The Financial Systems Authority (FSA) of the Office of the Comptroller General (OCG) established the Control Framework for Human Resources/Finance Interactions project to improve horizontal linkages and controls between Human Resources (HR) and Finance.
This document defines the Pay Administration Control Framework (PACF), including control objectives, activities, risks, responsibilities and accountabilities. The PACF is system-independent and draws heavily from the Guideline on Common Financial Management Business Process on Pay Administration (FM-BP / PA) (referred hereafter as the Pay Administration Model or PAM), which identifies the common HR/Finance processes, data, authoritative sources, roles and responsibilities. The PAM is a prerequisite of and foundation for the PACF.
The FSA, in close collaboration with the project working group, developed the PACF from June to December 2008. The working group and steering committee consisted of representatives from specific Treasury Board of Canada Secretariat (TBS) organizations, including the Chief Information Officer Branch (CIOB), the Office of the Chief Human Resources Officer (OCHRO), and Financial Management and Analysis Sector, as well as from Public Works and Government Services Canada (PWGSC), Natural Resources Canada, Health Canada, Canadian Heritage, the Integrated Financial and Materiel System (IFMS), and Government of Canada Human Resources Management System (GC HRMS) Clusters. Briefings to multiple departments and agencies and to committees and councils of the HR and Finance communities provided further validation of the PACF.
The PACF is a "should be" model (a tool under the Directive on Financial Management of Pay Administration) that incorporates best practices and requirements under current Government of Canada (GC) policies and legislation and specifically identifies how the policies and legislation, when coupled with the Committee of Sponsoring Organizations (COSO) Internal Control – Integrated Framework, apply to the pay administration process. Policies, legislation and COSO material informing the PACF include the following:
The PACF is system-independent. Its scope is specific to the common HR/Finance business processes identified in the Pay Administration Model and is focussed on complete, accurate and timely pay. The PACF does not include other HR processes (e.g. staffing processes), other finance processes and their related controls.
The PACF and the analysis that informs it will assist departments in developing, implementing and monitoring internal controls related to pay administration. It is expected that departments and
agencies will tailor the PACF to meet the specific control needs of their HR and financial management systems.
The Financial Systems Authority (FSA) of the Office of the Comptroller General (OCG) established the Control Framework for Human Resources/Finance Interactions project to improve horizontal linkages and controls between Human Resources (HR) and Finance to support the accuracy, reliability and relevance of shared compensation and financial management data and processes. In the course of the project, the Human Resources/Finance Pay Administration Model Guideline (PAM), which focuses on the identification of common HR/Finance processes, data and authoritative sources, was developed. The determination of the roles and responsibilities of key functional owners and stakeholders involved in pay-related functions was a critical component of the analysis, which, in turn, led to the creation of a Pay Administration Control Framework (PACF).
As depicted in Figure 1, multiple initiatives are related to this project. Leveraging information and results from these initiatives as well as continual bilateral consultations are essential for ensuring the project's relevance, validity and overall success.
Figure 1: Project Linkages
The HR/Finance Interactions project leverages relevant project results from the deliverables of these other initiatives, particularly from the following two projects with which it is tightly integrated: the Treasury Board of Canada Secretariat's (TBS) Financial Management Framework and the TBS Office of the Chief Human Resources Officer's (OCHRO) Common HR Business Process Initiative. In turn, policy authorities[1] can use the deliverables of this project to develop policy instruments that help improve the accuracy, quality and reliability of information common to Finance and HR.
Departments, Administrative Systems Cluster Groups[2] and service providers[3] can use the deliverables of this project to improve the accuracy, reliability and quality of the information used in processes that traverse the HR and finance functions. Project deliverables will assist departments when responding to independent audit requirements and to financial statement readiness assessments that examine payroll-related expenditures (as part of the preparation of audited financial statements). The deliverables are targeted to all departments and organizations defined as departments within the meaning of section 2 of the Financial Administration Act (FAA), including service providers such as Public Works and Government Services Canada (PWGSC).
Departmental HR and Finance organizations can use the deliverables of this project to improve the accuracy and quality of employee transactions and management reporting for decision-making purposes.
The Chief Information Officer Branch (CIOB) will use the deliverables of this project as input for the service oriented architecture (SOA) initiative between corporate administrative financial and HR systems.
The deliverables of the Control Framework for HR/Finance Interactions project are a necessary first step toward improving interoperability and data sharing, managing overlap and duplication across Finance and HR processes, and contributing to improved management accountability.
This document defines the PACF (a tool under the Directive on Financial Management of Pay Administration), including control processes, control activities, control objectives and risks, and identifies the parties responsible and accountable for the control activities.
The PACF builds on the Guideline on Common Financial Management Business Process on Pay Administration (FM-BP / PA) (referred hereafter as the Pay Administration Model or PAM) (a guideline under the Directive on Financial Management of Pay Administration) and provides a formal and common approach to controls for pay administration.
For the purposes of the PACF, the terms "pay" and "payroll" are limited to gross pay and the pay-related transactions identified in the Regional Pay System (RPS) detailed pay expenditure file,[4] which include:
The PACF is system-independent. Its scope is specific to the common HR/Finance business processes identified in the Pay Administration Model and is focussed on complete, accurate and timely pay that complies with laws, regulations, policies and financial reporting requirements. The PACF does not include other HR processes (e.g. staffing processes), other finance processes and their related controls.
Departments and agencies may need to tailor the PACF to incorporate organization-specific or position-specific HR and Finance processes and controls for:
Though the PACF specifically focuses on PWGSC's RPS, there is more than one payroll system in use in the Government of Canada (GC) and findings are expected to be likewise applicable to those other systems.
Technology-related control objectives, control activities and risks and vendor-specific mapping to HR and financial administrative systems are outside the scope of the PACF.
Control frameworks related to the PACF include the Receiver General Control Framework and PWGSC's Internal Control Framework.[5]
The following steps were undertaken in developing this document:
Policies and related documentation:
COSO "is a voluntary private-sector organization. COSO is dedicated to guiding executive management and governance entities toward the establishment of more effective, efficient, and ethical business operations on a global basis. It sponsors and disseminates frameworks and guidance based on in-depth research, analysis, and best practices."[6] As part of this mandate, COSO published the Internal Control – Integrated Framework in 1992. The document, which is commonly known as the "COSO Framework" and is frequently depicted as "the COSO Cube,"[7] established and defined common internal controls, standards and criteria against which companies and organizations worldwide assess their control systems.
Treasury Board's Policy on Internal Control recognizes that a suitable control framework is the Enterprise Risk Management (ERM) – Integrated Framework, which includes the COSO Internal Control – Integrated Framework. This Framework is also recognized by the Risk Management and Governance Board of the Canadian Institute of Chartered Accountants (CICA).
Figure 2: The COSO Cube
The COSO Cube, Figure 2, demonstrates the interrelatedness of control objectives, control components and organizational levels of responsibility. Specific levels of the organization are responsible (and accountable) for the control components that ensure control objectives are met.
On the first facet of the COSO Cube, three distinct but overlapping categories of control objectives are identified.
The effectiveness of operations related to producing accurate and timely pay is within the scope of the PACF. However, controls related to the efficiency of operations, such as controls that measure the pay administration time cycle, are specific to departments and agencies and, as such, are excluded from the PACF's scope. Departments can add these controls when adapting the PACF to suit their operations.
Financial reporting of the GC's pay results is considered to be within the scope of the PACF.
Compliance with laws, regulations and policy governing pay is considered to be within the scope of the PACF.
The second facet of the COSO Cube consists of five control components that provide a framework for describing and analyzing an organization's internal control system.
The PACF supports this control component by providing discipline and structure for the creation of control frameworks, though it is recognized that the control environment is typically unique to a department and the prerogative of the Deputy Head and Chief Financial Officer (CFO). Departments and agencies implementing the PACF will therefore need to add additional controls to reflect their organization's unique control environments.
The PACF identifies risks for the relevant control objectives.
The PACF identifies the control activities that support the control objectives and mitigate their associated risks.
The PAM addresses information and communication components related to the timely and accurate completion of pay administration processes; however, control-related information and communication components and their effectiveness, particularly with respect to employee roles and responsibilities for those controls and associated control activities, are recognized as being unique to a department and are therefore considered to be outside the scope of the PACF. Departments and agencies implementing the PACF will need to add a communications component to their framework.
The PACF recognizes the need to monitor control activities, both ongoing monitoring and separate evaluations. An effective monitoring program will take into account management and supervisory practices and the specifics of operating processes and will respond to identified control deficiencies. Such practices, processes and deficiencies will be unique to a department or agency; therefore, these control components are considered to be outside the scope of the PACF. Departments and agencies implementing the PACF will need to add a monitoring component to their framework.
The third facet of the COSO Cube addresses organizational levels of responsibility. Roles and their associated responsibilities and accountabilities are assigned for each control activity, based on those identified in the Pay Administration Model's RACI diagrams. Departments and agencies implementing the PACF may require adjustment to their control activities if assigning responsibilities and accountabilities to specific units or individuals in the organization.
The Pay Administration Model, Figure 3, categorizes pay administration processes as follows:
Figure 3: Pay Administration Context
The PACF builds on the Pay Administration Model, in which common HR/Finance pay-related processes, data, roles, responsibilities and authoritative sources are documented. The PACF is organized according to the following common HR/Finance touch points:
The control objectives and control components (activities) of the COSO Cube (described in Section 2 of this document) were applied to the processes examined in the Pay Administration Model to identify their control requirements. The resulting PACF structure, Figure 4, is as follows:
Figure 4: PACF Structure
Refer to Appendix A for explanations of key terms used in the PACF.
As indicated in the Pay Administration Model, operational planning, commitment control and salary management are processes that occur concurrently with the other pay administration processes. As such, the associated controls apply from operational planning through to the completion of the post-payroll processes.
Control Process | Control Activity | Responsible | Accountable | Control Objective | Control Risks | ID | |
---|---|---|---|---|---|---|---|
Create, implement and maintain departmental policies and procedures to manage the interaction between operational planning, commitment control and salary management. | Corporate Finance / HR | Deputy Head (commitment control) / Corporate Finance (operational planning and salary management) | Operations, financial reporting and compliance | Plans are managed in accordance with approved organizational structure. | Changes are not approved through the planning process. | A-1 | |
Inform managers and Finance of approved organizational model. | HR | HR | Operations (operational planning) | Plans are managed in accordance with approved organizational structure. | Changes are not approved through the planning process. | A-2 | |
Confirm that proposed actions align with approved organizational model (with supporting evidence) before proceeding. | HR | HR | Operations (operational planning) | Plans are managed in accordance with approved organizational structure. | Changes are not approved through the planning process. | A-3 | |
Inform HR, managers and Finance of updates to organization model. | HR/Manager/ Finance (tri-directional) | HR | Operations (operational planning) | Plans are managed in accordance with approved organizational structure. | Changes are not approved through the planning process. | A-4 | |
Confirm initiation of pay-related transaction requests and commitment according to the approved organizational model, with supporting evidence. | Manager | Manager | Operations (commitment control and salary management) | Forecasts are managed according to approved organizational structure. | Forecasts are inaccurate, negatively affecting decision making. | A-5 | |
Track planned employee- and position-related data against the organizational structure. | Manager | Manager | Financial reporting (salary management) | Pay expenditures (including anticipated pay expenditures) are accurately forecast. | Reliance on inaccurate information for decision making. | A-6 | |
Confirm availability of funds and record commitments.[9] | Manager | Manager | Compliance (commitment control) | Planned and forecasted pay expenditures (including anticipated pay expenditures) are recorded. | Unencumbered balances within the department are insufficient to discharge applicable debts. | A-7 |
The following controls apply to HR pre-payroll processes, which are processes undertaken by HR (or by the manager) before the pay-related action request is submitted to Compensation.
Control Process | Control Activity | Responsible | Accountable | Control Objective | Control Risks | ID | |
---|---|---|---|---|---|---|---|
Create, implement and maintain departmental policies and procedures to manage the delegation of financial authorities. | Corporate Finance | Deputy Head | Compliance | All pay-related action requests are authorized by persons with the appropriate delegated financial authorities. | Employee pay is in error, incomplete or fraudulent and pay-related processes occur without the necessary financial authority. | B-1 | |
Create, implement and maintain formal delegation of authorities matrix. | Corporate Finance | Minister / Deputy Head | Compliance | All pay-related action requests are authorized by persons with the appropriate delegated financial authorities. | Pay-related processes occur without the necessary financial authority. | B-2 | |
Create, implement and maintain appropriate division of financial responsibilities. | Corporate Finance | Minister / Deputy Head | Compliance | All pay-related action requests are authorized by persons with the appropriate delegated financial authorities. | Employee pay is in error, incomplete or fraudulent. | B-3 | |
Formally delegate and communicate financial authorities in writing to Finance, Compensation and managers.[10] | Corporate Finance | Minister / Deputy Head | Compliance | All pay-related action requests are authorized by persons with the appropriate delegated financial authorities. | Employee pay is in error, incomplete or fraudulent. | B-4 | |
Inform Compensation and HR of the delegation of authorities matrix. | Financial Services | Corporate Finance | Compliance | All pay-related action requests are initiated with the required financial authority. | Pay-related processes occur without the necessary financial authority. | B-5 | |
Create, implement and maintain specimen signature documents. | Manager | Corporate Finance | Compliance | All pay-related action requests are initiated with the required financial authority. | Pay-related processes are initiated without the necessary financial authority. | B-6 | |
Create, implement and maintain training and certification (learning certification) programs so managers have the necessary knowledge, skills and competencies to effectively carry out their financial management duties. | Corporate Finance / HR | Deputy Head | Compliance | All pay-related action requests are authorized by persons with the appropriate delegated financial authorities. | Employee pay is in error, incomplete or fraudulent. | B-7 | |
Validate specimen signature documents (includes assurance that managers have the required certification and training). | Financial Services | Corporate Finance | Compliance | All pay-related action requests are initiated with the required financial authority. | Pay-related processes are initiated without the necessary financial authority. | B-8 | |
Validate that the originator of pay-related transaction requests has the appropriate financial authority. | HR | HR | Compliance | All pay-related action requests are initiated with the required financial authority. | Pay-relatedprocesses are initiated without the necessary financial authority. | B-9 | |
Create, implement and maintain departmental policies and procedures to manage HR delegations. | HR | HR | Compliance | All pay-related action requests are authorized with the required HR delegation. | HR processes are initiated without the necessary delegation. | B-10 | |
Create, implement and maintain record of HR delegations. | HR | HR | Compliance | All pay-related action requests are authorized with the required HR delegation. | HR processes occur without the necessary delegation. | B-11 | |
Validate that the originator of the pay action has the required HR delegation. | HR (for HR pre-payroll) / Compensa-tion (for pay pre-payroll) | HR (for HR pre-payroll) / Compensa-tion (for pay pre-payroll) | Compliance | All pay-related action requests are authorized with the required HR delegation. | HR processes occur without the necessary delegation. | B-12 | |
Create, implement and maintain training and certification (as appropriate) so employees have the necessary knowledge, skills and competencies to effectively carry out their HR duties. | HR | Deputy Head | Compliance | All pay-related action requests are authorized with the required HR delegation. | HR processes occur without the necessary delegation. | B-13 |
The following controls apply to the activities undertaken by Compensation when preparing and submitting transactions for payroll processing.
Control Process | Control Activity | Responsible | Accountable | Control Objective | Control Risks | ID | |
---|---|---|---|---|---|---|---|
Control activities related to the delegation of HR and financial authorities identified under HR Pre-Payroll Processes also apply here. | C-1 | ||||||
Create, implement and maintain departmental policies and procedures for compliance with s. 34 of the FAA. | Corporate Finance | Corporate Finance / CFO | Compliance | All pay-related action requests are authorized by persons with the appropriate delegated financial authorities. | Employee pay is in error, incomplete or fraudulent. | C-2 | |
Certify under s. 34 of the FAA that:
| Manager | Manager | Compliance | Pay-related action requests are processed accurately. | Inaccurate pay results (negatively affecting decision making or requiring further pay processing because of underpayments and overpayments) | C-3 | |
Verify under s. 34 of the FAA that: | Compensation | Compensation | Operations | Pay-related action requests are processed accurately. | Inaccurate pay results (negatively affecting decision making or requiring further pay processing because of underpayments and overpayments) | C-4 | |
Ensure that no person exercises s. 34 of the FAA for a payment from which he or she can personally benefit, either directly or indirectly.[11] | Compensation | Corporate Finance | Compliance | Appropriate segregation of duties | Fraudulent or inaccurate pay-related action requests | C-5 | |
Create, implement and maintain procedures to ensure that s. 33 FAA authority is properly exercised (including mechanisms to verify the legality of the payment and the availability of funds). | Corporate Finance | Corporate Finance | Compliance | Pay-related action requests are authorized under s. 33 of the FAA. | Inaccurate pay results (negatively affecting decision making or requiring further pay processing because of underpayments and overpayments) | C-6 | |
Validate that the required s. 34 FAA certification exists for s. 33 payment. | Compensation / Corporate Finance | Corporate Finance | Compliance | All pay-related action requests are authorized by persons with the appropriate delegated financial authorities. | Employee pay is in error, incomplete or fraudulent. | C-7 | |
Officers with s. 33 FAA payment authority must ensure that an adequate process is in place to verify accounts under s. 34 of the FAA and that the process is being properly followed. | Financial Services | Corporate Finance (CFO) | Compliance | Pay-related action requests are authorized under s. 33 of the FAA. | Inaccurate pay results (negatively affecting decision making or requiring further pay processing because of underpayments and overpayments) | C-8 | |
Ensure that no person exercises signing authority under both s. 33 and s. 34 of the FAA with respect to a particular payment. | Corporate Finance | Corporate Finance | Compliance | Appropriate segregation of duties | Fraudulent or inaccurate pay-related action requests | C-9 | |
Ensure that no person exercises s. 33 of the FAA for a payment from which he or she can personally benefit, either directly or indirectly. | Compensation / Corporate Finance | Corporate Finance | Compliance | Appropriate segregation of duties | Fraudulent or inaccurate pay-related action requests | C-10 | |
Create, implement and maintain procedures to ensure prompt initiation and accurate completion of pay-related requests. | Manager / Compensation | Manager | Operations | Prevent or minimize overpayments. | Overpayments cannot be recovered. | C-11 | |
Limit access and privileges (of specific functions or specific employees) to authorized users only and review user access and privileges periodically. | Compensation | Compensation | Operations | Prevent or minimize inaccuracy, fraud and overpayment situations. | Employee pay is in error, incomplete or fraudulent. | C-12 | |
Validate accuracy of employee information. | Compensation/ HR/Manager | Compensation | Compliance | Pay-related action requests include accurate employee information. | Inaccurate pay for employees (negatively affecting decision making or requiring further pay processing because of underpayments and overpayments) and inaccurate reporting information (expenditures, forecasts) | C-13 | |
Validate accuracy of position information. | Compensation/ HR/Manager | HR | Compliance | Pay-related action requests include accurate employee position information. | Inaccurate pay for employees (negatively affecting decision making or requiring further pay processing because of underpayments and overpayments) and inaccurate reporting information (expenditures, forecasts) | C-14 | |
Create, implement and maintain procedures for the recovery of debts owed to the Crown. | Financial Services | Corporate Finance | Operations | Prevent or minimize overpayments. | Overpayments cannot be recovered. | C-15 |
PWGSC's Internal Control Framework and the Receiver General Control Framework (specifically the components related to the payroll systems[12]) complement the PACF and complete the end-to-end pay administration control processes of departments, agencies and PWGSC. PWGSC's Internal Control Framework identifies controls for both gross and net payroll processing, with the overall control objective of ensuring authorized, complete, accurate and timely payroll. To be consistent with the scope of pay administration in departments and agencies (as described in the Pay Administration Model), the controls listed below only relate to the gross payroll processes of PWGSC, departments and agencies.
Control Process | Control Activity | Responsible | Accountable | Control Component | Control Objective | Control Risks | ID |
---|---|---|---|---|---|---|---|
Create, implement and maintain controls for reconciliation (gross-to-net), editing and correction of payroll transactions. | PWGSC Compensation | PWGSC Compensation | Operations | Accurate processing of pay-related action requests | Inaccurate pay for employees | D-1 | |
Maintain and forward a copy of s. 33 FAA specimen signature document to PWGSC. | Corporate Finance | Corporate Finance | Compliance | Accurate processing of pay-related action requests | Unauthorized pay transactions will be processed by PWGSC. | D-2 | |
Confirm department's s. 33 FAA authority. | PWGSC Compensation | PWGSC Compensation | Compliance | Accurate processing of pay-related action requests | Unauthorized pay transactions will be processed by PWGSC. | D-3 | |
Forward departmental input file to PWGSC Banking and Cash Management Sector (BCMS) for payment. | PWGSC Compensation | PWGSC Compensation | Operations | Provide complete, prompt and accurate payment to employees. | Payments and/or pay statements are not provided to the employee. | D-4 | |
Issue payments in accordance with departmental input file. | PWGSC BCMS | PWGSC BCMS | Operations | Provide complete, prompt and accurate payment to employees. | Payments and/or pay statements are not provided to the employee. | D-5 | |
Identify critical errors, inform the department and perform corrections (see E-2 for error analysis and departmental corrective actions). | PWGSC Compensation (applicable Pay Office) | PWGSC Compensation | Operations | Pay-related action requests sent to PWGSC are processed promptly, accurately and fully. | Pay-related action requests sent to PWGSC are delayed, incomplete or inaccurate. | D-6 |
Error detection, register review, cheque recall and intercept processes are undertaken by the department's Compensation staff, and they occur between the time payroll is run and pay is released. Payment release (approval of payroll register) and custody and distribution of payments are considered post-payroll processes and included in this section. The controls associated with post-payroll processes are described in the table below.
Control Process | Control Activity | Responsible | Accountable | Control Component | Control Objective | Control Risks | ID |
---|---|---|---|---|---|---|---|
Create, implement and maintain departmental policies and procedures to identify and address potential overpayments (based on pre-determined criteria) before the release of payment. | Compensation / Corporate Finance | Corporate Finance | Operations | Prevent or minimize overpayment situations. | Overpayments are not identified in time to prevent the release of payment. | E-1 | |
Review errors in PWGSC's error analysis reports; assign corrective actions and monitor. | Compensation | Compensation | Operations | Pay-related action requests sent to PWGSC are processed promptly, accurately and fully. | Pay-related action requests sent to PWGSC are rejected (payment has not been created because input was rejected for technical reasons). | E-2 | |
Monitor trend reports and the status of errors and corrections for management and operational feedback. | Compensation | Compensation | Operations | Pay-related action requests sent to PWGSC are processed promptly, accurately and fully. | Pay-related action requests sent to PWGSC are rejected (payment has not been created because input was rejected for technical reasons). | E-3 | |
Review pay-related errors and corrective actions; assign and monitor Human Resources Management System (HRMS) update actions. | HR/ Manager/ Compensation | Manager | Operations | Departmental HR and PWGSC payroll systems provide consistent information. | Discrepancies between PWGSC and HRMS information | E-4 | |
Follow the processes and procedures to stop payments. | Compensation | Compensation | Operations | Prevent or minimize overpayment situations. | Overpayments are not identified in time to prevent the release of payment. | E-5 | |
Create, implement and maintain criteria for initiating cheque recall and intercept processes. | Compensation / Corporate Finance | Compensation | Operations | Prevent the release of payments containing significant overpayments. | Overpayments are not intercepted before the release of payment. | E-6 | |
Document the decision to release or intercept an erroneous payment. | Compensation | Compensation | Operations | Prevent the release of payments containing significant overpayments. | Overpayments are not intercepted before the release of payment. | E-7 | |
Inform PWGSC of cheque recall and intercept decisions for action to be taken (request made by person with the appropriate delegated authority). | Compensation | Compensation | Operations | Prevent the release of payments containing significant overpayments. | Overpayments are not intercepted before the release of payment. | E-8 | |
Inform employee of impact, remedial action, and/or options immediately after a release or hold decision is taken. | Compensation / Financial Services | Compensation | Operations | Prevent the release of payments containing significant overpayments. | Errors are not communicated to affected employees on a timely basis. | E-9 | |
Follow the processes and procedures to stop the release of payments. | Compensation / Financial Services | Corporate Finance | Operations | Prevent the release of payments containing significant overpayments. | Overpayments are not recoverable. | E-10 | |
Create, implement and maintain procedures for distribution and release of payments. | Compensation / Financial Services | Corporate Finance | Operations | Provide complete, prompt and accurate payment to employees. | Payments and/or pay statements are not provided to the employee. | E-11 | |
Confirm the accuracy and completeness of payroll registers and other output reports to ensure payments reflect pay input transactions. | Compensation | Compensation | Operations | Provide complete, prompt and accurate payment to employees. | Payments and/or pay statements are not provided to the employee. | E-12 | |
Control the custody and distribution of cheques and direct deposit payment statements (including validation that the person (or persons) responsible does not have delegated authority in the areas of staffing, classification, compensation administration, staffing transactions or pay input transactions). | Financial Services | Corporate Finance | Operations | To ensure payments are delivered to the employee | Payments and/or pay statements are not provided to the employee. | E-13 | |
Maintain standardized processes and procedures for undelivered payments. | Financial Services | Corporate Finance | Operations | To ensure payments are delivered to the employee | Payments and/or pay statements are not provided to the employee. | E-14 | |
Create, implement and maintain procedures to correct erroneous payments promptly and ensure recovery action is initiated. | Compensation | Compensation | Operations | Prevent the release of payments containing significant overpayments. | Overpayments are not intercepted before the release of payment. | E-15 | |
Maintain up-to-date employee information (address, financial institution). | Employee/ Manager/ Compensation | Employee | Operations | To ensure payments are properly completed | Payments and/or pay statements are not provided to the employee. | E-16 |
Pay-related post-payroll Finance processes occur once pay has been released. The following controls apply to these processes.
Control Process | Control Activity | Responsible | Accountable | Control Component | Control Objective | Control Risks | ID |
---|---|---|---|---|---|---|---|
Create, implement and maintain month-end and year-end reconciliation and reporting of departmental pay expenditures and payroll control accounts. | Manager / Corporate Finance | Corporate Finance | Financial reporting | Accurate, complete and timely reporting of pay expenditures | Inaccurate reporting in financial statements and inaccurate government-wide reporting (trial balance) | F-1 | |
Review pay expenditures and pay-related practices periodically to ensure the consistent application of s .34 FAA verification and the adequacy of s. 34 FAA account verification. | Corporate Finance | Corporate Finance | Compliance | Ensure supporting evidence (audit trail) exists for s. 34 FAA verification of pay-related action requests. | Expenditures may result in non-compliance with financial policies and with the FAA (insufficient funds, inaccurate financial statements). | F-2 | |
Complete s. 34 FAA verification of pay expenditures (detailed pay expenditure file postings with supporting evidence) as follows: Verify that the amount paid is accurate and is associated with the correct employee in the correct time period; and Verify that the correct financial coding has been applied to the transaction. | Manager | Manager | Compliance, operations and financial reporting | Accurate and complete recording of pay expenditures | Inaccurate, incomplete recording or posting of pay (e.g. overpayments or underpayments not identified) | F-3 | |
Reconcile detailed pay expenditures with the payroll control data (Payroll System General Ledger, PS-GL). | Corporate Finance / Manager | Corporate Finance | Financial reporting | Account for gross payroll. | Inaccurate reporting in financial statements and inaccurate government-wide reporting (trial balance) | F-4 | |
Process and reconcile manual adjustments received from PWGSC and other pay-related transactions. | Financial Services | Corporate Finance | Financial Reporting | Account for other pay-related action requests that require specialized accounting, such as internal journal vouchers, garnisheed salaries and salary advances. | Inaccurate reporting in financial statements and inaccurate government-wide reporting (trial balance) | F-5 | |
Create and reconcile internal journal vouchers and cancelled payment vouchers. | PWGSC Compensation | PWGSC Compensation | PWGSC Compensation | Forward paper documents to departments (Finance) for processing. | Inaccurate reporting in financial statements and inaccurate government-wide reporting (trial balance) | F-6 | |
Submit monthly and year-end trial balances of the department's reconciled payroll expenditures and payroll control account to the Central Financial Management Reporting System (CFMRS). | Corporate Finance | Corporate Finance | Financial reporting | Account for gross payroll. | Inaccurate reporting in financial statements and inaccurate government-wide reporting (trial balance) | F-7 |
The PACF identifies a common approach for determining, implementing and maintaining controls for pay administration in departments and agencies. While the PACF is system-independent, it is specific to the common HR/Finance business processes identified in the PAM Guideline and is focussed on complete, accurate and timely pay that complies with laws, regulations, policies and financial reporting requirements. The PACF can assist departments when responding to independent audit requirements and to financial statement readiness assessments that examine payroll-related expenditures (as part of the preparation of audited financial statements).
The PACF[13] will assist departments and agencies in developing, implementing and monitoring internal controls related to pay administration. It is expected that departments and agencies will tailor this control framework to meet the specific control needs of their HR and financial management systems.
Together, the Pay Administration Model Guideline and the Pay Administration Control Framework Tool improve the accuracy and quality of employee pay transactions, while enhancing financial reporting and decision making, promoting interoperability and data sharing, managing overlap and duplication across Finance and HR processes, and cultivating prudent stewardship and greater accountability and transparency.
While every attempt has been made to follow generally accepted definitions of common terminology, the following definitions are for the purposes of the PACF only.
For an overview of the specific organizational and individual roles, responsibilities and accountabilities identified in the PACF, see Section 3 of the HR/Finance Pay Administration Model.
Term | Definition |
---|---|
Accountable | Individual or organization that can attest to the truth of the information or decision and is ultimately accountable for the completion of the task. There must be exactly one resource accountable for each task. Where organizations have been identified as accountable in both the Pay Administration Model and the PACF, it will be up to departments to determine who specifically within the organization is accountable. |
Account verification and certification | Primary responsibility for verifying individual accounts rests with officers who have the authority to confirm and certify entitlement pursuant to s. 34 of FAA. Persons with this authority are responsible for the correctness of the payment requested and the account verification procedures performed. As part of the account verification process, transactions should be reviewed for accuracy to ensure that the payment is not a duplicate, that discounts have been deducted, that any charges not payable have been removed, and that the amount has been calculated correctly. These actions together complete the requirement called "section 34 verification and certification." For further description of these requirements, refer to the Treasury Board Directive on Account Verification.[14] |
Approved plan (Operational plan) | A multi-year plan that specifies the resources required (financial, human, and technical or capital) and the approaches to be taken. It also includes descriptions of the activities to be delivered, planned results and timelines. The operational plan, which is the department's approved plan for the upcoming fiscal year, aligns with the annual budget.[15] In a pay administration context, the approved plan includes the review and approval of the organizational structure and the financial implications of the structure. |
Authoritative source | The "system" (or "container") that holds the official version of the information or decision. The authoritative source can be automated or manual. |
Administrative systems cluster group | Departments form interdepartmental partnerships (clusters) for community-based service management and support whereby they share the risks and costs. The collective business planning process focuses all relevant stakeholders on defining the business vision and producing common business and systems requirements.[16] |
Commitment control | It is government policy that departments enter only into contracts or other arrangements when sufficient unencumbered balances are available in the relevant appropriation, item in the Estimates, or Treasury Board–approved allotment ceiling to discharge any debts incurred under such commitments.[17] In a pay context, pay-related documents meet the definition of "contracts" or "other arrangements." |
Consulted | Position or organization that is required to provide accurate information or a decision for an action to be completed. There is typically a two-way communication between those consulted and the responsible party. |
Control activities | Departmental policies and procedures that help ensure management's directives are carried out. They also help ensure necessary actions are taken to address the risks that may affect the achievement of the organization's objectives. Control activities occur throughout the organization—at all levels and in all functions. Wide-ranging and diverse, control activities include approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties. |
Control environment | The control environment sets the overall control consciousness of an organization and its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the following: the integrity, ethical values and competence of the organization's people; management's philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by the board of directors. |
Control framework | A systematic method to categorize controls and the basis for a document outlining the departmental system of internal control that is implemented. Both Treasury Board and the Risk Management and Governance Board of the Canadian Institute Of Chartered Accountants (CICA) recognize the Enterprise Risk Management – Integrated Framework, which has been developed and maintained by the Committee of Sponsoring Organizations (COSO) and includes its Internal Control – Integrated Framework, as a suitable framework. |
Expenditure initiation | Authority to initiate expenditure is exercised when a decision is made that will result in an eventual expenditure of funds, such as the decision to hire staff.[18] In a pay administration context, expenditure initiation is a decision related to pay that eventually may result in payroll expenditures and be included in the detailed pay expenditure file from the RPS. Individuals (positions) with the delegated expenditure initiation authority and corresponding HR authority initiate pay-related action requests. Note: Some pay-related action requests may span multiple years. |
Federal Accountability Act | Through the Federal Accountability Act and Action Plan, the Government of Canada has brought forward specific measures to help strengthen accountability and increase transparency and oversight in government operations. The comprehensive Action Plan includes the Act as well as supporting policy and other non-legislative measures.[19] |
Financial Administration Act | The Financial Administration Act sets out a series of fundamental principles on the manner in which government spending may be approved, expenditures can be made, revenues obtained, and funds borrowed.[20] |
Forecast | The total amount a manager intends to spend (or charge expenses) and collect (or generate revenues) against the current fiscal year's budget at a given point in time.[21] |
Human Resources/Finance touch point | A process or data that can trigger or react to (be the recipient of) a Human Resources or Finance process. |
Informed | Position or organization that is notified of the information or decision after the decision is made. There is typically a one-way communication from the responsible (or accountable) party to those informed. |
Internal control | A process designed to provide reasonable assurance of achieving objectives in the following categories:
|
Manager | In the context of this document, the incumbent of a position who has the applicable delegated HR and financial signing authorities for pay-related transactions in accordance with the department's delegation of authorities matrix. In a pay administration context, this can include individuals occupying positions that are typically responsible for an organization (e.g. responsibility centre) or for the department, as in the case of the Deputy Head. |
Pay administration model | Documentation of common HR and Finance pay-related processes, data, roles and responsibilities, and authoritative sources. |
Pay-related documents | In a pay administration context, pay-related documents meet the definition of "contracts" or "other arrangements" pursuant to s. 32 of the FAA. Pay-related documents result in payments through the RPS. |
Pay-related transactions | "Pay" and "payroll" are limited to gross pay amounts and compensation transactions identified in the RPS's detailed pay expenditure file and include the following:
|
RACI | A RACI approach is used to describe the roles and responsibilities of various teams or individuals for delivering or operating a process. The RACI approach splits tasks into four participatory responsibility types, which are then assigned to different roles in the process (responsible, accountable, consulted and informed). |
Record of commitments | "The deputy head or other person charged with the administration of a program . . . shall, as the Treasury Board may prescribe, establish procedures and maintain records respecting the control of financial commitments chargeable to each appropriation or item (s. 32 of the FAA)."[22] and "that a process be in place to record and account for salary and wage commitments, as stipulated under s 32 of the Financial Administration Act (FAA)",.[23] |
Responsible | Position or organization that records the information or decision or does the work to achieve the task and relies on the information from those consulted. There can be multiple resources responsible. |
Risk | The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of likelihood and impact. |
Risk management | A process applied in the formulation of strategic direction, designed to identify potential events that may affect the organization and its ability to meet and accomplish its objectives and expected results. Risk management includes steps and actions to counteract the potential risk factors. |
Section 32 of the Financial Administration Act (s. 32 of the FAA)[24] | S. 32 of the FAA includes the requirements for commitment control and record of commitments (refer to applicable definitions). |
Section 33 of the Financial Administration Act (s. 33 of the FAA)[25] | Financial officers with delegated s. 33 FAA payment authority must confirm, before releasing payment, that the expense is a lawful charge against the appropriation (including assurance that value has been received) and that the payment would not result in an expenditure in excess of the appropriation or reduce the balance available in the appropriation to an insufficient level to meet the commitments charged against it. S. 33 FAA authority can be delegated to a position other than the senior financial officer (SFO) of the department. In such cases, the SFO, being responsible for the overall quality of financial management, remains entirely responsible for the effectiveness and efficiency of the person exercising that authority. |
Section 34 of the Financial Administration Act (s. 34 of the FAA)[26] | S. 34 of the FAA includes the requirements for certification and verification (refer to applicable definitions). Before a payment is made for goods or services received, the responsible departmental official must certify that the performance of the work, the supply of the goods or the rendering of services were in accordance with the terms and conditions of the contract and that the price charged is in accordance with the contract or, in the absence of a contract, is reasonable. In a pay administration context, s. 34 FAA certification originates from the entitlements specified as terms and conditions of the letter of offer. |
Abbreviations
Abbreviation | Description |
---|---|
HRMS | Human Resources Management System—Could be one or multiple departmental systems (automated or manual) that handle data related to the following: HR planning; classification; staffing; learning and development; compensation, leave, time and reporting; and staff relations. |
Acronyms
Acronym | Description |
---|---|
BCMS | Banking and Cash Management Sector (PWGSC) |
CFMRS | Central Financial Management Reporting System |
CFO | Chief Financial Officer |
CIOB | Chief Information Officer Branch (TBS) |
FAA | Financial Administration Act |
FSA | Financial Systems Authority |
GC | Government of Canada |
GC HRMS | Government of Canada Human Resources System |
IFMS | Integrated Financial Management System |
OCG | Office of the Comptroller General |
OCHRO | Office of the Chief Human Resources Officer |
PAM | Pay Administration Model |
PS-GL | Payroll System General Ledger |
PWGSC | Public Works and Government Services Canada |
RPS | Regional Pay System |
This diagram identifies nine different projects or initiatives.
From the Stakeholder community, we have Public Service Staffing Modernization.
From PWGSC we have the Shared Travel Services Initiative and Pay and Pension Modernization
From Treasury Board Secretariat we have the remaining six linkages to the Common HR Business Process imitative, to other HR Modernization initiatives, to the Service Oriented Architecture Bridge, Corporate Administrative Shared Services, The Financial Management Framework , and to this project, the HR/Finance Interactions project.
On the first facet of the COSO Cube, three distinct but overlapping categories of control objectives are identified.
The second facet of the COSO Cube consists of five control components that provide a framework for describing and analyzing an organization's internal control system. They are:
The third facet of the COSO Cube addresses organizational levels of responsibility.
The business processes are categorized into four main categories as follows:
This diagram shows the organization of the control activities table, and how the components of the table relate to the COSO Cube.
There is a control activities table for each process category from the Pay Administration Model.
The first two columns of the table, the Control Process and Control Activity are COSO Cube Control Components.
The next two columns of the table, Responsible and Accountable, respond to the COSO Cube Organizational Responsibilities.
The fifth column, control Objective is the equivalent of the COSO Cube Control Objective
The Sixth column, Control Risks, is another COSO Cube Control Component.
A seventh column, ID has been added to uniquely identify each control activity.