Internal Audit Report on Facilities and Administrative Services

Publication type
Audit
Date

Table of contents

    1. Background

    Introduction

    Internal Audit (IA) conducts assurance work to determine whether the Office of the Superintendent of Financial Institutions Canada’s (OSFI) risk management, control, and governance processes, as designed and represented by management, are appropriate and functioning in a manner to ensure risks are appropriately identified and managed, and to ensure compliance with such requirements as policies, plans, procedures and applicable laws and regulations.

    The audit of the Facilities & Administrative Services was recommended by the OSFI Audit Committee and approved by the Superintendent for inclusion in the OSFI 2016-17 Internal Audit Plan.

    Background

    Facilities and Administrative Services (FAS), including real property and related information, are "…significant corporate resources that, when managed well, enable effective and efficient government programs, inform strategic decision-making and facilitate horizontal initiatives."Footnote 1

    In 2015-2016, OSFI’s facilities and administration costs were approximately $15M, or approximately 10% of total OSFI expenses. It is important for OSFI to periodically examine roles and responsibilities in planning and delivering facilities and administration services while demonstrating fiscal discipline.

    FAS at OSFI falls under the Director of Security and Administration Services, who reports to the Managing Director, Human Resources & Administration. There are four (4) buildings included in the facilities portfolio, located in Ottawa, Toronto, Montreal and Vancouver.

    Facilities management is a shared responsibility between OSFI and Public Services and Procurement Canada (PSPC). The FAS program is governed by the TBS Policy on Management of Real Property, sections of the TBS Financial Administration Act and the Federal Real Property and Federal Immoveable Act.

    2. About the Audit

    Audit Objectives

    The objectives of this audit were to:

    • Assess the efficiency and effectiveness of key business processes and controls within Facilities and Administrative Services;
    • Ensure policies, practices and controls are adequate to plan and manage facility activities, including the appropriate management of departmental spending; and
    • Identify relevant Facilities and Administrative services best practices for OSFI to consider implementing, where applicable.

    Audit Scope

    The audit scope focused on an assessment of the following:

    • A review of the roles and responsibilities for the planning, oversight, and delivery of effective facilities and administration management; and
    • Policies, practices and controls supporting effective and efficient management of: space planning, optimization and management, service requests, inventory management, accessibility monitoring and purchasing. The purchasing component of the audit focused on communication services, office supplies and furniture related expenses given the historical materiality of these expenses.

    As the intent of the audit was to review and assess processes related to facilities and administration, the scope of the audit excluded the following:

    • Lease negotiation activities, including contracting procurement, as they are conducted in concert with PSPC
    • Processes related to physical security, including fire and emergency, as those responsibilities fall under OSFI’s security services and;
    • Environmental and waste management, as all facilities are leased, not owned.

    The audit assessed facilities and administrative activities and transactions that occurred between April 1, 2015 and March 31, 2016.

    Engagement Approach

    The overall approach and methodology used to complete the conduct phase of the audit consisted of documentation review and interviews with key processes owners to better understand and assess key business processes and controls.

    The audit criteria set out the elements and related components that formed the basis for assessing Facilities and Administrative Services. These criteria were based on the internationally recognized Committee of Sponsoring Organizations of the Treadway Commission (COSO) – 2013 Internal Control – Integrated Framework.

    Key controls in the areas of governance, inventory management, purchasing and monitoring were assessed to determine whether design and operational effectiveness were adequate. In addition, key business processes, were reviewed and assessed against industry best practices.

    Following the conduct phase, a summary of observations was prepared and shared with the Managing Director, Human Resources & Administration to discuss and validate preliminary observations.

    OSFI’s Internal Audit Reporting Protocol was followed throughout this engagement.

    Statement of Conformance

    The audit was conducted in conformance with the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing, consistent with the Treasury Board Secretariat (TBS) Policy on Internal Audit and the Internal Auditing Standards of the Government of Canada, as supported by the results of the Quality Assurance and Improvement Program.

    3. Observation Ratings

    Observation Ratings

    Observations are ranked in order to assist management in allocating resources to address identified weaknesses and/or improve internal controls and/or operating efficiencies. These ratings are for guidance purposes only. Management must evaluate ratings in light of their own experience and risk appetite.

    Observations are ranked according to the following:

    High priority – should be given immediate attention due to the existence of either a significant control weakness (i.e. control does not exist or is not adequately designed or operating effectively) or a significant operational improvement opportunity.

    Medium priority – a control weakness or operational improvement that should be addressed in the near term.

    Low priority – a non-critical observation that could be addressed to either strengthen internal control or enhance efficiency, normally with minimal cost and effort.

    Individual ratings should not be considered in isolation and their effect on other objectives and areas should also be considered.

    4. Results of the Engagement

    Executive Summary

    Facilities and Administrative Services has a defined mandate which outlines their commitment to providing a safe, secure and comfortable work environment for all OSFI employees. Facilities and Administrative Services supports this mandate by fostering effective relationships in coordinating the supply and demand of office facilities as well as facility related goods and services, to ensure optimal value is delivered to OSFI.

    Facilities and Administrative Services understands OSFI’s organizational tendencies and employs a number of sound business practices, some of which could be strengthened and/or updated by investing department resources into planning, monitoring and performance management elements of its core responsibilities, as indicated in the observations.

    5. Management Response

    Response

    The Director of Security and Administration Services, who is new to this role in HR&A, would like to thank Internal Audit for their findings and observations of the Facilities and Administrative Services (FAS) function. This audit has been helpful in confirming known strengths and identifying a few areas of focus for minor improvements in the upcoming fiscal year 2017-2018.

    6. Observations and Recommendations

    1. Work Space Management

    Medium Priority Observation

    Effective space planning requires participation and collaboration between FAS and operational management to optimize use of current space and proactively plan for future needs. FAS conducts an annual planning meeting to discuss lessons learned from the previous year as well as to anticipate changes for the coming year. As these meetings are infrequent and somewhat unstructured FAS does not always have an opportunity to understand, review and proactively integrate key information and/or operational initiatives into the facilities annual space planning exercise and budget.

    FAS does not currently employ established key performance indicators (KPIs) related to the overall performance and priorities of the function, as required per the TBS Policy on Management of Real Property. Without KPIs, it is difficult for FAS, as well as senior management, to assess the overall performance, trends and improvement opportunities related to the facilities management function.

    Recommendations

    FAS should implement an integrated and proactive space planning approach that includes engagement with operational management. For instance, quarterly meetings, between department/group leads and FAS to proactively discuss current and future staffing plans as well as space / facilities requirements, may provide improved insight to assist FAS in executing its mandate.

    FAS should develop, monitor and report on departmental KPIs. Some potential areas to monitor may include:

    • Employees per square meter;
    • Number of moves, adds and changes (“MAC”) per year including corresponding costing;
    • Operating cost per square foot; and
    • Performance against service standards.

    Once developed, FAS should consider identifying and implementing a regular reporting cycle to OSFI management to enable transparent and ongoing communication.

    Management Action Plan

    Planning and KPIs

    Space planning is inherently challenging given the different planning horizons. The FAS team works with PSPC on leases over a five to 10 year period, whereas staffing changes can occur within weeks and months. Nonetheless, we agree that we should implement more integrated and proactive space planning and raise awareness with senior management. To do so, beginning in Q3 2016-17, the FAS and HR teams established quarterly meetings to review upcoming hires and planned departures, to optimize the use of current space and proactively plan for future needs. The FAS team will establish additional mechanisms to ensure that space planning is informed by the outcome of the annual HR planning process (by Q1 2017-18), and will set up regular meetings with senior management to determine space needs (by Q2 2017-18).

    FAS will identify which metrics could be used to monitor the overall performance of the facilities management function at OSFI, while keeping in mind the effort to acquire that information, and will work with the Corporate Planning team to integrate these in the regular KPI reporting to senior management (by Q4 2017-18).

    2. Asset Management

    Medium Priority Observation

    In accordance with department guidelines, FAS plays an important role in collecting and maintaining accurate records of fixed assets. FAS maintains two (2) sets of floor plans using Adobe; one is used for managing inventory and the other is used for tracking space and employee seating arrangements. As Adobe software is not typically viewed as a strong asset management tool, limited inventory tracking is currently being performed.

    During the audit, asset floor plans were compared against actual asset on hand. Discrepancies were identified between what was noted on the floor plans versus what assets were actually located. More specifically, high-dollar value audio-visual equipment is not captured on inventory-related floor plans, nor is there an alternate inventory tracking mechanism in place to account for this equipment.

    Without an asset tracking/control system, FAS may not be able to perform lifecycle management and adequately plan for the replacement of these items. In addition, the risk of misappropriated assets increases.

    Recommendations

    FAS should develop a stronger process to more precisely track, account for and control facilities-related assets which will assist in properly tracking assets that can become lost, stolen or otherwise unprepared for use when needed.

    FAS may wish to consider determining a dollar threshold for items and formally track any items that meet or exceed the threshold amount (or category of asset).

    Management Action Plan

    Categorization and Tracking of Assets

    In discussions with the CFO, we understand that cost/benefit discussions on tracking other assets (beyond high-value audio visual equipment) have taken place in the past and that the conclusion was that given that the cost and effort to implement a tracking system outweighs the risk of items being lost or misappropriated, there was no incentive to do so.

    However, we agree that for lifecycle management purposes, items such as video conferencing equipment would benefit from stronger asset tracking and control. As such, we will implement tracking of the audio vidual equipment in Q3 2017-18.

    3. Service Requests Roles and Responsibilities

    Low Priority Observation

    FAS has a defined mandate which outlines their commitment to providing a safe, secure and comfortable work environment for all OSFI employees. SAS supports this mandate by fostering effective relationships, coordinating the supply and demand of office facilities to ensure optimal value is derived from the space OSFI leases.

    The FAS Service Catalogue and Standard Operating Procedures are tools used to guide and assist FAS in carrying out key responsibilities. They include detailed roles and responsibilities, as well as procedures for completing key SAS tasks. One of the key responsibilities of FAS personnel, as described in both documents, is to respond to service requests. The Operating Procedures and the Catalogue detail the types of services requests, as well as recommended response times.

    Service requests are made via Email (Outlook), walk-ups, and telephone calls. There is no process in place to centrally log service requests. As a result, FAS is unable to efficiently track, monitor and report on historical and in-progress service requests and service standards, such as response times.

    In addition, FAS roles and responsibilities are not frequently communicated to all OSFI employees resulting in OSFI employees not clearly understanding which services are, and are not, the responsibility of FAS. This increases the workload of the FAS team for work outside of their mandate (i.e. requests for meeting rooms and desired meeting room table orientation, meeting room setup, clean-up, etc.).

    OSFI has seen significant growth in the size of the organization, however, the size of the FAS team has remained constant resulting in FAS foregoing more proactive elements of its mandate to attend to and fulfill a heavy slate of service requests.

    Recommendations

    FAS would benefit from more frequently communicating their Service Catalogue to all OSFI employees. This would provide FAS with the opportunity to educate the organization and guide OSFI in understanding the role of FAS, including types of services provided, and expected timelines for services.

    FAS could also explore implementing a process, technology or means to centrally track and automate reporting of service-related activities(i.e. historical requests, response times, etc.) The resulting data would better position FAS to develop appropriate service standard levels for its various activities

    Management Action Plan

    Service Request Management & Service Catalogue Communication

    We agree that the central management of service requests would be greatly improved with the use of an automated tracking and reporting system. SAS already has plans in place in collaboration with IM/IT to do so, and a planned implementation is targeted for Q4 2017/18. This implementation includes the integration of the FAS Service Catalogue and as such, will be communicated to all OSFI employees as part of the roll out.

    4. Procurement

    Low Priority Observation

    Processes and procedures

    FAS is responsible for the procurement of a variety of products and services that support the facilities and employees at OSFI, including both goods and services. FAS currently uses the OSFI contracting policy as the guiding documentation in procuring these good and services; however, the FAS business model and purchasing practices differ from those of the OSFI procurement and contracting group, specifically relating to the procurement and payment of utilities, space management and building services. Currently, process documents do not exist for these types of purchases and FAS is heavily reliant on internal corporate knowledge to fulfill these requirements.

    Further, FAS operations are decentralized, with the team’s senior management in Ottawa and a second group operating in Toronto. There is currently no documentation in place prescribing purchasing-related responsibilities between the two offices; procedural documents outlining how purchases should be made; or information regarding allowable items.

    Blackberry Services and Invoicing

    FAS management is responsible for review and approval of the Blackberry mobility and data monthly charges. A sample of 25 transactions of facilities-related purchases was judgmentally selected for testing including two (2) Blackberry invoices. The total monthly charge, per employee, for Blackberry services should be $17.94, plus data/voice usage, as per the selected plan with OSFI’s service provider. Both invoices reviewed found the average charge per employee was more than double the rate of the negotiated plan. Further review of selected accounts where the monthly charges exceeded $250 indicated that the majority of the costs were related to international travel and roaming fees.

    FAS may be best positioned to challenge invoicing trends of certain services on behalf of OSFI.

    Recommendations

    FAS could consider developing and implementing procurement guidelines that detail purchasing-related roles and responsibilities of the Ottawa and Toronto teams. Process maps produced by Internal Audit during the course of this audit will be forwarded to FAS to assist in this endeavour.

    FAS management could consider periodically reviewing recurring invoices, including current Blackberry plan to determine if there are opportunities to reduce current costs or identify opportunities better aligned to the needs of OSFI employees.

    Management Action Plan

    Documentation

    FAS operating procedures and relevant documentation are currently available. We will be reviewing the process maps produced by Internal Audit and use them as a starting point when we refresh the relevant documentation by the end of Q3 2017-18.

    In Q2 2016-17, the FAS team put in place a process to review BlackBerry invoices. We have seen a positive change in behaviour and will continue to monitor going forward.

    Footnotes

    Footnote 1

    TBS Policy on Management of Real Property, page 3

    Return to footnote 1