Audit of PCO’s Accounts Payable Function
[*] An asterisk appears where sensitive information has been removed in accordance with the Access to Information Act and Privacy Act.
January 16, 2017
On this page
- Acronyms used in this report
- Statement of Conformance
- 1.0 Introduction
- 2.0 Conclusion
- 3.0 Audit Findings and Recommendations
- 4.0 Management Response
- 5.0 Management Action Plan
Acronyms used in this report
- PCO - Privy Council Office
- FAA - Financial Administration Act
- TBS - Treasury Board Secretariat
- TB - Treasury Board
- SAP - Government of Canada’s Financial System – SAP (Systems, Applications and Products)
- FPAD - Finance, Planning and Administration Directorate
- PIC - Policy on Internal Control
- CCM - Cost Centre Manager
- DCFO - Deputy Chief Financial Officer
- ED - Executive Director
- PPV - Post Payment Verification
- FPSIC - Financial Policies, Systems and Internal Control
Statement of Conformance
In my professional opinion as the Privy Council Office’s (PCO’s) Chief Audit Executive, this audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of PCO’s quality assurance and improvement program.
Chief Audit Executive
Director, Audit and Evaluation
1.0 Introduction
Canadians expect the federal government to be well managed and to be accountable for the prudent stewardship of public funds, the safeguarding of public assets, and the effective, efficient and economical use of public resources. They also expect reliable and transparent reporting on how the government spends public funds to achieve results for Canadians.
The spending of public money requires that integrity, accountability, and transparency are maintained to a high standard. This requires establishing appropriate account verification processes that promote sound stewardship of financial resources. Account verification provides an independent means to ensure that the work has been performed, that the goods have been supplied or the services rendered, that relevant contract or agreement terms and conditions have been met, that the recording of payment information is accurate, and that all authorities have been exercised in compliance with the Financial Administration Act (FAA).
The FAA provides legislative requirements for the financial administration of the Government of Canada. Section 32 of the FAA provides the authority to commit funds against an appropriation before an expense is incurred. Section 34 provides the authority to certify that goods were received or services were rendered as contracted for. Section 33 provides the authority to release funds for payment after verifying that Section 34 has been properly exercised.
The Treasury Board Secretariat (TBS) Directive on Account Verification (the Directive) requires that accounts for payment and settlement are verified in a cost-effective and efficient manner. Further, account verification processes are to be designed and conducted in a way that will maintain probity while taking into consideration the varying degrees of risk associated with each payment. The Directive also requires that account verification practices be monitored to ensure that varying levels of controls exist over high, moderate, and low-risk payments and that these controls function as designed.
It is important to note that Treasury Board (TB) is currently undergoing a Financial Management Policy Suite Renewal which is expected to be rolled out in April 2017.
This Audit of PCO’s Accounts Payable Function was approved by the Clerk of the Privy Council as part of PCO’s 2015-16 to 2017-18 Risk-Based Audit Plan.
The overall objective of the Audit was to provide assurance on the adequacy of PCO’s control framework over the department’s accounts payable function and the degree to which the function is operating as intended.
The scope included the framework of financial and management oversight controls in place at PCO over the accounts payable function, including the alignment of departmental processes, procedures and practices with TB policies and directives, and with other applicable authorities.
All phases of delegated spending authorities, including expenditure initiation, commitment, and payment, were assessed as part of this Audit. The scope period was updated from the original Terms of Reference to include Accounts Payable records from fiscal year 2015-16 and the first two quarters of fiscal year 2016-17.
Salary expenditures and controls were excluded from the scope of this Audit. Also excluded were acquisition card transactions, as an audit in that area was recently completed.
As of May 9, 2016, the responsibility for the creation and maintenance of PCO’s external vendor accounts was transferred to the TBS, the owner of our SAP, the Government of Canada financial system. Therefore, the scope for the creation and maintenance of external vendor accounts was applied only to the first two quarters of 2016-17. The scope for the creation and maintenance of internal vendors included fiscal year 2015-16 and the first two quarters of 2016-17, as this process had not changed nor been transferred. In addition, SAP system controls were not in scope for this audit.
1.4 Audit Criteria
To achieve the audit objective, both the audit team and management agreed on the following five (5) audit criteria to establish the baseline expectations about PCO’s control framework over the Department’s accounts payable function:
- Roles, responsibilities, and accountabilities related to the accounts payable function are documented, understood and communicated department-wide;
- Post-payment quality assurance activities performed on low risk transactions are established to identify and remediate areas of non-compliance;
- Processes and procedures are established and are consistently applied to support the management of vendor accounts;
- Risk-based management practices and controls have been established to ensure effective internal controls over verification of high risk transactions; and
- Appropriate financial controls are applied to the delegation of financial authorities associated with the expenditure process.
1.5 Approach and Methodology
The audit was conducted in three phases: planning, examination and reporting. During the planning phase, the audit team conducted interviews with PCO officials, gathered and reviewed relevant documents and conducted a risk assessment to ensure that the audit objective and scope were focussed on the areas of greatest risk and significance. The audit team identified audit criteria to be used during the examination phase of the audit and produced an Audit Planning Document which communicated the results of the planning phase, presented the proposed audit criteria to management, and sought management’s concurrence with the audit criteria. Once management’s concurrence with the audit criteria was obtained, the audit entered the examination phase, at which time the audit team executed the testing procedures that were outlined in the Audit Planning Document, performed data analysis, and reviewed supporting documents to obtain sufficient information and audit evidence to draw conclusions against the agreed-upon audit criteria.
At the conclusion of the examination phase, audit findings were prepared and validated with appropriate levels of management. A draft audit report was prepared and provided to the Assistant Deputy Minister, Corporate Services Branch for acceptance and development of a management action plan to address the audit’s recommendations (see Section 5.0). At PCO, draft audit reports, including management action plans, are tabled at the Department’s Audit Committee for review and acceptance, after which they are jointly recommended by the Chief Audit Executive and the Chair of the Audit Committee to the Clerk of the Privy Council for formal approval.
2.0 Conclusion
PCO has established key components of an effective framework of management controls over the Accounts Payable function. However, areas within this framework have been identified where improvements to existing controls would strengthen the effectiveness of the control framework.
The framework features PCO’s 2016-17 Account Verification Sampling Plan (hereafter referred to as the Sampling Plan) approved by the Clerk which is well-aligned with TBS’s 2014 Directive on Account Verification. The concept of account verification sampling has been in place at PCO since May 2010; however, with the approval of the current Sampling Plan, the Finance, Planning and Administration Directorate (FPAD) has now applied a more formalized approach and a more structured set of controls to the account verification process.
As well, in support of the TB Policy on Internal Control (PIC), PCO has developed the Internal Control over Financial Reporting Framework which outlines the major responsibilities and processes that PCO undertakes in order to effectively manage the accounts payable function. This framework identifies and documents the supporting processes, procedures and related internal controls in place to mitigate financial risks.
Included within the Sampling Plan are structures that facilitate the identification of high, medium and low risk payment transactions, the identification and categorization of errors, resolution methods for issues associated with account verification, and controls to ensure payment transactions are approved by managers with appropriate financial authority.
All high risk financial business processes have been formally documented to fulfill PIC requirements and financial transactions have been classified into high, medium and low risk categories - these were identified through a risk assessment exercise outlined in the Sampling Plan.
Controls over accounts payable activities have been developed and implemented by the FPAD. Audit results indicate that opportunities exist to improve: (i) the documenting and communication of roles and responsibilities for FPAD staff and delegated managers; (ii) the audit trail to support accounts payable activities and decisions; and (iii) the capturing and implementation of remedial action to improve the overall account verification process.
The following sections detail the audit findings and recommendations as well as management’s response and action plan.
3.0 Audit Findings and Recommendations
3.1 Roles and Responsibilities
It was expected that roles, responsibilities, and accountabilities for accounts payable activities are documented, understood and communicated department-wide.
Accountability is the duty to report on the fulfillment of responsibilities. A key accountability control is an appropriate organizational structure that clarifies authorities, responsibilities, and the duty to report. Considered collectively, authority is the right to direct and exact performance, responsibility is the obligation to perform, and accountability is the duty to report on performance.
Having delineated responsibilities, delegated authorities, segregated duties, and clear lines of communication supports effective internal control and reinforces management expectations.
The audit team reviewed relevant documentation and interviewed departmental staff with financial responsibilities to confirm roles and responsibilities were in place, understood and communicated.
Audit results indicate that while Cost Centre Managers (CCMs) are generally knowledgeable about their financial accountabilities, there is limited up-to-date documentation outlining the roles and responsibilities of PCO personnel who are involved in processing accounts payable transactions, including CCM support staff and FPAD employees.
The Clerk-approved Sampling Plan clearly defines roles and responsibilities for FPAD staff and for individuals with Section 34 delegated financial authority which are well aligned with the TBS Directive on Account Verification. However, neither this document nor the roles and responsibilities information it contains have been communicated or circulated at a broad level and there has not been any other apparent means by which these roles and responsibilities have been communicated. As such, this is seen as an area for improvement within the control framework.
As well, the job description for the FPAD Account Verification Advisors responsible for verifying financial transactions to ensure the adequacy and compliance to financial internal controls has not been updated since 2000 and is not reflective of the current operating environment.
Control checklists have also been developed and are incorporated in the Sampling Plan. The purpose of these checklists is to support and control the various steps in the account verification process. However, audit testing revealed that these checklists are not being consistently used.
In the absence of internal guidance, the CCMs and/or their administrative staffs are required to contact FPAD for assistance and guidance. This adds an extra burden to FPAD’s already high volume workload.
Overall, while roles and responsibilities for the processing of financial transactions are defined and supported by clear authorities, the audit found that they have not been effectively communicated.
It is recommended that the Deputy Chief Financial Officer (DCFO) and Executive Director (ED) FPAD ensures that the roles and responsibilities for accounts payable activities are communicated to PCO personnel with responsibility for processing financial payment transactions.
3.2 Processing of Accounts Payable Transactions
A well-functioning quality assurance process ensures that a high standard of integrity and accountability is maintained in the spending of public money and supports the sound stewardship of financial resources. In accordance with the TBS Directive on Account Verification, when exercising payment authority pursuant to Section 33 of the FAA, PCO employs a risk-based approach in performing quality assurance reviews over the FAA Section 34 account verification process for low risk transactions. High risk transactions are fully verified by the Account Verification Advisors and Financial Officers prior to payment.
3.2.1 Post Payment Quality Assurance on Low Risk Transactions
It was expected that post-payment quality assurance activities performed on low risk transactions are established to identify and remediate areas of non-compliance.
Audit results indicate that post-payment verification (PPV) of low risk transactions performed by FPAD is satisfactory and that a comprehensive audit trail exists to demonstrate due diligence. However, the efforts to implement remedial action could be improved.
Low risk transactions have been identified in the Sampling Plan and the classification of these transactions was established through a risk analysis conducted by FPAD. The risk analysis methodology was based on both quantitative and qualitative criteria that were used to determine the level of risk by transaction type.
As outlined in the Sampling Plan, a review of Section 34 is performed by the Account Verification Advisors on low risk transactions. Checklists have been developed that detail specific verification steps to be taken by the Account Verification Advisors prior to Section 33 approval. The checklists also encompass a section to be completed by the Financial Officer prior to certifying under Section 33. Per the Sampling Plan, low risk transactions are processed without further review before being certified under Section 33 for payment. As mentioned, audit testing revealed the checklists are not being used.
PPV on low risk transactions is carried out, as per the Sampling Plan, by the Financial Policies, Systems and Internal Control (FPSIC) unit of FPAD. On a quarterly basis, a Statistical Sampling Report is prepared for the ED of FPAD that identifies and classifies critical and quality control errors that were found during the PPV review of these low risk transactions. The results of the PPV are to be used to draw conclusions on the reliability of the account verification process related to the population of low risk transactions.
A total of thirty (30) low risk transactions were selected for audit testing from the population of transactions that had been subjected to PPV sampling by FPSIC. Errors that were noted by FPSIC during the PPV sampling were also acknowledged by the audit team, but because these errors had already been acknowledged by FPSIC, they were not identified as errors by the audit team for testing purposes.
Of the thirty (30) low risk transactions tested, there were issues on three (3) transactions relating to Section 32 and one (1) case where the applicable supporting documentation was not with the accounts payable file. It was noted that in some cases, Section 32 was being approved by an authorized individual on the internal requisition (form PCO 84) whereas the Section 32 signature on the legally binding contract was signed by an individual without appropriate Section 32 authority. Management explained that as long as the PCO 84 form was signed by an appropriately delegated officer at PCO, they accepted that officer’s signature under Section 32. During the audit, FPAD informed the audit team they were strengthening this control and related internal procedures to ensure the appropriate S.32 signature now appears only on the PCO 84 form and that henceforth, this document will be used to capture the required S.32 authority.
As outlined in the Sampling Plan, when significant errors are observed either for a cost centre, for a specific process or for a certain type of transaction, training or information sessions are to be provided by FPAD. When errors relate to a lack of clarity of an internal policy, directive or procedure, amendments or updates to the policy, directive or procedure are to be produced. The observation of high critical error rates should result in a review of the reliability of the account verification process and, if applicable, corrective action.
Although the Statistical Sampling Reports are being produced on a quarterly basis, there is little evidence that the results are being communicated to relevant stakeholders and that remedial action is being implemented.
As per the Sampling Plan, the Account Verification Advisors are responsible to log all critical errors twice per year which is aimed at contributing to the FPSIC assessment on the quality of Section 34 activities. As noted above, these checklists are not being used by the Account Verification Advisors as the roles and responsibilities outlined in the Sampling Plan have not been widely communicated. The absence of the additional information this procedure would produce does not allow for a complete and fulsome picture of the entire account verification system.
3.2.2 High Risk Transaction Processing
It was expected that risk-based management practices and controls have been established to ensure the effective verification of high risk transactions.
Audit results indicate that there was adequate evidence on file to demonstrate that full account verification on high risk transactions is being performed; however, the applicable checklists are not being used. Audit testing revealed that there were three (3) issues relating to Section 32 which had to do with file maintenance activities.
Financial signing authority is delegated to various management levels throughout the Department by the Prime Minister and the Clerk. These authorities are then granted to employees at various management levels by creating and activating specimen signature cards, which are maintained in a database. The process must ensure that the signatures of persons authorized to exercise financial authorities can be authenticated before or after the processing of the transaction.
Account verification provides a means to ensure that the work has been performed, that the goods have been supplied and/or the services rendered, that relevant contract or agreement terms and conditions have been met, that the transactions are accurate, and that all authorities have been complied with. As per the FAA, all payments are to be certified pursuant to Sections 33 and 34. Departments are responsible for establishing risk-based management practices and for ensuring that controls are in place and working as intended to maximize the effectiveness of internal controls over account verification.
The TBS Directive on Account Verification has the objective of ensuring that accounts for payment and/or interdepartmental settlements are verified in a cost-effective and efficient manner while maintaining the required level of control to ensure the prudent management of financial resources.
FPAD has developed its Sampling Plan which is to be updated annually. The Sampling Plan outlines the methodology that is used to determine the risk ranking of payment transactions. The criteria to evaluate the risk levels include: impact; likelihood; the type of payment; the dollar value; the supplier or payee; and the current error rate from particular PCO organizations.
All high risk transactions are subjected to a full review and are pre-verified prior to being paid. Checklists have been developed to facilitate the verification carried out by FPAD Account Verification Advisors. PCO has also developed a Section 34 checklist to assist CCMs in carrying out their financial responsibilities.
Audit testing revealed that FPAD is not using the checklists as identified in the Sampling Plan and only six (6) of the forty-five (45) high risk transactions tested contained a checklist completed by the CCM.
According to the Sampling Plan, errors detected in high risk transactions are to be logged and summarized in a spreadsheet in order to help assess deficiencies. When significant errors are detected in high risk transactions, FPAD is to notify the appropriate CCM and/or their administrative staff and is to provide advice on the nature of the error and what appropriate action should be taken.
FPAD is not currently populating the spreadsheet to capture detected errors and as such this control is not functioning as intended and is not contributing to the effectiveness of the account verification system.
It is recommended that the DCFO and ED FPAD, in further implementing the Sampling Plan, ensures that the available checklists are used to augment the error identification process for both high and low risk transactions, that all errors are consistently recorded, and that these errors are, when appropriate, communicated back to those responsible for the errors in order for them to implement appropriate corrective measures.
3.3 Management of Vendor Accounts
It was expected that processes and procedures are established and consistently applied to support the management of vendor accounts.
Audit results indicate that appropriate segregation of duties is in place for the creation, modification and deletion of internal vendor accounts. However, it was noted that the audit trail maintained on file needs to be more comprehensive and that there were 38 cases (76 records) of active duplicate vendors in the database.
A Vendor (payee) file is to contain all the necessary information on a vendor (vendors can be either individuals or organizations) that is required to control vendor files and effectively make payments. This information includes names, addresses, and bank account information. The integrity and accuracy of the Master Vendor file information is one of the foundations for efficient and effective payment processing.
PCO has two types of Master Vendor files. The first type is for external goods and services providers and the second type encompasses PCO employees for the reimbursement of non-salary expenditures such as travel expenses, membership fees, training, etc.
Appropriate segregation of duties is in place within the system as there is only one individual at PCO with access to create internal vendor accounts. External vendors are created by the TBS Cluster at the request of PCO; this became effective May 9, 2016.
As well, it is important to avoid having duplicate vendors within PCO’s system of vendor accounts because they create a risk of issuing duplicate payments. Failing to resolve duplicate vendors in the Master Vendor file can result in the same duplicate payment scenario repeatedly occurring. While detecting duplicate payments is important, it is even more important to stop the cause of the duplicate payments from recurring by ensuring that only one (1) active vendor account exists for each vendor. This is done by periodically reviewing vendor files and eliminating any duplicate vendors in the system.
A review of the PCO Master Vendor file by the audit team revealed that there were 2,737 active vendor accounts at the time of the audit. Thirty-eight (38) active cases (76 records or 3%) of duplicate vendors were identified through audit testing. Nine (9) of the cases were vendors with similar names and the same address, postal code and phone number. Twenty-six (26) of the cases were vendors with the identical name, address, postal code and phone number. There were three (3) cases where the same individual held both external and internal vendor accounts.
Ten (10) vendor files were tested to determine whether a comprehensive audit trail existed for the management of vendor accounts. Eight (8) of the ten (10) files reviewed did not contain sufficient documentation to support the vendor details in the file. When this was brought to management’s attention, management informed the audit team that past practices saw PCO retain much of the evidence supporting vendor accounts on PCO’s payable files rather than on the individual Vendor files.
No evidence was found to indicate that internal procedures or guidance for the management of vendor accounts has been documented.
It is recommended that the DCFO and ED FPAD conduct an assessment on an annual basis of the Master Vendor file and vendor management practices to improve controls by eliminating duplicate vendors and by ensuring that a comprehensive audit trail is maintained in the individual Vendor files.
3.4 Delegated Financial Authorities
It was expected that appropriate financial controls are applied to the delegation of financial authorities associated with the expenditure process.
It was found that the specimen signature cards which delegate financial signing authority to individuals within the Department are approved by the appropriate level of authority; however, the audit trail was not robust enough to demonstrate that directives and policies are being respected. Also, specific acting dates were not consistently recorded either in the database or on the paper copy of the signature cards that are held on file.
The delegation of financial authority mechanism establishes one of the fundamental internal controls in the financial management system of government. Delegated authorities empower managers to achieve departmental and government objectives, while maintaining accountability for decisions.
The TBS Directive on Delegation of Financial Authorities for Disbursements, along with other supporting policy instruments, outlines the general principles and elements of financial signing authority in the federal government.
The financial delegation instrument that was in place for the scope period of the audit and the table of equivalent positions are reflective of the operating environment at PCO. [*]
In order to be delegated financial signing authority, mandatory training is required prior to the delegation being put in place. Of the ten (10) delegation files tested, half did not contain confirmation from Human Resources that the required training had taken place.
Of these ten (10) delegation files, three (3) were for acting positions. When an acting assignment occurs, delegated authorities are to be controlled by noting the start and end dates of the acting assignment on file. When these dates are not recorded, the control over the delegation of the financial authority is rendered ineffective. For the three (3) acting assignments included in the ten (10) files tested, all three of the signature cards did not contain start and end dates of the acting assignments either in the database comments box or on the physical signature cards on file.
As per the TBS Directive on Delegation of Financial Authorities for Disbursements, controls pertaining to all delegated financial authorities are to be reviewed and updated annually. PCO has a checklist in place to assist in conducting the annual review of delegated financial signing authorities. Only two (2) of the files tested contained the checklist, and one file contained a partial checklist, to demonstrate that the annual review had taken place.
In addition to the mandatory training on financial delegation, FPAD offers in-house training to finance staff exercising account verification responsibilities. FPAD is currently updating their in-house training on the delegation of financial authorities. The target audience of the training is the PCO administrative community, accounts payable staff, managers with delegated authority and procurement staff. A strategy is being developed to implement this training.
It is important to note that PCO is participating in a TBS Pilot Project which is implementing a Financial Signing Authority application in SAP. This is a three-phase Project which is currently in Phase 1. The goal of the Pilot Project’s Phase 3 is to have the actual specimen signature cards and delegation instruments available in SAP. The Pilot Project’s Phase 3 is estimated to be completed in 2017-18.
It is recommended that the DCFO and ED FPAD strengthen the controls over maintaining and updating specimen signature cards to ensure that start and end dates for acting assignments are appropriately recorded and that an adequate audit trail exists to demonstrate that applicable legislative and policy requirements are being met.
4.0 Management Response
Management accepts this report and will oversee the implementation of its recommendations.
5.0 Management Action Plan
Audit of PCO’s Accounts Payable Function
Response and Planned Actions
It is recommended that the Deputy Chief Financial Officer and Executive Director Finance, Planning and Administration Directorate ensures that the roles and responsibilities for accounts payable activities are communicated to PCO personnel with responsibility for processing financial payment transactions.
|The Deputy Chief Financial Officer will work with the A/Director Accounting Operations to clarify the roles and responsibilities of the accounts payable team. We will develop a reference card to be distributed to all PCO managers. The reference card will clearly outline the manager’s roles and responsibilities with respect to the accounts payable function. The A/Director Accounting Operations will work with the Manager-Financial Policy, Systems and Internal Controls to develop training material to be delivered to the accounts payable team.||CSB - FPAD||June 2017|
It is recommended that the Deputy Chief Financial Officer and Executive Director Finance, Planning and Administration Directorate, in further implementing the Sampling Plan, ensures that the available checklists are used to augment the error identification process for both high and low risk transactions, that all errors are consistently recorded, and that these errors are, when appropriate, communicated back to those responsible for the errors in order for them to implement appropriate corrective measures.
|FPAD will implement checklists for both high and low risk transactions. The use of those checklists will be mandatory for all accounts payable employees as well as employees performing the accounts verification process. Errors will be monitored and reported back to the A/Director Accounting Operations who will work with managers and supervisors to implement appropriate corrective actions.||CSB-FPAD||April 2017|
It is recommended that the Deputy Chief Financial Officer and Executive Director Finance, Planning and Administration Directorate conduct an assessment on an annual basis of the Master Vendor file and vendor management practices to improve controls by eliminating duplicate vendors and by ensuring that a comprehensive audit trail is maintained in individual Vendor files.
|With respect to the management of its financial system, PCO is part of the TBS cluster. The management of “external vendors” information is performed by TBS while PCO is responsible for managing the “internal vendor” information. TBS is developing a program that will clean up the vendor information and will use this program to clean up the “external vendor” information. TBS committed to sharing their program with PCO as soon as it becomes available. When we receive the program, PCO will undertake to clean up its “internal vendor” information. The assessment and review of both external and internal vendor files will be performed on an annual basis.||TBS-Cluster and CSB-FPAD||July 2017|
It is recommended that the Deputy Chief Financial Officer and Executive Director Finance, Planning and Administration Directorate strengthen the controls over maintaining and updating specimen signature cards to ensure that start and end dates for acting assignments are appropriately recorded and that an adequate audit trail exists to demonstrate that applicable legislative and policy requirements are being met.
|In working with the TBS Cluster, PCO will be implementing an automated specimen signature card system which will integrate with SAP. This will allow for better monitoring of specimen signature cards, better alignment with PCO’s delegation of authorities chart and government policies. Phase I of this project (input of the delegation chart and mandatory training in SAP) will be completed by the end of March 2017, while Phase II and III (workflow and scanning of signature cards) will be implemented by the end of 2017-18.||CSB-FPAD||March 2018|