Audit of Key Financial Controls - Year 4 - October 2014

Table of Contents

• Executive summary
• A - Introduction
  • 1. Background
  • 2. Audit objectives
  • 3. Audit scope
  • 4. Audit approach
  • 5. Statement of conformance
• B - Findings, recommendations and management responses
  • 1. Progress made on the previous years’ recommendations
    • 1.1 Progress made on the previous years’ recommendations
  • 2. Select key financial controls common to all classes of transactions
    • 2.1 Delegation of financial signing authorities
    • 2.2 Quality assurance process over Financial Administration Act Section 34 certification
    • 2.3 FAA Section 33 certification
    • 2.4 Management review of expenditures and commitments
    • 2.5 Accrued liabilities at year-end
    • 2.6 System access and segregation of duties
    • 2.7 Journal entry review
  • 3. Select key financial controls specific to classes of transactions
    • 3.1 Grant and contribution agreements
    • 3.2 Salary and wage expenses
    • 3.3 Non-insured health benefits
    • 3.4 Purchase of goods and services
    • 3.5 Acquisition card purchases
    • 3.6 Drug submissions and evaluation revenues
    • 3.7 Accounts receivable
    • 3.8 Capital assets
• C - Conclusion
• Appendix A – Specific lines of enquiry and criteria
• Appendix B – Scorecard
• Appendix C - Health Canada’s internal control over financial reporting framework
• Appendix D – Risk profile of transactions
• Appendix E – Corrective actions and follow-up activities

Executive summary

In support of the Treasury Board Policy on Internal Control, Health Canada’s (the Department) Deputy Minister and Chief Financial Officer are required to sign an annual representation letter acknowledging their responsibilities for maintaining an effective system of internal control over financial reporting.

The objective of this audit was to provide reasonable assurance that internal controls over financial reporting are operating effectively to mitigate the risk of material misstatement in the Department’s financial statements. The audit focused on testing the controls that help Health Canada meet its control objectives and address management’s responsibility over the completeness, validity and accuracy of its financial reporting. Select controls from two categories of key financial controls were tested as part of the audit: common key controls and specific key controls. The audit covered transaction processing activities for fiscal year 2013-14.

The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Audit. Sufficient and appropriate procedures were performed and evidence gathered to support the accuracy of the audit conclusion.

The audit concluded that the Department’s internal controls over financial reporting are generally operating effectively to mitigate the risk of material misstatement. The majority of the common and specific key controls were generally operating effectively. The audit also found that previous years’ recommendations were fully implemented.

The common key controls are those found across the most significant classes of transactions. Six of the seven controls were generally operating effectively. The audit observed that improvement is required to strengthen access controls to SAP, to ensure that mutually exclusive roles cannot be assigned to a single user.

The specific controls supplement the common key controls. Nine of the ten controls were generally operating effectively. The audit noted that monitoring of salary payments needs to be conducted, as described in the Compensation Monitoring Framework.

Management agrees with the two recommendations outlined in the report and has provided an action plan that will improve the effectiveness of the Department’s internal controls over financial reporting.

A - Introduction

1. Background

Reliable financial reporting provides transparency and accountability on public funds spent to achieve departmental objectives. To this effect, Treasury Board (TB) has put in place policies to strengthen financial reporting, and requires departments to have an effective risk-based system of internal controls. These include the following.

• The TB Policy on Internal Control requires that the Deputy Head sign an annual departmental Statement of Management Responsibility including Internal Control over Financial Reporting.
• The TB Policy on Financial Resource Management, Information and Reporting requires that the Deputy Head take measures to ensure that the Department can sustain a control-based audit of its annual financial statements.

In addition, Deputy Heads and Chief Financial Officers are required to sign an annual Letter of Representation to the Auditor General and the Deputy Receiver General in support of the public accounts, covering their responsibilities for internal control over financial reporting and assertions over the integrity of financial information.

In support of the Policy on Internal Control, at Health Canada (the Department), the Chief Financial Officer Branch (CFOB) has developed the Internal Control over Financial Reporting (ICFR) Framework (see Appendix C).This framework provides direction for the implementation of the ICFR. It identifies and documents the supporting processes, procedures and related internal controls in place to mitigate financial reporting risks. Six main classes of processes were identified to support reliable financial reporting:

• Management of parliamentary appropriations;
• Revenue/receivable/receipts;
• Purchasing/payable/payments, including transfer payments;
• Payroll;
• Capital assets; and,
• Financial statement, year-end and reporting.

This is the fourth year of a recurring (annual) audit aimed at assessing the operating effectiveness of key financial controls. A number of changes took effect in FY2013-14. These changes include the first full year of implementation for the Procure to Pay (P2P) initiative, which allows for electronic approvals of commercial invoices; the centralization of regional accounting offices into two hubs, one for Western Canada (Winnipeg) and one for Eastern Canada (Ottawa); and the creation of the Shared Services Partnership (SSP), which includes the provision of services such as invoice processing and procurement activities.

Notwithstanding the changes, the select key financial controls being tested as part of this audit are fundamental to the operation of the Department and should remain effective in a challenging environment.

2. Audit objectives

The objectives of the audit were to:

• Determine whether select key controls in support of the departmental financial statements are operating effectively, in order to mitigate the risk of material misstatements in terms of ensuring the validity, completeness and accuracy of the financial transactions reported; and,
• Follow up on the progress made on the implementation of the management action plan developed in response to the previous years’ key financial controls internal audit recommendations.

3. Audit scope

The scope encompassed a review of the operational effectiveness of key financial controls that are either common or specific to the following significant classes of transactions.

• Contribution agreements;
• Salary and wage expenses;
• Non-insured health benefits;
• Purchase of goods and services;
• Acquisition card purchases;
• Drug submissions and evaluation revenues;
• Accounts receivable; and,
• Capital assets.

The audit covered transaction processing activities for fiscal year 2013-14. The Internal Control Division (ICD) within CFOB performed and documented testing of Health Canada’s processes for part of the year 2013-14. Following an examination and assessment of the methodology and testing documentation performed by ICD, the audit team decided to rely on some of their tests results.

The audit coverage included controls exercised in the National Capital Region and other regions. The controls tested were predominantly within CFOB, but the audit also reviewed the control activities that fell under the responsibility of the offices of secondary interest.

The audit focused on the same significant classes of transactions and key controls that were reviewed and assessed in year 3, when applicable.

4. Audit approach

This audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing.

The audit included an analysis of financial statement data; the identification of the significant classes of transactions; a review of key business process flowcharts and control matrices; and discussions with management regarding significant changes in business processes.

In assessing the effectiveness of key financial controls, the audit included interviews with Health Canada employees, the review of documentation (for example, departmental policies and procedures, relevant documentation in support of financial transactions), observation of key processes and controls and an analysis of financial and non-financial data using computer-assisted audit techniques and tools.

Where possible, reliance was placed on work performed by other parties, such as CFOB’s ICD, to support the Statement of Management Responsibility Including Internal Controls over Financial Reporting, as well as internal audits recently conducted by the Portfolio Audit and Accountability Bureau (PAAB), such as the Audit of the Non-Insured Health Benefits – Medical Supplies and Equipment, Vision Care and Mental Health, tabled at the Health Canada Departmental Audit Committee in March 2014. PAAB is also currently completing the Audit of Procurement and Contracting in fiscal year 2014-15.

5. Statement of conformance

In the professional judgment of the Chief Audit Executive, sufficient and appropriate procedures were performed and evidence gathered to support the accuracy of the audit conclusion. The audit findings and conclusion are based on a comparison of the conditions that existed as of the date of the audit, against established criteria that were agreed upon with management. Further, the evidence was gathered in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing. The audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program.

B - Findings, recommendations and management responses

1. Progress made on the previous years’ recommendations

1.1 Progress made on the previous years’ recommendations

Audit criterion: Progress is made on the previous year’s recommendations.

There were no new recommendations in the 2013 Audit of Key Financial Controls (KFC). The audit followed-up on the outstanding recommendations issued in the 2011 and 2012 KFC audits. During fiscal year 2013-14, management has fully implemented the ten committed actions for these recommendations.

Audit of Key Financial Controls (Year 1)

Delegation of financial signing authorities (recommendation 1)

Management revised the departure process and form, which now includes verification that specimen signature cards are cancelled when an employee leaves the Department. The management’s action plan for this recommendation has now been fully implemented.

Accounts receivable for grants and contributions (recommendation 5)

The Chief Financial Officer Branch (CFOB) has updated the Accounts Receivable Policy and the related roles and responsibilities and procedures. The First Nations and Inuit Health Branch’s (FNIHB) procedure and guideline documents have been updated accordingly. The management’s action plan for this recommendation has now been fully implemented.

Audit of Key Financial Controls (Year 2)

System access and segregation of duties (recommendation 1)

All accounting transactions are now being processed by the Eastern and Western Accounting Hubs. The Hub service delivery structure allows CFOB to maintain a segregation of duties by ensuring that the separation exists on a functional basis. Management’s action plan for this recommendation has now been fully implemented.

Risk assessment for grants and contributions (recommendation 2)

As part of the Department’s grants and contributions (G&C) initiative, which includes the implementation of a new system, CFOB led a working group to revise and clarify the roles and responsibilities of the various stakeholders in the G&C process. This resulted in confirmation that it is the program’s responsibility to perform the quality assurance, including the verification that the payment schedule is in accordance with the Risk Tolerance Strategy. This was approved and communicated by the Chief Financial Officer (CFO) and the program assistant deputy ministers (ADM). Management’s action plan for this recommendation has now been fully implemented.

2. Select key financial controls common to all classes of transactions

2.1 Delegation of financial signing authorities

Audit criterion: Controls over the maintenance of specimen signature cards ensure that delegations of financial signing authorities are valid.

Certification under Section 34 of the Financial Administration Act (FAA) requires account verification of all expenditures processed at the Department. Such certification aims to provide assurance over the validity and accuracy of transactions by certifying that goods and services were received or that a grant or contribution recipient is eligible for payment.

Financial signing authority is delegated to various management levels throughout the Department, including to the cost centre manager (CCM) and administrator level, by the Minister and the Deputy Head. These authorities are then granted to employees at various management levels by creating and activating specimen signature cards, which are maintained in a Lotus Notes database used to authenticate whether an employee has a valid delegation of financial signing authority. In January 2014, the Department began using SAP as the tool for authorizing, approving and storing specimen signature cards. There were approximately 2,100^{Footnote 1} active signature cards in the database as of March 2014.

Certification under FAA Section 33 (payment authority) ensures that payments are subject to authorized requisitions, are lawful charges against the appropriation and are within the appropriations level. This requires that appropriate processes and controls be in place to verify accounts under FAA Section 34, as stated in the Department’s delegation of financial signing authorities document. Section 33 of the FAA relies on the specimen signature cards to substantiate whether an employee has a valid Section 34 delegation of financial signing authority. Consequently, it is essential that the controls over the creation and activation of specimen signature cards operate effectively, to comply with the FAA and central agency policy instruments and prevent unauthorized expenditures.

Activation of specimen signature cards

As of January 2014, the creation of specimen signature cards is facilitated through SAP. This change will enable the online validation of cost centre information and will reduce errors associated with a manual review. A sample of 30 cards was tested to determine if the officers responsible for activating the cards had verified their validity (for example, approved by a supervisor with delegated authority, mandatory training had been taken and issued to an eligible the Department employee). Test results indicated that two cards were approved by supervisors who did not have delegated authority for all the cost centres identified in the employee’s card, and one instance where the card was activated prior to the CCM approval. These cards were activated prior to the transition to SAP. No issues were identified with cards created after the transition to SAP. While some exceptions were noted, the new process now in place addresses the issues noted. Therefore, no recommendation will be made.

Termination of specimen signature cards

An employee’s specimen signature card may be terminated for two reasons: the employee’s responsibilities have changed or the employee has left the Department. In the first circumstance, the signature card is edited to reflect the new responsibilities, provided the employee retains financial signing authority. In the second circumstance, the signature card is simply cancelled.

Since the financial officers rely on the accuracy of the specimen signature card database when conducting FAA Section 33 certification, the termination of signature cards needs to be completed in a timely manner.

In year 1 of this recurring audit, it was recommended that the Chief Financial Officer (CFO) ensure that specimen signature cards are terminated in a timely manner. In response, management has implemented a quarterly review of specimen signature cards, in addition to the existing annual review. As well, the mandatory departure process and form (as of February 2014) now includes verification that specimen signature cards are cancelled when an employee leaves the Department.

Using computer-assisted audit techniques, the auditors assessed the accuracy of the database throughout the year by analysing the timeliness of the termination of specimen signature cards for departed employees. The analysis showed that improvements have been made. Overall, 53% of the cards for terminated employees were not cancelled at the employee’s departure. This rate is an improvement over previous years. Furthermore, 19 of the cards (that is, approximately 21%) had still not been terminated 90 days after the employees’ departure dates.

Overall, controls over the maintenance of specimen signature cards are adequate. While timeliness of the termination of specimen signature cards requires improvement, the new mandatory departure process is expected to address this issue.

2.2 Quality assurance process over Financial Administration Act Section 34 certification

Audit criterion: Quality assurance performed over Financial Administration Act Section 34 certification is effective.

In accordance with the Treasury Board (TB) Directive on Account Verification, when exercising payment authority for payments pursuant to Section 33 of the Financial Administration Act (FAA), Health Canada employs a risk-based approach in performing the quality assurance review over FAA Section 34 account verification process. A well-functioning quality assurance process ensures that a high standard of integrity and accountability is maintained in the spending of public money and supports sound stewardship of financial resources.

The quality assurance process aims at ensuring that the FAA Section 34 certification is properly and consistently performed. This provides assurance that transactions are valid, accurate and properly authorized. For high-risk transactions, it acts as a main control to ensure that the transactions are accurate and valid and that errors (if detected) are corrected prior to payment. For low-risk transactions, the quarterly sampling results provide insight into the effectiveness of the FAA Section 34 certification and, if necessary, action plans can be developed. For both types of transactions, errors are corrected where deemed necessary. See Appendix D for the risk profile of transactions.

Fiscal year 2013-14 was a period of change for the Financial Operations Directorate (FOD), the unit responsible for conducting the quality assurance over FAA Section 34 account verification. The changes include completion of the transition to two accounting hubs and the implementation of SAP Procure to Pay (P2P) for commercial invoice processing.

As illustrated in Diagram 1, all transactions undergo a minimum quality assurance, which focuses on verifying the appropriateness of FAA Section 34 authorization, the financial coding and vendor information. The implementation of SAP-P2P has automated the verification of FAA Section 34 authorization for commercial invoices. Minimum quality assurance reviews for payment requests related to contribution agreements are still being conducted manually. A risk profile (low or high) is then assigned, based on the nature and value of the transactions, through a “gating” process.

Source: Health Canada’s Statistical Sampling Training Guide (2009-10)

Transactions deemed as high-risk undergo full quality assurance prior to payment. This includes verifying whether the backup documentation provided supports the payment request, whether the financial coding is appropriate, that claimed amounts are in accordance with the corresponding contract or funding agreement, and that procurement documents and payment requests comply with TB and departmental policies.

Those identified as low-risk are paid immediately after a minimal quality assurance is performed; however, they may be subject to a full quality assurance through quarterly statistical sampling. This process is referred to as the post-payment quality assurance process.

Errors identified through quality assurance that call into question the validity of the payment request must be followed-up and corrected, such as inappropriate FAA Section 34 financial signing authority or an invoice price that is not in accordance with the contract/funding agreement.

Table 1 provides a breakdown by risk profile of the transactions recorded in fiscal year 2013‑14. It demonstrates that even though the proportion of high-risk transactions was 4% of the total population in terms of number, these transactions represented 85% of the total dollar value.

Quality assurance over FAA Section 34 account verification encompasses most payment transactions, including grants and contributions, accounts payable, travel claims, honoraria, acquisition cards, etc. However, it does not cover salary and wage expenditures, since they are subject to a different quality assurance process discussed in Section 3.2 of this report.

The main aspects of the quality assurance process include:

• the gating of transactions;
• the identification of errors in account verification;
• the logging of results of the quality assurance review; and,
• the quality assurance or statistical sampling on low-risk transactions.

Gating of transactions for the quality assurance process

The gating of transactions is an important aspect of the quality assurance process. It determines whether a transaction is low risk or high risk, thereby determining the level of quality assurance (minimum or full) to be performed prior to payment. The audit tests determined that the gating of transactions is working effectively.

Identification of errors in account verification

The quality assurance review entails verification that FAA Section 34 account verification has been performed properly. This process provides evidence on the effectiveness of FAA Section 34 account verification.

The audit tested a random sample of 30 transactions recorded in fiscal year 2013-14. The audit noted four instances where the individual certifying under FAA Section 34 did not have the authorization for the cost centre. The results indicated that the quality assurance function could be improved.

In addition, there were nine instances where supporting documentation could not be found at the time of the audit. Auditors rely on these documents to support account balances and transactions. Therefore, the auditors were not able to assess the effectiveness of the quality assurance review for those transactions. This issue was also noted by the Internal Control Division (ICD) in its work. This is primarily the result of the transition from regional accounting offices to the two accounting hubs. In the Statement of Management Responsibility including Internal Control over Financial Reporting, management indicated that operating practices for the safeguarding of supporting documents are being clarified and standard practices are being improved to assist with the performance of the quality assurance process on payments.

Logging of results of the quality assurance review

Health Canada’s Statistical Sampling Training Guide requires that all errors identified during the quality assurance review for both low- and high-risk transactions be logged in SAP. This is regarded as the most significant output of the quality assurance process, because it provides the necessary data to report on the overall adequacy and reliability of the account verification process and allows management to develop corrective actions where necessary, in line with the TB Directive on Account Verification.

In year 1, the audit noted that not all errors were being recorded, as required.  In response, actions were committed and implemented by management. The current audit found that, for the sample of 30 transactions reviewed, there were three instances where not all of the errors identified by the quality assurance reviewer had been logged in SAP. This reduces the accuracy of the information presented to management.

Quality assurance of low-risk transactions

As noted earlier, all low-risk transactions undergo minimum quality assurance prior to payment. In addition, a sample of these transactions is selected on a quarterly basis, to undergo full quality assurance. CFOB analyses errors and develops the action plans. The Shared Services Partnership’s (SSP) Statistical Sampling Framework provides guidance on corrective actions and follow-up activities (see Appendix E).

The audit examined the results of the statistical sampling on low-risk transactions for all quarters of fiscal year 2013-14. The results indicated that 78 out of 836 transactions sampled were identified with critical errors, which indicates that controls over low-risk transaction are not operating effectively. Additional analysis of the results showed that nearly half of the errors were attributed to acquisition card transactions.

Management has developed action plans to address the errors on acquisition card purchases, including communications to cardholders and cost centre managers, reminding them of their responsibilities. Starting in fiscal year 2014-15, quarterly samples of acquisition card transactions will be taken separately from other low-risk payments. Based on the planned actions, no recommendation will be made.

In conclusion, while some exceptions were noted, select key financial controls related to quality assurance over the FAA Section 34 certification process were generally operating effectively. Actions are being taken to reduce the acquisition card transactions errors.

2.3 FAA Section 33 certification

Audit criterion: Certification under Financial Administration Act Section 33 is performed, and an appropriate segregation of duties exists with Financial Administration Act Section 34 certification.

The authority to request payments in accordance with Section 33 of the FAA is referred to as payment authority. Pursuant to this section, a financial officer with delegated payment authority must ensure that:

• FAA Section 34 is properly exercised by validating that the Section 34 signatory has a valid delegated authority to authorize the expense and that there is auditable evidence that the quality assurance over the adequacy of the Section 34 account verification has taken place; and,
• Expenditures are a lawful charge against the appropriation.

The FAA Section 33 payment authorization performed by financial officers is a key control to ensure the accuracy and legality of transactions.

The auditors evaluated the performance of the FAA Section 33 certification using the sample of transactions selected for the quality assurance review and concluded that certification under FAA Section 33 is performed and an appropriate segregation of duties exists with FAA Section 34 certification.

2.4 Management review of expenditures and commitments

Audit criterion: Cost centre managers review commitments and expenditures recorded in SAP for completeness, validity and accuracy.

Health Canada’s Policy on Budget Management, which is part of the departmental Budget Management Framework, requires that cost centre managers be accountable and responsible for their assigned budgets. This includes the effective stewardship and control over budgets and commitments and the monitoring of surpluses/deficits and forecasts on an ongoing basis.

Cost centre managers, with the support of branch financial management advisors (in the National Capital Region) and regional financial management advisors (in other regions), are required at month-end to review expenses charged to their cost centres through the Department’s management variance reporting (MVR) process. The activity entails a review of the validity, accuracy and completeness of expenses. CFOB is responsible for ensuring that the month-end MVR exercise is adequately conducted and documented through a challenge function. This process is considered a key control over financial reporting.

In conclusion, cost centre managers reviewed commitments and expenditures recorded in SAP for completeness, validity and accuracy.

2.5 Accrued liabilities at year-end

Audit criterion: Financial management advisors review and challenge the completeness, validity and accuracy of transactions payable at year-end.

As per the TB Policy on Payables at Year-End (PAYEs), departments and agencies must identify and quantify liabilities to outside organizations and individuals resulting from operations up to and including March 31^st in each fiscal year. In the absence of certainty, estimates must be used to determine the amounts of liabilities, as long as reasonably accurate values can be assigned.

As per the departmental year-end procedures, cost centre managers and administrators must submit PAYE requests for goods and services of value greater than or equal to $1,000 (except for salary-related items, where the minimum threshold is $400, for interdepartmental settlements, where there is no threshold, and for grants and contributions, where there is no minimum threshold), for which an invoice has not been received or when account payables or payments cannot be recorded by the required cut-off date.

In addition, financial management advisors are responsible for reviewing and challenging PAYE requests to ensure that the appropriate supporting documentation is provided to support a valid liability. For fiscal year 2013-14, PAYEs amounted to $132 million, compared to $153 million in 2012-13 and $132 million for fiscal year 2011-12.

The audit tested the review and challenge function exercised over both PAYEs related to the previous fiscal year that had yet to be cleared and PAYEs recorded as part of the 2013-14 year-end procedures. Sufficient evidence was provided to demonstrate adequate management oversight for both types of transactions at the departmental level.

In conclusion, the financial management advisors reviewed and challenged the completeness, validity and accuracy of transactions payable at year-end.

2.6 System access and segregation of duties

Audit criterion: Access to SAP is restricted and the segregation of duties is enforced.

The segregation of duties is a key concept in internal control that mitigates the occurrence of fraud and errors. An example of incompatible duties that must be segregated is the maintenance of vendor master files and the recording of purchase orders. Prior to granting or modifying access, CFOB performs tests to ensure that users do not receive access to incompatible functions. In addition, in the Corporate Services Branch (CSB), Information Management Services Directorate (IMSD) conducts tests to monitor the segregation of duties on a semi-annual basis. In order to monitor the segregation of duties in the departmental financial system, Health Canada follows tests that have been standardized across the federal government. These tests are based on a matrix of critical functions that rate risk as low, medium or high.

In 2012, the KFC year 2 audit recommended that the CFO, in collaboration with the Assistant Deputy Minister, CSB ensure that an appropriate segregation of duties is enforced and that the monitoring of the segregation of duties in SAP is performed according to the established monitoring schedule. In response, actions were committed and measures were put in place to ensure the segregation of duties. All accounting transactions are now being processed by the Eastern and Western Accounting Hubs. The hub service delivery model allows CFOB to maintain a segregation of duties by ensuring that the separation exists on a functional basis. Management’s action plan for this recommendation has now been fully implemented.

In fiscal year 2013-14, the migration of Accounting Operations to two accounting hubs was implemented in phases, to allow for business process redesign and change management activities. In addition, a new travel system was implemented, which resulted in changes to business processes and the security access required by end-users. Fiscal year 2013-14 was a transition year, with the implementation of business process changes and system enhancements.

The auditors tested the segregation of duties to determine whether individuals had access to incompatible functions. The results indicated that some CFOB users had access to incompatible duties at some point during the fiscal year, as described in Table 2.

This finding is explained by the phased migration strategy of Accounting Operations and the implementation of the new travel system. Management indicated that further actions will be taken to review security roles and to ensure alignment of business processes, and additional monitoring will be performed.

In conclusion, management is strengthening access controls to SAP.

Recommendation 1

It is recommended that the Chief Financial Officer review and strengthen access controls to the departmental financial system, to ensure that mutually exclusive roles cannot be assigned to a single user.

Management response

2.7 Journal entry review

Audit criterion: Journal entries are reviewed by a second person and accompanied by appropriate supporting documentation.

At the time of the audit, a policy incorporating journal voucher requirements had yet to be approved. However, FOD issued a publication on March 22, 2013, advising of the requirement for more stringent verification controls for routine and non-routine journal vouchers, and announcing that a policy on journal vouchers would be forthcoming.

In its publication, FOD indicated that:

“…Journal Vouchers (JVs) are one of the methods of making adjustments to accounts in SAP, and must be properly controlled to ensure that financial information accurately reflects the activities of the department. As part of the ongoing testing of financial processes, gaps in controls have been identified. These gaps must be successfully addressed in order to have auditable Financial Statements. One of the deficiencies noted has been in the area of verification controls for routine and non-routine journal vouchers.

A JV request must include:

• the journal voucher request form;
• a source document such as a copy or screen-print of the SAP Detailed Expenditure (100) Report and/or other supporting documentation;
• a description / reason for the JV; and
• approval by the responsible financial manager(s).”

As in fiscal year 2012-13, journal voucher forms are rarely used. The audit found occasions where there were no signs of review by a second person, that is to say the responsible financial manager. This is consistent with the work performed by the ICD, which also noted a lack of verification of journal vouchers.

The weaknesses in the internal controls surrounding JVs could lead to potential material financial reporting misstatement. The MVR process is a compensating control, but it is still expected that JVs will be entered, reviewed and documented appropriately.

In conclusion, no recommendation will be made, since CFOB is in the process of adopting a formal standard for JVs, to clarify the requirements for supporting documentation and review.

3. Select key financial controls specific to classes of transactions

3.1 Grant and contribution agreements

Audit criterion: Reconciliation of payment requests from the Management of Contracts and Contributions System (MCCS) to SAP is performed. Contribution agreements are reviewed and closed out to ensure that receivables arising from overpayment are recorded.

Agreement/recipient risk assessments

Since 2010, programs are required to use the Enterprise Risk Management – Agreement/Recipient Risk Assessment Tool (ERM-ARRAT), which is designed to assess and manage the risks associated with recipients and with funding agreements. This tool is to be used to assess risks annually for all funding agreements, as well as to reassess risks for existing multi-year agreements.

The recipient’s risk rating profile determines the risk tolerance strategy, which includes risk mitigating activities such as determining the amount of advance payments, establishing applicable holdbacks and monitoring activities. This means that recipients with the highest risk are subject to a lower advance payment, a maximum holdback on the final payment and an increase in reporting requirements. Conversely, recipients with a low risk can benefit from a higher advance payment, a minimum holdback and a decrease in reporting requirements.

Prior to the approval of the funding agreement and FAA Section 32 spending authority, program officers are responsible for ensuring that a risk assessment has been conducted and that advance payments and applicable holdbacks are in accordance with the established risk tolerance strategy.

In 2012, the Audit of Key Financial Controls - Year2 recommended that the CFO ensure that the results of the annual risk assessments are properly reflected in the agreements put forward to support grants and contributions payments.

As part of the Department’s G&C initiative, which includes the implementation of a new system, CFOB led a working group to revise and clarify the roles and responsibilities of the various stakeholders in the G&C process. This resulted in confirmation that the responsibility for performing the quality assurance, including the verification that the payment schedule is in accordance with the Risk Tolerance Strategy, is a program responsibility. This was approved and communicated by the CFO and the program ADMs. Management’s action plan for this recommendation has now been fully implemented.

The audit examined a sample of 30 agreements to determine if the risk assessments had been completed using the ERM-ARRAT or attached to the Management of Contracts and Contributions System (MCCS). The audit found that the risk assessments were completed using the ERM-ARRAT or attached to the MCCS.  Management has indicated that the new Grants and Contributions Information Management System (GCIMS) will have controls to prevent the issuing of agreements without proper risk assessments.

Reconciliation of payment transactions between the grants and contributions systems and the departmental financial system

Grants and contributions payment requests are initiated in the MCCS and the Lotus Notes Grants and Contributions Database. The MCCS is used by the FNIHB programs, while the Lotus Notes database is used by other branches. Reconciliations between these systems and SAP contribute to providing assurance that grants and contributions agreement expenditures are complete and accurate.

Monthly reconciliations of both the MCCS and the Lotus Notes database to SAP are prepared in the National Capital Region by CFOB. The resulting variances are sent to regional/branch senior financial officers for comment and sign-off. These monthly reconciliations provide assurance that the transmission of grants and contributions expenditures is complete and accurate.

The audit reviewed three months of fiscal year 2013-14 and found that the reconciliations had been prepared and reviewed for both systems.

Review and close-out of contributions agreements

The review and close-out of contribution agreements are necessary to ensure that all the terms and conditions have been met and that receivables arising from overpayment are recorded in the departmental financial system and collected, as required. The timely close-out and the communication of results to Finance are necessary to ensure the completeness and accuracy of the Department’s financial information, and specifically accounts receivable.

The 2011 Audit of Key Financial Controls found that in some regions, no formal contribution agreement closure process existed, with the risk of having some outstanding receivables not being recorded and collected. A recommendation was made to address this issue (see Section 3.7).

The audit found that the review and close-out of contribution agreements was generally operating effectively.

In conclusion, the reconciliation of payment requests from the MCCS to SAP were performed, and actions have been taken to address the review and close-out of contribution agreements to ensure that receivables arising from overpayment were recorded.

3.2 Salary and wage expenses

Audit criterion: Compensation verifiers review payroll registers to confirm the accuracy of payroll transactions.

Compensation verifier review of pay registers

According to the TB Directive on Financial Management of Pay Administration and Guideline on Common Financial Management Business Process for Pay Administration, responsibilities for FAA Section 34 certification are to be shared between cost centre managers, compensation advisors and compensation verifiers at different stages of the pay administration cycle. The financial controls over pay administration are common for both the Department and the Public Health Agency of Canada under the Shared Services Partnership (SSP).

Since October 2013, pay account files and the payroll function have been gradually transferred to Public Works and Government Services Canada (PWGSC)’s Pay Centre. It is anticipated that all Health Canada pay account files will be transferred to PWGSC by October 2015.

Until the transfer of pay account files is completed, Health Canada’s pay administration is under the responsibility of Corporate Services Branch, Human Resource Services Directorate (CSB-HRSD), and includes compensation advisors and verifiers. Compensation advisors are responsible for the accuracy of pay input through FAA Section 34 certification. Compensation verifiers are responsible for reviewing the payroll registers and individual salary payments, as part of a quality assurance process. This review is the final opportunity to confirm the accuracy of payroll transactions prior to payment.

The current audit reviewed employee pay transactions against payroll registers and other output reports for fiscal year 2013-14, to determine whether verification was performed on the accuracy of payroll transactions. The audit found that the pay verification to confirm accuracy of payroll transactions was appropriately performed.

FAA Section 33 quality assurance review

The TB Policy on Internal Control states that the CFO is responsible for establishing and maintaining a system of internal control that is monitored and reviewed and for ensuring that timely corrective measures are taken when issues are identified. This includes a quality assurance review, which provides assurance on the adequacy and reliability of the account verification process.

The TB Directive on Account Verification states that: “Financial officers are responsible for ensuring that payments and interdepartmental settlements are verified when exercising payment authority for payments pursuant to section 33 of the Financial Administration Act.” The Directive further states that: “although account verification is normally performed prior to payment, completing account verification after the payment has been made is permitted in certain situations.”

FAA Section 33 post-payment quality assurance or account verification for payroll transactions is the responsibility of financial officers under CFOB. Since pay administration is under the responsibility of CSB-HRSD in the SSP, the task of performing a quality assurance review or account verification is conducted by CSB-HRSD and the results are shared with CFOB, to provide assurance on the adequacy and reliability of the account verification process.

In the context of pay transactions, the audit reviewed the Compensation Monitoring Framework, which was updated earlier this year. The framework includes cyclical and on-site monitoring activities that are aimed at providing assurance that controls are effective. The Audit of Key Financial Controls – Year 3 found that the monitoring activities were not completed until December 2013. The audit found no evidence that CSB-HRSD conducted monitoring activities of salary payments for fiscal year 2013-14.

Performing this control activity and sharing the results with CFOB is important because it serves to complete the FAA Section 33 payment authorization process, by validating that pay transactions are lawful, accurate and properly authorized. CFOB’s certification of salary payments under FAA Section 33 is only partially complete without the performance of CSB-HRSD’s quality assurance post-payment verification. The lack of post-payment verification increases the risk of undetected unlawful payments and financial reporting misstatements.

The responsibility of conducting quality assurance procedures on pay transactions will be assumed by PWGSC once pay administration functions have been transferred. However, quality assurance procedures for the period leading up to the transfer of the pay account files should continue to be performed by CSB-HRSD and to be reported to CFOB.

The audit found that the pay verification to confirm the accuracy of payroll transactions was appropriately performed; however, the audit found no evidence of salary payments monitoring, as described in the Compensation Monitoring Framework.

Recommendation 2

It is recommended that the Assistant Deputy Minister, Corporate Services Branch, conduct cyclical and ongoing monitoring activities for salary payments and report to the Financial Operations Directorate, as described in the Compensation Monitoring Framework.

Management response

3.3 Non-insured health benefits

Audit criterion: Non-insured health benefits claims are reconciled with Health Information Claim Processing System (HICPS) funding requests. The external auditor’s report on the adequacy of the service provider’s controls is obtained and reviewed by management.

The Non-Insured Health Benefits (NIHB) Program provides eligible First Nations and Inuit populations in Canada with coverage for a limited range of medically necessary health-related goods and services that are not provided through private insurance plans, provincial/territorial health or social programs, or other publicly funded programs. This includes pharmacy, dental, vision, mental health, medical supplies and equipment, medical transportation, provincial health premiums and other health care benefits. During fiscal year 2013-14, approximately $905 million was spent on non-insured health benefits.

Reconciliation of NIHB claims processed in the Health Information Claims Processing System with funding requests

Dental, pharmacy and medical supplies and equipment claims, which account for a significant part of all non-insured health benefits expenditures, are mostly processed and paid by an external service provider through the Health Information Claim Processing System (HICPS). The service provider summarises the claims processed and submits a claim for reimbursement. These claims are analysed and reconciled with information found in the HICPS and approved for payment (FAA Section 34). Claims are then forwarded to CFOB for FAA Section 33 certification and the payment is processed accordingly. These analyses and reconciliations are key controls aimed at ensuring that non-insured health benefits expenses are accurately recorded and processed, in compliance with FAA requirements. These and other procedures and controls are documented for reference in the NIHB HICPS financial control framework. The audit concluded that the procedures and controls regarding non-insured health benefits expenditures processed through HICPS are applied effectively.

Review of the external audit report over HICPS claim processing

Health Canada obtains an annual audit report from the service provider. The corresponding audit is carried out by external auditors and provides assurance that the service provider’s controls are appropriately designed and operating effectively in a manner that ensures the validity, completeness and accuracy of the claims processed. As in previous years, an unqualified opinion was issued by the external auditors for fiscal year 2013-14. NIHB Program management indicated their acceptance of the audit report.

In conclusion, non-insured health benefits claims were reconciled with Health Information Claim Processing System (HICPS) funding requests, and an external auditor’s report on the adequacy of the service provider’s controls was obtained and reviewed by management. These actions provide assurance that controls specific to the processing of non-insured health benefits were operating effectively.

3.4 Purchase of goods and services

Audit criterion: Purchase orders over $10,000 are reviewed for accuracy, completeness and validity.

Review of contracts over $10,000

In 2013, the Department implemented a procurement service delivery model that includes the implementation of new SAP Procure-to-Pay (P2P) technology. This new technology provides for electronic approvals of procurement transactions, and has enabled the centralization of the procurement and contracting functions to two hubs, Winnipeg and Ottawa.

Under the new process, all contractual proposals for the procurement of goods and services are reviewed and/or prepared by procurement specialists. This helps to ensure that contractual documents are in accordance with Government Contracts Regulations, relevant policies and departmental delegation of financial authorities, and that an appropriate procurement vehicle is used. This review also provides assurance of the validity and accuracy of purchases of goods and services over $10,000.

Some high-complexity/high-sensitivity requirements will need approval by the departmental review committee, based on a two-tier governance model:

• Tier I – New Contract and Requisition Control Committee (CRCC) model.
  • Chaired by the responsible PG-05 managers and supported by subject matter experts, on an ‘as needed’ basis, such as a financial resource or legal and human resources expert.
• Tier II – the Shared Services Contract Review Committee (SS-CRC) providing oversight.
  • Chaired by senior management at the Department.
  • To complement and support Tier I, the SS-CRC will review and recommend for approval any contracts that are particularly complex or deviate from policies and regulations.

In conclusion, purchase orders over $10,000 were reviewed for accuracy, completeness and validity. The audit found that the review of purchase orders over $10,000 was generally operating effectively.

3.5 Acquisition card purchases

Audit criterion: Monitoring of monthly acquisition card reconciliations and quality assurance reviews of acquisition card transactions are performed.

Official reconciliation report

Acquisition card purchases are paid prior to the reconciliation of purchases by the cardholder and FAA Section 34 certification, as permitted under the TB Directive on Account Verification. To provide assurance over the accuracy and completeness of acquisition card purchases, cardholders are responsible for completing transaction reconciliations to their statement of accounts. CFOB monitors these reconciliations to ensure that they are adequately completed. Interviews conducted with CFOB and the documentation review provided evidence that this oversight role is adequately fulfilled. However, it was observed that nearly half of the reconciliation reports were submitted to finance after the due date. In addition, there were 104 instances where the reconciliation reports had not been completed at the time of the audit. This means that for these instances, FAA Section 34 certification has not been performed. While the amounts for these purchases were not material for financial statement purposes, it is an indication that controls over the official reconciliation reports need to be strengthened. At the time of the audit, management indicated that new measures have been implemented for coming year to ensure that all reconciliation reports are completed. Starting in fiscal year 2014-15, the process for following up on outstanding reconciliation reports will include more timely reminders to acquisition cardholders and the cost centre managers responsible for performing FAA Section 34 certification. If the reconciliation reports are not provided to Accounting Operations after the reminders, the acquisition card may be cancelled. Therefore no recommendation will be made.

Quality assurance over acquisition cards

In addition to the monitoring of monthly reconciliations, financial officers conduct quality assurance reviews of acquisition card transactions. All transactions are subject to a minimal quality assurance procedure to ensure that all items included on a statement are reconciled in SAP and that FAA Section 34 is appropriately documented. High-risk transactions undergo a full quality assurance review, while lower-risk transactions are subject to a full quality assurance on a sample basis. This sample of lower-risk transactions has been included as part of the statistical sampling exercise through the use of SAP, as is the case for accounts payable transactions. Through this review, selected transactions are examined for appropriate supporting documentation and sign-off. Errors identified through this review are recorded.

The audit tested a sample of 30 monthly statements, including transactions that have undergone a full quality assurance to determine whether it was performed adequately and appropriately. No significant errors were identified as a result of this review. While the audit noted timeliness of reconciliation reports as an issue, overall, the reconciliation of payments to acquisition card transactions and the quality assurance review were operating effectively.

3.6 Drug submissions and evaluation revenues

Audit criterion: Billing information from the Drug Submission Tracking System (DSTS) is reconciled with invoices from SAP.

Drug submission and evaluation fees are tracked in the Drug Submission Tracking System (DSTS), which is operated by the Health Products and Food Branch (HPFB) and is outside of SAP. As there is currently no interface between DSTS and SAP, DSTS data has to be input manually in the financial system. The absence of an interface also requires the regular reconciliation of the amounts recorded in the two systems to ensure accuracy and completeness. In fiscal year 2013-14, re-spendable revenue amounted to $259 million, with drug submission and evaluation fees accounting for $30 million.

On a monthly basis, the designated individual in CFOB reconciles invoiced amounts in the invoicing system (DSTS) against SAP to ensure the completeness and accuracy of the revenues recorded in SAP. In the current year, a sample of reconciliations was tested and it was found that the reconciliations performed were adequately designed and operating effectively.

In conclusion, tests conducted on fee revenues demonstrated that the manual transfers and reconciliation activities were performed adequately.

3.7 Accounts receivable

Audit criterion: Suspense and clearing accounts are monitored and cleared.

The Health Canada’s Policy on Receivables Management and Charging Interest on Overdue Accounts requires that all receivable transactions be invoiced recorded and reported accurately and promptly. Failure to do so can result in receivables not being collected and inaccurate financial reporting. One of the most significant sources of accounts receivable comes from the closing of contribution agreements.

MCCS reports are compared to accounts receivable in SAP. The current audit found that all receivable amounts tested in MCCS were found in SAP.

In year 1 of this recurring audit, it was recommended that coordination be improved between accounting offices and contribution programs to ensure that all receivables, including those resulting from close-outs of contribution agreements, be recorded in the departmental financial system in an accurate and timely manner. The management’s action plan for this recommendation has now been fully implemented.

Since fiscal year 2012-13, CFOB has implemented measures to improve the accuracy of the accounts receivables recorded in the departmental financial system. These measures include estimates of the receivable amounts resulting from contribution agreements from branch/region financial management advisors (B/RFMA) at year-end. The audit examined the estimates provided by the B/RFMAs and no errors were noted.

In conclusion, receivables resulting from the close-out of contribution agreements are recorded in the departmental financial system.

Monitoring and reconciliation of suspense and clearing accounts

CFOB performs the monitoring and reconciliations of various suspense and clearing accounts, including deposits, petty cash and interdepartmental settlements.

These reconciliations are generally performed on a monthly basis, but the frequency of the reconciliation may be different, depending on the nature of the account or the volume of activity. Discrepancies and variances identified through the reconciliation process are raised with cost centres. Regular monitoring and the clearing of suspense accounts help to ensure the accuracy of financial information.

Evidence was obtained to support that reconciliations were performed on a regular basis and that account balances were verified.

Overall, the suspense and clearing accounts were monitored and cleared.

3.8 Capital assets

Audit criterion: Controls over the conduct of an annual Capital Assets Review are operating effectively to ensure that the capital assets are well-managed and properly accounted for.

Health Canada’s Asset Management Policy Framework defines capital assets as assets with a useful life greater than one year and a per-item cost of $10,000 or greater. The Department holds a variety of capital assets including buildings, machinery, equipment and vehicles. As per the Department’s financial statements, the value of these assets (net of accumulated amortization and impairment losses) amounted to $140 million as of March 31, 2013 and $129 million as of March 31, 2014. Due to the significance of this amount, regular reviews of the capital asset inventory are needed to ensure the accuracy of the information found in the financial statements.

Physical count of capital assets

Since 2009, CFOB has conducted an annual review of its capital asset inventory aimed at ensuring that Health Canada's capital assets are well-managed and properly accounted for. Once the review is complete, the necessary changes or adjustments are made in the departmental financial system. Since 2012, in addition to asking the CCMs to verify asset existence and completeness, the Materiel and Assets Management Division also performed physical count verification procedures on all high-dollar value items, as well as a sample of other assets for quality assurance.

The auditors reviewed the reports produced as part of the annual review exercise, as well as the quality assurance procedures to ascertain whether appropriate actions were taken to address the issues raised in the reports. The review showed that management is making progress in addressing the issues, such as assets with inaccurate cost centre number or cost centre manager name information.

In conclusion, controls over the conduct of an annual Capital Assets Review were operating effectively.

C - Conclusion

The audit concluded that the Department’s internal controls over financial reporting are generally operating effectively to mitigate the risk of material misstatement. The majority of the common and specific key controls were generally operating effectively. The audit also found that previous years’ recommendations were fully implemented.

The common key controls are those found across the most significant classes of transactions. Six of the seven controls were generally operating effectively. The audit observed that improvement is required to strengthen access controls to SAP, to ensure that mutually exclusive roles cannot be assigned to a single user.

The specific controls supplement the common key controls. Nine of the ten controls were generally operating effectively. The audit also noted that the monitoring of salary payments needs to be conducted, as described in the Compensation Monitoring Framework.

Management agrees with the two recommendations presented in the report and has provided an action plan that will improve the effectiveness of the Department’s internal controls over financial reporting.

Appendix A – Specific lines of enquiry and criteria

Appendix B – Scorecard

Appendix C - Health Canada’s internal control over financial reporting framework

Appendix D – Risk profile of transactions

Source of information: Shared Services Partnership’s Statistical Sampling Framework.

Appendix E – Corrective actions and follow-up activities

The Treasury Board Directive on Account Verification notes that financial officers are responsible for requesting corrective action when critical errors are identified during the quality assurance process for payment authority. Based on the results of the sampling period, accounting offices will take immediate corrective actions and may also determine that an action plan for follow-up be developed.

Corrective actions

All critical errors identified during the pre- and post-payment process must be corrected by the accounting office, and the Section 34 manager must be informed of the error. A critical error is an error serious enough to require that the payment not be/should not have been made, for example:

• Section 34 is not signed by an authorized officer for the cost centre.
• Back-up documentation does not support the payment.
• The amount of the payment is not in accordance with or exceeds the price or payment terms contained in the procurement document.

For non-critical errors, corrections will be made by the accounting office when it is considered efficient; however in all cases, the Section 34 manager should be informed of the error. A non-critical error is an error identifying that the requirements of Section 34 account verification were not fully complied with at the time of payment; however, the error was not serious enough to prevent payment or to negatively impact financial information recorded in the financial system.

If the account verification completed by a specific Section 34 signatory is found to be continually inadequate, there may be a requirement to suspend Section 34 authority.

Follow-up activities

Accounting offices will implement follow-up activities aimed at reducing errors while strengthening the Department’s oversight role. Follow-up will include, for example:

• Reviewing sampling results and identifying problematic areas.
• Working with branches, programs and cost centre managers to further define issues and assist in identifying potential solutions.

Further analysis may be required by the accounting office to identify whether a specific organization, transaction type, etc., is the cause of the error. A separate quarterly sample for continued errors for these transactions may be generated.

Source of information: Shared Services Partnership’s Statistical Sampling Framework.