Audit of Controls Around Payment Processes – Operations and Maintenance

From: Employment and Social Development Canada
Official title: Audit of Controls Around Payment Processes – Operations and Maintenance.

On this page

• 1. Background
  • 1.1. Context
  • 1.2. Audit objectives
  • 1.3. Scope
  • 1.4. Methodology
• 2. Audit findings
  • 2.1. Controls are in place to detect erroneous or non-legitimate vendor records and prevent unauthorized access to establish or modify vendor records
  • 2.2. The majority of payments were processed accurately and in a timely manner
  • 2.3. Quality assurance and monitoring activities are in place
  • 2.4. Controls are in place to issue and monitor acquisition cards
• 3. Conclusion
• 4. Statement of assurance
• Appendix A: Audit criteria assessment
• Appendix B: Financial signing authorities definitions

Alternate formats

Large print, braille, MP3 (audio), e-text and DAISY formats are available on demand by ordering online or calling 1 800 O-Canada (1-800-622-6232). If you use a teletypewriter (TTY), call 1-800-926-9105.

Acronyms used in this report

AC

Acquisition Card

CFOB

Chief Financial Officer Branch

CMCP

Centrally Managed Cost Pools

FAA

Financial Administration Act

NHQ

National Headquarters

O&M

Operations & Maintenance

QAP

Quality Assurance Plan

SAP

Systems, Applications and Products

TB

Treasury Board

1. Background

1.1 Context

Treasury Board (TB) defines Operations & Maintenance (O&M) as all expenses within a program or operating vote other than salary, capital expenditures, transfer payments or any other payments that are deemed appropriate to exclude from the operating budget.

In 2017 to 2018, the Department processed $728 million of O&M payments which are comprised of vote 1 expenditures through the Systems, Applications and Products (SAP) software. Acquisition cards (ACs) are used as a convenient way to buy and pay for low dollar value, low risk goods and services. ACs facilitate the procurement process for managers and employees and streamline the payment process for suppliers and departmental accounting units. In 2017 to 2018, $34 million of O&M were purchased using ACs.

1.2 Audit objectives

The objectives of this audit were to provide assurance that:

• O&M payments are processed in accordance with the requirements of applicable TB policies and directives as well as departmental policies and procedures; and
• ACs are used and monitored in accordance with applicable TB policies and directives as well as departmental policies and procedures.

1.3 Scope

The scope of this audit included the assessment of selected controls related to payment processes in SAP for O&M payments processed during 2017 to 2018 and the first quarter of 2018 to 2019 pertaining to:

• vendor records management (including but not limited to vendor set-up and changes)
• approval of payments by the proper delegated financial authority
• processing of payments
• account verification and monitoring of payments processed and the related reporting which also includes sampling methodology, results analysis and follow-up; and
• AC usage and monitoring, the related reporting and corrective actions taken

The audit excluded emergency salary advances priority payments as those will be included in a separate audit on payroll.

1.4 Methodology

The audit was conducted using a number of methodologies which included (but were not limited to):

• process observation and analysis;
• documentation review and analysis;
• interviews with management and staff at National Headquarters (NHQ) and in the 4 regions:
  • Western – Regina, Edmonton, Vancouver and Winnipeg
  • Quebec – Montréal and Québec City
  • Atlantic – Dartmouth, Halifax, Moncton and St. John’s; and
  • Ontario – Mississauga, Scarborough and Toronto
• On-site observation and walkthroughs at NHQ and at the Montréal and Winnipeg payment processing centres;
• A sample of O&M payments processed during 2017 to 2018 and the first quarter of 2018 to 2019 was tested:
  • 150 payment transactions
  • 45 vendor records creation and change requests
  • 45 low and medium risk post-payment verifications of transactions
  • 50 ACs issued
  • 50 AC payments; and

Data analytics on 3,184,907 transaction line items including AC transactions (50,806) and vendor records (483,339)

2. Audit findings

2.1 Controls are in place to detect erroneous or non-legitimate vendor records and prevent unauthorized access to establish or modify vendor records

Vendor records controls

The set up and change requests for vendor records are first submitted in SAP by procurement officers, national accounts payable or business line clients. These requests are validated by an accounts payable clerk and then approved by an accounts payable financial officer. Once validated and approved, the requests are processed in the Montréal or Winnipeg payment processing centres.

Vendor records monitoring

The audit team was informed that verifications of vendor address and banking information are embedded in the regular vendor creation and modification procedures of the payment processing centres completed on a daily basis. The monitoring procedures, tools and reports are currently being reviewed to develop an improved monitoring plan.

Testing results

Through interviews, documentation reviews and testing of 45 vendor records, the audit team noted the following with respect to vendor records management.

• All vendor records creation and change requests had a requestor, enhancer and approver and no individual took on a dual role in a single request
• The vendor records requests were properly completed, had no missing mandatory fields and were consistent with the original documentation submitted to create or change vendor information
• The internal service standard for national accounts payable staff of 2 days to process vendor creations and changes included in the vendor creation procedures manual was met for 84% (38 out of 45) of the samples tested

2.2 The majority of payments were processed accurately and in a timely manner

O&M expenses

In the Department, O&M expenses are managed as follows:

• centrally Managed Cost Pools (CMCP): assigned CMCP budgets are managed by cost centre managers who provide sections 32 and 34 approvals for all O&M expenses covered by the CMCP. CMCP are commonly used for O&M payments such as facilities and asset management, information technology hardware and software acquisitions and maintenance, learning investment fund as well as postage and courier
• decentralized expenses: business line managers have their own budgets and provide sections 32 and 34 approvals of O&M expenses that fall within their budgets, such as travel, hospitality expenses and professional services

There are differences in the way regions and NHQ are managing their O&M expenses. In 2 regions, most O&M costs are centrally managed, including office supplies. In these regions, interviews with AC holders confirmed that due to the centralization of cost pools, the use of their ACs is very limited

Most managers with a section 34 delegation and AC holders interviewed indicated they had a good understanding of O&M costs under their responsibilities, common cost pools and the related processes. The audit team confirmed that the approvers of the 45 files sampled had effectively completed their delegation of authority training.

Testing results

The audit team encountered challenges in obtaining a complete payments details data set for the $728 million of O&M payments processed during 2017 to 2018 and the first quarter of 2018 to 2019. Challenges were mainly due to a lack of clarity in the definition of which transactions are considered O&M payments and which SAP document types, general ledger or financial reporting accounts need to be queried to obtain O&M payments details. Subsequently, Chief Financial Officer Branch (CFOB) provided the requested payments details data to the audit team.

Through interviews, documentation reviews and testing of 150 payment transactions, the audit team noted the following:

Expenditure initiation and section 32 approval

• Expenditure initiation approval is the first step in the expenditure process before section 32 approval. Section 32 provides the authority to incur expenditures or to obtain goods or services that will result in the expenditure of funds. The audit team was only able to confirm evidence of section 32 approval in SAP for 30% of the transactions tested
• In one region, section 32 was not performed on postage and courier costs, which represent a significant portion of the overall common cost pool budget. Regional management services is not in a position to effectively forecast the related expenses incurred, creating a risk of over or under-spending the postage and courier budget

Section 34 approval

• 97% of the payments tested (146 out of 150) were approved by the appropriate section 34 delegated authority
• 100% of the payments tested were for the purchase of goods or services that were within the mandate of Employment and Social Development Canada’s operations or that were authorized for ACs

Section 33 approval

• 81% of the payments tested (122 out of 150) were approved by the appropriate section 33 delegated authority. The 19% error rate was due to section 33 approvals completed by an officer without the required delegated authority. Access to the electronic authentication authorization key and the standard payment system was granted to the officer to complete section 33 approvals without validation of the officer’s delegation. There are no controls within SAP that prevent section 33 approvals of O&M payments from being completed by officers without the required delegated authority. CFOB provided evidence to the audit team that the section 33 delegated authority for the officer was corrected in July 2018, which is after the period under audit

Segregation of duties

• 100% of the transactions tested (150) respected the segregation of duties: the same incumbent did not certify both Financial Administration Act (FAA) section 33 and FAA section 34 on the same transaction

Accuracy and timeliness of payments

• 90% of the payments tested (135 out of 150) had the correct amount, vendor, financial coding, invoice in SAP and were paid in a timely manner
• 93% of the O&M payments tested (140 out of 150) were paid within 30 days of the payment due date. The service standard of the TB Directive on Payments is 95%
• 88% of the O&M payments tested (132 out of 150) had the correct tax amounts or tax jurisdictions coded in SAP

2.3 Quality assurance and monitoring activities are in place

Quality assurance and monitoring

A section 33 control framework, revised in May 2018, outlines how the FAA and the TB Directive on Delegation of Spending and Financial Authorities are complied with. The framework outlines quality assurance activities including account verifications to be completed on O&M payments. These activities are detailed in the “section 33 control framework - accounts payable Quality Assurance Plan” (QAP).

The QAP also outlines the roles and responsibilities for account verification, the risks as well as sampling methodologies to be used to select the payments for account verification.

Pre-payment verifications are completed for all transactions gated as high risk in SAP before section 33 approval is completed. However, post-payment verifications are not completed on these transactions. Therefore, it is not possible to confirm whether pre-payment verifications on high risk transactions are effective.

Post-payment verifications are completed on a sample of O&M transactions gated as low and medium risks. Accounts payable officers in the Montréal and Winnipeg payment processing centres complete these verifications and enter the results in SAP.

Testing results

Through interviews, documentation reviews and testing of 45 account verifications conducted, the audit team noted the following with respect to quality assurance and monitoring of payments:

• 100% (45) of the transactions sampled were properly gated in SAP as low or medium risk in accordance with the risk management matrix as presented in QAP
• 100% (45) of the transactions sampled were correctly selected for post-verification sampling in accordance with the sampling methodology presented in the QAP
  • 100 % (25) of the account verifications that had a pass rating were correctly assessed based on the information available in SAP. However, section 32 approval was available for only 16% of the transactions verified (4 of 25) with a pass rating. The account verification unit indicated that checking section 32 approval will be included in their procedures for 2019 to 2020 account verifications
  • 90% (9 of the 10) of the account verifications that identified critical error codes had evidence in SAP of the error being corrected
  • 50% (5 of the 10) of the account verifications that identified non-critical error codes had evidence in SAP of the error being corrected. The audit team was informed that it is optional to correct non-critical errors
• The audit team could not verify whether account verifications were completed in accordance with the QAP and which officer performed the verification as the procedures completed are not documented in SAP. Only the error codes or the pass rating results are manually entered in SAP.

Based on the above, management might want to consider documenting the completion of the account verification procedures in SAP in order to provide an oversight mechanism to ensure that account verification procedures are completed in accordance with the QAP.

2.4 Controls are in place to issue and monitor acquisition cards

Acquisition card controls

During 2017 to 2018, 50,806 transactions totalling $34 million of goods and services were purchased using an AC. ACs are used as a convenient way to buy and pay for low dollar value, low risk goods and services. They also facilitate the procurement process for managers and employees and streamline the payment process for suppliers and departmental accounting units. ACs provided to staff must only be used to purchase goods and services for conducting government business.

ACs are issued and approved by the national AC coordinator team in NHQ who is also responsible for completing the monthly sampling of transactions to verify compliance.

The departmental AC policy details the length of time that the card will be suspended depending on the number of occurrences of misuse or other actions in contradiction to the policy. The national AC coordinator team identified 17 misuse cases during 2017 to 2018.

Testing results

Through interviews, documentation reviews and testing of 50 transactions, the audit team noted the following with respect to issuance and monitoring of ACs:

• ACs were used as the correct procurement mechanism since 98% (49 out of 50) of the transactions were for eligible purchases
• 96% (48 out of 50) of transactions were approved by the appropriate section 34 delegated authority
• while 100% of the payments tested (50) had evidence that a FAA section 33 was performed, only 74% of the AC payments tested (37 out of 50) were approved by the appropriate FAA section 33 delegated authority
• the AC monitoring plan outlines the nature of the AC transaction categories monitored, the required monthly sampling percentage by category and the sampling methodology. The audit team found that the AC monitoring procedures may benefit from some opportunities for improvement since:
  • monthly sampling does not allow for rotational periodic sampling of transactions based on past monitoring results and/or new identified risks
  • monthly sampling focuses more on the probability of misuse and does not necessarily take into account the impact of the risks (in other words, the materiality of this risk if materialized) related to the transactions selected for monitoring, and
  • the unavailability of transactions details including items purchased does not facilitate effective risk identification and assessment when selecting transactions for monitoring
• AC holders and managers with section 34 delegation interviewed indicated they receive recurring or similar monitoring information requests. These requests appear to be triggered by the supplier’s name instead of the risks associated with the transaction
• interviewees confirmed that AC holders have access to appropriate resources such as online resources, a help line and an informal network of colleagues
• interviewees also indicated that the training provided prior to the issuance of the AC card does not include enough practical aspects to enable cardholders to use the card effectively, complete financial coding of transactions, complete the monthly account reconciliation and resolve any unmatched transactions in SAP
• evidence of successful completion of the mandatory SAP AC training was only available for 36% (18 out of 50) of the sample. However, all AC holders interviewed indicated they completed the mandatory training
• cardholders receive monitoring requests from the national AC coordinator team after having sent their complete reconciliation package to the payment processing centres. Interviews confirmed that the coordination between the national AC coordinator team in NHQ and the payment processing centres could be improved to minimise duplication of time and effort devoted to answering AC transactions inquiries

Management may want to consider revising the criteria used for monitoring of AC transactions.

3. Conclusion

Overall, O&M payments were mostly processed in accordance with the requirements of applicable TB policies and directives as well as departmental policies and procedures. The majority of O&M payments were processed accurately and in a timely manner and were approved by officers with proper financial delegated authority. There is an opportunity to better document section 32 approval in SAP.

Controls to issue and monitor ACs are established in accordance with applicable TB policies and directives as well as departmental policies and procedures.

4. Statement of assurance

In our professional judgement, sufficient and appropriate audit procedures were performed and evidence gathered to support the accuracy of the conclusions reached and contained in this report. The conclusions were based on observations and analyses at the time of our audit. The conclusions are applicable only for the Audit of Controls Around Payment Processes – Operations and Maintenance. The evidence was gathered in accordance with the Treasury Board Policy on Internal Audit and the International Standards for the Professional Practice of Internal Auditing.

Appendix A: Audit criteria assessment

Audit criteria: Vendor records management: It was expected that the Department has mechanisms to detect erroneous or non-legitimate vendor records and prevent unauthorized access to establish or modify vendor records in SAP in accordance with the TB Standard on Vendor Record and departmental procedures.

Rating: Sufficiently controlled; low-risk exposure

Audit criteria:
Processing of operations and maintenance payments: It was expected that the Department has implemented controls to:

• verify that FAA sections 32, 33 and 34 approvals of O&M payments are performed by officers with proper financial authority delegations in accordance with the TB Directive on Delegation of Spending and Financial Authorities process and issue accurate O&M payments in a timely manner

Rating: Controlled, but should be strengthened; medium-risk exposure 

Audit criteria:
Reporting and Monitoring of Payment Processes: It was expected that the Department:

• has a quality assurance process, based on a sound sampling methodology, that addresses the key risks associated with O&M payments
• verifies that quality assurance activities are executed by officers in accordance with the departmental QAP
• monitors O&M payment processes in SAP and reports on the results of account verification activities to facilitate targeted corrective action 

Rating: Sufficiently controlled; low-risk exposure

Audit Criteria:
Issuance and Monitoring of Acquisition Cards: It was expected that the Department has established controls to:

• issue acquisition cards to authorized employees who have received training and expenditure authorization approval in accordance with the TB Standard on Acquisition Card Payment, and
• monitor acquisition card usage and report monitoring results, including compliance issues identified for corrective action 

Rating: Sufficiently controlled; low-risk exposure

Appendix B: Financial signing authorities definitions

Expenditure initiation is the authority to incur expenditures or to obtain goods or services that will result in the expenditure of funds. It is the first step in the expenditure process.

Commitment authority (section 32) is the authority to ensure there is a sufficient unencumbered balance available before entering into a contract or other arrangement before a commitment is made.

A decision to spend (expenditure initiation authority) would be made in conjunction with commitment authority to ensure there are available funds in the appropriation

Transaction authority is the legal authority to enter into contracts, including acquisition card purchases, and to sign off on legal entitlements.

Certification authority (section 34) is the authority to certify, before making a payment for the performance of work, the supply of goods or the rendering of services, that:

• the work has been performed, the goods have been supplied or the services have been rendered
• the terms and conditions of the contract or the agreement have been met, including price, quantity and quality
• the payee is entitled to or eligible for payment

Payment authority (section 33) is the authority to requisition payments. Individuals exercising payment authority must ensure that no requisition is made when:

• the payment is not a lawful charge against an appropriation
• the payment would result in expenditure in excess of the appropriation
• the payment would reduce the balance available in an appropriation, making it unable to meet the commitments charged against it
• the invoice is inaccurate