Follow-up Audit of Finance and Corporate Branch's IT Controls over Financial Systems
This audit was included in the departmental Risk-Based Audit Plan 2010–2013 as approved by the Deputy Minister, upon the recommendation of the External Audit Advisory Committee.
Within Environment Canada, the IT controls that support the production of auditable annual financial statements are the responsibility of the Finance and Corporate Services Branch (FCB) and the Chief Financial Officer (CFO).
When the Federal Accountability Act was introduced in 2006, it required departments to be able to produce audited financial statements capable of supporting a controls-based audit. This was subsequently changed to a requirement to produce auditable financial statements.
Each department was to conduct a baseline assessment of its capacity to comply with this requirement and to report annually to the Office of the Comptroller General (OCG) on its progress toward compliance.
At Environment Canada, the audit readiness assessment was contracted to an outside firm (Ernst & Young) and conducted in two phases, beginning in 2007. The Phase 2 Report on the Audit Readiness Assessment (March 2009) highlighted several issues, including 25 in the area of information technology (IT) financial controls. The Department implemented an action plan to remedy the identified issues by the end of March 2011.
The 25 issues requiring remediation to enable an efficient controls-based audit were in the areas of user access management (i.e. identifying and controlling user access), database account management (i.e. identifying and controlling database privileges), and change management (i.e. documentation and monitoring).
Generally referred to as identity and access management (IAM), these three areas constitute the process of managing which users have access to what information, and how and when they can access it. Amongst other things, effective IAM improves operating efficiency and transparency, along with the effectiveness of key business initiatives. It would be very difficult for any department to conduct a controls-based audit on its auditable financial statements without effective IAM.
In order to scope out the planned audit on the Department’s capacity to conduct a controls-based audit, a preliminary review of background information and a risk assessment highlighted many possible objectives for this engagement. Documentation, including legislation, policies and directives, was reviewed and interviews were conducted with management from the Finance and Corporate Branch and the Chief Information Officer Branch to gain an understanding of the financial control environment and priority requirements, and their impact on Environment Canada.
Specific risks related to the IT financial controls environment were subsequently identified and evaluated as part of the audit planning. Ongoing activities such as the Corporate Accountability and Administrative Renewal (CAAR) project and the planned migration to a newer version of the database management system to support our financial systems were also taken into account.
The CAAR project includes many activities that are meant to address deficiencies identified during the Audit Readiness Assessment. [Text removed to protect the security of the system]
The audit focused on IAM issues in Merlin, the financial system IT application in use at Environment Canada. This approach was taken to avoid duplication of efforts and to add the most value for the Department. The approach took into consideration the results of the Phase 2 Audit Readiness Assessment, which had already focused on IAM issues in many of its IT-related findings. The most effective way of assessing IAM issues in Environment Canada’s financial systems, then, was to follow up on the action plan addressing the 25 issues from the Phase 2 Audit Readiness Assessment report.
This audit therefore followed up on the Phase 2 Audit Readiness Assessment report of March 2009 by reviewing the completion of the action plan to remedy the 25 IT financial control issues identified in the report, and to ensure that the control weaknesses had been resolved.
The work was carried out in the National Capital Region. Regional involvement was limited to determining whether the controls are implemented in a consistent way across all regions. Further, as the system underwent a major change in platforms in November 2010, testing of IT controls was restricted to those that were operating between the implementation of the new system and March 31, 2011, the end of fiscal year 2010–2011.
Audit fieldwork took place between December 2010 and April 2011, using input from two teams. The first team, which was from Audit Services Canada, reviewed through interviews the processes that were proposed as action items as a result of recommendations arising from the Phase 2 Audit Readiness Assessment report. The second team, which was from Ernst & Young, provided assurance by conducting tests of the data and processes, performing a thorough documentation review, and conducting interviews to establish that the recommendations have indeed been implemented and the resulting controls are working as planned. Testing included running scripts to extract information from various IAM-related tables in the application, the database and the operating system, selecting judgemental samples from these extracts and reviewing the files and other related evidence to determine whether the controls had operated effectively.
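The kind of control testing described above (extracting IAM-related records, applying the control test, then drawing a judgemental sample for file review) can be illustrated with a short script. The following is an added example and not code from the audit or from Environment Canada; the extracts, field names and thresholds are constructed assumptions, not Merlin tables. It applies one test to each of the three areas named in the Phase 2 report: user access management (dormant and leaver accounts), database account management (privileged accounts without a recorded justification) and change management (changes lacking approval or test evidence).

```python
"""Control tests over constructed IAM extracts, with a reproducible sample for review.
Added example: data, field names and the 90-day dormancy threshold are assumptions."""
from datetime import date
import random

AS_OF = date(2011, 3, 31)  # end of the audit period (fiscal year 2010-2011)

# Constructed extracts (not real data); every field name here is an assumption.
APP_USERS = [
    {"user": "u001", "role": "AP_CLERK",    "enabled": True,  "status": "active",     "last_login": date(2011, 3, 20)},
    {"user": "u002", "role": "SYSADMIN",    "enabled": True,  "status": "active",     "last_login": date(2010, 10, 1)},
    {"user": "u003", "role": "AP_CLERK",    "enabled": True,  "status": "active",     "last_login": None},
    {"user": "u004", "role": "AP_APPROVER", "enabled": True,  "status": "terminated", "last_login": date(2011, 3, 28)},
    {"user": "u005", "role": "AP_APPROVER", "enabled": False, "status": "terminated", "last_login": date(2010, 12, 1)},
]
DB_ACCOUNTS = [
    {"account": "app_owner", "privilege": "DBA",    "justification": "CR-0001"},
    {"account": "report_ro", "privilege": "SELECT", "justification": ""},
    {"account": "adhoc_dba", "privilege": "DBA",    "justification": ""},
]
CHANGES = [
    {"id": "CHG-1", "approved_by": "manager", "test_evidence": "test-log-1"},
    {"id": "CHG-2", "approved_by": "",        "test_evidence": "test-log-2"},
    {"id": "CHG-3", "approved_by": "manager", "test_evidence": ""},
]


def dormant_accounts(users, as_of=AS_OF, max_idle_days=90):
    """Enabled accounts with no login inside the window; never-logged-in counts as dormant."""
    out = []
    for u in users:
        if not u["enabled"]:
            continue
        idle = (as_of - u["last_login"]).days if u["last_login"] else None
        if idle is None or idle > max_idle_days:
            out.append(u["user"])
    return out


def terminated_but_enabled(users):
    """Leavers whose application account was never disabled (user access management)."""
    return [u["user"] for u in users if u["status"] == "terminated" and u["enabled"]]


def unjustified_privileged_db_accounts(accounts, privileged=("DBA",)):
    """Privileged database accounts with no recorded business justification."""
    return [a["account"] for a in accounts
            if a["privilege"] in privileged and not a["justification"]]


def changes_missing_evidence(changes):
    """Changes lacking either an approver or a test record (change management)."""
    return [c["id"] for c in changes if not c["approved_by"] or not c["test_evidence"]]


def judgemental_sample(items, size, seed=2011):
    """Reproducible sample of exceptions for file review; the seed is kept in the working papers."""
    items = sorted(items)
    return sorted(random.Random(seed).sample(items, min(size, len(items))))


def run_control_tests(as_of=AS_OF):
    """Run every test and attach a sample of the exceptions to walk through by hand."""
    findings = {
        "dormant": dormant_accounts(APP_USERS, as_of),
        "terminated_enabled": terminated_but_enabled(APP_USERS),
        "db_privileged_unjustified": unjustified_privileged_db_accounts(DB_ACCOUNTS),
        "changes_missing_evidence": changes_missing_evidence(CHANGES),
    }
    exceptions = [x for v in findings.values() for x in v]
    findings["sample_for_review"] = judgemental_sample(exceptions, 3)
    return findings


if __name__ == "__main__":
    for name, items in run_control_tests().items():
        print(f"{name}: {items}")
```

Each test returns the exception population rather than a pass/fail, because the audit step that follows is a review of the underlying files for a sample of those exceptions; a fixed seed makes the sample reproducible when the working papers are re-performed. Where, as in the audit period described, a control has had too little activity to produce exceptions, the empty population itself is the observation to record.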
Although the audit work was timed to coincide with the availability of system resources, it became apparent that the resources of the Finance and Corporate Services Branch were committed to the implementation of the major change in platforms in November 2010 and to a major upgrade in February 2011 to test the required controls (so that they could be implemented in production on April 1, 2011). To further complicate the timing of the audit, the Finance and Corporate Services Branch was also occupied with financial year-end work. This posed a challenge for audit scheduling and evidence testing. To minimize disruption to operations at a critical time, the audit team conducted its interviews, observations and testing while the operations staff was performing the implementation testing.
While all of the controls were in place during the audit period, by the time that testing began in April of 2011 there had been insufficient activity to test 11 of the controls. To compensate for the lack of test data, the audit team performed additional review procedures to support the conclusions of this report.
This audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing and the Policy on Internal Audit of the Treasury Board of Canada.
In our professional judgement, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the conclusions reached and contained in this report. The conclusions were based on a comparison of the situations, as they existed at the time, against the audit criteria.