Treasury Board of Canada Secretariat

ARCHIVED - Horizontal Internal Audit of High Risk Expenditure Controls in Large Departments and Agencies


Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.

Executive Summary

The objective of the audit was to assess the adequacy and effectiveness of processes in place to identify higher‑risk transactions, which consequently enable more efficient account verification practices. We examined the risk management over expenditure controls and the practices in place in a sample of large departments and agencies (LDAs) in order to determine whether expenditure management was being carried out in a cost‑effective and efficient manner while maintaining the required level of control.

Why This Is Important

In LDAs, effective risk management over expenditure controls allows for appropriate due diligence over transactions that require more rigorous review, and greater efficiency over transactions that are of lower risk. Without an approach to account verification that considers risk levels specific to various types of transactions, proper attention may not be given to high-risk transactions, and transactions of lower risk may consume disproportionate levels of employee attention and departmental resources.

Overall Assessment

LDAs are not taking advantage of risk management to help make their account verification practices more efficient. Most LDAs are applying 100% verification on all transactions when appropriate risk management strategies would result in more efficient practices. Further, while some LDAs have appropriate guidance for those with financial signing authority, this guidance is still relatively new or has not been fully implemented.

More specifically, LDAs are at different stages in either the development or the implementation of effective governance processes over their account verification practices. Although most LDAs have some sort of governance function, there is not widespread representation of functional managers or others who can provide pertinent input for risk identification. In addition, most LDAs do not have formal policies and procedures for those who make decisions about payment certification. Without adequate documentation to support decisions made for high-risk types of payments, LDAs must treat all payments as high risk, which is not an efficient practice.

About half of the LDAs have formal guidance or checklists for those authorized to certify (project authorities) that the procured service or good meets the requirements for payment. In addition to receiving formal training from the Canada School of Public Service, half of the LDAs included in our sample have identified when unique payment criteria exist and have guidance or checklists for project authorities to use in carrying out their responsibilities. When proof of payment is particularly risky in some program areas, some LDAs go further, embedding specialists within those program areas to support the certification requirements. One LDA has its Centre of Expertise review payment authorizations before forwarding payment requests to the finance function.

Generally, LDAs are not distinguishing between high- and low-risk types of payments and therefore apply 100% verification on all transactions. This results in an ineffective use of resources because less time should be involved in quality assurance for payments of low risk. A small number of LDAs are beginning to develop guidance to support the identification of high-risk transactions, in keeping with the department's risk management approach. Of these, some are applying fewer verification procedures over low-risk transactions and have national sampling plans in place for these transactions to ensure that the application of fewer verification procedures continues to be appropriate.

Most LDAs apply 100% verification on all transactions. However, they are not monitoring the account verification processes to identify systemic weaknesses and therefore cannot report, through the governance process, on revisions required to the risk identification or on the results of best practices. Insufficient monitoring may hamper LDAs' efforts to be responsive to changing circumstances or new risks.

Conclusion

Overall, the processes in place to identify high-risk transactions for account verification are not satisfactory. Most LDAs are applying 100% verification on all transactions — that is, treating them all as high risk — when appropriate risk management strategies would result in more efficient practices. Furthermore, they do not have an appropriate governance process over risk identification or provide guidance on the verification work required of account verification officers. These practices result in an inefficient use of the time of account verification clerks and of those providing quality assurance.

The Internal Audit Sector of the Office of the Comptroller General has asked chief audit executives to prepare detailed action plans and to have these plans endorsed by their department and agency audit committees. The audit results and recommendations received positive reactions from responsible officials within LDAs. There were good indications that improvements would be pursued. Furthermore, the OCG will facilitate the dissemination of information related to audit findings including sharing of best practices and training as requested.