2014 Audit of Financial Monitoring

Approved by the President on September 12, 2014

1. Executive Summary

Background

The Natural Sciences and Engineering Research Council (NSERC) and the Social Sciences and Humanities Research Council (SSHRC) support scholarly endeavors in Canada’s post-secondary institutions, and report to Parliament through the Minister of Industry. The Agencies share a Common Administrative Services (CAS) Directorate in which the Financial Monitoring Team (FMT) is housed. The FMT, which is comprised of six employees, reports through the Director General of F&AA (DG Finance) to the Vice President, CAS Directorate (VP, CASD).

When grants and scholarships (collectively referred to as “awards”) are awarded, institutions (universities, colleges, etc.) are responsible for the administration and control of these funds that are earmarked for specific researchers and students. NSERC, SSHRC and the Canadian Institutes of Health Research (CIHR) jointly conduct financial monitoring reviews of the institutions as this function is an important component of the Agencies’ control framework. All three agencies employ the same financial monitoring review methodology and plan.

In 2010, NSERC, SSHRC and CIHR launched the financial monitoring modernization project to further enhance the methodology, expand the coverage of institutions, align the process with current industry practices based on risk and controls, and to implement new technology to increase efficiency. Due to the variety of eligible institutions that require monitoring, this project was divided into three phases: the first phase focused on the traditional universities and hospitals; Phase two of the project addresses Colleges; and Phase three will cover all other institutions, such as not-for-profit organizations or funding opportunities such as the Indirect Costs Program, or the Canada First Research Excellence Fund. While Phase 1 involved all three Agencies, Phases 2 and 3 primarily deal with institutions related to SSHRC and/or NSERC.

Audit Rationale

As part of the risk-based internal audit planning process, the Corporate Internal Audit (CIA) Division identified the Financial Monitoring (FM) function as an area meriting examination. The decision to include this review in the 2014-17 Risk-Based Audit Plan (RBAP) is based on the following:

  • The FMT developed and recently implemented a new review methodology which aimed to improve financial monitoring exercises and to provide better coverage of institutions;
  • The Treasury Board policies and guidelines outline control framework requirements to ensure due diligence, and proper stewardship of public funds;
  • The last audit of Financial Monitoring was conducted in 2004;
  • An audit of Financial Monitoring was originally identified in the 2013-16 Internal Audit Risk-based Audit Plan that was approved by the Presidents of NSERC and SSHRC in March 2013;
  • The audits of the Discovery Grants Program (2011-12) and the Networks of Centres of Excellence (2013-14) identified areas for improvement related to the financial monitoring function.

Audit Objective and Scope

Objective

The objective of the audit is to provide assurance to both Agencies on the effectiveness and adequacy of controls, governance and risk management of the new and modernized financial monitoring framework.

Scope

The audit assessed whether the Agencies have an appropriate and effective financial monitoring review framework in place. This included:

  • Governance of the financial monitoring activities and the modernization project;
  • Risk-based approach that is part of the new framework;
  • Policies and procedures in place;
  • Internal controls embedded in the financial monitoring activities; and
  • Reporting and communication of monitoring findings.

The Agencies have planned to implement the new Financial Monitoring Framework in three sequential phases: phase one was implemented in May 2013; phase two in April 2014; and, the final phase is scheduled to be implemented by April 2015. The scope of this audit covered the two completed phases and included an analysis of the planned final phase. Even though this is a Tri-Agency framework, the CIA Division reviewed the financial monitoring activities administered and controlled by the NSERC and SSHRC FMT, and excluded CIHR.

Key audit findings

The audit concluded that the Modernization of Financial Monitoring project was well managed and included a robust governance structure and a thorough and well-executed work plan. This resulted in a solid, well-balanced financial monitoring framework. The audit findings included:

  • There was clear oversight over Phases 1 and 2 of this modernization project, from inception to completion of the phases.
  • There was exhaustive communication and consultation with institutions during the development of the methodology, including pilot exercises to test the new framework and to gather feedback from institutions.
  • The new framework is risk-based and uses a control-based approach. There are extensive electronic templates and guidelines in place to support the conduct of reviews, which are easily accessible by staff.
  • The new framework provides 100% coverage of eligible institutions over a six-year review period.
  • The FMR reports to institutions are now criteria-based with less narrative, and include a report card that summarizes performance against all the criteria assessed.

The audit also noted a few areas where improvements were needed to further enhance the framework. These included:

  • The clarification and documentation of Tri-Agency roles and responsibilities in relation to delivering the six-year FM plan, and to ensure NSERC & SSHRC FMT resources can be dedicated to the planning and delivery of Phase 3 of the project.
  • Enhancements to existing technology used to communicate and exchange information with institutions to increase the efficiency of all reviews.
  • Improvements to the reporting phase of FMRs by having weighted mandatory criteria and by better articulating the monitoring review results (i.e., failed criteria could have an impact on the eligibility of the institution).

Conclusion

Considering the relatively small size of the NSERC and SSHRC Financial Monitoring Team, the progress in the development, implementation and delivery of the first two phases of the modernized FMR framework is impressive. The new framework and its FMR processes are undoubtedly more efficient in many ways and have resulted in 100% coverage of institutions, which is a significant increase compared to the previous framework. It was noted that some efficiencies could still be gained through clarified Tri-Agency roles, responsibilities, and accountability, and that further enhancements to the communication tools could be made to support the already robust monitoring and reporting processes.


2. Background

The Natural Sciences and Engineering Research Council (NSERC) and the Social Sciences and Humanities Research Council (SSHRC) support scholarly endeavors in Canada’s post-secondary institutions, and report to Parliament through the Minister of Industry. NSERC supports post-secondary students in their advanced studies, promotes and supports discovery research, and fosters innovation by encouraging Canadian companies to participate and invest in post-secondary research projects in the sciences and engineering. Similarly, SSHRC promotes and supports research and training in the humanities and social sciences. The Agencies share a Common Administrative Services (CAS) Directorate in which the Financial Monitoring Team (FMT) is housed. The FMT is comprised of six employees and reports through the Director General of F&AA (DG Finance) to the Vice President, CAS Directorate (VP, CAS Directorate).

The financial monitoring function is an important component of the Agencies’ control framework. When grants and scholarships (collectively referred to as “awards”) are awarded, eligible institutions (universities, colleges, etc.) are responsible for the administration and control of these funds that are earmarked for specific researchers and students. For an institution to be eligible to administer funds on behalf of NSERC, SSHRC or CIHR, they must develop and implement effective policies, administrative systems, procedures and other controls to ensure funds are used as effectively as possible; are accounted for to the Canadian people for their use, allocation and outcomes; and, that the activities supported are conducted in accordance with the highest ethical and financial standards. The role of the Financial Monitoring team is to conduct reviews of the financial control frameworks within eligible institutions administering funds on behalf of the Agencies.

In 2010, NSERC, SSHRC and CIHR launched the Modernization of Financial Monitoring Reviews project to further enhance their methodology, expand the coverage of institutions, align the process with current industry practices based on risk and controls, and to implement new technology to increase efficiency. Since the Agencies provide funding to a variety of institutions with different financial control framework designs, this project was divided into three phases: Phase 1 was developed to address the monitoring requirements of financial control frameworks common to traditional universities and hospitals; Phase 2 of the project was designed to monitor financial control frameworks common to Colleges; and Phase 3 is being developed with the goal of covering all other institutions that receive agency funding, such as not-for-profit organizations or funding opportunities such as the Indirect Costs Program, or the Canada First Research Excellence Fund. While Phase 1 involved all three Agencies, Phase 2 and 3 primarily deal with funding provided to institutions through SSHRC and/or NSERC.


3. Audit Rationale

As part of the risk-based internal audit planning process, the Corporate Internal Audit (CIA) Division identified the Financial Monitoring function as an area meriting examination. The decision to include this audit in the 2014-17 Risk-Based Audit Plan (RBAP) is based on the following:

  • The FMT developed and recently implemented two phases of its new review methodology which aimed to improve financial monitoring exercises and to provide better coverage of institutions;
  • The Treasury Board policies and guidelines outline control framework requirements to ensure due diligence, and proper stewardship of public funds;
  • The last audit of Financial Monitoring was conducted in 2004;
  • The audit of Financial Monitoring was originally identified in the 2013-16 RBAP that was approved by the Presidents of NSERC and SSHRC in March 2013;
  • The completed audits of the Discovery Grants Program (2012) and the Networks of Centres of Excellence (2014) identified areas for improvement related to the financial monitoring function.

4. Audit Objective and Scope

Objective

The objective of the audit is to provide assurance to both Agencies on the effectiveness and adequacy of controls, governance and risk management of the new and modernized financial monitoring framework.

Scope

The audit assessed whether the Agencies have an appropriate and effective financial monitoring framework in place, including the:

  • Governance of the financial monitoring activities and the modernization project;
  • Risk-based approach that is part of the new framework;
  • Policies and procedures in place;
  • Internal controls embedded in the financial monitoring activities; and
  • Reporting and communication of monitoring findings.

The Agencies have planned to implement the new Financial Monitoring Framework in three sequential phases. Phase one was implemented in May 2013, phase two in April 2014, and the final phase is scheduled for implementation by April 2015. The scope of this audit covered the two completed phases and included an analysis of the final phase. Even though this is a Tri-Agency framework, the CIA Division reviewed the financial monitoring activities administered and controlled by the NSERC and SSHRC FMT, and any related activities by or within CIHR were excluded.


5. Audit Methodology

The audit was carried out in accordance with the International Professional Practices Framework (IPPF) issued by the Institute of Internal Auditors (IIA), the Treasury Board (TB) Policy on Internal Audit and Internal Auditing Standards of the Government of Canada.

During the planning phase of the audit, preliminary interviews were conducted and documentation was reviewed in order to understand the current state of financial monitoring activities, of the financial monitoring modernization project, and of the implementation of the new financial monitoring approach. The audit program, including detailed audit criteria and procedures, was designed based on the information gathered during planning, and focuses on the audit objective defined above. During the conduct phase of the audit, the audit team reviewed relevant documentation, compared the previous and new financial monitoring approaches and frameworks, analyzed internal controls, reviewed a sample of financial monitoring files and reports, and conducted interviews with management and staff.

In the professional judgment of the Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to provide a high level of assurance on the findings contained in this report. The conclusions were based on a comparison of the situations as they existed at the time against the audit criteria. This internal audit was conducted in accordance with the TB Policy on Internal Audit and the standards outlined in the IIA’s International Professional Practices Framework.


6. Key Audit Findings

6.1 Governance of the Financial Monitoring Modernization Project

The Agencies receive their funding through parliamentary appropriations and these public funds must be managed in a manner that is transparent, efficient, and effective; must be used for the purpose for which funds were originally awarded; and are subject to scrutiny in how they are spent. Since, in the case of NSERC and SSHRC, awards are provided to researchers via institutions in the form of grants, certain TB policies, including the Financial Administration Act and the Policy on Transfer Payments, must be adhered to. The Policy on Transfer Payments states that,

Deputy heads are responsible for ensuring that the administrative requirements on recipients are proportionate to the risk level. In particular, that monitoring, reporting and auditing reflect the risks specific to the program, the value of funding in relation to administrative costs, and the risk profile of the recipient.

In addition, the Guideline on Recipient Audits under the Policy and Directive on Transfer Payments states that NSERC and SSHRC:

Have the responsibility for determining when recipient audits (compliance reviews) are necessary and developing and executing a risk-based plan.

As previously mentioned, in May 2010 the Agencies’ Financial Monitoring Team (FMT) and CIHR’s Internal Control Team were mandated by their respective Chief Financial Officers (CFOs) to modernize the existing financial monitoring framework in an effort to ensure adequate coverage of risks associated with third party administration of grants and awards, to reduce the travel cost of monitoring reviews, and to increase the value of post-award reviews for the Agencies and the institutions. Later that month, the Monitoring Review Modernization Committee (MRMC) was established to provide oversight during the development of this modernization project, and a working group made up of NSERC/SSHRC’s Team Leader from the FMT and CIHR’s Manager of Internal Controls was also created.

6.1.1 The Phase 3 FMR framework, plan and oversight structure are in development

When the Modernization of Financial Monitoring project was launched in May 2010, the Agencies clearly documented the rationale for developing a new FMR framework, analyzed the existing framework to identify weaknesses and strengths, and then used this information to develop a White Paper document that clearly outlined all parts of Phase 1 of the project. This became the key document approved by management to move the project forward. The MRMC was supported by clear and detailed Terms of Reference and Mandate documents, and representatives from the three Agencies reported information and decisions back to their respective organizations. In addition, key documents such as a detailed project charter and project plan were also created and approved early on in the Phase 1 development, which included essential elements, such as: scope; risk identification, mitigation, ownership; roles and responsibilities; resource requirements; information technology, information management requirements; etc. Similarly, the project plan included links to policy and legislative requirements as well as key milestones for Phase 1 of the project implementation (Universities). The Agencies sought an independent third party (KPMG) review of the framework which validated that the framework was complete, risk-based, aligned with industry best practices, and covered all mandatory policy requirements.

Following the completion of Phase 1 roll-out, the FMT relied upon the existing framework to deliver Phase 2 (colleges’ financial monitoring framework) with an objective of adapting the universities’ monitoring methodology to make it applicable to colleges. Oversight of Phase 2 was provided by the NSERC-SSHRC Chief Financial Officer (CFO) since the stakeholders of this phase are institutions that are receiving funding mainly from NSERC. This was an effective approach to the roll-out of Phase 2, but the FMT anticipates that the development of the FMR framework for Phase 3 will be dissimilar enough that it could require a more customized approach and a more formal oversight body. The audit noted that there was not a clearly documented governance structure for Phase 3, nor was there a clearly documented plan or charter in place to address the specifics of the remaining institutions. This could lead to project delays, thereby not meeting the overall objectives of the Modernization of Financial Monitoring project.

Recommendation 1:  It is recommended that the Agencies formalize the framework requirements, project plan, charter and governance structure of Phase 3 of the Financial Monitoring Modernization project.

6.1.2 Tri-Agency roles and responsibilities are not clearly defined

NSERC, SSHRC and CIHR worked together to develop and deliver phase 1 of the new framework, and as a result, the workload to deliver on the six-year financial monitoring review plan is shared between the three Agencies. The audit noted that there is no Memorandum of Understanding (MOU) in place between NSERC, SSHRC and CIHR to describe the responsibilities of each party in delivering various parts of the FMR plan. In the absence of this document, there is a risk that the Tri-Agencies may not have a common understanding of each other’s roles and responsibilities which could result in lapses or delays in delivering the FMR plan. In addition to the roles and responsibilities, the audit noted that key risk information to assess the institutions’ risk level is being collected using CIHR’s ResearchNet system. Without a clear MOU and clearly defined service level agreement between the Agencies, any adverse impacts to ResearchNet could have an impact on NSERC and SSHRC’s ability to collect the essential risk information that is used to build the FMR plan.

Recommendation 2:  It is recommended that NSERC, SSHRC and CIHR develop a Memorandum of Understanding that defines financial monitoring roles and responsibilities, to ensure activities and deliverables required to deliver the annual plan are clearly articulated.

6.2 The Modernized Financial Monitoring Review Framework

The overarching goals of the Modernization of Financial Monitoring project were to harmonize the methodology between the three Agencies, adopt a risk-based methodology for prioritizing and scoping reviews, increase coverage to include all institutions, align with industry best-practices based on risk and controls, and adopt new or exploit existing technology to increase efficiencies and decrease travel costs.

6.2.1 The Agencies conducted exhaustive communication and consultation with the research community during the development of the new Financial Monitoring Review (FMR) Framework

Financial Monitoring Reviews (FMR) can have a direct impact on an institution’s control framework for the administration of grant and scholarship funds awarded by NSERC, SSHRC and CIHR. For example, FMRs identify potential areas of control weaknesses within the institution’s financial control framework, and the FMT works collaboratively to monitor the steps taken by institutions to address these weaknesses. Given the nature of this relationship, the Agencies incorporated exhaustive communication into the FMR Framework development process, in ways such as: 

  • Clearly documenting the external communication plan;
  • Sharing the new methodology with the community via presentations to a number of community events, such as AUCC, CAURA, CAUBO, and ADARUQ;
  • Informing the community and sending memos to heads of institutions when the framework was finalized;
  • Obtaining feedback after pilot phases of implementation; and,
  • Sharing tools and guidelines, and processes with institutions in electronic format well in advance of the FMR so institutions have time to ask questions. 

The audit found that these steps ensured community feedback was considered, and that the community was actively engaged prior to the transition to the new framework.

6.2.2 The new framework is risk-based and uses a control-based approach

The former FMR framework relied upon the level of funding received by an institution as the primary criterion to decide whether or not a FMR was required. Although materiality is an important element when assessing the level of risk of an entity, other criteria should also be considered to obtain a well-rounded assessment of risk. One of the main goals of the Modernization of Financial Monitoring project was to ensure that the processes for assigning a risk-rating to an institution, as well as scheduling a FMR at each institution were risk-based.

The audit noted that the new framework uses a Risk Assessment Questionnaire (RAQ) to collect institutional risk information. Then, based on the responses provided, the Agencies rate and categorize institutions into one of three risk groups: High, Medium or Low. The risk ratings from the RAQ form the basis for the review planning (timing of visits) and the depth of the review (which control elements will be assessed). This process provides an extremely rigorous analysis of institutional control frameworks and covers key areas of control for universities and colleges. In order to assess controls, the FMT obtains a random sample of transactions, which is then supplemented with a judgmental sample to ensure outlier transactions with specific control requirements, or special accounts, are also included in the review process.

6.2.3 Tools and technology are available to support the FMR Framework, but additional technology has not yet been implemented to support efficient virtual FMRs.

The FMT has developed a complete and thorough set of tools, templates, guidelines, testing and sampling methodologies to support the new FMR framework. These tools are stored electronically on the Agencies’ records management system and were developed prior to launching the framework, and then adapted during the project’s pilot phase. The FMT can access and refer to these tools, which provide detailed information about all the required steps needed to complete a financial monitoring review. For example, the FMR manual provides a step-by-step description of the work and is integrated in TeamMate, which is the main tool used by FMT to gather and analyze FMR data and information.

The audit noted that even though the FMT IM/IT business requirements are defined, they have not all been implemented, and that there is no agreement in place between the FMT and the IIS Directorate to enable the delivery of FMT’s business requirements. As a result, the leveraging of the Agencies’ existing IM/IT tools has only occurred partially within the FMT, and the audit noted areas where the current virtual / offsite FMR process creates work for institution employees, is inefficient, and demonstrates poor information management and information security practices. For example, the current FMR process requires institutions to provide evidentiary documents to the FMT and these documents are currently being sent via email. Due to the size of these documents, they often have to be broken up and sent via multiple emails, thus creating a potential risk of loss of information. Using the existing SharePoint platform commonly used in the program areas for the sharing of information could be one possible solution to both lower this risk, and increase efficiency. Additionally, to deliver on the project objective to reduce travel costs, the FMT has substituted several face-to-face client interaction points with video-conferencing. During the pilot of Phase 1, the Agencies’ existing technology for videoconferencing proved to be less than adequate and as a result, teleconferences are more commonly used as the only other option currently available. Teleconferencing is certainly not providing the best interface experience for the FMT or for the institution being reviewed.

Recommendation 3: It is recommended that the Agencies increase the efficiency and quality of Financial Monitoring Reviews by leveraging the existing technologies, and considering new technologies for the FMT to ensure efficient and effective communication with institutions.

6.2.4 Coverage of Financial Monitoring Reviews has increased compared to the previous framework

The previous framework reviewed approximately 10-12 institutions per year, included only universities (and hospitals for CIHR), and the main risk criterion used to select the institutions was the amount of funding they received from NSERC, SSHRC and CIHR. The audit found that the new FMR framework ensures that all eligible institutions with which NSERC, SSHRC, or CIHR have an MOU (over 200 institutions) will be reviewed within a six-year period. That represents a workload of approximately 30 financial monitoring reviews per year for the NSERC and SSHRC FMT, and an additional 10 FMRs for CIHR’s monitoring team. It is a credit to the new framework, tools, and processes that the NSERC and SSHRC FMT, whose staffing levels have not changed since the new framework was launched, is now able to provide full FMR coverage at universities and colleges. In addition, this team is currently planning and developing Phase 3 of the FMR framework, and will soon be delivering that review schedule as well.  

6.2.5 The new FMR reporting to institutions is criteria-based and less narrative than before but some enhancements could improve reporting process efficiency

Once the FMT completes the examination phase of a FMR, they communicate findings to the institution directly. The reporting phase in the previous methodology involved long narrative reports of several pages that highlighted areas where attention was needed. The audit found that the new reporting structure is more detailed, structured and balanced. The draft detailed assessment report shared with the institutions provides a detailed assessment and overall rating (pass / fail) of the criteria assessed. To further improve the new process, the audit noted some areas for improvement in the reporting phase: (1) in the report to the institutions, it is unclear what constitutes a pass or fail rating; and (2) no weight is attributed to the review criteria to allow the institutions to determine which criteria are more critical than others. Providing this information to institutions would not only help clarify the results, but could help institutions interpret and understand the overall assessment of their financial control framework.

Recommendation 4: It is recommended that the new criteria-based dashboard report should identify the core controls that are essential to the financial control framework of all institutions in order to assign weight to mandatory criteria versus categorizing all criteria as having equal importance.

7. Conclusion

Considering the relatively small size of the NSERC and SSHRC Financial Monitoring Team, the progress in the development, implementation and delivery of the first two phases of the modernized FMR framework is impressive. While the project was being developed, there was clear project oversight from inception to complete implementation of Phase 1 and 2. Exhaustive communication with the research community and institutions was also conducted during the modernization project and the new resulting framework is clearly risk-based and uses a thorough and exhaustive control-based approach. The new process is undoubtedly more efficient in many ways and has resulted in a significantly increased review coverage compared to the previous framework, with a similar-sized team. It was noted that some efficiencies could still be gained through improved clarity of Tri-Agency roles, responsibilities, and accountability while moving forward, better communication tools when dealing with institutions, and minor enhancements to some areas of the reporting process.


8. Audit Team

Corporate Internal Audit Division
Chief Audit Executive: Phat Do
Audit Principal: Benjamin Cyr
Senior Auditor: Patricia Morrell


9. Management Response to Audit Recommendations

Item 1
Recommendation: It is recommended that the Agencies formalize the framework requirements, project plan, charter and governance structure of Phase 3 of the Financial Monitoring Modernization project.
Action Plan: Agreed. The project charter is currently being drafted and will be approved by the fall. The charter will address the objectives, deliverables, governance structure and timelines.
Target Date: March 2015
Suggested timeline for completion*: Red: 0 - 6 months

Item 2
Recommendation: It is recommended that NSERC, SSHRC and CIHR develop a Memorandum of Understanding that defines financial monitoring roles and responsibilities, to ensure activities and deliverables required to deliver the annual plan are clearly articulated.
Action Plan: Agreed. The three agencies have already formally committed to delivering the initial 3-year monitoring plan and obtained endorsement from the steering committee. But due to different corporate priorities and resource allocations, we agree that this ongoing commitment and other elements need to be formalized, notably roles and responsibilities, information sharing, internal reporting, ongoing communications and resource allocations. An initial tri-agency meeting will be organized in early Fall of 2014 with the aim of having a memorandum in place by the end of December 2014.
Target Date: March 2015
Suggested timeline for completion*: Orange: 7 - 12 months

Item 3
Recommendation: It is recommended that the Agencies increase the efficiency and quality of virtual Financial Monitoring Reviews by leveraging the existing technologies, and considering new technologies for the FMT to ensure efficient and effective communication with institutions.
Action Plan: Agreed. Discussions were held with IIS and a formal request was tabled in July 2014 to develop a secure “dropbox” with the purpose of facilitating document exchanges with institutions. The “drop-box” will be developed leveraging existing technology available to the agencies (i.e. SharePoint). The solution should be working and in use by the end of fiscal year 2014/15.

Discussion will be held with IIS to find a solution to improve the current technology used for videoconferencing.
Target Date: March 2015; June 2015
Suggested timeline for completion*: Orange: 7 - 12 months

Item 4
Recommendation: It is recommended that the new criteria-based dashboard report should identify the core controls that are essential to the financial control framework of all institutions in order to assign weight to mandatory criteria versus categorizing all criteria as having equal importance.
Action Plan: Agreed. F&AA will formally identify and communicate evaluation criteria that would create a serious cause for concern. This will be considered with our CIHR counterparts in early fall 2014 with the goal of having revised risk allocations by early 2015.

Note: The assessment report sent to Institutions currently includes a priority of findings (high, medium or low) for each failed evaluation criterion. We request that institutions address the findings immediately in the case of a high priority finding and we evaluate the proposed solution through the institution’s remediation action plan. This gives us the opportunity to ensure that the deficiency was well understood and that it will be properly addressed in a timely manner. Since the reviews are controls-based, management decided that it was not necessary to give institutions an overall “rating”. Rather, the focus is placed on the individual deficiencies that need to be addressed. In cases where there is cause for concern, ongoing communications will be established with the institution’s senior management to ensure that the matters are taken seriously. More frequent reporting may be expected. In cases of non-resolution, the Agencies’ Process for Potential Institutional Breaches would be followed and reported to the DCFO and CFO.
Target Date: June 2015
Suggested timeline for completion*: Orange: 7 - 12 months

It is good practice that all recommendations be cleared within a two-year window of the approval of an audit report. To that end, the CIA Division uses a color-coded system to assist management with the prioritization of remedial actions.

The color-coding, outlined below, takes into consideration the urgency with which recommendations should be addressed, the complexity of the recommendation and/or the underlying issues or causes for concern, and the level of risk to which the Agency is exposed as a result of the issue identified.

Colour: Timeline for completion
Red: 0-6 months
Orange: 7-12 months
Yellow: 13-18 months

10. Appendix I - Audit Criteria

Audit Criteria Footnote 8

The FMR Framework project adhered to sound project management practices.

Initiation of the FMR Framework project included a clear rationale (including efficiency assessment), establishment of a governance/oversight structure, and compliance (policy and legislative) requirements.
Criteria Code: PEMBOK Footnote 9; CMC G-2, CFS-2, AC-1

Planning of the FMR Framework project included clearly documenting the scope, budget, resource requirements, risks, mitigation strategies, performance indicators, and an implementation plan.
Criteria Code: PEMBOK; CMC G-7, RP-2, PPL-1; PPL-4; RM-1, ST-1

Executing the FMR Framework implementation included key elements such as project management controls, communication strategy, tools-guidelines-procedures, and a pilot phase prior to full implementation.
Criteria Code: PEMBOK; CMC, PP-4, PPL-7, CFS-1, CFS-4, ST-23

The implementation of the FMR Framework was monitored (considering risk, budget, timelines, etc.) and controlled (management oversight & reporting).
Criteria Code: PEMBOK; CMC, RP-2, RP-3, RM-4, ST-4a,

The close-out of each phase of the FMR Framework implementation was closed out according to best practices (post-mortem, review of resources, ongoing monitoring schedule established, etc.).
Criteria Code: PEMBOK; CMC, ST-7, PPL-1, RP-3

The new FMR Framework is well-established, and adds value to the Agencies and to Institutions.

The FMR Framework is clear, documented and was well-communicated to the community (both internally and externally).
Criteria Code: CMC G-2, G-5.b, G-6, AC-4, PPL-4, CFS-4

The FMR Framework is compliant with relevant Government of Canada policies and legislative requirements.
Criteria Code: CMC G-5.b, PP-4.a, PP-4.c, ST-7

The Agencies have a documented (risk-based) Financial Monitoring Review operational plan.
Criteria Code: CMC G-4, PPL-1, CFS-3, RM-7, RP-2

The FMR Framework meets the needs of the Agencies and institutions.
Criteria Code: CMC G-5, CFS-1, PP-4.c

Footnotes

Footnote 1

NSERC and SSHRC shall be referred to throughout the reports as “the Agencies.”


Footnote 2

Eligible institutions are those that meet NSERC and/or SSHRC and/or CIHR eligibility requirements, as outlined in the Agreement on the Administration of Agency Grants and Awards by Research Institutions. Additional eligibility requirements for each Agency are further outlined on their websites.


Footnote 3

The CFREF will provide $1.5 billion in funding over the next decade.


Footnote 4

Key areas of control include: general institutional, financial management, process specific, and compliance.


Footnote 5

For example, the FMT ensures the transaction samples for universities include Networks of Centres of Excellence and Canada Research Chairs program transactions, as well as transactions from the General Research Fund account. This sampling methodology was developed by KPMG.


Footnote 6

TeamMate is an audit management system that enables the users to move toward a paperless environment and bring efficiencies to all faces of the audit/review process. It helps ensure standards and practices are consistently applied.


Footnote 7

Microsoft SharePoint is a web application framework and platform developed by Microsoft. SharePoint can provide intranet portals, document & file management, collaboration, social networks, extranets, websites, enterprise search, and business intelligence.


Footnote 8

The audit criteria were based on the Office of the Comptroller General’s Audit Criteria related to the Management Accountability Framework: a Tool for Internal Auditors, March 2011.


Footnote 9

PEMBOK’s 5 Process Groups of Project Management
