Audit of Acquisition Cards at Health Canada and the Public Health Agency of Canada

List of Acronyms

CCM

Cost Centre Manager

CFO

Chief Financial Officer

CFOB

Chief Financial Officer Branch (HC)

DACC

Departmental Acquisition Card Coordinator

GL

General Ledger (in context of coding to expenditure accounts)

GST

Goods and Services Tax

HC

Health Canada

HST

Harmonized Sales Tax

ORR

Official Reconciliation Report

PHAC

Public Health Agency of Canada

QA

Quality Assurance

TBS

Treasury Board Secretariat

Executive Summary

Government acquisition cards provide a cost-effective, secure, and convenient method of procuring and paying for goods and services, while ensuring effective financial control.

The use of acquisition cards is governed by the Treasury Board Secretariat’s (TBS) Directive on Payments - Appendix B: Standard on Acquisition Card Payments, associated policies and directives, and the Health Canada (HC) and the Public Health Agency of Canada (PHAC) Standard on Acquisition Cards.

As of March 31, 2018, there were 516 active cardholders (449 at HC and 67 at PHAC), accounting for approximately 70,000 transactions and $40M in related expenditures ($29.5M for HC and $10.7M for PHAC) for fiscal year 2017-18.

What we examined

The objective of this audit was to assess the administration and effectiveness of management controls for the acquisition card program at HC and PHAC, and the extent of compliance to applicable legislation, standards, and procedures.

We reviewed the management control framework for the acquisition card program. The audit examined governance, risk management, and internal controls focusing in the areas of:

• reporting to management;
• quality assurance, verification, and monitoring mechanisms;
• control of acquisition cards (issuance, credit limits, tracking, and cancellation of acquisition cards); and
• compliance with policies and procedures.

Why it is important

The use of acquisition cards is encouraged as a tool for the procurement and payment of low-value and low-risk goods and services that are used to satisfy operational requirements. By its nature, the acquisition card process can bypass key preventative controls that are present in normal procure-to-pay processes, since individual cardholders have the ability to initiate an order, enter into a contract, and effect payment for a purchase. Consequently, although the cost in dollar amounts may be low, misuse of acquisition cards can lead to reputational risk for the Agency and the Department. Therefore, periodic independent audits are important for promoting compliance in the acquisition card program.

What we found

We found that there were effective and well-administered management controls in place for the acquisition card program at HC and PHAC. Furthermore, we concluded that, for the period under the scope of the audit, acquisition card use and related transactions complied with applicable legislation, restrictions, and administrative procedures. Effective management processes and practices were identified, including:

• a centralized structure in place for acquisition card program management, overseen by the Departmental Acquisition Card Coordinator (DACC);
• a suite of comprehensive policies, procedures, and related tools in place to support the administration and management of the program;
• monitoring and quality assurance mechanisms to support compliance with requirements and to identify and manage key risks associated with the use of acquisition cards; and
• regular reporting of acquisition card use, monitoring, and quality assurance activities to senior management.

We identified an opportunity to enhance monitoring activities by further strengthening the consolidation and communication of results produced by various monitoring and quality assurance mechanisms.

All issues identified as being minor in nature have been brought to management’s attention.

The area for improvement noted in this audit report and the associated recommendation, as well as consideration of the minor issues discussed with management, will collectively strengthen the management of the acquisition card program.

A - Introduction

1. Acquisition cards provide a convenient, simple, and cost-effective method for procuring goods and services for low-value and high-volume transactions, while at the same time maintaining effective financial control. They are intended to streamline the procurement process by allowing an employee to charge purchases of goods and services, and to settle these purchases directly with the company issuing the card. A single payment to the issuer for all monthly purchases made with acquisition cards allows departments to realize savings in the procurement and payment process. There is no fee charged for the use of these cards, and departments receive rebates in exchange for faster electronic settlement with the issuers.
2. At HC and PHAC, there were 516 active cardholders as of March 31, 2018 (449 at HC and 67 at PHAC). For fiscal year 2017-18, approximately 70,000 transactions were made using acquisition cards, amounting to $40M ($29.5M for HC and $10.7M for PHAC). Total acquisition card rebates generated during the same period amounted to approximately $562K.
3. The use of acquisition cards is governed by the TBS Directive on Payments - Appendix B: Standard on Acquisition Card Payments, the TBS Directive on Expenditure Initiation and Commitment Control, and the Financial Administration Act (FAA). Further guidance is provided by the Receiver General Manual, Chapter 9 - Government of Canada Acquisition Card Program. The HC and PHAC Standard on Acquisition Cards sets out specific requirements for the use of acquisition cards within the Department and the Agency.
4. HC and PHAC’s acquisition card program is administered by the Chief, Financial Policy at HC, who has been designated as the Departmental Acquisition Card Coordinator (DACC). The DACC is responsible for managing the delivery of the departmental acquisition card program, overseeing the Regional Acquisition Card Coordinators, providing advice, direction, and assistance as necessary, as well as communicating changes to the departmental acquisition card program across HC and PHAC.
5. During the planning phase of the audit, we determined that certain controls over the acquisition card program were robust, and meant a minimum risk of exposure. These included the existence of policy, procedure, and guidance documents and tools, mandatory training for card holders, and robust card issuance and cancellation processes and controls. As a result, this audit did not address these areas, focusing instead on examining areas of greater potential concern.

B - Findings, Recommendations and Management Responses

Oversight

Management Information

6. In order to exercise effective oversight, senior management requires sufficient and timely information related to programs, operations, and related processes.
7. We expected to find that senior management for both HC and PHAC receive complete, relevant, and timely information to support decision making related to the acquisition card program.
8. We reviewed the reporting provided to management during fiscal year 2017-18 and found that the quarterly “Acquisition Card Program Dashboard” and “Statistical Sampling Results” reports presented to management contained relevant and timely information that focused primarily on compliance with requirements and risks associated with misuse of acquisition cards. Metrics on the acquisition card program were also provided. Key information presented in these reports included:
   • Identification of the critical error rate through the quality assurance process, as well as related corrective actions taken;
   • Results of monitoring undertaken by DACC related to inactive cards, unusual transactions, and disputed charges;
   • Comparisons of rebates earned with prior periods;
   • Metrics on acquisition card use (spending, number of transactions, average expenditure); and
   • Conclusions on the ongoing operation of the acquisition card program, including the overall level of compliance with requirements.
9. Overall, we concluded that adequate and timely information was provided to support management decisions related to the acquisition card program.

Risk Management

Monitoring and Quality Assurance (QA) Mechanisms

10. Risk management is an integral component of good management that supports organizations in making informed decisions by identifying and mitigating threats, based on the level of perceived risk, risk tolerance, and the organization’s operational environment and associated constraints.
11. Acquisition cards, by their nature, are inherently less-than-suitable for effective preventative controls. As such, we expected to find strong detective controls in the form of monitoring to identify and manage key risks related to non-compliance and potential misuse.
12. A risk-based Quality Assurance Framework for HC and PHAC was established and documented. Consistent with the Risk Profile Matrix of the framework document and due to their nature and low value, acquisition card expenditures have been assessed as low risk. We noted that, although certain expenditures associated with higher risk (hospitality, seminars, conferences) were processed through acquisition cards, the overwhelming majority of associated expenditures were related to low-risk goods (office, medical, and lab supplies).
13. Through interviews and document examination, we found that there were three key mechanisms in place for monitoring and quality assurance of acquisition card activities: statistical sample testing, monthly targeted monitoring, and monthly verification of the Official Reconciliation Reports.

Statistical Sample Testing

14. Accounting Operations performed quarterly quality assurance activities related to acquisition card transactions, pursuant to the established Quality Assurance Framework. The Framework defined the reasonable parameters for statistical sampling, including a tolerable error rate of 8% for low-risk transactions and a 90% confidence level that the sampling results are representative of the overall population.
15. We reviewed the outputs of the quarterly quality assurance activities for 2017-18 and determined that activities had been carried out in a manner consistent with the Framework. The conclusions drawn and reported to senior management were supported by the quality assurance results. Furthermore, we found that the results of our own testing, as discussed in the ‘Compliance’ section of this report, were consistent with the results of the quality assurance activities carried out by Accounting Operations.

Monthly Targeted Monitoring

16. The Financial Policy Unit, under the DACC’s oversight, performed monthly targeted monitoring and review of transactions with potential high-risk attributes, focusing on those that were:
    • perceived as being for personal use, fraudulent, or non-compliant to policies;
    • made with unusual vendors;
    • outside business hours; and
    • were disputed by the cardholder.
17. Our own targeted testing, as discussed in the ‘Compliance’ section of this report, included transactions that had been tested under the targeted monitoring strategy of the Financial Policy Unit. We found that the results of our targeted testing were consistent with those of the targeted monitoring undertaken by the Financial Policy Unit.

Monthly Verification of the Official Reconciliation Reports (ORRs)

18. The ORR process was part of Accounting Operations’ ongoing verification procedures related to acquisition card purchases. Each month, the individual acquisition card statements that were reconciled by the cardholder, and reviewed and certified by the CCMs, were subjected to account verification procedures by the East and West Accounting Hubs. There was a documented process for conducting the ORR verification, supported by appropriate checklists. The process involved a minimum of quality assurance on all transactions, and full quality assurance on those transactions coded to ‘higher risk’ general ledger (GL) accounts, including hospitality, seminars, conferences, and membership fees.
19. We conducted a focused review of a sample of 49 ORRs (26 from HC and 23 from PHAC). The review confirmed that the Accounting Hubs were diligent in performing QA and verification procedures as required. Minimum QA^{Footnote 1} was performed on all ORRs, and higher-risk transactions were subjected to full QA^{Footnote 2}, as established in the verification procedures. The results of our review were consistent with those of the Hubs. Errors that were identified were primarily related to improper application of GST and HST, errors in GL coding, and inadequate documentation of receipt of goods and services. The review also confirmed that cardholders were diligent in reconciling their statements in a timely manner. Disputed transactions were identified, recorded in the financial system, and resolved in a timely manner (the card supplier, BMO, credited the cardholders’ accounts where applicable).
20. We also reviewed how results of the ORR verification were documented. We found that, while the East Hub maintained a more detailed monthly log of errors by error type, the process at the West Hub was less detailed, and errors were captured and recorded in an inconsistent manner. Consequently, it was not clear when errors were actually recorded as errors or merely corrected, nor was it easy to identify and consolidate errors by type. We noted that, subsequent to the conduct phase of the audit, the West Hub had been transferred to Indigenous Services Canada.
21. Through our review of documentation and follow-up discussions with accounting personnel at the East Hub, we found that when errors were identified, they were tracked and remedial actions were taken, including communication with cardholders and correcting errors. However, overall results of the ORR verification were not communicated to the Financial Policy Unit, nor was there consistent communication of the number of errors made by individual cardholders.
22. The program would benefit from a more comprehensive and consistent process to track, consolidate, and report on errors, including those identified through all monitoring and quality assurance activities, and associated to individual cardholders and CCMs. This would enhance the ability of the Financial Policy Unit and the DACC to:
    • take actions pursuant to the Standard on Corrective Measures for non-compliance monitoring;
    • more effectively target guidance and training; and
    • more effectively and efficiently tailor future monitoring and QA activities.

Recommendation 1

The Chief Financial Officer should ensure that results from all monitoring and quality assurance activities are consolidated and effectively communicated to the Departmental Acquisition Card Coordinator.

Management response

Control of Cards

23. The Receiver General Manual, Chapter 9 – Government of Canada Acquisition Card Program identifies issuance and control of cards as one key area that should be addressed by a departmental acquisition card control framework. Accordingly, we expected to find effective controls in place for card management relating to issuance, credit limits, tracking, and cancellation of acquisition cards.
24. During the planning phase of this audit, we found that controls over the issuance and cancellation of cards were robust and therefore represented a minimal risk exposure. This audit examined the appropriateness of card limits and other restrictions.

Card limits and other restrictions

25. We expected to find clearly documented restrictions on the use of acquisition cards that were consistent with the TBS Directive on Payments - Appendix B: Standard on Acquisition Card Payments and associated policies and directives. We also expected that financial limits related to the use of acquisition cards would be reasonable and reflect the needs and spending patterns of the cardholders.
26. We reviewed the HC and PHAC Standard on Acquisition Cards and determined that it reflected key requirements and restrictions of the associated TBS directives and of the guidance provided in the Receiver General Manual, Chapter 9 - Government of Canada Acquisition Card Program. Compliance with the requirements is addressed in the ‘Compliance’ section of this report.
27. We also found that the DACC uses the ‘blocking’ capability offered by the acquisition card supplier to effectively block the use of cards by merchant category, in order to minimize the risk of card use for ineligible purchases. We noted that implementation of this control risked inhibiting legitimate operational requirements, and as such, was implemented in a judicious manner.
28. We also examined the financial limits established for the use of acquisition cards. The individual transaction limit was set at $5K and was consistent with requirements of the HC and PHAC Standard on Acquisition Cards. Our review and analysis of acquisition card transactions found that, with the exception of very few purchases that were done using foreign currency, all transactions were within the transaction limit.
29. Our review of the process for issuing cards and setting monthly card limits found that cards were issued with a default limit of $25K, and increases to limits requested by CCMs were subject to DACC approval. We conducted an analysis of monthly spending activity for fiscal year 2017-18, and identified that, for a large number of cards, including for cards with a 25K default limit, the monthly limits far exceeded the average monthly spending and the maximum spent in any one month. For example, during fiscal year 2017-18, for 83 of the cards with a default limit of $25K (over 20% of all such cards), the maximum amount purchased on any one card was less than $2.5K, and the total for the year was less than $10K.
30. We found that the DACC identified cards that had been inactive for 90 days and confirmed with the respective CCMs if the cards were still required. Also, reviews of monthly card limits were undertaken, with only cards that exceeded the default $25K monthly limit being reviewed. The review conducted closest to the audit was done in June 2016. We were informed by the Financial Policy Unit that, subsequent to completion of the audit, a card limit review was conducted.
31. Card limits that are higher than necessary increase exposure to reputational and financial risk, as a result of potential misuse, comprising of the card, and other fraudulent activity.
32. It is the view of the DACC and the Financial Policy Unit that the operational benefits of having a default limit of $25K outweigh any associated risks. The 25K limit exists primarily to address procurement needs in cases where there are unexpected increases in purchasing volume, as in the case where one cardholder is required to ‘fill in’ for another who may be on leave or has left the organization.
33. We found that there was an effective process in place whereby card limits can quickly and efficiently be increased by the DACC at the request of the CCM. In light of this, the DACC is encouraged to consider a more regular review and challenge function related to monthly card limits. This may include a more flexible process for increasing limits upon demand, rather than setting higher limits as a contingency measure.

Compliance

34. As previously discussed, the requirements and restrictions related to the use of acquisition cards have been clearly defined at HC and PHAC, and were consistent with the requirements of the associated TBS policies and directives. Furthermore, during the planning phase of this audit, we found that there were additional controls to support compliance with requirements, including mandatory training as part of the card-issuance process, and supporting guidance, tools, and procedures, some of which are available on the MySource intranet site. Accordingly, we expected that acquisition card transactions would be compliant with TBS directives and with the established HC and PHAC standard and procedures.
35. We tested a sample of 272 randomly selected transactions (136 from HC, 136 from PHAC) to assess the effectiveness of controls and their level of compliance with requirements and restrictions. The testing criteria were the same as those used in the statistical sampling QA process pursuant to the established Quality Assurance Framework, as previously discussed in the ‘Monitoring and Quality Assurance (QA) Mechanisms’ section of this report. Overall, the transactions tested were processed pursuant to established procedures and compliant with the requirements of acquisition card standards. We found some errors (exceptions and instances of non-compliance). However, the sample’s critical^{Footnote 3} error rate was well within the tolerable 8% rate set by HC and PHAC for acquisition card transactions. The testing resulted in an overall non-critical error rate of 8.46%, primarily related to GL coding errors (3.31%) and the application of GST/HST (5.15%).
36. In addition to the random sample, we selected a sample of 147 ‘targeted’ transactions for review. These transactions were selected on the basis that they exhibited higher inherent risk of non-compliance due to various attributes, including but not limited to: expenditures related to specific policy requirements (hospitality, items requiring Chief Information Officer approval, awards, training, vehicle expenses, conference and seminars), purchases from unusual vendors, including online purchases, weekend and holiday transactions, and potential instances of ‘transaction splitting’ to circumvent the acquisition card individual transaction limit or delegated contracting authority limits. We found that, overall, the acquisition cards were used for allowable expenditures, transactions were processed in compliance with policy requirements, and there was no evidence of systemic transaction or contract splitting. The following error rates were noted in certain non-critical areas:
    • inappropriate application of GST/HST (13.29%); and
    • inappropriate GL coding (11.03%).
37. Notwithstanding the minor exceptions noted in non-critical areas, the level of compliance with TBS and HC/PHAC standards and procedures was within the tolerable rate set by HC and PHAC. Given the low materiality of acquisition card expenditures, the potential consequences of non-critical errors are unlikely to pose significant financial, reputational, or operational risks.
38. In addition to extensive guidance on MySource, the Financial Policy Unit reinforces requirements via communiqués to cardholders and CCMs. Continued reinforcement is encouraged for non-critical areas, including GL coding, application and treatment of HST, and purchases in the name of the department for online transactions. Implementation of Recommendation 1 will enhance the program’s ability to better focus targeted guidance and training activities to specific cardholders and CCMs.

Conclusion

39. We found that there were effective and well-administered management controls in place for the acquisition card program at HC and PHAC. Furthermore, we concluded that for the period under the scope of the audit, acquisition card use and related transactions complied with applicable legislation, related restrictions, and administrative procedures. Effective management processes and practices were identified, including:
    • a centralized structure in place for acquisition card program management overseen by the Departmental Acquisition Card Coordinator (DACC);
    • a suite of comprehensive policies, procedures, and related tools in place to support the administration and management of the acquisition card program;
    • monitoring and quality assurance mechanisms to support compliance to requirements and to identify and manage key risks associated with the use of acquisition cards; and
    • regular reporting of acquisition card use, monitoring, and quality assurance activities to senior management.
40. We identified an opportunity to enhance monitoring activities by further strengthening the consolidation and communication of results stemming from various monitoring and quality assurance mechanisms.
41. All issues identified as being minor in nature have been brought to management’s attention.
42. The area for improvement noted in this audit report and the associated recommendation, as well as consideration of the minor issues discussed with management, will collectively strengthen the management of the acquisition card program.

Appendix A – Scorecard

Audit of the Acquisition Cards at Health Canada and the Public Health Agency of Canada

Criterion	Rating	Conclusion	Rec #
Governance / Oversight
Management Information	No deficiencies	There is an established process for regular reporting. Overall, information provided to senior management is timely and sufficient to inform and support management decisions related to the acquisition card program. Potential areas of consideration for the expansion of information reporting have been discussed with management.	-
Risk Management
Monitoring and quality assurance mechanisms	Minor deficiencies	Effective quality assurance and monitoring mechanisms are in place to identify and address issues of misuse, non-compliance, and fraudulent activity. However, results from the QA and verification activities undertaken by the Accounting Hubs have not been consistently tracked or consolidated to systemically capture errors or instances of non-compliance by individual cardholders and CCMs. Implementation of an effective process to accomplish this would enhance the ability of the Financial Policy Unit and the DACC to:    take actions pursuant to the Standard on Corrective Measures; more effectively target guidance and training; and more effectively and efficiently tailor future monitoring and QA activities.	1
Control of Cards
Card limits and other restrictions	No deficiencies	Restrictions on card use are clearly defined and consistent with requirements of TBS directives. Transaction limits are established in accordance with the HC and PHAC Standard on Acquisition Cards, and monthly card limits are established based on CCM requests and approved by the DACC. However, for a number of cards, including some with a default limit of $25K, the limits do not reflect historical spending patterns. It is management’s opinion that the benefits of more liberal card limits outweigh the potential risk of operational impediments in situations where there is unexpected demand for the cards.	-
Compliance
Use of cards and compliance	No deficiencies	Acquisition cards are used as intended and the level of compliance to the Standard on Acquisition Cards is high, within the tolerable level established by HC and PHAC. Compliance was slightly lower for some non-critical areas, including GL coding, application and treatment of taxes, and documentation related to on-line purchases. Continued reinforcement of requirements in these areas is encouraged.	-

Appendix B – About the Audit

1. Audit Objective

The objective of this audit was to assess the administration and effectiveness of management controls over the acquisition card program at HC and PHAC, and the extent of compliance to applicable legislation, standards, and procedures.

2. Audit Scope

The scope of the audit included the management processes in place and acquisition card transactions processed between April 1, 2017 and March 31, 2018 for both HC and PHAC.

Work included a review of management processes in place and activities conducted by CFOB Accounting Operations (East Hub/National Capital Region and West Hub/Winnipeg) and the CFOB’s Financial Policy Unit.

Excluded from the scope of the audit are activities related to the issuance, renewal, and cancellation of acquisition cards, as well as performance of section 33 in accordance with the Financial Administration Act. Also excluded is Sex-and Gender-Based Analysis +. These areas have been deemed low-risk as a result of the work conducted by the audit team during the planning phase of the audit.

Audit Approach

The audit was conducted in accordance with the Treasury Board of Canada’s Policy on Internal Audit. Sufficient and relevant evidence was obtained to provide reasonable assurance in support of the audit conclusions.

Audit procedures that were employed during the examination phase to address the audit criteria included, but were not limited to:

• review of oversight and reporting of information;
• review processes for managing credit card limits;
• interviews with key personnel responsible for the acquisition card program;
• review of quality assurance mechanisms in place that identify, assess, mitigate, and report risks;
• testing internal controls and compliance of acquisition card use and related transactions to applicable directives and standards.

Statement of Conformance

This audit was conducted in conformance with the International Standards for the Professional Practice of Internal Auditing, as supported by the results of the Office of Audit and Evaluation’s Quality Assurance and Improvement Program.

Appendix C - Lines of Enquiry and Criteria

Audit of the Acquisition Cards at HC and PHAC

Criteria Title	Audit Criteria
Line of Enquiry 1: Governance and Oversight
Management information	1. Management (Chief Financial Officer and Office of the Chief Financial Officer) receives complete and relevant information to support decision making as it relates to the acquisition card program.
Line of Enquiry 2: Risk Management
Monitoring and quality assurance mechanisms to address risk	Monitoring and quality assurance mechanisms are in place that identify, assess, mitigate, and report risks (misuse, abuse, and fraudulent activity).
Line of Enquiry 3: Control of Cards
Acquisition card limits	3.  Acquisition cards are controlled to ensure that credit card limits and other restrictions appropriately reflect spending patterns for cardholders.
Line of Enquiry 4: Compliance
Use of acquisition cards	4. Transactions are compliant with TBS and departmental directives and standards regarding acceptable use and restrictions.