Audit of Shared Services Canada Personnel Onboarding and Offboarding Processes

A. Introduction

A.1 Background

Shared Services Canada (SSC) is committed to delivering reliable and secure technology services to the Government of Canada (GC). To achieve this goal, SSC implemented its enterprise approach^{Footnote 1}, which emphasizes the importance of building departmental capacity and skills. To deliver on its digital and IT service transformation objectives, SSC prioritized the transformation of its internal organization to enable, empower and engage employees while creating accountabilities and rethinking processes across the organization.

The business process owner of personnel onboarding and offboarding processes is the Director General of the Human Resources and Workplace (HRW) division. In 2019, the Chief Information Officer (CIO) was identified as the project sponsor for the Onboarding and Offboarding Process Improvement Initiative (OOPII). As per the project charter, the OOPII’s overarching objective was to improve the effectiveness and timeliness of the onboarding and offboarding experience at SSC.

The OOPII was ongoing during the examination period of the audit. The audit assessed and considered the changes to the processes up to March 2023 when issuing the audit findings and recommendations. Following the completion of the OOPII, the transfer of management of both processes from the OOPII team to HRW division will be facilitated through a phased approach; however, this had not yet occurred and there is no defined date for the transition.

Onboarding is the process designed to integrate new employees into the workplace during their first 6 to 12 months of employment. It includes providing employees with the information, skills, socialization, tools, and resources needed to become productive and contributing members of the organization. Effective onboarding promotes employee engagement and retention. It clarifies roles, responsibilities, and expectations, and increases employee understanding of organizational policies, programs, and practices. Onboarding processes must align with the Treasury Board (TB) Policy on People Management.

Offboarding is the process of managing an employee’s exit from the organization after their work relationship ends (i.e., contract expiration, retirement, termination, or voluntary departure). Effective offboarding supports the safeguarding of physical and digital security, effective management of data and information, and timely recovery of departmental assets. Offboarding processes must align with the TB Directive on Public Money and Receivables, and the Directive on Security Management, among others.

In the aftermath of the COVID-19 pandemic, the onboarding process had to adapt to new employees working remotely, and incurred delays in the delivery of IT equipment. Such delays prevented some new hires from being able to begin work on their scheduled start date. The COVID-19 pandemic also impacted the offboarding process, as hybrid work added complexity in coordinating the return of assets, such as IT equipment and access cards, from departing employees.

Impacts stemming from the COVID-19 pandemic changed the work environment for new and departing employees, placing greater emphasis on the need for effective processes, with appropriate controls, to support onboarding and offboarding.

A.2 Rationale for the audit

Onboarding and offboarding processes are essential for successful integration of employees and their eventual departure from the organization. Implementing guidance, tools, and controls to support management throughout these processes is critical for a productive workforce, a stronger culture, securing IT systems and assets, and a desired rate of retention.

SSC management has identified improper onboarding processes as an impediment to operations. Delayed completion of onboarding tasks can lead to retention issues, straining operational capacity and project delivery. When offboarding process activities are not completed properly, they pose risks that may lead to physical and digital security breaches and possible financial losses if asset returns are not effectively managed.

A.3 Audit authority

The Audit of SSC Personnel Onboarding and Offboarding Processes was approved in June 2022 by the President, as part of the 2022-2025 Risk-Based Audit Plan, as recommended by the Departmental Audit Committee.

A.4 Objective of the audit

The objective of this audit was to provide assurance that processes, including roles and responsibilities, guidance, and tools, were in place to effectively onboard and offboard SSC personnel in a timely manner. See Annex A for lines of enquiry.

A.5 Scope

The scope of this audit included SSC’s onboarding and offboarding processes and controls, including those for provisioning access to physical and information systems. The audit covered the period of April 1, 2022, through March 31, 2023.

Compensation activities directly related to onboarding and offboarding, the inventory for IT assets, language competency, and security requirements were not included in the scope of the audit.

A.6 Methodology

The audit was conducted through:

• interviews with relevant partners^{Footnote 2} and stakeholders^{Footnote 3}
• surveys administered to directors, managers, and administrative support staff involved in the onboarding and offboarding processes
• focus groups from samples of survey respondents
• walkthroughs of key processes and procedures
• process testing using data analytics of key controls
• documentation reviews

A.7 Statement of conformance

This audit engagement was conducted in conformance with the Institute of Internal Auditors International Professional Practices Framework and the TB Policy on Internal Audit, as supported by the results of Office of Audit and Evaluation’s quality assurance and improvement program.

B. Findings, recommendations and management response

B.1 Governance and accountability

B.1.1 Roles, responsibilities, and accountabilities

Audit criterion

Onboarding and offboarding roles, responsibilities, and accountabilities are clearly defined, documented, and communicated to relevant partners and stakeholders.

Finding

Onboarding and offboarding roles, responsibilities, and accountabilities for relevant partners and stakeholders were not clearly defined and documented, and were ineffectively communicated.

The lack of clearly defined, documented and communicated roles, responsibilities, and accountabilities for the onboarding and offboarding processes could cause inconsistencies and confusion in the implementation of processes, and disengagement among partners and stakeholders.

The HRW division is the business process owner of the onboarding and offboarding processes. The key stakeholders involved in both processes are the employees, the directors, the managers, and the administrative support staff.

The audit team found that SSC did not have an overarching policy instrument that governs the various activities related to the onboarding and offboarding processes. The review of the Hiring and Onboarding Guide and the Departure and Offboarding Guide, which are key documents for these processes published on MySSC+, found limited information on roles, responsibilities, and accountabilities.

This was further confirmed by survey results (detailed at Annex B) indicating that more than 70% of all respondents found that their roles and responsibilities for onboarding and offboarding were not clearly documented, communicated, and understood. Lack of awareness of the information available on MySSC+ led some individuals to create their own tools to clarify roles, responsibilities, and accountabilities within their teams.

The OOPII charter identifies the People and Workplace Board as the project steering committee for the duration of the initiative and includes roles related to review, update, and approval for both processes, but not for monitoring and reporting. Furthermore, responsibility for governance and oversight for both processes once the OOPII is completed was not documented.

The several high-level process maps, developed by the OOPII team, described key activities of each process; however, these process maps were not communicated to stakeholders. Development by the OOPII team of an operational framework, which would include onboarding and offboarding roles, responsibilities, and accountabilities was incomplete at the time of the audit, and thus was not assessed.

The recommendation associated with this finding is presented at Recommendation 1 (B.2.1.1).

B.2 Internal controls

B.2.1 Policies, processes, and controls

Audit criterion

Policies, processes, and relevant controls for onboarding and offboarding have been developed at the Departmental level to support its culture, mission, vision, and mandate, and are aligned with relevant Treasury Board policy instruments.

B.2.1.1 Policies, processes and controls are in place to support SSC’s culture, mission, vision, and mandate during the onboarding process

Finding

At the departmental level, there were no controls or policies in place to ensure that SSC’s culture, mission, vision, and mandate were conveyed to employees; however, a program existed within the onboarding process to communicate this information.

Lack of a clear departmental policy, well-defined processes, and effective controls in place during the onboarding process to communicate SSC’s culture, mission, vision, and mandate to new employees, may negatively impact SSC's retention rates, absenteeism, employee morale, and achievement of performance objectives.

Although the OOPII did not explicitly communicate SSC's culture, mission, vision, and mandate, initiatives such as the Buddy Program and the New Employee Orientation Program were implemented. The Buddy Program, piloted in fiscal year 2020-21 and launched as a departmental-wide program in 2022-23, assigned buddies to support new employees upon arrival. Buddies were responsible for communicating the organization’s culture and mission. However, there were no mechanisms to confirm this information was communicated.

The New Employee Orientation Program includes the New Employee Orientation Guide and virtual orientation sessions offered twice a year. These sessions provide information on SSC’s culture, mission, vision, and mandate; however, attendance was optional and not tracked.

The survey results indicated that the Buddy Program is not a well-known resource among stakeholders, with less than 30% of respondents being aware of its existence. As a result stakeholders had to find this information themselves or develop their own tools to convey SSC’s and their branch’s culture, mission, vision, and mandate to their respective staff.

Recommendation 1

High priority

The Senior Assistant Deputy Minister, Enterprise IT Procurement and Corporate Services Branch, should develop 1 or more departmental-wide policy instruments to clearly define, document, and communicate roles, responsibilities, and accountabilities for:

1. all partners and stakeholders involved in both onboarding and offboarding activities
2. governance structure and oversight
3. monitoring and reporting

Management response

The Enterprise IT Procurement and Corporate Services Branch (EITP-CSB) agrees with this recommendation. Policy instrument(s) will be useful tools to provide clarity for departmental onboarding and offboarding stakeholders, support the onboarding and offboarding functional oversight and service delivery, and to reduce security, financial, asset and information risk to SSC.

While onboarding and offboarding processes already exist at SSC, the Onboarding and Offboarding Oversight function is net new to the department and will require adequate resourcing to effectively support departmental needs. However, its implementation, along with audit recommendations, will drive efficiencies and reduce duplication across SSC.

B.2.1.2 Controls for onboarding and offboarding are aligned with Treasury Board (TB) requirements

Finding

The IT systems used to support the onboarding and offboarding processes are working in silos. Controls to support data integrity, accuracy and consistency and to ensure alignment with TB requirements were insufficient and ineffective.

In the absence of robust controls to ensure data integrity, accuracy and consistency across various systems used to process onboarding and offboarding activities, senior management may lack crucial information for decision-making and TB policy requirements may not be met. This could lead to security breaches, reputational damage and financial losses for SSC.

The 3 main TB policy instruments with requirements related to onboarding and offboarding are:

• The Policy on People Management – provides foundational support in developing and sustaining a high-performing workforce.
• The Directive on Security Management – includes requirements related to access to digital and physical information.
• The Directive on Public Money and Receivables – covers topics related to the return of public property upon an employee’s departure.

Separate systems were used to capture and manage information and actions for both processes, including Peoplesoft, Government of Canada Service eXpress (GCSX), SM9, and the Active Directory. These systems are siloed, and not fully automated or integrated. The audit identified the following issues within the datasets provided for testing that led to some limitations in data analysis.

• There was no unique identifier to connect a person between the different systems used. The fields and formats used to capture information within each system were inconsistent.
• Crucial information, such as the nature of the requested tasks (e.g., “return equipment”, “delete accounts”), was embedded in memo fields instead of a dedicated field, making it difficult to perform logical analyses on the datasets.
• There were no input field controls or data validation controls for some key data points, such as the name and date fields.

Furthermore, employees responsible for actioning the requests were required to manually transfer data from GCSX to SM9, resulting in data entry errors.

The focus of the audit team was on the offboarding process due to the higher risk of misuse of departmental assets and IT systems. The audit team used PeopleSoft to identify 1,889 departure records of employees who left SSC between April 1, 2022 and March 31, 2023.

The main control for the offboarding process is the departure request initiated by the manager through the GCSX system. From this request, some automated actions are triggered, such as the revocation of access, and the return of assets. The completion and signature of a departure form by the manager and the departing employee is also required. Once completed, this form must be submitted to MySSC Pay Desk to certify the fulfillment of all employment departure requirements and post-employment obligations^{Footnote 4}.

The audit team randomly selected 42 departure records from across all SSC Branches to test whether departure forms were completed, but only 9 forms were available and received. Results showed that 79% of records had no departure forms on file and for the 21% (9 forms) reviewed, the departure date differed between the form and the date identified in Peoplesoft. There was no evidence of monitoring to ensure that the departure form was correctly completed, signed, and submitted.

The audit team noted that there was no specific service standard established to assess the timeliness of asset returns or access revocation following the departure. The audit tests related to the return of assets showed that:

• Closing a record in SM9 does not guarantee the return of IT assets, nor does it trigger a notification to managers confirming the return. Given that the audit scope did not encompass an IT inventory assessment, the audit could not confirm whether IT assets were returned.
• [Redacted]
• The management of desks and chairs for home usage is manually tracked using Excel spreadsheets with no interactions with the other offboarding systems.
  • Out of the 59 records of offboarded employees reviewed who had received a desk, only 18 (31%) had either returned it or transferred it to another department. The audit team was unable to determine the status of desks issued to the remaining 41. This represents a significant potential loss of assets.
  • Out of the 116 records of offboarded employees reviewed who had been issued a chair, less than 10 people had returned it. The status of chairs issued to the remaining employees could not be determined. This represents a significant potential loss of assets.
• No issues were found related to taxi chits and acquisition cards with regards to offboarding procedures.
• The audit team did not assess the return of mobile devices. This would have added a layer of complexity to the audit since it required a review of an additional external system for their management. SSC acknowledged the data limitations and challenges related to the management of mobile devices and an initiative was in progress to address this at the time of the audit.

The audit tests related to access revocation showed that:

• The Digital Identity and Directory Management (DIDM) team defines 1 day as the ideal standard for access revocation. Only 21% (154 out of 744) of records were revoked within 1 day of departure.
• [Redacted]
• [Redacted]

The audit team noted that the DIDM team had established a good practice of monitoring the risk of unauthorized access post-departure by analyzing the information found in the Active Directory. This led to proactively deactivating accounts of employees who left SSC even if departure requests were not submitted in GCSX.

Annex C provides additional details related to the results obtained with the various tests conducted.

Recommendation 2

High priority

The Senior Assistant Deputy Minister, Enterprise IT Procurement and Corporate Services Branch, should ensure that the systems used for onboarding and offboarding processes include:

1. controls to support data integrity, accuracy, and consistency
2. connectivity and communication between the various systems to decrease manual transfer of information
3. controls in the systems to enable tracking ensuring alignment with Treasury Board requirements related to security of physical and digital information (revocation of access) and return of assets

Management response

EITP-CSB agrees with this recommendation. Ensuring that the systems used in onboarding and offboarding incorporate controls and enable connectivity between systems is essential for improving process delivery, enhancing the client and stakeholder experience, and reducing risk to the department.

B.2.2 Guidelines, procedures, and tools

Audit criterion

Guidance, procedures, and tools, including these related changes and improvements, have been developed and communicated to users to enable effective onboarding and offboarding process implementation.

Finding

Some guidance, including procedures and tools, was developed, but not well communicated to stakeholders to enable effective implementation of the onboarding and offboarding processes.

In the absence of clear and well-communicated guidance, procedures and tools, the implementation of onboarding and offboarding activities may be ineffective, and could potentially lead to duplicated efforts.

Both the Hiring and Onboarding Guide and the Departure and Offboarding Guide provided detailed descriptions of their respective activities, including step-by-step instructions, resources, and contact details.

The Hiring and Onboarding Guide covered the process of hiring through the integration of employees. This created confusion among stakeholders as to where the onboarding process actually started. The guide also included support tools such as the Buddy Program and the New Employee Orientation Program. Survey results (detailed at Annex B) indicated that about 70% of respondents were aware of the Hiring and Onboarding Guide with about 75% of those using the guide. Of the directors and managers who onboarded an employee, 57% indicated that the onboarding process allowed them to successfully welcome new employees.

However, 78% of survey respondents agreed that the onboarding process needed improvements. Despite the existence of the New Employee Orientation Program, the development of an orientation and welcome package was among the most popular suggestion for improving the onboarding process. Other suggestions included automating and streamlining the process; better communication of responsibilities; and reducing processing time for the delivery of IT equipment.

The Departure and Offboarding Guide outlined the necessary steps related to all departure activities, including the recovery of assets and revocation of physical and digital accesses. Survey results indicated that around 60% of respondents were aware of the guide with 49% of them using it. Of the directors and managers who have offboarded an employee:

• about 55% indicated that the offboarding process was effective and allowed completion in a timely manner
• about 65% agreed that the offboarding process still needed improvement. The most popular suggestions included: focusing on better communication; automating and streamlining the process; implementing stronger asset recovery controls; and providing notifications confirming the return of IT assets to managers.

Process updates have been made, primarily through the OOPII, and were communicated a few times throughout the year, through emails, the Managers’ and Executives’ Networks, and the SSC Gazette. However, these communication mechanisms were ineffective in reaching relevant stakeholders. Survey results showed that more than 60% of respondents were not aware of any improvements made to either process. Despite its noted ineffectiveness, most respondents indicated a preference for receiving updates via email.

The difficulty in locating current and comprehensive onboarding and offboarding information on MySSC+ led individuals to develop their own tools, resulting in duplicated efforts and potential inconsistencies in process execution across the department.

Recommendation 3

High priority

The Senior Assistant Deputy Minister, Enterprise IT Procurement and Corporate Services Branch, should:

1. develop a communication plan to improve awareness of available guidance and procedures to all partners and stakeholders involved
2. develop, document and communicate additional tools such as, but not limited to, checklists, governance structure and processes overview to improve implementation of the onboarding and offboarding processes

Management response

EITP-CSB agrees with this recommendation. In its oversight role for the Onboarding and Offboarding function, the Branch will ensure that service providers develop tools in support of their service delivery and that these tools will be incorporated into the integrated onboarding and offboarding processes and guides.

B.3 Monitoring and reporting

B.3.1 Monitoring and reporting

Audit criterion

Monitoring and reporting related to onboarding and offboarding processes and activities are in place at SSC to effectively identify risks, gaps, weaknesses, and opportunities for improvement.

Finding

Monitoring and reporting activities, including feedback mechanisms, to support continuous improvement of the onboarding and offboarding processes were not in place.

In the absence of monitoring and reporting mechanisms to evaluate the performance of onboarding and offboarding processes, inefficiencies may remain undetected and unaddressed. This can hinder informed decision-making, impede efforts to support continuous improvement of both processes, and jeopardize compliance with TB policies.

Outside of the activities conducted through the OOPII, such as Kaizen sessions and active networking with partners and stakeholders, there were no defined mechanisms for gathering feedback, performance reporting, or identifying issues and opportunities for improvement for either process.

While focus group participants interviewed by the audit team indicated that feedback was informally provided to their respective Branch Business Planning teams, this was seen to have brought little change. The HRW division and the OOPII team recognized the need for formalized feedback processes in support of continuous improvement.

There was little evidence of branches conducting their own performance monitoring and reporting. Less than 15% of directors and managers surveyed indicated that their branches actively monitored these processes by reviewing and updating their own tools, or by gathering feedback through discussions with new or departing employees.

The OOPII team has built a dashboard that provides a limited view of the onboarding process. It has only 1 Key Performance Indicator (KPI) that measures the timeliness of IT asset delivery to new employees. However, the KPI does not reflect the entire IT asset delivery process. SSC lacks access to the delivery confirmations from external providers which would show the efficiency of asset delivery. There was no evidence of monitoring and reporting activities being conducted for the offboarding process.

Compliance with relevant TB policies (i.e., Policy on People Management, Directive on Security Management, Directive on Public Money and Receivables) was also not being monitored or reported.

Recommendation 4

High priority

The Senior Assistant Deputy Minister, Enterprise IT Procurement and Corporate Services Branch, should ensure that monitoring and reporting activities are in place that include:

1. identification of clear standards for completing onboarding and offboarding activities in a timely manner to enable reporting of results
2. development and implementation of performance indicators to measure and enable reporting on effectiveness for both processes
3. development of mechanisms to gather feedback from partners and stakeholders involved and ensure that this information is used to continuously improve both processes
4. identification of relevant TB policy instruments, and their requirements, to ensure that both processes are in alignment with them

Management response

EITP-CSB agrees with the recommendation. The business process owner will engage with onboarding and offboarding service providers to collect their service standards and to design meaningful performance indicators to monitor and report on the effectiveness of service delivery for the end-to-end processes.

C. Conclusion

Well-executed onboarding and offboarding processes are key to a positive workplace and achieving organizational goals. Effective onboarding boosts employee engagement and retention, clarifies expectations, and minimizes errors, while proper offboarding supports organizational security, asset recovery, and knowledge management.

The audit team found that existing onboarding and offboarding processes were not effective to onboard and offboard SSC personnel in a timely manner. While onboarding and offboarding process guides are published on MySSC+, the audit found that:

• roles, responsibilities, and accountabilities for governance and oversight bodies, the business process owner, the partners, and the stakeholders were not clearly defined and documented, and were ineffectively communicated
• although some guidance, including procedures and tools had been released, not all stakeholders were aware of them
• controls to ensure communication of SSC’s culture, mission, vision, and mandate within the onboarding process did not exist
• processes operated in separate, unintegrated systems and applications, resulting in silos, manual data entry, and ensuing data entry errors
• monitoring and reporting activities to assess effectiveness of controls in​ place for each process, compliance with TB requirements, and to support continuous improvement were not in place

Of note, through the OOPII led by the CIO, and in partnership with the HRW division, SSC has demonstrated awareness and a commitment to refining both processes by addressing these issues and focusing on user needs in support of continuous improvement as outlined in this audit.

Annex A – Specific lines of enquiry and audit criteria

Line of enquiry 1: Governance and accountability

Line of enquiry: Roles, responsibilities and accountabilities

Audit criteria:

• 1. Onboarding and offboarding roles, responsibilities, and accountabilities are clearly defined, documented, and communicated to relevant partners and stakeholders.

Line of enquiry 2: Internal controls

Line of enquiry: Policies, processes, procedures, tools, and guidance

Audit criteria:

• 2.1 Policies, processes, and relevant controls for onboarding and offboarding have been developed at the Departmental level to support its culture, mission, vision, and mandate, and are aligned with relevant Treasury Board policy instruments.
• 2.2 Guidance, procedures and tools, including related changes and improvements, have been developed and communicated to users to enable effective onboarding and offboarding process implementation.

Line of enquiry 3: Monitoring and reporting

Line of enquiry: Monitoring and reporting

Audit criteria:

• 3. Monitoring and reporting related to onboarding and offboarding processes and activities are in place at SSC to effectively identify risks, gaps, weaknesses, and opportunities for improvement.

Annex B – Detailed survey results

A survey was administered to directors, managers, and administrative support staff, with the following response rates:

Stakeholder group	Number of surveys administered	Number of surveys completed	Response rate
Directors	393	117	30%
Managers	1683	515	31%
Administrative support staff	375	145	39%

Additional details for Section B.1.1:

For the onboarding process:

Of those surveyed, results indicated that for their own roles and responsibilities,
23% of directors and managers 32% of administrative support staff	found they were clearly documented, effectively communicated, and well understood.
35% of directors and managers 28% of administrative support staff	found they were not clearly documented, effectively communicated, and well understood.
27% of directors and managers 26% of administrative support staff	found they were either clearly documented, effectively communicated, or well understood.
15% of directors and managers 14% of administrative support staff	noted a combination of 2 of the following: clearly documented, effectively communicated, or well understood.

For the offboarding process:

Of those surveyed, results indicated that for their own roles and responsibilities,
16% of directors and managers 28% of administrative support staff	found they were clearly documented, effectively communicated, and well understood.
41% of directors and managers 37% of administrative support staff	found they were not clearly documented, effectively communicated, and well understood.
30% of directors and managers 27% of administrative support staff	found they were either clearly documented, effectively communicated, or well understood.
13% of directors and managers 8% of administrative support staff	noted a combination of 2 of the following: clearly documented, effectively communicated, and well understood.

Additional details for Section B.2.2:

Guidance / Tool	Awareness	Usage
Hiring and Onboarding Guide	71% of directors, 68% of managers, and 67% of administrative support staff were aware of the guide.	Of all respondents who were aware of the guide, 71% of directors, 79% of managers, and 73% of administrative support staff had used the guide. Of respondents who had onboarded an employee, 56% of the directors and 58% of the managers indicated that the onboarding process allowed them to successfully welcome new employees and ensured employees were productive as quickly as possible.
Buddy Program (included the New Employee Orientation Guide and Program)	The majority of directors, managers, and administrative support staff were unaware of the program. By considering the respondents who selected both the Buddy Program and the Hiring and Onboarding Guide, the awareness of Buddy Program increased to 28% for directors, 21% for managers and 26% for administrative staff.	Of all respondents who were aware of the Buddy Program, only 21% of directors, 27% of managers, and 29% of administrative support staff had used the program to onboard a new employee.
Departure and Offboarding Guide	62% of directors, 57% of managers, and 59% of administrative support staff were aware of the guide.	Of respondents who were aware of the guide, 51% of directors, 47% of managers, and 48% of administrative support staff had used the guide. Of respondents who had offboarded an employee, 56% of the directors and 57% of the managers indicated that the offboarding guidance was effectively helping them to timely offboard an employee.

Annex C – Data analysis results

Based on information received, the audit team used Peoplesoft as the source of truth to identify 1,889 departure records of employees who left SSC within the audit scope period.

This annex presents detailed results of the various analyses conducted to assess compliance and alignment with TB requirements from section B.2.1.2 of the report.

Assessment results

Timeliness of return of IT assets

Out of the total 1,889 departure records reviewed from PeopleSoft, only 640 records were used for assessment for the Return of IT assets. The remaining records were not assessed as they were either blank, missing information or closed before departure.

[Redacted]

Upon further review of the 335 tickets that were assessed as closed within 1 to 10 days as shown on the table above, the audit team observed that the closure comments indicate notes such as: “Device is to be returned”, “Peripheral equipment to be returned”.

[Redacted]

Timeliness of revocation of access to the SSC network/information

Out of the total 1,889 departure records reviewed from PeopleSoft, only 744 records were identified for assessment of access revocation. The remaining records were not assessed as they were either blank or missing information.

No specific service standard was clearly established for measuring the timeliness of access revocation by the HRW division or the OOPII team. For the DIDM team, the ideal standard should be within 1 day of the employee’s departure. As a result, the audit team used this standard for assessing the timeliness of revocation.

[Redacted]

Completion of departure form

To assess the completion of departure forms, a random sample of 42 departure records was selected out of the 1,889 departure records.

Out of the 42 departure forms requested, only 9 departure forms could be provided by MySSC Pay Desk, as the other employee files had no signed departure forms on file.

The results of the analysis of the 9 forms received showed that the completion rate across each of the 8 categories in the departure form, as depicted in Figure 1 below, was:

• between 63 and 89% for the employees
• between 78 and 89% for the managers

Figure 1: Completion rate per category in the departure form

Figure 2 below illustrates the response to each of the questions as listed on the departure form. The number at the top of the column represents the question number on the form. Under each question, the first column is for the managers of the departing employees and the second column is for the departing employees.

Figure 2: Response to each question on the departure form

Further analysis showed that:

• a GCSX request was initiated for only 5 out of the 9 records, 3 of the 5 requests were initiated before the departure date but not 2 weeks prior the departure as prescribed by the process. The other 2 requests were initiated after the departure date.
  • The remaining 4 records out of 9 did not have a GCSX request initiated; however, all 4 had been signed, certifying that all required actions had been completed.
• 1 of the 9 records indicated that none of the questions were completed, despite the form being signed off by both the employee and manager.

Return of desks and chairs

Desks

A total of 1,362 records requesting a desk in GCSX were analyzed.

• 81 records were found to have employee departure dates for fiscal year 2022-23.
• Out of the 81 records, there were a total of 59 departures with no intention of rehiring indicated.
  • Only 18 records out of the 59 indicated the individual’s desk was either returned or transferred to another department.
  • It could not be determined if the desks issued to the remaining 41 employees were returned or transferred to another department.

Chairs

A total of 2,956 records requesting a chair in GCSX were analyzed.

• 158 records were found to have employee departure dates for fiscal year 2022-23.
• Out of the 158 records, there were a total of 116 departures with no intention of rehiring indicated.
  • Less than 10 records indicated the individual’s chair was either returned or transferred to another department.
  • It could not be determined if the chairs issued to the remaining employees were returned or transferred to another department.

Annex D – Acronyms

CIO

Chief Information Officer

DIDM

Digital Identity and Directory Management

EITP-CSB

Enterprise IT Procurement and Corporate Services Branch

GC

Government of Canada

GCSX

Government of Canada Service eXpress system

HRW

Human Resources and Workplace

IT

Information Technology

KPI

Key Performance Indicator

OOPII

Onboarding and Offboarding Process Improvement Initiative

SM9

SSC application used to process GCSX requests

SSC

Shared Services Canada

TB

Treasury Board

Annex E – Glossary

Glossary

Term	Description
Focus group	As part of the audit, a sample of survey participants were invited to attend focus groups to share additional details of their experience with the onboarding and offboarding processes. Focus groups were held with 3 stakeholder groups: directors, managers, and administrative support staff.
Manager	Refers to an employee’s manager and may include both managers and directors within SSC, unless referenced otherwise, for example, when presenting survey results.
Offboarding	Process of managing an employee’s exit from an organization after the cessation of their work relationship (i.e., contract expiration, retirement, termination, or voluntary departure).
Onboarding	Process designed to integrate new employees into the workplace during their first 6 to 12 months of employment. It includes providing employees with the information, skills, socialization, tools, and resources needed (e.g., departmental priorities, policies, equipment, and system access) in order for them to ultimately become productive and contributing members of the organization.
Partner	SSC functional areas responsible for providing guidance and instructions for completion of the activities within both the onboarding and offboarding processes.
Record	In relational databases, a record is a collection of fields that contain data about a given entity, and is typically stored as a row in a table.
Stakeholder	Any individual with a vested interest in, or being affected by, onboarding and offboarding activities such as the directors, managers and administrative support staff.

Annex F – Audit recommendations prioritization

Internal engagement recommendations are assigned a rating by the Office of Audit and Evaluation in terms of recommended priority for management to address. The rating reflects the risk exposure attributed to the audit observation(s) and underlying condition(s) covered by the recommendation along with organizational context.

Recommendations legend

Rating	Explanation
High priority	Should be addressed as a priority for management. Controls are inadequate. Important issues are identified that could negatively impact the achievement of organizational objectives. Could result in significant risk exposure (e.g., reputation, financial control or ability to achieve departmental objectives). Provide significant improvement to the overall business processes.
Medium priority	Should be addressed over the next year or reasonable timeframe. Controls are in place but are not being complied with sufficiently. Issues are identified that could negatively impact the efficiency and effectiveness of operations. Observations could result in risk exposure (e.g., reputation, financial control or ability to achieve branch objectives) or inefficiency. Provide improvement to the overall business processes.
Low priority	Changes are desirable within a reasonable timeframe. Controls are in place, but the level of compliance varies. Observations identify areas of improvement to mitigate risk or improve controls within a specific area. Provide minor improvement to the overall business processes.