2002 December Report of the Auditor General of Canada

December 2002 Report—Chapter 5

Insert 5.1—Controls for financial information systems—challenges remain

  • Manual processing controls. Control frameworks do not appropriately integrate manual processing controls within the new electronic control environment. Key processing controls for purchasing, payment, and confirmation of receipt of goods and services are performed outside the information systems environment. Manual controls are less systematic and less comprehensive in their application than electronic controls. They can also be more easily circumvented, presenting the potential for error or fraud through incomplete, inaccurate, or unauthorized activity.
  • Electronic security controls. Electronic security controls are not well managed. The primary control mechanism in many of the new systems is the management and control of user access rights and privileges. We found that too many individuals are provided broad system access, or that individuals are given permission to perform certain functions incompatible with their other roles and responsibilities. Consequently, information could be lost or corrupted.
  • Monitoring controls. Monitoring controls require substantial improvement. These controls are an integral part of any control framework because they engage senior management in analyzing the reasonableness of results. Without sufficient monitoring controls, data accuracy and validity may be compromised, and inaccurate or unauthorized expenditures may result. Management needs to do more than simply compare actual results with either budget figures or overall appropriation limits; such basic forms of review often fail to identify errors that have occurred but that are masked because expenses are within budget. Particular attention needs to be given to key financial performance measures (such as changes in the capital assets or liabilities under a manager's control, or the aging of accounts receivable); the review of control and subsidiary ledger accounts; the review of unusual or higher-risk transactions, including selected grant and contribution payments; the review of suspense account balances; and the performance of periodic reconciliations of key control accounts (for example, accounts receivable, intergovernmental transactions, and cash).
  • New financial systems. Departments are not fully exploiting the capabilities of their new financial systems. In many cases, these systems are used to do nothing more than compile the results produced using previously existing systems. As a result, many departments are maintaining their original systems and processes and developing interfaces between them and the new systems, rather than seeking opportunities to improve integration of these systems and processes. This approach to systems development and integration adds to the complexity and operational costs within the department because it must maintain both old and new systems and practices. Eventually these older systems will require extensive renovation or replacement. Departments need to ensure that their information systems planning gives consideration to the integration of the older systems with the new financial systems approved by the Treasury Board Secretariat.