Audit of Departmental Financial Controls—Table of Contents

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Final Audit Report—March 2006

Prepared for: Industry Canada/Audits and Evaluation Branch
Tabled and approved at DAEC on September 21, 2006.

Table of Contents


1. Executive Summary

An audit of Departmental Financial Controls was carried out in accordance with the approved Internal Audit Plan for 2004–05. The period of the audit covered the period that expenditures were incurred during FY 2003/04 and FY 2004/05 to end of October of 2004.

The audit assessed whether Industry Canada's financial control framework is adequate to ensure that: allocated funds are spent for their intended purposes and within approved limits; financial information is accurate; and appropriate controls are maintained over expenditures. The audit also assessed whether the department effectively discharges responsibilities as required under the Financial Administration Act (FAA).

The audit was department-wide in scope and encompassed financial responsibilities assigned to all levels of Industry Canada managers, as well as the framework of expenditure financial control within the department and applicable policies and procedures. The audit included a review of transfer payment programs and regular operating expenditures, but excluded salaries and revenues.

Key Findings

Effective controls necessary to ensure sound stewardship of public funds requires clearly defined roles and responsibilities, delegated authorities commensurate with these responsibilities, and appropriate accountability mechanisms. The current delegation of financial authorities and organization of financial functions within the department is set up in a manner that reflects the department's organizational structure, but, at the same time results in the risk of inadequate controls within the financial control framework of the department. For example, within the department, while autonomous agencies and sectors exercise payment authority under Section 33 of the FAA, Financial Officers do not report (in either a functional or administrative capacity) to the Senior Financial Officer (SFO). In addition, Financial Officers are not accountable to the SFO for the design and operation of related financial processes and controls.

Further complications arise at the regional level where various Industry Canada programs are delivered. Regional offices receive financial services from the Operations Sector. However, Regional Financial Officers approve transactions from satellite offices without, in most cases, requesting supporting documentation. Further, some Financial Assistants working in satellite offices are under the direct supervision of another program or sector and are not accountable to Regional Financial Officers exercising payment authority under Section 33 of the FAA.

Conclusion

Without the existence of a clearly documented, department-centric financial management organizational structure, complemented by an effective monitoring and review function and corresponding accountability mechanisms, there is no assurance that financial processes are being carried out in a consistent manner and that all required financial controls are in place and operating as intended. In the absence of these key controls, the SFO and the Deputy Minister are at risk of not being able to assess the design, implementation and maintenance of internal controls at a departmental level. As a result, auditors are unable to provide assurance that the Department's comptrollership responsibilities are being effectively managed.

Recommendations

Implementing a single point of accountability for ensuring financial controls exist and are operating effectively would increase assurance that managers are exercising their comptrollership responsibilities properly. Therefore it is recommended that:

  • An effective monitoring and review function should be implemented throughout the department, along with corresponding accountability mechanisms.
  • Monitoring and review functions, along with accountability mechanisms, should be monitored by a functional authority to ensure that they are effective and that they are carried out in a consistent manner.

Additional, detailed recommendations are provided in Section 6 of this report.

2. Introduction

An audit of Departmental Financial Controls was carried in accordance with the approved Internal Audit Plan for 2004–05.

As a federal department, the cornerstone of Industry Canada's financial control framework consists of several components, including: the organization of controls, the delegation of financial authority, departmental bulletins and guidelines that supplement TBS policies and regulations, financial management training and support to managers and staff, account verification processes, and the monitoring activities that support the exercise of payment authority.

This report summarizes audit observations about this financial control framework and provides recommendations for management consideration. Information is presented as follows:

  • Objective, scope, approach and methodology (Section 3);
  • Organization of financial management in Industry Canada (Section 4);
  • Summary of audit findings, overall conclusion and recommendations (Section 5); and
  • Detailed findings and recommendations (Section 6).

Appendix A contains a complete list of the audit criteria used to assess the financial function during this audit.

Appendix B contains an Action Plan, summarizing of all recommendations highlighted throughout this report, management's response to the recommendations along with a proposed time frame for implementation of corrective action.

3. Audit Objectives, Scope, Approach and Methodology

3.1 Audit Objectives

The two objectives of the audit were as follows:

  • Objective #1: To assess the adequacy of the design and operation of the department's financial control framework to ensure that: allocated funds are spent for their intended purposes and within approved limits; financial information is accurate; and appropriate controls are maintained over expenditures.
  • Objective #2: To ensure that the department properly and effectively discharges its responsibilities with regard to the exercise of financial authority, notably with respect to the application of Sections 32, 33, 34 of the Financial Administration Act (FAA).

The FAA is the federal government's legislative authority with respect to financial management. Three sections of the Act are critical to ensuring that controls are in place over expenditures made from parliamentary appropriations.

  • Section 32 of the FAA covers the control of financial commitments chargeable to each Parliamentary appropriation.
  • Section 34 of the FAA deals with the need to certify that goods and services were received or that a recipient is eligible for payment.
  • Section 33 of the FAA relates to the need to ensure that payments are subject to authorized requisitions, lawful and within the appropriations level. Officers exercising Section 33 payment authority must have adequate assurance that the Section 34 certification has been provided.

The FAA is supplemented by Treasury Board (TB) policies and guidelines dealing with various subject-specific aspects of financial control over expenditures. Departmental senior financial managers are responsible for designing and implementing procedures and controls that promote and ensure the appropriate management of departmental financial resources.

3.2 Audit Scope, Approach and Methodology

This audit covered expenditures incurred during FY 2003/04 and FY 2004/05 to end of October of 2004.

The audit was department-wide in scope and encompassed financial responsibilities assigned to all levels of Industry Canada managers, as well as the framework of expenditure financial control within the department and applicable policies and procedures. The audit included a review of transfer payment programs and regular operating expenditures, but excluded salaries and revenues.

The following approach was followed in conducting this audit:

  • Review of relevant documentation on financial controls within Industry Canada.
    • Auditors reviewed relevant documentation in order to gain a sound understanding of IC's policies, procedures and reporting mechanisms as they relate to financial controls and reporting.
  • Interview key individuals within the Comptrollership and Administration Sector (CAS), the Chief Information Office as well as the Operations Sector.
    • A conference call was conducted with all regions to understand the organization of financial management at the regional office level. The auditors also interviewed key individuals at the Communication Research Centre (CRC).
    • Note: The Operations Sector is responsible for regional operations as well as several Special Operating Agencies and several contribution programs including the Aboriginal Business Canada Program, the Technology Partnership Program and FedNor.
  • Establish audit criteria (see Appendix A) to undertake the audit.
    • Specific audit criteria were developed to assess the appropriateness of the financial management framework (control mechanisms and processes) and the extent to which key elements of a sound financial management framework are in place in Headquarters (HQ) and in the regions.
  • Conduct visits to two regions and FedNor.
    • Auditors visited the Ontario and Atlantic regions as well as FedNor in Sudbury to assess financial management controls as well as to review a sample of financial transactions (G&C and O&M).
    • Note: FedNor maintains its own financial management organization, with delegated payment authority.
  • Conduct visits to three discrete organizations.
    • Auditors visited the Canadian Intellectual Property Office (CIPO), the Communications Research Centre (CRC) and Measurement Canada (MC) Auditors assessed financial management controls and reviewed a sample of financial transactions (O&M) in each organization.
    • Note: All three of these organizations have a unique status within the department with their own financial management organizations.
  • Conduct review of financial transactions in HQ.
    • Auditors reviewed a sample of financial transactions in HQ (G&C and O&M) to assess whether key financial controls were working as intended.
  • Validate results from sample review.
    • Audit results were documented and provided to the ComptrollershipBranch for review and comment.

After these steps were complete, auditors debriefed key departmental officials on the results of the audit to validate findings and seek feedback on key recommendations.

3.3 Appreciation

The auditors would like to thank individuals and organizations that participated in this audit for the cooperation and assistance afforded to the audit team throughout this engagement.

4. Financial Management Organization in Industry Canada

Financial management activities are carried out across various entities within the department, reflecting an organization with a complex structure. Financial activities within the department are delivered by sectors, branches, regions and discrete organizations to which payment authority under Section 33 of the FAA has been delegated.

The Assistant Deputy Minister (ADM) of the Comptrollership and Administration Sector (CAS) reports to the Associate Deputy Minister and is ultimately accountable to provide support for the planning, allocation and control of departmental expenditures. The ADM, CAS fulfils the role of Senior Financial Officer (SFO) for the department and is responsible for the preparation and presentation of financial statements including notes, schedules, significant judgments and estimates. Annually, the ADM, CAS together with the Deputy Minister, must declare, in a letter of representation attached to the departmental financial statements, that the department has developed internal controls designed to prevent and detect fraud and error. This statement serves to provide reasonable assurance to parliamentarians that relevant and reliable information is produced.

Also reporting to the Associate Deputy Minister, the Chief Information Office (CIO) acts as the principal departmental information management/information technology (IM/IT) advisor, and is accountable for the overall performance, effectiveness and efficiency of IM/IT services, policies and resources for the department. The Corporate Financial Systems Division, within the CIO, is responsible for the management of the Integrated Financial Management System (IFMS), as well as the maintenance and development of the IFMS. Responsibility was recently reassigned from CAS to the CIO.

Within the CAS, the Comptroller's Branch, headed by the Corporate Comptroller1, is responsible for financial and materiel management policies, systems, processes and standards which are consistent with modern comptrollership, while striving to ensure compliance with Parliament's requirements for financial stewardship and probity. The role of Senior Full-time Financial Officer was assumed by the Corporate Comptroller in November 2003 with the creation of the CAS Sector.

Within CAS, the Programs Services Branch (PSB) is responsible for providing advice, guidance and program expertise on the design of new or amended programs or services in order to assist the Programs and Services Board carry out its mandate and to ensure departmental compliance with all governmental and departmental program related regulations and policies.

The Financial Policy Section, CAS provides guidance on financial management. Guidance is provided through the provision of financial and accounting policy development and/or interpretation of the Treasury Board and departmental financial and accounting policies.

The Financial Services Division of Financial and Material Management Directorate (FMMD) within CAS provides advice, guidance and financial services, revenue management and General and Public Accounting and Expenditures Management. Included in this mandate are payment services and support for Grants and Contributions (G&C), Operation and Maintenance (O&M), Travel, Removal, Hospitality, Membership and Conference Sponsorship in addition to services related to Reconciliation, Signing Authorities, Pay Cheques Distribution and Public Accounts.

Discrete organizations and autonomous agencies within the NCR which have been delegated payment authority under Section 33 FAA include the Canadian Intellectual Property Office (CIPO), the Communications Research Centre (CRC) and Measurement Canada. These organizations are responsible for providing their own financial services to their clients. CIPO and Measurement Canada report to the Operations Sector while CRC reports to the Associate Deputy Minister.

Each of Industry Canada's five regional offices has a Financial Management Group normally headed by a Director of Corporate Services. These groups are responsible for financial management activities within each region including the approval of payments under Section 33 of the FAA. These corporate regional offices report to the ADM of the Operations Sector.

Two contribution programs, FedNor and Community Futures Program, located in Sudbury, Ontario, also share a financial management group. This group is responsible for financial management activities within these programs, including the approval of O&M and G&C payments under Section 33 FAA. FedNor also reports to the ADM of the Operations Sector.

Expenditure management is governed by three specific sections the Financial Administration Act: Sections 32, 33 and 34. The following paragraphs described these authorities and how they are being exercised within the department.

4.1 Expenditure Initiation and Commitment Authority (S.32 of FAA)

Expenditure initiation authority is the authority to enter into contracts or other arrangements that will result in a charge to the departmental appropriation. This authority is exercised by managers throughout the department who are responsible for the administration of a budget, usually associated with a responsibility centre. Section 32 of the FAA requires that there are sufficient funds in the appropriation to discharge the payment. While expenditure initiation is delegated to responsibility centre managers, the commitment authority is often exercised by administrative officers who act on behalf of a responsibility centre manager when committing funds into IFMS for a particular purpose.

4.2 Contract Performance (S.34 of FAA)

Contract performance is the authority to certify the receipt of goods and/or services in accordance with the terms and conditions of a contract or other relevant arrangement and the availability of funds for payments. In the case of a grant or contribution, the certification under Section 34 ensures that all the terms and conditions of the agreement have been met and that funds are available for payment.

Contract performance is exercised by the manager who is responsible for the budget, normally, the responsibility centre manager. The manager exercising contract performance under section 34 is responsible for account verification. Account verification represents the actions of the manager required to certify delivery. Under Section 34, managers must attest or confirm that:

  • Work has been performed, goods supplied or that the payee is entitled to or eligible for payment (as in the case of a grant or contribution);
  • Terms and conditions of the contract or agreement have been met;
  • The transaction is accurate; and
  • The transaction complies with the FAA or relevant Treasury Board policies.

Both contract performance and account verification are carried out by Responsibility Centre Managers (RCM). Within HQ, once Section 34 FAA authority has been exercised, payment requests are entered into IFMS at the division or sector level, or are forwarded to the Financial Services Division (FSD) of FMMD for data entry. To date, most divisions or sectors are inputting payment requests into IFMS. However, all travel claims are entered into IFMS by FSD while for other accounts payable the input level by FSD is limited. In all cases, whether the financial transactions are input by the divisions or not, the FSD authorizes payment under Section 33 FAA on the basis of supporting information forwarded by divisions.

Within regions, account verification is also exercised by RCM who may either be working in the regional office or from a point of service (satellite office). There are 44 satellite offices linked to the five regional offices. Payments from a satellite office are typically input into IFMS in the satellite office by Financial Assistants. Regional Financial Officers exercise payment authority from the regional office. However, given the geographical distance of the satellite offices from the regional offices, the satellite offices retain all supporting payment documentation.

4.3 Payment Authority (S.33 of FAA)

The Financial Services Section in CAS approves payments under Section 33 of the FAA for all payments processed in HQ except for organizations that have delegated payment authority. These organizations are CIPO, CRC and Measurement Canada. In addition, the Financial Services Section is responsible for performing departmental reconciliations, for managing signing authorities, for distributing pay cheques and for developing public accounts and departmental financial statements.

Regional offices in the Atlantic, Québec, Ontario, Prairie and Pacific regions have financial management capacity as well as Financial Officers within the regions that have been delegated payment authority under Section 33 of the FAA. Regional financial staff report to the Operations Sector. FedNor and the Community Futures Program are the only contribution programs which have financial management capacity as well as Financial Officers within FedNor's Corporate Services group, who have been delegated with payment authority to support these contribution programs. The organization also reports to the ADM Operations.

Table 1: summarizes the number of financial officers in the department with payment authority under Section 33 FAA at the time this audit was conducted:

Table 1: The number of financial officers in the department with payment authority under Section 33 FAA at the time this audit was conducted
Division / Region / Organization Financial Officers with authority under S.33, FAA Responsible Sector
HQ / Financial Services Division 9 CAS
HQ / Financial Services Division Post GL only 3 CAS
HQ / Financial Services Division Autopost 1 CAS
Atlantic Region 3 Operations
Québec Region 4 Operations
Ontario Region 2 Operations
Prairie Region 3 Operations
Pacific Region 3 Operations
FedNor/CFP 5 Operations
Communication Research Centre Canada 2 CRC
Measurement Canada 2 Operations
Canadian Intellectual Property Office 4 Operations
Total 41  

4.4 Acquisition Card Program

To reduce costs involved in processing payments, the department introduced an Acquisition Card Program and developed a monitoring approach designed to ensure the effectiveness of controls over the program. The Acquisition Card Program is defined in the departmental policy on acquisition cards. Under the program, more than 600 acquisition cards have been issued to cardholders across Canada. The official acquisition card is the Bank of Montreal (BMO) MasterCard. However, some sectors, regions and discrete organizations (CIPO and CRC) have opted to go with VISA from the Canadian Imperial Bank of Commerce (CIBC) or other company credit cards (i.e., Business Depot).

Each month, BMO and CIBC issue acquisition card statements. Statements are verified by the cardholder and are then processed in IFMS. Each acquisition card statement is subject to a single payment. The department is currently implementing a consolidated payment approach in conjunction with the BMO whereby all statements will be subject to one unique payment.

A Departmental Coordinator, the Supervisor of Contracts in Contracts and Materiel Management (CMM) supervises the Acquisition Card Program. Regional and other Coordinators (CIPO, CRC and Measurement Canada) have also been appointed to facilitate the receipt, delivery and retrieval of acquisition cards, and to respond to queries from managers and cardholders.

Monitoring of this program involves both CMM and the Financial Services Directorate. CMM monitors the nature of the purchases, from a contracting perspective, using the BMO's Details Online Software, while the Financial Services Directorate ensures compliance with financial policies and procedures. This approach to monitoring was implemented in the fall of 2003. In the past, the Audit and Evaluation Branch played a role in acquisition card monitoring by reviewing records of discrete organizations (CIPO, CRC, Measurement Canada and the Ontario Region of Measurement Canada). However, monitoring of these organizations is now being coordinated by FMMD in order to accommodate post-payment verification procedures required for the consolidated billing implemented in October 2005.

4.5 Integrated Financial Management System (IFMS)

The Corporate Financial Systems Division is responsible for the maintenance of the IFMS and manages access to the system. The IFMS Access Group acts as the Departmental Coordinator for issuing and removing access rights to IFMS. Regional and other Coordinators (CIPO, CRC and Measurement Canada) have been appointed to facilitate the issuance of access rights by ensuring that application forms are duly approved by requesting managers, and that applicants receive necessary training. Although the Chief Information Office is now accountable for all systems including IFMS, CAS authorizes all access requests prior to granting of access to the system by the IFMS Access Group.


1Although this position was staffed at the time of the audit, the position is currently vacant. Also, the Comptroller General will be making proposals to reshape the current SFO and SFFO roles into a single position of Chief Financial Officer (SFO). (Return to text.)

5. Summary of Findings, Overall Conclusion and Main Recommendation

5.1 Summary of Findings

Audit Objective #1: To assess the adequacy of the design and operation of the department's financial control framework to ensure that allocated funds are spent for intended purposes and within approved limits; financial information is accurate; and appropriate controls are maintained over expenditures.

Effective controls that are necessary to ensure sound stewardship of public funds requires clearly defined roles and responsibilities, delegated authorities commensurate with these responsibilities, and appropriate accountability mechanisms. The current delegation of financial authorities and organization of financial functions within the department is set up in a manner that reflects the department's organizational structure, but, at the same time results in the risk of inadequate controls within the financial control framework of the department.

Specifically, within the department, while autonomous agencies and sectors exercise payment authority under Section 33 of the FAA, Financial Officers do not report functionally or administratively to the SFO and are not accountable to the SFO for the design and operation of related financial processes and controls. Financial management responsibilities are further complicated at the regional level through which various Industry Canada programs are delivered. Regional program offices (e.g. Measurement Canada) operate in a matrix fashion and receive financial services from the Operations Sector. However, regional financial officers approve transactions from satellite offices without, in most cases, requesting supporting documentation. Further, some Financial Assistants working in satellite offices are under the direct supervision of another program or sector and are not accountable to regional Financial Officers.

In the absence of these key controls, the SFO and the Deputy Minister are at risk of not being able to assess the design, implementation and maintenance of internal controls at a departmental level.

Audit Objective #2: To ensure that the department properly and effectively discharges responsibilities with regard to the exercise of financial authority, notably with respect to the application of Sections 32, 33, 34 of the Financial Administration Act (FAA).

Control processes have not been established to ensure that accounts for payment and settlement are being verified in a cost-effective and efficient manner. Treasury Board policy states that the responsibility for the system of account verification and related financial controls rests ultimately with officers who are delegated payment authority pursuant to Section 33 of the FAA. Further, financial officers must provide assurance of the adequacy of Section 34 FAA account verification, and must be in a position to state that the process is in place and is being properly and conscientiously followed. At present, this is not being done.

In the case of G&C programs, there is no single, generally accepted claims verification process that programs are required to follow. Given this, it is even more important for Financial Officers to have an understanding of each program's claim verification process and to adapt specific steps followed in accordance with the strengths or weaknesses of verification processes in place in each program. A review of the claim verification process used by three G&C programs found that, while all programs had documented processes to perform verification, very little supporting documentation is forwarded to Financial Services for payment approval purposes. This would not be an issue if Financial Services could demonstrate a solid understanding of the claim verification system in place for each particular program and if they had tested the systems they rely upon to approve payment. However, such is not the case for the three major contribution programs included in this audit.

Opportunities exist to strengthen existing account verification practices. In several instances, there was a lack of documentation on file to support the basis for certifying contract performance as required under Section 34 of the FAA. Supporting documents (invoices or contracts) were not found on file in over 20% of the files reviewed. In other instances, tools developed in support of account verification were either not used or were photocopied to avoid having to re-check the boxes on the form, thus negating the purpose and benefits of the checklist.

5.2 Overall Conclusion

From a financial management perspective, the absence of a clearly documented, department-centric financial management organizational structure, complemented by an effective monitoring and review function and corresponding accountability mechanisms, presents the following risks to the department:

  • There is no assurance that financial processes are being carried out in a consistent manner;
  • There is no assurance that all required financial controls are in place and are operating as intended; and
  • The Deputy Minister and the SFO are at risk of not being able to assess the design, implementation and maintenance of internal controls at a departmental level.

As a result, the auditors are unable to provide assurance that the department's comptrollership responsibilities are being effectively managed.

5.3 Main Recommendation

The department should assess the organization of the financial management function in terms of overall responsibility and accountability for the design, implementation and maintenance of internal financial controls.

In so doing, the department should consider the following:

  • The need for financial processes to be carried out consistently across the department;
  • The need for the SFO to exercise functional authority for financial management in the department through:
    • promulgation of financial management roles, responsibilities, authorities and reporting relationships;
    • establishment of an effective monitoring and review function and corresponding accountability mechanisms; and
  • The need for assurance that financial controls are in place and operating as intended.

6. Detailed Findings and Recommendations

Detailed audit findings are presented in this section along with specific audit recommendations to address each key finding. The Management Response for each finding can be found in Appendix B of this Audit Report. Findings are presented in accordance with the three audit criteria examined during the audit as follows:

6.1 Audit Criterion: Organization and Advice

6.1.1 Development and Communication of Policies, Procedures and Guidelines

The department has developed and communicated financial policies, procedures and guidelines with respect to key areas of financial management. However, auto-post and the complementary post-audit processes, adopted by the department to bring efficiency to the processing of payments, have not been documented.

The Financial Policy Unit (FPU) within the Comptrollership and Administration Sector is responsible for writing financial policies and bulletins and for interpreting TBS as well as Industry Canada financial policies and bulletins. Easy access to TBS financial policies is provided and the FPU has developed, when necessary, IC policies, procedures and guidelines. In the opinion of the auditors, the Comptrollers Branch Website, which is managed by the FPU, is well organized, with appropriate policies and bulletins references and with convenient links to TBS financial policies. The Acquisition Card Program has also been defined well through a departmental policy and a monitoring program.

Requests for interpretation of policy generally come from Financial Officers in HQ and regions as well as from sector financial advisors in HQ. Managers often seek interpretation of financial policies from these front line Financial Officers. Frequent personnel changes within the FMMD at HQ and Financial Policy Divisions have rendered it difficult to access policy interpretations.

Regions have implemented various means for communicating financial management policies, such as:

  • Providing regular training sessions on Delegation of Authorities or other areas of financial management at Managers' Meetings or one-on-one training sessions at the request of a manager;
  • Conducting annual meetings of Administrative Officers and IFMS Users (i.e. ICAP—Industry Canada Administrative Practionners conference) to reach the local financial officers' community and discuss important financial management issues and new policies and procedures;
  • Conducting conference calls with District Offices when changes to IFMS or other important changes to financial policies are introduced; and
  • Providing access to important financial management information through regional websites (i.e. Ontario-Web).

Auditors noted that the department has introduced an auto-post process to reduce administrative burden as well as to expedite the processing of low dollar value payments. This process calls for payments under $2000 to be posted directly to the General Ledger. Payments below the $2000 threshold, which are deemed to be sensitive, are excluded from the auto-post process. A postaudit process complements the auto-post process and consists of the examination of a sample of auto-post transactions done on a monthly basis. Both the auto-post and its complementary postaudit processes are considered important but have not been documented.

Recommendation

  • FMMD should document its auto-post and post-audit processes so that the organization of this important financial management activity is clearly communicated to those who need to know about these processes.

6.1.2 Exercise of Departmental Functional Authority

The roles and responsibilities required of the Senior Financial Officer (SFO) have not been implemented across the department to provide direction and guidance for all departmental financial processes and controls. Further, accountability mechanisms have not been established to provide the SFO with the means to monitor the design and operation of departmental financial processes and controls.

The audit assessed whether roles, responsibilities, authorities and related accountability mechanisms for financial management had been established in an effective manner.

At the time of the audit, the role of departmental SFO was the responsibility of the ADM, Comptrollership and Administration Sector (CAS). As SFO, the ADM, CAS is functionally responsible and accountable for all financial management matters in the department. This is evident, for example, in the annual Letter of Representation prepared for Public Accounts purposes, in which both the Deputy Minister and the ADM CAS, as the SFO, acknowledge responsibility for the design, implementation and maintenance of internal financial controls. The Financial and Materiel Management Division (CASFMMD) provides support to the ADM in exercising this responsibility.

The Treasury Board Policy on Responsibilities and Organization for Comptrollership states that deputy heads must designate a SFO with a direct reporting relationship to the deputy head.2 SFO responsibilities include:

  • Devising and implementing a financial management organization and processes in the department that lay the foundation for good comptrollership;
  • Working with managers at all levels to ensure that they exercise their comptrollership responsibilities properly;
  • Establishing and communicating an efficient and effective policy framework for financial management in support of comptrollership; and
  • Establishing a monitoring and review function to support the department in carrying out its own assessments of comptrollership.

In November, 2003, prior to the creation of CAS, the Corporate Comptroller was the designated SFO, with the role of Senior Full-time Financial Officer (SFFO) assigned to the then Director, Financial and Materiel Management Division (FMMD). There is no evidence to indicate that, at that time, resources had been provided to enable the SFFO to carry out all of the responsibilities of the position. Following the creation of CAS, the role of SFFO was assumed by the Corporate Comptroller, however this was done without concomitant resources. This has meant that some key responsibilities, such as the implementation of a department-centric financial management organization and the establishment of a monitoring and review function, have not being implemented.

Functional Reporting, Accountability Relationships Not Conducive to Good Comptrollership

Good comptrollership requires clearly defined roles and responsibilities, delegated authorities commensurate with these responsibilities, and appropriate accountability mechanisms. In Industry Canada, these tenets of good comptrollership are made more difficult by a very complex organizational structure.

Industry Canada consists of several sectors reporting to the Deputy Minister, autonomous agencies such as CIPO, Measurement Canada (MC), FedNor reporting to the ADM Operations Sector, and the Communications Research Centre (CRC) reporting to the Associate Deputy Minister. These organizations are responsible for providing financial services and carrying out various financial management activities, including exercising payment authority under Section 33 of the FAA. However, the SFO has not established review and monitoring processes and corresponding accountability mechanisms to assess the design and operation of related financial processes and controls. While the current delegation of financial authorities and organization of financial functions within the department reflects the department's organizational structure, delegation also increases the risk of inadequate controls within the financial control framework of the department.

Accountability Gaps at Regional Level

Financial management responsibilities are further complicated at the regional level through which various Industry Canada programs are delivered. Regional offices receive financial services through the Operations Sector. Regional financial services are delivered to direct and indirect clients with whom there is rarely a clear attribution of financial management responsibility. Indirect clients are either other programs of the department operating in regions and reporting to another division within the department, such as Bankruptcy, or programs that report to DFAIT, as is the case with International Trade Canada (ITCan).

The regional offices also have a total of 44 satellite offices and points of service to which certain financial management activities have been decentralized. After carrying out account verification steps leading to the approval of payments under Section 33 of the FAA, Financial Assistants in the satellite offices input or "park" financial transactions into the IFMS. In most cases, Financial Officers, located in the regional offices, then approve the transactions without requesting access to supporting documentation. These Financial Assistants are often under the direct supervision of another program or sector and are not accountable to the Financial Officer exercising Section 33 FAA payment authority.

At the time of the audit, there were 29 Financial Officers approving payment under Section 33 FAA in regions and discrete organizations. While Financial Officers within FMMD report to the Corporate Comptroller, the remaining Financial Officers report to management either within regional offices, within discrete organizations or, in the case of Measurement Canada, to the ADM, Operations Sector.

FedNor, located in Sudbury, Ontario, has its own financial management group. This group is responsible for financial management activities within the suite of programs delivered by FedNor, including the approval of payments under Section 33 of the FAA. However, as noted, the SFO has not established review and monitoring processes, along with corresponding accountability mechanisms, to assess the design and operation of related financial processes and controls.

Department at Risk

Industry Canada has in place a complex financial management structure which has not been formally documented or assessed in terms of the risks it presents to the Deputy Minister, the SFO and the regional financial management service organizations. In the opinion of the auditors, the absence of a clearly documented, department-centric financial management organizational structure, complemented by an effective monitoring and review function and corresponding accountability mechanisms, presents the following risks to the department from a financial management perspective:

  • There is no assurance that financial processes are being carried out in a consistent manner;
  • There is no assurance that all required financial controls are in place and operating as intended; and
  • The Deputy Minister and the SFO are at risk of not being able to assess the design, implementation and maintenance of internal controls at a departmental level.

As a result, auditors are unable to provide assurance that the department's comptrollership responsibilities are being effectively managed at the present time.

Recommendations

  • The department should assess the organization of the financial management function in terms of overall responsibility and accountability for the design, implementation and maintenance of internal financial controls.
  • In so doing, the department should consider the following:
    • The need for financial processes to be carried out consistently across the department;
    • The need for the SFO to exercise functional authority for financial management in the department through:
      • promulgation of financial management roles, responsibilities, authorities and reporting relationships;
      • establishment of an effective monitoring and review function and corresponding accountability mechanisms; and
    • The need for assurance that financial controls are in place and operating as intended.

6.1.3 Organization of Financial Management in Regions and Discrete/Autonomous Organizations

Internal control weaknesses were noted in Management Services Divisions in regions and in discrete/autonomous organizations.

Auditors found that officers exercise payment authority in regions without having clear assurance that they can rely on audit verification activities taking place in satellites offices. In one instance, conflicting financial management functions were identified in one of the three discrete organizations.

Exercise of Payment Authority for Satellite Offices

The Management Services Division (MSD) is responsible for financial management in regions and discrete organizations. In regional satellite offices program administrative staff act as Financial Assistants. They input financial transactions into IFMS and ensure that account verification has been adequately performed by the manager exercising contract performance under Section 34 of the FAA. Financial Assistants "park" financial transactions into IFMS while the Region's Financial Officers approve payments under Section 33 FAA without supporting documentation (this documentation remains in satellite offices). At the time of the audit, the two regions visited were beginning to initiate processes to oversee the quality of verification steps exercised by Financial Assistants. However, up until then payment approval has been done without sufficient assurance as to the appropriateness of the account verification process leading to approval under Section 34.

Lack of Segregation of Duties

In one agency visited, auditors noted that conflicting financial management functions were being carried out by the Management Services Division (MSD). When an RCM initiated an expenditure a MSD staff member entered financial commitments, prepared and issued contracts, requested invoices be sent to MSD, approved contract performance under Section 34 FAA (on behalf of the RCM), input transactions into IFMS and approved payment under Section 33 FAA.

In this instance, the MSD had obtained all financial authorities as a result of the interpretation given to the "Responsibility Centre Assistant (RCA) concept", developed as part of the Delegation of Authority Instrument. This concept allows an RCA who is accountable to the designating RCM to exercise spending authorities for operating expenses on behalf of the RCM. The President of this Agency has delegated the authority to contract, to commit (Section 32 of the FAA) and to confirm delivery of goods and services (Section 34 of the FAA) to Financial Officers working within the MSD. This blanket authority covers all transactions of the Agency. MSD also inputs financial transactions into IFMS and approves payments under Section 33 of the FAA.

Auditors also noted that, in this instance, the job description of the Director of MSD indicates that the incumbent directs the accounting operations of the Agency by exercising full commitment and expenditure authority (Sections 32 and 34 of the FAA) for the Agency's budget and provides cash control and cash management control for the Agency with signing authority under Sections 32, 33 and 34 of the FAA.

In the opinion of the auditors, this approach has the effect of taking away the financial accountability of managers while not ensuring an appropriate segregation of duties between the officer approving contract performance and the officer who inputs transactions into the IFMS.

Recommendations

  • Payment authority should only be exercised with sufficient assurance as to the appropriateness of the account verification process leading to contract performance approval (Section 34 FAA).
  • The organization of financial responsibilities for processing payments should respect the principle of segregation of duties.
top of page

6.2 Audit Criterion: Controls

The audit of internal controls covered the design of controls to mitigate risks assessed as well as the implementation of such controls. During the audit, auditors visited all organizations with payment authority under Section 33 of the FAA in order to understand processes in place for expenditure initiation, commitment control, account verification and payment authority. A sample of transactions of grants and contributions as well as operating and maintenance expenditures were examined.

6.2.1 Access Controls and Related Security Issues

For the most part, IFMS access controls and related security measures are in place and are operating as intended.

During the audit, the responsibility for all corporate systems, including the IFMS, was assigned to the CIO. Previously, this was under the responsibility of the ADM CAS.

The IFMS Application Security Policy was formally approved in February of 2004.

Formal approval procedures exist for access requests and the Corporate Comptroller (through FMMD in HQ). Financial Officers in regions and in discrete organizations exercise a sign-off on the IFMS Access and Authorization Form. Formal procedures also exist for defining and maintaining user access rules and profiles and for deleting or changing access rights when a person leaves or is transferred. However, departmental managers in regions and discrete organizations who supervise IMFS users do not always advise the IFMS Access Group of departures or changes in responsibility of former IFMS users.

Financial Officers indicated that often they learn through the IFMS Access Group that an individual has not accessed IFMS for several months. Once aware, they then communicate with the responsible manager to confirm the situation and advise IFMS Access Group accordingly. This situation mainly arises with IFMS users working in regional satellite offices or with IFMS users working in HQ divisions. The policy states that departmental managers must advise (in writing or by email) the Corporate System Division (IFMS Access Group) as soon as possible to cancel user names and passwords of departing employees.

Segregation of responsibilities and authorities is ensured by having Finance approve requests for financial profiles. Key segregations of duties are assessed prior to providing access to an IFMS User. For instance, all IFMS users with payment authority under Section 33 of the FAA cannot, and do not, have authority to create vendor codes in the system.

User profiles are reviewed periodically by a Security Analyst (IFMS Access Group), subject to departmental managers providing timely corrections to UserID and access rights. Twice a year, the IFMS Access Group provides FMMD with the list of users that have been provided with profiles which typically should be segregated. Auditors noted that FMMD is not providing additional monitoring of these users. Amongst groups of IFMS Users having incompatible authorities, auditors noted the following:

  • Four (4) IFMS users in regions with access to create a Purchase Order, to record the receipts of goods and services (GRIR), to input transactions into IFMS and to authorize payment under Section 33 of the FAA. From a systems point of view, these users are able to handle a transaction from beginning to end; and
  • Seventy-seven (77) IFMS users in regions or in discrete organizations who have the ability to access to create a Purchase Order, to record the receipt of goods and services (GRIR) and to input transactions into IFMS. Although they do not have payment authority under Section 33 of the FAA, the authority provided is less than effective since supporting documentation and back-up remains in satellite offices, and payments are authorized in Regional Offices with no oversight activities.

Users access SAP functions on a "need to know" basis. Auditors noted one instance where an IFMS User with delegated payment authority under Section 33 of the FAA was transferred from a region to HQ (early fall, 2004). In a new position, the employee no longer required IFMS access, yet retained access until January, 2005. If departures and changes in responsibilities are not reported in a prompt manner, the department is exposed to the risk of inappropriate access to the financial system.

There are a limited number of super-users (IFMS User with an authority "IFMS All") in the CIO Branch who have the ability to make use of all functions on the system. Typically, super-users require full access when an upgrade to the system is occurring or during special circumstances. Only two Access Security Officers within the CIO can authorize such access (approve a superuser). However, when such access is given to a user, typically a consultant, Access Security Officers do not ensure that the consultant has the appropriate security clearance. Furthermore, no special monitoring is carried out by Access Security Officers of these super-users when such access is given (i.e. to verify whether they have created a vendor and approved payments under Section 33 of the FAA while having all authorities).

It is a requirement that new IFMS users receive training prior to being given access (via UserID and password) to the IFMS. In regions, prospective IFMS users receive on-the-job training, and are provided with another IFMS user's current ID and password. Again, sharing of UserID and passwords exposes regions to greater risks. As new IFMS users can not be provided access until they have completed training, regions see no other alternative to this issue. A specific profile for IFMS Users-in-training does not exist. Such a profile could provide access to training modules, for instance, while, at the same time restrict access to production.

Recommendations

  • The Corporate Comptroller together with the CIO, should:
    • Review practices surrounding departmental manager sign-off of departing employees to ensure that on the Employee Exit Clearing Sheet managers are reminded to advise the IFMS Access Group of the departure;
    • Strengthen the periodic review of User Profiles (especially those that include incompatible functions) through enhanced segregation of duties and/or through the inclusion of compensating internal controls where considered appropriate (i.e. increase review of the transactions processed by these IFMS users);
    • Reinforce monitoring of super-users so that an automatic log of specific types of transactions is produced and examined by FMMD (e.g., transactions creating a vendor code, inputting a financial transaction into IFMS, and approving payment should be logged for review); and
    • Review practices surrounding the sharing of UserID and passwords for employees being trained on the IFMS. Trainees could make use of the training module of IFMS or could be provided with a specific "training" UserIDs and passwords so that sharing with ongoing IFMS Users is not permitted.

6.2.2 Verification of Authority to Approve Assistance

There is no documentation in the financial files to demonstrate that departmental grants and contribution payments have been approved by officials with delegated authority.

The audit included a review to determine if adequate supporting documentation was contained in financial files to demonstrate that payments are properly approved. In the case of grants and contribution payments, FMMD indicated that it does not maintain approval documents on the financial files. Payments are approved under Section 33 of the FAA without verifying that assistance has been authorized by the appropriate level of authority. There is no effort made to re-verify, on a sample basis, that the system in place for ensuring proper authority has been obtained is actually working as intended.

According to the Delegation of Authority Instrument, the Minister must approve all assistance above $5M, while contributions aboveÁ$10M require TB approval, and contributions above $20M require Cabinet approval. Auditors understand that the Programs and Services Branch (PSB) exercises an oversight role for contribution projects above a certain threshold. However, PSB decisions are not systematically placed on financial files.

When staff in specific programs were asked to provide proof of such approval they indicated that proper approvals are always obtained relative to the amount of the assistance. However staff were not readily able to provide such proof. In fact, staff could not provide approval documents for 25 files examined during the audit. Subsequently, PSB was able to provide evidence of approval for 23 of these 25 files. In two cases, there was no evidence of approval of file. As such, the department is at risk as proper authority might not be obtained. Given that it is the responsibility of the Financial Officer to ensure the legality of payments, it is important that these Officers ensure that approval is provided by the officials who have proper authority to do so.

Recommendations:

  • FMMD should establish a process to ensure that departmental grants and contribution payments have been approved by officials with delegated authority.
    • For instance, all decisions made by Programs and Services Branch should be systematically placed on financial files. Where authorities are required from outside the department, there should be a statement to that effect on the Programs and Services Branch decision sheet.
  • A re-verification of a sample of contribution projects should be examined to ensure that the proper level of authority was obtained.

6.2.3 Claim Verification Process for G&C Payments

Financial Officers have not established a process to assess the effectiveness of the claim verification process at the program level.

Responsibility for verification of claims rests with Program Managers. Auditors noted that in most contribution programs there is a process in place to perform verification and complete a contribution verification checklist to attest to steps carried out in this regard. According to the departmental Verification of Claim Policy, Financial Officers who exercise payment authority are responsible for establishing a quality assurance process to ensure that the claim verification process is working as intended. However, auditors found that no such mechanisms have been established.

Auditors examined contributions payments from the following programs managed by the department:

  • Canada-Ontario Infrastructure (COIP)
  • Aboriginal Business Canada (ABC)
  • PEMD and PEMD–I
  • SchoolNet, CAP and Broadband
  • Technology Partnerships Canada (TPC)
  • Small Business Financing
  • FedNor and Community Futures.

With the exception of the COIP, PEMD and PEMD–I, auditors noted that contribution verification checklists are used to attest to the verification points exercised when conducting claim verification activities.

System of Claim Verification

Treasury Board policy states that the responsibility for the system of account verification and related financial controls rests, ultimately, with officers who are delegated payment authority pursuant to Section 33 of the FAA. Further, these financial officers must provide assurance of the adequacy of Section 34 account verification and be in a position to state that the process is in place, and is being properly and conscientiously followed. This responsibility involves conducting periodic review of the system of claim verification. It can be carried out by reverifying a sample of transactions and, if necessary, through on-site observation of the claims verification process. However, re-verification of the claim verification system is not carried out by officials with delegated payment authority.

Auditors reviewed the claim verification process used by three programs. While all programs had a documented process for performing claim verification, very little supporting documentation is forwarded to Financial Services for payment approval purposes. This would not be an issue if staff in Financial Services could have demonstrated that they understood the claim verification system and if they had tested the systems they are relying upon. Such is not the case for all major contribution programs in place. For instance, the SchoolNet Program had been the subject of a major change in 2004–05 with the adoption of a decentralized approach which resulted in an increase in the number of Program Officers confirming entitlement under Section 34 of the FAA. FMMD was not apprised of the changes to the claim verification process and could not assess the impact of the changes on their responsibility for approving payment under Section 33 of the FAA.

Given the claim verification process varies from program to program, it is even more important for Financial Officers to fully understand the claim verification process in each program and to adapt verification processes in accordance with the strengths or weaknesses of the processes in place in each program.

Claim Verification Process

In some instances, Financial Officers use audit checklists to document verification steps carried out prior to authorizing the payment of claims. However, in one region visited, auditors found that photocopies of completed audit checklists were placed in all files to avoid having to recheck boxes on these forms. In addition, in HQ, several non-completed checklists were found in the files. The checklist provides the Financial Officer with a reminder of all the verification points to be carried out while attesting to the work done. Current practices negate the benefits provided by this checklist.

Summary of Audit Test Results

As part of the audit, financial files for 169 grants and contributions were examined to assess the overall quality of the claim verification process. Table 2 below summarizes the audit findings from this sample review:

Table 2: Financial files for 169 grants and contributions
Issues HQ Ont Atl FedNor
No proof that assistance was authorized 2 - 4 -
Unsupported approval (S34) 2 9 5 4
Unjustified advance payment 6 - - 2
Advance not in compliance with Contribution Agreement - - - 4
No authority to authorize payment (S34) - - 3 -

Recommendations

  • The Senior Financial Officer should:
    • Direct that all programs are required to complete a Contribution (Claim) Verification Checklist as part of the claim verification process;
    • Implement a process whereby the claim verification process each program must be reviewed periodically to ensure appropriateness in providing necessary assurance required to authorize payment under Section 33 of the FAA. The same approach should be implemented by Regional Management Services Divisions who are responsible for approving payments under Section 33 of the FAA; and
    • Re-enforce the appropriate use of audit checklists by Financial Officers.

6.2.4 Account Verification Process for O&M Transactions

The review of operating and maintenance financial files noted a number of weaknesses in both account verification (Section 34 of the FAA) and payment approval (Section 33 of the FAA).

Auditors examined a total of 232 O&M transactions to assess appropriateness of the account verification and payment approval processes. Results of audit tests are presented in Table 3 below:

Table 3 Results of audit tests
  HQ Ont Atl MC CRC CIPO
Note: Numbers in brackets represent transactions involving internal settlements with OGDs (primarily PWGSC).
Issues O&M excluding Acquisition Card
No authority to initiate expenditure - - 3 4 - -
Missing invoices or contract on financial file 16(1) 2 0 7(5) 7(2) -
Unsupported approval (S34) 16 14(4) 10(1) 5 5 -
Lack of prior approval for hospitality - 2 1 2 2 -
Lack of prior approval for membership - - - 2 - -
Issues Acquisition Card
PST charged and paid by IC - 8 - 2 - 1
Unsupported approval (S34) - 14 - - - -
Cardholder signs his/her statement under S34 - 1 - - 1 1

Financial officers stated that a 100% review is carried out of all payments above $2,000 and of "sensitive" transactions as part of the process for authorizing payment under Section 33 of the FAA. This verification process, which applies to several thousand of payments each year, and is usually carried out by support staff in the Financial Services Units, is considered to be cursory in nature.3

In examining financial files, auditors noted several instances where either contracts or invoices were not on file, and several other instances where approval under Section 34 of the FAA was unsupported (i.e. no authority to initiate expenditure, no S34 signature, situation of potential contract splitting, wrong input of GST, coding issue, PO done after the fact). In the opinion of the auditors, the existing system of account verification does not provide necessary assurance that contract performance is being adequately carried out.

Account Verification and Common Services Provider

The department receives services through PWGSC as the federal government's provider of common services. Auditors noted that the roles, responsibilities and obligations of both PWGSC and Industry Canada staff are not documented. This situation impacts negatively on the account verification process. Auditors were informed that PWGSC staff do not provide supporting documentation with invoices issued to the department. Rather, through a system of internal settlements, PWGSC staff obtain coding information for the department and then, through an interdepartmental settlement, obtain payment for services provided. The following specific issues were noted in this regard:

  • In one instance, PWGSC staff provided simultaneous translation at an event organized by Measurement Canada. The organization subsequently received a request for internal settlement (IS) which was settled immediately. When auditors examined the transaction, the organization called PWGSC to obtain supporting documentation for this transaction, (which would not otherwise have been requested). Auditors noted that GST had been charged on the travel portion of the invoice, while GST was only admissible on professional fees. Travel per diems were not justified and amounts charged varied from $50.66 and $152.00, while the authorized per diem at that time was $71.45. As well, Measurement Canada staff could not explain one charge (entitled "Frais au sol") included on the invoice.
  • In another instance, auditors noted that payments to GTIS are automatically invoiced to the department through the internal settlement process with no supporting information. The Financial Officer for Measurement Canada reported that, when supporting information for an invoice from PWGSC — GTIS was requested, the Officer discovered that 70 telephones lines did not belong to the organization, yet Measurement Canada had been paying for these lines since 2001–02. As a result of these findings, GTIS and Bell Canada will be reducing charges to Measurement Canada by $22,680 a year.

Relocation Services

Auditors noted that a centrally managed contract for relocation services with Royal Lepage is not subject to proper account verification by those expected grant approve under Section 34 of the FAA. It is noted that, other than the TBS policy on relocation, which is directed primarily at relocated employees, there is no guidance provided as to how this program should be managed within the department.

The auditors also examined three relocation cases as part of the audit. Audit findings were as follows:

  • In one case, an advance to Royal Lepage was made before the need for such an advance existed. An advance payment was requested in the early fall of 2003 for a relocation to take place in July 2004. Although the discrete organization requested advice from HQ Financial Services as to why the advance payment had to be made that early, none was provided and payment was issued in December of 2003, over six months prior to the expected moving date.
  • In another instance, in one region visited, global reconciliation was not completed between payments issued to Royal Lepage as advances, and the Royal Lepage Final Account Summary. A difference of $484.65 could not be explained to auditors examining this file. In the end, payments were approved under Section 33 of the FAA without being questioned.

It is the responsibility of Financial Services to understand the account verification systems that support approval of goods and services and to periodically re-verify those systems (through the examination of a sample of transactions). Auditors found that, in general, Financial Officers exercising payment authority do not verify the systems of account verification on a periodic basis and therefore cannot rely on these systems when approving payments.

Recommendations

  • The Senior Financial Officer should establish a process that will ensure thorough understanding of how account verification is being carried out across the department.
  • The existing 100% cursory review process should be enhanced through verification, on a sample basis, of the account verification steps undertaken to obtain assurance of contract performance (i.e. the completion of deliverables), as well as compliance with TBS and to departmental policies.

6.2.5 Financial Controls over Collaborative Agreements

Some weaknesses exist in the management of Specified Purpose Accounts.

On a regular basis Program Managers make use of Collaborative Agreements to conduct shared research with outside organizations (other levels of government, non-government organizations or the private sector). Requirements respecting the use of such agreements are outlined in the TBS Policy on Specified Purpose Accounts (SPA). Auditors found that the department complies with the provisions of this policy. Within the department, agreements are reviewed by Financial Services and Legal Services before they are signed; however, there are no specific departmental guidelines respecting the use of Collaborative Agreements.

Auditors reviewed financial controls over collaborative agreements and noted the following:

  • In one discrete organization, Financial Officers felt they were unable to exercise functional authority as they were not provided with copies of the proposed agreements for review and comment prior to signature, or at the time of processing a payment against the agreement. As the department is creating a liability when funds are received, it is important that Financial Officers be involved in the establishment of the SPA to ensure compliance with TBS policy.
  • In one region visited, auditors noted that SPA funds were used to reimburse departmental expenditures rather than charging expenditures directly to the account. In this instance, the collaborator, the Province of Ontario, did not always provide funds on a timely basis and therefore project expenditures were paid by the program. When dealing with collaborative arrangements, Program Managers and Financial Officers must ensure that funds are received in advance of needs and that they deposited in a distinct account. Then they must also ensure that payments are made directly from each distinct account.

Recommendation

  • The Corporate Comptroller should remind all Financial Officers of the policy requirements relating to the TBS Policy on Specified Purpose Accounts.

6.2.6 Organization of Financial Files

Weaknesses exist in the organization of HQ's financial files.

Financial files of the Corporate Comptroller are maintained in the Records Office, under the responsibility of the Chief Information Officer. As outlined in Industry Canada's Records Management Policy, employees are responsible for creating, capturing and filing records in the corporate records system and are accountable for their records management practices. The maintenance of financial files is a shared responsibility between the CIO records office and the financial officers using them. Some files are on long term charge-out to finance staff who maintain the files while in their custody. Alternatively, individual documents are provided to the records office for placement on the official files.

As part of the audit, a total of 80 O&M files were requested of which only 52 files were provided (a rate of 65%). Other files could not be located. Files provided were often missing the original contract or subsequent amendments, thus hindering the Financial Officers' verification process or delaying payments when the contractual information had to be obtained through other means. Auditors also found misplaced payments in the files reviewed. Although supplier files should be opened every fiscal year, the auditors noted that in some instances, the suppliers' file contained financial transactions dating back as far as 2002.

The absence of well organized files impacts the efficiency of the payment approval process as it can delay or prevent the verification of key information.

Recommendation

  • The Chief Information Officer and the Corporate Comptroller should ensure that financial files are well maintained, with pertinent documents on all files in order to assist Financial Officers in fulfilling responsibilities.
top of page

6.3 Audit Criterion: Accountability

6.3.1 Training Programs

Existing financial training courses do not address all key risk areas.

The Corporate Comptroller and Regional Financial Services have jointly developed training packages to address the delegation of authorities. Regular meetings or other sessions are conducted to apprise interested parties of changes made to the IFMS. As well, the department has developed training programs for managers and administrative officers on the delegation of authorities and on other areas of financial management.

However, there is no systematic training offered on the account (claim) verification process, a key process exercised across the department by several hundred managers and staff in support of approving contract performance under Section 34 of the FAA. As well systematic and regular training is not offered to the Financial Officers (40) exercising Section 33 of the FAA and to the 77 Financial Assistants sharing payment approval responsibilities within numerous satellite offices that support Regional Financial Officers.

Recommendations

  • The Senior Financial Officer should ensure that training and related tools are provided to managers and administrative staff about responsibilities for approving contract performance.
  • The Senior Financial Officer should ensure that training and related tools are provided to Financial Officers and Financial Assistants about payment approval responsibilities.

6.3.2 Oversight of Expenditure Management Accountability

Opportunities exist to strengthen aspects of the Corporate Comptroller's oversight role.

Low value transactions (< $2000)

The Corporate Comptroller developed an approach to monitor low dollar value transactions through the post-audit process. Monitoring is carried out centrally, in HQ, by officers who have not been involved in the input of financial transactions. Auditors believe that this process should be re-examined once risks relating to the complex organization of financial management within the department have been assessed, including the role of satellite offices in financial management.. Currently the results of monitoring activities are being disseminated in a sporadic manner. In some areas observations are forwarded to the clerk responsible for inputting transactions and in other areas observations are provided to the Financial Officers.

When results of monitoring are sent to input clerks, Financial Officers are not aware of issues that need to be addressed in respective areas of responsibility. Auditors believe that the results of current monitoring exercises should be communicated to Financial Officers working within Management Services Divisions in regions and discrete organizations at all times. Management Services Divisions require this information to appreciate the quality of the account verification process exercised on low dollar value transactions in regions or discrete organizations.

Other transactions (> $2000, including sensitive transactions)

The Corporate Comptroller is not monitoring the process used by Financial Officers exercising payment authority under Section 33 of the FAA for transactions above $2000. The Director of Management Services in one discrete organization reported having been subject to a Section 33 audit by the Corporate Comptroller about five years ago.

In the regions and discrete organizations visited by the auditors, Financial Officers do not forward reports on monitoring activities they are conducting over financial transactions to the Corporate Comptroller. When examining the job description of Financial Officers operating in discrete organizations, auditors noted that the functional role of the Corporate Comptroller is not reflected.

When conducting regional visits, auditors also noted that minimal oversight was being exercised by the Regional Management Services Divisions over financial management activities taking place within satellite offices. However, Financial Assistants in these offices play an important role in overall expenditure management accountability for the department.

Recommendations

  • The Corporate Comptroller should:
    • Review the post-audit process on low value transactions to take into consideration the risks associated with the complex nature of expenditure management in the department;
    • Ensure that, on a consistent basis, results of current monitoring exercises are forwarded to all Directors of Management Services Divisions in regions and discrete organizations so that they can learn from the results of oversight activities;
    • Influence Regional Directors of Management Services Divisions to exercise more oversight of financial management activities in satellite offices and request that results of monitoring activities be reported to the Corporate Comptroller; and
    • Regularly assess how various regions and discrete organizations are reviewing systems of account verification upon which they rely to authorize payment under Section 33 of the FAA. This will involve visiting Management Services Divisions in regions to gain an understanding of oversight processes, and examining results of oversight activities.

6.3.3 Oversight of the Acquisition Cards Process

Opportunities exist to strengthen the monitoring of acquisition card transactions.

The Corporate Comptroller established a monitoring process to oversee the use of acquisition cards. At the time of the audit, the department was in the process of adopting a consolidated approach to pay the acquisition card supplier, the Bank of Montreal. Notwithstanding, some organizations, notably CIPO, Measurement Canada (HQ and Ontario) and the CRC were not part of the departmental monitoring program.

As a result, active monitoring of these organizations was being carried out by the interal Audit and Evaluation Branch (AEB) on behalf of the department. Auditors suggested to AEB that the Branch should not have a direct role in the monitoring of the Acquisition Card Program as it compromises audit independence. It is noted that AEB has since ceased active monitoring activities in this area.

In establishing a departmental monitoring regime, consideration should also be given to the relative risks associated with the complex organizational structure that supports expenditure management within the department. For example, in smaller offices (i.e., satellite offices), the acquisition cardholder could be the same individual as the Financial Assistant inputting transactions into IFMS, thus increasing the risk profile within those offices. Given that supporting documentation for the acquisition card remains in satellite offices, it makes it more difficult for Regional Financial Officers, exercising Section 33 of the FAA, to identify potential irregularities with acquisition card transactions.

Recommendation:

  • The Corporate Comptroller should establish a comprehensive, risk-based monitoring program for acquisition cards to coincide with the implementation of a consolidated payment approach for Acquisition Cards.

2In larger departments, the SFO may delegate his or her authority for key financial responsibilities to a Senior Fulltime Financial Officer. (Return to text.)

3Although not documented, the following verification is typically carried out as part of the verification process leading to the approval of payment under S33 of the FAA: name and address on the payment matches the contract or PO; terms of the contract have been complied with; services invoiced fall between the contract start and completion date; amendments are in place when contract extended; fiscal year split matches the contract); and deliverables are received (based on a S34 signature only). (Return to text.)

Appendix A—Audit Criteria

Organization and Advice

  • The department has adequate, effective and dependable financial policies, procedures and guidelines are in place, communicated, understood and complied with.
  • Expenditure management responsibilities, authorities and spending limits are clearly identified, communicated, understood and complied with. These responsibilities are supported through timely and adequate advice and analysis.

Controls

  • Access controls and related security issues/elements (i.e. users = profiles) are adequate, understood and monitored.
  • Internal controls (surrounding expenditure initiation, commitment control, account verification and payment authority) take into account materiality, public sensitivity and risk.
  • Accounting records are complete and reliable.

Accountability

  • Branches' Managers and their staff who are exercising financial authorities are knowledgeable and trained.
  • Quality assurance processes ensure that expenditure management is monitored, assessed and reported on.

Appendix B—Action Plan

Table 4: Action Plan—Audit of Departmental Financial Controls
Recommendation Management Response and Proposed Action Responsible Official Action Completion Date

6.1. Development and Communication of Policies, Procedures and Guidelines

FMMD should document its autopost and post-audit processes so that the organization of this important financial management activity be clearly communicated to those who need to know about these processes.

FMMD has drafted the auto post procedures.

Director, FMMD

Completed

FMMD will send the procedures out to the regional financial officers and ask them to start doing their own post-audit based on the sample that FMMD will send on a monthly basis. After completing their post-audit, the regional officers will communicate the results to FMMD and SSSB.

Director, FMMD

October 31, 2006

6.1.2 Exercise of Departmental Functional Authority

The department should assess the organization of the financial management function in terms of overall responsibility and accountability for the design, implementation and maintenance of internal financial controls. In so doing, the department should consider the following:

  • the need for financial processes to be carried out consistently across the department;
  • the need for the SFO to exercise functional authority for financial management in the department through;
    • promulgation of financial management roles, responsibilities, authorities and reporting relationships;
    • establishment of an effective monitoring and review function and corresponding accountability mechanisms; and
  • the need for assurance that financial controls are in place and operating as intended.

Senior Management recently announced there would be no organizational changes or changes to reporting relationships with respect to the financial management function in the department.

As a result, responsibility for those functions in the regions and autonomous units would continue to reside in the Operations Sector.

   

Operations Sector Response and Proposed Action(s)

We recognize that additional work is required at the Sector level to ensure that financial controls are effective and operating as intended. For its part, the Operations Sector is undertaking the following in view of clarifying financial accountabilities and increasing it focus on transactional oversight, and review and monitoring:

  • To ensure the ADMs ultimate financial accountabilities are effectively discharged, Sectorial Strategies and Services Branch (SSSB) is developing a financial accountability framework complete with financial roles, responsibilities and accountabilities of finance personnel working in Regions and Discrete/Autonomous Units.
  • The framework will require that the most senior finance person in a Region or Discrete/Autonomous Unit have a direct reporting relationship with the Business Unit Head;
  • Further, work descriptions and performance agreements of those with financial authority will clearly articulate roles and responsibilities as they relate to financial operations;
  • SSSB will increase its focus on financial monitoring across the Sector and will develop and implement a more formal financial review process, whereby SSSB personnel will conduct regular visits to Regions and Discrete/Autonomous Units to ascertain the effectiveness of financial controls; review results will be shared with the ADMs and regularly with the CFO.
  • The Sector will work closely with CAS to sustain assurance that financial controls in Regions and Discrete/Autonomous Units are operating as intended and align with those in place elsewhere in the department.

Director, Strategic and Financial Planning, SSSB

November 30, 2006

Note:
Regions and Discrete/Autonomous Units currently seek and receive policy and process guidance from CAS via monthly teleconferences, annual face-to-face meetings and on an ongoing basis via CAS' intranet site. CAS also provides training to financial personnel in Regions and Discrete/Autonomous Organizations regarding systems (IFMS; FRS) and policy (e.g., authority delegation). CAS will continue to be relied upon by Regions and Discrete/Autonomous Organizations to provide this important functional guidance.

Director, Strategic and Financial Planning, SSSB

February 28, 2007

6.1.3 Organization of Financial Management in Regions and Discrete/Autonomous Organizations

Payment authority should only be exercised with sufficient assurance as to the appropriateness of the account verification process leading to contract performance approval (Section 34 FAA).

The organization of financial Responsibilities for processing payments should respect the principle of segregation of duties.

Since the audit, corrective actions have been taken in Regions and Discrete/Autonomous Units where weaknesses were cited in the audit report.

   

Segregation of Duties— Since the audit, Measurement Canada has reviewed its internal procedures pursuant to IC's delegation of authority instrument. Changes have been implemented which restrict the exercise of Section 34 to RC Managers only, thereby ensuring clearer segregation of duties in processing payments.

President, Measurement Canada

Completed

Monitoring, Account verification— Atlantic and Ontario Regions have put in place monitoring programs for their satellite offices. Monitoring programs typically involve regularly-scheduled visits to all satellite offices, examination of expenditure files for completeness, required use of account verification checklists, and specific actions related to above-average risk transactions (e.g., hospitality; memberships; travel) and the payment of G&C claims.

In addition to specific corrective actions, the audit report has served to increase awareness in other Regions as to the importance of their activities related to transactional oversight and monitoring. In Prairie and Northern and Quebec Regions, for example, all Section 33 authorizations are performed in a centralized location (Winnipeg and Montreal, respectively) and procedures are in place that ensure payments are not posted in the absence of appropriate supporting documentation. Pacific Region has in place a monitoring program that involves bi-annual visits to satellite offices, where file reviews are conducted and interviews are held with personnel with key financial responsibilities. Results of site visits/audits are shared with the appropriate satellite office director for further action, as necessary.

Regional Executive Directors

Completed

The Operations Sector recognizes that more could be done in this area to ensure consistent application of policy and procedure across all Regions and Discrete/Autonomous Units, particularly those with satellite office operations. To this end, SSSB is examining monitoring processes in place across all five Regions, as well as those in place in Discrete/Autonomous Units as and where appropriate, with a view to obtaining and sustaining a consistent level of assurance across the Sector.

Director, Strategic and Financial Planning, SSSB

December 31, 2006

Further, through periodic monitoring, SSSB will ensure that CAS procedures regarding account verification are respected and applied consistently across the Sector.

Director, Strategic and Financial Planning, SSSB

December 31, 2006

6.2.1 Access Controls and Related Security Issues

The Corporate Comptroller together with the CIO, should:

  • review practices surrounding departmental manager sign off of departing employees to ensure that on the Employee Exist Clearing Sheet managers are reminded to advise the IFMS Access Group of the departure;
  • strengthen the periodic review of User profiles (especially those that include incompatible functions) through enhanced segregation of duties and/or through the inclusion of compensating internal controls where considered appropriate (i.e. increase review of the transactions processed by these IFMS users);
  • reinforce monitoring of super-users so that an automatic log of specific types of transactions is produced and examined by FMMD (e.g. transactions creating a vendor code, inputting a financial transaction into IFMS, and approving payment should be logged for review; and
  • review practices surrounding the sharing of UserID and password for employees being trained on IFMS. Trainees could make use of the training module of IFMS or could be provided with a specific "training" UserIDs and passwords so that sharing with ongoing IFMS Users is not permitted.

We agree that the Departure Process form could be modified to include a step to email IFMS Access if the employee has an IFMS user account. Currently, the RC Manager signs an attestation that "all access privileges to Industry Canada computers … have been revoked". However, because there is no specific reference to IFMS, this statement may not be clear. To minimize the risk in the past, all user ids that have not been used for 3 months are locked and the IFMS Sector Coordinator contacted. After 5 months of no activity, the user and Sector Coordinator are told that the account will be deleted unless they can justify a reason to retain the account.

Director, FMMD

October 31, 2006

Review of the user profiles has been strengthened since the audit. A segregation of duties report is now issued every quarter to the Manager of Financial Services.

 

Completed

New reports have been available since May 2006, which enable the review of transactions performed by users who have been given special access. "IFMS All" is only granted to 1 or 2 users for a small period of time, usually only during a system upgrade. A special log which traces the transactions that the user has accessed, is reviewed by IFMS Access team. This log will be provided to FMMD for review.

 

Completed

Training user id's are currently available in a separate environment that grants the user access to all transactions for training purposes. It is not possible to issue a training ID in the production environment. Display only access is possible in production but this would not provide the user with sufficient access to learn the transaction.

 

Completed

FMMD will work with Security to modify the Exit form to include an area for the employees to indicate if they have access to the financial systems (RPS, SPS, IFMS, CMIS).

Director, FMMD

October 31, 2006

FMMD will also look into modifying the Exit form to include the revocation of the signature card, if any exist.

Director, FMMD

October 31, 2006

SSSB will notify and remind business units, through the existing Operations Sector Finance Network, of employee departure procedures as they impact on the security of IFMS—specifically the requirement to notify the IFMS Access Group regarding departing employees and changes in responsibilities.

Director, Strategic and Financial Planning, SSSB

October 31, 2006

6.2.2 Verification of the Authority to Approve Assistance

FMMD should establish a process to ensure that departmental grants and contribution payments have been approved by officials with delegated authority. For instance, all decisions made by Programs and Services Branch should be systematically placed on financial files. Where authorities are required from outside the department, there should be a statement to that effect on the Programs and Services Branch decision sheet. A re-verification of a sample of contribution projects should be examined to ensure that the proper level of authority was obtained.

A new verification checklist has been prepared. All documents, which include the proper level of approval based on the dollar value of the agreement, are available on the project file.

Director, FMMD

Completed

A copy of all TB submission for each program will be available centrally within FMMD.

Director, FMMD

October 1, 2006

FMMD will create a new G&C unit within financial services to enforce quality control, follow up and monitor G&Cs agreements and related financial instruments. The G&Cs unit will be responsible for payables and revenues related to G&Cs.

Director, FMMD

September 25, 2006

The Operations Sector will increase its financial monitoring of the Sector, including the monitoring of the G&C payment process in conjunction with broader departmental direction from the new G&C unit to be created within CAS.

Director, Strategic and Financial Planning SSSB

November 30, 2006

6.2.3 Claim Verification Process for G&C Payments

The Senior Financial Officer should:

  • direct that all programs are required to complete a Contribution (Claim) Verification Checklist as part of the claim verification process;
  • implement a process whereby the claim verification process each program uses must be reviewed periodically to ensure appropriateness in providing necessary assurance required to authorize payment under S33 of the FAA. The same approach should be implemented by Regional Management Services Divisions who are responsible for approving payments under S33 of the FAA; and
  • re-enforce the appropriate use of audit checklists by Financial Officers.

With the creation of the new G&C unit, FMMD will meet with each program to design a checklist based on specific program requirements. FMMD will recommend their approach by sharing the checklists with the regional offices and assisting them in implementing similar processes.

Director, FMMD

January 31, 2007

The Operations Sector will work with the new CAS G&C unit to design program-specific checklists and will coordinate the distribution and monitoring the use of the checklists across Operations Sector business units.

Director, Strategic and Financial Planning, SSSB

January 31, 2007

6.2.4 Account Verification Process for O&M Transactions

The Senior Financial Officer should establish a process that will ensure thorough understanding of how account verification is being carried out across the department.

The existing 100% cursory review process should be enhanced through verification, on a sample basis, of the account verification steps undertaken to obtain assurance of contract performance (i.e. the completion of deliverables) as well as compliance with TBS and to departmental policies.

The section 33/34 processes will be addressed.

Director, FMMD

December 1, 2006

FMMD will create a quality control team. This team will implement quality control processes for revenues, expenditures and public accounts.

Director, FMMD

February 28, 2007

The Operations Sector will increase its financial monitoring of the Sector, including the monitoring of the procedures related to account verification in conjunction with broader departmental direction from the new quality control unit to be created within CAS.

Director, Strategic and Financial Planning SSSB

February 28, 2007

6.2.5 Financial Controls over Collaborative Agreements

The Corporate Comptroller should remind all Financial Officers of the policy requirements relating to Specified Purpose Accounts.

FMMD will develop procedures and guidelines on how specified purpose account needs to be managed and communicate them across the department including regional offices.

Director, FMMD

November 1, 2006

6.2.6 Organization of Financial Files

The Chief Information Officer and the Corporate Comptroller should ensure that financial files are well maintained, with pertinent documents on all files to assist Financial Officers in fulfilling responsibilities.

Effective April 2006 all original contracts and invoices are sent to the records room for filing. They are no longer kept on file until the contract is complete.

Director, FMMD

Completed

6.3.1 Training Programs

The Senior Financial Officer should ensure that training and related tools are provided to managers and their administrative staff about responsibilities for approving contract performance.

The Senior Financial Officer should ensure that training and related tools are provided to Financial Officers and Financial Assistants on their payment approval Responsibilities.

FMMD in collaboration with Financial Policy group will prepare an e-mail explaining the managers' responsibilities when given authority under section 32 and/or 34. FMMD will send this e-mail to individuals submitting specimen signature forms.

Director, FMMD

October 15, 2006

New policy on training for managers will help ensure that managers have the proper training to exercise financial authority.

Director, FMMD

December 31, 2006

6.3.2 Oversight of Expenditure Management Accountability

The Corporate Comptroller should:

  • review the post-audit process on low value transactions to take into consideration the risks associated with the complex nature of expenditure management in the department;
  • ensure that, on a consistent basis, results of current monitoring exercises are forwarded consistently to all Directors of Management Services Divisions in regions and discrete organizations so that they can learn from the results of oversight activities;
  • influence Regional Directors of Management Services Divisions to exercise more oversight of financial management activities in satellite offices and request that results of monitoring activities be reported to the Corporate Comptroller; and
  • regularly assess how various regions and discrete organizations are reviewing their systems of account verification upon which they rely to authorize payment under Section 33 FAA. This will involve visiting Management Services Divisions in regions to gain an understanding of oversight processes, and examining the results of their oversight activities.

Financial and Materiel Management Directorate (FMMD) is currently reviewing the post-audit process. The document needs to be updated to account for the comments received from AEB.

Director FMMD

September 30, 2006

Financial and Materiel Management Directorate (FMMD) will have a designated team to perform post-audit functions on expenditures in entities under the authority of the CFO.

Director FMMD

February 28, 2007

With guidance from CAS/FMMD, and in the context of the departmental financial statement readiness assessment, the Operations Sector will ensure that monitoring processes in place are sufficient to assure that financial controls are operating effectively.

Director, Strategic and Financial Planning, SSSB

December 31, 2006

6.3.3 Oversight of the Acquisition Cards Process

The Corporate Comptroller should establish a comprehensive, risk-based monitoring program for acquisition cards to coincide with the implementation of a consolidated payment approach for Acquisition Cards.

A comprehensive monitoring process is in place.

Director, FMMD

Completed

FMMDCMM will undergo a review of all IC acquisition cards.

Director, FMMD

January 19, 2007

FMMD will also improve the monitoring process by tracking post audit critical errors, action taken and when the issue was resolved and reviewing the cardholder (committing critical errors) rate of error. Monitoring will be done on a monthly basis.

Director, FMMD

January 19, 2007