Audit of Key Financial Controls at Health Canada, 2015-16 Final Report

Download the alternative format
(PDF format, 852 KB, 38 pages)

Type: [Publication Type]

Published: 2017-03-24

Executive summary
A - Introduction
B - Findings, recommendations and management responses
C - Conclusion
Appendix A - Lines of enquiry and criteria
Appendix B - Scorecard
Appendix C -Health Canada's Internal Control over Financial Reporting Framework
Appendix D - Audit coverage of the key financial controls identified in the Internal Control over Financial Reporting Framework
Appendix E - Follow-up on previous year's recommendations
Appendix F - Health Canada responsibilities around key financial controls over payroll and trusted source responsibilities
Appendix G - List of acronyms

Executive summary

In support of the Treasury Board Policy on Internal Control, Health Canada's (HC) Deputy Minister and Chief Financial Officer are required to sign an annual representation letter acknowledging their responsibilities for maintaining an effective system of internal control over financial reporting.

The objective of this audit was to provide reasonable assurance that select key financial controls in support of the departmental financial statements are operating effectively. The audit focused on testing the controls that help HC meet its control objectives and address management's responsibility over the completeness, validity and accuracy of its financial reporting. The audit covered transaction processing activities for fiscal year 2015-16.

The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing. Sufficient and appropriate procedures were performed and evidence gathered to support the accuracy of the audit conclusion.

Why are key financial controls important?

An effective internal control system is critical for managing and meeting organizational goals, mitigating risks of error and fraud and building public confidence. Key controls serve to detect errors or control failures in a timely manner or prevent other control failures before they have an opportunity to become material. As such, they are fundamental for ensuring that risks related to the stewardship of public resources are adequately managed. These controls should remain effective in a challenging environment.

What was found?

The audit concluded that select key financial controls in support of the departmental financial statements are generally operating effectively. Areas requiring improvements include the management of expenditure initiation authorities for patient travel; journal vouchers; PAYEs; segregation of duties; pay transactions, including quality assurance review and document retention; and coding of travel requirements on purchase orders.

Management agrees with the seven recommendations set out in the report and has provided an action plan that will improve the effectiveness of HC's internal controls over financial reporting.

A - Introduction

1. Background

An effective internal control system is critical for managing and meeting organizational goals, mitigating the risk of error and fraud and building public confidence.

The Deputy Head, as the Accounting Officer, is accountable for the measures taken to maintain effective systems of internal control in the department^{Footnote 1}. To this effect, Treasury Board (TB) requires departments to have an effective system of internal controls to mitigate risks for:

the prudent stewardship of public funds;
the safeguarding of assets; and
reliable reporting.

The TB Policy on Internal Control requires that the Deputy Head sign an annual departmental Statement of Management Responsibility Including Internal Control over Financial Reporting. The TB Policy on Financial Resource Management, Information and Reporting requires that the Deputy Head take measures to ensure that the department can sustain a control-based audit of its annual financial statements.

At Health Canada (HC), the processes, procedures and related internal controls that impact reliable financial reporting are identified in the Internal Control over Financial Reporting Framework (ICFR) (see Appendix C). The Internal Control Division within the Chief Financial Officer Branch (CFOB) has established a risk-based strategy to monitor over 160 controls on a cyclical basis and to support a conclusion about the internal control system's ability to manage or mitigate risks pertaining to reliable financial reporting.

In recent years, the Office of Audit and Evaluation (OAE) has conducted a number of audits as part of a strategy to provide continuous assurance and support for HC's efforts to ensure it can sustain a control-based audit of its annual financial statements. These audits include the Audit of Internal Control over Financial Reporting and Financial Statement Readiness (June 2013), the Audit of Procurement and Contracting (March 2015) and previous years' Audits of Key Financial Controls (most recent: October 2015). These audits have contributed to the strengthening of controls in a number of key areas.

Rationale for the audit

The audit provides an independent assessment of the effectiveness of the regime for identifying and addressing control deficiencies related to reliable financial reporting. It supports the Departmental Audit Committee's responsibility for due diligence and constructive challenge of the evidence and action plans underpinning the certification in the annual Annex to the Statement of Management Responsibility.

Key financial controls are fundamental for ensuring that risks pertaining to the stewardship of public resources are adequately managed; the controls should remain effective in a challenging environment. Current challenges include modernization and shared responsibility, such as the Pay Transformation Initiative, the Health Canada-Public Health Agency of Canada Shared Services Partnership, and cluster support for Enterprise Resource Planning systems such as PeopleSoft and SAP.

2. Audit objectives

The objectives of the audit were to:

Determine whether select key controls supporting the departmental financial statements are operating effectively, in order to mitigate the risk of material misstatements in terms of ensuring the validity, completeness and accuracy of financial transactions; and
Follow up on the progress made on the implementation of the management action plan developed in response to the previous year's key financial controls internal audit recommendations.

3. Audit scope

The audit included a review of key financial controls that were either common or specific to the following significant classes of transactions:

Grants and contribution agreements;
Salary and wage expenses;
Non-insured health benefits;
Purchase of goods and services;
Acquisition card purchases;
Revenues from drug submissions and evaluation and Employee Assistance Services;
Accounts receivable; and
Capital assets.

The lines of enquiry and audit criteria are presented in Appendix A. An overview of the audit coverage of the key financial controls identified in ICFR is provided in Appendix D.

The audit covered transaction processing activities for fiscal year 2015-16. The controls tested were predominantly within CFOB, but the audit also reviewed control activities that fall under the responsibility of the offices of secondary interest and cost centre managers.

4. Audit approach

The audit project was conducted in conformity with the Treasury Board of Canada's Policy on Internal Audit.

In assessing the effectiveness of key financial controls, the audit comprised of interviews with employees, review of documentation (for example, departmental policies and procedures, relevant documentation), observation of key processes and controls and analysis of financial and non-financial data using computer-assisted audit techniques and tools. The audit leveraged the work performed by other parties such as the Office of the Auditor General, CFOB's Internal Control Division, the Office of the Procurement Ombudsman and other audits conducted by the Office of Audit and Evaluation, as appropriate.

5. Statement of conformance

In the professional judgment of the Chief Audit Executive, sufficient and appropriate procedures were performed and evidence gathered to support the accuracy of the audit conclusion. The audit findings and conclusion are based on a comparison of the conditions that existed as of the date of the audit, against established criteria that were agreed upon with management. Further, the evidence was gathered in accordance with the Internal Auditing Standards for the Government of Canadaand the International Standards for the Professional Practice of Internal Auditing. The audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program.

B - Findings, recommendations and management responses

1. Follow-up on previous year's recommendations

Audit criterion: Progress is made on the previous year's recommendations.

The audit examined the implementation of the previous year's recommendations and found that management has fully implemented the committed actions for the recommendations made in the previous year's report (see Appendix E).

Cancellation of unnecessary specimen signature cards (recommendation 1)

Management sent a message to all specimen signature card (SSC) editors, reminding them of the requirement to conduct a review of SSCs and that unnecessary cards needed to be cancelled. An annual review of SSCs was conducted to ensure that duplicate or unnecessary cards were removed.

Reduction of accounting errors in acquisition card transactions (recommendation 2)

The Chief Financial Officer Branch (CFOB) updated the acquisition card training material. An enforcement strategy was implemented, consisting of sending a quarterly message to card-holders informing them of errors found during the QA exercise, along with advice and procedures to avoid these errors in the future.

Compliance to the Departmental Standard on Journal Vouchers (recommendation 3)

Training was provided to Accounting Operations staff who process journal vouchers. In addition, instructions providing guidance related to journal voucher review and supporting documentation requirements was distributed.

Reconciliation of the Grants and Contributions Information Management System to the departmental financial system (recommendation 4)

Management has implemented a monthly reconciliation process between GCIMS and SAP.

Timely recording and monitoring of receivables arising from the recovery of contribution agreement payments (recommendation 5)

Management has implemented the GCIMS Debt Managements Module for recording and monitoring receivables arising from recoveries of contribution amounts.

2. Select key financial controls common to all classes of transactions

2.1 Delegation of financial signing authorities

Audit criterion: Controls over the maintenance of specimen signature cards ensure that delegations of financial signing authorities are valid.

Financial signing authority is delegated to various management levels throughout Health Canada (HC) by the Minister and the Deputy Minister. These authorities are then granted to employees at various management levels by creating and activating specimen signature cards, which are maintained in SAP. There were approximately 3,400^{Footnote 2} active signature cards in the database as of March 2016.

Certification under FAA Section 33 (payment authority) ensures that payments are subject to authorized requisitions, are lawful charges against the appropriation and are within the appropriations level. This requires that appropriate processes and controls be in place to verify accounts under FAA Section 34, as stated in HC's delegation of financial signing authority document. Financial officers performing Section 33 of the FAA rely on the specimen signature cards to substantiate whether an employee has valid Section 34 delegation of financial signing authority.

With the changes related to the recent Pay Transformation Initiative, an external service provider (SP) also relies on the accuracy of the specimen signature card database. Consequently, it is essential that the controls over the creation and activation of specimen signature cards operate effectively, to comply with the FAA and central agency policy instruments and prevent unauthorized expenditures.

Activation of specimen signature cards

Prior to activating a specimen signature card, specimen signature card editors must verify the validity of the request (for example, approval by a supervisor with delegated authority, mandatory training has been taken and issued to an eligible HC employee, only one substantive card per individual, in most cases).

The audit examined specimen signature cards activated in fiscal year 2015-16 to verify that the review of specimen signature card requests by Specimen Signature Card Editors was adequately performed and found no issues.

Termination of specimen signature cards

An employee's specimen signature card may be terminated for two reasons: the employee's responsibilities have changed or the employee has left HC. In the first instance, the signature card is edited to reflect the new responsibilities, provided that the employee retains financial signing authority. In the second instance, the signature card is simply cancelled.

Timely termination of specimen signature cards is essential to support the financial officers' responsibilities for FAA Section 33 certification. As well, the external SP for the new payroll system relies on HC to provide up-to-date information on employees with FAA Section 34 authority for pay transactions. To this effect, a mandatory departure process and departure application tool was implemented to facilitate the timely cancellation of cards. Furthermore, CFOB performs an annual review of specimen signature cards as a compensating control, to cancel cards that are no longer required.

The audit assessed the accuracy of the database throughout the year by analyzing the timeliness of the cancellation of specimen signature cards for departed employees. The audit found some instances of cards being cancelled more than 30 days after the employee's departure.

Medical transportation officer (MTO) specimen signature card

As a result of the update of the TBS Directive on Travel, Hospitality, Conference and Events Expenditures, expenditure initiation for all non-local travel requires approval at the senior departmental manager level. This requirement applies to all non-local travel, including patient travel under the Non-Insured Health Benefits Program and the Indian Residential School Resolution Health Support Program. However, this created operational challenges because HC handles a large volume patient travel. Consequently, HC created a new functional-level specimen signature card to delegate expenditure initiation authority for patient travel to MTOs.

The audit compared a listing of users with access to create travel authorizations in the medical transportation recording system with a listing of MTO specimen signature cardholders to determine whether these users had been formally delegated expenditure authority for patient travel. It was observed that nearly 40% of the users with the ability to authorize patient travel did not have an MTO specimen signature card. As a result, there is a risk that employees exercising expenditure initiation authority for patient travel may not have been formally delegated these authorities.

Overall controls over the maintenance of specimen signature cards were operating effectively. However, improvements are required to ensure that MTO specimen signature cards are issued to the appropriate employees.

Recommendation 1

It is recommended that the Assistant Deputy Minister, Regional Operations, First Nations and Inuit Health Branch, ensure that employees with the authority to approve expenditure initiation for patient travel have a medical transportation officer specimen signature card.

Management response

Management agrees with recommendation.

FNIHB will confirm that regional employees in positions requiring them to approve non-insured non-emergency medical travel have a valid MTO specimen signature card.

2.2 Quality assurance process over Financial Administration Act Section 34 certification

Audit criterion: The quality assurance performed over Financial Administration Act Section 34 certification is effective.

A well-functioning quality assurance process is a key control, ensuring that a high standard of integrity and accountability is maintained in the spending of public money and supporting sound stewardship of financial resources.

Under Section 34 of the FAA, managers are required to certify that:

goods were supplied or the service rendered;
the price charged is in accordance with the contract;
supporting documentation is complete;
the financial coding is correct; and
the payee is eligible and entitled to the payment.

Source: TBS Directive on Account Verification

In accordance with the TBS Directive on Account Verification, HC employs a risk-based approach to performing the quality assurance review over Financial Administration Act (FAA) Section 34 account verification when exercising payment authority for payments, pursuant to Section 33 of the FAA.

The objective of the quality assurance process is to confirm that FAA Section 34 certification is properly and consistently performed. For high-risk transactions, it acts as a main control to ensure that the transactions are accurate and valid and that errors (if detected) are corrected prior to payment. For low-risk transactions, the quarterly sampling results provide insight into the effectiveness of FAA Section 34 certification and, if necessary, action plans are developed. For both types of transactions, errors are corrected as deemed necessary. This provides assurance that transactions are valid, accurate and properly authorized.

As illustrated in Figure 1, all transactions undergo a minimum quality assurance review,which focuses on verifying the appropriateness of FAA Section 34 authorization, the financial coding and vendor information. Minimum quality assurance reviews are either performed manually or are done automatically through SAP-P2P. A risk profile (low or high) is then assigned, based on the nature and value of the transactions, through a "gating" process.

**Figure 1: Quality Assurance Review Process**

Source: Shared Services Partnership Statistical Sampling Training Guide

Transactions identified as low-risk are paid immediately after the minimum quality assurance review is performed, but they may be subject to a full quality assurance review through quarterly statistical sampling. This process is referred to as the Post-Payment Quality Assurance Process.

All transactions deemed as high-risk undergo a full quality assurance review prior to payment. This includes verifying whether the backup documentation provided supports the payment request, the financial coding is appropriate, the claimed amounts are in accordance with the corresponding contract or funding agreement and procurement documents and payment requests comply with TB and departmental policies. Examples of high-risk transactions include all transfer payment transactions, membership fees and non-public servant travel.

Errors identified through quality assurance that call into question the validity of the payment request must be followed-up and corrected, such as inappropriate FAA Section 34 financial signing authority or an invoice price that is not in accordance with the contract or funding agreement.

Table 1 provides a breakdown by risk profile of the transactions recorded in fiscal year 2015-16. It demonstrates that even though the proportion of high-risk transactions was 5% of the total population in terms of numbers, these transactions represented 81% of the total dollar value.

Table 1: Transactions by risk profile, fiscal year 2015-16
Risk Profile	No. of Transactions		Value
Risk Profile	('000)	(%)	($ M)	(%)
High	19.30	5%	1,945.10	81%
Low	403.20	95%	467.60	19%
Total	422.50	100%	2,412.70	100%

Source: Health Canada's financial system, fiscal year 2015-16.

Quality assurance over FAA Section 34 account verification encompasses most payment transactions, including grants and contributions, accounts payable, travel claims, honoraria and acquisition cards. Salary and wage expenditures are not included, since they are subject to a different quality assurance process, which is discussed in section 3.2 of this report. In fiscal year 2015-16, interdepartmental settlement (IS) transactions were included in the post-payment testing and sampling approach. However, the Statistical Sampling Framework has not been updated to reflect this change. Management has indicated that the Statistical Sampling Framework is currently being revised to include this change.

The main aspects of the quality assurance process include:

the gating of transactions;
the identification of errors in account verification;
the logging of results of the quality assurance review; and
the quality assurance or statistical sampling of low-risk transactions.

Gating of transactions for the quality assurance process

The gating of transactions is an important aspect of the quality assurance process. It determines whether a transaction presents a low risk or a high risk as per the Statistical Sampling Framework, thereby determining the level of quality assurance (minimum or full) to be performed prior to payment. Gating is based on the financial coding used when creating a purchase order or when an invoice is entered.

The audit determined that some transactions for non-public servant travel were gated as low-risk rather than high-risk due to inaccurate financial coding used to create the purchase orders. Consequently, the transactions may not have been subject to the appropriate level of quality assurance review prior to payment. This is further discussed in section 3.4 of this report.

Identification of errors in account verification

The quality assurance review entails verification that FAA Section 34 account verification has been performed properly (for example, price charged is in accordance with the contract; supporting documentation is complete; financial coding is correct; and the payee is eligible and entitled to the payment). This process provides evidence of the effectiveness of FAA Section 34 account verification.

The audit tested transactions recorded in fiscal year 2015-16 and found that the quality assurance review was adequately performed.

Logging of results of the quality assurance review

Health Canada's Statistical Sampling Training Guide requires that all errors identified during the quality assurance review for both low- and high-risk transactions be recorded in SAP. This is regarded as the most significant output of the quality assurance process, because it provides the necessary data to report on the overall adequacy and reliability of the account verification process and allows management to develop corrective actions where necessary, in accordance with the TBS Directive on Account Verification.

The audit found that for the sample of transactions reviewed, errors on high-risk transactions identified by the quality assurance reviewer were recorded in SAP.

Post-payment quality assurance of low-risk transactions

As noted earlier, all low-risk transactions undergo a minimum quality assurance prior to payment. In addition, a sample of these transactions is selected on a quarterly basis, to undergo a full post-payment quality assurance. CFOB analyzes errors and develops the action plans.

The audit examined the results of the review of statistically sampled transactions for fiscal year 2015-16. The results indicate that the error rate for accounts payable and IS transactions was consistently below the tolerable error rate (8%). Acquisition card transactions exceeded HC's tolerable error rate in Q1, Q2 and Q3, but Q4 results indicate that measures put in place to address the high error rates are having a positive effect.

Table 2: Statistical sampling error, by quarter
Low-Risk Transaction Group	2015-2016 Error Rate
Low-Risk Transaction Group	Q1	Q2	Q3	Q4
Accounts Payable and IS	1.9%	1.3%	1.9%	1.9%
Acquisition Card	17.8%	13.9%	13.9%	4.4%

In conclusion, quality assurance over FAA Section 34 certification is performed.

2.3 FAA Section 33 certification

Audit criterion: Certification of non-salary expenditures under FAA Section 33 is performed and an appropriate segregation of duties exists with FAA Section 34 certification.

The authority to request payments in accordance with Section 33 of the FAA is referred to as payment authority. Pursuant to this section, a financial officer with delegated payment authority must ensure that:

FAA Section 34 has been properly exercised by validating that the Section 34 signatory had a valid delegated authority to authorize the expense and that there is auditable evidence that the quality assurance over the adequacy of the Section 34 account verification has taken place; and
Expenditures are a lawful charge against the appropriation.

The FAA Section 33 payment authorization performed by financial officers is a key control for ensuring the accuracy and legality of transactions.

The audit found that certification under FAA Section 33 for non-salary expenditures is performed and an appropriate segregation of duties exists with FAA Section 34 certification. FAA Section 33 certification of salary expenditures is discussed in section 3.2 of this report.

2.4 Management review of expenditures and commitments

Audit criterion: Cost centre managers review commitments and expenditures recorded in SAP for completeness, validity and accuracy.

Health Canada's Policy on Budget Management, which is part of the departmental Budget Management Framework, requires that cost centre managers be accountable and responsible for their assigned budgets.

Cost centre managers at all levels, with the support of branch financial management advisors (in the National Capital Region) and regional financial management advisors (in other regions), are required at month-end to review expenses charged to their cost centres through HC's management variance reporting (MVR) process. The activity entails a review of the validity, accuracy and completeness of expenses, including salaries. The review of salaries also serves as part of FAA Section 34 approval for salary expenditures.

As a result of the transfer of payroll administration functions to a government-wide SP and the implementation of the new payroll system (Phoenix), departments (including HC) have experienced a significant number of payroll errors that could result in misstatement of salary expenditures recorded in HC's financial system. To mitigate this risk, HC relies on the MVR review of salary expenditures to serve as a compensating control to validate the accuracy of salary expenditures posted to HC financial records (see section 3.2 for more explanations).

CFOB is responsible for ensuring that the month-end MVR exercise is adequately conducted and documented through a challenge function. This process is considered a key control over financial reporting.

The audit examined the MVR process and found that the review and challenge of cost centre manager's MVR was adequately performed.

In conclusion, commitments and expenditures recorded in SAP are reviewed for completeness, validity and accuracy.

2.5 Accrued liabilities at year-end

Audit criterion: Review and challenge of payables at year-end are performed to ensure completeness, validity and accuracy.

As per the TBS Directive on Year-End Recording of Payables (PAYE), departments and agencies must identify and quantify liabilities to outside organizations and individuals resulting from operations up to and including March 31st of each fiscal year. In the absence of certainty, estimates must be used to determine the amounts of liabilities, as long as reasonably accurate values can be assigned.

As per the departmental year-end procedures, cost centre managers and administrators must submit PAYE requests for goods and services of value greater than or equal to $1,000 (except for salary-related items, where the minimum threshold is $400, and for interdepartmental settlements and for grants and contributions, where there is no minimum threshold), for which an invoice has not been received or when accounts payable or payments cannot be recorded by the required cut-off date. In addition, branch or regional senior financial officers are responsible for reviewing and challenging PAYE requests to ensure that the appropriate documentation is provided to support a valid liability. The total amount of PAYEs created in fiscal year 2015-16 was $103 million.

The audit tested the review and challenge function exercised over PAYEs related to the previous fiscal year that had yet to be cleared, as well as over PAYEs recorded as part of the 2015-16 year-end procedures. The audit found that review and challenge of prior year PAYEs was performed.

For PAYEs created in fiscal year 2015-16, the audit examined a sample of 20 transactions and found that in two instances, the amount recorded was greater than the amount supported by the documentation.

In conclusion, payables at year-end transactions are reviewed and challenged for completeness and validity. However, improvements are required to ensure accuracy of PAYE transactions.

Recommendation 2

It is recommended that the Chief Financial Officer ensure that the PAYE amounts recorded agree with supporting documentation.

Management response

Management agrees with recommendation.

The accounting hubs will review and revise their internal procedure to ensure that the PAYE amounts recorded in SAP agree with supporting documentation.

2.6 System access and segregation of duties

Audit criterion: Access to SAP is restricted and the segregation of duties is enforced.

Segregation of duties is a key concept in internal control that mitigates the risk of fraud and errors. Incompatible duties exist when the same person can perform tasks or functions in multiple phases of a single process. An example of incompatible duties is the creation or maintenance of vendor master files and the recording of purchase orders or vendor invoices by the same individual.

Prior to granting or modifying access, CFOB performs tests to ensure that users do not receive access to incompatible functions. In some cases, CFOB will grant access to incompatible duties due to operational constraints. In these cases, the responsible manager must describe the mitigating control measures in a prescribed form. In addition, CFOB conducts tests to monitor the segregation of duties on a semi-annual basis. In September 2015, the frequency of the monitoring exercise was changed from semi-annually to monthly.

The audit tested the segregation of duties to determine whether individuals had access to incompatible duties. Audit tests found users with access to incompatible duties, as shown in Table 3.

Table 3: Access to incompatible duties at some point during fiscal year 2015-16
# of users	Access to incompatible duties		Description of risk
2	Customer Credit Memo	Process Incoming Payment	User can divert the payment from the customer by entering fictitious credit memos
4	Create Purchase Order	Exercise FAA Section 34 authorities as CCM	Goods could be misappropriated, since the same individual is able to approve a purchase as well as payment of the invoice

There is an absence of an approved documented policy to grant access to incompatible duties, such as a definition of operational constraints, a mitigating control measures definition and guidelines and the level of senior management approval needed.

The audit also verified whether monitoring of segregation of duties was conducted and found that it was performed as scheduled. However, monitoring activities did not include follow-up to verify that mitigating control measures committed to by the responsible manager had been implemented.

In conclusion, improvements are required for system access and segregation of duties.

Recommendation 3

It is recommended that the Chief Financial Officer enhance the enforcement and monitoring of segregation of duties.

Management response

Management agrees with recommendation.

The Financial Systems Team is working with the Internal Control Division to perform a review of the current procedure and system controls. A revised procedure document will be developed to strengthen the controls on the segregation of duties.

2.7 Journal entry review

Audit criterion: Journal entries are reviewed by a second person and accompanied by appropriate supporting documentation.

Journal vouchers (JV) are used to make adjustments in SAP, to ensure that financial information is accurate and properly coded to accurately reflect HC's activities. The Standard on Journal Vouchers (Standard) was developed to formalize the process and the responsibilities for creating, approving, reviewing and entering JVs into SAP. It identifies the supporting documentation and approval requirements for routine and non-routine JVs.

The audit examined a sample of 25 JVs to verify compliance with the Standard. The audit found that in 13 cases where documentation, or review and approval of journal vouchers did not meet the requirements of the Standard.

In conclusion, improvements are required to ensure that JVs are reviewed and approved by the appropriate delegated authority, and that forms and supporting documentation are completed in accordance with the Standard on Journal Vouchers.

Recommendation 4

It is recommended that the Chief Financial Officer ensure that journal voucher entries are managed in compliance with the Standard on Journal Vouchers.

Management response

Management agrees with recommendation.

The majority of the 13 journal vouchers that did not meet the requirements of the Standard on Journal Vouchers were related to automated system entries generated by SAP. The Financial Policy Team will review and update the Standard on Journal Vouchers to clarify that it does not apply to these transactions. The East and West Accounting Hubs have provided training to the staff who process journal vouchers, to ensure compliance with the current standard for manual journal vouchers.

3. Select key financial controls specific to classes of transactions

3.1 Grants and contributions payments

Audit criterion: Reconciliation of payment requests from GCIMS to SAP is performed. Contribution agreements are reviewed and closed out, to ensure that receivables arising from overpayment are recorded.

As of the start of fiscal year 2015-16, all of HC's grants and contribution (G&C) agreements are being managed in the Grants and Contributions Information Management System (GCIMS). This new system replaced the two legacy systems that were in place. It provides support to all aspects of the G&C lifecycle, from recipient application to file close-out. Specifically, GCIMS supports the management of G&C payments and amounts to be recovered (Debt Management Module) and contains an integrated document management component.

Reconciliation of payment transactions between GCIMS and SAP

In fiscal year 2015-16, grants and contributions programs were managed by the Strategic Policy Branch (SPB) ($271 million) and the First Nations and Inuit Health Branch (FNIHB) ($1,521 million).

The reconciliation of GCIMS to SAP contributes to providing assurance that grants and contribution agreement expenditures recorded in the departmental financial system and GCIMS are complete and accurate.

The audit found that reconciliations of GCIMS to SAP expenditures were conducted by CFOB's Transfer Payment Management Services (TPMS), and items that did not reconcile were adequately explained to ensure that SAP balances used for financial reporting were correct. However, it was noted that items recorded in SAP but not recorded in GCIMS were not adjusted in GCIMS. TPMS is currently developing a new GCIMS process that will eliminate the variance between the two systems by allowing the creation of records in both GCIMS and SAP.

Review and close-out of contribution agreements

The review and close-out of contribution agreements are necessary to ensure that all the terms and conditions have been met, that final payments are issued and that receivables arising from overpayments are recorded in the departmental financial system and collected. The timely close-out and communication of results to Finance are necessary to ensure the completeness and accuracy of HC's financial information, specifically accounts receivable.

The audit found that the review and close-out of contribution agreements, including the release of final payments and the recovery of amounts arising from overpayments, were operating effectively.

In conclusion, reconciliation of payment requests from GCIMS to SAP and the review and close-out of contribution agreements are performed.

3.2 Salary and wage expenses

Audit criterion: A trusted source reviews pay transactions to ensure proper authorization.

According to the TBS Directive on Financial Management of Pay Administration, the chief financial officer is responsible for the effectiveness of the financial controls related to pay administration, payroll accounting and payment requisitions. The head of human resources is responsible for the compensation policies and function. However, as a result of the Transformation of Pay Administration Initiative, roles and responsibilities and business processes related to pay administration have changed significantly. These changes include the transfer of pay administration responsibilities, previously under the responsibility of the Corporate Services Branch's (CSB) Human Resource Services Directorate (HRSD), to a government-wide service provider (SP), as well as the replacement of the Regional Pay System (RPS) with the new Phoenix payroll system.

The SP developed a Pay Centre Control Framework (Framework) designed to ensure the accuracy, completeness, integrity and timeliness of pay services. Under the Framework, HC is responsible for ensuring adherence to FAA Section 32; the completeness and accuracy of the information included in staffing requests; adherence to FAA Section 34; and an adequate audit trail to demonstrate compliance. Departmental responsibilities are summarized in Appendix F, Table 1.

To meet these responsibilities, the Framework requires that departments create trusted source (TS) roles, which are responsible for ensuring that information sent to the SP is accurate, complete and properly authorized under FAA Sections 32 and 34.

HC has therefore created distinct staffing and compensation TS functions. The staffing trusted source is part of HRSD's Client Service Division, while the compensation trusted source is part of HRSD's National Centralized HR Services Division. The responsibilities of the trusted source are summarized in Appendix F, Table 2.

Staffing trusted source

The staffing trusted source reviews staffing documents such as staffing action requests, letters of offer and acting assignments, to ensure that FAA Section 34 is adhered to prior to sending the documents to the SP. Staffing records sent to the SP are generally kept for a period of five years, as per the Library and Archives Canada Guidelines on Managing Government of Canada Information Resources.

The audit found that process controls pertaining to staffing trusted source activities were effective.

Compensation trusted source

The compensation trusted source reviews documents authorizing pay events, such as various types of leave, end of term and performance pay, to ensure that FAA Section 34 is adhered to prior to sending the documents to the SP.

The audit found that documents reviewed by the compensation TS are retained for a period no longer than six months after they are submitted to the SP, which is not sufficient to ensure that an audit trail is maintained. As well, it does not meet Library and Archives Canada Guidelines on Managing Government of Canada Information Resources, which is two years for compensation documents not related to departures.

The audit also found that time and labour transactions can be entered in the Phoenix pay system in two ways: 1) by the employee, or 2) with the assistance of a timekeeper.

Where employees enter time and labour transactions themselves, employees with access to the Phoenix self-serve option can enter extra duty data and select a cost centre manager to electronically approve the extra duty transaction. However, there are no controls within Phoenix to restrict approval of extra duty pay to manager(s) with delegated authority for specific cost centres. This increases the risk that extra duty transactions are not approved by a person with the proper delegated financial signing authority. HC relies on the review of salary expenditures as part of the MVR process to mitigate this risk, an approach suggested by the Office of the Comptroller General.

A timekeeper performs data entry of time and labour transactions for employees whose hours vary from one pay period to the next or who work in remote areas without system access. The audit found that there is currently no process in place to validate the accuracy of the data input--a key HC responsibility under the Pay Centre Control Framework (see Appendix F, Table 1). There is increased risk that data entry errors leading to incorrect pay amounts could go undetected. Management has indicated that a quality assurance plan is currently being developed by CFOB's Financial Operations Directorate, in collaboration with CSB's HRSD and the SP.

Recommendation 5

It is recommended that the Chief Financial Officer implement a quality assurance process to validate the accuracy of the data input by timekeepers.

Management response

Management agrees with recommendation.

CFOB is currently developing a sampling methodology to validate the accuracy of the data input by timekeepers. The development of the methodology is in consultation with the Financial Systems Team, the Internal Control Division, the Human Resources Services Directorate and Public Services and Procurement Canada (PSPC) resources within the Phoenix project. Note that the Phoenix system is currently not stable and time and labour reports that identify transactions entered by timekeepers only recently became available to departments; to date, HC has encountered significant difficulty running these reports successfully.

Recommendation 6

It is recommended that the Assistant Deputy Minister, Corporate Services Branch, develop and implement guidelines for record keeping (conservation of documents) used to demonstrate adherence to FAA Section 34.

Management response

Management agrees with recommendation.

HRSD's National Centralized HR Services Division will develop and implement guidelines for record keeping and will communicate them to all compensation trusted sources.

Continuous monitoring of key controls for pay transactions

Given the changes in the pay process, the Internal Control Division, Financial Operations Directorate, as part of the Shared Services Partnership, has developed and performed testing procedures to monitor the effectiveness for staffing trusted source controls. Management has indicated that effectiveness testing procedures for the compensation trusted source will be developed and performed in 2016-17.

FAA Section 33 quality assurance process over adherence to FAA Section 34 for pay transactions

The TBS Directive on Account Verification states that: "Financial officers [i.e., CFOB] are responsible for […] ensuring that payments and interdepartmental settlements are verified […] when exercising payment authority for payments pursuant to Section 33 of the Financial Administration Act" (Section 6.3.1.1). The Directive further states that: "although account verification is normally performed prior to payment or interdepartmental settlement, completing account verification after the payment […] has been made is permitted in certain situations" (Section 6.3.4), which is the case for payroll transactions.

Under the Framework, the Post Payroll Quality Assurance (QA) process is conducted by the SP on behalf of departments and agencies. The SP is expected to perform quarterly QA reviews of pay transactions and report its findings through a QA report. The audit found that the SP conducted a QA review for the first quarter of fiscal year 2015-16. HC did not receive a QA report for the remainder of the year.

Since the transfer of pay files to the SP and the implementation of Phoenix, departments and agencies, including HC, have experienced a significant number of payroll errors impacting employees. Payroll errors can be reported by employees or program management to CSB-HRSD's National Centralized HR Services Division (NCHRSD), which in turn escalates issues to the SP. The NCHRSD logs and monitors reported issues escalated to the SP, but the financial impact of these issues on HC's financial records is not identified.

As noted in section 2.4, HC relies on the MVR review of salary expenditures as a compensating control to mitigate the risk that incomplete or inaccurate salary expenditures are posted to its financial records. This practice is in line with suggestions from the Office of the Comptroller General that departments apply temporary controls during the Phoenix implementation. Any variances at year-end between the amounts posted to the financial system and the forecasted salary expenditures could assist in identifying payroll errors and in preparing financial entries required to ensure that salary expenditures are reported accurately. In light of the current difficulties experienced with the Phoenix payroll system, HC would benefit from reminding managers and financial advisors of the importance of conducting a thorough salary review during the MVR process, in order to mitigate the risk that salary expenditures are misstated. The Financial Operations Directorate and the Resource Management Directorate have drafted a message to be issued to managers. This reminder will be re-issued periodically over the remaining of the fiscal year

In conclusion, management has made efforts to mitigate risks to the accuracy, completeness, integrity and timeliness of pay transactions. Continued efforts are required to ensure that transactions entered by timekeepers are reviewed for adherence to FAA Section 34, and that an adequate audit trail is maintained to demonstrate adherence to FAA Section 34.

3.3 Non-insured health benefits

Audit criterion: Non-insured health benefit claims are reconciled with Health Information Claim Processing System funding requests. The external auditor's report on the adequacy of the service provider's controls is obtained and reviewed by management. Recoveries for non-insured health benefit claims are reviewed for accuracy and completeness.

The Non-Insured Health Benefits (NIHB) Program provides eligible First Nations and Inuit populations in Canada with coverage for a limited range of medically necessary health-related goods and services that are not provided through private insurance plans, provincial and territorial health or social programs or other publicly funded programs. This includes pharmacy, dental, vision, mental health, medical supplies and equipment and medical transportation. In fiscal year 2015-16, expenditures for non-insured health benefits were $1,101 million.

Reconciliation of NIHB claims processed in the Health Information Claims Processing System with funding requests

Dental, pharmacy and medical supplies and equipment claims, which account for a significant part of all non-insured health benefit expenditures, are mostly processed and paid by an external service provider through the Health Information Claim Processing System (HICPS). The service provider summarizes the claims processed and submits a claim for reimbursement. These claims are analyzed and reconciled with information found in HICPS and approved for payment (FAA Section 34). Claims are then forwarded to CFOB for FAA Section 33 certification and the payment is processed accordingly. These analyses and reconciliations are key controls aimed at ensuring that non-insured health benefit expenses are accurately recorded and processed, in compliance with FAA requirements. These and other procedures and controls are documented for reference in the NIHB HICPS financial control framework. The audit concluded that the procedures and controls regarding non-insured health benefit expenditures processed through HICPS are operating effectively.

Review of the external audit report over HICPS claim processing

HC obtains an annual audit report from the external service provider. This provides assurance that the service provider's controls are appropriately designed and operating effectively in a manner that ensures the validity, completeness and accuracy of the claims processed. As in previous years, an unqualified opinion was issued by the external auditors for fiscal year 2015-16.

Recoveries for non-insured health benefit claims are reviewed for accuracy and completeness

As part of the Tripartite agreement between the federal government, the British Columbia (BC) government and the BC First Nations Health Council, responsibility for the design and delivery of First Nations health services in BC (including pharmaceutical, medical supplies and equipment and dental benefits) was transferred to the First Nations Health Authority (FNHA). To support a smooth transition to the FNHA in British Columbia, it was agreed that HC would continue to administer and deliver pharmaceutical, medical supplies and equipment and dental benefits to First Nations communities in British Columbia. The costs associated with providing these benefits are reimbursed by the FNHA.

The Payment Requisition and Reconciliation Committee (PRRC) provides oversight of the recovery for non-insured health benefits from the FNHA. On a bi-monthly basis, the PRRC reviews non-insured health benefit claims and determines the amount to be recovered from the FNHA. The audit concluded that recoveries for non-insured health benefits claims are reviewed for accuracy and completeness.

In conclusion, non-insured health benefits claims are reconciled with HICPS funding requests, an external auditor's report on the adequacy of the service provider's controls is obtained and reviewed by management, and recoveries for non-insured health benefit claims are reviewed for accuracy and completeness.

3.4 Purchase of goods and services

Audit criterion: Purchase orders are reviewed for accuracy, completeness and validity.

Review of contracts over $10,000

Proposals for the procurement of goods and services are reviewed or prepared by procurement specialists. This helps to ensure that contractual documents are in accordance with Government Contracts Regulations, relevant policies and HC's delegation of financial signing authorities, and that an appropriate procurement vehicle is used. This review also provides assurance over the validity and accuracy of the purchase of goods and services over $10,000.

In fiscal year 2015-16, the Office of the Procurement Ombudsman (OPO) conducted a Procurement Practice Review within select government departments and agencies that included HC. The report noted that improvements were required to ensure that standing offer (SO) and supply arrangement (SA) contracting procedures are followed and documented, that SOs and SAs are being used as intended, that they are monitored and that the benefits of using these tools are being fully realized. In response, management has implemented measures to address the recommendations in the OPO report. This included new checklists to assist in the review conducted by procurement officers.

An analysis performed to verify that transactions were gated appropriately under the quality assurance section of this report (section 2.2) revealed that some non-public servant travel transactions were gated incorrectly. To assess this further, a sample of 22 purchase orders was examined to determine whether the appropriate financial coding was used for travel commitments. The audit found that in all of the cases, travel commitments were coded to a non-travel related general ledger account on the purchase orders. This can impact the reliability of reporting. In addition, as noted in section 2.2, it also causes the subsequent accounts payable transaction to be classified as low-risk rather than high-risk, thereby affecting the level of quality assurance review performed prior to payment. The new checklist developed in response to the recommendations by the OPO includes a step to verify the reasonableness of the general ledger coding, since most contracts are routed to procurement officers for review or preparation. However, Task Authorization Documents prepared by cost centre managers are not subject to review by procurement officers.

In conclusion, purchase orders are reviewed for accuracy, completeness and validity. However, improvements are required for the review of Task Authorization Documents, particularly those pertaining to travel.

Recommendation 7

It is recommended that the Chief Financial Officer ensure the proper coding of travel requirements on Task Authorization Documents.

Management response

Management agrees with recommendation.

The accounting hubs will ensure that invoices with coding inconsistencies are returned to the cost centre managers (CCM) for correction. A Broadcast News message will be issued to remind CCMs that for Task Authorizations, the travel portion must be split out and coded accordingly.

3.5 Acquisition card purchases

Audit criterion: Monitoring of monthly acquisition card reconciliations and quality assurance reviews of acquisition card transactions are performed.

Acquisition card purchases are paid prior to the reconciliation of purchases by the cardholder and the FAA Section 34 certification, as permitted under the TBS Directive on Account Verification. To provide assurance over the accuracy and completeness of acquisition card purchases, cardholders are responsible for completing transaction reconciliations to their statement of accounts. CFOB monitors these reconciliations to ensure that they are adequately completed. The audit found that monitoring of reconciliations was performed.

Quality assurance over acquisition cards

In addition to the monitoring of monthly reconciliations, financial officers conduct quality assurance reviews of acquisition card transactions. All transactions are subject to minimum quality assurance procedures, to ensure that all items included on the monthly card statement are reconciled in SAP and that FAA Section 34 is appropriately documented. High-risk transactions undergo a full quality assurance review, while low-risk transactions are subject to a full quality assurance on a sample basis. As noted in section 2.2, a sample of low-risk transactions is included as part of the statistical sampling exercise through the use of SAP, as is the case for accounts payable transactions. Through this review, selected transactions are examined for appropriate supporting documentation and sign-off. Errors identified through this review are recorded and action plans are developed to address issues noted.

The audit tested a sample of monthly statements, including transactions that underwent a full quality assurance, and found that it was generally performed adequately and appropriately.

In conclusion, controls over acquisition cards were generally operating effectively.

3.6 Revenues

Audit criterion: Reconciliation of billing information and invoices from SAP is performed.

The audit examined two streams of revenue that are significant for financial statement purposes: drug submission and evaluation revenues and Employee Assistance Program revenues.

Drug submission and evaluation

Manufacturers are required to submit fees for the review and approval of drug submissions.

The audit obtained evidence that invoices are supported by sufficient documentation and appropriately calculated using the correct rates, based on the application and date of application.

Reconciliation between the Drug Submission Tracking System to SAP

Drug submission and evaluation fees are tracked in the Drug Submission Tracking System (DSTS), which is operated by the Health Products and Food Branch (HPFB) and is outside of SAP. As there is currently no interface between DSTS and SAP, DSTS data has to be input manually in the financial system. The absence of an interface also requires the regular reconciliation of the amounts recorded in the two systems to ensure accuracy and completeness.

On a monthly basis, CFOB reconciles invoiced amounts in the invoicing system (DSTS) against SAP, to ensure the completeness and accuracy of the revenues recorded in SAP. The audit found that the reconciliations were performed.

In conclusion, controls over drug submission revenues are operating effectively.

Employee Assistance Program

The Employee Assistance Program (EAP), provided to all government employees by the Employee Assistance Services (EAS), assists employees with personal and work-related problems that can affect their physical and emotional well-being as well as work performance. In fiscal year 2015-16, the EAS operated within the Regions and Programs Bureau; however, the program was transferred to CSB in April 2016.

Rates for the services are established under various Memorandums of Understanding or a multi-year Interdepartmental Letter of Agreement. Invoices are typically sent on a quarterly basis and charges are per-head or based on an hourly rate, depending on the terms of the agreement.

The audit found that invoices are supported by sufficient documentation; invoicing rates used were in accordance with established agreements or sales sheets and were authorized by the appropriate individual.

The final reconciliation of the EAS revenues between SAP and the spreadsheets used to track EAS revenues was completed in July 2016.

In conclusion, controls over EAP revenues are operating effectively; however, HC would benefit from ensuring that reconciliations of EAS invoicing to SAP are performed on a timely basis.

3.7 Accounts receivable

Audit criterion: Suspense and clearing accounts are monitored and cleared.

HC's Policy on Receivables Management and Charging Interest on Overdue Accounts requires that all receivables be recorded promptly in SAP when an amount can be reasonably estimated against a specific debtor. Failure to do so can result in receivables not being collected and inaccurate financial reporting. One of the most significant sources of accounts receivable comes from the recovery of overpayments from contribution agreements.

Contribution agreements debt management

The implementation of GCIMS includes a debt management module that allows the creation and management of accounts receivable records arising from the recovery of contribution payments. The debt management module was implemented late in 2015-16. Currently, Accounts Receivable Request Forms are prepared and approved by programs and created in GCIMS by the accounting hubs. The responsibility for recording the accounts receivable will be transitioned to regional users in fiscal year 2016-17. As such, GCIMS Operating Guidelines, including financial controls over the creation and management of accounts receivable records, are currently under development. For financial reporting purposes, an estimate of the receivable amounts resulting from contribution agreements was recorded at year-end.

Monitoring and reconciliation of suspense and clearing accounts

CFOB performs the monitoring and reconciliation of various suspense and clearing accounts, including deposits, petty cash and interdepartmental settlements.

These reconciliations are generally performed on a monthly basis, but the frequency of the reconciliation may differ, depending on the nature of the account or the volume of activity. Discrepancies and variances identified through the reconciliation process are raised with cost centres. Regular monitoring and clearing of suspense accounts help to ensure the accuracy of financial information. The audit found that reconciliations were performed on a regular basis and that account balances were verified.

In conclusion, suspense and clearing accounts were monitored and cleared.

3.8 Capital assets

Audit criterion: An annual capital assets review is conducted to ensure a proper accounting of capital assets.

HC's Asset Management Policy Framework defines capital assets as assets with a useful life greater than one year and a per-item cost of $10,000 or greater. HC holds a variety of capital assets, including buildings, machinery, equipment and vehicles. Regular reviews of the capital asset inventory are needed to ensure the accuracy of the information found in the financial statements.

Physical count of capital assets

CFOB conducts an annual review of its capital asset inventory aimed at ensuring that HC's capital assets are well-managed and properly accounted for. Once the review has been completed, the necessary changes and adjustments are made to the departmental financial system. The audit found that the physical count had been performed.

In conclusion, an annual capital assets review is conducted to ensure proper accounting of capital assets.

C - Conclusion

The audit concluded that select key financial controls in support of the departmental financial statements are generally operating effectively. Areas requiring improvements include the management of expenditure initiation authorities for patient travel; journal vouchers; PAYEs; segregation of duties; pay transactions, including quality assurance review and documents retention; and coding of travel requirements on purchase orders.

The improvements noted will collectively strengthen the effectiveness of HC's internal controls over financial reporting.

Appendix A - Lines of enquiry and criteria

Audit of Key Financial Controls at Health Canada, 2015-16
Criteria title	Audit criteria
Line of enquiry 1: Progress made on the previous year's recommendations
N/A	N/A
Line of enquiry 2: Select key financial controls common to all classes of transactions
2.1 Delegation of financial signing authorities	Controls over the maintenance of specimen signature cards ensure that delegations of financial signing authorities are valid.
2.2 Quality assurance process over FAA Section 34 certification	The quality assurance performed over Financial Administration Act Section 34 certification is effective.
2.3 FAA Section 33 certification	Certification of non-salary expenditures under FAA Section 33 is performed and an appropriate segregation of duties exists with FAA Section 34 certification.
2.4 Management review of expenditures and commitments	Cost centre managers review commitments and expenditures recorded in SAP for completeness, validity and accuracy.
2.5 Accrued liabilities at year-end	Review and challenge of payables at year-end are performed to ensure completeness, validity and accuracy.
2.6 System access and segregation of duties	Access to SAP is restricted and the segregation of duties is enforced.
2.7 Journal entry review	Journal entries are reviewed by a second person and accompanied by appropriate supporting documentation.
Line of enquiry 3: Select key financial controls specific to classes of transactions
3.1 Grants and contributions payments	Reconciliation of payment requests from GCIMS to SAP is performed. Contribution agreements are reviewed and closed out, to ensure that receivables arising from overpayment are recorded.
3.2 Salary and wage expenses	A trusted source reviews pay transactions to ensure proper authorization.
3.3 Non-insured health benefits	Non-insured health benefit claims are reconciled with Health Information Claim Processing System (HICPS) funding requests. The external auditor's report on the adequacy of the service provider's controls is obtained and reviewed by management. Recoveries for non-insured health benefit claims are reviewed for accuracy and completeness.
3.4 Purchase of goods and services	Purchase orders are reviewed for accuracy, completeness and validity.
3.5 Acquisition card purchases	Monitoring of monthly acquisition card reconciliations and quality assurance reviews of acquisition cards transactions are performed.
3.6 Revenues	Reconciliation of billing information and invoices from tracking systems to SAP is performed.
3.7 Accounts receivable	Suspense and clearing accounts are monitored and cleared.
3.8 Capital assets	An annual capital assets review is conducted to ensure proper accounting of capital assets.

Appendix B - Scorecard

Table 1 - Audit of Key Financial Controls at Health Canada, 2015-16
Line of Enquiry	2014 Recs	2015 Recs	2016 Recs	Rating
Line of enquiry 1: Previous year's recommendations
Progress made on the previous year's recommendations				Satisfactory
Line of enquiry 2: Select key common controls
1. Delegation of financial signing authorities		1	1	Needs minor improvement
2. Quality assurance over the FAA Section 34 certification	`	2		Needs minor improvement
3. FAA Section 33 certification				Satisfactory
4. Management review of expenditures and commitments				Satisfactory
5. Accrued liabilities at year-end			2	Needs minor improvement
6. System access and segregation of duties	1		3	Needs moderate improvement
7. Journal entry review		3	4	Needs moderate improvement

Table 2 - Audit of Key Financial Controls at Health Canada, 2015-16
Line of enquiry 3: Select key specific controls	2014 Recs	2015 Recs	2016 Recs	Statement of Operations						Balance Sheet
Line of enquiry 3: Select key specific controls	2014 Recs	2015 Recs	2016 Recs	Contribution Agreements	Salaries and Wages	Non--Insured Health Benefits (NIHB)	Purchase of Goods and Services	Acquisition Card Purchases	Revenues	Accounts Receivable	Capital Assets
1a. Reconciliation of commitments and payment transactions between GCIMS and SAP		4		satisfactory
1b. Review and close-out of contribution agreements				satisfactory
2. Review of adherence to FAA S.34 and quality assurance on pay transactions.			5, 6		needs moderate improvement
3a. Review of independent auditor's report over NIHB claims processing	2					Satisfactory
3b. Reconciliation of NIHB claims processed in HICPS with payments in SAP						Satisfactory
3c. Review of recoveries for NIHB Specified Health Benefit (SPB) claims						Satisfactory
4. Review of contracts			7				Needs minor improvement
5. Reconciliations of acquisition card statements of account								Satisfactory
6. Reconciliation of billing information from the Drug Submission Tracking System (DSTS) and the Employee Assistance Services revenues with SAP									Satisfactory
7. Monitoring and reconciliation of suspense and clearing accounts		5								Satisfactory
8. Capital asset review											Satisfactory

Appendix C -Health Canada's internal control over financial reporting framework

Framework Elements and Processes to Assure the Reliability of Financial Statements

Processes relating to Organiza-tional obligations, risk manage-ment and monitoring

Control Environment

Entry Level Controls
Information Technology General Controls

Financial Risk Assessment And Financial Risk Management

Financial Reporting Objectives
Financial Reporting Risks

Monitoring

Ongoing and Separate Monitoring and Assessment
Reporting and Deficiencies

Control Activities

For each business process below:

Integration with assessment of risks over financial reporting
Supporting policies and procedures assessment
Management of information (for example, IT Applications Controls and Database and Records Management Controls)

Management of Parliamentary Appropriat-ions

Budgeting/
Forecasting
Funding Resource Allocation

Revenue/Receivables/Receipts

Revenues
Accounts Receivable
Cash Receipts

Purchasing/Payables/Payments

Transfer Payment
Contracting/Proc-urement
Travel
First Nations and Inuit Health Benefits

Payroll

Employee Data Management
Payroll Processing

Capital Assets

Asset Lifecycle Management

Financial Statement, Year-End and Reporting

General Ledger Maintenance
Year-end Processes
Financial Statements Preparation
Accruals and Management Estimates

Information and Communic-ation

Financial Reporting Information
Internal Control Information
Internal Communications
External Communications

Appendix D - Audit coverage of the key financial controls identified in the Internal Control over Financial Reporting Framework

Table 1: Controls tested as part of the Audit of Key Financial Controls 2015-2016
Significant Business Processes	Amount ($ millions)per 2014-15 Financial Statements	Key Financial Controls (KFC) Identified in the Internal Control over the Financial Reporting Framework (ICFR)
Significant Business Processes	Amount ($ millions)per 2014-15 Financial Statements	Access	Segregation of Duties	Automated Controls (system prompts and lookups)	Reconciliation	Supervisor Review	S. 32	S.41	S. 34	Quality Assurance over S. 34 Certification	S. 33	Monitoring	MVR	Assurance	Safeguard of Assets	Supporting Documentation	Authorization	Process Specific Procedures	Total
Transfer Payments	$1,705
G&C - Other			1^a		1^a	2^a	2^b		2^b	1^a	1^a		1^a						11
G&C-FNIHB			1^a		1^a	2^a	2^b		2^b	1^a	1^a		1^a						11
Payroll	$968	3^a	2^a		2^a	3^b	1^b		1^a	4^a	2^a								18
Non-Insured Medical Travel (NIMT)	$199		1^a	1^b		1^b	1^b		2^b	1^a	1^a		1^a					1	10
Other Expenditures	$1,121
Express Script Inc. (ESI)			1^a				1^b		2^b		1^a		1^a	1^a					7
Procure to Pay (P2P)		4^a	2^a	3^a			1^b	1^a	2^b	4^a	1^a								18
Indian Residential School (IRS)			1^a			4^b	1^b		2^b	1^a	1^a		1^a						11
Vision			1^a	1		3^b	1^b		2^b	1^a	1^a		1^a						11
Capital Assets		4^a	1^a	1		2						1^a				2^a	1		12
Travel		1^a	1^a	1			2^b		1^b	1^a	1^a								8
Acquisition Cards												1*^a
Revenue	-$285	9^a	3^a		3^a	4^a						2^a	1^a		1			1	24
Financial Close		7^a	1^a			10^a						1^a	5^a					1	25
Total KFC in the ICFR	$3,708	28	16	7	7	31	12	1	16	14	10	4	12	1	1	2	1	3	166
Audit Coverage of the Key Financial Controls (KFC) Identified in the Internal Control over Financial Reporting Framework (ICFR)
Direct Assurance (Note 1)^a		28^a	16^a	3^a	7^a	18^a	-	1^a	1^a	14^a	10^a	4^a	12^a	1^a	-	2^a	-	-	117^a
Indirect Assurance (Note 2)^b		-	-	1^b	-	11^b	12^b	-	15^b		-	-	-	-	-	-	-		39^b
Total Audit Coverage of the KFC		28	16	4	7	29	12	1	16	14	10	4	12	1	-	2	-	-	156
^a Note 1 (Direct assurance): These key controls detect errors or control failures in a timely manner, and/or prevent other control failures before they have an opportunity to become material. Therefore, the effectiveness of these key controls is determined through audit tests conducted on these controls. ^b Note 2 (Indirect assurance): The effectiveness of these controls is obtained through audit tests conducted on the key controls noted (either on its own or in combination with other key controls tested). For example, the Quality Assurance over S.34 Account Verification is designed to identify and detect errors or control failures in FAA S.32 and FAA S.34 Certification. As such, an effective QA control provides assurance that a failure in S.32 or S.34 would not result in a material error. * denotes control tested as part of this audit, but not included in the CFOB monitoring strategy.

Appendix E - Follow-up on previous year's recommendations

The audit has examined the implementation of the previous year's recommendations and found that management has fully implemented the committed actions for recommendations made in the previous year's report.

Recommendations from Previous Years

Recommendation 1

Develop and implement controls so that unnecessary specimen signature cards are cancelled on a timely basis.

Accountability: Chief Financial Officer Branch (CFOB)

Table - Recommendation 1
Actions	Initial Due Date	Status^{Footnote *}
1.1 A message will be sent to all SSC editors to ensure compliance with the current procedures.	September 30, 2015	5
1.2 A review of SSC will be conducted to remove any duplicate SSCs. This process will also be included in the SSC annual review exercise.	November 30, 2015	5
Footnote 1 Audit assessment of the implementation status 1 - No progress or insignificant progress 2 - Planning stage 3 - Preparations for implementation 4 - Substantial implementation 5 - Full implementation Return to footnote * referrer

Recommendation 2

Develop and implement controls to reduce errors for acquisition card transactions to an acceptable level.

Accountability: Chief Financial Officer Branch (CFOB)

Table - Recommendation 2
Actions	Initial Due Date	Status^{Footnote *}
2.1 A quarterly message will be sent to all cardholders regarding errors identified during the quality assurance exercise along with the procedures and instructions to avoid these errors.	September 30, 2015	5
2.2 Acquisition card training material will be updated.	March 31, 2016	5
2.3 An enforcement strategy will be implemented to ensure compliance.	March 31, 2016	5
Footnote 1 Audit assessment of the implementation status 1 - No progress or insignificant progress 2 - Planning stage 3 - Preparations for implementation 4 - Substantial implementation 5 - Full implementation Return to footnote * referrer

Recommendation 3

Develop and implement controls to manage Journal vouchers, in accordance with the departmental Standard on Journal vouchers

Accountability: Chief Financial Officer Branch (CFOB)

Table - Recommendation 3
Actions	Initial Due Date	Status^{Footnote *}
3.1 Training sessions will be provided to CFOB staff who process journal vouchers.	December 31, 2015	5
3.2 A journal voucher instruction will be distributed to provide detailed guidance on review and supporting documentation requirements.	December 31, 2015	5
Footnote 1 Audit assessment of the implementation status 1 - No progress or insignificant progress 2 - Planning stage 3 - Preparations for implementation 4 - Substantial implementation 5 - Full implementation Return to footnote * referrer

Recommendation 4

Reconciliation of the Grants and Contribution Information Management system (GCIMS) and the Departmental financial system.

Accountability: Chief Financial Officer Branch (CFOB)

Table - Recommendation 4
Actions	Initial Due Date	Status^{Footnote *}
4.1 Implementation of a reconciliation process between GCIMS and SAP	November 30, 2015	5
Footnote 1 Audit assessment of the implementation status 1 - No progress or insignificant progress 2 - Planning stage 3 - Preparations for implementation 4 - Substantial implementation 5 - Full implementation Return to footnote * referrer

Recommendation 5

Implement controls to ensure the timely recording and monitoring, in the Departmental financial system, of receivables arising from recoveries of contribution amounts.

Accountability: Chief Financial Officer Branch (CFOB) and First Nations and Inuit Health Branch (FNIHB) Assistant Deputy Minister (ADM)

Table - Recommendation 5
Actions	Initial Due Date	Status^{Footnote *}
5.1 Implementation of the Debt Management module in GCIMS	March 31, 2016	5
Footnote 1 Audit assessment of the implementation status 1 - No progress or insignificant progress 2 - Planning stage 3 - Preparations for implementation 4 - Substantial implementation 5 - Full implementation Return to footnote * referrer

Appendix F - Health Canada responsibilities around key financial controls over payroll and trusted source responsibilities

The tables below presents the control responsibilities of government departments and agencies related to pay administration, as defined in the Pay Centre Control Framework, as well as the transactions reviewed by the staffing trusted source and the compensation trusted source

Table 1: Departmental responsibilities for ensuring compliance and overall alignment to government-wide standardized common business processes

Pre-payroll

Ensuring that the information on staffing requests documentation submitted to the Pay Centre is complete, accurate and that FAA Section 32 is adhered to.
Ensuring that FAA Section 34 is adhered to and that an adequate audit trail exists to demonstrate compliance.
Processes and controls around the accurate and timely input of employee data.
Sending a file to the service provider (SP) that identifies individuals who have Section 34 delegated authority and require access to review and certify time entries.
Trusted source is responsible for authenticating the signature of departmental individuals against delegation of authorities prior to sending pay information to the SP.

Payroll

Ensuring that FAA Section 33 is adhered to

Post payroll

Processes and controls to ensure that posted pay transactions for payment are approved by an individual with the appropriate delegation of authority.

Table 2: Trusted source responsibilities for review of pay transactions

Staffing Trusted Source

New Hire/Re-hire
Transfer-In
Extension of Term/Casual
Promotion
Secondment Agreement
Deployment
Change in Tenure
Dual Employment
Dual Remuneration
Acting Pay
Demotion
Conversion
Reclassification
Lay-Off

Compensation Trusted Source

Return from LWOP/Disability
Extra Duty Pay (compensatory leave)
Leave without Pay for more than 5 days
Emergency Salary Advance
Voluntary Cash-Out of Vacation and Compensatory Leave
Retirement and Acceptance
Resignation and Acceptance
Medical Retirement
End of Term (+ 30 day notice) contract
End of Casual/Student contract
Lay-Off
Dismissal
Reimbursement of Membership Fees
Leave With Income Averaging
Pre-Retirement Transition Leave
Performance Pay
Isolated Post and Government
Vacation Travel Allowance
Leave with Pay (for employees who do not have access to PeopleSoft)

Source: Guidelines and Procedures for Interacting with the Public Service Pay Centre and a Trusted Source

Appendix G - List of acronyms

ADM: Assistant Deputy Minister
BC: British Columbia Government
SFO: Senior Financial Officer
CCM: Cost Centre Manager
CFO: Chief Financial Officer
CFOB: Chief Financial Officer Branch
CSB: Corporate Services Branch
DSTS: Drug Submission Tracking System
EAP: Employee Assistance Program
EAS: Employee Assistance Services
FAA: Financial Administration Act
FNHA: First Nations Health Authority
FNIHB: First Nations and Inuit Health Branch
FOD: Financial Operations Directorate
G&C: Grants and contributions
GCIMS: Grants and Contributions Information Management System
HC: Health Canada
HICPS: Health Information and Claims Processing Services
HRSD: Human Resource Services Directorate
ICD: Internal Control Division
ICFR: Internal Control over Financial Reporting
IS: Interdepartmental Settlement
JV: Journal Vouchers
MOU: Memorandum of Understanding
MTO: Medical Transportation Officer
MVR: Management Variance Report
NIHB: Non-Insured Health Benefits
OAE: Office of Audit and Evaluation
OCG: Office of the Comptroller General
OPO: Office of the Procurement Ombudsman
PAYE: Payables at year-end
PSPC: Public Services and Procurement Canada
QA: Quality Assurance
SA: Supply arrangement
SO: Standing offer
SP: Service provider
SPB: Strategic Policy Branch
SSC: Specimen signature card
SSP: Shared Services Partnership
TB: Treasury Board
TBS: Treasury Board Secretariat
TS: Trusted source

Footnotes

Footnote 1

Financial Administration Act, section 16.4(1) (a)

Return to footnote 1 referrer

Footnote 2

Total number of specimen signature cards for HC, excluding specimen signature cards related to acting positions.

Return to footnote 2 referrer

Page details

Date modified:: 2017-03-27

Audit of Key Financial Controls at Health Canada, 2015-16 Final Report

Table of Contents

Executive summary

Why are key financial controls important?

What was found?

A - Introduction

1. Background

Rationale for the audit

2. Audit objectives

3. Audit scope

4. Audit approach

5. Statement of conformance

B - Findings, recommendations and management responses

1. Follow-up on previous year's recommendations

Cancellation of unnecessary specimen signature cards (recommendation 1)

Reduction of accounting errors in acquisition card transactions (recommendation 2)

Compliance to the Departmental Standard on Journal Vouchers (recommendation 3)

Reconciliation of the Grants and Contributions Information Management System to the departmental financial system (recommendation 4)

Timely recording and monitoring of receivables arising from the recovery of contribution agreement payments (recommendation 5)

2. Select key financial controls common to all classes of transactions

2.1 Delegation of financial signing authorities

Activation of specimen signature cards

Termination of specimen signature cards

Medical transportation officer (MTO) specimen signature card

2.2 Quality assurance process over Financial Administration Act Section 34 certification

Gating of transactions for the quality assurance process

Identification of errors in account verification

Logging of results of the quality assurance review

Post-payment quality assurance of low-risk transactions

2.3 FAA Section 33 certification

2.4 Management review of expenditures and commitments

2.5 Accrued liabilities at year-end

2.6 System access and segregation of duties

2.7 Journal entry review

3. Select key financial controls specific to classes of transactions

3.1 Grants and contributions payments

Reconciliation of payment transactions between GCIMS and SAP

Review and close-out of contribution agreements

3.2 Salary and wage expenses

Staffing trusted source

Compensation trusted source

Continuous monitoring of key controls for pay transactions

FAA Section 33 quality assurance process over adherence to FAA Section 34 for pay transactions

3.3 Non-insured health benefits

Reconciliation of NIHB claims processed in the Health Information Claims Processing System with funding requests

Review of the external audit report over HICPS claim processing

Recoveries for non-insured health benefit claims are reviewed for accuracy and completeness

3.4 Purchase of goods and services

Review of contracts over $10,000

3.5 Acquisition card purchases

Quality assurance over acquisition cards

3.6 Revenues

Drug submission and evaluation

Reconciliation between the Drug Submission Tracking System to SAP

Employee Assistance Program

3.7 Accounts receivable

Contribution agreements debt management

Monitoring and reconciliation of suspense and clearing accounts

3.8 Capital assets

Physical count of capital assets

C - Conclusion

Appendix A - Lines of enquiry and criteria

Appendix B - Scorecard

Appendix C -Health Canada's internal control over financial reporting framework

Framework Elements and Processes to Assure the Reliability of Financial Statements

Processes relating to Organiza-tional obligations, risk manage-ment and monitoring

Control Environment

Financial Risk Assessment And Financial Risk Management

Monitoring

Control Activities

For each business process below:

Management of Parliamentary Appropriat-ions

Revenue/Receivables/Receipts

Purchasing/Payables/Payments

Payroll

Capital Assets

Financial Statement, Year-End and Reporting

Information and Communic-ation

Appendix D - Audit coverage of the key financial controls identified in the Internal Control over Financial Reporting Framework

Appendix E - Follow-up on previous year's recommendations