Management Action Plan (MAP) Status Update Report

Transcription

1 Management Action Plan (MAP) Status Update Report Office of Audit and Ethics April 19, 2010 E-DOCS-# v2-Report MAP Status Update April 13, DOC 1

2 1. EXECUTIVE SUMMARY As required by the Policy on Internal Audit and in compliance with the Internal Audit Standards of Canada, internal audit is required to follow-up on past audit recommendations. In July 2009, CNSC s Audit Committee approved the Annual Audit Plan including a follow-up of past CNSC audits. This report presents the results of our review and the status on the implementation of management action plans (MAPs) for the following audits: - Audit of Contracting and Procurement, Audit of Sealed Source Controls, Audit of the Corporate Security Program, OAG Management Letter - Fiscal year ending April 2009 The objective of the follow-up process is to determine whether staff and management are meeting commitments made in response to previous audit recommendations and whether progress in addressing them has been satisfactory. The follow-up audit process focuses attention on significant recommendations and findings and ensures continued monitoring until they have been addressed and resolved. As such, it provides relevant information to the President and senior management in holding those responsible for corrective action to account for actions planned and taken. Update as at At OAE s request, management provided an update on the implementation of the management action plans that remained OPEN at the conclusion of the October status update for the audits of Corporate Security Program (5) and the OAG s Management Letter of July 9, 2009 (2). This report also presents a status update for two new audits that were previously tabled and accepted at the October audit committee meeting, namely, the Audit of Sealed Source Controls and the Audit of Contracting and Procurement. Section 2, Status of Management Action Plans includes the details of the Audit of Uranium Mills and Mines Division (UMMD), however, we did not request an update at this time since the one outstanding management action is only due in July

3 The chart below illustrates CNSC s overall progress in implementing all of the Management Action Plans (MAPs) listed in this report. Status January 1/10 Summary of all MAPs Change since January Total As at January 30/10 New MAPs Total As at March 31/10 Complete In progress: On track Delayed Not addressed 0 0 Obsolete Total

4 2. STATUS OF MANAGEMENT ACTION PLANS 2.1 Contracting and Procurement Office of Audit and Ethics Scale Status Number of Recs 1 Complete 1 2 In progress: On track 1 Delayed 3 3 Not addressed 4 Obsolete 0 Total 5 CLOSED 1 OPEN 4 This is our first follow up for the Audit of Contracting and Procurement which was tabled and approved in October 2009 this audit resulted in 5 audit recommendations and management action plans. Since that time, Contracting Management Services (CMS) completed one of the MAP and started to address the remainder. Actions taken include the completion of the Terms of Reference for the Contract Review Board (CRB) which was recently approved by Management Committee. Now that the Terms of Reference are in place, CMS will focus on formally establishing the CRB who will be responsible for implementing a post contract evaluation process. CMS is also consulting with other government departments in an effort to identify best practices for post contract evaluation processes. Implementation of the evaluation process has been delayed from March 2010 to March The FreeBalance update has been rescheduled for the summer of 2010 instead of the spring 2010; this will impact the implementation of revised service standards as this is dependant on the information that will be captured in Freebalance. In total, the implementation dates for 4 MAPs have been extended. 2.2 Sealed Source Controls Scale Status Number of Recs 1 Complete 0 2 In progress: On track 1 Delayed 1 3 Not addressed 4 Obsolete 0 Total 2 CLOSED 0 OPEN 2 4

5 This is also the first follow up for the Audit of Sealed Source Controls which resulted in two (2) recommendations. Each MAP is comprised of several actions and implementation dates. Some of the detailed actions have already been completed while others are in-progress and on track. One action has been delayed from December 2009 to December 2010 to allow for the publication of the sealed source compliance data in the new Nuclear Substance Regulations industry report instead of the 2009 National Sealed Source Registry report. 2.3 Corporate Security Program Scale Status Number of Recs 1 Complete 14 2 In progress: On track 5 Delayed 3 Not addressed 0 4 Obsolete/non-significant 5 Total 24 CLOSED 19 OPEN 5 For this follow up period, the Corporate Security Division reported the completion of two of the seven items that were previously in progress. The Corporate Security Division continues to work on the implementation of the outstanding MAPs and the overall progress is reported as being on track. 2.4 OAG Management Letter Scale Status Number of Recs 1 Complete 6 2 In progress 0 On track Delayed 3 Not addresses 0 4 Obsolete 0 Total 6 CLOSED 6 1 OPEN 0 The Finance and Administration Directorate (FAD) fully implemented the 2 MAPs that were previously reported as in-progress. These dealt with the need to review and adjust the cost recovery formula and the rates charged for special projects thereby ensuring full compliance with the CNSC Cost Recovery Fees Regulations. 1 Completed MAPs will remain OPEN for OAG monitoring and follow-up purposes 5

6 Both these recommendations have been completed. Effective April , the CNSC increased the hourly rate from $200/hr to $250/hr for Formula Fees and special projects. Although, we report all 6 MAPs as completed and, these will remain OPEN for OAG monitoring and follow-up purposes until such time as the OAG completes its annual audit of the financial statements and confirms that the audit issues have been effectively addressed. 2.5 Uranium Mines and Mills Division (UMMD) Scale Status Total # of Recs 1 Complete 7 2 In progress: On track 1 Delayed 3 Not addresses 0 4 Obsolete 0 Total 8 CLOSED 7 OPEN 1 No follow up conducted at this time as the implementation date for the one outstanding item is only due in July Detailed Status Update Complete details of the progress made in implementing specific MAPs are provided in the following exhibits: Exhibit A Audit of Contracting and Procurement Exhibit B Audit of Sealed Sources Exhibit C Audit of Corporate Security Program Exhibit D OAG Management Letter In order to provide a complete picture of the management response to an audit, each exhibit presents a list of all audit recommendations included in the original audit report and a high level overview the MAP implementation status. It should be noted that the information contained in this update was provided by the officials responsible for implementation of the management action plans and has not been verified or confirmed by OAE. Based on the significance of the reported observations or recommendations, OAE will determine whether a comprehensive Follow- Up Audit, over and above OAE s status update, is warranted and should be included in the annual Risk-Based Audit Plan. 6

7 Exhibit A - Audit of the Contracting and Procurement Implementation Status Update As at March 31, 2010 OVERVIEW - Recommendations 1 Ensure effective quality control mechanisms are implemented for contract files processing and actions and decisions are adequately documented. Regular quality control reviews of files using a risk-based approach should be done. Person (s) Accountable Security Contracting and Procurement Division (SCPD) Status CMS implemented a revised contract signing authority delegation instrument and documented all CMS processes. CMS continues to research best practices for a quality management system. Management reporting mechanisms in the proposed Contract Review Committee terms of reference (TOR) should be designed. 2 In the absence of a contract tracking system, a performance measurement framework should be developed for the contracting function. Information Management Technology Directorate (IMTD) The Contract Review Board s terms of reference were approved at MC March 18, The update of FreeBalance (financial system) that will provide enhanced procurement business practices has been delayed to summer Re-institute the Contract Review Board to ensure effective oversight of contracting activities. Implement a formal postcontract evaluation process. 4 Implement a formal, documented risk management framework for contracting activities. 5 The Human Resources Directorate should ensure the Management Fundamentals training program includes a module on contracting. Security Contracting and Procurement Division (SCPD) Security Contracting and Procurement Division (SCPD) SCPD, Strategies, Programs and Learning Division (SPLD) The development of services standard will be dependant on the FreeBalance upgrade and, as such, has been delayed to December The reactivation of the Contract Review Board has been rescheduled for July 2010, to allow for a review of the board membership. Post contract evaluation has been delayed from March 2010 to March Implementation date has been extended to March 31, 2011 as the framework is to be presented to the CRB for approval. Module has been completed and training is currently being offered. 7

8 Exhibit B - Audit of Sealed Sources Implementation Status Update As at March 31, 2010 OVERVIEW - Person Status Recommendations (s) Account able 1. CNSC should consider changes to the content of the annual NSSR/SSTS report to provide internal and external stakeholders a more complete and accessible account of CNSC activities related to sealed sources. DG, DNSR A report on lost and stolen radioactive material has been made available on the CNSC external website (January 2010). This report provides the status of the materials that are missing. The license condition and licensee compliance of those conditions for the tracking sealed sources for 2009 will be included, in the annual report generated by DNSR. (December 2010). 2. Information in the LOUIS and LISE databases should be electronically integrated to address control weakness. Interim, manual reconciliation procedures should be established until an electronic link is established. DG, DNSR A process plan for the electronic integrating of the LISE/LOUIS databases will be completed by June 2010 in order to facilitate, the physical integration that is scheduled for March Increased reporting capabilities will be realized once COGNOS, [the business intelligence software] is fully operational at CNSC. This initiative is still on track for April In order to address some of the weaknesses in controls, an automatic notification system and a new verification process for all export licenses issued by (NECD) has been implemented as of October Acronyms NSSR - National Sealed Source Registry, SSTS Sealed Source Tracking System NECD - Non-proliferation and Export Control Division DNSR - Directorate of Nuclear Substance Regulations (DNSR) 8

9 Exhibit C - Audit of the Corporate Security Program Implementation Status Update As at March OVERVIEW - Recommendations 1. The Departmental Security Officer () should update the CNSC Security Manual to clarify the roles and responsibilities of the and the purpose of the corporate security program. 2. Work descriptions of the and his team should be updated. 3. The should be provided with appropriate resources. 4. The reporting relationship of the should be realigned. 5. Establish a network of Regional Security Coordinators. 6. The or a member of the Corporate Security Team should visit each regional or site offices once a year to assess the state of both the CNSC s and licensee s corporate security programs in relation to the GSP Develop a security-reporting format for regular presentation to the CNSC s Executive Committee. 9. Develop a comprehensive action plan for renewal of the CNSC s corporate security program and present it to the Executive Committee. 10 Further, promote awareness of security issues, policies, and procedures through an intranet website. 11 The security information contained on the Employee Orientation Intranet site should be enhanced to more adequately explain the role of the and the corporate security program. Person (s) Accountable Status CNSC Security Policies will continue to be updated as they are published by TBS. Updated July 2009 Received funding for 4 FTEs & $131K O&M reports to & Pres for urgent matters; approved by MC SCPD and Regional managers responsible for security Regional and site visits have been started with only two sites remaining. The remaining two sites will be done in the first quarter of 2010/ st report tabled with MC on Feb 2009; process will be continued The plan was presented and accepted at MC on April 6,2010. Still on target for January Next update will be September Role of the is part of Security Policy which is to be posted on BORIS. (Policy was posted Sept/09). 9

10 Exhibit C - Audit of the Corporate Security Program Implementation Status Update As at March OVERVIEW - Recommendations 12 Ensure security training for those regional/site staff assigned GSP responsibilities. 13 Develop a briefing package/presentation to be given either to staff members travelling internationally or into potentially hazardous areas. 14 Implement the recommendations of previous Threat & Risk Assessments. 15 Conduct a full departmental Threat & Risk Assessment. 16 Explore ways and means of enhancing access control measures currently in place. 17 Develop a full Business Continuity Plan (BCP). 18 Develop a security incident reporting system for regional/site staff. 19 Develop a reporting framework for staff to report security related incidents when they are away from the office on Commission duties. Person (s) Accountable Status Security awareness training has been given to staff with GSP responsibilities during the planed site and regional office. This will become an ongoing project. Guidance published in the Travel Safe Booklet On target and to be completed by April 30, Completed August 2006 Calgary and Saskatoon have been completed. Ongoing work to be done: -Pt-Lepreau (Summer/Fall 2010) -Lab at limebank (Sept/Oct 2010) -Mississauga (Dec 2010) -Gentilly (Feb 2011) -Bruce (March 2011) -Darlington (March 2011) -Pickering ( January 2012) Ongoing and on track for completion by November Done. Info on BORIS Done. Guidance provided in Travel Safe Booklet 10

11 Exhibit D - OAG Management Letter Implementation Status Update As at March 31, 2010 OVERVIEW - Recommendations 1. We recommend that the CNSC implement compensating controls which would detect incorrect or inappropriate pay actions. Person Account able Implementation Status Completed post-payment verification and reporting will be conducted quarterly. 2. We recommend that the CNSC review their user accesses to prevent any disbursements on inappropriate or incorrect expense vouchers. 3. We recommend that the CNSC review the segregation of duties in relation to processing cash receipts to determine which activities can be segregated and which activities require adequate monitoring, and implement the necessary processes and controls to address the above-mentioned observation. Completed - access rights to the Freebalance system have been updated to ensure appropriate segregation of duty. Completed - A cash receipt and credit note verification process has been implemented; the oversight of the Regulatory Activity Plan Fees was transferred to the Financial Resource Management Division. 4. We recommend that the CNSC comply with its Capital assets policies and procedures and that it keeps updated financial records of their capital assets and its related amortization expenses. 5. We recommend that management review this matter (cost recovery formula) to ensure compliance with the CNSC Cost Recovery Fees Regulations and considering their intent, as set out in the related Regulatory Impact Analysis Statement. Completed - The Capital Asset Process and Procedures have been updated and related information reconciled to ensure proper capitalization of costs on a quarterly basis. Completed The hourly rate has been updated and is effective April 1, 2010 to $250/hour for Formula Fees. 6. We recommend that management review this matter (rate charged for special projects) to ensure that compliance with the CNSC Cost Recovery Fees Regulations is demonstrated and documented. Completed The method to calculate the special project rate is consistent with the method regulations and is the same as the hourly rate for Formula Fees effective April 1,