ARCHIVED - Horizontal Internal Audit: Delegation of Financial Authorities in Large Departments and Agencies

This page has been archived.

Horizontal Internal Audit:
Delegation of Financial Authorities
in Large Departments and Agencies

December 2008
Last amended November 2008

Internal Audit Sector
Office of the Comptroller General

Table of Contents

EXECUTIVE SUMMARY

Introduction
Overall Assessment
Statement of Assurance
Main Findings
Main Recommendations

DETAILED OBSERVATIONS AND DISCUSSION

Background
Audit Project Charter
Audit Scope
Audit Approach
Audit Findings and Recommendations
Best Practices

ANNEXES

Annex A:  Participating Departments and Agencies
Annex B:  Treasury Board Policy on Delegation of Authorities
Annex C:  Audit Criteria
Annex D:  Project Advisory Committee Membership and Mandate

EXECUTIVE SUMMARY

Introduction

The Treasury Board Policy on Internal Audit, which came into effect April 2006, requires the Comptroller General to lead horizontal internal audits of risks that transcend individual large departments and agencies (LDAs). This report presents the results of the first such horizontal audit, an internal audit of the Delegation of Financial Authorities.

Audit Objective & Scope:  The purpose of the audit, led by the Internal Audit Sector of the Office of the Comptroller General, was to assess the use of delegation-of-authority instruments and related policies as key measures for managing risks and contributing to sound financial management within departments and agencies. The audit focused on financial signing authorities and addressed three principal considerations:

• the availability of a current, approved delegation instrument;
• monitoring of the exercise of delegations, and corresponding revision of authority delegations; and,
• compliance with applicable legislation, regulations and policies.

The audit encompassed two phases. Phase I consisted of a review of the systems and procedures associated with the delegation of financial authorities in 24 large departments and agencies (See Annex A). This Phase was also attentive to best practices in the design and communication of delegated financial authorities. Subsequently, in Phase II, on-site audit work was performed at five of these organizations.

While certain transactions were examined to support an understanding of the delegation systems and procedures, the audit did not include detailed testing of financial transactions.

Overall Assessment

For all of the 24 departments and agencies forming part of this audit, an instrument was in place to formally delegate the financial authorities falling within the scope of the audit.  Further, the audit did not find obvious critical weaknesses in the form and content of these instruments. However, it was also observed that the instruments were not being exploited for their potential contribution to governance, nor as foundational risk-management mechanisms. Viewed primarily as administrative, the delegation documents had little visibility at the executive-management table. Consequently, insufficient priority was being given to ensuring that the documents were up-to-date, and approved by the current minister, as well as being subject to meaningful periodic review and adjustment to reflect changed circumstances and risks.

The audit also found that the structure and levels of delegation, as well as underlying management principles, including those pertaining to risk management, were not subject to regular, meaningful assessment and adjustment. Not only was there a lack of priority given to obtaining the endorsement and approval of new ministers, but there were also lapses in the monitoring of the exercise of delegated financial authorities. Additionally there was only limited substantive internal audit attention to fundamental financial controls over the processing of financial transactions. Notably, however, some organizations demonstrated exemplary practices warranting consideration by other departments and agencies.

Greater departmental and agency attention to, and profile for, delegation instruments, including analysis of limitations on the authority of the minister and deputy head, would be to advantage. This would encompass analysis of changed circumstances (e.g. inflation) and risks as well as providing the basis to assess the need for adjustments to the departmental authorities available. This could, for example, result in a request to the Minister of Public Works and Government Services (PWGSC) to extend the delegation of contracting authority, or other such remedy.

The mandatory annual reviews of financial signing authorities that are conducted by department and agencies often do not include a risk-based assessment of the design, configuration and extent of the pertinent delegations. These reviews are more inclined to be routinely focused on the authentication of specimen signature records;  a somewhat cumbersome source of information on the designation of individuals occupying positions having delegated authorities, and specifying local limits on these same authorities. A full view of the ultimate configuration of financial delegations within departments and agencies is dependant on access to these detailed physical records – records that are sometimes duplicated and/or edited after being authenticated.

Performance measures and risk tolerances are not consistently established as a basis for assessing and performing quality assurance on completed financial transactions.  In fact, such monitoring and measurement does not occur in a number of departments/agencies.  Therefore, an important risk management and control feature is foregone.  The results of ongoing monitoring should form an important basis for modifying, if not withholding, financial delegations.

Recommendations and Action Plans:  A number of audit recommendations have been directed to the Treasury Board Secretariat to address improvements that can be brought or reinforced through policy provisions, and/or the improved use of technology, to efficiently achieve appropriate risk-based financial control. 

Initial briefings of the audit results and recommendations encountered positive reactions from responsible officials within departments and agencies.  There were good indications that improvements would be pursued. At the same time, the Internal Audit Sector of the Office of the Comptroller General will engage Chief Audit Executives within departments and agencies to obtain detailed action plans, and to ensure that these are presented for endorsement by the respective Departmental Audit Committees. 

Statement of Assurance

Main Findings

Delegation of Financial Authorities as an Enabler – Governance

Within the departments and agencies audited, the delegation of authorities was commonly viewed as an administrative matter and senior leaders were not engaged in consideration of the principles, risk tolerances and the alignment between authority and responsibility.  Delegation instruments were not being sufficiently exploited for their potential contribution to good governance and risk management.

Currency of Delegation Instruments

Insufficient attention was paid to obtaining timely approval of delegation instruments from new ministers.  Although the Treasury Board Policy on Delegation of Authorities states that departments and agencies must prepare a document of delegation as quickly as possible for the new minister's approval, half of the departments and agencies audited had not obtained necessary approvals as of September 2006.  This involves an issue of compliance with policy, but, perhaps more importantly, is an indicator of the lack of profile given the delegation instruments and the tendency on the part of management to view approval of the documents as an administrative formality.

Annual Review of Delegation Instruments

There is much inconsistency in the quality and scope of annual reviews of delegation instruments, including the administration of specimen signature records. Relatively few annual reviews are genuinely risk-based or address the sources of, limitations on, and continuing appropriateness of, delegated authorities.  One circumstance was noted (as raised by the internal audit function in a large department), whereby changes in the marketplace had seriously affected the relevance and interpretation of delegated contracting authorities.

Internal Controls over the Exercise of Delegated Authorities

It was expected that the design of account verification and monitoring procedures would be risk-based.  However, this was rarely the case and much inconsistency was observed.  For example, half of the organizations audited did not perform ongoing post-payment monitoring of transactions. Invoice processing was often predominantly service oriented, as opposed to placing appropriate emphasis on control.  Further, there was limited internal audit attention to basic controls over the processing of financial transactions. 

Main Recommendations

Some Context:  The effective management of delegations of authority will be inherently important to deputy heads, particularly in the context of increased emphasis on accountability.  Accordingly, there will be interest in well-designed and managed delegation instruments as key governance and risk management tools. 

Technology can assist in the communication of delegations and in keeping them current.  Interfaces between people and technology will also play in the design of effective segregation of duties that is to be reflected in delegation instruments.   Such technology-assisted segregation can be more effective than traditional, labour-intensive controls.  Further, technology should eventually obviate the requirement for specimen signature records.  Similarly, it will facilitate ongoing electronic validation of the legitimacy of authorities exercised, accept or reject transactions, and produce exception reports for managerial review.  This will be particularly so as end-to-end business is transacted electronically.  Monitoring of expenditure trends, patterns and compliance will also be facilitated.

It has been observed that, with respect to stewardship, the Public Service experienced a vulnerable period as downsizing occurred, but the true benefits of technology were not delivered as early as anticipated. While some departments are now making good use of technology to improve the communication of delegated authorities and the ongoing monitoring of financial transactions, there is still an overall requirement for dialogue concerning risk tolerances, the corresponding extent of delegations, and the measures of performance of expenditure processing systems.  Routine consideration is also required of the implications of changing mandates, organizational structures, and compliance requirements as well as marketplace conditions (e.g. supplier concentration, brokers, competitiveness, inflation). 

The main recommendations of the audit are as follows:

Delegation & Governance 

Ministers should be briefed on the governance principles and capabilities, as well as the risk tolerances, that support departmental and agency delegation instruments. In providing this information, departments and agencies should give priority to seeking the minister's approval of a current delegation instrument. New ministers, with the advice of the deputy head, should have the earliest opportunity to decide on the appropriateness of delegated authorities.

Annual Review of Delegations of Authorities

Departments and agencies should ensure that processes are in place and functioning to require meaningful, risk-oriented annual reviews of delegation instruments.  At a minimum, annual reviews should consider:

The executive management table should be briefed on the results of the annual review.

In addition, the Treasury Board Secretariat, Office of the Comptroller General, should ensure that the next iteration of the Policy on Delegation of Authorities clarifies and reinforces a requirement for more meaningful periodic/annual reviews to be undertaken by departments and agencies. It should highlight the important contribution to be made to governance and risk management.

Account Verification, Monitoring and Internal Audit

Departments and agencies should develop and implement plans and procedures to promote a risk-based approach to pre-payment verification of accounts and post-payment monitoring and quality assurance.  A performance target should be established for the quality of processing of accounts, and automated checks and statistical sampling techniques should be employed to measure the quality of internal controls and to contribute to an improved understanding of higher-risk transaction types.  These monitoring activities must be documented and must generate reports for consideration by successive levels of management, as well as related follow-up actions, including recommended adjustments to delegated authorities.

It is also important to note that a service orientation regarding the processing of accounts for payment must not overshadow basic control and compliance imperatives.

It is further recommended that departments and agencies ensure that risk-based internal audit plans give sufficient attention to fundamental financial controls over the accounts payable function.

Innovations & Sharing

The Office of the Comptroller General should coordinate the accumulation and dissemination of useful and innovative post-transaction monitoring techniques developed by individual departments and agencies.

Additionally, the Office of the Comptroller General, in consultation with the Chief Information Officer Branch, should actively explore means to minimize, if not eliminate, the need for specimen signature cards and wet signatures in favour of alternative methods of electronically authenticating and validating the identity of individuals and the legitimacy of authorities exercised.

DETAILED OBSERVATIONS AND DISCUSSION

Background

The effective management of government departments and agencies has been entrusted to ministers and deputy ministers to delegate authority in order to accomplish the business of their organizations. In turn, departments and agencies must manage the delegation and exercise of authorities responsibly. In fiscal year 2005/2006, the Government of Canada spent $175.2 billion carrying out its day-to-day business^[1]. Tens of thousands of public servants across Government exercised delegated authorities to carry out government operations.

Delegation of authority is thus an important enabler. It enables managers to administer programs under their jurisdiction and contributes to the accomplishment of the organization's mandate. At the same time, delegation of authority is a control. It provides one of the foundation pieces that allow organizations to hold managers accountable for the lawful utilization of resources to achieve established objectives.  

There are three key policy requirements pertaining to delegation of authority:

Audit Project Charter

Treasury Board has assigned specific responsibilities to the Comptroller General, including responsibility for horizontal audit across large departments and agencies. The audit of the Delegation of Financial Authorities was the first horizontal internal audit led by the Office of the Comptroller General and has been managed as a pilot project. A specific sub-objective was to develop protocols and, particularly, approaches to reporting on internal audits.

Rationale: Following a risk analysis process in early 2006 involving the participation of Chief Audit Executives, the management of the delegation of financial authorities was identified as a potential topic for a horizontal internal audit. The topic figures prominently in discussions pertaining to core internal controls across government and fits the criteria of being: a significant management process; broad-based in relevance; and, auditable. The topic is also directly relevant to the Federal Accountability Act and to the Management Accountability Framework. Effective management of the delegation of authorities represents an opportunity to contribute to good governance and risk management within departments and agencies. It constitutes a fundamental vehicle for ensuring an appropriate balance between operational flexibility and purposeful control through the escalation of higher-risk decisions/transactions for consideration by successive levels of management.

Governance: The audit was conducted under the direction of the Executive Director, Forensic, Systems and Horizontal Audits, within the Internal Audit Sector of the Office of the Comptroller General. The audit engagement also benefited from the advice of a Project Advisory Committee, chaired by the Director of Horizontal Audits and included the participation of Chief Audit Executives from six of the participating Large Departments and Agencies (LDAs). The Committee's membership and mandate can be found at Annex D.

Timeframe: The Comptroller General approved the proposed audit in August 2006. The formal launch of the audit occurred when the Comptroller General wrote to selected deputy heads on August 25^th, 2006. Phase I, involving a document review of 24 LDAs, began immediately and was completed by mid-December 2006. Phase II, which took a more in-depth look at selected LDAs, began early in 2007, following an analysis of the results of Phase I. 

Audit Objectives: This first horizontal internal audit was intended to provide assurance on the effectiveness of delegated financial authority instruments as a control and enabler, contributing to sound risk management and governance. The audit was also intended to assist in the development of protocols for conducting future horizontal internal audit work.

A further objective was to identify and promote best practices in the design and communication of delegated financial signing authorities.

Audit Scope

The scope of the audit was limited to financial authorities as per the Treasury Board Policy on Delegation of Authorities. For a more detailed view of the financial authorities, please refer to the link at Annex B.

The audit was structured in two phases. Phase I addressed 24 LDAs having planned spending of $1 billion or more, and consisted of a review of key documents such as the delegation instruments, organization charts, applicable financial policies and procedures, and monitoring activities. At the time of the audit, the 24 participating departments and agencies accounted for more than 90% of the Government's total planned spending. The engagement considered delegation of financial authority and how the delegation instruments align with organizational structures in place at  June 30, 2006.

It was decided at the outset to limit the number of departments and agencies to be examined in Phase II.  The selection departments and agencies for Phase II was balanced between organizations that exhibited indicators of relatively higher risk (based on the results of Phase I), as well as those for which indications of best practices were noted.  Five departments were selected for inclusion in Phase II.

Audit Approach

The chart below illustrates a summary of the key aspects concerning the two phases of the audit.

Summary of the key aspects concerning the two phases of the audit - Text version

The audit objectives and criteria were based on principles drawn from the Treasury Board Policy on Delegation of Authorities as well as from the Management Accountability Framework (MAF) elements of Accountability and Stewardship.  To assess the reliability and effectiveness of the delegation instruments, the following three central/overview objectives were identified²:

1) Authorities, responsibility and accountability instruments and policies are established and clearly communicated;

2) Delegation of financial authorities and applicable policies are reviewed regularly and revised as required; and,

3) Compliance with financial-management legislation, policies and authorities is monitored regularly.

In addition, the audit team endeavoured to identify best practices in the design and communication of the delegation of financial authorities.

Phase I

A set of 58 questions was developed and used to guide the conduct of Phase I of this audit. A numerical value was then assigned to each question's five possible answers as follows:

Meets ................. 0

Partially meets....... 1

Does not meet....... 2

Concern³.............. 5

Not applicable........ 0

Selected answers were converted to numerical values and added together as a means of measuring each participating department's/agency's respective level of risk.  The higher a department's overall score, the more audit criteria were not met. Thus, higher scores represent relatively higher levels of risk.

During Phase I, review of the documents received from departments and agencies provided the basis for answering the 58 questions of the audit program.  There was an ongoing exchange of information between the audit team and the 24 departments involved.  These communications followed from the analysis of the documents received from the departments, and sought to either clarify issues or to obtain further information.  A significant effort was made at this stage to provide departments every opportunity to respond to any issues identified by the auditors. 

Given the mandate to conduct a horizontal internal audit, a great deal of attention was paid to analyzing and compiling the results by subject.  The analysis of results by subject facilitated the identification and reporting of trends and observations that apply across all these organizations. 

The following chart (See Figure 1) illustrates the extent of variance in levels of risk, as represented by defined criteria pertaining to delegated financial authorities and assigned scores across departments and agencies.   Note that this analysis pertains to the delegation of financial authorities and does not represent an overall statement of relative risk for the departments and agencies involved. 

Figure 1

Figure 1: Phase 1 Risk Analysis - text version

Although the audit found a general level of compliance (in that all departments and agencies had instruments in place to delegate financial authorities) the results indicated a high degree of variance in risk levels.

Phase II

Selection of departments and agencies:  In Phase II, the onsite audit work conducted in the five selected organizations included visits to the departmental/agency headquarters, and, in all but one case, fieldwork in two regional offices.  In this Phase, the audit team aimed to confirm the results of Phase I and to identify potential best practices.

Departmental/agency risk scores from Phase I are presented below in a "target" graph format.   Using this approach, organizations having lower risk scores appear within the green inner circle (the lower risk zone); and, those with higher risk scores are depicted toward the outer limits of the graph, as indicated by the red outer circle (the higher risk zone).

The audit team selected the three participants from outside the red circle (i.e. LDAs appearing in the higher risk zone) and the two from within the green circle – those from which best practices might be drawn.

Selection of Departments and Agencies in Phase II - text version

Audit Approach: Phase II consisted of a detailed review of the Delegation of Financial Authorities in five large departments and provided a more in-depth view of the control framework.  Through interviews and observation of transaction processing, the audit team analyzed the various management procedures and internal controls.  The compilation of results by department and by key subject/review topic, contributed to a horizontal view.   The review topics included the following:

• Internal controls over the authorization of transactions;
• Monitoring activities;
• Administration of specimen-signature records;
• Communication and training; and, 
• Level of understanding of persons exercising delegated authorities.

Audit Findings and Recommendations

This section presents the key detailed findings, based on the evidence and analysis associated with Phases I and II of the horizontal internal audit of the Delegation of Financial Authorities. As stated previously, the focus of the audit work in Phase I was to look at the existence of key elements of the management of the delegation of financial authorities and compliance with applicable Treasury Board Policy. The work in Phase II was designed to validate the results of Phase I, and to include a more detailed analysis of the management framework surrounding the delegation of financial authorities.

Finding 1:  Delegation of Financial Authorities as an Enabler

While all departments and agencies examined were utilizing delegation instruments as a control mechanism, we observed that the instruments were viewed principally as an administrative tool. Accordingly, we found little evidence suggesting that senior executive committees were periodically briefed on matters such as:  the principles underlying the design of the instruments and delegations; recommended adjustments resulting from changed circumstances, risks and/or the results of monitoring; or, the best modes of communication, particularly taking advantage of technology. (Finding 4 in this report addresses issues pertaining to the monitoring of the exercise of delegated authorities.)

Similarly, when a new minister or deputy is appointed, the delegation instrument does not normally receive priority attention. This, again, is a function of the tendency to view the instrument as an administrative document. In fact, with the passage of the Federal Accountability Act, a newly-appointed deputy head may have greater interest in gaining an early understanding of the risk tolerances and governance principles operative in the design of the delegation of authorities, including the alignment between management capabilities, organization, responsibility, risks, operational flexibility, as well as, information, monitoring, reporting and oversight mechanisms. A mature system will ensure that the volume, value and nature of financial transactions authorized at all levels will be visible, transparent and subject to quality control.

In this context, departments and agencies were not appropriately capitalizing on delegation instruments for their potential contribution to risk management and good governance. Annual reviews of delegations were focused predominantly on updating the authentication of specimen signature cards.

Delegation of Authorities is addressed under two Management Accountability Framework (MAF) elements: Accountability and Stewardship. Under Accountability, the MAF states that delegations are to be appropriate to capabilities. Specifically, authority is formally delegated and aligned with responsibilities. The audit sought to assess the effectiveness of the Delegation of Financial Authorities by determining the extent to which authorities were adequately aligned. Although all departments and agencies manage delegation instruments as an internal control, the audit team found little evidence that these organizations review existing delegations as an enabler.

As was described earlier in the report, after being sworn in, a new minister should be afforded the earliest opportunity to be briefed on and approve delegated authorities. Other events should trigger a review of the delegation instruments such as a re-organization of the department/agency, where the delegation instruments may no longer be aligned with the organizational structure, or the implementation of new programs. 

Recommendation:

It is recommended that departments and agencies ensure that processes are in place and functioning to require meaningful, risk-oriented annual reviews of delegation instruments. At a minimum, these annual reviews should consider:

• the sources of, limitations on, sufficiency and continuing relevance of, delegated authorities;
• the basic principles supporting and guiding the delegation of authorities within the organization;
• compatibility of authorities with current organizational structure and mandates;
• alignment of authorities with responsibility and necessary expertise;
• clarity and accessibility of communication of authorities;
• exploitation of technology to enhance the management of delegated authorities;  and,
• changing circumstances affecting risk, including results from ongoing monitoring of the exercise of delegations.

The Executive management table should be briefed on the principles supporting and guiding the delegation of financial authorities and the results of annual reviews.

Finding 2:  Current Delegation Instruments

As at June 2006, five months after the change of government, 14 of the 24 departments and agencies audited had delegation instruments in use that had not yet been approved by current ministers. Further, as at September 1, 2006, seven months after the swearing in of the new government, 12 departments/agencies did not have current instruments – and three large departments had not yet taken any steps to obtain ministerial approval.   

The Treasury Board Policy on Delegation of Authorities states that, "Ministers must formally delegate and communicate financial authorities in writing". The Policy also specifies that, "Though appointment of a new minister does not automatically nullify existing delegations of authorities, departments must prepare a new document of delegation as quickly as possible for the new minister's approval."

The audit team noted circumstances where responsible officials were exercising due diligence in updating delegation instruments; however, there were several cases where the update and approval of the delegation instrument was not a priority. This approach tended to correlate with the view that the delegation instrument simply amounted to an instrument of administrative compliance.

Though the appointment of a new minister does not render a delegation instrument invalid, it remains important that the new minister is given the earliest opportunity to review the delegated authorities. Ministerial approval of delegation instruments should be considered not only a compliance issue, but also one of good governance.   

Recommendation:

It is recommended that departments and agencies undertake to brief ministers about the governance principles and capabilities, as well as the risk tolerances that support and guide the delegations reflected in departmental and agency delegation instruments. Departments and agencies should give priority to seeking the minister's approval of a current delegation instrument. New ministers, with the advice of the deputy head, should be provided the earliest opportunity to decide on delegations throughout the organization.

Finding 3:  Annual Review and Update of Delegation Instruments

A quarter of the audited departments/agencies were not performing an annual review of delegation instruments and related policies.  These organizations were not meeting the requirements of the Treasury Board Policy on Delegation of Authorities, which states:

"Departments must review and update all delegated authorities, including electronic delegation matrices, specimen signature documents and validation and authentication processes in use in departments at least annually."

Other departments indicated that an annual review was performed, but that it was not guided by formal policy or procedures. The audit team found that, in the majority of cases, annual reviews were predominantly limited to updating of Specimen Signature Records.

Without a well-structured qualitative review of changed circumstances and risks, delegations can become misinterpreted and misapplied. For example, the internal auditors in one large department reported that changes in the marketplace and inappropriate local interpretations of contracting authorities had resulted in significant patterns of non-compliance.

Specimen Signature Records (SSRs):  These records are to include authenticated signatures, as well as documentation of local limits and conditions imposed by management. Together with a delegation instrument, specimen signature records form part of the comprehensive configuration of the delegated authorities within a department or agency.

The audit team found that signature cards do not always include the information required by individuals regarding the authorities delegated to positions. While individuals, including those responsible for account verification, can perform further research to assist their understanding of a particular delegation, this information should be clearly communicated and readily accessible.

In Phase II, the audit team reviewed the management of the specimen signature records. To the extent that departments and agencies still rely on an exclusively paper-based process, the specimen signature record is an essential control and must be properly managed.

The following issues were observed:

• SSRs were not always readily available;
• Parallel systems had incomplete or out-dated information;
• Records were missing, outdated and/or improperly altered;
• More than one SSR was present for one person; 
• SSRs were not updated annually or not updated when the delegation matrix was reviewed;
• SSRs did not reflect the same Authorities as the current delegation matrix;
• SSRs for acting appointments were not up-to-date;
• SSRs were not secured after working hours;
• SSRs were not updated in a timely manner to reflect the arrival and departure of employees;  and,
• A list of the authorities delegated was available electronically to the transaction verification unit, but without the authorized signature.

Recommendations:

It is recommended that written departmental procedures be implemented to ensure that specimen signature records are current, valid, and in compliance with the instruments signed by the Minister. Specimen signature records must be accessible, preferably through electronic means during transaction verification and used when appropriate to ensure that transactions are properly authorized. 

It is further recommended that the Treasury Board Secretariat, Office of the Comptroller General, in consultation with the Chief Information Officer Branch, explore means to eliminate/minimize the requirement for physical specimen signature cards and wet signatures in favour of alternative methods to authenticate and validate the identities of individuals and the legitimacy of authorities exercised.

The recommendation applicable to Finding 1 also applies.

Finding 4:   Monitoring the Exercise of Delegated Authorities

For 50 percent of the 24 LDAs, the audit team found no evidence of post-payment monitoring of the performance of internal financial controls that apply to the initiation of expenditures through to the processing of invoiced charges for payment. Many organizations informed the audit team that such monitoring was not necessary because they perform 100 percent pre-payment account verification.  Others reported that monitoring had been discontinued and replaced by internal audit activities. Accordingly, two key deficiencies were identified:

1. Many LDAs do not actively monitor the exercise of delegated authorities, and therefore do not know the extent and effectiveness of compliance and internal control;  and

2. There is an insufficient appreciation of the complementary roles between account verification, active monitoring and internal auditing.

Departments and agencies are required to monitor their management practices and internal controls and to take early remedial action in areas where deficiencies are identified.  Contrary to views expressed to the audit team, 100-percent account verification can lead to the routine administration of accounts payable, versus a targeted financial-management approach that ensures focused attention of verification resources on higher-risk transactions. Also, internal audit plans are risk-based, as opposed to being cyclical, and cover a wide spectrum of management activities. Internal Audit functions are intended to provide assurance relative to the management control framework and cannot be viewed as a first-order control. Ultimately, internal audit would examine the account verification process, including the adequacy of ongoing monitoring activity.  

The audit team looked for evidence of monitoring activities and of actions taken to address deficiencies (e.g. rates of error or non-compliance that exceed pre-defined tolerances). As stated above, there was also concern that 100% account verification can lead to the routine administration of accounts payable, versus a financial-management approach that ensures focused attention of verification resources on higher-risk transactions.

The audit team received evidence of recent audit activity from four departments/agencies that at least partially addressed the management of Delegations of Financial Authorities. Based on a review of internal audit reports submitted to the Office of the Comptroller General, as well as a review of department/agency websites, it was found to be the exception that internal audits had been conducted of basic financial transaction controls, including transaction testing of payments made.

Phase I of this audit noted the lack of monitoring as a key concern. Follow-up work in Phase II provided additional insight in this respect. In one regional office, the audit team found evidence of monitoring and preliminary reports. Although the reports showed a high rate of error in some programs or expenditures, there was no evidence of corrective action found to address the situation (e.g. additional verification or training).

Recommendations:

It is recommended that departments and agencies develop performance targets for the quality of processing of accounts, and employ automated checks and statistical sampling techniques to measure the quality of internal controls and to contribute to improved understanding of higher-risk transaction types. These monitoring activities must be documented and reports should be generated for consideration by successive levels of management, and follow-up action taken, including recommended adjustments to delegated authorities.

It is also recommended that departments and agencies ensure that risk-based internal audit plans give greater consideration to substantive audits of basic financial controls for account verification and payment.

The Treasury Board Secretariat, Office of the Comptroller General should coordinate the accumulation and dissemination of useful and innovative monitoring techniques developed by individual departments and agencies.

Finding 5:   Documentation to Manage Electronic Authorization & Authentication (EAA)

There is an electronic system in place for departments and agencies to request Public Works and Government Services Canada (PWGSC) to make payments to individuals and organizations. Once the department has approved a payment, an authorized employee (generally in Financial Services) will use the Payment System of the Receiver General to process the payment.

The audit team assessed the extent to which departments and agencies had put in place policies, controls and procedures to manage EAA; principally the granting and revoking of user IDs and keys necessary to access the system and to authorize payment transactions.

The audit team found that 16 departments and agencies had not established documented procedures to manage the EAA process.  Although most had informal processes in place, the absence of adequate written procedures and controls increased the risk of unauthorized access to the Government's centralized payment system.  

Recommendation:

It is recommended that departments and agencies develop written procedures and controls over Electronic Authentication Authorization (EAA); including the revocation of delegated Authorities (electronic signature user IDs and keys) used to access the payment system of the Receiver General, to ensure only authorized access to the systems.

Finding 6:  Departmental Authorities and Limits for Departmental Bank Accounts (DBAs)

To assess whether authorities are formally delegated in the delegation instruments, clearly communicated and understood by personnel, the audit team reviewed Departmental Bank Account delegations.  The Treasury Board Policy on Departmental Bank Accounts states⁴:

"It is government policy to use the payment facilities of the Receiver General when making payments. However, departments may apply for approval to operate departmental bank accounts (DBAs) for specified classes of payments where the normal facilities for the issue of Receiver General cheques are not immediately available."

Of the 24 LDAs audited, 17 use Departmental Bank Accounts (DBAs). Thirteen of the 17 addressed DBAs in their respective delegation instruments; the remaining four did not. Further, the maximum of $5000 per transaction was not specified in the delegation instruments for eight of the 13 departments and agencies that had addressed this authority.

Recommendation:

To ensure that authorities are formally established, clearly communicated and understood by personnel, it is recommended that departments and agencies include in their delegation instruments the authorities for Departmental Bank Accounts, including the financial limits for payment as specified in the Treasury Board Policy.

Finding 7: Account Verification

While this audit did not perform extensive testing of financial transactions; interviews, observation and limited examinations of transactions were performed to assess the quality of internal controls of the account verification function. Though account verification and payment are not expected to be error-free, the audit observed indications of apparent imbalances between service and control, as transactions were frequently processed without basic verification of the following authorities:

• Expenditure initiation (program authority);
• Contracting authority;  and/or
• Section 34 of the FAA certification of performance and price.

Account verification is the final step before the payment of a transaction is requisitioned. It is the process for ensuring that payments and settlements of transactions are verified in a risk-informed manner that maintains an appropriate level of control. Account verification includes ensuring that authorizations leading to payment are appropriate.

There were instances in which payments were made despite unresolved issues and without post-payment monitoring. Emphasis on prompt payment of invoices may be a determinant force causing the S. 33 FAA authority to requisition payments without checking for assurance of account verification.

Although all departments had a unit responsible for the review and processing of transactions, account-verification methodologies varied greatly among the audited departments and agencies. Many departments verified 100 percent of invoiced charges. However, the rigour of the verification varied and may have been limited to items such as the amount of an invoice and the name of the supplier. The focus of most verification units was on processing, rather than assessing compliance or challenging problem transactions. 

As per Appendix A of the Policy on Delegation of Authorities, financial authorities include spending authority and payment authority.  Spending authority consists of four elements: expenditure initiation, commitment control, contracting and confirmation of contract performance and price. Departments should have controls in place to ensure that expenditures are properly approved. 

It was also noted that the training for accounting employees, whether financial officers or accounting clerks, was not always adequate to enable them to properly assess and challenge transactions. 

Adequate account verification was further challenged in departments and agencies that are still relying on paper Specimen Signature Records because financial officers do not always work with the most current signature cards. Parallel systems are developed that may be incomplete or out-of-date.

Recommendation:

It is recommended that transaction verification methodologies be based on risk, and that adequate procedures be developed to ensure that when a transaction is selected for verification, the verification includes a validation of the supporting authorities. Any transactions detected that involve material non-compliance must be challenged. Transaction verification is a key control to ensure compliance and an adequate level of direction over delegated authorities.

Finding 8:  Training

In Phase II, the audit team found evidence that all five departments had implemented the required training through the Canada School of Public Service. The Treasury Board Policy on Learning, Training and Development has the following objective:

"The objective of this policy is to help build a skilled, well-trained and professional workforce; to strengthen organizational leadership; and to adopt leading-edge management practices to encourage innovation and continuous improvements in performance."

Regarding delegation of authorities, "managers at all levels (should) have the necessary knowledge to effectively exercise their delegated authorities". The new Policy on Learning, Training and Development which took effect on January 1, 2006, addresses training for:

• First-time managers at all levels so that they meet the Standards on Knowledge for Required Training prior to delegating authorities; and
• Existing managers and executives to validate knowledge associated with their legal responsibilities to maintain their delegated authorities.

The scope of the audit did not include an assessment of compliance with the Policy on Learning, Training and Development. Instead the objective was to assess the following two criteria:

• Financial authorities and policies are effectively communicated (e.g. available on intranet and referenced by e-mail or other correspondence);
• Personnel know and understand financial policies and authorities.

Fieldwork in Phase II found that, in certain departments, employees in acting positions did not receive training on the Delegation of Authorities, either from the School or their respective departments. Also, in some departments, financial authorities are delegated to levels lower than the management level; the employees involved are not required to undergo the training established. The audit team is of the view that the same requirement for training should apply to these holders of delegated financial authorities.

Recommendation:

Departments and agencies should ensure customized training strategies for applicable employees regarding not only the concept of Delegation of Authorities, but also departmental/agency-specific authorities, delegation instruments and related policies and procedures. Training should apply to all employees occupying positions with delegated authorities including acting employees and those outside of the management ranks.

Best Practices

As per the Audit Charter, the audit team also undertook to identify and promote best practices.  In this regard, the audit team reports the following:

Risk-based Management of Account Verification 

One department utilizes an approach whereby a risk profile is established for the various programs and expenditure types.  The requirement for pre-payment account verification is based on this risk profile.  Monitoring of payments made is based on statistical sampling.  The results of this monitoring are then used to update the applicable risk profiles.   This approach allows the department to maintain its service level in transaction processing, but without unduly compromising control.

The above-noted approach contrasts with that of many departments whereby all transactions are reviewed with the same focus, or there are no monitoring reports or follow-up on issues.  The risk-based strategy enables management to focus limited verification resources, to identify problems, and provide solutions to issues identified.

Delegation Instruments and Specimen Signature Records  

Delegation instruments are most effective when they clearly communicate all authorities and their accompanying limits.  The instrument should be designed to strike an appropriate balance between lending itself to being succinct and efficiently changed, while at the same time including sufficient detail.  Over-reliance on specimen signature records to capture detail diminishes the visibility of the overall configuration of authorities, as well as visibility, accuracy and the ease of updating.    A best practice was to reserve much of the detail for specimen signature records, but to ensure that these records are scanned and captured as electronic records available for routine central review. 

Digital Specimen Signature Records  

As noted above, specimen signature records must be made available when and where they are required to validate transactions.  A good practice is to have the digital images of specimen signature cards available to employees doing account verification.  Without a digital image, employees sometimes make copies of signature records, and these copies may not be up-to-date.  An electronic approach with access to digital images of the specimen signature records would increase the efficiency of the instruments and reduce the risk of transactions being processed without proper approval.  A central approach would also reduce the administrative effort required to keep the information current.

Effective Communication

It is good practice to provide a central point of communication for delegated authorities, as well as a web resource on the intranet, dedicated to delegation matrixes, policies and procedures.   This practice also provides for ease of updating the information.

ANNEXES

Annex A:  Participating Departments and Agencies
Annex B:  Treasury Board Policy on Delegation of Authorities
Annex C:  Audit Criteria
Annex D:  Project Advisory Committee Membership and Mandate

Annex A: Participating Departments and Agencies

1. Agriculture and Agri-Food Canada
2. Canada Border Services Agency
3. Canadian Heritage
4. Citizenship and Immigration Canada
5. Canadian International Development Agency
6. Correctional Services Canada
7. Environment Canada
8. Finance
9. Fisheries and Oceans, Department of
10. Foreign Affairs and International Trade Canada
11. Health Canada
12. Human Resources and Social Development Canada
13. Indian and Northern Affairs Canada
14. Industry Canada
15. Infrastructure Canada
16. Justice Canada
17. National Defence
18. Natural Resources Canada
19. Public Works and Government Services Canada
20. Royal Canadian Mounted Police
21. Transport Canada
22. Treasury Board Secretariat
23. Veterans Affairs Canada
24. Service Canada

Annex B:   Treasury Board Policy on Delegation of Authorities  

Link to policy published on the Treasury Board website:

Treasury Board Policy on Delegation of Authorities

Annex C: Audit Criteria

For the respective sub-objectives indicated, the following detailed audit criteria were established: 

Sub-Objective 1: Authorities, responsibility and accountability instruments and policies are established and clearly communicated.

1a)  Authority is formally delegated and aligned with individuals' responsibilities.  

1b)  Applicable delegations of authority policies are maintained by the organization or reliance on TB Policies are referenced to ensure an adequate level of control over delegated authorities.  

1c)  Effective communication of financial authorities/policies is carried out, (e.g. available on intranet and referenced by e-mail or other correspondence). 

1d)  Financial policies and authorities are known and understood by personnel.  

Sub-Objective 2: Delegation of Financial authorities and applicable policies are reviewed regularly and revised as required.

2a)  There exists the capacity and capability to identify, respect, enforce, and monitor adherence to central agency policies that have a direct interdependence with delegation of financial authority. 

2b)  Responsibility for review and revision of the delegation of financial authority instruments and policies is clear and is communicated in the appropriate organizational unit's mandates.  This responsibility is known, understood and applied accordingly.    

2c)  Evidence of regular review and / or revision exists (e.g. recently revised policies, decision memoranda noting policies considered and resulting decision to revise or not).  

2d)  The required authority level approves policy and authority revisions. 

Sub-Objective 3:  Compliance with Financial Management legislation, policies and authorities is monitored regularly.

3a)  Responsibility for monitoring of compliance with financial legislation, policies and authorities, is applied accordingly.  This monitoring is documented and reported to management.     

3b)  Members of senior management monitor the resulting reporting of compliance.    

3c)  Reporting to the oversight body includes a clear statement that compliance has been maintained or breaches noted and corrective actions taken.    

Annex D: Project Advisory Committee Membership and Mandate

Membership:

• Vincent DaLuz
• Robert Hamilton
• Robin Strang
• Lynden Hillier
• Diane Robertson
• Janak Shah
• Peter Everson

Mandate:

1. Review Audit Program for Phase II;
2. Provide ongoing advice on conduct of audit;
3. Provide advice on reporting of audit results for both Phases;
4. Review and comment on drafts of report;
5. Review and comment on protocols for conducting horizontal internal audits.