Table of Contents

1. Executive Summary
   1. 1.1 Background
   2. 1.2 Audit Objective
   3. 1.3 Scope
   4. 1.4 Methodology
   5. 1.5 Key Findings and Recommendations
   6. 1.6 Conclusions
2. Introduction
   1. 2.1 Background
   2. 2.2 Audit Objective
   3. 2.3 Scope
   4. 2.4 Methodology
   5. 2.5 Audit Criteria
3. Regional Processes
   1. 3.1 Financial Transactions
   2. 3.2 Interpreter Services
   3. 3.3 Human Resources Management
4. Common Observations and recommendations
   1. 4.1 Regional Security
   2. 4.2 Financial Transactions
   3. 4.3 Interpreter Payments
5. Eastern Regional office
   1. 5.1 Travel
   2. 5.2 Interpreter Services
   3. 5.3 Interpreter Contracts
   4. 5.4 Interpreter Payments
   5. 5.5 Staffing Process
   6. 5.6 Official Languages
   7. 5.7 Regional Security
6. Central Regional office
   1. 6.1 Travel
   2. 6.2 Procurement
   3. 6.3 Interpreter Contracts
   4. 6.4 Interpreter Payments
   5. 6.5 Official Languages
   6. 6.6 Regional Security
7. Western Regional office
   1. 7.1 Procurement
   2. 7.2 Interpreter Payments
   3. 7.3 Official Languages
   4. 7.4 Regional Security
8. Conclusion
9. Appendix A – Audit Objectives and Criteria
10. Appendix B – Management Response and Action Plan

Acronyms

Acronym	Description
DSO	Departmental Security Officer
EMT	Electronic Management Tool
FAA	Financial Administration Act
FMS	Financial Management System
GSP	Government Security Policy
HQ	Headquarters
HR	Human Resources
HRA	Human Resources Advisor
IAD	Immigration Appeal Division
ID	Immigration Division
IIA	Institute of Internal Auditors
IPS	Interpreter Payment System
IRB	Immigration and Refugee Board of Canada
PSEA	Public Service Employment Act
PWGSC	Public Works and Government Services Canada
RCM	Responsibility Centre Manager
RPD	Refugee Protection Division
RSO	Regional Security Officer
TBS	Treasury Board of Canada Secretariat
TRA	Threat and Risk Assessment

1 EXECUTIVE SUMMARY

1.1 Background

As the largest administrative tribunal in Canada, resolving more than 40,000 immigration and refugee cases per year, the Immigration and Refugee Board of Canada (IRB) fulfills its mandate through its three Divisions: the Refugee Protection Division (RPD), the Immigration Division (ID) and the Immigration Appeal Division (IAD). The IRB delivers administrative justice through its regional offices in Toronto, Montreal and Vancouver. Approximately two-thirds of the IRB's caseload is processed and heard in the Central Region located in Toronto, while the Eastern Regional Office located in Montreal represents 25% and the Western Regional Office located in Vancouver handles 10% of the caseload.

Given the operational importance of the regional offices where the vast majority of the IRB's core business is conducted, the purpose of this audit is to establish the extent to which the IRB's regional offices comply with relevant IRB and Government of Canada policies and procedures to provide a safe, efficient and effective business environment. The independent validation provided by this audit is to ascertain the degree of compliance and the extent to which its management controls are adequate and effective.

1.2 Audit Objective

The objective of this audit was to provide assurance that administrative processes in the regional offices comply with relevant IRB and Government of Canada policies and procedures and to assess the soundness of management controls that are in place in these administrative processes.

1.3 Scope

The scope of this audit included specific administrative processes within the control of the three following IRB regional offices: namely, the Central Regional Office (Toronto), the Eastern Regional Office (Montreal) and the Western Regional Office (Vancouver).

This audit included the following administrative processes to the extent they were performed in the regional offices:

• Financial transactions, such as accounts payable and settlements, travel and procurement;
• Interpreter services, such as interpreter pay and interpreter contracts;
• Human resources (HR) management, such as compliance with the official languages legislation and staffing practices; and
• Security of people and assets, including sensitive personal information pertaining to tribunal users, such as those of refugee protection claimants, appellants and persons concerned.

The audit did not include information technology (IT) functionalities, IT security issues and core business processes, such as case management, tribunal support and adjudicative decision-making.

1.4 Methodology

This audit was conducted in three distinct phases. During the planning phase, the audit team reviewed relevant background documents and conducted preliminary interviews with relevant stakeholders at the Board. During the fieldwork phase, the audit team completed detailed interviews and tested the effectiveness of key controls identified within the scope of the engagement at each regional office. Finally during the reporting phase, the audit report was developed based on the supporting information gathered during the conduct phase.

The objective of this engagement was to test the effectiveness of management controls designed into administrative processes at the regional offices. The selected sampling methodology included the following:

• Through the information gathered on the administrative processes within the regional offices, we gained an understanding of the risks related to these processes in terms of overall compliance with applicable policies and sound financial management;
• The controls designed to mitigate the risks were evaluated for completeness and appropriateness; and
• A judgmental sample of transactions was selected to test the design effectiveness of the controls and based on the frequency of occurrence of each control within a processing period.

1.5 Key Findings and Recommendations

The findings and recommendations related to this audit have been grouped into two categories: those applicable to all regions and those unique to each regional office.

1.5.1 Key Findings Applicable to all Regional Offices

We identified the following issues:

1. Recommendations from the regional threat and risk assessments (TRAs) have not been fully addressed.
2. Lack of a consistent approach to addressing higher risk hearings.
3. Unequal application of evidence of approval dates associated with the Financial Administration Act (FAA) delegated approvals.
4. Limitations in FAA s. 34 verification and FAA s. 33 quality assurance¹ of interpreter payments.

The following recommendations address the above-mentioned findings and apply to all regional offices:

1. Development of a Board-wide regional security framework to fully implement the IRB's Security Policy in the three regional offices. This should include clearer responsibilities for the Regional Security Officials (RSO), the Regional Director and the Departmental Security Officer (DSO) regarding security. Once clearer responsibilities and accountabilities are established for the coordination of implementing IRB's security program, a priority list of outstanding recommendations should be developed and implemented.
2. Development of a procedure outlining the steps required to address high risk hearings, which could be part of the regional security framework.
3. Making use of existing payment related Financial Procedures and provide training to managers on importance of approval dates to support FAA certifications.
4. Update of the Financial Procedure on the Processing of Interpreter Payments to:
   • Clarify responsibilities of Regional Finance Officers; and
   • Develop a FAA s. 33 quality assurance checklist and amend the existing FAA s. 34 verification checklist to make it specific to interpreter payments.

1.5.2 Key Findings Applicable to Specific Regions

Specific findings and recommendations applicable to individual regional offices have been provided in Sections 5.0, 6.0 and 7.0 of this report.

Management responses and action plans associated with all recommendations have been provided in Appendix B.

1.6 Conclusions

The audit of the IRB regional offices was conducted during the period of December 2007 through January 2008. The audit was conducted in accordance with the Treasury Board of Canada Secretariat (TBS) Policy on Internal Audit and the Institute of Internal Auditors' (IIA) Standards for the Professional Practices of Internal Auditing. We believe that sufficient and appropriate audit procedures have been conducted to support the reliability of the observations, recommendations and conclusions contained in this report.

While certain exceptions were identified, our audit procedures support the following conclusions regarding administrative processes in the regional offices:

• Administrative processes generally comply with relevant IRB and Government of Canada policies/procedures, and
• The related management controls generally reflect the design and operational effectiveness objectives associated with the detailed audit criteria listed in Appendix A.

These conclusions are based on the examination of samples of files and transactions dated between April 1, 2007 and November 30, 2007. As such, we do not express an opinion regarding the entire population of administrative transactions performed in the regional offices during that period. Readers are encouraged to consult the findings, observations and recommendations identified throughout this report as they highlight opportunities for management to improve overall compliance and enhance the adequacy and effectiveness of their controls.

2 INTRODUCTION

2.1 Background

The IRB is Canada's largest independent administrative tribunal. On behalf of Canadians, the IRB resolves immigration and refugee cases appearing before it efficiently, fairly, and in accordance with the law. The Chairperson of the IRB reports to Parliament through the Minister of Citizenship and Immigration Canada. The Chairperson provides leadership and guidance to the organization and is responsible for the supervision and direction of the staff and work of the Board.

The IRB fulfills its mandate through its three Divisions: the RPD, the ID and the IAD. The IRB delivers administrative justice through its regional offices locates in Toronto, Montreal and Vancouver. The IRB resolves more than 40,000 cases each year. Approximately two-thirds of the IRB's caseload is processed and heard in Toronto, while Montreal hears 25% and Vancouver 10%. In addition, a small portion of hearings are held in various other locations.

The IRB has a fiduciary obligation to ensure that its operations, including support of its administrative functions, comply with its own policies and procedures as well as the requirements set by the Government of Canada. The Board's reputation is critical to the important role it fills in Canadian society, as a strong management control framework over key financial and administrative processes is key to protecting public funds and safeguarding public trust and confidence.

The IRB continues to invest in various management controls that are designed to ensure the efficient, effective and safe conduct of business. In order to provide the IRB management with information on the adequacy and effectiveness of these controls, an audit of the IRB regional offices was conducted. This audit was designed to provide IRB management a level of independent assurance regarding the design and operating effectiveness of those key controls critical to managing areas of highest risk regarding financial transactions, interpreter services, HR management and security.

2.2 Audit Objective

The objective of this audit was to provide assurance that administrative processes in the regional offices comply with relevant IRB and Government of Canada policies and procedures, and to assess the soundness of management controls that are in place in these administrative processes.

2.3 Scope

The scope of this audit included specific administrative processes within the control of the three IRB regional offices:

• Central Region (Toronto);
• Eastern Region (Montreal); and
• Western Region (Vancouver)

The administrative processes examined, to the extent they were performed in the regional offices, included:

• Financial Transactions
  • Accounts Payable & Settlements
  • Travel
  • Procurement
  • Acquisition Cards
• Interpreter Services
  • Interpreter Contracts
  • Interpreter Payments
• Human Resource Management
  • Official Languages
  • Staffing Practices
• Security
  • Security and Protection of People and Assets and Information
  • Field testing was conducted on-site in each regional office between December 2007 and January 2008. The sample of transactions for testing the effectiveness of management controls, were selected from the period April 1, 2007 to November 30, 2007.
  • The audit did not include IT functionalities, IT security issues and core business processes, such as case management, tribunal support and adjudicative decision-making.

2.4 Methodology

The audit of the IRB regional offices was conducted in three phases:

• Planning phase;
• Fieldwork and analysis phase; and
• Reporting phase.

Planning Phase

The following steps were completed during the planning phase of the engagement:

• Review of relevant background documentation and applicable policies;
• Preliminary interviews with selected senior management representatives at Headquarters (HQ); and
• Preliminary interviews with each Regional Director and relevant regional representatives.

These interviews and process descriptions aimed to validate IRB's needs and identify areas of risk associated with the administrative processes completed within the regions. Audit criteria were developed based on: the results of the interviews, key document review, related risk identification and analysis exercises. The audit criteria correspond to the established audit objectives – see Appendix A for details.

Fieldwork Phase

Fieldwork was conducted on-site at each of the three regional offices, and included the following activities:

• Detailed process walk-throughs for each administrative process included within the audit;
• Testing of the effectiveness of key controls and compliance in each region on a sample of transactions for each administrative process;
• Debrief of management representatives at each regional office prior to the completion of each visit; and
• Summarization and analysis of results for key control weaknesses and commonalities between the regional offices.

The objective of this audit engagement was to test the effectiveness of management controls as designed into administrative processes within the regional offices. The sampling methodology, on which reasonable assurance is based, includes the following:

• Through the information gathered on the administrative processes within the regional offices, we gained an understanding of the risks related to these processes in terms of overall compliance with applicable policies and sound financial management;
• The controls designed to mitigate the risks were evaluated for completeness and appropriateness; and
• A judgmental sample of transactions was selected to test the design effectiveness of the controls based on the frequency of occurrence of each control within a processing period.

Reporting Phase

The reporting phase of this audit included the development of the audit report based on the supporting information gathered during the fieldwork phase of the engagement. The audit team briefed the Ottawa senior management on the results of the review.

The audit of the IRB regional office was conducted in accordance with the Standards for the Professional Practices of Internal Auditing as per the IIA and in accordance with the TBS Policy on Internal Audit.

2.5 Audit Criteria

For the established audit objective, a set of criteria were developed for the administrative processes examined based on applicable policies and regulations, specifically IRB, TBS policies and the FAA. The detailed listing of the criteria applied for this audit has been included in Appendix A to this report.

3 REGIONAL PROCESSES

3.1 Financial Transactions

3.1.1 Procurement

The procurement process within the IRB regional offices includes the purchase of limited goods and services, for example office supplies and video-conferencing equipment. Based on the matrix of delegated authority, spending limits for the regions are low as more significant procurement contracts must be processed through HQ. Contracting for interpreter services are managed through the Registrar.

In accordance with the TBS Contracting Policy and the FAA, the procurement process begins with a Responsibility Centre Manager (RCM) completing a “Requisition Form” for a good or service in accordance with his or her delegated authority for procurement. The RCM is accountable to ensure that sufficient funds exist and to certify under Section 32 of the FAA to commit the funds.

Once the form is completed and verified, the Procurement Officer researches the Public Works and Government Services Canada (PWGSC) database to determine if there is a standing offer agreement (SOA) or a supply arrangement (SA) available and determines the approximate price for the requested good or service. If there is an appropriate SOA or SA, the Procurement Officer creates a call-up against the SOA or SA and receives a quote for the good or service. If there is no SOA or SA available, the Procurement Officer drafts a request for proposal and solicits three (3) bids from companies that provide the goods or services requested, and selects the lowest dollar offer. A purchase order or a Contract for Professional Services is then issued to the company. Since regional offices can only issue low dollar value contracts, one bid is sufficient and justifiable. In the case where there is only one good or service provider available, the RCM must prepare a sole-source justification.

Once a contract or purchase order has been agreed upon, the Procurement Officer enters the contract information into a “Procurement Log” and places the order for the good or service.

3.1.2 Accounts Payable

Accounts Payable is the payment of invoices for goods and services. For goods received, the Procurement Officer confirms that the goods received correspond to the goods that have been ordered and sends them to the RCM who had originally ordered the goods. The invoice is matched with the corresponding supporting documentation and is sent to the RCM for verification and FAA s. 34 approval (as per FAA s. 34 verification checklist). The RCM is accountable for reviewing the invoice, packing slip and ultimately reviewing that the dollar value and the quantity invoiced correspond to the contract.

Once approved, the invoice is returned to the Finance Clerk for final review. The Finance Clerk enters the amount into the Financial Management System (FMS), verifies the account (as per FAA s. 33 quality assurance checklist) and provides it to the Financial Officer to authorize the release of funds for payment (i.e. FAA s. 33 approval).

3.1.3 Acquisition Cards

Acquisition cards are requested for a limited number of regional employees based on need. Consistent with the procurement process, pre-approval of a purchase using the acquisition card is required. Guidance on purchases that can be made using the acquisition card is provided through the Financial Directive issued by HQ. The maximum amount per transaction is $5,000 and the monthly maximum is $25,000.

Once the purchase is completed, the card holder attaches the receipt to the supporting documentation and sends it to the RCM who had originally requested the item or service for FAA s. 34 approval. Once received and verified, the Finance Clerk enters the expense into FMS.

Payment for goods and services purchased using an acquisition card is completed at HQ. Each individual cardholder prepares a purchase log reconciled to their monthly statement for input into the FMS. A reconciliation process is performed in each region to match the charges paid by IRB centrally and the individual transactions approved in the region. A Financial Procedure is in place which documents the full payment related process.

3.1.4 Travel

Members and Tribunal Officers and other employees travel to attend hearings in various cities and facilities. As required, the traveller requests pre-approval by his or her Manager for upcoming travel via the Electronic Management Tool (EMT). The Manager approves the travel on-line and formally signs a printed copy of the travel request for evidence of the FAA s. 32 authorization for the commitment of funds. A Travel Authorization Number is generated upon the manager's on-line approval and provided to the traveller.

The traveller must retain receipts and proof of the business expenses incurred during the travel, and must comply with the TBS Travel Directive. Upon return, the traveler must complete a travel claim, including all relevant receipts, and send it to the RCM for review and approval. The RCM reviews the travel claim and verifies it for compliance with IRB and TBS requirements.

Once the RCM has approved and signed for FAA s. 34 (both on paper and via the EMT), the travel claim is sent to the Financial Officer or unit where it is reviewed for accuracy and compliance, and is then authorized for the release of payment and FAA s. 33 approval. An IRB EMT User Guide was developed to document the travel payment related processes.

3.2 Interpreter Services

3.2.1 Interpreter Contracts

Interpreters are used by IRB during hearings to ensure effective and accurate communication between a claimant and the Member during the course of a hearing. Currently, IRB has the capacity to conduct hearings in 260 languages and dialects.

Each interpreter contracted by IRB is required to complete proficiency testing, possess Enhanced Reliability security clearance, and must sign a standard interpreter contract that outlines the terms and conditions of the services to be provided. This includes the interpreter's rate of pay, duration of contract, and maximum value of the contract.

The contracting process for interpreters is currently under review by the IRB and the TBS to ensure compliance with the Government of Canada's Contracting Policy, while taking into account challenges of the competitive process and limited resources available in the interpreter services industry.

3.2.2 Interpreter Payments

The current design of the interpreter pay process is complex and involves several parties to ensure that interpreters are paid accurately and on a timely basis. As outlined in the interpreter contract, the interpreter is to arrive 15 minutes before a hearing and arrive 30 minutes prior to a detained hearing based on the hearing schedule. A Duty Case Officer will record the time that the interpreter signs in and out in the timesheet log.

Interpreters are paid based on the hours worked based on the following:

• A minimum of 3 hours for a half day where there is no break for lunch;
• A minimum of 6 hours for a full day which includes a half hour break for lunch; and
• A minimum of 5 hours for an IAD case for where there is no break for lunch.

Based on the data entry of the interpreter time in/out into the Interpreter Payment System (IPS), the Interpreter Supervisor (or a designate) will verify all transactions to the supporting documentation for completeness and accuracy and approves them in IPS using an Electronic Authorization and Authentication key. This IPS approval provides evidence of FAA s. 34 verification. The IPS approved transactions are batched and downloaded into FMS. The IPS payment batch is printed from FMS and provided to the Registrar. The Registrar reviews a sample of transactions and approves the batch for FAA s. 34.

Upon receipt of the IPS batch certified pursuant to FAA s. 34, for the purpose of quality assurance of the FAA s. 34 approval, the Financial Officer picks a 5% random sample of transactions from the batch to trace back to supporting documentation (i.e. log, timesheet, IPS and the Interpreter's contract). After the Financial Officer has completed this due diligence, the batch is authorized for payment by approving for FAA s. 33.

3.3 Human Resources Management

3.3.1 Staffing Process

The staffing process within the region begins with the delegated manager in coordination with the HR Officer who initiates a staffing action which is normally based on the annual HR Strategic Plan. The Human Resources Advisor (HRA) will discuss with the RCM specifics related to the position type, the selection process and the duration of the contract. The staffing process can either be external or internal and can either be advertised or non-advertised, as each process has a specific set of procedures which must comply with the Public Service Employment Act (PSEA).

The specific tasks for each staffing action is assisted by a standard staffing checklist provided by HQ that acts as a control. An appropriately HR delegated authority signs off the staffing process on the HR Action Request Form, in addition to the appropriate FAA s. 32 approval in order to commit the funds for the new position.

If the position is external and advertised, a web announcement is posted for a minimum of 48 hours on www.jobs.gc.ca. If the position is internal and advertised, the job is posted on the Public Service Commission (PSC) intranet website. All applications are screened for basic eligibility and those applicants accepted in the process are further assessed using a variety of assessment tools to determine if they meet the essential qualification for the position.

The unsuccessful candidates for internal selection processes are notified when they do not meet the essential requirements of the job. The applicants that have passed all pre-requisites are required to be security cleared. The successful candidates are notified of their admittance to a pool for future availabilities or sent a letter of offer. The letter of offer includes their position, salary and start date.

3.3.2 Official Languages

All positions in the regions have specific language profiles based on the job requirements. Results of all language evaluations are kept in the employee's file. Also, the IRB is expected to provide communications and services to tribunal users and the public in both official languages.

3.3.3 Regional Security

While IRB is subject to the requirements of the Government Security Policy (GSP), security is more critical due to the risks associated with the conduct of specific hearings.

Every regional office has appointed an RSO who is responsible for the security of the assets, people and information in the regional office. The RSOs coordinate the implementation of the IRB's security program in their respective regions in conjunction with the DSO situated in the National HQ. The RSOs ensure that appropriate security is in place in the regions and are expected to implement security program initiatives developed by the IRB HQ.

A recent TRA has been conducted by Corporate Security for each regional office. Each region is still in the process of implementing the recommendations provided in the regional TRA reports.

The RSO manages the local Commissionaires and responds to security information provided by other government agencies related to upcoming hearings (i.e. supplementing existing security measures with off-duty security personnel). Further, the RSO is responsible for the general security over the administrative offices and hearing rooms within the region (i.e. local building access management and security awareness).

Finally, RSOs are responsible for the appropriate security and protection of sensitive Protected B information maintained in the region to ensure compliance with the GSP and associated standards.

4 COMMON OBSERVATIONS AND RECOMMENDATIONS

While each region was evaluated independently, we also assessed the consistency of the management control framework across all regions. Based on this assessment, specific areas of weakness were identified that were common to all regions.

4.1 Regional Security

4.1.1 Related Audit Criteria

• Controls are adequately designed and effective to ensure the appropriate safeguard of assets (including financial, intangible and capital assets) in the regional offices.
• Appropriate security measures are in place in the regions to address the most recent threat and risk assessment (TRA) and increased risks associated with specific hearings.

4.1.2 Status of TRAs

Recommendations from the regional TRAs have yet to be fully addressed.

As part of the mandate of Corporate Security, a TRA was completed for each region in 2006. Each TRA outlined risks that were unique to the individual regional office and others that were consistent across all regions.

Some examples of the risks highlighted in the TRAs included the physical security over Protected B information located in the various areas of the IRB's premises. This audit identified several significant risks associated to the IRB's protected information, especially physical and electronic files taken off-site.

Based on a review of the status of the TRA in each region, it was identified that while the RSOs are addressing some of the recommendations, many critical risks have yet to be addressed. Risks identified but not addressed puts the IRB at risk in the case of a security breach.

The responsibilities for security are just one area of responsibility for the RSO. Generally, the RSO has other administrative responsibilities within the region and as a result, must manage many priorities and may not have all the necessary tools/training to effectively address all security issues within the regions.

While Corporate Security is responsible for the TRA process and is accountable to the Deputy Head, in reality it has had limited authority to direct action in the regional offices to implement the TRA recommendations. The RSOs report directly to the Regional Directors and consult and report from time to time to the DSO and other managers of Corporate Security. This limited coordinating relationship with the DSO may have reduced the sense of priority to implement the TRA recommendations. Without the support of senior management, the DSO and the Regional Directors, addressing the risks identified on the TRAs will be more challenging and the safety of IRB employees, assets, and information will continue to remain at risk.

4.1.3 Processes to Address Higher Risk Hearings

There should be a consistent approach to addressing higher risk hearings.

From time to time, the RSO is alerted by other government agencies that additional security may be required for an upcoming hearing, due to the sensitivity of the case. If additional security is deemed necessary, additional security personnel may be hired to be present during the hearing.

At this time, there are no standards or guidance to govern the process of handling higher risk hearings. For example in some cases, when the increased security risk information is received from other government agencies, the RSO may not agree with the assessment and decide not to engage additional security measures. Likewise, the Member presiding over the hearing may take the decision to ask for additional security measures. Both decisions are made in the absence of a set of documented best practices covering these types of situations.

As a result, there is need for a consistent approach to handle such hearings and to manage security risks.

4.1.4 Recommendation – Regional Security

We recommend that Corporate Security:

4.2 Financial Transactions

4.2.1 Related Audit Criteria

• Appropriate operational and financial controls are in place (and supported by sufficient documentation) to ensure effective and efficient verification and payment of accounts.

• Accounts Payable approvals, verifications and disbursements comply with applicable IRB and TBS policies and were approved by the appropriate delegated authority (FAA ss. 33 & 34).

• Amounts paid centrally based on acquisition card transactions have been reconciled to approved transactions (i.e. Section 34 delegated authorities).

4.2.2 Missing Evidence of the Dates Approved

Evidence of approval dates associated with FAA delegated approvals was inconsistently applied in all regions.

As required by the FAA, ss. 32, 34, and 33 approvals are required during the process to procure and pay for goods and services based on the matrix of delegated financial authority. The FAA s. 32 provides the commitment of funds, the Section 34 is approved by the RCM who completes the due diligence and verification of the goods or services received and finally, the Section 33 authority completes the transaction by authorizing the release of payment.

In order to demonstrate compliance with the FAA and the completion of these key financial controls, the appropriate delegated approvals must be documented and retained. Equally important is documentation of the date of approval of Section 34 as this demonstrates when the transaction was approved, which in the case of an acting position, could be critical to demonstrating compliance with the matrix of delegated authority. Based on the testing completed within all regions, there was inconsistent application of dates associated with the various FAA approvals.

4.2.3 Recommendation – Financial Transactions

We recommend that Regional Financial Managers:

4.3 Interpreter Payments

4.3.1 Related Audit Criteria

• Controls are in place to ensure interpreter services are contracted in accordance with IRB policies.
• The process to verify interpreter payments ensures compliance with IRB policies and procedures and applicable TBS policies (including FAA ss. 33 & 34).

4.3.2 Application of FAA s. 34 Verification and Section 33 Quality Assurance Sampling

Each region demonstrated weaknesses in the application of the Section 34 verification process and quality assurance sampling of transactions to support FAA s. 33 approval of the batched interpreter payments.

Once interpreter payments are approved within the IPS (confirmation of FAA s. 34 verification), they are batched and electronically transferred into FMS, the financial system. The batch report is sent to the FAA s. 34 authority for certification. Once certified, it is returned to the Regional Finance Officer for FAA s. 33 certification. In order to gain a level of assurance over the completeness, appropriateness and accuracy of the batch of transactions, prior to FAA s. 33 approval, a sample of 5% of the transactions from the batch are to be randomly selected and the corresponding source documentation (i.e. original timesheets, schedules, contracts) are requested for verification by the Financial Officer. An IRB Financial Procedure on the Processing of Interpreter Payment is in place and documents the related processes.

Based on the testing of interpreter transactions at each region, limited weaknesses were identified with respect to the timely completion and maintenance of evidence to support the Section 34 verification process. The detailed descriptions of the weaknesses identified are outlined in Sections 5.0, 6.0 and 7.0 to this report.

Testing of the interpreter transactions in the regions further identified inconsistencies and weaknesses in each region's approach to the completion of the FAA s. 33 sampling process. Examples of the inconsistencies include:

• Frequency and sample size – 20% sample selected on every fifth week
• Approach to verification – no verification back to original source documentation
• Completeness of verification – no documentation to demonstrate completion of the verification

4.3.3 Recommendation – Interpreter Payments

We recommend that:

5 EASTERN REGIONAL OFFICE

The head office for the Eastern region is located in Montreal, Quebec. Hearings for all divisions of the IRB are heard in this office, which has been designed with hearing rooms of various size and functionality.

IRB's offices are located in a building occupied exclusively by the Federal government. While public access is available to the main reception area of IRB's offices during regular business hours, access to other floors are restricted by a commissionaire and the access card system.

5.1 Travel

5.1.1 Related Audit Criteria

• Appropriate operational and financial controls are in place (and supported by sufficient documentation) to ensure effective and efficient verification and payment of accounts.
• Accounts Payable approvals, verifications and disbursements comply with applicable IRB and TBS policies and were approved by the appropriate delegated authority (FAA ss. 33 & 34).
• Travel reimbursements comply with the TBS Travel Directive and applicable IRB travel policies.

5.1.2 Travel pre-authorization (i.e. Section 32)

Pre-approval of travel by the RCM was not consistently documented.

Business travel must be authorized in advance and in writing to ensure all travel arrangements are in compliance with the provisions of the TBS Travel Directive. The respective RCM pre-authorizes the travel by providing the FAA s. 32 approval on the travel form.

Based on the testing performed in the regional office, we identified three (3) examples out of 30 where there was no evidence of pre-authorization prior to travel. Without evidence of the RCM pre-approval of travel, IRB cannot demonstrate compliance with TB requirements.

5.1.3 Documentation of Justification for Non-Compliance

Evidence was not consistently on file to justify non-compliance with the TBS Travel Directive.

When traveling, IRB employees must comply with the TBS Travel Directive and are restricted to staying at pre-approved hotels as per PWGSC accommodation listing. The hotel rates have been negotiated for the entire Federal Government and therefore, are more competitive and cost effective.

Members, Tribunal Officers, and other employees can stay at a hotel that is not on the pre-approved list of accommodations as long as the daily rates are below the highest daily rate offered for that specific city. If an employee must stay at a hotel that is not on the accommodations list and the daily rate is not as competitive as the Government rate, a written justification must accompany the travel request for pre-authorization from the RCM.

The results of sample testing identified twelve (12) transactions out of 30 where IRB travellers stayed at hotels that were not on the pre-approved accommodation list without evidence of justification or appropriate approval of the action. While there may be reasonable justification for selecting a hotel outside of the pre-approved list, without the appropriate documentation and approval of this reasoning, IRB cannot demonstrate compliance with the TBS Travel Directive.

5.1.4 Recommendations - Travel

We recommend that, the Eastern Regional Director, in conjunction with the Regional Financial Manager:

5.2 Interpreter Services

The Eastern region has developed a system to automate the interpreter sign in and out process to improve accuracy of payments.

The sign in/out process to ensure interpreters are paid appropriately at a busy regional office was considered higher risk because it was entirely manual, increasing the risk of inaccuracies in recording the appropriate time. Subsequently, the process to transfer this information into IPS was also manual, increasing the risk of data inaccuracies during data entry.

As a result of the inherent risks within the process, the Eastern regional office developed an in-house system (Site d'Accueil application) to automate the check-in process. This has minimized the time to sign in and out the interpreters and the amount of data entry required to record the time in and out.

The identification of the control risks and the inefficiencies in the existing system and the development of the Site d'Accueil application have allowed the Eastern region to become more efficient and effective during the sign in/out process. The process redesign has also reduced the congestion in the entrance and therefore reduces the risk of security incidents.

The applicability of the Site d'Accueil system or a similar process may be considered for other regions.

5.3 Interpreter Contracts

5.3.1 Related Audit Criteria

Controls are in place to ensure interpreter services are contracted in accordance with IRB policies.

5.3.2 Language Proficiency

Missing language proficiency exam results were identified within interpreter files.

In order for Members and Tribunal Officers to be assured that the interpreters can provide quality services for the contracted language, IRB requires all interpreters to pass a language proficiency exam (if available) for the contracted language. Managed by the Registrar, the test results are maintained on the interpreter's file as evidence of their ability and proficiency for the contracted language.

Based on a sample of interpreter files, no evidence of the results of proficiency testing could be located for eight (8) out of twenty-five (25) interpreters and therefore, the language capability of these interpreters could not be assessed.

5.3.3 Security Clearance

Evidence of valid security clearances were missing for selected interpreters.

Once the interpreter has successfully completed a language proficiency exam, IRB proceeds in obtaining an “enhanced reliability” security clearance for the interpreter. The security clearance is mandatory as the interpreters will regularly have access to Protected B level security information.

Based on the results of sample testing of interpreter files, six (6) out of twenty-five (25) files tested demonstrated security clearances were expired although these interpreters are still listed as “active” interpreters.

5.3.4 Expired Contracts

Expired contracts were identified for interpreters providing ongoing services to IRB.

Once an applicant has successfully passed the language proficiency testing and has obtained a valid security clearance, the Registrar will draft a contract with the interpreter. This enables the Registrar to contact the interpreter for future opportunities to provide transcription, translation, and interpreter services during an IRB hearing. The contracts are signed by the IRB and by the interpreter.

Based on the sample testing of interpreter files, one (1) out of twenty-five (25) interpreter contracts had expired; although the interpreter was continuing to provide services to the IRB.

5.3.5 Recommendations – Interpreter Contracts

We recommend that the Registrar:

5.4 Interpreter Payments

5.4.1 Related Audit Criteria

• Controls are in place to ensure interpreter services are contracted in accordance with IRB policies.
• The process to verify and pay interpreters ensures compliance with IRB policies and procedures and applicable TBS policies (including FAA ss. 33 & 34).

5.4.2 Order of Financial Controls

FAA s. 34 verification of interpreter services was completed after Section 33 release of payment.

As required by the FAA, no payment shall be made unless a delegated authority certifies that the work has been performed and that the prices charged are in accordance with the interpreter's contract. This Section 34 authorization is made on the batch of interpreter services by the Registrar and is followed by Section 33 approval by the financial authority for release of payment.

As part of the review of a sample of batch payments for interpreter services, two (2) out of twenty-five (25) payments were identified where the Section 33 approval was performed prior to the Section 34 approval. Without confirmation of the receipt of the services, there is a risk that an inappropriate payment could be released.

5.4.3 Recommendation – Interpreter Payments

We recommend that the Regional Financial Officers who have FAA s. 33 delegated authority:

5.5 Staffing Process

5.5.1 Related Audit Criteria

Regional staffing practices are in compliance with IRB policies and consistent with the PSEA.

5.5.2 Incomplete Staffing Files

Insufficient documentation was available for specific staffing files.

Each staffing file must be complete and contain the necessary detail to demonstrate due diligence and compliance with existing policies and processes. As a result, the existing staffing cycle involves a series of documented milestones and approvals. Depending on the position type (casual, term, indeterminate) and the selection process, IRB has created a staffing checklist to ensure that all required documentation is complete and retained.

Based on the testing performed on a sample of staffing actions from the region, it was observed that insufficient documentation was available within the specific staffing files reviewed although it was noted that more recent staffing files tested demonstrated improvements in the quality of the documentation contained in the files. Examples of the insufficient documentation included: missing evidence of the evaluation of potential candidates and the reason the successful candidate was awarded the position and missing evidence of the rationale for initiating the staffing action in the first place.

5.5.3 Letters to Unsuccessful Candidates

Evidence of notifications sent to unsuccessful candidates was missing from specific staffing files.

As per the requirement of the PSEA, applicants must be informed in writing once the full evaluation process at a given stage is completed, of the manager's decision to eliminate them from further consideration in an internal appointment process. This policy is enforced once a candidate has passed certain milestones in the staffing process and has been admitted to a smaller pool of potential candidates.

Based on a sample of staffing actions selected for testing, none of the five tested staffing actions provided evidence of the notification to unsuccessful candidates that they had been eliminated from the appointment process. Without maintaining evidence of this key requirement, IRB cannot demonstrate compliance with the PSEA as the unsuccessful applicant has the right to receive appropriate justification in a timely manner on the Manager's decision for not considering them for the position. The lack of sufficient documentation could further impact IRB in the event of a complaint or appeal by a rejected candidate.

5.5.4 Recommendation – Staffing Process

We recommend that the regional HR Manager:

5.6 Official Languages

5.6.1 Related Audit Criteria

All IRB offices are designated bilingual for communications and services to the public.

5.6.2 Position Language Proficiency

One regional employee selected for testing did not meet language proficiency requirements of the position.

All IRB positions have an associated pre-determined level of language proficiency for bilingual positions. This requirement is decided once the position is created and is based on the type of responsibilities being performed (service to the public, personal services, central services, grievances and supervisory functions). For example, Tribunal Officers in a bilingual position are required to have been successfully tested as CCC (reading test, test for written expression and test of oral proficiency) in her or his second official language.

Based on the limited testing performed, one (1) regional IRB employee out of the ten (10) selected for testing and who was required to have a language proficiency level in their second language did not meet this mandatory requirement. In this case, the regional office could ensure language training for the employee.

The Eastern regional office demonstrates the capacity to communicate with tribunal users, external stakeholders and the public in both official languages at reception desk and by telephone.

5.6.3 Recommendation – Official Languages

We recommend that the Regional Director with the assistance of the HRA:

5.7 Regional Security

5.7.1 Related Audit Criteria

• Controls are adequately designed and effective to ensure the appropriate safeguard of assets (including financial, intangible and capital assets) in the regional offices.
• Appropriate security measures are in place in the regions to address the most recent TRA and increased risks associated with specific hearings.

5.7.2 Access Cards

An active access card was outstanding for a recently resigned employee.

Access cards are used as a primary access control into the IRB regional office beyond the public areas and for after hours access. The RSO is responsible for ensuring that only current and approved IRB employees (and other stakeholders) have active access cards and they are appropriately programmed for the areas and time periods necessary for the completion of their work.

Based on the limited testing of the active access cards for the regional office, one (1) access card, out of five (5) tested, was active and outstanding for an employee who had recently resigned. Without timely return and de-activation of an access card for an individual who no longer works for IRB, there is a risk that they have unauthorized access to the IRB premises.

5.7.3 Recommendation – Access Cards

We recommend that the RSO:

6 CENTRAL REGIONAL OFFICE

The head office for the Central region is located in Toronto, Ontario. Hearings for all divisions of the IRB are heard in this office, which has been designed with 54 hearing rooms of various size and functionality.

The building where the IRB Central region office is located houses a variety of tenants, from privately owned companies to Federal government organizations. Public access is restricted on the IRB administrative floor. Access is open to the public on all other floors. During regular business hours, a commissionaire is on duty on the four hearing room floors.

6.1 Travel

6.1.1 Related audit criteria

• Appropriate operational and financial controls are in place (and supported by sufficient documentation) to ensure effective and efficient verification and payment of accounts.
• Accounts Payable approvals, verifications and disbursements comply with applicable IRB and TBS policies and were approved by the appropriate delegated authority (FAA ss. 33 & 34).
• Travel reimbursements comply with the TBS Travel Directive and applicable IRB travel policies.

6.1.2 Travel pre-authorization (i.e. Section 32)

Pre-approval of travel by the RCM was not consistently documented.

Business travel must be authorized in advance in writing to ensure all travel arrangements are in compliance with the provisions of the TBS Travel Directive. The respective RCM pre-authorizes the travel by signing the FAA s. 32 approval on the travel form.

Based on the testing performed in the regional office, we identified three (3) examples out of twenty-five (25) where there was no evidence of pre-authorization prior to travel. Without evidence of the RCM pre-approval of travel, IRB cannot demonstrate compliance with TB requirements.

6.1.3 Recommendation - Travel

We recommend that the Regional Financial Manager:

6.2 Procurement

6.2.1 Related Audit Criteria

• Contracting processes in the regions comply with TBS procurement policies (including FAA s. 32 delegated signing authorities).
• Contracting processes in the regions comply with IRB policies and are limited to contracts under $10,000, interpreter services and acquisition card transactions.

6.2.2 Sole Source Justification

One contract file selected was missing evidence of the required sole-source justification.

The objective of the government procurement process is to acquire goods and services in a manner that enhances access, competition, and fairness and results in best value or, if appropriate, the optimal balance of overall benefits to the Crown. As a result, the TBS Contracting Policy requires the substantiation of all decisions to contract with a supplier for goods or services.

As a result of testing performed on a sample of contracts entered into by the Central region, one non-competitive contract, out of fifteen (15) tested, did not demonstrate evidence of a sole-source justification. Without the maintenance of such evidence, IRB cannot demonstrate compliance with the TBS Contracting Policy.

6.2.3 Recommendation - Procurement

We recommend that the Regional Administration Manager:

6.3 Interpreter Contracts

6.3.1 Related Audit Criteria

Controls are in place to ensure interpreter services are contracted in accordance with IRB policies.

6.3.2 Languages Proficiency

Missing language proficiency exam results were identified within interpreter files.

In order for Members and Tribunal Officers to be assured that the interpreters can provide quality services for the contracted language, IRB requires all interpreters to pass a language proficiency exam (if available) for the contracted language. Managed by the Registrar, the test results are maintained on the interpreter's file as evidence of the interpreter's ability and proficiency for the contracted language.

Based on a sample of interpreter files, no evidence of the results of proficiency testing could be located for ten (10) out of twenty-five (25) interpreters and therefore, the language capability of these interpreters could not be assessed.

6.3.3 Security Clearance

Evidence of valid security clearances were missing for selected interpreters.

Once the interpreter has successfully completed a language proficiency exam, IRB proceeds in obtaining an “enhanced reliability” security clearance for the interpreter. The security clearance is mandatory as the interpreters will regularly have access to Protected B level security information.

Based on the results of sample testing of interpreter files, three (3) out of twenty-five (25) files demonstrated security clearances which had expired; although the services of these interpreters were still ongoing and these interpreters were still listed as “active” interpreters.

6.3.4 Recommendations – Interpreter Contracts

We recommend that the Registrar:

6.4 Interpreter Payments

6.4.1 Related Audit Criteria

• Controls are in place to ensure interpreter services are contracted in accordance with IRB policies.
• The process to verify and pay interpreters ensures compliance with IRB policies and procedures and applicable TBS policies (including FAA ss. 33 & 34).

6.4.2 Compliance with terms and conditions of contracts

Payments for interpreter services are non-compliant with specific terms of the interpreter contracts.

Standard contracts for interpreter services are in place for each interpreter used. These contracts provide the basis for payment for service delivery of interpreter and translation services. The contracts are standardized and used in all IRB regional offices. The standard work day outlined in the contract is as follows:

Interpreters scheduled for full days: A guaranteed minimum of six (6) hours shall be paid to the interpreter when, at the time of booking, the interpreter is informed that he/she is expected to be available all day;

Interpreters scheduled for half days: A guaranteed minimum of three (3) hours shall be paid to the interpreter who is scheduled for a half day, either for a morning or for an afternoon only.

Through sample testing of interpreter payments, it was identified that interpreters were consistently paid for a minimum of four (4) hours for work performed when they were scheduled for half days. The extra time that has been paid to interpreters does not comply with the contracts signed by the Board. However, this practice has been accepted in the region due to the competition for limited interpreter resources within the Toronto market of interpretation services. No evidence was provided to demonstrate senior management approval of this decision. The impact of this decision has resulted in consistent non-compliance with the terms of interpreter contracts by the Board for these services.

It was further established that weaknesses in the automated validation checks in IPS and the manual verification process to support the FAA s. 34 approval of the interpreter payment batch transactions resulted in additional payments for eight (8) out of twenty-five (25) transactions within the sample selected. The additional payments identified were the result of acceptance of non-fifteen (15) minute increments by the IPS system and data entry errors resulting in unreasonable end times (i.e. late at night) for hearings.

6.4.3 Incomplete Source Documentation

Source documentation was not found for interpreter transactions which provide key evidence of services rendered.

Upon arrival for a hearing, the Duty Officer logs the arrival time of the interpreter on a timesheet log, which is ultimately transferred manually into IPS. A key control in this process is the Registrar's (or delegate's) review of the source documentation as evidence of the number of hours that the interpreter has completed to support the entry into IPS.

As a result of testing performed on a sample of interpreter transactions, four (4) out of twenty-five (25) transactions did not have a timesheet log available to support the Registrar's verification to the source documentation. Without maintenance of the manual timesheet log, the IRB cannot demonstrate the completion of the verification of the amount paid to the interpreter to the original source documentation to support the FAA s. 34 approval.

6.4.4 Inappropriate Approval

Interpreter payments were authorized by an employee without the delegated authority over the specific responsibility centre.

Acceptance of interpreter services is authorized by the Registrar by signing as the delegated FAA s. 34 authority. The Registrar must have received the appropriate delegation of authority to approve such financial transactions in order to comply with the Financial Administration Act.

For eleven (11) out of twenty-five (25) transactions tested related to interpreter payments, authorization by the Registrar as the FAA s. 34 delegated authority was inappropriate as their delegation had expired for the time period for which the services were rendered. As a result, the Registrar was not authorized to approve these transactions for further processing and payment.

6.4.5 Recommendations – Interpreter Payments

We recommend that the Registrar:

6.4.5.1 Consider updating or adjusting the terms and conditions of interpreter payment to reflect the conditions of interpreter services specific to the region.

6.4.5.2 Consider additional automated validation checks within IPS for the next release of the application, including a reasonableness flag, which would alert the user when an unreasonable start or end time has been entered and limitations to only use 15-minute increments for data entry of interpreter time.

6.4.5.3 Ensure a robust verification process related to the IPS batch transactions, including the detailed validation of each transaction in the batch from IPS back to the source documentation (original manual timesheet) prior to the FAA s. 34 approval. This would include the maintenance of the manual timesheets for evidence of the completion of this key control.

We recommend that the Regional Finance Manager:

6.4.5.4 Ensure that the FAA s. 33 verification process include the confirmation of the appropriateness of the FAA s. 34 approval back to the individual's current signature card.

6.5 Official Languages

6.5.1 Related Audit Criteria

All offices are designated bilingual for communication and services to the public.

6.5.2 Communication with the Public

The Central regional office demonstrates the capacity to communicate with tribunal users, external stakeholders and the public in both official languages at reception desk and by telephone as all IRB offices are designated bilingual for communications and services to the public.

6.6 Regional Security

6.6.1 Related Audit Criteria

• Controls are adequately designed and effective to ensure the appropriate safeguard of assets (including financial, intangible and capital assets) in the regional offices.
• Appropriate security measures are in place in the regions to address the most recent TRA and increased risks associated with specific hearings.

6.6.2 Access Cards

A significant number of active access cards could not be accounted for.

Access cards are used as a primary access control into the IRB regional office beyond the public areas and for after hours access. The RSO is responsible for ensuring that only current and approved IRB employees and other approved stakeholders have active access cards and they are appropriately programmed for the areas and time periods necessary for the completion of work.

Based on the limited testing of the active access cards for the regional office, it was identified that thirty-four (34) active access cards assigned as temporary could not be accounted for, increasing the risk of unauthorized access to the IRB premises.

6.6.3 Recommendation – Access Cards

We recommend that the RSO:

6.6.3.1 Immediately de-activate the access cards which cannot be located. Due to the relative size of the Central region and the number of employees, a process should be developed whereby a periodic reconciliation is performed to ensure all temporary access cards can be accounted for.

7 WESTERN REGIONAL OFFICE

The head office for the Western region is located in Vancouver, British Columbia. Hearings for all divisions of the IRB are heard in this office, which has been designed with fourteen (14) hearing rooms of various size and functionality.

The building where the IRB regional office is located is a Federal Government building, occupied only by Federal Government tenants. There is public access to each floor during regular business hours and commissionaires are posted on each floor where hearing rooms are located.

7.1 Procurement

7.1.1 Related Audit Criteria

• Contracting processes in the regions comply with TBS procurement policies (including FAA s. 32 delegated signing authorities).
• Contracting processes in the regions comply with IRB policies and are limited to contracts under $10,000, interpreter services and acquisition card transactions.

7.1.2 Missing Evidence of the Procurement Process

No evidence to support the procurement process was identified for specific contract files tested.

The procurement process requires that a copy of each contract be kept on file and easily accessed by RCMs, Financial, and Procurement Officers in order to reference the contract whenever an invoice against the contract is received and verified. The RCM and/or the Financial Officer conduct a comparison against the contract in order to validate the quantity, quality of goods and/or services and to validate the price negotiated.

Based on the sample testing performed on the contracts entered into in the region, one (1) contract file out of six (6) tested was not available at the time of the audit but provided at a later date. For another file, documentation of the bid process, including the formal bid request and the bid evaluation, was not maintained on file.

Without a complete and robust contract file, the IRB cannot demonstrate completion of a fair and transparent procurement process. In addition, without a current contract on file, invoices submitted against the contract could be paid without a complete verification to the terms and conditions of the contract.

7.1.3 Recommendations - Procurement

We recommend that the Regional Administration Manager:

7.1.3.1 Ensure that all documentation required to support the completed procurement process is maintained within the contract file.

7.2 Interpreter Payments

7.2.1 Related Audit Criteria

• Controls are in place to ensure interpreter services are contracted in accordance with IRB policies.
• The process to verify and pay interpreters ensures compliance with IRB policies and procedures and applicable TB policies (including FAA ss. 33 & 34).

7.2.2 Incomplete Source Documentation

Source documentation was not found for interpreter transactions which provide key evidence of services rendered.

Upon arrival for a hearing, the Duty Officer logs the arrival time of the interpreter on a timesheet log, which is ultimately transferred manually into IPS. A key control in this process is the Registrar's (or a delegate's) review of the source documentation as evidence of the number of hours that the interpreter has completed to support the entry into IPS.

As a result of testing performed on a sample of interpreter transactions, for seven (7) out of twenty-five (25) tested, a timesheet log was not available to support the verification to the source documentation. Without maintenance of the manual sign-in log, IRB cannot demonstrate the completion of the verification of the amount paid to the interpreter to the original source documentation to support the FAA s. 34 approval.

7.2.3 Recommendation – Interpreter Payments

We recommend that the Registrar:

7.2.3.1 Ensure a robust verification process related to the IPS batch transactions, including the detailed validation of each transaction in the batch from IPS back to the source documentation (original manual timesheet) prior to the FAA s. 34 approval. This would include the maintenance of the manual timesheets for evidence of the completion of this key control.

7.3 Official Languages

7.3.1 Related Audit Criteria

All offices are designated bilingual for communication and services to the public.

7.3.2 Communicating with the Public

The Western regional office demonstrates the capacity to communicate with tribunal users, external stakeholders and the public in both official languages at reception desk and by telephone as all IRB offices are designated bilingual for communications and services to the public.

7.4 Regional Security

7.4.1 Related Audit Criteria

• Controls are adequately designed and effective to ensure the appropriate safeguard of assets (including financial, intangible and capital assets) in the regional offices.
• Appropriate security measures are in place in the regions to address the most recent TRA and increased risks associated with specific hearings.

7.4.2 Access to Secure Hallway during an Emergency

Existing physical security of hearing rooms may be ineffective in allowing access to the secure hallway in an emergency.

Each hearing room is equipped with security controls to minimize the risk of potential harm to a Member, IRB employee and stakeholder or a member of the public.

In order to minimize risk of unauthorized entry to the secure hallway from the publicly accessible hearing room, a security system has been placed on the door leading to secure areas. However, the existing security system is such that it could delay direct and safe access of the Member and employees to secure areas in the event of an emergency.

7.4.3 Recommendation – Regional Security

We recommend that the RSO:

7.4.3.1 Consider changing the security system of hearing room doors leading to direct access to secure areas. The modification should allow the Member or IRB employee immediate access to safe areas should an emergency situation arise in the hearing room.

8 CONCLUSION

We found that regional administrative processes reflect well designed controls. Further, based on the work performed, the interpretation and operation of these controls were generally effective, with the following exceptions:

• Implementation status of the recommendations from the threat and risk assessments; and
• Interpreter payment verification processes.

In addition, the inconsistent application of some controls results in the regional offices not able to consistently demonstrate compliance with applicable standards and policies.

The details of these issues and associated recommendations have been described in more detail in the sections above.

8.1.1 Recommendation – Regional Key Controls

To mitigate the risks associated with the inconsistent application of the controls within the regional offices, we recommend the IRB senior management to consider the following:

8.1.1.1 Development of a corporate oversight framework to formalize the expectations of senior management for the processes in place across the regional offices. Appropriate tools, guidance and training should be provided to support the improvements in the operational effectiveness of the key controls regarding these offices.

8.1.1.2 Critical to the success of the oversight framework will be the development of an ongoing monitoring program. This program should test key controls on an ongoing basis for compliance and include monitoring and reporting to stakeholders with appropriate priorities for corrective action, as necessary.

8.1.1.3 Senior and regional management may consider building on existing frameworks and monitoring programs currently in place as a basis for the development of this oversight framework.

---

APPENDIX A
AUDIT OBJECTIVES AND CRITERIA

Objectives and Criteria

Audit Objective
The objective of this audit was to provide assurance that regional administrative processes comply with established policies and procedures within the IRB and the Government of Canada and on the operation of the management controls in place over the specified administrative processes.
Sub-Objectives	Detailed Criteria
Finance & Accounting
1.0 Accounts Payable and Settlements are verified in a cost effective and efficient manner through the maintenance of adequate controls.	1.1 Appropriate operational and financial controls are in place (and supported by sufficient documentation) to ensure effective and efficient verification and payment of accounts. 1.2 Accounts Payable approvals, verifications and disbursements comply with applicable IRB and TBS policies and were approved by the appropriate delegated authority (FAA ss. 33 & 34). 1.3 Amounts paid centrally based on acquisition card transactions have been reconciled to approved transactions (i.e. Section 34 delegated authorities).
2.0 Travel and travel cards are managed according to travel policies and procedures.	2.1 Controls are in place to effectively issue a travel card, monitor the use of the travel card and retrieve it upon departure of the employee from the IRB. 2.2 Travel reimbursements comply with the TBS Travel Directive and applicable IRB travel policies.
Procurement and Contracting
3.0 Procurement of goods and services are carried out according to TB procurement policies and procedures while maintaining proper approval and signing authorities.	3.1 Contracting processes in the regions comply with TBS procurement policies (including FAA s. 32 delegated signing authorities). 3.2 Contracting processes in the regions comply with IRB policies and are limited to contracts under $10,000, interpreter services and acquisition card transactions. 3.3 Controls are in place to effectively issue an acquisition card, monitor the use of the acquisition card (including FAA s. 32 approval prior to purchase) and retrieve it upon departure of the employee from the IRB.
Interpreter Pay
4.0 Interpreter payments are managed according to proper policies and procedures.	4.1 Controls are in place to ensure interpreter services are contracted in accordance with IRB policies. 4.2 The process to verify and pay interpreters ensures compliance with IRB policies and procedures and applicable TBS policies (including FAA ss. 33 & 34 delegated signing authorities).
Human Resources Management
5.0 Services are actively offered and delivered in both official languages to tribunal users, services of third party agreements are effectively delivered in both official languages and IRB working environment is bilingual.	5.1 All IRB offices are designated bilingual for communications and services to the public.
6.0 Staffing practices are done in accordance with the PSEA and Public Service Employment Regulations.	6.1 Regional staffing practices are in compliance with IRB policies and consistent with the PSEA.
Security and Protection of the People, Assets and Information
7.0 The security and protection of IRB employees, tribunal users, assets and sensitive information are managed according to government security policies and procedures.	7.1 Controls are adequately designed and effective to ensure the appropriate safeguard of assets (including financial, intangible and capital assets) in the regional offices. 7.2 Appropriate security measures are in place in the regions to address the most recent threat and risk assessment (TRA) and increased risks associated with specific hearings.

---

APPENDIX B
MANAGEMENT RESPONSE AND ACTION PLAN

Endnotes

1. This refers to the sampling process prior to the FAA s. 33 approval and does not reflect a complete quality assurance program.

About PDF