Continuous auditing provides ongoing assurance on specific management processes and controls to enable more timely insight into possible risk and control issues. It enables the provision of findings to management on key controls related to financial and non-financial processes in a timely manner.
As continuous auditing provides management with near real-time audit results on the effectiveness and efficiency of key controls on related transactions, it can significantly enhance the internal control processes and frameworks within an organization.
This report is the annual assurance report by Natural Resources Canada’s (NRCan’s) Audit Branch (AB) on key controls assessed via continuous auditing. It presents the results of the continuous auditing activities undertaken by the AB on transactions recorded in fiscal year 2014-15.
Accomplishments This Year
With support from the Deputy Minister, Senior Management, and the Departmental Audit Committee (DAC), the AB has continued the implementation of an effective and sustainable continuous auditing capacity for NRCan in 2014-15.
The continuous audit activities conducted in 2014-15 focused on identifying potential control issues related to specific processes identified in the Deputy-approved Risk-Based Audit Plan. Accordingly, the following three areas were assessed via continuous auditing in 2014-15:
- Travel and Associated Events;
- Pay; and
- Contracting and Supplier Payments.
Based on the continuous audit work that was completed in 2014-15, the AB was able to provide timely advice to senior management and the DAC on the functioning of the key controls associated with these three areas. Findings and recommendations resulting from the continuous audits were provided to management, in order to assist them with improving existing control mechanisms. These findings and recommendations were also presented to the DAC along with the associated management responses and action plans.
In addition to our continuous audit activities, NRCan’s management was engaged in continuous monitoring in accordance with the Treasury Board’s (TB’s) Policy on Internal Controls. The combined efforts by both the AB and management have resulted in improvements to control processes and the correction of any identified errors.
The objective was to provide reasonable assurance that key controls were in place for the Travel and Associated Events, Pay, and Contracting and Supplier Payments processes, and that these key controls were working as intended.
The scope of the three continuous audit activities was:
- For Travel and Associated Events, the period under review was June 1, 2014 – October 10, 2014.
- For Pay, the period under review was April 1, 2014 – December 31, 2014.
- For Contracting and Supplier Payments, period under review was October 1, 2014 – March 15, 2015.
A risk-based approach was used in identifying which transactional processes would most benefit from a continuous audit in 2014-15. As a result of our annual risk-based audit planning exercise, the three processes above were selected for audit, in consideration of the following inherent risks:
- Risk of potential non-compliance with government legislation, policies, and directives which may result in the revocation of certain delegated departmental financial authorities by the Treasury Board Secretariat;
- Risk of loss of public money/public confidence: The management of contracting and travel functions are often indicators of a department’s prudence and probity in their management of public funds;
- Risk of possible errors, issues, and omissions associated with these types of transactions which may result in inaccurate financial information; and
- Risk of inadequate documentation to support decisions made during the contracting process could result in the department not being able to demonstrate that it has a fair and transparent contracting process.
Key Findings and Recommendations
The following summarizes the findings and conclusions for each of the three continuous audits completed in 2014-15.
Travel and Associated Events
Overall, the key controls for travel and associated events were in place and operating as intended. The audit found several good practices in place, such as management requiring that all employee travel be planned and approved using the NRCan Travel and Conference Planning tool. This tool is automated and provides guidance to obtain the appropriate pre-approvals for travel.
The audit also found that the department uses the government Expense Management Tool (EMT) which automates key controls such as verification of correct per diem rates and allowable hotel rates. This automation also minimizes the risk of errors caused by manual data entry in the Systems Applications Products (SAP) accounting system. The EMT also ensures that any deviation from policy requirements is identified to the approver of the travel request for follow up.
As the EMT is relatively new, the audit noted that management has developed and communicated procedures for Travel Request Approvals to NRCan employees and has developed and distributed ‘Travel Newsletters’ to employees to address EMT problems and temporary workarounds.
In addition, the audit found that the process for identifying, validating, and posting NRCan senior official travel transactions on the NRCan website, under the government’s proactive disclosure policy, was well-defined and operating as intended.
All of the controls tested for this continuous audit were found to be effective; although there were a few opportunities for improvement identified. Specifically, there is need to regularly review and update the criteria for determining the ‘risk-level’ of any travel transaction to ensure reviews by the Finance and Procurement Branch are conducted by the individuals with the appropriate approval level. The audit also identified opportunities to achieve efficiencies by streamlining overlapping processes and eliminating redundant controls. Management has put in place an action plan to further strengthen existing controls.
The Government of Canada’s Consolidation of Pay Services Initiative has resulted in significant changes over the past few years with regards to the management of pay and benefits at NRCan. One major change resulting from the pay consolidation process is that all pay action requests are now processed by the Public Works and Government Services Canada’s (PWGSC’s) Public Service Pay Centre (PSPC), which has limited NRCan’s role to initiating a pay action request and verifying that it has been approved by an individual with the appropriate delegated authority.
Overall, the audit found that improvements are required to ensure a more robust control framework is in place for pay and some benefits transactions. Specifically, key areas for improvement include ensuring adequate documentation is maintained to support reviews conducted by Human Resources on pay action requests; conducting regular financial budget reviews by Responsibility Centre Managers (RCMs) of pay transactions; ensuring clarity of responsibilities between RCMs and Human Resources on employee departures; and, further strengthening the monitoring of compressed work week arrangements and other leave transactions.
The audit identified some positive findings such as the implementation of a centralized trusted source function within NRCan Human Resources. The trusted source function enables the department to centrally track and confirm appropriate approval for pay initiation requests, send pay action requests to the PSPC, and play a central liaison role with the PSPC.
In addition, the audit found that NRCan’s Internal Control Unit (ICU) within the Finance and Procurement Branch recently completed an Internal Control Assessment on the Payroll and Benefits business processes. The group’s mandate includes, among other responsibilities, the assessment of NRCan’s system of internal controls over financial reporting using a multi-year monitoring plan. The group maintains a plan of corrective actions and conducts follow-up activities. The audit team reviewed the adequacy of the work completed by the Internal Control Unit and concurred with their assessment of the controls.
Of the 19 controls tested as part of this continuous audit, 7 were found to be ineffective. Management has put in place an action plan to address deficiencies identified at NRCan. A subsequent continuous audit of pay will also be conducted to ensure actions committed to by NRCan management to address recommendations have been implemented in a timely manner. These actions should strengthen controls related to initiation requests. With that said, as the PSPC processes pay action requests, NRCan’s improved controls may not address residual issues. Specifically, considering NRCan’s reliance on the PSPC to process pay action requests, issues related to timeliness of processing and/or accuracy of the resulting payment calculations may continue to exist regardless of whether NRCan specific initiation controls are functioning as intended.
Contracting and Supplier Payments
This continuous audit found that, overall, key controls were in place and operating as intended with respect to the contracts reviewed and their related payments. The audit confirmed that invoices were reviewed and approved by individuals with appropriate delegated authority (as per Financial Administration Act [FAA] section 34) and that transaction payments were approved by individuals with appropriate delegated authority (as per FAA section 33). The audit noted that there is a continuous monitoring program in place which periodically reviews, on a sample basis, payments issued as a result of a contract.
NRCan Management has put in place a good practice, in the form of a Procurement Review Board (PRB). The PRB plays a key role in assessing and mitigating risks associated with NRCan procurement and contracting activities. Of interest to this continuous audit is the PRB’s responsibility to review, for recommendation or modification, any procurement strategy for all non-competitive (sole source) goods or services requirements over $25,000.
The NRCan eProcurement system, another example of a good practice, is used to initiate most NRCan contract requests. This eProcurement tool allows individuals to purchase and track procurement needs online and from anywhere. Once the appropriate approvals are completed on-line, a procurement specialist executes the request after reviewing the documents that are attached to the request. This tool is a repository for key documents, which is important prior to any contract being issued, and it reduces data input errors.
Of the 15 key controls tested as part of this continuous audit, 13 were found to be effective, although there were some opportunities for improvement related to documentation of files. Specifically, the audit found that some contracting files lacked key documentation to support decision-making, such as written approvals of changes to commitments and justifications for contract amendments. Similar findings were also identified in a recent review by the Office of the Procurement Ombudsman and during last year’s Continuous Audit of Contracting and Supplier Payments.
Opportunities were also identified to strengthen controls regarding reviewing the contract quality assurance processes to ensure activities conducted reflect a risk-based approach based on available resources; strengthen controls related to monitoring of low risk payments; and, eliminate possible redundant controls to achieve increased efficiencies. Management has put in place an action plan to further strengthen existing controls.
Based on the review of selected transactions for each respective process, the AB can provide reasonable assurance that, overall, key controls are in place and working as intended for the Travel and Associated Events, and Contracting and Supplier Payments processes. Opportunities for improvements were identified to ensure a more robust control process is in place for the Pay process.
Continuous auditing activities undertaken in 2014-15 provided timely recommendations to management to strengthen specific management processes and controls. As such, the management actions taken to address continuous audit findings have significantly enhanced the internal control processes and frameworks within NRCan.
Management has responded with timely action plans to address the issues noted in these three continuous audit activities, and in most cases, issues were corrected immediately. The AB will continue to follow-up on the implementation of these management action plans.
The AB would like to thank those individuals who contributed to these continuous audits and, particularly employees who provided their insights and comments.
Conformance with Professional Standards
In my professional judgement as Chief Audit Executive, the continuous audit activities along with this annual report conform with the Internal Auditing Standards for the Government of Canada, as supported by the results of the Quality Assurance and Improvement Program.
Christian Asselin, CPA, CA, CMA, CFE
Chief Audit Executive
September 10, 2015
APPENDIX A – CONTINUOUS AUDIT CRITERIA
TRAVEL AND ASSOCIATED EVENTS
The objective of this continuous audit was to provide reasonable assurance that key controls for travel and event expenses were in place and were working as intended. Specifically, the audit assessed compliance with government and departmental policies, directives, procedures, and monitoring.
- Compliance to Policies: Event form requesting travel is approved by an individual with the appropriate authority.
- Compliance to Policies: The EMT system identifies any policy deviation (s) prior to Sec. 32 of the FAA being signed.
- Appropriate Authority: A Responsibility Center manager with the required financial (Sec. 32 FAA) approves the travel request in the EMT system after the required event approval has been obtained.
- Compliance to Policies: The EMT system identifies any policy deviation (s) prior to Sec. 34 of the FAA being signed.
- Appropriate Authority: A Responsibility Center manager with the required financial (Sec. 34 FAA) approves the travel request in the EMT system and the required receipts or attestations are attached to the travel expense claim.
- Compliance to Policies: Post-payment account verification of low risk travel expense payments is undertaken by Quality Assurance group and issues are followed up in a timely manner.
- Compliance to Policies: Pre-payment account verification of high risk travel expense claims is undertaken by Finance travel group and issues are followed up in a timely manner.
- Commitments in SAP are removed after the travel claim has been paid in a timely manner.
- Compliance to Policies: Documented evidence exists that the report for proactive disclosure of travel expenses for NRCan Senior Management levels (DM, ADMs and equivalents) has been reviewed for accuracy and completeness prior to posting on the NRCan Internet website.
The objective of this continuous audit was to provide reasonable assurance that key controls for pay expenses were in place and were working as intended.
- Documentation: Trusted Source maintains copies of key documents supporting the Pay Action Requests (PAR) sent to Pay Center for action, including evidence that the information was received by the Pay Centre.
- Appropriate Authority: The Trusted Source validates that pay requests are approved by individuals with the appropriate financial S. 34 FAA and HR delegated authorities before the documents are sent to the Public Service Pay Centre (PSPC).
- Appropriate Procedures: Procedures are in place and communicated for the validation of approvals of pay requests.
- Appropriate Authority: Access to authorize (Sec. 33 FAA) transactions in the GC Pay Interface is restricted to delegated Sec. 33 FAA employees from Finance and Procurement Services.
- Appropriate Authority: In the PeopleSoft system, leave requests, leave amendments, and deletions of approved leave are approved by individuals with the appropriate delegated HR authority.
- Appropriate Authority: Manual overtime requests are signed by the employee’s immediate supervisor and approved under Sec. 34 of the FAA by the appropriately delegated RC manager.
- Compliance to policies: Edit checks in PeopleSoft prevent the employee from taking more overtime or vacation leave than their available balance.
- Compliance to policies: For Leave without pay, a Leave Form is printed and signed by the employee’s direct supervisor and the appropriately delegated RC manager.
- Appropriate Authority: The Trusted Source verifies that RC Manager has the appropriate delegated HR authority for the leave without pay prior to sending the documents to the PSPC.
- Appropriate Procedures: Salary accrual journal vouchers are entered in SAP by a Financial Analyst in Corporate Reporting and there is evidence of a secondary review.
- Communications: The PeopleSoft team reminds via email or notice to managers and employees that they should ensure that all vacation leave taken has been recorded in PeopleSoft, prior to year-end.
- Communications: The PeopleSoft team reminds via email or notice to managers and employees that they should ensure that all compensatory leave taken has been recorded in PeopleSoft.
- Appropriate Authority: NRCan employees are designated as Trusted Sources to submit pay action requests to the Public Service Pay Centre. The list of Trusted Sources is approved by the Director, Human Resources Services and Systems and communicated to the Public Service Public Service Pay Centre when updated.
- Appropriate Procedures: All Pay Action Requests (PAR) including hardcopy overtime forms, sent to the trusted source are logged and sent to the Pay Centre. Employees receive a message confirming that their PAR has been sent to the Pay Centre. The Trusted Source retains evidence that the information was received by the Pay Centre.
- Appropriate Procedures: Responsibility Centre managers forecast salary expenses on an employee by employee basis through the Salary Forecasting Tool.
- Budget Controls: Budget controls for salary commitments and expenditures are maintained at the vote level (Vote 1 – Operating Expenditures).
- Monitoring and Reporting: RC managers review actual expenditures and commitments to ensure completeness, validity and accuracy of pay and pay related transactions against their budget.
- Monitoring and Reporting: A Quality Assurance review is undertaken on selected Trusted Source transactions with follow up on any identified issues.
- Monitoring and Reporting: Periodic reviews of the usage of 699 (Other Paid Leave) and 999 (Other Unpaid leaves) for appropriateness against collective agreements and have been approved by individuals with appropriate authorities.
CONTRACTING AND SUPPLIER PAYMENTS
The objective of this continuous audit was to provide reasonable assurance that controls were in place and were working as intended for the procurement process (from initiation or contract award to supplier payment). Specifically, the audit assessed compliance with government and departmental policies, procedures, monitoring, and reporting.
- Compliance to Policy: Procurement Review Board reviews and endorses the procurement strategy for sole source contracts over $25,000.
- Appropriate Authority: Sec. 34 approval through the E-Payment system is appropriate.
- Appropriate Authority: Sec. 33 approval is appropriate.
- Monitoring and Reporting: Tests are undertaken to identify duplicate payments when Quality Assurance reviews of low risk payments are undertaken.
- Monitoring and Reporting: A Standards document governing the Procurement Policy Analysis and Reporting (PPAR) Unit’s monitoring and reporting functions exists and is reviewed for relevance.
- Compliance to Policies: Documented evidence exists that the report for proactive disclosure of contracts greater than $10,000 has been reviewed for accuracy and completeness prior to posting on the NRCan Internet website.
- Appropriate Procedures: PPAR has the appropriate process in place for the list of contracts to be disclosed on the NRCan internet website.
- Monitoring and Reporting: Transactional Contract Monitoring and the Departmental Risk-Based Contract Monitoring Reports are submitted to Procurement Review Board.
- Monitoring and Reporting: PPAR conducts test sampling on issued contracts to ensure data integrity and data entry accuracy, and any noted deficiencies are reported and corrected.
- Appropriate Authority: Sec. 32 approval thru E-Procurement is appropriate.
- Compliance to Policies: Thresholds are respected and key supporting documentation is present.
- Appropriate Authority: Authorities in the contracting unit respect the different levels of procurement approval and signing authority.
- Compliance to Policies and FAA: Post-payment verification is completed for low risk payments.
- Compliance to Policies and FAA: Pre-payment verification is completed for high risk payments.
- Compliance to Policies and FAA: Post-contract verification is completed as per the PPAR Standards document.
- Date Modified: