Audit of the Separation Clearance Process

1.1 Context

The Treasury Board (TB) Policies on Financial Management and Government Security require that departments withdraw all authorities and property from individuals^{Footnote 1} on termination and remind them of their continuing responsibilities relating to the confidentiality of the sensitive information they had access to in the course of their employment. This includes certifying that all money owed to the Crown or to the employee is accounted for before leaving the department. Delegated departmental officials, in consultation with departmental human resource (HR) advisors, must develop procedures and ensure that debriefings and reclamations are scheduled and conducted as a component of the overall separation process.

In October 2013, Employment and Social Development Canada (ESDC), under the Enabling Services Renewal Program (ESRP)^{Footnote 2}, launched the Separation Clearance Process to improve and streamline internal service delivery through a “click/call/consult” model with increased focus on self-service. The automated Separation Clearance project was intended to be a phased approach using the results of each phase to make improvements until an enterprise-wide tool could be developed to support all interoperability and integration requirements. Although there have been some updates and changes over the past few years, the tool has not evolved past the initial process model which uses existing web-based HR technology.

The Human Resources Service Centre (HRSC) web application^{Footnote 3} was identified as an existing technology that could be delivered within the designated timeline to automate the former manual paper based Separation Clearance Process and realize cost-savings for the Department. 

It has come to our attention, during the audit, that the Human Resources Services Branch (HRSB) is currently leading a new initiative to improve both on-boarding (new hires) and off-boarding^{Footnote 4} (departures). This project is in the early planning stages and will be proposed as part of the departmental Investment Management Process in the Fall of 2018.

1.2 Audit Objective

The objective of the audit was to assess the adequacy of the separation clearance process, including the extent to which existing controls ensure the effective and efficient processing of employee separation.

1.3 Audit Scope

The audit work was conducted between February and June 2018.

The scope of this audit included applicable TB and ESDC policies, directives and guidance. It also included follow-up work to see if previous audit findings identified during the 2014 Audit of Compensation and Benefits were properly addressed.

The audit scope did not include testing of the due diligence relating to employees with privileged access, employees dismissed for just cause or employees who transferred to another position within ESDC. The audit did not examine the completeness and accuracy of inventory for information technology assets, this will be the subject of an upcoming audit. This audit assumes that managers and employees are dealing in good faith when they confirm that physical assets have been returned. Travel was not required for this audit.

1.4 Audit Methodology

The audit was conducted using a number of methodologies including:

• Interviews with the branches supporting the Separation Clearance Process, as well as other ESDC stakeholders as applicable;
• Documentation review and analysis;
• Review of a sample of data on ESDC employees who have permanently or temporarily left the Department from January 1, 2016 to June 30, 2017;
• Review of processes and procedures for permanent or temporary changes in employment status such as retirement, death, resignation or leave without pay for longer than 10 days;
• Review of processes and procedures for individuals hired for a predetermined period of time such as contractors and students; 
• Review of monitoring logs and audit trails in place for the protection of information assets; and
• Data analytics to cross check information between HR databases PROTECTED.

2.1 The separation clearance process does not adequately support the proper off-boarding of employees leaving the Department

2.2 PROTECTED

A completed Separation Clearance Process is meant to provide a certain level of assurance that the Department has withdrawn all authorities and recovered all departmental property from departing employees upon termination and to remind them of their continuing responsibilities relating to the confidentiality of the sensitive information they had access to in the course of their employment.

The signed Separation Clearance Application including the Security Screening Certificate and Briefing Form indicate that the manager has requested PROTECTED, met with the employee to collect physical assets and had a discussion with regards to information of business value and post-employment responsibilities. 

In reviewing the completed requests the audit team found that separation clearance applications are frequently not signed, as prescribed. Managers rely on the good faith of the employee in completing the asset checklist as they do not have access to any lists of government assets (there is no integrated system providing this information). This sign-off is an attestation between employee and manager that assets and information have been recovered and that the employee understands their post-employment responsibilities. 

The audit team found no evidence that enabling services branches followed-up on unsigned forms with the exception of the Security Screening Certificate and Briefing Form PROTECTED.

The audit testing revealed that out of 45% of completed requests for separation, managers initiated 22% after the employee left the Department. As outlined in Diagram 1, 39% of all requests were not completed. Audit testing discovered that incomplete requests are PROTECTED. We spoke to enabling services branches regarding these requests and were informed that:

• PROTECTED
• PROTECTED

The Separation Clearance Process is broken down into eight major components described below:

Step 1: Separation clearance activities are triggered by an employee, the employee's manager or an alternate contact^{Footnote 8} by completing a notice of separation in the form of a Separation Clearance Application found on the HRSC web application. While this process can be started before the employee’s last day it must be completed by the last official day of work, i.e. departure or leave without pay for more than 10 days.

Steps 2 and 3: The manager meets with the employee and reviews the PROTECTED of all assets assigned to the individual leaving the Department. This meeting includes a discussion with the individual on the conflict of interest and post-employment policy requirements.

Signed forms (wet signature) and other related information must be scanned and uploaded to the Separation Clearance Application to serve as a repository and back-up to the hard-copy originals. The manager then sends hard-copies of the Separation Clearance Application and the Security Screening and Briefing Form, to the applicable RSO of ISB. 

Once completed, the manager submits the Separation Clearance for further processing to the Enabling Services Branches: CFOB, ISB, IITB, and HRSB. 

Step 4: CFOB performs a financial review to ensure that departmental employees do not owe the Department any money related to travel advances, relocation advances, petty cash, emergency salary advances, etc. They also remove financial signing authority (Section 34) along with any acquisition or travel cards.

Step 5: ISB receives the Security Screening Certificate and Briefing Form and sends it to the Personnel Security Unit, National Headquarters, to have it placed within the departing employee’s personnel security file where it will remain PROTECTED.

Step 6: HRSB finalizes the compensation and benefits and contacts the Pay Centre to stop pay.

Step 7: PROTECTED.

Step 8: Once the Enabling Services Branches have completed their work, the manager receives an e-mail confirming that the employee has been successfully separated.