Audit of Key Financial Controls

Executive summary

In support of the Treasury Board of Canada’s Policy on Internal Control, the Public Health Agency of Canada’s (Agency) Deputy Minister and Chief Financial Officer are required to sign an annual representation letter acknowledging their responsibilities for maintaining an effective system of internal control over financial reporting.

The objective of this audit, which was part of the departmental Risk-Based Audit Plan for 2012-15, was to provide reasonable assurance that the Agency’s internal controls over financial reporting are operating effectively to mitigate the risk of material misstatement in the Agency’s financial statements. The audit focused on testing the controls that help the Agency meet its control objectives and address management’s responsibility over the completeness, validity and accuracy of its financial reporting. Select controls from two categories of key financial controls were tested as part of the audit: common key controls and specific key controls. Common key controls are prevalent across the organization and/or affect the organization as a whole; for example, the quality assurance over account verification process. Specific key controls affect the Agency’s financial statements and originate from one specific area such as grants and contributions.

An overview of the effectiveness of the key financial controls reviewed during the audit is presented in Appendix B.

Sufficient and appropriate procedures were performed and evidence gathered to support the accuracy of the audit conclusion. Based on the results of the audit work, it was determined that the Agency’s internal controls over financial reporting are generally operating effectively to mitigate the risk of material misstatement. However, improvements are required in the execution of individual key controls as noted below.

Common key controls
In terms of the common key controls, those found across the most significant classes of transactions, are found to be operating effectively for the most part. However, areas of improvement were noted in two of the key common controls: Delegation of financial signing authorities and Quality assurance over FAA Section 34 certification.

Specific key controls
These controls supplement the common key controls and help to provide assurance over the completeness and accuracy of financial information. Four of the seven specific key controls were determined to be operating effectively while three areas were identified as needing improvements. The key controls requiring improvement are related to the administration of contribution agreements (two controls) and capital assets.

Management agrees with the recommendations and its response indicates its commitment to take action.

A - Introduction

1. Background

Government wide initiatives, legislative changes and new policy requirements have been developed to strengthen public sector financial management and improve the reliability of financial reporting. Some of these changes include:

• the Treasury Board of Canada (TB) Policy on Internal Control requires that the Deputy Head sign an annual departmental Statement of Management Responsibility Including Internal Control Over Financial Reporting; and
• the TB Policy on Financial Resource Management, Information and Reporting requires that the deputy head take measures to ensure that the Department can sustain a control-based audit of its annual financial statements.

In addition, Deputy Heads and Chief Financial Officers are required to sign an annual Letter of Representation to the Auditor General and the Deputy Receiver General in support of the Public Accounts covering their responsibilities for internal control over financial reporting and assertions over the integrity of financial information.

In support of the Policy on Internal Control, the Office of the Chief Financial Officer has developed the Internal Control Framework. The Agency’s Framework provides direction for the implementation of the ICFR.

As part of the business transformation agenda resulting from the federal Budget 2012, both the Agency’s Financial Policy, Systems and Operations Division and the Assets and Material Management Division, and Health Canada’s Financial Operations Directorate have consolidated the delivery of their services under a single shared services partnership.

2. Audit objective

The objective of the audit was to determine whether select key controls in support of the departmental financial statements are operating effectively, to mitigate the risk of material misstatements in terms of ensuring the validity, completeness and accuracy of the financial transactions reported.

3. Audit scope

The scope of this audit encompassed a review of the operational effectiveness of key financial controls that are either common or specific to the following significant classes of transactions:

• Grants and contribution Agreements;
• Salaries and wages expenses;
• Purchase of goods and services;
• Acquisition card purchases; and
• Capital assets.

Lines of enquiry and audit criteria are presented in Appendix A.

The audit covered transaction processing activities for fiscal year 2012-13 and the sample included transactions from April 1, 2012 to March 31, 2013.

The audit coverage included controls exercised in the National Capital Region and other regions. The controls tested are predominantly within the Office of the Chief Financial Officer, but the audit also reviewed the control activities which fall under the responsibility of the offices of secondary interest.

Entity level controls (ELCs) and information technology general controls (ITGCs) are excluded from the scope of the audit. These controls focus predominantly on the control framework.

ELCs refer to those controls and practices in place that permeate across the department and that may have a direct or indirect impact or influence on the integrity of the department’s financial reporting. These include values and ethics, employee learning and awareness, governance, and risk management. ITGCs are controls that impact the overall department-wide Information Technology (IT) environment, such as access to computer programs and data, program changes, program development, and computer operations.

4. Audit approach

The audit included an analysis of financial statement data; the identification of the significant classes of transactions; a review of key business process flowcharts, and control matrices; and discussions with management regarding significant changes in business processes.

In assessing the effectiveness of key financial controls, the audit included interviews with the Agency and Health Canada employees, the review of documentation (for example, departmental policies and procedures, relevant documentation in support of financial transactions), observation of key processes and controls, and analysis of financial and non-financial data using computer assisted audit techniques and tools.

5. Statement of conformance

In the professional judgment of the Chief Audit Executive, sufficient and appropriate procedures were performed and evidence gathered to support the accuracy of the audit conclusion. The audit findings and conclusion are based on a comparison of the conditions that existed as of the date of the audit, against established criteria that were agreed upon with management. Further, the evidence was gathered in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing. The audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program.

B - Findings, recommendations and management responses

1. Select key financial controls common to all class of transactions

1.1 Delegation of financial signing authorities

Audit criterion: Controls over the maintenance of specimen signature cards ensure that delegations of financial signing authorities are valid.

The Financial Operations Directorate in the shared service partnership is responsible for the controls over the maintenance of specimen signature cards.

Certification under Section 34 of the FAA requires account verification of all expenditures processed at the Agency. Such certification aims to provide assurance over the validity and accuracy of transactions by certifying that goods and services were received or that a grant or contribution recipient is eligible for payment.

Financial signing authority is delegated to various management levels throughout the Agency including to the Cost Centre Manager/Administrator level, by the Minister and Deputy Head. These authorities are then granted to employees by creating and activating specimen signature cards that are maintained in a Lotus Notes database, which is used to authenticate whether an employee has a valid delegation of financial signing authority. There were approximately 400^{Footnote 1} active signature cards in the database as of March 2013.

Certification under FAA Section 33 (payment authority) ensures that payments are subject to authorized requisitions; are lawful charges against the appropriation and are within the appropriations level. This requires that appropriate processes and controls be in place to verify accounts under FAA Section 34, as stated in the Agency’s delegation of financial signing authorities document. Section 33 of the FAA relies on the specimen signature cards to substantiate whether an employee has a valid Section 34 delegation of financial signing authority. Consequently, it is essential that the controls over the creation and activation of specimen signature cards operate effectively to comply with the FAA and central agency policy instruments in order to prevent unauthorized expenditures.

Activation of specimen signature cards

The Agency has well-defined procedures to set-up specimen signature cards. A sample of 15 cards was tested to determine if officers responsible for activating the cards verified their validity (for example: approved by a supervisor with delegated authority, mandatory training has been taken and issued to an eligible Agency employee). Test results indicated that verifications were adequately conducted.

Termination of specimen signature cards

An employee’s specimen signature card may be terminated for two reasons: the responsibility of the employee changed, or the employee left the Agency. In the first circumstance, the signature card is edited to reflect the new responsibilities provided the employee retains financial signing authority. In the second circumstance, the signature card is simply cancelled.

Because the financial officers rely on the accuracy of the specimen signature card database when conducting FAA Section 33 certification, the termination of signature cards needs to be completed in a timely manner.

Using computer-assisted audit techniques, auditors assessed the accuracy of the database throughout the year by analysing the timeliness of termination of specimen signature cards for departed employees. The analysis showed that 57% of the cards for terminated employees were not cancelled at the employee’s departure.

Overall, controls over the activation of specimen signature cards are adequate. However, improvements are needed to ensure that cards are cancelled in a timely manner thereby ensuring the validity of the corresponding database on which reliance is placed for the purpose FAA Section 33 certification.

Recommendation 1

It is recommended that the Chief Financial Officer ensure that specimen signature cards are terminated through the year on a timely basis. lict of interest review process consisting of multiple steps of analysis and approvals.

Management response

Management agrees with this recommendation.

An initiative is currently being led under the shared services partnership to enhance the existing process and controls on the various actions required when an employee is leaving the Department or the Agency. This initiative will result in the development and implementation of a mandatory departure form. This form will include the requirement for the cancellation of the financial specimen signature cards.

The Financial Operations Directorate will implement a periodic monitoring tool which also monitors the specimen signature cards.

1.2 Quality assurance process over Financial Administration Act Section 34 certification

Audit criterion: Quality assurance performed over Financial Administration Act Section 34 certification is effective.

While the Financial Operations Directorate in the shared service partnership is primarily responsible for the quality assurance over Financial Administration Act (FAA) Section 34 certification, the Office of the Chief Financial Officer is responsible for monitoring the quality assurance.

In accordance with the Treasury Board Directive on Account Verification, the Agency employs a risk-based approach to perform quality assurance over FAA Section 34 account verification. A well-functioning quality assurance process provides a high level of assurance that a high standard of integrity and accountability is maintained in the spending of public money, and supports sound stewardship of financial resources.

The quality assurance process aims at ensuring that the FAA Section 34 certification is properly and consistently performed. In July of 2012, this process was expanded to include acquisition card transactions. This provides assurance that transactions are valid, accurate and properly authorized. For high risk transactions, it acts as a main control to ensure that the transactions are accurate and valid, and that errors (if detected) are corrected prior to payment. For low risk transactions, the quarterly sampling results provide insight into the effectiveness of the FAA Section 34 certification and, if necessary, action plans can be developed. For both types of transactions, errors are corrected where deemed necessary. See Appendix C for the risk profile of transactions.

As illustrated below in Diagram 1, all transactions undergo a minimum quality assurance which focuses on verifying the appropriateness of: FAA Section 34 authorization; the financial coding; and vendor information. A risk profile (low or high) is then assigned based on the nature and value of the transactions through a “gating” process.

Diagram 1: Quality Assurance Review Process

Source: Health Portfolio Shared Services Partnership Statistical Sampling Training Guide

Transactions deemed as high risk undergo full quality assurance prior to payment. This includes verifying whether the back-up documentation provided supports the payment request, whether the financial coding is appropriate, that claimed amounts are in accordance with the corresponding contract or funding agreement, and that the procurement document and payment request comply with TB and Agency policies.

Those identified as low risk are paid immediately after minimum quality assurance is performed and are subject to a full quality assurance through quarterly statistical sampling. This process is referred to as the Post-Payment Quality Assurance Process.

Errors identified through quality assurance that put into question the validity of the payment request must be followed-up and corrected, such as inappropriate FAA Section 34 financial signing authority, or an invoice price that is not in accordance with the contract/funding agreement. See Appendix D for corrective actions and follow-up activities.

Table 1 provides a breakdown by risk profile of the transactions (see Appendix C) recorded in fiscal year 2012-13. It demonstrates that even though the proportion of high risk transactions was 17% of the total population in terms of number, these transactions represented 85% of the total dollar value.

Quality assurance over FAA Section 34 account verification encompasses most payment transactions including grants and contributions, account payables, travel claims, honoraria, acquisition cards, etc. However, it does not cover salary and wage expenditures as they are subject to a different quality assurance process which is discussed in Section 2.2 of this report.

The main aspects of the quality assurances process include:

• Gating of transactions;
• identification of errors in account verification;
• quality assurance on grants and contributions payments;
• logging of results of quality assurance review; and
• statistical sampling for low risk transactions.

Gating of transactions for the quality assurance process
The gating of transactions is an important aspect of the quality assurance process. It determines whether a transaction is low risk or high risk, thereby determining the level of quality assurance (minimum or full) to be performed prior to payment. The audit tests determined that the gating of transactions is working effectively.

Identification of errors in account verification
The quality assurance review entails verification that FAA Section 34 account verification has been performed properly. This process provides evidence on the effectiveness of FAA Section 34 account verification.

The audit tested a random sample of 28 transactions selected from the Agency’s regions that were recorded in 2012-13 fiscal year. The results indicated that the quality assurance function was adequately performed and all critical errors were identified.

Logging of results of quality assurance review
The Health Portfolio shared services partnership’s Statistical Sampling Training Guide requires that all errors identified during the quality assurance review for both low and high risk transactions be logged in SAP, the departmental financial system. This is regarded as the most significant output of the quality assurance process as it provides the necessary data required to report on the overall adequacy and reliability of the account verification process, and allows management to develop corrective actions where necessary, in line with the TB Directive on Account Verification.

The audit found that from the sample of 28 transactions reviewed, all the errors identified had been logged in SAP.

Quality assurance of low risk transactions
As previously mentioned in this report, all low risk transactions undergo minimum quality assurance prior to payment. In addition, a sample of these transactions are selected on a quarterly basis, to undergo full quality assurance. The analysis of errors and the action plans developed by senior finance officers are to be reported to the Office of the Chief Financial Officer on a quarterly basis.

For this type of testing, the Health Portfolio shared services partnership has established a tolerable error limit of 8%. That is to say that management considers the FAA Section 34 account verification process to be operating effectively if the error rate from the statistical sample is less than 8%. Where sampling results for a region are greater than 8%, senior finance officers are required to develop an action plan (see Appendix D) to address any issues identified through an analysis of the errors. The 8% rate was determined by the Health Portfolio shared services partnership as the TB Directive on Account Verification provides no guidance in this area. “The tolerable error rate will be 8%, given that the Department is moving towards auditable financial statements, and is initially focused on continuous improvement and enhancing controls.”^{Footnote 2} Management indicated that the tolerable error limit has been decreased to 5% for fiscal year 2013-14.

The audit reviewed the results of the statistical sampling on low risk transactions for all four quarters of fiscal year 2012-13. The results indicated that 241 out of 2,616 transactions sampled were identified with critical errors for an annual weighted error rate of 10.5% for the Agency; hence, above the tolerable limit (8%). This suggests that the FAA Section 34 account verification process was not working from an Agency wide perspective. The results reviewed also showed variability in the error rates from statistical sampling results among the regions, and by quarter. Error rates ranged from 0% to as high as 33%. Results of the quality assurance (QA) process indicated that the Agency wide error rate was in excess of the tolerable limit for three of the four quarters during the fiscal year. The audit also noted that these quarterly reports outlining errors and action plans were not provided to the Office of the Chief Financial Officer.

In conclusion, a quality assurance process is in place. However, the number of errors found indicates that controls over transactions that are considered low risk and subjected to minimum quality assurance are not operating effectively. We found that the established maximum error rate of 8% for transactions selected through the Health Portfolio shared services partnership’s Statistical Sampling Framework had been exceeded by the Agency as whole for 2012-13.

Recommendation 2

It is recommended that the Chief Financial Officer monitors the quality assurance over Financial Administration Act Section 34 certification to ensure that appropriate action is taking place when the quality assurance tolerable error rate has been exceeded.

Management response

Management agrees with this recommendation.

The Chief Financial Officer will request the error reports from the Financial Operations Directorate on a quarterly basis to perform a review and verify that appropriate action is taking place when the tolerable error rate has been exceeded.

The Statistical Sampling Framework used allows for additional samples to be examined when warranted.

1.3 FAA Section 33 certification

Audit criterion: Certification under FAA Section 33 is performed and appropriate segregation of duties exists with FAA Section 34 certification.

The Financial Operations Directorate in the shared service partnership is responsible for the quality assurance over Financial Administration Act (FAA) Section 33 certification.

The authority to request payments in accordance with Section 33 of the FAA is referred to as payment authority. Pursuant to this section, a financial officer with delegated payment authority must ensure that:

• FAA Section 34 was properly exercised by validating that the Section 34 signatory had a valid delegated authority to authorize the expense and that there is auditable evidence that the quality assurance over the adequacy of the Section 34 account verification has taken place; and
• expenditures are a lawful charge against the appropriation.

The FAA Section 33 payment authorization performed by financial officers is a key control to ensure the accuracy and legality of transactions.

The auditors evaluated the performance of the FAA Section 33 certification using the sample of transactions selected for the quality assurance review and concluded that financial officers approving payments under FAA Section 33 had valid delegated authority and were not the same individual certifying under FAA Section 34.

1.4 Management review of expenditures and commitments

Audit criterion: Cost centre managers review commitments and expenditures recorded in SAP for completeness, validity and accuracy.

The Office of the Chief Financial Officer’s Resource Management and Analysis Division is responsible for the review of expenditures and commitments recorded in SAP.

The Management Variance Report (MVR) process is a review of the financial position of business units and can be conducted down to the cost centre level. The MVR methodology consists of estimating the level of total funding required to conduct program activities over the fiscal year by comparing actual expenditures and commitments at the end of a period against internal operational plans. Cost Centre Managers then estimate anticipated expenditures for the remainder of the year and identify corresponding lapses or deficits.

Responsibilities with regards to forecasting and the preparation of MVRs are communicated through call letters issued by the Office of the Chief Financial Officer. In addition to MVR call letters, some branches have developed additional guidelines and instructions to provide support to managers for the MVR process.

Branches are also supported by their assigned Financial Management Advisor (FMA) who provides advice and guidance and participates in the challenge process. The role of the FMA is to provide support in the conduct of the MVR process, tactical advice to branch managers on financial management matters, and to challenge the accuracy of amounts recorded as commitments and anticipated expenditures. The service provided by FMAs is essential to the promotion of sound financial management practices across the Agency.

The Office of the Chief Financial Officer is responsible to ensure that the month-end MVR exercise is adequately conducted and documented through a challenge function. This process is considered a key control over financial reporting.

Our documentation review and interviews demonstrated that cost centre managers review commitments and expenditures recorded in SAP for completeness, validity and accuracy.

1.5 Accrued liabilities at year-end

Audit criterion: Senior financial officers review and challenge the completeness, validity and accuracy of transactions payable at year end.

The Office of the Chief Financial Officer’s Resource Management and Analysis Division and Centre for Grants and Contributions are responsible for managing payables at year-end.

As per the TB Policy on Payables at Year-End(PAYEs) departments and agencies must identify and quantify liabilities to outside organizations and individuals resulting from operations up to and including March 31^st in each fiscal year. In the absence of certainty, estimates must be used to determine the amounts of liabilities, as long as reasonably accurate values can be assigned.

As per the departmental year-end procedures, cost centre managers and administrators must submit PAYE requests for goods and services of value greater than or equal to $1,000 (except salary-related items where the minimum threshold is $400, interdepartmental settlements where there is no threshold, and grants and contributions where there is no minimum threshold), for which an invoice has not been received or when account payables or payments cannot be recorded by the required cut-off date. In addition, notwithstanding the fact that a PAYE could be established from a reasonable estimate, supporting documentation must be provided for all PAYEs. Where goods are received, a packing slip is sufficient. For consulting services, timesheets and an assessment of the work completed as at March 31^st should be provided. This helps to ensure a sufficient audit trail for follow-up purposes.

In addition, senior finance officers are responsible for reviewing and challenging PAYEs to ensure that the appropriate supporting documentation is present before posting them to SAP.

The audit tested the review and challenge function exercised over both PAYEs related to the previous fiscal year that have yet to be cleared and PAYEs recorded as part of the year-end procedures. For both types of transactions sufficient evidence was provided to demonstrate adequate management oversight. Our review demonstrated that financial officers review and challenge the completeness, validity and accuracy of transactions payable at year end.

1.6 System access and segregation of duties

Audit criterion: Access to SAP is restricted and the segregation of duties is enforced.

The Financial Operations Directorate in the shared service partnership is responsible for the controls over the access to SAP and the enforcement of the segregation of duties.

Segregation of duties is a key concept for internal controls, which mitigates the occurrence of fraud and errors. An example of incompatible duties that must be segregated is the maintenance of vendor master files and the recording of purchase orders. To monitor the segregation of duties in the departmental financial system, the Agency follows tests that have been standardized across the federal government. These tests are based on a matrix of critical functions which rate risk as low, medium or high. Prior to granting or modifying access, the Financial Operations Directorate in the shared service partnership performs these tests to ensure that it does not result in incompatible functions. In addition, on a regular basis, the Corporate Service Branch in the shared service partnership conducts tests to monitor the segregation of duties.

Using computer-assisted audit techniques, auditors tested functions to determine whether individuals had access to incompatible functions. The results indicated that no users had access to incompatible duties, during fiscal year (for example: the posting of invoices in the departmental financial system and the processing of payments).

In conclusion, controls over the access to SAP and the enforcement of the segregation of duties are operating effectively.

1.7 Journal entry review

Audit criterion: Journal entries are reviewed by a second person and accompanied by appropriate supporting documentation.

The Office of the Chief Financial Officer has the primary responsibility for the controls over the journal entries. The Financial Operations Directorate has a policy and quality assurance responsibilities.

At the time of our audit, there was no policy incorporating journal voucher requirements. However, the Financial Operations Directorate (FOD) issued a publication on March 22, 2013 advising of the requirement for more stringent verification controls for routine and non-routine Journal Vouchers. At that time, it was also indicated that a policy on journal vouchers would be forthcoming for the Portfolio.

In its publication, FOD indicated that:

“…Journal Vouchers (JVs) are one of the methods of making adjustments to accounts in SAP, and must be properly controlled to ensure that financial information accurately reflects the activities of the Agency. As part of the ongoing testing of financial processes, gaps in controls have been identified. These gaps must be successfully addressed in order to have auditable Financial Statements. One of the deficiencies noted has been in the area of verification controls for routine and non-routine journal vouchers.

A journal voucher (JV) request must include:

• The journal voucher request form;
• a source document such as a copy or screen-print of the SAP Detailed Expenditure (100) Report and/or other supporting documentation;
• a description / reason for the JV; and
• approval by the responsible financial manager(s).”

As part of our audit, we found inconsistent documentation and review procedures in place for the processing of JVs. Journal voucher forms are rarely used and we found many occasions where there were no signs of review by a second person, that is, the responsible financial manager.

The weaknesses in the internal controls surrounding JV’s could lead to potential material misstatement. The MVR process is a compensating control but it is still expected that JV’s be entered, reviewed and documented appropriately.

However, based on the recent initiatives taken by the Financial Operations Directorate through its publication and intention to adopt a formal policy is a key step in strengthening the internal controls over JV. For this reason, no recommendation is made in this report.

2. Select key financial controls specific to classes of transactions

2.1 Grants and contribution agreements

Audit criterion: Select key financial controls specific to the processing of grants and contributions agreements are operating effectively.

The Office of the Chief Financial Officer’s Centre for Grants and Contributions is responsible for the controls over the grants and contributions agreements.

Agreement/Recipient risk assessments

The Agency utilizes the “Enterprise Risk Management Agreement/Recipient Risk Assessment Tool” that has been designed to assess and manage risks associated with recipients and funding agreements. This tool is to be used to assess risks annually for all funding agreements, as well as to reassess risks for existing multi-year agreements.

The recipient’s risk rating profile determines the risk tolerance strategy, which includes risk mitigating activities such as determining the amount of advance payments, establishing applicable holdbacks, and monitoring activities. This means that recipients with the highest risk receive pre-payments on a quarterly basis, and are subject to a maximum holdback on the final payment, as opposed to recipients with a low risk to which a single pre-payment can be made at the start of the year, with no or a minimum holdback.

The audit reviewed a sample of contribution agreements for fiscal year 2012-13 and found that the required risk assessments had been completed.

Reconciliation of payment transactions between grants and contributions systems and the departmental financial system

Grants and contributions payment requests are initiated in the Lotus Notes Grant and Contribution Database. Reconciliations between this system and SAP, contribute to providing assurance that grants and contributions agreement expenditures are complete and accurate.

Reconciliations of the Lotus Notes Database to SAP are included in the Agency’s process documentation. However, the audit found that no reconciliation is performed between the payments and commitments processed in the Lotus Notes database and SAP. As a result, there is no evidence that the commitments and payments transferred to SAP are complete and accurate.

Review and close-out of contributions agreements

Review and close-out of contribution agreements are necessary to ensure that all the terms and conditions have been met and that receivables arising from overpayment are recorded in the departmental financial system and collected, as required.

The current process does not ensure that all contribution agreement receivables are recorded in SAP. The information regarding outstanding balances is only communicated to Accounting Operations by Program once the reimbursement is received.

As part of our audit, we reviewed a sample of contribution agreements. One of these agreements included an overpayment in fiscal year 2012-13 that was not captured in the Agency’s financial records. Overall, we noted that no accounts receivable for known balances owing were processed by Accounting Operations and that no accrued receivables for estimated amounts owing were recorded through the year-end financial reporting process.

Our testing and interviews demonstrated that accounts receivable for overpayments related to both on-going and closed contribution agreements are not captured in the financial statements, and that improvements are needed to ensure the accuracy of financial information in SAP.

Recommendation 3

It is recommended that the Chief Financial Officer ensure that reconciliations between the Lotus Notes Grant and Contribution Database and SAP are prepared on a monthly basis and that all variances are investigated. A reconciliation should also be prepared as at March 31, 2013 to ensure that amounts reported in SAP are complete and accurate.

Management response

Management agrees with this recommendation.

The Office of the Chief Financial Officer will perform a reconciliation between the Grants and Contributions Database and SAP on a going forward basis effective immediately to ensure that amounts reported in SAP are complete and accurate.

Recommendation 4

It is recommended that the Chief Financial Officer ensure that coordination is improved between accounting offices and contribution programs, to ensure that all receivables, including those resulting from annual overpayments or close-out of contribution agreements, are recorded in the departmental financial system in an accurate and timely manner.

Management response

Management agrees with this recommendation.

The Office of the Chief Financial Officer, in collaboration with accounting offices, will initiate enhancements required to identify and record contributions receivables in an accurate and timely manner.

2.2 Salaries and wages expenses

Audit criterion: Compensation verifiers review payroll registers to confirm accuracy of payroll transactions.

Compensation verifier review of pay registers

The Corporate Services Branch – HR Directorate, in the shared service partnership is responsible for the controls over the pay registers.

According to the TB Directive on Financial Management of Pay Administration and Guideline on Common Financial Management Business Process for Pay Administration, responsibilities for FAA Section 34 certification are to be shared between cost centre managers, compensation advisors and compensation verifiers, at different stages of the pay administration cycle.

Compensation advisors are responsible for the accuracy of pay input through FAA Section 34 certification. Compensation verifiers are responsible to review the payroll registers and individual salary payments as part of a quality assurance process. This review is the final opportunity to confirm the accuracy of payroll transactions.

The current audit reviewed a sample of 10 employee pay transactions against payroll registers and other output reports for fiscal year 2012-13, to determine whether verification was performed on the accuracy of payments. No payroll processing errors were identified as a result of this review and the pay verification was appropriately documented by compensation verifiers.

FAA Section 33 quality assurance review

The TB Policy on Internal Control states that the Chief Financial Officer (CFO) is responsible for establishing and maintaining a system of internal control that is monitored, reviewed, and that timely corrective measures are taken when issues are identified. This includes a quality assurance review which provides assurance on the adequacy and reliability of the account verification process.

In the context of pay transactions, the current audit reviewed the latest draft of the Compensation Monitoring Framework that was updated in 2013 by the portfolio’s Corporate Services Branch. The framework includes cyclical and on-site monitoring activities that are aimed at providing assurance that controls are effective. It is currently being revised and will include the addition of a sampling strategy using a risk-based approach beginning in 2013-14. Performing this control activity and sharing its results with the CFO is important as it serves to demonstrate whether controls over the pay process are operating effectively, and that account verification over pay transactions is adequate.

In conclusion, pay verifier reviews have been adequately performed and are operating effectively. The implementation of monitoring activities in 2013-14 will provide greater assurance over the adequacy and effectiveness of the account verification process as it relates to pay transactions.

2.3 Purchase of goods and services

Audit criterion: Purchase orders over $10,000 are reviewed for accuracy, completeness and validity.

The Financial Operations Directorate in the shared service partnership is responsible for the controls over the purchase orders.

Review of contracts over $10,000

Up until February 2013, the departmental policy required that all purchases greater than $10,000, as well as all contract amendments regardless of dollar value, be approved by one of the Contract Requisition Control Committees (CRCC). These committees were comprised of procurement and contracting officers and financial officers. The work of CRCCs was tracked in the Contract Requisition and Reporting System (CRRS).

Approval by CRCCs helped to ensure that contractual documents are in accordance with Government Contracts Regulations, relevant policies, departmental delegation of financial authorities, and that an appropriate procurement vehicle is used. In addition to the review being conducted by the procurement officers, the review and approval by the CRCC provided assurance over the validity and accuracy of purchases of goods and services over $10,000.

In February 2013, the Agency implemented a Procurement Service Delivery Model which includes the implementation of new SAP Procure-to-Pay (P2P) technology. In the new process, the CRRS system is no longer in use and the Agency is now using the P2P in SAP. The procurement and contracting functions are now centralized in the two hubs, Winnipeg and Ottawa.

As part of the new process, the majority of contracting and procurement transactions are approved by the Cost Centre Manager (CCM) and by the Procurement Specialist (PG classification).

Some high complexity/high sensitivity requirements will require approval by departmental review committee based on a two-tier governance model as stated below.

• Tier I – New Contract and Requisition Control Committee (CRCC) model.
  • Chaired by the responsible PG-05 managers and supported by subject matter experts, on an ‘as needed’ basis, such as a financial resource, legal, and HR expert.
• Tier II – the Shared Services Contract Review Committee (SS CRC) providing oversight.
  • Chaired by Senior Management at the Department.
  • To complement and support Tier I, the SS CRC will review and recommend for approval any contracts that are particularly complex or deviating from policies and regulations.

The audit tested a random computer-generated sample of 15 contracts, in addition to the review of 25 tests performed by the Financial Operations Directorate’s Internal Control Division, to determine if purchase orders for over $10,000, issued in fiscal year 2012-13, were reviewed appropriately. No significant errors were found.

In conclusion, select key financial controls specific to the purchase of goods and services are operating effectively.

2.4 Acquisition card purchases

Audit criterion: Monitoring of monthly acquisition cards reconciliations and quality assurance reviews of acquisition cards transactions are performed.

The Financial Operations Directorate in the shared service partnership is responsible for the monitoring of monthly acquisition cards reconciliations and the quality assurance reviews of acquisition cards transactions.

Official reconciliation report
Acquisition card purchases are paid prior to reconciliation of purchases by the cardholder and FAA Section 34 certification, as permitted under the TB Directive on Account Verification. To provide assurance over the accuracy and completeness of acquisition card purchases, cardholders are responsible to complete a reconciliation of the transactions to their statement of accounts. The Financial Operations Directorate monitors these reconciliations to ensure that they are adequately completed. Interviews conducted with the Directorate and documentation reviewed, provided evidence that this oversight role is adequately fulfilled.

Quality assurance over acquisition cards
In addition to the monitoring of monthly reconciliations, financial officers conduct quality assurance reviews of acquisition card transactions. All transactions are subject to a minimal quality assurance procedure to ensure that all items included on a statement are reconciled in SAP and that section 34 of FAA is appropriately documented. High risk transactions undergo a full quality assurance review while lower risk transactions are subject to a full quality assurance on a sample basis. Since July 2012, the sample of lower risk transaction has been included as part of the statistical sampling exercise through the use of SAP as is the case for accounts payable transactions. Through this review, selected transactions are examined for appropriate supporting documentation and sign-off. Errors identified through this review are recorded.

The audit tested a sample of monthly statements which included transactions that underwent a full quality assurance to determine whether it was performed adequately and appropriately. No significant errors were identified as a result of this review. However, we have noted that the full quality assurance exercise consistently identifies errors related to the treatment of taxes (GST, HST or PST) made by the cardholders when reconciling their statement. The department may wish to improve the way taxes are being automatically calculated by the system.

Furthermore, although we have found that the quality assurance is being exercised effectively, some of the errors identified through this control require that the cardholder make necessary changes (coding or tax errors). The current error tracking function do not allow for proper follow-up on the required correction and as such, there is little oversight as to whether or not these errors are actually being corrected.

In conclusion, although areas of improvement have been noted, both the reconciliation of payments to acquisition card transactions, and quality assurance review are operating effectively.

2.5 Capital assets

Audit criterion: Controls over the conduct of an annual Capital Assets Review are operating effectively to ensure the capital assets are well managed and properly accounted for.

The Office of the Chief Financial Officer and the Financial Operations Directorate have a shared responsibility of the controls over the effectiveness of the conduct of the annual Capital Assets Review.

The Agency’s Capital Assets Accounting Standard defines capital assets as assets with a useful life greater than one year, and a per-item cost of $10,000 or greater. The Agency holds a variety of capital assets. Aside from buildings, the items include predominantly: machinery and equipment, IT equipment/software, and vehicles.

Physical count of capital assets

In June 2012, the Materiel and Assets Management Division (MAM) division launched the Agency’s third annual Capital Asset Review. This review complies with the requirements stated in the Agency’s Asset Management Policy. The audit reviewed the reports produced as part of the annual review exercise and quality assurance procedures to ascertain whether appropriate actions were taken to address the issues raised in the reports. There were no quality assurance procedures in place to ensure CCMs have entered the right information.

While the current inventory count is conducted by a CCM, there is a need for a quality assurance procedure to be implemented in order for controls over the conduct of the annual Capital Assets Review to be operating effectively.

Recommendation 5

It is recommended that the Chief Financial Officer ensure that a quality assurance procedure be implemented to validate the information provided by the various CCMs at the time of the Capital Asset Inventory Count.

Management response

Management agrees with this recommendation.

The Office of the Chief Financial Officer will ensure that proper quality assurances procedures are in place for the 2013 capital assets inventory exercise and those roles and responsibilities are clearly defined.

In addition, the Office of the Chief Financial Officer will ensure that a challenge function role is played to ensure that the information provided by the CCM is correct and that proper documentation exists.

C – Conclusion

Based on the results of the audit work, it was determined that the Public Health Agency of Canada (Agency)’s internal controls over financial reporting are generally operating effectively to mitigate the risk of material misstatement. However, improvements are required in the execution of individual key controls as noted below.

Common key controls
In terms of the common key controls, those found across the most significant classes of transactions, are found to be operating effectively for the most part. However, areas of improvement were noted in two of the key common controls: Delegation of financial signing authorities and Quality assurance over FAA Section 34 certification.

Specific key controls
These controls supplement the common key controls and help to provide assurance over the completeness and accuracy of financial information. Four of the seven specific key controls were determined to be operating effectively while three areas were identified as requiring improvements. The controls with areas of improvement were identified with respect to the administration of contribution agreements (two controls) and capital assets.

An overview of the effectiveness of key financial controls, which were assessed as part of this audit and aligned with significant classes of transactions, is presented in Appendix B.