Audit of the Management and Use of Acquisition Cards
May 20, 2016
[ PDF version ]
Acronyms Used in this Report
|CCM||Cost Centre Manager|
|FAA||Financial Administration Act|
|FCPD||Finance and Corporate Planning Division|
|PCO||Privy Council Office|
Within the federal government, the management and use of acquisition cards is governed primarily by the 2009 Treasury Board (TB) Directive on Acquisition Cards (the Directive) and by the Financial Administration Act (FAA). The Directive supports the 2009 TB Policy on Internal Control and establishes a consistent approach that supports effective financial controls for the administration of acquisition cards within departments. The Directive defines acquisition cards as “...charge cards that provide a convenient and practical method of procuring and paying for goods and services while maintaining financial control.” The use of acquisition cards simplifies the purchases of low-value goods and services, offering the potential to generate savings in procurement and expenditure processing.
To comply with the Directive and applicable TB policies, the Privy Council Office (PCO) developed its own Policy on Acquisition Cards (the Policy) in 2010. The Policy outlines a framework of financial and management oversight controls which is in place for the effective management of the Department’s Acquisition Card Program.
The use of acquisition cards has a degree of inherent risk of errors and/or fraud associated with it as cardholders are provided with credit cards to purchase goods/services. With the dollar value limit of these acquisition cards ranging from five thousand dollars to one hundred thousand dollars depending on the position the cardholder occupies at PCO, the level of risk varies. Most cards have low dollar value limits and are issued to administrative personnel who use these cards for low dollar value purchases (e.g. office supplies). A limited number of cards with higher dollar value limits are issued to senior PCO Executives who could use their cards for higher dollar value purchases, often under non-typical (e.g. emergency) circumstances. Given that the management and use of acquisition cards at PCO has not been subjected to any prior internal audit or review attention, assessing the associated control framework over these acquisition cards provides assurance on this control framework and supports fraud prevention and detection at PCO.
This Audit of the Management and Use of Acquisition Cards was approved by the Clerk of the Privy Council as part of PCO’s 2015-2016 to 2017-2018 Risk-Based Audit Plan.
The overall objective of this audit is to provide assurance on the adequacy and effectiveness of PCO’s control framework for the management and use of acquisition cards.
The scope of this audit included the framework of financial and management oversight controls in place for the effective management of PCO’s Acquisition Card Program, including the alignment of PCO’s Policy on Acquisition Cards with the TB Directive on Acquisition Cards.
1.4 Audit Criteria
To achieve the audit objective, both the audit team and management agreed on the following seven (7) audit criteria to establish the baseline expectations about PCO’s control framework over the management and use of acquisition cards:
- Roles and responsibilities for all acquisition card stakeholders are well defined, consistent with the TB Directive, documented, communicated and appropriately segregated.
- Appropriate governance structures have been established to escalate and resolve any issues related to the use of acquisition cards.
- Formal monitoring mechanisms are in place to confirm the appropriate authorization and compliance of individual expenditures.
- Effective processes have been established, documented and are functioning as intended for the appropriate approval of all acquisition card transactions and maintenance of sufficient evidence to ensure compliance to the Directive and applicable policies.
- Processes for the issuance, cancellation and documentation of acquisition cards have been established, are compliant with applicable policies and guidelines, and are functioning as intended.
- Formal training and tools have been developed to provide support to cardholders and Cost Centre Managers.
- Acquisition cards, including account information and transaction documentation, have been appropriately safeguarded.
1.5 Approach and Methodology
The audit was conducted in three phases: planning, examination and reporting. During the audit planning phase, the project team conducted interviews with PCO officials, gathered and reviewed relevant documents and conducted a risk assessment to ensure that the audit objective and scope were focussed on the areas of greatest risk and significance. The audit team identified proposed audit criteria to be used for the examination phase of the audit, developed an Audit Planning Document which documented the results of the planning phase and presented the proposed audit criteria, and then obtained management’s concurrence with these audit criteria. During the examination phase, the team executed the testing procedures that were outlined in the Audit Planning Document and analyzed card transactions and supporting documents to obtain sufficient information and audit evidence to draw conclusions against the agreed-upon audit criteria.
At the conclusion of the examination phase, audit findings were prepared and validated with appropriate levels of management. A draft audit report was prepared and provided to the Acting Assistant Deputy Minister, Corporate Services Branch for acceptance and for development of a management action plan to address the audit’s recommendations (see Section 5.0). At PCO, draft audit reports including management action plans are tabled at the Department’s Audit Committee for review and acceptance, after which they are jointly recommended by the Chief Audit Executive and the Chair of the Audit Committee to the Clerk of the Privy Council for formal approval.
1.6 Statement of Conformance
In my professional opinion as Chief Audit Executive, this audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of PCO’s quality assurance and improvement program.
Original signed by:
Chief Audit Executive
PCO has an adequate control framework in place for the effective management of acquisition cards, but opportunities exist to improve specific areas of this framework. The framework features PCO’s 2010 Policy on Acquisition Cards which is well-aligned with the TB’s 2009 Directive on Acquisition Cards. The Framework includes structures that facilitate the escalation and resolution of issues associated with acquisition card use, and controls that ensure card transactions are approved by managers with appropriate authority and are, for the most part, supported by appropriate documentation. Controls over distribution and collection of cards and oversight and review of card transactions are provided by the Finance and Corporate Planning Division (FCPD). However, audit results indicate opportunities exist to improve (i) the documenting of related FCPD business processes and (ii) the current approach being used to provide guidance and training to cardholders and Cost Centre Managers (CCMs).
The following sections detail the audit findings and recommendations as well as Management’s response and Action Plan.
3.0 Audit Findings and Recommendations
3.1 Roles and Responsibilities and Business Process Formalization
As noted in the Introduction to this report, acquisition cards are used because they provide a convenient and practical method of procuring and paying for goods and services while maintaining financial control, and because they simplify the purchases of low-value goods and services and offer the potential to generate savings in procurement and expenditure processing. The roles and responsibilities of acquisition card stakeholders at PCO are outlined at a high level in authority documents which have been communicated to stakeholders. The Department’s Policy on Acquisition Cards outlines the high level roles and responsibilities for cardholders, CCMs and the FCPD. Among other things, the Policy outlines that CCMs must sign under FAA Section 34 to confirm that the purchased goods and/or services have been satisfactorily provided, and that cardholders must obtain the CCM’s Section 34 approval and provide this, along with original invoices, to FCPD for processing of the transaction. However, with respect to the mandatory FAA Section 32 pre-authorization that is required from CCMs under the FAA, the Policy only states that the cardholder must obtain this pre-authorization in writing — there is no mention of having to obtain this from the CCM, nor is there mention in the Policy of the cardholder having to submit evidence of this pre-authorization to FCPD.
Requests for acquisition cards originate from the various organizational units within PCO and are submitted to FCPD using an “Acquisition Card Request Form”. When such a request is submitted, the card recipient must complete and sign various documents including an “Employee’s Acknowledgement of Responsibilities For A Corporate Charge Card” form which outlines roles and responsibilities at a high level. A sample of these forms was tested during the audit. Testing results indicate that in the case of active acquisition cards, sufficient documentation had been provided in all but two (2) cases to support the requests made and the dollar value limits associated with the requested cards, and the requests were approved by appropriate authorities. In the two (2) exceptional cases, explanations were provided by FCPD to the audit team that were deemed reasonable under the circumstances. Further, in October 2015, FCPD performed an analysis of these forms to identify any instances where either the forms could not be located or cardholders had not signed the appropriate forms. In any such instances, FCPD had the cardholders sign the appropriate documents. As a further check on the management of these cards, the audit team reconciled the most current FCPD listing of active cardholders to the listing of active cardholders held by the financial institution which provides acquisition cards and related accounts to PCO. All cardholders and their respective card limits as noted in FCPD’s listing reconciled to the financial institution’s records.
Interviews conducted with cardholders, CCMs, and FCPD noted that roles and responsibilities for the management and use of acquisition cards have been communicated and are, for the most part, reasonably understood. However, audit results reveal that some CCM responsibilities are not clearly understood, such as those associated with the aspects of PCO’s departure process that relate to the return of acquisition cards, and the level of CCM challenge required in relation to the eligibility of card purchases. Aside from the high-level roles and responsibilities documented in the Policy, audit results indicate that stakeholder roles and responsibilities are otherwise not captured in detail in a dedicated document for the benefit of these stakeholders. As a result, responsibilities outlined in the Policy are subject to varying degrees of interpretation and understanding by cardholders and their CCMs.
Given that the understanding of responsibilities for managing card related elements of PCO’s departure process were found to be inconsistent, the audit identified a potential risk in relation to the timely deactivation of acquisition cards upon cardholder movements or departures. Related to this, management had recognized issues with the overall departure process and has developed a modified departure process that is now being piloted within PCO. Once an upcoming departure or movement of a PCO cardholder is known, the new process requires that a “Departure Notification” form be immediately sent out to inform the appropriate PCO personnel of the upcoming departure, and that a departure checklist be subsequently used by the departing cardholder to obtain a signature from each applicable PCO division confirming that the departing cardholder has returned PCO assets (including acquisition cards) that had been entrusted to them. FCPD has highlighted that this revised process allows for a timelier deactivation of acquisition cards and therefore helps to mitigate the identified risk.
FCPD itself uses a variety of checklists and other tools to manage its acquisition card responsibilities, including the processing of card transactions. Audit tests reveal that FCPD conducts a thorough review of these transactions, including conducting a high-level review of the monthly acquisition card account statements from the financial institution to identify and address any transactions that may appear unusual or out of the ordinary. Audit testing results did not indicate any reason for concern about fraud in the use of acquisition cards, but did show that the processes for reviewing both acquisition card transactions and the related supporting documentation have themselves not been formally documented in a detailed manner. Also, even though processes for the escalation of any acquisition card issues within FCPD have been established, these processes are also not fully documented. As a result, significant reliance is being placed on the knowledge, experience and expertise of FCPD personnel to carry out their transaction processing and oversight activities effectively. This creates a risk that an inconsistent approach and/or an insufficient level of oversight and monitoring over acquisition card transactions may result, especially if there is turnover in the FCPD personnel who process acquisition card transactions. Given the variety and number of stakeholders, including FCPD, who are involved in the management and oversight of acquisition card use, having more formal documentation would better ensure a clear and consistent understanding of the management and use of acquisition cards in line with the Department’s expectations. Further, having more fully documented processes would better facilitate the orientation and training of new staff when necessary.
The Assistant Deputy Minister, Corporate Services Branch should develop a short “ready reference” document that provides acquisition cardholders and their Cost Centre Managers with comprehensive information on all of their roles and responsibilities in the management and use of acquisition cards.
The Assistant Deputy Minister, Corporate Services Branch should ensure that all key FCPD business processes and procedures associated with the management and use of acquisition cards are formally documented.
3.2 Training and Tools to Support Acquisition Card Stakeholders
PCO’s 2010 Policy on Acquisition Cards outlines the use of these cards for the procurement of goods and non-professional services of low dollar value. The Policy outlines the types of purchases that the acquisition card cannot be used for such as language training, membership fees, office furniture, and any travel-related expenses. Hospitality expenses can be paid with an acquisition card, but they require a pre-authorized “Hospitality Form” to be signed by a manager with the proper delegated financial authority.
Upon receiving an acquisition card, cardholders are provided with a one-page “Obligations of the Cardholder” document which briefly outlines some restrictions that apply to the use of the acquisition card. Also, cardholders are provided with the “Employee’s Acknowledgement of Responsibilities for a Corporate Charge Card” form which must be read, signed, and dated by the cardholder and his or her CCM. This form outlines that the cardholder acknowledges receipt of the card and that it is to be used for procurement in the course of his or her regular duties, that all transactions are to be pre-authorized by a departmental manager with FAA Section 32 expenditure initiation authority, and that the cardholders are responsible for safekeeping of the cards entrusted to them.
During the audit’s examination phase, a sample of acquisition card transactions was tested to determine if sufficient documentation was provided by the cardholder, including evidence of both the CCM’s mandatory Section 32 pre-authorization of each transaction and mandatory Section 34 confirmation of receipt of goods/services purchased. Testing was also done to determine if an adequate review of these transactions was conducted by FCPD to ensure the nature of the transaction was aligned to the Policy. While evidence of Section 34 signoff was submitted for all transactions tested, evidence of the mandatory Section 32 pre-authorization of purchases was not provided for approximately 28% of the transactions tested. These results confirm FCPD personnel are having to spend extra time and effort obtaining evidence of the mandatory pre-approvals from cardholders, which is resulting in processing inefficiencies.
As well, PCO’s Policy specifies a maximum threshold of $1,000 per acquisition card transaction for the procurement of goods and non-professional services of low value.1 However, audit testing indicates that purchases greater than this amount are being processed on acquisition cards and approved by CCMs. The audit did not find controls in place or any additional challenges by FCPD to keep transactions within the Policy’s maximum threshold. Discussions with cardholders, CCMs, and FCPD note that this maximum threshold is not seen as reasonable within the current environment as many potential acquisition card purchases exceed this amount. This appears especially true for PCO divisions whose purchasing needs may differ from the norm based on their distinct business requirements.
Through the testing performed and the interviews conducted with cardholders and CCMs, the audit highlights that the combination of the Policy and the other documents in use do not provide sufficient detail about the management and use of acquisition cards, including PCO’s associated processes and the restrictions that apply to the use of acquisition cards. In particular, those CCMs who were new to their role felt they require a more in-depth understanding of the processes around acquisition cards and the eligibility of purchases, specifically with regard to the types of purchases that can be made and any restrictions that would apply to these purchases. Further, audit results reveal that cardholders and CCMs are not provided with any specific in-house or other formal training regarding their roles and responsibilities in the management and use of acquisition cards.
With respect to the security of acquisition cards once they are distributed to cardholders, the Policy clearly states that “the cardholder must ensure that the card is kept in a secure location with controlled access when it is not being used”. Audit results indicate that some cardholders were unclear about proper storage procedures for their acquisition cards and that cardholders in general are using various practices when storing the acquisition cards entrusted to them. This introduces the risk that not all such practices will effectively restrict access to and ensure the security of these acquisition cards.
When taken as a whole, these audit results indicate there is an opportunity for PCO to enhance its overall approach to providing guidance and training to the various acquisition card stakeholders in support of the Department’s Policy on Acquisition Cards.
The Assistant Deputy Minister, Corporate Services Branch should develop a brief yet comprehensive in-house training session on the management and use of acquisition cards and ensure that all existing and future cardholders and Cost Centre Managers attend this training on a mandatory basis.
The Assistant Deputy Minister, Corporate Services Branch should conduct an assessment of PCO’s 2010 Policy on Acquisition Cards to determine if the dollar threshold specified in the Policy, or any other aspect(s) of the Policy, should be updated.
4.0 Management Response
Management accepts this report and will oversee the implementation of its recommendations.
5.0 Management Action Plan
Audit of the Management and Use of Acquisition Cards
Response and Planned Actions
|1. The Assistant Deputy Minister, Corporate Services Branch should develop a short “ready reference” document that provides acquisition cardholders and their Cost Centre Managers with comprehensive information on all of their roles and responsibilities in the management and use of acquisition cards.||CSB-FPAD will develop a comprehensive reference document that will provide acquisition card holders and responsibility centre managers with comprehensive information regarding their roles and responsibilities. We will also ensure that all new card holders receive a verbal briefing when they are provided with their acquisition card.||CSB-FPAD||September 30, 2016|
|2. The Assistant Deputy Minister, Corporate Services Branch should ensure that all key FCPD business processes and procedures associated with the management and use of acquisition cards are formally documented.||CSB-FPAD will adequately document business processes associated with the management and use of the acquisition cards. We will also include the management and use of acquisition cards in our monitoring plan for 2017-18.||CSB-FPAD||December 31, 2016|
|3. The Assistant Deputy Minister, Corporate Services Branch should develop a brief yet comprehensive in-house training session on the management and use of acquisition cards and ensure that all existing and future cardholders and Cost Centre Managers attend this training on a mandatory basis.||CSB-FPAD will develop briefing material and will provide a briefing to the acquisition card holders and the responsibility centre managers. We will ensure that all new card holders receive the training before they are handed their new acquisition card.||CSB-FPAD||December 31, 2016|
|4. The Assistant Deputy Minister, Corporate Services Branch should conduct an assessment of PCO’s 2010 Policy on Acquisition Cards to determine if the dollar threshold specified in the Policy, or any other aspect(s) of the Policy, should be updated.||CSB-FPAD will review the PCO 2010 Policy on Acquisition Cards. We will also align our new policy to the TBS Policy. Please note that TBS is reviewing its Financial Policy suite, which will have an impact on our timelines.||CSB-FPAD||December 31, 2016|
Report a problem or mistake on this page
- Date modified: