Audit of the implementation of delegation of authority within SAP

Executive summary

The Financial Administration Act (FAA) and Treasury Board of Canada Secretariat (TBS) Directive on Delegation of Financial Authorities for Disbursements set out the core legal and policy framework for general financial management and accountability of public sector managers. The delegation of financial signing authorities (DFSA) constitutes a key internal control in the government expenditure process. The DFSA comprises the following elements:

  • Section 32 of the FAA pertains to the commitment of funds against an appropriation and expenditure initiation;
  • Contracting authority enables incumbents to enter into a contract on behalf of the department;
  • Section 34 provides the authority to certify the receipt of goods and/or the provision of services and entitlement of payment; and
  • Section 33, the final step in the expenditure process, provides the authority for issuing the payment after determining that the payment is properly authorized and legal.

Employment and Social Development Canada (ESDC) implemented SAP on April 1, 2014. The authorization of financial transactions and validation of DFSA are automated in SAP, for those transactions entered using the Vendor Invoice Management. The payment approval process includes an automated verification of the Fund Center manager's credentials with the DFSA database.

Audit objective

The objective of this audit was to assess whether controls related to delegated financial authorities within SAP are adequately designed and operating as intended to support the appropriate authorization of financial transactions.

Summary of key findings

  • Policies, procedures and guidelines pertaining to financial signing authorities exist and are aligned with legislative and TBS policy requirements;
  • Process to grant financial signing authority is well designed;
  • Operating effectiveness of controls to grant financial signing authority needs improvement;
  • Financial transactions are appropriately authorized by the right individuals and auditable evidence is captured in SAP;
  • There are no monitoring mechanisms identifying transactions where incompatible financial signing authorities are exercised in SAP (sections 34 and 33 by the same individual); and
  • There is no formal process to monitor and update the DFSA instruments.

Audit conclusion

Overall, the audit concluded that adequate controls are in place to support the appropriate authorization of financial transactions in SAP. These controls could be enhanced by establishing a formal process to monitor and update the DFSA instruments and by implementing monitoring mechanisms that identify transactions where incompatible financial signing authorities are exercised in SAP.

Recommendations

The Chief Financial Officer (CFO) should:

  • Design and implement a formal process to monitor and update delegation instruments, electronic authorization matrices, specimen signature documents, validation and authentication processes; and
  • Design and implement controls to identify transactions for subsequent reviews where incompatible financial signing authorities are exercised in SAP.

1.0 Background

1.1 Context

The FAA and TBS Directive on Delegation of Financial Authorities for Disbursements set out the core legal and policy framework for general financial management and accountability of public sector managers. The DFSA constitutes a key internal control in the government expenditure process. The DFSA comprises the following elements:

  • Section 32 of the FAA pertains to the commitment of funds against an appropriation and expenditure initiation;
  • Contracting authority enables incumbents to enter into a contract on behalf of the department;
  • Section 34 provides the authority to certify the receipt of goods and/or the provision of services and entitlement of payment; and
  • Section 33, the final step in the expenditure process, provides the authority for issuing the payment after determining that the payment is properly authorized and legal.

ESDC implemented SAP on April 1, 2014. The authorization of financial transactions and validation of DFSA are automated in SAP, for those transactions entered using the Vendor Invoice Management. The payment approval process includes an automated verification of the Fund Center manager's credentials with the DFSA database.

1.2 Audit objective

The objective of this audit was to assess whether controls related to delegated financial authorities within SAP are adequately designed and operating as intended to support the appropriate authorization of financial transactions.

1.3 Scope

The scope of this audit included key controls pertaining to financial delegated authorities implemented in SAP, namely commitment of funds and expenditure initiation authority (section 32), contracting authority, certification authority (section 34) and payment authority (section 33).

1.4 Methodology

The audit was conducted using a number of methodologies including (but not limited to):

  • Process observation and analysis;
  • Documentation review and analysis;
  • Interviews with Chief Financial Officer Branch (CFOB) management and staff; and
  • File review and analysis
    • Review of a statistically valid sample of transactions paid between June 1st, 2014 and August 30th, 2014.
    • Review of a statistically valid sample of Specimen Signature Cards (SSCs).

2.0 Audit findings

2.1 An adequate control environment is in place to support financial signing authority

ESDC has developed a departmental Delegations of Authority Manual which provides comprehensive and useful information, such as delegations by programs and types of expense (hospitality, events, membership fees, etc.), as well as links to the applicable regulations, TBS directives and policies. A policy on DFSA is in place and available on the departmental intranet. We reviewed this policy and found that it is in compliance with FAA and TBS requirements. This policy is accompanied by a complete set of supplementary notes which highlight delegation principles, roles and responsibilities, authority limits and required training. In addition, a generic mailbox is available for managers and financial officers exercising DFSA if they need additional information or wish to provide feedback and suggestions related to DFSA.

More importantly, as required by the TBS Directive on Delegation of Financial Authorities for Disbursements, the departmental DFSA has been officially delegated by the Minister and the Deputy Minister to position titles, not to individuals specifically, through a formal, written and signed document.

Of note, interviews with management and documentation review demonstrated that delegation of DFSA is considered as a core financial control that constitutes the foundation piece to hold managers accountable for prudent stewardship and lawful utilization of public resources under their responsibilities. As such, management, at the earliest opportunity, debriefed the newly appointed Minister on the principles underlying the design of DFSA which were then formally reviewed and approved by the Minister.

2.2 Opportunities exist to improve controls over the delegation and monitoring of financial signing authorities

The operating effectiveness of controls over the DFSA could be strengthened

ESDC's process to receive, review, validate, update and activate SSCs is well designed. A centrally managed SAP database is used as the central repository of all SSCs. This database is managed by a unit within the Integrated Corporate Accounting and Accountability Directorate (ICAAD) of the CFOB at National Headquarters (NHQ).

In order to set up an SSC in the SAP database, the incumbent has to submit an electronic DFSA request through the SAP portal. The DFSA request is then actioned by a financial officer from the ICAAD, who verifies its completeness, including the delegation of the incumbent's supervisor, the appropriateness of the fund centre and the validity of the incumbent's training through the Canada School of Public Service website, and ensures that the delegation is consistent with the departmental DFSA chart, particularly dollar limits and expenditure types (hospitality, conferences, ex gratia, etc.). When the DFSA request is deemed satisfactory, the financial officer approves the request and the system automatically sends an e-mail message to the incumbent confirming that the request has been approved and requesting that a signed hard copy of the SSC be sent to NHQ. Once NHQ receives the hard copy of the SSC, it is uploaded into the SAP database and made available for reference.

We designed our tests to obtain a representative number of active SSCs through the period under review by selecting a statistically valid sample of 114 managers with DFSA. We tested controls such as the authentication of the SSC by the supervisor, the completion of mandatory training and the completeness of key information of the DFSA (e.g. fund centre, dollar amount limit, etc.). Finally, we compared the information contained on the SSC hard copies with what was granted in SAP.

While the process to grant DFSA is well designed, we found that the operating effectiveness of controls relating to SSCs is not working as intended. The audit team found that 45% of the files contain at least one error and the following weaknesses were identified:

  • Granting DFSA before receiving the SSC hard copies and processing SSCs that are undated:
    • The date of the manager's signature was after the starting date of the delegation. Per discussion with CFOB, in most cases this timing issue is due to the delegation of authority being granted electronically first (when the delegation is approved in SAP) and the SSC being signed by the manager shortly after; and
    • The date of the manager's signature was not indicated on the SSC.
  • Inconsistency between the DFSA granted in SAP and the DFSA requested on the SSC hard copies:
    • Request made for sections 32 and 34 but the incumbents were granted section 33;
    • The DFSA section was left blank on the SSC form and the incumbents were granted DFSA; and
    • The incorrect fund centre was delegated to the incumbent.
  • Some key controls related to granting DFSA were missing:
    • The DFSA was granted with no end date;
    • The training validity dates were not entered in the SAP system; and
    • The training end date was entered as 9999 into the SAP system.

Review and monitoring of DFSA need to be formalized

The DFSA database is the fundamental control that financial officers rely on when performing account verification, and it serves as the source of reference for the SAP system when routing workflows to the appropriate individuals for approval.

We noted that there is no formal process to update and monitor the accuracy of the DFSA instruments. As required by the Directive on Delegation of Financial Authorities for Disbursements, at a minimum, controls pertaining to all delegated financial authorities are reviewed and updated annually. These include delegation instruments, electronic authorization matrices, specimen signature documents, validation and authentication processes in use in departments. We expected to find a formal work plan outlining roles and responsibilities and the frequency of the monitoring activities for the delegation instruments including, among others, the alignment of the DFSA with the departmental objectives and the rationale for delegating financial signing authorities to positions, the validity of SSCs, the accuracy of the SAP database, and the adherence to training requirements.

A formal, documented and properly executed monitoring process would allow the Department to prevent and detect potential errors and apply corrective measures as needed. Interviews with management revealed that they are at the early stage of establishing such a process.

Also, there is no formal process to revoke DFSA from employees upon changes to their responsibilities such as departure, transfer or long term leave. Consequently, there is a risk that when employees' responsibilities change, they would still be able to continue exercising their previous DFSA.

By adopting a formal termination process, the DFSA instruments would be updated in a timely fashion and kept accurate, which increases the likelihood of processing financial transactions that are appropriately authorized.

Recommendation

The CFO should design and implement a formal process to monitor and update delegation instruments, electronic authorization matrices, specimen signature documents, validation and authentication processes.

Management response

CFO agrees with the recommendation. Though not specifically referred to in the Recommendation, Management also wishes to note that the errors observed with respect to the operating effectiveness of the controls related to SSCs were due in large part to the timing of the transactions reviewed which occurred during the transition to the new financial system. Leading up to, and immediately after, the launch of the new system, priority was being given to getting new SSCs in place for every individual in a position with delegated financial authority; meaning a very high volume of transactions. Since that time, more rigour has been brought to the steady-state processes and monitoring activities have been instituted that have strengthened the operating effectiveness of the controls over SSCs. Actions are expected to be completed by March 2016.

Incompatible financial signing authorities need to be monitored

The audit team noted that the ESDC Delegation Chart grants incompatible financial signing authorities to certain positions. The TBS Directive on Delegation of Financial Authorities for Disbursements indicates that when assigning financial signing authorities to positions, the following functions are to be kept separate: exercising both section 34 and section 33 authority of the FAA or exercising both contracting authority and certification authority for the same transaction.

The following are examples of positions with incompatible financial signing authorities within CFOB:

  • Senior Director General ICAAD;
  • Regional Director; and
  • Regional Manager.

These positions have up to $25K contracting authority, full commitment and expenditure initiation authority (section 32), certification authority (section 34) and payment authority (section 33). As per discussion with management, they are aware of the situation and these authorities have been granted for business continuity purposes in case of disruptive events.

Given the fact that the departmental DFSA chart granted incompatible authorities to certain positions, we expected to find preventive or detective controls such as embedded system controls in SAP to flag transactions where incompatible financial authorities are exercised. Walkthroughs and interviews demonstrated that such controls are not in place.

Enabling individuals to execute end-to-end processing from initiation to payment without adequate mitigation controls not only puts the Department at risk of not complying with the regulatory and compliance requirements of the FAA and TBS, but also increases the likelihood of processing errors, misappropriations and fraud. Management acknowledged that the ability to flag transactions where incompatible financial authorities are exercised would be beneficial.
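
The detective control described above can be sketched as follows. This is an added example, not part of the audit report or of ESDC's SAP configuration: the record keys (txn, authority, user), the authority codes and the sample rows are constructed assumptions, and the check is applied per transaction.

```python
from collections import defaultdict

# Incompatible pairs named in the audit text: s.34 with s.33, and
# contracting authority with certification authority (s.34).
INCOMPATIBLE_PAIRS = {
    ("S34", "S33"): "certification and payment by same individual",
    ("CONTRACT", "S34"): "contracting and certification by same individual",
}

def find_incompatible(approvals):
    """Return sorted (transaction, user, reason) tuples for later review.

    approvals: iterable of dicts with the hypothetical keys
    'txn', 'authority' and 'user' (not actual SAP field names).
    """
    # txn -> authority -> set of normalised user ids that exercised it
    exercised = defaultdict(lambda: defaultdict(set))
    for rec in approvals:
        user = rec["user"].strip().upper()
        authority = rec["authority"].strip().upper()
        exercised[rec["txn"]][authority].add(user)

    findings = []
    for txn, by_auth in exercised.items():
        for (first, second), reason in INCOMPATIBLE_PAIRS.items():
            # Same individual appears under both authorities on one transaction
            for user in by_auth.get(first, set()) & by_auth.get(second, set()):
                findings.append((txn, user, reason))
    return sorted(findings)

# Constructed sample approval trail (illustrative values only)
SAMPLE = [
    {"txn": "T-1001", "authority": "S32", "user": "mgr01"},
    {"txn": "T-1001", "authority": "S34", "user": "mgr01"},
    {"txn": "T-1001", "authority": "S33", "user": "fin07"},   # separated: clean
    {"txn": "T-1002", "authority": "S34", "user": "dir02"},
    {"txn": "T-1002", "authority": "S33", "user": "DIR02 "},  # same person, different casing
    {"txn": "T-1003", "authority": "contract", "user": "mgr05"},
    {"txn": "T-1003", "authority": "S34", "user": "mgr05"},
    {"txn": "T-1003", "authority": "S33", "user": "fin07"},
    {"txn": "T-1004", "authority": "S34", "user": "dir02"},   # certifies one transaction...
    {"txn": "T-1005", "authority": "S33", "user": "dir02"},   # ...pays another: not flagged
]

if __name__ == "__main__":
    for finding in find_incompatible(SAMPLE):
        print(finding)
```

Holding both authorities is not flagged by itself; only exercising them on the same transaction is, which matches the business-continuity rationale management gave for granting them.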

It should be noted that interviews, documentation and file review confirmed that the vast majority of payments are processed by a limited number of functional specialists in the Department, who exercise section 33 authority and do not have any other DFSA.

A randomly selected and statistically valid sample of 114 transactions processed between June 1st and August 30th, 2014 was reviewed by the audit team to verify whether transactions were appropriately authorized and auditable evidence is captured in SAP, and to determine whether incompatible authorities were exercised. The file review revealed no issues pertaining to contracting authority, certification authority or payment authority, and no instances where incompatible authorities were actually exercised. The only weakness identified is the absence of supporting documentation in SAP related to section 32 for 36 files, pertaining to medical fees associated with the Canada Pension Plan Disability. CFOB is currently discussing this issue with Payment and Processing Services Branch to clarify section 32 requirements for these transactions.

Recommendation

The CFO should design and implement controls to identify transactions for subsequent reviews where incompatible financial signing authorities are exercised in SAP.

Management response

CFO agrees with the recommendation. Actions are expected to be completed by March 2016.

3.0 Conclusion

Overall, the audit concluded that adequate controls are in place to support the appropriate authorization of financial transactions in SAP. These controls could be enhanced by establishing a formal process to monitor and update the DFSA instruments and by implementing monitoring mechanisms that identify transactions where incompatible financial signing authorities are exercised in SAP.

4.0 Statement of assurance

In our professional judgement, sufficient and appropriate audit procedures were performed and evidence gathered to support the accuracy of the conclusions reached and contained in this report. The conclusions were based on observations and analyses at the time of our audit. The conclusions are applicable only for the implementation of delegation of authority within SAP. The evidence was gathered in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing.

Appendix A: Audit criteria assessment

Audit criteria and ratings

Controls over the exercise of delegated financial authorities

  • Designed and implemented controls to ensure that only appropriate individuals are granted delegated financial authority. Rating: Sufficiently controlled, low risk exposure
  • Designed and implemented controls to ensure that only authorized persons can exercise delegated financial authority. Rating: Controlled, but should be strengthened, medium risk exposure
  • Designed and implemented controls to capture auditable evidence demonstrating that financial transactions are appropriately authorized by the right individuals. Rating: Sufficiently controlled, low risk exposure
  • Designed and implemented controls to segregate incompatible duties related to the exercise of financial authorities. Rating: Controlled, but should be strengthened, medium risk exposure

Review and monitoring of delegated financial authorities

  • A formal process is established to monitor the accuracy of delegated financial authority instruments for both substantive and acting periods. Rating: Missing key controls, high risk exposure
  • Monitoring results are reported to appropriate management level and corrective actions are undertaken in a timely manner where required. Rating: Missing key controls, high risk exposure

Appendix B: Glossary

CFO: Chief Financial Officer
CFOB: Chief Financial Officer Branch
DFSA: Delegation of Financial Signing Authorities
ESDC: Employment and Social Development Canada
FAA: Financial Administration Act
ICAAD: Integrated Corporate Accounting and Accountability Directorate
NHQ: National Headquarters
SSC: Specimen Signature Card
TBS: Treasury Board of Canada Secretariat
