Rescinded [2017-10-18] - Pay Administration Control Framework Tool
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Archives
This or these guideline(s) are replaced by:
- Financial Management of Pay Administration, Guideline on [2017-10-18]
- Financial Management of Pay Administration, Guideline on [2017-10-18]
Executive Summary
The Financial Systems Authority (FSA) of the Office of the Comptroller General (OCG) established the Control Framework for Human Resources/Finance Interactions project to improve horizontal linkages and controls between Human Resources (HR) and Finance.
This document defines the Pay Administration Control Framework (PACF), including control objectives, activities, risks, responsibilities and accountabilities. The PACF is system-independent and draws heavily from the Guideline on Common Financial Management Business Process on Pay Administration (FM-BP / PA) (referred hereafter as the Pay Administration Model or PAM), which identifies the common HR/Finance processes, data, authoritative sources, roles and responsibilities. The PAM is a prerequisite of and foundation for the PACF.
The FSA, in close collaboration with the project working group, developed the PACF from June to December 2008. The working group and steering committee consisted of representatives from specific Treasury Board of Canada Secretariat (TBS) organizations, including the Chief Information Officer Branch (CIOB), the Office of the Chief Human Resources Officer (OCHRO), and Financial Management and Analysis Sector, as well as from Public Works and Government Services Canada (PWGSC), Natural Resources Canada, Health Canada, Canadian Heritage, the Integrated Financial and Materiel System (IFMS), and Government of Canada Human Resources Management System (GC HRMS) Clusters. Briefings to multiple departments and agencies and to committees and councils of the HR and Finance communities provided further validation of the PACF.
The PACF is a "should be" model (a tool under the Directive on Financial Management of Pay Administration) that incorporates best practices and requirements under current Government of Canada (GC) policies and legislation and specifically identifies how the policies and legislation, when coupled with the Committee of Sponsoring Organizations (COSO) Internal Control – Integrated Framework, apply to the pay administration process. Policies, legislation and COSO material informing the PACF include the following:
- Treasury Board Policy on Internal Control
- TBS Integrated Risk Management Framework
- Treasury Board Policy on Internal Audit
- COSO of the Treadway Commission documentation:
- Enterprise Risk Management – Integrated Framework
- Internal Control – Integrated Framework
- Guidance on Monitoring Internal Control Systems, Volume I: Guidance
- Treasury Board Directive on Financial Management of Pay Administration
The PACF is system-independent. Its scope is specific to the common HR/Finance business processes identified in the Pay Administration Model and is focussed on complete, accurate and timely pay. The PACF does not include other HR processes (e.g. staffing processes), other finance processes and their related controls.
The PACF and the analysis that informs it will assist departments in developing, implementing and monitoring internal controls related to pay administration. It is expected that departments and
agencies will tailor the PACF to meet the specific control needs of their HR and financial management systems.
1. Introduction
1.1. Vision
The Financial Systems Authority (FSA) of the Office of the Comptroller General (OCG) established the Control Framework for Human Resources/Finance Interactions project to improve horizontal linkages and controls between Human Resources (HR) and Finance to support the accuracy, reliability and relevance of shared compensation and financial management data and processes. In the course of the project, the Human Resources/Finance Pay Administration Model Guideline (PAM), which focuses on the identification of common HR/Finance processes, data and authoritative sources, was developed. The determination of the roles and responsibilities of key functional owners and stakeholders involved in pay-related functions was a critical component of the analysis, which, in turn, led to the creation of a Pay Administration Control Framework (PACF).
As depicted in Figure 1, multiple initiatives are related to this project. Leveraging information and results from these initiatives as well as continual bilateral consultations are essential for ensuring the project's relevance, validity and overall success.
Figure 1: Project Linkages
Text version: Figure 1: Project Linkages
The HR/Finance Interactions project leverages relevant project results from the deliverables of these other initiatives, particularly from the following two projects with which it is tightly integrated: the Treasury Board of Canada Secretariat's (TBS) Financial Management Framework and the TBS Office of the Chief Human Resources Officer's (OCHRO) Common HR Business Process Initiative. In turn, policy authorities[1] can use the deliverables of this project to develop policy instruments that help improve the accuracy, quality and reliability of information common to Finance and HR.
Departments, Administrative Systems Cluster Groups[2] and service providers[3] can use the deliverables of this project to improve the accuracy, reliability and quality of the information used in processes that traverse the HR and finance functions. Project deliverables will assist departments when responding to independent audit requirements and to financial statement readiness assessments that examine payroll-related expenditures (as part of the preparation of audited financial statements). The deliverables are targeted to all departments and organizations defined as departments within the meaning of section 2 of the Financial Administration Act (FAA), including service providers such as Public Works and Government Services Canada (PWGSC).
Departmental HR and Finance organizations can use the deliverables of this project to improve the accuracy and quality of employee transactions and management reporting for decision-making purposes.
The Chief Information Officer Branch (CIOB) will use the deliverables of this project as input for the service oriented architecture (SOA) initiative between corporate administrative financial and HR systems.
The deliverables of the Control Framework for HR/Finance Interactions project are a necessary first step toward improving interoperability and data sharing, managing overlap and duplication across Finance and HR processes, and contributing to improved management accountability.
1.2. Purpose of this Document
This document defines the PACF (a tool under the Directive on Financial Management of Pay Administration), including control processes, control activities, control objectives and risks, and identifies the parties responsible and accountable for the control activities.
The PACF builds on the Guideline on Common Financial Management Business Process on Pay Administration (FM-BP / PA) (referred hereafter as the Pay Administration Model or PAM) (a guideline under the Directive on Financial Management of Pay Administration) and provides a formal and common approach to controls for pay administration.
1.3. Scope
For the purposes of the PACF, the terms "pay" and "payroll" are limited to gross pay and the pay-related transactions identified in the Regional Pay System (RPS) detailed pay expenditure file,[4] which include:
- Basic pay;
- Allowances;
- Supplementary pay (including overtime); and
- Adjustments and credit backs, including recoveries, garnishments and non-statutory deduction adjustments.
The PACF is system-independent. Its scope is specific to the common HR/Finance business processes identified in the Pay Administration Model and is focussed on complete, accurate and timely pay that complies with laws, regulations, policies and financial reporting requirements. The PACF does not include other HR processes (e.g. staffing processes), other finance processes and their related controls.
Departments and agencies may need to tailor the PACF to incorporate organization-specific or position-specific HR and Finance processes and controls for:
- Operations related to efficiency;
- Monitoring;
- Information and communications activities; and
- Roles and responsibilities.
Though the PACF specifically focuses on PWGSC's RPS, there is more than one payroll system in use in the Government of Canada (GC) and findings are expected to be likewise applicable to those other systems.
Technology-related control objectives, control activities and risks and vendor-specific mapping to HR and financial administrative systems are outside the scope of the PACF.
Control frameworks related to the PACF include the Receiver General Control Framework and PWGSC's Internal Control Framework.[5]
1.4. Approach
1.4.1 Document approach
The following steps were undertaken in developing this document:
- Reviewed applicable policies, procedures, legislation and frameworks to determine control framework and requirements: In accordance with the Treasury Board Policy on Internal Control, the Committee of Sponsoring Organizations (COSO) Internal Control – Integrated Framework was used as a foundation for this document. The policies, legislation and procedures identified in the Pay Administration Model and listed in the References section of this document were reviewed to identify controls related to compliance, reporting and operations.
- Developed a preliminary Pay Administration Control Framework: The policies, procedures and legislative requirements reviewed in step 1 and the COSO Internal Control – Integrated Framework, specifically its control objectives, control activities, risks and responsibilities, were applied to the common HR/Finance processes identified in the Pay Administration Model.
- Validated and finalized the Pay Administration Control Framework: In a series of meetings, the Working Group reviewed, revised and validated the PACF. The PACF was also validated against the control frameworks provided by Health Canada and Canadian Heritage. The final list of control activities, their associated objectives and risks, as well as identification of roles, responsibilities and accountabilities are included in this document.
1.4.2 References
Policies and related documentation:
- Treasury Board Policy on Internal Control
- TBS Integrated Risk Management Framework
- Treasury Board Policy on Internal Audit
- COSO of the Treadway Commissiondocumentation:
- Enterprise Risk Management – Integrated Framework
- Internal Control – Integrated Framework
- Guidance on Monitoring Internal Control Systems, Volume I: Guidance
- OCG's Internal Audit Sector's Core Management Controls
- Treasury Board Directive on Financial Management of Pay Administration
- Directive on Delegation of Financial Authorities for Disbursements
- Policy on Financial Management Governance
- OCG's Human Resources/Finance Pay Administration Model Guideline including policies, directives and legislation referenced in the document
2. The Pay Administration Control Framework: Underlying Concepts
2.1. The COSO Framework and the COSO Cube
COSO "is a voluntary private-sector organization. COSO is dedicated to guiding executive management and governance entities toward the establishment of more effective, efficient, and ethical business operations on a global basis. It sponsors and disseminates frameworks and guidance based on in-depth research, analysis, and best practices."[6] As part of this mandate, COSO published the Internal Control – Integrated Framework in 1992. The document, which is commonly known as the "COSO Framework" and is frequently depicted as "the COSO Cube,"[7] established and defined common internal controls, standards and criteria against which companies and organizations worldwide assess their control systems.
Treasury Board's Policy on Internal Control recognizes that a suitable control framework is the Enterprise Risk Management (ERM) – Integrated Framework, which includes the COSO Internal Control – Integrated Framework. This Framework is also recognized by the Risk Management and Governance Board of the Canadian Institute of Chartered Accountants (CICA).
Figure 2: The COSO Cube
Text version: Figure 2: The COSO Cube
The COSO Cube, Figure 2, demonstrates the interrelatedness of control objectives, control components and organizational levels of responsibility. Specific levels of the organization are responsible (and accountable) for the control components that ensure control objectives are met.
On the first facet of the COSO Cube, three distinct but overlapping categories of control objectives are identified.
- Effectiveness and efficiency of operations reflects an organization's basic business objectives, including performance and profitability goals and
safeguarding of resources.
The effectiveness of operations related to producing accurate and timely pay is within the scope of the PACF. However, controls related to the efficiency of operations, such as controls that measure the pay administration time cycle, are specific to departments and agencies and, as such, are excluded from the PACF's scope. Departments can add these controls when adapting the PACF to suit their operations.
- Reliability of financial reporting relates to an effective system for internal control over financial reporting, as demonstrated by the
departmental statement
of management responsibility including internal control over financial reporting.[8]
Financial reporting of the GC's pay results is considered to be within the scope of the PACF.
- Compliance deals with an organization's adherence to the applicable laws and regulations to which it is subject.
Compliance with laws, regulations and policy governing pay is considered to be within the scope of the PACF.
The second facet of the COSO Cube consists of five control components that provide a framework for describing and analyzing an organization's internal control system.
- Control Environment: The control environment sets the overall control consciousness of an organization and its people. It is the foundation for all other components of
internal control, providing discipline and structure. Control environment factors include the following: the integrity, ethical values and competence of the organization's people; management's
philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by the board of
directors.
The PACF supports this control component by providing discipline and structure for the creation of control frameworks, though it is recognized that the control environment is typically unique to a department and the prerogative of the Deputy Head and Chief Financial Officer (CFO). Departments and agencies implementing the PACF will therefore need to add additional controls to reflect their organization's unique control environments.
- Risk Assessment: Every organization faces a variety of risks from external and internal sources that must be assessed. A precondition of risk assessment is the
establishment of the organization's control objectives, linked at different organizational levels and internally consistent. Risk assessment is the identification and analysis of relevant risks that
may affect the achievement of objectives, and it forms the basis for determining how the risks should be managed. Because economic, industry, regulatory and operating conditions will continue to
change, mechanisms are needed to identify and deal with the particular risks associated with change.
The PACF identifies risks for the relevant control objectives.
- Control Activities: Control activities are the policies and procedures that help ensure management's directives are carried out. They also help ensure necessary actions
are taken to address the risks that may affect the achievement of the organization's objectives. Control activities occur throughout the organization—at all levels and in all functions.
Wide-ranging and diverse, control activities include approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
The PACF identifies the control activities that support the control objectives and mitigate their associated risks.
- Information and Communication: Pertinent information must be identified, captured and communicated in a form and within a time frame that enable people to carry out their
responsibilities. Information systems produce reports containing operational, financial and compliance-related information that makes it possible to run and control the business. These systems deal
not only with internally generated data but also information about external events, activities and conditions necessary for informed business decision making and external reporting. For communication
to be effective, it must flow down, up and across the organization. All personnel must receive a clear message from top management that control responsibilities are to be taken seriously. All
personnel must understand their own role in the internal control system as well as how individual activities relate to the work of others. Personnel must have a means of communicating significant
information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators and shareholders.
The PAM addresses information and communication components related to the timely and accurate completion of pay administration processes; however, control-related information and communication components and their effectiveness, particularly with respect to employee roles and responsibilities for those controls and associated control activities, are recognized as being unique to a department and are therefore considered to be outside the scope of the PACF. Departments and agencies implementing the PACF will need to add a communications component to their framework.
- Monitoring: Internal control systems need to be monitored and the quality of the system's performance assessed over time. This is accomplished through ongoing monitoring
activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. It involves regular management and supervisory activities as well as activities
undertaken by personnel when performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring
procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.
The PACF recognizes the need to monitor control activities, both ongoing monitoring and separate evaluations. An effective monitoring program will take into account management and supervisory practices and the specifics of operating processes and will respond to identified control deficiencies. Such practices, processes and deficiencies will be unique to a department or agency; therefore, these control components are considered to be outside the scope of the PACF. Departments and agencies implementing the PACF will need to add a monitoring component to their framework.
The third facet of the COSO Cube addresses organizational levels of responsibility. Roles and their associated responsibilities and accountabilities are assigned for each control activity, based on those identified in the Pay Administration Model's RACI diagrams. Departments and agencies implementing the PACF may require adjustment to their control activities if assigning responsibilities and accountabilities to specific units or individuals in the organization.
2.2. The Pay Administration Model Processes
The Pay Administration Model, Figure 3, categorizes pay administration processes as follows:
- Operational planning—Departmental planning processes, including salary management and recording of commitments, are documented in the OCHRO's Common HR Business Process Initiative and also defined in the Treasury Board Directive on Planning and Budgeting (draft);
- Pre-payroll—PWGSC pay processes and departmental HR and pay processes as defined by the OCHRO's Common HR Business Process Initiative and by requirements under the FAA and related Treasury Board policies for expenditure initiation, such as section 32 of the FAA (s. 32 FAA), section 34 of the FAA (s. 34 FAA), quality assurance of adequacy of s. 34 FAA verification (performed on a prepayment or post-payment basis by the officer authorized under section 33 of the FAA (s. 33 FAA)), s. 33 FAA, and salary management;
- Payroll—PWGSC payroll processes and corresponding activities as defined by PWGSC payroll operations (analysis excludes these processes as they are within PWGSC's domain); and
- Post-payroll—PWGSC and departmental processes and activities for payroll postings and accounting, including completion of s. 34 FAA verification, quality assurance of adequacy of s. 34 FAA verification (performed on a prepayment or post-payment basis by the s. 33 FAA-authorized officer), commitment adjustments and salary management.
Figure 3: Pay Administration Context
3. The Pay Administration Control Framework
The PACF builds on the Pay Administration Model, in which common HR/Finance pay-related processes, data, roles, responsibilities and authoritative sources are documented. The PACF is organized according to the following common HR/Finance touch points:
- Operational Planning, Commitment Control and Salary Management
- HR Pre-Payroll Processes
- Pay Pre-Payroll Processes
- Payroll Processes
- Post-Payroll Processes
The control objectives and control components (activities) of the COSO Cube (described in Section 2 of this document) were applied to the processes examined in the Pay Administration Model to identify their control requirements. The resulting PACF structure, Figure 4, is as follows:
Figure 4: PACF Structure
Text version: Figure 4: PACF Structure
Refer to Appendix A for explanations of key terms used in the PACF.
3.1. Operational Planning, Commitment Control and Salary Management
As indicated in the Pay Administration Model, operational planning, commitment control and salary management are processes that occur concurrently with the other pay administration processes. As such, the associated controls apply from operational planning through to the completion of the post-payroll processes.
Control Process |
Control Activity |
Responsible |
Accountable |
Control Objective |
Control Risks |
ID |
|
---|---|---|---|---|---|---|---|
Create, implement and maintain departmental policies and procedures to manage the interaction between operational planning, commitment control and salary management. |
Corporate Finance / HR |
Deputy Head (commitment control) / Corporate Finance (operational planning and salary management) |
Operations, financial reporting and compliance |
Plans are managed in accordance with approved organizational structure. |
Changes are not approved through the planning process. |
A-1 |
|
Inform managers and Finance of approved organizational model. |
HR |
HR |
Operations (operational planning) |
Plans are managed in accordance with approved organizational structure. |
Changes are not approved through the planning process. |
A-2 |
|
Confirm that proposed actions align with approved organizational model (with supporting evidence) before proceeding. |
HR |
HR |
Operations (operational planning) |
Plans are managed in accordance with approved organizational structure. |
Changes are not approved through the planning process. |
A-3 |
|
Inform HR, managers and Finance of updates to organization model. |
HR/Manager/ Finance (tri-directional) |
HR |
Operations (operational planning) |
Plans are managed in accordance with approved organizational structure. |
Changes are not approved through the planning process. |
A-4 |
|
Confirm initiation of pay-related transaction requests and commitment according to the approved organizational model, with supporting evidence. |
Manager |
Manager |
Operations (commitment control and salary management) |
Forecasts are managed according to approved organizational structure. |
Forecasts are inaccurate, negatively affecting decision making. |
A-5 |
|
Track planned employee- and position-related data against the organizational structure. |
Manager |
Manager |
Financial reporting (salary management) |
Pay expenditures (including anticipated pay expenditures) are accurately forecast. |
Reliance on inaccurate information for decision making. |
A-6 |
|
Confirm availability of funds and record commitments.[9] |
Manager |
Manager |
Compliance (commitment control) |
Planned and forecasted pay expenditures (including anticipated pay expenditures) are recorded. |
Unencumbered balances within the department are insufficient to discharge applicable debts. |
A-7 |
3.2. HR Pre-Payroll Processes
The following controls apply to HR pre-payroll processes, which are processes undertaken by HR (or by the manager) before the pay-related action request is submitted to Compensation.
Control Process |
Control Activity |
Responsible |
Accountable |
Control Objective |
Control Risks |
ID |
|
---|---|---|---|---|---|---|---|
Create, implement and maintain departmental policies and procedures to manage the delegation of financial authorities. |
Corporate Finance |
Deputy Head |
Compliance |
All pay-related action requests are authorized by persons with the appropriate delegated financial authorities. |
Employee pay is in error, incomplete or fraudulent and pay-related processes occur without the necessary financial authority. |
B-1 |
|
Create, implement and maintain formal delegation of authorities matrix. |
Corporate Finance |
Minister / Deputy Head |
Compliance |
All pay-related action requests are authorized by persons with the appropriate delegated financial authorities. |
Pay-related processes occur without the necessary financial authority. |
B-2 |
|
Create, implement and maintain appropriate division of financial responsibilities. |
Corporate Finance |
Minister / Deputy Head |
Compliance |
All pay-related action requests are authorized by persons with the appropriate delegated financial authorities. |
Employee pay is in error, incomplete or fraudulent. |
B-3 |
|
Formally delegate and communicate financial authorities in writing to Finance, Compensation and managers.[10] |
Corporate Finance |
Minister / Deputy Head |
Compliance |
All pay-related action requests are authorized by persons with the appropriate delegated financial authorities. |
Employee pay is in error, incomplete or fraudulent. |
B-4 |
|
Inform Compensation and HR of the delegation of authorities matrix. |
Financial Services |
Corporate Finance |
Compliance |
All pay-related action requests are initiated with the required financial authority. |
Pay-related processes occur without the necessary financial authority. |
B-5 |
|
Create, implement and maintain specimen signature documents. |
Manager |
Corporate Finance |
Compliance |
All pay-related action requests are initiated with the required financial authority. |
Pay-related processes are initiated without the necessary financial authority. |
B-6 |
|
Create, implement and maintain training and certification (learning certification) programs so managers have the necessary knowledge, skills and competencies to effectively carry out their financial management duties. |
Corporate Finance / HR |
Deputy Head |
Compliance |
All pay-related action requests are authorized by persons with the appropriate delegated financial authorities. |
Employee pay is in error, incomplete or fraudulent. |
B-7 |
|
Validate specimen signature documents (includes assurance that managers have the required certification and training). |
Financial Services |
Corporate Finance |
Compliance |
All pay-related action requests are initiated with the required financial authority. |
Pay-related processes are initiated without the necessary financial authority. |
B-8 |
|
Validate that the originator of pay-related transaction requests has the appropriate financial authority. |
HR |
HR |
Compliance |
All pay-related action requests are initiated with the required financial authority. |
Pay-relatedprocesses are initiated without the necessary financial authority. |
B-9 |
|
Create, implement and maintain departmental policies and procedures to manage HR delegations. |
HR |
HR |
Compliance |
All pay-related action requests are authorized with the required HR delegation. |
HR processes are initiated without the necessary delegation. |
B-10 |
|
Create, implement and maintain record of HR delegations. |
HR |
HR |
Compliance |
All pay-related action requests are authorized with the required HR delegation. |
HR processes occur without the necessary delegation. |
B-11 |
|
Validate that the originator of the pay action has the required HR delegation. |
HR (for HR pre-payroll) / Compensa-tion (for pay pre-payroll) |
HR (for HR pre-payroll) / Compensa-tion (for pay pre-payroll) |
Compliance |
All pay-related action requests are authorized with the required HR delegation. |
HR processes occur without the necessary delegation. |
B-12 |
|
Create, implement and maintain training and certification (as appropriate) so employees have the necessary knowledge, skills and competencies to effectively carry out their HR duties. |
HR |
Deputy Head |
Compliance |
All pay-related action requests are authorized with the required HR delegation. |
HR processes occur without the necessary delegation. |
B-13 |
3.3. Pay Pre-Payroll Processes
The following controls apply to the activities undertaken by Compensation when preparing and submitting transactions for payroll processing.
Control Process |
Control Activity |
Responsible |
Accountable |
Control Objective |
Control Risks |
ID |
|
---|---|---|---|---|---|---|---|
Control activities related to the delegation of HR and financial authorities identified under HR Pre-Payroll Processes also apply here. |
C-1 |
||||||
Create, implement and maintain departmental policies and procedures for compliance with s. 34 of the FAA. |
Corporate Finance |
Corporate Finance / CFO |
Compliance |
All pay-related action requests are authorized by persons with the appropriate delegated financial authorities. |
Employee pay is in error, incomplete or fraudulent. |
C-2 |
|
Certify under s. 34 of the FAA that:
|
Manager |
Manager |
Compliance |
Pay-related action requests are processed accurately. |
Inaccurate pay results (negatively affecting decision making or requiring further pay processing because of underpayments and overpayments) |
C-3 |
|
Verify under s. 34 of the FAA that: |
Compensation |
Compensation |
Operations |
Pay-related action requests are processed accurately. |
Inaccurate pay results (negatively affecting decision making or requiring further pay processing because of underpayments and overpayments) |
C-4 |
|
Ensure that no person exercises s. 34 of the FAA for a payment from which he or she can personally benefit, either directly or indirectly.[11] |
Compensation |
Corporate Finance |
Compliance |
Appropriate segregation of duties |
Fraudulent or inaccurate pay-related action requests |
C-5 |
|
Create, implement and maintain procedures to ensure that s. 33 FAA authority is properly exercised (including mechanisms to verify the legality of the payment and the availability of funds). |
Corporate Finance |
Corporate Finance |
Compliance |
Pay-related action requests are authorized under s. 33 of the FAA. |
Inaccurate pay results (negatively affecting decision making or requiring further pay processing because of underpayments and overpayments) |
C-6 |
|
Validate that the required s. 34 FAA certification exists for s. 33 payment. |
Compensation / Corporate Finance |
Corporate Finance |
Compliance |
All pay-related action requests are authorized by persons with the appropriate delegated financial authorities. |
Employee pay is in error, incomplete or fraudulent. |
C-7 |
|
Officers with s. 33 FAA payment authority must ensure that an adequate process is in place to verify accounts under s. 34 of the FAA and that the process is being properly followed. |
Financial Services |
Corporate Finance (CFO) |
Compliance |
Pay-related action requests are authorized under s. 33 of the FAA. |
Inaccurate pay results (negatively affecting decision making or requiring further pay processing because of underpayments and overpayments) |
C-8 |
|
Ensure that no person exercises signing authority under both s. 33 and s. 34 of the FAA with respect to a particular payment. |
Corporate Finance |
Corporate Finance |
Compliance |
Appropriate segregation of duties |
Fraudulent or inaccurate pay-related action requests |
C-9 |
|
Ensure that no person exercises s. 33 of the FAA for a payment from which he or she can personally benefit, either directly or indirectly. |
Compensation / Corporate Finance |
Corporate Finance |
Compliance |
Appropriate segregation of duties |
Fraudulent or inaccurate pay-related action requests |
C-10 |
|
Create, implement and maintain procedures to ensure prompt initiation and accurate completion of pay-related requests. |
Manager / Compensation |
Manager |
Operations |
Prevent or minimize overpayments. |
Overpayments cannot be recovered. |
C-11 |
|
Limit access and privileges (of specific functions or specific employees) to authorized users only and review user access and privileges periodically. |
Compensation |
Compensation |
Operations |
Prevent or minimize inaccuracy, fraud and overpayment situations. |
Employee pay is in error, incomplete or fraudulent. |
C-12 |
|
Validate accuracy of employee information. |
Compensation/ HR/Manager |
Compensation |
Compliance |
Pay-related action requests include accurate employee information. |
Inaccurate pay for employees (negatively affecting decision making or requiring further pay processing because of underpayments and overpayments) and inaccurate reporting information (expenditures, forecasts) |
C-13 |
|
Validate accuracy of position information. |
Compensation/ HR/Manager |
HR |
Compliance |
Pay-related action requests include accurate employee position information. |
Inaccurate pay for employees (negatively affecting decision making or requiring further pay processing because of underpayments and overpayments) and inaccurate reporting information (expenditures, forecasts) |
C-14 |
|
Create, implement and maintain procedures for the recovery of debts owed to the Crown. |
Financial Services |
Corporate Finance |
Operations |
Prevent or minimize overpayments. |
Overpayments cannot be recovered. |
C-15 |
3.4. Payroll Processes
PWGSC's Internal Control Framework and the Receiver General Control Framework (specifically the components related to the payroll systems[12]) complement the PACF and complete the end-to-end pay administration control processes of departments, agencies and PWGSC. PWGSC's Internal Control Framework identifies controls for both gross and net payroll processing, with the overall control objective of ensuring authorized, complete, accurate and timely payroll. To be consistent with the scope of pay administration in departments and agencies (as described in the Pay Administration Model), the controls listed below only relate to the gross payroll processes of PWGSC, departments and agencies.
Control Process |
Control Activity |
Responsible |
Accountable |
Control Component |
Control Objective |
Control Risks |
ID |
---|---|---|---|---|---|---|---|
Create, implement and maintain controls for reconciliation (gross-to-net), editing and correction of payroll transactions. |
PWGSC Compensation |
PWGSC Compensation |
Operations |
Accurate processing of pay-related action requests |
Inaccurate pay for employees |
D-1 |
|
Maintain and forward a copy of s. 33 FAA specimen signature document to PWGSC. |
Corporate Finance |
Corporate Finance |
Compliance |
Accurate processing of pay-related action requests |
Unauthorized pay transactions will be processed by PWGSC. |
D-2 |
|
Confirm department's s. 33 FAA authority. |
PWGSC Compensation |
PWGSC Compensation |
Compliance |
Accurate processing of pay-related action requests |
Unauthorized pay transactions will be processed by PWGSC. |
D-3 |
|
Forward departmental input file to PWGSC Banking and Cash Management Sector (BCMS) for payment. |
PWGSC Compensation |
PWGSC Compensation |
Operations |
Provide complete, prompt and accurate payment to employees. |
Payments and/or pay statements are not provided to the employee. |
D-4 |
|
Issue payments in accordance with departmental input file. |
PWGSC BCMS |
PWGSC BCMS |
Operations |
Provide complete, prompt and accurate payment to employees. |
Payments and/or pay statements are not provided to the employee. |
D-5 |
|
Identify critical errors, inform the department and perform corrections (see E-2 for error analysis and departmental corrective actions). |
PWGSC Compensation (applicable Pay Office) |
PWGSC Compensation |
Operations |
Pay-related action requests sent to PWGSC are processed promptly, accurately and fully. |
Pay-related action requests sent to PWGSC are delayed, incomplete or inaccurate. |
D-6 |
3.5. Post-Payroll—Error Detection / Register Review / Cheque Recall / Intercept / Payment Release
Error detection, register review, cheque recall and intercept processes are undertaken by the department's Compensation staff, and they occur between the time payroll is run and pay is released. Payment release (approval of payroll register) and custody and distribution of payments are considered post-payroll processes and included in this section. The controls associated with post-payroll processes are described in the table below.
Control Process |
Control Activity |
Responsible |
Accountable |
Control Component |
Control Objective |
Control Risks |
ID |
---|---|---|---|---|---|---|---|
Create, implement and maintain departmental policies and procedures to identify and address potential overpayments (based on pre-determined criteria) before the release of payment. |
Compensation / Corporate Finance |
Corporate Finance |
Operations |
Prevent or minimize overpayment situations. |
Overpayments are not identified in time to prevent the release of payment. |
E-1 |
|
Review errors in PWGSC's error analysis reports; assign corrective actions and monitor. |
Compensation |
Compensation |
Operations |
Pay-related action requests sent to PWGSC are processed promptly, accurately and fully. |
Pay-related action requests sent to PWGSC are rejected (payment has not been created because input was rejected for technical reasons). |
E-2 |
|
Monitor trend reports and the status of errors and corrections for management and operational feedback. |
Compensation |
Compensation |
Operations |
Pay-related action requests sent to PWGSC are processed promptly, accurately and fully. |
Pay-related action requests sent to PWGSC are rejected (payment has not been created because input was rejected for technical reasons). |
E-3 |
|
Review pay-related errors and corrective actions; assign and monitor Human Resources Management System (HRMS) update actions. |
HR/ Manager/ Compensation |
Manager |
Operations |
Departmental HR and PWGSC payroll systems provide consistent information. |
Discrepancies between PWGSC and HRMS information |
E-4 |
|
Follow the processes and procedures to stop payments. |
Compensation |
Compensation |
Operations |
Prevent or minimize overpayment situations. |
Overpayments are not identified in time to prevent the release of payment. |
E-5 |
|
Create, implement and maintain criteria for initiating cheque recall and intercept processes. |
Compensation / Corporate Finance |
Compensation |
Operations |
Prevent the release of payments containing significant overpayments. |
Overpayments are not intercepted before the release of payment. |
E-6 |
|
Document the decision to release or intercept an erroneous payment. |
Compensation |
Compensation |
Operations |
Prevent the release of payments containing significant overpayments. |
Overpayments are not intercepted before the release of payment. |
E-7 |
|
Inform PWGSC of cheque recall and intercept decisions for action to be taken (request made by person with the appropriate delegated authority). |
Compensation |
Compensation |
Operations |
Prevent the release of payments containing significant overpayments. |
Overpayments are not intercepted before the release of payment. |
E-8 |
|
Inform employee of impact, remedial action, and/or options immediately after a release or hold decision is taken. |
Compensation / Financial Services |
Compensation |
Operations |
Prevent the release of payments containing significant overpayments. |
Errors are not communicated to affected employees on a timely basis. |
E-9 |
|
Follow the processes and procedures to stop the release of payments. |
Compensation / Financial Services |
Corporate Finance |
Operations |
Prevent the release of payments containing significant overpayments. |
Overpayments are not recoverable. |
E-10 |
|
Create, implement and maintain procedures for distribution and release of payments. |
Compensation / Financial Services |
Corporate Finance |
Operations |
Provide complete, prompt and accurate payment to employees. |
Payments and/or pay statements are not provided to the employee. |
E-11 |
|
Confirm the accuracy and completeness of payroll registers and other output reports to ensure payments reflect pay input transactions. |
Compensation |
Compensation |
Operations |
Provide complete, prompt and accurate payment to employees. |
Payments and/or pay statements are not provided to the employee. |
E-12 |
|
Control the custody and distribution of cheques and direct deposit payment statements (including validation that the person (or persons) responsible does not have delegated authority in the areas of staffing, classification, compensation administration, staffing transactions or pay input transactions). |
Financial Services |
Corporate Finance |
Operations |
To ensure payments are delivered to the employee |
Payments and/or pay statements are not provided to the employee. |
E-13 |
|
Maintain standardized processes and procedures for undelivered payments. |
Financial Services |
Corporate Finance |
Operations |
To ensure payments are delivered to the employee |
Payments and/or pay statements are not provided to the employee. |
E-14 |
|
Create, implement and maintain procedures to correct erroneous payments promptly and ensure recovery action is initiated. |
Compensation |
Compensation |
Operations |
Prevent the release of payments containing significant overpayments. |
Overpayments are not intercepted before the release of payment. |
E-15 |
|
Maintain up-to-date employee information (address, financial institution). |
Employee/ Manager/ Compensation |
Employee |
Operations |
To ensure payments are properly completed |
Payments and/or pay statements are not provided to the employee. |
E-16 |
3.6. Post-Payroll (Pay-related Finance Processes)
Pay-related post-payroll Finance processes occur once pay has been released. The following controls apply to these processes.
Control Process |
Control Activity |
Responsible |
Accountable |
Control Component |
Control Objective |
Control Risks |
ID |
---|---|---|---|---|---|---|---|
Create, implement and maintain month-end and year-end reconciliation and reporting of departmental pay expenditures and payroll control accounts. |
Manager / Corporate Finance |
Corporate Finance |
Financial reporting |
Accurate, complete and timely reporting of pay expenditures |
Inaccurate reporting in financial statements and inaccurate government-wide reporting (trial balance) |
F-1 |
|
Review pay expenditures and pay-related practices periodically to ensure the consistent application of s .34 FAA verification and the adequacy of s. 34 FAA account verification. |
Corporate Finance |
Corporate Finance |
Compliance |
Ensure supporting evidence (audit trail) exists for s. 34 FAA verification of pay-related action requests. |
Expenditures may result in non-compliance with financial policies and with the FAA (insufficient funds, inaccurate financial statements). |
F-2 |
|
Complete s. 34 FAA verification of pay expenditures (detailed pay expenditure file postings with supporting evidence) as follows: Verify that the amount paid is accurate and is associated with the correct employee in the correct time period; and Verify that the correct financial coding has been applied to the transaction. |
Manager |
Manager |
Compliance, operations and financial reporting |
Accurate and complete recording of pay expenditures |
Inaccurate, incomplete recording or posting of pay (e.g. overpayments or underpayments not identified) |
F-3 |
|
Reconcile detailed pay expenditures with the payroll control data (Payroll System General Ledger, PS-GL). |
Corporate Finance / Manager |
Corporate Finance |
Financial reporting |
Account for gross payroll. |
Inaccurate reporting in financial statements and inaccurate government-wide reporting (trial balance) |
F-4 |
|
Process and reconcile manual adjustments received from PWGSC and other pay-related transactions. |
Financial Services |
Corporate Finance |
Financial Reporting |
Account for other pay-related action requests that require specialized accounting, such as internal journal vouchers, garnisheed salaries and salary advances. |
Inaccurate reporting in financial statements and inaccurate government-wide reporting (trial balance) |
F-5 |
|
Create and reconcile internal journal vouchers and cancelled payment vouchers. |
PWGSC Compensation |
PWGSC Compensation |
PWGSC Compensation |
Forward paper documents to departments (Finance) for processing. |
Inaccurate reporting in financial statements and inaccurate government-wide reporting (trial balance) |
F-6 |
|
Submit monthly and year-end trial balances of the department's reconciled payroll expenditures and payroll control account to the Central Financial Management Reporting System (CFMRS). |
Corporate Finance |
Corporate Finance |
Financial reporting |
Account for gross payroll. |
Inaccurate reporting in financial statements and inaccurate government-wide reporting (trial balance) |
F-7 |
4. Conclusion
The PACF identifies a common approach for determining, implementing and maintaining controls for pay administration in departments and agencies. While the PACF is system-independent, it is specific to the common HR/Finance business processes identified in the PAM Guideline and is focussed on complete, accurate and timely pay that complies with laws, regulations, policies and financial reporting requirements. The PACF can assist departments when responding to independent audit requirements and to financial statement readiness assessments that examine payroll-related expenditures (as part of the preparation of audited financial statements).
The PACF[13] will assist departments and agencies in developing, implementing and monitoring internal controls related to pay administration. It is expected that departments and agencies will tailor this control framework to meet the specific control needs of their HR and financial management systems.
Together, the Pay Administration Model Guideline and the Pay Administration Control Framework Tool improve the accuracy and quality of employee pay transactions, while enhancing financial reporting and decision making, promoting interoperability and data sharing, managing overlap and duplication across Finance and HR processes, and cultivating prudent stewardship and greater accountability and transparency.
Appendix A - Terminology, Abbreviations and Acronyms
While every attempt has been made to follow generally accepted definitions of common terminology, the following definitions are for the purposes of the PACF only.
For an overview of the specific organizational and individual roles, responsibilities and accountabilities identified in the PACF, see Section 3 of the HR/Finance Pay Administration Model.
Term |
Definition |
---|---|
Accountable |
Individual or organization that can attest to the truth of the information or decision and is ultimately accountable for the completion of the task. There must be exactly one resource accountable for each task. Where organizations have been identified as accountable in both the Pay Administration Model and the PACF, it will be up to departments to determine who specifically within the organization is accountable. |
Account verification and certification |
Primary responsibility for verifying individual accounts rests with officers who have the authority to confirm and certify entitlement pursuant to s. 34 of FAA. Persons with this authority are responsible for the correctness of the payment requested and the account verification procedures performed. As part of the account verification process, transactions should be reviewed for accuracy to ensure that the payment is not a duplicate, that discounts have been deducted, that any charges not payable have been removed, and that the amount has been calculated correctly. These actions together complete the requirement called "section 34 verification and certification." For further description of these requirements, refer to the Treasury Board Directive on Account Verification.[14] |
Approved plan (Operational plan) |
A multi-year plan that specifies the resources required (financial, human, and technical or capital) and the approaches to be taken. It also includes descriptions of the activities to be delivered, planned results and timelines. The operational plan, which is the department's approved plan for the upcoming fiscal year, aligns with the annual budget.[15] In a pay administration context, the approved plan includes the review and approval of the organizational structure and the financial implications of the structure. |
Authoritative source |
The "system" (or "container") that holds the official version of the information or decision. The authoritative source can be automated or manual. |
Administrative systems cluster group |
Departments form interdepartmental partnerships (clusters) for community-based service management and support whereby they share the risks and costs. The collective business planning process focuses all relevant stakeholders on defining the business vision and producing common business and systems requirements.[16] |
Commitment control |
It is government policy that departments enter only into contracts or other arrangements when sufficient unencumbered balances are available in the relevant appropriation, item in the Estimates, or Treasury Board–approved allotment ceiling to discharge any debts incurred under such commitments.[17] In a pay context, pay-related documents meet the definition of "contracts" or "other arrangements." |
Consulted |
Position or organization that is required to provide accurate information or a decision for an action to be completed. There is typically a two-way communication between those consulted and the responsible party. |
Control activities |
Departmental policies and procedures that help ensure management's directives are carried out. They also help ensure necessary actions are taken to address the risks that may affect the achievement of the organization's objectives. Control activities occur throughout the organization—at all levels and in all functions. Wide-ranging and diverse, control activities include approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties. |
Control environment |
The control environment sets the overall control consciousness of an organization and its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the following: the integrity, ethical values and competence of the organization's people; management's philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by the board of directors. |
Control framework |
A systematic method to categorize controls and the basis for a document outlining the departmental system of internal control that is implemented. Both Treasury Board and the Risk Management and Governance Board of the Canadian Institute Of Chartered Accountants (CICA) recognize the Enterprise Risk Management – Integrated Framework, which has been developed and maintained by the Committee of Sponsoring Organizations (COSO) and includes its Internal Control – Integrated Framework, as a suitable framework. |
Expenditure initiation |
Authority to initiate expenditure is exercised when a decision is made that will result in an eventual expenditure of funds, such as the decision to hire staff.[18] In a pay administration context, expenditure initiation is a decision related to pay that eventually may result in payroll expenditures and be included in the detailed pay expenditure file from the RPS. Individuals (positions) with the delegated expenditure initiation authority and corresponding HR authority initiate pay-related action requests. Note: Some pay-related action requests may span multiple years. |
Federal Accountability Act |
Through the Federal Accountability Act and Action Plan, the Government of Canada has brought forward specific measures to help strengthen accountability and increase transparency and oversight in government operations. The comprehensive Action Plan includes the Act as well as supporting policy and other non-legislative measures.[19] |
Financial Administration Act |
The Financial Administration Act sets out a series of fundamental principles on the manner in which government spending may be approved, expenditures can be made, revenues obtained, and funds borrowed.[20] |
Forecast |
The total amount a manager intends to spend (or charge expenses) and collect (or generate revenues) against the current fiscal year's budget at a given point in time.[21] |
Human Resources/Finance touch point |
A process or data that can trigger or react to (be the recipient of) a Human Resources or Finance process. |
Informed |
Position or organization that is notified of the information or decision after the decision is made. There is typically a one-way communication from the responsible (or accountable) party to those informed. |
Internal control |
A process designed to provide reasonable assurance of achieving objectives in the following categories:
|
Manager |
In the context of this document, the incumbent of a position who has the applicable delegated HR and financial signing authorities for pay-related transactions in accordance with the department's delegation of authorities matrix. In a pay administration context, this can include individuals occupying positions that are typically responsible for an organization (e.g. responsibility centre) or for the department, as in the case of the Deputy Head. |
Pay administration model |
Documentation of common HR and Finance pay-related processes, data, roles and responsibilities, and authoritative sources. |
Pay-related documents |
In a pay administration context, pay-related documents meet the definition of "contracts" or "other arrangements" pursuant to s. 32 of the FAA. Pay-related documents result in payments through the RPS. |
Pay-related transactions |
"Pay" and "payroll" are limited to gross pay amounts and compensation transactions identified in the RPS's detailed pay expenditure file and include the following:
|
RACI |
A RACI approach is used to describe the roles and responsibilities of various teams or individuals for delivering or operating a process. The RACI approach splits tasks into four participatory responsibility types, which are then assigned to different roles in the process (responsible, accountable, consulted and informed). |
Record of commitments |
"The deputy head or other person charged with the administration of a program . . . shall, as the Treasury Board may prescribe, establish procedures and maintain records respecting the control of financial commitments chargeable to each appropriation or item (s. 32 of the FAA)."[22] and "that a process be in place to record and account for salary and wage commitments, as stipulated under s 32 of the Financial Administration Act (FAA)",.[23] |
Responsible |
Position or organization that records the information or decision or does the work to achieve the task and relies on the information from those consulted. There can be multiple resources responsible. |
Risk |
The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of likelihood and impact. |
Risk management |
A process applied in the formulation of strategic direction, designed to identify potential events that may affect the organization and its ability to meet and accomplish its objectives and expected results. Risk management includes steps and actions to counteract the potential risk factors. |
Section 32 of the Financial Administration Act (s. 32 of the FAA)[24] |
S. 32 of the FAA includes the requirements for commitment control and record of commitments (refer to applicable definitions). |
Section 33 of the Financial Administration Act (s. 33 of the FAA)[25] |
Financial officers with delegated s. 33 FAA payment authority must confirm, before releasing payment, that the expense is a lawful charge against the appropriation (including assurance that value has been received) and that the payment would not result in an expenditure in excess of the appropriation or reduce the balance available in the appropriation to an insufficient level to meet the commitments charged against it. S. 33 FAA authority can be delegated to a position other than the senior financial officer (SFO) of the department. In such cases, the SFO, being responsible for the overall quality of financial management, remains entirely responsible for the effectiveness and efficiency of the person exercising that authority. |
Section 34 of the Financial Administration Act (s. 34 of the FAA)[26] |
S. 34 of the FAA includes the requirements for certification and verification (refer to applicable definitions). Before a payment is made for goods or services received, the responsible departmental official must certify that the performance of the work, the supply of the goods or the rendering of services were in accordance with the terms and conditions of the contract and that the price charged is in accordance with the contract or, in the absence of a contract, is reasonable. In a pay administration context, s. 34 FAA certification originates from the entitlements specified as terms and conditions of the letter of offer. |
Abbreviations
Abbreviation |
Description |
---|---|
HRMS |
Human Resources Management System—Could be one or multiple departmental systems (automated or manual) that handle data related to the following: HR planning; classification; staffing; learning and development; compensation, leave, time and reporting; and staff relations. |
Acronyms
Acronym |
Description |
---|---|
BCMS |
Banking and Cash Management Sector (PWGSC) |
CFMRS |
Central Financial Management Reporting System |
CFO |
Chief Financial Officer |
CIOB |
Chief Information Officer Branch (TBS) |
FAA |
Financial Administration Act |
FSA |
Financial Systems Authority |
GC |
Government of Canada |
GC HRMS |
Government of Canada Human Resources System |
IFMS |
Integrated Financial Management System |
OCG |
Office of the Comptroller General |
OCHRO |
Office of the Chief Human Resources Officer |
PAM |
Pay Administration Model |
PS-GL |
Payroll System General Ledger |
PWGSC |
Public Works and Government Services Canada |
RPS |
Regional Pay System |
© His Majesty the King in Right of Canada, represented by the President of the Treasury Board, 2017,
ISBN: 978-0-660-09881-4