Audit of Controls Around Payment Processes – Operations and Maintenance

From: Employment and Social Development Canada
Official title: Audit of Controls Around Payment Processes – Operations and Maintenance.

On this page

Alternate formats

Request other formats online  or call 1 800 O-Canada (1-800-622-6232). If you use a teletypewriter (TTY), call 1-800-926-9105. Large print, braille, audio cassette, audio CD, e-text diskette, e-text CD and DAISY are available on demand.

Acronyms used in this report

AC
Acquisition Card
CFOB
Chief Financial Officer Branch
CMCP
Centrally Managed Cost Pools
FAA
Financial Administration Act
NHQ
National Headquarters
O&M
Operations & Maintenance
QAP
Quality Assurance Plan
SAP
Systems, Applications and Products
TB
Treasury Board

1. Background

1.1 Context

Treasury Board (TB) defines Operations & Maintenance (O&M) as all expenses within a program or operating vote other than salary, capital expenditures, transfer payments or any other payments that are deemed appropriate to exclude from the operating budget.

In 2017 to 2018, the Department processed $728 million of O&M payments which are comprised of vote 1 expenditures through the Systems, Applications and Products (SAP) software. Acquisition cards (ACs) are used as a convenient way to buy and pay for low dollar value, low risk goods and services. ACs facilitate the procurement process for managers and employees and streamline the payment process for suppliers and departmental accounting units. In 2017 to 2018, $34 million of O&M were purchased using ACs.

1.2 Audit objectives

The objectives of this audit were to provide assurance that:

1.3 Scope

The scope of this audit included the assessment of selected controls related to payment processes in SAP for O&M payments processed during 2017 to 2018 and the first quarter of 2018 to 2019 pertaining to:

The audit excluded emergency salary advances priority payments as those will be included in a separate audit on payroll.

1.4 Methodology

The audit was conducted using a number of methodologies which included (but were not limited to):

Data analytics on 3,184,907 transaction line items including AC transactions (50,806) and vendor records (483,339)

2. Audit findings

2.1 Controls are in place to detect erroneous or non-legitimate vendor records and prevent unauthorized access to establish or modify vendor records

Vendor records controls

The set up and change requests for vendor records are first submitted in SAP by procurement officers, national accounts payable or business line clients. These requests are validated by an accounts payable clerk and then approved by an accounts payable financial officer. Once validated and approved, the requests are processed in the Montréal or Winnipeg payment processing centres.

Vendor records monitoring

The audit team was informed that verifications of vendor address and banking information are embedded in the regular vendor creation and modification procedures of the payment processing centres completed on a daily basis. The monitoring procedures, tools and reports are currently being reviewed to develop an improved monitoring plan.

Testing results

Through interviews, documentation reviews and testing of 45 vendor records, the audit team noted the following with respect to vendor records management.

2.2 The majority of payments were processed accurately and in a timely manner

O&M expenses

In the Department, O&M expenses are managed as follows:

There are differences in the way regions and NHQ are managing their O&M expenses. In 2 regions, most O&M costs are centrally managed, including office supplies. In these regions, interviews with AC holders confirmed that due to the centralization of cost pools, the use of their ACs is very limited

Most managers with a section 34 delegation and AC holders interviewed indicated they had a good understanding of O&M costs under their responsibilities, common cost pools and the related processes. The audit team confirmed that the approvers of the 45 files sampled had effectively completed their delegation of authority training.

Testing results

The audit team encountered challenges in obtaining a complete payments details data set for the $728 million of O&M payments processed during 2017 to 2018 and the first quarter of 2018 to 2019. Challenges were mainly due to a lack of clarity in the definition of which transactions are considered O&M payments and which SAP document types, general ledger or financial reporting accounts need to be queried to obtain O&M payments details. Subsequently, Chief Financial Officer Branch (CFOB) provided the requested payments details data to the audit team.

Through interviews, documentation reviews and testing of 150 payment transactions, the audit team noted the following:

Expenditure initiation and section 32 approval

Section 34 approval

Section 33 approval

Segregation of duties

Accuracy and timeliness of payments

Recommendation

CFOB should document evidence of section 32 approval for all O&M transactions in SAP

Management response

CFOB agrees with the recommendation. It should be noted that it is not possible to include documents in SAP for all types of transactions. Where possible, CFOB will document evidence of section 32 approval in SAP. If not, CFOB will resort to other alternatives to document evidence of section 32 outside of SAP. The estimated completion date is March 2020

2.3 Quality assurance and monitoring activities are in place

Quality assurance and monitoring

A section 33 control framework, revised in May 2018, outlines how the FAA and the TB Directive on Delegation of Spending and Financial Authorities are complied with. The framework outlines quality assurance activities including account verifications to be completed on O&M payments. These activities are detailed in the “section 33 control framework - accounts payable Quality Assurance Plan” (QAP).

The QAP also outlines the roles and responsibilities for account verification, the risks as well as sampling methodologies to be used to select the payments for account verification.

Pre-payment verifications are completed for all transactions gated as high risk in SAP before section 33 approval is completed. However, post-payment verifications are not completed on these transactions. Therefore, it is not possible to confirm whether pre-payment verifications on high risk transactions are effective.

Post-payment verifications are completed on a sample of O&M transactions gated as low and medium risks. Accounts payable officers in the Montréal and Winnipeg payment processing centres complete these verifications and enter the results in SAP.

Testing results

Through interviews, documentation reviews and testing of 45 account verifications conducted, the audit team noted the following with respect to quality assurance and monitoring of payments:

Based on the above, management might want to consider documenting the completion of the account verification procedures in SAP in order to provide an oversight mechanism to ensure that account verification procedures are completed in accordance with the QAP.

2.4 Controls are in place to issue and monitor acquisition cards

Acquisition card controls

During 2017 to 2018, 50,806 transactions totalling $34 million of goods and services were purchased using an AC. ACs are used as a convenient way to buy and pay for low dollar value, low risk goods and services. They also facilitate the procurement process for managers and employees and streamline the payment process for suppliers and departmental accounting units. ACs provided to staff must only be used to purchase goods and services for conducting government business.

ACs are issued and approved by the national AC coordinator team in NHQ who is also responsible for completing the monthly sampling of transactions to verify compliance.

The departmental AC policy details the length of time that the card will be suspended depending on the number of occurrences of misuse or other actions in contradiction to the policy. The national AC coordinator team identified 17 misuse cases during 2017 to 2018.

Testing results

Through interviews, documentation reviews and testing of 50 transactions, the audit team noted the following with respect to issuance and monitoring of ACs:

Management may want to consider revising the criteria used for monitoring of AC transactions.

3. Conclusion

Overall, O&M payments were mostly processed in accordance with the requirements of applicable TB policies and directives as well as departmental policies and procedures. The majority of O&M payments were processed accurately and in a timely manner and were approved by officers with proper financial delegated authority. There is an opportunity to better document section 32 approval in SAP.

Controls to issue and monitor ACs are established in accordance with applicable TB policies and directives as well as departmental policies and procedures.

4. Statement of assurance

In our professional judgement, sufficient and appropriate audit procedures were performed and evidence gathered to support the accuracy of the conclusions reached and contained in this report. The conclusions were based on observations and analyses at the time of our audit. The conclusions are applicable only for the Audit of Controls Around Payment Processes – Operations and Maintenance. The evidence was gathered in accordance with the Treasury Board Policy on Internal Audit and the International Standards for the Professional Practice of Internal Auditing.

Appendix A: Audit criteria assessment

Audit criteria: Vendor records management: It was expected that the Department has mechanisms to detect erroneous or non-legitimate vendor records and prevent unauthorized access to establish or modify vendor records in SAP in accordance with the TB Standard on Vendor Record and departmental procedures.

Rating: Sufficiently controlled; low-risk exposure

Audit criteria:
Processing of operations and maintenance payments: It was expected that the Department has implemented controls to:

Rating: Controlled, but should be strengthened; medium-risk exposure 

Audit criteria:
Reporting and Monitoring of Payment Processes: It was expected that the Department:

Rating: Sufficiently controlled; low-risk exposure

Audit Criteria:
Issuance and Monitoring of Acquisition Cards: It was expected that the Department has established controls to:

Rating: Sufficiently controlled; low-risk exposure

Appendix B: Financial signing authorities definitions

Expenditure initiation is the authority to incur expenditures or to obtain goods or services that will result in the expenditure of funds. It is the first step in the expenditure process.

Commitment authority (section 32) is the authority to ensure there is a sufficient unencumbered balance available before entering into a contract or other arrangement before a commitment is made.

A decision to spend (expenditure initiation authority) would be made in conjunction with commitment authority to ensure there are available funds in the appropriation

Transaction authority is the legal authority to enter into contracts, including acquisition card purchases, and to sign off on legal entitlements.

Certification authority (section 34) is the authority to certify, before making a payment for the performance of work, the supply of goods or the rendering of services, that:

Payment authority (section 33) is the authority to requisition payments. Individuals exercising payment authority must ensure that no requisition is made when:

Report a problem or mistake on this page
Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, contact us.

Date modified: