ARCHIVED - Audit of the Key Financial Controls
Final Audit Report
Table of Contents
- Executive summary
- 1. Introduction
- 2. Findings, recommendations and management responses
- 2.1 Common key financial controls
- 2.1.1 Delegations of financial signing authorities
- 2.1.2 Quality assurance process over Financial Administration Act (FAA) section 34 certification
- 2.1.3 FAA section 33 certification
- 2.1.4 Management review of expenditures and commitments
- 2.1.5 Accrued liabilities at year-end
- 2.1.6 System access and segregation of duties
- 2.2 Specific key financial controls
- 2.1 Common key financial controls
- 3. Conclusion
- Appendix A - Lines of enquiry and audit criteria
- Appendix B - Scorecard
- Appendix C - Scoping approach
In preparation for auditable departmental financial statements, and in support of the Treasury Board of Canada's Policy on Internal Control, Health Canada's Deputy Minister and Chief Financial Officer are required to sign an annual letter of representation acknowledging their responsibilities for internal control and assertions over the integrity of financial information. In addition, the Deputy Minister must take measures to ensure that the Department can sustain a control-based audit of its annual financial statements.
The Audit of the Key Financial Controls focused on the controls that will help Health Canada meet its objectives related to these controls and address management's responsibility over the completeness, validity and accuracy of financial transaction processing, and ultimately the accuracy of the departmental financial statements.
This audit was included in the departmental Risk-Based Audit Plan for 2011-12. Two groups of key financial controls were tested as part of the audit. These were common key controls and specific key controls. Common key controls are those which are prevalent across the organization and/or affect the organization as a whole. An example of this would be quality assurance over account verification. Specific key controls have an effect on the Department's financial statements and originate from one specific area such as grants and contributions.
The objective of this audit was to provide the Deputy Minister and the Departmental Audit Committee with reasonable assurance that Health Canada's internal controls over financial reporting are operating effectively, in order to mitigate the risk of material misstatement. The audit covered control activities performed in fiscal year 2010-11. Sufficient and appropriate procedures were performed and evidence gathered to support the accuracy of the audit conclusion. An overview of the effectiveness of key financial controls, which were assessed as part of this audit and aligned with significant classes of transactions, is presented in Appendix B.
Based on the results of the audit work, for the audit period, it was determined that in general, Health Canada's internal controls over financial reporting has been operating effectively to mitigate the risk of material misstatement. However, to strengthen stewardship and accountability as well as enhance the management of Health Canada's Internal Controls over Financial Reporting, improvements are required in certain areas.
Common key controls
- Delegation of financial signing authorities: The process for validating specimen signature cards is operating effectively. However, timely termination of signature cards would provide assurance that information is current and accurate.
- Quality assurance process over the Financial Administration Act (FAA) section 34 certification: The process has been well designed. However, quality assurance would benefit from a more consistent approach to identifying, logging and reporting of errors; retaining appropriate supporting documentation; and assessing the impact of statistical sampling results.
- FAA section 33 certification: Was performed according to Treasury Board and departmental policies, and finance officers approving payments under FAA section 33 were not the same as the individual certifying under FAA section 34.
- Management review of expenditures and commitments: Monthly review of expenditures and commitments has been properly conducted.
- Accrued liabilities at year-end: The process for verifying the accuracy, completeness, and validity of payables at year-end is operating effectively, i.e. have been properly verified, appropriately supported and properly approved.
- System access and segregation of duties: Appropriate segregation of duties is analyzed when granting access and periodically monitored. The program to monitor appropriate segregation of duties requires improvements to ensure that tests address risks specific to the Department.
Specific key controls
- Grants and contributions agreements: The reconciliation to the departmental financial system has been conducted. However, the process for the close-out of contribution agreements needs to be strengthened to improve communication with finance.
- Salary and wage expenses - Pay verification has been well performed. However, improvements to the documentation of pay verification and continuous and timely monitoring of segregation of duties between pay creation and pay verification is required.
- Non-insured health benefits (NIHB) - The reconciliation of service provider claims to funding requests have been performed and controls over NIHB claims processing have been verified by independent auditors.
- Purchase of goods and services - Contracts over $10,000 value have been reviewed by Contract Requisition Control Committee.
- Acquisition card purchases - The reconciliation of payment to acquisition card statement, and monitoring of monthly reconciliation of acquisition card purchase by cardholder are operating effectively.
- Drug submission and evaluation revenues - The reconciliation of the drug submission revenue database to the departmental financial system has been performed.
- Accounts receivable for grants and contributions - Improved communication upon close out of contribution agreements is required to ensure timely and accurate recording and collection of accounts receivables.
- Capital assets - The annual review of capital assets has been performed and management has taken steps to address significant issues.
The report includes five recommendations aimed at addressing the above-noted areas where improvements are required. Management agrees with the recommendations and its response indicates its commitment to take action.
In recent years, government-wide initiatives, legislative changes and new policy requirements have been developed to strengthen public sector financial management and to improve the reliability of financial reporting. Some of these changes include:
- The Treasury Board of Canada's (TB) Policy on Financial Resource Management, Information and Reporting that requires the Deputy Head to take measures to ensure that the Department can sustain a control-based audit of its annual financial statements; and
- The TB Policy on Internal Control that requires the Deputy Head to sign on an annual basis for the Department the Statement of Management Responsibility Including Internal Control Over Financial Reporting.
In addition, the Deputy Minister and the Chief Financial Officer are required to sign an annual letter of representation to the Auditor General of Canada and to the Deputy Receiver General in support of the Public Accounts covering their responsibilities for internal control and assertions over the integrity of financial information.
In preparation for auditable departmental financial statements, and in support of the Policy on Internal Control, Health Canada's Chief Financial Officer Branch (CFOB) has developed the Internal Control over Financial Reporting Framework. This framework identifies and documents the supporting processes, procedures and related internal controls in place to mitigate financial reporting risks. As part of the framework, six main classes of processes were identified to ensure reliable financial reporting:
- Management of parliamentary appropriations;
- Purchasing/payable/payments including transfer payments;
- Capital assets; and
- Financial statement preparation, year-end and reporting.
Responsibility for financial management and financial transaction recording is distributed among branches and the regions. In the National Capital Region, the Accounting Operations and Systems Division, within the CFOB, is responsible for transaction processing for all branches. In other regions, this responsibility is fulfilled by regional finance officers, reporting to the Regions and Programs Branch.
This audit engagement was identified in Health Canada's Multi-Year Risk Based Audit Plan, which was endorsed by the Departmental Audit Committee on June 25, 2010 and subsequently approved by the Deputy Minister. This plan identifies approved audits to be conducted within the audit cycle.
This audit was the first of audits to be conducted annually in order to assess the operating effectiveness of key financial controls in support of the Department's efforts to ensure that its financial statements are auditable. This audit also supports the Department in meeting the requirements of the TB Policy on Internal Control.
1.2 Audit objectives
The objective of the audit was to determine whether key controls in support of the departmental financial statements are operating effectively, in order to mitigate the risk of material misstatement.
1.3 Scope and approach
The audit examined the effectiveness of the controls in place to ensure the validity, completeness and accuracy of the financial transactions reported in the departmental financial statements. The scope of the audit encompassed an assessment of the operational effectiveness of the key financial controls that are either common or specific to the following significant classes of transactions:
- Contribution agreements;
- Salary and wage expenses;
- Non-insured health benefits;
- Purchase of goods and services;
- Acquisition card purchases;
- Drug submissions and evaluation revenues;
- Accounts receivable; and
- Capital assets.
The significant classes of transactions and key controls were identified following an approach described in Appendix C. The key financial controls identified for each of the significant classes of transactions were then grouped into common or specific controls. The common controls, such as account verification, are those found across most significant classes of transactions. The specific controls are those that have been assessed as key for the significant classes of transactions. The specific controls, working in combination with the common controls, aim at providing a reasonable level of assurance that the transactions processed for the respective significant classes of transactions are valid, complete and accurate. Lines of enquiry and audit criteria are presented in Appendix A.
The audit included an evaluation of the accounting activities performed in fiscal year 2010-11 and the testing of controls in the National Capital Region and regions reporting to the Regions and Programs Branch. The audit also included an assessment of controls over payroll and systems access under the joint responsibility of the Corporate Services Branch and the CFOB as well as the capital asset inventory under the responsibility of the CFOB.
The analysis of financial statement data; the identification of the significant classes of transactions; a review of key process flowcharts and control matrices; and discussions with management regarding significant changes in business processes were used to identify key controls.
In validating and assessing the effectiveness of key financial controls, auditors conducted interviews with Health Canada employees, reviewed documentation (e.g. departmental policies and procedures, relevant documentation in support of financial transactions), and observed the execution of key processes and controls.
Results of previous work conducted by the Audit and Accountability Bureau as well as other parties such as the Office of the Auditor General (in support of Public Accounts of Canada) and CFOB's Internal Control Division (in support of the Statement of Management Responsibility Including Internal Control over Financial Reporting) have been leveraged for this audit.
1.4 Statement of assurance
In the professional judgment of the Chief Audit Executive, sufficient and appropriate procedures were performed and evidence gathered to support the accuracy of the audit conclusion. The audit findings and conclusion are based on a comparison of the conditions that existed as of the date of the audit, against established criteria that were agreed upon with management. Further, the evidence was gathered in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing.
2. Findings, recommendations and management responses
2.1 Common key financial controls
2.1.1 Delegations of financial signing authorities
Audit criterion: Controls over the maintenance of specimen signature cards ensure that delegations of financial signing authorities are valid.
Certification under Section 34 of the Financial Administration Act (FAA) requires account verification of all expenditures processed at Health Canada. Such certification aims to provide assurance over the validity and accuracy of transactions by certifying that goods and services were received or that a grant or contribution recipient is eligible for payment. Certification is received through the official authorization of FAA Section 34. Further, FAA Section 33 payment authorizations ensure that payments are subject to authorized requisitions, are lawful and are within the appropriations level; requiring that appropriate processes and controls are in place to ensure the integrity of FAA Section 34. Section 33 relies on specimen signature cards to validate that an employee has a valid Section 34 delegation of financial signing authority.
Financial signing authority is delegated by creating and activating specimen signature cards in a Lotus Notes database that constitutes the official reference to validate delegation of financial signing authority. There are approximately 3,000 active signature cardsFootnote 1 in the database.
It is essential that the controls over the creation and activation of specimen signature cards operate effectively in order to be compliant with the FAA and prevent unauthorized expenditures.
The audit examined the key controls that contribute to maintaining valid specimen signature cards, including the processes for activating, terminating and validating them. Based on the audit results, controls over the maintenance of specimen signature cards need to be strengthened to provide assurance that they remain current.
Activation of specimen signature cards
Health Canada has well-defined procedures to set-up specimen signature cards. A sample of 41 cards was tested to verify that the employees responsible for activating the cards in the database had performed verification steps to ensure that cards were valid. Test results indicated that verifications were adequately conducted.
Termination of specimen signature cards
The specimen signature card of an employee may be terminated for two main reasons: if the responsibilities of the employees have changed, or, if the employee has left the Department. In the first circumstance, provided that the employee has retained financial signing authorities, the signature card is terminated and a new one is created to reflect the new responsibilities. In the second circumstance, the specimen card is simply terminated. Since the financial officers rely on the accuracy of the specimen signature card database when conducting FAA Section 33 certifications, the termination of signature cards need to be completed in a timely manner.
Using computer-assisted audit techniques, auditors assessed the accuracy of the database throughout the year by analysing the timeliness of the termination of specimen signature cards for departed employees. In the fiscal year 2010-2011, 229 specimen signature cards needed to be terminated for employees who left the Department. The analysis showed that 80% of the cards were not terminated on the date the employee left the Department. Furthermore, 37% of the cards had not been terminated 90 days after the departure date.
Starting in February 2011, Health Canada conducted an automated review of all existing signature cards. Through this review, which is set to become an annual process, the specimen signature card system sent emails to supervisors asking that they confirm the validity of the financial authorities previously delegated. This process led to the termination of approximately 450 active signature cardsFootnote 2. Although the exercise had not been completed yet at the time of the audit, it was found to be effective since most of the cards identified by the auditors for departed employees were terminated. That said the result of the process demonstrates that signature cards are not terminated on a timely basis. Consequently, the accuracy of the main tool on which financial officers rely to exercise FAA Section 33 certification is not maintained throughout the year.
It is recommended that the Chief Financial Officer ensure that specimen signature cards are terminated through the year on a timely basis.
Management agrees with this recommendation.
CFOB is leading an initiative to enhance the existing process and controls on the various actions required when an employee is leaving the Department. This initiative will result in the development and implementation of a mandatory departure form. This form will include the requirement for the cancellation of the financial specimen signature cards.
In the interim, CFOB will remind all staff of the need to ensure they request the cancellation of their financial specimen signature cards prior to their departure, as well as the requirement for managers to provide assistance to their staff and monitor compliance.
CFOB will assess the monitoring tool used by the Audit and Accountability Bureau during the conduct of their audit. If applicable, CFOB will implement this tool once it is modified to function in a PeopleSoft environment.
Access to maintain specimen signature cards
In order to obtain financial signing authorities, employees must fill out signature cards in the Financial Signature Card Database and have them approved by their supervisor. These cards become valid only once they are activated by card editors who ensure their validity.
At the time of this audit, 45 card editors across the Department were listed as having access to the specimen signature card database. This list is reviewed annually to confirm that employees remain authorized to have the editor access.
2.1.2 Quality assurance process over Financial Administration Act (FAA) Section 34 certification
Audit criterion: Quality assurance is performed over the Financial Administration Act (FAA) Section 34 certification.
Under the FAA, authorized Section 34 managers are required to certify that work has been performed, the goods supplied or the service rendered; that the price charged is in accordance with the contract; and that the payee (including grant or contribution recipients) is eligible and entitled to the payment.
A well-functioning quality assurance process ensures that a high standard of integrity and accountability is maintained in the spending of public money, and supports sound stewardship of financial resources.
In fiscal year 2008-09, in accordance with the Directive on Account Verification issued by the Treasury Board of Canada, Health Canada began to use a risk-based approach to perform quality assurance over FAA Section 34 account verification. In fiscal year 2010-11, statistical sampling was implemented across the Department.
This quality assurance process encompasses most payment transactions including grants and contributions, accounts payable, travel claims, honoraria, etc. However, it does not cover salary and wage expenditures as they are subject to a notably different quality assurance process which is discussed in Section 2.2.2 of this report.
As illustrated in Diagram 1 below, all transactions undergo minimum quality assurance which focuses on appropriate FAA Section 34 authorization and valid financial coding and vendor information. They are then assigned a risk profile (low or high) based on the nature and value of the transactions through a process referred to as "gating".
Transactions considered as high risk, undergo full quality assurance prior to payment. Full quality assurance includes ensuring that appropriate supporting documentation and financial coding exists; that claimed amounts are in accordance with contracts, and compliance with Treasury Board and departmental policies. Those identified as low risk are paid immediately after minimum quality assurance is performed and are subject to a full quality assurance through quarterly statistical sampling. Below, this process is referred to as the Post-Payment Quality Assurance Process.
As per departmental guidance, errors identified through quality assurance that put into question the validity of the payment request must be followed-up and corrected. Examples include inappropriate FAA Section 34 financial signing authority, erroneous or missing financial coding, invoiced price not in accordance with the contract/funding agreement, or non-compliance with Treasury Board and departmental policy.
The table below provides a breakdown by risk profile of the transactions recorded in fiscal year 2010-11. It demonstrates that even though the proportion of high risk transactions was 10% of the overall population in terms of number, these transactions represented 89% of the dollar value.
Number of Transactions
|Source: Departmental Financial System, Fiscal year 2010-11. Figures exclude acquisition card transactions.|
The quality assurance process aims at ensuring that the FAA Section 34 certification is being properly and consistently followed. This provides assurance that transactions are valid, accurate and properly authorized. For high risk transactions, it acts as a main control to ensure accuracy and validity of the transactions, as errors (if detected) are corrected prior to payment. For low risk transactions, the quarterly sampling results provide insight into the effectiveness of the FAA Section 34 certification. Errors are corrected where deemed necessary. Furthermore, trends in errors are analyzed to detect whether they are indicative of control weaknesses and if necessary, action plans are implemented to address them.
Gating of transactions
The gating of transactions is an important aspect of the quality assurance process. It determines whether a transaction is low risk or high risk, thereby determining the level of quality assurance (minimum or full) to be performed prior to payment. Audit tests determined that the gating of transactions is working effectively.
Identification of errors in account verification
The quality assurance review entails a re-performance of the FAA Section 34 account verification to ensure it has been performed properly. Information collected through this process provides evidence on the effectiveness of the Section 34 account verification.
The audit tested a randomly selected sample of 108 transactions (including high and low risk), recorded in fiscal year 2010-11 from four regions, to determine whether the minimum and full quality assurance processes were adequately performed and to verify if all errors had been identified by the reviewer. The results of the testing are presented in the table below.
Errors Not Identified Through QA Review
Through re-performance of the full quality assurance, the audit found that not all errors were identified and, therefore, not corrected. Among the items noted:
- Five instances (all high risk) where the quality assurance review did not identify an error in the transaction, such as amount or financial coding errors;
- When performing a quality assurance review, among other steps, reviewers must confirm that the invoiced price is in agreement with the contract price, including rates where applicable. However, in two instances, the supporting documentation did not provide evidence that this verification was conducted.
Logging of results of quality assurance review
Quality assurance procedures require that all errors identified be logged, regardless of risk profile and that errors identified for low risk transactions must be reported (errors for high risk transactions are not reported since they are corrected prior to payment). This is regarded as the most significant output of the quality assurance process as it provides the necessary data required to report on the overall adequacy and reliability of the account verification process, and develops corrective actions where necessary, in line with the TB Directive on Account Verification. As evidenced below, the logging of quality assurance results is not being performed consistently.
There were eight instances, from the sample of 108 transactions selected for this audit, where errors were not recorded by the reviewer or were not appropriately recorded. These errors related to transactions classified as high risk. While the reviewer had identified the errors and appropriate corrective actions were taken, they were not logged in the departmental financial system, SAP, as required. This may lead to incomplete or inaccurate reporting of information and impact the ensuing risk assessment and remedial actions.
Through the use of computer-assisted audit techniques, the auditors analysed all 7,930 low risk transactions that were included in the samples selected in fiscal year 2010-11 as part of the Post-Payment Quality Assurance Process. The analysis confirmed 33 instances where the absence of supporting documentation was not logged as an error as required in the departmental procedures. This signifies that reports that are intended to provide management with an overall assessment of the effectiveness of FAA Section 34 account verification may not be complete.
In addition, the audit identified areas where current quality assurance procedures can be improved. First, errors identified for grant and contribution transactions are not logged in the departmental financial system and therefore are not reported. Although these transactions are all classified as high risk and subject to full quality assurance prior to payment, the recording of errors for this category of expenditures was scoped out of the initial implementation of the risk-based quality assurance over account verification as they involve a different business process. However, logging and reporting errors identified for these transactions would provide management with a more complete picture of the overall effectiveness of FAA Section 34 account verification.
Secondly, the results from the quality assurance performed on acquisition cards are not reported. Sampling procedures on acquisition card transactions are slightly different. However, these transactions are also subject to a quality assurance review as required by the TB Directive on Account Verification. For fiscal year 2010-11, expenditures on acquisition cards amounted to $48 million. In order to provide management with robust information on the overall adequacy of FAA Section 34 account verification, it is important that the results of this quality assurance review be communicated.
It is recommended that the Chief Financial Officer ensure that the quality assurance process is improved in the following areas:
- Identification and logging of critical errors; including verification of price in accordance with contracts, and missing supporting documentation;
- Reporting results of quality assurance over account verification with regards to grants and contributions transactions, as well as, acquisition card transactions.
Management agrees with this recommendation.
CFOB will enhance the Health Canada Statistical Sampling Plan to provide guidance on the interpretation of error codes and examples of their application to help ensure proper identification and logging of critical errors.
CFOB will modify the Health Canada Statistical Sampling Plan to expand the logging of errors for high risk transactions to include errors identified through the quality assurance process on grant and contribution transactions.
CFOB will report the results of the acquisition card transaction quality assurance review, in addition to the results of the quarterly statistical sampling results.
Low risk transactions - statistical sampling results
As previously mentioned in this report, all low risk transactions undergo minimum quality assurance prior to payment. In addition, a sample of these transactions is selected for each region, on a quarterly basis, to undergo full quality assurance. For this type of testing, the Department has established a tolerable error limit of 8%. That is to say that management considers the FAA Section 34 account verification process to be operating effectively if the error rate from the statistical sample is less than 8%. Where sampling results for a region is greater than 8%, senior finance officers are required to develop an action plan to address any issues identified through an analysis of the errors. The 8% rate was determined by Health Canada as the TB Directive on Account Verification provides no guidance in this area. The Department considers this to be appropriate as it proceeds towards auditable financial statements, and is focused on continuous improvement and enhancing controls.
The auditors reviewed a report that provides the results of the statistical sampling on low risk transactions for fiscal year 2010-11. The report indicates that 415 out of 7,930 transactions sampled were identified with critical errors for an overall error rate of 5.2% for the Department; hence, below the tolerable limit (8%) that was set. This suggests that the FAA Section 34 account verification is working from a departmental perspective. This said the actual rate could be somewhat higher than what is being reported because, as indicated in the previous sections, some critical errors were not recorded during the fiscal year.
A breakdown of the statistical sampling results show that there is great variability in error rates among the regions, and by quarters, with error rates ranging from 0% to as high as 20% (National Capital Region, Travel and Hospitality, 1st quarter of 2010-11). As this is the first year where logging of quality assurance errors was required, some variability is to be expected as the Department has just started to benefit from the resulting information to strengthen account verification where required. Error rates in excess of the tolerable level for any region may provide evidence that the FAA Section 34 account verification is not being performed effectively in that region.
The analysis of errors and the action plans developed by senior finance officers are generally reported to CFOB two months after the end of the quarter. Auditors reviewed a sample of these reports and noted that there is disparity in the level of analysis. This analysis is confined to errors within the sample and does not assess the extent of the issue over the population. In cases where the tolerable error rate was exceeded, additional analysis would be required to demonstrate where account verification was adequate and reliable, and where additional quality assurance work would be required.
It is recommended that the Chief Financial Officer develop clear guidance on the additional work required when the tolerable error rate has been exceeded in order to demonstrate the adequacy and reliability of account verification.
Management agrees with this recommendation.
CFOB will enhance the Health Canada Statistical Sampling Plan to provide guidance and clarification on the level of analysis and assessment as well as actions and follow-up required where the tolerable error rate has been exceeded.
In conclusion, the quality assurance process is generally well designed. However, as noted above, results of the sample testing demonstrate that improvements to the operating effectiveness of quality assurance over the FAA Section 34 certification are required in order for this process to provide assurance on the effectiveness of Section 34 account verification.
2.1.3 FAA Section 33 Certification
Audit criterion: Certification under FAA Section 33 is performed and appropriate segregation of duties exists with FAA Section 34 certification.
The authority to request payments in accordance with Section 33 of the Financial Administration Act is referred to as payment authority. Pursuant to this section, a financial officer delegated responsibility for payment authority is responsible to ensure that:
- FAA Section 34 was properly exercised by validating that the Section 34 signatory had a valid delegated authority to authorize the expense and that there is auditable evidence that the quality assurance over the adequacy of the Section 34 account verification has taken place; and
- Expenditures are a lawful charge against the appropriation.
The FAA Section 33 payment authorization performed by financial officers is a key control to ensure the accuracy and legality of transactions.
The auditors evaluated the performance of the FAA Section 33 certification using the sample of 108 transactions selected for the quality assurance review and found that it was performed according to Treasury Board and departmental policies. Financial officers approving payments under FAA Section 33 had valid delegated authority and were not the same as the individual certifying under FAA Section 34.
2.1.4 Management review of expenditures and commitments
Audit criterion: Cost center managers review commitments and expenditures recorded in SAP for completeness, validity and accuracy.
Health Canada's Policy on Budget Management, which is part of the departmental Budget Management Framework, requires that cost centre managers be accountable and responsible for their assigned budgets. This includes effective stewardship and control over budgets and commitments, and monitoring of surpluses/deficits and forecasts on an on-going basis. Monthly forecasts and management variance reporting processes are standardized for use by managers and expected resource utilization forecasts reflect a realistic outlook of the activities to be carried out.
Cost centre managers, with the support of branch senior financial officers (in the National Capital Region and regional senior financial officers in other regions), are required at month-end to review expenses charged to their cost centres through Health Canada's Management Variance Report (MVR) process. The activity entails a review of the validity, accuracy and completeness of expenses. The CFOB is responsible to ensure that the month-end MVR exercises are adequately conducted and documented through a challenge function. This process is considered a key control over financial reporting.
The audit concludes that MVR responsibilities, timelines and processes are all properly documented and communicated to delegated users. Furthermore, documentation review and interviews with cost centre managers and senior financial officers demonstrated that the MVR process is properly followed.
2.1.5 Accrued liabilities at year-end
Audit criterion: Senior financial officers review and challenge the completeness, validity and accuracy of transactions payable at year-end.
Section 37 of the Financial Administration Act requires that payables at year-end (PAYEs) be set up to ensure that cut-off is properly applied and existing liabilities are accounted for in the financial statements within the proper fiscal year. PAYEs are recorded at year-end, for goods and services as well as for grants and contributions, when accounts payable or payments cannot be recorded by the required cut-off date. For the fiscal year 2010-11, PAYEs amounting to $156 million were set-up.
During the past year, the CFOB has increased its focus on PAYEs by completing a clean-up of the old outstanding PAYEs and strengthening the controls for setting up new ones. A new form was developed for grants and contribution PAYEs where senior financial officers are required to review and sign-off on all new PAYEs before sending them to accounting officers for processing. Accounting officers perform quality assurance over the PAYE in order to confirm that appropriate supporting documentation and sign off are present before posting to the departmental financial system.
The audit tested a sample of 25 PAYE transactions, including 19 transactions for operating and maintenance expenses and 6 grants and contributions, to determine whether there was proper approval, verification and availability of backup documentation. No deficiencies were noted.
Furthermore, interviews with senior financial officers confirmed that the new requirements have been communicated and that a challenge function by senior financial officers is performed to ensure completeness, validity and accuracy of PAYE transactions.
2.1.6 System access and segregation of duties
Audit criterion: The access to the departmental financial system, SAP, is restricted and the segregation of duties is enforced.
The segregation of duties is a key concept in internal control. It increases protection from fraud and errors. An example of incompatible duties that must be segregated is the maintenance of vendor master files and the recording of purchase orders. In order to monitor the segregation of duties in the departmental financial system, SAP, Health Canada follows tests that have been standardized across the federal government. These tests are based on a matrix of critical functions which rate risks as low, medium or high.
In terms of high risk functions, the auditors analysed the SAP user access to determine whether the segregation of duties has been identified and is being monitored. The results of this review demonstrated that in general, incompatible duties are being monitored. [sensitive security-related information removed in accordance with the exemption provisions of the Access to Information Act]
Controls over access and the segregation of duties have also been included in the scope of Health Canada's internal Audit on SAP General Controls (September 2011). It assessed whether Health Canada has implemented SAP security monitoring activities in accordance with the guidelines prescribed across the federal governmentFootnote 3. As a result, the audit identified that no monitoring is done on a particular combination of incompatible duties. [sensitive security-related information removed in accordance with the exemption provisions of the Access to Information Act] This combination is recognized as a "moderate financial risk".
The above-noted audit recommended that monitoring to detect and address conflicts in the segregation of duties be enhanced. Management has committed to address the potential conflicts in segregation of duties and will identify other monitoring best practices in other departments that could be adopted by Health Canada. As a result, no additional recommendation is made in this report.
2.2 Specific key financial controls
2.2.1 Grants and contribution agreements
Audit criterion: Key financial controls specific to the processing of grants and contributions agreements are operating effectively.
Reconciliation of commitment and payment transactions between grants and contributions systems and the departmental financial system
Grants and contributions payment requests are initiated in the Management of Contracts and Contributions System (MCCS) and the Lotus Notes G&C Database. MCCS is used by the First Nations and Inuit Health Branch (FNIHB) programs and the Lotus Notes G&C database is used by other branches. Reconciliation between these systems and the departmental financial system, SAP, contributes to providing assurance that grants and contributions agreement expenditures are complete and accurate.
Monthly reconciliations of MCCS to SAP (broken down by regional accounting offices) are prepared by the CFOB. The variances are sent to regional senior financial officers for comments and sign off. The audit analyzed the reconciliation prepared for periods 11 and 12 of fiscal year 2010-11 and found no deficiencies. The reconciliation between the Lotus Notes G&C Database and SAP was also examined for period 12 and no deficiencies were found. These monthly reconciliations provide assurance that the transmissions of grants and contributions expenditures are complete and accurate.
Review and close-out of contributions agreements
The review and close-out of contribution agreements are necessary to ensure that all the terms and conditions have been met and that receivables are recorded in the departmental financial system and collected, as required.
The audit found that in some regions, no formal contribution agreement closure process exists that includes checklists/forms with a clear audit trail covering all key items such as receivables and program/finance sign offs. This could result in some outstanding receivables not being recorded and collected.
Efforts are being made to standardize the file close-out process in some regions, but more work is required. Timely close-out and the communication of results to finance would help to ensure the completeness and accuracy of the Department's financial information, specifically accounts receivables. A recommendation has been made to that effect in Section 2.2.7 (Accounts receivable).
2.2.2 Salary and wage expenses
Audit criterion: Key financial controls specific to the processing of salary and wage expenses are operating effectively.
According to the TB Directive on Financial Management of Pay Administration and Guideline on Common Financial Management Business Process for Pay Administration, responsibilities for FAA Section 34 certification are to be shared between cost centre managers, compensation advisors and compensation verifiers, at different stages of the pay administration cycle.
Compensation advisors are required to review the payroll registers for their assigned pay lists and review individual salary payments against pay action documentation processed for the pay cycle under review. This review is the final opportunity to confirm the accuracy of payroll transactions.
Health Canada's Audit of Payroll Administration (December 2010) concluded that cost centre managers' pre-payroll certification and verification procedures pursuant to FAA Section 34 are in compliance with requirements and are effective. As for the current audit, it noted that some users from the compensation sector hold multiple roles within the online pay system, giving them the ability to both create a transaction and perform the verification. The Corporate Services Branch's Compensation Unit has developed procedures to monitor that the segregation of duties is maintained between pay advisors and pay verifiers. However, this monitoring was not carried out throughout the fiscal year 2010-2011 and, therefore, does not provide sufficient assurance that proper segregation of duties has been observed.
The current audit reviewed payroll registers and other output reports for fiscal year 2010-11 to determine whether verification was performed on the accuracy of payments. A sample of 25 transactions was selected for testing. No payroll processing errors were found as a result of this review. However, five of the payroll transactions had an inadequate audit trail, signifying no evidence or inconclusive evidence of pay verification. This audit trail is important as it serves to provide evidence that the transaction has been through a quality assurance review by an authorized and qualified individual. In fact, Health Canada's Standard Operating Procedures for Pay Verification and Payment Release requires the use of a standard pay transaction stamp as evidence of verification by the Compensation Verifier under FAA Section 34 and of the review and posting completed by compensation advisors.
It is recommended that the Assistant Deputy Minister of the Corporate Services Branch ensure that:
- pay verification is appropriately documented by compensation verifiers; and
- the segregation of duties is continuously monitored between pay creation and verification in the on-line pay system.
Management agrees with this recommendation.
The Compensation Policy Centre will issue a reminder to all Health Canada compensation units that they are required to utilise the verification stamp as stated in Health Canada's Standard Operating Procedures for Pay Verification and Payment Release. The message will also stress the importance of adherence to this process as it provides evidence of pay transaction approval by the Compensation Verifier and work performed by the Compensation Advisor.
The Compensation Policy Centre will periodically monitor that the verification stamp is being used for each pay action in accordance with the Standard Operating Procedure for Payment Verification and Payment Release.
[sensitive security-related information removed in accordance with the exemption provisions of the Access to Information Act]
2.2.3 Non-insured health benefits
Audit criterion: Key financial controls specific to the processing of non-insured health benefits are operating effectively.
The Non-Insured Health Benefits (NIHB) Program provides eligible First Nations and Inuit populations in Canada with coverage for a limited range of medically necessary health-related goods and services not provided through private insurance plans, provincial/territorial health or social programs, or other publicly funded programs. This includes pharmacy, dental, vision, medical supplies and equipment, medical transportation, provincial health premiums and other health care benefits. In fiscal year 2010-11, approximately $576 million was spent on dental, pharmacy, medical supplies and equipment benefits.
Dental, pharmacy and medical supplies and equipment claims were mostly processed by an external service provider through the Health Information Claim Processing System (HICPS). The service provider summarises the claims processed and submits an invoice to the NIHB Program for payment twice a month. The Program verifies and reconciles the invoices with the claims processed and forwards it to the CFOB, where employees ensure that the payment is a lawful charge against an appropriation and processes the invoice for payment. This reconciliation is a key control which ensures that NIHB expenses are completely and accurately recorded in the departmental financial system, SAP.
Reconciliation of NIHB claims processed in HICPS to funding requests
An internal audit over the processing of pharmacy benefits was completed and reported in June 2011. The scope of this audit included the analysis of the pharmacy payment reconciliation process, which is the same as the reconciliation process for dental and medical supplies and equipment. The audit found the reconciliation process to be operating effectively and concluded that all invoices submitted by the service provider are reconciled before payments are approved under FAA Section 34. No additional work was performed in this audit.
Review of the 5970 report over NIHB claim processing
Health Canada requests a 5970-type audit reportFootnote 4 on the provider's internal controls in order to obtain further assurance over the validity, completeness and accuracy of claims processed. This report was prepared by external auditors and an unqualified opinion was provided for fiscal year 2010-11. Evidence was also obtained by program management concerning the review of this report.
In conclusion, the reconciliation of NIHB expenses with payment requests is operating effectively and controls over NIHB claims processing are operating effectively as evidenced by the 5970 report. This provides assurance that NIHB expenses are valid, complete and accurate.
2.2.4 Purchase of goods and services
Audit criterion: Key financial controls specific to the processing of purchase of goods and services are operating effectively.
Review of contracts over $10,000
Under a departmental policy, purchases greater than $10,000 (including all amendments, regardless of dollar value) require approval from one of the Contract Requisition Control Committees (CRCC). These committees are comprised of procurement and contracting officers and financial officers. The work of CRCCs is tracked in Health Canada's Contract Requisition and Reporting System (CRRS).
Approval by CRCCs helps to ensure that contractual documents are in accordance with Government Contracts Regulations, procurement vehicles, relevant policies, and departmental delegation of financial authorities. It also ensures that all contract documentation and coding is complete and uploaded to the correct systems (CRRS and SAP). The review and approval from the CRCC provides assurance over the validity and accuracy of purchases of goods and services over $10,000.
Auditors used computer-assisted audit techniques to test purchase orders over $10,000, issued in fiscal year 2010-11 to determine whether all purchases over $10,000 were reviewed by the CRCC. No significant error was found.
2.2.5 Acquisition card purchases
Audit criterion: Key financial controls specific to the processing of acquisition card purchases are operating effectively.
Acquisition card purchases are paid prior to the reconciliation of purchases by the cardholder and FAA Section 34 certification, as permitted under the TB Directive on Account Verification. Monthly reconciliations of acquisition card purchases are performed to ensure the validity and accuracy of the purchases.
To provide assurance over the accuracy and completeness of acquisition card purchases, payments to MasterCard are reconciled to all cardholder statements of accounts. In addition, CFOB monitors that monthly reconciliation of acquisition card purchases are completed by cardholders. Interviews conducted and documentation review provided evidence that these reconciliations are performed on a regular basis and account balances are verified.
In conclusion, the reconciliation of payments to acquisition card statements of accounts totals and the monitoring of the monthly reconciliation of acquisition card purchases are operating effectively to ensure the accuracy and completeness of acquisition card transactions.
2.2.6 Drug submission and evaluation revenues
Audit criterion: Key financial controls specific to the processing of drug submissions and evaluation revenues are operating effectively.
In fiscal year 2010-11, Health Canada user fee revenue amounted to approximately $76 million, and drug submission and evaluation revenue was the only significant user fee with approximately $17 million in pharmaceutical revenue.
Drug submission evaluation fees are tracked in the Drug Submission Tracking System (DSTS) outside of the departmental financial system, SAP. This system is operated by the Health Products and Food Branch (HPFB). There is currently no automated process for transferring / uploading DSTS transactions to SAP. Invoices are posted in SAP based on the work progress tracked in DSTS. Therefore, to ensure accuracy and completeness of the amounts recorded in SAP, it is important to have regular reconciliations of the amounts recorded in the two systems.
The HPFB currently has a process in place to reconcile the data between DSTS and SAP. A review and follow-up is conducted on unbilled entries in DSTS on a quarterly basis. This process helps to ensure that all revenues are recorded in SAP.
Overall, the reconciliation process is adequately designed. However, it was noted that the reconciliation for the fourth quarter of the fiscal year 2010-11 was not performed. This reconciliation provides assurance related to the completeness and accuracy of the financial information. Since it is used in the preparation of various reports, including the departmental financial statements, it is important that the reconciliation be performed before the closing of the books at year-end and the preparation of the final trial balance.
2.2.7 Accounts receivable
Audit criterion: Key financial controls specific to the processing of accounts receivable are operating effectively.
Health Canada's Policy on Receivables Management and Charging Interest on Overdue Accounts requires that all receivables transactions be invoiced, recorded and reported accurately and promptly. Failure to do so can result in receivables not being collected and inaccurate financial reporting. One of the most significant sources of accounts receivable comes from the closing of contributions agreements. As noted in the Section 2.2.1 (Grants and contribution agreements) of this report, the current close-out process does not ensure that all contribution agreement receivables are recorded in the departmental financial system, SAP.
Management of Contracts and Contributions System (MCCS) reports were compared to accounts receivable in SAP. It was found that there were receivables amounts in MCCS either not found in SAP or coded to an incorrect accounts receivable general ledger account in SAP. Furthermore, programs do not always notify Accounting Operations in advance for collection of cash receipts. Therefore, Accounting Operations is usually made aware that an account receivable existed when cash is received.
In conclusion, some receivables transactions for contributions are either not being recorded into SAP or are being recorded to an incorrect accounts receivable general ledger account.
It is recommended that the Chief Financial Officer, in collaboration with the Assistant Deputy Minister, First Nations and Inuit Health Branch and the Assistant Deputy Minister, Regions and Program Branch, ensure that coordination is improved between accounting offices and the contribution program, to ensure that all receivables, including those resulting from close-out of contribution agreements, are recorded in the departmental financial system in an accurate and timely manner.
Management agrees with this recommendation.
CFOB in collaboration with the Regions and Program Branch and the First Nations and Inuit Health Branch initiated work to assess the enhancements required to assist with the identification and recording of contributions receivables in an accurate and timely manner. This work will include an analysis of the assessment status of contribution agreement reports from prior years and reconciliation with the financial information reported in the departmental financial system as well as the development of procedures for the annual financial process including timelines.
Monitoring and reconciliation of suspense and clearing accounts
The CFOB performs monitoring and reconciliation of various suspense and clearing accounts including deposit clearing accounts, petty cash, and interdepartmental settlements.
These reconciliations are generally performed on a monthly basis, but the frequency of the reconciliation may be different depending on the nature of the account or volume of activity. Discrepancies and variances identified through the reconciliation process are raised with the appropriate individual within the cost center for follow-up. Regular monitoring and clearing of the suspense accounts help to ensure the accuracy of financial information.
Interviews were conducted and evidence was obtained that reconciliations were performed on a regular basis and account balances were verified.
Overall, the monitoring and reconciliation of suspense and clearing accounts worked effectively throughout fiscal year 2010-11.
2.2.8 Capital assets
Audit criterion: Key financial controls specific to the processing of capital assets are operating effectively.
Health Canada holds a variety of capital assets including buildings, machinery, equipment, and vehicles. The value of these assets (net of accumulated amortization and impairment losses) amounted to $157 million as at March 31, 2010 as per the Department's financial statements. A departmental policy defines capital assets as assets with a useful life greater than one year, and a per-item cost of $10,000 or greater. Due to the significance of this amount, regular reviews of the capital asset inventory are needed to ensure the accuracy of the information contained in the financial statements.
Physical count of capital assets
Each year, Health Canada conducts a review of its assets valued at $10,000 or greater. Once the review process is complete, the necessary changes/adjustments are made in the departmental financial system.
The auditors reviewed the report produced as part of the annual review exercise to ascertain whether appropriate actions have been taken to address issues raised in the report. This review showed that only one issue was still outstanding, i.e., an amount of $4 million in unverified assets. Efforts are being made to validate the existence of these assets as part of the 2011-12 review.
In conclusion, most of the issues identified in the annual capital asset review process have been addressed and corresponding results provide assurance that capital assets exist and are complete and accurate.
Based on the results of the audit work, it was determined that in general, Health Canada's internal controls over financial reporting are operating effectively to mitigate the risk of material misstatement. However, improvements are required in the execution of individual key controls as noted below.
Common key controls
In terms of the common key controls, those found across the most significant classes of transactions, are found to be operating effectively for the most part. However, areas of improvement were noted in three (3) of the key common controls.
The Specimen Signature Card Database is the Department's official source for verifying the delegated financial signing authority of a cost centre manager/administrator. Improvements to the administration of the database are required to ensure the information is current and accurate (which is relied upon for quality assurance and payment issuance).
The quality assurance over FAA Section 34 account verification provides assurance that managers with the delegated authority have properly and consistently followed the required procedures for ensuring the validity and accuracy of transactions. While this process is well designed, improvements can be made in ensuring that the work of the quality assurance reviewer is consistently performed, and by ensuring a more robust analysis of the errors identified through full quality assurance on low risk transactions.
System access and the segregation of duties helps to ensure mutually exclusive roles cannot be assigned to a single user, and reduces the Department's exposure to the risk of inappropriate action. The current continuous monitoring regime requires improvements as the tests developed to identify the segregation of duties issues have not been configured or tailored to Health Canada needs.
Specific key controls
These controls supplement the common key controls and help to provide assurance over the completeness and accuracy of financial information. Eight of the ten specific key controls were determined to be operating effectively.
Two areas where improvements are needed were identified. A standard close out process would provide assurance that contribution agreement terms and conditions have been met, and that recoveries, where required, are communicated. Recoveries that are not communicated to finance in a timely manner affect the accuracy and completeness of accounts receivable. The audit trail for the verification of payroll expenditures should be improved to provide evidence that quality assurance review has been performed by an authorized and qualified individual, and monitoring of the segregation of duties between pay creation and pay verification should be performed on a continuous basis.
An overview of the effectiveness of key financial controls, which were assessed as part of this audit and aligned with significant classes of transactions, is presented in Appendix B.
|Line of Enquiry 1: Key Financial controls common to all classes of transactions are operating effectively to ensure the completeness, validity and accuracy of transactions.|
|1. Delegation of financial signing authorities||Controls over the maintenance of specimen signature cards ensure that delegations of financial signing authorities are valid.|
|2. Quality assurance process over FAA Section 34 certification||Quality assurance is performed over Financial Administration Act (FAA) Section 34 certification.|
|3. FAA Section 33 certification||Certification under FAA Section 33 is performed and appropriate segregation of duties exists with FAA Section 34 certification.|
|4. Management review of expenditures and commitments (MVR)||Cost centre managers review commitments and expenditures recorded in SAP for completeness, validity and accuracy.|
|5. Accrued liabilities at year- end||Senior financial officers review and challenge the completeness, validity and accuracy of transactions payable at year end.|
|6. System access and segregation of duties||Access to the departmental financial system, SAP, is restricted and the segregation of duties is enforced.|
|Line of Enquiry 2: Key financial controls specific to classes of transactions are operating effectively to ensure the completeness, validity and accuracy of transactions.|
|1. Grants and contribution agreements||Key financial controls specific to the processing of grants and contributions agreements are operating effectively.|
|2. Salaries and wages expenses||Key financial controls specific to the processing of salary and wage expenses are operating effectively.|
|3. Non-insured health benefits||Key financial controls specific to the processing of non-insured health benefits are operating effectively.|
|4. Purchase of goods and services||Key financial controls specific to the processing of purchase of goods and services are operating effectively.|
|5. Acquisition card purchases||Key financial controls specific to the processing of acquisition card purchases are operating effectively.|
|6. Drug submissions and evaluation revenues||Key financial controls specific to the processing of drug submissions and evaluation revenues are operating effectively.|
|7. Accounts receivable||Key financial controls specific to the processing of accounts receivable are operating effectively.|
|8. Capital assets||Key financial controls specific to the processing of capital assets are operating effectively.|
- Controls operating effectively
- Controls need minor improvement
- Controls need moderate improvement
- Controls need improvement
- Controls not operating
- Controls not covered within the audit scope
|Common Key Controls||
|1. Delegation of financial signing authorities||CNMi|
|2. Quality assurance over FAA Section 34||CNMi|
|3. FAA Section 33 certification||COE|
|4. Management review of expenditures and commitments (MVR exercise)||COE|
|5. Accrued liabilities at year end||COE|
|6. System accesses and segregation of duties||CNMi|
Statement of Operations
|Contribution Agreement||Salaries and Wages||Non-insured health benefits (NIHB)||Purchase of goods and services||Acquisition card purchases||Drug submissions and evaluation revenues||Account Receivables||Capital assets|
|1. Reconciliation of commitments and payment transactions between contribution systems and the departmental financial system (SAP)||COE|
|2. Review and Close-out of Contribution Agreements||CNI|
|3. Quality assurance over payroll (peer verification)||CNMi|
|4. Review of 5970 type report over NIHB claim processing||COE|
|5. Reconciliation of NIHB claims processed in HICPS with payments in SAP||COE|
|6. Review of contracts over $10,000||COE|
|7. Reconciliation of card statements of account||COE|
|8. Reconciliation of the drug submission database with SAP||COE|
|9. Monitoring and reconciliation of suspense and clearing accounts||COE|
|10. Physical count of capital assets||COE|
Appendix C - Scoping approach
The initial step in determining the audit scope consisted in the decomposition of the departmental financial statement components into classes of significant transactions, for fiscal year 2009-2010. Using low, moderate, and high risk ratings, the risk of material misstatement was analysed for each class, based on the materiality of transactions posted in the departmental financial system, SAP, and the likelihood of errors.
In the context of this audit, the materiality analysis was based on a threshold of $45 million, which corresponds to approximately 1% of the Department's gross expenditures. Using this amount, the following rankings were determined:
- Low materiality
- Medium materiality
- High materiality
Classes of transactions with a low materiality level were scoped out of the audit.
The likelihood of errors was assessed using a number of factors such as the amount of transactions and the complexity and type (automated or manual) of processes. Classes of transactions with both a likelihood of errors ranked as low and a medium materiality were scoped out of the audit. In addition, certain classes of transactions were also excluded where it was found there was insufficient consistency in controls across regions, or that a substantive approach was more efficient.
The second step in determining the audit scope consisted of identifying the key financial controls found in each class of significant transactions. Key controls are those designed to meet Health Canada's control objectives and address management's responsibility over completeness, validity and accuracy of financial transaction processing.
The identification of key controls involved the following steps:
- Identification of significant risks to the integrity of the financial information reported in the financial statements;
- Review of documented systems and processes currently in place for the selected classes of significant transactions;
- Review of the controls activities in place that mitigate the identified significant risks; and
- Identification of controls considered key to address significant risks.
Section 5300, titled "Audit Evidence", of the Canadian Institute of Chartered Accountants Handbook states that "management is responsible for the fair presentation of financial statements that reflect the nature and operations of the entity. In representing that the financial statements are presented fairly, in all material respects, in accordance with generally accepted accounting principles, management implicitly or explicitly makes assertions regarding the recognition, measurement, presentation and disclosure of the various elements of financial statements and related disclosures."
The aforementioned assertions were used as the basis for the assessment of risk of material misstatement and the design and performance of audit procedures. The following assertions are the criteria used to identify and assess the key controls assessed during the conduct phase of the audit:
- Completeness: all transactions and events that should have been recorded are recorded;
- Existence: transactions and events recorded have occurred and pertain to the entity;
- Accuracy: amount and other data relating to the transaction have been recorded appropriately;
- Presentation/Classification: transactions and events have been recorded in the proper account; and
- Cut-off: transactions and events have been recorded in the correct accounting period.
Key financial controls identified for each of the classes of significant transactions were then sorted into common and specific controls. The common controls are those found in most classes of significant transactions.
- Date modified: