Audit Report—Community Futures Program

Audit and Evaluation Branch

January 2015

Recommended for Approval to the Deputy Minister by the Departmental Audit Committee on January 30, 2015

Approved by the Deputy Minister on February 5, 2015

Table of Contents

• List of Initialisms and Acronyms Used in the Report
• 1.0 Executive Summary
  • 1.1 Background
  • 1.2 Audit Objective, Scope and Conclusion
  • 1.3 Main Findings and Recommendations
  • 1.4 Audit Opinion
  • 1.5 Conformance with Professional Standards
• 2.0 About the Audit
  • 2.1 Background
  • 2.2 Objective and Scope
  • 2.3 Audit Approach
• 3.0 Findings and Recommendations
  • 3.1 Introduction
  • 3.2 Program and Project Level Risk Management
  • 3.3 Recipient Eligibility Assessment and Agreement Development
  • 3.4 Claims Process
  • 3.5 Ongoing Monitoring of Recipients
  • 3.6 Unused Operating Fund Management Process
  • 3.7 Temporary and Permanent Investment Fund Transfer Process
  • 3.8 Compliance Review Process
  • 3.9 Management Action Plan
• 4.0 Overall Conclusion
• Appendix A: Audit Criteria
• Management Response and Action Plan

List of Initialisms and Acronyms Used in the Report

1.0 Executive Summary

1.1 Background

In accordance with the approved Industry Canada (IC) 2014–15 to 2016–17 Multi‑Year Risk‑Based Internal Audit Plan, the Audit and Evaluation Branch (AEB) undertook an audit of the portion of the Community Futures Program (CFP or "The Program") delivered by the Federal Economic Development Initiative for Northern Ontario (FedNor).

The CFP is a federal government program that supports rural economic development across the country, through non‑repayable contributions, with the ultimate objective of assisting communities to:

• Foster economic stability, growth and job creation;
• Create diversified and competitive local rural economies; and
• Build economically sustainable communities.

The roots of the CFP began in the early 1970's with the establishment of "local employment development" type programs such as the Local Employment Assistance Program (1973) and the Community Employment Strategy (1975) delivered by Employment and Immigration Canada. In the 1980's, assistance to local businesses was provided through two community‑based programs: Local Economic Development Assistance (1980), and Local Employment Assistance and Development (1983). In 1985, the Program concepts were expanded with the establishment of the CFP under the Canadian Job Strategy, which was a federal initiative targeted towards helping communities with 'chronic' or 'acute' labor market problems and designed to provide a suite of measures to assist communities in planning and developing local solutions to local problems.

In 1995, the Program was transferred to IC and the Regional Development Agencies (RDAs): the Atlantic Canada Opportunities Agency (ACOA), Economic Development Agency of Canada for the Regions of Quebec (CED‑Q), and Western Economic Diversification Canada (WD). IC delivers its portion of the program through FedNor. In 2009, responsibility for the CFP in Southern Ontario was transferred to the Federal Economic Development Agency for Southern Ontario (FedDev). At that time, the budget allocation for program delivery was split proportionally between Southern and Northern Ontario.

FedNor is a federal regional development organization which reports to the Assistant Deputy Minister (ADM) of the Strategic Policy Sector (SPS) within IC. Its mandate is to contribute to the prosperity of Northern Ontario by supporting economic development and business growth in communities across the region. Through non‑repayable contributions, the CFP provides financial support to 24 incorporated and locally‑based Community Futures Development Corporations (CFDCs) across Northern Ontario to offset general operating costs (e.g. salaries; rent) and to establish and support investment funds. The CFDCs are community‑based, not‑for profit, independent and arms‑length organizations governed by volunteer local boards of directors (BoD); they support the mandate of the CFP for community economic development and building self‑reliance and capacity of communities to realize their full sustainable potential. The contributions allow the CFDCs to provide support to small and medium‑sized enterprises (SMEs), social enterprises and their communities by engaging in four key activities:

• Fostering strategic community planning and socio‑economic development;
• Providing business services by delivering a range of business counselling and information services to SMEs and social enterprises (e.g. libraries providing general business information);
• Providing access to capital to assist existing SMEs and Social Enterprises or to help entrepreneurs to create new SMEs and Social Enterprises; and
• Supporting community‑based projects and special initiatives in areas such as tourism and economic opportunities for specific client groups such as women, youth, and Aboriginal people and members of official language minorities.

In addition to the funds provided by the CFP to support operating costs, CFDCs may receive funding from other government programs, including FedNor's other programs, to support activities that are incremental and complementary to those supported by the CFP.

The CFDCs are connected through networks that provide regular collaboration among members, such as sharing products and services (e.g. online training), facilitating group purchases to achieve economies of scale, providing an advocacy function and facilitating communication among network members (e.g. newsletters and sharing best practices).

In support of regional development activities of the Program, the Grants and Contributions (G&Cs) total funding for IC is $8.36 million per year. The CFP updated Terms and Conditions (T&Cs) were effective October 3, 2010.

1.2 Audit Objective, Scope and Conclusion

The objective of this audit was to provide assurance that the management control framework pertaining to the management of the CFP by FedNor is adequate and effective in the areas of:

• Risk Management (Obj. 1.1)
• Eligibility Assessment, Agreement Development, Funding, and Claims (Obj. 1.2)
• Monitoring and Compliance Reviews (Obj. 1.3)

The CFDCs were not subject to this audit. The scope of the audit included activities completed directly by FedNor in support of the Program objectives, including assessment of Program activities, processes and controls. The audit covered transfer payments (i.e. operating and investment Contribution Agreements (CA)) administered during fiscal years 2012–13 and 2013–14.

The results of the audit revealed that, with exceptions, FedNor's governance, risk management and control processes support the delivery of the Program's mandate and priorities. Improvements are needed to address some low to medium risk exposures in the areas of Risk Management, Monitoring and Compliance Reviews.

1.3 Main Findings and Recommendations

Program and Project Level Risk Management

Program Level Risk Management: Although there are elements of a program level risk management process in place, there is an opportunity to strengthen it by periodically reviewing and reporting on the program level risks and related mitigation strategies.

The National CFP Performance Measurement Strategy identified four (4) Program risks and mitigation strategies at the national level. In addition, a risk assessment checklist was completed by the Department in 2012 for G&C programs and it was determined that the CFP was an overall "low risk" Program. An update of this risk assessment is currently underway. FedNor has informal processes in place to periodically assess the environment to identify and mitigate risks. The FedNor Management Committee or "FMC" reviews and discusses program level risks as they arise.

Although there are elements of a program level risk management process in place, a formal risk management process, including the continuous identification, assessment and consideration of emerging risks, as well as, the periodic review of risk mitigation strategies at the program level has not been established. In addition, currently, project level risk assessments are not considered holistically to ensure emerging risks are addressed at the program level, as they arise.

Recommendation 1: The Director General, FedNor, should improve and formalize its program level risk management process, to assist FedNor in the identification, assessment, mitigation and monitoring of key program risks on an ongoing basis. This process should ensure that mitigation strategies are developed and assigned to an appropriate risk owner with articulated timelines for implementation, and that mitigation efforts are periodically monitored. Program level risks should consider project level risk assessments to ensure emerging risks are addressed as they arise.

Project Level Risk Management: A formal risk management process is in place to identify, assess, mitigate and monitor/report project level risks. There is an opportunity to strengthen the project risk assessment practices to regularly review and manage risks.

The Risk Assessment Form (RAF) was implemented commencing April 2014 and includes a comprehensive list of established criteria to facilitate consistent project‑level risk assessments. It is adequately and consistently completed by the Program Delivery Officers (PDOs) and reviewed by the Program Delivery Managers (PDMs) during the initial eligibility assessment process.

Although the RAFs are completed prior to entering into a new CA, there is currently no requirement to re‑assess project level risks at key milestones within the CA life‑cycle or based on changes regarding the recipient. The audit found that a project‑level risk assessment is not revisited after the eligibility assessment is completed for the application. Based on the testing of the compliance reviews, it was noted that there is a lack of evidence on file to demonstrate that the results from the compliance reviews are considered in terms of impact on the original project risk assessment; although the Compliance Review Checklist does require this consideration.

Recommendation 2: The Director, Corporate Services (FedNor), should improve the project risk assessment process by implementing a periodic review of project risks during the course of a CA (e.g. consideration of compliance reviews' results on project risks / annual re‑assessment).

Eligibility Assessment and Agreement Development

Recipients are consistently assessed against established eligibility criteria, and resulting CAs are reviewed and approved by appropriate delegated authorities.

The audit found that the FedNor PDOs perform their eligibility analysis using specific templates and checklists, with supporting documentation on file.

The audit noted that the standard "Right to Audit" clause is included within each CA and that amendments to the standard T&Cs of the CA are appropriately processed and approved in accordance with established guidelines per IC's delegated signing authorities for financial assistance programs.

Funding Approval and Disbursement

Funds disbursed to recipients are approved by the appropriate delegated authorities and payments are supported by proper documentation.

The results of detailed testing of the advance payment (at the outset of the CA) and claims process demonstrated that the key controls identified were applied and documented on a consistent basis

Ongoing Monitoring of Recipients

Key financial and non‑financial information are obtained from the CFDCs and analyzed to monitor progress and compliance to the CA, with some exceptions (e.g. obtaining the information with delays). A FedNor representative (e.g. the FedNor PDO and/or the Payment and Monitoring Officer (PMO)) attends at least one BoD meeting and specifically the one where the annual audited financial statements are presented.  

CFDCs may collaborate with one or more local CFDCs to pool their investment funds in order to provide financial assistance to SMEs or Social Enterprises in cases where there is a demonstrated benefit to their communities. FedNor has provided guidance to CFDCs on this and has some controls in place. The CFDCs have created Memorandums of Understanding (MOU) which stipulate the parameters for them to pool their investment funds together for the purpose of making larger loans (which exceed $150,000 but are capped at $500,000) within their communities.

However, there is a lack of evidence on file to demonstrate:

• That all the required monitoring activities resulting from the Risk Assessment Form (e.g. for medium risk recipients) are completed, where applicable;
• Follow‑up activities are undertaken to obtain information when there are delays in receipt; and
• How FedNor uses the pooled investment fund reports they receive (e.g. analyze these reports and decide if additional monitoring activities are required).

Recommendation 3: The Director, Corporate Services (FedNor), should ensure:

• Completion and documentation of monitoring plan/activities identified in the Risk Assessment Form.
• Consistent follow‑up activities are implemented and documented in the event that financial or non‑financial information is not obtained on time from a CFDC, as per the T&Cs of the CA.
• Additional monitoring activities conducted for pooled investment funds are documented.

Unused Operating Funds Management Process

Unused operating funds at the end of the CA are identified; however, there are delays relative to obtaining information required to calculate unused funds. Furthermore, in some examples, the unused funds calculation was either not performed or reviewed.

During the file testing, the audit noted that there were some exceptions where neither the formal request letter nor the copy of the cheque to the Receiver General of Canada is on file for the projects with unused funds identified by FedNor. The audit team noted that no evidence was on file to ensure collection of unused funds for two (2) of the five (5) samples tested where there were unused funds identified by FedNor. The amounts were, respectively, $6,613 and $8,432.

Recommendation 4: The Director General, FedNor should ensure that follow‑up activities regarding unused funds remaining at the end of a CA are documented, including the letter or other vehicle for conveying instructions to the CFDCs on how to return funds as well as confirmation from the CFDCs that the funds have been returned.

Temporary and Permanent Investment Fund Transfer Process

Temporary and permanent transfers from the investment fund to the operating fund are approved by the appropriate delegated authority.

For temporary fund transfers, there is a tool in place to track the transfers (Bring Forward (BF) system). This tool is not updated in a timely manner and the records do not provide the expected date for the PDM to verify the return of funds.

For permanent fund transfers, there is no formal process to track all incremental costs associated with the transfer. While the FedNor PDOs track the actual costs based on the CFDC's audited financial statements, this does not distinguish the categories between the incremental costs associated with the permanent transfers and the CFDC's normal operating costs.

For both types of transfers, there is no process in place within FedNor to confirm that the transfer occurs after the formal approval has been provided by FedNor.

Recommendation 5: The Director General, FedNor should ensure that all investment fund transfers are approved and monitored effectively, as follows:

• For temporary fund transfers: Ensure that the BF system is updated in a timely manner and that it is reviewed for completeness and accuracy by an authorized person within FedNor.
• For permanent fund transfers: Oversight on the actual expenditures incurred in various cost categories to ensure they align with projected amounts in the original request for fund transfer (i.e. incremental costs vs. normal operating costs).
• For both temporary and permanent fund transfers: Design of a control whereby FedNor obtains a confirmation of when and how much of the investment fund was transferred to compare against the approved amount/date to ensure only approved funds were transferred and only after the approval date.

Compliance Review Process

A compliance review methodology has been established to support compliance to the T&Cs of the CA. However, there is no sampling strategy in place to establish the sample size and sample selection criteria for the completion of each compliance review.

All compliance reviews have been conducted as per the compliance review schedule for the last three years (2010 to 2013). However, Compliance Review Checklists are completed with inconsistent levels of details. In addition, there is a lack of evidence on file to demonstrate that follow‑up activities are performed to ensure that recommendations made to the CFDCs as a result of the compliance reviews are implemented.

Recommendation 6: The Director General, FedNor should ensure that a consistent approach is applied to the completion of compliance reviews by:

• Implementing a sampling methodology that is consistently applied for all compliance reviews.
• Ensuring consistent completion/documentation of the compliance activities prior to sign‑off.
• Development of a formal approach to follow up on the recommendations resulting from the compliance reviews.

1.4 Audit Opinion

In my opinion, overall, FedNor's governance, risk management and control processes support the delivery of the CFP mandate and priorities with exceptions noted. Improvements are needed to address low to moderate risk exposures in the areas of Risk Management, Monitoring and Compliance Reviews.

1.5 Conformance with Professional Standards

This audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, as supported by the results of the Audit and Evaluation Branch's quality assurance and improvement program.

Brian Gear
Chief Audit Executive, Industry Canada

2.0 About the Audit

2.1 Background

In accordance with the approved Industry Canada (IC) 2014–15 to 2016–17 Multi‑Year Risk‑Based Internal Audit Plan, the Audit and Evaluation Branch (AEB) undertook an audit of the portion of the Community Futures Program (CFP or "The Program") delivered by the Federal Economic Development Initiative for Northern Ontario (FedNor).

The CFP is a federal government program that supports rural economic development across the country, through non‑repayable contributions, with the ultimate objective of assisting communities to:

• Foster economic stability, growth and job creation;
• Create diversified and competitive local rural economies; and
• Build economically sustainable communities.

The roots of the CFP began in the early 1970's with the establishment of "local employment development" type programs such as the Local Employment Assistance Program (1973) and the Community Employment Strategy (1975) delivered by Employment and Immigration Canada. In the 1980's, assistance to local businesses was provided through two community‑based programs: Local Economic Development Assistance (1980), and Local Employment Assistance and Development (1983). In 1985, the Program concepts were expanded with the establishment of the CFP under the Canadian Job Strategy, which was a federal initiative targeted towards helping communities with 'chronic' or 'acute' labor market problems and designed to provide a suite of measures to assist communities in planning and developing local solutions to local problems.

In 1995, the Program was transferred to IC and the Regional Development Agencies (RDAs): the Atlantic Canada Opportunities Agency (ACOA), Economic Development Agency of Canada for the Regions of Quebec (CED‑Q), and Western Economic Diversification Canada (WD). IC delivers its portion of the program through FedNor. In 2009, responsibility for the CFP in Southern Ontario was transferred to the Federal Economic Development Agency for Southern Ontario (FedDev). At that time, the budget allocation for program delivery was split proportionally between Southern and Northern Ontario.

FedNor is a federal regional development organization which reports to the Assistant Deputy Minister (ADM) of the Strategic Policy Sector (SPS) within IC. Its mandate is to contribute to the prosperity of Northern Ontario by supporting economic development and business growth in communities across the region. Through non‑repayable contributions, the CFP provides financial support to 24 incorporated and locally‑based Community Futures Development Corporations (CFDCs) across Northern Ontario to offset general operating costs (e.g. salaries; rent) and to establish and support investment funds. The CFDCs are community‑based, not‑for profit, independent and arms‑length organizations governed by volunteer local boards of directors (BoD); they support the mandate of the CFP for community economic development including self‑reliance and capacity of communities to realize their full sustainable potential. The contributions allow the CFDCs to provide support to small and medium‑sized enterprises (SMEs), social enterprises^{Footnote 1} and their communities by engaging in four key activities:

• Fostering strategic community planning and socio‑economic development;
• Providing business services by delivering a range of business counselling and information services to SMEs and social enterprises;
• Providing access to capital to assist existing SMEs and Social Enterprises or to help entrepreneurs to create new SMEs and Social Enterprises; and
• Supporting community‑based projects and special initiatives in areas such as tourism and economic opportunities for specific client groups such as women, youth, and Aboriginal people and members of official language minorities.

In addition to the funds provided by the CFP to support operating costs, CFDCs may receive funding from other government programs, including FedNor's other programs, to support activities that are incremental and complementary to those supported by the CFP.

The CFDCs are connected through three (3) levels of networks:

• Community Futures Network of Canada – this is a national organization supporting Community Futures Organizations (CFOs) throughout Canada.
• Provincial and Territorial Networks – in Ontario, this is the Ontario Association of Community Futures Development Corporations (OACFDC). The provincial networks have dedicated offices and staff, whereas, the national and regional networks are run out of existing CFDC offices.
• Regional Networks – in Northern Ontario, there are two (2): Northwest and Northeast.

These networks were established to provide regular collaboration among members, such as sharing products and services (e.g. online training), facilitating group purchases to achieve economies of scale, providing an advocacy function and facilitating communication among network members (e.g. newsletters and sharing best practices).

Program Delivery by FedNor

FedNor's mandate is to contribute to the prosperity of Northern Ontario by supporting economic development and business growth in communities across the region. FedNor's funding focuses on projects that support its core economic development mandate and on those activities that create short to medium‑term, measurable results for the communities and businesses of the region.

FedNor is divided into several directorates and two (2) of them work together directly to deliver the CFP:

• Program Delivery; and
• Corporate Services.

The Program Delivery Directorate is split into two (2) regions (Northeast and Northwest) and operates out of main offices in Sudbury, Sault Ste. Marie and Thunder Bay. Also, it has three (3) satellite offices in strategic locations: Kenora, North Bay, and Timmins. Officers are located in areas where they can stay in close contact with the communities.

The Corporate Services Directorate includes the Community Futures Policy and Program Coordination Branch and mainly operates out of the Sudbury office.

2.2 Objective and Scope

The objective of this audit was to provide assurance that the management control framework pertaining to the management of the CFP by FedNor is adequate and effective in the areas of:

• Risk Management (Obj. 1.1)
• Eligibility Assessment, Agreement Development, Funding, and Claims (Obj. 1.2)
• Monitoring and Compliance Reviews (Obj. 1.3)

The CFDCs were not subject to this audit. The scope of the audit included activities completed directly by FedNor in support of CFP objectives, including assessment of Program activities, processes and controls. The audit covered transfer payments (i.e. operating and investment Contribution Agreements) administered during fiscal years 2012–13 and 2013–14.

2.3 Audit Approach

The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada. Sufficient and appropriate audit procedures have been conducted and evidence was gathered to support the accuracy of the conclusion and opinion provided and contained in this report. This opinion is based on a comparison of the conditions, as they existed at the time, against pre‑established audit criteria that were agreed on with management. This opinion is applicable only to the areas examined and within the scope described herein.

The audit was performed in three (3) phases: planning, conduct and reporting. A risk assessment was executed during the planning phase of this audit to confirm the audit objective and to identify areas requiring more in‑depth review during the conduct phase. In addition to the risk assessment, the audit considered the Treasury Board Secretariat's Management Accountability Framework tool for assessing Core Management Controls (CMC), including those controls pertaining to Grants and Contributions (G&Cs).

Based on the identified risks, AEB developed audit criteria that linked back to the overall audit objective (Appendix A).

The methodology used to address the audit objectives included:

• Documentation review;
• Interviews with key Program personnel; and
• File testing (described below).

Significant judgement and analysis is required by FedNor in order to carefully evaluate the unique characteristics of each funding request submitted by the CFDCs. Testing was carried out of controls over application eligibility, agreement development, agreement funding, claims review process and ongoing monitoring, including the processes related to unused funds, investment funds' transfers and compliance reviews.

For each of these processes, the following sample of recipient files was reviewed:

• Eligibility assessment and agreement development – 7 out of a population of 20 files were tested.
• Agreement funding and claims process – 25 out of a population of 252 claims were tested.
• Ongoing monitoring of recipients:
  • Ongoing monitoring – 7 out of a population of 20 files were tested.
  • Unused operating fund management process – 5 out of a population of 66 files were tested.
  • Temporary and permanent investment fund transfer process – 4 out of a population of 20 temporary files were tested and 2 out of a population of 11 permanent files were tested.
  • Compliance review process – 4 out of a population of 13 files were tested.

The testing covered the period between April 1, 2012 and March 31, 2014 for a total of 54 projects/files.

A debrief meeting was held with FedNor on December 15, 2014to validate the accuracy of the findings contained in this report.

3.0 Findings and Recommendations

3.1 Introduction

This section presents detailed findings from the Audit of the CFP. The findings are based on evidence and analysis from both the initial risk assessment and the detailed audit work.

In addition to the findings below, the audit team has verbally communicated to management, findings for consideration that were non‑systemic, of low risk or not directly related to the audit objective and criteria.

3.2 Program and Project Level Risk Management

Effective risk management adds value as a key component of decision making, business planning, resource allocation, and operational management. The Treasury Board of Canada's(TB) Framework for the Management of Risk defines risk management as a, "systematic approach to setting the best course of action under uncertainty by identifying, assessing, making decisions on and communicating risk issues". In addition, IC's Integrated Risk Management Framework requires sectors to identify, prioritize and clearly understand Program and organizational risks and to put appropriate mitigation strategies and action plans in place to respond to identified risks.

The audit team reviewed the National CFP Performance Measurement Strategy and noted that four (4) Program risks and mitigation strategies were identified at the national level. In addition, a risk assessment checklist was completed by the Department in 2012 for G&C programs and it was determined that the CFP was an overall "low risk" Program. An update of this risk assessment is currently underway. Based on the interviews and documentation review, FedNor has informal processes in place to periodically assess the environment to identify and mitigate risks. For example, oversight bodies (e.g. the FedNor Management Committee or "FMC") are in place to review and discuss program level risks as they arise.

Although there are elements of a program level risk management process in place, a formal risk management process, including the continuous identification, assessment and consideration of emerging risks, as well as, the periodic review of risk mitigation strategies at the program level has not been established. Without a formal program level risk management process including processes to periodically review and report on the program level risks and mitigation strategies in place, the risk management process may not be effective and the mitigation strategies may not get implemented in a timely manner if risk owners and timelines are not articulated as part of the risk management process. In addition, currently, project level risk assessments are not considered holistically to ensure emerging risks are addressed at the program level, as they arise.

Recommendation 1: The Director General, FedNor, should improve and formalize its program level risk management process, to assist FedNor in the identification, assessment, mitigation and monitoring of key Program risks on an ongoing basis. This process should ensure that mitigation strategies are developed and assigned to an appropriate risk owner with articulated timelines for implementation, and that mitigation efforts are periodically monitored. Program level risks should consider project level risk assessments to ensure emerging risks are addressed as they arise.

At the project level, the audit found that a formal risk management process is in place to identify, assess, mitigate and monitor/report project level risks. The Risk Assessment Form (RAF), updated and implemented commencing April 2014, established criteria to facilitate consistent project-level risk assessments. The audit found this tool to be comprehensive. It is adequately and consistently completed by the PD Officers (PDOs) and reviewed by the Program Delivery Managers (PDMs) during the initial eligibility assessment process.

The results of the RAF impacts the duration of the CA entered into with a recipient and the level of monitoring performed during the course of the CA. An overall low risk project results in a five (5) year CA, a medium risk project in a three (3) year CA and a high risk project results in a one (1) year CA. All files tested subsequent to the introduction of the RAF confirmed that a complete risk assessment is performed and testing confirmed the consistent application of the high, medium and low categories relative to the duration of the resulting CA.

Although the RAFs are completed prior to entering into a new CA, there is currently no requirement to re‑assess project level risks at key milestones within the CA life cycle or based on changes regarding the recipient. The audit found that a project level risk assessment is not revisited after the eligibility assessment is completed for the application. Based on the testing of the compliance reviews (see details further within this report), it was noted that there is a lack of evidence on file to demonstrate that the results from the compliance reviews are considered in terms of impact on the original project risk assessment; although the Compliance Review Checklist does require this consideration.

On occasion, there may be substantive amendments required to the CA as a result of changes to the scope and amount of funding, which could, in turn, also revise the duration of the CA. As such, the documentation that is to be completed during the CA substantive amendment process requires that a risk re‑assessment be completed or reason(s) for not doing so be documented and supported. During the testing of the substantive CA amendments, it was noted that the reasons provided to support the decision to not complete a risk re‑assessment are not adequate (e.g. insufficient justification).

Without evaluating risks/emerging risks periodically during the course of a CA, there is an increased risk that the impact of emerging risks or changes in operating environments will not be adequately assessed in a timely manner; and as a result, may not be reflected in the monitoring activities of that recipient.

Recommendation 2: The Director, Corporate Services (FedNor), should improve the project risk assessment process by implementing a periodic review of project risks during the course of a CA (e.g. consideration of compliance reviews' results on project risks / annual re‑assessment).

3.3 Recipient Eligibility Assessment and Agreement Development

In advance of entering into a CA with a recipient, FedNor undertakes an eligibility assessment process. The eligibility assessment is an important process as it constitutes the basis for the funding decisions (e.g. value of the CA) and supports the approval of the CA by delegated authorities.

The audit found that the FedNor PDOs perform their eligibility analysis using specific templates and checklists, with supporting documentation on file. The FedNor PDM reviews the analysis for completeness and appropriateness and signs off prior to formal approval, depending on the value of the CA, by the Director General (for funding requests under $500K) or the Investment Oversight Committee (for funding requests over $500K). No exceptions were noted in these processes and as such, the controls related to the eligibility assessment process were found to be working effectively.

The audit noted that the standard "Right to Audit" clause is included within each CA and that amendments to the standard T&Cs of the CA are appropriately processed and approved in accordance with established guidelines per IC's delegated signing authorities for financial assistance programs. The audit also noted that funding decisions related to advance payments take into consideration the recipient's cash flow and specific requirements. Finally, funds disbursed to recipients are approved by the appropriate delegated authorities and payments are supported by proper documentation. No exceptions were noted, and as such, these controls were found to be working effectively.

3.4 Claims Process

During the course of a CA, the recipient submits a claim with relevant supporting documents, such as cash‑flow reports and the variance to budget reports with details on the planned and actual eligible activities/costs to the CFP for reimbursement. Claim requests and supporting documentation are reviewed by the FedNor PDO and the Payment and Monitoring Officer (PMO), and authorized by the appropriate delegated authority. In addition, the Grant & Contribution (G&C) Verification Checklist is completed, filed and signed by the FedNor PDO and the PMO. Payments made to the recipients are adjusted accordingly to match their spending.

The results of detailed testing of the advance payment (at the outset of the CA) and claims process demonstrated that the following controls were applied and documented on a consistent basis:

• The unused/carry forward contributions, and contributions made by other funding agencies are considered by the FedNor PDO, documented, and on file;
• The variance to budget reports are received and analyzed by the FedNor PDO;
• For those files where the year to date costs differ significantly from the planned costs, revised cash flow forecasts are requested and maintained on file;
• The Applicant Claim Summary (ACS) Form is accurately completed and signed by both the FedNor PDO and PMO;
• Section 34 approvals as per the Financial Administration Act, are obtained for the advance payments and claims from the PMO, as per the delegation of authorities; and
• The G&C Verification Checklist is completed and signed by the FedNor PDO and PMO.

Minor exceptions were noted during the testing conducted and were verbally communicated to the FedNor Program Management during the debrief meeting.

3.5 Ongoing Monitoring of Recipients

FedNor PDOs are required to conduct ongoing financial and non‑financial monitoring activities for the recipients. Specific information is required from the recipients periodically as per the T&Cs to allow for assessment of compliance to the CA and to ensure progress towards the CFP's objectives.

Required risk‑based monitoring activities are identified on the CFP RAF. The audit found a lack of evidence on file to demonstrate that all the required monitoring activities resulting from the RAF (e.g. for medium risk recipients) are completed, where applicable. Not completing all of the monitoring activities included within the RAF could result in emerging issues not being highlighted or addressed in a timely manner.

The audit found that key financial information and non‑financial information is obtained from the recipients and analyzed to monitor progress and compliance to the CA, with some exceptions.

Detailed audit observations are explained as follows:

Financial Monitoring: Financial information required to be provided by the recipients includes the Annual Report, the Audited Financial Statements (audited F/S), the Operating Fund Reconciliation Report (OFRR), the Quarterly Financial Statements and the Investment Fund Reports (IFR).

In most of the cases, the required financial information is provided to FedNor on a timely basis. Testing of the financial monitoring activities confirmed that analysis of the financial information is conducted which includes variance against established targets and follow‑up with the CFDC where there are deviations from the plan. Exceptions were noted regarding the documentation to support the completion of specific financial monitoring activities (e.g. projects where the IFR was either not provided or there was no evidence of a review; projects where the audited F/S were provided after a delay, which is a non‑compliance with the T&Cs of the CA and there was no evidence of follow‑up activities by FedNor to receive the delayed information; projects where the OFRR was received, but there was no evidence on file to demonstrate that the FedNor PDO had reviewed/recommended it or that the FedNor PDM had approved it; and a project which had several instances of quarterly financial reports not included in the file).

Non‑Financial Monitoring: The non‑financial information provided by the recipients includes Quarterly Performance Reports, BoD meeting minutes and a copy of the recipient's policies. Evidence was generally on file to demonstrate the receipt and review of these documents. In addition, the audit found evidence that a FedNor representative (e.g. the FedNor PDO and/or the PMO) attends at least one BoD meeting and specifically the one where the annual audited financial statements are presented.

When there are delays in obtaining this information, there is a lack of evidence on file to demonstrate that follow‑up activities are being undertaken by FedNor to obtain the missing information. Without follow‑up activities to ensure that reporting requirements are being met and monitoring activities can take place promptly, there is the potential that emerging risks, issues or areas of non‑compliance with the CA will not be detected in a timely manner.

Pooled Investment Funds:  As per Clause 1.5 in Schedule 3 of Annex 1 of the CFP Contribution Agreement, CFDCs may collaborate with one or more local CFDCs to provide financial assistance to SMEs or Social Enterprises in cases where there is a demonstrated benefit to their communities. In such situations each participating CFDC may provide up to $150,000. Investments in excess of $150,000 may be considered on an exceptional basis, and FedNor has provided guidance to CFDCs on this.

CFDCs in Northern Ontario have established Investment Pools to share risk and opportunity for investments in SMEs or Social Enterprises that require funding in excess of the $150,000 limit. The CFDCs have created Memorandums of Understanding (MOU) which stipulate the parameters for them to pool their investment funds together for the purpose of making larger loans (which exceed $150,000 but are capped at $500,000) within their communities. One MOU is for the North Western Ontario Investment Pool and another is for the North Eastern Ontario Investment Pool. The CFP may be exposed to a risk associated with pooled investment funds due to the materiality (higher dollar values) of these loans and the fact that more than one CFDC is exposed to a single recipient loan, should the loan not perform. As a result of this inherent risk, there are a number of controls in place, as follows:

• Each CFDC is only permitted to enter into two (2) pooled loans during the calendar year;
• The total value of each pooled investment loan is not permitted to exceed $500,000;
• For each pooled loan, as part of the approval process, the assessment and evaluation details are circulated among all the CFDCs that participate within the MOU in the Northwest region and the Northeast region;
• An independent consultant (external financial advisor) provides advice and conducts due diligence on the pooled loans; and
• The BoD for each CFDC has authority over decisions made with respect to pooled investment loans.

In addition to the above controls in place at the CFDC level, FedNor requires pooled investment funds to be reported on the IFR of the leading CFDCs; however, there is a lack of evidence on file to demonstrate how this information is used. Without appropriate documentation of the monitoring of pooled investment activities, there is the potential that emerging risks or issues with these investment funds will not be detected in a timely manner.

Recommendation 3: The Director, Corporate Services (FedNor), should ensure:

• Completion and documentation of monitoring plan/activities identified in the RAF.
• Consistent follow‑up activities are implemented and documented in the event that financial or non‑financial information is not obtained on time from a CFDC, as per the T&Cs of the CA.
• Additional monitoring activities conducted for pooled investment funds are documented.

3.6 Unused Operating Fund Management Process

The amount of funding approved for a CFDC is based on the forecasted requirements that are supported by the projected budget, submitted during the initial application process. At the end of the CA, the CFDC may have unused funds, in the case where their spending is lower than their initial projected amounts for eligible activities and costs covered under their CA.

The FedNor PDO is required to review the annual audited F/S and the OFRR at the end of the CFDC's fiscal year and at the end of the CA. The OFRR is a rolling schedule with the total amount per year that is projected to be incurred by the CFDC under the various eligible activities and costs, what was claimed and what was paid by the CFP under these categories. The FedNor PDO and the FedNor PDM are required to review the OFRR to confirm the accuracy and completeness of its calculation based on the audited F/S. The audit found that this was completed with minor exceptions. For example, no evidence was on file to demonstrate that the calculation was reviewed by the FedNor PDM in two (2) of the four (4) files tested. Without consistently reviewing the OFRR, there is a risk that unused funds at the end of the CA are not identified and requested in a timely manner.

Although not all CFDCs have unused funds at the end of the CA, when it is determined that there are any, a letter to the CFDC is to be drafted and signed by the Director General, requesting unused funds to be returned by a cheque to the Receiver General of Canada. During the file testing, the audit noted that there were some exceptions where neither the formal request letter nor the copy of the cheque to the Receiver General of Canada is on file for the projects with unused funds identified by FedNor. The audit team noted that no evidence was on file to ensure collection of unused funds for two (2) of the five (5) samples tested where there were unused funds identified by FedNor. The amounts were, respectively, $6,613 and $8,432.

Without documenting the requests made to CFDCs to return the unused funds, there is a risk that follow‑up activities to obtain these funds are not performed in a timely manner.

Ultimately, this could possibly lead to unspent contributions provided to a CFDC in excess of the amounts available to retain, which could lead to potential misuse of funds by the CFDC or non‑compliance with the T&Cs of the CA.

Recommendation 4: The Director General, FedNor should ensure that follow‑up activities regarding unused funds remaining at the end of a CA are documented, including the letter or other vehicle for conveying instructions to the CFDCs on how to return funds as well as confirmation from the CFDCs that the funds have been returned.

3.7 Temporary and Permanent Investment Fund Transfer Process

A CFDC can formally request a temporary or permanent transfer from its investment fund to its operating fund to cover short‑term cash shortfalls or incremental costs associated with monitoring and management of problematic and/or complex loans. Effective controls over the fund transfers are essential in ensuring that the CFDC obtains approval for the transfer with adequate support and justification, and that temporary transfers are repaid promptly.

For both temporary and permanent transfers, the CFDC has to formally submit a "Request for Investment Fund Transfer" form in order to make a request to transfer their funds from the investment fund to the operating fund. The audit noted that this document is signed by the Chair of the BoD or other officially designated corporate signing authority within the CDFC and is kept on file along with the rationale for the transfer.

For both transfers, the audit noted that appropriate reviews and approvals are provided. For temporary transfers, the FedNor PDM provides the approval and for permanent transfers, the Director General provides the approval, with no exceptions noted. The audit also noted that for both transfers, there is no formal process within FedNor to confirm that the transfer occurs only after the formal approval has been granted. Without a formal process to confirm that the transfer occurred only after the approval, there is a risk that this could lead to instances where the transfer is made without or before the proper approval is granted.

For temporary transfers, it was noted that these are typically required as a result of delays in the finalization of a CA and/or flowing funds to the CFDC. There is a tool in place to track the return of temporary fund transfer (i.e. the Bring Forward (BF) system); this BF system was established as part of the management action plan resulting from the previous CFP internal audit (2009–10) for tracking, monitoring and following up on temporary investment fund transfers. However, the audit found that this tool is not updated in a timely manner and the records do not provide the expected date for the FedNor PDM to verify the return of funds. Without a formal control to ensure the timely update of the BF system, it is challenging for the FedNor PDM to track the status of transferred funds and follow‑up on those which are outstanding.

For permanent transfers, the audit found that there is no formal process to track all incremental costs associated with the transfer. The FedNor PDOs do track the actual costs based on the CFDC's audited F/S; however, this does not distinguish the categories between the incremental costs resulting from the permanent transfer and the CFDC's normal operating costs. Without a formal process to track all incremental costs, there is a risk that the CFDC could use the transferred funds for unauthorized purposes.

Recommendation 5: The Director General, FedNor should ensure that all investment fund transfers are approved and monitored effectively, as follows:

• For temporary fund transfers: Ensure that the BF system is updated in a timely manner and that it is reviewed for completeness and accuracy by an authorized person within FedNor.
• For permanent fund transfers: Oversight on the actual expenditures incurred in various cost categories to ensure they align with projected amounts in the original request for fund transfer (i.e. incremental costs vs. normal operating costs).
• For both temporary and permanent fund transfers: Design of a control whereby FedNor obtains a confirmation of when and how much of the investment fund was transferred to compare against the approved amount/date to ensure only approved funds were transferred and only after the approval date.

3.8 Compliance Review Process

Until July 2010, the approach taken to gain assurance over compliance to the T&Cs of the CA with CFDCs was that the independent external auditors of the CFDC were asked to issue a separate Auditor's Report on compliance with certain provisions of the CA. A three (3) year rolling schedule was established for the twenty‑four (24) CFDCs and it is expected that by March 2015, all of the CFDCs would have had one (1) compliance review completed.

From a design perspective, the Compliance Review Checklist (i.e. the methodology) was developed through collaborative efforts (i.e. program delivery officers, managers, MPOs and staff from the policy group). The audit team reviewed the checklist and noted its linkage to various components within the CA. The existence of the CFDC conflict of interest policy, including compliance/adherence to it by the CFDC's BoD for both investment and operating fund operations are included within the Compliance Review Checklist. This checklist comprises a series of Yes/No type questions on a wide array of topics related to the CFDC such as its general policies, organizational structure, BoD turnover, bookkeeping systems, payroll and personnel and other items.

Through the documentation review and interviews, the auditors noted that various training activities are provided to the FedNor PDOs who conduct compliance reviews. The audit found that there is no sampling strategy in place to establish the sample size and sample selection criteria for the completion of each compliance review. The PMO and the FedNor PDO use professional judgment when determining the sample size and the samples to be tested and have no tools or established guidelines available to them. Without a sampling strategy in place, there is a risk that insufficient/ inappropriate testing is completed to confirm compliance to the T&Cs of the CA and that the review might not detect potential areas of non‑compliance (e.g. insufficient samples selected).

From the effectiveness of performing the compliance reviews, the audit found that all compliance reviews were conducted as per the compliance review schedule for the last three years (2010 to 2013). There was adequate segregation of duties in the completion of the compliance reviews which were conducted by both the FedNor PDO and the PMO. The results of the compliance reviews were communicated to the CFDCs with a directive (mandatory action from the CFDC), a recommendation or a best practice for the CFDC to ensure compliance with the T&Cs of the CA. The results were formally communicated to the CFDC in a timely manner.

The audit also noted that the Compliance Review Checklists are completed with inconsistent level of details (e.g. some sections were left incomplete without justification). In addition, evidence was not on file to demonstrate that follow‑up activities are performed by the FedNor PDO to ensure that the recommendations made to the CFDCs, as a result of the compliance reviews, are implemented. Without documented follow‑up activities, there is a risk that non‑compliance issues identified in the compliance review are not corrected in a timely manner.

Recommendation 6: The Director General, FedNor should ensure that a consistent approach is applied to the completion of compliance reviews by:

• Implementing a sampling methodology that is consistently applied for all compliance reviews.
• Ensuring consistent completion/documentation of the compliance activities prior to sign‑off.
• Development of a formal approach to follow up on the recommendations resulting from the compliance reviews.

3.9 Management Action Plan

The findings and recommendations of the audit were presented to the ADM of the Strategic Policy Sector, the Director General of FedNor and the Director of Corporate Services, FedNor. Management has agreed with the findings included in this report and will take actions to address the recommendations by December 31, 2015.

FedNor will improve and formalize its program risk management process for the Community Futures Program and will ensure projects are re‑assessed according to project risks using a risk assessment tool that was implemented by FedNor in April 2014. FedNor will develop a tracking report to track follow‑up activities for overdue reports. The implementation of a Client Case Management software system currently underway at FedNor will facilitate electronic tracking and documentation. Specific monitoring of pooled investments activities will be documented for the Program. In relation to documenting follow‑up activities regarding unused funds remaining at the end of a contribution agreement, a report will be provided to Program Delivery Management on a quarterly basis for follow‑up and review. In addition, FedNor will revise the CFP business process and Investment Fund Transfer request form to ensure that documentation is obtained to demonstrate compliance with agreed terms of transfer. Regarding compliance reviews, FedNor will undertake various actions such as strengthening its monitoring processes to follow up on recommendations resulting from compliance reviews as well as developing and implementing a sampling methodology.

4.0 Overall Conclusion

The results of the audit revealed that FedNor's governance, risk management and control processes support the delivery of the CFP mandate and priorities in the areas of:

• Risk Management;
• Eligibility Assessment, Agreement Development, Funding, Claims; and
• Monitoring and Compliance Review.

Exceptions were noted in the areas of Risk Management, Monitoring and Compliance Reviews. Improvements are needed to address low to moderate risk exposures in these areas.

Appendix A: Audit Criteria

Management Response and Action Plan

A - For inclusion in the report

The findings and recommendations of the audit were presented to the Assistant Deputy Minister of the Strategic Policy Sector, the Director General of the Federal Economic Development Initiative for Northern Ontario (FedNor) and the Director of Corporate Services, FedNor. Management has agreed with the findings included in this report and will take actions to address the recommendations by December 31, 2015. The table below presents the detailed actions planned to address the recommendations.

B - For follow-up purposes - Detailed actions to address the recommendations in the report