Audit of Grants and Contributions Recipient Information

Official title: Audit of Grants and Contributions Recipient Information – February 2017


Executive summary

The Employment and Social Development Canada (ESDC) 2016 to 2017 Report on Plans and Priorities presents $1.7 billion of planned expenditures on voted Grants and Contributions (Gs and Cs) programs (Footnote 1). Payments made to Gs and Cs recipients represent a significant commitment of ESDC's resources and affect the everyday lives of Canadians. Gs and Cs recipients are organizations and individuals that have been approved to receive payments as a result of their participation in Gs and Cs programs administered by the Program Operations Branch (POB) and the Processing and Payment Services Branch (PPSB), respectively.

The Common System for Grants and Contributions (CSGC) is the system of record of Gs and Cs recipient information. Client records containing Gs and Cs recipient information are stored in the Project Life Cycle (PLC) Module of CSGC for organizations and in the Client Module of CSGC for individuals.

The five key components of the Gs and Cs recipient information stored in CSGC are the recipient's name, postal address, business number or Social Insurance Number (SIN), direct deposit banking information and the contact information of the recipient's primary contact representative. The integrity and accuracy of the Gs and Cs recipient information are important to ensure payments issued by ESDC are made to the right recipient.

An audit of Gs and Cs Recipient Information, formerly named the Vendor Management Phase 2 audit, was approved as part of the 2015 to 2017 Risk-Based Audit Plan.

Audit objective

The objective of this audit was to assess the design and operating effectiveness of key controls that ensure the integrity of Gs and Cs recipient information and ongoing monitoring of Gs and Cs recipient information.

Summary of key findings

  • For the Apprenticeship Completion Grant (ACG) and Apprenticeship Incentive Grant (AIG) programs administered by PPSB, key controls to validate the integrity of the Gs and Cs recipient information are designed and operating effectively.
  • For Gs and Cs programs administered by POB that receive applications through Grants and Contributions Online Services (GCOS), which represented 5.2% of applications received during fiscal year 2015 to 2016, key controls to validate the integrity of the Gs and Cs recipient information are designed and operating effectively.
  • For Gs and Cs programs administered by POB that receive paper applications and applications through Interactive Fact Finding Service (IFFS), which represented 94.8% of applications received during fiscal year 2015 to 2016, key controls and informal validation activities used to validate the integrity of the Gs and Cs recipient information vary among the three categories of Gs and Cs programs identified by POB (Transactional Programs: low dollar value agreements, high number of recipients; Client-Based and Organizational Programs: moderate dollar value agreements; Community Programs: high dollar value, complex agreements).
  • Informal validation procedures are performed to verify Gs and Cs recipient information in the PROTECTED. POB informally validates the legitimacy of well-known recipients during the Assessment and Recommendation and Approval phases.
  • Some key controls are in place and informal validation activities are performed to verify components of the Gs and Cs recipient information in the categories of PROTECTED programs and PROTECTED programs.
  • Key controls related to roles and responsibilities and segregation of duties in managing Gs and Cs recipient information are designed and operating effectively.
  • Updates to Gs and Cs recipient information in CSGC and corresponding audit trails in CSGC are completed correctly and in a timely manner through key controls that are designed and operating effectively.
  • Key controls for monthly reconciliations between CSGC PLC module and Systems Applications and Products (SAP) are designed and operating effectively to ensure Gs and Cs recipient information is accurately reflected in both systems.
  • Key monitoring controls related to the analysis of the Gs and Cs recipient information are designed and operating effectively for PROTECTED and PROTECTED, as four of the five key components of the Gs and Cs recipient information are being validated. The analysis completed for these two programs is a useful tool to identify anomalies and unusual items in recipient information, and it should be used for the remaining eight programs examined in our audit.

Audit conclusion

Overall, the audit concluded that a control environment, comprised of key controls and compensating controls, is in place to validate the integrity of Gs and Cs recipient information. For Gs and Cs programs administered by POB that receive paper applications and applications through IFFS, some key controls combined with informal validation activities are being performed to verify selected components of Gs and Cs recipient information. For Gs and Cs programs administered by PPSB and for programs administered by POB that receive applications through GCOS, key controls are in place to verify the integrity of all components of Gs and Cs recipient information. Monitoring controls related to the analysis of the Gs and Cs recipient information such as the identification of anomalies are operating effectively for two of the ten Gs and Cs programs examined.

Recommendation

The Assistant Deputy Minister of POB should implement a risk-based approach to validate and monitor the integrity of Gs and Cs recipient information.

1.0 Background

1.1 Context

The ESDC 2016 to 2017 Report on Plans and Priorities presents $1.7 billion of planned expenditures on voted Gs and Cs programs (Footnote 1). Payments made to Gs and Cs recipients represent a significant commitment of ESDC’s resources and affect the everyday lives of Canadians. Gs and Cs recipients are organizations and individuals that have been approved to receive payments as a result of their participation in Gs and Cs programs administered by POB and PPSB, respectively.

The CSGC is the system of record of Gs and Cs recipient information. Client records containing Gs and Cs recipient information are stored in the PLC Module of CSGC for organizations and in the Client Module of CSGC for individuals.

1.2 Audit objective

The objective of this audit was to assess the design and operating effectiveness of key controls that ensure the integrity of Gs and Cs recipient information and ongoing monitoring of Gs and Cs recipient information.

1.3 Scope

A statistically valid sample comprising Gs and Cs payments administered by POB and Apprenticeship Grants payments administered by PPSB from the fiscal year 2015 to 2016 was tested to assess the design and operating effectiveness of key controls pertaining to the validation of Gs and Cs recipient information in CSGC. Gs and Cs programs administered by POB in the PLC Module of CSGC included in the scope of this audit were the PROTECTED. The scope also included the AIG and ACG programs administered by PPSB in the Client Module of CSGC.

The audit focused on the validation of the five key components of the Gs and Cs recipient information stored in CSGC: the recipient's name, postal address, business number or SIN, direct deposit banking information and the contact information of the recipient's primary contact representative.

The process of changing Gs and Cs recipient information was also tested to assess whether the change was completed by authorized personnel and agreed to supporting documentation on file. The quality monitoring review process completed for the AIG and ACG programs was tested to assess whether the monitoring was completed, the corrective actions taken if errors were identified in the payments processed and whether the results of the reviews were correctly included in the monitoring reports sent to National Headquarters (NHQ).

Granting and termination of user access to CSGC were tested to determine if the access requested was properly authorized and if the access termination was completed in a timely manner. Monthly reconciliations between the transactions recorded in CSGC PLC Module and SAP prepared by the Chief Financial Officer Branch (CFOB) were tested for proper completion and review of the reconciliations.

1.4 Methodology

This audit used a number of methodologies during the conduct phase completed between May and July 2016 including:

  • Documentation review and analysis;
  • Sampling and file review testing;
  • Process observation and analysis;
  • Interviews with management and staff from POB, PPSB, CFOB and Shared Services Canada;
  • On-site observations and walkthroughs at NHQ and regional processing centres; and
  • Data analysis to identify duplicate, erroneous information and other irregularities such as identical banking information, addresses and use of postal box address.

Travel to regional processing centres located in Calgary, Alberta, Sainte-Foy, Quebec and Miramichi, New Brunswick took place in July 2016.

2.0 Audit findings

2.1 Various key controls and informal activities are in place to validate Gs and Cs recipient information

The auditors expected to find a departmental requirement to validate the integrity of Gs and Cs recipient information through a formal process across all Gs and Cs programs. This formal process would include documented validation of the Gs and Cs recipient information for all Gs and Cs programs. The five key components of the Gs and Cs recipient information stored in CSGC that the auditors expected to be validated are the recipient's name, postal address, business number or SIN, direct deposit banking information and primary contact information.

Duplicate, non-existent or invalid Gs and Cs recipients

Unique business numbers and SINs are consistently used across all Gs and Cs programs to help prevent duplicate recipients.

Gs and Cs programs administered by PPSB

For the AIG and ACG programs administered by PPSB, we found that key controls in the validation process are designed and operating effectively. PPSB consistently validates the SIN in an automated manner using information in the Social Insurance Register database before payment processing is completed. Key components of the Gs and Cs recipient information are corroborated against documentation provided by recipients before payment processing is completed, which reduces the risk of payment to an illegitimate recipient.

Gs and Cs programs administered by POB – Applications received through GCOS

For Gs and Cs applications received through GCOS (5.2% of applications received in fiscal year 2015 to 2016), we found that key controls in the validation process are designed and operating effectively. The GCOS account registration process includes standard procedures that require the validation of the recipient organization's name, business or registration number, address and the identity of the Primary Officer (PO) with the Canada Revenue Agency database. An authorization code is mailed to the head of the organization to verify the PO as the authorized representative. The GCOS account registration process is completed once the PO enters the authorization code in GCOS to confirm their authority to act as a PO. It is the audit team's opinion that validation procedures completed as part of the GCOS account registration process reduce the risk that illegitimate recipients may be able to set up an account before submitting a Gs and Cs application.

Gs and Cs programs administered by POB – Paper applications and applications received through IFFS

For Gs and Cs paper applications and applications received through IFFS (94.8% of applications received in fiscal year 2015 to 2016), POB has implemented some key controls and performs informal validation activities to verify the integrity of the Gs and Cs recipient information. We were informed that POB classifies Gs and Cs programs into three categories and uses these categories for their Gs and Cs validation activities.

The PROTECTED programs consist of Gs and Cs programs that have PROTECTED. POB interacts with these recipients regularly during the Assessment and Recommendation and Approval phases and informally validates their legitimacy before contribution agreements are approved through meetings, on-site visits and correspondence. We found that two of the ten Gs and Cs programs included in the audit scope (PROTECTED) (Footnote 2) from this category had no formal validation procedures performed during fiscal year 2015 to 2016. Although these two Gs and Cs programs have the largest approved funding budgets, the risk of funding being provided to illegitimate applicants is the lowest because of ongoing interactions with applicants that are well known to POB and normally have had previous Gs and Cs agreements with the Department.

The PROTECTED programs consist of Gs and Cs programs that have PROTECTED. We were informed that Gs and Cs recipient information in this category is informally validated by POB Program Delivery Staff contacting recipients on a regular basis. Five of the ten Gs and Cs programs (PROTECTED) (Footnote 2) examined within the audit were in this category. During fiscal year 2015 to 2016, four of these five programs validated one key component, the recipient’s business number, using tools they developed independently such as pre-screening grids. We did not find any formal validation procedures completed in the PROTECTED program. Validation of all key components of Gs and Cs recipient information for programs in this category may mitigate the risk of approving funding for illegitimate applicants.

The PROTECTED programs consist of Gs and Cs programs that have PROTECTED that POB is not in contact with on a regular basis. Three of the ten Gs and Cs programs (PROTECTED) (Footnote 2) included in the scope of this audit were from this category. We found that PROTECTED has implemented an Applicant Verification Checklist that properly validates the key components of Gs and Cs recipient information. The PROTECTED program implemented a pre-screening criteria grid that validates the recipient’s business number. The PROTECTED program developed an Applicant Verification Checklist; however, not all regions are aware of the checklist and we also found there is no requirement to use the checklist. As a result, the checklist is used on an ad hoc basis when a Program Officer determines that the legitimacy of an organization needs to be verified. The PROTECTED program had PROTECTED in agreed departmental funding and more than PROTECTED applications in fiscal year 2015 to 2016. The absence of a formal process to validate Gs and Cs recipient information for PROTECTED programs with PROTECTED approved funding budgets increases the risk that illegitimate applicants may not be identified in a timely manner.

Taking into account the nature of existing Gs and Cs programs and the degree of interaction with recipients outlined above, the risk of approving funding for illegitimate applicants varies among the three categories of Gs and Cs programs. The audit team believes that a formal risk-based process to validate all key components of the Gs and Cs recipient information may mitigate the risk of approving funding for illegitimate applicants.

Segregation of duties and system access controls

Key controls related to roles and responsibilities and segregation of duties in managing Gs and Cs recipient information are designed and operating effectively. Roles and responsibilities for managing Gs and Cs recipient information are well communicated, segregated and understood through annual training, procedure manuals and supervision. Adequate segregation of duties was in place between approval of the contribution amount, expense claim and release of payment during fiscal year 2015 to 2016. Key controls for granting and termination of access to CSGC are designed and operating effectively.

Modifications to Gs and Cs recipient information

Modifications to Gs and Cs recipient information in CSGC and corresponding audit trails in CSGC are completed correctly and in a timely manner through key controls that are designed and operating effectively. A sample of changes to Gs and Cs recipient information during fiscal year 2015 to 2016 for Gs and Cs programs included in the audit scope was tested. Changes were completed by authorized personnel, agreed to supporting documentation on file and properly documented in CSGC.

Reconciliations between CSGC and SAP

Monthly reconciliations between transactions recorded in CSGC PLC Module and SAP prepared by CFOB are designed and operating effectively. Key controls in POB's verification of banking information for recipients using the direct deposit payment method, Section 34 review, and approval of claims were designed and operating effectively during fiscal year 2015 to 2016.

The audit recommendation pertaining to the validation of Gs and Cs recipient information is included within Section 2.2 below.

2.2 Monitoring mechanisms to analyse Gs and Cs recipient information need to be improved

The auditors expected to find a risk-based monitoring mechanism to analyze the five key components of the Gs and Cs recipient information including changes to these components. Monitoring results could help identify unusual trends or anomalies and, where appropriate, results could be reported to Senior Management in a timely manner.

The auditors found that key monitoring controls to analyze Gs and Cs recipient information are designed and operating effectively for PROTECTED and PROTECTED, for four of the five key components. For both programs POB identifies anomalies and unusual items in the four key components of the Gs and Cs recipient information. However, PROTECTED information is not analysed. Examples of analytical work being performed include reviewing reports completed during the intake process to proactively identify suspect proposals through possible links to previous projects which have had issues, and analyzing administrative data to identify outliers. POB also completes data cleaning elements reports for PROTECTED and PROTECTED to identify errors in the recipient's address, business number and telephone numbers that need to be addressed before the anomalies analysis is performed.

The audit team did not identify any unexplained unusual items or anomalies in the data provided by POB and PPSB for fiscal year 2015 to 2016. We believe that the adoption of a risk-based monitoring practice may reduce the risk that anomalies in the Gs and Cs recipient information may not be identified, reported and actioned in a timely manner.

Recommendation

The Assistant Deputy Minister of POB should implement a risk-based approach to validate and monitor the integrity of Gs and Cs recipient information.

Management response

Management agrees with the recommendation and will proceed with the development of options to standardize the validation process based on a risk-based approach for applications received outside of GCOS. Actions are expected to be completed by March 2017.

3.0 Conclusion

Overall, the audit concluded that a control environment, comprised of key controls and compensating controls, is in place to validate the integrity of Gs and Cs recipient information. For Gs and Cs programs administered by POB that receive paper applications and applications through IFFS, some key controls combined with informal validation activities are being performed to verify selected components of Gs and Cs recipient information. For Gs and Cs programs administered by PPSB and for programs administered by POB that receive applications through GCOS, key controls are in place to verify the integrity of all components of Gs and Cs recipient information. Monitoring controls related to the analysis of the Gs and Cs recipient information such as the identification of anomalies are operating effectively for two of the ten Gs and Cs programs examined.

4.0 Statement of assurance

In our professional judgement, sufficient and appropriate audit procedures were performed and evidence gathered to support the accuracy of the conclusions reached and contained in this report. The conclusions were based on observations and analyses at the time of our audit. The conclusions are applicable only for the assessment of key controls pertaining to the Gs and Cs programs' recipient information examined in the audit. The evidence was gathered in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing.

Appendix A: Audit criteria assessment

  • Audit Criteria: It was expected that the Department has designed and implemented controls to prevent duplicate, non-existent or invalid Gs and Cs recipients in CSGC.
    • Rating: Controlled, but should be strengthened, medium risk exposure
  • Audit Criteria: It was expected that the Department has developed roles and responsibilities for managing Gs and Cs recipient information that are well defined, communicated and consistently applied.
    • Rating: Sufficiently controlled, low risk exposure
  • Audit Criteria: It was expected that the Department has designed and implemented controls and appropriate segregation of duties to ensure that only officers with authorized access to CSGC can set up or modify Gs and Cs recipient information.
    • Rating: Sufficiently controlled, low risk exposure
  • Audit Criteria: It was expected that the Department has developed and implemented processes to ensure that updates of Gs and Cs recipient information in CSGC are completed correctly in a timely manner.
    • Rating: Sufficiently controlled, low risk exposure
  • Audit Criteria: It was expected that the Department has completed reconciliations between CSGC and SAP on a regular basis to ensure Gs and Cs recipient information is accurately reflected in both systems for Gs and Cs payments completed.
    • Rating: Sufficiently controlled, low risk exposure
  • Audit Criteria: It was expected that the Department has mechanisms to monitor Gs and Cs recipient information and ensure that unusual changes to Gs and Cs recipient information are reported to appropriate levels of management and corrective actions are completed in a timely manner.
    • Rating: Controlled, but should be strengthened, medium risk exposure
  • Audit Criteria: It was expected that the Department has controls in place to ensure that audit trails are produced and retained following modifications to Gs and Cs recipient information.
    • Rating: Sufficiently controlled, low risk exposure

Appendix B: Glossary

ACG: Apprenticeship Completion Grant

AIG: Apprenticeship Incentive Grant

CFOB: Chief Financial Officer Branch

CSGC: Common System for Grants and Contributions

ESDC: Employment and Social Development Canada

Gs and Cs: Grants and Contributions

GCOS: Grants and Contributions Online Services

IFFS: Interactive Fact Finding Service

NHQ: National Headquarters

PLC: Project Life Cycle

PO: Primary Officer

POB: Program Operations Branch

PPSB: Processing and Payment Services Branch

SAP: Systems Applications and Products

SIN: Social Insurance Number
