The Financial Systems Authority (FSA) of the Office of the Comptroller General (OCG) established the Control Framework for Human Resources/Finance Interactions project to improve horizontal linkages and controls between Human Resources (HR) and Finance.

This document defines the Pay Administration Control Framework (PACF), including control objectives, activities, risks, responsibilities and accountabilities. The PACF is system-independent and draws heavily from the Guideline on Common Financial Management Business Process on Pay Administration (FM-BP / PA) (referred hereafter as the Pay Administration Model or PAM), which identifies the common HR/Finance processes, data, authoritative sources, roles and responsibilities. The PAM is a prerequisite of and foundation for the PACF.

The FSA, in close collaboration with the project working group, developed the PACF from June to December 2008. The working group and steering committee consisted of representatives from specific Treasury Board of Canada Secretariat (TBS) organizations, including the Chief Information Officer Branch (CIOB), the Office of the Chief Human Resources Officer (OCHRO), and Financial Management and Analysis Sector, as well as from Public Works and Government Services Canada (PWGSC), Natural Resources Canada, Health Canada, Canadian Heritage, the Integrated Financial and Materiel System (IFMS), and Government of Canada Human Resources Management System (GC HRMS) Clusters. Briefings to multiple departments and agencies and to committees and councils of the HR and Finance communities provided further validation of the PACF.

The PACF is a "should be" model (a tool under the Directive on Financial Management of Pay Administration) that incorporates best practices and requirements under current Government of Canada (GC) policies and legislation and specifically identifies how the policies and legislation, when coupled with the Committee of Sponsoring Organizations (COSO) Internal Control – Integrated Framework, apply to the pay administration process. Policies, legislation and COSO material informing the PACF include the following:

The PACF is system-independent. Its scope is specific to the common HR/Finance business processes identified in the Pay Administration Model and is focussed on complete, accurate and timely pay. The PACF does not include other HR processes (e.g. staffing processes), other finance processes and their related controls.

The PACF and the analysis that informs it will assist departments in developing, implementing and monitoring internal controls related to pay administration. It is expected that departments and agencies will tailor the PACF to meet the specific control needs of their HR and financial management systems.

The Financial Systems Authority (FSA) of the Office of the Comptroller General (OCG) established the Control Framework for Human Resources/Finance Interactions project to improve horizontal linkages and controls between Human Resources (HR) and Finance to support the accuracy, reliability and relevance of shared compensation and financial management data and processes. In the course of the project, the Human Resources/Finance Pay Administration Model Guideline (PAM), which focuses on the identification of common HR/Finance processes, data and authoritative sources, was developed. The determination of the roles and responsibilities of key functional owners and stakeholders involved in pay-related functions was a critical component of the analysis, which, in turn, led to the creation of a Pay Administration Control Framework (PACF).

As depicted in Figure 1, multiple initiatives are related to this project. Leveraging information and results from these initiatives as well as continual bilateral consultations are essential for ensuring the project's relevance, validity and overall success.

Figure 1: Project Linkages

Figure 1: Project Linkages

The HR/Finance Interactions project leverages relevant project results from the deliverables of these other initiatives, particularly from the following two projects with which it is tightly integrated: the Treasury Board of Canada Secretariat's (TBS) Financial Management Framework and the TBS Office of the Chief Human Resources Officer's (OCHRO) Common HR Business Process Initiative. In turn, policy authorities[1] can use the deliverables of this project to develop policy instruments that help improve the accuracy, quality and reliability of information common to Finance and HR.

Departments, Administrative Systems Cluster Groups[2] and service providers[3] can use the deliverables of this project to improve the accuracy, reliability and quality of the information used in processes that traverse the HR and finance functions. Project deliverables will assist departments when responding to independent audit requirements and to financial statement readiness assessments that examine payroll-related expenditures (as part of the preparation of audited financial statements). The deliverables are targeted to all departments and organizations defined as departments within the meaning of section 2 of the Financial Administration Act (FAA), including service providers such as Public Works and Government Services Canada (PWGSC).

Departmental HR and Finance organizations can use the deliverables of this project to improve the accuracy and quality of employee transactions and management reporting for decision-making purposes.

The Chief Information Officer Branch (CIOB) will use the deliverables of this project as input for the service oriented architecture (SOA) initiative between corporate administrative financial and HR systems.

The deliverables of the Control Framework for HR/Finance Interactions project are a necessary first step toward improving interoperability and data sharing, managing overlap and duplication across Finance and HR processes, and contributing to improved management accountability.

This document defines the PACF (a tool under the Directive on Financial Management of Pay Administration), including control processes, control activities, control objectives and risks, and identifies the parties responsible and accountable for the control activities.

The PACF builds on the Guideline on Common Financial Management Business Process on Pay Administration (FM-BP / PA) (referred hereafter as the Pay Administration Model or PAM) (a guideline under the Directive on Financial Management of Pay Administration) and provides a formal and common approach to controls for pay administration.

For the purposes of the PACF, the terms "pay" and "payroll" are limited to gross pay and the pay-related transactions identified in the Regional Pay System (RPS) detailed pay expenditure file,[4] which include:

  • Basic pay;
  • Allowances;
  • Supplementary pay (including overtime); and
  • Adjustments and credit backs, including recoveries, garnishments and non-statutory deduction adjustments.

The PACF is system-independent. Its scope is specific to the common HR/Finance business processes identified in the Pay Administration Model and is focussed on complete, accurate and timely pay that complies with laws, regulations, policies and financial reporting requirements. The PACF does not include other HR processes (e.g. staffing processes), other finance processes and their related controls.

Departments and agencies may need to tailor the PACF to incorporate organization-specific or position-specific HR and Finance processes and controls for:

  • Operations related to efficiency;
  • Monitoring;
  • Information and communications activities; and
  • Roles and responsibilities.

Though the PACF specifically focuses on PWGSC's RPS, there is more than one payroll system in use in the Government of Canada (GC) and findings are expected to be likewise applicable to those other systems.

Technology-related control objectives, control activities and risks and vendor-specific mapping to HR and financial administrative systems are outside the scope of the PACF.

Control frameworks related to the PACF include the Receiver General Control Framework and PWGSC's Internal Control Framework.[5]

1.4.1 Document approach

The following steps were undertaken in developing this document:

  1. Reviewed applicable policies, procedures, legislation and frameworks to determine control framework and requirements: In accordance with the Treasury Board Policy on Internal Control, the Committee of Sponsoring Organizations (COSO) Internal Control – Integrated Framework was used as a foundation for this document. The policies, legislation and procedures identified in the Pay Administration Model and listed in the References section of this document were reviewed to identify controls related to compliance, reporting and operations.
  2. Developed a preliminary Pay Administration Control Framework: The policies, procedures and legislative requirements reviewed in step 1 and the COSO Internal Control – Integrated Framework, specifically its control objectives, control activities, risks and responsibilities, were applied to the common HR/Finance processes identified in the Pay Administration Model.
  3. Validated and finalized the Pay Administration Control Framework: In a series of meetings, the Working Group reviewed, revised and validated the PACF. The PACF was also validated against the control frameworks provided by Health Canada and Canadian Heritage. The final list of control activities, their associated objectives and risks, as well as identification of roles, responsibilities and accountabilities are included in this document.

1.4.2 References

Policies and related documentation:

COSO "is a voluntary private-sector organization. COSO is dedicated to guiding executive management and governance entities toward the establishment of more effective, efficient, and ethical business operations on a global basis. It sponsors and disseminates frameworks and guidance based on in-depth research, analysis, and best practices."[6] As part of this mandate, COSO published the Internal Control – Integrated Framework in 1992. The document, which is commonly known as the "COSO Framework" and is frequently depicted as "the COSO Cube,"[7] established and defined common internal controls, standards and criteria against which companies and organizations worldwide assess their control systems.

Treasury Board's Policy on Internal Control recognizes that a suitable control framework is the Enterprise Risk Management (ERM) – Integrated Framework, which includes the COSO Internal Control – Integrated Framework. This Framework is also recognized by the Risk Management and Governance Board of the Canadian Institute of Chartered Accountants (CICA).

Figure 2: The COSO Cube

Figure 2: The COSO Cube

The COSO Cube, Figure 2, demonstrates the interrelatedness of control objectives, control components and organizational levels of responsibility. Specific levels of the organization are responsible (and accountable) for the control components that ensure control objectives are met.

On the first facet of the COSO Cube, three distinct but overlapping categories of control objectives are identified.

  • Effectiveness and efficiency of operations reflects an organization's basic business objectives, including performance and profitability goals and safeguarding of resources.

    The effectiveness of operations related to producing accurate and timely pay is within the scope of the PACF. However, controls related to the efficiency of operations, such as controls that measure the pay administration time cycle, are specific to departments and agencies and, as such, are excluded from the PACF's scope. Departments can add these controls when adapting the PACF to suit their operations.

  • Reliability of financial reporting relates to an effective system for internal control over financial reporting, as demonstrated by the departmental statement of management responsibility including internal control over financial reporting.[8]

    Financial reporting of the GC's pay results is considered to be within the scope of the PACF.

  • Compliance deals with an organization's adherence to the applicable laws and regulations to which it is subject.

    Compliance with laws, regulations and policy governing pay is considered to be within the scope of the PACF.

The second facet of the COSO Cube consists of five control components that provide a framework for describing and analyzing an organization's internal control system.

  • Control Environment: The control environment sets the overall control consciousness of an organization and its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the following: the integrity, ethical values and competence of the organization's people; management's philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by the board of directors.

    The PACF supports this control component by providing discipline and structure for the creation of control frameworks, though it is recognized that the control environment is typically unique to a department and the prerogative of the Deputy Head and Chief Financial Officer (CFO). Departments and agencies implementing the PACF will therefore need to add additional controls to reflect their organization's unique control environments.

  • Risk Assessment: Every organization faces a variety of risks from external and internal sources that must be assessed. A precondition of risk assessment is the establishment of the organization's control objectives, linked at different organizational levels and internally consistent. Risk assessment is the identification and analysis of relevant risks that may affect the achievement of objectives, and it forms the basis for determining how the risks should be managed. Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the particular risks associated with change.

    The PACF identifies risks for the relevant control objectives.

  • Control Activities: Control activities are the policies and procedures that help ensure management's directives are carried out. They also help ensure necessary actions are taken to address the risks that may affect the achievement of the organization's objectives. Control activities occur throughout the organization—at all levels and in all functions. Wide-ranging and diverse, control activities include approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

    The PACF identifies the control activities that support the control objectives and mitigate their associated risks.

  • Information and Communication: Pertinent information must be identified, captured and communicated in a form and within a time frame that enable people to carry out their responsibilities. Information systems produce reports containing operational, financial and compliance-related information that makes it possible to run and control the business. These systems deal not only with internally generated data but also information about external events, activities and conditions necessary for informed business decision making and external reporting. For communication to be effective, it must flow down, up and across the organization. All personnel must receive a clear message from top management that control responsibilities are to be taken seriously. All personnel must understand their own role in the internal control system as well as how individual activities relate to the work of others. Personnel must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators and shareholders.

    The PAM addresses information and communication components related to the timely and accurate completion of pay administration processes; however, control-related information and communication components and their effectiveness, particularly with respect to employee roles and responsibilities for those controls and associated control activities, are recognized as being unique to a department and are therefore considered to be outside the scope of the PACF. Departments and agencies implementing the PACF will need to add a communications component to their framework.

  • Monitoring: Internal control systems need to be monitored and the quality of the system's performance assessed over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. It involves regular management and supervisory activities as well as activities undertaken by personnel when performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.

    The PACF recognizes the need to monitor control activities, both ongoing monitoring and separate evaluations. An effective monitoring program will take into account management and supervisory practices and the specifics of operating processes and will respond to identified control deficiencies. Such practices, processes and deficiencies will be unique to a department or agency; therefore, these control components are considered to be outside the scope of the PACF. Departments and agencies implementing the PACF will need to add a monitoring component to their framework.

The third facet of the COSO Cube addresses organizational levels of responsibility. Roles and their associated responsibilities and accountabilities are assigned for each control activity, based on those identified in the Pay Administration Model's RACI diagrams. Departments and agencies implementing the PACF may require adjustment to their control activities if assigning responsibilities and accountabilities to specific units or individuals in the organization.

The Pay Administration Model, Figure 3, categorizes pay administration processes as follows:

  • Operational planning—Departmental planning processes, including salary management and recording of commitments, are documented in the OCHRO's Common HR Business Process Initiative and also defined in the Treasury Board Directive on Planning and Budgeting (draft);
  • Pre-payroll—PWGSC pay processes and departmental HR and pay processes as defined by the OCHRO's Common HR Business Process Initiative and by requirements under the FAA and related Treasury Board policies for expenditure initiation, such as section 32 of the FAA (s. 32 FAA), section 34 of the FAA (s. 34 FAA), quality assurance of adequacy of s. 34 FAA verification (performed on a prepayment or post-payment basis by the officer authorized under section 33 of the FAA (s. 33 FAA)), s. 33 FAA, and salary management;
  • Payroll—PWGSC payroll processes and corresponding activities as defined by PWGSC payroll operations (analysis excludes these processes as they are within PWGSC's domain); and
  • Post-payroll—PWGSC and departmental processes and activities for payroll postings and accounting, including completion of s. 34 FAA verification, quality assurance of adequacy of s. 34 FAA verification (performed on a prepayment or post-payment basis by the s. 33 FAA-authorized officer), commitment adjustments and salary management.

Figure 3: Pay Administration Context

Figure 3: Pay Administration Context

The PACF builds on the Pay Administration Model, in which common HR/Finance pay-related processes, data, roles, responsibilities and authoritative sources are documented. The PACF is organized according to the following common HR/Finance touch points:

  • Operational Planning, Commitment Control and Salary Management
  • HR Pre-Payroll Processes
  • Pay Pre-Payroll Processes
  • Payroll Processes
  • Post-Payroll Processes

The control objectives and control components (activities) of the COSO Cube (described in Section 2 of this document) were applied to the processes examined in the Pay Administration Model to identify their control requirements. The resulting PACF structure, Figure 4, is as follows:

Figure 4: PACF Structure

Figure 4: PACF Structure

Refer to Appendix A for explanations of key terms used in the PACF.

As indicated in the Pay Administration Model, operational planning, commitment control and salary management are processes that occur concurrently with the other pay administration processes. As such, the associated controls apply from operational planning through to the completion of the post-payroll processes.

Operational Planning, Commitment Control and Salary Management

Control Process

Control Activity

Responsible

Accountable

Control Objective

Control Risks

ID

Create, implement and maintain departmental policies and procedures to manage the interaction between operational planning, commitment control and salary management.

 

Corporate Finance / HR

Deputy Head (commitment control) / Corporate Finance (operational planning and salary management)

Operations, financial reporting and compliance

Plans are managed in accordance with approved organizational structure.

Changes are not approved through the planning process.

A-1

 

Inform managers and Finance of approved organizational model.

HR

HR

Operations (operational planning)

Plans are managed in accordance with approved organizational structure.

Changes are not approved through the planning process.

A-2

 

Confirm that proposed actions align with approved organizational model (with supporting evidence) before proceeding.

HR

HR

Operations (operational planning)

Plans are managed in accordance with approved organizational structure.

Changes are not approved through the planning process.

A-3

 

Inform HR, managers and Finance of updates to organization model.

HR/Manager/ Finance (tri-directional)

HR

Operations (operational planning)

Plans are managed in accordance with approved organizational structure.

Changes are not approved through the planning process.

A-4

 

Confirm initiation of pay-related transaction requests and commitment according to the approved organizational model, with supporting evidence.

Manager

Manager

Operations (commitment control and salary management)

Forecasts are managed according to approved organizational structure.

Forecasts are inaccurate, negatively affecting decision making.

A-5

 

Track planned employee- and position-related data against the organizational structure.

Manager

Manager

Financial reporting (salary management)

Pay expenditures (including anticipated pay expenditures) are accurately forecast.

Reliance on inaccurate information for decision making.

A-6

 

Confirm availability of funds and record commitments.[9]

Manager

Manager

Compliance (commitment control)

Planned and forecasted pay expenditures (including anticipated pay expenditures) are recorded.

Unencumbered balances within the department are insufficient to discharge applicable debts.

A-7

The following controls apply to HR pre-payroll processes, which are processes undertaken by HR (or by the manager) before the pay-related action request is submitted to Compensation.

HR Pre-Payroll Processes

Control Process

Control Activity

Responsible

Accountable

Control Objective

Control Risks

ID

Create, implement and maintain departmental policies and procedures to manage the delegation of financial authorities.

 

Corporate Finance

Deputy Head

Compliance

All pay-related action requests are authorized by persons with the appropriate delegated financial authorities.

Employee pay is in error, incomplete or fraudulent and pay-related processes occur without the necessary financial authority.

B-1

 

Create, implement and maintain formal delegation of authorities matrix.

Corporate Finance

Minister / Deputy Head

Compliance

All pay-related action requests are authorized by persons with the appropriate delegated financial authorities.

Pay-related processes occur without the necessary financial authority.

B-2

 

Create, implement and maintain appropriate division of financial responsibilities.

Corporate Finance

Minister / Deputy Head

Compliance

All pay-related action requests are authorized by persons with the appropriate delegated financial authorities.

Employee pay is in error, incomplete or fraudulent.

B-3

 

Formally delegate and communicate financial authorities in writing to Finance, Compensation and managers.[10]

Corporate Finance

Minister / Deputy Head

Compliance

All pay-related action requests are authorized by persons with the appropriate delegated financial authorities.

Employee pay is in error, incomplete or fraudulent.

B-4

 

Inform Compensation and HR of the delegation of authorities matrix.

Financial Services

Corporate Finance

Compliance

All pay-related action requests are initiated with the required financial authority.

Pay-related processes occur without the necessary financial authority.

B-5

 

Create, implement and maintain specimen signature documents.

Manager

Corporate Finance

Compliance

All pay-related action requests are initiated with the required financial authority.

Pay-related processes are initiated without the necessary financial authority.

B-6

 

Create, implement and maintain training and certification (learning certification) programs so managers have the necessary knowledge, skills and competencies to effectively carry out their financial management duties.

Corporate Finance / HR

Deputy Head

Compliance

All pay-related action requests are authorized by persons with the appropriate delegated financial authorities.

Employee pay is in error, incomplete or fraudulent.

B-7

 

Validate specimen signature documents (includes assurance that managers have the required certification and training).

Financial Services

Corporate Finance

Compliance

All pay-related action requests are initiated with the required financial authority.

Pay-related processes are initiated without the necessary financial authority.

B-8

 

Validate that the originator of pay-related transaction requests has the appropriate financial authority.

HR

HR

Compliance

All pay-related action requests are initiated with the required financial authority.

Pay-relatedprocesses are initiated without the necessary financial authority.

B-9

Create, implement and maintain departmental policies and procedures to manage HR delegations.

 

HR

HR

Compliance

All pay-related action requests are authorized with the required HR delegation.

HR processes are initiated without the necessary delegation.

B-10

 

Create, implement and maintain record of HR delegations.

HR

HR

Compliance

All pay-related action requests are authorized with the required HR delegation.

HR processes occur without the necessary delegation.

B-11

 

Validate that the originator of the pay action has the required HR delegation.

HR (for HR pre-payroll) / Compensa-tion (for pay pre-payroll)

HR (for HR pre-payroll) / Compensa-tion (for pay pre-payroll)

Compliance

All pay-related action requests are authorized with the required HR delegation.

HR processes occur without the necessary delegation.

 B-12

 

Create, implement and maintain training and certification (as appropriate) so employees have the necessary knowledge, skills and competencies to effectively carry out their HR duties.

HR

Deputy Head

Compliance

All pay-related action requests are authorized with the required HR delegation.

HR processes occur without the necessary delegation.

B-13

The following controls apply to the activities undertaken by Compensation when preparing and submitting transactions for payroll processing.

Pay Pre-Payroll Processes

Control Process

Control Activity

Responsible

Accountable

Control Objective

Control Risks

ID

Control activities related to the delegation of HR and financial authorities identified under HR Pre-Payroll Processes also apply here.

C-1

Create, implement and maintain departmental policies and procedures for compliance with s. 34 of the FAA.

 

Corporate Finance

Corporate Finance / CFO

Compliance

All pay-related action requests are authorized by persons with the appropriate delegated financial authorities.

Employee pay is in error, incomplete or fraudulent.

C-2

 

Certify under s. 34 of the FAA that:

  • the payee is entitled to or eligible for the payment;
  • the payment conforms to the relevant contract or agreement terms and conditions;
  • the transaction is accurate and financial coding has been provided;
  • the transaction complies with all relevant statutes, regulations, Orders in Council and Treasury Board policies, such as overtime policies; and
  • verification procedures have been performed.

Manager

Manager

Compliance

Pay-related action requests are processed accurately.

Inaccurate pay results (negatively affecting decision making or requiring further pay processing because of underpayments and overpayments)

C-3

 

Verify under s. 34 of the FAA that:
the payee is entitled to or eligible for the payment;
the payment conforms to the relevant contract or agreement terms and conditions;
the transaction is accurate and complete; and
the transaction complies with all relevant statutes, regulations, Orders in Council and Treasury Board policies, such as overtime policies.

Compensation

Compensation

Operations

Pay-related action requests are processed accurately.

Inaccurate pay results (negatively affecting decision making or requiring further pay processing because of underpayments and overpayments)

C-4

 

Ensure that no person exercises s. 34 of the FAA for a payment from which he or she can personally benefit, either directly or indirectly.[11]

Compensation

Corporate Finance

Compliance

Appropriate segregation of duties

Fraudulent or inaccurate pay-related action requests

C-5

Create, implement and maintain procedures to ensure that s. 33 FAA authority is properly exercised (including mechanisms to verify the legality of the payment and the availability of funds).

 

Corporate Finance

Corporate Finance

Compliance

Pay-related action requests are authorized under s. 33 of the FAA.

Inaccurate pay results (negatively affecting decision making or requiring further pay processing because of underpayments and overpayments)

C-6

 

Validate that the required s. 34 FAA certification exists for s. 33 payment.

Compensation / Corporate Finance

Corporate Finance

Compliance

All pay-related action requests are authorized by persons with the appropriate delegated financial authorities.

Employee pay is in error, incomplete or fraudulent.

C-7

 

Officers with s. 33 FAA payment authority must ensure that an adequate process is in place to verify accounts under s. 34 of the FAA and that the process is being properly followed.

Financial Services

Corporate Finance (CFO)

Compliance

Pay-related action requests are authorized under s. 33 of the FAA.

Inaccurate pay results (negatively affecting decision making or requiring further pay processing because of underpayments and overpayments)

C-8

 

Ensure that no person exercises signing authority under both s. 33 and s. 34 of the FAA with respect to a particular payment.

Corporate Finance

Corporate Finance

Compliance

Appropriate segregation of duties

Fraudulent or inaccurate pay-related action requests

C-9

 

Ensure that no person exercises s. 33 of the FAA for a payment from which he or she can personally benefit, either directly or indirectly.

Compensation / Corporate Finance

Corporate Finance

Compliance

Appropriate segregation of duties

Fraudulent or inaccurate pay-related action requests

C-10

Create, implement and maintain procedures to ensure prompt initiation and accurate completion of pay-related requests.

 

Manager / Compensation

Manager

Operations

Prevent or minimize overpayments.

Overpayments cannot be recovered.

C-11

 

Limit access and privileges (of specific functions or specific employees) to authorized users only and review user access and privileges periodically.

Compensation

Compensation

Operations

Prevent or minimize inaccuracy, fraud and overpayment situations.

Employee pay is in error, incomplete or fraudulent.

C-12

 

Validate accuracy of employee information.

Compensation/ HR/Manager

Compensation

Compliance

Pay-related action requests include accurate employee information.

Inaccurate pay for employees (negatively affecting decision making or requiring further pay processing because of underpayments and overpayments) and inaccurate reporting information (expenditures, forecasts)

C-13

 

Validate accuracy of position information.

Compensation/ HR/Manager

HR

Compliance

Pay-related action requests include accurate employee position information.

Inaccurate pay for employees (negatively affecting decision making or requiring further pay processing because of underpayments and overpayments) and inaccurate reporting information (expenditures, forecasts)

C-14

 

Create, implement and maintain procedures for the recovery of debts owed to the Crown.

Financial Services

Corporate Finance

Operations

Prevent or minimize overpayments.

Overpayments cannot be recovered.

C-15

PWGSC's Internal Control Framework and the Receiver General Control Framework (specifically the components related to the payroll systems[12]) complement the PACF and complete the end-to-end pay administration control processes of departments, agencies and PWGSC. PWGSC's Internal Control Framework identifies controls for both gross and net payroll processing, with the overall control objective of ensuring authorized, complete, accurate and timely payroll. To be consistent with the scope of pay administration in departments and agencies (as described in the Pay Administration Model), the controls listed below only relate to the gross payroll processes of PWGSC, departments and agencies.

Payroll Processes

Control Process

Control Activity

Responsible

Accountable

Control Component

Control Objective

Control Risks

ID

Create, implement and maintain controls for reconciliation (gross-to-net), editing and correction of payroll transactions.

 

PWGSC Compensation

PWGSC Compensation

Operations

Accurate processing of pay-related action requests

Inaccurate pay for employees

D-1

 

Maintain and forward a copy of s. 33 FAA specimen signature document to PWGSC.

Corporate Finance

Corporate Finance

Compliance

Accurate processing of pay-related action requests

Unauthorized pay transactions will be processed by PWGSC.

D-2

 

Confirm department's s. 33 FAA authority.

PWGSC Compensation

PWGSC Compensation

Compliance

Accurate processing of pay-related action requests

Unauthorized pay transactions will be processed by PWGSC.

D-3

 

Forward departmental input file to PWGSC Banking and Cash Management Sector (BCMS) for payment.

PWGSC Compensation

PWGSC Compensation

Operations

Provide complete, prompt and accurate payment to employees.

Payments and/or pay statements are not provided to the employee.

D-4

 

Issue payments in accordance with departmental input file.

PWGSC BCMS

PWGSC BCMS

Operations

Provide complete, prompt and accurate payment to employees.

Payments and/or pay statements are not provided to the employee.

D-5

 

Identify critical errors, inform the department and perform corrections (see E-2 for error analysis and departmental corrective actions).

PWGSC Compensation (applicable Pay Office)

PWGSC Compensation

Operations

Pay-related action requests sent to PWGSC are processed promptly, accurately and fully.

Pay-related action requests sent to PWGSC are delayed, incomplete or inaccurate.

D-6

Error detection, register review, cheque recall and intercept processes are undertaken by the department's Compensation staff, and they occur between the time payroll is run and pay is released. Payment release (approval of payroll register) and custody and distribution of payments are considered post-payroll processes and included in this section. The controls associated with post-payroll processes are described in the table below.

Post-Payroll—Error Detection / Register Review / Cheque Recall / Intercept

Control Process

Control Activity

Responsible

Accountable

Control Component

Control Objective

Control Risks

ID

Create, implement and maintain departmental policies and procedures to identify and address potential overpayments (based on pre-determined criteria) before the release of payment.

 

Compensation / Corporate Finance

Corporate Finance

Operations

Prevent or minimize overpayment situations.

Overpayments are not identified in time to prevent the release of payment.

E-1

 

Review errors in PWGSC's error analysis reports; assign corrective actions and monitor.

Compensation

Compensation

Operations

Pay-related action requests sent to PWGSC are processed promptly, accurately and fully.

Pay-related action requests sent to PWGSC are rejected (payment has not been created because input was rejected for technical reasons).

E-2

 

Monitor trend reports and the status of errors and corrections for management and operational feedback.

Compensation

Compensation

Operations

Pay-related action requests sent to PWGSC are processed promptly, accurately and fully.

Pay-related action requests sent to PWGSC are rejected (payment has not been created because input was rejected for technical reasons).

E-3

 

Review pay-related errors and corrective actions; assign and monitor Human Resources Management System (HRMS) update actions.

HR/ Manager/ Compensation

Manager

Operations

Departmental HR and PWGSC payroll systems provide consistent information.

Discrepancies between PWGSC and HRMS information

E-4

 

Follow the processes and procedures to stop payments.

Compensation

Compensation

Operations

Prevent or minimize overpayment situations.

Overpayments are not identified in time to prevent the release of payment.

E-5

Create, implement and maintain criteria for initiating cheque recall and intercept processes.

 

Compensation / Corporate Finance

Compensation

Operations

Prevent the release of payments containing significant overpayments.

Overpayments are not intercepted before the release of payment.

E-6

 

Document the decision to release or intercept an erroneous payment.

Compensation

Compensation

Operations

Prevent the release of payments containing significant overpayments.

Overpayments are not intercepted before the release of payment.

E-7

 

Inform PWGSC of cheque recall and intercept decisions for action to be taken (request made by person with the appropriate delegated authority).

Compensation

Compensation

Operations

Prevent the release of payments containing significant overpayments.

Overpayments are not intercepted before the release of payment.

E-8

 

Inform employee of impact, remedial action, and/or options immediately after a release or hold decision is taken.

Compensation / Financial Services

Compensation

Operations

Prevent the release of payments containing significant overpayments.

Errors are not communicated to affected employees on a timely basis.

E-9

 

Follow the processes and procedures to stop the release of payments.

Compensation / Financial Services

Corporate Finance

Operations

Prevent the release of payments containing significant overpayments.

Overpayments are not recoverable.

E-10

Create, implement and maintain procedures for distribution and release of payments.

 

Compensation / Financial Services

Corporate Finance

Operations

Provide complete, prompt and accurate payment to employees.

Payments and/or pay statements are not provided to the employee.

E-11

 

Confirm the accuracy and completeness of payroll registers and other output reports to ensure payments reflect pay input transactions.

Compensation

Compensation

Operations

Provide complete, prompt and accurate payment to employees.

Payments and/or pay statements are not provided to the employee.

E-12

 

Control the custody and distribution of cheques and direct deposit payment statements (including validation that the person (or persons) responsible does not have delegated authority in the areas of staffing, classification, compensation administration, staffing transactions or pay input transactions).

Financial Services

Corporate Finance

Operations

To ensure payments are delivered to the employee

Payments and/or pay statements are not provided to the employee.

E-13

 

Maintain standardized processes and procedures for undelivered payments.

Financial Services

Corporate Finance

Operations

To ensure payments are delivered to the employee

Payments and/or pay statements are not provided to the employee.

E-14

Create, implement and maintain procedures to correct erroneous payments promptly and ensure recovery action is initiated.

 

Compensation

Compensation

Operations

Prevent the release of payments containing significant overpayments.

Overpayments are not intercepted before the release of payment.

E-15

 

Maintain up-to-date employee information (address, financial institution).

Employee/ Manager/ Compensation

Employee

Operations

To ensure payments are properly completed

Payments and/or pay statements are not provided to the employee.

E-16

Pay-related post-payroll Finance processes occur once pay has been released. The following controls apply to these processes.

Post-Payroll (Pay-related Finance Processes)

Control Process

Control Activity

Responsible

Accountable

Control Component

Control Objective

Control Risks

ID

Create, implement and maintain month-end and year-end reconciliation and reporting of departmental pay expenditures and payroll control accounts.

 

Manager / Corporate Finance

Corporate Finance

Financial reporting

Accurate, complete and timely reporting of pay expenditures

Inaccurate reporting in financial statements and inaccurate government-wide reporting (trial balance)

F-1

 

Review pay expenditures and pay-related practices periodically to ensure the consistent application of s .34 FAA verification and the adequacy of s. 34 FAA account verification.

Corporate Finance

Corporate Finance

Compliance

Ensure supporting evidence (audit trail) exists for s. 34 FAA verification of pay-related action requests.

Expenditures may result in non-compliance with financial policies and with the FAA (insufficient funds, inaccurate financial statements).

F-2

 

Complete s. 34 FAA verification of pay expenditures (detailed pay expenditure file postings with supporting evidence) as follows:

Verify that the amount paid is accurate and is associated with the correct employee in the correct time period; and

Verify that the correct financial coding has been applied to the transaction.

Manager

Manager

Compliance, operations and financial reporting

Accurate and complete recording of pay expenditures

Inaccurate, incomplete recording or posting of pay (e.g. overpayments or underpayments not identified)

F-3

 

Reconcile detailed pay expenditures with the payroll control data (Payroll System General Ledger, PS-GL).

Corporate Finance / Manager

Corporate Finance

Financial reporting

Account for gross payroll.

Inaccurate reporting in financial statements and inaccurate government-wide reporting (trial balance)

F-4

 

Process and reconcile manual adjustments received from PWGSC and other pay-related transactions.

Financial Services

Corporate Finance

Financial Reporting

Account for other pay-related action requests that require specialized accounting, such as internal journal vouchers, garnisheed salaries and salary advances.

Inaccurate reporting in financial statements and inaccurate government-wide reporting (trial balance)

F-5

 

Create and reconcile internal journal vouchers and cancelled payment vouchers.

PWGSC Compensation

PWGSC Compensation

PWGSC Compensation

Forward paper documents to departments (Finance) for processing.

Inaccurate reporting in financial statements and inaccurate government-wide reporting (trial balance)

F-6

 

Submit monthly and year-end trial balances of the department's reconciled payroll expenditures and payroll control account to the Central Financial Management Reporting System (CFMRS).

Corporate Finance

Corporate Finance

Financial reporting

Account for gross payroll.

Inaccurate reporting in financial statements and inaccurate government-wide reporting (trial balance)

F-7

The PACF identifies a common approach for determining, implementing and maintaining controls for pay administration in departments and agencies. While the PACF is system-independent, it is specific to the common HR/Finance business processes identified in the PAM Guideline and is focussed on complete, accurate and timely pay that complies with laws, regulations, policies and financial reporting requirements. The PACF can assist departments when responding to independent audit requirements and to financial statement readiness assessments that examine payroll-related expenditures (as part of the preparation of audited financial statements).

The PACF[13] will assist departments and agencies in developing, implementing and monitoring internal controls related to pay administration. It is expected that departments and agencies will tailor this control framework to meet the specific control needs of their HR and financial management systems.

Together, the Pay Administration Model Guideline and the Pay Administration Control Framework Tool improve the accuracy and quality of employee pay transactions, while enhancing financial reporting and decision making, promoting interoperability and data sharing, managing overlap and duplication across Finance and HR processes, and cultivating prudent stewardship and greater accountability and transparency.

While every attempt has been made to follow generally accepted definitions of common terminology, the following definitions are for the purposes of the PACF only.

For an overview of the specific organizational and individual roles, responsibilities and accountabilities identified in the PACF, see Section 3 of the HR/Finance Pay Administration Model.

Term

Definition

Accountable

Individual or organization that can attest to the truth of the information or decision and is ultimately accountable for the completion of the task. There must be exactly one resource accountable for each task.

Where organizations have been identified as accountable in both the Pay Administration Model and the PACF, it will be up to departments to determine who specifically within the organization is accountable.

Account verification and certification

Primary responsibility for verifying individual accounts rests with officers who have the authority to confirm and certify entitlement pursuant to s. 34 of FAA. Persons with this authority are responsible for the correctness of the payment requested and the account verification procedures performed.

As part of the account verification process, transactions should be reviewed for accuracy to ensure that the payment is not a duplicate, that discounts have been deducted, that any charges not payable have been removed, and that the amount has been calculated correctly.

These actions together complete the requirement called "section 34 verification and certification." For further description of these requirements, refer to the Treasury Board Directive on Account Verification.[14]

Approved plan (Operational plan)

A multi-year plan that specifies the resources required (financial, human, and technical or capital) and the approaches to be taken. It also includes descriptions of the activities to be delivered, planned results and timelines. The operational plan, which is the department's approved plan for the upcoming fiscal year, aligns with the annual budget.[15] In a pay administration context, the approved plan includes the review and approval of the organizational structure and the financial implications of the structure.

Authoritative source

The "system" (or "container") that holds the official version of the information or decision. The authoritative source can be automated or manual.

Administrative systems cluster group

Departments form interdepartmental partnerships (clusters) for community-based service management and support whereby they share the risks and costs. The collective business planning process focuses all relevant stakeholders on defining the business vision and producing common business and systems requirements.[16]

Commitment control

It is government policy that departments enter only into contracts or other arrangements when sufficient unencumbered balances are available in the relevant appropriation, item in the Estimates, or Treasury Board–approved allotment ceiling to discharge any debts incurred under such commitments.[17] In a pay context, pay-related documents meet the definition of "contracts" or "other arrangements."

Consulted

Position or organization that is required to provide accurate information or a decision for an action to be completed. There is typically a two-way communication between those consulted and the responsible party.

Control activities

Departmental policies and procedures that help ensure management's directives are carried out. They also help ensure necessary actions are taken to address the risks that may affect the achievement of the organization's objectives. Control activities occur throughout the organization—at all levels and in all functions. Wide-ranging and diverse, control activities include approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

Control environment

The control environment sets the overall control consciousness of an organization and its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the following: the integrity, ethical values and competence of the organization's people; management's philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by the board of directors.

Control framework

A systematic method to categorize controls and the basis for a document outlining the departmental system of internal control that is implemented. Both Treasury Board and the Risk Management and Governance Board of the Canadian Institute Of Chartered Accountants (CICA) recognize the Enterprise Risk Management – Integrated Framework, which has been developed and maintained by the Committee of Sponsoring Organizations (COSO) and includes its Internal Control – Integrated Framework, as a suitable framework.

Expenditure initiation

Authority to initiate expenditure is exercised when a decision is made that will result in an eventual expenditure of funds, such as the decision to hire staff.[18]

In a pay administration context, expenditure initiation is a decision related to pay that eventually may result in payroll expenditures and be included in the detailed pay expenditure file from the RPS. Individuals (positions) with the delegated expenditure initiation authority and corresponding HR authority initiate pay-related action requests. Note: Some pay-related action requests may span multiple years.

Federal Accountability Act

Through the Federal Accountability Act and Action Plan, the Government of Canada has brought forward specific measures to help strengthen accountability and increase transparency and oversight in government operations. The comprehensive Action Plan includes the Act as well as supporting policy and other non-legislative measures.[19]

Financial Administration Act

The Financial Administration Act sets out a series of fundamental principles on the manner in which government spending may be approved, expenditures can be made, revenues obtained, and funds borrowed.[20]

Forecast

The total amount a manager intends to spend (or charge expenses) and collect (or generate revenues) against the current fiscal year's budget at a given point in time.[21]

Human Resources/Finance touch point

A process or data that can trigger or react to (be the recipient of) a Human Resources or Finance process.

Informed

Position or organization that is notified of the information or decision after the decision is made. There is typically a one-way communication from the responsible (or accountable) party to those informed.

Internal control

A process designed to provide reasonable assurance of achieving objectives in the following categories:

  • Effectiveness and efficiency of operations;
  • Reliability of financial and related non-financial reporting and disclosures; and
  • Compliance with applicable laws, regulations and policies.

Manager

In the context of this document, the incumbent of a position who has the applicable delegated HR and financial signing authorities for pay-related transactions in accordance with the department's delegation of authorities matrix.

In a pay administration context, this can include individuals occupying positions that are typically responsible for an organization (e.g. responsibility centre) or for the department, as in the case of the Deputy Head.

Pay administration model

Documentation of common HR and Finance pay-related processes, data, roles and responsibilities, and authoritative sources.

Pay-related documents

In a pay administration context, pay-related documents meet the definition of "contracts" or "other arrangements" pursuant to s. 32 of the FAA.

Pay-related documents result in payments through the RPS.

Pay-related transactions

"Pay" and "payroll" are limited to gross pay amounts and compensation transactions identified in the RPS's detailed pay expenditure file and include the following:

  • Basic pay;
  • Allowances;
  • Supplementary pay (including overtime); and
  • Adjustments and credit backs, including recoveries, garnishments, non-statutory deduction adjustments, etc.

RACI

A RACI approach is used to describe the roles and responsibilities of various teams or individuals for delivering or operating a process. The RACI approach splits tasks into four participatory responsibility types, which are then assigned to different roles in the process (responsible, accountable, consulted and informed).

Record of commitments

"The deputy head or other person charged with the administration of a program . . . shall, as the Treasury Board may prescribe, establish procedures and maintain records respecting the control of financial commitments chargeable to each appropriation or item (s. 32 of the FAA)."[22] and "that a process be in place to record and account for salary and wage commitments, as stipulated under s 32 of the Financial Administration Act (FAA)",.[23]

Responsible

Position or organization that records the information or decision or does the work to achieve the task and relies on the information from those consulted. There can be multiple resources responsible.

Risk

The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of likelihood and impact.

Risk management

A process applied in the formulation of strategic direction, designed to identify potential events that may affect the organization and its ability to meet and accomplish its objectives and expected results. Risk management includes steps and actions to counteract the potential risk factors.

Section 32 of the Financial Administration Act (s. 32 of the FAA)[24]

S. 32 of the FAA includes the requirements for commitment control and record of commitments (refer to applicable definitions).

Section 33 of the Financial Administration Act (s. 33 of the FAA)[25]

Financial officers with delegated s. 33 FAA payment authority must confirm, before releasing payment, that the expense is a lawful charge against the appropriation (including assurance that value has been received) and that the payment would not result in an expenditure in excess of the appropriation or reduce the balance available in the appropriation to an insufficient level to meet the commitments charged against it. S. 33 FAA authority can be delegated to a position other than the senior financial officer (SFO) of the department. In such cases, the SFO, being responsible for the overall quality of financial management, remains entirely responsible for the effectiveness and efficiency of the person exercising that authority.

Section 34 of the Financial Administration Act (s. 34 of the FAA)[26]

S. 34 of the FAA includes the requirements for certification and verification (refer to applicable definitions). Before a payment is made for goods or services received, the responsible departmental official must certify that the performance of the work, the supply of the goods or the rendering of services were in accordance with the terms and conditions of the contract and that the price charged is in accordance with the contract or, in the absence of a contract, is reasonable. In a pay administration context, s. 34 FAA certification originates from the entitlements specified as terms and conditions of the letter of offer.

Abbreviations

Abbreviation

Description

HRMS

Human Resources Management System—Could be one or multiple departmental systems (automated or manual) that handle data related to the following: HR planning; classification; staffing; learning and development; compensation, leave, time and reporting; and staff relations.

Acronyms

Acronym

Description

BCMS

Banking and Cash Management Sector (PWGSC)

CFMRS

Central Financial Management Reporting System

CFO

Chief Financial Officer

CIOB

Chief Information Officer Branch (TBS)

FAA

Financial Administration Act

FSA

Financial Systems Authority

GC

Government of Canada

GC HRMS

Government of Canada Human Resources System

IFMS

Integrated Financial Management System

OCG

Office of the Comptroller General

OCHRO

Office of the Chief Human Resources Officer

PAM

Pay Administration Model

PS-GL

Payroll System General Ledger

PWGSC

Public Works and Government Services Canada

RPS

Regional Pay System

Policy authorities include TBS and the Public Service Commission (PSC).Administrative System Cluster Groups include the Integrated Financial and Materiel System (IFMS) Cluster, and the Government of Canada Human Resources Management System (GC HRMS) Cluster.Service providers include, but are not limited to, PWGSC.Chapter 6: Payroll Systems (PS) and Departments, Receiver General Manual, PWGSCThis document is available from PWGSC's Accounting, Banking and Compensation Branch.For more information on COSO, please refer to http://www.coso.org.The remainder of this section recapitulates standard definitions found in the COSO Framework.Treasury Board Policy on Internal ControlCommitment control and updates to the recording of commitments apply throughout the payroll processes—from operational planning to post-payroll. The approach to commitment control, the recording of commitments and specific controls will vary from department to department because the Deputy Head is responsible for developing and implementing departmental policies and procedures.As stated in the TB Directive on Delegation of Financial Authorities for Disbursements, "No person is permitted to exercise financial authorities unless the appropriate minister or the deputy minister has formally delegated these authorities as established under sections 33 and 34 of the Financial Administration Act and the incumbent's supervisor or superior has formally designated that person. When financial authorities are to be delegated under a memorandum of understanding between departments or in other circumstances, the signature of either the minister or deputy minister is obtained."In accordance with the TB Directive on Delegation of Financial Authorities for Disbursements, this control activity also applies to expenditure initiation and commitment control where "A person must not exercise . . . spending authority for a transaction from which he or she can benefit personally."Refer to Chapter 6: Payroll Systems (PS) and Departments of the Receiver General Manual and the Receiver General Control Framework.Control frameworks related to the PACF include PWGSC's Internal Control Framework and the Receiver General Control Framework.Treasury Board Directive on Account VerificationTreasury Board Directive on Financial Planning and Budgeting (draft)Shared Systems Initiative Report (1994), TBSTreasury Board Directive on Expenditure Initiation and Commitment ControlTreasury Board Directive on Delegation of Financial Authorities for Disbursements Federal Accountability ActThe Financial Administration Act: Responding to Non-compliance—Meeting the Expectations of CanadiansTreasury Board Directive on Planning and Budgeting (draft)Treasury Board Directive on Planning and Budgeting (draft)Treasury Board Guideline on Financial Management of Pay AdministrationFor a full definition, consult the FAA.Ibid.For a full definition, consult the FAA.

This diagram identifies nine different projects or initiatives.

From the Stakeholder community, we have Public Service Staffing Modernization.

From PWGSC we have the Shared Travel Services Initiative and Pay and Pension Modernization

From Treasury Board Secretariat we have the remaining six linkages to the Common HR Business Process imitative, to other HR Modernization initiatives, to the Service Oriented Architecture Bridge, Corporate Administrative Shared Services, The Financial Management Framework , and to this project, the HR/Finance Interactions project.

On the first facet of the COSO Cube, three distinct but overlapping categories of control objectives are identified.

  1. Operations
  2. Financial Reporting; and
  3. Compliance

The second facet of the COSO Cube consists of five control components that provide a framework for describing and analyzing an organization's internal control system. They are:

  1. Control Environment
  2. Risk Assessment
  3. Control Activities
  4. Information & Communication; and
  5. Monitoring.

The third facet of the COSO Cube addresses organizational levels of responsibility.

The business processes are categorized into four main categories as follows:

  • Operational planning—Departmental planning processes, including Salary Management and recording of commitments, are documented in the OCHRO's Common HR Business Process Initiative and also defined in the Treasury Board (TB) Directive on Planning and Budgeting (Draft);
  • Pre-payroll—PWGSC pay processes and departmental HR and pay processes as defined by the OCHRO's Common HR Business Process Initiative and by requirements under the FAA and related TB policies for Expenditure Initiation, s. 32 FAA, s. 34 FAA, quality assurance of adequacy of s. 34 FAA verification (performed by the s. 33 FAA officer on a prepayment or post-payment basis), s. 33 FAA, and Salary Management; within this category we see a number of HR processes. The first grouping includes Select Candidate, Define and maintain position information, manage employee performance, manage employee learning and development, manage employee recognition, manage grievances, manage complaints, manage employee discipline, manage Occupational Health and Safety Events, manage continuous employment and manage modified work arrangements. These HR processes are called "HR Pre payroll processes", as they are performed by non-compensation staff. HR Pre-payroll processes lead to a second grouping of processes, which are Document and Integrate employee, maintain employee compensation information, manage permanent separation, process temporary separation and manage workforce scheduling. This second grouping of functions are performed by Compensation, along with the function Administer pay, all of which are called "Pay Pre Payroll Processes"
  • Payroll—PWGSC payroll processes and corresponding activities as defined by PWGSC payroll operations (analysis excludes these processes as they are within PWGSC's domain but the functions generally involve the processes Produce Payments and Account for Payroll.
  • Post-payroll—Processes and activities related to payroll postings and accounting, including completion of s. 34 FAA verification, quality assurance of adequacy of s. 34 FAA verification (performed by the s. 33 FAA officer on a prepayment or post-payment basis), commitment adjustments, and Salary Management.

This diagram shows the organization of the control activities table, and how the components of the table relate to the COSO Cube.

There is a control activities table for each process category from the Pay Administration Model.

The first two columns of the table, the Control Process and Control Activity are COSO Cube Control Components.

The next two columns of the table, Responsible and Accountable, respond to the COSO Cube Organizational Responsibilities.

The fifth column, control Objective is the equivalent of the COSO Cube Control Objective

The Sixth column, Control Risks, is another COSO Cube Control Component.

A seventh column, ID has been added to uniquely identify each control activity.