Continuous Auditing of Key Controls for Selected Processes Annual Report for 2017-18

Audit and Evaluation Branch
Natural Resources Canada
Presented to the Departmental Audit Committee (DAC)
October 11, 2018

Table of Contents


Continuous auditing provides ongoing assurance on specific management processes and controls to enable more timely insight into possible risk and control issues. It enables the provision of findings to management on key controls related to financial and non-financial processes in a timely manner. The combination of our continuous and regular audit activities provides adequate coverage of the Department’s key processes and controls. During the annual Risk-Based Audit Planning exercise, consideration is given as to whether a continuous or regular audit is the most effective approach for providing assurance.

Continuous auditing provides management with near real-time audit results on the effectiveness and efficiency of key controls on related transactions. As such, continuous audits can significantly enhance the internal control processes and frameworks within an organization. They differ from traditional audits, which tend to be more comprehensive in terms of their scope. On an annual basis, all continuous audit activities undertaken by Natural Resources Canada’s (NRCan) Audit and Evaluation Branch (AEB) are formally reported through this annual assurance report on key controls. This report presents the results of the continuous auditing activities undertaken by the AEB in fiscal year 2017-18.

Accomplishments this Year

With support from the Deputy Minister, Senior Management, and the Departmental Audit Committee (DAC), the AEB continued to provide continuous auditing capacity for NRCan in 2017-18.

The continuous audit activities conducted in 2017-18 focused on identifying potential control issues related to specific processes identified in the approved Risk-Based Audit Plan. Accordingly, the following three areas were assessed via continuous auditing: Pay and Benefits, Acquisition Cards, and Grants and Contributions.

Based on the continuous audit engagements completed, the AEB was able to provide timely assurance to senior management and the DAC on the functioning of key controls for the pay and benefits, acquisition cards and grants and contributions (G&C) processes. Findings and recommendations resulting from the examination of these processes were provided to management in order to assist them with improving existing control mechanisms. These findings and recommendations were also presented to the DAC along with the associated management responses and action plans.

In addition to our continuous audit activities, NRCan’s management was engaged in continuous monitoring in accordance with the Treasury Board’s (TB’s) Policy on Financial Management. The combined efforts by both the AEB and management have resulted in improvements to control processes and the correction of any identified errors.


The objective of the Continuous Audit of Pay and Benefits was to provide reasonable assurance that key controls are in place and operating as intended.

The objective of the Continuous Audit on Acquisition Cards was to provide reasonable assurance that key controls are in place and working as intended for acquisition card use, in the compliance with government and departmental policies and procedures; and acquisition card monitoring activities are undertaken and effective.

The objective of the Continuous Audit of Grants and Contributions was to provide reasonable assurance that key financial and monitoring controls were in place and operating as intended for the selected grant and contribution payments.


The scope and period of review for each of the continuous audit activities was:

Pay and Benefits April 1, 2017 – May 31, 2017
Acquisition Card Audit April 1, 2017 – October 31, 2017
Grants and Contributions Audit April 1, 2017 – October 31, 2017

The key controls assessed during the three continuous audits are provided in Appendix A - Audit Criteria.


The Audit of Pay and Benefits examined for the period covered a random sample of 20% of the Pay Action Requests, or PARs (208), received by NRCan’s Departmental Pay Liaison Office (DPLO) for Emergency Salary Advances, employee departures, leave without pay greater than five days (LWOP > 5 days), and return from LWOP > 5 days.

For the Acquisition Cards Audit, analytical tests were executed to identify key control risks within the NRCan acquisition card process. A judgmental sample of 50 high-risk transactions was selected and a random sample of 14, which were reviewed against the key controls. Transactions were also randomly selected from the acquisition card transactions that had previously undergone the Department’s quality assurance process to assess the effectiveness of this control.

For the Grants and Contributions Audit, the sampling methodology used for this continuous audit was as follows:

  • NRCan’s G&C program expenditures totalled $287.9 million. Of this, $266.6 million was attributable to programs that had been subject to audit within the past three years.  A judgemental sample was selected from the remaining $21.4 million.
  • From this sampling population, 25 payment transactions were randomly selected. These transactions involved the administration of 18 separate contribution agreements between NRCan and program proponents.

Key Findings and Recommendations

The following summarizes the findings and recommendations for each of the continuous audit engagements.

Continuous Audit of Pay and Benefits

The continuous audit found that three of the six key controls examined are partially effective, requiring management attention.

For the transactions sampled, roles and responsibilities were clear for return for LWOP >5 days, with the exception of the responsibilities for verification of the Financial Administration Act (FAA) s.34 authority. The Public Service Pay Centre has instructed departments that the Trusted Source within each department is responsible for verifying the s.34 delegated authority prior to processing these PARs. The audit found that this is not being completed by the NRCan Trusted Source. This finding may undermine the PAR processing accuracy and efficiency. The Assistant Deputy Minister, Corporate Management and Services Sector (ADM CMSS) should ensure that roles and responsibilities for the processing of PARs in the area of FAA S.34 authority verification are clearly defined and documented, and are implemented in accordance with Public Services and Procurement Canada (PSPC) guidance.

For the transactions sampled, requests for LWOP >5 days were found to comply with the Directive on Executive Compensation and relevant departmental policies; however, they did not always comply with the terms and conditions of relevant collective bargaining agreements (CBAs). The responsibility for ensuring that the PAR complies with the relevant CBA resides with the cost centre manager. The Trusted Source agent and the Human Resource assistants responsible for inputting these pay actions into the departmental PeopleSoft system are not tasked with verifying if the request is compliant with the relevant CBA. The absence of clearly defined roles and responsibilities in the verification of compliance to CBAs increases the likelihood of errors in the processing of PARs that require additional effort to correct. These errors may contribute to transaction backlogs, thereby eroding the service standards provided to NRCan employees. The ADM CMSS should ensure that roles and responsibilities are clearly defined and documented for the verification of PARs to relevant collective bargaining agreements.

The DPLO established a service standard of two working days for the processing of all PAR types. The DPLO has previously indicated that all PARs were being actioned within one working day. The actual performance ranged from 3.2 to 4.6 days for all PAR types sampled. Even taking the extra time into account, requests for LWOP > 5 days were generally actioned in a timely manner for the audit sample. Although this performance level did not meet the established service standard, it is still reasonable and acceptable. The lack of an accurate means of performance measurement may impact the effective management of PAR processing and employee trust based on communicated levels of service. The ADM CMSS should ensure methods of measuring PAR processing performance are designed and implemented to capture the duration of time transactions remain within DPLO control, with current service standards reconsidered accordingly.

Continuous Audit of Acquisition Cards

The Continuous Audit of Acquisition Cards found that all 10 key controls tested were effective or appropriately designed, in compliance with government and departmental policies and procedures; and Finance and Procurement Branch’s quality assurance process is appropriate.

There were no audit recommendations resulting from this continuous audit. Also the results of the follow up on outstanding previous recommendations indicated that the management action plan is substantially implemented.

The audit recommended that CMSS continue to refine the sample selection methodology identified within the Quality Assurance Account Verification Plan, using a risk-based approach and finalize and implement the Financial Corrective Measures Framework. The Plan should ensure an alignment to the Financial Corrective Measures Framework. The audit also recommended that CMSS, in collaboration with Sectors and Information Management (IM), review the retention requirements for paper acquisition card statements and supporting documentation and determine the feasibility of adopting electronic storage.

The sample selection of acquisition card transactions subject to quality assurance has been refined to a full risk-based approach. With respect to corrective measures, the “Guidelines for Strengthening Financial Stewardship” were finalized and approved by the Chief Financial Officer (CFO) in April 2017. Business requirements for the development of the associated database have been drafted and are being finalized. The account verification plan as well as the corrective measures framework have both been completed; the corrective measures database is to be completed by June 30, 2018. The Accounting Operations team has engaged the help of the Chief Information Officer and Security Branch and the sectors, and work is underway to determine the appropriate treatment for adopting electronic storage of acquisition card records; the expected completion date is September 30, 2018. Subsequent to the completion of the continuous audit, management indicated that all these pending actions are being completed. The AEB will continue to conduct periodic follow-ups with CMSS until full implementation has been achieved.

Continuous Audit of Grants and Contributions (G&C)

The AEB found that the key financial and monitoring controls are in place for the administration of grants and contributions, and they are generally working as intended.

The audit found all three programs examined had developed a performance measurement and risk strategy (PMRS); and a risk-based plan had been formally established for the Energy Efficiency Program. Although a formally documented risk-based recipient audit plan was not obtained for the remaining two programs both have procured external auditors to conduct recipient audits. The absence of a formally documented risk-based plan is consistent with findings of previous G&C Program audits. To address this the Centre of Expertise (CoE) on G&C developed a Recipient and Project Risk Management Model (RPRMM), and an NRCan Guide on Recipient Auditing.

The audit found that Programs were not consistently aware of these documents, or who in the Department to contact for advice and guidance on G&C. The lack of a risk based plan for recipient audits may lead to excessive monitoring of lower risk projects and higher risk projects not being adequately examined.

The audit recommended that Programs follow the guidance on recipient auditing provided by the CoE on G&C, particularly for program use in developing a customized and documented approach to proponent monitoring that applies measures commensurate with individual proponent risk and prior performance. CoE reminded programs of the existence of guidance documents at the April 2018 Gs&Cs Discussion Forum.


The AEB concluded with reasonable assurance that most key controls are in place for the acquisition card process and for the administration of grants and contributions, and they are generally working as intended. With the Continuous Audit of Acquisition Cards’ positive results and support from the CFO, AEB will replace this process in 2018-19 with the Continuous Audit of Travel.

The Continuous Audit of Pay and Benefits provided management with timely recommendations to strengthen selected key controls, taking into consideration that this area is in ongoing transition resulting from PSPC efforts to resolve pay problems.

Management Responses

Management has responded with timely action plans to address the issues noted in the continuous audit activities. The AEB will continue to follow-up on the implementation of the management action plans.


The AEB would like to thank those individuals who contributed to these continuous audits and particularly employees who provided their insights and comments.

Conformance with Professional Standards

In my professional judgement as Chief Audit and Evaluation Executive, the continuous audit activities along with this annual report conform with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing and the Government of Canada’s Policy on Internal Audit, as supported by the results of the Quality Assurance and Improvement Program.

Christian Asselin, CPA, CA, CMA, CFE
Chief Audit and Evaluation Executive
October 11, 2018


Continuous Audit of Pay and Benefits

The continuous audit objective was to provide reasonable assurance that key controls are in place and operating as intended in the following areas:

  • Initiation of LWOP > 5 days (Timeliness, Accuracy)
  • Return from LWOP > 5 days (Timeliness, Accuracy)
  • Requests for LWOP > 5 days (Policy Compliance)
  • Employee Pay Departure Transactions (Timeliness)
  • Requests for Emergency Salary Advances (Timeliness)
  • Communications Plan (Sufficient Design and Implementation)

Key Controls

  1. NRCan promptly actions requests for leave without pay (LWOP) greater than five days from employees and communicates these requests to the PSPC in a timely manner (Timeliness).
  2. Return from LWOP greater than five days is actioned by NRCan in accordance with the approved request for LWOP and established process in this regard (Timeliness).
  3. Requests for LWOP greater than five days are administered in compliance with collective agreements, the Directive on Executive Compensation and/or other relevant departmental policies (Compliance).
  4. Employee departure pay transactions are performed in a timely manner (Timeliness).
  5. NRCan’s Finance group has processes in place to promptly action emergency salary advance (ESA) requests from employees and communicate these requests to the PSPC in a timely manner (Timeliness).
  6. A sufficient communications plan has been designed and implemented to inform employees of pay-related roles and responsibilities.

Continuous Audit of Acquisition Cards

The objective of this continuous audit was to provide reasonable assurance that key controls for acquisition cards were in place and working as intended.

Specifically, the continuous audit assessed whether:

  • Acquisition card use was in compliance with government and departmental policies and procedures; and
  • Acquisition card monitoring and reporting activities were undertaken and effective.

Key Controls

  1. An individual has been designated as the Acquisition Card Coordinator.
  2. A list of all outstanding acquisition cards is maintained by the Acquisition Card Coordinator.
  3. The Acquisition Card Coordinator maintains documentation for each cardholder (Responsibility Center Manager [RCM] approval and signature that cardholder has signed acknowledgement of their cardholder roles and responsibilities).
  4. The Acquisition Card Coordinator is notified through the Employee Departure Form when an individual leaves NRCan in order to cancel the acquisition card.
  5. For each acquisition card transaction, there is either a blanket commitment or the purchase has been authorized by the RCM before the purchase is made (FAA S.32).
  6. All sampled transactions are reviewed and approved by an individual with FAA S.34 delegated authority.
  7. The BMO monthly invoice related to the sampled transactions is approved under FAA S.33 by an individual who has been delegated the authority, but has not benefited by one of the acquisition card transactions included in the invoice.
  8. Sampled transactions are coded to the appropriate Fund (activity type).
  9. The monthly BMO statement is reconciled to the cleared individual card transactions.
  10. Changes of RCMs are communicated to the Acquisition Card Coordinator to ensure that email addresses are changed accordingly.

Continuous Audit of Grants and Contributions

The objective of this continuous audit was to provide reasonable assurance that payment and monitoring controls were in place and working as intended for the selected grant and contribution payments.

Key Controls

  1. The selected project met the selection criteria of the program and was recommended by the selection committee.
  2. The contribution agreement or amended contribution agreement is signed by an individual with the appropriate delegated financial signing authority for transfer payments / grants and contributions.
  3. Commitments (S.32 of the FAA) are entered into the NRCan SAP financial system when agreements are signed.
  4. Requests by recipients for payments are reviewed;
    1. to ensure compliance with stacking provisions and that federal resources are applied to initiatives in a fair and equitable manner;
    2. with sufficient procedures and rigour to assess their accuracy, reasonableness, eligibility, and compliance with program terms and conditions, and are authorized pursuant to S.34 of the FAA by individuals with appropriate delegated financial signing authority; and
    3. to ensure advance payments (if any) are in accordance with program terms and conditions and comply with the Directive of Transfer Payments.
  5. Authorization is completed pursuant to S.33 of the FAA and approved in the departmental financial system (SAP) by an individual with the appropriate delegated financial signing authority.
  6. Payments to recipients are recorded in the appropriate fiscal period.
  7. Repayable contributions are monitored and recorded in the AMI system and any prior year payments deemed repayable have been correctly recouped in a timely manner.
  8. A risk-based plan for recipient audits is established, implemented, and progress is monitored.
  9. Findings and recommendations identified during prior year site visits or recipient audits are addressed in a timely manner.
  10. Proactive disclosure of grants and contributions over $25,000 is verified for accuracy and approved prior to web posting.