Foreign Affairs, Trade and Development Canada

international.gc.ca

Archived Document

Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated since it was archived. Web pages that are archived on the Web are not subject to Government of Canada Web Standards; as per the Communications Policy of the Government of Canada, you can request alternate formats by contacting us.

Audit of Electronic Authorization and Authentication (EAA) Keys and Integrated Management System (IMS) User Profiles

(September 2007)

1.0 Background

1.1 On behalf of the Office of the Comptroller General (OCG), Audit Services Canada (ASC) recently completed the audit fieldwork of Phase II of the Horizontal Audit, Delegation of Signing Authority. During the conduct of their fieldwork, the Audit Division of the Department of Foreign Affairs and International Trade Canada (DFAIT) and ASC had several discussions regarding the methodology for Phase II. Internal Audit Division determined that the scope of Phase II did not include the examination of the segregation of duties with respect to personnel at headquarters (HQ) who possessed an Electronic Authorization and Authentication (EAA) key. It was felt that this area should be reviewed, as it is an important control in carrying out the requirements of the Treasury Board Secretariat's (TBS) Policy on Delegation of Authorities. Moreover, it is a key financial management control that will be repeatedly considered in future years as DFAIT moves to annually audited financial statements.

2.0 Audit Objective, Scope, Criteria, Approach and Timing

2.1 Audit Objective

2.1.1 The objective of this engagement was to determine whether personnel at HQ with an EAA key are in compliance with the segregation of duties control criteria as outlined in the TBS Policy on Delegation of Authorities.

2.2 Audit Scope and Criteria

2.2.1 The scope of the audit included an examination of the:

  1. List of HQ personnel who possessed an EAA key; and,
  2. Integrated Management System (IMS) user profiles of the personnel in item 1.

2.2.2 With respect to the Delegation of Signing Authority chart maintained by the Financial Management and Accountability Policy Division (SMO), its use was limited to verifying whether personnel with an EAA key had been granted Section 33 financial signing authority. (See Appendix A for description of the relevant Sections of the Financial Administration Act.)

2.2.3 ZIV used the following audit criteria to assess departmental practices with respect to EAA keys:

The department should be able to demonstrate that proper segregation of duties with respect to EAA keys is in place and in accordance with the TBS Policy on Delegation of Authorities, Appendix A, guideline 6.1(a), which states that

"Persons who are delegated authority to make decisions may be delegated either spending or payment authority, but usually not both. However, in small establishments, this distinction is not always possible, especially when an officer is assigned responsibilities as an alternate for another officer or when a financial officer administers a budget. In such circumstances, it may be necessary to delegate both types of authority to a single officer. Whenever this is done, the officer will never exercise both types of authority on the same payment."

2.3 Audit Approach and Timing

2.3.1 The audit was conducted in accordance with Canadian generally accepted auditing standards. The audit took place during the period of May to June 2007.

2.3.2 The audit approach consisted of completing the following major tasks: interviewing appropriate personnel with knowledge of the payment cycle, obtaining a report listing the personnel with an EAA key along with their IMS user profiles and performing analytical procedures to determine if there was a lack of segregation of duties (i.e. if an individual with an EAA key could input and process a payment through IMS).

2.3.3 During the performance of the fieldwork, it was determined that the main financial control was the certification of a payment in accordance with Section 33 of the Financial Administration Act (FAA). As such, our focus shifted from the EAA of payments to their certification.

Observations and Recommendations

3.0 Segregation of Duties

3.1 The audit team observed a lack of segregation of duties in multiple areas. In each of the following scenarios (3.2 and 3.3), the lack of segregation of duties allows the IMS user to circumvent the control associated with Section 33.

3.2 Incompatible access within IMS.

There are fifteen users who have payment and modification rights in the IMS financial module. Four of the fifteen users have not been delegated Section 33 authority as per the Department's Delegation of Signing Authority chart. Nine of the fifteen users also have input rights.
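The analytical procedure described in 2.3.2 and the counts reported above are a mechanical cross-check: take the IMS user-rights export, group rights per user, and compare payment-capable users against the Delegation of Signing Authority chart. The following script is an added example, not code from the audit or from DFAIT's IMS environment. It assumes a flat export of (user, right) rows and abstract right categories INPUT, MODIFY and PAYMENT; in a real IMS/SAP extract these would be derived from roles and transaction codes, and the sample data and delegate list are constructed for illustration only. It also produces the revocation list implied by recommendation 3.4 and by management's plan to strip invoice-creation rights from users who must keep both functions.

```python
"""Segregation-of-duties check over an IMS user-rights export (added example, constructed data)."""
from __future__ import annotations

import csv
from dataclasses import dataclass, field
from io import StringIO

# Constructed sample export: one row per (user, right). The three right
# categories are an assumption of this example, not IMS's own role names.
SAMPLE_RIGHTS_CSV = """\
user,right
alice,INPUT
alice,MODIFY
alice,PAYMENT
bob,MODIFY
bob,PAYMENT
carol,INPUT
carol,MODIFY
dave,INPUT
dave,MODIFY
dave,PAYMENT
erin,PAYMENT
erin,MODIFY
"""

# Constructed extract of the Delegation of Signing Authority chart:
# users whose position carries FAA Section 33 authority.
SAMPLE_S33_DELEGATES = {"alice", "erin"}


@dataclass
class SodReport:
    payment_capable: set[str] = field(default_factory=set)  # MODIFY + PAYMENT (finding 3.2, "fifteen users")
    missing_s33: set[str] = field(default_factory=set)      # payment-capable but not delegated s.33 ("four")
    full_cycle: set[str] = field(default_factory=set)       # INPUT + MODIFY + PAYMENT ("nine")


def parse_rights(csv_text: str) -> dict[str, set[str]]:
    """Group the flat (user, right) export into one set of rights per user."""
    rights: dict[str, set[str]] = {}
    for row in csv.DictReader(StringIO(csv_text)):
        user = row["user"].strip()
        rights.setdefault(user, set()).add(row["right"].strip().upper())
    return rights


def analyse(rights: dict[str, set[str]], s33_delegates: set[str]) -> SodReport:
    """Flag users who can approve payments, and among them those who lack
    s.33 delegation or who can also input the invoice they pay (full cycle)."""
    report = SodReport()
    for user, held in rights.items():
        if {"MODIFY", "PAYMENT"} <= held:
            report.payment_capable.add(user)
            if user not in s33_delegates:
                report.missing_s33.add(user)
            if "INPUT" in held:
                report.full_cycle.add(user)
    return report


def remediation(report: SodReport) -> dict[str, set[str]]:
    """Rights to revoke per user: PAYMENT for anyone without s.33 (recommendation 3.4);
    INPUT for delegated users who would otherwise hold the full input-to-payment cycle
    (the mitigating step in the management action plan). Revoking PAYMENT already breaks
    the cycle for the first group, so they are not double-counted."""
    actions: dict[str, set[str]] = {}
    for user in report.missing_s33:
        actions.setdefault(user, set()).add("PAYMENT")
    for user in report.full_cycle - report.missing_s33:
        actions.setdefault(user, set()).add("INPUT")
    return actions


if __name__ == "__main__":
    rep = analyse(parse_rights(SAMPLE_RIGHTS_CSV), SAMPLE_S33_DELEGATES)
    print("payment-capable:", sorted(rep.payment_capable))
    print("no s.33 delegation:", sorted(rep.missing_s33))
    print("full cycle (input+modify+payment):", sorted(rep.full_cycle))
    for user, rights in sorted(remediation(rep).items()):
        print(f"revoke {sorted(rights)} from {user}")
```

The same routine, run quarterly against a fresh export and the current delegation chart, is the substance of the SOD report that management commits to in 3.5 and 3.6; the value is in the diff between runs, which shows rights that have crept back after an acting appointment or a position change.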

3.3 Incompatible duties assigned to a position.

The audit team observed that *** has access to the blank manual cheques as well as the cheque signature block. *** user profile also provides input and modification rights in the IMS financial module. This creates a segregation of duties issue as *** can process an invoice, approve its payment and print, sign and issue a manual cheque.

Recommendations

Director General, International and Domestic Financial Management (SMF)

3.4 For the fifteen individuals with incompatible access within IMS, review the responsibilities associated with their current position and immediately revoke non-required IMS rights. In addition, for the four individuals that have not been delegated Section 33 authority, immediately revoke their payment rights within IMS.

3.5 Review, in consultation with Corporate Financial Systems (SMSF), the IMS user profile assigned to each position within Financial Operations, Domestic (SMFH) with the objectives of ensuring proper segregation of duties and maintaining operational efficiency.

Director General, Budgeting, Analysis and Reporting (SME)

3.6 Develop and implement procedures that ensure, prior to granting payment rights within IMS, that the Departmental Delegation of Signing Authority chart and the individual's specimen signature card are examined to verify that the user has been delegated Section 33 authority.

Management Action Plan and Timeframe

3.4 This recommendation has been implemented. The four individuals who are not in positions with delegated FAA Section 33 authority have had their payment rights removed from IMS.

A review of the responsibilities of individuals with the ability to create/modify documents in IMS and perform a payment run is underway. Where operational necessity requires both of these functions, mitigating controls will be implemented, such as a review of documents created by the individual. This review will be completed by the end of fiscal year 2007-08. When possible, the transaction codes used to create vendor invoices will be removed from these users.

3.5 A review of IMS user profile assigned to each position is underway. Currently, only *** have access to both the blank cheque stock and the cheque signature stamp. As these two positions also have the ability to create documents and perform payment runs, a procedure to review manual cheques will be created. The transaction codes used to create vendor invoices will be removed from these users. Additionally, the necessity of being a cheque printing site will be reviewed. These reviews will be completed by the end of fiscal year 2007-08.

In conjunction with the review of the responsibilities of individuals with the ability to create/modify documents in IMS and perform a payment run, quarterly Segregation of Duty (SOD) Reports will be produced by Financial Systems and provided to International and Domestic Financial Management (SMF) for confirmation that mitigating controls still exist for employees who are in a segregation of duties conflict. The reports are to be signed off by the Director, SMF.

3.6 This recommendation has been implemented.

Form 1764 must be authorized by Deputy Director or Management Consular Officer and above. These managers assign roles as defined on the 'Management Systems' website and are based upon job duties. FAA S.32, 33, and 34 are not included in the core role definition but may be assigned depending on position and/or organizational requirements. Managers who authorize this access must ensure the incumbent occupies an appropriate position on the Delegation of Authorities Chart and completes a specimen signature card.

Effective October 2007, a new procedure was implemented that requires the written approval of SMF on mission and HQ F110 Payment Run Authorization prior to (SMS) providing access.

In addition, quarterly Segregation of Duty (SOD) Reports and FAA Section 33 reports will be produced by Corporate Financial Systems (SMSF) and provided to SMF to confirm that mitigating controls are in place for employees who have been identified as having potentially conflicting roles in IMS. SMF will also be required to validate the continued requirement for FAA S.33 authority in the system.

4.0 Payment Process Cycle

4.1 The audit team noted a number of observations regarding the payment process cycle that did not relate specifically to segregation of duties issues. These observations are described below.

4.2 Business process documentation. The audit team observed that documentation does not exist which describes the business process for certifying a payment under Section 33 of the FAA and carrying out the EAA approval process. This creates a risk of inconsistency in the application of both processes.

4.3 Granting and removing IMS user rights. There are no formal guidelines or procedures established for granting and removing IMS user rights. This creates a risk of inconsistency and inefficiency in operations. The audit team also noted that a departmental form does not exist for purposes of identifying when IMS user rights are to be modified (i.e. when a user changes positions). As a result, IMS users could exercise financial authorities not assigned to their new position.

4.4 Acting situations. The audit team observed inconsistency in the application of procedures with respect to acting appointments. The current process to regulate IMS user rights between substantive and acting positions is an automated time expiry feature. This feature ensures that IMS rights are removed at the end of an acting appointment with the concurrent reinstatement of the rights associated with the user's substantive position. However, this automated time expiry feature is not being applied to all acting situations.

4.5 Specimen signature cards (SSR). The audit team observed that there were missing, out-dated and duplicate SSR cards on the "I" drive. SMFH resources may not, therefore, have access to complete and accurate SSRs when exercising Section 33 authority.

Recommendations

Director General, International and Domestic Financial Management (SMF)

4.6 Prepare documentation describing the Section 33 certification and the EAA business processes.

4.7 Ensure that the scanned SSR cards on the "I" drive are properly maintained and kept up to date.

Director General, Budgeting, Analysis and Reporting (SME)

4.8 Develop documentation that:

  1. Describes the business process for granting and removing IMS user rights, including acting situations; and,
  2. Specifies the level of approval required if an exception to the IMS user profiles per 3.5 is requested as well as the corresponding mitigating control.

4.9 Revoke the current IMS rights of a user before new IMS rights are granted when approving the EXT 1764.

4.10 Develop a departmental form to notify SME of the need to remove the IMS rights of a user under pre-defined situations.

Management Action Plan and Timeframe

4.6 Documentation describing the FAA Section 33 certification and the EAA business process will be prepared by the end of fiscal year 2007-08.

4.7 A procedure on Specimen Signature Cards will be developed that will include their creation, maintenance, verification and safeguarding in HQ and Missions. The procedure will propose that a review of the Specimen cards validity be conducted every six months, and that the electronic/hard copy documents be updated accordingly. This review will be performed as part of the rollout of the new delegation instrument in January 2008, which incidentally follows the summer rotation of employees abroad. (This is the draft response provided in both Phase I and Phase II Audit of Delegation of Financial Authorities.)

4.8 This recommendation has been implemented:

  1. Document exists in regards to granting IMS user rights and is located on the Corporate Finance, Planning and Systems (SMD) System's website (IMS Roles), and in DFAIT's IMS Security Monitoring Procedures Document.
  2. Refer to Section 3.6. SMSF, in conjunction with SMF, the Financial Management and Accountability Division (SMO), and Contracting Policy, Monitoring and Operations (SPP), will review authorities needed for additional access for financial and material management roles. SMO also provides ongoing support to SMF for complying with financial policy requirements on proper segregation of duties.

4.9 This recommendation has been implemented. When an individual changes positions, SME removes previous access and provides new access based on the new 1764 form as authorized by the manager.

4.10 This recommendation has been implemented. A departmental form is being used. The 1764 form, section 11(a) indicates (Delete Account).

Appendix A - Financial Administration Act (FAA) Relevant Sections

Source: Department of Justice.

Section 32

No contract or other arrangement providing for a payment shall be entered into with respect to any program for which there is an appropriation by Parliament or an item included in estimates then before the House of Commons to which the payment will be charged unless there is sufficient unencumbered balance available out of the appropriation or item to discharge any debt that, under the contract or other arrangement, will be incurred during the fiscal year in which the contract or other arrangement is entered into.

Section 33

No charge shall be made against an appropriation except on the requisition of the appropriate Minister of the department for which the appropriation was made or of a person authorized in writing by that Minister.

Section 34

No payment shall be made in respect of any part of the public service of Canada unless, in addition to any other voucher or certificate that is required, the deputy of the appropriate Minister, or another person authorized by that Minister, certifies:

  1. In the case of payment for the performance of work, the supply of goods or the rendering of services,
    1. That the work has been performed, the goods supplied or the service rendered, as the case may be and that the price charged is according to the contract, or if not specified by the contract, is reasonable,
    2. Where, pursuant to the contract a payment is to be made before the completion of the work, delivery of the goods or rendering of the service, as the case may be, that the payment is according to the contract, or;
    3. Where, in accordance with the policies and procedures prescribed under subsection (2), payment is to be made in advance of verification, that the claim for payment is reasonable, or;
  2. In the case of any other payment, that the payee is eligible for or entitled to the payment.

Office of the Inspector General


Date Modified:
2012-11-01