2006 Audit Recommendations  -  Status Tracking 
  Document 4
  Audit:  Financial Control Environment    (EMC Lead:  K. Kirkpatrick / Staff Lead:  Marian Simulik)    
  Columns: Audit Recommendation | Audit Management Response | Action Required Based on DCM Implementation Plan | Management Timelines (Q1-Q4) | Budget Implications 2007 or Beyond ($$ if known) | Related Council Motions | Status Update / Comments (Status, risks, issues regarding implementation, etc.)
  SECTION ONE:  OMNIBUS RESPONSE
1 That Financial Services Branch establish, continually document and review financial processes with staff of the various FSUs and other finance groups. This would reinforce the requirement to follow expected control procedures and provide clear references for testing that the controls are effective. Management agrees with these recommendations.

This is to be considered a consolidated management response, to address audit recommendations 1, 2, 4 (a), 5, 6, 7, 8, 11, 20, 23 (b), 27, 38 and 40.  It deals with the recommendations focusing on internal controls and the Financial Management Information System (FMIS).

 • Obtain documentation for all existing financial processes
• Develop a Compliance Review Universe based on risk assessment of key financial processes;
• Review existing policies and procedures and identify gaps in control procedures;  
• Identify and document new or missing policies and procedures;    
• Establish process for reviewing financial processes with FSU and other Finance Groups to ensure that control procedures are up-to-date and are working as expected.    
• Develop training plan for FSU and other Finance groups to reinforce control procedures.
Q1-Q4/08 & Ongoing




$725,000-$900,000
This  amount applies to all the recommendations in the omnibus response.
None Sept, 2007 : All Activities are currently in progress. To date Policy & Compliance has collected 672 financial policies, procedures and guidelines from the various Finance Divisions and is in the process of analyzing these documents to determine the level of effort and resources required to bring them up to corporate standards.

Previous comment:  The Compliance Review Universe would require the use of outside resources to prepare a detailed risk assessment of all potential areas of the Corporation that could be reviewed for either compliance or process improvement. This will provide greater visibility of potential risks associated with the financial control environment and will therefore enable the Policy & Compliance staff to focus on highest risk areas from the perspective of City Management and key stakeholders, and would form the basis of their annual workplan.        
              
2 That Financial Services Branch ensure that the review, approval and other control procedures are clearly evidenced by signatures or retention of documents. Management agrees with these recommendations.

This is to be considered a consolidated management response, to address audit recommendations 1, 2, 4 (a), 5, 6, 7, 8, 11, 20, 23 (b), 27, 38 and 40.  It deals with the recommendations focusing on internal controls and the Financial Management Information System (FMIS).
• Review existing policies and procedures to incorporate this requirement and communicate to FSU and other Finance groups.
• Management will also establish a comprehensive process for capturing, communicating, and maintaining evidence of delegation of signing authority. This will require collaboration with ITS regarding enabling technology as well as considerations involving shared/secure access.
Q1-Q2/08   Purchasing By-Law; Delegation of Authority By-Law. Sept 2007: The review of existing policies and procedures is currently underway to identify gaps in the control requirements.
4a) That Financial Services Branch develops finance and accounting specific training and that finance staff be encouraged to pursue such training. Management agrees with these recommendations.

This is to be considered a consolidated management response, to address audit recommendations 1, 2, 4 (a), 5, 6, 7, 8, 11, 20, 23 (b), 27, 38 and 40.  It deals with the recommendations focusing on internal controls and the Financial Management Information System (FMIS).
Finance specific training has been in place since 2002 and will be upgraded to reflect new control requirements; External training will be provided in the use of automated data mining tools, as well as regulatory requirements such as commodity taxes and PSAB. SAP training would require the establishment of the proposed FMIS Unit in Finance. On a longer term basis,  a comprehensive training needs assessment will be undertaken to identify any gaps and opportunities to enhance staff competency levels. Q4/07 - Q4/08     Sept. 2007: In process
Training sessions addressing changes to financial processes and commodity taxes are scheduled from September 10 to October 12/07. Additional SAP training requires the establishment of the FMIS Unit, which is dependent on completion of BPRP to identify funds and the budget approval for FTEs.
5 That Financial Services Branch conduct periodic reviews of disbursements with a particular focus on those that appear to be inconsistent with the City’s policies and general business practices. Management agrees with these recommendations.

This is to be considered a consolidated management response, to address audit recommendations 1, 2, 4 (a), 5, 6, 7, 8, 11, 20, 23 (b), 27, 38 and 40.  It deals with the recommendations focusing on internal controls and the Financial Management Information System (FMIS).
• A compliance review process has been in existence since 2001.
• Audit Control Language (ACL) will be implemented to enhance the scope and efficiency of the ongoing compliance reviews. A proposal and CVC has been submitted to IT, but implementation is subject to VAP approval and scheduling.
Q2/08 n/a None Sept. 2007: Installation scheduled for Sep 24; Testing/Training Oct/07; Go live Nov/07

Previous Comment: Compliance review process completed.
                         
Audit Control Language (ACL) will be implemented to enhance the scope and efficiency of the ongoing compliance reviews. A proposal and CVC has been submitted to IT, but implementation is subject to VAP approval and scheduling.


6 That Financial Services Branch ensure that guidelines be developed within the City’s financial control framework to ensure that FSUs implement consistent control procedures.

That Financial Services Branch ensure that in those rare instances where internal control practices need to differ between FSUs, these are based on risk assessment, and are clearly communicated and documented.  Units or divisions that rely on controls within FSUs should have a clear understanding of the internal control processes. 
Management agrees with these recommendations.

This is to be considered a consolidated management response, to address audit recommendations 1, 2, 4 (a), 5, 6, 7, 8, 11, 20, 23 (b), 27, 38 and 40.  It deals with the recommendations focusing on internal controls and the Financial Management Information System (FMIS).
  Q3/08 n/a None Sept. 2007: A detailed action plan has been prepared to identify variations in FSU operating policies and procedures and to take steps to harmonize those differences to the extent practical. Efforts are also underway to identify options for resourcing this project.
 • Specific directives and control requirements will be outlined within the proposed Financial Control Framework.
7 That Financial Services Branch review all practices used by FSUs so as to develop one stringent set of guidelines/procedures for all FSUs to adhere to.

That, as part of its Financial Management Control Framework, Financial Services Branch clearly delineate, document and communicate the role and responsibilities of FSUs.
Management agrees with these recommendations.

This is to be considered a consolidated management response, to address audit recommendations 1, 2, 4 (a), 5, 6, 7, 8, 11, 20, 23 (b), 27, 38 and 40.  It deals with the recommendations focusing on internal controls and the Financial Management Information System (FMIS).
  Q4/08 n/a None Sept 2007
• See omnibus response regarding roles and responsibilities.                                                         
  Currently on FSB workplan                                      
• This will require use of outside resources to develop  a comprehensive document based on FSU client operations.
11 That Financial Services Branch in conjunction with Information Technology Services Branch analyze and modify the Corporate Financial Management System (SAP) design and reporting functions to better meet the needs of FSUs and other users. 

That Financial Services Branch in conjunction with Information Technology Services Branch develop and offer “advanced” Corporate Financial Management System (SAP) training to increase staff capabilities.
Management agrees with these recommendations.

This is to be considered a consolidated management response, to address audit recommendations 1, 2, 4 (a), 5, 6, 7, 8, 11, 20, 23 (b), 27, 38 and 40.  It deals with the recommendations focusing on internal controls and the Financial Management Information System (FMIS).
This requires the establishment of the FMIS Unit.
• FMIS Business Analyst must work with the FSU and Client to determine their training needs;
• ITS will provide some basic training, training environment and logistical support as required
Q4/08 - Q4/09 n/a None Sept 2007
This requires the establishment of the FMIS Unit, which is dependent on completion of BPRP to identify funds and the budget approval for FTEs.
20 That Financial Services Branch review all practices used by FSUs so as to develop one stringent set of guidelines and procedures for all FSUs, which include the consistent occurrence of three way matching. Management agrees with these recommendations.

This is to be considered a consolidated management response, to address audit recommendations 1, 2, 4 (a), 5, 6, 7, 8, 11, 20, 23 (b), 27, 38 and 40.  It deals with the recommendations focusing on internal controls and the Financial Management Information System (FMIS).
• This requires the establishment of the FMIS Unit.
• See comments under Recomm. #1; Same as #7 and #8.
• Create task description and communicate to all FSUs.
Q3/08   None Sept 2007:
• All 672 existing FSB policies and procedures are  currently under review, as well as options to revise or update those documents.
• Additional resources will be required to complete this project.
• See also Recomm. #7 re. harmonizing FSU procedures
27 That Financial Services Branch require that Supply Management Division verify the authority of staff that are approving budgetary releases.  In addition, if such releases are not approved by an FSU staff, that Supply Management Division ensure that the employee has the proper authority. Management agrees with these recommendations.

This is to be considered a consolidated management response, to address audit recommendations 1, 2, 4 (a), 5, 6, 7, 8, 11, 20, 23 (b), 27, 38 and 40.  It deals with the recommendations focusing on internal controls and the Financial Management Information System (FMIS).
• Each FSU to prepare a list of employees with budgetary release authority.
• FSU to act as screener to ensure appropriate signing authority.
• In addition, a comprehensive signing/delegation of authority project is currently underway.
Q4 n/a PBL/Delegation of Authority B/L Sept. 2007: FSB is in discussions with ITS to develop a comprehensive process for capturing, communicating, and maintaining evidence of delegation of signing authority and specimen signatures.

See also Recommendation #2, above.
40 a) That Financial Services Branch, as part of their periodic disbursement review, examine the supporting documentation, transaction details, investigate unusual items and take appropriate action.

b) That Financial Services Branch, direct staff to ensure purchase orders be established prior to the ordering, receipt or payment of any purchases.      

c) That Financial Services Branch, develop and implement a policy relating to invoice payment terms and payment practices. Management Response.
Management agrees with these recommendations.

This is to be considered a consolidated management response, to address audit recommendations 1, 2, 4 (a), 5, 6, 7, 8, 11, 20, 23 (b), 27, 38 and 40.  It deals with the recommendations focusing on internal controls and the Financial Management Information System (FMIS).
  Q4/07 - Q3/08 n/a None Sept 2007:
(a) Complete.
(b) Complete.
(c) A Corporate Payment Policy is currently under development and should be completed on schedule.

A/P has implemented a second cheque run per week.

See also Recommendation #2, above.
  Audit recommendations 1, 2, 4 (a), 5, 6, 7, 8, 11, 20, 23 (b), 27, 38 and 40.

OMNIBUS MANAGEMENT RESPONSE:
Management agrees with these recommendations.

This is to be considered a consolidated management response, to address audit recommendations 1, 2, 4 (a), 5, 6, 7, 8, 11, 20, 23 (b), 27, 38 and 40.  It deals with the recommendations focusing on internal controls and the Financial Management Information System (FMIS).

At amalgamation, the Financial Services branch created a new policy and compliance unit responsible for: conducting regular compliance reviews; developing, documenting and maintaining policies and procedures; creating business processes and operating guidelines; and dealing with all commodity tax issues. 
The organizational structure for the policy and compliance unit has 11 FTEs, with 2 FTEs dedicated to developing and maintaining the 53 policies and procedures for which the branch is responsible. However, the 2 staff assigned to the policy area were redeployed due to the increased workload of this unit, stemming from the credit card audit, the Universal Program Review and changes in legislative requirements. As a result, Financial Services has focused insufficient attention on policy and procedure documentation of internal controls.
  $725,000-$900,000
This applies to all the recommendations in the omnibus response.
  Status updates / comments and timelines have been included beside each recommendation in the previous section.
  Management has re-staffed the policy and compliance unit to its original complement. This unit will continue to document and review financial processes, with the staff of the Financial Service units and other finance groups ensuring that consistent control procedures are applied. The policy and compliance unit will also develop new policies and guidelines to support the City’s financial control framework. 

The compliance unit was initially focused on conducting compliance reviews in the area of credit card transactions, but has been expanded to cover key financial processes such as payments without reference to a purchase order, travel claims, petty cash, departmental purchase orders, hospitality, gifts and entertainment, and other such activities as determined by senior management. Compliance reports are circulated to management and financial services staff on a quarterly basis. In response to the recommendations in this audit, the scope of the compliance unit will expand to include periodic reviews of disbursements and invoices to ensure they are in compliance with the City’s policies and business practices.
       
  As part of the compliance review, Financial Services will continue to ensure that staff is establishing purchase orders prior to the commencement of work or the receipt of goods, when the purchase order is the basis of the contract. There are some rare occasions where exceptions to this principle are warranted in order to ensure there is no interruption of essential City services such as in the purchase of salt and gas. Furthermore, Financial Services will also continue to ensure that the employee authorizing expenditures has the appropriate level of delegated authority.

The training budget for Financial Services was established at amalgamation in 2001 at approximately $67 per employee. Due to on-going budget constraints, the training budget has not been increased since that time. Subsequently, Financial Services staff training has lagged behind optimal levels. In response to the audit recommendation, specific finance and accounting training will be offered to staff. Training will be provided, through a combination of in-house and external providers, on City-specific policies and procedures, including the use of the Corporate Financial Management System (SAP).
       
  Section 286 (1) of the Municipal Act assigns responsibility for financial internal controls of the City to the Treasurer. City Council, through its approval of the City’s organizational and management structure and the Centre of Expertise model, has directed the Treasurer to discharge these responsibilities within this organizational framework. To ensure sufficient financial controls are in place, the City Treasurer delegates relevant responsibilities for financial internal controls to specific divisions within Financial Services, including the accounting and reporting division.

Management recognizes that the Corporate Financial Management System (SAP) requires on-going modifications to increase the utility of the system. In 2006, the Financial Services and Information Technology Services branches implemented an on-going process for the identification, prioritization and implementation of SAP enhancements in order to actively control this process within Finance. When these improvements are made, it will be easier for Financial Services staff to use the technology to track activities and create reports. In addition, a number of SAP “real-time” financial reports are available for managers to access on the City’s intranet. This allows managers to keep up-to-date on financial management issues within their areas of responsibility.
       
  Financial Services will also continue to work with ITS to review the ability to disallow changes to the status of transactions in order to ensure that only essential, authorized persons, as approved by management, will have this access. Financial Services continues to work with ITS to ensure proper training and supervision of staff. Ernst & Young identified the issue of segregation of duties in the inventory management area in their 2005 management letter. As a result, Council approved additional resources in the 2007 budget that permits appropriate segregation of duties and system access.

Management has also committed to creating a Financial Management Information System  (FMIS) unit within the accounting section.  This unit will be modeled after the Employee Services Human Resources Information System  (HRIS) unit. Creating a specific unit allows the Financial Services branch to develop in-house system experts within the branch capable of ensuring that SAP will be modified to meet the diverse needs of the branch. Modification will ensure increased operational efficiency and will allow the branch to maximize the return on the City’s investment in the technology.

Financial Services will develop a Payment Terms Policy as part of its planned review of the accounts payable process. This review will start in Q2 2007 and will be completed by Q3 2007. It should be noted that the process controls for invoice payment terms are already in place.

       
  This audit has allowed management to implement many improvements that will strengthen existing internal financial controls. Management agrees with the Auditor’s recommendations and will ensure they are implemented. In order to fully comply with the Auditor’s recommendations, the Financial Services branch has examined existing resource levels with a view to redeploying resources wherever possible. As a result of this analysis, it has determined that some reallocation is possible, however, the branch will require additional resources.

Resources will be required to provide adequate staffing, implement system modifications and provide training identified by the Auditor General. To fully comply, it is estimated that the cost will be approximately $725,000 to $900,000. Prior to requesting additional resources, management has made a commitment to advance the review of the Financial Services branch, as part of the Branch Process Review Program. Any savings identified through this process will be used to fund activities related to implementing the Auditor General’s recommendations. The BPRP review will take place by Q4 2007.
       
  SECTION TWO:  ALL OTHER RECOMMENDATIONS  
3 That Financial Services Branch in conjunction with Employee Services Branch ensure that detailed task and job descriptions are developed as part of process documentation in order to provide a basis for training and reference for finance employees. Management disagrees with this recommendation.

The City’s current practice is to develop job descriptions that reflect the skills, knowledge, professional qualifications and experience requirements of the positions, and to list the major duties of the position.  This is of value to the City with respect to multi-incumbent positions where only one generic job description is needed.  Financial Services will instead improve the detailed process descriptions.
Detailed process descriptions will be reviewed as part of the overall strategic direction for the Branch and a decision will be made following the completion of the scheduled BPRP. Q4/08 n/a None Sept. 2007: A briefing note is being prepared.
4b) That Financial Services Branch identifies an appropriate number of positions that require an accounting designation. Management disagrees with this recommendation.

Management believes that Financial Services already has an appropriate number of staff with accounting designations in the Financial Service units and the Accounting and Reporting division. Within these divisions, there are currently 18 professional accountants out of a total of 62 positions, almost a 1:3 ratio. All positions in Financial Services were reviewed with respect to the requirement for a professional designation following amalgamation. The branch will continue to determine the skills and abilities required of its staff, including the requirement for an accounting designation, as new positions are created and job requirements change to meet emerging needs.  Management feels that it is more appropriate to look at the number of professional accountants within CIPP and the management groups within the FSU and Accounting and Reporting divisions of Financial Services. 
FSB will review which positions require a professional designation and identify other appropriate qualifications for the remaining Finance positions. The Branch will also identify steps taken to encourage staff to upgrade their skills. Q4 n/a None Sept. 2007: An inventory is being completed of professional designations within Finance.  A briefing note will be provided. 
9 That Financial Services Branch review current Corporate Financial Management System (SAP) user authorization in relation to incompatible duties and modify access as required and that such reviews be conducted periodically. Management agrees with this recommendation.

The Auditor General noted that 25 users have the ability to create a vendor, enter an invoice, create cheque information and post outgoing payments. Of these 25 users, 3 are operational staff and 22 are ITS staff.  Management is aware of the assignment of these duties to operational staff.  In this case, the Manager of Accounting and Reporting has provided written authorization approving operational staff's access to meet operational requirements.  ITS staff use their access to provide user support to Helpline calls and to research reported problems.  ITS will take steps to review the number of staff who have access and will apply the same standard of care with respect to incompatible duties, although these staff do not update data and transactions within the production environment. This review will commence in Q2 2007.
• Discussion and documentation of the rationale for a set of comprehensive controls that will govern access to the vendor maintenance function.
• Needs Assessment to determine who needs access and which requests should be elevated to Deputy Treasurer
• Review and document compensating controls 
• Establish process for quarterly review of incompatible duties 
• Audit position in Stores Inventory to be filled by year end. 
• ITS to review support roles in SAP production and reduce the number of ITS staff that are able to make changes to production.   
  ITS to provide access in such a way as to separate incompatible duties in the SAP Support Centre.
Q4/07 n/a None Sept 2007 
1. Complete. ITS has reviewed SAP production support roles and has reduced the access to the minimum number of ITS staff (four) required to maintain the production SAP environment.

2. ITS duties assigned to the four roles are separated to avoid incompatible duties.

3. ITS access security reviews being conducted weekly.

4. ITS requirements for non-standard access assigned on a time limited basis, for specific task completion only after formal management review.

5. Complete. Periodic reviews have been in place since Q1 2003.

6. Draft Procedure for monthly/quarterly review of profiles in conflict and controlling role conflicts have been completed. All documentation to be completed by Q4/07.
10 That Financial Services Branch in conjunction with Information Technology Services Branch review systems design to implement controls to disallow overriding prices, processing of duplicates, drawing and taking greater than set sick leave allowance, etc., and that reviews be conducted on a regular basis to confirm that any override capabilities deemed necessary are appropriate and approved.  Management disagrees with this recommendation.

There are operational requirements that require overrides of the standard processes.  Management understands there are additional risks associated with such overrides, but there are compensating controls to mitigate such risks.  For example, in order to release contract holdbacks, the system requires that the authorizing document be amended.  There is no way to release holdbacks without this override ability.  The compensating controls are that the ability to amend the document is limited to the supervisor of Accounts Payable and that every override has to be documented.  The system generates a report for review by management of all overrides so that they can be checked against the list maintained by the A/P supervisor. 
See #9, re: rationale for comprehensive access controls.
• Identify compensating controls;
• Determine whether current practices are reasonable and provide reasons for or against;
• Requires a separate project for each of the six items to review and document the rationale for each override and why it is necessary.
• (a) N/A;    
• (b) ACL request submitted to ITS;
• (c) Currently on ITS workplan
• (d), (e), (f) - None
Start in Q1 /08 n/a None Sept. 2007: A briefing note is provided.
    These types of compensating controls exist for all system overrides. Specific management comments regarding the audit findings are as follows:
a. SAP override - No such functionality exists in SAP. CLASS is a stand-alone program that is linked to SAP via an interface file.  Pricing information does not exist within SAP and thus price overrides are not possible.
b. Duplicate invoice payments - See management response in Section 5.3.1.
c. Cheque printing – See management responses in Sections 5.3.5/5.3.6.
d. Sick days – See management response in Section 5.4.5 
e. Annual leave - See management response in Section 5.4.8
f. Pay rates - See management response in Section 5.4.5
         
12 That Financial Services Branch in conjunction with Information Technology Services Branch limit the level of access to the CLASS system to those persons who require access for the performance of their duties and have proper authorization level and provide “read only” access to those who do not necessitate and are not authorized to make changes to the arena and sportfields modules of CLASS. Management agrees with this recommendation and it has already been implemented.

Financial Services and ITS will continue to work in partnership with Parks and Recreation, as the business process owners of the CLASS application, to ensure the adequacy of the internal controls.
The process of ensuring the adequacy of internal controls will be ongoing, whereby facility supervisors/managers will sign-off on the appropriate security profile for their staff. 
The Branch requires a formal policy for levels of access in the CLASS system.  Level of access documentation for all staff is required to be on file and a review of any conflicts documented and resolved. Q4 n/a None Sept. 2007: In Process.
Currently facility supervisors determine required level of authorization required for their staff.  Requests are submitted to Class Support in writing and initiated in Class.  Class Support has been tracking all documented requests on line using magic software since April 1, 2007. 
13 That Financial Services Branch in conjunction with Recreation and Parks Branch require the review of open contracts become a formal process requiring reports to be printed and signed off by the area managers. Follow-up should be documented on the reports supporting the analysis and work performed. This will ensure that appropriate revenues are recorded in a timely manner. Management agrees with the recommendation.

Financial Services in consultation with Parks and Recreation will develop a formal process for the sign off of the Rental Control Report by Q3 2007. 
A formal procedure is required to be put in place which requires formal sign off on all reports and tracking/documentation of actions. Q3 1 FTE in 2008 - for all the required controls/processes that need to be implemented, tracked and documented in the Class system in Parks & Recreation None Sept. 2007: In Process.
Currently two reports are provided to staff monthly by Class Support - Rentals to Completed and Rentals to be Completed with Security Deposits.  As well, following each rental session, the Tentative Rental Bookings report is circulated to all staff to ensure rentals are firmed up and charges correctly applied to customer accounts.  A formal procedure is being prepared to be implemented in the 4th quarter for all outstanding rental contracts clearly outlining process and deadlines for cleanup activities.  Quarterly, these reports will be a standing agenda item at the management quarterly financial meetings where reviews/follow up action will take place on all outstanding items from these reports.
14 That Financial Services Branch in conjunction with Information Technology Services Branch review CLASS system design to prohibit price overrides and that price changes only be allowed by supervisory approval and completed separately in order to differentiate the sales at regular prices and the discounts or other changes made. Management agrees with the recommendation. 

Financial Services and ITS will continue to work in partnership with Parks and Recreation, as business process owners of the CLASS application, to ensure the adequacy of the internal controls.  In 2006, management reviewed and restricted price override capabilities through the security group control in the program registration module of CLASS.  An additional review of other CLASS modules will be completed by Q3 2007 to determine other areas where these controls can be further restricted. 
• Define Standards for internal control purposes.
• Review system controls and assess adequacy of internal controls;
• Document process to allow Deputy City Treasurer to sign off on all system overrides that affect the financial control environment.
• ITS to advise on potential solutions as required.
Q3/08 n/a None Sept. 2007
• Review in process.
• The review and documentation phase will be completed by Q3/07
• The development of new business practices and procedures will be completed by Q4/07 detailing risk analysis and documentation of any acceptable exceptions to procedures.   Class system design unable to address this issue.                               

Sept. 2007: A briefing note is provided.
Complete

Lists already exist and the FSU undertake this veri
16b) That Financial Services Branch in conjunction with Parks and Recreation Branch and Information Technology Services Branch review the CLASS system design to disallow refunds past the program end date.
Management disagrees with this recommendation.

The technology is not available in the CLASS system to customize the program registration module in this way.  There is a system limitation that does not allow the automated prevention of refunds after 50% of the program has elapsed.  In the registration module, each registration session (spring, summer, fall, winter) must be marked “completed” before refunds can no longer be processed.  With thousands of programs each session with different start and end dates, this is a back-end function completed by the CLASS Support team and is set at 30 days after the end of each session.  This window of opportunity is necessary for staff to perform a final clean-up of accounts as a result of cancelled classes, etc.
The Branch, in conjunction with Parks & Recreation will determine required compensating controls in the processing of refunds.  Management will determine a process and procedure for reviewing reports in CLASS for assessing reasonableness of refunds and ensuring the policy is being implemented properly across the Branch. Q4 n/a None Sept. 2007: remains unresolved.  A briefing note will be provided.
The system automatically stops refunds for memberships from being processed and after 50% of the program has elapsed for registrations.  There is no system default for rentals or POS sales. 
*  Parks & Recreation branch has implemented a process to close all course registrations 30 days after the end of each registration session.  For example, the last course in the spring session ends June 30th.  All spring programs are closed on July 31st, and no refunds can be processed in CLASS following that date.  All refunds after that date must go to the FSU.
*  In 2006 the FSU processed 1,228 cheque refunds totalling $164,000. The FSU processes all cheque refunds from CLASS.  Staff process credit card refunds in CLASS up to the date the registration session is closed. 
*  P&R is customizing the current Class refund report to include additional information required for Management review in determining if the refund policy is being properly implemented at their locations. This report will be a standing agenda item at the quarterly financial review meetings and a procedure for review/action will be implemented.
16c) That Financial Services Branch establish a procedure requiring the appropriate FSU to review a predetermined percentage of CLASS refunds. Management agrees with this recommendation.

Financial Services will expand the scope of the compliance review program to include CLASS refunds if it determines that the value of such refunds exceeds the cost of the additional resources required to carry out the reviews. Such a review will also assess the compensating controls that are in place, or have recently been put in place, to mitigate the financial risk inherent with issuing refunds. Management has agreed to implement this recommendation; however, it feels that additional or reallocated resources are required. Prior to requesting additional funds during the 2008 budget process, management has made a commitment to advance the review of Financial Services, as part of the Branch Process Review Program, to identify efficiency savings for reallocation towards the required resources. The total estimated resource requirement is $60,000-$75,000.
FSU to incorporate this requirement in their job descriptions and workplans. Q1 2008 none at this time
see management response
None Sept. 2007: The FSU in conjunction with the Policy & Compliance Division of Finance and P&R are preparing a procedure for reviewing a predetermined percentage of Class refunds.  P&R is customizing the current refund report to include additional information required for this review.  Policy & Compliance hope to have special software in place by Q1 2008 to select samples from this report for testing. 
17 That Financial Services Branch in conjunction with Parks and Recreation Branch analyze and review accounts receivable balances on a timely basis and retain documentation for follow-up and actions being taken by the City. Management agrees with this recommendation.

In 2006, the Parks and Recreation branch implemented quarterly reviews of outstanding receivable balances from reports provided from CLASS. In addition, clear direction has been given to staff regarding the timely collection of accounts receivable and training on the running of reports has commenced for facility supervisors.

The Parks and Recreation branch has an established practice of transferring overdue accounts receivable to the Accounts Receivable unit, which has the expertise for collecting on overdue accounts. This is in accordance with the COE model adopted and implemented by the City at amalgamation.
The Parks and Recreation branch, in conjunction with Financial Services, will establish a policy and procedure for reviewing of accounts receivable balances which will include actions required and follow-up on outstanding balances. Q4 n/a None Sept. 2007: CLASS Support and FSU are completing the AR reports training for all facility supervisors. Expected completion will be by Q3.  Area and Division manager AR reports training is expected to be completed by Q4.
*  Detailed AR reports for registrations and memberships are distributed to Area Managers each quarter with comparisons to past due accounts in prior quarter. 
*  A draft procedure is in process with respect to actions following reviews. Documentation is being kept by the FSU and summary reports are prepared comparing outstanding AR for each quarter. 
*  Currently, Branch wide AR reports are not available for the rental system. These must be run by facility as the report is too long and will crash.  The FSU is investigating a way to have these run each quarter to add to their AR information and analysis.  These will be added to the quarterly review meetings by Q3.
19 That Financial Services Branch in conjunction with Information Technology Services Branch review the system design to include controls that do not permit entry of duplicates, as well as, reports that identify possible duplicate entry. 
That Financial Services Branch establish more stringent review by FSUs, and greater follow-up by Accounts Payable to prevent duplicate payments.  In addition, a program of on-going review designed to identify duplicate invoice processing would also reduce the risk of duplicate payments or serve as a mechanism for cash recovery.  A comprehensive approach would serve to prevent duplicate entries, reduce duplicate payments, and increase the prospect for cash recovery in the event of a duplicate payment.
That Financial Services Branch recover duplicate payment totalling $9,064 and the overpayment of $750 (see 5.6.2), identified in this audit.
Management disagrees with this recommendation.

Management is of the opinion that internal controls to prevent the processing of duplicate supplier invoices are already appropriate to manage the risk of such errors in a cost effective manner.
  The error rate of this review was a small fraction of 1%.
However, as a precautionary measure, Financial Services is assessing the value of using Audit Control Language as a detective tool to identify any duplicated payments and will be completing a review of the accounts payable process by the end of Q4 2007.
Financial Services has recovered all the duplicate payments identified in the recommendation.
• Ongoing Analysis by A/P
• Scheduled compliance testing is already in place
• FSB is in consultation with ITS in order to implement Audit Control Language solution, which would permit more timely detection and recovery of duplicate payments.
Q1/08 n/a None Sept. 2007: ACL being ordered to allow for timely detection. Although management is satisfied with the current business process, SAP configuration options will be reviewed in 2008-Q1 to ascertain the feasibility of enhancing the duplicate invoice validation routine. A briefing note is provided  to explain the circumstance for permitting duplicate payments.                         
21 That Financial Services Branch establish a practice requiring all goods based invoices be signed off by the client department as evidence of receipt of goods.  If the invoice is not signed, that the Accounts Payable staff return the invoice to the FSU for approval on a timely basis. Management disagrees with this recommendation.

The current process requires that vendor invoices be routed directly to Central Accounts Payable, where staff relies on the controls embedded in SAP to process the payments for goods-based invoices. Service-based invoices are re-routed to the FSU for the client’s approval and sign-off.
It is also important to distinguish between inventory goods and non-inventory goods receipts. For inventory goods, a goods receipt entry is processed at the inventory location on the basis of a packing slip. The packing slip is retained at the receiving site. Compensating controls include an automated inventory management system and physical inventory counts. For non-inventory goods, the goods receipt is entered by the client or the FSU on the basis of a packing slip, if one is available, otherwise, an invoice is used for that purpose. The packing slip is retained at the receiving site.
• Document process for receipt of inventory and non-inventory goods
• Document ordering/receiving/payment function
• Assess risk of fraud or other irregularities involving the procurement of goods and services.
• The procedure will outline the control process
Q2 2008 n/a None Sept. 2007: A briefing note is provided. 
21   The above processes leverage the best practices embedded in SAP, including the three way match between the purchase order, goods receipts, and vendor invoice. Management’s preference is to have all goods receipts issued on the basis of packing slips and to continue routing all vendor invoices to Central Accounts Payable. This will minimize the number of lost or misplaced invoices and reduce the likelihood of late payment fees.          
22 That Financial Services Branch in conjunction with Information Technology Services Branch review the Corporate Financial Management System (SAP) design and configuration to disallow changes to the status of the transaction by anyone that is capable of processing invoice payments. Management disagrees with this recommendation.

There are a number of valid reasons for allowing or requiring changes to the status of accounts payable documents.  These include the release of holdback and changes to the method of payment.
Based upon a review of the findings, management has determined that the incident reported by the Auditor was caused by an error of omission.  Financial Services staff at one of the City’s locations were improperly removing the system-generated payment blocks.  Further investigation revealed that this was a gap in process training.  Management has corrected this oversight. There are compensating controls to detect the inappropriate removal of payment blocks and this report will now be reviewed on a regular basis.
• Document the existing compensating controls
• Develop process to review and maintain SAP tracking/exception report
Q4 n/a None Sept. 2007: A briefing note is provided.

• Operating department has been directed to change the current practice
• FSB needs the flexibility for error correction and for releasing holdbacks
23a) That Financial Services Branch in conjunction with Information Technology Services Branch review the Corporate Financial Management System (SAP) design and configuration to permit for a single download of the daily and weekly Corporate Financial Management System (SAP) cheque run to the printer or at a minimum require special approval for the file to be re-printed.  Management agrees with this recommendation.

Management believes that there are already sufficient compensating controls in place in its accounting for the usage of the secure forms used to create cheques. However, in response to this recommendation, management, in conjunction with ITS, will review SAP design and configuration options to permit for a single download of the daily/weekly SAP cheque run to the printer or at a minimum require special approval for the file to be re-printed.  It is estimated that the modification to the system will cost $25,000-$50,000 of professional services effort.  This includes conducting an IT security threat and risk assessment and reconfiguring SAP to ensure the proper security measures are in place to permit a single download of the weekly cheque run to the printer.  Due to other corporate IT priorities, this work will not commence until late Q4 2007.
• Document compensating controls   
• IT review and risk assessment is currently on ITS Workplan
Q3/08 n/a None Sept 2007
Management has changed its position and disagrees with this recommendation.  A briefing note has been prepared.
26 That Financial Services Branch establish a procedure requiring two signatures on all cheque requisitions and that reconciliations be maintained by someone other than the individual who orders and receives the cheques.  Management disagrees with this recommendation.

Management believes that there are already sufficient manual controls in place. Part of the control processes include that the City’s supplier of cheques verify the person and organization placing the order and ensure continuity and completeness with respect to document number sequence. 
As well, incoming cheque stock orders are delivered to shipping and receiving where they are verified against the accompanying packing slip. The packing slip is initialled by the receiver and delivered with the cheques to the print shop coordinator who passes them to the senior supervisor for final verification and safe storage. It should also be noted that the cheque stock, as is the case for any type of secure document, is produced under tight controls by the paper manufacturers.
FSB will continue to monitor the controls and risks in this area to ensure the control measures are working as intended.     None Sept. 2007: remains unresolved.  A briefing note is provided.

Management has documented the control process and has provided this to the AG.
26   As part of the continuous improvement process, management will explore the possibility of assigning the ordering function to an individual other than the supervisor. Corporate Security also reviewed the procedures when the print shop started to print Employment and Financial Assistance cheques.          
30 That Employee Services Branch require that supervisors ensure there is an Incumbent Report for the staff directly reporting to them and review these for any errors, incorrect data entered or unauthorized employees or changes to employees’ pay grade or level. Management does not agree with this recommendation.

The role of Employee Services is to ensure that human resource reports are available to managers and to provide training on the use of these reports.  Employee Services does not control whether managers use these reports.  Managers are responsible for managing their staff, which includes reviewing human resource reports on a regular basis.
The Position Incumbent Report is available at all times in SAP to managers, their administrative assistants, and to supervisors of 15 or more direct reports as per the SAP licensing model approved during the IBS Project. Managers can also access their Position Incumbent Report via the City’s intranet without using SAP. 
None n/a n/a None Sept. 2007: remains unresolved. 

31 That Employee Services Branch require that Display Changes to Employee Pay Information Report can be generated and reviewed by:
a) Payroll Analysts, and

b) Supervisors.
(a) Management agrees with this recommendation and it was already in place prior to the audit.

Payroll Analysts have always had access to a report to review changes to employee pay information. An enhanced report was built in late 2006 and Payroll Analysts now utilize Report ZRXHR126B to view changes to employee pay information each pay.

(b) Management does not agree with this recommendation.

Regarding the supervisors, presently there are already many controls in place to ensure changes to employees’ pay are complete and accurate. These include: written authorization by the manager for pay rate changes, payroll audits, management reports such as the Position Incumbent Report and Cost Center Report that identifies charges against the manager’s budget.
None     None (a) Complete

(b)
Sept 2007: Remains unresolved
32a) That Information Technology Services Branch in conjunction with Employee Services Branch identify all significant system overrides and these be eliminated.  That in the rare occasion when overrides are deemed necessary, that they are restricted to a limited number of users.  At a minimum, create detective controls that would prevent errors from flowing through the financial data.   Management does not agree with this recommendation. 

Management believes that it is not necessary to eliminate overrides as the Payroll division already has controls in place to ensure that all pay rate changes including pay overrides are in accordance with management’s authorization.
For example, the salary scales in the ATU 1760 contract have only a minimum and maximum salary. In some unions, employees have red-circled rates of pay as allowed under collective agreement provisions. In both these situations it is incumbent on the Payroll division to manually update the system with the appropriate pay rate.
With respect to economic increases, where overrides are required, an independent verification of the override is performed by a second Payroll Analyst to ensure compliance with collective agreement provisions. Payroll currently performs many audits to capture system changes including overrides.
(a) Document compensating controls
(b) Document process for management review of any overrides.
Q3/08   None Sept. 2007: remains unresolved. 
36 That Employee Services Branch require that Supervisors review Payroll Cost Center reports. Management does not agree with this recommendation.

Employee Services has made Payroll Cost Center Reports available to managers, program managers, and supervisors with more than 15 direct reports. Employee Services also provides SAP-HR manager and refresher training sessions to instruct users on the uses of this report, and encourages them to review their reports regularly. The Financial Services branch also works with managers on an ongoing basis to review cost center charges and identify anomalies. The City’s accountability framework for managers stipulates that human resource and financial management is the responsibility of the operating manager.
In addition to the Payroll Cost Center Report, managers have access to financial cost center reports that provide a comprehensive picture of the manager’s entire budget.
None Sept 2007: this item remains unresolved