Audit of Data Migration 2004-2005 Preliminary Survey Report

March 2006

Table of Contents

Executive Summary Introduction Focus of the Audit Findings, Recommendations and Action Plans o Reconciliation of the Overall Migration of Financial Data at the Public Account Level o Reliability of Financial Data Migration Files Received at CBSA o Management and Results of the Data Migration Exercise in CBSA Conclusion Audit Team Appendix A: Reconciliation by the Receiver General for Canada for 2004-2005

Executive Summary
Background
This audit was included in the 2005-2008 Internal Audit Strategic Plan that was approved by the Internal Audit and Evaluation Committee on March 17, 2005. The Internal Audit Directorate undertook an audit of the 2004-2005 data migration between legacy organizations and Canada Border Services Agency (CBSA). The requirement was established as a result of an Agency-wide program and corporate activity risk assessment. Although CBSA formally ceded from the Canada Customs and Revenue Agency (CCRA) on December 12, 2003, CBSA has continued using the CCRA Corporate Administrative System (CAS), the departmental financial and material system, which is operated and maintained in the [now] Canada Revenue Agency (CRA) environment. In January 2005, CRA split separate CAS functionality for CBSA, formally creating CBSA-CAS with its own data. The operation of a separate financial and material system allowed CCRA, Citizenship and Immigration Canada (CIC) and the Canadian Food Inspection Agency (CFIA) to transfer information and financial data on people, collective agreements, budgets, assets, inventory, capital assets, real property and a wide variety of human resources, administrative and operational support functions to the new Agency. Data migration from the three legacy organizations to CBSA occurred from January 17 to March 31, 2005. The objective of the audit of data migration is to verify the integrity of data populated into CBSA-CAS from legacy organizations, namely, CCRA, CIC and CFIA. Audit lines of inquiry included: 1. reconciliation of the overall migration of financial data at the Public Accounts level; 2. assessment of the reliability of the financial data files transferred to CBSA; and

3. management and results of the data migration exercise in CBSA.

Observations
The overall migration of financial data was independently verified by the Receiver General for Canada (RG) at the Public Accounts level. Specifically, the RG concluded that the financial data migrated to CBSA from legacy organizations balanced at the Financial Reporting Activity (FRA) level of Public Accounts, had the correct FRA-level coding, was transferred in the same accounting period and was reconciled in the accepted rounding amount. The financial data files transferred to CBSA included $3.5 billion in opening balances and inyear transfers, or equity, from legacy organizations. The relative transfer amounts were: CRA approximately 84% or $3.0 billion, CIC 15% or $500 million, and CFIA 1% or $35 million. According to the Retention Guidelines for Common Administrative Records of the Government of Canada, Part 4, all financial migration files used in the creation of CBSA should be formally identified and retained as part of the Agency record. However, at the time of our survey, we were not provided with all financial migration files used in the creation of CBSA. Most of these files were provided in February 2006. At that time, the gathering, summarizing and formal retention of these files were still to be completed by Comptrollership Branch. Management practices and results of the migration of financial data to CBSA were not formally recorded. This included documentation of the comprehensive and detailed results of the migration, a formal listing of outstanding data migration items on March 31, 2005, and sign-off from cost centres, divisions, directorates, branches and/or regions on the results of the migration of their financial data. Also not documented at that time were the control processes used to manage the validation of the migration of financial data. As a result, the Agency management has not been placed in a position where it can assess and prioritize data migration issues in a comprehensive manner. Through interviews with senior Agency officials, the audit has identified a number of lingering data migration concerns.

Conclusion
The preliminary survey of the audit has determined that financial data migrated to CBSA from legacy departments was completely and accurately transferred at the financial reporting activity or Public Accounts level. The other two lines of inquiry were not completed for the reasons noted above. If detailed testing were to continue, the sample size would be such that Internal Audit felt that there would be insufficient cost benefit. As the financial information has been verified at the Public Accounts level, the risk lies in short-term misstatement of particular accounts, in the amounts of transferred fixed assets, for example. While further work on this audit is not considered cost effective at this time, there are considerable lessons to be learned in terms of managing the migration of data. In particular, projects of this nature should have a proper project plan and results and control processes should be formally documented and retained during the project.

Action Plans
Corporate Finance Directorate responded that all data migration input files and related documents required in support of the 2004/2005 OAG Public Accounts audit have been maintained and that these documents will be retained in the same manner as all other CBSA financial records. Corporate Finance Directorate outlined that, for future reorganization, they will ensure proper documentation and effective project monitoring and reporting.

Introduction
Canada Border Services Agency (CBSA) was created in December 2003 and operates as an agency under the Public Safety and Emergency Preparedness (PSEP) portfolio. An Act to Establish the Canada Border Services Agency was passed in Parliament in November 2005 and formally defines CBSA's mandate. While a majority of border operations existed under the Customs Branch of the former Canada Customs and Revenue Agency (CCRA), CBSA is also made up of border service programs that were previously in operation under Citizenship and Immigration Canada (CIC) and the Canadian Food Inspection Agency (CFIA). Although CBSA formally ceded from CCRA on December 12, 2003, CBSA has continued using the Canada Revenue Agency (CRA) Corporate Administrative System (CAS), the departmental financial and material system, which is operated and maintained in the CRA environment. In January 2005, CRA split separate CAS functionality for CBSA, formally creating CBSA-CAS with its own data. The operation of a separate financial and material system allowed all three legacy departments to transfer information and financial data on people, collective agreements, budgets, assets, inventory, capital assets, real property and a wide variety of human resources, administrative and operational support functions to the new Agency. Data migration from the three legacy organizations to CBSA occurred from January 17 to March 31, 2005. In order for CBSA to obtain assurance concerning the integrity of CAS data, the Audit and Evaluation Committee approved an audit of the data migration in March 2005.

Focus of the Audit

The audit of data migration focused on the transfer of financial data to CBSA from the three legacy organizations from which CBSA was formed, namely, CCRA, CIC and CFIA.

Objective
The objective of this audit is to verify the integrity of data populated into CAS from legacy organizations. Sub-objectives include verifying the reliability of data transferred into CAS from legacy organizations, assessing the data migration control process(es) used or in use, and confirming the effectiveness of the management control framework currently in effect to monitor and report on data integrity for key and high-risk CAS data.

Scope
Due to the enormity of the information transferred to CBSA for the data migration, which includes people and position data, collective agreement information, assets, inventory, real property, budgets, expenses and liabilities, it was decided to focus the audit on the migration of financial information. Due to the high volumes of financial data transferred to CBSA, the audit scope was then focused on summary level results of the migration of financial data, to be supplemented with a review of a random sample of high-risk transactions including payroll and Operating and Maintenance (O&M) expenditures, machinery, IT equipment, developed software, and accrued salaries and accrued liabilities. As a result, the following three general lines of inquiry were identified:

reconciliation of the overall migration of financial data at the Public Accounts level (i.e., confirmation of the result of the data migration by the Receiver General for Canada); determination of the reliability of the financial data files transferred to CBSA (i.e., verification of detailed financial data received by CBSA and populated into the Agencys departmental financial management system); and management and results of the data migration at CBSA (i.e., assessment of the summary and detailed data migration results, and the related management and control processes).

The preliminary survey was conducted at CBSA headquarters from May to July 2005, and from November 2005 to February 2006.

Methodology
A top-down approach was selected for the gathering and assessment of audit evidence. This method allows for assessment of the completeness, accuracy and reliability of the data migration at a high or summary level, in order to determine the related risk and appropriate level of investigation and testing required at the detailed or transaction level. The audit approach consisted of the following steps: 1. Determine the entities that migrated financial data to CBSA, and the specific data transferred [interview and review of migration summary documentation]. 2. Identify and obtain the migration approach, management and process controls applied [interview, review migration control documentation and migration control results]. 3. Verify the role and accountability of all key stakeholders involved [interview and data migration reports]. 4. Identify data migration risks, risk assessment and risk mitigation [interview and review risk-related documentation]. 5. Review migration summary documentation and interview financial officers. 6. Select representative samples of migrated data for testing/comparison to data transferred into the CBSA financial system [interview and use of audit software Audit Control Language/ACL]. 7. Determine alternate approaches to testing, if desired data are not available as needed.

Findings, Recommendations and Action Plans

Reconciliation of the Overall Migration of Financial Data at the Public Accounts Level
Audit Sub-Objective: Verify the integrity of data populated into the CBSA financial system from legacy organizations, at a summary level. As the objective of the audit is to verify the integrity of data populated into the CBSA financial system that was provided by legacy departments, the best place to begin the preliminary survey was with Public Accounts. Under Chapter 10 of the Receiver General Manual, the Receiver General for Canada (RG) is responsible for overseeing the transfer of funds between departments on the consolidation, splitting, termination or creation of a

department or agency. The RG is able to perform this oversight because affected departments are required to record the accounting affects of the reorganization in their departmental financial management system (DFMS). The legal basis for a reorganization or transfer of duties is generally through the application of the Public Service Rearrangement and Transfer of Duties Act, or through the passage of legislation in the form of a specific government organization act. The organizations involved in the reorganization consist of transfer-out department and agencies (i.e., CCRA, CIC and CFIA) and a transfer-in agency (CBSA). The organizations need to consult with each other and the RG to coordinate the exchange of information, identify the amounts involved and the government-wide coding, and identify the accounting period for processing the accounting transactions. Reorganization will result in the transfer of opening balance amounts for assets, liabilities and the departmental and agencys net asset or liability (i.e., equity) account. Under this type of financial data migration, the Intergovernmental Settlement (IS) system cannot be used. The organizations involved must agree on an accounting approach, whereby the integrity of the accounting data is maintained. This was done. As all four organizations involved in the data migration have SAP as their DFMS, it was agreed to use Equity Accounts in SAP as control accounts to ensure that the financial amounts released by the transfer-out organizations matched the transfer-in amounts CBSA recorded into CBSA-CAS (Corporate Administrative System/CAS is the DFMS for CBSA). The Equity Accounts used by the four organizations in the data migration to CBSA were reconciled by the RG. Opening balances, in-year transactions and closing balances were monitored and reconciled by the RG. The RGs Equity Review figures, as of August 25, 2005, identified a near-perfect reconciliation of migrated financial data. For more details, see Appendix A. The CBSA data migration of 2004-2005 was balanced at the Financial Reporting Activity (FRA) level of Public Accounts among the three transfer-out organizations and CBSA. Specifically, this means the migrated data had the correct FRA-level coding, were transferred within the same accounting period, were reconciled by the RG within the rounding amount, were successful in relation to the RG QA Report (e.g., checks matching of Opening Balances), and were balanced under the RG Audit Statement. In short, all financial data that were sent to CBSA were received and copied completely into CBSA-CAS. As a result, the Agency was able to focus on more specific data migration issues, such as following up on items that were expected to be migrated but were not (see section of the report on Management and Results of the Data Migration Exercise in CBSA page 10). In summary, the overall migration of financial data was independently verified by the Receiver General for Canada (RG) at the Public Accounts level. Specifically, the RG concluded that the financial data migrated to CBSA from legacy organizations balanced at the Financial Reporting Activity (FRA) level of Public Accounts, had the correct FRA-level coding, were transferred within the same accounting period and were reconciled within the accepted rounding amount.

Reliability of Financial Data Migration Files Received at CBSA

Audit Sub-Objective: Verify the reliability of data populated into the CBSA financial system from legacy organizations. Of the $3.5 billion in opening balances and in-year transfers/equity migrated to CBSA, CRA provided approximately 84% ($3.0 billion), CIC 15% ($500 million), and CFIA 1% ($35

million). Financial transactions migrated to CBSA were populated into CBSA-CAS by one of two methods: (1) large volumes of transactions in electronic files were processed by CRA-IT using automated scripts, where each transactions organization/company code, cost centre code and general ledger (G/L) code was converted from the legacy organization coding to CBSA coding, or (2) financial transactions, in spreadsheets, were received on CDs by Corporate Accounting, CBSA, and were individually key-entered into CBSA-CAS with the revised Agency code, cost centre and G/L. CRA provided approximately a dozen financial data migration files; two for opening balances and 10 for in-year transactions. In-year transactions files included airfare advances (asset), tuition advances (asset), extended advances, revenue, O&M (with and without trading partners), salary dollars and various fixed assets. Most transactions were processed by CRAIT via automated script. CIC provided 34 financial data migration files; three for opening balances and 31 for in-year transactions. In-year transactions files included specific funds files, two salary files, one cash bonds file, a performance bonds credit and debit file, O&M, O&M for other government departments, expense correction files, two taxi expense files, and six adjustment files. Most of the files were loaded into CBSA-CAS manually; the larger files were entered via script. CFIA provided CBSA with seven financial data migration files; two for opening balances and five for in-year transactions. In-year transactions files included two salary files (one loaded via script; one manually entered), two year-to-date salary files (uploaded via script), and an O&M file (loaded via script). The Retention Guidelines for Common Administrative Records of the Government of Canada, Part 4 (Comptrollership Function), identifies the formal document recording and retention requirements for financial management activity. According to these guidelines, all financial figures and files received by CBSA for the data migration should have been formally recorded and readily available for management review purposes. However, at the time of our survey, we were not provided with all financial migration files used in the creation of the CBSA. Most of these files were provided in February 2006. At that time, the gathering, summarizing and formal retention of these files were still to be completed by Comptrollership Branch. In summary, opening balances and in-year transfers, or equity, migrated to CBSA from legacy organizations. The relative transfer amounts were: CRA approximately 84% or $3 billion, CIC 15% or $500 million, and CFIA 1% or $35 million. If detailed testing were to continue, the sample size would be such that Internal Audit felt that there would be insufficient cost benefit. As the financial information has been verified at the Public Accounts level, the risk lies in short-term misstatement of particular accounts, in the amount of transferred fixed assets, for example. Recommendation (#1) It is recommended that the Director General, Corporate Finance Directorate, complete the process of gathering all data migration input files, financial figures and related support documents provided to CBSA from legacy organizations and formally retain these files for further verification as required. Action Plans All data migration input files and related supportive documents required in support of the 2004/2005 OAG Public Accounts audit have been maintained by Corporate Accounting staff, in their various forms (i.e., electronic files, spreadsheets, emails, fax copies etc.). CBSA will retain these documents in the same manner as all the Agencys other financial records, which is in accordance with the retention guidelines for Common Administrative Records of the Government of Canada as established in the National Archives of Canada Act.

Management and Results of the Data Migration Exercise in CBSA

Audit Sub-objective: Assessing the data migration control process(es) used or in use. Audit Sub-objective: Confirming the effectiveness of the management control framework to monitor and report on data integrity for key and high-risk CAS data. The migration of financial data to CBSA from legacy organizations was not undertaken as a formal department project. Rather, the migration of financial data was managed as an additional exercise that Corporate Accounting, CBSA, had to complete at the same time as all other activities under way at that time for fiscal year-end. A departmental project would be expected to include standard project management characteristics such as a project management office, documentation of processes and control processes, retention of documents and reporting of results to management on a periodic and project-completion basis. In the case of the creation of CBSA-CAS, a formal project methodology was applied as this was required for a system change of this magnitude in the SAP R/3 (Systems, Applications and Products in Data Processing/Release 3) environment, but was not applied for the migration of financial transactions. Corporate Accounting indicated that it faced resourcing challenges at that time, in order to handle both year-end processes and the data migration. Compounded by the need to run and verify the automated data entry of migration transactions, Corporate Accounting also indicated that it did not have the resources to allow for formal documentation of processes and results that might otherwise have been expected. As a result of the data migration not being run as a formal project, a number of management processes and supporting documents that would have been useful for the audit were not completed. These processes and documents include:

formal departmental sign-off of the data migration, including comprehensive results of the migration at a summary level; formal and comprehensive results of the data migration at the detailed level (e.g., specific problems with data content, financial coding issues, duplicate or incomplete data, and delayed receipt of data, all by data type or business function or cost centre); formal listing of outstanding data migration items as of March 31, 2005 (i.e., that will need to be addressed in 2005-2006, and corresponding action plans); formal sign-off from cost centres, divisions, directorates, branches and/or regions that migration of their data was successful, or not; data migration status reports, especially indicating migration results (in order to observe what worked and what did not, and how problems and risks were resolved); control information on migration files/spreadsheets received by CBSA, such as file content, size, date received, date entered, input success/failure (see Reliability of CBSA Data Migration Files Received regarding records identification and retention requirements under Retention Guidelines for Common Administrative Records of the Government of Canada, Part 4-Comptrollership Function); and data migration control processes were not documented (i.e., for use under Audit Sub-objective: Assessing the data migration control process(es) used or in use).

The impact of limited documentation has provided the audit with two significant challenges. First, without this documentation, auditors cannot gain a comprehensive, balanced and timely understanding of what specifically transpired and what resulted. Secondly, without this documentation, the audit cannot evaluate the adequacy and effectiveness of the control processes applied and use this knowledge to select, on a risk basis, a small representative sample of transactions for testing/assurance purposes based on documented results. Consequently, testing for audit purposes then requires a larger and more comprehensive sample of financial transactions than would otherwise be necessary. In order to proceed with the audit, a representative selection of higher risk transactions (G/L accounts) was identified for possible testing in the detailed examination stage of the audit. As part of this selection process, the audit identified the need for documented control processes for the migration of the data into CBSA-CAS. The audit did not find evidence that the control processes were documented at the time of the data migration. In November 2005, Corporate Accounting prepared a detailed description of the control processes used for the audit sample transactions selected. To focus the audit effort, key issues affecting the data migration, as well as those issues outstanding at the end of the period under audit review (March 31, 2005) were identified. These issues risks were identified through interviews with CBSA managers six months after the formal completion of the migration exercise:

Data migration for HR and IT assets continued into the post-migration period: Changes to collective agreements, new contracts at the time of the migration and new employees from other departments, made the HR migration complex and extensive. Ongoing changes were being made to terms and conditions in collective agreements during the migration period. Adjustments for HR and IT assets have continued through 2005-2006. CAS data cleaned-up was limited before migration: Inventory, assets (especially IT assets), contracts, work-inprocess, splitting and/or continuing service contracts may not have been up-to-date at the time of migration or may have been incorrectly recorded/split by CRA, in CBSA-CAS, as a result of the data migration. Incomplete descriptions of migrated financial data. CBSA did not get all the information required to validate the completeness of the migration data provided by CIC. Data Migration had no User Acceptance Testing. While data balanced at the RG level, the completeness and accuracy of data verification at the cost centre level was not formally tested.

In summary, management practices and results of the migration of financial data to CBSA were not formally recorded. This included documentation of the comprehensive and detailed results of the migration, a listing of outstanding data migration items on March 31, 2005, and sign-off from cost centres, divisions, directorates, branches and/or regions on the results of the migration of their financial data. Also not documented, at that time, were the control processes used to manage the validation of the migration of financial data. As a result, Agency management has not been placed in a position where it can assess and prioritize outstanding data migration issues in a comprehensive manner. Through interviews with senior Agency officials, the audit has identified a number of lingering data migration concerns. While further work on this audit at this time is not considered cost effective, there are considerable lessons to be learned in terms of managing the migration of data. In particular, projects of this nature should be formally documented and retained during the project and not as an after-the-fact activity. Recommendation (#2)

It is recommended that the Vice-President, Comptrollership Branch, ensure that any future migration of financial data to or from CBSA, resulting from an Agency reorganization, be managed as a formal departmental project to ensure proper documentation and effective project monitoring and reporting. Action Plans The recommendation is noted. No action plan will be prepared as a future reorganization is not anticipated at this time or within the next three years.

Conclusion
The preliminary survey of the audit has determined that financial data migrated to CBSA from legacy departments were completely and accurately transferred at the financial reporting activity or Public Accounts level. Because of lack of information on migration data, management practices and results of the migration, two lines of inquiry were not completed. While further audit work at this time is not considered a cost benefit, there are considerable lessons to be learned for the management of other migration of data.

Audit Team
Bob Fox, Consulting and Audit Canada Elizabeth Choros, CBSA, project leader

Appendix A: Reconciliation by the Receiver General for Canada for 2004-2005

TABLE *

CBSA Equity Review 25/08/2005

Transfer-out 1. CIC RG Account 25113 25116 (CAas) Opening 38,119,703.66 -3,785,612.30 34,334,091.36 Transfer 505 Variance Note 1 -34,426,930,24 -92,838.88 In-Year Transfer -111,508,324.57 -2,680,337.67 -114,188,662.24 114,071,025.57 -117,636.67 Calculated Close -73,388,620.91 -6465,949.97 Closing -73,388,620.91 -6,465,949.92

2.

CFIA

25114 25117 (CAs)

0.00 -388,357.09

-5,251,825.70 0.00

-5,251,825.70 -388,357.09

-5,251,825.70 -388,357.09

-388,357.09 Transfer 136 Variance 388,357.09 Nil

-5,251,825.70 5,251,825.70 Nil

-5,640,209.79

3.

CRA

25112 25115 (CAs)

-819,571,295.32 -246,689,512.54 -1,066,260807.86

-643,398,911.91 -5,477,929.18 -648,876,841.09 0.00 648,876,964.34 123.25

-1,462,970,207.23 -252,167,441.72

-1,462,970,207.23 -252,167,441.72 -1,715,137,684.95

Transfer 130 Transfer 122 Variance (Rev. Ledger) Note 2

177,678,831.75 1,066,260807.86 Nil

0.00% of Equity

Total Equity as of 2005-05-25

-1,032,315,073.59

-1,800,632,429.62

-3,515,770,078.52

Total Variance

-92,838.88

-117,513.42

-210,352.30 -36,057.29 275,000

Unexplained Variance

28,590.41

-0.08% of Equity

Note 1: CIC advised of transfer out opening Balance of Capital Assets (CAs) $204,542.94 Depreciation $111,704.06 = $92,83888; however, CIC entered this as an In-Year transaction as of 31/03/2005. This affects In-Year amounts because CIC then recorded depreciation for assets that were already transferred; which explains the $36,057.29. An amount of $275,000 has been identified as a Liability transferred out by CIC, but not provided to CBSA with details. A request to correct by adjustment to 36ddd was made by CBSA [accept the Liability transfer] and accepted by the RG, corrected in 2005-2006. Note 2: Remains outstanding [not of material value; minor adjustment to be made] * Table: Provided by Corporate Accounting, CBSA; figures confirmed by the RG on February 28, 2006.