Findings were based upon evidence collected by Audit Services Canada (ASC), by testing, inquiry and document reviews carried out by Ernst & Young, and by inquiry and document review carried out by staff at Internal Audit.
Since the Phase 2 Audit Readiness Assessment report of March 2009, policy requirements surrounding audited financial statements have been reviewed and changed to auditable financial statements. In addition, Environment Canada’s Financial Statement Audit Readiness (FSAR) project was revisited to allow it to address Corporate Accountability and Administrative Renewal (CAAR) initiatives, with the global objective of improving financial management and accountability. Changes to the organization accompanied these changes in financial management renewal.
Since the audit readiness assessment was finalized in March 2009, Merlin has migrated to a new platform (from UNIX to LINUX), has been patched significantly, and has had its functionality enhanced to include asset life-cycle management.
A major upgrade to Merlin, including improvements to its control environment, was carried out on April 1, 2011. At that time, new account access controls were put in place, including password management controls and improvements to the roles-based (“responsibilities”) access controls. Further, reports necessary for the operation of many of the monitoring controls were also moved into production on that date. The recent implementation of these features meant that there was insufficient time for account-related transactions to occur in order to test the effectiveness of many of the controls that govern these transactions.
The original audit plan was to establish the adequacy of the controls implemented to address the 25 control issues. This was to be based on testing, or on inquiry and document review.
Of the 15 controls that were to be assessed by testing, there was insufficient evidence available to draw assurance-level conclusions for 11. This lack of evidence was largely due to the recent implementation of associated controls. Further audit work will be required to test these controls once sufficient time has passed to allow for transactional evidence to accumulate.
In this report, the controls related to the Merlin application were generally considered to pose a higher level of inherent risk than the controls related to the database or to the operating system. As justification for this assignment of risk levels, two factors were considered.
First, the failure of operating system or database controls can have a major short-term impact on the availability of the system and of its information; however, to a large extent, compensating controls such as backups and business resumption planning reduce the impact. In contrast, failures of the application controls can lead to an impact on the confidentiality, integrity and availability of the information in the system, posing a far greater risk to the Department in the long term.
The second consideration for establishing the risk levels was the smaller attack surface of the database and the operating system (there are fewer administrators than there are users); in addition, the controls over the segregation of duties that are in place for individual financial primes (Operating System (OS) administrators versus Database (DB) administrators) mitigate risks in the DB and OS realms even further.
Wherever possible, a control should flow naturally from the work that is being controlled. When that is not possible, controls should be optimized to support the business process. In this way, work done to carry out the control also contributes to the business being conducted, thus reducing the incremental costs imposed by the control. When a control is added on to a business process with little integration or optimization, it simply becomes something else that needs to be done with scarce time and resources.
A number of the monitoring tools that were developed to address the control weaknesses identified in the Phase 2 Audit Readiness Assessment report were found not to have been optimized to help the business units perform the monitoring function. [Text removed to protect the security of the system]
From interviews, it appears that the business and IT areas focused their efforts on meeting the recommendations from the Phase 2 Audit Readiness Assessment. The controls that were implemented will remediate the deficiencies; however, in order for the monitoring to be sustainable over the long term, the automation of certain activities needs to be considered.
The audit team observed that remediation activities were put in place to address monitoring deficiencies using the existing level of resources. Through regular system upgrades and the introduction of new, more robust technologies, IT financial monitoring controls will undergo further improvements and the requirement for manual interventions should diminish. This is a continuous improvement process that is encouraged and that will, over time, maximize new and improved technologies.
The Chief Financial Officer (CFO), in consultation with the Chief Information Officer (CIO), should review the original findings presented in the Phase 2 Audit Readiness Assessment report and the control remediations implemented with an aim of enabling a better automation of the monitoring that is required to address the control weaknesses. Based on an understanding of the business value of the monitoring being recommended, the design of the tools and processes that have been developed should be reviewed to see how they could be modified for better integration into the business process and enhanced value to the business units, given the Department's current reality in terms of risk tolerance and resource availability.
The CFO should develop a plan for re-engineering the monitoring controls over the financial systems within a continuous improvement strategy in order to integrate them into existing business processes, reduce costs and improve sustainability.
Agree. IES is currently developing the Departmental Financial Management System (DFMS) plan, which will ensure continuous system monitoring and address central agency requirements on standard business processes and ensure proper integration.
The audit team faced two difficulties regarding a number of the controls it assessed. In some instances, the team was unable to do the level of testing required to provide a higher level of assurance. In other cases, it found issues with control designs that may or may not constitute an ongoing risk to the Department’s objectives over time.
Many of the controls that were reviewed were only implemented on April 1 of 2011, almost at the end of the audit fieldwork. Consequently there was insufficient time for transactional evidence of account controls to accumulate to allow effectiveness testing to proceed.
To be able to produce auditable financial statements, the CFO will have to reconsider the management action plan provided in response to the Phase 2 Audit Readiness Assessment report. Given the recent implementation of the controls in 2011, a number of items are complete or well advanced, but further work is required to address them fully.
The audit results for the 25 recommendations for improving IT financial controls are presented in Annex 1 to this report and are summarized as follows:
The audit team observed that residual work remains for the 12 low-risk controls and the 2 medium-risk controls. The work would use the results of the audit and the audit team’s own testing to refresh the original work plan that responded to the Phase 2 Audit Readiness Assessment. Alternately, the team could develop a new work plan to address the outstanding issues. Either approach would make the remaining work more effective, easier to integrate into standard work routines, and more focused on completing the items using a risk-managed approach.
The CFO should develop a work plan to address the completion of activities outstanding from the work plan arising from the Phase 2 Audit Readiness Assessment report.
Agree. A work plan that addresses all outstanding items from the Phase 2 Audit Readiness Assessment Report 2009 Audit has been prepared.
To be effective, monitoring activity must be carried out in a consistent manner and must be well documented. In particular, documentation should make it clear why the monitoring is taking place, what distinguishes acceptable performance from unacceptable performance, when the monitoring happened, who carried out the monitoring, what was found and what, if anything, was done as a result of the activity. Finally, we expect to see the results of the monitoring activity reported back to management so that the managers can make decisions about improvements to policy, procedures and controls.
The recommendations arising from the Phase 2 Audit Readiness Assessment require that many controls be subject to periodic review (monitoring). The audit team found that processes surrounding this monitoring are documented and managed as individual activities, and that the monitoring controls are independently designed and operated without reference to what they are meant to accomplish—namely, to provide assurance that the IT financial controls are operating as required in order to make the financial statements auditable.
It appears that, due to the large number of findings that arose from the Phase 2 Audit Readiness Assessment, management decided to tackle the recommendations one at a time rather than trying to come up with a plan for addressing them together.
Dealing with monitoring controls on a case-by-case basis means that the monitoring may not be carried out consistently across controls or by different individuals. Not having an overall strategy for carrying out the monitoring activity may also lead to inefficiencies and may make it more difficult to share lessons learned from one activity to another.
Monitoring of IT financial controls should be considered as a single activity. The monitoring activity should be managed under one umbrella function. The purpose of the monitoring activities should be clearly articulated along with indicators of what constitutes good and bad practice. The monitoring should directly support the financial and IT governance processes and should give management the information it needs to establish that controls are working as planned, and to make decisions about changes in the control environment that are reasonable, given the risk appetite and the availability of resources. Logs of monitoring activity should be maintained as well as evidence necessary for audit follow-up activity. Finally, key indicators should be developed to describe the effectiveness of the IT financial control environment to management.
After completion of the work plan (refreshed or new—per section 2.2 above), a program of continuous monitoring should be implemented by the Finance and Corporate Services Branch (FCB) to track the effectiveness and sustainability of the monitoring controls. The results of this continuous monitoring would assist in quality assurance and the continuous refinement of the monitoring functions so that they remain in an optimal state of maturity for the risk tolerance environment.
The CFO should develop a strategy for the continuous monitoring of IT financial controls, which should be part of an overall strategy of monitoring internal controls.
Agree. The strategy for the continuous monitoring of IT financial controls will be incorporated into the EC DFMS for 2011–2012. In addition, Environment Canada is looking to invest in non-proprietary software to facilitate continuous monitoring of financial controls.
There should only be one system of record for any given piece of information. Wherever practical, systems should leverage existing information from systems of record rather than trying to maintain a separate copy of that information.
The audit team found that many of the controls related to identity and access management, especially those that are detective in nature (such as those involving monitoring), would be more effective if they could leverage information already available in the HR systems (such as, for a given period, lists of employees who had left the Department, lists of employees who had joined the Department and lists of employees who had changed their roles).
To accomplish this efficiently, the financial systems would have to include a unique identifier on their user records that is shared with the HR system.
Historically, designers have often ignored the availability of information in HR systems because of the difficulties dealing with associated privacy concerns.
Lack of access to this pre-existing information means that there is no independent source of information with which to validate account management activities that have taken place. This is particularly true for detective controls such as those used for monitoring account management activity after the fact.
Further, it means that data is stored redundantly and must be maintained twice, with the attendant risk of a loss of integrity. The design of the monitoring controls will be less effective without a unique, single source of good-quality information. Without such a single source, monitors who check what account-based activity took place will then have to find substantiating documentation of who authorized the activity. If HR data were available, it would be independent and would improve the segregation of duties and allow for a more automated validation of account activities.
IT financial controls related to identity and access management should leverage information already available in various HR systems. Enabling this activity may require a short-term allocation of resources by the Department and engagement on the part of the Assistant Deputy Minister for HR, the CIO and the CFO.
In particular, the design of detective controls like those used in monitoring account management activities should be optimized to make use of HR information (such as employees who have left the Department in a given period, or employees who have joined the Department and employees who have changed roles or positions).
Further, the account management tables in the financial systems should be modified to include a unique identifier for account holders that is shared with HR and contractors’ management systems.
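As an added illustration of the detective control described above (not part of the audit report and not code from the Department's systems), the sketch below reconciles enabled financial-system accounts against HR records through a shared employee identifier and produces a log entry for audit follow-up. All field names, user names, identifiers and dates are constructed assumptions.

```python
from datetime import date

# Constructed sample data; field names and identifiers are assumptions.
HR_RECORDS = {  # keyed by the identifier shared with the financial system
    "E1001": {"left_on": None, "role_changed_on": None},
    "E1002": {"left_on": date(2011, 4, 15), "role_changed_on": None},
    "E1003": {"left_on": None, "role_changed_on": date(2011, 5, 2)},
    "E1004": {"left_on": date(2011, 3, 31), "role_changed_on": None},
}
FIN_ACCOUNTS = [
    {"user": "asmith", "employee_id": "E1001", "enabled": True, "access_reviewed_on": date(2011, 4, 1)},
    {"user": "bjones", "employee_id": "E1002", "enabled": True, "access_reviewed_on": date(2011, 4, 1)},
    {"user": "cwong", "employee_id": "E1003", "enabled": True, "access_reviewed_on": date(2011, 4, 1)},
    {"user": "tempadm", "employee_id": None, "enabled": True, "access_reviewed_on": None},
    {"user": "dlee", "employee_id": "E1004", "enabled": False, "access_reviewed_on": date(2011, 4, 1)},
]

def reconcile_accounts(accounts, hr_records, as_of):
    """Return (user, finding) exceptions for enabled accounts as of a date."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts cannot be used; out of scope here
        hr = hr_records.get(acct["employee_id"])
        if hr is None:  # no shared identifier, or HR does not know the holder
            findings.append((acct["user"], "NO_HR_MATCH"))
            continue
        if hr["left_on"] is not None and hr["left_on"] <= as_of:
            findings.append((acct["user"], "ENABLED_AFTER_DEPARTURE"))
            continue
        changed = hr["role_changed_on"]
        reviewed = acct["access_reviewed_on"]
        if changed is not None and changed <= as_of and (reviewed is None or reviewed < changed):
            findings.append((acct["user"], "ROLE_CHANGE_NOT_REVIEWED"))
    return findings

def monitoring_log_entry(findings, reviewer, as_of):
    """Record who ran the check, for what date, and what was found."""
    return {"control": "account-vs-HR reconciliation", "run_by": reviewer,
            "as_of": as_of.isoformat(), "exceptions": len(findings), "details": findings}

if __name__ == "__main__":
    result = reconcile_accounts(FIN_ACCOUNTS, HR_RECORDS, date(2011, 6, 30))
    print(monitoring_log_entry(result, "monitor01", date(2011, 6, 30)))
```

Because the HR data is maintained independently of the account administrators, each exception can be raised without first locating the authorization paperwork for the account change.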
The CFO and the Assistant Deputy Minister for HR should establish a strategic plan for leveraging existing user identification for use in the financial systems.
Agree. Access to corporate key interfaces will be finalized for enhanced controls over user identification in the system