2014 Audit of SSHRC’s Insight Grants Funding Opportunity

Approved by the President on September 12, 2014

1. Executive Summary

Background

The Social Sciences and Humanities Research Council of Canada (SSHRC) is a departmental agency of the Government of Canada and reports to Parliament through the Minister of Industry. As the federal research funding agency that promotes and supports postsecondary-based research and training in the humanities and social sciences, SSHRC focuses on developing Talent, generating Insights and forging Connections across campuses and communities, and strategically supports world-leading initiatives that reflect a commitment to ensuring a better future for Canada and the world.

SSHRC’s Insight Program supports and fosters excellence in social sciences and humanities research intended to deepen, widen and increase our collective understanding of individuals and societies, as well as to inform the search for solutions to societal challenges through its two main funding opportunities: 1) Insight Development Grants (IDG); and, 2) Insight Grants (IG). IG build knowledge and understanding about people, societies and the world, and knowledge that also informs the search for solutions to societal changes. IG funding may be valued at up to $500,000 over the duration of the grant (3-5 years), and in its 2012-13 funding cycle, approximately 2,200 applications were received, and the approximate expenditure level was $88 million.

Why it is important

An audit of the SSHRC’s Insight Grants Funding Opportunity was necessary because:

  • Insight Grants are a flagship funding opportunity, representing a total funding envelope of over $80 million.
  • SSHRC’s Program Architecture Renewal led to changes to key IG processes.
  • Since SSHRC’s implementation of Research Portal [Footnote 1], its new grants management system, aims to streamline, redesign and harmonize processes to the extent possible, an assessment of IG processes could assist with preparations.
  • SSHRC’s 2013-16 Risk-Based Audit Plan identified the Insight Program as an area that required examination. The RBAP was approved at the March 12th, 2013 meeting of the Independent Audit Committee.

Audit objective and scope

The objectives of this audit were to provide assurance that the Insight Grants funding opportunity operates effectively and efficiently, and to determine whether key risks within this funding opportunity are adequately and effectively mitigated.

The scope of the audit work covered all key areas of the program including governance, internal controls, and management oversight and reporting. The audit work examined documentation, files and information within a two-year timeframe (FY 2011-12, 2012-13).

The scope of the Insight Grants audit did not include:

  • The Appeals Process since an audit was recently completed (2013-14); 
  • The Financial Monitoring Process since an audit of this area is currently underway;
  • The Insight Development Grants (IDG) funding opportunity since IDG is in the process of transitioning to the Research Portal.

Key audit findings

The audit noted positive findings in Insight Grant (IG) governance and pre-award processes. The audit found that IG governance was well-defined and the committees [Footnote 2] to which program management report received regular and relevant program and operational information. The audit also noted that the overall delivery of IG funding opportunities is robust, well-managed and transparent, and the adjudication process was recently improved so that IG committee formation is now based on the demand and volume of applications in various themes, rather than force-fitting applications into pre-established thematic committees. Within this strong delivery structure, the only areas of improvement identified were a need for a wider understanding of the IG budget allocation process, and administrative improvements to the conflict of interest process.

The audit identified areas within both the Finance and Awards Administration (F&AA) Division and Information and Innovation Solutions (IIS) Division that require attention. First, the audit found that the various guidelines and information related to IG eligibility requirements are available through the agency’s website, for the research community and institutions, and through its intranet and shared drives, for its program delivery and post-award administration staff. It was noted that requirements related to grantees leaving the country require clarification to ensure common understanding by SSHRC, the grant holders, and their institution.

From an Information Technology (IT) control perspective, SSHRC aims to replace its aging Awards Management Information System (AMIS), with the Research Portal (RP) by 2018-19. Although some AMIS control improvements have been made in the past few years, the audit found several weaknesses related to password management, the process for deleting user profiles of departing employees, and change control procedures to protect data integrity. Given the timeline for full RP implementation, compensating controls are required to address these weaknesses in AMIS, and SSHRC should ensure these weaknesses are addressed by the new system. In addition, the audit identified a number of program delivery processes considered to be labor intensive such as volunteer recruitment, committee operations, budget allocation, etc., which could be partially streamlined through automation on the RP platform. 

Conclusion

Recent changes within SSHRC have clearly had a positive impact on the delivery of the Insight Grants funding opportunity. This area has a strong governance structure, has seen improvement in its merit review process and overall, is well managed and efficient. The audit found that some improvements are needed to the supporting systems and post-award processes, including clarifying eligibility guidelines, leveraging technology to ensure process efficiency, and making improvements to grant management system controls. As SSHRC continues to develop and implement the Research Portal, there is a large window of opportunity to examine the current processes, and wherever possible, ensure they are streamlined, redesigned, and automated to yield greater efficiencies, thereby freeing SSHRC’s workforce from manual tasks so they can be redeployed to more rewarding and value-add work.  


2. Background

The Social Sciences and Humanities Research Council of Canada (SSHRC) is the federal research funding agency that promotes and supports postsecondary-based research and training in the humanities and social sciences. By focusing on developing Talent, generating Insights and forging Connections across campuses and communities, SSHRC strategically supports world-leading initiatives that reflect a commitment to ensuring a better future for Canada and the world. SSHRC is a departmental agency of the Government of Canada and reports to Parliament through the Minister of Industry.

In 2012, SSHRC completed its Program Architecture Renewal project [Footnote 3], which transformed SSHRC from an Agency delivering funding to 30 separately branded programs, to three umbrella programs (Talent, Insight, and Connection). SSHRC’s Research Programs Directorate houses the Research Grants and Partnerships Division, through which the Insight Program is administered. The goal of the Insight Program is to build knowledge and understanding about people, societies and the world by supporting research excellence in all relevant subject areas eligible for funding from SSHRC. The Insight Program aims to support and foster excellence in social sciences and humanities research intended to deepen, widen and increase our collective understanding of individuals and societies, as well as to inform the search for solutions to societal challenges.

The Insight Program offers two main funding opportunities: 1) Insight Development Grants (IDG), which support research in its initial stages by enabling the development of new research questions, creating opportunities for experimentation with new methods, theoretical approaches, and ideas; and, 2) Insight Grants (IG) (rebranded from Standard Research Grants under the former Program Architecture), which provide longer-term funding for mature research projects proposed by individuals or teams and may be valued at up to $500,000 over three to five years. Insight Grants build knowledge and understanding about people, societies and the world, and knowledge that also informs the search for solutions to societal changes. In its 2012-13 funding cycle, the Insight Program’s expenditure level was approximately $106 million, consisting of $88 million for IG and $18 million for IDG. During that same year, the Insight Program received approximately 2,200 Insight Grant applications and 1,000 Insight Development Grants applications.


3. Audit Objective and Scope

The objectives of this audit were to provide assurance that the Insight Grants funding opportunity operates effectively and efficiently, and to determine whether key risks within this funding opportunity are adequately and effectively mitigated.

The scope of the audit work covered all key areas of the program including governance, internal controls, and management oversight and reporting.  The audit work examined Insight Grants documentation, files and information within a two-year timeframe (FY 2011-12 and FY 2012-13).

The scope of the Insight Grants audit did not include:

  • The Appeals Process since an audit was recently completed (2013-14); 
  • The Financial Monitoring Process since an audit of this area is currently underway; or,
  • The Insight Development Grants (IDG) funding opportunity since IDG is in the process of transitioning to the Research Portal [Footnote 4].

4. Audit Methodology

The audit began with a planning phase, where preliminary interviews were conducted, and documentation was reviewed in order to understand the processes for the delivery and management of Insight Grants. Following this, a risk assessment was conducted to determine and define the lines of enquiry for the conduct phase. The audit program, including detailed audit criteria and procedures, was then designed based on these lines of enquiry. The audit included a review of a sample of IG award files, testing of controls, and document review.

This audit engagement was conducted in conformance with the Treasury Board’s Policy on Internal Audit, the Internal Auditing Standards for the Government of Canada, and the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing. These standards require that sufficient and appropriate audit procedures be conducted and that evidence be gathered to provide a high level of assurance on the findings contained in this report. The conclusions were based on a comparison of the situations as they existed at the time against the audit criteria.  


5. Key Audit Findings

5.1 Governance

Within the Insight Program (rebranded from Standard Research Grants during the Program Architecture Renewal), there are two funding opportunities: Insight Grants (IG) and Insight Development Grants (IDG). The governance structure that supports the delivery of SSHRC’s programs is made up of internal management committees, SSHRC Council, and sub-committees of Council.

5.1.1 Management Committees and the Program and Quality Committee are provided with IG information and reports on a regular basis.

The two main committees to which the Insight Program reports are the internal Senior Management Committee [Footnote 5] (SMC) and the external sub-committee of SSHRC Council called the Programs and Quality (P&Q) Committee [Footnote 6]. In both cases, the Executive Director Research Grants and Partnerships presents information related to IG, including an annual report on the competition and peer review, as well as other briefings if and when they are required. The audit found that these reports had been provided on time, and as scheduled during the period of review. In addition, the audit also found effective internal reporting processes required for operational approvals and program delivery. For example, IG management prepares an “award recipient” memo that is presented to the Vice-President, and then to the President for approval. Another effective internal reporting process is the sharing of information at various internal management committees, including Management Forum, Business Integration Committee, and Management Accountability Committee.

5.2 Program Delivery & Operations

SSHRC’s competition for Insight Grants is run on an annual basis, and begins when applicants submit a notice of intent to SSHRC in mid-August. The full application is due the following October, and the Adjudication process runs from January through March. Once applications are received by SSHRC, there are three main application processing steps: 1) External Review: SSHRC assigns external readers whose experience is closely aligned with the area of research of the application. These readers provide independent and thorough reviews of each application to SSHRC, which are forwarded to the adjudication committee members. 2) Merit Review: disciplinary, multidisciplinary and thematic committees are formed; committee members are assigned applications to review (including the reports from external reviewers), after which preliminary scores are used to create an initial rank-ordered list of applications. The committee then finalizes the merit-based ranking of the applications and recommends a budget for applications falling in the fundable range during the adjudication meeting. And, 3) Budget Allocation and Award: SSHRC’s business analyst distributes the total IG budget to highest ranking applicants, and the list of successful applicants is then approved by the Vice-President. Applicants are notified of results of the competition, successful applicants receive a notice of award and then the funding cycle begins.

5.2.1 The Insight Grants external review and merit review processes are robust, transparent and are of value to the adjudication process.

The first step in reviewing Insight Grant applications is the External Review which is performed by at least two specialized readers within the applicant’s field of research. Program staff recruits these external reviewers on an annual basis, coordinates the timely review of applications and ensures assessment reports are obtained in time for the Merit Review process. The audit found that this step has been recognized as an industry best practice [Footnote 7], is very robust, and provides a high degree of value, especially when an application proposes research that is obscure, very specialized, or more complicated than average.

The next step of the adjudication process, merit review, was redesigned during the Program Architecture Renewal. Prior to the PAR, merit review committees were established before the competition closed, and applications were submitted to a particular committee. The IG program redesigned its merit review process so that committees are now assembled once applications have been received and categorized. This improved process not only permits SSHRC to put together disciplinary, multidisciplinary or thematic committees with expertise to meet the needs and volume of applicants in the various themes, but also allows SSHRC the flexibility to adjust committee composition and size as a direct result of annual trends.

5.2.2 Reviewer conflict of interest forms are on file, but some lack key personal identification information and effective sign off controls.

In the Canadian research community, and even across international borders, it is common for specialists in given fields of research to have collaborated at some point in their career. For this reason and some other reasons, SSHRC ensures that any conflicts of interest between the applicant and external reviewers or committee members are identified. Conflict of Interest (COI) is a matter taken seriously at SSHRC, and every Merit Review Committee member is required to sign a conflict of interest declaration each time they participate in a competition cycle. In the sample of files reviewed, the audit found that conflict of interest declarations were on file and that several of the volunteers had declared the names of potential conflicts. However, the overall completion of fields was inconsistent and in some cases difficult to associate with an individual because the form only requires volunteers to check a box within the template. As a result, these declarations are not always easily associated with the individual volunteer who completed the form.

Recommendation 1: It is recommended that SSHRC adjust the current volunteer conflict of interest (COI) process to ensure volunteer COI sign-offs can be easily linked to individual volunteers and are consistently documented.

5.2.3 Understanding of the grants budget allocation tool for Insight Grants is limited to one employee within SSHRC.

One of the responsibilities of the Merit Review Committee is to approve the financial component of the application, and set the final award amount to be provided to successful applicants. The total IG funding opportunity budget is then allocated to the successful applications, in order of ranking, until the full budget envelope has been allocated. This process is enabled by a formula-driven Excel spreadsheet, which is then used to generate the list of awards eventually approved by the Vice-President. Once approved, the award information for successful applicants is entered into SSHRC’s Awards Management Information System (AMIS), and then verified against the spreadsheet as a quality control step prior to issuing payments.

The audit found that key steps of the grants budget allocation process to awardees were clearly documented, that roles and responsibilities throughout this process were clear and adhered to, and that approvals and sign-offs were obtained. However, it was noted that only one SSHRC business support officer in the program area is responsible for understanding, managing, protecting and completing the work within this key Excel spreadsheet, and that process procedures or guidelines have not yet been documented. Since there is currently no back-up employee to support this position, there is a risk of delays, corporate memory loss, or errors should this employee become unavailable.

Recommendation 2: It is recommended that SSHRC document the successful applications’ budget allocation process (procedures, guidelines), and ensure a broader understanding of this process by training a backup employee to this function.

5.3 Post-award Administration of Insight Grant Awards

Once IG applicants accept their award notification, the management of the grantee and award then becomes mainly the responsibility of SSHRC’s Finance and Awards Administration (F&AA) Division. Three groups within the F&AA are responsible for various parts of post-award administration: 1) Accounting processes award payments and ensures all Financial Administration Act and TBS policy and directive requirements are met; 2) Financial Monitoring performs financial monitoring reviews at the institutional level to ensure financial controls are in place and are functioning as intended; and 3) Post-Award Administration monitors researcher eligibility, answers questions about appropriate use of grant funds, and ensures financial reporting requirements of both grant holders and institutions are met. These teams use AMIS and Freebalance (the financial accounting system) to process payments and manage the grants for the duration of the award.

5.3.1 Guidance related to grant-holder eligibility requires greater clarity.

SSHRC outlines eligibility requirements for applicants and grant recipients in various documents that are made public through its website. Two documents outline the eligibility requirements for IG: the Insight Program literature and the Tri-Agency Financial Administration Guide (TAFAG). The audit found that, when read concurrently, eligibility requirements of Insight Grant applicants and grantees are generally well defined.

It was also noted that the documentation explaining the process and conditions impacting a grantee’s ability to maintain a grant if they left Canada could be improved by providing greater detail to help ensure the consistent and efficient management of these situations. The TAFAG states that:

If the grantee moves to another country before completing the research or related initiative for which the institution has received SSHRC funding, any individual grant that the grantee holds will be continued on condition that the grantee maintains an affiliation with the eligible Canadian institution, where the research funds will continue to be administered during the remainder of the grant period. If the grantee is unable to make such arrangements, the grant will be terminated.

During the file review, the audit noted one case where the documentation provided to support the continued funding of a grant holder who was leaving the country appeared to have met the requirement statement outlined above. The institution invited the departing grantee to become an Adjunct Professor, and had provided this paperwork to SSHRC when notifying that the grantee was leaving. The institution also confirmed they would continue to administer the grant funds. Although these actions align with the criteria outlined in the TAFAG, SSHRC ruled to cancel the grant on the basis that the primary affiliation was outside of Canada. This area requires further clarification to ensure the institutions are not misled, and to ensure the guidelines are useful and clear.

Recommendation 3: It is recommended that SSHRC clarify the documentation outlining eligibility criteria for grant holders leaving the country, in order to reduce the potential for confusion in this area.

5.4 Grants Management Systems

Internal controls are broadly defined as processes designed to provide reasonable assurance regarding the achievement of objectives related to effectiveness and efficiency of operations, and to compliance with laws and regulations. SSHRC is in the process of replacing its current grants management system, AMIS, with a new platform called Research Portal (RP) which is scheduled for full implementation by 2018-19. The audit assessed existing key controls in AMIS, and also identified areas where IG processes could be automated or streamlined during the transition to Research Portal.

5.4.1 User access control management in AMIS could be more effective. 

AMIS user access controls are assigned based on job profiles and requirements, and the management of this access resides with the Database Administration Group within the Information Innovation Systems (IIS) Division. However, the manager of the new or departing employee initiates the process for adding or deleting user profiles. The audit found that the manual nature of this process results in occasional omissions on the part of the manager in the completion and submission of the required person movement forms, resulting in active accounts for former employees [Footnote 8]. Although it was also noted that SSHRC is automating the process for managing incoming employees, an automated process for departing employees is not yet developed, and this project is currently on hold until further notice. In the meantime, managers of departing employees continue to use the old process, and there is currently no compensating control in place to ensure the profiles of deleted employees are closed.

5.4.2 AMIS password management does not demonstrate IT best practices.

Password systems are the simplest form of authentication, and in order to protect them, the following best practices should be in place:

  • Original generic passwords should not be used permanently and users should be prompted to select a new personalized password on their first log-on / access.
  • Password aging should be strictly enforced, and periodic password refreshing should be required to ensure they do not remain in use for too long.
  • Password strength should be enforced intelligently and users should be encouraged to use combinations of upper and lower-case letters, numbers, and symbols in their passwords (rather than dictionary words).

The audit team tested a sample of AMIS user passwords and found that over 45% of those tested were still using the original generic password assigned to new employees by the IIS Division. The AMIS system does not have an automated process in place to prompt users to change the assigned password, or update an existing password on a periodic basis. These weaknesses, combined with the previously identified user access control gap, could potentially result in unauthorized AMIS access under false identities, and represent a certain level of risk to the integrity of data.
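An added illustration, not part of the audit report or of SSHRC's systems: one possible compensating control for the gaps described in 5.4.1 and 5.4.2. It reconciles an account export against an HR departure list and flags passwords that were never changed or are overdue. The CSV columns, the sample rows and the 90-day maximum password age are assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample exports. Column names are hypothetical, not the AMIS schema.
ACCOUNTS_CSV = """username,status,created,password_last_changed
asmith,active,2012-03-01,2014-08-01
bjones,active,2011-09-12,
cwong,active,2013-01-20,2013-01-20
dlee,disabled,2010-05-05,2012-02-02
epatel,active,2012-11-30,2013-12-01
"""

DEPARTURES_CSV = """username,departure_date
bjones,2014-04-30
dlee,2013-08-15
fnguyen,2014-07-01
"""

MAX_PASSWORD_AGE_DAYS = 90  # assumed policy value; the report does not state one


def load_rows(text):
    """Parse a CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def review_accounts(accounts, departures, today,
                    max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Return {username: [flags]} for active accounts that need follow-up.

    ORPHANED          account still active although its owner has departed
    INITIAL_PASSWORD  password never changed since the account was created
    PASSWORD_EXPIRED  last change is older than the maximum password age
    """
    departed = {r["username"]: date.fromisoformat(r["departure_date"])
                for r in departures}
    findings = {}
    for acct in accounts:
        if acct["status"] != "active":
            continue  # already closed; nothing to remediate
        flags = []
        left_on = departed.get(acct["username"])
        if left_on is not None and left_on <= today:
            flags.append("ORPHANED")
        created = date.fromisoformat(acct["created"])
        raw = acct["password_last_changed"].strip()
        changed = date.fromisoformat(raw) if raw else None
        # Password metadata is used instead of the password itself, so the
        # review never handles credentials.
        if changed is None or changed <= created:
            flags.append("INITIAL_PASSWORD")
        elif today - changed > timedelta(days=max_age_days):
            flags.append("PASSWORD_EXPIRED")
        if flags:
            findings[acct["username"]] = flags
    return findings


def initial_password_rate(accounts, findings):
    """Share of active accounts still on their initial password."""
    active = [a for a in accounts if a["status"] == "active"]
    if not active:
        return 0.0
    hits = sum(1 for a in active
               if "INITIAL_PASSWORD" in findings.get(a["username"], []))
    return hits / len(active)


if __name__ == "__main__":
    accounts = load_rows(ACCOUNTS_CSV)
    result = review_accounts(accounts, load_rows(DEPARTURES_CSV),
                             today=date(2014, 9, 12))
    for user, flags in sorted(result.items()):
        print(f"{user}: {', '.join(flags)}")
    rate = initial_password_rate(accounts, result)
    print(f"Active accounts on initial password: {rate:.0%}")
```

Run on a schedule, a report like this gives the account administrators a list to act on without depending on the manager-initiated forms.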

5.4.3 Improvements to the AMIS audit trail were recently implemented.

Audit trails provide a chronological log of access to a system; a record of additions, changes, or deletions to that system; the personal information of the users who accessed the system, the time of access, and what action was performed. These logs are meant to be inalterable, in order to provide an accurate and reliable system audit trail. In the past few years, improvements were made to the AMIS audit trail capability, which now permits SSHRC to verify the changes made to data elements, including some user profile information and nature of the change. However, audit trail monitoring is only executed upon request if and when an abnormality is suspected. Although this audit trail tool allows SSHRC to investigate suspected issues, the risk remains that unauthorized data changes would not be caught in a timely manner. 

5.4.4 The Agencies’ data change management lacks approval mechanisms for certain levels of information. 

In any system, there are times when manual intervention or modification of data is required, and the change process usually requires a set of rules to govern who can make the change, what changes are allowed, who authorizes the change, and how changes are logged. At SSHRC, any employee working in a program area can initiate the data change management process via email. The MARVAL [Footnote 9] tracking system then sends a confirmation email to the client, and also sends a service request to the Database Administrators within the IIS team. The audit found that this process does not include controls to ensure data change requests are approved, even though some of these requests relate to critical data (such as payment schedules, grant holder personal information, etc.). In the absence of a formal approval process, there is a risk that unauthorized or unnecessary change requests could be processed. Compounded with other system control weaknesses, the change management process represents an additional level of risk to the integrity of data in AMIS.

Recommendation 4:  It is recommended that SSHRC both explore and implement the required compensating controls to address the AMIS internal control weaknesses while the Research Portal is being developed and until it is fully implemented.

5.4.5 There are opportunities to streamline and automate processes as the Insight Program transitions to Research Portal. 

As noted previously, the Insight Program houses two funding opportunities: Insight Grants, and Insight Development Grants (IDG). The IDG process was one of the first to transition to the new Research Portal system, and given the similarities to IG, the progress in this area, lessons learnt, and current platform could be leveraged by IG. As SSHRC plans for the implementation of RP for IG, there is an opportunity to initiate conversations with the development team to ensure the benefits of this powerful tool are leveraged. The audit noted several opportunities to streamline or automate existing processes such as: automating conflict of interest declarations via the volunteer portal, automating the budget allocation process, moving away from manual email recruitment of external reviewers (where over 15,000 email requests are sent and then managed on an annual basis), moving committee scoring away from a manual Excel-based tool, etc. By ensuring the new tool is used to its fullest capacity, SSHRC would reduce the risk of administrative or manual process errors, improve overall process efficiency, and be able to focus its human resources on more rewarding work in value-add areas.

Recommendation 5:  It is recommended that the Insight Program examine its program delivery processes to identify opportunities to streamline and automate key steps, leverage the planning and implementation work of programs already on the system, and initiate conversations with the Research Portal development team to ensure the complexities of the program, and possibilities within the system are well understood.


6. Conclusion

The recent changes and improvements within SSHRC have clearly had a positive impact on the overall delivery of the Insight Grants funding opportunity. This area has a strong governance structure, has seen progress and improvement in its merit review process and overall, is robust, well managed and efficient. The audit found that some improvements are needed to this program’s supporting systems and post-award processes, including clarifying eligibility guidelines, leveraging technology to ensure processes are efficient, and making improvements to key controls in grants management systems, both current and new. As SSHRC continues to develop and implement the Research Portal, the experiences of programs that have already transitioned should be incorporated into future work. Also, there is a large window of opportunity to examine the current processes, and wherever possible, ensure they are streamlined, redesigned, and automated to yield greater efficiencies, thereby freeing human resources from manual tasks so they can be redeployed to more rewarding and value-add work.


7. Audit Team

Corporate Internal Audit Division
Chief Audit Executive:          Phat Do
Audit Principal:                      Benjamin Cyr
Senior Auditor:                      Patricia Morrell


8. Management Response to Audit Recommendations

Item 1
Recommendation: It is recommended that SSHRC adjust the current volunteer conflict of interest (COI) process to ensure volunteer COI sign-offs can be easily linked to individual volunteers and are consistently documented.
Action Plan: Agreed. SSHRC has started implementing a solution for improving the documentation on conflict of interests. The new grant management system will further reduce the risk of error with an online mandatory sign off for committee members.
Target Date: February 2015
Suggested timeline for completion*: Orange: 7 - 12 months

Item 2
Recommendation: It is recommended that SSHRC document the successful applications’ budget allocation process (procedures, guidelines), and ensure a broader understanding of this process by training a backup employee to this function.
Action Plan: Agreed. SSHRC now has a backup employee in place for the Business Support Officer. The processes linked to this function are currently being documented.
Target Date: May 2015
Suggested timeline for completion*: Orange: 7 - 12 months

Item 3
Recommendation: It is recommended that SSHRC clarify the documentation outlining eligibility criteria for grant holders leaving the country, in order to reduce the potential for confusion in this area.
Action Plan: Agreed. Review of this policy had begun when the item came to SSHRC management attention during the audit. Principles for new clearer guidelines have been agreed upon recently, and will be communicated to the research community next Fall.
Target Date: September 2014
Suggested timeline for completion*: Red: 0 - 6 months

Item 4
Recommendation: It is recommended that SSHRC both explore and implement the required compensating controls to address the AMIS internal control weaknesses while the Research Portal is being developed and until it is fully implemented.
Action Plan: Agreed. IIS will:

  • review and augment existing account management practices to enable regular reviews and closure of accounts;
  • develop and implement automated password change controls in AMIS and enforce strong password selection; and
  • develop an SOP requiring explicit managerial approval to effect AMIS data changes.

Target Date: March 2015; September 2014; March 2014
Suggested timeline for completion*: Red: 0 - 6 months

Item 5
Recommendation: It is recommended that the Insight Program examine its program delivery processes to identify opportunities to streamline and automate key steps, leverage the planning and implementation work of programs already on the system, and initiate conversations with the Research Portal development team to ensure the complexities of the program, and possibilities within the system are well understood.
Action Plan: Agreed. Working groups have been created to identify opportunities for improvements offered by the new grant management system, and many recent improvements to the IDG process will be applicable to IG.
Target Date: August 2015
Suggested timeline for completion*: Orange: 7 - 12 months

It is customary that internal audit recommendations are addressed within a two-year window and to assist management with this task, the audit team assigns colors to the recommendations to illustrate the urgency with which each recommendation should be addressed. The timelines associated with color-coding are outlined below. 

Colour: Timeline for completion
Red: 0-6 months
Orange: 7-12 months
Yellow: 13-18 months

9. Appendix I - Audit Criteria

Criteria used for the audit were established by the Office of the Comptroller General (OCG) for core management controls (CMC) in the Government of Canada (see Footnote 10).

Line of Enquiry: SSHRC’s governance structure provides advice and direction to the program, and receives reporting and information in order to meet its mandate.
Core Management Controls:

  • G-1: Effective oversight bodies are established.
  • G-6: The oversight bodies request and receive sufficient, complete, timely and accurate information.

Report Ref.: 5.1

Line of Enquiry: Key controls are in place for the delivery of the Insight Grants funding opportunities, including: application, review, adjudication, and budget allocation.
Core Management Controls:

  • PP-2: The organization has a formal and rigorous approach to policy and program design.
  • PP-4: Guidelines and procedures that are aligned with government-wide policies and expectations have been defined and implemented.
  • ST-10.b: Controls are in place to ensure accuracy of transaction coding and processing (e.g. batch totals, reconciliations, supervisory review, management approval, etc.).

Report Ref.: 5.2

Line of Enquiry: Key controls are in place for the management of awards for the duration of the grant, including payments, eligibility, account balances, etc.
Core Management Controls:

  • PP-4: Guidelines and procedures that are aligned with government-wide policies and expectations have been defined and implemented.
  • ST-5: Financial management policies and authorities are appropriately designed to mitigate financial risks and are communicated.
  • ST-7: Compliance with financial management laws, policies and authorities is monitored regularly.
  • ST-10.b: Controls are in place to ensure accuracy of transaction coding and processing (e.g. batch totals, reconciliations, supervisory review, management approval, etc.).

Report Ref.: 5.3

Line of Enquiry: Key internal controls within SSHRC’s systems (AMIS, Freebalance, and Research Portal) are in place and functioning as intended in areas such as: passwords, data integrity, audit trails, and user profile management.
Core Management Controls:

  • CFS-4: The organization leverages information technology to enhance user service and access.
  • CFS-4.c: Records, data and information are appropriately secured in compliance with privacy legislation.
  • ST-19: Processes and procedures exist to support the continuity of information and systems.
  • ST-23: Management has designed and implemented effective general computer controls for critical systems.
  • LICM-2: The organization has processes and practices to ensure change initiatives are properly implemented.

Report Ref.: 5.4

 

Footnotes

Footnote 1

SSHRC plans to fully implement Research Portal by 2018-19.

Footnote 2

Such as: Programs & Quality Committee, Senior Management Committee, Management Accountability Committee, Business Integration Committee, Management Forum, etc.


Footnote 3

The Program Architecture Renewal project was awarded the top federal agency recognition and overall bronze medal at the IPAC/Deloitte Public Sector Leadership Awards event, recognizing innovative and high-performing public sector organizations:  


Footnote 4

Research Portal is the new grants management system being developed and implemented for the end-to-end management of the application and grants management process.


Footnote 5

The mandate of SMC is to ensure the achievement of SSHRC’s performance objectives and outcomes, maintain compliance with policy and regulatory requirements, and maximize the impact of SSHRC’s investments in research and training.


Footnote 6

The mandate of the P&Q Committee is to ensure the overall design, coherence, and performance of SSHRC’s suite of programs and program-related policies, in the context of strategic direction, priorities, and pursuit of excellence.


Footnote 7

Promoting Excellence in Research: An International Blue Ribbon Panel Assessment of Peer Review Practices at SSHRC, Part 2 (December, 2008).


Footnote 8

The audit sampled existing user profiles in AMIS and noted that, of the sample, 16% of the users were no longer employed by SSHRC.

Footnote 9

The IIS division tracks all submitted requests using MARVAL’s Open Pursuit tracking system.


Footnote 10

Audit Criteria related to Management Accountability Framework – a Guide for Internal Auditors
