensure that managers being granted authority meet certain set conditions. The different delegation functions that must be managed are:

• Appointment and appointment-related authorities stemming from the Public Service Employment Act (PSEA) including internal and external appointments to the public service.
• HR related authorities stemming from the Financial Administration Act (FAA) including authorities related to classification of positions, overtime and certain types of leave which require financial delegation.
• All other delegations that are dictated by the National Joint Council (NJC) directives and other acts and regulations. These authorities pertain to areas such as official languages, labour relations and employment equity.

When exercising HR authorities, managers are encouraged to consult with HR officials for advice and guidance. The Human Resources Services Branch’s (HRSB) Centre of Expertise is responsible for managing departmental staffing-related sub-delegation and for providing expert advice regarding HR related authorities.

Since April 13, 2015, the Department is using myEMS (PeopleSoft). With the implementation of PeopleSoft, managers can now electronically authorize a number of HR related transactions for which they have sub-delegated authority.

The audit focussed on non-staffing related processes which are outlined in Appendix A. It also included two staffing related processes, specifically acting appointments and acting extensions. Other staffing processes were not examined as they were covered in 2014 by an external audit.

Audit objective

The objective of this audit was to assess whether controls related to delegated HR authorities for selected processes are adequately designed and operating as intended to support the appropriate authorization of transactions.

Summary of key findings

• Roles and responsibilities, structures providing enabling support as well as awareness and training programs are well defined and adequately implemented. Although they play a foundational role in supporting the management of delegated HR authorities across the Department, they are not sufficient in and of themselves to ensure that only authorized individuals can exercise their delegated authority.
• myEMS (PeopleSoft) is used for leave management and compensatory overtime authorization. Controls within this system are not sufficient to confirm that appropriate financial delegation is in place prior to authorization. This allows individuals to exert authorities they may not possess. The current control environment relies on compensatory controls (such as training and warnings) rather than an effective set of automated controls. Some automated controls are in place for compensatory overtime approval but they do not operate effectively due to discrepancies between the authority table used by myEMS (PeopleSoft) and the financial authority table in myEMS (SAP).
• For processes where delegated authority is manually verified, Internal Audit found that the adequacy of the control environment ranged from adequate (for processes to authorize rates of pay higher than the minimum and to approve payment in cash of unused vacation leave credits) to deficient (for telework agreements). In a number of cases for acting appointments and extensions as well as for telework, records of appropriate approval level for specific transactions were not on file. For these processes, evidence of approval is either not recorded in a central repository or not reliably kept on file which makes monitoring and reporting nearly impossible.
• The level of effort required from the Department to provide Internal Audit with some authorization data (who approved what, and when) was significant. For approvals of changes to linguistic profiles of bilingual positions and approvals related to termination of employment, the burden was so high that Internal Audit decided not to pursue further testing. In those cases, either data extraction required extensive manipulation or approval was recorded on paper forms kept by individual managers (highly decentralized).
• For the HR processes reviewed as part of this audit (see Appendix A), monitoring and reporting was limited to acting appointments and changes to official languages profiles. Internal Audit found little evidence that managers or corporate functions adequately monitored or reported on the approval of telework arrangements, vacation, sick and other leave with pay, advances of sick leave credits and leave without pay.

Audit conclusion

The design adequacy and operating effectiveness of controls supporting the authorization of transactions for HR processes examined vary significantly. Although training, delegation instruments and policies are in place, they are not sufficient to adequately enforce the delegation of authorities for a number of HR processes reviewed in this audit. As such, the current control framework does not ensure that only authorized individuals can exercise their delegated authority.

Recommendations

1. HRSB should implement appropriate automated controls to ensure that transactions submitted through the Human Resources Service Centre portal are in line with the established financial, staffing and managerial authorities required for the transaction submitted.
2. HRSB should modify the authorization process for telework arrangements so the evidence of approval can be recorded centrally, enforced, monitored and reported on.
3. HRSB should develop a risk-based monitoring framework for non-staffing related authorities to verify that only authorized individuals exercise their authority.

1.0 Background

1.1 Context

Numerous HR authorities are delegated to deputy heads of departments through various pieces of legislation and central agency policies. The departmental Table of HR Authorities identifies these authorities, the level of approval required and any references, limitations and conditions that may apply. Managers may exercise delegated authority only within their field of jurisdiction or their area of responsibility unless otherwise indicated and within the specified conditions and limitations.

When delegating authorities and providing sub-delegation, the Department must ensure that managers being granted authority meet certain set conditions. The different delegation functions that must be managed are:

• Appointment and appointment-related authorities that are dictated by the PSEA. The PSEA provides the Public Service Commission (PSC) the authority to make internal and external appointments to the public service. It also authorizes the Commission to delegate appointment and appointment-related authorities. The PSC has delegated its authorities via the Appointment Delegation and Accountability Instrument to the Deputy Minister (DM) of Employment and Social Development Canada (ESDC) to exercise and perform powers, functions and duties within its jurisdiction. The DM is encouraged to delegate many of her authorities and ensure staffing delegation is sub-delegated to as low a level as possible.
• Financial related delegations are regulated by the FAA. If there are financial implications involved with specific HR authorities, then that delegation must be exercised in accordance with financial delegation. For example, authorities related to classification of positions, overtime and certain types of leave require financial delegation.
• All other delegations are dictated by the NJC directives and other acts and regulations. These authorities pertain to areas such as official languages, labour relations and employment equity.

When exercising HR authorities, managers are encouraged to consult with HR officials for advice and guidance. The HRSB Centre of Expertise is responsible for managing staffing-related sub-delegation and for providing expert advice regarding HR related authorities in the following areas:

• Compensation and Benefits
• Health, Safety and Disability Management
• Labour Relations
• Values and Ethics Oversight
• Staffing
• Official Languages
• Employment Equity
• Workforce Adjustment

In order to appropriately manage staffing authorities, the Department is maintaining a database that identifies all sub-delegated managers including acting managers.

The Department is using myEMS (PeopleSoft) effective April 13, 2015. With the implementation of PeopleSoft, it is important that access privileges be consistent with the HR authorities granted for approving transactions within PeopleSoft.

In 2014 the PSC undertook an audit of ESDC’s appointment framework, which included a review of the sub-delegation instrument for staffing. Some observations were noted in the area of capacity, monitoring and compliance. Management has since completed the implementation of the corrective actions outlined in its Management Action Plan.

1.2 Audit objective

The objective of this engagement was to assess whether controls related to delegated HR authorities for selected processes are adequately designed and operating as intended to support the appropriate authorization of transactions.

1.3 Scope

The scope of this audit included key controls pertaining to delegated HR authorities for selected processes (see Appendix A for a complete list). Transactions between January 1, 2015 and May 31, 2016 were selected for testing purposes.

The audit scope did not include staffing delegations (excepted for acting appointments and extensions). This was covered by the PSC Audit of Staffing in 2014 which included ESDC appointment activities between December 1, 2012 and November 30, 2013. In addition the audit excluded the review of the PeopleSoft implementation project and the Phoenix Pay integration module.

1.4 Methodology

• Review of transactions and analysis for selected HR processes (see Appendix A)
• Documentation review and analysis
• Scenario testing of system controls embedded within PeopleSoft
• Interviews with HRSB management and staff

Representatives from HRSB, Chief Financial Officer Branch, Integrity Services Branch and Regional Security offices were interviewed in order to have a comprehensive view of the control environment.

2.0 Audit findings

2.1 Governance and accountability structures are in place

Internal Audit has reviewed the departmental policies supporting delegation of authorities. The Human Resources Policy Framework specifies requirements which are common to all HR policies. Amongst these requirements is the need to comply with delegation as per the Table of HR Authorities. In addition, the new ESDC Staffing Direction has strict provisions on delegated authorities. As such, all staffing sub-delegated managers signed a new attestation form prior to initiating staffing activities on or after April 1, 2016. All of these policies, directives and supporting instruments are clearly documented and easily accessible through the departmental intranet.

The main supporting instrument for delegation is the departmental Table of HR Authorities. The Table establishes a detailed listing of HR authorities and identifies the level to which they are sub-delegated. Internal Audit reviewed the April 2016 version of the Table and found that it aligns with existing Government of Canada accountability related legislations and instruments such as PSEA, the FAA and the NJC directives.

Accompanying the Table of HR Authorities is the departmental Staffing sub-delegation list of managers. This document lists all managers granted staffing sub-delegation by the DM. Updates to the list of staffing authorities are well controlled through a network of branch and regional coordinators. For each branch or region, Assistant Deputy Ministers (ADMs) recommend a list of managers for approval by the DM. Prior to being recommended for staffing sub-delegation, managers must have had valid training from the Canada School of Public Service. In addition, current sub-delegated managers were required to complete an orientation session as part of the implementation of the new departmental staffing direction (in effect since April 1, 2016).

Internal Audit found that the training related to non-staffing authorities was scarce. These authorities are clearly outlined in the Table of HR Authorities and managers and executives are advised to contact HR for guidance if they are unsure whether they have the delegated authority to authorize a particular HR transaction. Nonetheless, we found a number of cases where individuals authorized transactions for which they did not have the delegated authority.

Although governance, policy instruments and training play a foundational role in supporting the management of delegated HR authorities across the Department, they are not sufficient in and of themselves to ensure that only authorized individuals can exercise their sub-delegated authority.

2.2 Automated controls do not adequately support delegated authorities

Since April 1, 2015, myEMS (PeopleSoft) is used for leave management and compensatory overtime. These requests and their approval are created, recorded and routed entirely within the system. The system, and its automated controls, is owned by Treasury Board Secretariat’s Office of the Chief Human Resources Officer. Internal Audit reviewed transactions for four processes which are entirely performed in myEMS (PeopleSoft). The following table outlines the testing results.

In its current configuration, controls within myEMS (PeopleSoft) are not sufficient to confirm that appropriate delegation is in place prior to authorization. This allows individuals to exert authorities they may not possess. The current control environment relies on compensatory manual controls (such as training, warnings and manager due diligence) rather than an effective set of automated controls.

In some cases, automated controls are not as effective as intended. For example, myEMS (PeopleSoft) has built-in controls to verify if a compensatory overtime approver has the required financial authority to approve such transaction. However, our test results showed that the authority table used by myEMS (PeopleSoft) is not reflective of the financial authority table located in myEMS (SAP) creating a 11% error rate.

In other cases (leave with pay and sick leave advance), myEMS (PeopleSoft) does not enforce any control around the authority of the approver. Furthermore, in the case of sick leave advance, the system does not warn the approver that the request will cause a sick leave to be advanced.

Considering the weakness of automated controls in myEMS (PeopleSoft) and the limited influence the Department can exert over enhancements to the application (it is owned by the Treasury Board Secretariat), a risk-based monitoring framework is essential in ensuring that only authorized individuals can exercise their delegated authority (see section 2.4 for audit finding on monitoring and reporting).

2.3 Effectiveness of manual controls around delegated authority varies significantly

There are various HR processes where sub-delegated authority is manually verified. These processes include staffing actions, pay-related actions, and modification to the language requirements of a position. These transactions are submitted using the Human Resources Service Centre portal. For each transaction submitted, the user is asked to submit the name of the delegated manager accountable for the transaction. In its current state, the portal allows any name to be put in that field. As a result, HRSB has to manually verify that the approver has the adequate delegated authority upon receipt of each transaction.

Internal Audit reviewed five processes where sub-delegated authority had to be manually obtained and verified before being enacted. The following table outlines the testing results:

For telework arrangements, HRSB is not responsible for the verification of the sub-delegated authority. The departmental Telework Directive stipulates that ADMs are responsible for approving telework requests and Regional Security Officers track and maintain lists of approved telework agreements.

Our test results indicate that the effectiveness of manual controls around delegated authority varies significantly. In a number of cases for acting appointments and extensions as well as for telework, records of approval could not be located.

For these processes, evidence of approval is either not recorded in a central repository or not reliably kept on file which makes monitoring and reporting nearly impossible. The Department has introduced a new version of the Telework Directive on May 20, 2016. This new version could address some of the issues encountered in our file review such as further limiting the use of telework but the auditors still believe that the revised Directive will not address records keeping issues.

There were two other processes that Internal Audit initially planned to review. However, the level of effort required from the Department to provide the auditors with the authorization data (who approved what, and when) for these processes was so intensive that Internal Audit decided not to pursue further testing:

• Approvals of changes to linguistic profiles of bilingual positions
• Approvals related to termination of employment

2.4 Monitoring and reporting on delegation of authorities is limited

Some monitoring activities are performed to inform senior management of trends and overall performance of the HR function. For example, HRSB has developed a Staffing Risk Assessment Framework effective April 1, 2016. This Framework allows for high-risk staffing actions to be escalated to the ADM level and reported to the Centre of Expertise – Workforce Strategies by the HR Consultant for monitoring purposes and trend analysis. The Framework includes reporting mechanisms to inform the DM of monitoring results at the departmental level. At the conclusion of our audit, we were informed there were no high-risk staffing actions since the Framework was implemented in April 2016.

In addition, adherence to the staffing policy suite is assessed as part of staffing monitoring and annual reporting to the PSC by way of the Departmental Staffing Accountability Report. This complies with the PSC’s requirements for staffing sub-delegation as set out in the Appointment Delegation and Accountability Instrument. The annual monitoring and reporting plan identifies areas for study or review that are of specific interest or concern in terms of the management of the Department’s staffing policies and programs.

Internal Audit found little evidence of monitoring or reporting on delegated authorities for the following non-staffing activities:

• Processes to approve a telework arrangement
• Processes related to termination of employment
• Processes to determine the language requirements of positions and the linguistic profile of bilingual positions
• Processes to approve compensatory overtime
• Processes to approve vacation, sick and other leave with pay
• Processes to approve leave without pay
• Processes to advance sick leave credits up to the maximum prescribed
• Processes related to managing access to disciplinary measures data and Labour Relations grievances data

Internal Audit had to deal with various departmental units and request custom reports from a number of data sources to test the effectiveness of the control environment supporting delegated authorities. Authorization data (who approved what, and when) is either not systematically recorded or recorded in different (sometimes conflicting) data repositories. Given the amount of data manipulation required to analyse this information, we conclude that regular or systematic monitoring is not performed.

Considering the weakness of the control environment for some of these processes, an effective monitoring regime that can detect higher risk or unauthorized transactions is critical to ensuring that only authorized individuals can exercise their delegated authority.

3.0 Conclusion

The design adequacy and operating effectiveness of controls supporting the authorization of transactions for HR processes examined vary significantly. Although training, delegation instruments and policies are in place, they are not sufficient to adequately enforce the delegation of authorities for a number of HR processes reviewed in this audit. As such, the current control framework does not ensure that only authorized individuals can exercise their delegated authority.

4.0 Statement of assurance

In our professional judgement, sufficient and appropriate audit procedures were performed and evidence gathered to support the accuracy of the conclusions reached and contained in this report. The conclusions were based on observations and analyses at the time of our audit. The conclusions are applicable only for the delegation of authorities for human resources processes selected as part of the scope of this audit (see Appendix A). The evidence was gathered in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing.

Appendix A: Audit criteria assessment

Audit criteria : Governance and accountability structures are in place, including definitions of roles and responsibilities, organizational structures as well as awareness and training programs, to support the management of Delegation of Authority for HR across the Department.

• Rating : Sufficiently controlled, low risk exposure

Audit criteria : Departmental monitoring of and reporting on Delegation of Authority for HR requirements have been implemented.

• A) Acting appointments related processes
  • Rating : Sufficiently controlled, low risk exposure
• B) Non-Staffing related processes
  • Rating : Missing key controls, high risk exposure

Audit criteria : Documented processes are in place, up to date and communicated to all affected staff to ensure that only authorized individuals can exercise sub-delegated authority, consistent with the Department’s Delegation of Authority for HR.

• A) Processes related to acting appointments and acting extensions
  • Rating : Controlled, but should be strengthened, medium risk exposure
• B) Processes to authorize a rate of pay higher than the minimum
  • Rating : Sufficiently controlled, low risk exposure
• C) Processes to approve payment in cash (cash-out) of unused vacation leave credits
  • Rating : Sufficiently controlled, low risk exposure
• D) Processes to approve a telework arrangement
  • Rating : Missing key controls, high risk exposure
• E) Processes to approve leave with income averaging
  • Rating : Controlled, but should be strengthened, medium risk exposure
• F) Processes related to termination of employment
  • Rating : Scoped out (lack of data)
• G) Processes to determine the language requirements of positions and the linguistic profile of bilingual positions
  • Rating : Scoped out (lack of data)

Audit criteria : HR systems implemented or under development have automated controls that are aligned with the Department’s Delegation of Authority for HR.

• A) Processes to approve compensatory overtime
  • Rating : Controlled, but should be strengthened, medium risk exposure
• B) Processes to approve vacation, sick and other leave with pay
  • Rating : Missing key controls, high risk exposure
• C) Processes to approve leave without pay
  • Rating : Missing key controls, high risk exposure
• D) Processes to advance sick leave credits up to the maximum prescribed
  • Rating : Missing key controls, high risk exposure
• E) Processes related to managing access to disciplinary measures data
  • Rating : Controlled, but should be strengthened, medium risk exposure
• F) Processes related to managing access to Labour Relations grievances data
  • Rating : Controlled, but should be strengthened, medium risk exposure

Appendix B: Glossary

ADM

Assistant Deputy Minister

DM

Deputy Minister

ESDC

Employment and Social Development Canada

FAA

Financial Administration Act

HR

Human Resources

HRSB

Human Resources Services Branch

IITB

Innovation, Information and Technology Branch

NJC

National Joint Council

PSC

Public Service Commission

PSEA

Public Service Employment Act