2004 March Report of the Auditor General of Canada Exhibit 6.5—Weaknesses in internal control systems that need particular attention

March 2004 Report—Chapter 6

Electronic security controls

Weaknesses:

  • User access rights and privileges reflect incompatible duties.
  • Super user accounts are not sufficiently controlled.
  • Users have wider system access than required.
  • Generic user IDs are used, which impairs accountability.
  • Best practices for key security parameters are not being enforced.

Explanation: Electronic security controls are used to control user access rights and privileges within an electronic information system. Lapses in electronic security controls could allow for accidental or intentional corruption or loss of information. This can also result in the integrity of system tables and structures being compromised.

Implication: Inadequate electronic security controls could lead to unauthorized access, which can then lead to loss and/or corruption of data. This can result in erroneous reports being produced by the systems.

Monitoring controls

Weaknesses:

  • Security administration function does not follow best practices.
  • Reconciliation of accounts is not being done on a timely basis.
  • Review of clearing and suspense accounts is not timely.
  • Policies and procedures for monitoring accounts are not always in place—for example, review of unusual or high-risk transactions and review of key performance measures such as "receivables aging".

Explanation: Monitoring controls engage senior management in analyzing the reasonableness of financial information. Differences identified or matters observed must not only be highlighted but investigated and analyzed with corrective action taken.

The security administration function is shared among many users and not controlled. There are no formal policies and best practices in place, leaving this position at risk.

Implication: A lack of monitoring controls allows errors to go unnoticed, thereby compromising data accuracy and validity as well as increasing the risk of loss and/or corruption of data.

New financial systems

Weaknesses:

  • Integration of financial systems has not been achieved.
  • Many controls inherent in the new financial systems are not being used.

Explanation: New financial systems have many capabilities but are often used to simply compile results produced from existing systems. In some cases, two or more systems are operating where integration may be possible. This approach to systems development and integration adds to the complexity and cost of maintaining financial information. There is also additional room for error if separate systems are maintained.

Implication: Not taking full advantage of the new systems capabilities results in lost opportunity to increase efficiency and effectiveness of the operations. Also, not using built-in controls could reduce the consistency of the controls.

Manual processing controls

Weaknesses:

  • Segregation of duties is inadequate.
  • Documentation on policies and procedures is not being prepared/reviewed.
  • Quality assurance of the account verification process is limited.

Explanation: Modern control frameworks should allow for proper integration of manual processing controls within an electronic framework. Manual controls are less systematic and less comprehensive in their application than electronic controls.

Implication: Bypassing the electronic framework increases the risk that data values will remain unchecked, be omitted, or result in duplicate information or other errors.

Selected authorities controls

Weaknesses:

  • Payments are being certified without:
    • documentation of having received the goods;
    • proper delegation of signing authority; and
    • authorization.

Explanation: Section 34 of the Financial Administration Act (FAA) requires that proper authorization be obtained and that goods or services have been received prior to any payment being made. Section 33 of the FAA requires that proper authorization be obtained prior to any requisition for a payment out of the Consolidated Revenue Fund and the subsequent charge against appropriations.

Implication: Without proper controls the government does not have assurance that payments are made only for goods or services that have been received.