Delegation of Financial Signing Authorities

January 2008

Executive Summary
Introduction
Audit Objective
Audit Scope
Overall Audit Opinion
Statement of Assurance
Summary of Internal Control Strengths
Summary of Internal Control Weaknesses

Detailed Report
Audit Approach, Methodology, and Criteria
Audit Approach and Methodology
Audit Criteria

Findings and Recommendations

Appendix A: Audit Criteria and Conclusions

Appendix B: Segregation of Duties

Management Action Plan

Executive Summary

Introduction

The internal audit of the Delegation of Financial Signing Authorities is part of the Risk-Based Annual Internal Audit Plan 2007-08 approved by the Canadian Institutes of Health Research (CIHR) Governing Council.

As an arms-length agency of government, CIHR is accountable to Parliament through the Minister of Health. CIHR's stewardship is the responsibility of its Governing Council, which is chaired by the CIHR President. The President is also the chief executive officer of CIHR and is responsible for its day-to-day management and direction. For 2007-2008, CIHR's forecast is for 406 full-time equivalents and $872.2M in spending.

Audit Objective

It is Government of Canada policy that ministers and deputy heads delegate and communicate financial authorities in a manner and form that provide controls on the disbursement of public money by adequately enforcing an appropriate division of responsibilities. The audit addresses the risk that public monies may be disbursed for unauthorized purposes. The objective of the audit is to assess the adequacy of the delegation of authorities at CIHR and whether the delegation instrument properly reflects CIHR's financial management control framework.

Audit Scope

The scope of the audit covers policy and procedural requirements for the delegation of authorities, as set out in the Treasury Board (TB) Policy on the Delegation of Authorities.

The delegation of authorities is an internal control tool based on appropriate segregation of duties or division of responsibilities, with specific reference to Sections 32 (Commitment Control Authority), 33 (Payment Authority), and 34 (Contract Performance Authority) of the Financial Administration Act (FAA). This internal control comprises policies, standards, procedures, and related activities planned, organized, directed, and monitored by management to ensure that public monies are appropriately disbursed and accounted for. Controls are adequate if management has planned and organized in a manner that provides reasonable assurance that related risks will be managed effectively.

During the audit, the newly appointed Director, Financial Operations and Monitoring, who is the audit client, initiated a formal project, The Review of the Delegation of Financial Signing Authorities. The project's objective is to improve the overall internal financial controls over key business processes by revising the current Delegation of Financial Signing Authorities policy and procedures. After discussions with the Director, Financial Operations and Monitoring, Internal Audit decided to optimize the cost-benefits of the audit and inform the project activities by reporting immediately on its assessment of the adequacy of controls.

The Audit of the Acquisition Card Program, November 2007, and the Audit of Contracting Services, September 2005, included delegation of authorities in their scopes. A follow-up of Contracting Services has been scheduled in the CIHR Risk-Based Internal Audit Plan. Therefore, this audit considers the overall management control framework for the delegation of authorities in all of CIHR, not the specific controls for the Acquisition Card Program and Contracting Services.

Overall Audit Opinion

We have concluded that the management control framework for the delegation of financial signing authorities has moderate issues: There are control weaknesses, but overall risk exposure is limited because either the likelihood or the impact of the risk is not high. Please see the detailed report for an assessment of each audit criterion.

Statement of Assurance

In my professional judgement as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided in this report. The audit of the Delegation of Financial Signing Authorities was conducted in accordance with the Federal Government Policy on Internal Audit and related professional standards. The audit opinion is based on a comparison of conditions that existed at the time of the audit against established audit criteria that were agreed upon with management. The evidence is sufficient to provide senior management with proof of the opinion.

Summary of Internal Control Strengths

As required by government policy, the CIHR President has formally delegated and communicated financial authorities in writing.
In compliance with policy, authorities are delegated to positions identified by title, not to individuals identified by name.
Persons in positions with delegated authorities are informed of their responsibilities through the CIHR Policy on Delegation of Financial Signing Authorities, which is available on the CIHR intranet Policy site. The Policy includes a Chart, which is the formal instrument for delegating authority to organizational positions of CIHR. It depicts the delegation by position, function, area of authority, and nature and type of expenditure. In addition, the intranet site contains an FAQ that explains and clarifies the policy requirements.
Human Resources (HR) has established a Policy on the Delegation of Human Resources Signing Authorities to identify the level of authority required for the effective management of human resources at CIHR, to be exercised within the constraints of HR policies and in conjunction with the Delegation of Financial Signing Authorities.
Finance and HR use the delegation instruments to verify the exercise of delegated authority.
Spending authority is delegated to Responsibility Centre (RC) managers according to their budgetary requirements and responsibilities.
As required by government policy, payment authority is delegated to positions classified as "financial officer" that can independently verify the exercise of spending authority.
Finance has initiated a project to revise the current Delegation of Financial Signing Authorities Policy, Chart, Specimen Signature Cards, and related processes. The project's delivery date is April 2008.

Summary of Internal Control Weaknesses

The current Delegation of Financial Signing Authorities Chart needs more clarification and precision to be effective as a formal delegation instrument and enable proper segregation of duties. The Chart assigns potentially incompatible authorities to some positions and payment authority (Financial Administration Act (FAA) Section 33) to other positions with titles that are too general to ensure proper delegation. There is no clear delineation between functional and operational authorities for those positions in Finance and Contracting that are vested inherently with both.
Training for RC managers on the application of the Delegation policy has not been given since the Financial Policy and Training Officer position was vacated a year and a half ago.
Financial Operations uses Public Key Infrastructure (PKI) to perform FAA Section 33 certification of transactions submitted to the Public Works and Government Services Canada (PWGSC) payment system. However, a formal policy and procedures on Electronic Authorization and Authentication as required by federal government policy have not been established.
There have been no formal periodic reviews and updates of delegated authorities as required by government policy. In particular, Specimen Signature Cards (SSC) used for verifying authorization signatures have not been kept up to date.
Financial Operations performs 100% verification of FAA Section 34, Contract Performance. However, there has been no formal monitoring of overall compliance with policy.

Dev Loyola-Nazareth
Chief Audit Executive
Canadian Institutes of Health Research

Detailed Report

Audit Approach, Methodology, and Criteria

Audit Approach and Methodology

The assessment of the adequacy of delegation of authorities at CIHR was conducted through interviews with management and staff at Financial Operations and Monitoring and Human Resources, review of relevant documentation, identification and description of controls related to delegation of authorities, and analysis of the controls against audit criteria.

The audit was conducted between August and November 2007.

Audit Criteria

Criteria for the audit were based on following:

Treasury Board (TB) Policy on the Delegation of Authorities,
Financial Administration Act (R.S.C., 1985, Chapter F-11), sections 32, 33 and 34,
TB Policy on Electronic Authorization and Authentication, and
TB Secretariat Memorandum to Senior Financial Officers and Senior Full-Time Financial Officers, on Delegation of Financial Authorities, October 23, 1996.

Detailed criteria and conclusions are contained in Appendix A of this report.

Findings and Recommendations

The following are audit observations on internal control weaknesses in the delegation of financial signing authorities at CIHR.

Observation	Impact	Recommendation
1. The Delegation of Financial Signing Authorities Chart needs more clarification and precision to be effective as a formal delegation instrument and enable proper segregation of duties. As required by policy, the Chart identifies authorities by position and not by individual. However, in some cases, the Chart assigns potentially incompatible authorities to certain positions and payment authority (Financial Administration Act (FAA) Section 33) to positions with titles that are too general to ensure proper delegation and segregation of duties. a. The basis for the delegation of authorities to University Delegates is not clear. In addition, the delegation includes potentially incompatible authorities. University Delegates are not employees of CIHR. They represent CIHR at Universities and are given Standing Advances up to $5K for use in promoting and disseminating information about CIHR. In addition, they have been delegated full FAA Section 32 Commitment Control Authority; Expenditure Initiation Authority for Hospitality, Goods, Printing Requisitions, and Requisitions for Service Contracts; Contract Authority; and FAA Section 34 Contract Performance Authority. b. There is no clear delineation between functional and operational authorities for those positions in Finance and Contracting that are vested inherently with both. These positions have Spending Authority within their own budgets and also exercise FAA Section 32 Commitment Control and Section 34 Contract Performance Authorities for other functions. c. Manager, Administration has full FAA 34 Contract Performance and Inventory Write-down Authorities. d. The Contracting Officer has full Contract and FAA Section 34 Contract Performance Authorities. e. Director, Finance and Administration had full Spending Authorities for goods and services, Other Authorities, and FAA Section 34 and FAA 33 Authorities. This position has been replaced by two Directors: Financial and Corporate Planning and Reporting, and Financial Operations and Monitoring. f. Within each Area of Authority, the same person may perform both Expenditure Initiation and Certification of receipt of goods and services under Section 34. In other words, the Chart does not specify segregation of duties for RC managers, between the ordering and the receipt of goods and services within their budgets. g. In the Chart, Manager, Corporate Financial Services or equivalent includes Manager, Financial Administration, Grant and Awards; Project Manager, Modern Comptrollership; and Manager, Financial Planning and Advisory Services. All these positions have FAA Section 33 Payment Authority plus other authorities such as Ex Gratia Payments up to $2K, Loss of Money, and Inventory Write-Off and Disposal of Material. Financial Officer or equivalent includes Financial Advisor; Financial Systems Officer; Financial Reporting and Analysis Officer; and Senior Operations Officer. All these positions have FAA Section 33 Payment Authority.	Lack of proper segregation of duties exposes CIHR to the risk of error and unauthorized payments. Appendix B describes Segregation of Duties.	It is recommended that Director, Financial Operations and Monitoring revise the Delegation of Financial Signing Authorities Chart to depict clear delegation and segregation of duties between and within functions and operations.
2. Training for Responsibility Centre (RC) managers on the application of the Delegation policy has not been given since the Financial Policy and Training Officer position was vacated a year and a half ago.	RC managers may not be aware of the proper application of the policy, their related roles and responsibilities, and the exercise of segregation of duties. As a result, the policy may not be followed and there may be a lack of proper segregation of duties, which exposes CIHR to the risk of error and unauthorized payments.	It is recommended the Director, Financial Operations and Monitoring provide a course on Delegation of Financial Signing Authorities to RC managers. The course should be repeated periodically to ensure that new RC managers are trained in their responsibilities.
3. Formal policy and procedures on Electronic Authorization and Authentication as required by federal government policy have not been established. Electronic authorization and authentication (EAA) is the electronic process that affixes proof of authorization to a transaction, contributes to the protection of data integrity, and ensures that the authorizer can be identified. Together with appropriate management practices, EAA results in accountability controls for the conduct of electronic business. At CIHR, Manager, Financial Operations uses Public Key Infrastructure (PKI) to perform FAASection 33 certification of transactions submitted to the Public Works and Government Services Canada (PWGSC) payment system. It is government policy that electronic business transactions be properly authorized, validated, and safeguarded against loss, alteration, duplication, substitution, or destruction. Departments must establish policies and procedures that will ensure that the distribution and communication of authorities and the delegation process itself, when in an electronic form, are protected by an approved digital signature and key management process. Encryption and key management processes for EAA must be endorsed or approved by CSE. A sound EAA control framework includes Access Control, Key Management, and an Audit Trail.	The absence of formal policy and procedure increases the risks that appropriate controls are not in place to maintain the integrity of transactions and their related authorization throughout the payment process.	It is recommended that Director, Financial Operations and Monitoring develop and implement formal policy and procedure on Electronic Authorization and Authentication.
4. There have been no formal periodic reviews and updates of delegated authorities as required by federal government policy. In particular, the Specimen Signature Cards (SSC) used for verifying authorization signatures have not been kept up to date.	Without formal periodic reviews and updates, there is a risk that delegation instruments such as the Chart and Specimen Signature Cards will not reflect changes in the organization and, consequently, unauthorized transactions may be processed for payment.	It is recommended that Director, Financial Operations and Monitoring implement a formal process for reviewing and updating the delegated authorities and related instruments at least annually. Director, Financial Operations and Monitoring should collaborate with Director, Human Resources to ensure that organizational changes affecting delegated authorities are reported by Human Resources to Financial Operations and Monitoring on a timely basis.
5. There has been no formal monitoring of overall compliance with policy, to detect and correct the improper use of the authorities delegated to subordinates. It should be noted, however, that Financial Operations performs 100% verification of FAA Section 34 Contract Performance.	Without a formal monitoring process, there is no assurance that that the policy is being followed and authorities are properly exercised.	It is recommended that Director, Financial Operations and Monitoring implement a formal monitoring process for ensuring compliance with the Delegation of Financial Signing Authorities policy.

Appendix A Audit Criteria and Conclusions

The audit uses the following definitions to make its assessment of the control framework.

Conclusion on Audit Criteria	Definition of Opinion
Well Designed Control	Control is well designed, no material weaknesses noted or only minor improvements are needed.
Moderate Issues	Control design is weak, but exposure is limited because either the likelihood or the impact of the risk is not high.
Significant Improvements Required	Control design requires significant improvements in the area of material financial adjustments or control deficiencies represent serious exposure.

Overall Conclusion

The audit has concluded that the weaknesses in the management control framework for the delegation of financial signing authorities represent moderate issues.

Criteria	Reference to Observations	Conclusions
1. The CIHR President formally delegates and communicates financial authorities in writing.		Well Designed Control.
2. Authorities are delegated to positions identified by title, not to individuals identified by name.	1	Moderate Issues.
3. Persons in positions with delegated authorities are well informed of their responsibilities in this regard.	2	Moderate Issues.
4. No person is permitted to exercise authorities unless the President has formally delegated these authorities and the officer to whom the incumbent of the position reports has formally designated the person.	4	Moderate Issues.
5. Persons properly designated to exercise authorities do not delegate these authorities.		Well Designed Control.
6. Spending authority is delegated to responsibility centre managers according to their budgetary responsibility in order to ensure that they have adequate authority and full responsibility for their decisions.		Well Designed Control.
7. There are four general categories of duties or responsibilities which are examined when segregation of duties is discussed: authorization, custody, record keeping, and reconciliation. In an ideal system, different employees would perform each of these four major functions. For individuals involved in the expenditure process, the following functions are kept separate: procurement; certification of the receipt of goods and the provision of services; determination of entitlement, verification of accounts, and preparation of requisitions for payment or settlement; and certification of requisitions for payment or settlement pursuant to Section 33 of the Financial Administration Act. If the process or other circumstances do not allow such separations of duties, alternate control measures are implemented (e.g., acquisition cards).	1	Moderate Issues.
8. Payment authority is delegated to positions classified as "financial officer" that can independently verify how other officers exercise spending authority.		Well Designed Control.
9. a. A specimen signature document is prepared as soon as a new employee is appointed to a position with delegated authorities.	4	Moderate Issues.
9. b. This specimen signature along with delegation documents is available in all locations where the signatures will have to be recognized and honoured.		Well Designed Control.
9. c. The specimen signature document is cancelled and withdrawn as soon as the incumbent gives up the duties of the position, and withdrawn and replaced when departmental reorganizations or policy changes modify any of the information it contains.	4	Moderate Issues.
9. d. It is government policy that electronic business transactions be properly authorized, validated, and safeguarded against loss, alteration, duplication, substitution, or destruction. Departments must establish policies and procedures that will ensure that the distribution and communication of authorities and the delegation process itself, when in an electronic form, are protected by an approved digital signature and key management process. Encryption and key management processes for EAA must be endorsed or approved by CSE.	3	Moderate Issues.
10. The signatures of persons authorized to exercise authorities are authenticated before the processing of the transaction.	4	Moderate Issues.
11. CIHR reviews and updates all delegated authorities, including electronic delegation matrixes, specimen signature documents, and validation and authentication processes in use, at least annually.	4	Moderate Issues.
12. CIHR carries out control measures periodically to monitor compliance with policy and prevent the improper use of the authorities delegated to subordinates.	5	Moderate Issues.

Appendix B Segregation of Duties

The delegation of authorities is based on an appropriate segregation of duties or division of responsibilities. Segregation of duties is a basic, key internal control that can be difficult to achieve. It is used to ensure that errors or irregularities are prevented or detected on a timely basis by employees in the normal course of business. With proper segregation of duties, fraud is more difficult to perpetrate because it requires collusion of two or more persons, and innocent errors are more likely to be found.

At the most basic level, segregation of duties means that no single individual should have control over two or more phases of a transaction or operation. If a single person can carry out and conceal errors and, or, irregularities in the course of performing his day-to-day activities, he has likely been assigned or allowed access to incompatible duties or responsibilities. Therefore, management should assign responsibilities to ensure a crosscheck of duties. Some examples of incompatible duties are:

Authorizing a transaction, and receiving and maintaining custody of the asset that resulted from the transaction.
Receiving cheques (payment on account) and approving write-offs.
Depositing cash and reconciling bank statements.
Having unlimited access to assets, accounting records, and computer terminals and programs. For instance, having access and using cheques as the source documents to post to accounting records rather than using a cheque log or receipts.

There are four general categories of duties or responsibilities which are examined when segregation of duties is discussed: authorization, custody, record keeping, and reconciliation. In an ideal system, different employees would perform each of these four major functions. In other words, no one person should have control of two or more of these responsibilities. The more negotiable the asset, the greater is the need for proper segregation of duties, especially when dealing with cash, negotiable cheques, and inventories.

In situations in which duties cannot be fully segregated, mitigating or compensating controls must be established. Mitigating or compensating controls are additional procedures designed to reduce the risk of errors or irregularities. For example, if the record keeper also performs a reconciliation process, a detailed review of the reconciliation could be performed and documented by a supervisor to provide additional control over the assignment of incompatible functions. Segregation of duties is more difficult to achieve in a centralized, computerized environment. Compensating controls in that arena include passwords, inquiry only access, logs, dual authorization requirements, and documented reviews of input and output.

Management Action Plan

December 2007

Observation	Recommendation	Action Plan	Initial Timeframe
1. The Delegation of Financial Signing Authorities Chart needs more clarification and precision to be effective as a formal delegation instrument and enable proper segregation of duties. As required by policy, the Chart identifies authorities by position and not by individual. However, in some cases, the Chart assigns potentially incompatible authorities to certain positions and payment authority (Financial Administration Act (FAA) Section 33) to positions with titles that are too general to ensure proper delegation and segregation of duties. a. The basis for the delegation of authorities to University Delegates is not clear. In addition, the delegation includes potentially incompatible authorities. University Delegates are not employees of CIHR. They represent CIHR at Universities and are given Standing Advances up to $5K for use in promoting and disseminating information about CIHR. In addition, they have been delegated full FAA Section 32 Commitment Control Authority; Expenditure Initiation Authority for Hospitality, Goods, Printing Requisitions, and Requisitions for Service Contracts; Contract Authority; and FAA Section 34 Contract Performance Authority. b. There is no clear delineation between functional and operational authorities for those positions in Finance and Contracting that are vested inherently with both. These positions have Spending Authority within their own budgets and also exercise FAA Section 32 Commitment Control and Section 34 Contract Performance Authorities for other functions. c. Manager, Administration has full FAA 34 Contract Performance and Inventory Write-down Authorities. d. The Contracting Officer has full Contract and FAA Section 34 Contract Performance Authorities. e. Director, Finance and Administration had full Spending Authorities for goods and services, Other Authorities, and FAA Section 34 and FAA 33 Authorities. This position has been replaced by two Directors: Financial and Corporate Planning and Reporting, and Financial Operations and Monitoring. f. Within each Area of Authority, the same person may perform both Expenditure Initiation and Certification of receipt of goods and services under Section 34. In other words, the Chart does not specify segregation of duties for RC managers, between the ordering and the receipt of goods and services within their budgets. g. In the Chart, Manager, Corporate Financial Services or equivalent includes Manager, Financial Administration, Grant and Awards; Project Manager, Modern Comptrollership; and Manager, Financial Planning and Advisory Services. All these positions have FAA Section 33 Payment Authority plus other authorities such as Ex Gratia Payments up to $2K, Loss of Money, and Inventory Write-Off and Disposal of Material. Financial Officer or equivalent includes Financial Advisor; Financial Systems Officer; Financial Reporting and Analysis Officer; and Senior Operations Officer. All these positions have FAA Section 33 Payment Authority.	It is recommended that Director, Financial Operations and Monitoring revise the Delegation of Financial Signing Authorities Chart to depict clear delegation and segregation of duties between and within functions and operations.	Responsibility: Director, Financial Operations and Monitoring Action: 1 a) Part of the review of the CIHR’s Delegation of Financial Signing Authorities will include the removal the University Delegates from our Instrument. The University Delegates will however be able to retain their standing advances of up to $5K for use in promoting and disseminating information about CIHR if they are authorized by CIHR employees who have the appropriate delegate financial authority. Further discussions will be to take place with those impacted to ensure the smooth implementation of this decision. 1 b) The Financial Operation and Monitoring Directorate is in the process of revising CIHR’s Delegation of Financial Signing Authorities. As part of this review will include the development and implementation of instruments such a revised summary chart, a table of equivalent positions and a specimen signature record that will limit functional authorities to those financial officers within the Financial Operations and Monitoring Directorate. The contract performance function, i.e. Section 34 currently exercised by the CIHR Procurement officers will be also be modified so that it becomes a shared responsibility with the responsibility center budget holders who issued the contract and the Administrative Services Shipping and Receiving Officer who performs the goods and service receipt functions. 1 c) Part of our revision of the CIHR Delegation of Financial Signing Authorities will include a review of the current Section 34, Contracting Performance authority of the Manager, Administration’s to limit this authority to only cases of pressing emergencies. Part “C” of the new CIHR Delegation of Financial Signing Authorities instrument will contain a proper definition of what is a case of pressing emergency and the central agency reporting requirement associated with such an authority. The Manager, Administration, as primary custodian of CIHR’s inventory and assets should have functional delegated authority to write-off material assets that are lost due to fire, theft, accidents or that are reported missing during regularly scheduled inventory reviews. However, this delegated authority will be subject to the prescribed guidelines as outlined in Part “C” of the Delegated Financial Signing Authorities instrument and will also be subject to an annual review by the Financial Monitoring Unit as part of CIHR’s yearly reporting exercise for the Public Accounts of Canada. 1 d) It should be recognized that when Section 34, of the Financial Administration Act is given a designated position with functional authority, the incumbent of this position is exercised this authority on behalf of, or as an agent for, the responsibility center manager who has budgetary responsibility. In addition, all transactions that are subject to Section 34 contract performance sign-offs by the Procurement Officer are subject to an independent verification by the Accounting Operations Unit. 1 e) f) Part of our review of CIHR’s Delegation of Financial Signing Authorities will include the implementation of a Table of Equivalent Positions that outlines the levels of delegated financial signing authorities granted to specific positions within CIHR. This table will also be utilized to delineate between those positions that have been granted operational authorities, i.e. delegated financial authorities that are linked to an RC manager’s financial budget and functional authorities, i.e. those delegated financial authorities linked exclusively to corporate functions such as finance or procurement. Each incumbent to those positions identified in the Table of Equivalent Positions will be required to have a new specimen signature record signed off by a manager at a higher level to ensure their areas of authorities are in sync with their level of authorities. The implementation of both the Table of Equivalent Positions and the new Specimen Signature record will address the concerns raised by Internal Audit regarding the proper segregation of duties for RC managers and that levels of financial signing authorities granted to specific incumbents are restricted to their areas of responsibility. 1 g) One of the key recommendations of the review of CIHR’s Delegation of Financial Signing Authorities will be to limit the exercise of Section 33 of the Financial Administration Act (FAA) to the Chief Financial Officer position and specific positions within the Financial Operations and Monitoring Directorate. No other positions will be granted authority to exercise Section 33 of the FAA unless the incumbent has received prior authorization from the Chief Financial Officer or the Director, Financial Operations and Monitoring.	April 1, 2008
2. Training for Responsibility Centre (RC) managers on the application of the Delegation policy has not been given since the Financial Policy and Training Officer position was vacated a year and a half ago.	It is recommended the Director, Financial Operations and Monitoring provide a course on Delegation of Financial Signing Authorities to RC managers. The course should be repeated periodically to ensure that new RC managers are trained in their responsibilities.	Responsibility: Director, Financial Operations and Monitoring Action: The Financial Operations and Monitoring Directorate plans to implement a Delegation of Financial of Authority training course and FAQ document that will be offered to all CIHR who have delegated financial authorities prior to the issuance of their new specimen signature record. This course will be repeated on a periodic basis to ensure managers can continue to demonstrate their understanding of the delegation instrument and are aware of their responsibilities and their accountabilities for spending decisions.	April 1, 2008
3. Formal policy and procedures on Electronic Authorization and Authentication as required by federal government policy have not been established. Electronic authorization and authentication (EAA) is the electronic process that affixes proof of authorization to a transaction, contributes to the protection of data integrity, and ensures that the authorizer can be identified. Together with appropriate management practices, EAA results in accountability controls for the conduct of electronic business. At CIHR, Manager, Financial Operations uses Public Key Infrastructure (PKI) to perform FAA Section 33 certification of transactions submitted to the Public Works and Government Services Canada (PWGSC) payment system. It is government policy that electronic business transactions be properly authorized, validated, and safeguarded against loss, alteration, duplication, substitution, or destruction. Departments must establish policies and procedures that will ensure that the distribution and communication of authorities and the delegation process itself, when in an electronic form, are protected by an approved digital signature and key management process. Encryption and key management processes for EAA must be endorsed or approved by CSE. A sound EAA control framework includes Access Control, Key Management, and an Audit Trail.	It is recommended that Director, Financial Operations and Monitoring develop and implement formal policy and procedure on Electronic Authorization and Authentication.	Responsibility: Director, Financial Operations and Monitoring Action: The Resource Planning and Management Portfolio in close collaboration with the Information and Technology Management Services utilizes Public Works and Government Services Canada (PWGSC) electronic authorization and authentication (EAA) system that includes an approved digital signature and key management process to manage the interface between CIHR's financial system and the Receiver General for Canada's Central Financial Management Reporting System and the Standard Payment System. The day-to-day management as to which position/incumbent is authorized to access the EAA system is a shared responsibility between the Financial Operations and Monitoring Directorate and Information and Technology Management Services. Financial Operations is responsible for identifying those positions where the incumbents are authorized under the Section 33 of the Financial Administration Act (FAA), to access the EAA System. Information and Technology Management Services is responsible for ensuring compliance to PWGSC requirements for granting end-user access to the EAA system. This dual control provides the assurance that business transactions are properly authorized, validated and safeguarded against loss, duplication, substitution or destruction. It should be noted however that the Resource Planning and Management Portfolio currently does not have a formal policy and procedures governing the transfer of roles and responsibilities related to the internal management of the electronic authorization and authentication system particularly in situations when an employee leaves CIHR or when a new employee is assigned to take on these duties. This situation will be rectified as part of the review of CIHR's Delegation of Financial Authorities instrument.	April 1, 2008
4. There have been no formal periodic reviews and updates of delegated authorities as required by federal government policy. In particular, the Specimen Signature Cards (SSC) used for verifying authorization signatures have not been kept up to date.	It is recommended that Director, Financial Operations and Monitoring implement a formal process for reviewing and updating the delegated authorities and related instruments at least annually. Director, Financial Operations and Monitoring should collaborate with Director, Human Resources to ensure that organizational changes affecting delegated authorities are reported by Human Resources to Financial Operations and Monitoring on a timely basis.	Responsibility: Director, Financial Operations and Monitoring Action: A formal process for reviewing and updating the delegation instrument and individual specimen signature records on an annual basis will be jointly implemented with the Director, Human Resources once the Delegation of the Financial Authority Instrument Project is completed. It should be noted that the Director, Human Resources is a current member of the Working Group that is tasked with the oversight of the Delegation of Financial Signing Authority Instrument Project. This should facilitate the synergy between the two groups when time comes to ensuring organizational changes are properly reflected in the both delegation instruments on a timely basis.	June 1, 2008
5. There has been no formal monitoring of overall compliance with policy, to detect and correct the improper use of the authorities delegated to subordinates. It should be noted, however, that Financial Operations performs 100% verification of FAA Section 34 Contract Performance.	It is recommended that Director, Financial Operations and Monitoring implement a formal monitoring process for ensuring compliance with the Delegation of Financial Signing Authorities policy.	Responsibility: Director, Financial Operations and Monitoring Action: A formal monitoring process will be implemented for ensuring compliance with the Delegation of Financial Authority policy once the current review of CIHR's Delegated Financial Authorities instrument is completed. This monitoring process will be supported by offering managers training sessions on the new Delegation Instrument as well as through regular meetings between managers and financial officers to ensure managers are made aware of their financial management responsibilities and accountabilities and that they can demonstrate their understanding of the delegation instrument.	June 1, 2008

Search

Funding

Institutes

Strategies

Initiatives

Signature initiatives

Strategic initiatives

Collaboration

Research highlights