Treasury Board of Canada Secretariat

ARCHIVED - Horizontal Internal Audit: Delegation of Financial Authorities in Large Departments and Agencies


Audit Findings and Recommendations

This section presents the key detailed findings, based on the evidence and analysis associated with Phases I and II of the horizontal internal audit of the Delegation of Financial Authorities. As stated previously, the focus of the audit work in Phase I was to look at the existence of key elements of the management of the delegation of financial authorities and compliance with applicable Treasury Board Policy. The work in Phase II was designed to validate the results of Phase I, and to include a more detailed analysis of the management framework surrounding the delegation of financial authorities.

Finding 1:  Delegation of Financial Authorities as an Enabler

Delegation Instruments are not being exploited for their potential contribution to good governance and risk management.

While all departments and agencies examined were utilizing delegation instruments as a control mechanism, we observed that the instruments were viewed principally as an administrative tool. Accordingly, we found little evidence suggesting that senior executive committees were periodically briefed on matters such as:  the principles underlying the design of the instruments and delegations; recommended adjustments resulting from changed circumstances, risks and/or the results of monitoring; or, the best modes of communication, particularly taking advantage of technology. (Finding 4 in this report addresses issues pertaining to the monitoring of the exercise of delegated authorities.)

Similarly, when a new minister or deputy is appointed, the delegation instrument does not normally receive priority attention. This, again, is a function of the tendency to view the instrument as an administrative document. In fact, with the passage of the Federal Accountability Act, a newly-appointed deputy head may have greater interest in gaining an early understanding of the risk tolerances and governance principles operative in the design of the delegation of authorities, including the alignment between management capabilities, organization, responsibility, risks, operational flexibility, as well as information, monitoring, reporting and oversight mechanisms. A mature system will ensure that the volume, value and nature of financial transactions authorized at all levels will be visible, transparent and subject to quality control.

In this context, departments and agencies were not appropriately capitalizing on delegation instruments for their potential contribution to risk management and good governance. Annual reviews of delegations were focused predominantly on updating the authentication of specimen signature cards.

Delegation of Authorities is addressed under two Management Accountability Framework (MAF) elements: Accountability and Stewardship. Under Accountability, the MAF states that delegations are to be appropriate to capabilities. Specifically, authority is formally delegated and aligned with responsibilities. The audit sought to assess the effectiveness of the Delegation of Financial Authorities by determining the extent to which authorities were adequately aligned. Although all departments and agencies manage delegation instruments as an internal control, the audit team found little evidence that these organizations review existing delegations as an enabler.

As was described earlier in the report, after being sworn in, a new minister should be afforded the earliest opportunity to be briefed on and approve delegated authorities. Other events should trigger a review of the delegation instruments such as a re-organization of the department/agency, where the delegation instruments may no longer be aligned with the organizational structure, or the implementation of new programs. 

Recommendation:

It is recommended that departments and agencies ensure that processes are in place and functioning to require meaningful, risk-oriented annual reviews of delegation instruments. At a minimum, these annual reviews should consider:

  • the sources of, limitations on, sufficiency and continuing relevance of, delegated authorities;
  • the basic principles supporting and guiding the delegation of authorities within the organization;
  • compatibility of authorities with current organizational structure and mandates;
  • alignment of authorities with responsibility and necessary expertise;
  • clarity and accessibility of communication of authorities;
  • exploitation of technology to enhance the management of delegated authorities;  and,
  • changing circumstances affecting risk, including results from ongoing monitoring of the exercise of delegations.

The Executive management table should be briefed on the principles supporting and guiding the delegation of financial authorities and the results of annual reviews.

Finding 2:  Current Delegation Instruments

Insufficient priority was being given to obtaining timely ministerial approval of delegation instruments.

As at June 2006, five months after the change of government, 14 of the 24 departments and agencies audited had delegation instruments in use that had not yet been approved by current ministers. Further, as at September 1, 2006, seven months after the swearing in of the new government, 12 departments/agencies did not have current instruments – and three large departments had not yet taken any steps to obtain ministerial approval.   

The Treasury Board Policy on Delegation of Authorities states that, "Ministers must formally delegate and communicate financial authorities in writing". The Policy also specifies that, "Though appointment of a new minister does not automatically nullify existing delegations of authorities, departments must prepare a new document of delegation as quickly as possible for the new minister's approval."

The audit team noted circumstances where responsible officials were exercising due diligence in updating delegation instruments; however, there were several cases where the update and approval of the delegation instrument was not a priority. This approach tended to correlate with the view that the delegation instrument simply amounted to an instrument of administrative compliance.

Though the appointment of a new minister does not render a delegation instrument invalid, it remains important that the new minister is given the earliest opportunity to review the delegated authorities. Ministerial approval of delegation instruments should be considered not only a compliance issue, but also one of good governance.   

Recommendation:

It is recommended that departments and agencies undertake to brief ministers about the governance principles and capabilities, as well as the risk tolerances that support and guide the delegations reflected in departmental and agency delegation instruments. Departments and agencies should give priority to seeking the minister's approval of a current delegation instrument. New ministers, with the advice of the deputy head, should be provided the earliest opportunity to decide on delegations throughout the organization.

Finding 3:  Annual Review and Update of Delegation Instruments

There is much inconsistency in the quality, focus and regularity of annual reviews of delegation instruments. This can lead to a lack of accommodation of changing risks and to misinterpretation of authorities. Further, specimen-signature records were generally not well administered. 

A quarter of the audited departments/agencies were not performing an annual review of delegation instruments and related policies.  These organizations were not meeting the requirements of the Treasury Board Policy on Delegation of Authorities, which states:

"Departments must review and update all delegated authorities, including electronic delegation matrices, specimen signature documents and validation and authentication processes in use in departments at least annually."

Other departments indicated that an annual review was performed, but that it was not guided by formal policy or procedures. The audit team found that, in the majority of cases, annual reviews were predominantly limited to updating of Specimen Signature Records.

Without a well-structured qualitative review of changed circumstances and risks, delegations can become misinterpreted and misapplied. For example, the internal auditors in one large department reported that changes in the marketplace and inappropriate local interpretations of contracting authorities had resulted in significant patterns of non-compliance.

Specimen Signature Records (SSRs):  These records are to include authenticated signatures, as well as documentation of local limits and conditions imposed by management. Together with a delegation instrument, specimen signature records form part of the comprehensive configuration of the delegated authorities within a department or agency.

The audit team found that signature cards do not always include the information required by individuals regarding the authorities delegated to positions. While individuals, including those responsible for account verification, can perform further research to assist their understanding of a particular delegation, this information should be clearly communicated and readily accessible.

In Phase II, the audit team reviewed the management of the specimen signature records. To the extent that departments and agencies still rely on an exclusively paper-based process, the specimen signature record is an essential control and must be properly managed.

The following issues were observed:

  • SSRs were not always readily available;
  • Parallel systems had incomplete or out-dated information;
  • Records were missing, outdated and/or improperly altered;
  • More than one SSR was present for one person; 
  • SSRs were not updated annually or not updated when the delegation matrix was reviewed;
  • SSRs did not reflect the same Authorities as the current delegation matrix;
  • SSRs for acting appointments were not up-to-date;
  • SSRs were not secured after working hours;
  • SSRs were not updated in a timely manner to reflect the arrival and departure of employees;  and,
  • A list of the authorities delegated was available electronically to the transaction verification unit, but without the authorized signature.

Recommendations:

It is recommended that written departmental procedures be implemented to ensure that specimen signature records are current, valid, and in compliance with the instruments signed by the Minister. Specimen signature records must be accessible, preferably through electronic means during transaction verification and used when appropriate to ensure that transactions are properly authorized. 

It is further recommended that the Treasury Board Secretariat, Office of the Comptroller General, in consultation with the Chief Information Officer Branch, explore means to eliminate/minimize the requirement for physical specimen signature cards and wet signatures in favour of alternative methods to authenticate and validate the identities of individuals and the legitimacy of authorities exercised.

The recommendation applicable to Finding 1 also applies.

Finding 4:   Monitoring the Exercise of Delegated Authorities

Inconsistencies were found with respect to the extent of monitoring of: payments made; the effectiveness of applicable controls; and, the associated exercise of delegated financial authorities. This monitoring is an important activity to flag emerging risk areas or shortfalls in control, and to make appropriate adjustments, including modifications to the authorities reflected in delegation instruments.

For 50 percent of the 24 large departments and agencies (LDAs), the audit team found no evidence of post-payment monitoring of the performance of internal financial controls that apply to the initiation of expenditures through to the processing of invoiced charges for payment. Many organizations informed the audit team that such monitoring was not necessary because they perform 100 percent pre-payment account verification. Others reported that monitoring had been discontinued and replaced by internal audit activities. Accordingly, two key deficiencies were identified:

1. Many LDAs do not actively monitor the exercise of delegated authorities, and therefore do not know the extent and effectiveness of compliance and internal control;  and

2. There is an insufficient appreciation of the complementary roles between account verification, active monitoring and internal auditing.

Departments and agencies are required to monitor their management practices and internal controls and to take early remedial action in areas where deficiencies are identified.  Contrary to views expressed to the audit team, 100-percent account verification can lead to the routine administration of accounts payable, versus a targeted financial-management approach that ensures focused attention of verification resources on higher-risk transactions. Also, internal audit plans are risk-based, as opposed to being cyclical, and cover a wide spectrum of management activities. Internal Audit functions are intended to provide assurance relative to the management control framework and cannot be viewed as a first-order control. Ultimately, internal audit would examine the account verification process, including the adequacy of ongoing monitoring activity.  

The audit team looked for evidence of monitoring activities and of actions taken to address deficiencies (e.g. rates of error or non-compliance that exceed pre-defined tolerances). As stated above, there was also concern that 100% account verification can lead to the routine administration of accounts payable, versus a financial-management approach that ensures focused attention of verification resources on higher-risk transactions.

The audit team received evidence of recent audit activity from four departments/agencies that at least partially addressed the management of Delegations of Financial Authorities. Based on a review of internal audit reports submitted to the Office of the Comptroller General, as well as a review of department/agency websites, it was found to be the exception that internal audits had been conducted of basic financial transaction controls, including transaction testing of payments made.

Phase I of this audit noted the lack of monitoring as a key concern. Follow-up work in Phase II provided additional insight in this respect. In one regional office, the audit team found evidence of monitoring and preliminary reports. Although the reports showed a high rate of error in some programs or expenditures, there was no evidence of corrective action found to address the situation (e.g. additional verification or training).

Recommendations:

It is recommended that departments and agencies develop performance targets for the quality of processing of accounts, and employ automated checks and statistical sampling techniques to measure the quality of internal controls and to contribute to improved understanding of higher-risk transaction types. These monitoring activities must be documented and reports should be generated for consideration by successive levels of management, and follow-up action taken, including recommended adjustments to delegated authorities.

It is also recommended that departments and agencies ensure that risk-based internal audit plans give greater consideration to substantive audits of basic financial controls for account verification and payment.

The Treasury Board Secretariat, Office of the Comptroller General should coordinate the accumulation and dissemination of useful and innovative monitoring techniques developed by individual departments and agencies.

Finding 5:   Documentation to Manage Electronic Authorization & Authentication (EAA)

There was a lack of formal procedures regarding the management of the Electronic Authorization and Authentication System whereby departments and agencies can electronically request that payments be made to individuals and organizations.

There is an electronic system in place for departments and agencies to request Public Works and Government Services Canada (PWGSC) to make payments to individuals and organizations. Once the department has approved a payment, an authorized employee (generally in Financial Services) will use the Payment System of the Receiver General to process the payment.

The audit team assessed the extent to which departments and agencies had put in place policies, controls and procedures to manage EAA, principally the granting and revoking of user IDs and keys necessary to access the system and to authorize payment transactions.

The audit team found that 16 departments and agencies had not established documented procedures to manage the EAA process.  Although most had informal processes in place, the absence of adequate written procedures and controls increased the risk of unauthorized access to the Government's centralized payment system.  

Recommendation:

It is recommended that departments and agencies develop written procedures and controls over Electronic Authorization and Authentication (EAA), including the revocation of delegated authorities (electronic signature user IDs and keys) used to access the payment system of the Receiver General, to ensure only authorized access to the systems.

Finding 6:  Departmental Authorities and Limits for Departmental Bank Accounts (DBAs)

Delegation instruments did not adequately address authorities for departmental bank accounts for 12 of  17 departments and agencies making use of such accounts.

To assess whether authorities are formally delegated in the delegation instruments, clearly communicated and understood by personnel, the audit team reviewed Departmental Bank Account delegations. The Treasury Board Policy on Departmental Bank Accounts states:

"It is government policy to use the payment facilities of the Receiver General when making payments. However, departments may apply for approval to operate departmental bank accounts (DBAs) for specified classes of payments where the normal facilities for the issue of Receiver General cheques are not immediately available."

Of the 24 LDAs audited, 17 use Departmental Bank Accounts (DBAs). Thirteen of the 17 addressed DBAs in their respective delegation instruments; the remaining four did not. Further, the maximum of $5000 per transaction was not specified in the delegation instruments for eight of the 13 departments and agencies that had addressed this authority.

Recommendation:

To ensure that authorities are formally established, clearly communicated and understood by personnel, it is recommended that departments and agencies include in their delegation instruments the authorities for Departmental Bank Accounts, including the financial limits for payment as specified in the Treasury Board Policy.

Finding 7: Account Verification

To a notable extent, perspective on the verification of accounts for payment has been affected by a service orientation that places much emphasis on the prompt payment of bills. This contrasts with a risk-based approach designed to balance the timely payment of invoices with the need for scrutiny, appropriately focused control and compliance. Targeted pre-payment account verification, post-payment quality assurance monitoring and internal audit are all essential ingredients to efficient and effective payment processing.

While this audit did not perform extensive testing of financial transactions, interviews, observation and limited examinations of transactions were performed to assess the quality of internal controls of the account verification function. Though account verification and payment are not expected to be error-free, the audit observed indications of apparent imbalances between service and control, as transactions were frequently processed without basic verification of the following authorities:

  • Expenditure initiation (program authority);
  • Contracting authority;  and/or
  • Section 34 of the FAA certification of performance and price.

Account verification is the final step before the payment of a transaction is requisitioned. It is the process for ensuring that payments and settlements of transactions are verified in a risk-informed manner that maintains an appropriate level of control. Account verification includes ensuring that authorizations leading to payment are appropriate.

There were instances in which payments were made despite unresolved issues and without post-payment monitoring. Emphasis on prompt payment of invoices may be a determinant force causing the S. 33 FAA authority to requisition payments without checking for assurance of account verification.

Although all departments had a unit responsible for the review and processing of transactions, account-verification methodologies varied greatly among the audited departments and agencies. Many departments verified 100 percent of invoiced charges. However, the rigour of the verification varied and may have been limited to items such as the amount of an invoice and the name of the supplier. The focus of most verification units was on processing, rather than assessing compliance or challenging problem transactions. 

As per Appendix A of the Policy on Delegation of Authorities, financial authorities include spending authority and payment authority.  Spending authority consists of four elements: expenditure initiation, commitment control, contracting and confirmation of contract performance and price. Departments should have controls in place to ensure that expenditures are properly approved. 

It was also noted that the training for accounting employees, whether financial officers or accounting clerks, was not always adequate to enable them to properly assess and challenge transactions. 

Adequate account verification was further challenged in departments and agencies that are still relying on paper Specimen Signature Records because financial officers do not always work with the most current signature cards. Parallel systems are developed that may be incomplete or out-of-date.

Recommendation:

It is recommended that transaction verification methodologies be based on risk, and that adequate procedures be developed to ensure that when a transaction is selected for verification, the verification includes a validation of the supporting authorities. Any transactions detected that involve material non-compliance must be challenged. Transaction verification is a key control to ensure compliance and an adequate level of direction over delegated authorities.

Finding 8:  Training

Training offered by the Canada School of Public Service (CSPS) contributes to the understanding of delegated financial authorities. However, not all departments offer more customized training specific to their delegation instruments and authorities. The CSPS cannot adequately address the enabling legislation, delegation instruments and controls that may be unique to specific departments and agencies.

In Phase II, the audit team found evidence that all five departments had implemented the required training through the Canada School of Public Service. The Treasury Board Policy on Learning, Training and Development has the following objective:

"The objective of this policy is to help build a skilled, well-trained and professional workforce; to strengthen organizational leadership; and to adopt leading-edge management practices to encourage innovation and continuous improvements in performance."

Regarding delegation of authorities, "managers at all levels (should) have the necessary knowledge to effectively exercise their delegated authorities". The new Policy on Learning, Training and Development which took effect on January 1, 2006, addresses training for:

  • First-time managers at all levels so that they meet the Standards on Knowledge for Required Training prior to delegating authorities; and
  • Existing managers and executives to validate knowledge associated with their legal responsibilities to maintain their delegated authorities.

The scope of the audit did not include an assessment of compliance with the Policy on Learning, Training and Development. Instead the objective was to assess the following two criteria:

  • Financial authorities and policies are effectively communicated (e.g. available on intranet and referenced by e-mail or other correspondence);
  • Personnel know and understand financial policies and authorities.

Fieldwork in Phase II found that, in certain departments, employees in acting positions did not receive training on the Delegation of Authorities, either from the School or their respective departments. Also, in some departments, financial authorities are delegated to levels lower than the management level; the employees involved are not required to undergo the training established. The audit team is of the view that the same requirement for training should apply to these holders of delegated financial authorities.

Recommendation:

Departments and agencies should ensure customized training strategies for applicable employees regarding not only the concept of Delegation of Authorities, but also departmental/agency-specific authorities, delegation instruments and related policies and procedures. Training should apply to all employees occupying positions with delegated authorities including acting employees and those outside of the management ranks.