Audit of employee offboarding

List of abbreviations

ADM: Assistant Deputy Minister
AMP: Access Management Portal
BMS: Branch Management Services
CFOB: Chief Financial Officer Branch
CIO: Chief Information Officer
ESDC: Employment and Social Development Canada
HRSB: Human Resources Services Branch
ISB: Integrity Services Branch
KPI: Key Performance Indicators
MAP: Management Action Plan
IT: Information Technology
IITB: Innovation Information and Technology Branch
RMS: Regional Management Services

1. Background

1.1 Context

The Treasury Board Secretariat Policy on Financial Management and the Directive on Security Management (June 2024) require that the Department withdraw all access rights and departmental assets from departing employees, including physical access to facilities and digital access to systems and networks. The Employment and Social Development Canada (ESDC) Asset Management Policy mandates that all managers and employees are responsible for safeguarding assets and for the proper use of assets owned by the Department.

The ESDC employee offboarding process was significantly streamlined in July 2023 following the implementation of the Departures module in myEMS (PeopleSoft). The module provides a single and integrated point of entry for tasks of all involved enablers. It generates a checklist tasking managers and employees, and integrates notifications to key enabling functions, including Human Resources Services Branch (HRSB), Innovation Information and Technology Branch (IITB), Integrity Services Branch (ISB) and Chief Financial Officer Branch (CFOB) for responsibilities within their accountability. The Branch Management Services (BMS) and Regional Management Services (RMS) involvement in supporting managers within their Branches/Regions varies across the Department.

This audit provided an opportunity to assess the functioning and effectiveness of the offboarding process post-implementation of the Departures module and identify areas for improvement.

1.2 Audit Objective

The objective of this audit was to assess the adequacy and effectiveness of ESDC's employee offboarding process including whether: access controls for systems and facilities were in place, IT assets and government owned property were managed appropriately, and oversight, monitoring and reporting processes were established and functioning as intended.

1.3 Scope

The scope of this audit included all enabling functions (HRSB, IITB, ISB and CFOB) and other stakeholders (managers and BMS/RMS) involved in the offboarding process. It included the key elements of the Departures module from its implementation in July 2023 to November 2024.

The scope of this audit excluded the compensation process. Upon review of the associated controls, the residual risk for this element was deemed low. Furthermore, several audits have been conducted in this area in recent years. The scope also excluded acquisition cards, given several controls are in place that limit misuse of the acquisition card.

1.4 Methodology

The audit was conducted using several methodologies including:

2. Audit Findings

When used as intended, the Departures module streamlines the employee offboarding process, improves communication between enabling functions, and facilitates the prompt revocation of access to systems, software, and information, as well as the recovery of IT equipment for departing employees.

2.1 Communication and instructions for managers, enabling and support functions should be strengthened to be clear, concise, timely, and role-specific

While employee offboarding directives, guidelines and guidance exist, they are located across various sources (iService, regional sites and within the Departures module), causing confusion among stakeholders.

Most managers surveyed felt the Departures module has streamlined the offboarding process; however, some indicated they did not have sufficient guidance, instructions and training to fully execute their responsibilities.

The BMS/RMS representatives surveyed felt that their support function roles are unclear, with half of respondents not performing any offboarding tasks. Comments provided by the respondents suggested reviewing roles and responsibilities to better distribute tasks between managers and BMS/RMS would be helpful.

Recommendation

1. The Assistant Deputy Minister (ADM) of HRSB should:

  1. Collaborate with Business and Regional Management stakeholders to define and communicate clear roles and responsibilities of BMS/RMS in the offboarding process.
  2. Implement clear, concise and comprehensive guidance, instructions and best practices for managers and employees on all offboarding procedures.

Management Response

HRSB agrees with the recommendation to oversee the development and communication of clear roles and responsibilities for BMS/RMS in the employee offboarding process. This includes guidance resources to support managers and employees through the offboarding process. HRSB will collaborate with the appropriate stakeholders to ensure proper dissemination of the above noted materials.

2.2 The Departures module supports the revocation of system access and return of IT assets. However, delays occurred in both revoking access and returning assets

A ticket is automatically generated for IITB to request the recovery of IT equipment and to revoke access to systems the day after departure. However, the return of IT assets and the termination of system access were not consistently executed by IITB. Some tickets remained unresolved even after 60 days.

The IT Access Management portal provides employee-level information on assigned IT assets which is used by IT technicians when resolving tickets. However, this tool is not widely known to managers, who could use it to track IT assets during employee offboarding.

Before implementation of the Departures module, individuals without a myEMS (PeopleSoft) account were offboarded through the Access Management Portal (AMP). In November 2023, a control was implemented to prevent managers from offboarding any employee with a PeopleSoft account through AMP. Despite this control, 79 indeterminate employees with a PeopleSoft account were still offboarded using AMP from December 2023 to July 2024.

Recommendation

2. The Chief Information Officer (CIO) (ADM of IITB) should:

  1. Collaborate with HRSB to modify the Departures module to include a link to the IT Access Management portal along with adding instructions for managers to verify the IT assets assigned to departing employees are returned.
  2. Correct the Access Management Portal restriction control that is not effective or periodically monitor the Portal to verify that managers are not using the portal to offboard employees with a PeopleSoft account.

Management Response

Agree. The IT Asset Management system is a tool developed for IT technicians to track all end-user devices connected to the network. While the information it contains is already accessible to managers, it is not promoted because modifications would be required to meet the recommendations, which include making it accessible and bilingual.

The control currently in place is designed to effectively prevent managers from using the Access Management Portal for individuals registered in PeopleSoft. However, since the audit has found discrepancies, IITB will thoroughly review the audit findings to understand why the control was not fully effective and implement any necessary adjustments.

As part of Recommendations #1 and 2b, HRSB will re-communicate the current process for submitting offboarding (separation clearance) requests using a single digital window (PeopleSoft) to promote understanding of the departmental offboarding process. Communication to BMS and managers will be through Business Management Executive (BMX) and HR and Pay Bulletins.

2.3 Software and information access for departing employees and those changing roles within ESDC needs improvement

The Application catalog manages software licenses and usage by computers/devices rather than by employee. Consequently, the audit team, in consultation with IITB analysts, was unable to verify whether software licenses had been properly managed for departing employees and employees changing roles within ESDC. Based on our analysis, access changes for software and information were identified for only a small number of employees who moved to another branch within ESDC.

Restricting access to information necessary for job responsibilities helps ensure the security and privacy of sensitive data by limiting it to those who need it for their specific roles.

Recommendation

3. The CIO (ADM of IITB) should formalize, communicate, and monitor the process for the prompt removal or access adjustment when an employee leaves or changes roles within ESDC.

Management Response

Agree. IITB will continue to work in close collaboration with HRSB to ensure the secure and timely removal of system access for departing employees, in alignment with ESDC and TBS policy requirements. These efforts are supported by the implementation of the PeopleSoft Departures module and reinforced through established tools and processes.

Note: IITB complies with the TBS directive to remove access after 90 days of no activity on an employee account.

IITB will support HRSB in enhancing their business processes, including any transition from email-based communications to system-supported solutions for notifying changes in employee roles and departures. To address this, IITB will collaborate closely with HRSB to conduct a comprehensive risk assessment and identify viable solutions.

2.4 Processes to revoke physical access are decentralized across all regions and the security briefing process needs to be strengthened

While managers are accountable for returning photo ID/Access cards to ISB, there are no national procedures, guidance or set protocols for their recovery. Processes to promptly revoke physical access for former employees are decentralized across National Headquarters and all regions. There are no tickets generated from the Departures module to ISB prompting action.

Additionally, managers noted that returning photo ID/Access cards is challenging for staff in different regions, as employees cannot provide them directly to their manager.

ISB has initiated a potential mitigation measure to implement a new Integrated Security System, which is anticipated to be complete by July 2028. This system is expected to provide a standardized, secure access control system across all regions.

While the Departures module requires managers to provide a mandatory security briefing for departing employees, managers expressed uncertainty about how to conduct the briefing session and how to complete the Security Screening Certificate Briefing forms.

Recommendation

4. In the interim, prior to the implementation of the new Integrated Security System, the ADM of ISB should develop and communicate national guidance for the recovery of photo ID/Access cards. This should include:

  1. Procedure to inform managers of deactivation and clear guidance when managers and employees reside in different regions.
  2. Instructions in the Departures module for managers to complete the Security Screening Certificate and Briefing Form.

Management Response

Agree. ISB will develop clear national guidance for the recovery of photo ID/Access cards for managers and employees and will develop national guidance on the security briefing process along with instructions on completing the Security Screening Certificate and Briefing Form.

2.5 Oversight and monitoring of the employee offboarding process requires enhancement to support timely reporting on results

A "Standardized Offboarding Report" was created by HRSB to help BMS/RMS monitor employee departures and was shared with BMS/RMS stakeholders on May 30, 2024. While the standardized offboarding report tracks departures by type, branch, and manager, it does not monitor task completion timeliness. Moreover, results from our BMS/RMS questionnaire indicated that many BMS/RMS staff were unaware of this report.

HRSB's Modernization Programme, Benefits Realization report was issued in May 2024 and covered Departures module results from July 2023 to March 2024. It assessed benefits, cost avoidance, and identified Key Performance Indicators (KPIs), including the recovery of IT assets within 10 days. While KPIs are defined, results are not being tracked or reported on. Data analytics conducted by the audit team showed that a significant number of tickets for the recovery of IT assets remained unresolved after the 10-day KPI target.

Recommendation

5. The ADM of HRSB, in collaboration with ADMs of IITB, ISB, CFOB, should enhance oversight of employee offboarding to improve efficiency and timeliness. This should include:

  1. Revising the Standardized Offboarding Report to include timeliness of task completion to assist BMS/RMS in monitoring departures and periodically sending reports to ADMs and directors of BMS.
  2. Issuing periodic reports to management on KPI results, including access termination and asset recovery.
  3. Periodically seeking feedback from stakeholders on potential improvements.

Management Response

HRSB agrees to establish what information can be extracted to enhance the standardized report and subsequently provide stakeholders with the report once finalized for their use and monitoring of their respective business lines' use. HRSB will also periodically seek feedback from stakeholders on opportunities to improve the Departures module.

In addition to current commitments, HRSB will assess whether the status of system access termination, physical access termination and equipment return for departed employees could be added to a consolidated report / dashboard that would be disseminated to ADMs and Business Management Executive (BMX).

3. Conclusion

Internal Audit recognizes the Department's substantial efforts in implementing the Departures module, establishing key controls and taking major steps to digitize the employee departure process, which has enhanced the Department's ability to manage employee offboarding.

The audit concluded that communication and instructions for managers, enabling and support functions should be strengthened to be clear, concise, timely, and role-specific. While the Departures module supports the revocation of system access and return of IT assets, delays occurred in both revoking access and returning assets. Software and information access for departing employees and those changing roles within ESDC needs improvement. Additionally, the decentralized process to revoke physical access and the security briefing process require strengthening. Finally, oversight and monitoring of the employee offboarding process requires enhancement to support timely reporting on results.

4. Statement of Assurance

In our professional judgement, sufficient and appropriate audit procedures were performed and evidence gathered to support the accuracy of the conclusions reached and contained in this report. The conclusions were based on observations and analyses at the time of our audit. The conclusions are applicable only for the Audit of Employee Offboarding. The evidence was gathered in accordance with the Treasury Board Policy on Internal Audit and the International Standards for the Professional Practice of Internal Auditing.

Appendix A: Audit Criteria Assessment

Line of Enquiry 1: Employee Offboarding Access Management: Effective controls are in place when an employee leaves the Department preventing unauthorized access to data and facilities

Audit criteria | Rating
It is expected that access to system, software, and information is promptly revoked to prevent unauthorized access to sensitive data, data breaches or other forms of misconduct. | Controlled, but should be strengthened; medium-risk exposure
It is expected that removal or adjustment of system, software, and information access is completed in a timely manner when an employee changes roles within ESDC to prevent unauthorized access to sensitive and personal data where access or adjustment requires removal. | Controlled, but should be strengthened; medium-risk exposure
It is expected that physical access to facilities is promptly revoked for former employees to prevent unauthorized access to ESDC facilities and personnel. | Missing key controls; high-risk exposure
It is expected that offboarding procedures are in place for tasks where employees are working in a different region than their manager, including the return of access cards and photo IDs. | Controlled, but should be strengthened; medium-risk exposure
It is expected that systems used for employee offboarding with regards to access management are aligned and support the ongoing operations within the Departures module. | Controlled, but should be strengthened; medium-risk exposure

Line of Enquiry 2: Employee Offboarding Asset Management: Effective controls are in place to recover assets owned by the Department prior to the employees' departure

Audit criteria | Rating
It is expected that a policy, directive, or guidelines on the recovery of departmental assets is in place and expectations are communicated to key stakeholders. | Sufficiently controlled; low-risk exposure
It is expected that IT assets and government owned property are returned when employees leave the Department. | Controlled, but should be strengthened; medium-risk exposure
It is expected that accurate and complete records of IT assets and government owned property are maintained to support the offboarding process. | Controlled, but should be strengthened; medium-risk exposure
It is expected that systems used for employee offboarding with regards to asset management are aligned and support the ongoing operations within the Departures module. | Sufficiently controlled; low-risk exposure

Line of Enquiry 3: Employee Offboarding Oversight and Accountability: Monitoring and reporting mechanisms are in place to identify noncompliance of the employee offboarding process, incomplete record-keeping and process improvements

Audit criteria | Rating
It is expected that clearly defined, documented, and communicated roles and responsibilities of employees, managers, support and enabling functions are established within the offboarding process. | Controlled, but should be strengthened; medium-risk exposure
It is expected that overall oversight of the employee offboarding process is in place to monitor whether it is operating as intended and implement required improvements. | Missing key controls; high-risk exposure
It is expected that stakeholders involved in the departures process have ready access to employee offboarding data to support timely monitoring and reporting on results. | Controlled, but should be strengthened; medium-risk exposure
It is expected that employee offboarding communication and instructions are provided to employees, managers and enabling functions that are clear, concise, timely and specific to their responsibilities. | Controlled, but should be strengthened; medium-risk exposure

Page details

2025-12-19