Audit of the Financial Management Controls and Practices of the Royal Canadian Navy
Assistant Deputy Minister (Review Services)
May 2017
7055-62 (ADM(RS))
Reviewed by ADM(RS) in accordance with the Access to Information Act. Information UNCLASSIFIED.
- ADM(Fin)/CFO: Assistant Deputy Minister (Finance) / Chief Financial Officer
- ADM(RS): Assistant Deputy Minister (Review Services)
- CAF: Canadian Armed Forces
- CDAO: Corporate Departmental Accounting Office
- DND: Department of National Defence
- DOA: Delegation of Authority
- FAA: Financial Administration Act
- FAM: Financial Administration Manual
- FY: Fiscal Year
- OPI: Office of Primary Interest
- RCN: Royal Canadian Navy
- RDAO: Regional Departmental Accounting Office
Overall Assessment
While governance, internal controls and risk management practices are in place, improvements to financial management guidance and modifications to monitoring and oversight practices are required to increase the effectiveness of the financial management controls and practices of the RCN.
Results in Brief
With annual expenditures of over $1 billion, excluding salaries and benefits for Regular Force members, the Royal Canadian Navy (RCN) accounts for over five percent of the appropriations of the Department of National Defence and the Canadian Armed Forces (DND/CAF). As part of the departmental Risk-based Internal Audit Plan for fiscal years (FY) 2015/16 to 2017/18, Assistant Deputy Minister (Review Services) (ADM(RS)) conducted an audit of the financial management controls and practices of the RCN. Effective financial management controls and practices are necessary to ensure that the RCN’s governance structure, its system of internal controls, and its risk management practices support the effective stewardship of public funds.
Findings and Recommendations
Internal Controls. While required financial management controls are generally in place, some were not operating as intended. A review of a sample of transactions revealed instances of non-compliance with financial management policies, though there was no evidence of misappropriation or misuse of public funds. The Financial Administration Act (FAA) requirements for account verification, payment and segregation of duties, as well as contracting requirements, were generally well managed. Nonetheless, some issues were identified in the areas of expenditure initiation and commitment control, and delegation of authority (DOA) forms as well as supporting documentation and paper trail.
Despite significant efforts by the RCN in the monitoring and oversight of financial transactions, non-compliance errors have persisted. Insufficient practical training for personnel with financial management responsibilities and a lack of consistent and adequate procedural guidance are contributing to these recurring errors.
It is recommended that the RCN develop consistent financial management guidance for high-risk financial management areas including expenditure initiation and commitment control, delegated authorities and acquisition cardholder responsibilities. This should supplement formal departmental training and existing corporate guidance by providing direction on the practical application of relevant policies, as well as clarify the roles, responsibilities and authorities of the personnel involved.
Governance, Monitoring and Oversight. Monitoring and oversight practices within the RCN financial management governance structure currently emphasize the review of transactions on an individual and reactive basis. While this type of transactional review has provided for correction of the specific instances of errors identified, a more strategic approach to monitoring and oversight would allow the RCN to improve processes, strengthen controls or identify areas of concern that cannot be easily measured or quantified through transactional review.
It is recommended that the RCN develop and implement a risk-based approach to monitoring and oversight practices that focuses on improving financial management processes and identifying systemic issues in order to increase the effectiveness of transactional reviews performed.
Risk Management. The current risk management practices within the RCN emphasize the operational and budgetary risks faced by the Navy. While funding risks are continually managed through the in-year budget management process, financial management risks are not documented in the current risk management process. However, RCN comptrollers have an awareness of financial management risks, and address them through their day-to-day operations and local initiatives. These observations and potential improvements were discussed with management; however, no recommendation is deemed necessary in this report.
Note: Please refer to Annex A—Management Action Plan for the management response to the ADM(RS) recommendations.
1.1 Background
Financial management controls and practices consist of a structure of finance-related activities undertaken to ensure the prudent use of public resources in an effective, efficient and economic manner. They provide the governance structure of an organization, a system of internal controls, and risk management practices to ensure the effective stewardship of public funds.
The Assistant Deputy Minister (Finance) / Chief Financial Officer (ADM(Fin)/CFO) has functional and overriding authority over financial management in the Department. Within the RCN, the financial management organizational structure consists of organizational and functional reporting relationships as illustrated in Figure 1.
Figure 1. RCN Financial Management Organizational Structure. This figure illustrates the financial management organizational structure of the RCN.
Text description for Figure 1
The organizational chart shows the financial management reporting relationships of the RCN at all five levels of the organization and the reporting relationships to the ADM(Fin)/CFO organization.
The Commander of the RCN is at the highest level of the RCN financial management organizational structure. At the same level is the ADM(Fin)/CFO, connected with a dotted line representing a functional reporting relationship.
The RCN Comptroller is at the second level of the RCN financial management organizational structure with a direct reporting relationship to the Commander of the RCN.
The Formation/RDAO Comptrollers are at the third level of the RCN financial management organizational structure with a functional reporting relationship to the RCN Comptroller. At the same level is the CDAO, from the ADM(Fin)/CFO organization, connected sideways with a dotted line representing a functional reporting relationship. There are two organizational levels between the CDAO and ADM(Fin)/CFO, represented by a dashed line connecting the two.
The Unit Comptrollers are at the fourth level of the RCN financial management organizational structure with a functional reporting relationship to the Formation/RDAO Comptrollers.
Financial Officers are at the last level of the RCN financial management organizational structure with a functional reporting relationship to the Unit Comptrollers.
In support of the Deputy Minister in his role as the accounting officer pursuant to the FAA, ADM(Fin)/CFO is responsible for ensuring the integrity of financial management and comptrollership within the DND/CAF. He provides departmental guidance and advice on comptrollership and the financial authorities framework necessary to support the resource management process. The horizontal dotted lines to the RCN in Figure 1 above represent this functional authority over the financial management within the RCN.
As the head of the Navy, the Commander of the RCN is at the highest level of the financial management organizational structure within the RCN. The RCN Comptroller is responsible to the Commander of the RCN for the strategic-level coordination of the Navy’s comptrollership, resource management, costing services, policy guidance and oversight.
Reporting functionally to the RCN Comptroller are two Formation Comptrollers for Maritime Forces Pacific and Maritime Forces Atlantic, who are responsible for the day-to-day comptrollership, financial management, resource management and budget reporting within the Navy. As the functional authorities for financial management at the Formation level, they are also responsible for the following:
- conducting monitoring and oversight activities including financial inspections to ensure compliance with financial management policies and providing assurance on the effective stewardship of public resources;
- interpreting and promulgating financial management policies to all subordinate organizations within the Formation; and
- delivering ongoing training and assistance for all aspects of financial management.
As the senior comptrollers in a region, Formation comptrollers are also assigned the RDAO role and report functionally to the ADM(Fin)/CFO through the CDAO on various financial management areas. The CDAO is responsible for the monitoring and oversight of the control and processing of financial transactions by the RDAOs in accordance with financial legislation and policies. RDAOs are responsible for the control, processing and monitoring of financial transactions in their geographical region, including the execution of payment authority. They also provide monitoring and oversight of their geographical regions on behalf of the ADM(Fin)/CFO.
Unit comptrollers are responsible for the day-to-day financial management, budget management and reporting within their organizations. Some financial management responsibilities are devolved to financial officers within the unit or in subordinate organizations, which include managing local budgets, as well as procuring goods and services, mainly through the use of acquisition cards.
The RCN has made significant efforts to integrate its business processes in the areas of governance, reporting, risk management, performance management and business planning. The RCN has established a robust structure of strategic boards, committees and councils through which information flows from the operational levels to the strategic departmental level. The RCN has also developed an output model that maps the Navy’s activities through five main areas, and this model is used to integrate the planning and reporting of business areas. Additionally, a suite of reporting tools has been developed that integrates several information systems and produces dashboards and reports used for decision making. The RCN has also established an integrated risk management system with several mechanisms to capture, assess and manage risks from a pan-Naval perspective. With a goal to take the Navy from measurement and reporting to management and improving, a performance management framework is being implemented through a phased approach.
While not included in the scope of this audit, the integrated business planning process that the RCN is implementing is also a part of the financial management controls and practices. The RCN has developed a business management toolset, which is an automated process for business planning and resource management to replace the large number of documents used in the departmental process. The goal of this toolset is to reduce the manual workload by automating budget management processes and allow for a greater focus on analysis and evidence-based decision making. Using a suite of front-end reporting and visualization applications, Naval comptrollers will be able to access, view, sort and analyze business intelligence data as well as have access to a dashboard, reporting tools, analytical capabilities and highly formatted reports.
1.2 Rationale
As one of the three military environmental commands of the CAF, the RCN’s net expenditures have exceeded $1 billion annually, accounting for over five percent of the Department’s annual expenditures of over $18 billion in FY 2014/15. This audit is the second in a series of audits of the financial management controls and practices within the military environmental commands; ADM(RS) completed an audit of the financial management framework of the Royal Canadian Air Force in 2015, while a subsequent audit of the Canadian Army is planned. Given the importance of effective financial management within the DND/CAF and the materiality of RCN expenditures, this audit was included in the Risk-based Internal Audit Plan for the period from FY 2015/16 to 2017/18.
1.3 Objective
The objective of this audit was to assess the effectiveness of the financial management controls and practices of the RCN.
1.4 Scope
The scope of this audit included current RCN financial management practices, including expenditure management, revenue management, risk management, monitoring and oversight, reporting and organizational structures, training and guidance as well as succession planning.
This audit included financial information from FY 2010/11 to 2014/15 for the purposes of data and sample analysis. The sample analysis assessed the following financial management areas:
- expenditure management process (including expenditure initiation, account verification and payment);
- DOAs management;
- commitment accounting;
- acquisition cards management;
- contracting practices;
- travel claims management;
- hospitality management;
- revenue management; and
- payables at year-end management.
The scope of this audit did not include a comprehensive review of the following:
1.5 Methodology
The audit approach included the following:
- interviews with individuals in key positions holding financial management responsibilities at all levels of the RCN financial management structure;
- reviews of financial management policies, including Sections 32, 33 and 34 of the FAA; several chapters from the DND Financial Administration Manual (FAM); and RCN-specific financial policies and procedures;
- reviews of documentation provided by the RCN, including financial reports, training material, operating procedures, and monitoring and oversight guidance and reports;
- walkthroughs of key financial management processes;
- analyses of data extracted from the departmental financial system, the Defence Resource Management Information System;
- site visits to Maritime Forces Pacific in Victoria and Maritime Forces Atlantic in Halifax; and
- testing of a directed sample of 113 transactions, consisting of expenses, revenues, purchases of assets, and payable at year-end transactions.
Although the sample included 113 transactions, not every audit test was applicable to every transaction. The applicable sample size for each testing area is outlined in Annex C.
1.6 Audit Criteria
The audit criteria can be found at Annex B.
1.7 Statement of Conformance
The audit findings and conclusions contained in this report are based on sufficient and appropriate audit evidence gathered in accordance with procedures that meet the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing. The audit thus conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program. The opinions expressed in this report are based on conditions as they existed at the time of the audit and apply only to the entity examined.
2.1 Internal Controls
The required internal controls for financial management are generally in place. However, some controls related to expenditure initiation, use of commitments and contracting requirements are not operating as intended.
2.1.1 FAA and Departmental Policy Compliance
The FAA is the cornerstone of the legal framework for financial management within the federal government, and confers financial authorities to Ministers and Deputy Heads. These authorities are delegated to positions within the Department. Sections 32, 33 and 34 of the FAA describe the financial authorities for the expenditure process.
Section 32 of the FAA defines the requirements that must be met before initiating a purchase of goods or services. This includes expenditure initiation and commitment control. Expenditure initiation requires an individual with delegated authority to ensure that an expense is a legitimate operational or business requirement, and that sufficient funds are available before entering into a contract or other arrangement. Commitment control requires that funds be secured through a financial commitment recorded in the Department’s financial system.
Section 34 of the FAA defines the requirements that must be met before a disbursement can be made. This is a certification that goods have been delivered or work has been performed according to agreed-upon terms, and that the invoice complies with contract terms.
Section 33 of the FAA defines the requirements that must be met in order to authorize a payment for goods or services purchased.
The financial authorities for Sections 32, 33 and 34 of the FAA are delegated in writing through the use of a DOA form. This form documents the applicable financial authority, associated restrictions, and proof of completion of prerequisite training.
Within DND, there are a few sources of guidance on financial management. The ADM(Fin)/CFO has issued the FAM, which outlines departmental policies for all areas of financial management. The FAM includes specific chapters on the expenditure process (Sections 32, 33 and 34 of the FAA), delegated financial authority, the CDAO and RDAO functions, revenue management, acquisition cards management, travel claims, hospitality and more. The FAM provides direction and guidance on the processes, responsibilities, and detailed controls required for compliance. Similarly, the Procurement Administration Manual issued by the Assistant Deputy Minister (Materiel) provides departmental policy requirements for the contracting of goods and services. In addition, Naval Orders issued by the RCN and Formation Orders issued by the Formations provide specific administrative, technical and operational direction and procedural aspects that amplify departmental policies for the RCN.
During this audit, a review of sample transactions, process walkthroughs, and client interviews was conducted at the RCN headquarters and within subordinate organizations. Generally, these tests demonstrated sufficient financial management practices and controls in the management of revenues, payables at year-end, travel claims, hospitality and contracting as well as certification in accordance with Sections 33 and 34 of the FAA. However, instances of non-compliance were identified in the certification of Section 32, management of DOAs and acquisition cards and the sufficiency of supporting documentation.
Section 32 – Expenditure Initiation and Control of Commitments
As part of the sample analysis, transactions were assessed to determine whether they were authorized in accordance with Section 32 of the FAA, including the requirement for commitment control.
Documented evidence of Section 32 authorization was not provided for 30 percent of the sample transactions assessed. The sample analysis and interview results revealed a general lack of understanding of what constitutes acceptable documented proof of Section 32 authorization, even though departmental policy and procedures provide clear guidance on these expectations.
The interview results also revealed that commitment control is not well understood or used for its intended purposes in many cases. While all transactions were linked to a financial commitment in the departmental financial system, this was the result of a system control that forces each payment to be linked to a commitment. By not employing commitment control at the time of expenditure initiation, the intended function of commitments as a budget management and expenditure control measure is defeated. Although guidance regarding commitment control was not available during the time the sample transactions were completed in FY 2014/15, ADM(Fin) has subsequently issued a standard operating procedure entitled “Procure to Payment” in January 2016, which provides detailed guidance on the use of commitments.
Section 32 of the FAA also requires that individuals with delegated authority ensure that sufficient funds are available before entering into a contract or incurring an expense to ensure proper controls over transactions. Of the transactions where a date stamp identified when Section 32 was authorized, 15 percent were authorized after the expense was incurred.
Section 34 – Certification for Performance of Work, Goods or Services and Eligibility for Payment
The results of the sample analysis indicate a high level of compliance with the requirements for Section 34 of the FAA, with errors identified in three percent of the transactions assessed.
Section 33 – Payment for Work, Goods or Services
The results of the sample analysis in conjunction with the process walkthroughs and interviews conducted indicate that compliance with the requirements for Section 33 of the FAA is an area of low risk. The payment authorization process for the Navy is centralized within the two Formation comptroller organizations, and controls are in place to ensure that only a limited number of personnel are delegated Section 33 authority. All transactions receive an electronic Section 33 approval in the departmental financial system before a payment can be made and a transaction can be completed. A cursory review of low-risk transactions is performed before they are certified in accordance with Section 33 of the FAA followed by a post-payment verification of a statistical sample of low-risk transactions. All high-risk transactions are reviewed in detail prior to Section 33 approval and payment. It was determined that payment authority was correctly applied for the sampled transactions.
Segregation of Duties
Effective governance and management control as well as government-wide financial management policy require that persons with delegated financial authority must not exercise both certification that goods and services have been delivered or performed, and authorization of the related payment. This segregation of duties reduces the risk of misuse of funds.
The results of the sample analysis indicate that there is an appropriate segregation of financial management duties. Although segregation of duties could not be verified for five percent of the sampled transactions, the remaining 95 percent of the sampled transactions were in compliance with segregation of duties requirements. Several compensating controls also reduce the level of risk in this area. This includes centralization of Section 33 authorities that limit the number of individuals who can authorize a payment for a transaction.
Delegation of Financial Authorities
DOA is a critical element of internal control. The FAA and other federal legislation confer specific authorities and responsibilities for the control and spending of funds on the Minister and Deputy Minister of DND. Since it is not practical for the Minister and Deputy Minister to personally carry out all of these responsibilities, it is necessary for them to authorize responsible officials to exercise these authorities on their behalf. Through the process of DOAs, the Department is able to ensure that effective financial and operational management controls are applied for the expenditure of public funds.
The Delegation of Authorities for Financial Administration is presented as a matrix that reflects the authority limits that the Minister and Deputy Minister have granted to positions within the DND/CAF. Individuals who occupy positions that have been delegated financial authority as per the matrix may not exercise these authorities unless they have been designated to do so through the completion of a DOA form. In order to ensure that these responsibilities are understood, individuals must successfully complete various training courses prior to exercising any delegated authorities.
To verify the appropriate use of delegated financial authorities, the audit team requested the related DOA forms for a sample of transactions to assess the contracting, Section 32, Section 33 and Section 34 areas of authorities. Of the forms requested, 22 percent were not provided. The lack of supporting documentation for delegated authorities indicates a deficiency in the control’s effectiveness.
Good Practice
The Department is in the process of implementing the management of delegated authorities electronically, through the departmental financial system. While the old DOA form did not include a field to identify its expiry date, the new system will require each DOA form to have an expiry date explicitly defined. This should trigger the preparation of a new DOA form when an individual’s training and DOA form are about to expire.
The review of DOA forms that were provided indicated that not all sampled transactions were certified by a person with a valid financial authority. Of the forms provided, eight percent were invalid. A DOA form was considered invalid if it was confirmed that a form did not exist for the person certifying any of the above-listed authorities, if the required training course was expired or if the individual was not authorized to certify the particular DOA area being assessed. In one case, an individual with an invalid DOA form had re-taken the required training before it had expired, but a new DOA form had not been prepared. Furthermore, some transactions certified were not within the limitations defined on the forms. Of the DOA forms provided, two percent of transactions were not within the limitations identified on the DOA form. The FAA requires valid DOA forms be held on file to decrease the risk of misuse or misappropriation of public funds.
Contracting
The departmental Procurement Administration Manual sets out contract administration requirements, which are vital to promoting effective stewardship of public funds. Key contracting documentation, such as contract and vendor details, quotes, timelines, and dollar limitations, was not available for 34 percent of transactions sampled. Of the transactions with appropriate documentation, the value of two transactions exceeded the expenditure limitations as outlined in the contract.
Acquisition Cards
The errors previously described also reflect the risk of non-compliance with acquisition card requirements, as 15 of the 113 sampled transactions reviewed were paid using an acquisition card. Acquisition cardholders are responsible for ensuring that individuals with a valid DOA appropriately authorize Section 32 and Section 34, adhering to contracting requirements and maintaining an adequate paper trail. Acquisition cardholders also indicated through interviews that they did not have adequate guidance on acquisition card reconciliations, which is required by departmental policy.
Supporting Documentation
The audit assessed the appropriateness of supporting documentation to determine if a sufficient paper trail had been maintained for sampled transactions. Departmental policy requires the retention of a sufficient paper trail, which includes invoices, proof of Sections 32, 33 and 34 authorizations, related DOA forms and applicable contracts. Overall, adequate supporting documentation was provided in 34 percent of sampled transactions, affecting the Department’s ability to conduct financial monitoring and oversight. Additionally, no documentation at all was provided for 16 percent of the requested sample. While the requirement to maintain appropriate supporting documentation is described in all financial management policies issued by ADM(Fin)/CFO, specific guidance regarding the types and details of supporting documents was not available during the period of the transactions sampled. ADM(Fin)/CFO has since issued a standard operating procedure entitled “Procure to Payment” in January 2016, which provides detailed guidance on the supporting documentation required at each step of the expenditure process.
2.1.2 Financial Management Training and Guidance
The most frequent errors identified through the sample analysis are attributable to insufficient training and a general lack of documented guidance. In many cases, personnel holding operational positions have significant financial management responsibilities, such as exercising delegated financial authority, managing a budget, forecasting expenses, and reconciling acquisition card expenses. However, the necessary training is not always available for personnel in operational positions to support them in the delivery of their financial management responsibilities.
Good Practice
Formation comptrollers are developing local training initiatives that supplement formal departmental training and are providing guidance on the practical application of policies in some areas, such as DOA, hospitality and events.
For many operational positions, the only financial management training available consists of three online courses required for delegated financial authority. However, the content of these courses does not provide extensive practical application of financial management theories and requirements. Half of the interviewees who have taken these online courses responded that the training provided did not prepare them for their financial management responsibilities. In many cases, operational personnel, while being subject matter experts within their areas of work, do not have the training or experience to perform financial management duties.
While operational personnel may be able to complete financial management tasks, how these processes fit into the overall framework is not always understood. For example, commitment control at the local level may not seem important as the local financial officer can easily track the budget and expenditures through a spreadsheet or alternative system. However, the incorrect use of commitment control reduces the RCN, Formation and Unit comptrollers’ visibility of the budget and expenditures. Furthermore, without appropriate commitment control, periodic reporting of expenditures and budgets requires increased effort and resources at all levels of the organization, a task that could otherwise be easily completed by running a report in the departmental financial system if commitment control is properly exercised at all levels in the organization.
As formal training is not sufficient for individuals working in operational roles, significant supplemental on-the-job training and guidance is required. The two Formation Comptrollers are developing local training initiatives and documented procedures to supplement formal training with direct guidance on the application of relevant policies. In a recent example, the Formations held a seminar in conjunction with the CDAO to present changes to the DOA process in preparation for its implementation through the departmental financial system. This provided attendees with a common understanding of the new process, as evidenced by consistent responses on the topic from all interviewees. In another example, comptrollers at both Formations have prepared and issued detailed guidance with respect to the management and processing of hospitality and events requests, providing a clear and consistent message on the specific process. However, such guidance is not available for other financial management processes such as the expenditure process, which includes commitment control, DOA and audit trail.
Furthermore, key financial management activities and processes are not consistently documented at the Formation or Unit level. Having numerous organizations preparing similar guidance results in inefficiencies, inconsistencies and duplication of efforts. Although Formation comptrollers have encouraged some local training initiatives and some organizations have documented procedures for various financial activities, these are not consistently developed at the Formation level or across the RCN.
2.1.3 Conclusion
While no evidence of misappropriation or misuse of public funds was found through the sample analysis, a number of controls need to be strengthened to ensure full compliance with the FAA and departmental financial management policies. The lack of appropriate expenditure initiation and commitment control, valid DOA forms, conformance to DOA limitations, and sufficient paper trail are breaks in the control framework of the expenditure process, which increase the risk of mismanagement of public funds. These issues of non-compliance can be attributed to a combination of a lack of adequate financial management training and inconsistent guidance. The RCN would benefit from a centralized approach to local training initiatives and documentation of financial management processes. Given that financial management processes are identical across the RCN, the development of local training and guidance at the subordinate levels results in a duplication of effort and inconsistent application of policies.
ADM(RS) Recommendation
1. The RCN should develop consistent financial management training and guidance to be delivered at the Formation level that clarifies roles, responsibilities, authorities and procedures with respect to:
- delegated financial and contracting authority;
- FAA Section 32;
- commitment control;
- acquisition cardholders; and
- supporting documentation.
OPI: RCN
Key considerations for development of a management action plan are as follows:
- Clear definition and documentation of any interpretations of policy when it is unclear.
Although several monitoring and oversight practices have been established, they focus on correcting transactions rather than on improvements to the overarching financial management processes.
Good Practice
- Although there are opportunities for improvement, the established monitoring and oversight processes are formally documented and include appropriate reporting and follow-up practices.
- At one Formation, comprehensive reviews are conducted following a risk-based methodology to select the areas, processes and programs to be reviewed annually.
2.2.1 Monitoring and Oversight Practices
Monitoring and oversight practices serve a vital role in assessing financial management controls and practices by providing assurance that an organization is compliant with policies and is operating effectively and efficiently. There are several monitoring and oversight practices established at the RCN and Formation levels to review various aspects of financial management. Most of these monitoring and oversight practices focus on the expenditure of public funds either through the review of payments and financial transactions or the management of cash.
All high-risk transactions are subject to a pre-payment verification in accordance with the departmental policy on Section 33 of the FAA. All low-risk transactions are subject to a department-wide post-payment verification based on a statistical sample selected monthly by the CDAO (see Footnote 4). The Formation comptrollers also conduct local post-payment verifications on additional low-risk financial transactions based on a sample selected locally. The pre- and post-payment verifications of expenditure transactions assess compliance with Sections 32, 33 and 34 of the FAA, and departmental financial management policies as well as some contracting rules and regulations. In addition, every ship (unit) undergoes a Logistics Readiness Inspection every 18 to 24 months to assess all aspects of the ship’s readiness, including consideration of financial management of public funds. Units that manage and hold cash undergo a Unit-Level Verification every six months to verify the appropriate use of cash management and handling.
In addition to these monitoring and oversight activities, one Formation conducts inspections of its largest units every 18 months, consisting of a transactional review similar to the post-payment verification, as well as a verification of public funds management. The other Formation conducts comprehensive compliance reviews for all units under that Formation. The reviews are identified through a risk-based methodology and assess the compliance, controls, governance and stewardship of various processes and programs across that Formation.
2.2.2 Transactional versus Process Review
Transactional review is a time-consuming process that focuses on detecting errors and taking corrective action. In contrast, a review of processes and programs can identify weaknesses in controls and governance to prevent future errors. Despite the significant amount of transactional review currently conducted through the local post-payment verification process, this type of review has not been shown to prevent or reduce errors.
The CDAO-directed post-payment verification is considered sufficient to comply with federal and departmental policy requirements. Notwithstanding, the standard operating procedures for post-payment verifications issued by the CDAO further specify that local post-payment verifications can be conducted by comptrollers on additional transactions based on local risks identified.
The local post-payment verification teams at each of the two Formation comptrollers review thousands of transactions annually from all organizations across the Formations. The verification team at each Formation consists of three to four personnel dedicated to reviewing transactions on a full-time basis in addition to personnel providing management oversight. Interviews with the reviewers revealed that error rates remain consistent, with some cyclical variability as organizations experience regular turnover through military postings. In fact, at one Formation, the post-payment verification error rates grew from 9.4 percent in FY 2014/15 to 12.8 percent in FY 2015/16. The reviewers expressed that the post-payment verification process is useful as a means to provide informal training to personnel new to their positions. However, there are more efficient and effective ways to provide local training to new personnel as recommended in Section 2.1 of this report.
The significant transactional review conducted through the local post-payment verification is a practice that stemmed from an older version of the Department’s policy on Section 33 of the FAA, which required RDAO comptrollers to conduct a post-payment verification of at least 20 percent of the monthly low-risk transactions. This requirement has since been amended to indicate that the CDAO-directed post-payment verification is sufficient in order to conclude on the adequacy and reliability of the account verification process, given that it is based on a statistical sampling methodology. The continued practice of conducting post-payment verification on additional transactions therefore exceeds the level required for compliance, and may not be an efficient use of limited resources. In fact, given the reactive nature of transactional reviews, individual instances of exceptions are corrected, rather than systemic issues affecting financial management processes.
2.2.3 Conclusion
While a number of monitoring and oversight activities have been established, a significant focus on transactional review without including a higher level of process review has limited the RCN’s ability to systematically prevent and reduce errors and non-compliance with regulations and policies. The significant amount of transactional review being performed can be attributed to an outdated departmental policy requirement. This type of review tends to correct individual instances of errors rather than leverage the results to address overarching issues in the financial management process. Although such extensive transactional review has also been observed in another military environmental command of the CAF, it was complemented by other monitoring and oversight practices that focused on the review of processes, providing for a more strategic approach.
In contrast, process reviews could increase compliance and improve the controls of the Formations by targeting the root causes of errors. Furthermore, adopting a risk-based methodology for process reviews can identify areas of higher risk, which can be mitigated through various strategies including local training initiatives.
Given that transactional reviews require a considerable amount of time and resources and focus on subsequent corrective action, a more strategic approach to monitoring and oversight with reduced transactional reviews and increased process reviews can reduce and prevent future errors and/or non-compliance with policies.
ADM(RS) Recommendation
2. The RCN should develop and implement a risk-based approach to monitoring and oversight practices that focuses on improving financial management processes and identifying systemic issues in order to increase the effectiveness of transactional reviews performed.
OPI: RCN
Key considerations for development of a management action plan are as follows:
- Adopt a risk-based methodology to identify areas for review;
- Conduct reviews to assess the internal controls and processes to complement the compliance reviews currently being performed; and
- Define the reporting requirements to include recommended actions and appropriate follow-up to ensure implementation of improvements.
2.3 Risk Management
Although financial management risks are addressed through the activities of the comptroller functions, some potential improvements could be made.
2.3.1 Funding versus Financial Management Risks
The RCN has a robust integrated risk management system with several mechanisms in place to capture, assess and manage risks in the areas of operations, finances, injury and safety, legislation and reputation. Funding risks in the RCN are identified during the business planning process and documented within the risk management section of business plans, which includes an assessment of the likelihood, impact and management strategies. Funding risks are also continually addressed in the course of in-year budget management. Other financial management risks are not identified, assessed or managed in a documented activity. Nevertheless, they are considered through the activities of the comptroller functions.
Based on interviews with key stakeholders, there is an overall opinion that risks have been addressed through the in-year budget monitoring process and in the risk management portion of the business planning process. Furthermore, when referring to financial management risks, stakeholders focused entirely on funding, budgets and expenditure; identifying, assessing and managing financial management risks was not seen as a necessity. Nonetheless, there was evidence that financial management risks were being managed through the comptrollers’ day-to-day activities. For example, the Formations have recently started local initiatives to manage the risk of inadequate training. Furthermore, Formations have adopted a risk-based approach to monitoring and oversight, focusing on high-risk transactions, organizations and financial management areas. In another example, the RCN develops and manages succession plans for key financial management positions to ensure qualified personnel are available for these roles.
Identifying key financial management risks is an important practice to increase the likelihood that they are effectively managed, that important risks are not overlooked, and that risk levels are updated on a routine basis to account for changes in the financial management landscape. While potential improvements could be made to improve the documentation of financial management risks within the RCN, this was discussed with management, and no recommendation is deemed necessary in this report.
3.0 General Conclusion
The financial management controls and practices of the RCN were found to be operating effectively in some areas of governance, internal controls and risk management. However, the audit identified areas for improvement in financial management guidance and in monitoring and oversight practices. The sample analysis found no evidence of misappropriation or misuse of public funds.
Although the required internal controls were in place, some of these controls were not operating as intended. These controls need to be in place to ensure full compliance with the FAA and financial management policies. The development and communication of consistent RCN financial management training and guidance will promote a higher level of compliance in key financial management areas.
In terms of governance, current monitoring and oversight practices focus heavily on correcting transactions, but do not address the underlying cause of errors. The development and implementation of a risk-based approach to monitoring and oversight practices that focuses on improving financial management processes will allow the RCN to increase compliance as well as improve their processes and internal controls within the Formations.
Although a documented risk management activity is not in place to identify, assess and manage financial management risks, these risks are addressed informally. Potential improvements were briefed to the RCN and no recommendation is made in this report.
Annex A—Management Action Plan
ADM(RS) uses recommendation significance criteria as follows:
Very High—Controls are not in place. Important issues have been identified and will have a significant negative impact on operations.
High—Controls are inadequate. Important issues are identified that could negatively impact the achievement of program/operational objectives.
Moderate—Controls are in place but are not being sufficiently complied with. Issues are identified that could negatively impact the efficiency and effectiveness of operations.
Low—Controls are in place but the level of compliance varies.
Very Low—Controls are in place with no level of variance.
Internal Controls
ADM(RS) Recommendation (Moderate Significance)
1. The RCN should develop consistent financial management training and guidance to be delivered at the Formation level that clarifies roles, responsibilities, authorities and procedures with respect to:
- delegated financial and contracting authority;
- FAA Section 32;
- commitment control;
- acquisition cardholders; and
- supporting documentation.
Management Action
The RCN will formalize training initiatives already occurring at the Formations level that will address the non-compliance issues indicated in the report. In addition, the Formations will develop and disseminate local procedures that supplement departmental directives regarding internal controls to ensure enduring compliance going forward.
OPI: RCN
Target Date: August 1, 2017
Governance
ADM(RS) Recommendation (Moderate Significance)
2. The RCN should develop and implement a risk-based approach to monitoring and oversight practices that focuses on improving financial management processes and identifying systemic issues in order to increase the effectiveness of transactional reviews performed.
Management Action
The RCN will conduct a review of all monitoring and oversight practices and amend as necessary to ensure that a risk-based approach is utilized pan-Navy. In addition, the RCN will collaborate with CDAO/RDAO organizations to identify systemic issues with the focus on improving financial management process.
OPI: RCN
Target Date: April 1, 2017
Annex B—Audit Criteria
Criteria Assessment
The audit criteria were assessed using the following levels:
Assessment Level and Description
Level 1—Satisfactory
Level 2—Needs Minor Improvement
Level 3—Needs Moderate Improvement
Level 4—Needs Significant Improvement
Level 5—Unsatisfactory
Controls
- An adequate system of internal controls and practices is maintained and monitored to promote effective and efficient financial management.
Assessment Level 3 – Although sufficient financial management internal controls and practices are in place, some are not effective as evidenced by the results of the sample analysis. Supplemental financial management guidance is required for high-risk areas, which include Section 32 authorization, commitment control, delegated authorities, and acquisition cards.
Governance
- A governance structure is in place to promote effective RCN financial management controls and practices.
Assessment Level 3 – While a financial management governance structure is in place, the monitoring and oversight practices require modification in order to prevent and reduce non-compliance and errors through a higher focus on the improvement of financial management processes and reduced focus on correcting transactions.
Risk Management
- A risk management framework is in place to ensure that financial management risks are identified and adequately managed.
Assessment Level 2 – Although some financial risk management occurs through the in-year budget monitoring process, key financial management risks and their associated management strategies are not identified or documented as part of the formal RCN risk assessment process. Observations and recommendations for minor improvements in this area have been briefed to the RCN.
Source of Criteria
Governance:
- Reference to: Treasury Board of Canada Secretariat, Audit Criteria Related to the Management Accountability Framework: A Tool for Internal Auditors, March 2011
Risk Management:
- Reference to: Treasury Board of Canada Secretariat, Audit Criteria Related to the Management Accountability Framework: A Tool for Internal Auditors, March 2011
Controls:
- Reference to: Treasury Board of Canada Secretariat, Audit Criteria Related to the Management Accountability Framework: A Tool for Internal Auditors, March 2011
Annex C—Sample Size
Although the sample included 113 transactions, not every audit test was applicable to every transaction. The applicable sample size for each testing area is outlined in Table 1 below.
Sample Test | Sample Size |
---|---|
Proof of Section 32 authorization | 88 |
Expense incurred after Section 32 authorization | 88 |
Proof of Section 34 authorization | 88 |
Proof of Section 33 authorization | 59 |
Appropriate segregation of duties | 94 |
DOA forms requested for assessing Section 32, Section 33, Section 34 and contracting authorities | 268 |
DOA forms provided for assessment | 208 |
Compliance with contracting requirements | 53 |
Appropriate supporting documentation | 113 |
Table C-1. Sample Tests and Sizes. This table lists the applicable sample size for each testing area.
Footnote 1 The solid lines represent organizational reporting relationships while the dotted lines represent functional reporting relationships. While Formation and Unit comptrollers and financial officers report functionally to the RCN Comptroller, they report organizationally within the military chain of command. There are two organizational levels between the CDAO and ADM(Fin)/CFO, represented by the dashed line.
Footnote 2 Budget management processes were assessed in the ADM(RS) Audit of Department Budget Management, completed in December 2012.
Footnote 3 The financial management of personnel salaries and wages of Regular Force members falls primarily under the responsibility of other organizations.
Footnote 4 Post-payment verification requirements are outlined in the Treasury Board Directive on Account Verification and the Department’s policy on Section 33 of the FAA.