Audit of Departmental Financial Controls
6. Detailed Findings and Recommendations
Detailed audit findings are presented in this section along with specific audit recommendations to address each key finding. The Management Response for each finding can be found in Appendix B of this Audit Report. Findings are presented in accordance with the three audit criteria examined during the audit as follows:
- Organization and Advice (Section 6.1);
- Controls (Section 6.2); and
- Accountability (Section 6.3).
6.1 Audit Criterion: Organization and Advice
6.1.1 Development and Communication of Policies, Procedures and Guidelines
The department has developed and communicated financial policies, procedures and guidelines with respect to key areas of financial management. However, auto-post and the complementary post-audit processes, adopted by the department to bring efficiency to the processing of payments, have not been documented.
The Financial Policy Unit (FPU) within the Comptrollership and Administration Sector is responsible for writing financial policies and bulletins and for interpreting TBS as well as Industry Canada financial policies and bulletins. Easy access to TBS financial policies is provided and the FPU has developed, when necessary, IC policies, procedures and guidelines. In the opinion of the auditors, the Comptrollers Branch Website, which is managed by the FPU, is well organized, with appropriate policy and bulletin references and with convenient links to TBS financial policies. The Acquisition Card Program has also been well defined through a departmental policy and a monitoring program.
Requests for interpretation of policy generally come from Financial Officers in HQ and regions as well as from sector financial advisors in HQ. Managers often seek interpretation of financial policies from these front line Financial Officers. Frequent personnel changes within the FMMD at HQ and Financial Policy Divisions have rendered it difficult to access policy interpretations.
Regions have implemented various means for communicating financial management policies, such as:
- Providing regular training sessions on Delegation of Authorities or other areas of financial management at Managers' Meetings or one-on-one training sessions at the request of a manager;
- Conducting annual meetings of Administrative Officers and IFMS Users (i.e. ICAP—Industry Canada Administrative Practitioners conference) to reach the local financial officers' community and discuss important financial management issues and new policies and procedures;
- Conducting conference calls with District Offices when changes to IFMS or other important changes to financial policies are introduced; and
- Providing access to important financial management information through regional websites (i.e. Ontario-Web).
Auditors noted that the department has introduced an auto-post process to reduce administrative burden as well as to expedite the processing of low dollar value payments. This process calls for payments under $2000 to be posted directly to the General Ledger. Payments below the $2000 threshold, which are deemed to be sensitive, are excluded from the auto-post process. A post-audit process complements the auto-post process and consists of the examination of a sample of auto-post transactions done on a monthly basis. Both the auto-post and its complementary post-audit processes are considered important but have not been documented.
Recommendation
- FMMD should document its auto-post and post-audit processes so that the organization of this important financial management activity is clearly communicated to those who need to know about these processes.
6.1.2 Exercise of Departmental Functional Authority
The roles and responsibilities required of the Senior Financial Officer (SFO) have not been implemented across the department to provide direction and guidance for all departmental financial processes and controls. Further, accountability mechanisms have not been established to provide the SFO with the means to monitor the design and operation of departmental financial processes and controls.
The audit assessed whether roles, responsibilities, authorities and related accountability mechanisms for financial management had been established in an effective manner.
At the time of the audit, the role of departmental SFO was the responsibility of the ADM, Comptrollership and Administration Sector (CAS). As SFO, the ADM, CAS is functionally responsible and accountable for all financial management matters in the department. This is evident, for example, in the annual Letter of Representation prepared for Public Accounts purposes, in which both the Deputy Minister and the ADM CAS, as the SFO, acknowledge responsibility for the design, implementation and maintenance of internal financial controls. The Financial and Materiel Management Division (CAS–FMMD) provides support to the ADM in exercising this responsibility.
The Treasury Board Policy on Responsibilities and Organization for Comptrollership states that deputy heads must designate a SFO with a direct reporting relationship to the deputy head.[2] SFO responsibilities include:
- Devising and implementing a financial management organization and processes in the department that lay the foundation for good comptrollership;
- Working with managers at all levels to ensure that they exercise their comptrollership responsibilities properly;
- Establishing and communicating an efficient and effective policy framework for financial management in support of comptrollership; and
- Establishing a monitoring and review function to support the department in carrying out its own assessments of comptrollership.
In November, 2003, prior to the creation of CAS, the Corporate Comptroller was the designated SFO, with the role of Senior Full-time Financial Officer (SFFO) assigned to the then Director, Financial and Materiel Management Division (FMMD). There is no evidence to indicate that, at that time, resources had been provided to enable the SFFO to carry out all of the responsibilities of the position. Following the creation of CAS, the role of SFFO was assumed by the Corporate Comptroller; however, this was done without concomitant resources. This has meant that some key responsibilities, such as the implementation of a department-centric financial management organization and the establishment of a monitoring and review function, have not been implemented.
Functional Reporting, Accountability Relationships Not Conducive to Good Comptrollership
Good comptrollership requires clearly defined roles and responsibilities, delegated authorities commensurate with these responsibilities, and appropriate accountability mechanisms. In Industry Canada, these tenets of good comptrollership are made more difficult by a very complex organizational structure.
Industry Canada consists of several sectors reporting to the Deputy Minister, autonomous agencies such as CIPO, Measurement Canada (MC), FedNor reporting to the ADM Operations Sector, and the Communications Research Centre (CRC) reporting to the Associate Deputy Minister. These organizations are responsible for providing financial services and carrying out various financial management activities, including exercising payment authority under Section 33 of the FAA. However, the SFO has not established review and monitoring processes and corresponding accountability mechanisms to assess the design and operation of related financial processes and controls. While the current delegation of financial authorities and organization of financial functions within the department reflects the department's organizational structure, delegation also increases the risk of inadequate controls within the financial control framework of the department.
Accountability Gaps at Regional Level
Financial management responsibilities are further complicated at the regional level through which various Industry Canada programs are delivered. Regional offices receive financial services through the Operations Sector. Regional financial services are delivered to direct and indirect clients with whom there is rarely a clear attribution of financial management responsibility. Indirect clients are either other programs of the department operating in regions and reporting to another division within the department, such as Bankruptcy, or programs that report to DFAIT, as is the case with International Trade Canada (ITCan).
The regional offices also have a total of 44 satellite offices and points of service to which certain financial management activities have been decentralized. After carrying out account verification steps leading to the approval of payments under Section 33 of the FAA, Financial Assistants in the satellite offices input or "park" financial transactions into the IFMS. In most cases, Financial Officers, located in the regional offices, then approve the transactions without requesting access to supporting documentation. These Financial Assistants are often under the direct supervision of another program or sector and are not accountable to the Financial Officer exercising Section 33 FAA payment authority.
At the time of the audit, there were 29 Financial Officers approving payment under Section 33 FAA in regions and discrete organizations. While Financial Officers within FMMD report to the Corporate Comptroller, the remaining Financial Officers report to management either within regional offices, within discrete organizations or, in the case of Measurement Canada, to the ADM, Operations Sector.
FedNor, located in Sudbury, Ontario, has its own financial management group. This group is responsible for financial management activities within the suite of programs delivered by FedNor, including the approval of payments under Section 33 of the FAA. However, as noted, the SFO has not established review and monitoring processes, along with corresponding accountability mechanisms, to assess the design and operation of related financial processes and controls.
Department at Risk
Industry Canada has in place a complex financial management structure which has not been formally documented or assessed in terms of the risks it presents to the Deputy Minister, the SFO and the regional financial management service organizations. In the opinion of the auditors, the absence of a clearly documented, department-centric financial management organizational structure, complemented by an effective monitoring and review function and corresponding accountability mechanisms, presents the following risks to the department from a financial management perspective:
- There is no assurance that financial processes are being carried out in a consistent manner;
- There is no assurance that all required financial controls are in place and operating as intended; and
- The Deputy Minister and the SFO are at risk of not being able to assess the design, implementation and maintenance of internal controls at a departmental level.
As a result, auditors are unable to provide assurance that the department's comptrollership responsibilities are being effectively managed at the present time.
Recommendations
- The department should assess the organization of the financial management function in terms of overall responsibility and accountability for the design, implementation and maintenance of internal financial controls.
- In so doing, the department should consider the following:
  - The need for financial processes to be carried out consistently across the department;
  - The need for the SFO to exercise functional authority for financial management in the department through:
    - promulgation of financial management roles, responsibilities, authorities and reporting relationships;
    - establishment of an effective monitoring and review function and corresponding accountability mechanisms; and
  - The need for assurance that financial controls are in place and operating as intended.
6.1.3 Organization of Financial Management in Regions and Discrete/Autonomous Organizations
Internal control weaknesses were noted in Management Services Divisions in regions and in discrete/autonomous organizations.
Auditors found that officers exercise payment authority in regions without having clear assurance that they can rely on audit verification activities taking place in satellite offices. In one instance, conflicting financial management functions were identified in one of the three discrete organizations.
Exercise of Payment Authority for Satellite Offices
The Management Services Division (MSD) is responsible for financial management in regions and discrete organizations. In regional satellite offices, program administrative staff act as Financial Assistants. They input financial transactions into IFMS and ensure that account verification has been adequately performed by the manager exercising contract performance under Section 34 of the FAA. Financial Assistants "park" financial transactions into IFMS while the Region's Financial Officers approve payments under Section 33 FAA without supporting documentation (this documentation remains in satellite offices). At the time of the audit, the two regions visited were beginning to initiate processes to oversee the quality of verification steps exercised by Financial Assistants. However, up until then, payment approval had been done without sufficient assurance as to the appropriateness of the account verification process leading to approval under Section 34.
Lack of Segregation of Duties
In one agency visited, auditors noted that conflicting financial management functions were being carried out by the Management Services Division (MSD). When an RCM initiated an expenditure, an MSD staff member entered financial commitments, prepared and issued contracts, requested invoices be sent to MSD, approved contract performance under Section 34 FAA (on behalf of the RCM), input transactions into IFMS and approved payment under Section 33 FAA.
In this instance, the MSD had obtained all financial authorities as a result of the interpretation given to the "Responsibility Centre Assistant (RCA) concept", developed as part of the Delegation of Authority Instrument. This concept allows an RCA who is accountable to the designating RCM to exercise spending authorities for operating expenses on behalf of the RCM. The President of this Agency has delegated the authority to contract, to commit (Section 32 of the FAA) and to confirm delivery of goods and services (Section 34 of the FAA) to Financial Officers working within the MSD. This blanket authority covers all transactions of the Agency. MSD also inputs financial transactions into IFMS and approves payments under Section 33 of the FAA.
Auditors also noted that, in this instance, the job description of the Director of MSD indicates that the incumbent directs the accounting operations of the Agency by exercising full commitment and expenditure authority (Sections 32 and 34 of the FAA) for the Agency's budget and provides cash control and cash management control for the Agency with signing authority under Sections 32, 33 and 34 of the FAA.
In the opinion of the auditors, this approach has the effect of taking away the financial accountability of managers while not ensuring an appropriate segregation of duties between the officer approving contract performance and the officer who inputs transactions into the IFMS.
Recommendations
- Payment authority should only be exercised with sufficient assurance as to the appropriateness of the account verification process leading to contract performance approval (Section 34 FAA).
- The organization of financial responsibilities for processing payments should respect the principle of segregation of duties.
6.2 Audit Criterion: Controls
The audit of internal controls covered the design of controls to mitigate risks assessed as well as the implementation of such controls. During the audit, auditors visited all organizations with payment authority under Section 33 of the FAA in order to understand processes in place for expenditure initiation, commitment control, account verification and payment authority. A sample of transactions of grants and contributions as well as operating and maintenance expenditures were examined.
6.2.1 Access Controls and Related Security Issues
For the most part, IFMS access controls and related security measures are in place and are operating as intended.
During the audit, the responsibility for all corporate systems, including the IFMS, was assigned to the CIO. Previously, this was under the responsibility of the ADM CAS.
The IFMS Application Security Policy was formally approved in February of 2004.
Formal approval procedures exist for access requests: the Corporate Comptroller (through FMMD in HQ) and Financial Officers in regions and in discrete organizations exercise a sign-off on the IFMS Access and Authorization Form. Formal procedures also exist for defining and maintaining user access rules and profiles and for deleting or changing access rights when a person leaves or is transferred. However, departmental managers in regions and discrete organizations who supervise IFMS users do not always advise the IFMS Access Group of departures or changes in responsibility of former IFMS users.
Financial Officers indicated that often they learn through the IFMS Access Group that an individual has not accessed IFMS for several months. Once aware, they then communicate with the responsible manager to confirm the situation and advise IFMS Access Group accordingly. This situation mainly arises with IFMS users working in regional satellite offices or with IFMS users working in HQ divisions. The policy states that departmental managers must advise (in writing or by email) the Corporate System Division (IFMS Access Group) as soon as possible to cancel user names and passwords of departing employees.
Segregation of responsibilities and authorities is ensured by having Finance approve requests for financial profiles. Key segregations of duties are assessed prior to providing access to an IFMS User. For instance, all IFMS users with payment authority under Section 33 of the FAA cannot, and do not, have authority to create vendor codes in the system.
User profiles are reviewed periodically by a Security Analyst (IFMS Access Group), subject to departmental managers providing timely corrections to UserID and access rights. Twice a year, the IFMS Access Group provides FMMD with the list of users that have been provided with profiles which typically should be segregated. Auditors noted that FMMD is not providing additional monitoring of these users. Amongst groups of IFMS Users having incompatible authorities, auditors noted the following:
- Four (4) IFMS users in regions with access to create a Purchase Order, to record the receipts of goods and services (GRIR), to input transactions into IFMS and to authorize payment under Section 33 of the FAA. From a systems point of view, these users are able to handle a transaction from beginning to end; and
- Seventy-seven (77) IFMS users in regions or in discrete organizations who have access to create a Purchase Order, to record the receipt of goods and services (GRIR) and to input transactions into IFMS. Although they do not have payment authority under Section 33 of the FAA, the authority provided is less than effective since supporting documentation and back-up remains in satellite offices, and payments are authorized in Regional Offices with no oversight activities.
Users access SAP functions on a "need to know" basis. Auditors noted one instance where an IFMS User with delegated payment authority under Section 33 of the FAA was transferred from a region to HQ (early fall, 2004). In a new position, the employee no longer required IFMS access, yet retained access until January, 2005. If departures and changes in responsibilities are not reported in a prompt manner, the department is exposed to the risk of inappropriate access to the financial system.
There are a limited number of super-users (IFMS Users with an authority "IFMS All") in the CIO Branch who have the ability to make use of all functions on the system. Typically, super-users require full access when an upgrade to the system is occurring or during special circumstances. Only two Access Security Officers within the CIO can authorize such access (approve a super-user). However, when such access is given to a user, typically a consultant, Access Security Officers do not ensure that the consultant has the appropriate security clearance. Furthermore, no special monitoring of these super-users is carried out by Access Security Officers when such access is given (i.e. to verify whether they have created a vendor and approved payments under Section 33 of the FAA while having all authorities).
It is a requirement that new IFMS users receive training prior to being given access (via UserID and password) to the IFMS. In regions, prospective IFMS users receive on-the-job training, and are provided with another IFMS user's current ID and password. Again, sharing of UserIDs and passwords exposes regions to greater risks. As new IFMS users cannot be provided access until they have completed training, regions see no other alternative to this issue. A specific profile for IFMS Users-in-training does not exist. Such a profile could provide access to training modules, for instance, while at the same time restricting access to production.
Recommendations
- The Corporate Comptroller together with the CIO, should:
  - Review practices surrounding departmental manager sign-off of departing employees to ensure that on the Employee Exit Clearing Sheet managers are reminded to advise the IFMS Access Group of the departure;
  - Strengthen the periodic review of User Profiles (especially those that include incompatible functions) through enhanced segregation of duties and/or through the inclusion of compensating internal controls where considered appropriate (i.e. increase review of the transactions processed by these IFMS users);
  - Reinforce monitoring of super-users so that an automatic log of specific types of transactions is produced and examined by FMMD (e.g., transactions creating a vendor code, inputting a financial transaction into IFMS, and approving payment should be logged for review); and
  - Review practices surrounding the sharing of UserIDs and passwords for employees being trained on the IFMS. Trainees could make use of the training module of IFMS or could be provided with specific "training" UserIDs and passwords so that sharing with ongoing IFMS Users is not permitted.
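One way to automate the profile review, dormant-account check and super-user log that the findings and recommendations in Section 6.2.1 describe, as an added example that is not part of the audit report or the department's tooling. The authority labels, UserIDs, log records and the 90-day idle threshold are constructed assumptions.

```python
from datetime import date

# Authority labels are constructed for this example; they stand in for the
# IFMS functions named in the findings, not real SAP role names.
PO_CREATE, GRIR, TXN_INPUT = "po_create", "grir", "txn_input"
S33_PAYMENT, VENDOR_CREATE, IFMS_ALL = "s33_payment", "vendor_create", "ifms_all"
ALL_AUTHORITIES = frozenset({PO_CREATE, GRIR, TXN_INPUT, S33_PAYMENT, VENDOR_CREATE})

# Incompatible combinations taken from the findings, most severe first.
SOD_RULES = [
    ("end_to_end", frozenset({PO_CREATE, GRIR, TXN_INPUT, S33_PAYMENT})),
    ("vendor_and_payment", frozenset({VENDOR_CREATE, S33_PAYMENT})),
    ("procure_to_input", frozenset({PO_CREATE, GRIR, TXN_INPUT})),
]
# Transaction types the recommendation asks to have logged for super-users.
LOGGED_ACTIONS = {VENDOR_CREATE, TXN_INPUT, S33_PAYMENT}


def effective_authorities(profile):
    """Expand the super-user authority into every individual authority."""
    granted = set(profile["authorities"])
    return set(ALL_AUTHORITIES) if IFMS_ALL in granted else granted


def sod_conflicts(profiles):
    """Map UserID -> names of the incompatible combinations it holds."""
    findings = {}
    for profile in profiles:
        held = effective_authorities(profile)
        matched = [(name, combo) for name, combo in SOD_RULES if combo <= held]
        # Report a rule only if it is not already implied by a broader match.
        names = [n for n, c in matched if not any(c < other for _, other in matched)]
        if names:
            findings[profile["user_id"]] = names
    return findings


def dormant_accounts(profiles, today, max_idle_days=90):
    """UserIDs with no logon for more than max_idle_days, or never used."""
    stale = []
    for profile in profiles:
        last = profile["last_logon"]
        if last is None or (today - last).days > max_idle_days:
            stale.append(profile["user_id"])
    return stale


def superuser_review(profiles, activity_log):
    """Return (log entries to review, (user, vendor) pairs that one
    super-user both created and approved payment for)."""
    supers = {p["user_id"] for p in profiles if IFMS_ALL in p["authorities"]}
    entries = [e for e in activity_log
               if e["user_id"] in supers and e["action"] in LOGGED_ACTIONS]
    created = {(e["user_id"], e["vendor"]) for e in entries if e["action"] == VENDOR_CREATE}
    paid = {(e["user_id"], e["vendor"]) for e in entries if e["action"] == S33_PAYMENT}
    return entries, sorted(created & paid)


# Constructed sample data: UserIDs, vendors and dates are illustrative only.
PROFILES = [
    {"user_id": "U1001", "authorities": [PO_CREATE, GRIR, TXN_INPUT, S33_PAYMENT],
     "last_logon": date(2005, 1, 10)},
    {"user_id": "U1002", "authorities": [PO_CREATE, GRIR, TXN_INPUT],
     "last_logon": date(2005, 1, 12)},
    {"user_id": "U1003", "authorities": [S33_PAYMENT],      # transferred, still active
     "last_logon": date(2004, 9, 15)},
    {"user_id": "U1004", "authorities": [TXN_INPUT], "last_logon": None},
    {"user_id": "C9001", "authorities": [IFMS_ALL],         # consultant super-user
     "last_logon": date(2005, 1, 20)},
]
ACTIVITY_LOG = [
    {"user_id": "C9001", "action": VENDOR_CREATE, "vendor": "V-500"},
    {"user_id": "C9001", "action": TXN_INPUT, "vendor": "V-500"},
    {"user_id": "C9001", "action": S33_PAYMENT, "vendor": "V-500"},
    {"user_id": "U1001", "action": S33_PAYMENT, "vendor": "V-200"},
    {"user_id": "C9001", "action": PO_CREATE, "vendor": "V-501"},
]

if __name__ == "__main__":
    today = date(2005, 1, 31)
    print("SoD conflicts:", sod_conflicts(PROFILES))
    print("Dormant accounts:", dormant_accounts(PROFILES, today))
    entries, same_user = superuser_review(PROFILES, ACTIVITY_LOG)
    print("Super-user entries to review:", len(entries))
    print("Vendor created and paid by same super-user:", same_user)
```
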
6.2.2 Verification of Authority to Approve Assistance
There is no documentation in the financial files to demonstrate that departmental grants and contribution payments have been approved by officials with delegated authority.
The audit included a review to determine if adequate supporting documentation was contained in financial files to demonstrate that payments are properly approved. In the case of grants and contribution payments, FMMD indicated that it does not maintain approval documents on the financial files. Payments are approved under Section 33 of the FAA without verifying that assistance has been authorized by the appropriate level of authority. There is no effort made to re-verify, on a sample basis, that the system in place for ensuring proper authority has been obtained is actually working as intended.
According to the Delegation of Authority Instrument, the Minister must approve all assistance above $5M, while contributions above $10M require TB approval, and contributions above $20M require Cabinet approval. Auditors understand that the Programs and Services Branch (PSB) exercises an oversight role for contribution projects above a certain threshold. However, PSB decisions are not systematically placed on financial files.
When staff in specific programs were asked to provide proof of such approval, they indicated that proper approvals are always obtained relative to the amount of the assistance. However, staff were not readily able to provide such proof. In fact, staff could not provide approval documents for 25 files examined during the audit. Subsequently, PSB was able to provide evidence of approval for 23 of these 25 files. In two cases, there was no evidence of approval of file. As such, the department is at risk as proper authority might not be obtained. Given that it is the responsibility of the Financial Officer to ensure the legality of payments, it is important that these Officers ensure that approval is provided by the officials who have proper authority to do so.
Recommendations:
- FMMD should establish a process to ensure that departmental grants and contribution payments have been approved by officials with delegated authority.
- For instance, all decisions made by Programs and Services Branch should be systematically placed on financial files. Where authorities are required from outside the department, there should be a statement to that effect on the Programs and Services Branch decision sheet.
- A re-verification of a sample of contribution projects should be examined to ensure that the proper level of authority was obtained.
6.2.3 Claim Verification Process for G&C Payments
Financial Officers have not established a process to assess the effectiveness of the claim verification process at the program level.
Responsibility for verification of claims rests with Program Managers. Auditors noted that in most contribution programs there is a process in place to perform verification and complete a contribution verification checklist to attest to steps carried out in this regard. According to the departmental Verification of Claim Policy, Financial Officers who exercise payment authority are responsible for establishing a quality assurance process to ensure that the claim verification process is working as intended. However, auditors found that no such mechanisms have been established.
Auditors examined contributions payments from the following programs managed by the department:
- Canada-Ontario Infrastructure (COIP)
- Aboriginal Business Canada (ABC)
- PEMD and PEMD–I
- SchoolNet, CAP and Broadband
- Technology Partnerships Canada (TPC)
- Small Business Financing
- FedNor and Community Futures.
With the exception of the COIP, PEMD and PEMD–I, auditors noted that contribution verification checklists are used to attest to the verification points exercised when conducting claim verification activities.
System of Claim Verification
Treasury Board policy states that the responsibility for the system of account verification and related financial controls rests, ultimately, with officers who are delegated payment authority pursuant to Section 33 of the FAA. Further, these financial officers must provide assurance of the adequacy of Section 34 account verification and be in a position to state that the process is in place, and is being properly and conscientiously followed. This responsibility involves conducting periodic review of the system of claim verification. It can be carried out by re-verifying a sample of transactions and, if necessary, through on-site observation of the claims verification process. However, re-verification of the claim verification system is not carried out by officials with delegated payment authority.
Auditors reviewed the claim verification process used by three programs. While all programs had a documented process for performing claim verification, very little supporting documentation is forwarded to Financial Services for payment approval purposes. This would not be an issue if staff in Financial Services could have demonstrated that they understood the claim verification system and if they had tested the systems they are relying upon. Such is not the case for all major contribution programs in place. For instance, the SchoolNet Program had been the subject of a major change in 2004–05 with the adoption of a decentralized approach which resulted in an increase in the number of Program Officers confirming entitlement under Section 34 of the FAA. FMMD was not apprised of the changes to the claim verification process and could not assess the impact of the changes on their responsibility for approving payment under Section 33 of the FAA.
Given the claim verification process varies from program to program, it is even more important for Financial Officers to fully understand the claim verification process in each program and to adapt verification processes in accordance with the strengths or weaknesses of the processes in place in each program.
Claim Verification Process
In some instances, Financial Officers use audit checklists to document verification steps carried out prior to authorizing the payment of claims. However, in one region visited, auditors found that photocopies of completed audit checklists were placed in all files to avoid having to recheck boxes on these forms. In addition, in HQ, several non-completed checklists were found in the files. The checklist provides the Financial Officer with a reminder of all the verification points to be carried out while attesting to the work done. Current practices negate the benefits provided by this checklist.
Summary of Audit Test Results
As part of the audit, financial files for 169 grants and contributions were examined to assess the overall quality of the claim verification process. Table 2 below summarizes the audit findings from this sample review:
Recommendations
- The Senior Financial Officer should:
  - Direct that all programs are required to complete a Contribution (Claim) Verification Checklist as part of the claim verification process;
  - Implement a process whereby the claim verification process of each program is reviewed periodically to ensure its appropriateness in providing the necessary assurance required to authorize payment under Section 33 of the FAA. The same approach should be implemented by Regional Management Services Divisions who are responsible for approving payments under Section 33 of the FAA; and
  - Reinforce the appropriate use of audit checklists by Financial Officers.
6.2.4 Account Verification Process for O&M Transactions
The review of operating and maintenance financial files noted a number of weaknesses in both account verification (Section 34 of the FAA) and payment approval (Section 33 of the FAA).
Auditors examined a total of 232 O&M transactions to assess appropriateness of the account verification and payment approval processes. Results of audit tests are presented in Table 3 below:
Financial officers stated that a 100% review is carried out of all payments above $2,000 and of "sensitive" transactions as part of the process for authorizing payment under Section 33 of the FAA. This verification process, which applies to several thousand payments each year and is usually carried out by support staff in the Financial Services Units, is considered to be cursory in nature.[3]
In examining financial files, auditors noted several instances where either contracts or invoices were not on file, and several other instances where approval under Section 34 of the FAA was unsupported (i.e. no authority to initiate expenditure, no S34 signature, situation of potential contract splitting, wrong input of GST, coding issue, PO done after the fact). In the opinion of the auditors, the existing system of account verification does not provide necessary assurance that contract performance is being adequately carried out.
Account Verification and Common Services Provider
The department receives services through PWGSC as the federal government's provider of common services. Auditors noted that the roles, responsibilities and obligations of both PWGSC and Industry Canada staff are not documented. This situation impacts negatively on the account verification process. Auditors were informed that PWGSC staff do not provide supporting documentation with invoices issued to the department. Rather, through a system of internal settlements, PWGSC staff obtain coding information for the department and then, through an interdepartmental settlement, obtain payment for services provided. The following specific issues were noted in this regard:
- In one instance, PWGSC staff provided simultaneous translation at an event organized by Measurement Canada. The organization subsequently received a request for internal settlement (IS) which was settled immediately. When auditors examined the transaction, the organization called PWGSC to obtain supporting documentation for this transaction (which would not otherwise have been requested). Auditors noted that GST had been charged on the travel portion of the invoice, while GST was only admissible on professional fees. Travel per diems were not justified and amounts charged varied between $50.66 and $152.00, while the authorized per diem at that time was $71.45. As well, Measurement Canada staff could not explain one charge (entitled "Frais au sol") included on the invoice.
- In another instance, auditors noted that payments to GTIS are automatically invoiced to the department through the internal settlement process with no supporting information. The Financial Officer for Measurement Canada reported that, when supporting information for an invoice from PWGSC — GTIS was requested, the Officer discovered that 70 telephone lines did not belong to the organization, yet Measurement Canada had been paying for these lines since 2001–02. As a result of these findings, GTIS and Bell Canada will be reducing charges to Measurement Canada by $22,680 a year.
Relocation Services
Auditors noted that a centrally managed contract for relocation services with Royal Lepage is not subject to proper account verification by those expected to grant approval under Section 34 of the FAA. It is noted that, other than the TBS policy on relocation, which is directed primarily at relocated employees, there is no guidance provided as to how this program should be managed within the department.
The auditors also examined three relocation cases as part of the audit. Audit findings were as follows:
- In one case, an advance to Royal Lepage was made before the need for such an advance existed. An advance payment was requested in the early fall of 2003 for a relocation to take place in July 2004. Although the discrete organization requested advice from HQ Financial Services as to why the advance payment had to be made that early, none was provided and payment was issued in December of 2003, over six months prior to the expected moving date.
- In another instance, in one region visited, global reconciliation was not completed between payments issued to Royal Lepage as advances, and the Royal Lepage Final Account Summary. A difference of $484.65 could not be explained to auditors examining this file. In the end, payments were approved under Section 33 of the FAA without being questioned.
It is the responsibility of Financial Services to understand the account verification systems that support approval of goods and services and to periodically re-verify those systems (through the examination of a sample of transactions). Auditors found that, in general, Financial Officers exercising payment authority do not verify the systems of account verification on a periodic basis and therefore cannot rely on these systems when approving payments.
Recommendations
- The Senior Financial Officer should establish a process that will ensure thorough understanding of how account verification is being carried out across the department.
- The existing 100% cursory review process should be enhanced through verification, on a sample basis, of the account verification steps undertaken to obtain assurance of contract performance (i.e. the completion of deliverables), as well as compliance with TBS and departmental policies.
6.2.5 Financial Controls over Collaborative Agreements
Some weaknesses exist in the management of Specified Purpose Accounts.
On a regular basis Program Managers make use of Collaborative Agreements to conduct shared research with outside organizations (other levels of government, non-government organizations or the private sector). Requirements respecting the use of such agreements are outlined in the TBS Policy on Specified Purpose Accounts (SPA). Auditors found that the department complies with the provisions of this policy. Within the department, agreements are reviewed by Financial Services and Legal Services before they are signed; however, there are no specific departmental guidelines respecting the use of Collaborative Agreements.
Auditors reviewed financial controls over collaborative agreements and noted the following:
- In one discrete organization, Financial Officers felt they were unable to exercise functional authority as they were not provided with copies of the proposed agreements for review and comment prior to signature, or at the time of processing a payment against the agreement. As the department is creating a liability when funds are received, it is important that Financial Officers be involved in the establishment of the SPA to ensure compliance with TBS policy.
- In one region visited, auditors noted that SPA funds were used to reimburse departmental expenditures rather than charging expenditures directly to the account. In this instance, the collaborator, the Province of Ontario, did not always provide funds on a timely basis and therefore project expenditures were paid by the program. When dealing with collaborative arrangements, Program Managers and Financial Officers must ensure that funds are received in advance of needs and that they are deposited in a distinct account. They must also ensure that payments are made directly from each distinct account.
Recommendation
- The Corporate Comptroller should remind all Financial Officers of the policy requirements relating to the TBS Policy on Specified Purpose Accounts.
6.2.6 Organization of Financial Files
Weaknesses exist in the organization of HQ's financial files.
Financial files of the Corporate Comptroller are maintained in the Records Office, under the responsibility of the Chief Information Officer. As outlined in Industry Canada's Records Management Policy, employees are responsible for creating, capturing and filing records in the corporate records system and are accountable for their records management practices. The maintenance of financial files is a shared responsibility between the CIO records office and the financial officers using them. Some files are on long term charge-out to finance staff who maintain the files while in their custody. Alternatively, individual documents are provided to the records office for placement on the official files.
As part of the audit, a total of 80 O&M files were requested of which only 52 files were provided (a rate of 65%). Other files could not be located. Files provided were often missing the original contract or subsequent amendments, thus hindering the Financial Officers' verification process or delaying payments when the contractual information had to be obtained through other means. Auditors also found misplaced payments in the files reviewed. Although supplier files should be opened every fiscal year, the auditors noted that in some instances, the suppliers' file contained financial transactions dating back as far as 2002.
The absence of well organized files impacts the efficiency of the payment approval process as it can delay or prevent the verification of key information.
Recommendation
- The Chief Information Officer and the Corporate Comptroller should ensure that financial files are well maintained, with pertinent documents on all files in order to assist Financial Officers in fulfilling responsibilities.
6.3 Audit Criterion: Accountability
6.3.1 Training Programs
Existing financial training courses do not address all key risk areas.
The Corporate Comptroller and Regional Financial Services have jointly developed training packages to address the delegation of authorities. Regular meetings or other sessions are conducted to apprise interested parties of changes made to the IFMS. As well, the department has developed training programs for managers and administrative officers on the delegation of authorities and on other areas of financial management.
However, there is no systematic training offered on the account (claim) verification process, a key process exercised across the department by several hundred managers and staff in support of approving contract performance under Section 34 of the FAA. As well, systematic and regular training is not offered to the Financial Officers (40) exercising Section 33 of the FAA and to the 77 Financial Assistants sharing payment approval responsibilities within numerous satellite offices that support Regional Financial Officers.
Recommendations
- The Senior Financial Officer should ensure that training and related tools are provided to managers and administrative staff about responsibilities for approving contract performance.
- The Senior Financial Officer should ensure that training and related tools are provided to Financial Officers and Financial Assistants about payment approval responsibilities.
6.3.2 Oversight of Expenditure Management Accountability
Opportunities exist to strengthen aspects of the Corporate Comptroller's oversight role.
Low value transactions (< $2000)
The Corporate Comptroller developed an approach to monitor low dollar value transactions through the post-audit process. Monitoring is carried out centrally, in HQ, by officers who have not been involved in the input of financial transactions. Auditors believe that this process should be re-examined once risks relating to the complex organization of financial management within the department have been assessed, including the role of satellite offices in financial management. Currently the results of monitoring activities are being disseminated in a sporadic manner. In some areas observations are forwarded to the clerk responsible for inputting transactions and in other areas observations are provided to the Financial Officers.
When results of monitoring are sent to input clerks, Financial Officers are not aware of issues that need to be addressed in respective areas of responsibility. Auditors believe that the results of current monitoring exercises should be communicated to Financial Officers working within Management Services Divisions in regions and discrete organizations at all times. Management Services Divisions require this information to appreciate the quality of the account verification process exercised on low dollar value transactions in regions or discrete organizations.
Other transactions (> $2000, including sensitive transactions)
The Corporate Comptroller is not monitoring the process used by Financial Officers exercising payment authority under Section 33 of the FAA for transactions above $2000. The Director of Management Services in one discrete organization reported having been subject to a Section 33 audit by the Corporate Comptroller about five years ago.
In the regions and discrete organizations visited by the auditors, Financial Officers do not forward reports on monitoring activities they are conducting over financial transactions to the Corporate Comptroller. When examining the job description of Financial Officers operating in discrete organizations, auditors noted that the functional role of the Corporate Comptroller is not reflected.
When conducting regional visits, auditors also noted that minimal oversight was being exercised by the Regional Management Services Divisions over financial management activities taking place within satellite offices. However, Financial Assistants in these offices play an important role in overall expenditure management accountability for the department.
Recommendations
- The Corporate Comptroller should:
- Review the post-audit process on low value transactions to take into consideration the risks associated with the complex nature of expenditure management in the department;
- Ensure that, on a consistent basis, results of current monitoring exercises are forwarded to all Directors of Management Services Divisions in regions and discrete organizations so that they can learn from the results of oversight activities;
- Influence Regional Directors of Management Services Divisions to exercise more oversight of financial management activities in satellite offices and request that results of monitoring activities be reported to the Corporate Comptroller; and
- Regularly assess how various regions and discrete organizations are reviewing systems of account verification upon which they rely to authorize payment under Section 33 of the FAA. This will involve visiting Management Services Divisions in regions to gain an understanding of oversight processes, and examining results of oversight activities.
6.3.3 Oversight of the Acquisition Cards Process
Opportunities exist to strengthen the monitoring of acquisition card transactions.
The Corporate Comptroller established a monitoring process to oversee the use of acquisition cards. At the time of the audit, the department was in the process of adopting a consolidated approach to pay the acquisition card supplier, the Bank of Montreal. Notwithstanding, some organizations, notably CIPO, Measurement Canada (HQ and Ontario) and the CRC were not part of the departmental monitoring program.
As a result, active monitoring of these organizations was being carried out by the internal Audit and Evaluation Branch (AEB) on behalf of the department. Auditors suggested to AEB that the Branch should not have a direct role in the monitoring of the Acquisition Card Program as it compromises audit independence. It is noted that AEB has since ceased active monitoring activities in this area.
In establishing a departmental monitoring regime, consideration should also be given to the relative risks associated with the complex organizational structure that supports expenditure management within the department. For example, in smaller offices (i.e., satellite offices), the acquisition cardholder could be the same individual as the Financial Assistant inputting transactions into IFMS, thus increasing the risk profile within those offices. Given that supporting documentation for the acquisition card remains in satellite offices, it makes it more difficult for Regional Financial Officers, exercising Section 33 of the FAA, to identify potential irregularities with acquisition card transactions.
Recommendation:
- The Corporate Comptroller should establish a comprehensive, risk-based monitoring program for acquisition cards to coincide with the implementation of a consolidated payment approach for Acquisition Cards.
2 In larger departments, the SFO may delegate his or her authority for key financial responsibilities to a Senior Fulltime Financial Officer.
3 Although not documented, the following verification is typically carried out as part of the verification process leading to the approval of payment under S33 of the FAA: name and address on the payment matches the contract or PO; terms of the contract have been complied with; services invoiced fall between the contract start and completion date; amendments are in place when contract extended; fiscal year split matches the contract; and deliverables are received (based on a S34 signature only).