Audit of employee departure process – phase one (Non-equipment items)
Vetted report
November 2017
Access to information assessment
This report has been reviewed in consideration of the Access to Information Act and Privacy Acts. The asterisks [***] appear where information has been removed; published information is UNCLASSIFIED.
Table of contents
- Acronyms and abbreviations
- Executive summary
- Management's response to the audit
- 1 Background
- 2 Objective, scope and methodology
- 3 Audit findings
- 4 Recommendations
- 5 Conclusion
- Appendix A – Audit objective and criteria
Acronyms and abbreviations
- CM: Civilian Member
- CM&C: Corporate Management and Comptrollership
- CPIC: Canadian Police Information Centre
- DSB: Departmental Security Branch
- DSS: Departmental Security Section
- FMM: Financial Management Manual
- HR: Human Resources
- HRMIS: Human Resources Management Information System
- NHQ: National Headquarters
- PKI: Public Key Infrastructure
- PROS: Police Reporting and Occurrence System
- PS: Public Servant
- RCMP: Royal Canadian Mounted Police
- RM: Regular Member
- ROSS: RCMP Office Support System
- SPS: Specialized Policing Services
- TB: Treasury Board
Executive summary
With the heightened focus on information security and increasing mobility of employees, there is a growing need for strong departure processes and procedures within organizations to ensure that equipment is returned and information and systems accesses are terminated when an employee departs. This is particularly important given the range of sensitive facilities and systems, assets and equipment available to Royal Canadian Mounted Police (RCMP) employees.
Controls regarding the granting of access to systems and assets to employees are often quite robust, including requirements for proper authorization and training. The controls associated with removing access should be equally robust as deficient controls can result in individuals having inappropriate access to key information systems as well as to key corporate assets.
The objective of this audit was to determine whether the RCMP has an effective departure framework in place to ensure that individual facility and system accounts are deactivated, and financial assets are returned in a timely manner upon employee departure.
The audit examined the departure process as it pertains to Regular Members (RMs), Civilian Members (CMs) and Public Servants (PSs). For this audit, the term departure included employees taken off strength permanently. The audit focused on the departures due to resignation, retirement, and termination during 2016.
The audit found that within the RCMP, there is no overarching employee departure policy establishing roles and responsibility with respect to ensuring all assets are recovered and accesses are deactivated when an employee departs the organization. As a result, the departure process is not managed by a single process owner, but rather by various business lines in accordance with policies and procedures as they relate to specific types of accesses or assets that fall within their area of responsibility.
Overall, the audit concluded that opportunities exist to improve the governance framework and controls surrounding the departure process. Drafting a centralized policy and creating a corporate approach clearly defining roles, responsibilities and accountabilities would serve to ensure the requirements of Treasury Board (TB) policy and directives regarding employee departures are met.
In addition, once a business line area is identified as process owner, defining a notification process which ensures all affected business lines are promptly notified of departures ***.
The management responses included in this report demonstrate the commitment from senior management to address the audit findings and recommendations. A detailed management action plan is currently being developed. Once approved, RCMP Internal Audit will monitor its implementation and undertake a follow-up audit if warranted.
Management's response to the audit
The Audit of the Employee Departure Process has highlighted opportunities to further strengthen internal governance and better define roles and responsibility with respect to the recovery of assets and the deactivation of accesses. The Chief Financial and Administrative Officer, Chief Human Resources Officer, and Deputy Commissioner Specialized Policing Services, agree with the findings and recommendations of the Audit of Employee Departure Process – Phase I. In particular, we acknowledge the need to improve coordination to determine how best to fulfil TBS requirements in regards to the departure process.
Aligning and standardizing departure processes and procedures will ensure that access to RCMP systems and information is removed and monetary assets are recovered in a timely manner, once an employee leaves the organization.
To that end, we have agreed to establish a working group of the various policy centres involved in the departure process. This working group will have the mandate to:
- Recommend an organizational lead for this initiative, including roles and responsibilities across the various policy centres; and,
- Strengthen the national processes and procedures for departing employees.
A detailed management action plan which addresses the report recommendations will be developed for review by the Departmental Audit Committee prior to the next Committee meeting.
Dennis Watters, Chief Financial and Administrative Officer
Stephen White, Acting Chief Human Resources Officer
Francois Bidal, Acting Deputy Commissioner Specialized Policing Services
1 Background
The Financial Administration Act (FAA) designates deputy ministers and deputy heads of government entities - the Commissioner in the case of the Royal Canadian Mounted Police (RCMP) - as accounting officers.[Footnote 1] As accounting officers, deputy heads are accountable, in part, to ensure measures are taken to organize the resources of the department to deliver departmental programs in compliance with government policies and procedures, and to maintain an effective system of internal controls within the department.[Footnote 2]
The Treasury Board (TB) Directive on Financial Management of Pay Administration (rescinded April 2017) assigned responsibility for the creation of an employee departure process and required that the Chief Financial Officer establish management practices and controls to ensure effective financial controls over pay administration. This included establishing, in collaboration with Human Resources (HR), a departure process that certifies that all money owing to the Crown, and any financial instruments (acquisition cards, cash advances etc.) issued to the employee, are accounted for before an employee leaves the department.
The new 2017 TB Directive on Public Money and Receivables stipulates that the Chief Financial Officer is responsible for ensuring, as part of the departure process, that the employee returns all public money owed, including outstanding accountable advances and any public property, before leaving the department. In addition, the Chief Financial Officer is responsible for ensuring, in collaboration with compensation services, that when a departing employee owes public money or has not accounted for public property, a process is put in place to take recovery action and, if necessary, establish an accounts receivable.[Footnote 3]
In the RCMP, various policies contained within the Operational Manual, Administration Manual and other subsidiary manuals, such as the National Compensation, Financial Management, and Security manuals, assign the accountability and responsibility for the issuance, control, and return of specific assets and accesses. These responsibilities involve the following business lines and stakeholders:
- The Chief Financial and Administrative Officer is responsible for management practices to ensure effective internal controls over both financial and physical assets.
- The Chief Human Resources Officer is responsible for management practices and controls relating to employee compensation and pay. As part of this, related to the departure process, HR Compensation verifies leave balances and salary advances, completes Regular Member (RM) discharges and Public Servant (PS) releases, updates the HR and pay systems and updates personnel records once the departure process has been initiated.
- The Departmental Security Branch (DSB), under the Deputy Commissioner Specialized Policing Services (SPS), is responsible for establishing and monitoring policies and procedures concerning the physical security of assets, information, and personnel in the RCMP.
- Commanding Officers have final approval of the member's discharge request, and sign and forward the retiring member's submitted Form 1733 (Discharge Request) to the RCMP's National Compensation Services Pay Operations Special Unit.
In addition to the departmental policies, the controls associated with removing accesses should be as robust as the controls for granting them (which include requirements for proper authorization and training), because deficient controls can result in individuals having inappropriate access to key information systems as well as to key corporate assets.
There is a growing need for strong departure control processes and procedures within organizations to ensure that equipment is returned and information and systems accesses are terminated when an employee departs. This is particularly important given the range of sensitive facilities and systems, assets and equipment available to RCMP employees.
In May 2016, the Commissioner approved the 2016-2019 Internal Audit Risk-Based Audit Plan, which included an Audit of Security of Individual Accounts and Assets – Out-Clearances. The audit was renamed during the planning phase to the Audit of Employee Departure Process – Phase One (Non-equipment Items).
2 Objective, scope and methodology
2.1 Objective
The objective of this audit was to determine whether the RCMP has an effective departure framework in place to ensure that individual facility and system accounts are deactivated, and financial assets are returned in a timely manner upon employee departure.
2.2 Scope
The audit examined the departure process as it pertains to RMs, CMs and PSs. For this audit, the term departure included employees taken off strength permanently. The audit focused on the departures due to resignation, retirement, and termination during 2016.
During the planning phase, the audit team considered and assessed risks associated with the departure process including access to facilities and IT systems, the return of financial and physical assets, as well as the return of equipment. Based on subject matter complexity, it was determined that a phased approach would be the most viable. Phase One has examined administrative items such as the deactivation of employee access to both facilities and IT systems (PKI token / chip) along with the recovery of monetary assets such as travel and acquisition cards, and advances. Phase Two will examine the processes involved in the retrieval of key physical assets, such as RM equipment, to ensure that assets and equipment are returned in a timely manner. This phased approach will result in two separate, albeit related, audits.
The current audit excluded all employee transfers within the RCMP. As well, the audit did not assess the quality of data within Human Resources Management Information System (HRMIS) with respect to employee departures. In addition, the audit did not assess unit assigned equipment (i.e. radios, desktop computers, Blackberries), investigator's notebooks, keys and corporate records. Finally, the audit did not test access suspension / deactivation of specific corporate applications (i.e. TEAM, PROS, Canadian Police Information Centre (CPIC), etc.) as access to these systems requires an active PKI token / chip. By ensuring the PKI token is returned and deactivated, access to these applications is denied post departure.
2.3 Methodology
All work was conducted in accordance with the Institute of Internal Auditors International Standards for the Professional Practice of Internal Audit (2015) and the 2017 TB Policy on Internal Audit.
Planning for the audit was completed in May 2017. In this phase, the audit team conducted interviews, process walkthroughs and examined relevant policies, directives, procedures and results of previous audit work.
Sources used to develop audit criteria and audit tests included TB Directives and Standards as well as RCMP departure-related policies and guides. The audit objective and criteria are available in Appendix A.
The examination phase, which concluded in July 2017, employed various auditing techniques including interviews, documentation reviews and testing of employee files. Site visits took place at four divisional headquarters to review files and assess practices. Upon completion of the examination phase, the audit team held meetings to validate findings with personnel and debriefed senior management of the relevant findings.
Table 1 below provides a summary of the number of departures tested during the audit. Sampling methodology involved random sampling based on data extracts obtained from HRMIS. The audit team tested a random sample of 100 departures that took place during calendar year 2016 within the four divisions visited. Sixty-five percent of departures in 2016 occurred at these four sites, as demonstrated below. The sample included departures of 63 RMs, 11 CMs and 26 PSs.
Division | Number of departures in 2016 | Percentage of total RCMP departures | Number included in sample |
---|---|---|---|
E Division | 330 | 23.1% | 36 |
F/T Divisions | 124 | 8.7% | 13 |
K Division | 190 | 13.3% | 21 |
N/S Divisions | 277 | 19.4% | 30 |
Total | 921 | 64.5% | 100 |
2.4 Statement of conformance
The audit engagement conforms to the Institute of Internal Auditors' International Professional Practices Framework and the Treasury Board of Canada Directive on Internal Audit, as supported by the results of the quality assurance and improvement program.
3 Audit findings
To achieve effective governance over the departure process, a sound structure, including policies and processes, clear accountabilities and effective oversight must all be working together to encourage behavior and activities that ensure the retrieval of assets, and the denial of future access to RCMP buildings and IT systems.
The TB Standards on Security Screening requires that upon the termination of employment, "all authorities and access permissions are to be reclaimed, including identification and access badges, physical and logical access keys".[Footnote 4]
Additionally, the TB Guideline on Financial Management of Pay Administration, which supports the 2017 Directive on Payments, requires that the financial management personnel or, if applicable, the organization to which payment authority under section 33 of the FAA is delegated, is the last to sign off and does so only after establishing that no money is owed to the Crown. Only then is it recommended that final payment be released.[Footnote 5]
Accordingly, in regards to the departure process, we expected to find:
- A departure policy included in the RCMP Operational or Administrative Manual that had been communicated across the Force to ensure effective internal controls over the departure process;
- A departure process and related tools had been communicated to managers for their sign-off and certification that all funds and equipment had been accounted for before employees leave the Force;
- A departure process and checklist requiring sign-off or certification by, but not limited to, HR, security, material management, IM / IT Program, and financial services;
- That Business Lines involved in the departure process are notified of upcoming departures in a timely manner to ensure consistent and efficient execution of the departure process;
- Managers clearly understand their role within the departure process;
- Managers and employees have access to information to allow them to complete the departure process, including records of access granted, and equipment and financial instruments issued; and
- A monitoring framework exists to ensure that managers consistently followed policies, procedures and directives included in manuals pertaining to the departure process and gaps in the process are corrected.
3.1 Governance
Opportunities exist to develop a national departure policy, processes, and related tools in order to formalize the departure process and communicate requirements to all managers and employees.
Responsibilities and accountabilities
Within the RCMP, there is no overarching employee departure policy establishing roles and responsibility with respect to ensuring all assets are recovered and accesses are deactivated when an employee departs the organization. As a result, the departure process is not managed by a single process owner, but rather by various business lines in accordance with policies and procedures as they relate to specific types of accesses or assets that fall within their area of responsibility.
The lack of a single owner for the departure process has resulted in a siloed approach and has led to inconsistencies in how the departure process is managed across both units and divisions. ***
Policy and procedures
The TB Directive on Public Money and Receivables addresses the need for effective internal controls surrounding employee departures to minimize the possibility of an employee leaving the Federal Public Service owing a debt or prior to returning all government issued items. In addition, TB Standards on Security Screening addresses the need to disable accesses promptly following an employee's departure. In the RCMP, several policies reference various aspects of the employee departure process. However, these policies have not been incorporated into a comprehensive departmental employee departure policy or process that details the steps to be taken and the business lines responsible for ensuring that the process is respected. Rather, 12 RCMP policies address different components of the departure process and 13 different RCMP forms may be required to complete various steps of the departure process.
Unit managers and representatives from business lines involved in the departure process confirmed that no national guidance has been provided on the topic of departures except for some information on Form 1733 (Discharge Request) for members. During interviews, various unit managers stated that they were not aware of all the forms to be completed and indicated that information about the steps that had to be completed upon departure was difficult to locate on the RCMP's Infoweb.
Of note, Form 2688 (Retrieval of Items), was in the process of being updated by DSB and it was intended to include all types of departures and to include most steps in the departure process. However, we were informed by officials within DSB that the update had not been completed and the form is still in draft.
In order to determine which forms were commonly used by employees and managers during the departure process, the audit team tested a sample of 100 departures that occurred in calendar year 2016. Although the IM policy for Employee Records stipulates that, depending on the category of employee, Forms 1733 (Discharge Request), S-54A (Disposition of Equipment and Uniform on Discharge) and/or 2688 (Retrieval of Items) should be placed on the employee's file, testing demonstrated that this is not always occurring. Table 2 documents the forms found on the files of departed employees.
Forms | Regular Members | Civilian Members | Public Servants |
---|---|---|---|
1733 – Discharge Request | *** | *** | *** |
S-54-A – Disposition of Equipment (including administrative and operational equipment.) | *** | *** | *** |
330-47 – Security Screening Certificate and Briefing Form | *** | *** | *** |
2882 – PS Questionnaire | *** | *** | *** |
2688 – Retrieval of Items | *** | *** | *** |
The majority of forms that document the departure process could not be found on employee files. *** Audit testing could not confirm whether forms were not being completed or whether they were being kept at the detachment level and not forwarded to Records for inclusion on members' Service files or PS' personnel files. ***
In the absence of national policy, guidance or a comprehensive national checklist, units and detachments were creating their own tools to track equipment and to ensure that accesses were deactivated. For example, K, C and O Divisions have created retirement guides for RMs and many business lines have developed their own departure checklists. The audit team reviewed some of these tools and concluded that none detailed all pre-departure considerations. For example, while the retrieval of the building security badge was listed on all departure checklists reviewed, other items were missing from some, such as the return of / request for travel cards, USB keys, parking passes, ID cards, the deactivation of security clearances, and the updating of leave. The development and promulgation of a national approach and checklist would better ensure that all departure related activities are considered.
Notifications and monitoring
In order for the departure process to function effectively and to ensure that accesses are deactivated, equipment returned and money-owing recovered, business lines involved in the departure process need to be notified of employee departures. However, existing RCMP policies do not mention the need to notify the various business lines involved in the departure process. In addition, there is currently no formal mechanism to efficiently do so. ***
Although several business lines rely on relevant HRMIS data to complete their section of the departure process, employee status changes in HRMIS (i.e. retirement, termination, and deceased) do not trigger automatic notifications to these business lines.[Footnote 6] A clear, coordinated departure process in which all stakeholders involved in the process are informed of a departure in a consistent and integrated approach would increase efficiencies ***.
It was expected that in order to comply with TB Directives and guidelines, there would be monitoring and reporting of the departure process. In the absence of a national policy prescribing monitoring and reporting requirements, activities in this area are limited and responsibility for monitoring the departure process has not been assigned. While several business lines are involved in the departure process including Corporate Management and Comptrollership (CM&C), HR, and SPS, none had been identified as the overall policy owner accountable for monitoring policy adherence. Although some monitoring mechanisms related to certain activities included in the departure process do exist, they do not appear to have been put in place specifically to ensure that the departure process is carried out according to policies. Furthermore, the reporting frequency of these monitoring mechanisms seems to be ad-hoc.
***. The development of a comprehensive employee departure policy, integrated process and associated management control framework is required to ensure compliance with TB directives.
3.2 Building and system accesses
Opportunities exist, through the development of a departure policy and tools, to improve the notification process ***.
Building security badges
Building security badges are issued to individuals who have a valid RCMP reliability status or security clearance, are employed or under contract for more than 90 days (i.e. contractors, co-op students) and require regular admittance to, or movement within, RCMP facilities.[Footnote 7]
RCMP policy indicates that when an employee terminates employment, the building security badge is to be collected by either the manager, supervisor or Unit Security Coordinator and forwarded immediately to the Property Security Unit. In addition, the Property Security Unit is to be advised of the departure by the manager or the Unit Security Coordinator before the end of the last day of work so that the badge can be deactivated.[Footnote 8]
The audit team reviewed a random sample of 100 employees who, according to HRMIS records, departed in 2016. The intent of the file review was to determine if building security badges were retrieved upon employee departure and whether the badges were deactivated in a timely manner. Of those sampled, 24 employees had not been issued a building security badge due to the remoteness of their workplace location. The results are depicted in Table 3 below.
Division | Building security badges returned to property security unit | Building security badges not returned to property security unit | Returned building security badges deactivated |
---|---|---|---|
NHQ and N Division | *** | *** | *** |
E Division | *** | *** | *** |
F and T Divisions | *** | *** | *** |
K Division | *** | *** | *** |
Total | *** | *** | *** |
Testing indicated that of the 76 departed employees who had been issued a building security badge, ***
RCMP policies indicate that security badges are to be deactivated immediately. ***
Property Security interviewees stated that the RCMP relies on unit managers to ensure that the badges are returned. ***.
Security clearances
Security clearances are granted to individuals working for the RCMP upon the successful completion of a security assessment in order for the person to be allowed to access classified information.[Footnote 9] The TB Standard on Security Screening indicates that all individuals will receive a formal debriefing upon termination of employment, to remind them of their continuing responsibilities to maintain the confidentiality of the sensitive information to which they have had access. The RCMP Security Manual indicates that an RCMP security clearance is normally administratively cancelled when an employee's employment is terminated.
Form TB 330-47 (Security Screening Certificate and Briefing) is completed during a security briefing with an employee after they have been granted a reliability status or security clearance. It is also used to inform the Departmental Security Section (DSS) that an employee has left the organization and to document that their security clearance should be terminated. Although member discharge request Form 1733 does not address the need to complete Form TB 330-47, the retirement guide from K Division and the PS departure form (Form 2882) state that, upon departure, Form TB 330-47 must be completed and forwarded to the divisional Personnel Security Unit (Regional DSS).
The audit team reviewed security clearance files to determine if Form TB 330-47 had been completed and examined the related HRMIS records to determine if the employee's security clearance had been administratively cancelled following their departure. The security clearance cancellation testing results, by division, are depicted in Table 4 below.
Division | Security clearance cancelled | Security clearance still active | Security file not located [Footnote 10] |
---|---|---|---|
NHQ and N Division | *** | *** | *** |
E Division | *** | *** | *** |
F and T Divisions | *** | *** | *** |
K Division | *** | *** | *** |
Total | *** | *** | *** |
***
DSSs cancel security clearances if they are notified of the departure. If not cancelled, security clearances could remain active for a period of up to 10 years after departure. ***
System access
Within the RCMP, both a Public Key Infrastructure (PKI) smart card and a user ID and password are required to access the RCMP Office Support System (ROSS). *** PKI access is administered by the IM/IT Program at National Headquarters (NHQ), while ROSS is administered in a decentralized fashion by Informatics personnel in the divisions. ***
We were expecting to find clear policies and practices relating to the deactivation of accesses and the systematic notification of the IM/IT Program when employees permanently depart the RCMP. ***
Common Services, formerly Enterprise Computing Solutions, is responsible for creating PKI accounts, putting accounts on hold and revoking PKI access for all RCMP employees. *** When notified of a departure, Common Services first puts the PKI access on hold, then permanently deactivates it if the account has not been restored within 90 days of the hold.[Footnote 11] ***
In order to mitigate this control weakness, Common Services has developed an automated script which places accounts on hold based on the employee's HRMIS status. Once a month, the script is used to identify employees who have departed the organization and to place their PKI access on hold.
Similarly, Divisional Informatics personnel rely on unit managers to advise when an employee has permanently departed the organization in order to manually shut down the ROSS log-in and the GroupWise account. ***
Best Practice:
Within K Division, K Access is a unit tasked with managing system access activation / deactivation. When an employee (RMs, CMs or PSs) is discharged, K Access receives a discharge notification from the HR Officer. From there, K Access either removes (deactivates) or sends a request to have removed all system accounts including ROSS, PKI, GroupWise, PROS, CPIC and the Alberta Government System. The work of K Access was reflected in our audit testing where shorter deactivation timelines were noted.
Using the same sample of 100 departed employees, records were examined to determine if PKI access was disabled in a timely manner. The results are depicted in Table 5 below.
Division | Account disabled less than 60 days after departure | Account disabled between 60 and 400 days after departure | Accounts still active at the time of the audit |
---|---|---|---|
NHQ and N Division | *** | *** | *** |
E Division | *** | *** | *** |
F and T Divisions | *** | *** | *** |
K Division | *** | *** | *** |
Total | *** | *** | *** |
***
These deactivation timeframe results can partly be explained by Common Services' reliance on an automated script to place accesses on hold. Deactivation timeframes are influenced by the frequency with which HRMIS data is updated, and the frequency at which the script is executed. Common Services is working towards further automating the deactivation process in order to both reduce the amount of manual intervention and to reduce delays in the process.
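The following is an added example, not part of the audit report and not RCMP code: a small model of the hold-then-revoke rule and the once-a-month HRMIS-driven script described above, showing how HRMIS update delay and script cadence add up to the deactivation lag counted in Table 5. The record fields, the run on the first of each month, the audit date, the treatment of "disabled" as "placed on hold" and all sample records are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

HOLD_TO_REVOKE_DAYS = 90  # from the report: revoke if not restored within 90 days of hold


@dataclass
class Account:
    employee_id: str
    departed: date                        # last day of work
    hrmis_updated: Optional[date] = None  # day HRMIS showed the departure (assumed field)
    ticket_on: Optional[date] = None      # help desk departure ticket, if one was raised
    hold_on: Optional[date] = None
    revoked_on: Optional[date] = None


def monthly_runs(start: date, end: date, day: int = 1) -> List[date]:
    """Dates on which the assumed once-a-month script executes."""
    runs, y, m = [], start.year, start.month
    while date(y, m, day) <= end:
        if date(y, m, day) >= start:
            runs.append(date(y, m, day))
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)
    return runs


def apply_controls(acct: Account, runs: List[date], audit_date: date) -> Account:
    """Place the account on hold at the earliest trigger, then revoke after 90 days."""
    triggers = []
    if acct.ticket_on is not None:
        triggers.append(acct.ticket_on)  # manual hold on notification
    if acct.hrmis_updated is not None:
        # The script can only act on a run that follows the HRMIS status change.
        earliest = max(acct.hrmis_updated, acct.departed)
        hit = next((r for r in runs if r >= earliest), None)
        if hit is not None:
            triggers.append(hit)
    triggers = [t for t in triggers if t <= audit_date]
    if triggers:
        acct.hold_on = min(triggers)
        revoke = acct.hold_on + timedelta(days=HOLD_TO_REVOKE_DAYS)
        if revoke <= audit_date:
            acct.revoked_on = revoke
    return acct


def lag_days(acct: Account) -> Optional[int]:
    """Days the credential stayed usable after departure (None if never held)."""
    return None if acct.hold_on is None else (acct.hold_on - acct.departed).days


def bucket(acct: Account) -> str:
    """Classify using the Table 5 thresholds; the last bucket is outside the table."""
    lag = lag_days(acct)
    if lag is None:
        return "still_active"
    if lag < 60:
        return "under_60_days"
    if lag <= 400:
        return "60_to_400_days"
    return "over_400_days"


def sample_accounts() -> List[Account]:
    """Constructed records, one per failure mode discussed in the text."""
    return [
        Account("A", date(2016, 3, 15), hrmis_updated=date(2016, 3, 20)),
        Account("B", date(2016, 6, 30), hrmis_updated=date(2016, 9, 2)),   # late HR entry
        Account("C", date(2016, 11, 10), hrmis_updated=date(2016, 12, 5),
                ticket_on=date(2016, 11, 10)),                             # same-day ticket
        Account("D", date(2016, 12, 20)),                                  # nobody notified
    ]


def run_example(audit_date: date = date(2017, 7, 31)) -> dict:
    runs = monthly_runs(date(2016, 1, 1), audit_date)
    accounts = [apply_controls(a, runs, audit_date) for a in sample_accounts()]
    return {
        "buckets": dict(Counter(bucket(a) for a in accounts)),
        "lags": {a.employee_id: lag_days(a) for a in accounts},
        "still_active": [a.employee_id for a in accounts if a.hold_on is None],
        "accounts": {a.employee_id: a for a in accounts},
    }


if __name__ == "__main__":
    report = run_example()
    print(report["buckets"])
    print(report["lags"])
    print("still active:", report["still_active"])
```

In this model the same-day ticket (account C) removes both sources of delay, while an account whose departure never reaches HRMIS or the help desk (account D) is never picked up by the script at all.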
While the automated script reduces manual intervention and may be more efficient for Common Services, testing results showed that manual deactivation completed after receiving a departure notification through a Central Help Desk ticket led to timelier PKI deactivations. For example, in K Division, where a team was created in order to ensure that all accesses were deactivated promptly and where a Central Help Desk ticket was rapidly created upon each employee departure (see Best Practice text box), ***
Testing results for the deactivation of ROSS accounts showed that *** The ROSS deactivation testing results, by division, are depicted in the table below.
Division | ROSS accounts deactivated at the time of the audit | ROSS account still active at the time of the audit |
---|---|---|
NHQ and N Division | *** | *** |
E Division | *** | *** |
F and T Divisions | *** | *** |
K Division | *** | *** |
Total | *** | *** |
These results may be due to the absence of formalized notification by the employee and/or manager to the divisional Informatics personnel (i.e. Discharge Notices sent by HR Offices are often not forwarded to the Informatics groups). ***
*** Improving the deactivation notification process would improve the ***
In August 2017, a news bulletin was issued introducing a newly developed national form (Form 710). This new form consolidates several physical and logical access forms into one form. The new form was developed to streamline the process of requesting a building security badge to access buildings (physical access), as well as obtaining ROSS and PKI access (logical access). The goal of the form is to improve the verification process for both physical and logical access requests, thereby improving security and accountability. Ideally, this form could also be used during the departure process to notify business lines of upcoming departures, and facilitate timely deactivation.
3.3 Financial recovery
CM&C is currently ***
Responsibilities
Although TB directives and guidelines state that financial management personnel or the delegated FAA section 33 holder [Footnote 12] should always sign off last to ensure that all other areas have been cleared and that no money is owed to the Crown before an employee departs, this overall responsibility has not been assigned by RCMP policy.
Debt owing at the time of departure can be associated with different financial instruments including travel and acquisition cards, advances and overdrawn leave. Different groups within CM&C manage these financial instruments. For the most part, responsibilities for the return of acquisition cards, travel cards and reconciliation of advances currently fall to the employee and unit manager. ***. This is particularly true in the case of individual travel cards and advances.
*** An examination of members' Pay files as part of this audit showed *** That said, the audit team found evidence of financial recoveries being performed on accounts with outstanding debts to the Crown.
Internal procedures exist within National Pay Operations and CM&C to recover funds when an employee departs with a balance owing. CM&C employees interviewed at NHQ stated that amounts owing can be recovered by garnishing pay, pensions or through Canada Revenue Agency set-off. When the Canada Revenue Agency set-off is used, the funds are then returned to the RCMP through interdepartmental transfer. However, neither National Pay Operations nor CM&C collected recovery amount statistics, so the audit team was unable to assess the efficiency and effectiveness of these processes.
Acquisition cards
Acquisition cards are assigned to selected employees as a convenient method of paying for low-dollar value goods and services from contracted suppliers. The outstanding balance on these cards is automatically paid monthly by Corporate Accounting. Card holders and their managers are required to conduct a 'post-payment' monthly reconciliation to certify that all purchases were properly authorized and approved, and that all charges on the cards are valid. *** The RCMP Financial Management Manual (FMM) documents the procedures to retrieve and cancel acquisition cards when an employee leaves the RCMP [Footnote 13] and assigns responsibility for destroying the cards and advising the Card Coordinator to the departing employee. ***.
The audit team sought to verify whether employees who had an acquisition card in their possession had returned the card prior to departure and whether the card had been promptly deactivated. Of the 100 employee departures sampled, 25 employees had been assigned an acquisition card. ***
Division | Departed employees assigned an acquisition card | Cards cancelled before departure | Cards cancelled within 30 days of departure | Cards cancelled within 1 to 6 months of departure | Cards cancelled more than 6 months after departure |
---|---|---|---|---|---|
NHQ and N Division | *** | *** | *** | *** | *** |
E Division | *** | *** | *** | *** | *** |
F and T Divisions | *** | *** | *** | *** | *** |
K Division | *** | *** | *** | *** | *** |
Total | *** | *** | *** | *** | *** |
Individual travel cards
To reduce the number of cash advances from the RCMP's Departmental Bank Account, employees are expected to apply for a travel card if they need to travel for work purposes. The RCMP FMM stipulates that travel card holders are responsible for all charges incurred on their cards and payment should be remitted to the issuing card company by the due date (60 days after statement date) [Footnote 14]. The RCMP pays the outstanding balance to the issuing company if an account is more than 95 days past due. In these situations, the travel card is cancelled and Corporate Accounting creates an invoice in order to recover the funds from the delinquent account holder (i.e. the employee).
The FMM indicates that employees who leave the RCMP permanently must turn in their travel cards to the division travel card coordinator. Interviews with Financial Officers indicated that they are not notified consistently when an employee departs. Account Verification runs monthly status reports to identify delinquent cards. During this process, departed employees with cards that should have been cancelled are sometimes identified.
The audit team sought to verify whether employees in possession of travel cards had returned the card prior to leaving the organization and whether the travel card had been promptly deactivated. As noted in Table 8 below, of the 100 employee departures sampled, ***
Division | Departed employees with travel card | Cards cancelled less than 30 days after departure | Cards cancelled 1 to 6 months after departure | Cards cancelled more than 6 months after departure | Travel cards still active |
---|---|---|---|---|---|
NHQ and N Division | *** | *** | *** | *** | *** |
E Division | *** | *** | *** | *** | *** |
F and T Divisions | *** | *** | *** | *** | *** |
K Division | *** | *** | *** | *** | *** |
Total | *** | *** | *** | *** | *** |
Advances
RCMP employees can obtain different types of advances (temporary, standing, and emergency salary advances, and the cadet allowance). These advances are managed by different areas within CM&C. The RCMP FMM stipulates that temporary advances should be reimbursed by the employee no more than 30 days after they are issued. [Footnote 15] In addition, the FMM requires that standing advances be reconciled continuously by the employee and that National Accounting Operations obtain from the holder a written confirmation at year-end that the advance is still required. [Footnote 16]
For PSs, the Roles and Responsibilities table from the National Pay Centre (Phoenix) regarding emergency salary advances and priority payments outlines that any money advanced will be recovered only after the employee has started receiving their regular salary and has received the full amount owed. The recovery period, in most cases, will extend over the same length of time as they received either of these types of advances.
Interviews with CM&C within the divisions indicated that reconciliations of temporary and standing advances are monitored on a monthly basis and at year-end. CM&C verifies that departing employees have no outstanding balance owing for advances, but only if they receive a copy of the member's Form 1733 (Discharge Request). Similarly, verification can only be completed for PSs if CM&C receives a notification that the employee is departing. However, it was indicated by CM&C employees that the National Pay Centre reconciles any outstanding emergency salary advances or priority payments it has issued to PSs. [Footnote 17]
Given the limited number of advances issued to employees in the audit sample, additional data analytics testing was conducted on the entire population of 1,428 employee departures during calendar year 2016. The aim of this additional testing was to verify whether employees had reconciled and repaid their advances prior to departure. This analysis indicated that while no individuals held temporary or standing advances at the time of departure, eight individuals held a total of 11 salary advances at the time of their departure from the RCMP. Eight of these salary advances had been repaid in full by the time of our testing. Three salary advances held by two PS employees could not be confirmed as repaid. For these two employees, a full analysis of advance recovery would require access to PS Pay files located at the National Pay Centre in Miramichi. We were unable to assess this as the National Pay Centre is outside the mandate of RCMP Internal Audit.
Leave
The National Compensation Manual specifies that when a member departs for a reason other than a medical discharge or death, the monetary value of any unearned annual leave credits already used by the member will be recovered from any monies owed to the member. Similar provisions are found within the PS collective agreements.
The audit team examined 65 Pay files (all RMs and CMs included in the sample of 100). This examination provided evidence that the RCMP National Compensation Services completed a discharge checklist, which included HRMIS leave transaction reconciliations. If the member's annual leave was negative (or overdrawn), the corresponding monetary value was taken from the employee's last pay.
The audit team was informed that PS leave was reconciled by the National Pay Centre. HR staff explained that since employees are paid in arrears, any amount owing, for example, for overdrawn leave, would be taken from future pay periods through the centralized Phoenix pay system. We were unable to assess either this process or its effectiveness as the National Pay Centre is outside the mandate of RCMP Internal Audit.
The overall responsibility to ensure that employees have no amount owing at the time of departure has not been assigned by RCMP policy even though this is a TB policy requirement. ***
The TB Directive on Public Money and Receivables requires that Chief Financial Officers ensure that employees return all public money owed, including outstanding accountable advances, before leaving the department. When money is owed, the Chief Financial Officer is responsible for ensuring, in collaboration with compensation services, that a process is put in place to take recovery action. ***
The monetary asset recovery process at the RCMP is decentralized. As a result, amounts outstanding / owing are managed in a dispersed manner with no one person or unit having a comprehensive process to monitor and review all outstanding monies. Without clear responsibilities and a clear, coordinated process, there is an increased risk that employees are departing with debts outstanding.
4 Recommendations
- It is recommended that all relevant internal stakeholders, including the Deputy Commissioners of Chief Human Resources Officer, Specialized Policing Services, and the Chief Financial and Administrative Officer collaborate to determine how best to fulfil the TB's policy and directive requirements in regards to the departure process and present their recommendation to the Senior Executive Committee for approval.
- Following the Senior Executive Committee's decision relating to recommendation # 1, it is recommended that the identified business lead ensure:
  - Roles and responsibilities be clarified, documented and communicated to all managers and employees;
  - National guidelines, process maps, departure tools (i.e. checklists), documentation (i.e. records management), standards and monitoring requirements be created or finalized and issued; and existing best practices be shared and incorporated across business lines;
  - Draft departure form 2688 be finalized and issued; and
  - Consideration be given to how HRMIS transactions can be incorporated to automate the notification process.
5 Conclusion
Within the RCMP, there is no overarching employee departure policy establishing roles and responsibility with respect to ensuring all assets are recovered and accesses are deactivated when an employee departs the organization. As a result, the departure process is not managed by a single process owner, but rather by various business lines in accordance with policies and procedures as they relate to specific types of accesses or assets that fall within their area of responsibility.
Overall, opportunities exist to improve the governance framework and controls surrounding the departure process. Documenting a corporate policy and approach and clearly defining roles, responsibilities and accountabilities would serve to ensure the requirements of TB policy and directives regarding employee departure are met.
In addition, defining a notification process which ensures all affected business lines are promptly notified of departures ***
Appendix A – Audit objective and criteria
Objective: The objective of this audit is to determine whether the RCMP has an effective departure framework in place that ensures individual facility and system accounts are deactivated, and financial assets are returned in a timely manner upon employee departure.
- Criterion 1: A governance structure including policies and procedures for the departmental departure process exists, is well-communicated, and is being followed.
- Criterion 2: Effective controls are in place to ensure that building and system accesses are disabled in a timely manner in order to mitigate physical and IT related risks to the organization.
- Criterion 3: Effective controls are in place to ensure monetary assets that are owed to the RCMP are recovered prior to an employee's departure.