Follow-up audit of Section 34 compliance in Systems Applications and Products (SAP)
On this page
- 1.0 Background
- 2.0 Audit findings
- 3.0 Conclusion
- 4.0 Statement of assurance
- Appendix A: glossary
Request other formats online or call 1 800 O-Canada (1-800-622-6232). If you use a teletypewriter (TTY), call 1-800-926-9105. Large print, braille, audio cassette, audio CD, e-text diskette, e-text CD and DAISY are available on demand.
Following the outcomes of the Audit of the Implementation of Delegation of Authority within Systems Applications and Products (SAP) in March 2015 and Internal Audit’s subsequent follow-up on the recommendations in April 2017, a follow-up audit on Section 34 compliance in SAP was included in the 2018-20 Risk-Based Audit Plan.
The following key findings were included in the March 2015 audit report:
- policies, procedures and guidelines pertaining to Financial Signing Authorities (FSA) exist and are aligned with legislative and Treasury Board policy requirements;
- process to grant Financial Signing Authority is well designed
- operating effectiveness of controls to grant Financial Signing Authority needs improvement
- financial transactions are appropriately authorized by the right individuals and auditable evidence is captured in SAP
- there are no monitoring mechanisms identifying transactions where incompatible FSA are exercised in SAP (Sections 34 and 33 by the same individual), and
- there is no formal process to monitor and update the Delegated Financial Signing Authority instruments
The audit report included the following recommendations:
The Chief Financial Officer (CFO) should:
- design and implement a formal process to monitor and update delegation instruments, electronic authorization matrices, specimen signature documents, validation and authentication processes, and
- design and implement controls to identify transactions for subsequent reviews where incompatible FSA are exercised in SAP
1.2 Audit objective
The objective of this audit was to assess whether the actions included in the Management Action Plan (MAP) related to the 2015 Audit of the Implementation of Delegation of Authority within SAP have been fully implemented.
The scope of this audit included key controls pertaining to FSA implemented in SAP, namely expenditure initiation, transaction and commitment authority (Section 32), contracting authority, certification authority (Section 34) and payment authority (Section 33) of the Financial Administration Act.
The audit was conducted using a number of methodologies including (but not limited to):
- process observation and analysis
- documentation review and analysis
- interviews with Chief Financial Officer Branch (CFOB) management and staff, and
- file review and analysis completed during the period under audit from April 1, 2017 to June 30, 2018:
- review of a sample of Branches’ responses for the annual review of FSA performed by CFOB
- review of a sample of actions taken by the Financial Delegation Unit (FDU) within CFOB on request for adjustments of FSA in SAP, and
- review of a sample of Specimen Signature Cards (SSCs)
2.0 Audit findings
2.1 Review and monitoring of Delegation of Financial Signing Authorities are formalized
Recommendation no. 1 from the 2015 Audit of the implementation of Delegation of Authority within SAP
- The CFO should design and implement a formal process to monitor and update delegation instruments, electronic authorization matrices, specimen signature documents, validation and authentication processes
CFOB is developing and will implement the electronic reporting tools to support the monitoring and updating of delegation-related instruments. (September 2015)
As the myEMS (SAP) reporting capability is brought online, CFOB will adjust the compensatory monitoring processes and document them accordingly to formalize the monitoring process. (March 2016)
As part of the implementation of the delegation of authority within SAP, CFOB maintains a registry of SSCs that includes the name and signature of the delegated authority; these SSCs are renewed every five years.
Specimen signature cards
The audit found that there is a process in place to receive, review, validate, update and activate SSCs. The following procedures were formally documented in September and October 2018:
- “Procedures to Analyze and Validate a New Financial Signing Authority Request”
- “Procedures on Entering and Verifying a Blanket Acting Designation Memorandum Request”, and
- “Procedures on Activating Blanket Acting Designation Memorandum Request”
The audit found that the operating effectiveness of controls relating to granting SSCs is working as intended. However, the granting of FSA could occur before receiving the SSC hard copies. Based on enquiry with the FDU, the audit team noted that in most cases this timing issue is due to the delegation of authority being granted electronically first (when the delegation is approved in SAP) and the SSC being signed by the manager shortly thereafter.
Interviews with representatives from the FDU and documentation review confirmed that there is a formal process to revoke the FSA from employees upon changes to their status or responsibilities such as departure, transfer or long-term leave.
Audit procedures completed by the audit team were designed to assess whether FSA were removed in accordance with the documented procedures for a sample of employees leaving the Department, transferring to another Branch or on long-term leave during the period under audit. Controls such as the reception of emails in the generic mailbox, verification of information and timely actions performed on removal of FSA were tested.
The audit found that the controls relating to the process to revoke FSA from employees upon changes to their status or responsibilities such as departure, transfer or long-term leave are working as intended.
Monitoring and update of the delegation-related instruments
CFOB developed and implemented tools and procedures to monitor and update the delegation-related instruments as described below.
To ensure that FSA are up-to-date in SAP, CFOB performs an annual review of FSA. As part of this review, the FDU generates a listing of individuals holding a financial delegation by Branch. The listing is then distributed to Assistant Deputy Ministers (ADMs) through SharePoint for review and validation of FSA within their respective Branches. Modifications to FSA, if required, are requested by the Branches when the financial authority is no longer required and/or the end date has to be modified. The FDU analyzes the listings provided by the ADMs before inputting the requested changes into SAP. Requests to cancel or remove FSAs are actioned by FDU; however, new FSA requests must be processed through myEMS portal following the standard delegation request process.
The most recent annual review of FSA was performed in March 2018. The audit found that the FSA review was adequately performed for all Branches. In addition, the procedures related to the annual review of FSA were formally documented in October 2018.
The audit team tested a representative sample of Branches’ responses to the annual review of FSA during the period under review to assess whether monitoring was performed in accordance with the documented procedures. Controls related to the review and approval of the listing of individuals holding a financial delegation, responses submitted by Branches to FDU and actions taken by FDU to action the FSA adjustments requested were tested by the audit team.
The audit found that the controls relating to the annual review of FSA are working as intended. No errors were found for 97.5% (39 out of 40) of the files reviewed by the audit team. One error was found for 2.5% (1 out of 40) of the files tested which is due to human error where the FSA delegation end date was incorrectly keyed into SAP.
Based on the results presented above, the audit determined that all actions to address this recommendation have been fully implemented.
2.2 Incompatible Financial Signing Authorities are monitored
Recommendation no. 2 from the 2015 Audit of the implementation of Delegation of Authority within SAP
The CFO should design and implement controls to identify transactions for subsequent reviews where incompatible FSA are exercised in SAP.
CFOB will develop and implement the reporting tools required to identify transactions where incompatible FSA are exercised. Once available, a periodic analysis of the transactions where incompatible FSA have been exercised in SAP will be performed. (March 2018)
The conflicting authority to exercise “Sections 33 and 34 authorities” was addressed when the CFO approved the updated Delegation Authorities matrix on March 22, 2016, which restricts the ability to exercise these authorities to Functional Specialists within CFOB.
Further, in response to this recommendation, CFOB initially committed to develop and implement reporting tools that would identify transactions where incompatible FSA are exercised. However, the SAP Center of Expertise was unable to produce a report identifying transactions for which conflicting authorities have been exercised during the period under audit. We were informed that three custom reports would have to be developed, each representing approximately one month of work for two resources excluding costs for future maintenance.
The briefing note presented and approved by the CFO on March 8, 2018 indicated that there is a significant level of effort required and the number of transactions on a yearly basis is considered to be low. As a result, Management agreed to accept the risks of not implementing this recommendation.
Taking into account the measures already taken by Management in this area, the audit concluded that all actions to address this recommendation have been fully implemented.
The actions included in the MAP related to the 2015 Audit of the Implementation of Delegation of Authority within SAP have been fully implemented.
4.0 Statement of assurance
In our professional judgement, sufficient and appropriate audit procedures were performed and evidence gathered to support the accuracy of the conclusions reached and contained in this report. The conclusions were based on observations and analyses at the time of our audit. The conclusions are applicable only for the Follow-up Audit of Section 34 Compliance in SAP. The evidence was gathered in accordance with the Treasury Board Policy on Internal Audit and the International Standards for the Professional Practice of Internal Auditing.
Appendix A: glossary
- Assistant Deputy Ministers
- Chief Financial Officer
- Chief Financial Officer Branch
- Financial Delegation Unit
- Financial Signing Authorities
- Management Action Plan
- Specimen Signature Cards
Report a problem or mistake on this page
- Date modified: