Treasury Board of Canada Secretariat

ARCHIVED - Horizontal Internal Audit of High Risk Expenditure Controls in Small Departments and Agencies




Executive Summary

The objective of the audit was to assess the adequacy and effectiveness of processes in place to identify higher-risk transactions, which consequently enable more efficient account verification practices. We examined the risk management over expenditure controls and the practices in place in a sample of small departments and agencies (SDAs) in order to determine whether expenditure management was being carried out in a cost‑effective and efficient manner while maintaining the required level of control.

Why This Is Important

In SDAs, effective risk management over expenditure controls allows for appropriate due diligence over transactions that require more rigorous review and greater efficiency over transactions that are of lower risk. Without an approach to account verification that considers risk levels specific to various types of transactions, proper attention may not be given to high-risk transactions, and transactions of lower risk may consume disproportionate levels of employee attention and departmental resources.

Overall Assessment

SDAs are not taking advantage of risk management to help make their account verification processes more efficient. Most SDAs deem all transactions to be high-risk, when appropriate risk management strategies would result in more efficient practices. Although some efficiency is being gained, risk tolerances have not been formally documented or agreed to by all appropriate levels of management.

Most SDAs have not formalized their identification of risks for account verification transactions. Although most SDAs say they deem all transactions to be high-risk, they have not documented this decision, nor do their processes reflect this. Furthermore, not all appropriate managers have been included in this risk determination.

Generally, those with delegated authority to certify that a good or service has been received are carrying out their responsibilities appropriately. There are no systemic weaknesses in this area. However, about one third of the SDAs included in our sample are not ensuring that the individuals with this delegated authority are taking mandatory Government of Canada training prior to receiving this delegation.

SDAs are not always following account verification processes in a manner that is commensurate with the risks identified for their quality assurance process. Although most SDAs state that all transactions are of high risk, they often intuitively apply fewer verification procedures over lower-risk transactions. As a result, appropriate sampling plans for transactions subject to low-risk verification do not exist in most cases. Nevertheless, those responsible for quality assurance are monitoring the results of account verification and discussing issues with management on a timely basis.

Conclusion

Overall, SDAs are not taking advantage of the more efficient verification practices that result from the proper identification of high-risk transactions. Most SDAs included in our sample stated that, given the low number of their transactions and increased public scrutiny, they deem all transactions to be high-risk. However, this risk tolerance is not commensurate with the quality assurance procedures performed. Nevertheless, SDAs are monitoring the results of quality assurance and informally providing this feedback to the appropriate level of management.

The Internal Audit Sector of the Office of the Comptroller General (OCG) has asked SDAs to prepare detailed action plans in response to this audit report. The audit results and recommendations received positive reactions from responsible officials within SDAs. There were good indications that improvements would be pursued. Furthermore, the OCG will facilitate the dissemination of information related to audit findings including sharing of best practices and training as requested.

Statement of Assurance

In my professional judgment as Executive Director, Operational Auditing, sufficient and appropriate procedures and evidence gathering were performed to support the accuracy of the audit conclusion. The audit findings and conclusion are based on a comparison of the conditions that existed as of September 3, 2009, in the departments reviewed, against pre‑established audit criteria. Further, the evidence was gathered in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing.[1]


Sylvain Michaud
Executive Director, Operational Auditing
Internal Audit Sector, Office of the Comptroller General

Background

The Treasury Board Policy on Internal Audit requires the Comptroller General to lead horizontal audits in small departments and agencies (SDAs). Horizontal audits are designed to address risks that transcend individual departments in order to report on the state of governance, controls and risk management across the Government of Canada. This report presents the results of the horizontal audit of high-risk expenditure controls.

Expenditure controls in the Government of Canada are governed by the Treasury Board Account Verification policy and the Policy on Active Monitoring and by the Financial Administration Act (FAA).[2]

The objective of the Account Verification policy is to ensure that accounts for payment and settlement are verified in a cost-effective and efficient manner while maintaining the required level of control. Account verification processes must be designed and conducted in a way that will maintain probity while taking into consideration the varying degrees of risk associated with each payment. This policy also requires that account verification practices be monitored to ensure that varying levels of controls exist over high- and low-risk transactions and that these controls are being carried out as designed.

Aspects of both the FAA and the Policy on Active Monitoring are important considerations in complying with the Account Verification policy. For example, active monitoring enables SDAs to use new information and changing conditions to accordingly revise their risk management strategies. The two sections of the FAA that are most relevant to the Account Verification policy are section 34, “Payment for work, goods or services,” and section 33, “Requisitions.”

Payment for work, goods and services (section 34) must be certified by someone with delegated authority from the minister. Certifying for section 34 implies that the work, good or service has been received in accordance with the terms and conditions established between the Government of Canada and the supplier of the work, good or service. Section 34 is typically delegated to project authorities — those generally responsible for completing the operations in line with the mandate of the department or agency.

After section 34 has been certified, payment requisitions are forwarded to the finance function, where someone with delegated section 33 authority will provide quality assurance to further certify requirements such as the following: the payment is in accordance with the budgeted amount, the section 34 authority has discharged his or her responsibilities appropriately, no signing officer will personally benefit from the payment, financial coding is done accurately, and other relevant policies have been respected. The certification of section 33 serves as official documentation to support the release of the funds. A risk management approach can be applied to the above responsibilities. For high-risk payments, however, all the requirements of quality assurance should be met; for low-risk transactions, reliance on the certification of the project authority may help reduce some of the time-consuming tasks associated with quality assurance.

Effective risk management over expenditure controls requires that the appropriate level of management in a department or agency determine which types of payments are of higher risk and should accordingly be subject to more thorough quality assurance in the section 33 verification process. To ensure appropriate monitoring, those transactions deemed lower-risk should be subject to more rigorous review on a sampled basis. This will ensure that the processes designed for lower-risk transactions result in sufficient due diligence and that any new risks can be identified. Under the Policy on Active Monitoring, SDAs must develop an early notice capability to detect and communicate unacceptable risks, vulnerabilities, control failures and deficiencies requiring remedial action. Effective risk management therefore allows for a more efficient use of the resources responsible for quality assurance requirements.

The SDA community in the federal government is extremely diverse, varying in, for example, organizational structure and size, budget, nature of work, and relationship with larger departments. Their budgets do not exceed $300 million per year, while personnel gross expenditures represent approximately 65% of expenditures. Their full‑time equivalents vary from 10 to 500 employees. These factors contribute to the nature of financial systems and controls that SDAs have implemented for decision making and accountability.

Audit Objectives, Scope and Approach

Objectives and Scope

The objective of the audit was to assess the adequacy and effectiveness of processes in place to identify higher-risk transactions, which consequently enable more efficient account verification practices.

For the 16 small departments and agencies (SDAs) included in our audit, we looked at risk management over expenditure controls, whether policies and procedures were designed to respect risk management principles, whether the controls designed were commensurate with the risks and whether appropriate monitoring mechanisms were in place.

Audit Approach

The audit was conducted in two phases. Consultants were engaged to support the Office of the Comptroller General audit team in both phases.

Phase 1

To select the SDAs to be included in the audit, we performed a risk analysis that used findings from previous horizontal audits and considered the centralization or decentralization of an SDA’s financial function, the nature of its business, and its size. We also ensured that the selected SDAs accounted for a significant volume of expenditures from a government-wide perspective. On the basis of this analysis, we chose the 16 SDAs listed in Appendix 1. These SDAs account for more than 20% of total SDA expenditures.

Phase 2

For each of the 16 SDAs, we carried out a document review to identify systemic strengths and weaknesses. Our review included documentation on risk, quality assurance and monitoring plans, and other departmental policies or procedures developed for expenditure management.

We interviewed managers from all parts of the expenditure management process including senior financial officials, and managers and project authorities responsible for account verification, to determine whether procedures were consistently understood and carried out. We also performed transaction testing to verify whether policies and procedures for account verification of high-risk transactions were being applied as intended. In total, 160 transactions from the period April 1 to December 31, 2008, were reviewed to determine whether the established procedures were being followed by the responsible officers.



Detailed Findings and Recommendations

Finding 1: Risk Identification

Although SDAs can identify high-risk expenditures, they are not using this knowledge to streamline their processes and allow for more efficient processing of transactions.

Our audit was designed to look at the SDAs’ risk management practices as they relate to account verification. We wanted to ensure that high-risk transactions had been identified and that appropriate controls were aligned with the certification of associated payments. We examined whether an appropriate level of management representing the governance function over account verification, risk management and controls was involved in risk identification. We verified whether the appropriate functional authorities were involved in risk identification, including those representing the governance function. Finally, we looked for documentation to support the identification of high-risk expenditures and supporting policies or procedures to identify the differences required in certifying high- versus low-risk payments.

We expected that high-risk transactions would be identified and articulated in writing at each of the SDAs included in our sample. We expected that the risks identified and the resulting impact on controls would be contained within policies and procedures or guidance used to inform those responsible for the account verification process. Given the SDA environment, we did not expect the resulting documents to be lengthy or a make-work exercise. Instead, we expected to see identified risks highlighted in the minutes of a senior management meeting or presented in a brief, half-page document. We also expected that the appropriate personnel would be included in risk identification, both those representing the governance of the SDA and those in the functional areas who could contribute valid input to this process.

Effective risk management involves the formalized identification of risks and resulting changes to the controls, which are important to ensure that the different levels of management share the same perspective on risk and that controls can therefore be designed to meet management’s needs and expectations.

A minority of SDAs formally identify high-risk payments. Some of the SDAs included in our sample are formally identifying and documenting their high-risk expenditures to support transaction types that need higher probity in the certification process. These SDAs also review the process at least once a year, and risk issues are discussed by established senior management committees.

However, the majority of SDAs are not documenting the types of transactions they consider high-risk. When those responsible for expenditure controls were interviewed, they were able to articulate the transaction types that they considered to be higher-risk. However, there was no formal way to ensure that all managers across the organization agreed with this risk identification or that all valid input had been considered.

Furthermore, most of the SDAs stated that they consider all transactions to be high-risk, given the minimal number of transactions occurring on a daily basis and the reputational risk to the SDA if a payment is made inaccurately. In most cases, this determination had not been documented.

Most SDAs do not include input on risks from all appropriate levels of management. Few SDAs could demonstrate that they have included appropriate members of management in their risk identification process. Without including all appropriate personnel in the risk management process — those representing the governance function and those with specific knowledge of risks — the identification of risks and the reaction to those risks may not be appropriate.

Most SDAs do not have guidance to support their risk identification and related verification procedures. Although we observed some good practices among the SDAs, such as formally notifying employees of identified risks through the development of procedures to follow in response to low versus high risk, this was not widespread. It is essential to provide those responsible for account verification with appropriate guidance on verification procedures that need to be applied for varying levels of risk. This ensures that practices are aligned with risk management decisions. Not having sufficient documentation on risk identification and risk tolerance to support personnel with a governance function over account verification could lead to inappropriate or inefficient controls being applied.

Recommendations

1. SDAs should formalize their process for identifying high-risk transactions, which could be presented in a brief guidance document. Those responsible for the governance function over expenditure management and those with functional insight should be involved.

2. SDAs should ensure that risks are clearly identified and documented for the account verification process.

Finding 2: Certification for Payments

Most project authorities have the necessary training to conduct their payment certification.

Project authorities (section 34) must ensure that proof of performance conditions exists prior to certifying for payment. The project authority certifies that the performance of work, the supply of goods, or the rendering of services complies with the terms and conditions of the agreement or contract and that the price charged complies with the contract or, in the absence of a contract, that it is reasonable.

We reviewed the extent of information, training and guidance available to project authorities to ensure that proof of performance conditions for the agreement are met before each payment is made.

We expected to find that, in addition to guidance or checklists, sufficient training would be provided to ensure that officials who verify proof of performance conditions know how to apply an appropriate level of scrutiny to determine that the performance conditions of the agreement are met before each payment is certified. Specific guidance would be especially appropriate when the proof of performance conditions are uniquely tailored for agreements not generally encountered in day-to-day situations — for example, contracting for professional services that include various performance criteria and reports required prior to payment approval.

The lack of program-specific account verification guidance for project authorities could lead to the misunderstanding and inconsistent application of practices related to account verification and not enough attention being paid to departmental or program-specific attributes or risks.

Certification for payments is being done by those with the authority to do so. Many project authorities with delegated section 34 responsibilities have delegated subordinates to review the contracting terms and conditions to ensure that the basis of payment agreed with the invoice received from the supplier. However, we found no instances where section 34 had been signed by someone not authorized to do so.

In some SDAs, those with delegated authority have not received required training. In about one third of the SDAs included in our sample, those with delegated signing authority have neither taken the required training nor written and passed the online tests designed to ensure that they understood their roles and responsibilities for section 34 authority prior to enacting delegated authorities. We also found that some of the SDAs were not aware of the required training and tests.

Those delegated authority for section 34 should fully understand the responsibility assigned to them; otherwise, the sign-off for payment of goods and services may not be done appropriately.

Recommendation

3. SDAs should ensure that those with delegated authority for section 34 certification receive the necessary training and pass the appropriate Government of Canada tests to prove they understand their responsibilities prior to this delegation.

Finding 3: Quality Assurance

SDAs are intuitively applying a risk-based approach to quality assurance for account verification.

We examined whether those responsible for quality assurance (section 33 certification) were performing their duties in an efficient and effective manner and respecting the risk management decisions for account verification established in their SDA. In those SDAs that had formally identified high-risk transactions, we wanted to ensure that a more efficient, streamlined control process was being followed for low-risk transactions and that a quality assurance strategy (including a sampling plan) had been developed to handle low-risk transactions in an appropriate fashion. For high-risk transactions, including in those SDAs where all transactions were deemed high-risk, we wanted to ensure that those responsible for quality assurance were respecting the risk level in their verification procedures. Finally, we wanted to verify whether those responsible for quality assurance were monitoring the process and accordingly reporting to the governance function on such areas as good practices, errors noted, systemic issues or any changes in risk identification or risk tolerance that needed to be discussed.

We expected that all SDAs would be following relevant control procedures for quality assurance for each transaction according to whether the payment was considered of high versus low risk. We expected that these control procedures would be clear and that evidence of the application of these controls would exist for each transaction. For those SDAs that recognized they had low-risk transactions and were therefore applying fewer controls for these transactions in their account verification process, we expected that a sampling plan would exist and would be carried out to ensure that the low-risk transactions were subject to an appropriate level of probity. Finally, we expected that results and errors would be monitored by those responsible for quality assurance and communicated to those with governance over this area on a timely basis.

It is important that expenditure controls for account verification be designed with effectiveness and efficiency in mind. Spending an inordinate amount of time verifying a low-risk transaction is not an effective use of an employee’s time. Controls should be designed and applied in a manner that corresponds to the risk tolerance of the SDA’s governance function to ensure that appropriate due diligence is being respected.

Identified high-risk transactions are often verified with low-risk considerations. In the majority of SDAs in our sample that consider all payment types to be high-risk, most actually perform fewer controls in areas that are intuitively low-risk. This means that the procedures being followed are not respecting the risk identification that determines all transactions are high-risk. Nevertheless, in SDAs where an approach for low-risk transactions exists and is being applied in a manner commensurate with the SDAs’ risk tolerances, the SDAs are demonstrating efficiency in their account verification process. However, this risk identification should be formalized to ensure that the identified high-risk areas are commensurate with the SDAs’ overall risk tolerances.

Furthermore, when following a low-risk verification process, it is imperative that sampling plans be developed to ensure that account verification over low-risk transactions is done appropriately. Given that these SDAs have streamlined control procedures in place, a sampling methodology for low-risk transactions is required to provide appropriate quality assurance.

Checklists to aid in the verification process are useful. Of the few SDAs included in our sample that are identifying high-risk transactions, half of them have checklists to assist those completing the requirements for quality assurance. These checklists identify the procedures required for low-risk transactions and the more stringent controls required for high-risk transactions. The checklists provide adequate documentation to demonstrate that the appropriate controls are being applied.

Most of the SDAs included in our sample could not provide adequate evidence of the control procedures being performed to meet their account verification requirements. Especially in light of the high employee turnover in most SDAs, evidence of work done must be documented in order to provide adequate support for past decisions made.

SDAs are monitoring the results of the account verification process. Half of the SDAs included in our audit monitor the results of the account verification process so that they can report on the areas where errors occur or where risk should be redefined in light of new circumstances. Such reports are made to those with appropriate governance over expenditure management, and although this is often done unofficially, it is seen as sufficient to meet the needs of senior management.

A good practice was noted. A few of the SDAs have been using the services of their parent department or agency to carry out their quality assurance responsibilities. This enables the SDA to take advantage of the larger resources in its parent department or agency. However, the majority of the parent departments and agencies providing this service have not adjusted their risk tolerance levels for SDA transactions to ensure that appropriate risk management is in place.

Recommendations

4. SDAs should formalize their identification of high-risk transactions so that control processes are commensurate with risk tolerances, thereby ensuring both the effectiveness and efficiency of the account verification process. This could be established in a succinct briefing document, once all relevant management personnel agree on the risk identification process.

5. SDAs that have streamlined controls over low-risk transactions should establish a sampling plan designed to periodically provide assurance that those transactions subject to low-risk account verification continue to warrant this classification.

6. SDAs should provide guidance, such as checklists, for quality assurance over low- versus high-risk transactions.

Conclusion

Overall, SDAs are not taking advantage of the more efficient verification practices that result from the proper identification of high-risk transactions. Most SDAs included in our sample stated that, given the low number of their transactions and increased public scrutiny, they deem all transactions to be high-risk. However, this risk tolerance is not commensurate with the quality assurance procedures performed. Nevertheless, SDAs are monitoring the results of quality assurance and informally providing this feedback to the appropriate level of management.

Management Action Plans

The findings and recommendations of this audit were presented to each department and agency included in the scope of the audit. They have reviewed the recommendations, provided responses and developed Management Action Plans as required. A summary of the responses received from SDAs included in the scope of this audit is included in Appendix 3. The Small Department and Agency Audit Committee (SDAAC) has been briefed on the audit findings and the departmental responses. The SDAAC will periodically receive reports on the actions taken where Management Action Plans are in place.

Deputy heads of other SDAs will take into account the results of this horizontal internal audit and will ensure that Management Action Plans are developed as deemed necessary.



Appendix 1: Departments and Agencies Included in the Audit Engagement

  1. Assisted Human Reproduction Canada
  2. Canadian Artists and Producers Professional Relations Tribunal
  3. Canadian Forces Grievance Board
  4. Canadian Human Rights Commission
  5. Canadian International Trade Tribunal
  6. Canadian Transportation Agency
  7. Copyright Board Canada
  8. Financial Consumer Agency of Canada
  9. Human Rights Tribunal of Canada
  10. Military Police Complaints Commission of Canada
  11. NAFTA Secretariat — Canadian Section
  12. National Battlefields Commission, The
  13. Public Service Staffing Tribunal
  14. Registrar of the Supreme Court of Canada
  15. RCMP External Review Committee
  16. Registry of the Competition Tribunal

Appendix 2: Objectives and Related Criteria

The objective of the audit was to assess the adequacy and effectiveness of processes in place to identify higher-risk transactions, which consequently enable more efficient account verification practices.

Objective: Risk assessment processes are designed to identify high-risk payments for focused attention and verification.
Criteria:
  • The organization has established and documented appropriate internal policies specific to the account verification process.
  • The organization’s direction and approach to risk management are formally articulated and documented.
  • The documented risk identification process is rigorous; it considers risks at both the entity level and the activity level and assesses internal and external sources of risk.
  • All appropriate levels of management are involved in analyzing risks.
  • All appropriate functional areas — for example, line managers, internal auditors, security, and legal representatives — are involved in the analysis of risk.
  • Risk information is regularly presented and discussed at established management and oversight committee meetings.

Objective: Verification processes are designed to ensure that payments are verified in a cost-effective and efficient manner while maintaining the level of control required under the Account Verification policy.
Criteria:
  • The organization has an entity-specific account verification policy. It also has appropriate and adequate account verification procedures.
  • Other financial management policies and procedures are maintained by the organization.
  • Financial management policies and procedures are regularly and effectively communicated within the organization.
  • Responsibility for monitoring compliance with financial management laws, policies and authorities is clear and communicated through, for example, job descriptions, organization charts, or division or branch mandates.
  • Compliance monitoring is appropriately and effectively applied through a documented risk-based quality assurance process, including a documented sampling strategy.
  • Reports to the oversight body include clear statements that compliance has been maintained or that breaches have been noted.

Objective: Monitoring processes exist to inform the organization, on an ongoing basis, of the effectiveness of the account verification processes.
Criteria:
  • In accordance with the Policy on Active Monitoring, organizations actively monitor their management practices and controls using a risk-based approach.
  • Management review is ongoing and timely.
  • Significant control breakdowns are reported to management in a timely way.
  • The organization’s internal audit group periodically assesses the account verification processes.
  • Recommendations are considered, and deficiencies are investigated and resolved in a timely fashion.

Appendix 3: Management Action Plan

The following table presents the recommendations and a description of the actions being taken to address them. Each recommendation is assigned a risk ranking of high, medium or low, based on the relative priorities of the recommendations and the extent to which the recommendations indicate non-compliance with Treasury Board policies.

Recommendation 1: SDAs should formalize their process for identifying high-risk transactions, which could be presented in a brief guidance document. Those responsible for the governance function over expenditure management and those with functional insight should be involved.
Overall Risk Ranking: Medium
Management Action Plan: SDAs have agreed to formalize their risk identification and resulting account verification policies and guidance. Implementation is expected to be completed by March 31, 2010.

Recommendation 2: SDAs should ensure that risks are clearly identified and documented for the account verification process.
Overall Risk Ranking: High
Management Action Plan: SDAs will ensure that risks are clearly identified and that those responsible for account verification receive the necessary guidance or training to carry out a risk-based account verification process. Implementation is expected to be completed by April 2010.

Recommendation 3: SDAs should ensure that those with delegated authority for section 34 certification receive the necessary training and pass the appropriate Government of Canada tests to prove they understand their responsibilities prior to this delegation.
Overall Risk Ranking: High
Management Action Plan: SDAs will ensure that individuals with section 34 delegated authority receive appropriate training or have the authority removed.

Recommendation 4: SDAs should formalize their identification of high-risk transactions so that control processes are commensurate with risk tolerances, thereby ensuring both the effectiveness and efficiency of the account verification process. This could be established in a succinct briefing document, once all relevant management personnel agree on the risk identification process.
Overall Risk Ranking: High
Management Action Plan: SDAs are or will be developing guidance or checklists to ensure that account verification processes are consistent with risk. Implementation is expected to be completed by March 31, 2010.

Recommendation 5: SDAs that have streamlined controls over low-risk transactions should establish a sampling plan designed to periodically provide assurance that those transactions subject to low-risk account verification continue to warrant this classification.
Overall Risk Ranking: Low
Management Action Plan: SDAs that are implementing low-risk transaction account verification processes will develop sampling strategies. These strategies will be in place by March 31, 2010.

Recommendation 6: SDAs should provide guidance, such as checklists, for quality assurance over low- versus high-risk transactions.
Overall Risk Ranking: Medium
Management Action Plan: SDAs will develop checklists to identify the procedures required for low- and high-risk transactions. This guidance is expected to be implemented by June 2010.

Appendix 4: Links to Applicable Legislation, Policies and Guidance

*   Since this audit report was prepared, the Treasury Board Account Verification policy and the Policy on Delegation of Authorities were rescinded effective October 1, 2009, and replaced respectively by the Directive on Account Verification and the Directive on Delegation of Financial Authorities for Disbursements. The conclusions in the report are not affected by these changes.


[1].  This audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing. However, the Office of the Comptroller General has not undergone an external assessment at least once in the past five years or been subject to ongoing monitoring or to periodic internal assessments of its horizontal internal audit activity that would confirm its compliance with the standards.

[2].  Since this audit report was prepared, the Treasury Board Account Verification policy was rescinded effective October 1, 2009, and replaced by the Directive on Account Verification. The conclusions contained in the report are not affected by this change.