Continuous Auditing of Key Controls Annual Report for 2013-14

Introduction

This report is the annual assurance report by Natural Resources Canada’s Audit Branch (AB) on core controls assessed via continuous auditing. It presents the results of the continuous auditing activities undertaken by AB on transactions recorded in fiscal year 2013-14.

Why This Is Important

Continuous auditing is the use of audit methods, ranging from ongoing control evaluations to continuous risk assessments, on a more frequent or ongoing basis. It provides assurance on an organization's financial and non-financial data through a narrow scope in a specific area, in a near real-time environment.

Continuous auditing enables auditors to report on subject matter within a much shorter timeframe than under the traditional auditing model. The ability to provide Management with near real-time auditing on the functioning of core financial controls and on financial transactions can significantly enhance internal controls.

Accomplishments This Year

With support from the Deputy Minister, Senior Management and the Departmental Audit Committee (DAC), AB has continued the implementation of an effective and sustainable continuous auditing capacity for NRCan in 2013-14. The capacity in this area will be maintained and the nature and scope of testing will evolve over time.

The continuous audit activities conducted in 2013-14 focused on identifying potential control issues related to high-risk financial processes and introducing ongoing testing of transactions related to these processes. Accordingly, the following three areas were assessed via continuous auditing in 2013-14:

  • Acquisition card usage;
  • Hospitality expenditures; and
  • Contracting and supplier payments.

Based on the continuous audit work that was completed in 2013-14, AB was able to provide timely feedback to Senior Management and DAC on the functioning of the core financial controls associated with these three areas. Findings and recommendations resulting from the continuous audits were provided to Management in order to assist them with improving existing control mechanisms. Findings and recommendations were also presented to DAC along with the associated Management Response and Action Plans.

Directly complementing continuous auditing activities undertaken by AB, NRCan Management was engaged in continuous monitoring of these same processes (in accordance with TB Policy on Internal Controls). Combined efforts by both AB and Management have resulted in improvements to control processes and correction of any identified errors. It should be mentioned that, in its second year of continuous auditing activities, AB has noted improvements to the departmental controls.

Objective

The overall objective was to provide reasonable assurance that key controls are in place for the use of departmental acquisition cards, hospitality expenses and contracting and supplier payments, and that these key controls are working as intended.

Scope

The scope of the three cycles of continuous audit activities was as follows:

  • For acquisition card usage, the period under review was June 1, 2013 – August 31, 2013.
  • For hospitality, the period under review was July 1, 2013 – September 30, 2013.
  • For contracting and supplier payments, the period under review was October 1, 2013 – February 28, 2014.

The audit criteria used for each cycle are provided in Appendix A.

Key Findings and Recommendations

Based on the audit work, it was found that the key controls associated with all three processes (acquisition card usage, hospitality expenditures and contracting and supplier payments) are in place.

These three processes were chosen because of the inherent risks associated with the types of transactions associated with them. The following areas of consideration were identified:

  • Risk of potential non-compliance with government legislation, policies and directives which might result in the revocation of certain delegated departmental financial authorities by the Treasury Board Secretariat;
  • Risk of loss of public money/public confidence: contracting, hospitality and acquisition card expenditures frequently become indicators of a department’s prudence and probity in the management of public funds; and
  • Possible errors, issues, omissions associated with certain categories of acquisition card expenditures because they are not routinely purchased on an acquisition card (such as travel expenses) or they require specific documentation to support the expenses (such as Hospitality expenditures).

For the period under review, it was concluded that, for the most part, key controls were working as intended for acquisition card usage and contracting and supplier payment processes. However, the audit found that some tested controls did not always operate as intended for hospitality expenditure transactions. Still, it is important to note that the audit found no instances where hospitality was extended for non-government business. All findings and recommendations from the continuous audit activities were accepted by Management. Responses and action plans were prepared by Management and provided to DAC to address the recommendations in a timely manner.

The following section of the report summarizes the findings and conclusions for each continuous audit cycle completed in 2013-14.

Acquisition Card Usage

Overall, the key controls were in place and, for the most part, operating as intended. The audit work concluded there is a central oversight of the card issuance/maintenance process. Additionally, the audit noted that monitoring activities are taking place to review the usage of these cards by the departmental users.

AB has also noted two opportunities for further strengthening the control framework surrounding the acquisition card usage at NRCan: First, it was found that some cardholders did not maintain proper supporting documentation, as required, for approving the transaction under FAA section 34. Secondly, the audit also noted that some cardholders had used their acquisition cards to purchase legitimate but restricted items (such as accommodation and vehicle expenses). In these cases, the acquisition card was not the appropriate method/mechanism to acquire these goods/services. Appropriate alternatives would have been a government travel card, the vehicle credit card or an interdepartmental payment mechanism.

NRCan’s Finance and Procurement Branch has recently developed an enhanced continuous monitoring program of all departmental acquisition card use. This new methodology is currently being implemented for the 2014-15 fiscal year and it will include a review of all active NRCan acquisition cards.

In addition, each month, the top ten statements with the highest combination of sensitive transaction types (such as potential split transactions, duplicate transactions or transactions occurring on a weekend) will be examined, regardless of whether or not the cardholders had previously been subject to review. It is expected that with the increased number of cards being reviewed, awareness of and compliance with the requirements of policies and procedures will be enhanced. This is a further indication that Management is committed to maintaining and further improving the management control framework over the use of acquisition cards.

Hospitality Expenditures

The completed audit work has provided reasonable assurance that the key controls for managing payments for hospitality have been established and documented by Management. However, it was noted that tested key controls did not always operate as intended for hospitality expenditure transactions. While it was noted that there were no instances of hospitality for non-government business, there were cases where required documents were not completed and signed by an authorized individual prior to the hospitality expense being incurred. As such, key controls need to be strengthened specifically for obtaining appropriate approvals prior to incurring the expense.

The audit found that the departmental verification policy was not being applied consistently. While hospitality transactions paid by cheque or direct deposit were reviewed as per the policy, transactions paid using an acquisition card were subject to a lower level of verification.

To address this issue, Management has approved a new monitoring methodology for hospitality expenditures. This methodology ensures that when acquisition cards are used to pay for purchases, any expenses coded as hospitality will be reviewed in the same manner as transactions paid by cheque or direct deposit.

Contracting and Supplier Payments

Overall, the key controls were in place and, for the most part, operating as intended with respect to the contracts reviewed and their related payments. The audit found that the invoices were reviewed and approved by individuals with appropriate delegated authority (as per FAA section 34) and that the transactions were approved by individuals with appropriate delegated authority (as per FAA section 33). The audit also noted that there is a continuous monitoring program in place which periodically reviews samples of issued contracts.

NRCan Management has put in place a good practice, in the form of a Procurement Review Board (PRB). The PRB plays a key role in assessing and mitigating risks associated with NRCan procurement and contracting activities. Of interest to this continuous audit is the PRB’s responsibility to review, for recommendation or modification, any procurement strategy for all non-competitive (sole source) goods or services requirements over $25,000.

Another good practice in place is the eProcurement system that is used to initiate the process for all NRCan contracts except for a couple of areas within NRCan. This eProcurement tool allows individuals to purchase and track procurement needs online and from anywhere. Once the appropriate approvals are completed on-line, a procurement specialist executes the request after reviewing the documents that are attached with the request. This tool reduces data input errors and is a repository for key documents which is important prior to any contract being issued.

However, contract initiation key controls can be further strengthened. At the time of initiation, the expected value of the contract is entered in the system. Section 32 of the FAA is obtained for this amount. Should the final value of the contract be higher by 10% of the initial amount or greater than $1,000, additional approval must be obtained for the increase in estimated contract value. In some instances, the documentation demonstrating the approval of the additional section 32 was not always on file.

Furthermore, the Procurement, Contracting and Asset Management Group within NRCan’s Finance and Procurement Branch created a sub-delegation for its contracting authority. This allows junior procurement officers to obtain experience with more complex contracts. In these cases, a more senior procurement officer must review and sign off on the work. In some instances, it was found that junior contracting officers signed contracts outside of their sub-delegated contracting authority. It is important to note here that, for all transactions reviewed, the contracts were for legitimate purposes and there was no financial impact on the department.

Departments are required to disclose, quarterly, a list of signed contracts over $10,000 on their website. The audit found that for the period under review, the list of contracts disclosed on the website for the second quarter of 2013-14 was incorrect. While the list was correctly prepared and compiled, a wrong version of it was posted due to an administrative error. The error was corrected by Management as soon as it was identified.

Conclusion

The Audit Branch can provide reasonable assurance that key controls are in place based on the review of selected transactions for these three processes: Acquisition card usage, hospitality expenditures and contracting and supplier payments.

For the period under review, for the most part, key controls were working as intended for acquisition card use and contracting and supplier payment processes. However, it was found that some tested controls did not always operate as intended for hospitality expenditure transactions. Still, it is important to note that the audit found no instances where hospitality was extended for non-government business.

Management Response

Management has responded with timely action plans to address the issues noted in these three cycles of continuous audit activities, and in most cases, issues were corrected immediately. Therefore, the Audit Branch has assessed the residual risks to be low. AB will continue to follow-up on the implementation of these management action plans.

Acknowledgements

The Audit Branch would like to thank those individuals who contributed to these continuous audits and, in particular, the employees who provided insights and comments.

Conformance with Professional Standards

In my professional judgement as Chief Audit Executive, the continuous audit activities, along with this annual report, conform with the Internal Auditing Standards for the Government of Canada, as supported by the results of the Quality Assurance and Improvement Program (QAIP).

Christian Asselin, CPA, CA, CMA, CFE
Chief Audit Executive

APPENDIX A – CONTINUOUS AUDIT CRITERIA

ACQUISITION CARD USAGE

The overall objective of this continuous audit was to provide reasonable assurance that key controls are in place for Acquisition Cards (AC) and working as intended. Specifically, the audit assessed whether:

  • The use of AC was in compliance with NRCan’s policy on Acquisition Cards Section 9.2 (allowable purchases); Section 10 (Restrictions) and Section 9.4.a (Section 34 of the FAA and sign off); and
  • Convenience cheques were appropriately used. The use of AC was monitored.

Sub-Objectives and Criteria

Sub-Objective 1: Acquisition cards are only used to pay for government goods and services and acquired items that are in compliance with NRCan’s policy on Acquisition Cards.

Criteria:

  • Acquisition Cards are being used exclusively for authorized government purchases (Acquisition Cards Policy Instruments).

Sub-Objective 2: Acquisition card transactions have the required documentation to support expenditures.

Criteria:

  • Acquisition Cards transactions are supported by appropriate documentation (invoices / hospitality authorization etc.).

Sub-Objective 3: RC managers certifying FAA Section 34 have the appropriate FAA Section 34 signing authority.

Criteria:

  • Only staff with appropriate FAA Section 34 signing authority for the specific cost center have approved the transactions.

Sub-Objective 4: Appropriate spending authority is in place and documented.

Criteria:

  • Appropriate transaction and monthly spending limits have been established and transaction spending limit in excess of $5,000 has been properly authorized and documented.

Sub-Objective 5: The use of acquisition cards is monitored.

Criteria:

  • Monitoring is conducted to identify Acquisition Cards which are not used for a certain period and appropriate action is taken.
  • Account Verification is completed on a regular basis for acquisition cards as per applicable policy / guidelines.

HOSPITALITY EXPENDITURES

The objective of this continuous audit was to provide reasonable assurance that key controls for hospitality expenses were in place and working as intended. Specifically, the audit assessed whether:

  • Hospitality activities and related expenses were in compliance with Treasury Board and NRCan policies and procedures; and
  • Monitoring of hospitality activities was conducted and proactively disclosed where applicable.

Sub-Objectives and Criteria

Sub-Objective 1: To assess whether hospitality expenses are managed in compliance with Treasury Board and departmental policies and procedures.

Criteria:

  • Hospitality expenses are incurred for the purposes of effective conduct of government business and courtesy, diplomacy or protocol.
  • Appropriate approvals are obtained prior to incurring hospitality expenses.
  • Hospitality expenses are supported by appropriate documentation.
  • Hospitality claims are reviewed and have appropriate sections 34 and 33 of the FAA.

Sub-Objective 2: To assess whether monitoring of hospitality activities is undertaken.

Criteria:

  • Monitoring activities are taking place and working as intended. Actions are taken to address deficiencies. Issues have decreased over time.
  • Hospitality expenses for selected government officials are proactively disclosed.

CONTRACTING AND SUPPLIER PAYMENTS

The objective of this continuous audit was to provide reasonable assurance that key controls were in place and working as intended for the procurement process (from initiation or contract award to supplier payment). Specifically, the audit assessed:

  • whether contracts were initiated in compliance with Treasury Board and departmental policies and procedures;
  • whether supplier payments were in compliance with Treasury Board and departmental policies and procedures; and
  • the effectiveness of monitoring and reporting activities for contract initiation and spending verification.

Sub-Objectives and Criteria

Sub-objective 1: To assess whether contracts are managed in compliance with Treasury Board and departmental policies and procedures.

Criteria:

  • The Department’s process for managing contracts is in compliance with Treasury Board’s Contracting Policy.
  • Contract thresholds are respected.
  • There is documentation supporting the review and approval of contract transactions by the appropriate delegated signing authorities; sections 32 of the FAA are properly applied.
  • There is documentation supporting the rationale and justification of contract transactions by the appropriate authorities (e.g. complete audit trail, sole source justification, rationale for amendment).

Sub-objective 2: To assess whether supplier payments are verified in compliance with Treasury Board and departmental policies and procedures.

Criteria:

  • The Department’s process for account verification of supplier payments is implemented, effective, and in compliance with Treasury Board’s Directive on Account Verification.
  • There is sufficient documentation supporting the review and approval of supplier payments by the appropriate delegated signing authorities; sections 33 and 34 of the FAA are properly applied.
  • No duplicate payments are processed.

Sub-objective 3: To assess the effectiveness of monitoring and reporting activities for contract administration.

Criteria:

  • The Department has effective processes in place to regularly monitor contracting activities and supplier payments. Issues and anomalies are addressed and corrected in a timely manner.
  • Reporting information for forecasting and financial statements is complete and accurate (transactions are coded appropriately).
  • Contracts over $10K are proactively disclosed in a timely manner, including those with former public servants.