Audit of the Treasury Board of Canada Secretariat's Management Control Framework of the Public Service Health Care Plan

Internal Audit and Evaluation Bureau
Final Report
Approved:

Table of Contents

Statement of Conformance

The Internal Audit and Evaluation Bureau (the Bureau) has completed the audit of the Treasury Board of Canada Secretariat's (the Secretariat's) management control framework of the Public Service Health Care Plan. This audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the Bureau's quality assurance and improvement program.

Executive Summary

Background

The Public Service Health Care Plan (PSHCP or the Plan) is an optional health benefits plan sponsored by the Government of Canada for federal public servants and pensioners, and their eligible dependants. It is the largest employer-sponsored health care plan in Canada.

While responsibility for supporting the Plan is shared by several organizations, the Secretariat plays a key role. Its responsibilities include providing oversight, expertise and recommendations to the Treasury Board on all matters relating to the Plan's strategic policy, program direction, and management. It also oversees the implementation, with a partner organization, of all aspects of the contract for the Plan's administrative services.

Objectives and Scope

The audit objective was to assess the adequacy and effectiveness of the Secretariat's management control framework over the Plan. Specifically, the audit focused on the following areas:

  • Roles and responsibilities;
  • Oversight and monitoring; and
  • Risk management.

The scope included activities undertaken by the Pensions and Benefits Sector (PBS) to manage the Plan. The audit covered the period from to , and considered information received by the audit team until .

Key Findings and Conclusion

The audit concluded, with a reasonable level of assurance, that the management control framework in place was adequate in most respects and served to ensure that the Secretariat managed the Plan effectively. Notwithstanding this conclusion, the framework can be strengthened with respect to succession planning, issues escalation management and risk management. Following are the key findings.

Roles and responsibilities:

  • Roles and responsibilities were communicated, understood and generally well documented at the Secretariat or entity level, and were aligned with the Plan contract;
  • There was limited documentation of the roles and responsibilities of key PBS personnel. While detailed procedures were in place for some processes, most processes relied on individuals' knowledge and experience; and
  • Processes for managing human resources were in place to support the Plan; however, loss of key resources could significantly impact PBS's ability to continue meeting its responsibilities, given the demands on current personnel.

Monitoring and oversight:

  • Monitoring and oversight was in place and worked effectively, supported by a strong governance structure, defined lines of communication, PBS internal mechanisms, and performance measures to monitor the Plan's compliance with the terms of the contract and its achievement of objectives; and
  • Issues were tracked and escalated using an issues logging process. While the process was understood, it was not documented. This meant that reliance was placed on individuals' knowledge and experience. In addition, issue logs did not always set or track dates for issue resolution. This finding could present a risk that some issues may not be monitored and addressed in a timely manner.

Risk management:

  • Risks were identified, assessed and mitigated at both Plan and sector levels; and
  • At the Plan level, risks were managed on an ongoing basis by leveraging the committees and subcommittees in its governance structure. Risks were also managed at the sector level; however, gaps were found in the process used during the examination period. Given that management was in the process of updating its tools and mechanisms, the gaps were addressed, and the process was formalized and documented subsequent to the examination period. In addition, there was a delay in completing the sector level risk assessment. Given that more than a year had elapsed since the previous assessment, this presents a risk that changes to risks were not identified in a timely manner.

Notwithstanding the overall conclusion that the management control framework was effective in most respects, this framework can be strengthened in the following areas:

  1. Succession planning – Formalizing and implementing succession plans for all expert advisors and other key positions, including specific training requirements for all identified successors;
  2. Escalation – Documenting the issues escalation process employed by the committees and subcommittees in the Plan's governance framework, including setting resolution dates for all identified issues; and
  3. Risk management – Implementing the newly formalized PBS risk management process, and monitoring its progress.

Management Response

Management agrees with the findings and conclusion, and has developed a management response (including actions), which is presented in Appendix C. The Bureau is satisfied that if these measures are implemented, the issues identified will be addressed.

1.0 Introduction

1.1 Overview

The Public Service Health Care Plan (PSHCP or the Plan) is an optional health care plan for federal public service employees and retirees, and their eligible dependants, that is designed to supplement employees' provincial health insurance plan.Footnote1 The PSHCP is the largest employer-sponsored health care plan in Canada with total Plan expenditures of $945 million in 2012, of which total benefit expenditures were $903 million. Plan membership was slightly over 630,000 members as of . Including dependants, the PSHCP provides coverage for 1.6 million people.Footnote2

The purpose of the Plan is to reimburse participants for all or a portion of the costs they have incurred for eligible services and products, as identified in the Plan document. Reimbursement takes place only after participants have taken advantage of benefits provided by their provincial or territorial health insurance plan or other third‐party sources of assistance to which a participant has a legal right.Footnote3

The PSHCP falls within the insurance and benefits plans under Vote 20, the funding instrument used to seek appropriations for this purpose through Parliament. Vote 20 is managed in the Office of the Chief Human Resources Officer, Pensions and Benefits Sector (PBS), at the Treasury Board of Canada Secretariat (Secretariat).Footnote4

Plan services are delivered by a contactor in accordance with an administrative services contract that was awarded in 2009. The tendering and implementation of this contract was part of an initiative to significantly modernize the Plan by enabling clients to submit electronic drug claims. More importantly, the contract allows the Government of Canada to own and collect Plan data.

1.2 Roles and Responsibilities

There are four main partners involved in the management and delivery of the PSHCP:

  • Treasury Board of Canada Secretariat, Pensions and Benefits Sector
  • Federal PSHCP Administration Authority (Administration Authority)
  • Public Works and Government Services Canada (PWGSC), Acquisition Branch and Accounting, Banking and Compensation Branch
  • Sun Life Financial (Sun Life)

On , PWGSC, on behalf of the Government of Canada, entered into a contract with Sun Life to provide administrative services for the delivery of PSHCP benefits to employees, pensioners and their dependants. Under this contract, PWGSC's Acquisition Branch is the contracting authority, and PBS is the project authority.Footnote5 While the Office of the Superintendent of Financial Institutions Canada is not a partner, it is a key provider of actuarial support services.

See Appendix A for an entity-level description of the roles and responsibilities of each party.

2.0 Audit Details

2.1 Authority

The Audit of the Treasury Board of Canada Secretariat's Management Control Framework of the Public Service Health Care Plan is part of the approved 2012–15 Risk-Based Audit Plan for fiscal year 2012–13.

2.2 Objectives and Scope

The audit objective was to assess the adequacy and effectiveness of the Secretariat's management control framework over the Plan.Footnote6

The audit examined the management control processes and activities at PBS that support the Secretariat's overall administration and management of the Plan. Specifically, the audit focused on the following management control framework elements:

  • Roles and responsibilities;
  • Oversight and monitoring; and
  • Risk management.

Scope exclusions

The audit did not examine the following:

  • Payment verification process, given that a concurrent project has been undertaken by the Corporate Services Sector's Internal Controls unit to assess the operating effectiveness of internal controls over financial reporting for the PSHCP;
  • Areas that are outside the mandate of the Internal Audit and Evaluation Bureau:
    • Specific activities conducted by the Administration Authority;
    • Services provided by PWGSC;
    • Delivery of the Plan by Sun Life and its reporting activities (except the Secretariat's use of these reports, which is included); and
    • The Office of the Superintendent of Financial Institutions Canada's activities in support of the Plan.

Audit period

The audit covered management of the Plan from to , and considered information received by the audit team until .

2.3 Lines of Enquiry

The audit had the following three lines of enquiry and supporting audit criteria:

  • Roles and responsibilities – A formal framework is in place that clearly articulates PSHCP roles and responsibilities and confirms stakeholders' understanding of them, and provides for sufficient human resources capacityFootnote7 to carry out these roles and responsibilities.
  • Monitoring and oversight – A formal framework is in place that clearly defines monitoring and reporting activities, and includes a mechanism to track and escalate issues.
  • Risk management – The risk management process is sufficient to identify, assess and mitigate risks to the Plan.

The audit criteria were derived from the Office of the Comptroller General's Audit Criteria Related to the Management Accountability Framework: A Tool for Internal Auditors. Detailed audit sub-criteria for each of these audit criteria are presented in Appendix B.

2.4 Approach and Methodology

The audit approach and methodology was risk-based and in conformance with the Internal Auditing Standards for the Government of Canada. These standards require that the audit be planned and performed in a way to obtain reasonable assurance that the audit objectives were achieved.

The examination phase of this audit was conducted from to . The work carried out during this phase consisted of the following:

  • Interviews with key stakeholders;
  • Documentation review;
  • Walk-throughs;Footnote8 and
  • Audit testing.

3.0 Audit Results

The audit results are presented below by line of enquiry.

3.1 Roles and Responsibilities

PSHCP roles and responsibilities were adequately defined, communicated and understood. While processes for managing human resources were in place, loss of key personnel could impact PBS's ability to carry out its responsibilities. Improvements to succession planning are therefore required.

We expected that accountabilities, roles and responsibilities related to the management of the Plan would be clearly defined and communicated, and that training, information resources and tools would be in place. We also expected to find sufficient processes for managing PBS's human resources that would include knowledge transfer and succession planning to support PBS's personnel in carrying out Plan management responsibilities.

Defined accountabilities, roles and responsibilities at the entity level

The audit did in fact find that accountabilities, roles and responsibilities were clearly defined in the Plan contract and supporting documents. However, definition was limited to the entity level of the key organizationsFootnote9 involved in Plan management. There was limitedFootnote10 documentation at the sector level articulating the roles and responsibilities at PBS.

Nevertheless, understanding of these roles and responsibilities was evident. Key individuals consulted at PBS and outside the Secretariat clearly described their respective roles and responsibilities, as well as the roles and responsibilities of those with whom they worked.

Open and effective lines of communication

Open and effective lines of communication were cited, by those consulted, as a contributing factor to understanding roles and responsibilities. Both formal and informal lines of communication were in place during the period of examination.

Formally, the PSHCP governance framework established a structure of committees and subcommittees that facilitated communication among members. These members were drawn from the Secretariat and its partners, and met regularly. In addition, formal reporting mechanisms were in place at PBS, which enabled the discussion of issues and reporting to senior management. These mechanisms are further described in the next section on monitoring and oversight.

Informally, ad hoc communication mechanisms also existed at PBS. For example, meetings took place at the sector for the purpose of information sharing across governance committees.

Sufficient training aligned with roles and responsibilities

The audit found that employees had learning plans and were provided with training. To leverage efficiencies in managing benefit plans, PBS had organized its personnel to manage benefit plans horizontally, rather than by individual plan. Where applicable, courses that were relevant to all plans were pursued over those that were plan-specific.

Management recognized that the PSHCP requires specialized knowledge and expertise due to its complexity, but indicated that specialized training specific to health care benefits was not commonly available within government. Hence, job shadowing was undertaken to some extent as a means to supplement formal, broad-based training and to facilitate knowledge transfer.

Based on discussions with employees and review of sector training, the audit team concludes that, collectively, PBS provided sufficient training aligned with its roles and responsibilities.

Insufficient succession planning and limited capacity to accommodate loss of personnel

Succession planning was in progress for two of the three expert advisors at PBS; however, this was not a formalized or documented process. Succession planning was not in place for key positions such as directors or the information technology (IT) specialist.

While PBS personnel with the appropriate knowledge and experience were in place to support the Plan, the audit found that there was limited capacity in PBS operations to accommodate loss of personnel. Management indicated that in the current cost-containment environment, hiring additional personnel to allow cross-training has been challenging.

Succession planning and knowledge-transfer risks

Given the limited documentation of individual roles and responsibilities, the lack of formal processes to support succession planning and the limited capacity in PBS operations, the loss of a key individual could negatively affect Plan operations. Difficulties in staffing a replacement, for example, or in reallocating responsibilities to other sector staff could present a risk of key activities not being performed.

Management has identified succession planning and knowledge-transfer as risks at PBS's corporate risk profile and risk management workshop. The audit team recommends that management place a high priority on succession planning and implement actions to address risks in this area over the short term.

Recommendation

It is recommended that PBS management formalize and implement its succession plans for all expert advisors and other key positions. Specifically, these plans should be documented and should include specific training requirements for identified successors.

3.2 Monitoring and Oversight

Monitoring and reporting processes were in place and working effectively, supported by performance measures to monitor the Plan's compliance with the terms of the contract and its achievement of objectives. While there were mechanisms to track and escalate issues, these processes need to be documented.

We expected that there would be a process to monitor and report Plan activities that would include a mechanism to track and escalate issues. We also expected that performance measures would be in place to support monitoring and reporting.

Monitoring and reporting in place and working effectively

The audit found that a monitoring and reporting process was in place and working effectively, supported by a Plan governance structure, a PBS management structure, and their respective reporting mechanisms.

The governance structure in place comprises committees and subcommitteesFootnote11 that provide a logical and organized means of monitoring, reporting and escalating issues. This structure serves to guide the flow of information to those involved in managing the Plan. Furthermore, a delivery management plan is used to communicate the type and frequency of required reporting.

Reporting mechanisms support oversight and monitoring of the Plan. Specifically, contract oversight reports address Sun Life's overall performance and issues, and contract compliance reports address compliance against the contract. Both reports are developed by the Administration Authority and produced on a monthly basis. Any issues that arise are discussed at the PSHCP Operations Committee and, as necessary, with the Senior Contract Management Committee, which comprises senior members from PBS, the Administration Authority, PWGSC and Sun Life. In addition, operational reports, such as Sun Life's monthly and quarterly operational results, are reviewed and discussed at subcommittees.

The Plan's audit processes also support oversight and monitoring of the Plan. There are two streams of audits. The first stream, the Audit Services and Detection program, consists of audits conducted and managed by Sun Life to address the contract's audit requirements (e.g., on-site pharmacy audits). The second stream consists of audits conducted and managed by the Administration Authority in the context of a risk-based audit plan developed in consultation with the Secretariat. The audit plan provides a risk assessment of Plan activities and proposes audits required to address identified risks (e.g., spot check audit of physiotherapy claims).

Final audit reports for both streams were reviewed by the Administration Authority and the Secretariat. The results of these audits determined whether changes needed to be made to administrative practices, business processes or the contract. These findings were tracked and were followed up by the respective committees and subcommittees.

PBS reporting mechanisms allowed tracking and sharing of issues, risks and other significant information on an ongoing basis. As required and as determined by the team responsible for managing the Plan, specific items were escalated to PBS's Assistant Deputy Minister. Sector employees described this process as effective and efficient.

Defined performance measures

The audit found that performance measures were defined and were used to monitor the Plan's compliance with the terms of the contract and its achievement of objectives:

  • The above-mentioned contract oversight and contract compliance reports reported against service standards that had been clearly defined in the Plan contract. The compliance report also contained an attestation by the Administration Authority's Chief Executive Officer;
  • Performance measures were clearly defined for the Vote 20 working group, an internal PBS monitoring mechanism. This working group regularly monitored and developed forecasting for all benefit plans, including the PSHCP, to ensure that funding measures were maintained. Its monitoring activities included the review of funding, industry updates, knowledge from insurers and consumer price indexing updates; and
  • Plan objectives were monitored and their achievement was reported. While reporting against objectives addressed specific issues that arose during various stages of the Plan modernization initiative, it did not provide a global report of these modernization objectives. Nevertheless, reporting against objectives was found to be sufficient.Footnote12

Escalation mechanisms require further documentation

During the examination period, established reporting mechanisms were used to escalate issues at the sector level. PBS had regular and ad hoc meetings at various levels, from operations staff to senior management, where ongoing issues were discussed and addressed.

The audit found that at the Plan level, issue logs were used to track issues, and the majority of issues were resolved in the respective subcommittees. In only a few instances was escalation warranted. The audit team examined issue logs and traced the issues that had been escalated from the subcommittees to the more senior committees. The audit found that while this mechanism was effective, the issue logs did not always set or track dates for issue resolution. This finding could present a risk that some issues may not be monitored and addressed in a timely manner.

The audit also found that the escalation process, while understood, was not documented. Specifically, there was no evidence of documented roles and responsibilities, authorities for approval, and escalation timelines. Limited documentation of this process meant that reliance was placed on individuals' knowledge and experience to carry out their responsibilities.

Management has recognized the need for documentation and has engaged consultants who will develop Terms of Reference for committees and subcommittees.

Recommendation

It is recommended that management finalize the Terms of Reference for committees and subcommittees, and ensure that the escalation process is formally defined and documented. Specifically, this documentation should include further clarity around roles and responsibilities, authorities for approval, and escalation timelines. It is also recommended that issue logs require the setting of resolution dates for all identified issues.

3.3 Risk Management

Both Plan and sector risks were identified, assessed, responded to, and monitored. An opportunity exists to refine and update the newly developed framework to ensure that it accurately reflects how the risk management process is subsequently implemented.

We expected that a process would be in place to identify, assess, respond to, and monitor Plan-specific risks, as well as PBS-specific risks related to managing the Plan (e.g., operational risks). We also expected that risks would be updated periodically, and that a process would be in place to prevent the release of confidential plan member information.

Plan risks sufficiently managed

The audit found that risks were identified, assessed, responded to, and monitored at both Plan and sector levels. At the Plan level, risk factors, their impact and likelihood, as well as their respective overall risk rankings were described in a risk assessment report used to support potential areas of audit focus for the risk-based audit plan. These risks were updated on an annual basis.

Also at the Plan level, committee and subcommittee issue logs were in place to identify risks and track the status of mitigating actions on an ongoing basis. In this context, the management of Plan risks, including fraud risks, were allocated to the committee or subcommittee tasked with that subject matter.Footnote13 Furthermore, the audit found that a process was in place to prevent the release of confidential plan member information.Footnote14

Sector risk management process underwent changes

At the sector level, the audit team identified areas for improvement to the risk management process.Footnote15 Specifically, it identified the following gaps during the period of examination:

  • Process for determining the risk rating not documented;
  • Rationale for selecting a risk rating not documented;
  • Monitoring not identified as an action for all identified risks; and
  • Frequency for reassessment not set.

There was a delay in the completion of PBS's risk assessment process. Over the past two years, risks were assessed in Q3 of each year. During the audit examination period, PBS's risk assessment tools and mechanisms were updated and the risk management process was formalized and documented. The risk assessment was underway in Q4, but it was only completed in Q1 of the following year. Given that more than a year had elapsed since the previous assessment, this presents a risk that changes to risks are not being identified in a timely manner.

Subsequent to the period of examination, management provided evidence of its documented risk management framework, completed in . For the most part, the documented framework reflected existing processes and also addressed the four previously mentioned areas that were identified by the audit team for improvement. Even though the framework was completed outside the audit examination time period, the audit team found this work to be significant and took it into consideration. Given that PBS has not undergone a full cycle of its newly formalized process, there is opportunity to refine and update the framework to ensure that it accurately reflects how the risk management process is implemented.

Recommendation

It is recommended that management implement its newly formalized PBS risk management process, monitor its progress, and revisit and update the framework document at the end of its first full cycle, as required.

3.4 Overall Conclusion

We conclude, with a reasonable level of assurance, that the Secretariat's management control framework in place during the period of examination was adequate in most respects and served to ensure that the Secretariat managed the Plan effectively:

  • Roles and responsibilities – PSHCP roles and responsibilities were adequately defined, communicated and understood;
  • Monitoring and oversight – Monitoring and reporting was in place and working effectively, supported by performance measures to monitor the Plan's compliance with the terms of the contract and its achievement of objectives; and
  • Risk management – Both Plan and PBS risks were identified, assessed, responded to, and monitored.

Notwithstanding the above, the management control framework can be strengthened in the following areas:

  • While processes to manage human resources were in place, loss of key personnel could impact PBS's ability to carry out its responsibilities. Improvements to succession planning are therefore required;
  • While a mechanism was in place to track and escalate issues, this process needs to be documented; and
  • An opportunity exists to refine and update the newly developed framework to ensure that it accurately reflects how the risk management process is subsequently implemented.

Appendix A: Roles and Responsibilities of Partners and Service Providers

This section provides an entity-level description of the roles and responsibilities of the following parties:

  • Treasury Board of Canada Secretariat, Pensions and Benefits Sector (PBS)
  • Federal PSHCP Administration Authority (Administration Authority)
  • Public Works and Government Services Canada (PWGSC)
  • Sun Life Financial (Sun Life)
  • Office of the Superintendent of Financial Institutions Canada

Treasury Board of Canada Secretariat – Pensions and Benefits Sector

The Secretariat fulfills its responsibilities primarily through PBS, which is located in the Office of the Chief Human Resources Officer.

PBS is the project authority of the contract with Sun Life. While PBS is accountable for the management and oversight of the Plan, Treasury Board delegates aspects of Plan administration and oversight to administrators and service-delivery agents (e.g., the Plan administrator (Sun Life), the Administration Authority, PWGSC, Office of the Superintendent of Financial Institutions Canada and departments) and holds them to account.Footnote16

Subsection 7.1(1) of the Financial Administration Act (FAA) gives the Treasury Board the authority to establish and modify the Plan, and sections 7.2 through 7.4 give the Treasury Board the authority to establish the Administration Authority, name the majority of Administration Authority directors and its chair, and establish its governance.Footnote17

Regarding PSHCP governance design, implementation and support, PBS is responsible for the design and management of the Plan's governance system, including oversight of the Administration Authority's governance system.Footnote18

PBS also sits on the Partners Committee, which is the senior collaborative forum for the resolution of issues pertaining to the Plan and which is mandated to develop joint recommendations on Plan changes to the Treasury Board. It is composed of seven representatives: three senior officers from the public service, one of whom is the Assistant Deputy Minister of PBS (representing the employer); three senior officers of bargaining agents (representing employees); and one representative appointed by the National Joint Council (representing pensioners).Footnote19

In PBS, benefit plans, including the PSHCP, are managed by the Group Insurance Policy and Programs Directorate. This directorate provides oversight, expertise and recommendations to the Treasury Board on all matters relating to the strategic policy, program direction and management of the government's public sector benefit plans (health, dental, disability and life insurance) provided to employees, pensioners, and other groups. It develops productive, ongoing relationships with multiple internal and external partners and stakeholders, including leading consultations and negotiations with the bargaining agents and pensioner representatives. The directorate is responsible for researching and benchmarking the comparability of these group benefits and for preparing quarterly and annual fiscal projections of the employer's expenses under these programs.

The Federal Public Service Health Care Plan Administration Authority

The Administration Authority is charged with the administration of the PSHCP. It is an arms-length, not-for-profit, shared-governance corporation responsible for monitoring the delivery of benefits by the Plan administrator (currently Sun Life).Footnote20 Its mandate is to ensure that benefits and services to Plan members and their covered dependants, as defined in the PSHCP documentation, are delivered in a manner that ensures the effective and efficient administration of the PSHCP.Footnote21

The Administration Authority is responsible for the design, management and support of its internal governance arrangements, within the terms of its authority under the Letters Patent.Footnote22 Reporting to the Partners Committee, the Administration Authority manages claims appeals, performs audits, reports on misuse and fraud, analyzes claim trends and, on request, advises the Partners Committee and PBS on possible solutions to operational problems identified in the course of its work. It also communicates with members on their individual situations, oversees Sun Life's communications with membersFootnote23 and provides reports to PBS as project authority, as required, confirming that the Plan administrator has fulfilled its obligations under the contract.Footnote24

The Administration Authority's Board of Directors comprises 10 directors.Footnote25 The Administration Authority was established as the secretariat to the Board to support the work of the Board and assist it in fulfilling its mandate. Its operating budget is funded in accordance with a funding agreement between the federal government, represented by the President of the Treasury Board, and the Administration Authority.

Public Works and Government Services Canada

PWGSC's Accounting, Banking and Compensation Branch collects Plan membership eligibility information and contributions from employees who are paid through federal pay systems and certain other organizations, and from retirees. PWGSC is responsible for ensuring the accuracy of the contribution rates entered in their pay system(s). PWGSC provides administrative and other services related to the PSHCP as directed by the Treasury Board through orders-in-council.

PWGSC's Acquisitions Branch manages the contracting process for the Plan. The Acquisitions Branch is the PSHCP's contracting authority, while PBS is the contract's project authority. The contracting authority also works with PWGSC's Canadian Industrial Security Directorate on any security-related matters.

Sun Life Financial

Sun Life, as the administrator of the Plan, is responsible for the consistent adjudication and payment of eligible claims in accordance with the Plan directive. It is also responsible for providing administrative services to PBS and Plan members, as specified in the contract and established service standards.Footnote26 Services include positive enrolment, enquiries handling, contract service management, reporting and communications.

Sun Life provides PBS and the Administration Authority with the information they need to exercise their oversight responsibilities effectively. On PBS's request, Sun Life may suggest improvements to the design and management of the Plan based on its administrative experience with the plans in its book of business.Footnote27 Sun Life provides this advice to PBS via an annual strategic advice and environmental scan report.

Office of the Superintendent of Financial Institutions Canada

The Office of the Superintendent of Financial Institutions Canada, while not officially represented in the Framework for Public Service Health Care Plan Roles and Responsibilities – Entity-Level, is a key service provider. It provides the actuarial services for rate analysis, plan changes, and Public Accounts support and setting of assumptions, the latter in collaboration with PBS and other key sectors in the Secretariat, including the Office of the Comptroller General.

Appendix B: Audit Criteria

Audit criteria were derived from the Office of the Comptroller General's Audit Criteria Related to the Management Accountability Framework: A Tool for Internal Auditors.

Line of Enquiry 1: Roles and Responsibilities

Audit Criterion 1

  • A formal framework is in place that clearly articulates PSHCP roles and responsibilities and confirms stakeholders' understanding of them, and provides for sufficient human resources capacity to carry out these roles and responsibilities.
    Audit Sub-Criterion 1.1
    • Accountabilities, roles and responsibilities are clearly defined and communicated.
      • Accountabilities, roles and responsibilities are clearly defined, accessible and understood by all partners and key service providers.
      • Training, tools and information resources are sufficient to guide managers and employees in fulfilling their roles and responsibilities.
      • Lines of communication are open and effective.
    Audit Sub-Criterion 1.2
    • Sufficient human resources capacity, specialized training, and guidance exist for roles deemed to be key inputs to the achievement of the PSHCP's operational plans and strategic objectives.

Line of Enquiry 2: Monitoring and Oversight

Audit Criterion 2

  • A formal framework is in place that clearly defines monitoring and reporting activities, and includes a mechanism to track and escalate issues.
    Audit Sub-Criterion 2.1
    • The process for identifying and escalating issues is clearly defined and communicated.
    Audit Sub-Criterion 2.2
    • A formal issue resolution and tracking mechanism exists and is utilized effectively.
    Audit Sub-Criterion 2.3
    • Performance measures are clearly defined and include a process for monitoring and reporting on the achievement of Plan activities and results against PSHCP modernization objectives.
    Audit Sub-Criterion 2.4
    • Issues identified in past audits conducted for the Plan by the Administration Authority have been reviewed. Their impacts on the PSHCP have been assessed, and plans are in place to remediate these items.

Line of Enquiry 3: Risk Management

Audit Criterion 3

  • The risk management process is sufficient to identify, assess and mitigate risks to the Plan.
    Audit Sub-Criterion 3.1
    • The risk assessment process is appropriately designed to identify and subsequently determine the impact and likelihood of key risks materializing.
    Audit Sub-Criterion 3.2
    • When key risks are identified, including any risks related to fraud within the PSHCP, a process exists for all implicated partners to respond to and monitor the status of these risks.
    Audit Sub-Criterion 3.3
    • Risks and their response strategies are updated periodically to reflect internal and external changes that impact the PSHCP.
    Audit Sub-Criterion 3.4
    • Processes and practices are in place to prevent the release of confidential Plan information (i.e., Plan member information).

Appendix C: Management Response

Overall Comment

The Pensions and Benefits Sector (PBS) agrees with the conclusion of the audit that the management control framework for the PSHCP is adequate in most respects and serves to ensure effective management of the PSHCP by the Secretariat.

PBS provides the following in response:

The PSHCP was retendered in 2009 under a new modern management platform framed by the Benefits Modernization Initiative, which resulted in a significant transformation of the Plan, including overall Plan governance.

With this transformation came opportunities for improvement. Since the implementation of the transformed PSHCP in , a number of features have already been incorporated, including those noted as strengths by the audit report: the audit process for PSHCP, the Audit Services and Detection subcommittee, and the formalization of procedures for the management of confidential information for the PSHCP.

Implementation of the revised Plan also introduced a new electronic-based claims adjudication process. The shift from a paper-based process has resulted in significant cost savings for the Government of Canada, in addition to lower out-of-pocket spending by the membership.

In summary, PBS welcomes the recommendations of the audit report and appreciates the opportunity to continually improve on business processes and practices in the areas of succession planning, issues escalation management, and risk management.

PBS will examine ways to best address these opportunities for improvement, taking into account the very limited resources available to it. There is a need for key officers to carry out multiple roles or functions for the suite of public sector benefit plans, including the PSHCP.

Recommendation 1

Succession Planning – It is recommended that PBS management formalize and implement its succession plans for all expert advisors and other key positions. Specifically, these plans should be documented and they should include specific training requirements for identified successors.

Priority Ranking: High

We agree with the recommendation.

Actions Completion Date Office of Primary Interest

Comments:

PBS will take steps, again taking into account the limited resources available to it, to identify, document and formalize its key Group Insurance Policy and Programs (GIPP) internal business processes, which will serve as the first step in establishing succession plans and training requirements for key positions.

Actions:

Once this first step is completed, formalize, document and implement succession planning and training for key positions as part of next year's Integrated Business Plan:

  • Identify key personnel and positions
  • Identify any new required positions, and seek appropriate A-base funding as a result of additional business processes
  • Identify key competencies for each position
  • Cooperate with the Human Resources Division in the overhaul of the Personnel Administration Group (PE) classification, and review job descriptions in GIPP
  • Formalize training requirements

Target: Q4,
2016–17

Executive Director, GIPP

Recommendation 2

Escalation – It is recommended that management finalize the Terms of Reference for committees and subcommittees, and ensure that the escalation process is formally defined and documented. Specifically, this documentation should include further clarity around roles and responsibilities, authorities for approval, and escalation timelines. It is also recommended that issue logs require the setting of resolution dates for all identified issues.

Priority Ranking: Medium

We agree with the recommendation.

Actions Completion Date Office of Primary Interest

Comments:

Improvement to business processes for the management of the public sector benefit plans is well underway, including the issues escalation process established by PBS and the Administration Authority under the PSHCP governance framework.

Actions:

  • Task the PSHCP Operations Committee to coordinate with committee and subcommittee chairs to finalize and document the Terms of References for their respective entities and to deliver final outputs to PBS's Director – Group Insurance Program Management (GIPM)
  • Standardize escalation procedures and reporting guide
  • Monitor the effectiveness of the escalation procedures and reporting guide

Target: Q4,
2014–15

Director, GIPM;

Expert Advisor, Program Analysis and Reporting

Recommendation 3

Risk Management – It is recommended that management implement its newly formalized PBS risk management process, monitor its progress, and at the end of its first full cycle, revisit and update the framework document as required.

Priority Ranking: High

We agree with the recommendation.

Actions Completion Date Office of Primary Interest

Comments:

PBS's risk management framework is aligned with the corporate risk profile assessment process. The formal process was initiated in 2012–13 and approved by the sector in .

Actions:

  • Implement the first full cycle of the risk management process (completed in )
  • Continue monitoring the risk management process through 2014–15
  • Update changes to the framework as required

Target: Q4,

2014–15

Executive Director, GIPP

© Her Majesty the Queen in Right of Canada, represented by the President of the Treasury Board, [2015],
[ISBN: 978-0-660-25680-1]

Page details

Date modified: