Treasury Board of Canada Secretariat

ARCHIVED - Horizontal Internal Audit of High Risk Expenditure Controls in Large Departments and Agencies


Detailed Findings and Recommendations

Finding 1: Risk Identification


Departments are at different stages in how effectively they identify high-risk transactions requiring special attention.

We examined whether LDAs had an appropriate governance process in place to identify high-risk payments in expenditure management. We also examined whether the managers involved in the governance process were fully aware of the nature and extent of their responsibilities.

We expected to find a governance process over expenditure management that would identify risks and develop policies to support this risk assessment. We also expected that this governance process would involve management with functional responsibility over account verification, including those with an awareness of pertinent risks to the operations and those with appropriate decision-making authority. We expected that the identification of high-risk transactions would be adequately documented to enable those with delegated account verification signing authority to carry out their responsibilities in a manner commensurate with risk management principles. Furthermore, we expected that policies and procedures would exist to guide those responsible for account verification in carrying out their duties in accordance with the risk management decisions made.

It is important that management with appropriate decision-making authority identify expenditure transactions that are of greater risk to the LDA. Opinions on high risk from managers with varying functional responsibilities enable a complete analysis of those transactions that require further scrutiny. Without an approach that considers the risk levels specific to various types of transactions, proper attention may not be given to high‑risk transactions. In addition, in an LDA where many of the resources responsible for carrying out account verification are often not part of the risk identification process, it is essential that the identified risks and their implications be clearly documented. We would therefore expect to see policies and procedures that clearly address risk identification and the resulting impact on the account verification process.

LDAs do not have risk-based policies and procedures to guide them in their account verification practices. Overall, LDAs are at various stages in their application of rigorous risk assessment to the development of account verification policies and related processes and procedures. Some LDAs have not yet identified the criteria for high-risk payments. Others have documented risk thresholds related to various payment streams for account verification but do not have underlying support for these determinations. Only one LDA has fully documented its policies and control procedures. This LDA, which recently underwent a Controls Reliant Audit Readiness Assessment for Audited Financial Statements, is now piloting a fully compliant account verification practice.

Appropriate members of management are not involved in risk management over expenditure controls. Although most LDAs have in place some form of governance process over expenditure controls and risk assessment in account verification, very few of the LDAs included in our sample could demonstrate that appropriate management and functional areas were included in the ongoing development of risk identification processes to determine the high-risk transactions requiring comprehensive account verification.

Many of the LDAs do not have an appropriate risk assessment function, nor do they involve all the appropriate functional areas in the development and application of financial controls, processes and procedures related to account verification. This means that possible opportunities for greater efficiency and effectiveness may have been lost and that risks may not be uniformly understood by all participants in the account verification process.

Recommendations

1. LDAs should have policies and procedures in place to guide risk-based account verification processes. These should include the identification of high-risk types of payments to ensure those responsible for account verification are aware of the risk tolerance of their department or agency.

2. LDAs should ensure that management is adequately represented in the governance process that determines or defines the risk level and the policies and procedures related to risk-based account verification. Management representatives should include individuals with functional responsibility over account verification, those with an awareness of pertinent risks to the operations, and those with appropriate decision‑making authority.

Finding 2: Certification for Payments


There is limited guidance available to project authorities to enable them to effectively discharge their responsibilities for certification of payments.

Project authorities (section 34) must ensure that proof of performance conditions exists prior to certifying for payment. The project authority certifies that the performance of work, the supply of goods or the rendering of services complies with the terms and conditions of the agreement or contract and that the price charged complies with the contract or, in the absence of a contract, is reasonable.

We reviewed the extent of information, training and guidance available to project authorities to ensure that proof of performance conditions for the agreement are met before each payment is made.

We expected to find that, in addition to guidance or checklists, sufficient training would be provided to ensure that officials who verify proof of performance conditions know how to apply an appropriate level of scrutiny to determine that the performance conditions of the agreement are met before each payment is certified. Specific guidance would be especially appropriate when the proof of performance conditions are uniquely tailored for agreements not generally encountered in day-to-day situations — for example, contribution agreements that include various performance criteria and reports required prior to payment approval.

The lack of program-specific account verification guidance for project authorities could lead to their misunderstanding and inconsistent application of practices related to account verification and not enough attention being paid to departmental or program-specific attributes or risks.

Progress is being made in providing project authorities with guidance on their role in account verification. Of the LDAs included in our sample, about half have formal guidance to assist the project authorities responsible for account verification (section 34) with payment certification. In the majority of these cases, the guidance is still relatively new or in progress and has not yet been put in place on a national level. Managers in LDAs must undergo specific section 34 training offered by the Canada School of Public Service before their certification authority is granted, and most are in compliance. However, the training does not cover LDA-specific risks or the attributes of a payment under a specific program's design. LDA-specific training or guidance would help mitigate the risk associated with project authorities not completely understanding the basis of payment under a program's design.

During our audit, we noted good practices related to section 34 certification. Some LDAs are embedding finance specialists in program areas to help provide on-the-job training and support to project authorities responsible for section 34. Other LDAs have specific checklists for understanding the basis of payment associated with specific programs, such as transfer payments that could have particular payment attributes not encountered in normal day-to-day operations. In one LDA, the Centre of Excellence for Grants and Contributions rigorously reviews all payment certifications before releasing the payment request to the finance function and those responsible for quality assurance.

Recommendation

3. LDAs should develop guidance or checklists to assist project authorities responsible for section 34 account verification in carrying out their duties and to provide proof of performance related to their account verification procedures. This would be particularly helpful in instances where payment types have specific and unique terms and conditions and are otherwise not straightforward.

Finding 3: Quality Assurance


The quality assurance function for account verification has been established without taking risk into consideration.

In LDAs, quality assurance for account verification is done within the finance function. Those with delegated authority for section 33 typically employ account verification clerks to assist them in ensuring that all the appropriate verifications have been done. This quality assurance activity certifies activities such as the following: the payment is in accordance with the budgeted amount, the section 34 authority has discharged his or her responsibilities in accordance with the terms and conditions of the agreement, no signing officer will personally benefit from the payment, financial coding is done accurately, and other relevant policies have been respected. For high-risk payments, quality assurance must at a minimum include all of the above elements; for low-risk payments, verification may be reduced.

Because account verification procedures may be lessened for low-risk payments, these payments should be subject to more rigorous review on a sampled basis. Such a review helps monitor whether those responsible for certification under section 34 are carrying out their duties in a responsible manner and whether risk assessment and analysis are serving to appropriately identify high-risk payments.

We examined the LDAs' quality assurance practices over account verification to determine whether they were following efficient risk management practices; that is, they were conducting full verification over high-risk payments and reduced verification, subject to sampling, for low-risk payments. We expected to find clear guidance on account verification processes for high- versus low-risk transactions, such as checklists for the account verification clerks to use in discharging their responsibilities. A checklist would also provide documentation to support the quality assurance work that had been done, thereby allowing those signing section 33 certification to feel comfortable that all necessary steps had been taken.

LDAs are not taking advantage of risk management's potential for making account verification processes more efficient. Most LDAs included in our sample are not applying a risk-based approach to account verification and, therefore, perform 100% prepayment verification of all transactions. Performing 100% verification on all transactions does not enable the LDA to leverage the efficiency gained through effective risk management and requires the LDA to have more resources to carry out verification responsibilities.

LDAs do not have guidance in place to support verification procedures for high‑ versus low-risk payment types. Some LDAs have a formal process for determining which payment types are high versus low risk and what the resulting effort for payment verification entails. Of these LDAs, some are piloting new risk‑based account verification processes with plans to roll out their sampling procedure for low-risk payments on a national level once deemed successful. However, most LDAs do not have any formal guidance or training for their quality assurance personnel to assist them in their day‑to‑day identification and verification of high- versus low‑risk types of payments. As a result, insufficient documentation exists to support the verification work that is done.

Progress was noted in a few LDAs. Some have national sampling plans for low-risk payments commensurate with their risk management guidance and are developing guidance for regional risks and capacity considerations. A few are monitoring the results of sampling and making modifications to their risk management strategies when appropriate.

Recommendations

4. LDAs should ensure that high- versus low-risk types of payments are identified and determine whether the verification procedures applied are aligned with their risk principles.

5. LDAs should develop clear risk identification guidance to assist those who provide quality assurance over account verification to characterize high- versus low-risk types of payments. LDAs should consider using checklists that outline verification procedures based on risk type or other measures.

6. LDAs need to develop rigorous sampling plans to monitor the verification process used for low-risk payments. These should be national in scope and allow for monitoring of appropriate risk identification and for the collection of results, which could indicate systemic errors or point to best practices.

Finding 4: Monitoring


Monitoring of high-risk transactions, including reporting on issues found, is not done in most LDAs.

Effective monitoring over high-risk transactions should be done to track common or systemic issues found, to ensure those carrying out account verification responsibilities are respecting the risk levels, and to provide timely information to the governance function overseeing expenditure management. Effective monitoring informs those charged with governance that appropriate due diligence is taking place and helps them in their analysis of the changing environment. 

We reviewed the nature and extent of the LDAs' monitoring of high-risk transactions and how this information was used to support decision making. We expected that those responsible for quality assurance in LDAs would be monitoring errors and other systemic weaknesses and reporting them to the governance function. These reports would also demonstrate that the LDAs' practices for, and controls over, account verification were being performed effectively. We expected that there would be a risk-based process for the financial officers responsible for quality assurance to monitor the overall account verification process within LDAs.

Effective monitoring of account verification processes for high-risk transactions (including reporting to an oversight function) is essential for improving future performance and ensuring that risk profiles are updated based on systemic weaknesses, good performance or changing environment. Without an overall monitoring process complete with error reports, management might not be made aware of any process-related concerns or significant breakdowns in control.

LDAs are not monitoring errors found during their quality assurance process. A small number of the LDAs included in our sample regularly submit formal quality assurance reports to the governance function informing them of errors or concerns. These LDAs monitor errors from all regional and branch operations and can therefore roll up the results at the national level to report to senior management. The majority of LDAs included in our sample lack adequate information on whether account verification is achieving its objective of dealing with high-risk transactions with appropriate due diligence or whether systemic weaknesses are being identified or corrected.

Recommendation

7. LDAs should establish reporting requirements that enable the governance function over expenditure management to discharge its responsibilities in a robust, timely and comprehensive manner. Those responsible for quality assurance need to develop reports to meet this need and to prepare and present them in a timely manner.