E-Payment is “an accounts payable solution” that was implemented at Natural Resources Canada (NRCan) on a pilot basis within the National Capital Region in 2009. After the pilot, it was fully implemented across the Department in May of 2010. Since the inception of e-Payment, two major initiatives were implemented: the implementation of a secure electronic signature service known as “myKey”, and the implementation of a new SAP financial system. The three initiatives were significant changes at NRCan, and together represent an improvement to the way accounts payable are processed across the Department.
This payment solution streamlines NRCan’s accounts payable process and involves the scanning of supplier invoices as well as the automated processing of these invoices through a workflow-based payment software application system. E-Payment is based on two major components: (1) that all supplier invoices are received through a consolidated Invoice Reception Center (IRC) (i.e. a receiving centre) at one location for the entire Department; and, (2) that these invoices are processed at one location through a consolidated Invoice Payment Center (IPC).
The e-Payment system has evolved over its life and has been upgraded regularly with better functionalities to improve controls and ease of use. Recent examples include more accurate software for Optical Character Recognition to improve the accuracy of invoice scanning and the mandatory use of the "myKey" electronic signature.
The goal of e-Payment is to increase the efficiency and speed of invoice processing, reduce data entry errors, eliminate lost invoices, reduce interest charges, automate most of the verification activities (i.e. providing a faster, more accurate information used for approval), create efficiencies in payment audits, reduce labour costs, and facilitate tracking and management through the Accounts Payable Process.
Shared Services Office (SSO), Finance and Procurement, is responsible for the receipt and payment of over 90,000 supplier invoices per year [Footnote 1] resulting from various NRCan procurement activities. In 2011-2012, approximately 29,540 invoices with a total value of $161 million were processed via e-Payment. This represents approximately 30% of all supplier invoices received by NRCan per year. At the time of the audit, 70,568 transactions had been processed by e-Payment since its inception in 2009.
The purpose of this audit was to provide reasonable assurance that the e-Payment process has appropriate management controls in place and that it is operating efficiently and economically, and in compliance with Treasury Board and NRCan policies and directives.
The scope of the audit included all e-Payment transactions from the inception of the process on April 1, 2009 to March 31, 2012.
The e-Payment process has established key management controls. Specifically, Management has clearly defined and communicated roles and responsibilities, and has developed and communicated procedures for payment to suppliers. In addition, Management has incorporated within the e-Payment system the functionality of a secure electronic signature service known as “myKey” for the authentication of the identity of those involved in signing financial transactions, as well as the requirement of entering an electronic goods receipt. Creation of a consolidated IRC and a single IPC centralizes the reception, scanning, and payment processing of supplier invoices, and when used in conjunction with “myKey”, automates the workflow of suppliers’ invoices from receipt to payment.
Although not wholly attributable to the implementation of the e-Payment system, the audit findings confirm that controls over the FAA Section 33 and Section 34 have improved since the Internal Audit of Management of Accounts Payable/Acquisition Cards 2008.
It was also noted that the Department is steadily increasing use of e-Payment as a process. [Footnote 2] All invoices received had been entered into the e-Payment information system and all payments examined were supported by an invoice.
AREAS FOR IMPROVEMENT
The following elements require attention:
- Supporting documentation (i.e. auditable evidence to facilitate tracking of compliance with relevant policies and directives);
- Sampling for low and medium risk payments;
- Data integrity; and,
- Timely processing of invoices and reduction of interest costs.
The monitoring of the e-Payment system’s performance against established measures can also be improved.
AUDIT CONCLUSION AND OPINION
The implementation of the e-Payment system represents an improvement for the way accounts payable are processed at NRCan. The audit results provide reasonable assurance that the e-Payment process was designed with key controls in place to ensure compliance with relevant Treasury Board and NRCan policies, directives and guidance. These key controls and management tools include checklists for high risk transactions, a statistical sampling plan for low and medium risk transactions, creation of a consolidated Invoice Reception Centre and a single Invoice Payment Centre, and use of electronic signatures for Financial Administration Act authorities. The audit results could not provide reasonable assurance that some [Footnote 3] key controls are operating as intended. The audit found that three key expected outcomes (increased efficiency, effectiveness and reduced error rate) from the implementation of the e-Payment process have not yet been fully realized.
In my opinion, there are moderate risk exposures related to the effectiveness of key controls in the e-Payment system that ensure transactions are processed in compliance with Treasury Board and NRCan policies, directives and guidance. Improved monitoring of adherence to existing controls would significantly reduce instances of non-compliance.
Since the completion of the audit, management has initiated new functionality in order to improve controls. Audit Branch considers that the Management Action Plan presented for this audit adequately addresses the issues identified.
The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed on with management. The opinion is applicable only to the entity examined.
STATEMENT OF CONFORMANCE
In my professional judgement as Chief Audit Executive, the audit conforms with the Internal Auditing Standards for the Government of Canada, as supported by the results of the internal Quality Assurance and Improvement Program (QAIP).
Christian Asselin, CA, CMA, CFE
Chief Audit Executive
TABLE OF CONTENTS
- EXECUTIVE SUMMARY
- FINDINGS AND RECOMMENDATIONS
- APPENDIX A – STANDARD RISK TYPES AND AUDIT RATINGS
- APPENDIX B – AUDIT OBJECTIVES AND CRITERIA
E-Payment is “an accounts payable solution” that was implemented on a pilot basis within the National Capital Region in 2009 and then fully implemented across the Department in May of 2010.
The e-Payment system has evolved over its life and has been upgraded regularly with better functionalities to improve controls and ease of use. Recent examples include more accurate software for Optical Character Recognition to improve the accuracy of invoice scanning and the mandatory use of the "myKey" electronic signature service.
At the time of the audit, the e-Payment’s workflow-based payment information system was in its 3rd phase of implementation.
The e-Payment tool was rolled out in three phases:
- The initial implementation of the e-Payment process included the creation of a consolidated Invoice Reception Centre (IRC) and the design, development and implementation of an electronic system which images supplier invoices and electronically routes them to the appropriate responsibility centre for payment verification. During this phase, a secure electronic signature service known as “myKey” was also incorporated. This particular service was incorporated to replace manual (wet ink) signatures and add an additional level of control for the authentication of the identity of those involved in signing financial transactions.
- In its second phase of implementation, a single Invoice Payment Centre (IPC), reducing the number of payment centres from 13 to 1, was created for the e-Payment system. In addition, the e-Payment system was updated in response to the Department’s implementation of a new financial system known as the Systems Applications and Products in Data Processing financial system (SAP) – designed to deliver finance, material and project management capabilities. This update resulted in the creation of an entirely new e-Payment system database.
- In its third phase, the requirement of entering an electronic goods receipt was implemented to ensure proper material control and restriction of unwanted or unauthorized entry of goods.
The implementations of the e-Payment process, myKey service, and the SAP financial system, as well as the implementation of an electronic goods receipt, were significant changes at NRCan.
E-Payment represents the streamlining of NRCan’s accounts payable process and involves the scanning of vendor and supplier invoices as well as the automated processing of these invoices through a workflow-based payment software application system. E-Payment is based on two major components: (1) that all supplier invoices are received through a consolidated IRC (i.e. a receiving centre) at one location for the entire Department; and, (2) that these invoices are processed at one location through a consolidated IPC.
The e-Payment process begins with supplier and vendor invoices being received by the IRC either in electronic (i.e. e-mail) or hard copy [Footnote 4] format. Upon receipt, the invoices are date-stamped and uploaded into the e-Payment workflow-based payment information system. Once uploaded, automated and manual checks for duplicate invoices are performed. If the invoice is not identified as a duplicate, the invoice is then cross-referenced to the corresponding payment authorization instrument (i.e. contract and/or fund commitment) as well as to the responsible manager. Once the invoice has been cross-referenced, it is then routed through the system to the responsible manager for certification that goods were received or services rendered and prices are as contracted pursuant to Section 34 of the Financial Administration Act (FAA). The certification of an invoice includes an electronic signature from the responsible manager, or a wet ink signature from the responsible manager for invoices greater than $50K.
As part of the audit, four of the key expected outcomes resulting from the implementation of the e-Payment process were selected as criteria against which to assess the performance of the e-Payment process. These included: increased efficiency (timely processing); improved effectiveness (reducing labour and interest costs); reducing lost invoices; and, error rate reduction.
AUDIT PURPOSE AND OBJECTIVES
This audit was intended to provide reasonable assurance that the e-Payment process has appropriate management controls in place and that it is operating efficiently and economically, in compliance with TB and NRCan policies and directives.
Specifically, the audit was to assess whether:
- e-Payment is administered with due diligence and in compliance with policies, directives and procedures requirements;
- Management has implemented the necessary procedures and practices to ensure that financial transactions are complete, accurate and valid;
- Management has designed and implemented the e-Payment process in compliance with IT policies and directives; and
- Management has properly identified measures to ensure that the e-Payment process is efficient and economic.
E-Payment was fully implemented across the Department in May of 2010. It represents a significant change in NRCan’s overall accounts payable process. As such, there exists a risk that management controls are not working as intended and do not detect anomalies that require action.
The audit of the e-Payment (Audit of Accounts Payable Transactions processed using NRCan’s e-Payment System) was approved by the Deputy Minister as part of the 2011-2014 Risk-Based Audit Plan.
SCOPE AND METHODOLOGY
The scope of the audit included all transactions processed in e-Payment from the inception of the e-Payment system on April 1, 2009 to March 31, 2012.
The audit methodology was based on Treasury Board guidelines on internal auditing and standards defined by the Institute of Internal Auditors (IIA) and included:
- Review of key documents and relevant background documentation including policies, directives and standards;
- Interviews with key corporate and program personnel and e-Payment users (within the sectors);
- Site visit to the Invoice Payment Center to examine e-Payment transactions; and,
- Examination of corporate records, program records and other supporting documentation (to determine if effective financial and program controls have been designed and implemented).
The audit did not examine how the e-Payment implementation options were identified and appraised or the total costs of the implementation.
The audit criteria used to assess the management controls in place for the e-Payment process were selected using professional judgement based on the results of the audit’s planning phase and in consultation with management. The final audit criteria were accepted by management prior to the commencement of the audit. Please refer to Appendix B for the audit criteria.
FINDINGS AND RECOMMENDATIONS
The e-Payment process has established key management controls. However, these are not functioning as intended, resulting in transactions not always being processed in compliance with NRCan established procedures which are aligned with the Treasury Board Secretariat’s Directive on Account Verification or with the NRCan Quality Assurance and Statistical Plan. There were no payments issued without a supporting invoice.
Quality Assurance for High Risk Transactions
The Financial Administration Act Section 34 [Footnote 5] (FAA Section 34) requires that a responsible manager with delegated financial authority certify that goods and/or services were received and prices were fair and consistent with the contract. The Financial Administration Act Section 33 (FAA Section 33) requires that a financial officer with delegated payment authority must verify that FAA Section 34 has been properly certified before a payment can be released.
The Treasury Board Secretariat's (TBS) Directive on Account Verification states that financial officers must ensure that all high-risk transactions are subjected to a full review of the transaction prior to exercising payment authority pursuant to FAA Section 33. During the last fiscal year, three percent (3%) or 943 transactions were considered high risk. These payments represented 51% of the dollar amount paid using e-Payment.
In order to assist financial officers in verifying that the full review of high-risk transactions prior to exercising payment authority pursuant to FAA Section 33 occurs as required, a Quality Assurance (QA) Checklist for high-risk transactions has been developed by NRCan. The checklist serves as another level of control allowing for more immediate identification and resolution of errors and provides auditable evidence that a full review of the transaction has been completed as required.
As part of the audit, a statistical random sample of 447 e-Payment transactions was selected for examination. Seventeen of these 447 transactions were identified as high-risk transactions. An additional judgmental sample of 95 high-risk transactions was selected for examination. The audit team found 134 errors or deficiencies within these high-risk transactions. Example deficiencies included instances of payments being approved by an individual without the delegated authority, and responsible financial officers not verifying that the original expenditure initiation approval (FAA Section 32) was appropriate.
It was determined that although employees were familiar with the procedures for the processing of these high-risk transactions, they were not all interpreting these the same way and, as a result, were not always applying these procedures as intended. It should be noted that Management was made aware of the latter situations and the issues were resolved immediately, through measures such as on-site training and Section 33 delegation. In addition, the audit team observed that all QA Checklists for high-risk transactions were located for transactions which fell within the 2011-2012 fiscal year, coinciding with the implementation of SAP, an updated version of the e-Payment system, as well as the implementation of an electronic goods receipt.
The audit team also found 4 errors relating to FAA Section 34 within the judgmental sample of 95 high-risk transactions. The errors or deficiencies found included:
- High-risk transactions processed without any FAA Section 34 certification; and,
- High-risk transactions certified pursuant to FAA Section 34 by individuals who had not been formally delegated this authority as required by TBS Directive on Delegation of Financial Authorities for Disbursements. [Footnote 6]
It was determined that although employees were familiar with the procedures for the processing of these transactions, they did not possess the appropriate FAA Section 34 delegation at the time of certifying the transactions.
Quality Assurance for Low and Medium Risk Transactions Processed with e-Payment
Low-risk transactions include transactions that are not sensitive in nature and medium-risk transactions include transactions not considered either high risk or low risk. The Directive on Account Verification requires that financial officers ensure that sampling be conducted by the Department for medium and low risk transactions based on a sound sampling plan and selection methodology and that these types of transactions are subjected to a review of the most important aspects of each selected transaction. The Directive also requires that sampling practices and related techniques that are selected are sufficiently accurate and enable reporting on results to demonstrate the overall adequacy and reliability of the account verification process.
It should be noted that while the IPC does exercise payment authority for high risk payments pursuant to FAA Section 33, it does not exercise this authority with respect to low and medium risk payments. IPC employees are only tasked to perform a number of specified checks to determine whether FAA Section 34 certification has been properly exercised. The actual approval for payment of these types of transactions is performed by a financial officer outside the IPC who creates a batch payment run for all invoices for which payments have been cleared for processing by IPC employees, including high risk payments cleared by the IPC’s financial officer and authorized for payment. Once the batch payment run file has been created, the financial officer generates an electronic authorization and certification attesting to the fact that payments have been verified according to the Directive on Account Verification, including the performance of sampling for medium and low risk transactions.
During fiscal year 2011-2012, it was noted that 97% of invoices processed were considered as low or medium risk transactions and represented 49% of the total value of transactions processed. The audit team found that the Finance and Procurement Branch was conducting sampling for medium and low risk transactions. However, it was not occurring in a timely manner in accordance with the NRCan Quality Assurance and Statistical Plan. Management advised the audit team that this was partly due to limitations within SAP that were rectified in December 2011.
Of the random statistical sample of 447 transactions, 430 were low and medium risk transactions. These transactions were reviewed to determine whether FAA Section 34 certification had been properly exercised. The audit team found 10 errors relating to FAA Section 34 within these 430 low and medium risk transactions. The errors or deficiencies found included:
- Transactions did not have the required FAA Section 34 certification;
- Signatures applied did not match those on record; and,
- Transactions were certified pursuant to FAA Section 34 by individuals who had not been formally delegated this authority as required by TBS Directive on Delegation of Financial Authorities for Disbursements. [Footnote 7]
Again, it was determined that although employees were familiar with the procedures for the processing of these transactions, they did not possess the appropriate FAA Section 34 delegation at the time of certifying the transactions.
On September 29, 2012, subsequent to the completion of the audit, SSO issued instructions to all departmental employees that “wet ink” signatures were not to be used, and that electronic sign-offs utilizing “myKey” were mandatory.
According to the Directive on Account Verification, individuals who have been delegated authority under FAA Section 34 must ensure that there is auditable evidence of verification and that the supporting documentation is complete (i.e. it requires maintenance of documentation demonstrating agreed price and other specifications, and demonstrates receipt of goods or services and authorization according to the delegation of financial signing authorities). In addition, complete documentation of the electronic business transactions, including electronic authorization and authentication, must be maintained.
An expected outcome of e-Payment was the consolidation of all key documents required for various FAA related tasks. [Footnote 8] However, the e-Payment information system does not yet provide responsible managers with the functionality to upload supporting documentation, such as a receipt, a bill of lading, and/or a packing slip, related to the verification and certification that goods were in fact received or services in fact rendered as contracted. Rather, at the time of the audit, the procedures for e-Payment provided guidance for the sending of supporting documentation to the IPC for upload into the e-Payment system for only a limited number of transaction types, such as training, hospitality, conferences, memberships, and contracts issued by Sectors. The procedures have since been improved to allow managers to include other supporting documents in the payment file.
Training and Awareness
NRCan’s Shared Services Office, Finance and Procurement Services, has created a set of documented procedures to assist those processing transactions for payment (i.e. IRC and IPC). These procedures are available on the Shared Services Office’s Service Innovation website and provide step by step guidance for processing transactions for payment. The audit team conducted a review of these procedures to determine whether the guidance they contained complied with the Directive on Account Verification. Although the guidance did comply with the Directive on Account Verification, it lacked clarity for employees who were using the procedural document for verifying the accuracy and integrity of the invoice prior to posting the related transaction or performing FAA Section 33 certifications.
Employees who are responsible for processing e-Payment transactions in preparation for payment were interviewed as part of the audit. It was determined that although employees were familiar with the procedures, they were not all interpreting these the same way and as a result were not always applying these procedures as required.
In addition, the audit team interviewed 25 managers responsible for FAA Section 34 certifications for processing e-Payment transactions. These were selected from the overall statistical random sample of 447 transactions. Seventeen indicated that they had received no training at all with respect to the e-Payment process while nine indicated that they had received only minimal training.
Although Management has developed and communicated procedures for payment to suppliers, has developed an e-Payment process map outlining key steps and responsibilities, has established a service desk to assist managers and their staff, and does provide training on a demand basis (when resources are available), there continues to be a lack of awareness with respect to key steps, responsibilities, and procedures among employees and responsible managers processing e-Payment transactions.
RISK AND IMPACT
There exists moderate compliance risk exposure that transactions are not always being processed in compliance with NRCan established procedures which are aligned with the Treasury Board Secretariat’s Directive on Account Verification. This may result in payments not being properly authorized, accurate, or fulfilling legitimate obligations.
1. The Director, Finance and Procurement Services, should ensure that all high risk transactions are subjected to a full review of the transaction when exercising FAA Section 33 payment authority, in compliance with relevant TB and NRCan policies, related directives, and procedures.
2. The Director, Finance and Procurement Services, should also ensure that sampling for low and medium risk payments, which includes e-Payment transactions, is completed and reported on in a timely manner.
MANAGEMENT RESPONSE AND ACTION PLAN AND TIME FRAME
1. Management agrees with the audit finding and the Director, Financial and Procurement Services will review the procedures in place for all high risk transactions to ensure that they are compliant with relevant TB and NRCan policies, related directives, and procedures.
Timing: December 2012
2. Management agrees with the audit finding and has acted on the audit's recommendation to ensure statistical sampling for low and medium risk e-payments is completed and reported on in a timely manner in order to provide the required level of assurance when exercising FAA Section 33 payment authorization. Management has caught up with the outstanding statistical sampling required for e-payment and is committed to provide reports as required under the NRCan Quality Assurance and Statistical Plan.
Timing: Next report is due August 31st, 2012
DATA INTEGRITY [Footnote 9]
Controls around the uploading of invoices into the e-Payment system by the IRC are working as intended. Transactions processed in e-Payment are recorded in the proper financial period. The e-Payment application control framework does not adequately address data integrity with regards to the correction of data entry errors, including the accuracy of invoice dates and the final status of e-Payment records contained within the system.
Data Completeness of Invoices Received
In order to determine whether the e-Payment information system contained complete information with respect to invoices received at the Invoice Reception Centre (IRC), a random sample of 100 electronic and paper based invoices was examined. The audit team found that all invoices had been entered into the e-Payment system and determined the e-Payment information system contained complete invoice information.
The following graph illustrates the total volume of invoices uploaded into the e-Payment information system from its inception in April 2009 to April 2012. This represents a total number of 70,568 transactions since 2009. While e-Payment is being more widely used, there are noticeable peak workload periods for the IRC which coincide with each fiscal year end.
Data Accuracy and Integrity
As noted above, an expected outcome of e-Payment was the consolidation of all key documents required for various FAA related tasks. [Footnote 10] It was observed that the e-Payment information system contained data errors such as duplicate entry of invoices, instances where the incorrect amount of an invoice was recorded and subsequently approved by the responsible manager, or incorrect currency payments. The majority of these errors were identified by clerical staff who disregarded the error and/or processed the correct amounts. Although these errors were identified and there was no monetary impact for the Department, the data was left unchanged within the e-Payment information system. This practice results in inaccurate data maintained within the e-Payment system. At the time of the audit no formal mechanism was in place to address this issue.
On average, 278 transactions per month were cancelled within the system and never processed for payment. These transactions are known as “closed issues” and can include such things as an invoice that had been previously received for payment and input into the system a second time. However, by examining the number of “closed issues” over the last fiscal year (2011-2012) alone, 413 transactions were closed per month, creating ineffective and inefficient use of resources. The audit team observed that the peak volume of issues seems to coincide with peak workload periods of the IRC.
It was also noted, at the time of the audit, that the invoice received date being uploaded into the e-Payment information system is not consistently the date that the invoice was actually received. In some situations the date that the invoice was scanned into the system is used as the receipt date. This affects the determination of whether or not a payment is in fact issued within 30 days of the receipt date as required, as well as the interest charges applied to payments.
Duplicate Invoice Identification
In order to check for potential duplicate requests for payment, the e-Payment system incorporates measures and automatic checks to identify duplicate invoices. It was noted that this control was not always effective if the invoice number was not entered properly or the vendor name was entered differently, or if the invoice number or the vendor GST was not captured correctly. This created a control weakness by impeding the system's functionality, making it difficult to verify whether or not an invoice is a duplicate. Despite this weakness, the audit team noted only two instances of duplicate payments which were of low dollar value. These occurred during the 1st phase of the e-Payment system implementation.
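An added example, not part of the audit report or the e-Payment system's code: a sketch of how a duplicate check keyed on the raw vendor name and invoice number misses re-keyed or mis-scanned invoices, while matching on normalized fields flags them for manual review. The records, field names, normalization rules and the O/0 and I/1 confusion table are assumptions constructed for illustration.

```python
import re
import unicodedata
from collections import defaultdict
from decimal import Decimal
from itertools import combinations

# Constructed sample records (not NRCan data): the same invoice captured
# several times with differences in vendor name, GST number and invoice number.
INVOICES = [
    {"id": 1, "vendor": "Acme Supplies Inc.", "gst": "123456789 RT0001", "number": "INV-00412", "amount": "1,250.00"},
    {"id": 2, "vendor": "ACME SUPPLIES", "gst": "123456789RT0001", "number": "inv 412", "amount": "1250.00"},
    {"id": 3, "vendor": "Acme Supplies Inc.", "gst": "", "number": "INV-O0412", "amount": "1250.00"},
    {"id": 4, "vendor": "Boréal Géomatique Ltée", "gst": "987654321 RT0001", "number": "2012-077", "amount": "980.50"},
    {"id": 5, "vendor": "Boreal Geomatique", "gst": "987654321 RT0001", "number": "2012-077", "amount": "98.05"},
    {"id": 6, "vendor": "Northern Labs Ltd", "gst": "555000111 RT0001", "number": "INV-00412", "amount": "1250.00"},
]

# Assumed lists for this sketch; a real deployment would tune both.
LEGAL_SUFFIXES = {"inc", "ltd", "ltee", "corp", "co", "limited", "incorporated"}
OCR_CONFUSABLES = str.maketrans({"O": "0", "I": "1"})


def norm_number(raw):
    """Invoice-number key that ignores case, separators, O/0 and I/1
    confusion, and leading zeros at the start of a digit run."""
    s = raw.upper().translate(OCR_CONFUSABLES)
    s = re.sub(r"[^A-Z0-9]", "", s)
    return re.sub(r"(?<![0-9])0+(?=[0-9])", "", s)


def norm_vendor(raw):
    """Vendor-name key: accents, case, punctuation and legal suffixes dropped."""
    s = unicodedata.normalize("NFKD", raw)
    s = "".join(c for c in s if not unicodedata.combining(c)).casefold()
    tokens = re.sub(r"[^a-z0-9]+", " ", s).split()
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)


def gst_business_number(raw):
    """First nine digits of a GST/HST number, or '' if it was not captured."""
    digits = re.sub(r"\D", "", raw)
    return digits[:9] if len(digits) >= 9 else ""


def cents(raw):
    """Amount as integer cents, tolerating thousands separators."""
    return int(Decimal(raw.replace(",", "")) * 100)


def exact_duplicates(invoices):
    """The weak control: duplicates only when raw vendor and number match."""
    seen = defaultdict(list)
    for inv in invoices:
        seen[(inv["vendor"], inv["number"])].append(inv["id"])
    return [tuple(ids) for ids in seen.values() if len(ids) > 1]


def same_vendor(a, b):
    """Same vendor if the business numbers match or the normalized names do."""
    bn_a, bn_b = gst_business_number(a["gst"]), gst_business_number(b["gst"])
    if bn_a and bn_a == bn_b:
        return True
    return norm_vendor(a["vendor"]) == norm_vendor(b["vendor"])


def candidate_duplicates(invoices):
    """Pairs to route to manual review: same normalized invoice number and
    same vendor. The reason records whether the captured amounts agree."""
    buckets = defaultdict(list)
    for inv in invoices:
        buckets[norm_number(inv["number"])].append(inv)
    flagged = []
    for group in buckets.values():
        for a, b in combinations(group, 2):
            if same_vendor(a, b):
                agree = cents(a["amount"]) == cents(b["amount"])
                flagged.append((a["id"], b["id"], "same_amount" if agree else "amount_differs"))
    return flagged


if __name__ == "__main__":
    print("exact match:", exact_duplicates(INVOICES))
    print("normalized :", candidate_duplicates(INVOICES))
```

Invoice 6 shares an invoice number with invoices 1 to 3 but belongs to a different vendor, so it is not flagged; invoices 4 and 5 are flagged with differing amounts, the kind of data entry error the report describes.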
RISK AND IMPACT
There exists minor reporting risk exposure resulting from data accuracy and integrity within the e-Payment information system as a tool. Errors in data accuracy and integrity can lead to inaccurate performance information and reporting with respect to the e-Payment system.
3. The Director, Finance and Procurement Services, should ensure that the e-Payment application control framework adequately addresses data integrity discrepancies.
MANAGEMENT RESPONSE AND ACTION PLAN AND TIME FRAME
3. Management agrees with the audit finding and the Director, Finance and Procurement Services is scheduled to release an update to the e-Payment system on September 30, 2012. The update:
- will automate the invoice date in the e-Payment system and make it modifiable. The invoice date will be the date received by the imaging unit.
- will enhance the automated SAP to e-Payment reconciliation routine to ensure that the final status of e-Payment requests is accurate.
It is important to note that the SAP is the Department Financial System of Record.
Timing: September 2012
Four of the key outcomes that were expected to result from the implementation of the e-Payment system, namely increased efficiency (timely processing), improved effectiveness (reducing labour and interest costs), reducing lost invoices, and error rate reduction, were selected as criteria to examine the performance of the e-Payment process. While it was found that the uploading of invoices into the e-Payment system by the Invoice Reception Center was working as intended, resulting in the reduction of the potential for lost invoices, the remaining three key expected outcomes have not yet been fully realized.
The TBS Directive on Payment Requisitioning and Cheque Control requires that payments to suppliers be issued within 30 calendar days of receipt of invoice or goods/services (whichever is later) in order to avoid interest charges. At the time of the audit, it was determined that not all payments were being made within 30 days.
From the random statistical sample of 447 e-Payment transactions, it took on average 14 days from the time that the IRC received the invoice to the time that FAA Section 34 was signed by the responsible manager; 11 days before the transaction was approved for payment; and, on average 10 days before the actual payment was issued (cheque estimated date). The total average processing time, based on the random sample, was 35 days.
The processing time for all transactions within the last fiscal year (2011-2012) was also reviewed. The average period of time taken to process these transactions was 39 days. Sixty-two percent of all transactions were paid on time.
Reducing Interest Costs
SSO expected the e-Payment system would reduce interest costs by $45,000 per year. The audit team examined interest costs incurred by the Department, starting in fiscal year 2008-2009 up to fiscal year 2011-2012. It was determined that interest costs have not been reduced as expected. The following graph identifies interest payments paid by NRCan from fiscal year 2008-2009 to fiscal year 2011-2012.
During fiscal year 2010-2011, when e-Payment was fully implemented across the Department, interest costs had actually increased by $105K compared to the prior fiscal year. For fiscal year 2011-2012, during which time the Department was realizing significant and transformative changes with respect to its financial system, including e-Payment, interest costs decreased by $87K. This amount does not include interest charges that were individually less than $10, as these were only paid on demand. For the fiscal year 2010-2011, the total of interest charges of less than $10 was approximately $19K.
Value for Money
The audit determined that 83% of invoices were for low dollar values (i.e. less than $5,000) and represented 21% of total dollar value of transactions processed. High risk transactions represented only 3% of the total number of invoices that were processed through the e-Payment system. This 3% actually represented 51% of the total dollar value of transactions processed through the e-Payment system.
Management advised the audit team that the Department’s additional incremental cost of processing an invoice through e-Payment in comparison to paying an invoice using an acquisition card was approximately $20. This excludes additional costs incurred by Public Works and Government Services Canada to issue the corresponding cheque. If low dollar value invoices were to be processed by acquisition cards, the Department could incur savings of up to 80% per transaction. However, further analysis would be required to determine the exact extent of potential savings due to certain contracting restrictions and reporting requirements imposed by central agencies, as well as the functionality and design of the SAP system which imposes certain limitations with respect to acquisition card use.
In addition to potential savings, processing low dollar value invoices outside of the e-Payment system would also reduce the workloads of IRC and IPC employees, and the number of transactions processed in the e-Payment system, especially at the year end.
Inefficiencies with respect to supplier invoices processed through e-Payment were also noted. In particular, one cost centre received 94 invoices in one month from the same supplier of temporary help services with an average price of $333 per invoice. The large number of invoices submitted every month from the same vendor creates more work for the staff involved in terms of processing invoices. There may be opportunities for the Department to work with suppliers to consolidate the number of invoices received on a monthly basis. This could result in reducing the administration burden of processing transactions.
The audit did not examine how e-Payment implementation options were identified and appraised or the total costs of the implementation. The audit team did note, however, that the implementation of the e-Payment process together with reductions resulting from Strategic Review has allowed for annual cost reallocations of 12 full time equivalents (FTEs) or approximately $750K for improvements to other core SSO Finance service delivery commitments.
Error Rate Reduction
With the implementation of the e-Payment system, it was expected that there would be an overall reduction in the critical error rate from 5% to 2%.
It was determined that transactions were not always being processed in compliance with NRCan established procedures, which are aligned with the Treasury Board Secretariat’s Directive on Account Verification. From the statistical random sample, which included transactions from April 2009 up to December 2011, the audit team found that the overall error rate was 5.4%.
The audit team defined critical errors as transactions that were processed for payment:
- in spite of communicated restrictions;
- with inadmissible charges;
- without evidence of appropriate Payment Verification Authority;
- with an invalid Section 34 Delegation; and
- with an expired Section 34 Delegation.
The audit team also defined critical errors as transactions where payments were issued:
- with an invalid Section 33 Payment Authorization;
- without evidence that Section 33 Payment Verification had been performed;
- despite evidence of an incomplete Section 33 Payment Verification; and,
- without evidence of complete supporting documentation.
SSO Management advised the audit team that some expected outcomes were delayed due to the implementation of SAP.
RISK AND IMPACT
There is a moderate operational risk exposure related to the monitoring of the expected outcomes that may result in ineffective and inefficient use of resources in NRCan’s overall accounts payable process.
4. The Director, Finance and Procurement Services, should monitor the e-Payment process against the key objectives such as timeliness of invoice processing, interest costs on late payments and the reduction of errors to ensure continuous improvement.
MANAGEMENT RESPONSE AND ACTION PLAN AND TIME FRAME
4. The Director, Finance and Procurement Services will continuously monitor progress and provide senior management with reports on a quarterly basis to track progress made towards realizing the expected outcomes and on an annual basis thereafter.
Timing: December 2012
INFORMATION TECHNOLOGY CONTROL ENVIRONMENT
Electronic signatures used within the e-Payment system for FAA Section 34 and 33 related tasks are made as a result of a combination of user identification codes, passwords, personal authorization, and special keys in personal access devices. However, the e-Payment information system holds only an Interim Authority to Operate (departmental certification and accreditation). An appropriate, formalized backup and restore process, compliant with the applicable IT policies and directives, was not evident at the time of the audit, and there is a need to implement sound access controls to manage and monitor the security of data within the e-Payment system.
The Policy on Government Security mandates that departments certify and accredit all IT systems prior to their operation. The e-Payment system has not yet been certified or accredited and NRCan’s IT Security Program issued an Interim Authority to Operate in April 2012. This authority is valid until April 2013, at which time the certification and accreditation process is to be finalized by the Director, CMSS/SSO/FAP and NRCan’s IT Security Program.
NRCan’s Backup and Restore Standard has not been met for the e-Payment system. There was no evidence of formally documented backup procedures at the application level and no evidence that backups of the system were formally tested, either at the application or infrastructure level. The audit team was advised that these tasks were now being shared among the new Shared Services Canada Office and NRCan employees who were currently in the process of documenting these requirements.
NRCan’s Logging and Monitoring Directive requires that the process for logging and monitoring of events be documented. There is no formally documented process in place for the e-Payment information system.
Electronic signatures used within the e-Payment system for FAA Section 34 certification related tasks are made as a result of a combination of user identification codes, passwords, personal authorization, and special keys in personal access devices. The use of electronic signatures over wet ink signatures increases the level of control and confidence with respect to authority and authenticity of the individual certifying under FAA Section 34. It serves to ensure that FAA Section 34 is being applied by the correct manager for the correct invoice, whereas wet ink signatures have proven to be illegible at times, which can make confirmation of authority more time consuming. It should be noted that invoices of $50,000 and more require that the responsible manager sign and date FAA Section 34 certification on the invoice manually and forward it, along with supporting documentation, through internal mail for payment processing by the IPC.
An administrator account provides system Administrator level access, which allows a user to make changes to the system’s structure as well as the data contained within the system. The sharing of this account and related password is contrary to best practices and NRCan Policy. This level of access had been given to three NRCan Software Developers by providing them with the Administrator password. As a result, when changes are made using this password, there is no clear audit trail identifying the individual who modified the system or the data. In addition, a number of users have been assigned the role of granting super user access. This role is generally used by the supervisor of the system process and other “business” users who are tasked with fixing live data within the application system. However, this role had also been granted to members of NRCan’s Application Development Team along with NRCan’s Maintenance Team, essentially creating a lack of clear system-specific segregation of duties. This issue, along with the lack of sound access controls, could result in an inability to monitor and control security and access to data within the application and ultimately the organization.
RISK AND IMPACT
There is a minor compliance risk exposure related to the lack of logging and monitoring of events and access controls which could lead to unauthorized modification to data and compromised data integrity.
5. The Director of IT Support Services should ensure for the e-Payment system that:
- there are appropriate controls in place to monitor and segregate activities between the Application Development Team and Maintenance Team Staff; and
- there is a formally documented process in place for logging and monitoring of events.
MANAGEMENT RESPONSE AND ACTION PLAN AND TIME FRAME
5. The Director of IT Support Services will:
- Work with SSC to ensure that a formal and documented backup process is in place. This process will also have a regular testing schedule.
Timing: September 30th, 2012
- Ensure that a formal documented process and procedures are developed in order to appropriately segregate activities between the development team and the maintenance and support team.
Timing: October 31st, 2012
- Ensure that a formal documented process is in place for logging and monitoring events and that unique accounts per team member are used.
Timing: March 29th, 2013
APPENDIX A – STANDARD RISK TYPES AND AUDIT RATINGS
Standard Risk Types
Our standard risk types are classified based on the COSO (Footnote 11) Internal Control-Integrated Framework as follows:
Strategy – High-level goals, aligned with and supporting the Department's mission.
Operations – Effective and efficient use of resources.
Monitoring – Accurate assessments or evaluation of activities.
Reporting – Reliability of operational and financial reporting.
Compliance – Compliance with applicable laws, regulations, policies and procedures.
Standard Audit Risk Ratings
Audit findings are rated as follows:
Major: A key control does not exist, is poorly designed or is not operating as intended and the related risk is potentially significant. The objective to which the control relates is unlikely to be achieved. Corrective action is needed to ensure controls are cost effective and/or objectives are achieved.
Moderate: A key control does not exist, is poorly designed or is not operating as intended and the related risk is more than inconsequential. However, a compensating control exists. Corrective action is needed to avoid sole reliance on compensating controls and/or ensure controls are cost effective.
Minor: A weakness in the design and/or operation of a non-key process control. Ability to achieve process objectives is unlikely to be impacted. Corrective action is suggested to ensure controls are cost effective.
APPENDIX B – AUDIT OBJECTIVES AND CRITERIA
The audit criteria were derived from widely recognized control models (e.g. Management Accountability Framework, CICA Criteria of Control - CoCo) and relevant policies, acts and legislation. Actual performance was assessed against the audit criteria resulting in either a positive finding or the identification of an area of improvement.
The purpose of this audit was to provide reasonable assurance that the e-Payment process has appropriate management controls in place and that it is operating efficiently and economically, and in compliance with Treasury Board and NRCan policies and directives.
The following audit criteria were used to conduct the audit:
|AUDIT SUB-OBJECTIVES|AUDIT CRITERIA|
|---|---|
|To evaluate whether e-Payment is administered with due diligence and in accordance with TB/NRCan policies and procedures requirements.|1.1 We expect that Management has designed and implemented appropriate controls to ensure that e-Payment transactions are in compliance with all relevant requirements.|
||1.2 We expect that management has clearly defined and communicated roles and responsibilities.|
|To evaluate whether management has implemented the necessary procedures and practices to ensure that transactions are complete, accurate and valid.|2.1 We expect that the e-Payment transactions are complete, accurate and valid.|
||2.2 We expect that the e-Payment transactions are reported in the proper period (Cut-off) (Presentation).|
||2.3 We expect that the integrity of e-Payment transactions is maintained and no duplicate payments are processed.|
|To determine whether management has designed and implemented the e-Payment process in compliance with IT policies and directives.|3.1 We expect that the e-Payment process is developed and implemented in accordance with the appropriate IT policies and directives.|
||3.2 We expect that the electronic signature is made as a result of a combination of user identification codes, passwords, personal authorization, and special keys in personal access devices for FAA Section 34 and 33.|
||3.3 We expect that access controls are in place, that access is restricted only to network account user IDs, and that the Entrust software and GOC PKI identify and verify user access for RCM reviewer, RCM, Section 33 and others.|
|To determine whether management has properly identified necessary measures to ensure that the e-Payment process is efficient and economic.|4.1 We expect that the e-Payment process can demonstrate that transactions are processed in a timely manner.|
||4.2 We expect that the e-Payment can demonstrate that the process is managed in an economic fashion by reducing interest costs as well as by reducing labour costs.|
||4.3 We expect that e-Payments can demonstrate that data entry errors have been reduced.|
||4.4 We expect that the e-Payments process has resulted in the elimination of lost invoices.|