Archived - Audit of Acquisition Cards
Internal Audit and Evaluation
Department of Finance Canada
Approved by the Deputy Minister of Finance Canada on the recommendation of the
Audit and Evaluation Committee on December 8, 2014
Statement of Conformance and Audit Approach
Appendix A - List of Employees Interviewed
Appendix B – Key Information Reviewed
Appendix C – Sampling Methodology
The Audit of Acquisition Cards was authorized as part of the Department of Finance’s (the Department) 2014-17 Internal Audit Plan, which was approved by the Deputy Minister at the departmental Audit and Evaluation Committee meeting on May 26, 2014.
Acquisition cards provide a convenient and practical method of procuring and paying for goods and services, while maintaining effective financial control. The use of acquisition cards is governed by the Treasury Board Directive on Acquisition Cards (the Directive) and the Financial Administration Act (FAA).
The audit objective was to assess the adequacy and effectiveness of the management control framework for acquisition cards, including compliance with relevant government policies.
The audit concluded that the Department has a management control framework in place for acquisition cards and that transactions are generally compliant with the requirements. Opportunities exist to align credit and transaction limits on acquisition cards with business needs; and document expenditure initiation approval for all acquisition card purchases.
The Audit of Acquisition Cards is part of the Department of Finance’s (the Department) 2014-17 Internal Audit Plan, which was approved by the Deputy Minister at the departmental Audit and Evaluation Committee meeting on May 26, 2014.
Acquisition cards provide a convenient and practical method of procuring and paying for goods and services, while maintaining effective financial control. The use of acquisition cards simplifies the purchases of low-risk goods and services, offering the potential to generate savings in procurement and expenditure processing. Acquisition card transactions are governed by the Treasury Board Directive on Acquisition Cards (the Directive) and the Financial Administration Act (FAA).
Departmental standards for acquisition card transactions include monthly limits of $5,000 and daily transaction limits of $2,500. Individual acquisition card credit limits may differ from the departmental standards, based on user requirements and Fund Centre Manager approval. According to the Directive, acquisition cards are to be used for authorized official purchases of goods, services and pre-approved hospitality expenditures. Acquisition cards are not to be used for certain specified categories of expenditures, such as cash advances, vehicle expenses and travel expenses. The Bank of Montreal MasterCard is the standard acquisition card used in the Department.
The Contracting and Procurement Division, Corporate Services Branch (CSB), provides a centralized service to clients and administers the Department’s acquisition card program. Management of the acquisition card program, including authorization of card issuance and ensuring monitoring of acquisition cards, is the responsibility of the departmental acquisition card coordinator. In the Department, this role resides with the Director of Contracting and Procurement within CSB.
The Department has a memorandum of understanding, effective April 1, 2010, with the Treasury Board of Canada Secretariat (TBS) for the provision of accounting services. TBS Accounting Services is responsible for the reconciliation and payment of monthly cardholder statements on a consolidated basis for the Department.
For the three fiscal years included in the scope of the audit, the total acquisition card expenditures were approximately $3.0M. As of March 31, 2014, there were 88 acquisition cards assigned within the Department.
To assess the adequacy and effectiveness of the management control framework for acquisition cards, including compliance with relevant government policies.
The audit scope included all departmental MasterCard acquisition cards transactions for fiscal years 2011–12, 2012–13 and 2013–14.
The scope did not include:
- VISA and ARI* card transactions due to their limited number and low materiality; and
- AMEX card transactions because of their distinct purpose for travel-related expenditures.
*ARI fleet cards are used for authorized purchases of supplies and services essential to the operation of the Department’s vehicles.
The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, as supported by the results of the Quality Assurance and Improvement Program.
The audit was planned and performed so as to obtain reasonable assurance that the audit objective was achieved. During the audit, appropriate procedures were followed and sufficient evidence was obtained to support the accuracy of findings and the overall audit opinion presented in this report. The findings are based on a comparison of the conditions, as they existed at the time of the audit, with the audit criteria identified in this report, which were accepted by management. The opinion applies only to the entity examined.
Audit procedures included, but were not limited to, interviews, review of supporting documentation, walkthroughs, data analytics using ACL, and detailed testing of a sample of acquisition card transactions. The audit criteria used to develop the required audit tests were based on (1) the Treasury Board Directive on Acquisition Cards, and (2) relevant elements of the Office of the Comptroller General’s Audit Criteria Related to the Management Accountability Framework, and (3) the Receiver General Manual Chapter 9 (Government of Canada Acquisition Card Program).
Nineteen individuals (listed in Appendix A) were interviewed for this audit. These individuals were consulted on one or more criteria, and with different levels of depth, depending on their role in the acquisition card program. The audit team also conducted a review and analysis of applicable authorities and policies, as well as financial and non-financial documents from various relevant sources. A list of key information reviewed is provided in Appendix B.
The audit approach allowed for the audit findings to be communicated so as to enable management to review and provide feedback on the findings and conclusions before they were finalized.
The audit concluded that the Department has a management control framework in place for acquisition cards and that transactions are generally compliant with the applicable requirements.
In particular, the following good management practices were noted:
- Procedures, guidelines, and tools are in place in the Department and support the administration of the acquisition card program.
- Performance of the responsibilities of the departmental card coordinator is in accordance with the Directive.
- Monitoring mechanisms are in place to review acquisition card transactions.
- Controls are in place to ensure that acquisition card transactions are in compliance with applicable requirements.
Although the acquisition card program within the Department is well managed, opportunities for further improvement were noted in the following areas:
- Aligning credit and transaction limits on acquisition cards with business needs; and
- Documenting expenditure initiation approval for all acquisition cards purchases.
The assessments in this section summarize the audit observations based on the evidence gathered and analyzed during the audit. Based on these assessments, issues and themes along with potential causes, impacts, management initiatives and recommendations are summarized in the “Recommendation and Management Action Plan” section.
The “Findings by Audit Criteria” section includes the approach used for the assessment of risk exposure in audit reports. Taking into consideration audit findings and mitigating controls in place in relation to the audit criteria, residual risk exposure for each audit criterion is categorized as high, medium or low.
These risk ranking levels correspond to residual risk exposure, which auditors believe may impact the achievement of organizational objectives. The risk levels also take into consideration the levels of resources required to successfully implement corrective actions. The following describes the standards used to establish the residual risk exposure:
Findings by Audit Criteria
|Criteria||Residual Risk Exposure||Assessment|
|The Department has a management control framework in place to effectively administer the use of acquisition cards.||Low||
The Department has a management control framework in place to administer the use of acquisition cards. However, an opportunity for improvement exists in aligning credit and transaction limits on acquisition cards with business needs.
The acquisition cards program includes several processes and involves different key players such as the departmental card coordinator, the cardholders, the fund center managers and the accounting service provider. A sound control framework helps organizations address the potential risk exposures during each step of the acquisition cards process. It is expected that the control framework would create an environment where the confidence in each step of the process will be increased by the presence of additional and complementary controls in the other steps or sub-processes involved.
To determine the effectiveness of the control framework in place for acquisition cards the auditors interviewed key individuals, surveyed a number of cardholders, conducted walkthroughs of the processes in place, reviewed documents, and analyzed financial reports from the BMO online system.
Procedures, guidelines and tools
The audit found that procedures, guidelines, and tools are in place in the Department and support the administration of the acquisition card program. In particular, the audit noted the following sources of key information: a section in the Manager’s Guide to Contracting, request form, presentations and an information kit for new cardholders. The audit also found that communication channels to report on errors are in place and used. Information on improvement areas related to the acquisition card process are shared during Financial Management information sessions. Cardholders are also individually contacted when there are issues with their paperwork, resulting in more diligence in the subsequent submission of their monthly statements.
While procedures, guidelines and tools exist, the audit found that key information is not being consistently used by cardholders. The Contracting and Procurement Section is currently working on a guidance document for acquisition cards. This guidance document, once shared, may increase awareness of the requirements and help ensure consistent use among cardholders.
Administration of cards and setting of credit and transaction limits
The audit confirmed the performance of the responsibilities of the departmental card coordinator in accordance with the Directive. In particular, the audit noted that the cardholders’ database was up-to-date and that the requests for cancellation of acquisition cards were processed in a timely manner. The analysis of a sample of acquisition card request forms showed that some of them were not properly processed; resulting in cards being assigned incorrect transaction limits.
Documentation regarding the monitoring procedures and examples of monitoring activities were reviewed for validation purposes. The audit found that monitoring procedures are documented and were recently updated, along with the list of cards that have been reviewed. The audit also noted that monitoring mechanisms are in place to review transactions for the purpose of identifying and addressing cases of misuse. Furthermore, the audit noted that another section within the branch conducts a reconciliation of payments made to the financial institution and departmental expense accounts. However, it was noted that reviews of card and transaction limits were conducted on an “as needed basis” and that periodic reviews were not performed to ensure that departmental acquisition cards were meeting operational needs. In particular, the analysis of the population of transactions in the audit scope showed that credit and transaction limits on some cards were in excess of business needs based on purchasing history.
To further enhance the framework in place, the audit recommends reviewing periodically the credit and transaction limits of acquisition cards.
|Acquisition card usage and transactions are in compliance with applicable Directives, relevant legislation, and departmental guidance.||Low||
Overall, the Department’s acquisition card transactions are in compliance with the applicable requirements. However, an opportunity for improvement exists in documenting expenditure initiation approval for acquisition card purchases.
Compliance requires that expenditures be properly pre-authorized, in line with the TB Directive on Acquisition Cards, adequately approved by a delegated financial authority with supporting documents, and verified prior to payment.
For compliance testing, the auditors used a data analytics software to analyze the population of acquisition card transactions in the scope of the audit. A sample of 85 transactions was selected for detailed testing. The audit approach focused on the key controls in place and compliance with the applicable requirements such as the Financial Administration Act (FAA), the Directive and the departmental guidance. Details of the sampling methodology can be found in Appendix C.
The audit noted that the Department follows the Directive and has developed its own guidance. The detailed review of the selected sample of transactions showed a high level of compliance with the requirements. Also, the audit tested whether cardholders obtained sufficient and appropriate expenditure initiation approval before making purchases. The audit found that while most of the transactions reviewed had a documented expenditure initiation approval, there were cases where such documentation was missing. Furthermore, the audit verified whether the acquisition card statements were properly certified under Section 34 of the FAA. Testing results showed that the statements reviewed were properly certified under Section 34. Finally, for Section 33 testing, two consolidated departmental monthly payments to BMO were selected for review. These consolidated statements were properly certified and their related disbursement was subsequently authorized under Section 33 of the FAA.
To further increase compliance the audit recommends that measures be taken to ensure that expenditure initiation approval is documented for all acquisition card purchases.
The following section summarizes the audit findings based on their causes, highlights their impact and presents the audit recommendations with the corresponding timeframes.
The implementation timeframes are assigned as follows:
- Short term: implementation of the audit recommendation is expected within 6 months from the approval of the audit report;
- Medium term: implementation of the audit recommendation is expected within 6 to 12 months from the approval of the audit report; and
- Long term: implementation of the audit recommendation is expected to take more than 12 months from the approval of the audit report.
When applicable, relevant management initiatives already underway are included.For each recommendation, management has provided the following:
- An action plan that addresses the recommendation;
- The position responsible for implementing the action plan; and
- The target date for completion.
Observations and Impact
A sound control framework helps organizations address the potential risk exposures during each step of the acquisition cards process. As such, the existence of robust information sharing and monitoring mechanisms contributes to increasing effectiveness of the departmental control framework.
The audit noted that a structured and periodic review of transaction and credit limits on acquisition cards was not conducted as part of the current regime.
The absence of a regular review of the credit and transaction limits could lead to unnecessary financial risk stemming from potential misuse of high limits. In this regard, Chapter 9 of the Receiver General manual recommends a periodic verification of card usage and appropriateness of cardholder credit limits.
The audit recommends that the Contracting and Procurement Section review on a periodic basis the credit and transaction limits of departmental acquisition cards based on the business needs, ensuring as such that cardholders have the appropriate limits on their cards.
Recommended timeframe for implementation: 6 months
The Contracting and Procurement Section will conduct a review of credit and transaction limits of departmental acquisition cards on a quarterly basis. The objective of the review will be to ensure that limits are based on cardholder business needs. Reviews will be conducted within 60 days of the end of each quarter, beginning the second quarter of 2014/15.
Position responsible: Director, Contracting and Procurement
Timeframe for implementation: less than 6 months
Observations and Impact
According to the TB Directive on Acquisition Cards, cardholders must obtain sufficient and appropriate authorization before making purchases. In addition, according to Chapter 9 of the Receiver General manual, expenditure initiation approval for acquisition card purchases must be documented.
The audit found that expenditure initiation approval was not systematically documented in the acquisition card files reviewed, especially in the case of small dollar purchases.
Not reinforcing the importance of documenting such approval may lead to inappropriate use of acquisition cards and risk of non-compliance. It is worth noting that the Receiver General manual states that a blanket authority can be provided for small dollar purchases such as office supplies, which could then be included in the monthly statement package as proof of expenditure initiation.
The audit recommends that Contracting and Procurement Section undertake measures to ensure that expenditure initiation approval is documented for all acquisition card purchases.
Recommended timeframe for implementation: 6 months
The Contracting and Procurement Section is developing a guidance document for cardholders and managers on the use of acquisition cards. This guidance document, once shared, aims to increase awareness of the requirements and help to ensure consistent use among cardholders.
The Contracting and Procurement Section will communicate directly to all cardholders to advise them of the requirement to obtain and document expenditure initiation approval in advance of all acquisition card purchases. The use of blanket authorities will be recommended where appropriate.
Position responsible: Director, Contracting and Procurement
Timeframe for implementation: less than 6 months
Corporate Services Branch
- Director, Contracting and Procurement, Financial Management Directorate
- Team Leader, Contracting and Procurement, Financial Management Directorate
- Senior Contracting Officer, Contracting and Procurement, Financial Management Directorate
- Contracting Officer, Contracting and Procurement, Financial Management Directorate
- Executive Officer, Information Management and Technology Directorate
- Manager, Departmental Reporting, Financial Management Directorate
Economic Development and Corporate Finance Branch
- Administrative Assistant, Microeconomic Policy Analysis
Economic and Fiscal Policy Branch
- Acting Executive Assistant, Assistant Deputy Minister’s Office
- Administrative Assistant, Office of Values and Ethics
Tax Policy Branch
- Administrative Coordinator, Sales Tax Division
Consultations and Communications Branch
- Design and Publishing Officer, Public Affairs and Operations Division
Federal-Provincial Relations and Social Policy Branch
- Administrative Assistant, Social Policy
International Trade and Finance Branch
- Executive Assistant/Office Manager, Assistant Deputy Minister's Office
- Senior Director, Financial Planning & Resource Management
- Director, Accounting Services and Management Practices
- Manager, Accounting Services
- Financial Planning Analyst, Accounts Payable
- Financial Planning Analyst, Accounting Services and Management Practices
- Client Relationship Manager, Treasury & Payment Solutions
Legislation, Policies and Guidelines
- Financial Administration Act
- Treasury Board Directive on Acquisition Cards
- Treasury Board Contracting Policy
- Treasury Board Directive on Expenditure Initiation and Commitment Control
- Treasury Board Directive on Account Verification
- Treasury Board Guideline on Common Financial Management Business Process – Manage Administration of Acquisition and Fleet Cards and Business Process Model
- PWGSC Receiver General Manual Chapter 9, Government of Canada Acquisition Card Program
Documents Specific to the Department of Finance
- Presentations on the Acquisition Card Program
- Financial Signing Authorities Manual and Delegation of Financial Signing Authorities Instrument
- Manager’s Guide to Contracting
- Memorandum of Understanding between Finance Canada and the Treasury Board of Canada Secretariat for the Provision of Financial and Administrative Shared Services
- Office of the Comptroller General’s “Using ACL to Analyze Acquisition Cards Controls”
- Office of the Comptroller General’s Audit Criteria Related to the Management Accountability Framework
- Office of the Comptroller General’s Core Control Audit Criteria OAG Public Accounts Audit Results for the year ended March 31, 2013
- Integrated Financial and Material System(IFMS-SAP) – data related to departmental acquisition cards (FY 2011-14)
- BMO Online System – data related to the departmental acquisition cards (FY 2011-14)
The audit team obtained a population of 9305 acquisition card transaction data for the three fiscal years in the scope of the audit directly from the BMO Details Online System. The data was then analyzed in ACL using OCG scripts. A sample of 85 transaction was chosen as follows:
- 10 acquisition card transactions chosen randomly using ACL from the full population of transaction data, and
- 75 acquisition card transactions selected judgmentally, based on the ACL stratification of higher-risk areas for compliance risk
|Stratification||Number of transactions tested|
|Duplicate Card Number||8|
|Multiples of $100||2|
|Possible Questionable Expenses||4|
|Possible Duplicate Records||9|
|Other Government Department||2|
|Split Card Vendor Date||19|
- Michelle Langlois, B. Comm, CPA, CA, CIA, Senior Financial Auditor, Internal Audit and Evaluation
- Randa Kassis, B. Soc. Sc., Senior Auditor, Internal Audit and Evaluation
- Abdillahi Roble, MBA, CPA, CGA, CIA, CRMA Director, Internal Audit Operations and Practice Management, Internal Audit and Evaluation
- Christian Kratchanov, MBA, CIA, CMC, CRMA, Chief Audit Executive and Head of Evaluation, Internal Audit and Evaluation
Report a problem or mistake on this page
- Date modified: