June 30, 2020
Introduction
In 2009, the Government of Canada began to transform the way it processes pay for its employees. Public Services and Procurement Canada (PSPC) was responsible for this Transformation of Pay Administration Initiative. This initiative centralized pay services in one pay centre for approximately half of all departments and agencies. Before this initiative, each department and agency processed pay for its own employees and had its own pay advisors. The government’s pay system had many manual processes, which were completed by pay advisors.
The system chosen to replace it was a PeopleSoft commercial pay system, customized to meet the government’s needs and intended to automate many of those manual processes. This system, called Phoenix by PSPC, was implemented in early 2016. The Phoenix system has required federal departments to implement additional pay administration controls, and to provide assurance that these controls are effective.
This article explains how the Internal Control team at Environment and Climate Change Canada (ECCC) supported the department in reaching the ongoing monitoring status on pay administration in October 2019 in a more timely and effective manner. Ongoing monitoring status is reached when:
- the effectiveness of the process’s design and operation has been tested,
- potential actions have been planned to address the gaps and weaknesses identified, and
- follow-up has started to ensure these actions are implemented.
The team achieved this by taking a leadership role, going further than the traditional assurance provider approach, and systematically using data analytics tools.
Phoenix implementation and new pay administration controls
Since the Phoenix system was launched in 2016, the Government of Canada has introduced a series of measures to:
- ensure accurate payments are issued,
- strengthen governance in pay administration,
- provide better data for decision-making,
- increase collaboration between PSPC and departments and agencies, and
- improve support to employees.
About the Author
Hicham Agoumi is Director, Financial Policy, Systems and Controls at Environment and Climate Change Canada. He is a process auditing and internal controls specialist, with 20 years of international experience in audit, internal controls, and investment management.
Hicham has a deep knowledge of best practices for sound risk management, notably in the area of financial controls, financial systems, financial market asset management, mutual funds, treasury management, and human resources.
One of these measures was the Treasury Board of Canada Secretariat’s revised Guideline on Financial Management of Pay Administration, issued in October 2017.
Through related guidelines, the Treasury Board of Canada Secretariat recognized that there are significant interdependencies between departments and PSPC. Departments rely on the effectiveness of the Phoenix system primarily for pay processing and for time and labour reporting. Departments, specifically those that are fully serviced by PSPC like ECCC, also rely on the effectiveness of the centralized pay centre activities and practices, including controls. Similarly, PSPC relies on the effectiveness of departmental activities and practices to ensure that information provided to Phoenix and the pay centre, where applicable, is valid, timely, complete, and accurate.
ECCC was proactive in addressing potential issues around the implementation of the Phoenix pay system. The department reviewed the pay administration process and implemented additional controls to better align the process with Treasury Board of Canada Secretariat guidance. The updated pay administration process mirrors the Secretariat’s Guideline on Financial Management of Pay Administration (FMPA) requirements. It is also aligned with the Secretariat’s March 2019 practitioners’ guide on implementing a departmental financial management control framework for pay administration.
ECCC’s enhancements to its pay administration process included establishing a quality assurance program, which included the following elements:
- post-payment verification of pay transactions,
- periodic analysis,
- payment issues reporting, and
- clarification of roles and responsibilities in order to provide additional assurance on the accuracy of salary expenditures.
Furthermore, additional ECCC resources continue to analyze data from Phoenix and the departmental human resources management system, in order to identify root causes of pay transaction issues and mitigate future problems.
What was our risk-based approach to providing assurance?
In order to meet very tight project timelines (see Figure 1), our assurance work was meant to be quick, agile, and timely. We focused on activities controlled by ECCC and we considered inherent risks during our discussions and validations with stakeholders.
The Internal Control team conducted a preliminary gap analysis and concluded that the traditional assurance approach of mapping existing controls and then assessing them would not result in a timely and value-added assessment.
Figure 1 – Environment and Climate Change Canada’s Timeline in Reaching Ongoing Monitoring Status on Pay Administration
We invited the multiple stakeholders (essentially from ECCC’s Human Resources Branch and Corporate Services and Finance Branch) to document the design of the pay administration controls. This design needed to adhere to the Treasury Board of Canada Secretariat guidelines on the financial management of pay administration, and not just reflect the controls based on the existing process. Using our thorough knowledge of the pay administration framework and a very assertive approach, we were able to influence the stakeholders to adopt best practices. Our approach was factual and objective, but it was not always independent, as in some instances we supported stakeholders in redesigning controls that were not effective. Our approach included assessing related risks using quantitative (value, volume) and qualitative (monitoring reports) criteria.
How did we do things differently?
Our assertive, risk-based approach presented above needed a strong and factual basis. This was mainly provided by the recent development of a detailed Treasury Board of Canada Secretariat framework, in addition to our extensive use of data analytics to support assertive risk assessments.
We systematically used data analytics to test key controls of the pay administration process whenever the information allowed us to apply this approach. We did this because data analytics allowed us to complete two key tasks:
- We could automatically test the full population of transactions, as opposed to only a fraction when using a traditional sampling approach. This is more effective and efficient because no manual testing is involved. In addition, discussions with stakeholders are no longer about the risk level assessment, but are instead focused on how to fix an issue presented to them as a fact (in other words, the risk actually materialized).
- We could merge and select complex data from ECCC’s departmental financial management system (SAP-ERP), human resources management system (My GCHR), and the Phoenix pay system. This provided a comprehensive database of transactions to be tested—as opposed to separate sets of data—and made the analysis more efficient.
As part of our approach, we experimentally tested some controls with both a sampling method and a data analytics method. This allowed us to compare the value added of each method in terms of level of assurance provided and efficiency. For example, we tested the following key financial controls:
- Phoenix access and authorization controls (with more than 1,100 employee access configurations tested), including around 40 segregation of duties rules based on the Phoenix External Segregation of Duties Matrix. The segregation of duties matrix is an important tool that notably minimizes fraud by limiting the combinations of roles that a user can have.
- Performance of payment authority (under section 33 of the Financial Administration Act) for 14 departmental paylists, which included 168,000 transactions and a total tested amount of $263 million.
Based on these tests, we concluded that using data analytics provided more accurate and specific insights than the traditional sample-based approach. Our assurance approach therefore relied on data analytics to provide more assurance through full-population analysis.
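The full-population test of access configurations against segregation of duties rules described above, set beside a sampled test, as an added example that is not ECCC's code. The role names, the three rules and the 1,100 constructed user records are assumptions; the Phoenix External Segregation of Duties Matrix itself is not reproduced in this article.

```python
import random

# Hypothetical conflicting role pairs; NOT the Phoenix External Segregation
# of Duties Matrix, whose contents are not given in the article.
SOD_RULES = [
    ("pay_data_entry", "pay_approval"),
    ("section_33_payment_authority", "section_34_certification"),
    ("security_admin", "pay_approval"),
]
BASE_ROLES = ["employee_self_service", "timekeeper", "pay_data_entry", "reporting"]
# Constructed violators: extra roles granted on top of a user's base roles.
SEEDED = {
    "U0017": ["pay_data_entry", "pay_approval"],
    "U0512": ["section_33_payment_authority", "section_34_certification"],
    "U0998": ["security_admin", "pay_approval"],  # also clashes with base role
}


def build_population(size=1100, violators=None):
    """Constructed access configurations: user id -> set of roles."""
    population = {}
    for i in range(size):
        population[f"U{i:04d}"] = {BASE_ROLES[i % len(BASE_ROLES)], "reporting"}
    for user, extra in (violators or {}).items():
        population[user] |= set(extra)
    return population


def sod_violations(population, rules=SOD_RULES):
    """Full-population test: every user is checked against every rule."""
    return sorted(
        (user, a, b)
        for user, roles in population.items()
        for a, b in rules
        if a in roles and b in roles
    )


def sampled_violations(population, sample_size, seed, rules=SOD_RULES):
    """Traditional approach: only a random sample of users is tested."""
    rng = random.Random(seed)
    chosen = rng.sample(sorted(population), sample_size)
    return sod_violations({u: population[u] for u in chosen}, rules)


if __name__ == "__main__":
    pop = build_population(violators=SEEDED)
    print("full population:", sod_violations(pop))
    print("sample of 30:   ", sampled_violations(pop, 30, seed=1))
```

With three conflicting users among 1,100, a sample of 30 will usually report nothing, while the full-population pass returns each user and the exact rule broken, including the second conflict on U0998 that arises from a role the user already held.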