Follow-up to the 2006 Audit of Departmental Financial Controls
5.0 Actions and Detailed Follow-up Findings
The following section summarizes the actions developed by departmental management to address the recommendations contained in the September 2006 Audit Report and the current status of their implementation.
Table of Contents
- 5.1 Development and Communication of Policies, Procedures and Guidelines
- 5.2 Exercise of Departmental Functional Authority
- 5.3 Organization of Financial Management in Regions and Descrete/Autonomous Organizations
- 5.4 Access Controls and Related Security Issues
- 5.5 Verification of the Authority to Approve Assistance
- 5.6 Claim Verification Process for G&C Payments
- 5.7 Account Verification Process for O&M Transactions
- 5.8 Financial Controls Over Collaborative Agreements
- 5.9 Organization of Financial Files
- 5.10 Training Programs
- 5.11 Oversight of Expenditure Management Accountability
- 5.12 Oversight of the Acquisition Card Process
5.1 Development and Communication of Policies, Procedures and Guidelines
2006 Initial Recommendation #1 and Management Response
FMMD should document its auto-post and post-audit processes so that the organization of this important financial management activity is clearly communicated to those who need to know about these processes.
Management Response — FMMD has drafted the auto-post procedures (Director FMMD.)
FMMD will send the procedures out to the regional financial officers and ask them to start doing their own post-audit based on the sample that FMMD will send on a monthly basis. After completing their post-audit, the regional officers will communicate the results to FMMD and SSSB (Director FMMD).
This recommendation has been substantially implemented.
Our follow-up revealed that procedures were developed and distributed to the regional offices through the Sector Strategies and Infrastructure Programs Branch (SSIP) which outline the account verification process for the auto-post payments (less than $2,000) and its related post-audit process. It includes departmental policy and procedures for the statistical sampling methodology used in testing auto-post transactions at the Section 33 FAA payment requisition stage, describes the Section 34 FAA account verification process and the related roles and responsibilities for conducting the sampling. This procedure is also accompanied by an auto-post verification checklist.
We noted however, that the auto-post procedures are not available on the Corporate Finance website and have not been disseminated to all organizations of Industry Canada. Our site visits revealed that some discrete organizations were not aware of the written procedures and typically these organizations only recognize policies and procedures that are posted on the Industry Canada Intranet as being official.top of page
5.2 Exercise of Departmental Functional Authority
2006 Initial Recommendation #2 and Management Response
The department should assess the organization of the financial management function in terms of overall responsibility and accountability for the design, implementation and maintenance of internal financial controls. In so doing, the department should consider the following:
- The need for financial processes to be carried out consistently across the department;
- The need for the SFO to exercise functional authority for financial management in the department through promulgation of financial management roles, responsibilities, authorities and reporting relationships; and establishment of an effective monitoring and review function and corresponding accountability mechanisms.
- The need for assurance that financial controls are in place and operating as intended.
Management Response (FMMD) — Senior Management recently announced there would be no organizational changes or changes to reporting relationships with respect to the financial management function in the department. As a result, responsibility for those functions in the regions and autonomous units would continue to reside in the Operations Sector.
Operations Sector Response and Proposed Action(s) We recognize that additional work is required at the Sector level to ensure that financial controls are effective and operating as intended. For its part, the Operations Sector is undertaking the following in view of clarifying financial accountabilities and increasing it focus on transactional oversight, and review and monitoring:
- To ensure the ADMs ultimate financial accountabilities are effectively discharged, Sectorial Strategies and Services Branch (SSSB) is developing a financial accountability framework complete with financial roles, responsibilities and accountabilities of finance personnel working in Regions and Discrete/Autonomous Units.
- The framework will require that the most senior finance person in a Region or Discrete/Autonomous Unit have a direct reporting relationship with the Business Unit Head;
- Further, work descriptions and performance agreements of those with financial authority will clearly articulate roles and responsibilities as they relate to financial operations;
- SSSB will increase its focus on financial monitoring across the Sector and will develop and implement a more formal financial review process, whereby SSSB personnel will conduct regular visits to Regions and Discrete/Autonomous Units to ascertain the effectiveness of financial controls; review results will be shared with the ADMs and regularly with the CFO.
- The Sector will work closely with CAS to sustain assurance that financial controls in Regions and Discrete/Autonomous Units are operating as intended and align with those in place elsewhere in the department. (Director, SSIP)
Note: Regions and Discrete/Autonomous Units currently seek and receive policy and process guidance from CAS via monthly teleconferences, annual face-to-face meetings and on an ongoing basis via CAS' intranet site. CAS also provides training to financial personnel in Regions and Discrete/ Autonomous Organizations regarding systems (IFMS; FRS) and policy (e.g., authority delegation). CAS will continue to be relied upon by Regions and Discrete/Autonomous Organizations to provide this important functional guidance.
This recommendation has been substantially implemented.
A Financial Control Framework was developed by SSIP in April 2007. The monitoring and reporting procedures within the Framework provide for sharing results with CAS such that the CFO and by extension the DM, will have ongoing knowledge of financial results and accuracy in order that they may rely upon the attestations of their ADM colleagues. All staff governed by the Framework with Section 33 and Section 34 FAA authorities must sign a financial attestation form stating that they have read the framework and that they agree to abide by its requirements. This document was disseminated to all regional operations, however some financial staff in the discrete organizations were not fully aware of the Framework and had developed their own controls forms (checklists) and procedures. It is anticipated that the SSIP framework will provide the basis for a departmental financial control framework, to be applicable to all Industry Canada organizations. CAS officials indicated that a departmental framework would be in place as of April 2008.
In addition to the existing SSIP Framework, CAS has strengthened accountabilities by putting in place MOUs with the Regional Executive Directors, the President of Measurement Canada (MC), the Director General Federal Economic Development Initiative of Northern Ontario (FedNor) and the ADMs of the Regional Operations Sector and the Small Business and Marketplace Services Sector. An annual detailed workplan is to be prepared to confirm the accountability of the organizations in exercising delegated financial authorities. By signing an annual Letter of Representation, each business unit head will be attesting that they have consistently reviewed their financial activities and exercised due diligence on an ongoing basis. The workplan together with the Letters of Representation will provide assurance to the CFO and, by extension the DM, that their financial activities align consistently with those deployed in CAS.
The department is also undergoing a Financial Statements Readiness Assessment initiative which will determine whether the financial controls and capacity are in place to sustain an efficient financial statement audit by the Office of the Auditor General. Phase 1 of the assessment was to determine whether financial controls and capacity are in place while Phase 2 will identify, prioritize and implement solutions to remediate identified gaps.
Further, CAS has implemented a Functional Relationship Model which will increase its ability to manage new and evolving core responsibilities related to financial systems, financial records, reporting and financial controls, including oversight of all financial controls in programs. The Federal Accountability Act, launched in December 2006, strengthens accountabilities within departments by designating deputy ministers as accounting officers. Specific responsibilities include ensuring that resources are organized to deliver departmental objectives in compliance with government policy and procedures and ensuring that there are effective systems of internal controls.top of page
5.3 Organization of Financial Management in Regions and Descrete/Autonomous Organizations
2006 Initial Recommendation #3 and Management Response
Payment authority should only be exercised with sufficient assurance as to the appropriateness of the account verification process leading to contract performance approval (Section 34 FAA).
The organization of financial responsibilities for processing payments should respect the Principle of segregation of duties.
Management Response — Since the audit, corrective actions have been taken in Regions and Discrete/Autonomous Units where weaknesses were cited in the audit report.
Segregation of Duties — Since the audit, Measurement Canada has reviewed its internal procedures pursuant to IC's delegation of authority instrument. Changes have been implemented which restrict the exercise of Section 34 to RC Managers only, thereby ensuring clearer segregation of duties in processing payments (President, Measurement Canada).
Monitoring, Account verification — Atlantic and Ontario Regions have put in place monitoring programs for their satellite offices. Monitoring programs typically involve regularly-scheduled visits to all satellite offices, examination of expenditure files for completeness, required use of account verification checklists, and specific actions related to above-average risk transactions (e.g., hospitality; memberships; travel) and the payment of G&C claims.
In addition to specific corrective actions, the audit report has served to increase awareness in other Regions as to the importance of their activities related to transactional oversight and monitoring. In Prairie and Northern and Quebec Regions, for example, all Section 33 authorizations are performed in a centralized location (Winnipeg and Montreal, respectively) and procedures are in place that ensures payments are not posted in the absence of appropriate supporting documentation. Pacific Region has in place a monitoring program that involves biannual visits to satellite offices, where file reviews are conducted and interviews are held with personnel with key financial responsibilities. Results of site visits/audits are shared with the appropriate satellite office director for further action, as necessary (Regional Executive Directors).
The Operations Sector recognizes that more could be done in this area to ensure consistent application of policy and procedure across all Regions and Discrete/Autonomous Units, particularly those with satellite office operations. To this end, SSSB is examining monitoring processes in place across all five Regions, as well as those in place in Discrete/Autonomous Units as and where appropriate, with a view to obtaining and sustaining a consistent level of assurance across the Sector (Director, SSIP).
Further, through periodic monitoring, SSSB ensures that CAS procedures regarding account verification are respected and applied consistently across the Sector (Director, SSIP).
This recommendation has been substantially implemented.
Internal procedures at Measurement Canada headquarters have been strengthened and segregation of duties measures have been implemented. The detailed testing showed that section 34 was being exercised by the RC managers or their designated RCA.
The audit team visited three regional offices (Ontario, Prairies and Northern, and Québec), and three discrete organizations (Measurement Canada (HQ), CIPO and CRC) during Phase II of the follow-up to validate the implementation of management responses. Overall, it was noted that regional finance officers were fully aware of the Financial Control Framework developed by SSIP and that measures were in place to ensure adequacy of Section 34 FAA sign-off. All Section 34 authorities are required to sign an attestation to having read and understand the framework. They all have copies of the verification checklists on hand although it is not mandatory to complete one for each transaction. We noted that this was the case in the regional offices; however, some discrete organizations visited were not aware of the framework nor was it being applied for day-to-day operations.
The first quarterly monitoring conducted by CAS was completed in December 2007 which included sampling the first two quarters (April to September) of the fiscal year of 2007–2008. This sampling did not include CIPO, however we were advised by CAS that they would be included in future sampling. The results of the monitoring exercise were not available at the time of this writing.top of page
5.4 Access Controls and Related Security Issues
2006 Initial Recommendation #4 and Management Response
The Corporate Comptroller together with the CIO, should:
- review practices surrounding departmental manager sign off of departing employees to ensure that on the employee Exist Clearing Sheet managers are reminded to advise the IFMS Access Group of the departure;
- strengthen the periodic review of User profiles (especially those that include incompatible functions) through enhanced segregation of duties and/or through the inclusion of compensating internal controls where considered appropriate (i.e. increase review of the transactions processed by these IFMS users);
- reinforce monitoring of super-users so that an automatic log of specific types of transactions is produced and examined by FMMD (e.g. transactions creating a vendor code, inputting a financial transaction into IFMS, and approving payment should be logged for review; and
- review practices surrounding the sharing of UserID and password for employees being trained on IFMS. Trainees could make use of the training module of IFMS or could be provided with a specific "training" UserIDs and passwords so that sharing with ongoing IFMS Users is not permitted.
Management Response — We agree that the Departure Process form could be modified to include a step to email IFMS Access if the employee has an IFMS user account. Currently, the RC Manager signs an attestation that "all access privileges to Industry Canada computers… have been revoked". However, because there is no specific reference to IFMS, this statement may not be clear. To minimize the risk in the past, all user ids that have not been used for 3 months are locked and the IFMS Sector Coordinator contacted. After 5 months of no activity, the user and Sector Coordinator are told that the account will be deleted unless they can justify a reason to retain the account.
Review of the user profiles has been strengthened since the audit. A segregation of duties report is now issued every quarter to the Manager of Financial Services. New reports have been available since May 2006, which enable the review of transactions performed by users who have been given special access. "IFMS All" access is only granted to one or two users and for a small period of time; usually only during a system upgrade. A special log which traces the transactions that the user has accessed is reviewed by IFMS Access team. This log will be provided to FMMD for review (Director, FMMD).
Training user identifications are currently available in a separate environment that grants the user access to all transactions for training purposes. It is not possible to issue a training ID in the production environment. Display only access is possible in production but this would not provide the user with sufficient access to learn the transaction.
FMMD will work with Security to modify the Exit form to include an area for the employees to indicate if they have access to the financial systems (RPS, SPS, IFMS, CMIS). FMMD will also look into modifying the Exit form to include the revocation of the signature card, if any exists (Director, FMMD).
SSSB will notify and remind business units, through the existing Operations Sector Finance Network, of employee departure procedures as they impact on the security of IFMS — specifically the requirement to notify the IFMS Access Group regarding departing employees and changes in responsibilities (Director, SSIP).
This recommendation has been fully implemented.
We noted in our review that a new employee departure form specifically identifies all departmental financial systems (IFMS, GCRS, CMIS, FRS). Site visits revealed that in the regions the new IFMS policy (POL 001 dated March 2001 and modified on December 5, 2007) is followed and that one employee is assigned the responsibility to communicate with HQ to provide access to IFMS. Passwords are cancelled for individuals leaving the organization, on maternity leave or any other long term leave. We also noted that a new IFMS Access and Authorization Form was issued on November 9, 2007 and included as part of the modified IFMS policy.
On March 5, 2008 the password expiry period for the IFMS was reduced from 90 to 60 days. This is to comply with the Departmental Security Policy.
We noted, however, that there are still several instances of individuals with conflicting user roles in some regions due to limited number of staff available to process transactions. This risk has been mitigated with the quarterly segregation of duties reports and the access logs which are provided to the Manager of Financial Services.top of page
5.5 Verification of the Authority to Approve Assistance
2006 Initial Recommendation #5 and Management Response
FMMD should establish a process to ensure that departmental grants and contribution payments have been approved by officials with delegated authority. For instance, all decisions made by Programs and Services Branch should be systematically placed on financial files. Where authorities are required from outside the department, there should be a statement to that effect on the Programs and Services Branch decision sheet. A re-verification of a sample of contribution projects should be examined to ensure that the proper level of authority was obtained.
Management Response — A new verification checklist has been prepared. All documents, which include the proper level of approval based on the dollar value of the agreement, are available on the project file (Director, FMMD).
A copy of all TB submission for each program will be available centrally within FMMD (Director, FMMD).
FMMD will create a new G&C unit within financial services to enforce quality control, follow up and monitor G&Cs agreements and related financial instruments. The G&Cs unit will be responsible for payables and revenues related to G&Cs (Director, FMMD).
The Operations Sector will increase its financial monitoring of the Sector, including the monitoring of the G&C payment process in conjunction with broader departmental direction from the new G&C unit to be created within CAS (Director, SSIP).
This recommendation has been substantially implemented
The new G&C Unit in CAS reviews and processes payments for IC transfer payment programs in the National Capital Region. A complete 100 percent verification is conducted for these payments. FedNor and the Ontario region authorize payments for the programs in their respective regions. All employees in the CAS-G&C Unit appear to be properly trained in processing G&C transactions and their roles and responsibilities are clearly defined.
The detailed testing indicated that documents indicating the proper level of approval were on file. Copies of all Treasury Board submissions are obtained by FMMD and available to the G&C Unit staff.
New procedures and checklists were developed in September 2007 by the CAS G&C Unit to monitor financial G&Cs payment transactions. We noted the distribution of these procedures have been limited to the CAS G&C Unit. Also, there have been no procedures prepared for the handling of repayable contributions. It is further noted that the procedures that have been developed are not available on the IC Intranet although these checklist are included in the SSIP Financial Control Framework thus making them available to FedNor and the Ontario Region.top of page
5.6 Claim Verification Process for G&C Payments
2006 Initial Recommendation #6 and Management Response
The Senior Financial Officer should:
- direct that all programs are required to complete a Contribution (Claim) Verification Checklist as part of the claim verification process;
- implement a process whereby the claim verification process each program uses must be reviewed periodically to ensure appropriateness in providing necessary assurance required to authorize payment under S.33 of the FAA. The same approach should be implemented by Regional Management Services Divisions who are responsible for approving payments under S.33 of the FAA; and
- re-enforce the appropriate use of audit checklists by Financial Officers.
Management Response — With the creation of the new G&C unit, FMMD will meet with each program to design a checklist based on specific program requirements. FMMD will recommend their approach by sharing the checklists with the regional offices and assisting them in implementing similar processes. (Director, FMMD)
The Operations Sector will work with the new CAS G&C unit to design program-specific checklists and will coordinate the distribution and monitoring the use of the checklists across Operations Sector business units. (Director, SSIP)
This recommendation has been partially implemented
Checklists have been developed and are included in the SSIP Financial Control Framework. The audit team tested a limited sample of 25 G&C files in the National Capital Region processed by CAS to verify the integrity of controls. Most of the files audited in our sample included a checklist for Section 34 and Section 33 FAA verification. Our assessment, however, revealed that monitoring of G&C payments requires improvement.
In total 76 percent (19 out of 25) of the transactions were accurate with no errors or anomalies. However 24 percent of the transactions (6 out of 25) contained errors or anomalies:
- One file did not contain evidence that the required level of approval was obtained. In this instance, Cabinet approval was required as the agreement exceeded $20 million. This approval is now being added to the file.
- In another instance, payment was issued based one Section 34 FAA signature. Under the delegation of authorities instrument, two project officers would be required to sign. This represents a serious error.
- Another four transactions lacked documentation, had inadequate level of authority at the initiation stage, or had advances in excess of requirements.
5.7 Account Verification Process for O&M Transactions
2006 Initial Recommendation #7 and Management Response
The Senior Financial Officer should establish a process that will ensure thorough understanding of how account verification is being carried out across the department.
The existing 100 percent cursory review process should be enhanced through verification, on a sample basis, of the account verification steps undertaken to obtain assurance of contract performance (i.e. the completion of deliverables) as well as compliance with TBS and to departmental policies.
Management Response —The section 33/34 processes will be addressed (Director, FMMD).
FMMD will create a quality control team. This team will implement quality control processes for revenues, expenditures and public accounts (Director, FMMD).
The Operations Sector will increase its financial monitoring of the Sector, including the monitoring of the procedures related to account verification in conjunction with broader departmental direction from the new quality control unit to be created within CAS (Director, SSIP).
This recommendation has been partially implemented
CAS has created a quality control team and account verification monitoring has been initiated in conjunction with SSIP. The CAS Quality Control team has three full-time Financial Officers. Roles and responsibilities for the unit have been established. A schedule for Quality Assurance site visits was developed and updated in November 2007. A sampling methodology and reporting requirement has been established and communicated.
The follow-up included testing of transactions within selected departmental organizations. Test results revealed a four per cent error rate for critical errors and 20 per cent error rate for noncritical errors (processing and documentation errors), for a total error rate of 24.03 per cent for all O&M transactions tested.
The following table compares error rates by organizations covered by the SSIP Financial Control Framework to those organizations not governed by a formal framework:
|# Transactions Tested||Critical Errors||Non-Critical Errors||Critical Error Rate||Non-Critical Error Rate||Overall Error Rate|
|Organizations Governed by SSIP Framework||133||3||21||2.26%||15.79%||18.05%|
|Organizations not Governed by a formal framework||100||7||25||7%||25%||32%|
The results indicated that organizations governed by a formal framework had fewer errors than those organizations not governed by a formal framework. The difference may be attributed to the enhanced controls and monitoring of financial processes established through the Financial Control Framework, and conversely, the absence of such controls for all other organizations. In our opinion, the need for a robust, comprehensive financial control framework applicable to all Industry Canada organizations would strengthen overall departmental financial controls.
The follow-up noted concerns with the management of specimen signature cards. During testing, signature cards for 12 of the transactions were verified. Of these:
- two could not be located as the signature on the payment was illegible and could not be identified by FMMD staff;
- it was difficult to match signatures to specific fund centres as the area of authority section on the forms was inconsistently completed. There is no assurance that individuals are signing section 34 for funds centres for which they have delegated authority;
- in two cases, the signature forms were located in the cancelled binder but it was unclear as to when the forms were cancelled;
- several forms for individuals in acting positions were designated as "temporary acting – up to 1 year". A memo activating the acting authority is to be provided to FMMD for acting situations. In one instance, we could not locate the activation memo for an individual.
2006 Initial Recommendation #8 and Management Response
The Corporate Comptroller should remind all Financial Officers of the policy requirements relating to Specified Purpose Accounts.
Management Response — FMMD will develop procedures and guidelines on how specified purpose account needs to be managed and communicate them across the department including regional offices (Director, FMMD).
This recommendation has been substantially implemented.
New Specified Purpose Account (SPA) procedures were developed by CAS which reinforce procedural requirements and outline monitoring responsibilities but are not available on the IC Corporate Finance Intranet site. The current reference to SPAs on the site provides a much more simplified version of an SPA definition and does not include policy requirements and monitoring.
Our sampling of SPAs in one region and one discrete organization revealed that some issues still exist. For example, it was noted that the issue of payments being processed before funds are received still exists. The organization has not been able to comply with the Treasury Board (TB) policy for SPAs due to delays in finalizing an MOU with the province in obtaining approval signatures. In the past, contrary to policy, invoices were being paid from operating funds and the funds were reimbursed to the O&M budget by journal vouchers once the SPA money was received. The organization decided to suspend payments until such a time as the MOU was signed by the proper authorities.
This does not correct the issue since expenditures are still being initiated before funds are received, therefore creating a liability for the Department and could result in late payment charges. The CFO was advised of this situation in November 2007.
In another organization, we noted that there is still one SPA with no transactions. They have recently reviewed all SPAs and cancelled most accounts that had not been used and returned unspent cash to the fund providers.top of page
5.9 Organization of Financial Files
2006 Initial Recommendation #9 and Management Response
The Chief Information Officer and the Corporate Comptroller should ensure that financial files are well maintained, with pertinent documents on all files to assist Financial Officers in fulfilling responsibilities.
Management Response — Effective April 2006 all original contracts and invoices are sent to the records room for filing. They are no longer kept on file until the contract is complete (Director, FMMD).
This recommendation has been partially implemented.
CAS has indicated that all financial files are to reside in the records office. FMMD has stated that it has instituted a more controlled process relating to the management of financial files. Financial officers should no longer keep the payment files in their office and they have been instructed to retrieve files less frequently.
It was noted, however, that two of the 50 files requested for audit testing could not be found although they were located several weeks after our request. Further, eight of the 25 O&M files requested (32 percent) were missing key documentation.top of page
5.10 Training Programs
2006 Initial Recommendation #10 and Management Response
The Senior Financial Officer should ensure that training and related tools are provided to managers and their administrative staff about responsibilities for approving contract performance.
The Senior Financial Officer should ensure that training and related tools are provided to Financial Officers and Financial Assistants on their payment approval Responsibilities.
Management Response: FMMD in collaboration with Financial Policy group will prepare an e-mail explaining the managers' responsibilities when given authority under section 32 and/or 34. FMMD will send this e-mail to individuals submitting specimen signature forms (Director, FMMD).
New policy on training for managers will help ensure that managers have the proper training to exercise financial authority (Director, FMMD).
This recommendation has been substantially implemented
FMMD has reviewed all existing delegated authorities to ensure the mandatory training has been taken. Site visits to the regions and HQ revealed that most of the employees with Section 34 FAA authority have received the mandatory training as outlined in the framework. Employees are issued a certificate when the courses are completed. Adequate lists of Section 34 and Section 33 FAA authorized signatures are maintained in the regional offices and discrete organizations and specimen signature cards are well maintained.
Some training at the regional level has been delayed due to the regional reorganization and it is anticipated that the training will be available in the near future.top of page
5.11 Oversight of Expenditure Management Accountability
2006 Initial Recommendation #11 and Management Response
The Corporate Comptroller should:
- review the post-audit process on low value transactions to take into consideration the risks associated with the complex nature of expenditure management in the department;
- ensure that, on a consistent basis, results of current monitoring exercises are forwarded consistently to all Directors of Management Services Divisions in regions and discrete organizations so that they can learn from the results of oversight activities;
- influence Regional Directors of Management Services Divisions to exercise more oversight of financial management activities in satellite offices and request that results of monitoring activities be reported to the Corporate Comptroller; and
- regularly assess how various regions and discrete organizations are reviewing their systems of account verification upon which they rely to authorize payment under Section 33 FAA. This will involve visiting Management Services Divisions in regions to gain an understanding of oversight processes, and examining the results of their oversight activities.
Management Response: Financial and Materiel Management Directorate (FMMD) is currently reviewing the post-audit process. The document needs to be updated to account for the comments received from AEB (Director, FMMD).
Financial and Materiel Management Directorate (FMMD) will have a designated team to perform post-audit functions on expenditures in entities under the authority of the CFO (Director, FMMD).
With guidance from CAS/FMMD, and in the context of the departmental financial statement readiness assessment, the Operations Sector will ensure that monitoring processes in place are sufficient to assure that financial controls are operating effectively (Director, SSIP).
This recommendation has been fully implemented.
As note in Section 5.1 above, post-audit procedures were developed and distributed to the regional offices through the Sector Strategies and Infrastructure Programs Branch (SSIP). This procedure outlines the account verification process for the auto-post payments (less than $2,000) and its related post-audit process. It describes departmental policy and procedures for the statistical sampling methodology used in testing auto-post transactions at the Section 33 FAA payment requisition stage. It describes the Section 34 FAA account verification process and the related roles and responsibilities for conducting the sampling. This procedure is also accompanied by an auto-post verification checklist.top of page
5.12 Oversight of the Acquisition Card Process
2006 Initial Recommendation #12 and Management Response
The Corporate Comptroller should establish a comprehensive, risk-based monitoring program for acquisition cards to coincide with the implementation of a consolidated payment approach for Acquisition Cards.
Management Response: A comprehensive monitoring process is in place (Director, FMMD).
FMMD — CMM will undergo a review of all IC acquisition cards (Director, FMMD).
FMMD will also improve the monitoring process by tracking post audit critical errors, action taken and when the issue was resolved and reviewing the cardholder (committing critical errors) rate of error. Monitoring will be done on a monthly basis (Director, FMMD).
This recommendation has been partially implemented
A departmental audit of acquisition cards was completed and tabled at the Departmental Audit Committee on February 28, 2008. The audit noted that acquisition card monitoring functions are the responsibility of the Departmental Coordinator and FMMD and that a control framework and monitoring system to mitigate risks associated with acquisition cards have been developed. It was found, however, that the parameters used in Audit Command Language (ACL) software for tracking anomalies and high-risk transactions have not been significantly revised since its inception, thus increasing the risk of not identifying high-risk transactions.
Although transaction information is available online through BMO to manage and monitor acquisition usage; the BMO details system is not being used effectively to analyse acquisition card purchases. There was limited analysis of patterns of card usage, card limits, number of multiple cardholders and frequency of card use and associated risks.
It was also noted that neither the results of monitoring activities nor the overall level of purchase activity is reported to senior management.
- Date modified: