1 iiiMTvilv (il MlHTt;! 1 i brar> II1 (1 1620 H>y7 776') AUDITOORR I GENERA^ALl r 4 GEl Alberta Annual Report of the Auditor General of Alberta 2001-2002 GOV DOC CA2 AL PA A56 2001/ 2002 HSS Ex LIBRIS Universitatis Albertensis AUDITOR GENERAL Alberta Ms. Janis Tarchuk, MLA Chair Standing Committee on Legislati\ e OtTices I a m honoured to send my 2001-2002 Annual Report to the members of the Legislative Assembly, as required by section 19(5) of the Auditor General Act. This is my first annual report to the Legislative Assembly and the twenty-fourth such report issued by the Auditor General of Alberta. Fred J. Dunn. CA Auditor General Edmonton. Alberta September 24, 2002 I I I Contents Introduction 3 Predominant theme of our findings 6 Overv iew of the report 8 Acknowledgements Ministry Audits and Recommendations 1 1 2001-2002 recommendations 19 Analysis of 2001-2002 numbered recommendations 21 Cross-Government 35 Aborigmal Aiiairs & Northern Development 37 Agriculture, hood and Rural Development 45 Children's Services 65 Community Development 71 Economic Development Energy 73 81 Environment 85 Executive Council 89 Finance Gaming 109 117 Gov emment Services 125 Health and Wellness 147 Human Resources and Employment 155 Infrastructure 167 Innovation and Science 177 International and Intergovernmental Relations 179 Justice and Attorney General 185 Learning 215 Legislative Assembly 217 Municipal Affairs 231 Revenue 235 Seniors 239 Solicitor General 243 Sustainable Resource Development 251 Transportation 257 Section 1 1(b) Audits i Annual Report of the Auditor General of Alberta 2001—2002 Supplementary information 261 Status of past numbered recommendations not yet implemented Office of the Auditor General — Performance Report 263 Results Analysis— March 3 1 , 2 002 269 Management's Responsibility for Financial Reporting 270 Financial Statements— March 3 1 , 2 002 283 Committees and Agents 285 Staff 287 Auditor General Act - Key sections Reference 291 Glossary 295 Index of entities Annual Report of the Auditor General of Alberta 2001—2002 UNIVERSITY LIBRARY UNIVERSITY OF ALBERTA Introduction 1 Annual Report of the Auditor General of Alberta 2001—2002 Annual Report of the Auditor General of Alberta 2001—2002 Introduction 1. Predominant theme of our findings Government organizations need a systematic approach to manage risk. They need formal processes to explicitly link risks with controls and to ensure effective internal controls. The government and certain Provincial agencies would likely have avoided w eak internal controls if they had used formal risk management. This conclusion is based on the interrelationship of explicit risk analysis, cost-effective internal control, and internal auditing. Poor risk management exposes Albertans to unnecessary costs. Good risk management improves the government's ability to reach its goals. 1.1 Risk management A risk is anything that affects an organization's ability to achieve its goals. Therefore, risk management means being proactive in reducing the gap between expected and actual results. This temi is used increasingly, but it is not new. Managers have always identified risks and opportunities and tried to deal with them. But increasingly, we understand that cost-effective control can only be achie\ ed after good risk analysis. So risk analysis must be a disciplined exercise — not just in the minds of managers. On pages 101. Ill and 1^)2, we recommend to Alberta Treasury Branches, the Alberta Gaming and Liquor Commission, and the Department of Learning that they develop comprehensive approaches to risk management, and we explain the implications of not doing so. These three report sections pro\ idc an o\ er\ icw of the purpose of explicit risk management. Focussing on expenses and revenues, the Financial Management Commission recently recommended that the government develop a comprehensive, cost-effective risk mitigation strategy. This timely advice reinforces the need to decide explicitly which risks to concentrate on. 1 .2 Internal control Management is responsible for an effective internal control system in an organization, and the organization's governing body should ensure that the control system does, in fact, operate as intended. The internal control system is designed to provide reasonable assurance that an organization will reliably achieve its objectives. The control system is effective when the governing body and management have reasonable assurance that: • they understand the effectiveness and efficiency of operations. • internal and external reporting is reliable. • the organization is complying with laws, regulations and internal policies. 3 Annual Report of the Auditor General of Alberta 2001—2002 Introduction What we found 1.2.1 Cross-Government — see page 23 Government departments should improve internal control systems. We found: • insufficient control over user access to the IMAGIS system. • significant weaknesses in controls over procurement card disbursements. • instances where the approval of disbursements did not comply with the Financial Administration Act. 1.2.2 Ministry of Innovation and Science — see page 169 The Ministry has to resolve deficiencies in the iMAGis environment, and strengthen the overall iMAGis control framework. We found: • weaknesses in control procedures at the service provider as well as elsewhere in the IMAGIS environment. • weaknesses in the critical areas of security management, system configurations, access controls, segregation of duties, and business continuity that were identified by management's contracted review of the service provider's control environment. 1.2.3 Alberta Treasury Branches — see pages 103 and 104 Management should ensure key internal controls are effective. We found: • control weaknesses throughout ATB. In some cases, management had not established controls, and in others, employees were not following control policies. • outsourcing agreements that do not require the service provider to assure management that proper controls are in place. 1 .2.4 University of Alberta — see page 201 The University should improve its internal control systems. We found: • over-expenditures in research accounts. • significant deficiencies that could result in unauthorized access to, or modification of, the University's computerized systems. 1.2.5 University of Calgary — see pages 205, 206 and 207 The University should improve its internal control systems. We found that: • a number of gifts received were not independently verified. • some revenue was overstated and expenses were understated. • some employees have access to systems that is not required to perform their assigned duties. • the capital asset system is inefficient. • there is no clear, published corporate security policy. 4 Annual Report of the Auditor General of Alberta 2001—2002