Rescinded [2017-04-01] - Directive on Electronic Authentication and Authorization of Financial Transactions
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived.
1 Effective date
1.1 This directive takes effect on March 1, 2012.
1.2 It replaces the Policy on Electronic Authorization and Authentication (dated July 15, 1996).
2 Application
2.1 This directive applies to departments as defined in section 2 of the Financial Administration Act.
2.2 Section 6.5.2 of this directive, which provides for the Comptroller General to monitor compliance with this directive within departments and to request that departments take corrective action, does not apply with respect to the Office of the Auditor General, the Office of the Privacy Commissioner, the Office of the Information Commissioner, the Office of the Chief Electoral Officer, the Office of the Commissioner of Lobbying, the Office of the Commissioner of Official Languages and the Office of the Public Sector Integrity Commissioner. The deputy heads of these organizations are solely responsible for monitoring and ensuring compliance with this directive within their organizations, as well as for responding to cases of non-compliance in accordance with any Treasury Board instruments that address the management of compliance.
2.3 This directive does not apply to electronic requisitions sent to the Receiver General (RG) for payments and settlements out of the Consolidated Revenue Fund (CRF), as they are governed by the requirements contained in the Payments and Settlements Requisitioning Regulations, 1997.
2.4 Departments may choose to apply the principles of this directive to non-financial transactions.
3 Context
3.1 This directive supports the Policy on Internal Control by outlining the responsibilities of Chief Financial Officers and others in maintaining the integrity of electronic financial transactions and related electronic authentications and authorizations.
3.2 With the continuing advancement of technology and the importance of making operations as effective and efficient as possible, government administrative systems are increasingly moving toward online systems that include processing financial transactions through electronic authentications and authorizations, allowing the elimination of paper-based signatures.
3.3 Appropriate and effective controls, whether manual or electronic, are fundamental for financial transactions. The integrity of controls that govern authority to make payments in government is paramount to sustaining public trust. This is why the Financial Administration Act (FAA) (including sections 34 and 33) specifies the types of approvals and certification necessary before any payments are made from the CRF. Those who exercise the authority to make payments out of the CRF are accountable for the use of appropriations and therefore must have confidence in the validity of the transaction prior to any approvals or certifications. Similar controls must be in place for revenues and deposits made into the CRF and for any accounting transactions and adjustments made that affect the Central Accounting System. The supporting Information Technology (IT) systems and their internal controls must be able to provide the necessary assurances.
3.4 Departments are, therefore, expected to ensure that they have effective controls in place to preserve the integrity of their electronic financial transactions. This includes electronic authentication and authorization processes provided by IT which may be applied in conjunction with non-IT controls.
3.5 Integrity of electronic financial transactions implies that transactions and the related electronic authentications and authorizations are safeguarded against unauthorized access, authority or disclosure, repudiation, destruction, removal, modification, misuse, incompleteness and inaccuracy. It includes ensuring that the electronic authorization is unique for each individual, that the authorizer can be identified, that authorization integrity is maintained to ensure the accountability and protection of the person assuming responsibility and, in cases where electronic delegation matrices are used, that the integrity of the matrices is also preserved.
3.6 Consistent with the Policy on Internal Control and the Policy on Government Security, departments are expected to establish effective controls that are balanced with and proportionate to the risks they aim to mitigate, taking into account the type of financial transactions.
3.7 In doing so, departments are expected to assess and determine the appropriate level of assurance or acceptable security requirements based on the risks involved for each type of financial transaction utilizing electronic authentications and authorizations. This includes identifying and documenting the key risks associated with each step of the authorization and identification processes, mapping them to the applicable assurance level, validating that the controls are in place as designed and that they achieve the required assurance level, and periodically monitoring and reassessing key controls to ensure they function well over time and remain effective. These key risks and controls are part of the broader system of internal controls over financial reporting. They include controls at the corporate or entity level, the business process level, and the general IT or network level.
3.8 Throughout this process of due diligence, Chief Financial Officers along with other senior departmental managers have key roles to play. There is also a shared responsibility between Chief Information Officers or equivalents, senior departmental managers responsible for information management, and departmental security officers (DSOs), who all have specific responsibilities and expertise pertaining to systems-based controls.
3.9 This directive is issued pursuant to section 7 of the Financial Administration Act.
3.10 The directive supports the Policy on Internal Control. In addition, the Policy on Government Security requires that government information, assets and services are protected, that there is a continuous assessment of risk, and that there is ongoing monitoring and maintenance of internal controls in this context. The directive is also to be read in conjunction with the following:
- Directive on Departmental Security Management
- Guideline on Defining Authentication Requirements
4 Definitions
Definitions to be used in the interpretation of this directive can be found in the Appendix.
5 Directive statement
5.1 Objective
The integrity of electronic financial transactions is maintained through appropriate authentications and authorizations and the associated internal controls are commensurate with risks.
5.2 Expected results
- Risks related to electronic authentication and authorization are effectively mitigated through the use of effective internal controls that take into account the type of the financial transactions and their related risks.
- Integrity of electronic financial transactions and related authentications and authorizations effectively mitigates unauthorized access, authority or disclosure, repudiation, destruction, removal, modification, misuse, incompleteness and inaccuracy.
6 Requirements
6.1 Chief Financial Officers are responsible for the following:
6.1.1 Leading and coordinating the establishment and maintenance of effective departmental systems of internal control to ensure the integrity of financial transactions through electronic authentications and authorizations.
6.1.2 Obtaining an appropriate level of assurance that risks to the integrity of financial transactions have been properly assessed and that appropriate key controls to mitigate these risks are documented, in place as designed, and operating effectively in an ongoing manner. Effective controls ensure the following:
- Access to electronic systems that store or process financial or finance-related transactions is restricted to those who require it to perform their duties;
- User authentication information, such as identifiers and passwords, is properly safeguarded and managed, and users understand their accountabilities;
- At the time of authorization, the identity of the authorizer is authenticated, and the proof of authorization is linked to every transaction that was authorized;
- Authorized individuals approving transactions, including those exercising account verification, monitor the accuracy and appropriateness of the transactions and are informed of their accountabilities;
- Authorization is consistent with the approved departmental delegation of authorities matrices in place at the time of authorization and appropriate separation of duties; and
- An audit trail is maintained and records retention and disposition are managed in accordance with appropriate legislation, regulations and policy instruments so that the sequence of events and the transactions processed can be reconstructed for the purposes of an audit, investigation or review.
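The controls listed in 6.1.2 can be exercised in code. The Python below is an added illustration, not part of the directive or of any departmental system: it assumes a constructed delegation of authorities matrix keyed by FAA authority ("s34" for certification, "s33" for payment requisition), constructed user sessions, and a hash-chained audit log as the proof of authorization linked to each transaction.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed delegation of authorities matrix: user -> {FAA authority: dollar limit}.
# "s34" = certification of the transaction, "s33" = requisition of payment.
DELEGATION = {
    "alice": {"s34": 50_000.00},
    "bob": {"s33": 100_000.00},
}

class AuthorizationError(Exception):
    """Raised when a 6.1.2 control is not satisfied; nothing is recorded."""

@dataclass
class Transaction:
    tx_id: str
    amount: float
    requester: str                      # who initiated the transaction
    authorizations: list = field(default_factory=list)

def authorize(tx, session, authority, audit_log):
    """Grant `authority` over `tx` to the authenticated user in `session`."""
    # The authorizer's identity is authenticated at the time of authorization.
    if not session.get("authenticated"):
        raise AuthorizationError("authorizer is not authenticated")
    user = session["user"]
    # Authorization must match the delegation matrix in force right now.
    limit = DELEGATION.get(user, {}).get(authority)
    if limit is None or tx.amount > limit:
        raise AuthorizationError(f"{user} holds no {authority} authority for {tx.amount}")
    # Separation of duties: no self-approval, no one person exercising both s.34 and s.33.
    if user == tx.requester or any(a["user"] == user for a in tx.authorizations):
        raise AuthorizationError("separation of duties violated")
    # A payment requisition (s.33) requires a prior s.34 certification.
    if authority == "s33" and not any(a["authority"] == "s34" for a in tx.authorizations):
        raise AuthorizationError("s.33 requisition without s.34 certification")
    record = {"tx_id": tx.tx_id, "amount": tx.amount, "user": user,
              "authority": authority, "ts": datetime.now(timezone.utc).isoformat()}
    # Proof of authorization: a digest chained to the previous audit entry, so the
    # sequence of events can be reconstructed and alteration is detectable.
    prev = audit_log[-1]["proof"] if audit_log else ""
    record["proof"] = hashlib.sha256((prev + json.dumps(record, sort_keys=True)).encode()).hexdigest()
    tx.authorizations.append(record)
    audit_log.append(record)
    return record

def verify_audit_trail(audit_log):
    """Recompute the chain; False if an entry was altered or the chain was broken."""
    prev = ""
    for rec in audit_log:
        body = {k: v for k, v in rec.items() if k != "proof"}
        digest = hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()
        if digest != rec["proof"]:
            return False
        prev = rec["proof"]
    return True
```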
6.1.3 Recommending to the deputy head whether, how and when capabilities for electronic authentication and authorization of financial transactions can be introduced, given the type of the financial transactions, their associated risks and the key controls in place.
6.2 Departmental chief information officers or equivalents are responsible for the following:
6.2.1 Providing assurances to the Chief Financial Officer that key information management and information technology internal controls falling under their areas of responsibility are in place and working effectively to support the ongoing integrity of electronic financial transactions and related authentications and authorizations.
6.3 Departmental security officers (DSOs) are responsible for the following:
6.3.1 Providing assurances to the Chief Financial Officer that key security management controls falling under their areas of responsibility are in place and working effectively to support the ongoing integrity of electronic financial transactions and related authentications and authorizations.
6.4 Senior departmental managers are responsible for the following:
6.4.1 Providing assurances to the Chief Financial Officer that key controls falling under their areas of responsibility are in place and working effectively to support the ongoing integrity of electronic financial transactions and related authentications and authorizations.
6.5 Monitoring and reporting requirements
6.5.1 Chief Financial Officers are responsible for supporting their deputy head by overseeing the implementation and monitoring of this directive in their departments, bringing to the deputy head's attention any significant difficulties, gaps in performance or compliance issues and developing proposals to address them, and also reporting significant performance or compliance issues to the Office of the Comptroller General.
6.5.2 The Comptroller General is responsible for monitoring departments' compliance with the requirements of this directive and for conducting a review within five to eight years.
7 Consequences
7.1 In instances of non-compliance, deputy heads are responsible for taking corrective measures within their organization with those responsible for implementing the requirements of this directive.
7.2 To support the responsibility of deputy heads in implementing the Policy on Internal Control, the Policy on the Stewardship of Financial Management Systems and related instruments, Chief Financial Officers are to ensure that corrective actions are taken to address instances of non-compliance with the requirements of this directive. Corrective actions can include additional training, changes to procedures and systems, the suspension or removal of delegated authority, disciplinary action, and other measures as appropriate.
7.3 Individuals are reminded that sections 76 to 81 (Civil Liabilities and Offences) of the Financial Administration Act as well as sections 121 (Frauds against the Government), 122 (Breach of Trust), 322 (Theft) and 380 (Fraud) of the Criminal Code may apply.
8 Roles and responsibilities of government organizations
This section identifies other departments with significant roles with respect to this directive. In and of itself, it does not confer an authority.
8.1 The Treasury Board Secretariat, Office of the Comptroller General, is responsible for development, oversight and maintenance of this directive and for providing interpretative advice.
8.2 The Treasury Board Secretariat, Chief Information Officer Branch, is responsible for the following:
- Developing and communicating policies on security, IT and IM; and
- Developing and communicating policies, directives, standards and guidelines regarding electronic authentication and authorization.
8.3 The Receiver General of Canada is responsible for:
- Processing, monitoring and controlling of the public money on behalf of the Government of Canada;
- Controlling the issue, redemption and validation of payment instruments out of the CRF;
- Managing government-wide systems for payment, deposit, central accounting and reporting; and
- Providing advice and direction on payment and deposit related issues as well as on accounting and reporting issues.
8.4 Public Works and Government Services Canada (PWGSC) is responsible for:
- Administration of government-wide pay and pension systems; and
- Providing IT shared services, including credential management and authentication services that support departmental online delivery of programs and services.
8.5 Library and Archives Canada (LAC) is responsible for administering the Library and Archives of Canada Act, and in particular for:
- Providing direction and assistance on recordkeeping for the Government of Canada;
- Identifying, selecting, acquiring and preserving government records, as defined in the Library and Archives of Canada Act, in all media considered to be of enduring value to Canada as documentary heritage;
- Issuing records disposition authorities, pursuant to section 12 of the Library and Archives of Canada Act, to enable departments to carry out their records retention and disposition plans;
- Managing and protecting the essential records and less frequently referenced material of federal government departments; and
- Assisting federal government departments in ensuring that all of their published information is easily accessible to decision-makers.
9 References
9.1 Other relevant legislation and regulations
9.2 Related policy instruments and publications
- Policy on Internal Control
- Policy on the Stewardship of Financial Management Systems
- Policy on Government Security
- Policy Framework for Information Technology
- Policy on Information Management
- Policy on Management of Information Technology
- Directive on Account Verification
- Directive on Delegation of Financial Authorities for Disbursements
- Directive on Payment Requisitioning and Cheque Control
- Directive on Departmental Security Management
- Directive on Information Management Roles and Responsibilities
- Directive on Recordkeeping
- Operational Security Standard: Management of Information Technology Security (MITS)
- Guideline on Defining Authentication Requirements
- Electronic Records as Documentary Evidence, Canadian General Standards Board (CAN/CGSB-72.34 2005)
- Microfilm and Electronic Images as Documentary Evidence, Canadian General Standards Board (CAN/CGSB-72.11-93)
10 Enquiries
Please direct enquiries about this directive to your departmental headquarters. For interpretation of this directive, departmental headquarters should contact:
Financial Management Policy Division
Financial Management Sector
Office of the Comptroller General
Treasury Board of Canada Secretariat
L'Esplanade Laurier, 8th Floor, West Tower
300 Laurier Avenue West
Ottawa ON K1A 0R5
Email: fin-www@tbs-sct.gc.ca
Telephone: 613-957-7233
Fax: 613-952-9613
Appendix—Definitions
- audit trail (piste de vérification)
- Refers to all the elements and evidence involved in tracking a complete process including authentication or authorization. Elements and evidence include delegation of authority matrices, user profiles and any data and files required to reconstruct the sequence of events and transactions processed.
- electronic authentication (authentification électronique)
- Is the process by which an individual (a person, an organization or device) is verified as a unique and legitimate user.
- electronic authorization (autorisation électronique)
- Is the process by which an authenticated user is granted the capability to render electronic approvals and discharge those authorities in electronic financial transactions.
- financial transaction (opération financière)
- Is any event, request, action or commitment that has a monetary implication such as the acquisition, disposition or use of assets or resources; the increase or reduction in a liability; or the receipt, payment and disbursement of funds.
- integrity of electronic financial transactions (intégrité des transactions financières électroniques)
- Means transactions that are appropriately safeguarded against unauthorized access, authority or disclosure, destruction, removal, modification, repudiation, incompleteness and inaccuracy.
- user authentication information (information d'authentification de l'utilisateur)
- Includes information to support electronic authentication of a user such as passwords, identifiers, biometrics, shared secrets, usage patterns, etc.