Audit of Key Financial Controls Year 2
December 2014
For readers interested in the PDF version, the document is available for downloading or viewing:
Audit of Key Financial Controls – Year 2 (PDF document - 326 KB- 36 pages)
Table of Contents
- Executive summary
- A - Introduction
- B - Findings, recommendations and management responses
- 1. Progress made on previous year's recommendations
- 2. Select key financial controls common to all classes of transactions
- 2.1 Delegation of financial signing authorities
- 2.2 Quality assurance process of FAA Section 34 certification
- 2.3 FAA Section 33 certification
- 2.4 Management review of expenditures and commitments
- 2.5 Accrued liabilities at year-end
- 2.6 System access and segregation of duties
- 2.7 Journal entry review
- 3. Select key financial controls specific to classes of transactions
- C - Conclusion
- Appendix A - Lines of enquiry and criteria
- Appendix B - Scorecard
- Appendix C - The Agency's internal control over financial reporting framework
- Appendix D - Risk profile of transactions
- Appendix E - Corrective actions and follow-up activities
- Appendix F - Overview of progress made on previous year's recommendations
Executive summary
In support of the Treasury Board of Canada's Policy on Internal Control, the Public Health Agency of Canada's (the Agency) Deputy Head and Chief Financial Officer are required to sign an annual representation letter acknowledging their responsibilities for maintaining an effective system of internal controls over financial reporting.
The objective of this audit was to provide reasonable assurance that internal controls over financial reporting are operating effectively, in order to mitigate the risk of material misstatement in the Agency's financial statements. The audit focused on testing the controls that help the Agency meet its control objectives and address management's responsibility over the completeness, validity and accuracy of its financial reporting. Select controls from two categories of key financial controls were tested as part of the audit: common key controls and specific key controls. The audit covered transaction processing activities for fiscal year 2013-14.
The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Audit. Sufficient and appropriate procedures were performed and evidence gathered to support the accuracy of the audit conclusion.
The audit concluded that the Agency's internal controls over financial reporting are generally operating effectively to mitigate the risk of material misstatement. The majority of the common and specific key controls were generally operating effectively. The audit also found that progress has been made on the recommendations from last year's report, with all recommendations being substantially or fully implemented.
The common key controls are those found across the most significant classes of transactions. Five of the seven controls were generally operating effectively. The audit observed that the management variance review process needs to include cost centre manager sign-off as evidence of the Finance Administration Act Section 34 certification of pay transactions. As well, the audit noted that improvement is required to strengthen access controls to SAP, to ensure that mutually exclusive roles cannot be assigned to a single user.
The specific controls supplement the common key controls. Nine of the ten controls were generally operating effectively. The audit noted that the monitoring of salary payments needs to be conducted as described in the Compensation Monitoring Framework.
Management agrees with the three recommendations outlined in the report and has provided an action plan that will improve the effectiveness of the Agency's internal controls over financial reporting.
A - Introduction
1. Background
Reliable financial reporting provides transparency and accountability on public funds spent to achieve departmental objectives. To this effect, Treasury Board (TB) has put in place policies to strengthen financial reporting, and requires departments to have an effective risk-based system of internal controls. These include the following.
- The TB Policy on Internal Control requires that the Deputy Head sign an annual departmental Statement of Management Responsibility Including Internal Control Over Financial Reporting; and,
- The TB Policy on Financial Resource Management, Information and Reporting requires that the Deputy Head take measures to ensure that the department can sustain a control-based audit of its annual financial statements.
In addition, deputy heads and chief financial officers are required to sign an annual Letter of Representation to the Auditor General and the Deputy Receiver General in support of the Public Accounts covering their responsibilities for internal control over financial reporting and assertions over the integrity of financial information.
In support of the Policy on Internal Control, the Office of the Chief Financial Officer (OCFO) has developed the Internal Control Framework over Financial Reporting (ICFR). The Agency is working towards the implementation of this framework by providing direction for its implementation. Five main classes of processes were identified to support reliable financial reporting (see Appendix C):
- Management of Parliamentary Appropriations;
- Purchasing/payable/payments, including transfer payments;
- Payroll;
- Capital assets;
- Financial statement, year-end and reporting.
This is the second year of a recurring (annual) audit aimed at assessing the operating effectiveness of key financial controls. A number of changes took effect in fiscal year 2013-14. These changes include the first full year of implementation for the Procure to Pay (P2P) initiative, which allows for electronic approvals of commercial invoices; the centralization of regional accounting offices into two hubs, one for Western Canada (Winnipeg) and one for Eastern Canada (Ottawa); and the creation of the Shared Services Partnership (SSP), which includes the provision of services such as invoice processing, procurement activities, IT services and compensation services.
Notwithstanding the changes, the select key financial controls being tested as part of this audit are fundamental to the operation of the Agency and should remain effective in a challenging environment.
2. Audit objective
The objectives of the audit were to:.
- Determine whether key controls in support of the Agency's financial statements are operating effectively, to mitigate the risk of material misstatements in terms of ensuring the validity, completeness and accuracy of the financial transactions reported; and,
- Follow-up on the progress made on the implementation of the management action plan developed in response to the previous year's key financial controls internal audit recommendations.
3. Audit scope
The scope of this audit encompassed a review of the operational effectiveness of key financial controls that are either common or specific to the following significant classes of transactions:
- Grant and contribution agreements;
- Salaries and wages expenses;
- Purchase of goods and services;
- Acquisition card purchases; and
- Capital assets.
Lines of enquiry and audit criteria (see Appendix A) are similar to the previous year's audit.
The audit covered transaction processing activities for fiscal year 2013-14. The Internal Control Division (ICD) under the SSP has performed and documented testing of some processes for part of the 2013-14 fiscal year. Following an examination and assessment of the methodology and testing documentation performed by ICD, the audit team decided to rely on some of its test results.
The audit coverage included controls exercised in the National Capital Region and other regions. The controls tested are predominantly within the OCFO and the Financial Operations Directorate (FOD), under the SSP, but the audit also reviewed the control activities that fell under the responsibility of the offices of secondary interest.
4. Audit approach
The audit included an analysis of financial statement data, the identification of the significant classes of transactions, a review of key business process flowcharts and control matrices and discussions with management regarding significant changes in business processes.
In assessing the effectiveness of key financial controls, the audit included interviews with the Agency and employees under the SSP, a review of documentation (for example, departmental policies and procedures, relevant documentation in support of financial transactions), the observation of key processes and controls and an analysis of financial and non-financial data using computer-assisted audit techniques and tools.
Where possible, reliance was placed on work performed by other parties such as the ICD under the SSP activities, to support the Statement of Management Responsibility Including Internal Controls over Financial Reporting, as well as internal audits recently conducted by the Portfolio Audit and Accountability Bureau, such as the Audit of Procurement and Contracting, currently being finalized in fiscal year 2014-15.
5. Statement of conformance
In the professional judgment of the Chief Audit Executive, sufficient and appropriate procedures were performed and evidence gathered to support the accuracy of the audit conclusion. The audit findings and conclusion are based on a comparison of the conditions that existed as of the date of the audit, against established criteria that were agreed upon with management. Further, the evidence was gathered in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing. The audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program.
B - Findings, recommendations and management responses
1. Governance
1.1 Progress made on previous year's recommendations
Audit criterion: Progress is made on the previous year's recommendations.
The audit followed up on progress on the implementation of the five recommendations issued in the previous year's audit. All recommendations have been substantially or fully implemented.
Audit of key financial controls (Year 1)
Delegation of financial signing authorities (recommendation 1)
Through the Shared Services Partnership (SSP), management has revised the departure process and form, which now includes verification that specimen signature cards are cancelled when an employee leaves the Agency. The periodic monitoring of specimen signature cards has been implemented. Management's action plan for this recommendation has been fully implemented.
Quality assurance over Financial Administration Act (FAA) Section 34 account verification (recommendation 2)
Through the SSP, management has implemented measures to ensure that appropriate action is taking place when the quality assurance tolerable error rate has been exceeded. The Financial Operations Directorate (FOD-SSP), under the SSP, has provided the chief Financial Officer (CFO) with updates on the quarterly sampling results. Management's action plan for this recommendation has been fully implemented.
Reconciliation of the Lotus Notes grants and contributions database to SAP (recommendation 3)
Management commenced reconciliations of the Lotus Notes grants and contributions database to SAP; however, due to a capacity issue, this reconciliation is yet to be completed. Management indicated that the new grants and contributions system (GCIMS) being implemented for fiscal year 2014-15 will include a direct linkage to SAP, and that work to complete the quarterly reconciliations will continue in the new fiscal year. Management's action plan for this recommendation has been substantially implemented.
Coordination between accounting offices and contribution programs (recommendation 4)
Management has established procedures to improve coordination between accounting offices and contribution programs. These procedures were communicated to the contribution programs after the end of the fiscal year. For the new fiscal year, accounts receivables are being established, based on information provided by contribution programs. Management's action plan for this recommendation has been fully implemented.
Quality assurance procedures for capital assets (recommendation 5)
Through the SSP, management has implemented procedures, tools and guides to validate the information provided by cost centre managers at the time of the Annual Capital Asset Review. This includes clarification of roles and responsibilities and a risk-based sampling strategy for the verification of assets and cost-centre information. Management's action plan for this recommendation has been fully implemented.
2 Select key financial controls common to all classes of transactions
2.1 Delegation of financial signing authorities
Audit criterion: Controls over the maintenance of specimen signature cards ensure that delegations of financial signing authorities are valid.
The FOD-SSP is responsible for the controls over the maintenance of specimen signature cards.
Certification under Section 34 of the Finance Administration Act (FAA) requires account verification of all expenditures processed at the Agency. Such certification aims to provide assurance of the validity and accuracy of transactions by certifying that goods and services were received or that a grant or contribution recipient is eligible for payment.
Financial signing authority is delegated by the Minister and the Deputy Head to various management levels throughout the Agency, including to the cost centre manager (CCM) or administrator (CCA) levels. These authorities are then granted to employees by creating and activating specimen signature cards that are maintained in a Lotus Notes database used to authenticate whether an employee has a valid delegation of financial signing authority. As of January 2014, the Agency has been using SAP as the tool for authorizing, approving, and storing specimen signature cards. There were approximately 450Footnote 1 active signature cards in the SAP database as of March 2014.
Certification under FAA Section 33 (payment authority) ensures that payments are subject to authorized requisitions, are lawful charges against the appropriation and are within the appropriations level. This requires that appropriate processes and controls be in place to verify accounts under FAA Section 34, as stated in the Agency's delegation of financial signing authorities document. Section 33 of the FAA relies on the specimen signature cards to substantiate whether an employee has a valid Section 34 delegation of financial signing authority. Consequently, it is essential that the controls over the creation and activation of specimen signature cards operate effectively to comply with the FAA and central agency policy instruments, in order to prevent unauthorized expenditures.
Activation of specimen signature cards
As of January 2014, the creation of specimen signature cards is facilitated through SAP. This change will enable online validation of cost-centre information and will reduce errors associated with manual review. A sample of 30 cards was tested to determine if the officers responsible for activating the cards verified their validity (for example, approved by a supervisor with delegated authority, mandatory training has been taken and issued to an eligible Agency employee). Test results indicated that two cards were approved by supervisors who did not have delegated authority for all the cost centres identified in the employee's card, and one instance where the card was activated prior to CCM approval. These cards were activated prior to the transition to SAP. No issues were identified with cards created after the transition to SAP. While some exceptions were noted, the new process currently in place addresses the identified issues. Therefore, no recommendation will be made.
Termination of specimen signature cards
An employee's specimen signature card may be terminated for two reasons: the responsibility of the employee has changed or the employee has left the Agency. In the first circumstance, the signature card is edited to reflect the new responsibilities, provided that the employee retains financial signing authority. In the second circumstance, the signature card is simply cancelled.
Because the financial officers rely on the accuracy of the specimen signature card database when conducting FAA Section 33 certification, the termination of signature cards needs to be completed in a timely manner. In year 1 of this recurring audit, it was recommended that the CFO ensure that specimen signature cards are terminated on a timely basis. In response, actions have been implemented, as noted in Appendix F, recommendation 2.
Using computer-assisted audit techniques, auditors assessed the accuracy of the database throughout the year by analyzing the timeliness of the termination of specimen signature cards for departed employees. The analysis showed that cards for terminated employees were cancelled at the time of each employee's departure.
Overall, controls over the maintenance of specimen signature cards were operating effectively.
2.2 Quality assurance process of FAA Section 34 certification
Quality assurance performed on Financial Administration Act Section 34 certification is effective.
The FOD-SSP is responsible for conducting the quality assurance of FAA Section 34 certification on payment requests. The Office of the Chief Financial Officer (OCFO) is responsible for monitoring the quality assurance. Fiscal year 2013-14 was a period of change for the FOD-SSP. These changes included completion of the transition to two accounting hubs and implementation of the SAP-Procure to Pay (P2P) for commercial invoice processing.
Under the Section 34 of the FAA,
managers are required to certify that:
- Goods were supplied or the service rendered;
- The price charged is in accordance with the contract;
- Supporting documentation is complete;
- The financial coding is correct;
- The payee is eligible and entitled to
the payment.
In accordance with the Treasury Board (TB) Directive on Account Verification, the Agency employs a risk-based approach to performing quality assurance of FAA Section 34 account verification. A well-functioning quality assurance process provides a high level of assurance that a high standard of integrity and accountability is maintained in the spending of public money and supports sound stewardship of financial resources.
The quality assurance process aims at ensuring that the FAA Section 34 certification is properly and consistently performed. This provides assurance that transactions are valid, accurate and properly authorized. For high-risk transactions, it acts as a main control to ensure that the transactions are accurate and valid and that errors (if detected) are corrected prior to payment. For low-risk transactions, the quarterly sampling results provide insight into the effectiveness of the FAA Section 34 certification and, if necessary, action plans can be developed. For both types of transactions, errors are corrected where deemed necessary. See Appendix D for the risk profile of transactions.
As illustrated in Diagram 1, all transactions undergo a minimum quality assurance, which focuses on verifying the appropriateness of FAA Section 34 authorization, the financial coding and vendor information. The implementation of SAP-P2P has automated the verification of FAA Section 34 authorization for commercial invoices. A minimal quality assurance review for payment requests related to contribution agreements is still being conducted manually. A risk profile (low or high) is then assigned through a "gating" process, based on the nature and value of the transactions.
Diagram 1: Quality Assurance Review Process
Source: Shared Services Partnership Statistical Sampling Training Guide
Text Equivalent - Diagram 1: Quality Assurance Review Process
As Diagram 1 illustrates, every transaction, regardless of whether it is a transfer payment, a commercial invoice or a general accounts payable, is subject to some form of quality assurance to verify the appropriateness of Financial Administration Act Section 34 authorization, the financial coding and vendor information.
Minimum quality assurance reviews are conducted manually for payments related to contribution agreements. As for commercial invoices and general accounts payable, the implementation of SAP-P2P has automated FAA Section 34 authorization.
Once a transaction has gone through a minimum quality assurance, it is then assigned a high or low risk profile, based on its nature and value. High-risk transactions undergo a full quality assurance review, while low-risk transactions are submitted for payment. However, low-risk transactions may be subject to the post-payment quality assurance process, a full quality assurance conducted quarterly on a statistical sampling of transactions.
Transactions deemed as high-risk undergo full quality assurance prior to payment. This includes verifying whether the back-up documentation provided supports the payment request, whether the financial coding is appropriate, that claimed amounts are in accordance with the corresponding contract or funding agreement, and that the procurement document and payment request comply with TB and Agency policies.
Those identified as low-risk are paid immediately after a minimal quality assurance is performed, and are subject to a full quality assurance through quarterly statistical sampling. This process is referred to as the post-payment quality assurance process.
Errors identified through quality assurance that put into question the validity of the payment request must be followed up and corrected, such as inappropriate FAA Section 34 financial signing authority or an invoice price that is not in accordance with the contract/funding agreement. See Appendix E for corrective actions and follow-up activities.
Table 1 provides a breakdown by risk profile of the transactions (see Appendix D) recorded in fiscal year 2013-14. It demonstrates that even though high-risk transactions only represented 13% of the total population in terms of number, these transactions accounted for 86% of the total dollar value.
Table 1: Transactions by risk profile, fiscal year 2013-14
No. of Transactions | Value | |||
---|---|---|---|---|
Risk Profile | (‘000) | (%) | ($ M) | (%) |
Low | 35 | 87% | 45 | 14% |
High | 5 | 13% | 285 | 86% |
Total | 40 | 100% | 330 | 100% |
Source: Departmental Financial System, fiscal year 2013-14
Quality assurance of FAA Section 34 account verification encompasses most payment transactions, including grants and contributions, account payables, travel claims, honoraria and acquisition cards. However, it does not cover salary and wage expenditures, since they are subject to a different quality assurance process, as discussed in section 3.2 of this report.
The main aspects of the quality assurances process include:
- gating of transactions;
- identification of errors in account verification;
- quality assurance on grants and contributions payments;
- logging of results of quality assurance review; and
- statistical sampling for low-risk transactions.
Gating of transactions for the quality assurance process
The gating of transactions is an important aspect of the quality assurance process. It determines whether a transaction is low-risk or high-risk, thereby determining the level of quality assurance (minimum or full) to be performed prior to payment. The audit tests determined that the gating of transactions is working effectively.
Identification of errors in account verification
The quality assurance review entails a review to ensure that FAA Section 34 account verification has been performed properly. This process provides evidence of the effectiveness of FAA Section 34 account verification.
The audit tested a random sample of 30 transactions recorded in fiscal year 2013-14. The audit noted four instances where the individual certifying under FAA Section 34 did not have the authorization for the cost centre. As such, the quality assurance function could be improved.
In addition, there were nine instances where supporting documentation could not be found at the time of the audit. Auditors rely on these documents to support account balances and transactions. Therefore, the auditors were not able to assess the effectiveness of the quality assurance review for these transactions. This issue was also noted by ICD in its work. This is primarily the result of the transition from regional accounting offices to the two accounting hubs. Management has indicated that operating practices for the safeguarding of supporting documents are being clarified and that standard practices are being improved to assist with the performance of the quality assurance process on payments.
Logging of results of quality assurance review
The SSP's Statistical Sampling Training Guide requires that all errors identified during the quality assurance review for both low- and high-risk transactions be logged in SAP, the departmental financial system. This is regarded as the most significant output of the quality assurance process, as it provides the data required to report on the overall adequacy and reliability of the account verification process and allows management to develop corrective actions where necessary, in line with the TB Directive on Account Verification.
The audit found that in the sample of 30 transactions reviewed, there were three instances where not all of the errors identified by the quality assurance reviewer had been logged into SAP. This reduces the accuracy of the information presented to management.
Quality assurance of low-risk transactions
As noted earlier, all low-risk transactions undergo minimal quality assurance prior to payment. In addition, a sample of these transactions is selected on a quarterly basis to undergo full quality assurance. The analysis of errors and the action plans developed by senior financial officers are to be reported to the OCFO on a quarterly basis. The SSP's Statistical Sampling Framework provides guidance on corrective actions and follow-up activities (see Appendix E).
In 2013, the Audit of Key Financial Controls–Year 1 recommended that the CFO monitor the quality assurance of FAA Section 34 certification, to ensure that appropriate action is taking place when the quality assurance tolerable error rate has been exceeded. In response, actions were implemented, as noted in Appendix F, recommendation 2.
The audit examined the results of the statistical sampling on low-risk transactions for all four quarters of fiscal year 2013-14. The results indicated that 65 of the 816 transactions sampled had critical errors, which indicates that controls over low-risk transactions are not operating effectively. Additional analysis of the results showed that the majority of the errors were from acquisition card transactions.
Management has developed action plans to address these errors on acquisition card transactions, including communications to cardholders and cost centre managers, reminding them of their responsibilities. Starting in fiscal year 2014-15, quarterly samples of acquisition card transactions will be monitored separately from other low-risk payments. Based on the planned actions, no recommendation will be made.
In conclusion, while some exceptions were noted, select key financial controls related to quality assurance over the FAA Section 34 account certification process were generally operating effectively. Actions are being taken to reduce the acquisition card transactions errors.
2.3 FAA Section 33 certification
Audit criterion: Certification under FAA Section 33 is performed and an appropriate segregation of duties exists with FAA Section 34 certification.
The FOD-SSP is responsible for the quality assurance of FAA Section 33 certification.
The authority to request payments in accordance with Section 33 of the FAA is referred to as payment authority. Pursuant to this section, a financial officer with delegated payment authority must ensure that:
- FAA Section 34 was properly exercised by confirming that the Section 34 signatory has a valid delegated authority to authorize the expense and that there is auditable evidence that the quality assurance over the adequacy of the Section 34 account verification has taken place; and
- Expenditures are a lawful charge against the appropriation.
The FAA Section 33 payment authorization performed by financial officers is a key control to ensure the accuracy and legality of transactions.
The auditors evaluated the performance of the FAA Section 33 certification using the sample of transactions selected for the quality assurance review and concluded that certification under FAA Section 33 is performed and appropriate segregation of duties exists with FAA Section 34 certification.
2.4 Management review of expenditures and commitments
Audit criterion: Cost centre managers review commitments and expenditures recorded in SAP for completeness, validity and accuracy.
Responsibility for the review of actual expenditures, commitments and forecasts rests with program management. The OCFO's Resource Management and Analysis Division (RMAD) is responsible for coordinating the management variance reporting (MVR) process and for providing instruction, advice and Agency-wide tools in support of the conduct of the MVR process. Advice and support is provided to program management through the financial management advisor (FMA) review and challenge of expenditures and commitments recorded in SAP, as well as forecasted expenditures recorded in the MVR.
Cost centre managers, with the support of FMAs in OCFO-RMAD, are required to review expenses charged to their cost centres through the MVR process. In other departments, the MVR also serves as the cost centre managers' FAA Section 34 authorization of the salary and wage expenditures. The activity entails a review of the validity, accuracy and completeness of expenses. OCFO-RMAD is responsible for ensuring that the MVR exercise is adequately conducted and documented through a challenge function. This process is considered a key control over financial reporting.
Responsibilities with regard to forecasting and the preparation of MVRs are communicated through call letters issued by the OCFO. In addition to MVR call letters, some branches have developed guidelines and instructions to provide support to managers for the MVR process.
In 2013-14, the MVR process was conducted on four pre-determined occasions throughout the year (June, August, October and December).
Director and CCM attestation and sign-off of MVRs
The call letter from the OCFO requires branches to provide FMAs with signed copies of the MVR at the centre, directorate and branch levels only. The audit's documentation review and interviews demonstrated that cost centre managers reviewed commitments and expenditures, including a detailed review of their salary expenditures recorded in SAP, for completeness, validity and accuracy, with the support of FMAs and their business managers. Copies of signed MVRs at the director general and branch head levels are retained by the OCFO.
MVR attestation
As noted previously, the Agency uses the MVR call letter as its primary source of guidance for preparing the MVR, which indicates that directorate or centre heads within the branches should work with their directors, administrative officers, HR advisors and planners to thoroughly develop and validate the MVR forecast. This work includes ensuring that year-to-date expenditures, outstanding commitments and anticipated expenditures are accurate and complete, that the overall MVR forecast is realistic, in light of allocated budgets and operational plans and that progress made to date is properly considered.
The following attestation text is used on all directors general and branch heads MVR sign-offs: "I certify that these financial results are fairly stated based on the information available at the time of preparation of this Management Variance Report."
The current attestation text provides few details to inform MVR users on the nature of the work performed for the review of expenditures, including the detailed review of salary expenditures, outstanding commitments and anticipated expenditures during the MVR process. The audit also noted that call letter directions do not require that directors and CCMs sign the MVR.
FAA Section 34 Manager certification of salary expenditures
In accordance with TB's Pay Administration Control Framework Tool and the Guideline on Common Financial Management Business Process 5.1- Pay Administration, attestation for pay transactions is conducted in three parts and shared between the CCMs and the compensation advisors. After salary payments have been made, CCMs are expected to review pay expenses and complete their part of FAA Section 34 certification:
- Part 1 (pre-payroll): CCM signs letter of offer and other pay action documents.
- Part 2 (payroll): Compensation verifier confirms the accuracy of pay transactions in the regional pay system, resulting from pay actions.
- Part 3 (post-payroll): CCM reviews pay expenses and confirms accuracy.
The audit found that CCMs perform a detailed review of salary expenditures and forecasts, which is the equivalent of Part 3 of FAA Section 34 described above. Although the review work is done, there is no mechanism for CCMs to document the certification of salary expenditures under FAA Section 34.
The addition of specific wording to the MVR attestation text related to the review of salaries, along with a new requirement to obtain CCM signatures on MVRs, would ensure that FAA Section 34 manager sign-off is obtained for salary expenditures, as required under TBS Guidelines.
Recommendation 1
It is recommended that the Chief Financial Officer ensure that:
- the management variance review attestation text is modified to ensure that it reflects the nature of the work performed for the review of salary expenditures; and
- the management variance review process is amended to include sign-off at the cost centre manager level, to serve as evidence of Finance Administration Act Section 34 certification of pay expenditures.
Management response
Management agrees with the recommendation
- The Office of the Chief Financial Officer will work with Accounting Operations and Systems to ensure that the management variance review attestation text is modified to reflect the nature of the work performed related to the review of salary expenditures
- The Office of the Chief Financial Officer will communicate the requirement to obtain sign-off for management variance review forecasts by all cost centre managers.
2.5 Accrued liabilities at year-end
Audit criterion: Senior financial officers review and challenge the completeness, validity and accuracy of transactions payable at year- end.
The OCFO's RMAD and the Centre for Grants and Contributions are responsible for managing payables at year-end, while the FOD-SSP is responsible for reviewing payables at year-end (PAYE) to ensure that there is appropriate supporting documentation before posting them to SAP.
As per the TB Policy on Payables at Year-End (PAYEs), departments and agencies must identify and quantify liabilities to outside organizations and individuals resulting from operations up to and including March 31st of each fiscal year. In the absence of certainty, estimates must be used to determine the amounts of liabilities, as long as reasonably accurate values can be assigned.
As per the departmental year-end procedures, cost centre managers and administrators must submit PAYE requests for goods and services of value greater than or equal to $1,000 (except salary-related items, where the minimum threshold is $400; interdepartmental settlements, where there is no threshold; and grants and contributions, where there is no minimum threshold), for which an invoice has not been received or when accounts payable or payments cannot be recorded by the required cut-off date. In addition, notwithstanding the fact that a PAYE could be established from a reasonable estimate, supporting documentation must be provided for all PAYEs. Where goods are received, a packing slip is sufficient. For consulting services, timesheets and an assessment of the work completed as at March 31st should be provided. This helps to ensure a sufficient audit trail for follow-up purposes.
The audit tested the review and challenge function exercised over both PAYEs related to the previous fiscal year that have yet to be cleared and PAYEs recorded as part of the year-end procedures. For both types of transactions, sufficient evidence was provided to demonstrate adequate management oversight.
In conclusion, the financial officers reviewed and challenged the completeness, validity and accuracy of transactions payable at year-end.
2.6 System access and segregation of duties
Audit criterion: Senior financial officers review and challenge the completeness, validity and accuracy of transactions payable at year- end.
The FOD-SSP is responsible for the controls over the access to SAP and the enforcement of the segregation of duties, while the Corporate Services Branch (CSB), under the SSP, is responsible for monitoring user access.
Segregation of duties is a key concept for internal controls, to mitigate the occurrence of fraud and errors. An example of incompatible duties that must be segregated is the maintenance of vendor master files and the recording of purchase orders. Prior to granting or modifying access, the FOD-SSP performs tests to ensure that it does not result in incompatible functions. In addition, CSB, under the SSP, monitors the segregation of duties in the departmental financial system on a semi-annual basis. For this type of monitoring, the Agency follows tests that have been standardized across the federal government. These tests are based on a matrix of critical functions that rate risk as low, medium or high.
In fiscal year 2013-14, the migration of Accounting Operations to two accounting hubs was implemented in phases, to allow for business process redesign and change management activities. In addition, a new travel system was implemented, which resulted in changes to business processes and the security access required by end-users. Fiscal year 2013-14 was a transition year, with the implementation of business process changes and system enhancements.
The auditors tested the segregation of duties to determine whether individuals had access to incompatible functions. The results indicated that some FOD users had access to incompatible duties at some point during the fiscal year, as described in Table 2.
# of users | Access to incompatible duties | Description of risk | |
---|---|---|---|
44 | Enter/post vendor invoice | Process payment | Improper vendor invoices could be entered and released for posting and authorized for payment. |
6 | Enter vendor invoice | Maintain vendor master records | Fictitious vendor accounts could be created and used to generate invalid purchases. |
2 | Maintain vendor master records | Create purchase order | Vendor master data owners could set up improper suppliers on the system and create purchase orders that are not for business use goods and services. |
This finding is explained by the phased migration strategy of Accounting Operations and the implementation of the new travel system. Management indicated that further actions will be taken to review security roles, to ensure alignment of business processes, and that additional monitoring will be performed.
In conclusion, management is strengthening access controls to SAP.
Recommendation 2
It is recommended that the Chief Financial Officer review and strengthen access controls to the departmental financial system, to ensure that mutually exclusive roles cannot be assigned to a single user.
Management response
Management agrees with the recommendation
Actions will be taken to review security roles, to ensure alignment with new business processes and system enhancements, and additional monitoring will be performed.
The Framework for Integrated Resource Management System (FIRMS) will perform a review of the security access of the users where PAAB identified access to incompatible duties and will either make adjustments to security roles or remove user access to security roles.
FIRMS will perform quarterly monitoring of the FIRMS employees with access to Post-Invoice and Payment Run for production support purposes, to ensure that no transactions are posted.
2.7 Journal entry review
Audit criterion: Journal entries are reviewed by a second person and accompanied by appropriate supporting documentation.
The FOD-SSP is responsible for policy and quality assurance.
At the time of the audit, there was no policy incorporating journal voucher requirements. However, the FOD-SSP issued a publication on March 22, 2013, advising of the requirement for more stringent verification controls for routine and non-routine journal vouchers (JV). At that time, it was also indicated that a policy on journal vouchers would be forthcoming for the Agency.
In its publication, FOD-SSP indicated that:
"...Journal Vouchers (JVs) are one of the methods of making adjustments to accounts in SAP, and must be properly controlled to ensure that financial information accurately reflects the activities of the Agency. As part of the ongoing testing of financial processes, gaps in controls have been identified. These gaps must be successfully addressed in order to have auditable Financial Statements. One of the deficiencies noted has been in the area of verification controls for routine and non-routine journal vouchers.
A journal voucher (JV) request must include:
- the journal voucher request form;
- a source document such as a copy or screen-print of the SAP Detailed Expenditure (100) Report and/or other supporting documentation;
- a description / reason for the JV; and
- approval by the responsible financial manager(s)." The audit noted that journal voucher forms are rarely used and occasions were found where there were no signs of review by a second person, that is to say the responsible financial manager.
The audit noted that journal voucher forms are rarely used and occasions were found where there were no signs of review by a second person, that is to say the responsible financial manager.
The weaknesses in the internal controls surrounding JVs could lead to potential material misstatement. The MVR process is a compensating control, but it is still expected that JVs will be entered, reviewed and documented appropriately.
In conclusion, no recommendation will be made since FOD-SSP is in the process of adopting a formal standard for JVs clarifying the requirements for supporting documentation and review.
3. Select key financial controls specific to classes of transactions
3.1 Grant and contribution agreements
Audit criterion: Reconciliation of payment requests from Lotus Notes to SAP is performed. Contribution agreements are reviewed and closed out to ensure that receivables arising from overpayment are recorded.
The Office of the Chief Financial Officer's (OCFO) Centre for Grants and Contributions is responsible for the controls over the grant and contribution agreements.
Agreement/recipient risk assessments
The Agency utilizes the Enterprise Risk Management Agreement/Recipient Risk Assessment Tool (ERM-ARRAT), which has been designed to assess and manage risks associated with recipients and funding agreements. This tool is to be used annually to assess risks for all funding agreements, as well as to reassess risks for existing multi-year agreements.
The recipient's risk rating profile determines the risk tolerance strategy, which includes risk mitigating activities such as determining the amount of advance payments, establishing applicable holdbacks and monitoring activities. This means that recipients with the highest risk receive pre-payments on a quarterly basis and are subject to a maximum holdback on the final payment, as opposed to recipients with a low risk, to whom a single pre-payment can be made at the start of the year, with minimum or no holdback.
The audit reviewed a sample of 30 contribution agreements for fiscal year 2013-14 and found that the required risk assessments had been completed.
Reconciliation of payment transactions between grants and contributions systems and the departmental financial system
Grants and contributions payment requests are initiated in the Lotus Notes Grants and Contributions Database. Reconciliations between this system and SAP contribute to providing assurance that grant and contribution agreement expenditures are complete and accurate.
In 2013, the Audit of Key Financial Controls–Year 1 recommended that the CFO ensure that reconciliations between the Lotus Notes Grants and Contributions Database and SAP are prepared on a monthly basis and that all variances are investigated to ensure that the amounts reported in SAP are complete and accurate. In response, actions were substantially implemented, as noted in Appendix F, recommendation 3. The audit found that this reconciliation was performed for part of the year only, and not completed at year-end. As a result, there is limited evidence to clearly demonstrate that payments transferred to SAP were complete and accurate.
For next fiscal year, the Agency will be using the new Grants and Contributions Agreement Management System (GCIMS), which will include linkages to the departmental financial system for payment purposes.
Review and close-out of contribution agreements
The review and close-out of contribution agreements are necessary to ensure that all the terms and conditions have been met and that receivables arising from overpayment are recorded in the departmental financial system and collected, as required.
The 2013 Audit of Key Financial Controls–Year 1 recommended that coordination between accounting offices and contributions programs be improved, to ensure that all receivables, including those resulting from annual overpayments or the close-out of contribution agreements, are recorded in the departmental financial system in an accurate and timely manner. In response, actions were implemented, as noted in Appendix F, recommendation 4. Procedures have been established for the communication and recording of receivables and management has demonstrated its efforts to ensure that receivables are recorded in the departmental financial system for fiscal year 2014-15.
The audit reviewed a sample of 30 contribution agreements. One of these agreements included an overpayment in fiscal year 2013-14 that was not captured in the departmental financial system. However, the overpayment was recorded in the system at the time of the receipt of payment.
As well, a review was conducted of the five instances where recoveries were identified through recipient audits conducted by the Centre for Grants and Contributions. In four of these cases, the receivable were not recorded in the departmental financial system. The recoveries were recorded in the system at the time of receipt of payment rather than when the receivables were identified.
In conclusion, the reconciliation of payment requests from Lotus Notes to SAP was not completed. Actions have been taken to address the review and closed-out of contribution agreements, to ensure that receivables arising from overpayment are recorded.
3.2 Salary and wage expenses
Audit criterion: Compensation verifiers review payroll registers to confirm the accuracy of payroll transactions
Compensation verifier review of pay registers
The Human Resources Services Directorate of the Corporate Services Branch (CSB-HRSD), under the SSP, is responsible for the controls over the pay registers.
According to the TBS Directive on Financial Management of Pay Administration and the Guideline on Common Financial Management Business Process for Pay Administration, responsibilities for FAA Section 34 certification are to be shared between cost centre managers, compensation advisors and compensation verifiers, at different stages of the pay administration cycle. The financial controls over pay administration are common for both the Agency and Health Canada under the SSP.
Since October 2013, pay account files as well as payroll function have been gradually transferred to Public Works and Government Services Canada (PWGSC)'s Pay Centre. It is anticipated that all pay account files will be transferred to PWGSC by October 2015.
Until the transfer of pay account files is completed, the pay administration is under the responsibility of CSB-HRSD and includes compensation advisors and compensation verifiers. Compensation advisors are responsible for the accuracy of pay input through FAA Section 34 certification. Compensation verifiers are responsible for reviewing the payroll registers and individual salary payments, as part of a quality assurance process. This review is the final opportunity to confirm the accuracy of payroll transactions prior to payment. The audit found that the pay verification to confirm the accuracy of payroll transactions was appropriately performed.
FAA Section 33 quality assurance review
The TB Policy on Internal Control states that the CFO is responsible for establishing and maintaining a system of internal controls that is monitored and reviewed, and for ensuring that timely corrective measures are taken when issues are identified. This includes a quality assurance review, which provides assurance on the adequacy and reliability of the account verification process.
The TBS Directive on Account Verification states that financial officers are responsible for ensuring that payments and interdepartmental settlements are verified when exercising payment authority for payments pursuant to Section 33 of the FAA. The Directive further states that: "although account verification is normally performed prior to payment, completing account verification after the payment has been made is permitted in certain situations."
FAA Section 33 post-payment quality assurance or account verification for payroll transactions is the responsibility of financial officers under the OCFO. Since pay administration is under the SSP, the task of performing quality assurance or account verification is conducted by CSB-HRSD and the results are shared with FOD, under the SSP, to provide assurance to the OCFO of the adequacy and reliability of the account verification process.
In the context of pay transactions, the audit reviewed CSB's Compensation Monitoring Framework, which was updated earlier this year. The framework includes cyclical and on-site monitoring activities that are aimed at providing assurance that controls are effective. The audit found no evidence that CSB-HRSD conducted monitoring of salary payments for fiscal year 2013-14.
Performing this control activity and sharing its results with the OCFO is important because it serves to complete the FAA Section 33 payment authorization process by validating that pay transactions are lawful, accurate and properly authorized and that controls over the pay process are operating effectively. The OCFO's certification of salary payments under FAA Section 33 is only partially complete without the performance of CSB-HRSD's quality assurance post-payment verification. The lack of post-payment verification increases the risk of undetected unlawful payments and financial reporting misstatements.
The responsibility for conducting quality assurance procedures on pay transactions will be assumed by PWGSC once pay administration functions have been transferred. However, quality assurance procedures should continue to be performed by CSB-HRSD, under the SSP, during the period up to the transfer of the pay account files and be reported to FOD, under the SSP, to provide the required assurance to the OCFO.
The audit found that pay verification to confirm the accuracy of payroll transactions was appropriately performed; however, the audit also found no evidence of salary payments monitoring, as described in the Compensation Monitoring Framework.
Recommendation 3
It is recommended that the Assistant Deputy Minister, Corporate Services Branch, under the Shared Services Partnership, conduct cyclical and ongoing monitoring activities of salary payments and report to the Financial Operations Directorate, as described in the Compensation Monitoring Framework.
Management response
Management agrees with the recommendation
The reason that monitoring was not conducted in FY 2013-14 was due to the fact that during the same time period, two Portfolio Audit and Accountability Bureau (PAAB) audits (PeopleSoft and Regional Operations) and a CFOB-ICD review took place. Resources were spent instead on enhancing controls and responding to the above-mentioned reviews.
The Human Resources Services Directorate will conduct quarterly monitoring and reporting, in accordance with the CSB Compensation Monitoring Framework, until such time as all compensation activities have been transferred from the Agency to Public Works and Government Services Canada's Pay Centre. As of FY 2014-15, monitoring activities are underway and operating effectively, in accordance with the framework
3.3 Purchase of goods and services
Audit criterion: Purchase orders over $10,000 are reviewed for accuracy, completeness and validity.
Review of contracts over $10,000
The FOD-SSP is responsible for the controls over purchase orders.
In 2013, the Agency implemented a procurement service delivery model that includes the implementation of new SAP-P2P technology. This new technology provides for electronic approvals of procurement transactions, and has enabled the centralization of the procurement and contracting functions in two hubs, Winnipeg and Ottawa.
Under the new process, all contractual proposals for the procurement of goods and services are reviewed and/or prepared by procurement specialists. This helps to ensure that contractual documents are in accordance with Government Contracts Regulations and relevant policies and departmental delegation of financial authorities, and that an appropriate procurement vehicle is used. This review also provides assurance over the validity and accuracy of the purchase of goods and services over $10,000.
Some high-complexity/high-sensitivity requirements will need approval by the departmental review committee, based on the following two-tier governance model:
- Tier I – New Contract and Requisition Control Committee (CRCC) model.
- Chaired by the responsible PG-05 managers and supported by subject matter experts on an as-needed basis, such as a financial resources, legal and HR expert.
- Tier II – the Shared Services Contract Review Committee (SS-CRC), which provides oversight.
- Chaired by senior management at the Department; To complement and support Tier I, the SS-CRC will review and recommend for approval any contracts that are particularly complex or deviate from policies and regulations.
The audit found that the review of purchase orders over $10,000 was generally operating effectively.
In conclusion, purchase orders over $10,000 were reviewed for accuracy, completeness and validity.
3.4 Acquisition card purchases
Audit criterion: The monitoring of monthly acquisition card reconciliations and quality assurance reviews of acquisition card transactions are performed.
The FOD-SSP is responsible for the monitoring of monthly acquisition card reconciliations and the quality assurance reviews of acquisition card transactions.
Official reconciliation report
Acquisition card purchases are paid prior to reconciliation of purchases by the cardholder and FAA Section 34 certification, as permitted under the TBS Directive on Account Verification. To provide assurance of the accuracy and completeness of acquisition card purchases, cardholders are responsible for completing a reconciliation of the transactions with their statement of accounts.
The FOD-SSP monitors these reconciliations to ensure that they are adequately completed. Interviews conducted with the FOD-SSP and documentation reviewed provided evidence that this oversight role is adequately fulfilled. However, the timeliness of the reconciliation could be improved. The audit noted that 12% of the reconciliation reports were submitted to the FOD-SSP more than 30 days past the due-date, and there were 15 instances where a reconciliation report had not been submitted to FOD-SSP. For instances where the reconciliation report was not submitted, this means that FAA Section 34 certification was not performed. While the amounts for these purchases were not material for financial statement purposes, it is an indication that controls over the official reconciliation reports need to be strengthened.
At the time of the audit, management indicated that new measures have been implemented for the coming year, to ensure that all reconciliation reports are completed. Starting in fiscal year 2014-15, the process for following up on outstanding reconciliation reports will include more timely reminders to acquisition cardholders and the cost centre managers responsible for performing FAA Section 34 certification. If the reconciliation reports are not provided to Accounting Operations after the reminders, the acquisition card may be cancelled. Therefore, no recommendation will be made.
Quality assurance over acquisition cards
In addition to the monitoring of monthly reconciliations, financial officers conduct quality assurance reviews of acquisition card transactions. All transactions are subject to a minimal quality assurance procedure, to ensure that all items included on a statement are reconciled in SAP and that Section 34 of the FAA is appropriately documented. High-risk transactions undergo a full quality assurance review, while lower-risk transactions are subject to a full quality assurance on a sample basis. Since July 2012, the sample of lower-risk transactions has been included as part of the statistical sampling exercise through the use of SAP, as is the case for accounts payable transactions. Through this review, selected transactions are examined for appropriate supporting documentation and sign-off. Errors identified through this review are recorded.
The audit tested a sample of monthly statements, which included transactions that underwent a full quality assurance to determine whether they were performed adequately and appropriately. No significant errors were identified as a result of this review.
While the audit noted timeliness of reconciliation reports as an issue, overall, the reconciliation of payments to acquisition card transactions and the quality assurance review were operating effectively.
3.5 Capital assets
Audit criterion: Controls over the conduct of an annual capital assets review are operating effectively, to ensure that the capital assets are well-managed and properly accounted for.
The OCFO and the FOD-SSP share the responsibility for the controls over the effectiveness of the conduct of the annual capital assets review.
The Agency's Capital Assets Accounting Standard defines capital assets as assets with a useful life greater than one year, and a per-item cost of $10,000 or greater. The Agency holds a variety of capital assets. Aside from buildings, the items include mostly machinery and equipment, IT equipment/software and vehicles.
Physical count of capital assets
In June 2013, the Materiel and Assets Management Division, under the SSP, launched the Agency's annual capital asset review. This review complies with the requirements stated in the Agency's Asset Management Policy. The audit reviewed the reports produced as part of the annual review exercise, as well as the quality assurance procedures, to ascertain whether appropriate actions were taken to address the issues raised in the reports. The review showed that the physical count of the capital asset inventory was conducted and appropriate actions were taken to address issues raised.
The 2013 Audit of Key Financial Controls–Year 1 recommended that quality assurance procedures be implemented to validate the information provided by the various CCMs at the time of the capital asset inventory count. In response, actions were implemented, as noted in Appendix F, recommendation 5.
In conclusion, controls over the conduct of an annual capital assets review were operating effectively.
C - Conclusion
The audit concluded that the Agency's internal controls over financial reporting are generally operating effectively in order to mitigate the risk of material misstatement. The majority of the common and specific key controls were generally operating effectively. The audit also found that progress has been made on the recommendations from last year's report, with all recommendations being substantially or fully implemented.
The common key controls are those found across the most significant classes of transactions. Five of the seven controls were generally operating effectively. The audit observed that the management variance review process needs to include cost centre manager sign-off as evidence of FAA Section 34 certification of pay transactions. The audit also noted that improvement is required to strengthen access controls to SAP, to ensure that mutually exclusive roles cannot be assigned to a single user.
The specific controls supplement the common key controls. Nine of the ten controls were generally operating effectively. The audit noted that the monitoring of salary payments needs to be conducted, as described in the Compensation Monitoring Framework.
Appendix A - Lines of enquiry and criteria
Criteria title | Audit criteria |
---|---|
Line of enquiry 1: Progress is made on the previous year’s recommendations. | |
Line of enquiry 2: Select key financial controls common to all class of transactions are operating effectively, to ensure completeness, validity and accuracy of transactions. | |
2.1 Delegation of financial signing authorities | Controls over the maintenance of specimen signature cards ensure that delegations of financial signing authorities are valid. |
2.2 Quality assurance process for FAA Section 34 certification | Quality assurance performed on Financial Administration Act (FAA) Section 34 certification is effective. |
2.3 FAA Section 33 certification | Certification under FAA Section 33 is performed and an appropriate segregation of duties exists with FAA Section 34 certification. |
2.4 Management review of expenditures and commitments | Cost centre managers review commitments and expenditures recorded in SAP for completeness, validity and accuracy. |
2.5 Accrued liabilities at year- end | Senior financial officers review and challenge the completeness, validity and accuracy of transactions payable at year-end. |
2.6 System access and segregation of duties | Access to SAP is restricted and the segregation of duties is enforced. |
2.7 Journal entry review | Journal entries are reviewed by a second person and accompanied by appropriate supporting documentation. |
Line of enquiry 3: Select key financial controls specific to classes of transactions are operating effectively, to ensure completeness, validity and accuracy of transactions. | |
3.1 Grants and contributions payments | Reconciliation of payment requests from Lotus Notes to SAP is performed. Contribution agreements are reviewed and closed out to ensure that receivables arising from overpayment are recorded. |
3.2 Salary and wage expenses | Compensation verifiers review payroll registers to confirm the accuracy of the payroll transactions. |
3.3 Purchase of goods and services | Purchase orders over $10,000 are reviewed for accuracy, completeness and validity. |
3.4 Acquisition card purchases | The monitoring of monthly acquisition card reconciliations and quality assurance reviews of acquisition card transactions are performed. |
3.5 Capital assets | Controls over the conduct of an annual capital assets review are operating effectively, to ensure that the capital assets are well-managed and properly accounted for. |
Appendix B – Scorecard
Line of enquiry | Responsibility | 2013 Recs | 2014 Recs | Rating | ||||
---|---|---|---|---|---|---|---|---|
Line of enquiry 2: Select key common controls | ||||||||
Delegation of financial signing authorities | FOD-SSP | 1 | Controls operating effectively | |||||
Quality assurance over FAA Section 34 | FOD-SSP/OCFO | 2 | Controls operating effectively | |||||
FAA Section 33 certification | FOD-SSP | Controls operating effectively | ||||||
Management review of expenditures and commitments (MVR exercise) | RMAD | 1 | Controls need minor improvement | |||||
Accrued liabilities at year-end | RMAD/CGC | Controls operating effectively | ||||||
System accesses and segregation of duties | FOD-SSP | 2 | Controls need moderate improvement | |||||
Journal entry review | FOD-SSP | Controls need minor improvement | ||||||
Line of enquiry 3: Select key specific controls | ||||||||
Statement of operations | Balance sheet | |||||||
Grant and contribution agreements | Salaries and wages | Purchase of goods and services | Acquisition card purchases | Capital assets | ||||
1a. Review of recipient risk assessments | CGC | Controls operating effectively | ||||||
1b. Reconciliation of commitments and payments transactions between contribution systems and SAP | CGC | 3 | Controls need minor improvement | |||||
1c. Review and close-out of contribution agreements | CGC | 4 | Controls operating effectively | |||||
2. Quality assurance over payroll (peer verification) | HRSD-SSP | 3 | Controls need moderate improvement | |||||
3. Review of contracts over $10,000 | FOD-SSP | Controls operating effectively | ||||||
4. Reconciliation of card statements of account | FOD-SSP | Controls need minor improvement | ||||||
Physical count of capital assets | FOD-SSP/OCFO | 5 | Controls operating effectively |
Legend: CGC: OCFO’s Centre of Grants and Contributions
FOD-SSP: Financial Operations Directorate in the Shared Services Partnership
HRSD-SSP: Corporate Services Branch – Human Resources Services Directorate in the Shared Services Partnership
OCFO: Agency’s Office of the Chief Financial Officer
RMAD: OCFO’s Resource Management and Analysis Division
Appendix C – The Agency's internal control over financial reporting framework
Control Environment
- Public Service Values
- Learning, Innovation and Change Management; Policy and Programs;
- People; Citizen-focused Services
- Risk Management, Stewardship and Accountability
- Governance and Strategic Direction; Results and Performance
Financial Risk Assessment and Financial Risk Management
- Financial Reporting Objectives
- Financial Reporting Risks
- Fraud Risk
Monitoring
- Ongoing and Separate Monitoring and Assessment
- Reporting and Deficiencies
Control Activities
For each business process below:
- Cost-effective control activities
- Integration with assessment of risks over financial reporting
- Supporting policies and procedure assessment
- Management of information (e.g., IT Applications Controls and Database and Records Management controls)
Management of Parliamentary Appropriations
- Budgeting
- Management Variance Reporting
- Funding Resource Allocation (TB Submissions)
Shared Services PartnershipFootnote 2
Purchasing/Payables/Payments
- Transfer Payment
- Vendor Master Data
- Purchase Order; Purchase Requisition; Contracting
- Acquisition Card; Hospitality
- Travel Card; Receipt of Goods
- Invoice Posting
- Petty Cash; Asset Management; Programs
- Interdepartmental Settlements
- Payments
Payroll
- Employee Data Management
- Processing of Payment
- Advance or overpayment
- Reconciliation
- Period end close
Capital Assets
- Asset Management
Financial Statements, Year-End and Reporting
- General Ledger Maintenance
- Non-recurring Transactions
- Period Close
- Consolidations
- Financial Statements Preparation
- Accruals and Management Estimates
Financial Reporting Information
Internal Communication
Information and Communication
Internal Control Information
External Communication
* Some controls under these processes fall under the responsibility of the Financial Operations Directorate (FOD) and the Corporate Services Branch (CSB), under the Shared Services Partnership (SSP).
Appendix D – Risk profile of transactions
High-risk transactions include highly sensitive transactions, such as when an error in payment is non-recoverable or when payments are largely judgmental, subject to interpretation, involve very large dollar amounts or are considered highly error prone.
High-risk transactions | Threshold |
---|---|
General accounts payable invoices | Greater than $25,000 |
Conference | Any amount |
Foreign travel | |
Court awards (federal and other) and damage and other claims against the Crown | |
Ex gratia payments | |
Honoraria | |
Relocation | |
Domestic travel Minister and staff Non-public servants |
|
Domestic travel – public servants | $1,500 or greater |
Hospitality | |
Membership fees (e.g., fees for professional designations) | $700 or greater |
Low-risk transactions include transactions that are not sensitive in nature, have little or no potential financial loss associated with them or have a low error rate with a low dollar-value impact of error to medium dollar-value and are recoverable.
Low-risk transactions | Threshold |
---|---|
General accounts payable invoices | Up to $25,000 |
Domestic travel – public servants | Less than $1,500 |
Hospitality | |
Membership fees | Less than $700 |
Non-insured health travel | Any amount |
Source of information: Shared Services Partnership’s Statistical Sampling Framework.
Appendix E – Corrective actions and follow-up activities
The TBS Directive on Account Verification notes that financial officers are responsible for requesting corrective action when critical errors are identified during the quality assurance process for payment authority. Based on the results of the sampling period, accounting offices will take immediate corrective actions and may also determine that an action plan for follow-up be developed.
Corrective actions
All critical errors identified during the pre and post-payment process must be corrected by the accounting office, and the Section 34 manager must be informed of the error. A critical error is an error serious enough to require that the payment should not be/have been made, for example:
- Section 34 is not signed by an authorized officer for the cost centre.
- Back-up documentation does not support the payment.
- The amount of the payment is not in accordance with or exceeds the price or payment terms contained the procurement document.
For non-critical errors, corrections will be made by the accounting office when it is considered efficient; however in all cases, the Section 34 manager should be informed of the error. A non-critical error is an error identifying that the requirements of Section 34 account verification were not fully complied with at the time of payment; however, the error was not serious enough to prevent payment or to negatively impact financial information recorded in the financial system.
If the account verification completed by a specific Section 34 signatory is found to be continually inadequate, there may be a requirement to suspend Section 34 authority.
Follow-up activities
Accounting offices will implement follow-up activities aimed at reducing errors while strengthening the Department's oversight role. Follow-up will include, for example:
- Reviewing sampling results and identifying problematic areas; and,
- Working with branches, programs and cost centre managers to further define issues and assist in identifying potential solutions.
Further analysis may be required by the accounting office to identify whether a specific organization, transaction type, etc., is the cause of the error. A separate quarterly sample may be generated for continued errors for these transactions.
Source of information: Shared Services Partnership's Statistical Sampling Framework.
Appendix F - Overview of progress made on previous year's recommendations
Recommendation 1
Ensure that specimen signature cards are terminated through the year on a timely basis.
Responsibility - Financial Operations Directorate-SSP
Actions | Initial Date | Management's Suggested Expectation Date | Status (as of July 7, 2014 *) |
---|---|---|---|
1. Revise and approve departure form and process. Mandatory usage of the new departure form and process will be communicated and implemented. | 2014-04-30 | n/a | 5 |
2. Implementation of a periodic monitoring tool. | 2014-04-30 | n/a | 5 |
Recommendation 2
Monitor the quality assurance over Financial Administration Act Section 34 certification to ensure that appropriate action is taking place when the quality assurance tolerable error rate has been exceeded.
Responsibility - OCFO and Director, Accounting Operations and Systems-SSP
Actions | Initial Date | Management's Suggested Expectation Date | Status (as of July 7, 2014 *) |
---|---|---|---|
1. Review of the error reports provided by the Financial Operations Directorate on a quarterly basis to ensure that the required level of analysis has been performed and that the follow-up actions, including the possibility of examining additional samples, are appropriate when the tolerable error rate has been exceeded. | 2014-04-30 | n/a | 5 |
2. Accounting hubs will perform the quarterly statistical samples, review and analyse the results and develop actions plans to address error rates that exceed the tolerable error rates | 2014-04-30 | n/a | 5 |
Recommendation 3
Ensure that reconciliations between the Lotus Notes Grant and Contribution Database and SAP are prepared on a monthly basis and that all variances are investigated. Reconciliation should also be prepared as at March 31, 2013 to ensure that amounts reported in SAP are complete and accurate.
Responsibility - Director, Centre for Grants and Contributions (OCFO)
Actions | Initial Date | Management's Suggested Expectation Date | Status (as of July 7, 2014 *) |
---|---|---|---|
The Office of the Chief Financial Officer will produce a quarterly report verifying the reconciliation is complete and that amounts reported in SAP are complete and accurate. | 2014-04-30 | 2015-04-30 | 5 |
Recommendation 4
Responsibility - Director, Centre for Grants and Contributions (OCFO)
Actions | Initial Date | Management's Suggested Expectation Date | Status (as of July 7, 2014 *) |
---|---|---|---|
The Office of the Chief Financial Officer will produce a quarterly report verifying the reconciliation is complete and that amounts reported in SAP are complete and accurate. | 2013-12-31 | n/a | 5 |
The Office of the Chief Financial Officer will work with Accounting Offices to setup an Accounts Receivable for grants and contributions based on available information unless justification is provided not to. | 2013-12-31 | n/a | 5 |
Recommendation 5
Ensure that a quality assurance procedure be implemented to validate the information provided by the various CCM at the time of the Capital Asset Inventory Count.
Responsibility - OCFO and Director, Material and Assets Management-SSP
Actions | Initial Date | Management's Suggested Expectation Date | Status (as of July 7, 2014 *) |
---|---|---|---|
Implement the Shared Services Portfolio Capital Assets Inventory process and tools which includes an in-depth quality assurance process. | 2014-04-30 | n/a | 5 |
Issue an Annual Capital Assets Inventory call letter that includes user friendly tools, a guide that described the roles and responsibilities and timelines. | 2014-04-30 | n/a | 5 |
*Status (as of July 7, 2014 ) | 1 | h | h | h | h |
---|---|---|---|---|---|
Description | No progress or insignificant progress | Planning stage | Preparations for implementation | Substantial implementation | Full implementation |
Page details
- Date modified: