Public Works and Government Services Canada

2005-730 Internal Audit of the Shared Travel Initiative, Travel AcXess Voyage, ITBS Management Action Plan

December 14, 2006

Recommendation 1

1 - It is recommended that the CEO, Information Technology Services Branch, investigate alternative methods of issuing passwords to mitigate the residual risk of repudiation.

OPI

  1. CEO, Information Technology Services Branch
  2. (DG, Shared Travel Services Initiative)

Implementation Actions

  1. Consider alternatives that could be used to ensure TAV passwords are provided to STSI EMT users in a confidential manner.
  2. Monitor expense claim processes to assess the risk of repudiation (based on completed TRA - Recommendation #5); liaise with OCG, PWGSC Internal Audit and OGDs.
  3. Contingent upon monitoring results, select and implement appropriate safeguards (based on completed TRA - Recommendation #5).

Action Implementation Date(s)

  1. 30-Sep-2006
    Status:  Descoped
    Rationale:  Additional compensating control (wet signature) has mitigated the residual risk of repudiation.
  2. 31-Mar-2007
    Status:  Active
    Actions:  Obtaining departmental feedback
  3. 30-Jun-2007
    Status:  Pending
    Actions:  N/A

Recommendation 2

2 - It is recommended that the CEO, Information Technology Services Branch, ensure that STSI and TAV portal communications to users emphasize the need for periodic monitoring of travel expense/Expense Report approvals, in order to identify and address any improperly authorized transactions in a timely manner.

OPI

  1. CEO, Information Technology Services Branch
  2. (DG, Shared Travel Services Initiative)

Implementation Actions

  • Using existing communication and training mechanisms, issue communiqués and training updates to advise managers of the need for periodic monitoring of available travel expense reports.

Action Implementation Date(s)

  1. Sep-2006
    Status:
    • Training Instruments – Completed
    • Training courses – Ongoing
    • SFTO Communiqués - Ongoing
    Actions:
    • As a joint initiative with OCG, specialized EMT training classes have been delivered to CFOs, advising them of their responsibilities.  Session objectives were:
      • To advise SFOs/CFOs of the status of STSI;
      • To build awareness of the business processes related to TAV, and the EMT in particular, and the potential effects on departmental system of internal controls related to travel expenditures; and
      • To review the EMT implementation process and the SFO/CFO role in establishing appropriate internal controls.
    • More CFO training sessions are being scheduled with OCG.
    • SFTO bulletins are issued weekly to identify and emphasize various aspects of TAV.

Recommendation 3

3 - It is recommended that the ADM, Information Technology Services Branch, ensure that communications to users from STSI and the TAV portal emphasize the need and the accountability to keep STSI TINs and passwords confidential.  Communications should emphasize the use of the Delegate role, and training material and instructions to departments should emphasize the use of this STSI role, as it is an effective means of supporting non-repudiation.

OPI

  1. CEO, Information Technology Services Branch
  2. (DG, Shared Travel Services Initiative)

Implementation Actions

  • Using existing communication mechanisms, issue periodic communiqués to advise Departmental SFTOs and Travellers of the importance of safeguarding their TAV passwords and appropriate use of the Delegate role.

Action Implementation Date(s)

  • 30-Jun-2006
    Status: Completed; More communiqués will be issued as necessary
    Actions:
    • A special SFTO Bulletin was issued Nov. 17/06 regarding safeguarding of TINs and passwords.
    • An SFTO Bulletin was issued June 30/06 regarding the Delegate role.
    • RFC TAVO060405A was raised on 5-Apr-2006, to revise the TAV information about sharing TINs and passwords. Implementation is expected in the next TAV release.

Recommendation 4

4 - It is recommended that the CEO, Information Technology Services Branch ensure that, in the process of the approval of travel requests and expenses in STSI-EMT, Approvers be automatically presented with a pop-up window which provides the appropriate statement for certifying compliance with FAA spending and payment requirements, in order to provide non-repudiation of these authorization events.

OPI

  1. CEO, Information Technology Services Branch
  2. (DG, Shared Travel Services Initiative)

Implementation Actions

  • Implement system changes to provide recommended functionality.

Action Implementation Date(s)

  • 1-Sep-2006
    Status:  Completed
    Actions:
    • CR-296 was raised on 22-Mar-2006
    • TA-0022 was issued on 19-May-2006
    • Change was implemented on 29-Jul-2006

Recommendation 5

5 - It is recommended that the CEO, Information Technology Services Branch have STSI formally incorporate, as part of the TRA, threats and risks for EMT functionality that do not rely on digital or 'wet' signature standards, and include the quantification of both the probability and estimated impacts of potential repudiation risks.

The TRA information can then provide a foundation for performing independent post-transaction testing for risk management.

OPI

  1. CEO, Information Technology Services Branch
  2. (DG, Shared Travel Services Initiative)

Implementation Actions

  1. Prepare an incremental Threat Risk Assessment (TRA) to quantify both the probability and estimated impacts of threats and risks for EMT functionality that does not rely on digital or 'wet' signature standards for controls.  The TRA will be conducted with the TBS approved CSE TRA methodology.
  2. Have the completed TRA reviewed for accuracy and adequacy by the Office of the Chief Risk Officer (OCRO).
  3. Monitor the effectiveness of controls used to mitigate the threats and risks identified in the completed TRA, through sample testing of controls.  Liaise with OCG, PWGSC Internal Audit Services and OGDs to determine how to implement the sampling approach in all vanguard departments.

Action Implementation Date(s)

  1. 30-Sep-2006 (original);  31-Dec-2006 (revised)
    Status:  Active
    Actions:
    • Incremental TRA completed for FAA Section 32
    • Incremental TRA for FAA Section 34 is in progress.
  2. One month after the completed TRA is available.
    Status: Pending
    Actions: N/A
  3. Two months after the completed TRA is available.
    Status: Pending
    Actions: N/A