Audit of the Management of Grants and Contributions at Health Canada
Table of Contents
- Executive summary
- A – Introduction
- B – Findings, recommendations and management responses
- C – Conclusion
- Appendix A – Lines of enquiry and criteria
- Appendix B – Scorecard
List of acronyms
- Grants and Contributions
- Chief Financial Officer Branch
- Management Control Framework
- Information Technology General Controls
- Grants and Contributions Information Management System
- Indigenous and Northern Affairs Canada
- First Nations and Inuit Health Branch
- Strategic Policy Branch
- Transfer Payments Management Services (CFOB)
- Senior Management Committee (FNIHB)
- Director Committee on Grants and Contributions (FNIHB)
- Capacity, Infrastructure and Accountability Division (FNIHB)
- Office of Grants and Contributions (SPB)
- Corporate Risk Profile
- Risk Priority Areas
- Corporate Overview of Organizational Plans
- Standard Operating Procedures
- Sex and Gender Based Analysis
- Monthly Variance Report
- Strategic Policy Planning and Information Directorate (FNIHB)
- Management Operational Plan
- pan-Canadian (health organizations funded by SPB)
Health Canada (“HC” or “the Department”) uses Grants and Contributions (G&Cs) to provide funding to First Nations and other recipients, as part of fulfilling the departmental mandate and its strategic outcomes. Departmental spending on G&Cs amounted to more than $1.8B in each of the past three fiscal years.
G&Cs represent transfer payments by the Government of Canada, and are a major commitment of government resources. They are governed by the Treasury Board's Policy on Transfer Payments and Directive on Transfer Payments, which took effect on October 1, 2008 and were last updated April 1, 2012. The objective of the Policy and Directive is to manage transfer payment programs with integrity, transparency and accountability, taking into account risk, ensuring that programs are effectively focused on citizens and beneficiaries, and designed to achieve various Government of Canada priorities and expected results.
Within the Department, in order to provide an integrated framework for the management of G&Cs and to facilitate adherence to the principles and expectations of the Policy on Transfer Payments, the Chief Financial Officer Branch (CFOB) has put in place the Management Control Framework (MCF) for Grants and Contributions.
The MCF for G&Cs establishes organizational level roles and responsibilities for the delivery of G&Cs and represents the Department's expectations for G&Cs management. To this end, it sets out controls grouped under two defined G&Cs management functions: Program Management and Transfer Payment Management.
The objective of the audit was to assess the MCF related to the planning, implementation, management, monitoring, and reporting of G&Cs programs, in compliance with the Treasury Board's Policy on Transfer Payments.
The audit focused on governance, risk management and internal controls and processes related to the ‘Program Management Functions', as defined in the Department's MCF for G&Cs and include:
- the development of policies, procedures, support tools, IT/IM systems, and training in support of program roll-out and ongoing management; and,
- directives, processes, and activities already in place to inform program management of performance, financial results, and program-level risks, as well as to monitor the application of program requirements in the regions.
As a result of interviews, examination of documentation, and testing procedures, sufficient and appropriate audit evidence was obtained to support the audit conclusion.
The audit concluded that there is an adequate MCF in place including governance, risk management processes, and related internal controls to support program management functions for G&Cs. Areas where effective processes and sound management practices were identified include:
- robust committee structures supporting effective governance, recipient and multi-stakeholder engagement, and information sharing;
- clear and comprehensive central guidance provided to programs, supported by responsive centres of expertise and functional areas within all branches;
- collaboration within the Department and inter-departmentally resulting in significant standardization of processes, tools and management practices;
- well-controlled processes for managing design, re-design and renewal of programs and related submissions; and,
- a strong planning process that demonstrates alignment of planned activities with identified departmental and branch priorities, and is effective in managing financial resources.
However, opportunities for improvement to further strengthen the framework for program management functions related to G&Cs were identified in the areas of:
- undertaking of systemic risk-based monitoring and quality assurance of G&Cs management activities;
- developing and implementing a more systemic and structured process for monitoring G&Cs program management functions and related reporting to senior management; and,
- improving access controls and change management practices relating to the G&Cs Information Management System.
Management agrees with the recommendations in this report and has provided an action plan addressing the agreed-upon recommendations to further strengthen the MCF.
A – Introduction
Health Canada's mandate is to help Canadians maintain and improve their health. The Department plays five core roles in order to deliver its mandate, namely: leader and partner, funder, guardian and regulator, service provider, and information provider.
In its role as a funder, Health Canada is responsible for providing grants and contributions (G&Cs) to First Nations and Inuit organizations and communities to deliver community health services and programs. The Department also provides G&Cs to a range of other organizations in order to address government priorities.
G&Cs are in a category of expenditures called ‘transfer payments'. Transfer payments are distinct from other expenditures in that the Government of Canada does not receive goods, services or assets in return. The transfer payment recipient undertakes expenditures and activities that further the Government's mandate. As such, transfer payments are a key instrument in delivering results. The Treasury Board's Policy on Transfer Payments (the Policy) and relatedDirective set out the government-wide expectations for transfer payments.
The two branches within Health Canada that administer and manage G&Cs are the First Nations and Inuit Health Branch (FNIHB) and the Strategic Policy Branch (SPB).
During fiscal years 2015-16 and 2016-17, FNIHB and SPB delivered G&Cs programs totalling approximately $1.9B and $2.0B respectively, as summarized in the table below.
|Number of recipients||687||95||782||776||93||869|
|Grants||N/A||$ 97M||$ 97M||N/A||$ 56M||$ 56M|
|Contributions||$ 1,521M||$ 257M||$ 1,778M||$ 1,677M||$ 304M||$ 1,981M|
|Total G&Cs||$ 1,875M||$ 2,037M|
FNIHB administers transfer payments to support First Nations and Inuit recipients in providing the following:
- basic primary care services and home and community care in remote and isolated communities;
- public health programs, including communicable disease control (outside the territories); and,
- community-based health programs focusing on children and youth, mental health and addictions.
FNIHB also provides a limited range of medically necessary, health-related goods and services to eligible First Nations and recognized Inuit, when not otherwise provided through other public programs or private insurance plans.
SPB is the focal point for G&Cs in Health Canada for non-First Nation and Inuit health initiatives. Funding is provided to a range of recipients, including provinces and territories, pan-Canadian (Pan-Can) health organizations, health care professional associations, community-based organizations, and educational and oversight bodies, to address government priorities. As Government of Canada interests evolve, the focus and scope of SPB's programs can shift.
The Chief Financial Officer Branch (CFOB) has established Transfer Payments Management Services (TPMS). TPMS is responsible for the coordination of HC requirements with regards to the Grants and Contribution Information Management System (GCIMS), which is hosted and managed by Indigenous and Northern Affairs Canada (INAC) under an interdepartmental service arrangement. TPMS is also responsible for training, reporting, and providing policy advice on transfer payments. TPMS has developed the Management Control Framework (MCF) for Grants and Contributions to promote consistency across the Department in managing transfer payment programs and in compliance with the Policy and the related Directive. The MCF defines the control framework for the following program management and transfer payment management levels:
- Program Management functions: activities for the design and approval of transfer payment programs, program implementation, planning, and program management monitoring and reporting
- Transfer Payment Management functions: activities related to managing selection of eligible recipients and projects, selection and implementation of funding agreements and, administration and monitoring of the recipient agreements.
The Office of Audit and Evaluation (OAE) regularly conducts internal audits of individual or clusters of grants and contributions (G&Cs) programs (10 audits since 2010). These audits have primarily focused on transfer payment management functions, including program operations and recipient agreement management. Recent audits have included FNIHB audits of the Resolution Health Support, Home and Community Care, and Health Facility programs, as well as SPB audits of transfer payments to the Canadian Partnership Against Cancer Corporation, Canadian Agency for Drugs and Technology in Health and Mental Health Commission of Canada.
The last horizontal audit that included elements of the program management functions was tabled in June 2011 (Audit of the Management Control Framework for Contribution Programs). The audit report made four recommendations that were accepted and fully implemented by management. The recommendations addressed issues found in regards to clarifying roles and responsibilities, improving expenditure approval processes, reinforcing controls to minimize possible conflicts of interest, and improving project file documentation. Since then, programs have been added, removed or modified, responsibilities have been reorganized, and technology has evolved, including the adoption of GCIMS.
Note: FNIHB was transferred to the new Department of Indigenous Services Canada (DISC) and is no longer a part of Health Canada. The audit recommendations and management responses relating to FNIHB in this report were developed before the Branch was moved to DISC. Follow-up on the management action plans was transferred to the Audit and Evaluation Sector in DISC.
Rationale for the audit
At Health Canada, G&Cs represented 49% of the Department's overall budget of $3.66 billion in fiscal year 2015-16 and are the main implementation vehicle for a significant portion of HC's mandate.
Furthermore, significant changes have occurred in recent years to build a Department-wide regime for the management of transfer payments, including the documentation of a Department-wide Management Control Framework (MCF), the implementation of GCIMS, and a re-alignment of roles and responsibilities among program branches and CFOB.
2. Audit Objective
The objective of the audit was to assess the management control framework (MCF) related to the planning, implementation, program management, monitoring, and reporting of transfer payment programs, in compliance with Treasury Board's Policy on Transfer Payments.
3. Audit Scope
The scope included program management processes in place and activities undertaken, during fiscal years 2015-16 and 2016-17. It included the two branches (FNIHB and SPB) within Health Canada responsible for managing grant and contribution (G&Cs) funding, as well as CFOB, which is responsible for providing central support. The administration of the British Columbia Tripartite Health Governance funds was excluded from the scope of this audit, as it was examined in the Audit of Health Canada's Management of the Administration of the British Columbia Tripartite Framework Agreement (March 2017).
Specifically, the program management functions within the G&Cs cycle included in the scope are: program planning and implementation, and program management monitoring and reporting. Areas of focus within these management functions included structures and processes for governance, risk management and internal controls.
The audit also included a review of Information Technology General Controls (ITGCs) for GCIMS, which is the system used to manage the administration of G&Cs at HC. As GCIMS is an application hosted and managed by Indigenous and Northern Affairs Canada (INAC), the scope of ITGC examination was limited to select IT controls, related to user account management and change management, over which HC could exercise significant control. Accordingly, IT controls related to computer operations and configuration management managed by INAC and Shared Services Canada were not examined.
4. Audit Approach
This audit was conducted at Health Canada's headquarters (HQ) in the National Capital Region.
Procedures employed to obtain audit evidence included, but were not limited to:
- In-person and telephone interviews with key branch, regional, program, and CFOB personnel;
- Solicitation of regional and HQ program management responses via completion of focused questionnaires; and
- Review and analysis of framework documents, policies, plans, directives, procedures, tools, guidance and training documents, governance committee terms of reference, agendas and meeting minutes, as well as risk assessment, monitoring and reporting documentation.
The examination of ITGCs related to GCIMS was based on the COBITFootnote 1 framework and included interviews and focused testing procedures.
5. Statement of Conformance
In the professional judgment of the Chief Audit Executive, sufficient and appropriate procedures were performed and evidence gathered to support the accuracy of the audit conclusion. The audit findings and conclusion are based on a comparison of the conditions that existed as of the date of the audit against established criteria that were agreed upon by management. Furthermore, the evidence was gathered in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing. The audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program.
B – Findings, recommendations and management responses
1.1 Program Oversight
Audit criterion: Oversight mechanisms are in place and operating effectively to provide monitoring and strategic direction for grants and contributions programs.
A governance framework is a set of rules and practices by which an organization ensures accountability, fairness and transparency with all its stakeholders. In the grants and contributions (G&Cs) context, effective governance includes clear roles, responsibilities and accountabilities, and the provision of leadership, oversight and challenge functions.
The audit found that the departmental Management Control Framework (MCF) for G&Cs outlines roles and responsibilities for G&Cs management at a general level for branch programs (HQ and regions) and for the Chief Financial Officer Branch (CFOB). In turn, the two branches responsible for the delivery and management of G&Cs programs have designed and implemented governance structures that reflect their individual operational environments.
First Nations and Inuit Health Branch (FNIHB)
FNIHB delivers G&Cs programs primarily through regional offices. The branch has developed and documented the FNIHB Accountability Framework to support the accountability relationship between headquarters (HQ) and the regions. Review of the Framework document confirmed that it describes how core horizontal and program functions apply in the context of HQ and regional structures, and outlines key responsibilities for HQ and the regions related to the various functions. Core horizontal and program functions identified and addressed in the document include, among others: Operations, Risk Management, Planning and Performance, Program Policy, and Program Operational Support.
Oversight of G&Cs within the branch is exercised through the Senior Management Committee (SMC) structure, comprised of two principal committees that reflect their key functions: the SMC-Policy and Planning and the SMC-Operations Committee.
Review of the overall committee structure within FNIHB, the SMC terms of reference, and SMC committee meeting minutes resulted in the following observations that support the effective functioning of the SMC as an oversight body:
- the SMC is adequately represented by senior branch management at both HQ and regional levels, and key functional organizational units;
- recipient engagement and transparency of decisions related to policy and planning is supported by representation of the Assembly of First Nations (AFN) and Inuit Tapiriit Kanatami (ITK) on the SMC-Policy and Planning;
- Agenda items and discussions reflect the mandates of the committees and issues of importance as identified and requested by senior branch management. Such key items included, but are not limited to: presentations and updates by AFN and ITK on various issues and initiatives, review of management operational plans, status updates on Management Response Action Plans (MRAPs), ministerial audit status updates, and review of the Branch Risk Register.
Key forums that support the governance structure for G&Cs and the SMC were also identified:
The Regional Executive (RE) Forum is comprised of all REs and acts as a mechanism for knowledge exchange and support among regions. Through the REs participation in the SMC, the RE forum provides an opportunity for:
- developing unified regional positions on G&Cs management;
- presenting regional G&Cs perspectives and challenges to HQ program management; and,
- adequately influencing the SMC agenda.
The Director Committee on Grants and Contributions (DCGC) is a director-level forum with representation from all regions and key functional areas, including the Capacity, Infrastructure and Accountability Division (CIAD), CFOB HQ, and Accounting Operations. The Committee serves as a forum for: discussing emerging issues and disseminating information related to G&Cs management, informing and coordinating the development of policy and procedural documents, and discussing collaborative initiatives internally and interdepartmentally. It is chaired by the Executive Director, CIAD, who is a member of the SMC, thus providing an important link to inform the SMC of operational level issues and the DCGC of senior management decisions and concerns.
Through interviews with program management and reviews of related documentation, the audit identified that there are numerous committees in place, at HQ and in the regions, that support and enable governance, and facilitate key activities at the individual program levels, including: engagement of recipients and priority setting, information-sharing, and coordination of activities among stakeholders. Examples of such committees include, but are not limited to:
- Inter-professional Advisory Committee;
- Planning and Reporting Steering Committee;
- National Capital Program Review Committee;
- Regional Accreditation Managers Group;
- Medical Transportation Working Group;
- HSIF Regional Coordinators Teleconference; and
- GCIMS Operations and Advisory Support Committee; GCIMS Executive Advisory Committee; and the GCIMS ADM Steering Committee.
in the regions:
- Accountability Working Group, Health Plan Review Committee - (Manitoba);
- Regional Senior Management Committee, Regional Operations Committee and Health Co-Management Committee - (Alberta);
- Community Focussed Teams (CFTs, Atlantic First Nations Partnership, Canada Nova Scotia Mi'kmaq Tripartite Committee - (Atlantic);
- Regional Executive Committee - (Ontario);
- G&C's Community of Practice, (Northern region);
- Action Forum, Finance Committee, Comité aviseur en intervention – Québec; and
- Health Funding Arrangement Working Group, HFA Quality Improvement Working Group, Home & Community Care Working group - (Saskatchewan).
Strategic Policy Branch (SPB)
G&Cs programs funded by SPB are centrally managed at HQ, with the majority of funding being provided to single-named recipients. Accordingly, SPB is not faced with the complexity of delineating regional and HQ-specific responsibilities and accountabilities for G&Cs management, which is reflected in its accountability and governance structures.
Within SPB, G&Cs oversight is supported primarily by the G&Cs Managers' Forum and the Pan-Can Forum.
The G&C Managers' Forum is a consultative and advisory body with representation from all SPB managers with responsibility for G&Cs programs, chaired by the Executive Director of the Health Programs and Strategic Initiatives Directorate to whom the Office of Grants and Contributions (OGC) reports. The forum supports the OGC in addressing common concerns, in providing advice for the continuous improvement of G&Cs management within SPB, and in sharing best practices. The Manager's Forum succeeded a previous DG Forum, after it was determined that most topics were more operational in nature. The OGC continues to raise issues to the DG and Branch Executive Committee as required, or if the matter is not resolved at the Managers' Forum level.
The Pan-Can Forum is composed of representation from all branch directorates managing G&Cs funding to Pan-Canadian Health Organizations. The meetings are co-chaired by a representative from the OGC. The forum provides its members with an opportunity for discussion, exchange of best practices and linkages between programs, consultation on emerging issues and challenges, and the development of advice and recommendations to management.
The audit also identified various forums operating within the context of individual programs, or at the branch or interdepartmental level, whose operation informs G&Cs program management and further supports effective governance within programs, and for the branch overall. Examples of such forums include:
- National Anti-Drug Strategy Prevention and Treatment Sub-Working Group;
- National Treatment Indicators Working Group;
- Health Portfolio Data Working Group;
- Jordan's Principle Oversight Committee; and
- GCIMS Operations and Advisory Support Committee, GCIMS Executive Advisory Committee and the GCIMS ADM Steering Committee.
Interviews with managers did not identify any impediments to committee operations. Review of terms of reference, agendas, and minutes of a sample of committees established that, overall, committees meet with regularity and address issues within the scope of their mandates.
For FNIHB, review of senior management committee agendas and minutes, as well as follow-up enquiries, identified that senior management committee information requirements related to G&Cs, and related reporting schedules, have not been formally established. For example, review of SMC – Operations meeting agendas identified that the overwhelming majority of agenda items were for discussion and information purposes only. It was also noted that, while agenda items and topics were identified through requests by the Senior ADM, the ADM of Regional Operations, or various directorates or functional areas wishing to make presentations, regular reporting to address specific and pre-defined information requirements have not been established as a regular standing item on meeting agendas.
Within SPB, G&Cs issues are discussed at the operational level, including at the G&Cs Managers' and Pan-Can forums. It was stated that when issues and matters are not resolved at the operational level, they are brought to the attention of senior management. Interviews with stakeholders and review of internal emails confirmed that G&Cs operational reporting to senior management occurs primarily on an ad hoc basis and through bilateral discussions. However, there is no process for regular, structured reporting to individual senior managers or the Branch Executive Committee, as it relates to G&Cs management activities.
Defining G&Cs information requirements and establishing a process for regular reporting of information to senior management and senior committees would enhance senior management's ability to exercise its oversight function over G&Cs management.
The audit concludes that, overall, governance structures for both FNIHB and SPB are well-defined and well-implemented. Committees and forums have been established and are operating at all levels, supporting effective dissemination of information, discussion of evolving issues, engagement of stakeholders and recipients, and the harmonization of efforts within the Department and interdepartmentally. The audit concludes that the oversight function over G&Cs management could be further enhanced through the identification of G&Cs information requirements for program performance, and standardization of processes for associated reporting to senior management. (Refer to Recommendation 2 in section 3.3 related to reporting).
2. Risk Management
Audit criterion: A risk management framework for grants and contributions programs is established and operating effectively.
The Treasury Board of Canada's Guide to Integrated Risk Management (May 2016) notes the importance of risk management as a core element of effective public administration. The effective management of risk contributes to improved decision-making and better allocation of resources. The Guide states that a cohesive and integrated set of mechanisms for identifying, assessing, responding to, communicating, and monitoring risk, in the form of a risk management process, can enable programs to manage risks more systemically.
Corporate and Branch Level Risk Management
A key component of the integrated risk management approach at Health Canada is the annual Corporate Risk Profile (CRP). Review of the Health Canada 2016-17 CRP established that the document:
- identifies Risk Priority Areas (RPAs) and clearly describes related risk elements that could potentially affect the Department's ability to deliver on its mandate;
- links RPAs to program alignment architecture, strategic outcomes and organizational priorities;
- identifies risk response strategies for each risk element, and assigns responsibility at the branch level; and
- identifies indicators, targets, methods, and frequency of collection of data for monitoring progress against risk response strategies.
RPAs identified in the CRP most relevant to G&Cs programs are: RPA3, related to the risk to delivery of health services to First Nation communities due to inadequate health facilities and, RPA4, related to risk to delivery of health services to First Nation communities due to limited nursing capacity. FNIHB is identified as the office of primary interest for both RPA3 and RPA4. SPB has not been identified as an office of primary or secondary interest for any RPAs. It is, however, identified as one of the branches linked to certain risk elements under RPA1, relating to the risk of loss of confidence in the safety of health and consumer products due to Health Canada not being regarded as a trusted regulator or a credible source of information.
Monitoring of risk management strategies identified in the CRP has been undertaken, and reporting is being provided to senior management. The 2016-17 mid-year review of the CRP identifies progress made to-date on various risk responses and related initiatives. The report indicates the status of response strategies by key risk element, including explanations for major deviations, and lists key accomplishments achieved, relative to established performance measures.
At the branch level, FNIHB has developed a Branch Risk Register that aligns with the CRP and further expands on CRP risk priority areas for which the branch has been identified as the office of primary interest. Risk responses are identified and linked to responsible lead offices within the branch. The document identifies indicators and related targets to gauge implementation of risk responses, as well as requirements for bi-annual monitoring and progress reporting. Interviews confirmed that there were no updates or documented reports on the progress and status of the Branch Risk Register in 2016-17.
SPB's key risk areas have been identified in the 2016-17 Corporate Overview of Operational Plans (COOP). The risk analysis presented in the document identifies three high-level risk management strategies, including: engagement with provinces and territories, seeking input from key stakeholders, and developing high-quality policy analysis and options for the new Health Accord. However, no branch-specific risk register has been developed by SPB, and there is no documented process for measuring, monitoring and reporting progress against risk management strategies.
Both FNIHB and SPB have documented Risk Tolerance Strategies (RTSs) for managing risk at the recipient or funding agreement level. The documents reflect, in concise format, various Health Canada and branch-specific policies and directives. The RTSs outline risk management and mitigation activities to be considered and undertaken based on recipient risk levels, determined through a formal General Assessment exercise conducted annuallyFootnote 2.
Program Level Risk Management
The FNIHB Accountability Framework assigns responsibility to FNIHB (both HQ and the regions) to identify program operational risks and develop risk mitigation strategies. Similarly, the Grants and Contributions Standard Operating Procedures Manual (2011), states that the program risk assessments, developed as part of seeking approval for program authorities, should be evergreen documents that are reviewed and updated on an annual basis.
Interviews with program managers identified that there was considerable awareness and appreciation of the importance of considering risk when planning and undertaking activities. However, the risk management processes and related activities identified by management focused primarily on risk assessment and management at the individual recipient or agreement level (i.e., the General Assessment process and related risk tolerance strategies). Although it was stated that program risks may be discussed and addressed in program or branch committee meetings and similar forums, consideration and management of risks at a program level is generally not established as a formal, documented activity either at HQ or in the regions. With the exception of two of the nine programs and initiatives examined in both branches, there was no evidence of formal identification and regular update of program-level risks and associated management strategies.
Risks that could be considered, and which may be relevant to varying degrees, in the management of specific G&Cs programs include risks related, but not limited, to:
- privacy issues;
- capacity of a class of recipients in a specific area;
- inequitable funding of recipients or projects, and eligible expenditures;
- inconsistent evaluation of proposals or recipient reporting due to the complexity of subject matter;
- stacking of government funding;
- non-adherence to emerging legislative requirements; and
- conflict of interest or fraud scenarios
Overall, the audit concludes that there is a high level of risk awareness amongst program management. The two branches adequately identify branch-level risks and risk management strategies in pursuing departmental and branch priorities through G&Cs. However, the audit also observes that risk management related to G&Cs activities may be further enhanced through a formalized and regularly updated process for documenting, monitoring, and updating risks at the program level, and for monitoring and reporting of related risk strategies and results. Potential benefits of such a process include:
- a solid basis for a risk-based monitoring and quality assurance process over program management activities, and identification of minimum program information monitoring and reporting requirements;
- support for the effective update of program policies and procedures, and the undertaking of focused training initiatives;
- support for the effective allocation of program resources in areas of greatest need;
- enhanced demonstration of the alignment of individual program risks and risk strategies with branch and corporate risks; and
- support for the effective coordination of risk management strategies across programs, and within departments.
The audit acknowledges that, for certain programs where branch level risk management is deemed sufficient, or for programs that may be centrally delivered or have a relatively narrow mandate or involve single, named recipients, formal program-level risk assessments may result in only marginal benefits to program management and delivery, and may not be necessary. Accordingly, it is expected that decisions for the formalization of risk management processes at the individual program level will consider potential benefits in light of related incremental program administrative efforts and costs.
3. Internal Controls
3.1 Support for the Management Control Framework
Audit criterion: The Management Control Framework (MCF) is supported by branch or departmental policies, procedures, guidance and training.
Effective policies, procedures, and guidance support management and staff in discharging their responsibilities according to expectations and are critical in ensuring a level of consistency and exercising control.
Policies, Procedures and Guidance
At the departmental level, the MCF for G&Cs establishes the expectations for key G&Cs management functions throughout the lifecycle of programs. The document includes an extensive list of control criteria for each key management function and directs HQ and regional managers to demonstrate adherence to the criteria in managing their programs. Analysis of the MCF and comparison to the TBS Policy on Transfer Payments (the Policy) and related Directive, established that the MCF for G&Cs, and the control criteria therein, are aligned with, and effectively promote, compliance with the Policy. The framework also identifies various other central agency and departmental policies, as well as support documents and tools, and links them to program management functions to further assist managers in adhering to departmental expectations for G&Cs management. These documents and tools include, but are not limited to:
- Guide to Developing Performance Measurement Strategies;
- Tool-kit for preparing TB submissions;
- Tool-kit for the General Assessment process;
- Program-specific terms and conditions;
- Funding agreement tools, policies and templates;
- Budget Management Framework and Monthly Variance Report (MVR) processes;
- Default Prevention and Management Policy and tools; and
- Recipient Audit Tools and Policy.
Within the First Nations and Inuit Health Branch (FNIHB), the Capacity, Infrastructure and Accountability Division (CIAD) has developed a procedural and training manual, entitled Knowledge in a Book (KIAB), as a means of establishing a standard approach to managing G&Cs programs throughout the branch. KIAB was most recently updated in March 2017. It is a comprehensive document that outlines, in a structured approach, how FNIHB manages the delivery of transfer payments to First Nation and Inuit communities. The document:
- outlines the principles and accountabilities related to G&Cs management and effectively links to the departmental MCF for G&Cs and branch strategic objectives;
- serves as a manager's guide by providing an overview of the transfer payment lifecycle and key considerations, and criteria in administering funding arrangements; and
- identifies specific policies and provides step-by-step procedures to assist managers and officers in navigating through the branch's business processes for funding arrangement implementation and management, including but not limited to:
- determining recipient readiness, as well as the funding approach and arrangement;
- managing scheduling and release of payments, debt management and accounts receivable;
- managing financial and non-financial reporting;
- monitoring recipient compliance; and
- preventing and managing recipient default.
A suite of supporting guides and procedures is also available to program managers and officers, including, but not limited to, specific directives and tools for:
- funding approaches and funding arrangement management;
- default management;
- reporting management; and
- addressing text deviations from template agreements.
These directives, guidance documents, and tools are available to managers and staff on the FNIHB intranet site. Interviews with HQ and regional stakeholders confirmed that managers and staff are aware of policies, standards, and related guidance documents, and have access to them.
Guides and procedures have also been developed for the benefit of program managers and for recipients (including many that are specific to individual FNIHB programs and initiatives). Examples include, but are not limited to:
- guides for developing and assessing recipient Health and Multi-year Work Plans;
- guides to recipient reporting;
- guides to ministerial audits;
- guides to completing project templates and conducting project technical reviews;
- the Health Infrastructure and Capital Protocol;
- the NIHB Contribution Agreement Funding Guidelines and associated funding tools; and
- a site visit protocol and site visit template guide.
Within SPB, there is no comprehensive guidance document specific to G&Cs management. Branch program management and the Office of Grants and Contributions (OCG) within SPB refer to the HC G&Cs Standard Operating Procedures (SOP) manual as one source of guidance for G&Cs management. Review of the document established that, while for the most part the document is still relevant in providing guidance on many aspects of G&Cs management, it is dated (2011), and in some key respects, does not reflect current and updated G&Cs management processes within the Department. These omissions include key areas of recipient risk assessment and related tools, nature and type of funding arrangements, and the identification of, and alignment with, key functional units supporting G&Cs management.
The above notwithstanding, the audit noted a suite of individual procedures, forms and templates in use within the branch that, along with the SOP manual, provide adequate guidance for overall management and administration of G&Cs funding. Examples of these documents include, but are not limited to:
- Amendment Review Committee Procedures;
- the Amending Agreement Template;
- checklists for file closure and for quality assurance of amendments and agreements;
- Recipient Audit Roles and Responsibilities;
- the SPB Risk Tolerance Strategy; and
- various contribution agreement templates.
Furthermore, it was also shown that guidelines and procedures have been developed by some individual programs to support program managers and recipients. Examples include:
- program guidelines for applicants;
- letter of intent and proposal templates, and related assessment grids;
- a program reporting guide;
- a program specific monitoring framework; and,
- Standard Operating Procedures – Controls for Thalidomide Financial Support Program Personal Information.
It was noted that the extent and nature of program guidance reflects the complexity of program delivery (national vs regional delivery, multi-recipient vs single, named recipients, and solicited vs non-solicited funding applications).
Interviews with managers and staff within both branches also confirmed that their G&Cs centres of expertise, CIAD and the Office of Grants and Contributions (OGC), within FNIHB and SPB respectively, play an integral part in G&Cs operations, providing a challenge function, as well as advice and support on routine matters, and as situational scenarios or challenges arise.
The audit concluded that, overall, adequate policies, standards, procedures and guidance are in place at both the departmental and branch levels to support G&Cs management. However, with regards to the 2011 G&Cs SOP manual, the audit notes that the Department should consider the intended use of the manual in the future, and explore options accordingly to discontinue it, update it, or replace it with a new comprehensive set of standard procedures, specifically addressing SPB requirements. It is noted that the SOP manual was referred to as a guidance document only by SPB and not FNIHB, where Knowledge in a Book was cited as the manual in use.
Training enhances and supports the understanding of policies and procedures, and provides a crucial link between policy and practice. Effective training initiatives should be supported by adequate need assessments and should, to the extent possible, be targeted to specific audiences and tailored to identified needs.
Training related to G&Cs is provided both at the departmental and branch levels. At the departmental level, Transfer Payment Management Services (TPMS) offers training primarily related to the use of the Grants and Contributions Information Management System (GCIMS). This training is provided pursuant to a training plan and is delivered primarily via e-learning. In certain situations, in-class training is also provided upon request. The “Required GCIMS Training – course outline” document (Jan 2017) sets out various GCIMS training modules that include:
- System Overview and Navigation;
- Arrangement Management;
- the General Assessment process administered within GCIMS (for assessing risk of individual recipients and projects);
- Payables at Year End (PAYEs);
- Debt Management, and;
- “Train the Trainer” courses.
Reviews of the course descriptions, expected results, and associated trainer's manuals have identified that this training focuses on the technical aspects (skills and steps) required to complete the workflow of various G&Cs activities through GCIMS.
TPMS also provides training on the MCF. Review of related MCF training material noted that it was a reproduction of the MCF document in deck presentation form. Notwithstanding various links to supporting standards and tools in the document, there is no evidence of further guidance related to specific elements or requirements set forth by the MCF. For example, the MCF requires that program branches be responsible for the development of program-specific control frameworks, but no guidance is provided as to the minimum requirements for such frameworks, and no supporting templates or examples are indicated. As a result, certain elements of frameworks may not be adequately addressed by branches or individual programs. For example, the general absence of a program-level risk assessment and management process, as previously discussed in Section 2 of the report.
Branch-specific training is also undertaken. At FNIHB, training is provided by CIAD. Training provided during fiscal year 2016-17 focused on health planning and funding arrangement management (Funding Arrangement 101). Planned training for 2017-18 is related to funding arrangements, reporting, default prevention, unexpended funding, and general assessment and risk tolerance strategies. Statistics on the number of participants by region were maintained, and input was solicited related to training provided.
In SPB, OGC provides G&Cs-related training on topics including GCIMS, performance measurement, and how to read audited financial statements of not-for-profit organizations. Funding arrangement training is available upon request, and webinars on topics such as knowledge translation are also available to staff.
A robust process related to training was evidenced for the Health Systems Integration Fund, where in the past, a comprehensive exercise had been developed to assess training needs of program stakeholders.
Interviews established that, for both branches, at the program level, training is primarily on-the-job instruction and mentoring of new staff by more senior officers or managers, supported by program-specific guidance documents and tools.
The audit found that, overall, training initiatives have been associated primarily with the introduction of new processes or structures, as in the case with the adoption of GCIMS and the use of new funding arrangements. Interviews confirmed that the initiatives are also generally the result of individual training plans and individual requests, general learning priorities identified by branch senior management, or are driven by government-wide focus on emerging issues and topics, such as requirements for Sex- and Gender-based Analysis (SGBA). For both branches, the only mandatory training for G&Cs is related to the use of GCIMS and is a requirement for access to the system. Transfer Payments Management Services (TPMS), supported by OGC and CIAD, maintain statistics on training provided.
Review of statistics provided by TPMS found that they are primarily limited to capturing the number of participants by region for each training topic area. Furthermore, the statistics indicate that training participation within FNIHB may not be reflective of the G&Cs activity level of individual regions. For example, the Atlantic region had more participants than any other region (except HQ) for MCF training provided by CIAD, despite being a relatively small region in G&Cs activity. For all training provided by the Chief Financial Officer Branch (CFOB), Atlantic had almost the same participation as Ontario and Alberta, and more than Manitoba, all regions with far greater G&Cs activity. HQ, which manages the least of G&Cs funding, had by far the greatest participation. Although not definitive, these observations are indicators that training strategies and approaches may need to be more formalized and focused.
Furthermore, within FNIHB, a review of SMC committee minutes identified that less than 60% of the allocated budget for training was expended in 2016-17. Concerns were expressed by a senior program manager, supported by a Regional Executive, that this had resulted in a certain level of employee demoralization regarding training opportunities.
While the audit found that training is provided in response to new processes and requirements, emerging issues, and to individual requests or interests, there is no evidence of comprehensive, formal training strategies at the national level that systemically identify the training requirements and coordinate related activities for all aspects of G&Cs training at the regional or program levels. Key elements of such strategies would include:
- formal needs assessments for key positions, by program and within regions, based on required competencies;
- formal analyses and processes that link root causes of compliance, review and quality assurance findings to the development of appropriate training programs; and
- establishment of mandatory training requirements for key positions.
The audit concludes that, although G&Cs-related training is being delivered, training activities would further benefit from more comprehensive training strategies at the national level, with more focus on identifying and addressing program-specific training needs, in addition to training that addresses administrative requirements. Such strategies would be informed, to a significant degree, by individual program risk assessments and results of compliance monitoring and quality assurance activities discussed in Sections 2.1 and 3.3 respectively.
3.2 Program Planning and Implementation
Audit criterion: Program planning and implementation reflects the strategic direction, including the identification, approval and monitoring of resource requirements.
The audit expected that there are established processes and controls in place to ensure that adequate due diligence is exercised in the development or renewal of G&Cs in alignment with TBS policy requirements. Furthermore, the audit expected that planned priorities for G&Cs are aligned with the strategic outcomes of the Department, and that sound operational planning processes are in place to support and monitor the use of resources in the delivery of planned priorities.
Program development / renewal
The audit found that the Management Control Framework (MCF) for Grants and Contributions (G&Cs) document provides a clear, documented process for the design and re-design of G&Cs programs. Specifically, the process sets out:
- requirements for new programs and program renewals requiring major or minor amendments, or no amendments at all;
- a detailed description of the process, from inception to ministerial approval and submission to the Treasury Board; and
- identification of departmental organizations accountable and responsible for related activities.
Interviews and documentation reviewed confirmed that:
- functional areas within each branch work closely with programs to develop the content for the design of new programs and initiatives, and of program terms and conditions; and
- the Corporate Resource Management Review (CRMS) directorate guides the submission process through a series of internal reviews and approvals, as well as approval by TBS. Furthermore, that detailed TBS- and HC-specific guidance is made available for this purpose, including but not limited to:
- Guidelines on HC's TB Submission Process;
- HC 5 phases TB Submission Process presentation;
- HC CFO Attestation Guidance document and related summary template; and
- numerous checklists for specific requirements and considerations, including privacy requirements, communications plans, environmental assessments, and other.
The audit reviewed supporting documentation related to the internal review and challenge process for four recent submissions and confirmed that the process is operating as intended. The supporting documentation included evidence of review and sign-off by functional areas, including, but not limited to: Legal Services, CFO, the Branch Senior Financial Officer, the Office of Audit and Evaluation, Corporate Services, Communications and Public Affairs, Official Languages, Sex and Gender Based Analysis (SGBA), and Transfer Payments Management Services (TPMS).
The audit concludes that the process for design, re-design and renewal of programs is well-supported and effectively controlled.
Annual Planning Process for G&Cs
The audit found that Health Canada's Strategic Outcomes (SOs) were clearly defined in the Department's annual Report on Plans and Priorities (RPP) for 2015-16 and 2016-17.
Review of the Corporate Overview of Operational Plans (COOP) document confirmed that annual program planning reflects the Department's RPP and links to SOs through the identification and pursuit of annual departmental priorities. SOs to be addressed are identified and linked to planned priorities for each branch during the year. The audit found that there are established, standardized annual planning processes within each branch to capture planned activities and allocate resources.
A mid-year report on the COOP and the Monthly Variance Reporting (MVR) process are effective in reviewing commitments and identifying unspent funds or budget deficits in G&Cs programming, in order to facilitate re-allocation within programs and between branches. Review of summary year-end Free Balance reports provided by the Chief Financial Officer Branch (CFOB) confirmed that funding was effectively allocated and re-allocated, resulting in negligible unspent funding of G&Cs for 2015-16 and 2016-17 (0.11% and 0.3% of budgeted spending, respectively).
For the Strategic Policy Branch (SPB), the annual planning process reflects the centralized management of G&Cs programs by branch directorates at HQ. SPB directorates each prepare a detailed work plan that outlines planned activities by cost centre or division, and identifies milestones, deliverables, and anticipated timelines for each activity. The plans also identify the number of full-time equivalents and allocate funds accordingly.
Directorates prepare a one-page overview document that summarizes work plan highlights, including activities and key deliverables by division or cost centre. It also presents a discussion of major challenges anticipated, and key interdependencies within the branch, interdepartmentally or with recipient organizations.
Reporting on the COOP is done through the mid-year report. Reporting on directorate plans is developed through bi-lateral meetings with DGs or during branch executive committee meetings, before being presented to the ADM.
For the First Nations and Inuit Health Branch (FNIHB), where program delivery is managed predominantly at the regional level, the operational planning process is centrally administered by the Strategic Planning and Accountability Division within the Strategic Policy, Planning and Information Directorate (SPPID). It includes the preparation of the Branch Operational Plan, which represents the collective management operational plans (MOPs) from programs and regions, supported by standardized planning templates. The operational plans are reviewed and approved by senior management at both the regional and national levels. A renewal process during the year serves as an effective means for identifying pressures, as well as requesting and re-allocating resources among and within programs and regions.
The audit examined regional and directorate MOPs for fiscal years 2015-16 to 2017-18. The audit found that they are comprehensive documents that incorporate all programming delivered, and present key activities aligned to the Program Alignment Architecture (PAA) at the sub-sub-activity level that are linked to the branch's strategic goals, priorities, and risk profile. They identify quarterly milestones, performance indicators, and performance targets.
However, it was noted that there are inconsistencies in the level of detail and the nature of information presented in the MOPs, related to activity deliverables and milestones and associated performance indicators and targets. For example, some MOPs define quarterly milestones in relatively general terms, such as ‘provide funding to communities' and ‘ongoing management', while others offer more detail, such as specific training initiatives, and the number of community visits or advisory meetings to be conducted. Furthermore, some plans have defined expected results, performance indicators and targets more explicitly, and have aligned them with HC operational activities related to program areas, while others have aligned them along program performance indicators or have defined them in broad terms. The following example, related to one program area, underscores this variability in plan content:
- one regional plan defines performance measures and targets in terms of the number of children receiving referral and diagnostic services, number of partnership meetings and number of students graduating from a certain program;
- for the same program, another plan defines performance measures and targets as the number of health funding arrangements to be signed by a certain date; and
- a third plan defines the performance indicator as ‘reducing and preventing FASD births' and the performance target as ‘March – 2017'.
The inconsistencies identified above suggest that there is not a common understanding with regards to the preparation and expected use of the MOPs. They also suggest that the utility of MOPs as effective tools for directing and managing operational efforts, as well as supporting the alignment of resources with operational activities, varies among regions. Furthermore, the variance in content inhibits the ability of programs to conduct roll-ups and meaningful analyses of, or to provide a challenge role related to, regionally planned activities and related results.
The audit concludes that, overall, there is an effective process for planning activities, and allocating and re-allocating G&Cs resources within the Department.
Within FNIHB, there is an opportunity to further enhance the planning process through more consistent content in regional MOPs. This will better demonstrate regional efforts in directing and managing operational activities and resources, and in monitoring attainment of related results. Towards this end, the branch should take actions to promote and reinforce a more common understanding of the requirements for MOP content. Such actions may include focused training and further guidance, as part of more comprehensive training strategies and plans discussed in Section 3.1.
3.3 Program Management Monitoring and Reporting
Compliance Monitoring/Quality Assurance
Audit criterion: Program monitoring and reporting processes are established and operating effectively.
The Treasury Board's Policy on Transfer Payments (the Policy) requires that deputy heads monitor compliance to the Policy and its supporting directives through periodic audits and other assessments. Furthermore, the departmental Management Control Framework (MCF) for grants and contributions (G&Cs) assigns responsibility to program branches (HQ) for ‘consistent compliance with the Policy, as well as departmental policies and directives' and also states that the Chief Financial Officer Branch (CFOB) is responsible for ‘conducting focused compliance reviews examining high risk elements of the MCF for G&Cs.'
Through interviews and documentation review, the audit established that there is a strong framework to support compliance with the Policy and departmental policies and directives. This includes active and responsive guidance provided by CFOB, and by the Capacity, Infrastructure and Accountability Division (CIAD) and Office of Grants and Contributions (OGC), within the First Nations and Inuit Health Branch (FNIHB) and Strategic Policy Branch (SPB) respectively, and a comprehensive suite of supporting procedural documents and related tools available to program managers and staff.The audit found that during the period in scope, the branches have undertaken some active monitoring and quality assurance activities related to transfer payment management, but that the scope of these activities has been limited:
- the CFOB undertakes quality assurance and monitoring activities of G&Cs, but these have a financial focus, as they are part of the branch's overall monitoring strategy related to Internal Controls over Financial Reporting (ICFR);
- the OGC, within SPB, conducts ongoing quality assurance and review of funding agreements to ensure that agreements contain minimum requirements, adhere to program authorities and branch established templates, and that amendments to agreements undergo the necessary due diligence;
- CIAD has obtained attestations from regional management that HQ program requirements related to activities undertaken in the regions have been met and that related policies have been adhered to.
The above notwithstanding, a comprehensive and systemic compliance monitoring and quality assurance function has not been in place to effectively and regularly monitor and report on G&Cs program management activities and their adherence to the Policy and departmental, branch or program specific expectations that may include, but not be limited to:
- specific requirements (control criteria) of the departmental MCF for G&Cs and due diligence undertaken by program staff in funding application review and assessment;
- review and assessment of required recipient documents, including plans and activity reports;
- active monitoring of recipient activities; and
- file closure requirements.
The establishment of an active monitoring, follow-up and quality assurance function at the national level would enhance adherence to the Policy and departmental policies, and would benefit G&Cs management overall by:
- identifying areas of concern requiring management action;
- promoting a common understanding of guidelines and expectations and consistent management practices to the extent possible; and,
- effectively informing the development of guidance documents and focused training initiatives.
The scope and frequency of the activities of this function should be risk-based and be informed and guided by input including, but not limited to: branch and program risk assessments, prior audits and reviews, and the concerns of senior program and branch management and functional areas.
The audit notes that within FNIHB, subsequent to commencement of this audit, CIAD has launched an initiative to conduct an annual assessment of management activities related to individual funding agreements with recipients, and has developed a comprehensive checklist for this purpose. The approach is to select 10 percent of all active arrangements in each region, including HQ, to assess the extent to which management activities and file documentation adhere to departmental and branch expectations. As of the time of completion of the conduct phase of this audit, there was no information on results available for any assessments conducted to date. It was stated that prior to this current initiative, no such assessments have been conducted since 2009.
It is recommended that the Senior Assistant Deputy Minister, First Nations and Inuit Health Branch (FNIHB) and the Assistant Deputy Minister, Strategic Policy Branch (SPB), take steps to enhance, within their respective branches, the existing processes for monitoring and quality assurance of G&Cs programs to ensure all key elements of the departmental MCF for G&Cs are adequately addressed. This would include consideration of a documented risk-based approach that better demonstrates the alignment of quality assurance and monitoring activities with identified risk areas related to the management of individual programs and the integration of applicable control criteria outlined in the departmental MCF for G&Cs.
Management agrees with the recommendation.
FNIHB, in consultation with its regions, will develop a Monitoring Directive to ensure that G&Cs program management functions are strategically monitored for quality assurance, and results are reported to senior management and other key decision-makers.
SPB currently conducts quality assurance activities on new agreements, amendments, program terms and conditions, and performance measurement strategies.
In addition, SPB will undertake an annual risk analysis of key management functions and control criteria outlined in the departmental MCF for G&Cs, in consultation with senior management, to identify annual focus areas for monitoring and quality assurance activities.
The results of monitoring and quality assurance activities will be reported to SPB senior management annually, at minimum.
The HC MCF for G&Cs, for the management function of program monitoring and reporting, identifies the following as control criteria:
- For communication of results: performance results of programs are accurately reported within the Departmental Performance Report (DPR) and linked to strategic priorities and plans.
- For program performance monitoring: performance information is collected and analyzed and results are consolidated to demonstrate program performance and effectiveness.
Reporting of Program Results
Programs have established performance measurement strategies and performance indicators to support reporting on results. The funding agreements are the primary means of soliciting and collecting data from recipients to address performance indicators.
Within FNIHB, where multiple programs and programming elements are funded for single recipients, Data Collection Instruments (DCIs) have been developed to facilitate data collection. The DCIs are linked to funding agreements and programming elements, and are supported by recipient reporting guides. Data is collected via other means, including surveillance efforts and surveys conducted by the Surveillance Health Information Policy and Coordination Unit within the Strategic Policy Planning and Information Directorate (SPPID).
Performance reporting is summarized annually through the Departmental Results Report (DRR), formerly known as the Departmental Performance Report (DPR), as part of the overall Departmental Integrated Operational Planning Process (DIOPP). The DIOPP is administered by the Planning and Corporate Management Practices Directorate within CFOB.
Reporting through the DRR is aligned with established program performance measurement strategies. Interviews and documentation reviewed confirm that there is an established and adhered-to process in place, with set timelines, that includes:
- initial solicitation of performance-related information from branches and programs;
- analysis and feedback provided to branches by CFOB;
- revisions by branches, as applicable; and
- final review by Executive Committee and approval by the Deputy Minister.
However, the audit also identified that within FNIHB, there is a need to better align data collection requests and related reporting by recipients with the information needs of programs, and the Department overall. For example, including the various regional versions, there are presently over one hundred DCIs listed on the 2016-17 Reporting Guide.
Follow-up with representatives of the Performance Measurement Unit within SPPID confirmed that this has been recognized as an area requiring attention and a data alignment project is currently underway to address this issue. Furthermore, the Department is in the process of developing and refining the Departmental Results Framework and the attendant program information profiles, to address requirements of the TBS Policy on Results (effective July 1, 2016).
Given the aforementioned management initiatives, the audit makes no recommendation related to corporate reporting on program performance. The issue related to data collection and information requirements is further discussed in the next section, in the context of program performance monitoring and internal reporting.
Monitoring and Reporting of G&C Management Functions to Senior Management
The audit also examined the processes in place for program monitoring and reporting for internal management purposes.
It was found that programs' financial results are effectively monitored and reported primarily through the Monthly Variance Report (MVR) process. Through this process, financial information, including G&Cs-related information, is produced on a monthly basis from the departmental financial system. The information is reviewed and budget variances are identified and reported to senior management. This allows for challenge and validation of information, and the ability to effectively identify opportunities for re-allocation of resources. The process is administered by CFOB and supported by policies and procedures outlined in the HC Budget Management Framework handbook. To some extent, other less formal or routine processes are also in place to track and report financial information, such as maintenance of spreadsheets for purposes of tracking soft and hard commitments, in order to compliment the MVR process.
The audit examined the processes in place to monitor and report on non-financial program information for management purposes. The audit found that reporting is provided to senior branch management, often in the form of ‘dashboard' reports presented to senior management committees. This process effectively tracks and reports the status of selected risks and progress on sensitive files that are of priority interest to senior management.
However, the audit also found that, outside of this reporting on ‘selected' issues that are of interest to senior management, requirements and processes for regular monitoring and reporting on non-financial program information and performance have not been adequately defined or standardized. To a large degree, this type of reporting happens informally through bilateral meetings with senior managers or information updates, and is often ad hoc in nature or exception-based. The following observations further support the finding that there is a lack of regular, formalized monitoring and reporting of non-financial G&Cs performance management.
Interviews with regional managers confirmed that, although ad hoc information requests are made from HQ program management, there are no established requirements for such reporting.
Review of non-financial G&Cs-related information in quarterly reports provided to the CFO by Transfer Payment Management Services (TPMS) was limited to the number of arrangements under third party management, and the number of halt payment overrides in the Grants and Contributions Information Management System (GCIMS). Although anomalies related to halt overrides were identified and reported, including possible cause, these were repeated in all three quarterly reports and there was no follow-up, investigation, nor corrective action suggested. TPMS informed the audit team that these reports to the CFO had been recently discontinued, pending establishment of a Transfer Payment Overview Committee, where it was anticipated such information would be reported and used.
The relevant branches have identified service level standards that they report on. However, the audit identified that these standards are very high-level and are limited to addressing:
- For FNIHB: that template agreements are available for viewing by a certain date, and that a percentage of first payments are made to recipients within a certain timeframe; and
- For SPB: acknowledgement of receipt and assessment of completeness of recipient applications of funding within a certain timeframe.
Service standards at program levels have not been defined and are not being reported to senior program or branch management. A more robust and refined set of service standards at the individual program level would enhance monitoring of program management performance and better demonstrate the Department's citizen- and recipient-focused approach to program management.
Identification and documentation of minimum program management monitoring requirements and a process for regular reporting would enhance the oversight function of senior program and branch management and their ability to take corrective actions in a timely manner.
Adequate delineation of requirements for program results reporting, based on information being collected for internal reporting purposes and for recipient compliance purposes, would facilitate risk-based reporting at the recipient, project, and program levels, and result in further minimizing the reporting burden on recipients.
The audit concludes that, while there is a robust and well-defined process in place for financial results monitoring and reporting, G&Cs program activity, related performance monitoring and reporting to senior program and branch management can be improved.
It is recommended that the Senior Assistant Deputy Minister, First Nations and Inuit Health Branch (FNIHB) and the Assistant Deputy Minister, Strategic Policy Branch (SPB), in collaboration with the Chief Financial Officer, Chief Financial Officer Branch (CFOB), enhance the existing processes for G&Cs program monitoring and reporting. Enhancements to the processes should consider the identification of minimum information requirements and development of associated reporting mechanisms that facilitate regular, structured reporting to program managers and senior management committees.
Management agrees with the recommendation.
FNIHB will continue to update annually the reporting requirements for all program, ensuring data collection is both necessary and useful to measure performance and reporting on departmental results.
SPB has recently revisited reporting requirements for all programs (performance information profiles for 14 programs delivered in the branch), ensuring data collection is both necessary and useful to measure performance and reporting on departmental results.
In addition to existing G&Cs program management information [e.g. Management Variance Report (MVR), multi-year forecasting of funds, annual recipient risk profiles and audit plan], SPB will consult with senior management and CFOB to identify any further information, beyond Recommendation 1, which should be regularly reported to SPB senior management.
SPB senior management will review information and reporting requirements and processes annually and adjust as necessary to ensure their relevance.
3.4 User Access Controls
Audit criterion: Processes to control access to the Grants and Contributions Information Management System (GCIMS) are established and operate effectively.
We expected to find that processes to control access to the Grants and Contributions Information Management System (GCIMS) were established and operated effectively.
There is a process in place to control access to GCIMS. However, there are opportunities to improve the process and further mitigate potential risks related to user access.
GCIMS is the main system used to manage G&Cs in the Department. The system automates the transfer payment business processes and manages funding agreements and related information. Its functionality offers key benefits that are intended to improve overall efficiency control and accountability, including in the areas of:
- creation and management of funding agreements, amendments and adjustments, including built-in controls related to the use of contribution agreement (CA) templates and tracking of the approval processes;
- financial transaction management and reporting through interface with the departmental financial system; and,
- submission, review, and approval of recipient reporting requirements.
GCIMS is hosted, managed and maintained by Indigenous and Northern Affairs Canada (INAC). Health Canada is provided access to GCIMS under an interdepartmental service arrangement.
The process for providing access to GCIMS is governed by the INAC - Financial Applications User Access and Security Framework. This framework outlines the requirements and controls for user access to the corporate financial systems at INAC. These guidelines were established to protect the confidentiality and integrity of system data. This framework enables efficient and effective security monitoring. Any users granted access to these systems must meet security clearance requirements.
Health Canada (HC) does exercise some management responsibility over access to the system by HC users. At the time of audit, Transfer Payment Management Services (TPMS), within the Chief Financial Officer Branch (CFOB), managed the following activities related to user access controls for Health Canada employees:
- managing user access protocols for GCIMS, including various related forms;
- creating and maintaining user accounts for the GCIMS environment;
- coordinating periodic business reviews of authorized users and promptly notifying INAC of required changes to user authorizations; and
- coordinating periodic reviews of GCIMS information.
Interviews were conducted with business managers and TPMS. A sample of access control forms and a list of GCIMS users were also examined, as was documentation relating to user account management, provided by TPMS. The audit found that access to, and use of, GCIMS is based on established user roles and permissions, as defined by the service provider. However, the audit also made the following observations that indicate the process for managing ongoing access to the system by existing users should be improved:
- from a sample of 12 users reviewed, the audit noted three instances where the manager had confirmed that the assigned user account privileges were no longer commensurate with the individual's positions, or where the employees had access to GCIMS when either on assignment or maternity leave;
- a review of GCIMS access granted to departmental staff occurred only once a year, and review of privileged user accounts had not been undertaken during the period within the scope of the audit. Industry best practices for account management require that user access reviews are undertaken more frequently;
- not all user access profiles are supported by up-to-date Access Control Forms; and,
- user accounts are assigned ‘dormant' status after 90 days of inactivity, but they are not automatically disabled and can be reactivated by an individual with the prior access password.
The above-noted deficiencies pose a level of undue risk of unauthorized or inappropriate access to GCIMS, which could have impact on the availability, confidentiality and integrity of the data. It should be noted that, subsequent to the audit fieldwork and effective August 21, 2017, INAC will resume the roles and responsibilities for managing access to GCIMS previously carried out by TPMS. It is further noted that, subsequent to audit fieldwork, the annual process for review of user accounts within HC was enhanced by including system user profiles as part of communication exchanges seeking affirmation of user access from business units.
In conclusion, improvements can be put into place to ensure that access to GCIMS is managed in accordance with the Financial Applications User Access and Security Framework, and in a manner that further mitigates access-related risks.
It is recommended that the Chief Financial Officer, Chief Financial Officer Branch (CFOB), in collaboration with the Assistant Deputy Minister, Strategic Policy Branch (SPB), and the Senior Assistant Deputy Minister, First Nations and Inuit Health Branch (FNIHB), ensure that controls over user access to GCIMS are strengthened. Actions that would further strengthen existing controls include:
- a formal process to ensure timely notification by business owners to the service provider of user access change requirements, reinforced by adequate communication of related manager responsibilities; and,
- more frequent reviews and updates of user access profiles and related privileges.
Management agrees with the recommendation.
FNIHB will work with regions to ensure the Access Control Forms are reviewed and updated to reflect appropriate user access profiles.
The departmental departure process has already been formalized for notification of changes to access requirements resulting from departures. CFOB will issue notices to reinforce managers' responsibilities.
CFOB will work with the service provider to ensure that more frequent reviews of user access profiles and related privileges are carried out.
3.5 Change Management Controls
Audit criterion: Processes and procedures used to manage changes to the Grants and Contributions Information Management System (GCIMS) are established and operating effectively.
We expected to find that processes and procedures used to manage changes to the Grants and Contributions Information Management System (GCIMS) were established and operated effectively.
There was a process in place for managing changes to GCIMS, but it was not always followed or did not use change management practicesFootnote 3 that would be expected to be used to ensure successful implementation of changes made to GCIMS.
The importance of following a strong change management process is that it will increase the likelihood that a change made to GCIMS will be successful. Best-practice controls ensure that ongoing changes to programs and related infrastructure components are requested, authorized, performed, tested, and implemented to achieve management's application control objectives.
The typical subcomponents of program change management include:
- management of maintenance activities;
- specification, authorization, and tracking of change requests;
- testing and quality assurance;
- implementation to production; and
- segregation of duties (programmer access to production).
The change management process for GCIMS is described in the service level agreement between INAC and HC. There is a governance structure in place to manage changes to GCIMS. The structure consists of the GCIMS Operations and Support Committee, the GCIMS Executive Advisory Committee, and the GCIMS ADM Steering Committee, each having distinct roles and responsibilities in the overall review and approval process.
Two major changes/releases to GCIMS implemented in 2016-17 were examined during the course of the audit. Several interviews were held with business users. In addition, correspondence between business users and the service provider was examined. The audit team also reviewed Records of Decisions from both the GCIMS Operations and Support Committee, and the GCIMS Executive Advisory Committee. Finally, the team reviewed documentation provided by business users of changes made to GCIMS for the period under review. The audit noted that processes and procedures to manage change for GCIMS do not always follow necessary practices, specifically:
- documentation pertaining to changes made to GCIMS, including updates of the associated Standard Operating Procedures (SOPs), is not comprehensive or timely; and,
- changes are being put into production without sufficient testing by business users, who are not provided enough time to conduct user acceptance testing or not all users participate in GCIMS release testing.
Interviews with business users and reviewed correspondence indicated that the shortcomings in the change management process affected the functionality of GCIMS, which resulted in inefficient workarounds, difficulty getting buy-in from users to the proposed changes to GCIMS, and a lack of consistent procedures to process agreements. A further challenge faced by users in managing changes to GCIMS was the lack of adequate in-house technical knowledge, which limited their ability to challenge or have meaningful input into proposed changes by the system administrators. It was identified that a resource with expertise in this area, such as a business analyst, would bridge the knowledge gap between system users and the system administrator's technical support services. . Furthermore, it was stated that during the GCIMS implementation and adaptation phases, and during initial system changes, users felt some pressure to ‘accept' changes in cases where their concerns and issues may not have been fully addressed or resolved.
The noted deficiencies identified above increase the risk that users may become disgruntled and decide to bypass controls or adopt secondary systems to manage G&Cs, either of which can have an adverse impact on the integrity of the information in GCIMS and on efficiency of operations.
The audit concludes that improvements are required to the change management process related to GCIMS.
It is recommended that the Chief Financial Officer, Chief Financial Officer Branch (CFOB), in collaboration with the Assistant Deputy Minister, Strategic Policy Branch (SPB), and the Senior Assistant Deputy Minister, First Nations and Inuit Health Branch (FNIHB), and the service provider, ensures that changes to GCIMS affecting HC operations are supported by sufficient user testing within HC that includes adequate input from HC technical subject-matter experts and a re accompanied by updates to system documentation in a timely manner.
Management agrees with the recommendation.
This recommendation has been addressed. Consultation with all parties is now an integral part of the design and development phase for any new functionality.
GCIMS materials will be made available for review at the time of User Acceptance Testing. In addition, there is now more that needs to be reviewed or tested (i.e. materials), therefore, more time has been allocated for User Acceptance Testing in the project plan prepared by Indigenous and Northern Affairs Canada (INAC), allowing for retesting where required. The deployment of any new functionality can be delayed until internal documentation is updated and trainers become proficient with the material prior to rolling out training.
Starting with the December 2017 release of GCIMS, materials will be made available for review at the time of User Acceptance Testing. In addition, a greater amount of time has been allocated for User Acceptance Testing in the project plan prepared by INAC. The deployment of any new functionality can be delayed until internal documentation is updated and trainers become proficient with the material prior to rolling out training.
C – Conclusion
The audit concludes that there is an adequate management control framework (MCF) in place, including governance, risk management processes, and related internal controls, to support program management functions for Grants and Contributions (G&Cs). Areas where strong practices were identified included:
- robust committee structures supporting effective governance, recipient and multi-stakeholder engagement, and information sharing;
- clear and comprehensive central guidance provided to programs, supported by responsive centres of expertise and functional areas within all branches;
- effective collaboration within the Department and inter-departmentally, resulting in significant standardization of processes, tools, and management practices;
- an effective and well-controlled process for managing design, re-design, and renewal of programs and related submissions; and
- a strong planning process that demonstrates alignment of planned activities with identified departmental and branch priorities and is effective in managing financial resources.
However, opportunities for improvement to further strengthen the framework for program management functions related to G&Cs were identified in the areas of:
- undertaking of risk-based monitoring and quality assurance of G&Cs management activities in a systemic manner;
- developing and implementing a more systemic and structured process for G&Cs program management monitoring and related reporting to senior management; and
- developing and implementing enhanced access controls and change management practices relating to the Grants and Contribution Information Management System.
The areas for improvement that have been noted in this audit report will collectively strengthen the effectiveness of the control framework over program management functions in the Department.
Appendix A – Lines of enquiry and criteria
|Criteria Title||Audit Criteria|
|Line of Enquiry 1: Governance|
|1.1 Program Oversight||Oversight mechanisms are in place and operating effectively to provide monitoring and strategic direction for grants and contributions programs.|
|Line of Enquiry 2: Risk management|
|2.1 Risk Management Framework||A risk management framework for grants and contributions programs is established and operating effectively.|
|Line of Enquiry 3: Internal Controls Processes|
|3.1 Support for the Management Control Framework||The Management Control Framework is supported by branch or departmental policies, procedures, standards, tools, training and guidance.|
|3.2 Program Planning and Implementation||Program planning and implementation reflects the strategic direction, including the identification, approval and monitoring of resource requirements.|
|3.3 Program Management Monitoring and Reporting||Program monitoring, management and reporting processes are established and operating effectively.|
|3.4 User Access Controls||Processes to control access to the Grants and Contributions Information Management System are established and operate effectively.|
|3.5 Change management Controls||Processes and procedures used to manage changes to the Grants and Contributions Information Management System are established and operating effectively.|
Appendix B – Scorecard
|1.1 Governance/Oversight||Needs Minor Improvement||An established governance framework is in place. Opportunity exists to strengthen the oversight function of senior management through better defined and more formalized monitoring and reporting related to program management functions.||Links to 2|
|2.1 Risk management||Needs Minor Improvement||There is a high level of risk awareness. However there should be documentation, updates and reporting of risks and related risk management strategies at the individual program level.|
|3.1 Support for the Management Control Framework||Needs Minor Improvement||There are comprehensive policies, standards and guidance documents, as well as responsive functional areas in support of G&Cs management. There is an opportunity to enhance support for the MCF through the development and formalization of more comprehensive strategies and plans for identifying program-specific training needs and delivering related training activities informed by program-specific risk assessments, compliance monitoring and quality assurance results.|
|3.2 Program Planning and Implementation||Needs Minor Improvement||Opportunity exists for improvement of the planning process by ensuring that First Nations and Inuit Health Branch (FNIHB) regional operating plans are more consistent in defining and presenting planned activities, related milestones, and performance indicators to facilitate performance monitoring.||Links to 1 and 2|
|3.3 Program Management Monitoring and Reporting||Needs Improvement||A need exists for systemic, risk-based compliance monitoring and quality assurance functions over program management activities.||1|
|Monitoring and reporting should be enhanced through clear identification of minimum program management monitoring requirements and a formal, documented process that better demonstrates regular reporting of the information to senior management.||2|
|3.4 ITGC – User Access Controls||Needs Minor Improvement||There is a process in place to grant access to GCIMS based on user roles and defined permissions. There is opportunity for the Department to strengthen management of continued user access to the system through a more formal process for notifying system administrators of user access changes and conduct of more frequent user access reviews.||3|
|3.5 ITGC – Change Management Controls||Needs Moderate Improvement||There is a process in place for managing changes to GCIMS. Improvement to the process should be made to ensure that acceptance and implementation of changes is adequately informed by input from HC technical subject-matter experts and sufficient user testing and is supported by timely updates to system documentation.||4|
Rating: Satisfactory - Needs Minor Improvement - Needs Moderate Improvement - Needs Improvement - Unsatisfactory - Unknown; Cannot Be Measured
- Footnote 1
Control Objectives for Information and Related Technology – a globally recognized information technology management and governance framework, created by the Information Systems Audit and Control Association (ISACA).
- Footnote 2
The General Assessment process and risk management at the recipient/funding agreement level will be examined in greater detail in a phase II audit of the Management of Grants and Contributions that will focus on Transfer Payment Management Functions.
- Footnote 3
As outlined in COBIT.
Report a problem or mistake on this page
- Date modified: