Audit of the Management of Grants and Contributions at Public Health Agency of Canada

November 2018

Presented to PHAC Departmental Audit Committee on November 22, 2018

List of acronyms

ARRAT: Agreement/Recipient Risk Assessment Tool
BEC: Branch Executive Committee
BMM: Business Management Model
BOP: Branch Operational Plan
CA: Contribution Agreement
CGC: Centre for Grants and Contributions
G&Cs: Grants and Contributions
GCIMS: Grants and Contributions Information Management System
GCMOC: Grants and Contributions Management and Oversight Committee
HC: Health Canada
HPCDP: Health Promotion and Chronic Disease Prevention
HSIB: Health Security Infrastructure Branch
IDPC: Infectious Disease Prevention and Control
INAC: Indigenous and Northern Affairs Canada
IRM: Integrated Risk Management
ITGCs: Information Technology General Controls
IT/IM: Information Technology / Information Management
MVR: Monthly Variance Reporting
OCFO: Office of the Chief Financial Officer
OIA: Office of International Affairs
PHAC: Public Health Agency of Canada
RMAD: Resource Management and Advisory Division
RO: Regional Operations
SOP: Standard Operating Procedure
TBS: Treasury Board of Canada Secretariat
TPMS: Transfer Payment Management Services at Health Canada

Executive summary

What we examined

We examined the management control framework related to grants and contributions (G&Cs) program and funding agreement management functions, and its compliance with the Treasury Board’s Policy on Transfer Payments (the Policy).

The audit focused on governance, risk management, internal controls, and processes related to the program and agreement management, as well as administration functions within the G&C cycle including:

  • the development and implementation of policies, procedures, support tools, information management systems, and training in support of program roll-out and ongoing management; and,
  • processes and activities already in place for the monitoring of contribution agreements. 

This audit did not examine the effectiveness of the results obtained by the recipients of the G&Cs.

Why it is important

G&Cs represent transfer payments by the Government of Canada, and are a major commitment of government resources. They are governed by the Treasury Board’s Policy on Transfer Payments and Directive on Transfer Payments. The objective of the Policy and Directive is to ensure transfer payment programs are managed with integrity, transparency, and accountability, while taking into account risk, ensuring that programs are effectively focused on citizens and beneficiaries, and are designed to achieve various Government of Canada priorities and expected results.

The Public Health Agency of Canada (PHAC or the Agency) uses G&Cs to provide funding to community, voluntary, not-for-profit, and private sector organizations, as part of fulfilling the agency’s mandate and its strategic outcomes. The Agency’s spending on G&Cs amounted to more than $190 million in each of the past three fiscal years.

What we found

We found that there was an adequate management control framework in place which included governance, risk management processes, and related internal controls to support effective management of G&Cs. Management processes and practices were effective in the following areas:

  • adequate mechanisms for reporting to senior management through formal and informal processes, highlighting operational status and issues for decision-making;
  • clear and comprehensive guidance provided to programs, supported by the Centre for Grants and Contributions (CGC) and functional areas within all branches, which supports meeting the requirements of the Policy and Directive;
  • a strong planning process that demonstrates alignment of planned activities with identified departmental and branch priorities which is effective in managing financial resources; and,
  • implementation of a comprehensive risk-based monitoring strategy for recipient agreements.  

However, opportunities to address deficiencies were identified in the areas of: 

  • updating the Tier 3 governance structure to support timely decision-making in support of the coordinated and efficient delivery of G&Cs;
  • reviewing and updating the documentation of roles and responsibilities, with a view to clearly define accountabilities and responsibilities for key players involved in the management and administration of G&Cs;
  • developing and implementing formalized processes for documenting, monitoring, updating, and reporting on program-level risks and related risk management strategies;
  • developing a comprehensive training strategy to support a shared vision that balances accountability with recipient relationships and program outcomes;
  • establishing processes to document the rationale for, and approval of, release or reduction of holdbacks, and reduction of recoverable amounts identified through recipient audits; and,
  • improving access controls and change management practices relating to the Grants and Contributions Information Management System.

Management agreed with the recommendations in this report and provided an action plan addressing the agreed-upon recommendations to further strengthen the framework.

A - Introduction

Background

Grants and Contributions

  1. Grants and contributions (G&Cs) are part of a category of expenditures called Transfer Payments. Transfer payments are distinguished from other expenditures in that the Government of Canada does not receive goods, services or assets in return. The transfer payment recipient uses the funding for agreed-upon expenditures and activities that further the federal mandate. Transfer payments are a key instrument in delivering results for Canadians. The Treasury Board Policy on Transfer Payments (the Policy) and related Directive set out the government-wide expectations for transfer payments.
  2. Grants differ from contributions in the oversight requirements that general government policy imposes on departments and on recipients. Grants are appropriate when the amount of funding can be determined in advance, and eligibility criteria and information obtained before payment provide assurance that the grant will be used for the purpose for which it is provided. Contributions are appropriate when the department deems it necessary to monitor progress and results, receive an accounting of the use of funds from the recipient, and have the right to carry out a recipient audit (Footnote 1).

Grants & Contributions at PHAC

  1. The Public Health Agency of Canada (PHAC or the Agency) uses G&Cs to fund community, voluntary, not-for-profit, and private sector organizations for activities that support government policies and priorities. During fiscal year 2016-17, PHAC managed 25 grants and contributions programs, which funded approximately 800 recipients across the country and internationally, with expenditures of $190 million (Table 1). These expenditures accounted for almost one-third of PHAC’s annual budget of $587 million.
  2. G&Cs are administered and managed under various programs within the following branches and offices:
    • Health Promotion and Chronic Disease Prevention (HPCDP) Branch;
    • Health Security Infrastructure Branch (HSIB);
    • Infectious Disease Prevention and Control (IDPC) Branch; and,
    • Office of International Affairs (OIA).

The Office of the Chief Financial Officer (OCFO) supports all PHAC Branches and Offices in the administration of G&Cs agreements.  

Table 1: Grants and Contributions - Statistics
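| Branch responsible | 2015-16: Number of recipients | 2015-16: Grants | 2015-16: Contributions | 2015-16: Total | 2016-17: Number of recipients | 2016-17: Grants | 2016-17: Contributions | 2016-17: Total |
|---|---|---|---|---|---|---|---|---|
| HPCDP | 625 | $1.2M | $147M | $148.2M | 645 | $1.6M | $148.1M | $149.7M |
| IDPC | 148 | 0.3M | 29M | 29.3M | 155 | 0.7M | 30.4M | 31.1M |
| HSIB | 17 | N/A | 7M | 7M | 6 | N/A | 6.6M | 6.6M |
| OIA | 4 | 2.8M | 14.6M | 17.4M | 7 | 2.1M | 0 | 2.1M |
| Total G&Cs | 794 | $4.3M | $197.6M | $201.9M | 813 | $4.4M | $185.1M | $189.5M |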

Extract of data from Agency financial system (SAP) May 2017

Transfer Payment Business Process

  1. The Transfer Payment Business Process developed by PHAC outlines the key steps in G&Cs operations and management. The process is more fully described in the Grants and Contributions Business Management Model (BMM), which also documents the accountability and responsibilities of programs and the CGC for key aspects of the G&Cs life cycle.

Centre for Grants and Contributions

  1. The CGC, located within OCFO, supports the administration of PHAC’s G&Cs programs. CGC is responsible for the administration of contribution agreements, payments, financial oversight and recipient audits.
  2. CGC developed a set of Standard Operating Procedures (SOPs), information and tools to assist staff across the Agency in making informed decisions concerning the management and monitoring of G&Cs programs and agreements.

Programs and Regions

  1. Program staff at headquarters are responsible for the overall management of programs, which include stakeholder engagement, program design, assessment of funding requests, funding decisions, monitoring of the agreement and deliverables, and assessment of program outcomes. For certain G&Cs programs, the regions provide support in delivery, management, and performance measurement activities. 

Rationale for the audit

  1. The Agency’s spending on G&Cs amounted to more than $190 million in each of the past three fiscal years, and G&Cs were the main implementation vehicle for a significant portion of PHAC’s mandate.
  2. There were significant changes in recent years aimed at building an Agency-wide regime for the management of transfer payments, including the documentation of the BMM, the development of SOPs, the implementation of the Grants and Contributions Information Management System (GCIMS), and a re-alignment of roles and responsibilities among programs, regions, and the CGC. 

B - Findings, recommendations and management responses

Governance

Oversight structure

  1. Overall G&Cs governance structures at PHAC were well-defined given the disparate nature of programs across Branches. The Agency’s governance committee structure consisted of three tiers of committees. Tier 1 included the most senior decision-making and direction-setting committees, and it was supported by the advice and recommendations of Tier 2 committees. Both Tiers 1 and 2 were further supported by Agency-specific committees at the Tier 3 level. All levels of governance complemented the oversight that took place at the branch and centre levels.
  2. We found that the Tier 1 and Tier 2 committees were operating effectively in the oversight and monitoring of the delivery of G&Cs across the Agency. The committees conducted periodic reporting on specific G&Cs programs and on key G&Cs management issues, including financial forecasts, analysis of agreements by risk level, statistics on recipient audits, service standards, and status of current and upcoming solicitations.
  3. Oversight of G&Cs delivery within branches and centres was exercised through the Branch Executive Committees (BEC) and the Senior Management Committees respectively.
  4. PHAC established a horizontal governance structure for G&Cs at the Tier 3 level using the Grants and Contributions Management and Oversight Committee (GCMOC) and the G&Cs Sub-committee to support the coordinated and efficient delivery of G&Cs across the Agency. Review of the Committees’ terms of reference and meeting minutes confirmed that the Committees were adequately represented by management from centres, regions and OCFO. 
  5. While the Agency established an appropriate horizontal structure, we found that the GCMOC could be operating more effectively as a decision-making body. In instances where decisions were required to move forward with the implementation of key processes affecting the delivery of G&Cs programs across the Agency, there was no mechanism to ensure that these issues were escalated to GCMOC. As a result, decisions were not being made to resolve issues, resulting in delays, such as in the dissemination of the recipient guide which would improve the delivery of G&Cs.

Recommendation 1

The Chief Financial Officer should collaborate with the Vice Presidents of the Health Promotion and Chronic Disease Prevention (HPCDP) Branch, Health Security Infrastructure Branch (HSIB), and Infectious Disease Prevention and Control (IDPC) Branch, to review the overall governance structure for G&Cs management, including the necessity of the Tier 3 committee, in order to ensure timely decision making in support of the coordinated and efficient delivery of G&Cs across the Agency.

Management response

Management agrees with the recommendation.

The Office of the Chief Financial Officer will collaborate with the Vice Presidents of the HPCDP Branch, HSIB, and IDPC Branch to review governance requirements related to grants and contributions management, taking into consideration the existing committees at the Tier II level (Policy and Operations).

Roles and responsibilities

  1. Programs, the Centre for Grants and Contributions (CGC), and the regions all have a role in the delivery of G&Cs at PHAC. Clear roles and responsibilities need to be defined in order for this matrixed approach to G&C delivery to work effectively.
  2. The Agency’s G&Cs Business Management Model (BMM) was developed in 2013, based on the business process reference model for G&Cs issued by the Treasury Board of Canada Secretariat (TBS). The BMM lists the key activities that occur throughout the life cycle of a G&Cs program, and articulates the responsibilities and accountabilities assigned to programs, CGC, and other functions within PHAC for each activity. CGC’s role was to oversee G&Cs administrative functions, such as issuing recipient agreements, payment processing, risk-based recipient monitoring, developing Standard Operating Procedures (SOPs), and ensuring that the Policy and Directive requirements were met. The programs’ role, as content experts, included responsibility for program design, funding decisions, meeting program objectives, monitoring recipient activities and performance, stakeholder engagement, program performance measurement, and addressing Agency priorities. 
  3. For some G&Cs programs, Regional Operations (RO) was assigned an active role in monitoring and overseeing regional projects and supporting recipients to ensure that project deliverables were met. Since the regional role varies by program, the BMM and SOPs intentionally did not make mention of RO in any aspect of G&Cs management. The expectation was that programs would use RO-Centre Agreements to document the extent to which RO would be responsible for any aspect of G&Cs delivery that was assigned to programs in the BMM or SOPs. The RO-Centre Agreements were in place until April 2017, but lacked performance measures, clarity of expectations, and precise roles and responsibilities. This made it difficult to evaluate performance under the agreements and effectively enforce accountability.  
  4. The BMM and RO-Centre Agreements were developed based on a theoretical view of how the various parties would work together with CGC providing financial policy direction and administrative support and regional colleagues providing on-the-ground insight into community needs and public health capacity. After several years of operating, actual experience highlighted issues possibly stemming from how change in accountability and roles and responsibilities under the centralized model were communicated. 
  5. We concluded that the Agency’s existing tools for defining roles and responsibilities for managing G&Cs under a centralized model had resulted in confusion and misalignment between accountabilities and responsibilities. Although programs had overall accountability for program policy and direction, not having full responsibility for carrying out all aspects of program delivery resulted in them having to rely on colleagues in regional operations and CGC for support. With neither CGC nor RO reporting directly to the programs, this relationship created some tension amongst key players as well as confusion with regard to ownership of decisions related to program activity and policy, especially where financial policy was implicated as accountability resided with the OCFO.  

Recommendation 2

The Chief Financial Officer collaborates with the Director General of Regional Operations, and the Vice Presidents of the HPCDP Branch, HSIB, and IDPC Branch, to clarify and define responsibility and accountability structures for all parties involved in the management and administration of G&Cs.

Management response

Management agrees with the recommendation.

The Business Management Model (BMM) developed to support implementation of the centralized G&Cs administration model will be reviewed to ensure all stakeholders are reflected, including regional operations, given their role in supporting program delivery.

Risk management

  1. We expected to find an established and effectively operating risk management framework for grants and contributions programs.
  2. The TBS Guide to Integrated Risk Management (May 2016) states the importance of risk management as a core element of effective public administration. The effective management of risk contributes to improved decision making and better allocation of resources. The Guide also states that a cohesive and integrated set of mechanisms for identifying, assessing, responding to, communicating, and monitoring risk in the form of a risk management process could enable programs to manage risks more systematically.
  3. We found that in 2009, the Agency adopted the Health Portfolio Integrated Risk Management (IRM) Framework for Grants and Contributions. The Framework clearly established expectations for the management of risk at the program level. However, we found that the Agency focused its risk management processes and activities on the individual or agreement levels.
  4. Even though it was reported in interviews that program risks may be discussed and addressed in program or branch committee meetings and similar forums, the identification, assessment and management of risks at a program level was generally not established as a regular, formal, and documented activity.
  5. We found that only two of the five programs examined had evidence of formal identification of program-level risks. However, in these cases, there was no evidence of regular monitoring or updating of program-level risks, and associated risk management strategies.

Recommendation 3

The Chief Financial Officer, supported by the Office of Strategic Policy and Planning, collaborates with the Vice Presidents of the HPCDP Branch, HSIB, and IDPC Branch to develop a formalized process for documenting, monitoring, updating, and reporting risks and risk management strategies at the G&Cs program level, in accordance with the IRM, and to be implemented within the Vice-President’s respective program area.

Management response

Management agrees with the recommendation.

The Office of the Chief Financial Officer, supported by the Office of Strategic Policy and Planning, will collaborate with the Vice Presidents of the HPCDP Branch, HSIB, and IDPC Branch to develop a formalized program-level risk management process. The VPs will implement the agreed-upon formalized approach within their respective program areas.

Internal controls

Support for the Management Control Framework

  1. We expected to find that the management control framework for G&Cs was supported by policies, procedures, tools, guidance and training.

Policies, procedures, tools and guidance

  1. The G&Cs SOP Database was developed by CGC to document a standardized approach to managing G&Cs programs throughout the Agency and SOPs were established to support the main activities of the G&Cs process. The SOP Toolbox document summarized the mandatory actions and tools, with references, to explain to users the reasons for a recommended approach.  We found several of the main SOPs (Transfer Payment Agreements, Solicitation, Financial Processes, and Recipient Audit) had been under revision for some time which could be a source of confusion. In addition, programs developed tools and guidance documents to supplement the existing Agency-wide processes for meeting program-specific needs.
  2. We found that PHAC had policies, procedures and practices that supported meeting the requirements of the Policy and Directive. Gaps were noted regarding explicit processes or guidance functions for risk assessment and risk-based management at the program level (refer to Recommendation 3). Gaps were also noted in process, guidance, support and challenge functions to ensure that research and program design were done well.
  3. GCIMS is the corporate tool for managing G&Cs agreements. It is used for workflow management, transaction processing, and storage of the digital corporate record for G&Cs. CGC staff have access privileges that allow for entries and uploads within GCIMS, while programs and RO have read-only access. Programs and RO send recipient documentation and approval forms via email to CGC for upload into GCIMS. There is an opportunity to increase the efficiency and timeliness of document upload to GCIMS by expanding the access privileges of program and RO staff.

Training

  1. At the Agency level, CGC offered training related to the use of GCIMS modules. This training was mandatory for receiving user access in GCIMS and focused on the technical aspects (skills and steps) required to complete the workflow of various G&Cs activities. CGC also provided training with regard to the SOP Database as well as the Solicitation Database. 
  2. We found that program-level training was primarily on-the-job instruction and mentoring of new staff by more senior officers or managers, supported by program-specific guidance documents and tools. In addition, many interviewees had completed the Canada School of the Public Service course on Managing Grants and Contributions. Program staff expressed the need for additional training with regard to project management, effective communication, and negotiating skills.  
  3. The BMM specifically stated the requirement of a strong commitment to working transparently and collaboratively at all levels. Results of audit interviews highlighted that there was not always a shared vision among those involved in G&Cs delivery of the balance between accountability and fostering recipient relationships. As a result of this imbalance, relationships between CGC, programs and regions were sometimes difficult, resulting in delays and inefficiencies in G&Cs delivery. Key players mentioned that there was a need to increase G&Cs capacity, at all levels, through skills development, knowledge, understanding of internal roles, and sensitivity to the context within which recipients operate. This would form a basis for effective relationship building while ensuring respect of transfer payment requirements, contribution agreements, and prudent and effective use of public funds.

Recommendation 4

The Chief Financial Officer collaborates with the Vice Presidents of the HPCDP Branch, HSIB, and IDPC Branch, to develop a comprehensive training strategy to support a shared vision that balances accountability with recipient relationships and program outcomes.

Management response

Management agrees with the recommendation.

The Office of the Chief Financial Officer will collaborate with the Vice Presidents of HPCDP, HSIB, and IDPC to develop a comprehensive G&Cs training strategy, taking into consideration materials available from the Centre for Grants and Contributions and the Canada School of Public Service.

Program Planning and Implementation

  1. We expected to find that processes to design, plan and implement G&Cs programs were established and operating effectively.

Program design and approval

  1. The BMM outlined responsibility and basic steps for program design and re-design. Given the centralized model for G&C administration focused on program implementation, there was no comprehensive documentation providing guidance to ensure that due diligence was exercised in the development and renewal of G&Cs programs, in alignment with the Policy. With the expectation that Programs would work directly with central agencies, they mostly relied on informal support from staff within the Agency or on previous program experience for guidance in the process.
  2. For new programs, program management conducted research on the public health environment to gather evidence-based information and identify issues, needs, gaps and commonalities, and engaged with external stakeholders. However, there was no robust process for programs to analyse and determine whether transfer payments were an appropriate and effective method to meet program objectives.  
  3. Once a program concept was developed, the process for presenting related information for ministerial approval and submission to Treasury Board was well-defined. The Resource Management and Advisory Division (RMAD) within the OCFO guided the submission process through a series of internal reviews and approvals, as well as scrutiny and approval by the TBS.
  4. Programs reported that evaluations were a main impetus for program redesign, as they assessed the continued need for the program, its alignment with government priorities, and achievement of expected outcomes.

Planning process for G&Cs programs

  1. Planning for G&Cs programs was captured within the planning activities of their respective centres and branches. Each centre prepared work plans using standardized templates that consolidated planned activities, milestones, deliverables, and timelines for programs. Branch Operational Plans (BOPs) consolidated and augmented the centre-level planning to link branch and centre planning with the Agency’s mandate, strategic outcomes, and annual priorities. BOPs were reviewed and approved by Branch Executive Committees (BECs). A review process conducted over the year served as an effective means of identifying delays in reaching milestones and budget expectations.
  2. The annual regional planning process involved communication between programs, centres and Regional Leads as to the extent of activities the centres required from RO. Each region prepared a detailed work plan detailing the work to be done for each centre, and the resources needed to complete this work. An examination of the 2017-18 regional plans found that they were comprehensive and incorporated key activities and deliverables, including recipient monitoring and stakeholder engagement work on behalf of G&C programs.

Program visibility

  1. Programs used a variety of mechanisms to make information on solicitations available to potential applicants. Programs often disseminated information on upcoming solicitations through networks, newsletters and other media that provided a link to organizations operating in that specific public health sector. The Government of Canada website was used to provide public information, including a description of each program, eligibility requirements, application process, examples of current approved projects, and contact information for follow-up questions. However, the information was difficult to find on the Government of Canada website and some was out-of-date. 

Program solicitation and recipient selection

  1. We found that programs established evaluation panels and committees to evaluate applications. Where applicable, panels and committees included external members, further supporting a fair and transparent assessment process. There was also a process in place for committee members to declare conflicts of interest.
  2. Programs developed clear processes for the assessment of project applications through the use of program guides and evaluation tools. Analysis of a sample of assessments across five programs identified that, although the majority of assessments were documented, the rationale for funding recommendations was not always rigorous. For instance, in a recent round of funding, the assessment of what recipients were expected to accomplish with transitional funds, and their alignment with the approved budget, was weak. In addition, we found that recipients’ past performance (i.e., timely submission of reports, financial accountability, and meeting project objectives) was not formally considered in the decision to renew funding agreements, despite the likelihood that a continued relationship would involve a high risk of non-compliance under the agreement and would not respect sound stewardship. While risk of non-compliance based on past performance was not part of the decision making, it was adequately considered under the risk-based strategy for monitoring and reporting.   
  3. Overall, we concluded that programs established satisfactory structures and processes to ensure that the selection of projects and recipients is unbiased, fair, transparent, and documented.    

Contribution agreements

  1. Contribution agreement (CA) templates were developed by the CGC, in conjunction with Legal Services, to ensure conformance with Policy and Directive requirements. The templates were hosted in GCIMS for version control. Any deviations from the standard templates required justification and approval. Once the CA was approved, CGC and the program held a conference call with the recipient to walk through the entire contribution agreement, in order to ensure that recipients understood the requirements for activities and reporting under this legally binding agreement.

Program Management, Monitoring and Reporting

  1. We expected to find that program monitoring, management and reporting processes were established and operating effectively.

Program management and monitoring

  1. G&Cs programs typically followed an annual cycle of agreement management activities including: updating recipient work plans, when necessary, receiving and analyzing reports, and issuing payments. G&Cs programs also manage multi-year cycles for program requirements, such as evaluations, recipient training, stakeholder engagement, program renewal, and solicitations. The overlapping demands of this cyclical program work with the ongoing agreement management activities required careful management to ensure that both types of work were staying on schedule. 
  2. To manage workloads and identify emerging issues, programs used various databases, trackers, and other tools. For instance, the Solicitation Database was developed to respond to the needs of senior management, as it provides information on key dates in the solicitation process, stages of approval, and forecasts of expenditures broken down by fiscal year.
  3. Programs, centres and branches were subject to rigorous financial monitoring through the periodic monthly variance reporting (MVR) process to forecast budget surpluses and address Agency priorities.

Reporting of program results

  1. Programs established effective performance measurement strategies and performance indicators to support reporting on results. The reporting requirements in the contribution agreement were the primary means of soliciting and collecting data from recipients to address performance indicators. Programs were mindful to balance the desire for more data to support program performance analysis with the burden increased data tracking and reporting requirements put on recipients. Periodic program evaluations provided a more fulsome analysis of program performance results.

Agreement Management

Monitoring of recipients/agreements

  1. We expected to find that monitoring of projects and recipients followed a risk-based strategy and were operating effectively.
  2. The majority of the monitoring activities were triggered by recipient reporting requirements. The frequency and nature of recipient reporting was specified in Appendix C of the CA, based on the agreement/recipient risk assessment tool (ARRAT) and the Risk-based Monitoring Strategy. The reporting requirements were set up as workflow checkpoints in GCIMS, which had to be completed before payments could be issued under the agreement.
  3. Responsibility for monitoring activities was split between CGC and the programs (who may also involve the regions). CGC, programs and regions all confirmed that they coordinated this review so that financial and activity reports were compared to reveal any discrepancies or concerns. Programs and regions conducted site visits and structured teleconferences with recipients to augment the monitoring done through written reports. CGC undertook further due diligence reviews of financial information for selected recipients.
  4. In the event of non-compliance by recipients (i.e. reports not submitted or agreed-upon activities not undertaken), programs and CGC were guided by the Compliance Guidelines, which outline the appropriate management actions and requirements for escalating the issue to senior management. 
  5. Our analysis of a sample of agreement monitoring activities found that these were planned based on the recipient risk profile and were operating effectively to promote compliance with the agreement.

Holdbacks

  1. As part of the Risk-based Monitoring Strategy, the CGC established a policy where the Agency is entitled to withhold up to 10% of the contribution from the final year of funding which should only be released once the project is completed and the Agency is satisfied that the recipient’s reporting requirements are met. In the case of ongoing projects that are being recommended for renewal, the initial holdback is released and reapplied to the last payment under the new agreement. Interviews with CGC and programs highlighted that the 10% holdback can be reduced if recipients demonstrate a financial hardship. Our analysis of a sample of 20 agreements found that holdbacks were withheld for each agreement and the percentage varied between 6% and 10%. However, we did find two instances where holdbacks for non-renewed projects were released before final reports were approved. Consequently, this decreases the Agency’s leverage to ensure recipient compliance with the terms of the CA and avoid overpayment. In addition, we found that these deviations from the strategy were not always appropriately documented.

Recipient audits

  1. As part of the overall recipient monitoring plan, some recipients were subject to audits. The Recipient Audit Plan aims for the conduct of 25 audits each year, but due to staff shortages, only 10-15 audits were completed in the last year. Each recipient audit report was issued to the respective program director for comments, and to establish a financial plan with the recipient to recover any identified overpayments. Through interviews and document review, we found that programs often reduced the recoverable amount identified by the CGC with limited documentation for the change. Programs stated that reasons for the reductions include: various ineligible costs had not yet been communicated to recipients; ambiguity regarding the terms of pre-paid costs; and costs incurred in the wrong year due to administrative errors. The appropriateness of the recoverable amounts could not be fully assessed given that there was no clear process for programs to document their decision-making process with the goal of obtaining approval. The Chief Audit Executive will conduct an audit on the determination of recoverable amounts to provide reasonable assurance that amounts identified for recovery from G&C recipients are appropriate.

Recommendation 5

The Chief Financial Officer establishes processes to document the rationale and approval for release or reduction of holdbacks, and the reduction of recoverable amounts identified through recipient audits. 

Management response

Management agrees with the recommendation.

The Office of the Chief Financial Officer will establish a process to document the rationale and approval for release or reduction of holdbacks. In addition, CGC will be offering training to officers to ensure that this process is respected. For recipient audits, a process will be established for the reduction of recoverable amounts. Some initiatives have already been put in place, including an update to the Standard Operating Procedures, and require approval from the CFO and Program VP for all deviations from CGC-recommended audit recoveries. A decision table has also been implemented and issued to programs, along with the final compliance report. This table outlines the audit findings, the CGC-recommended recoveries, and the program’s decision on recoverable amounts.

User Access Controls

  1. We expected to find that processes to control access to GCIMS were established and operated effectively.
  2. There was a process in place to control access to GCIMS. However, there are opportunities for improvement to the process to further mitigate potential risks related to user access.
  3. GCIMS was the main system used to manage G&Cs at PHAC. The system automates the transfer payment business processes, and manages funding agreements and related information. Its functionality offers key benefits that are intended to improve overall efficiency, control and accountability, including in the areas of:
    • creation and management of funding agreements, amendments and adjustments, including built-in controls related to the use of contribution agreement (CA) templates and tracking of the approval processes;
    • financial transaction management and reporting through an interface with the departmental financial system; and,
    • submission, review, and approval of recipient reporting requirements.
  4. GCIMS was hosted, managed and maintained by Indigenous and Northern Affairs Canada (INAC). PHAC was provided access to GCIMS under an interdepartmental service arrangement.
  5. The process for providing access to GCIMS was governed by the INAC - Financial Applications User Access and Security Framework, which outlined the requirements and controls for user access to the corporate financial systems at INAC. Any users granted access to these systems must meet security clearance requirements.
  6. At the time of audit, Transfer Payment Management Services (TPMS) within the Chief Financial Officer Branch at Health Canada (HC), managed the following activities with respect to user access controls for PHAC employees:
    • managing user access protocols for GCIMS, including various related forms;
    • creating and maintaining user accounts for the GCIMS environment;
    • coordinating periodic business reviews of authorized users, and promptly notifying INAC of required changes to user authorizations; and
    • coordinating periodic reviews of GCIMS information.
  7. PHAC managers approved the user access given to each PHAC staff member by requesting that TPMS activate certain user roles and permissions. PHAC managers were also responsible for notifying TPMS when these user roles and permissions should have been adjusted.
  8. Interviews were conducted with business managers from PHAC and TPMS. A sample of access control forms and a list of GCIMS users were also examined, as was documentation relating to user account management, provided by TPMS. Access to, and use of, GCIMS was based on established user roles and permissions, as defined by the service provider. However, the audit made the following observations that indicate the process for managing ongoing access to the system by existing users should be improved:
    • from a sample of nine PHAC users reviewed, we noted four instances where the manager confirmed that the assigned user account privileges were no longer commensurate with the individual’s position, or where the employees had access to GCIMS either while on assignment or on maternity leave;
    • a review of GCIMS access granted to all PHAC staff occurred only once a year. Industry best practices on account management require that user access reviews are undertaken more frequently;
    • not all user access profiles are supported by up-to-date Access Control Forms; and,
    • user accounts are assigned ‘dormant’ status after 90 days of inactivity, but not automatically disabled, and can be reactivated by an individual with the previous access password.
  9. The above-noted deficiencies pose a level of undue risk of unauthorized or inappropriate access to GCIMS, which could have an impact on the availability, confidentiality, and integrity of the data. It should be noted that, subsequent to the audit fieldwork, effective August 21, 2017, INAC resumed the roles and responsibilities for managing access to GCIMS previously carried out by TPMS. It is further noted that, subsequent to audit fieldwork, the annual process for review of user accounts within PHAC was enhanced by including system user profiles as part of the communication exchange seeking affirmation of user access from business units. 
  10. In conclusion, improvements can be put into place to ensure that access to GCIMS is managed in accordance with the Financial Applications User Access and Security Framework, and in a manner that further mitigates access-related risks.
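
The four observations in item 8 can be checked mechanically between manager-led reviews. The following is an added illustration, not part of the audit report and not GCIMS or INAC code: the record fields, status values, finding codes and sample accounts are constructed, and the 90-day review interval is an assumption (the audit asks for more frequent reviews without naming an interval).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

DORMANT_AFTER = timedelta(days=90)  # inactivity threshold named in the audit


@dataclass
class Account:
    """Hypothetical export row; these are not GCIMS field names."""
    user: str
    enabled: bool                    # False once the account is actually disabled
    last_login: date
    hr_status: str                   # assumed values: "active", "leave", "assignment"
    roles_changed: date              # when roles/permissions were last altered
    roles_confirmed: Optional[date]  # last manager confirmation of the roles
    form_date: Optional[date]        # date of the Access Control Form on file


def review(accounts: List[Account], today: date,
           review_interval: timedelta = timedelta(days=90)) -> Dict[str, List[str]]:
    """Return {user: [finding codes]} for enabled accounts that need action."""
    report: Dict[str, List[str]] = {}
    for a in accounts:
        if not a.enabled:
            continue  # a disabled account cannot sign in; nothing to review
        findings = []
        # Inactive past the threshold but still usable with the old password.
        if today - a.last_login > DORMANT_AFTER:
            findings.append("DORMANT_NOT_DISABLED")
        # Holder is away from the position but access was left in place.
        if a.hr_status in ("leave", "assignment"):
            findings.append("ABSENT_WITH_ACCESS")
        # No manager confirmation within the review interval.
        if a.roles_confirmed is None or today - a.roles_confirmed > review_interval:
            findings.append("REVIEW_OVERDUE")
        # Form missing, or older than the roles it is supposed to authorize.
        if a.form_date is None or a.form_date < a.roles_changed:
            findings.append("FORM_OUT_OF_DATE")
        if findings:
            report[a.user] = findings
    return report


# Constructed sample data for illustration only.
TODAY = date(2017, 6, 30)
SAMPLE = [
    Account("user_a", True, date(2017, 6, 20), "active",
            date(2017, 1, 10), date(2017, 5, 1), date(2017, 1, 10)),
    Account("user_b", True, date(2017, 2, 1), "leave",
            date(2016, 4, 1), date(2016, 9, 1), date(2015, 3, 1)),
    Account("user_c", False, date(2016, 11, 1), "active",
            date(2016, 1, 1), date(2017, 6, 1), date(2016, 1, 1)),
    Account("user_d", True, date(2017, 6, 28), "assignment",
            date(2017, 3, 1), date(2017, 6, 1), None),
]

if __name__ == "__main__":
    for user, findings in review(SAMPLE, TODAY).items():
        print(user, ", ".join(findings))
```

Running the same data with a 365-day review interval drops the overdue-review finding for user_b, which is how an annual cycle leaves stale privileges unflagged for most of the year.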

Recommendation 6

The Chief Financial Officer ensures that controls over user access to GCIMS are strengthened. Actions that would further strengthen existing controls include:

  • a formal process to ensure timely notification by business owners to the service provider of user access change requirements, reinforced by adequately communicating related manager responsibilities; and,
  • more frequent reviews and updates of user access profiles and related privileges.

Management response

Management agrees with the recommendation.

In collaboration with the Agency’s Health Portfolio partners, actions will be taken to improve controls and management of GCIMS access.

Change management controls

  1. We expected to find that processes and procedures used to manage system changes to GCIMS were established and operated effectively.
  2. There was a process in place for managing changes to GCIMS, but it was not always followed or did not use the change management practices (see Footnote 2) that should be used to ensure successful implementation of changes made to GCIMS.
  3. It is important to follow a strong change management process in order to increase the likelihood that a change made to GCIMS will be successful. Best-practice controls ensure that ongoing changes to programs and related infrastructure components are requested, authorized, performed, tested, and implemented to achieve management’s application control objectives.
  4. The typical subcomponents of program change management include:
    • management of maintenance activities;
    • specification, authorization, and tracking of change requests;
    • testing and quality assurance;
    • implementation to production; and
    • segregation of duties (programmer access to production).
  5. The change management process for GCIMS was described in the service level agreement between INAC and PHAC. There was a governance structure in place to manage changes to GCIMS. The structure consisted of the GCIMS Operations and Support Committee, the GCIMS Executive Advisory Committee, and the GCIMS ADM Steering Committee, each having distinct roles and responsibilities in the overall review and approval process.
  6. The processes around two major GCIMS-related changes and releases implemented in 2016-17 were examined through interviews with business users, review of correspondence between business users and the service provider, and Records of Decisions from both the GCIMS Operations and Support Committee and the GCIMS Executive Advisory Committee. Documentation regarding changes made to GCIMS for the period under review, provided by the business users, was also reviewed. We noted that processes and procedures to manage change for GCIMS did not always follow necessary practices, specifically:
    • documentation pertaining to changes made to GCIMS, including updates of the associated standard operating procedures, was not comprehensive or timely; and,
    • changes were put into production without sufficient testing by business users who were not provided enough time to conduct user acceptance testing, or not all business users participated in GCIMS release testing.
  7. Interviews with business users and reviewed correspondence indicated that the shortcomings in the change management process affected the functionality of GCIMS, resulting in inefficient workarounds, difficulty in getting buy-in from users to the proposed changes in GCIMS, and a lack of consistent procedures for processing agreements. A further challenge faced by users in managing changes to GCIMS was the lack of adequate in-house technical knowledge, which limited their ability to challenge, and have meaningful input into, proposed changes by the system administrators. It was identified that a resource with expertise in this area, such as a business analyst, would have bridged the knowledge gap between users of the system and technical support services of the system administrator. Furthermore, it was stated that during the GCIMS implementation and adaptation phases, and during initial system changes, users felt some pressure to ‘accept’ changes in cases where their concerns or issues may not have been fully addressed or resolved.   
  8. The deficiencies identified above increased the risk that users become disgruntled and decide to bypass controls or adopt secondary systems to manage G&Cs, either of which could have an adverse impact on the integrity of the information in GCIMS, and on efficiency of operations. 
  9. We concluded that improvements are required to the change management process related to GCIMS.

Recommendation 7

The Chief Financial Officer and the service provider ensure that changes to GCIMS affecting PHAC operations are supported by sufficient user testing within PHAC, that includes adequate input from PHAC technical subject-matter experts, and are accompanied by updates to system documentation in a timely manner.

Management response

Management agrees with the recommendation.

The Office of the Chief Financial Officer will work with INAC Services to strengthen processes and protocols for user acceptance testing to ensure PHAC operations are not adversely affected by any GCIMS future upgrades or system changes. 

C - Conclusion

  1. We found that an adequate management control framework was in place, including governance, risk management processes, and related internal controls to support effective management of grants and contributions (G&Cs). Areas where effective processes and sound management practices were identified include:
    • adequate mechanisms for reporting to senior management through formal and informal processes, highlighting operational status and issues for decision-making;
    • clear and comprehensive guidance provided to programs, supported by the Centre for Grants and Contributions (CGC) and functional areas within all branches, which supports meeting the requirements of the Policy and Directive;
    • a strong planning process that demonstrates alignment of planned activities with identified departmental and branch priorities, and is effective in managing financial resources; and
    • implementation of a comprehensive risk-based monitoring strategy for recipient agreements.  
  2. However, opportunities to address deficiencies were identified in the areas of: 
    • updating the Tier 3 governance structure to support timely decision-making in support of the coordinated and efficient delivery of G&Cs;
    • updating the documentation of roles and responsibilities, with a view to clearly define accountabilities and responsibilities for key players involved in the management and administration of G&Cs;
    • developing and implementing formalized processes for documenting, monitoring, updating, and reporting on program-level risks and related risk management strategies;
    • developing a comprehensive training strategy to support a shared vision that balances accountability with recipient relationships and program outcomes;
    • establishing processes to document the rationale and approval for release or reduction of holdbacks, and the reduction of recoverable amounts identified through recipient audits; and,
    • improving access controls and change management practices relating to the Grants and Contribution Information Management System.
  3. The areas for improvement that have been noted in this audit report will collectively strengthen the effectiveness of the control framework for program and funding agreement management functions in the Agency.

Appendix A – Scorecard

Audit of the Management of the Grants and Contributions at Public Health Agency of Canada
Criterion | Rating | Conclusion | Rec #
Governance
1.1 Governance / Oversight | One major deficiency | Governance structures are in place, but the effectiveness of the Tier 3 horizontal structure needs improvement. The documentation of roles and responsibilities should be updated to clearly define accountabilities and responsibilities. | 1 & 2
Risk Management
2.1 Risk management | One major deficiency | There is a high level of risk awareness but this should be supported by requirements for documentation, update, and reporting of risks and related risk management strategies at the individual program level. | 3
Internal Controls
3.1 Support for the Management Control Framework | Minor deficiencies | The management control framework is supported by policies, procedures, systems, tools, and guidelines. Greater efficiency could be attained by allowing programs and RO to upload documentation into GCIMS. The framework should be enhanced with a comprehensive training strategy to support a shared vision that balances accountability with recipient relationships and program outcomes | 4
3.2 Program Planning and Implementation | No deficiencies | Processes to design, plan and implement programs are established and operating effectively. However, there is an opportunity for programs to analyse and determine whether transfer payments are the most effective tool in program delivery. |
3.3 Program Management Monitoring and Reporting | No deficiencies | Processes for program management, monitoring, and reporting are established and operating effectively |
3.4 Agreement management | One major deficiency | Processes for agreement management are established and embedded in the GCIMS system. Holdbacks are included in agreement terms but may not be being used effectively. Programs should document the rationale for reducing recoverable amounts identified by recipient audits. | 5
3.5 ITGC – User Access Controls | Minor deficiencies | There is a process in place to grant access to GCIMS based on user roles and defined permissions. There is opportunity to strengthen management of continued user access to the system, through a more formal process for notifying system administrators of user access changes, and conduct of more frequent user access reviews. | 6
3.6 ITGC – Change Management Controls | One major deficiency | There is a process in place for managing changes to GCIMS. Improvement to the process should be made to ensure that acceptance and implementation of changes are adequately supported by user testing within PHAC that includes adequate input from PHAC technical subject-matter experts, and are accompanied by updates to system documentation in a timely manner. | 7

Appendix B – About the Audit

Audit objective

The objective of this audit was to assess the effectiveness of the management control framework, as it relates to governance, risk management, and internal controls over program management and funding agreement management functions, in compliance with the Treasury Board’s Policy on Transfer Payments and Directive on Transfer Payments.

Audit scope

The audit covered grants and contributions (G&Cs) program and funding agreement management processes in place, and activities undertaken, during the 2015-16, 2016-17 fiscal years and the first quarter of 2017-18. The scope included the three branches that manage the largest grant and contribution programs, Health Promotion and Chronic Disease Prevention (HPCDP), the Infectious Disease Prevention and Control Branch (IDPC), and the Health Security Infrastructure Branch (HSIB), as well as the Office of the Chief Financial Officer (OCFO), which provides central support services. 

The controls at the program and agreement level were tested in five G&Cs programs chosen from the overall G&Cs program population, excluding the International Health Grants Program under the Office of International Affairs (OIA). The criteria used to select the sample programs ensured that multiple branches were represented, and that a variety of programs were covered (newly created or updated, financially material, multiple recipients, regional involvement). The five selected programs include: Collaborating Centres for Public Health, Immunization Partnerships, Community Action Fund, Aboriginal Head Start in Urban and Northern Communities, and Innovation Strategy.

The audit also included a review of Information Technology General Controls (ITGCs) for the Grants and Contributions Information Management System (GCIMS), which is the system used to manage the administration of G&Cs at PHAC. As GCIMS is an application hosted and managed by INAC, the scope of ITGC examination was limited to select IT controls related to user account management and change management, over which PHAC could exercise significant control. Accordingly, IT controls related to computer operations and configuration management managed by INAC and Shared Services Canada were not examined.

Audit approach

This audit was conducted at PHAC’s headquarters in the National Capital Region.

Procedures employed to obtain audit evidence included, but were not limited to:

  • In-person and telephone interviews with key branch, regional, program, and CGC personnel; and,
  • Review and analysis of framework documents, policies, plans, directives, procedures, tools, guidance and training documents, governance committee terms of reference, agendas and meeting minutes, risk assessment, monitoring and reporting documentation, and select recipient files.

The examination of ITGCs related to GCIMS was based on the Control Objectives for Information and Related Technology (COBIT) framework, and included interviews and focused testing procedures.

Lines of enquiry and criteria

Audit of the Management of Grants and Contributions
Criteria | Title | Audit Criteria
Governance
1.1 | Program Oversight | Oversight mechanisms are in place and operating effectively providing strategic direction and monitoring for grants and contributions programs.
Risk Management
2.1 | Risk Management Framework | A risk management framework for grants and contributions programs is established and operating effectively.
Internal Control Processes
3.1 | Support for the management control framework | The management control framework is supported by policies, procedures, standards, tools, training and guidance.
3.2 | Program Planning and Implementation | Processes to design, plan, and implement G&Cs programs are established and operating effectively.
3.3 | Program Management Monitoring and Reporting | Processes for program management, monitoring, and reporting are established and operating effectively.
3.4 | Agreement management | Project and recipient related activities follow a risk-based strategy and are operating effectively.
3.5 | ITGC - User Access Controls | Processes to control access to the Grants and Contributions Information Management System are established and operate effectively.
3.6 | ITGC - Change management controls | Processes and procedures used to manage changes to the Grants and Contributions Information Management System are established and operating effectively.

Statement of conformance

In the professional judgment of the Chief Audit Executive, sufficient and appropriate procedures were performed and evidence gathered to support the accuracy of the audit conclusion. The audit findings and conclusion are based on a comparison of the conditions that existed as of the date of the audit against established criteria that were agreed upon by management. Furthermore, the evidence was gathered in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing. The audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program.

Footnotes

Footnote 1

TBS Directive on Transfer Payments (April 2012).


Footnote 2

Control Objectives for Information and related Technology is a globally recognized IT governance framework.
