ARCHIVED - Internal Audit and Evaluation Bureau - Audit of Acquisition Cards

This page has been archived.

Final Report

Table of Contents

• Assurance Statement
• Executive Summary
• 1.0 Introduction
• 2.0 Audit Details
  • 2.1 Objectives and scope
  • 2.2 Lines of enquiry
  • 2.3 Approach and methodology
• 3.0 Audit Results
  • 3.1 Line of Enquiry: Management Control Framework
  • 3.2 Line of Enquiry: Compliance With the Relevant Directive, Guidelines and Practices
  • 3.3 Overall Conclusion
• Appendix A: Audit Criteria
• Appendix B: Management Action Plan
  • Recommendation 1
  • Recommendation 2
  • Recommendation 3

Assurance Statement

The Internal Audit and Evaluation Bureau has completed an audit of acquisition cards. The objectives of the audit were to assess the adequacy and effectiveness of the management control framework for acquisition cards within the Treasury Board of Canada Secretariat (Secretariat) and ensure compliance with the Treasury Board Directive on Acquisition Cards and internal policies and procedures.

We conclude with a reasonable level of assurance that, although the Secretariat is generally compliant with the Treasury Board Directive on Acquisition Cards, attention is required to address key elements of the management control framework for acquisition cards. Specifically, these relate to objectives and goals; accountabilities, roles, and responsibilities; training; processes and procedures; and mechanisms for planning, risk assessment, and monitoring.

The audit approach and methodology followed the Internal Auditing Standards for the Government of Canada and the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing.

The examination was conducted from January to March 2011. Acquisition card purchases from April 1, 2009 to March 31, 2010 were used to select a sample of cardholders and fund centre managers to test the current acquisition card management control and operating framework. Documents received were also reviewed to determine the degree to which a management control framework for acquisition cards has been developed and implemented within the Secretariat.

The audit consisted of interviews, documentation review, and an examination of a sample of purchases for trends using computer-assisted audit techniques. The audit evidence gathered is sufficient to provide senior management with reasonable assurance of the results derived from this audit.

In the professional judgment of the Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence has been gathered to support the accuracy of the opinion provided in this report. The opinion is based on a comparison of the conditions, as they existed at the examination phase of the audit, against pre-established audit criteria. The opinion is applicable only to the entities examined and for the time period and scope specified herein.

Executive Summary

Background

The Audit of Acquisition Cards is part of the approved Treasury Board of Canada Secretariat's (Secretariat's) Three Year Risk-Based Audit Plan 2010-2013.

Acquisition cards provide government departments with a convenient, simplified, and practical method of procuring and paying for goods and services while ensuring effective financial controls. Use of acquisition cards is governed by the Treasury Board Directive on Acquisition Cards and operates pursuant to section 2 of the Financial Administration Act. This directive replaced the 1998 Policy on Acquisition Cards.

Objectives and scope

The objectives of the audit were to assess the adequacy and effectiveness of the management control framework (MCF) for acquisition cards within the Secretariat and to ensure compliance with the Treasury Board Directive on Acquisition Cards and internal policies and procedures.

The audit's scope focused on the management control and operating framework for the Secretariat's acquisition card activities.The audit did not address the account verification process used for reconciling card statements nor the monthly processing of acquisition card payments. This was the subject of a recently conducted separate audit of account verification.

Key findings and conclusion

We conclude with a reasonable level of assurance that, although the Secretariat is generally compliant with the Treasury Board Directive on Acquisition Cards, attention is required to address key elements of the MCF for acquisition cards, specifically the following:

• Accountabilities, roles, and responsibilities are not completely articulated, and draft documents are not finalized and communicated to stakeholders;
• Procedures, guidelines, and related documents are in draft form and not yet formally approved and accessible to employees for their use;
• Training needs are not identified, and no training plan has been implemented; and
• Planning, risk management, monitoring, and reporting mechanisms are not developed.

Regarding compliance with the Treasury Board Directive on Acquisition Cards and internal policies and procedures, we conclude that, although card activities are found to be generally compliant with this directive, opportunities exist to strengthen control with respect to timely card cancellation. Compliance was largely due to the general awareness of responsibilities based on previous experience and ad hoc practices in place throughout the Secretariat.

A management action plan is being developed by the Secretariat.

1.0 Introduction

Acquisition cards provide government departments with a convenient, simplified, and practical method of procuring and paying for goods and services while ensuring effective financial controls.

Use of acquisition cards is governed by the Treasury Board Directive on Acquisition Cards and operates pursuant to section 2 of the Financial Administration Act. This directive replaced the 1998 Policy on Acquisition Cards.

Acquisition cards are credit cards issued to employees of the Government of Canada to enable them to make timely purchases in support of government operations. There are currently three types of credit cards used in government. The AMEX card is used exclusively for travel expenditures by employees. The fleet credit card is used for the operating and maintenance expenses of departmental vehicles. All other card purchases are to be made using the Bank of Montreal (BMO) MasterCard and/or the Canadian Imperial Bank of Commerce (CIBC) Visa card, depending on operational needs.

BMO is the service provider for the Secretariat. The contract with BMO offers a rebate program payable directly to the department. There are no user fees associated with the use of acquisition cards.

The scope of this audit was limited to the BMO acquisition card. Any references to "acquisition card" or "card" in this report pertain to the BMO acquisition card.

Operating environment

Within the Secretariat, the Corporate Services Sector (CSS) is responsible for managing acquisition cards. The Administration and Security Directorate (ASD) of CSS is responsible for overall management of the cards, and the Financial Management Directorate is responsible for accounting and payments related to card use.

Prior to February 1, 2009 the Department of Finance Canada provided shared services to the Secretariat, including contracting and procurement services. As a result of an Order in Council, the Secretariat became responsible for its own contracting and procurement services. It should be noted that since the transfer, the Contracting, Procurement and Material Management (CPMM) group within ASD faced capacity issues, staff turnover, and a lack of documented internal processes and procedures, which resulted in operational challenges. The priority for CPMM was to build capacity while maintaining operations. CPMM's focus has also been on developing a contracting and procurement MCF, including elements pertaining to the MCF for acquisition cards.

For the period from April 1, 2009 to March 31, 2010, 336 cards were used, which included 16 acquisition cards used at regional offices.

The total amounts procured with acquisition cards for the fiscal years ending March 31, 2009 and March 31, 2010 constituted 3.6 per cent and 3.9 per cent, respectively, of the total expenditures for goods and services for these two fiscal years. Goods and services expenditures for these two fiscal years are provided in Table 1.

Table 1. Vote 1 Operating Expenditure (Goods and Services)

Expenditure Type	Expenditures for Fiscal Year Ending  March 31, 2009	Percentage of Total	Expenditures for Fiscal Year Ending March 31, 2010	Percentage of Total
Note: Percentages may not total due to rounding.
Acquisition Card Transactions	$1,886,094	3.6%	$2,430,844	3.9%
Other Goods and Services Transactions	$50,424,596	96.0%	$57,716,352	93.5%
Capital Assets	$29,662	0.1%	$1,262,940	2.0%
Other Vote 1 Balance Sheet Transactions	$149,303	0.3%	$322,392	0.5%
Total Vote 1 Operating Expenditure	$52,489,655	100%	$61,732,528	100%

Given the proposed increase in the use of such cards, the high level of public sensitivity, and the potential risk of misuse, the establishment of a sound MCF based on an appropriate risk assessment is required.

2.0 Audit Details

2.1 Objectives and scope

The objectives of the audit were to assess the adequacy and effectiveness of the MCF for acquisition cards within the Secretariat and ensure compliance with the Treasury Board Directive on Acquisition Cards and internal policies and procedures.

The audit focused on the following elements of the MCF:

• Objectives and goals;
• Accountabilities, roles, and responsibilities;
• Planning and risk management;
• Policies and procedures;
• Learning and training; and
• Monitoring and reporting.

Audit period

Acquisition card purchases from April 1, 2009 to March 31, 2010 were used to select a sample of cardholders and fund centre managers to test the current acquisition card management control and operating framework.

Scope exclusion

The audit did not address the account verification process used for reconciling the card statements nor the monthly processing of acquisition card payments. This was the subject of a recently conducted separate audit of account verification. This previous audit examined a representative sample of card payments by the Secretariat to assess the level of compliance with the applicable policy or directive on account verification.

2.2 Lines of enquiry

Included in the audit were the following two lines of enquiry:

• Management Control Framework: An MCF is in place to ensure that the Secretariat is properly administering its responsibilities regarding the Treasury Board Directive on Acquisition Cards and good management practices; and
• Compliance with the directive, guideline, and practices: Internal control activities and mechanisms are in place, are relevant, and address known risks.

The audit assessed whether management control activities and mechanisms were clearly defined, addressed known risks, were sufficient and effectively communicated, adequately monitored, and reported risks and major issues related to acquisition cards. The audit also assessed the level of compliance with applicable authorities through a detailed examination of a sample of purchases.

2.3 Approach and methodology

The audit approach and methodology was risk-based and followed the Internal Auditing Standards for the Government of Canada and the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing. These standards require that the audit be planned and performed in such a way as to obtain reasonable assurance that audit objectives are achieved. The audit included various tests considered necessary to provide such assurance, such as the following:

• Interviews with key personnel, preliminary research, review of key documents, observation of card processes and controls, a risk assessment exercise to identify potential risk exposure, data analysis of card purchases for trends, and a sample selection of purchases using computer-assisted audit techniques for further review. A sample of cardholders and fund centre managers was subsequently selected for further substantiation.
• Validation and assessment of the MCF elements as described in the scope. In addition, the key control processes applied to the administration of the cards were reviewed to assess the level of compliance with applicable authorities. The examination phase of this audit was conducted from January to March 2011.

3.0 Audit Results

3.1 Line of Enquiry: Management Control Framework

The audit expected that the Secretariat would have a sound MCF in place to provide reasonable assurance to management that the Secretariat's objectives for acquisition cards are achieved, to support effective decision making, and to flag significant control issues on a timely basis. It also expected that the MCF would be formally documented, maintained, and effectively communicated to all stakeholders involved in acquisition card activities.

The audit found that since the creation of a dedicated function in 2009, the Secretariat has undertaken a number of initiatives to develop key elements of an MCF. These initiatives related to considering the goals and objectives of the acquisition card activity and developing draft documents that define roles, responsibilities, and departmental procedures for card activities. Specifically, the audit found the following:

• Whereas government-wide objectives and goals have been broadly defined for the use of acquisition cards pursuant to Treasury Board's Directive on Acquisition Cards and Policy on Internal Control, a document that clearly defines Secretariat objectives and goals for acquisition cards has not been developed. The audit found evidence that objectives and goals have been considered and articulated within the CPMM group; an initial formal identification of the goal to increase card usage was stated in the Secretariat's Report on Plans and Priorities.
• Accountabilities, roles, and responsibilities for key stakeholders have been defined at the Secretariat level in draft documents; however, they have not yet been approved or communicated within the Secretariat, resulting in a variety of practices being used throughout the department. The audit found that there have been discussions to clarify specific accountabilities between the procurement and accounting services groups. The audit noted that cardholders were generally aware of their responsibilities regarding the use of acquisition cards.
• The audit also found that there was a formal and documented organization structure to support the acquisition card activity, once fully staffed. However, the audit could not assess whether the organizational structure is sufficient to effectively support this activity because of lack of clarity regarding roles and responsibilities. With respect to internal policies, procedures and guidelines, the audit found that there is a series of internal documents, a few which are now in use, with the rest in draft form awaiting formal approval to be implemented and communicated to card users. Cardholders and fund centre managers interviewed followed a variety of practices based on previous work experience in other government organizations.

Further work is required to ensure clarity and completeness with respect to goals and objectives, roles and responsibilities, and processes and procedures. These documents need to be finalized, approved, and communicated to all employees involved in acquisition card activities.

The audit found that some of the key elements of a sound MCF were not in place to support acquisition card activities within the Secretariat. The missing elements pertained to planning and risk management, monitoring and reporting, and learning and training as follows:

• A risk assessment exercise was not undertaken within CPMM with respect to acquisition cards. As part of an assessment conducted in 2007 by an external consultant, the acquisition cards process was identified as immaterial for financial audit readiness purposes. Given the degree of organizational and process changes that have occurred since that assessment and recent initiatives to increase the use of acquisition cards at the Secretariat, a more fulsome and up-to-date risk assessment is warranted.
• Although certain training and guidance exist, such as mandatory green procurement training to promote environmentally friendly purchases, there was no clearly defined or documented training program for individuals who have acquisition card responsibilities. There is a general awareness of responsibilities based on previous experiences and ad hoc practices in place throughout the Secretariat. Training is important to ensure consistent application of the Secretariat's internal policies and procedures in order to minimize errors and potential misuse. It was noted that the completion of the series of documentation mentioned in the preceding would help create the foundation for a training program.  
• In addition to training, there was an interest expressed by cardholders and fund centre managers in using the Secretariat's intranet to facilitate access to information and documentation in situations that require direction or clarity. This is particularly important for individuals who are new to acquisition card activities or who do not perform such activities frequently and need to refer to a process in order to ensure compliance.
• The audit also found that with respect to monitoring and reporting practices, there was no established process to perform regular monitoring activities using the information and tools available in the departmental information technology systems to track errors, misuse, or recurring issues and report on management practices, controls, and results to senior management for resolution.

Without improvements to the current MCF, the ability to identify and mitigate risks is impeded, increasing the potential for errors and abuse, particularly in an organization that intends to increase the use of acquisition cards to procure goods and services and use such cards to make payments against contracts and purchase orders.  

Recommendations

It is recommended that the Assistant Secretary, Corporate Services Sector, undertake the following:

• 1. Finalize and formally approve draft documents relating to accountabilities, roles, responsibilities, procedures, guidelines, and related documents and make these accessible to stakeholders. Priority ranking: High
• 2. Develop, document, and institute a training program, planning and risk management, and monitoring and reporting activities to effectively support acquisition card activities within the Secretariat. Priority ranking: High

3.2 Line of Enquiry: Compliance With the Relevant Directive, Guidelines and Practices

It is expected that risks relating to the stewardship of public resources are adequately managed through effective controls, including internal controls over financial reporting. The audit expected to find that card activities would be performed in a manner that is compliant with applicable authorities.

Overall, the audit found that general compliance with authorities was largely due to employees' general awareness of responsibilities based on previous work experience in other government departments and ad hoc practices in place throughout the Secretariat.

The audit found that the issuance and renewal of acquisition cards, as well as card usage and security, were generally compliant with the Treasury Board Directive on Acquisition Cards. However, weaknesses were noted in the knowledge of cardholders on types of allowable purchases, errors in classifying purchases for financial reporting, and inconsistent application of issued processes. In the opinion of the audit team, these errors would have been addressed if appropriate training had been provided, adequate procedures had been accessible to users, and monitoring activities had been in place.

The audit also found that oversight over the cancellation of cards on employee departure or transfer of cardholder responsibilities was weak. There was heavy reliance on the cardholder or fund centre manager to notify an individual in the CPMM group of a departure or requirement to cancel a card. The controls over ensuring that cards are cancelled on a timely basis would be strengthened if the individuals responsible for cancellation processes use the departmental information technology systems to identify cardholder departures or potential situations where a cardholder has changed positions within the department.

Recommendation

• 3. It is recommended that the Assistant Secretary, CSS, strengthen controls over card cancellation, using the information and tools available in the departmental information technology systems. Priority ranking: Medium

3.3 Overall Conclusion

The audit recognizes the significant efforts made by the Administration and Security Directorate, Corporate Services Sector, in developing elements of an MCF since its creation in February 2009.

We conclude with a reasonable level of assurance that, although the Secretariat is generally compliant with the Treasury Board Directive on Acquisition Cards, attention is required to address key elements of the MCF for acquisition cards. Specifically, there is a need to:

• Finalize draft documents pertaining to accountabilities, roles, and responsibilities and communicate them to stakeholders;
• Finalize draft procedures, guidelines, and related documents, and make them accessible to employees for their use;
• Identify training needs and implement a training program; and
• Develop, document, and implement planning, risk management, monitoring, and reporting mechanisms.

Regarding compliance with the Treasury Board Directive on Acquisition Cards, opportunities exist to strengthen control with respect to timely card cancellation.

Appendix A: Audit Criteria

Line of Enquiry 1: The Management Control Framework for Acquisition Cards

Line of Enquiry 2: Compliance With the Relevant Directive, Guidelines and Practices

Appendix B: Management Action Plan

Recommendation 1:

It is recommended that the Assistant Secretary, Corporate Services Sector finalize and formally approve draft documents relating to accountabilities, roles, responsibilities, procedures, guidelines, and related documents and make these accessible to stakeholders.

Priority Ranking: High

Management Action	Completion Date	Office of Primary Interest (OPI)
CSS agrees with the findings and recommendation
CSS will integrate the management of the acquisition card function with the Financial Management Division (FMD) while retaining an oversight role with Contracting and Procurement (CPMM)	September 2011	CSS/FMD
Draft documents will be finalized, approved and promulgated.	March 2012

Recommendation 2:

It is recommended that the Assistant Secretary, Corporate Services Sector develop, document, and institute a training program, planning and risk management, and monitoring and reporting activities to effectively support the acquisition card activities within the Secretariat.

Priority Ranking: High

Management Action	Completion Date	Office of Primary Interest (OPI)
CSS agrees with the findings and recommendations.
Training and guidance will be incorporated into existing programs and products. This will ensure consistency and have one common contact within CSS.	September  2011	CSS/FMD
The 2007 Deloitte assessment will be reviewed in light of the planned increased usage of the card and a new risk assessment will be developed.	March 2012
Acquisition card monitoring and reporting processes will be integrated into the continuous monitoring program that FMD is currently developing.	March 2012

Recommendation 3:

It is recommended that the Assistant Secretary, CSS, strengthen the controls over card cancellation, using the information and tools available in the departmental information technology systems.

Priority Ranking: Medium

Management Action	Completion Date	Office of Primary Interest (OPI)
CSS agrees with the findings and recommendation
CSS will strengthen the controls over card cancellation by:		CSS/FMD
Ensuring the Contracting and Procurement staff is notified when TRINET receives an electronic "Employee Departure" notification so that they can verify whether there is an acquisition card to be accounted for and taking cancellation action, if required. Note this process will be transferred to FMD.	Completed
Augment current credit card processes and monitoring activities (such as AMEX travel card) to include acquisition cards.	March 2012