Archived - Audit of Acquisition Cards

Prepared by
Internal Audit and Evaluation
Department of Finance Canada

Approved by the Deputy Minister of Finance Canada on the recommendation of the
Audit and Evaluation Committee on December 8, 2014

Executive Summary

Background

Audit Objective and Scope

Statement of Conformance and Audit Approach

Conclusion

Findings by Audit Criteria

Appendix A - List of Employees Interviewed

Appendix B – Key Information Reviewed

Appendix C – Sampling Methodology

Appendix D – Members of the Audit Team

The Audit of Acquisition Cards was authorized as part of the Department of Finance’s (the Department) 2014-17 Internal Audit Plan, which was approved by the Deputy Minister at the departmental Audit and Evaluation Committee meeting on May 26, 2014.

Acquisition cards provide a convenient and practical method of procuring and paying for goods and services, while maintaining effective financial control. The use of acquisition cards is governed by the Treasury Board Directive on Acquisition Cards (the Directive) and the Financial Administration Act (FAA).

The audit objective was to assess the adequacy and effectiveness of the management control framework for acquisition cards, including compliance with relevant government policies.

The audit concluded that the Department has a management control framework in place for acquisition cards and that transactions are generally compliant with the requirements. Opportunities exist to align credit and transaction limits on acquisition cards with business needs; and document expenditure initiation approval for all acquisition card purchases.

The Audit of Acquisition Cards is part of the Department of Finance’s (the Department) 2014-17 Internal Audit Plan, which was approved by the Deputy Minister at the departmental Audit and Evaluation Committee meeting on May 26, 2014.

Acquisition cards provide a convenient and practical method of procuring and paying for goods and services, while maintaining effective financial control. The use of acquisition cards simplifies the purchases of low-risk goods and services, offering the potential to generate savings in procurement and expenditure processing. Acquisition card transactions are governed by the Treasury Board Directive on Acquisition Cards (the Directive) and the Financial Administration Act (FAA).

Departmental standards for acquisition card transactions include monthly limits of $5,000 and daily transaction limits of $2,500. Individual acquisition card credit limits may differ from the departmental standards, based on user requirements and Fund Centre Manager approval. According to the Directive, acquisition cards are to be used for authorized official purchases of goods, services and pre-approved hospitality expenditures. Acquisition cards are not to be used for certain specified categories of expenditures, such as cash advances, vehicle expenses and travel expenses. The Bank of Montreal MasterCard is the standard acquisition card used in the Department.

The Contracting and Procurement Division, Corporate Services Branch (CSB), provides a centralized service to clients and administers the Department’s acquisition card program. Management of the acquisition card program, including authorization of card issuance and ensuring monitoring of acquisition cards, is the responsibility of the departmental acquisition card coordinator. In the Department, this role resides with the Director of Contracting and Procurement within CSB.

The Department has a memorandum of understanding, effective April 1, 2010, with the Treasury Board of Canada Secretariat (TBS) for the provision of accounting services. TBS Accounting Services is responsible for the reconciliation and payment of monthly cardholder statements on a consolidated basis for the Department.

For the three fiscal years included in the scope of the audit, the total acquisition card expenditures were approximately $3.0M. As of March 31, 2014, there were 88 acquisition cards assigned within the Department.

To assess the adequacy and effectiveness of the management control framework for acquisition cards, including compliance with relevant government policies.

The audit scope included all departmental MasterCard acquisition cards transactions for fiscal years 2011–12, 2012–13 and 2013–14.

The scope did not include:

*ARI fleet cards are used for authorized purchases of supplies and services essential to the operation of the Department’s vehicles.

The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, as supported by the results of the Quality Assurance and Improvement Program.

The audit was planned and performed so as to obtain reasonable assurance that the audit objective was achieved. During the audit, appropriate procedures were followed and sufficient evidence was obtained to support the accuracy of findings and the overall audit opinion presented in this report. The findings are based on a comparison of the conditions, as they existed at the time of the audit, with the audit criteria identified in this report, which were accepted by management. The opinion applies only to the entity examined.

Audit procedures included, but were not limited to, interviews, review of supporting documentation, walkthroughs, data analytics using ACL, and detailed testing of a sample of acquisition card transactions. The audit criteria used to develop the required audit tests were based on (1) the Treasury Board Directive on Acquisition Cards, and (2) relevant elements of the Office of the Comptroller General’s Audit Criteria Related to the Management Accountability Framework, and (3) the Receiver General Manual Chapter 9 (Government of Canada Acquisition Card Program).

Nineteen individuals (listed in Appendix A) were interviewed for this audit. These individuals were consulted on one or more criteria, and with different levels of depth, depending on their role in the acquisition card program. The audit team also conducted a review and analysis of applicable authorities and policies, as well as financial and non-financial documents from various relevant sources. A list of key information reviewed is provided in Appendix B.

The audit approach allowed for the audit findings to be communicated so as to enable management to review and provide feedback on the findings and conclusions before they were finalized.

The audit concluded that the Department has a management control framework in place for acquisition cards and that transactions are generally compliant with the applicable requirements.

In particular, the following good management practices were noted:

Although the acquisition card program within the Department is well managed, opportunities for further improvement were noted in the following areas:

The assessments in this section summarize the audit observations based on the evidence gathered and analyzed during the audit. Based on these assessments, issues and themes along with potential causes, impacts, management initiatives and recommendations are summarized in the “Recommendation and Management Action Plan” section.

The “Findings by Audit Criteria” section includes the approach used for the assessment of risk exposure in audit reports. Taking into consideration audit findings and mitigating controls in place in relation to the audit criteria, residual risk exposure for each audit criterion is categorized as high, medium or low.

These risk ranking levels correspond to residual risk exposure, which auditors believe may impact the achievement of organizational objectives. The risk levels also take into consideration the levels of resources required to successfully implement corrective actions. The following describes the standards used to establish the residual risk exposure:

High
Serious impact that requires immediate attention and action (extensive management efforts are required; problems are costly and difficult to repair, if repairable).
Medium
Significant impact that requires ongoing monitoring to ensure risk is contained to an acceptable level (considerable management efforts are required; problems are manageable with management action and investment).
Low
Little impact (limited effort from management is required and low level of investment is needed to address the problems).

Findings by Audit Criteria

Criteria Residual Risk Exposure Assessment
1. Controls
The Department has a management control framework in place to effectively administer the use of acquisition cards. Low

The Department has a management control framework in place to administer the use of acquisition cards. However, an opportunity for improvement exists in aligning credit and transaction limits on acquisition cards with business needs.

The acquisition cards program includes several processes and involves different key players such as the departmental card coordinator, the cardholders, the fund center managers and the accounting service provider. A sound control framework helps organizations address the potential risk exposures during each step of the acquisition cards process. It is expected that the control framework would create an environment where the confidence in each step of the process will be increased by the presence of additional and complementary controls in the other steps or sub-processes involved.

To determine the effectiveness of the control framework in place for acquisition cards the auditors interviewed key individuals, surveyed a number of cardholders, conducted walkthroughs of the processes in place, reviewed documents, and analyzed financial reports from the BMO online system.

Procedures, guidelines and tools

The audit found that procedures, guidelines, and tools are in place in the Department and support the administration of the acquisition card program. In particular, the audit noted the following sources of key information: a section in the Manager’s Guide to Contracting, request form, presentations and an information kit for new cardholders. The audit also found that communication channels to report on errors are in place and used. Information on improvement areas related to the acquisition card process are shared during Financial Management information sessions. Cardholders are also individually contacted when there are issues with their paperwork, resulting in more diligence in the subsequent submission of their monthly statements.

While procedures, guidelines and tools exist, the audit found that key information is not being consistently used by cardholders. The Contracting and Procurement Section is currently working on a guidance document for acquisition cards. This guidance document, once shared, may increase awareness of the requirements and help ensure consistent use among cardholders.

Administration of cards and setting of credit and transaction limits

The audit confirmed the performance of the responsibilities of the departmental card coordinator in accordance with the Directive. In particular, the audit noted that the cardholders’ database was up-to-date and that the requests for cancellation of acquisition cards were processed in a timely manner. The analysis of a sample of acquisition card request forms showed that some of them were not properly processed; resulting in cards being assigned incorrect transaction limits.

Monitoring

Documentation regarding the monitoring procedures and examples of monitoring activities were reviewed for validation purposes. The audit found that monitoring procedures are documented and were recently updated, along with the list of cards that have been reviewed. The audit also noted that monitoring mechanisms are in place to review transactions for the purpose of identifying and addressing cases of misuse. Furthermore, the audit noted that another section within the branch conducts a reconciliation of payments made to the financial institution and departmental expense accounts. However, it was noted that reviews of card and transaction limits were conducted on an “as needed basis” and that periodic reviews were not performed to ensure that departmental acquisition cards were meeting operational needs. In particular, the analysis of the population of transactions in the audit scope showed that credit and transaction limits on some cards were in excess of business needs based on purchasing history.

To further enhance the framework in place, the audit recommends reviewing periodically the credit and transaction limits of acquisition cards.

2. Compliance
Acquisition card usage and transactions are in compliance with applicable Directives, relevant legislation, and departmental guidance. Low

Overall, the Department’s acquisition card transactions are in compliance with the applicable requirements. However, an opportunity for improvement exists in documenting expenditure initiation approval for acquisition card purchases.

Compliance requires that expenditures be properly pre-authorized, in line with the TB Directive on Acquisition Cards, adequately approved by a delegated financial authority with supporting documents, and verified prior to payment.

For compliance testing, the auditors used a data analytics software to analyze the population of acquisition card transactions in the scope of the audit. A sample of 85 transactions was selected for detailed testing. The audit approach focused on the key controls in place and compliance with the applicable requirements such as the Financial Administration Act (FAA), the Directive and the departmental guidance. Details of the sampling methodology can be found in Appendix C.

The audit noted that the Department follows the Directive and has developed its own guidance. The detailed review of the selected sample of transactions showed a high level of compliance with the requirements. Also, the audit tested whether cardholders obtained sufficient and appropriate expenditure initiation approval before making purchases. The audit found that while most of the transactions reviewed had a documented expenditure initiation approval, there were cases where such documentation was missing. Furthermore, the audit verified whether the acquisition card statements were properly certified under Section 34 of the FAA. Testing results showed that the statements reviewed were properly certified under Section 34. Finally, for Section 33 testing, two consolidated departmental monthly payments to BMO were selected for review. These consolidated statements were properly certified and their related disbursement was subsequently authorized under Section 33 of the FAA.

To further increase compliance the audit recommends that measures be taken to ensure that expenditure initiation approval is documented for all acquisition card purchases.

The following section summarizes the audit findings based on their causes, highlights their impact and presents the audit recommendations with the corresponding timeframes.

The implementation timeframes are assigned as follows:

When applicable, relevant management initiatives already underway are included.For each recommendation, management has provided the following:

Observations and Impact

A sound control framework helps organizations address the potential risk exposures during each step of the acquisition cards process. As such, the existence of robust information sharing and monitoring mechanisms contributes to increasing effectiveness of the departmental control framework.

The audit noted that a structured and periodic review of transaction and credit limits on acquisition cards was not conducted as part of the current regime.

The absence of a regular review of the credit and transaction limits could lead to unnecessary financial risk stemming from potential misuse of high limits. In this regard, Chapter 9 of the Receiver General manual recommends a periodic verification of card usage and appropriateness of cardholder credit limits.

Recommendation

The audit recommends that the Contracting and Procurement Section review on a periodic basis the credit and transaction limits of departmental acquisition cards based on the business needs, ensuring as such that cardholders have the appropriate limits on their cards.

Recommended timeframe for implementation: 6 months

Agreed.

The Contracting and Procurement Section will conduct a review of credit and transaction limits of departmental acquisition cards on a quarterly basis. The objective of the review will be to ensure that limits are based on cardholder business needs. Reviews will be conducted within 60 days of the end of each quarter, beginning the second quarter of 2014/15.

Position responsible: Director, Contracting and Procurement

Timeframe for implementation: less than 6 months

Observations and Impact

According to the TB Directive on Acquisition Cards, cardholders must obtain sufficient and appropriate authorization before making purchases. In addition, according to Chapter 9 of the Receiver General manual, expenditure initiation approval for acquisition card purchases must be documented.

The audit found that expenditure initiation approval was not systematically documented in the acquisition card files reviewed, especially in the case of small dollar purchases.

Not reinforcing the importance of documenting such approval may lead to inappropriate use of acquisition cards and risk of non-compliance. It is worth noting that the Receiver General manual states that a blanket authority can be provided for small dollar purchases such as office supplies, which could then be included in the monthly statement package as proof of expenditure initiation.

Recommendation

The audit recommends that Contracting and Procurement Section undertake measures to ensure that expenditure initiation approval is documented for all acquisition card purchases.

Recommended timeframe for implementation: 6 months

Agreed.

The Contracting and Procurement Section is developing a guidance document for cardholders and managers on the use of acquisition cards. This guidance document, once shared, aims to increase awareness of the requirements and help to ensure consistent use among cardholders.

The Contracting and Procurement Section will communicate directly to all cardholders to advise them of the requirement to obtain and document expenditure initiation approval in advance of all acquisition card purchases. The use of blanket authorities will be recommended where appropriate.

Position responsible: Director, Contracting and Procurement

Timeframe for implementation: less than 6 months

Corporate Services Branch

Economic Development and Corporate Finance Branch

Economic and Fiscal Policy Branch

Law Branch

Tax Policy Branch

Consultations and Communications Branch

Federal-Provincial Relations and Social Policy Branch

International Trade and Finance Branch

Legislation, Policies and Guidelines

Documents Specific to the Department of Finance

Other Documents

Information Systems

The audit team obtained a population of 9305 acquisition card transaction data for the three fiscal years in the scope of the audit directly from the BMO Details Online System. The data was then analyzed in ACL using OCG scripts. A sample of 85 transaction was chosen as follows:

Sampling Methodology

Stratification Number of transactions tested
Random 10
Transactions>5K 4
Weekend Expenses 4
Computer Expenses 6
Drugstore 1
Duplicate Card Number 8
Multiples of $100 2
Possible Questionable Expenses 4
Automotive Expenses 1
Possible Duplicate Records 9
Financial Services 2
Food Expenses 1
Foreign expenses 2
Hotel 2
Internet Purchases 1
Other Government Department 2
Split Card Vendor Date 19
Transportation 2
Car Rental 5

Page details

Date modified: