Audit of Key Financial Controls – Year 3

October 2015


Executive summary

In support of the Treasury Board of Canada’s Policy on Internal Control, the Public Health Agency of Canada’s (the Agency) Deputy Head and Chief Financial Officer are required to sign an annual representation letter acknowledging their responsibilities for maintaining an effective system of internal controls over financial reporting.

The objective of this audit was to provide reasonable assurance that select key financial controls in support of the Agency’s financial statements are operating effectively. The audit focused on testing the controls that help the Agency meet its control objectives and address management’s responsibility over the completeness, validity and accuracy of its financial reporting. Select controls from two categories of key financial controls were tested as part of the audit: common key controls and specific key controls. The audit covered transaction processing activities for fiscal year 2014-15.

The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Audit. Sufficient and appropriate procedures were performed and evidence gathered to support the accuracy of the audit conclusion.

The audit concluded that select key financial controls in support of the Agency’s financial statements are generally operating effectively.

Improvements are required to strengthen the management of specimen signature cards; reduce the error rates for acquisition card transactions; ensure that sign-off of management variance reports is obtained; ensure that journal voucher entries are supported with appropriate documentation; and ensure that close-out procedures for contribution agreements are conducted in a timely manner.

Management agrees with the five recommendations outlined in the report and has provided an action plan that will improve the effectiveness of the Agency’s internal controls over financial reporting.

A - Introduction

1. Background

Reliable financial reporting provides transparency and accountability for public funds spent to achieve the Agency’s objectives. To this effect, Treasury Board (TB) has put in place policies to strengthen financial reporting, and requires departments to have an effective risk-based system of internal controls. These include the following:

  • The TB Policy on Internal Control requires that the Deputy Head sign an annual departmental Statement of Management Responsibility Including Internal Control Over Financial Reporting; and
  • The TB Policy on Financial Resource Management, Information and Reporting requires that the Deputy Head take measures to ensure that the Agency can sustain a control-based audit of its annual financial statements.

In addition, deputy heads and chief financial officers are required to sign an annual Letter of Representation to the Auditor General and the Deputy Receiver General in support of the Public Accounts, covering their responsibilities for internal control over financial reporting and assertions over the integrity of financial information.

In support of the Policy on Internal Control, the Office of the Chief Financial Officer (OCFO) is updating the Internal Control over Financial Reporting (ICFR) Framework, which provides direction for the implementation of the ICFR. It identifies and documents the supporting processes, procedures and related internal controls in place to mitigate financial reporting risks. Five main classes of processes were identified to support reliable financial reporting (see Appendix C):

  • Management of Parliamentary Appropriations;
  • Purchasing, payables and payments, including transfer payments;
  • Payroll;
  • Capital assets; and
  • Financial statement, year-end and reporting.

Health Canada’s Financial Operations Directorate (FOD) provides accounting operations services to the Agency through a Shared Services Partnership (SSP) agreement.

This recurring (annual) audit is aimed at assessing the operating effectiveness of key financial controls. A number of changes took effect in fiscal year 2014-15, including the implementation of a new system for managing transfer payments and the migration of all pay services to a common service provider.

Notwithstanding the changes, the select key financial controls being tested as part of this audit are fundamental to the operation of the Agency and should remain effective in a challenging environment.

2. Audit objective

The objectives of the audit were to:

  • Determine whether select key financial controls in support of the Agency’s financial statements are operating effectively, in order to mitigate the risk of material misstatements in terms of ensuring the validity, completeness and accuracy of the financial transactions reported; and
  • Follow up on the progress made on the implementation of the management action plan developed in response to the previous year’s key financial controls internal audit recommendations.

3. Audit scope

The scope of this audit encompassed a review of the operational effectiveness of key financial controls that are either common or specific to the following significant classes of transactions:

  • Grants and contributions agreements;
  • Salaries and wages expenses;
  • Purchase of goods and services;
  • Acquisition card purchases; and
  • Capital assets.

The audit covered transaction processing activities for fiscal year 2014-15. The controls tested are predominantly within the OCFO and the Shared Services Partnership-Financial Operations Directorate (SSP-FOD), but the audit also reviewed the control activities that fall under the responsibility of the offices of secondary interest and cost centre managers.

4. Audit approach

In assessing the effectiveness of key financial controls, the audit conducted interviews with Agency employees, reviewed documentation (for example, Agency policies and procedures, relevant documentation in support of financial transactions), observed key processes and controls and analyzed financial and non-financial data using computer-assisted audit techniques and tools.

Where possible, reliance was placed on work performed by other parties, such as the Shared Services Partnership-Internal Control Division, to support the Statement of Management Responsibility Including Internal Controls over Financial Reporting.

5. Statement of conformance

In the professional judgment of the Chief Audit Executive, sufficient and appropriate procedures were performed and evidence gathered to support the accuracy of the audit conclusion. The audit findings and conclusion are based on a comparison of the conditions that existed as of the date of the audit, against established criteria that were agreed upon with management. Further, the evidence was gathered in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing. The audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program.

B - Findings, recommendations and management responses

1. Progress made on previous year's recommendations

Audit criterion: Progress is made on the previous year’s recommendations.

Management has fully implemented the committed actions for recommendations made in the previous year’s report (see Appendix F).

Management variance review of expenditures (Recommendation 1)

Management has modified the wording of the signature box on the management variance review (MVR) report to ensure that it reflects the nature of the work performed for post-payroll review of salary expenditures, in support of Financial Administration Act (FAA) Section 34 certification. An updated MVR instructional deck has been provided to branches, outlining the requirement to obtain sign-off at the cost centre manager level, to serve as evidence of FAA Section 34 certification of pay expenditures. Management’s action plan for this recommendation has been fully implemented.

System access and segregation of duties (Recommendation 2)

Management has reviewed security roles and removed access to incompatible duties. Quarterly monitoring of FIRMS’ employees with access to Post-Invoice and Payment Run for production support purposes was also performed. Management’s action plan for this recommendation has been fully implemented.

Salary and wage expenses (Recommendation 3)

Quarterly monitoring and reporting of salary payments was performed. Management’s action plan for this recommendation has been fully implemented.

2. Select key financial controls common to all classes of transactions

2.1 Delegation of financial signing authorities

Audit criterion: Controls over the maintenance of specimen signature cards ensure that delegations of financial signing authorities are valid.

The Financial Operations Directorate (FOD), through the Shared Services Partnership (SSP) agreement, is responsible for the controls over the maintenance of specimen signature cards.

Financial signing authority is delegated to various management levels throughout the Agency by the Minister and the Deputy Head. These authorities are then granted to employees at various management levels by creating and activating specimen signature cards, which are maintained in SAP. There were approximately 3,400 active signature cards in the database as of March 2015.

Certification under FAA Section 33 (payment authority) ensures that payments are subject to authorized requisitions, are lawful charges against the appropriation and are within the appropriations level. This requires that appropriate processes and controls be in place to verify accounts under FAA Section 34, as stated in the Agency’s delegation of financial signing authority document. Section 33 of the FAA relies on the specimen signature cards to substantiate whether an employee has valid Section 34 delegation of financial signing authority. Consequently, it is essential that the controls over the creation and activation of specimen signature cards operate effectively, to comply with the FAA and central agency policy instruments and prevent unauthorized expenditures.

Activation of specimen signature cards

Prior to activating a specimen signature card, specimen signature card editors must verify the validity of the request (for example, approved by a supervisor with delegated authority, mandatory training has been taken, issued to an eligible Agency employee and only one substantive card per individual in most cases).

The audit reviewed specimen signature cards to verify that they were approved by a supervisor with delegated authority and found no significant issues. Tests were also performed to verify that employees have only one active substantive card. The audit found that 3% of cardholders had been issued more than one active substantive card, including instances where cardholders had active specimen signature cards at different management levels (for example, a cardholder with a specimen signature card for the same cost centre(s) at the CCA and the CCM levels). This reduces the reliability and effectiveness of the signature cards as a preventative control. As noted in Section 2.2, the SAP-P2P process relies on the signature card database to determine whether a user has the appropriate level of delegated authority for FAA Section 34 certification and approval. As such, employees with multiple cards may be able to exercise FAA Section 34 approval on invoices that exceed their delegated authority.

Termination of specimen signature cards

An employee’s specimen signature card may be terminated for two reasons: the employee’s responsibilities have changed or the employee has left the Agency. In the first instance, the signature card is edited to reflect the new responsibilities, provided that the employee retains financial signing authority. In the second instance, the signature card is simply cancelled. A mandatory departure process and departure application tool was implemented to facilitate the timely cancellation of cards. Furthermore, SSP-FOD performs an annual review of specimen signature cards as a mitigating control, to cancel any cards that are no longer required.

Since the financial officers rely on the accuracy of the specimen signature card database when conducting FAA Section 33 certification, the termination of signature cards needs to be completed in a timely manner.

The audit assessed the accuracy of the database throughout the year by analyzing the timeliness of the termination of specimen signature cards for departed employees. The audit found instances where specimen signature cards were not cancelled in a timely manner (for example, more than 30 days after the employee’s departure).
 
A mandatory departure application was implemented in 2014, to streamline and automate the process for notifying Finance (and other areas) of an employee’s departure, so that appropriate action can be taken (such as the cancellation of specimen signature cards). However, the use of the departure application was noted as an area for improvement in the Annex to the Statement of Management Responsibility. As a result, management has developed an action plan to ensure that the departure application is used consistently and that all the departure applications are closed on a timely basis.

Overall, improvements are required to ensure the effectiveness of controls over the maintenance of specimen signature cards.

Recommendation 1

It is recommended that the Chief Financial Officer implement controls so that unnecessary specimen signature cards are cancelled on a timely basis.

Management response

Management agrees with the recommendation.

The current procedure requires specimen signature card editors to review and cancel unnecessary cards when a new card is entered. This existing procedure needs to be applied consistently.

2.2 Quality assurance process of FAA Section 34 certification

Audit criterion: The quality assurance performed over Financial Administration Act Section 34 certification is effective.

In accordance with the Treasury Board Secretariat (TBS) Directive on Account Verification, when exercising payment authority for payments, pursuant to Section 33 of the Financial Administration Act (FAA), the Agency employs a risk-based approach to performing the quality assurance review over the FAA Section 34 account verification process. A well‑functioning quality assurance process is a key control, ensuring that a high standard of integrity and accountability is maintained in the spending of public money and supporting sound stewardship of financial resources.

Under Section 34 of the FAA, managers are required to certify that:

  • Goods were supplied or the service rendered;
  • The price charged is in accordance with the contract;
  • Supporting documentation is complete;
  • The financial coding is correct; and
  • The payee is eligible and entitled to the payment.

Source: TBS Directive on Account Verification

The objective of the quality assurance process is to confirm that the FAA Section 34 certification is properly and consistently performed. This provides assurance that transactions are valid, accurate and properly authorized. For high-risk transactions, it acts as a main control to ensure that the transactions are accurate and valid and that errors (if detected) are corrected prior to payment. For low-risk transactions, the quarterly sampling results provide insight into the effectiveness of the FAA Section 34 certification and, if necessary, action plans can be developed. For both types of transactions, errors are corrected where deemed necessary. See Appendix D for the risk profile of transactions.

As illustrated in Figure 1, all transactions undergo a minimum quality assurance, which focuses on verifying the appropriateness of FAA Section 34 authorization, the financial coding and vendor information. The implementation of SAP-P2P has automated the verification of FAA Section 34 authorization for commercial invoices. Minimum quality assurance reviews for payment requests related to contribution agreements are still being conducted manually. A risk profile (low or high) is then assigned, based on the nature and value of the transactions, through a “gating” process.

Figure 1: Quality Assurance Review Process

Source: Shared Services Partnership Statistical Sampling Training Guide

Figure 1: Quality Assurance Review Process - Text Description

As Figure 1 illustrates, every transaction, regardless of whether it is a transfer payment, a commercial invoice or a general accounts payable, is subject to some form of quality assurance to verify the appropriateness of Financial Administration Act Section 34 authorization, the financial coding and vendor information.

Minimum quality assurance reviews are conducted manually for payments related to contribution agreements. As for commercial invoices and general accounts payable, the implementation of SAP-P2P has automated FAA Section 34 authorization.

Once a transaction has gone through a minimum quality assurance, it is then assigned a high or low risk profile, based on its nature and value. High-risk transactions undergo a full quality assurance review, while low-risk transactions are submitted for payment. However, low-risk transactions may be subject to the post-payment quality assurance process, a full quality assurance conducted quarterly on a statistical sampling of transactions.

All transactions deemed as high-risk undergo full quality assurance prior to payment. This includes verifying whether the backup documentation provided supports the payment request, whether the financial coding is appropriate, that claimed amounts are in accordance with the corresponding contract or funding agreement and that procurement documents and payment requests comply with TB and Agency policies.

Those identified as low-risk are paid immediately after a minimal quality assurance is performed; however, they may be subject to a full post-payment quality assurance through quarterly statistical sampling. This process is referred to as the Post-Payment Quality Assurance Process.

Errors identified through quality assurance that call into question the validity of the payment request, such as inappropriate FAA Section 34 financial signing authority or an invoice price that is not in accordance with the contract or funding agreement, must be followed up and corrected.

Table 1 provides a breakdown by risk profile of the transactions recorded in fiscal year 2014‑15. It demonstrates that even though the proportion of high-risk transactions was 12% of the total population in terms of numbers, these transactions represented 88% of the total dollar value.

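Table 1: Transactions by risk profile, fiscal year 2014-15

| Risk Profile | No. of Transactions | No. of Transactions (%) | Value ($M) | Value (%) |
|--------------|---------------------|-------------------------|------------|-----------|
| High         | 4,200               | 12%                     | 293.0      | 88%       |
| Low          | 31,000              | 88%                     | 38.4       | 12%       |
| Total        | 35,200              | 100%                    | 331.3      | 100%      |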

Source: Agency’s financial system, fiscal year 2014-15

Quality assurance over FAA Section 34 account verification encompasses most payment transactions, including grants and contributions, accounts payable, travel claims, honoraria and acquisition cards. However, it does not cover salary and wage expenditures, since they are subject to a different quality assurance process discussed in Section 3.2 of this report.

The main aspects of the quality assurance process include:

  • The gating of transactions;
  • The identification of errors in account verification;
  • The logging of results of the quality assurance review; and
  • The quality assurance or statistical sampling on low-risk transactions.

Gating of transactions for the quality assurance process

The gating of transactions is an important aspect of the quality assurance process. It determines whether a transaction presents a low risk or a high risk, thereby determining the level of quality assurance (minimum or full) to be performed prior to payment.

The audit determined that not all transactions were subject to the gating process. Due to system changes to improve reporting on the use of temporary help services and the implementation of the new grants and contributions management system, new document types were introduced in the Agency’s financial system in 2014-15. The gating profiles were not updated to include these new document types. As a result, transactions for temporary help services paid through acquisition cards were not assigned a risk rating and were not included in the population of low-risk transactions subject to quarterly statistical sampling. Although transactions from the new grants and contributions system were not assigned a risk rating, appropriate quality assurance was performed. Management has since updated the gating profiles for fiscal year 2015-16.

Identification of errors in account verification

The quality assurance review entails verification that FAA Section 34 account verification has been performed properly. This process provides evidence of the effectiveness of FAA Section 34 account verification.

The audit tested a sample of transactions recorded in fiscal year 2014-15 and noted one instance where FAA section 34 was not signed by an authorized officer; one instance where back-up documentation did not support the payment; and one instance where payment was not in accordance with Agency policies.

Logging of results of the quality assurance review

The Shared Services Partnership Statistical Sampling Training Guide requires that all errors identified during the quality assurance review for both low- and high-risk transactions be logged in SAP. This is regarded as the most significant output of the quality assurance process, because it provides the necessary data to report on the overall adequacy and reliability of the account verification process and allows management to develop corrective actions where necessary, in accordance with the TBS Directive on Account Verification.

The audit found that, for the sample of transactions reviewed, errors identified by the quality assurance reviewer had been logged in SAP.

Post-payment quality assurance of low-risk transactions

As noted earlier, all low-risk transactions undergo minimum quality assurance prior to payment. In addition, a sample of these transactions is selected on a quarterly basis, to undergo full post-payment quality assurance. SSP-FOD analyzes errors and develops the action plans. The SSP’s Statistical Sampling Framework provides guidance on corrective actions and follow-up activities (see Appendix E).

Starting in fiscal year 2014-15, management also took quarterly samples of acquisition card transactions separately from other low-risk payments.

The audit examined the results of the statistical sampling on low-risk transactions for fiscal year 2014-15. The results indicate that the error rate for accounts payable transactions was consistently below the tolerable error rate; however, acquisition card transactions exceeded the Agency’s tolerable error rate. It should be noted that, as of March 2015, the Agency had approximately 100 acquisition cards. Efforts were made to address the error rate for acquisition cards, including communications to all card holders; however, this did not have a significant impact, as demonstrated in Table 2.

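Table 2: Statistical sampling error by quarter (2014-15 error rate)

| Low-Risk Transaction Group | Q1    | Q2    | Q3   | Q4    | 2014-15 |
|----------------------------|-------|-------|------|-------|---------|
| Accounts Payable           | 6.5%  | 0.6%  | 0.0% | 2.6%  | 2.4%    |
| Acquisition Cards          | 14.0% | 13.1% | 8.4% | 12.2% | 11.9%   |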

Analysis of the errors identified through statistical sampling of acquisition card transactions showed that errors related to expenditure initiation account for the largest proportion of the errors. Corrective actions consisting mostly of communications with cardholders have had limited effect on reducing the error rate at the Agency level. Furthermore, while action plans developed to address identified errors have reduced the errors related to expenditure initiation, other types of errors have increased, thus offsetting any gains made in this area.

In conclusion, post-payment quality assurance is performed over FAA Section 34 certification. However, action plans developed to address identified errors have not succeeded in reducing the error rates for acquisition card transactions.

Recommendation 2

It is recommended that the Chief Financial Officer develop and implement controls to reduce errors for acquisition card transactions to an acceptable level.

Management response

Management agrees with the recommendation.

The Shared Services Partnership-Financial Operations Directorate will enhance the communication with cardholders to raise awareness and will implement an enforcement strategy to ensure compliance.

2.3 FAA Section 33 certification

Audit criterion: Certification under FAA Section 33 is performed and an appropriate segregation of duties exists with FAA Section 34 certification.

The SSP-FOD is responsible for the quality assurance of FAA Section 33 certification.

The authority to request payments in accordance with Section 33 of the FAA is referred to as payment authority. Pursuant to this section, a financial officer with delegated payment authority must ensure that:

  • FAA Section 34 has been properly exercised by confirming that the Section 34 signatory has a valid delegated authority to authorize the expense and that there is auditable evidence that the quality assurance over the adequacy of the Section 34 account verification has taken place; and
  • Expenditures are a lawful charge against the appropriation.

The FAA Section 33 payment authorization performed by financial officers is a key control for ensuring the accuracy and legality of transactions.

The audit found that certification under FAA Section 33 is performed and an appropriate segregation of duties exists with FAA Section 34 certification.

2.4 Management review of expenditures and commitments

Audit criterion: Cost centre managers review commitments and expenditures recorded in SAP for completeness, validity and accuracy.

The OCFO’s Resource Management and Analysis Division (RMAD) is responsible for coordinating the management variance reporting (MVR) process by providing instruction, advice and Agency-wide tools to branches. RMAD’s financial management advisors (FMA) also support program managers by providing tactical advice and performing a challenge role for commitments recorded in SAP and for forecasted expenditures recorded in the MVR.

Responsibility for the review of actual expenditures and commitments and the development of forecasts rests with program management. Reviews are conducted by cost centre managers (CCM) in consultation with branch business managers and FMAs, with a view to ensuring that the year-end forecast is an accurate reflection of each division’s operational plan. The activity entails a review of the validity, accuracy and completeness of expenses. Business managers within branches are responsible for ensuring that the MVR exercise is adequately conducted and documented, including the collection of MVR sign-off by various levels of management. This process is considered a key control over financial reporting. In 2014-15, the MVR process was conducted on four pre-determined occasions throughout the year (June, August, October and December).

Cost centre manager attestation and sign-off of MVRs

In 2014, the Audit of Key Financial Controls, Year 2, recommended that the OCFO amend the management variance review attestation text to reflect the nature of the work performed for the review of salary expenditures and that sign-off be obtained at the cost centre manager level, to serve as evidence of FAA Section 34 post-payroll certification of pay expenditures. As such, since 2014-15, the MVR also serves as the CCMs’ post-payroll FAA Section 34 certification of the salary and wage expenditures. To that effect, the OCFO modified the wording of the signature box on the MVR report and updated the instructional deck outlining the process for preparing a good forecast with the MVR tool. The deck indicated that CCMs must perform post-payroll FAA Section 34 certification of salaries by performing a post-payroll review of pay expenses under their budgetary responsibility and by signing their MVR. The audit expected that evidence of sign-off of MVRs at the CCM level would be available from branches.

The audit found that the review of commitments and expenditures recorded in SAP for completeness, validity and accuracy met the audit criteria. The review performed on salary expenditures for completeness, validity and accuracy supported CCM post-payroll certification of salary expenditures under FAA Section 34. MVRs were signed at the regional director, director general and branch head levels and retained by the branches and the OCFO.

The audit also found that in most cases, approval of MVRs by budget holders and managers at levels subordinate to the director general and regional director was obtained verbally or by email, and that MVRs were not physically signed. Therefore, there is insufficient evidence that post-payroll FAA Section 34 certification was obtained from CCMs for salary expenditures.

Recommendation 3

It is recommended that the Chief Financial Officer communicate management variance review sign-off requirements and monitor compliance with this requirement, so that sign-off is obtained from cost centre managers with budgetary responsibilities, for the purpose of Financial Administration Act Section 34 post-payroll certification of salary expenses.

Management response

Management agrees with the recommendation.

The Office of the Chief Financial Officer (OCFO) will communicate the requirement to obtain sign‑off for the management variance review forecasts by all cost centre managers. The OCFO will develop ongoing risk-based monitoring as part of the implementation of a controls-based financial framework for the internal control over financial reporting (ICFR).

2.5 Accrued liabilities at year-end

Audit criterion: Review and challenge of payables at year-end are performed to ensure completeness, validity and accuracy.

The OCFO’s RMAD and the Centre for Grants and Contributions are responsible for managing payables at year-end, while the SSP-FOD is responsible for reviewing payables at year-end (PAYE) to ensure that there is appropriate supporting documentation before posting them to SAP.

As per the TB Policy on Payables at Year-End (PAYE), departments and agencies must identify and quantify liabilities to outside organizations and individuals resulting from operations up to and including March 31st of each fiscal year. In the absence of certainty, estimates must be used to determine the amounts of liabilities, as long as reasonably accurate values can be assigned.

As per the Agency’s year-end procedures, cost centre managers and administrators must submit PAYE requests for goods and services of value greater than or equal to $1,000 (except salary‑related items, where the minimum threshold is $400; interdepartmental settlements, where there is no threshold; and grants and contributions, where there is no minimum threshold), for which an invoice has not been received or when accounts payable or payments cannot be recorded by the required cut-off date. In addition, notwithstanding the fact that a PAYE could be established from a reasonable estimate, supporting documentation must be provided for all PAYEs. Where goods are received, a packing slip is sufficient. For consulting services, timesheets and an assessment of the work completed as of March 31st should be provided. This helps to ensure a sufficient audit trail for follow-up purposes.

The audit tested the review and challenge function exercised over both PAYEs related to the previous fiscal year that have yet to be cleared and PAYEs recorded as part of the 2014-15 year-end procedures. For both types of transactions, sufficient evidence was provided to demonstrate adequate management oversight.

In conclusion, the financial officers reviewed and challenged the completeness, validity and accuracy of transactions payable at year-end.

2.6 System access and segregation of duties

Audit criterion: Access to SAP is restricted and the segregation of duties is enforced.

The segregation of duties is a key concept in internal control that mitigates the occurrence of fraud and errors. Duties are incompatible when the same person or function can perform tasks in multiple phases of a single process. An example of incompatible duties that must be segregated is the creation or maintenance of vendor master files and the recording of purchase orders or vendor invoices. Prior to granting or modifying access, SSP-FOD performs tests to ensure that users do not receive access to incompatible functions. In addition, the Corporate Services Branch (CSB), Information Management Services Directorate (IMSD) and SSP-FOD conduct tests to monitor the segregation of duties on a semi-annual basis. In order to monitor the segregation of duties in its financial system, the Agency uses tests that have been standardized across the federal government. These tests are based on a matrix of critical functions that rate risk as low, medium or high.

The audit verified that semi-annual monitoring was conducted by CSB-IMSD and SSP-FOD, and tested the segregation of duties to determine whether employees had access to incompatible functions. Audit tests of segregation of duties found no users with access to incompatible functions. However, the audit found that the semi-annual monitoring exercise was only completed once during fiscal year 2014-15. An improvement opportunity related to access control was identified in the Annex to the Statement of Management Responsibility, and management developed an action plan to communicate roles and responsibilities and to assess frequency of the periodic monitoring exercise by March 2016. Therefore, no recommendation will be made.

In conclusion, SAP access is restricted but monitoring of segregation of duties needs to be performed semi-annually to ensure that the segregation of duties is enforced.

2.7 Journal entry review

Audit criterion: Journal entries are reviewed by a second person and accompanied by appropriate supporting documentation.

Journal vouchers (JV) are used to make adjustments in the Agency’s financial system (SAP), to ensure that financial information is accurate and properly coded. As part of the financial policy renewal project, the Standard on Journal Vouchers was developed to formalize the process and the responsibilities for creating, approving, reviewing and entering JVs into SAP. The audit expected to find that effective controls were in place to ensure that journal vouchers were managed in accordance with Agency standards.

The Standard, approved on November 7, 2014, identifies the supporting documentation and approval requirements for routine and non-routine JVs. Requirements of the new Standard include:

  • JV request form;
  • Written justification that clearly supports the need for the JV;
  • Supporting documentation;
  • Written approval by the JV Approving Authority (for example, CCM);
  • Review of the JV request by the accounting office responsible for processing the JV, and filing of all documentation; and
  • Validation by a second finance officer of JV transactions that have an impact on the Agency’s financial statements.

The audit examined JVs and found that they were reviewed, but noted cases where documentation to support the JV was insufficient.

Recommendation 4

It is recommended that the Chief Financial Officer implement controls over the management of journal vouchers, in accordance with the Agency Standard on Journal Vouchers.

Management response

Management agrees with the recommendation.

The audit samples indicate that control has been improved since the implementation of the Agency Standard on Journal Vouchers in November 2014. Additional training will be provided to ensure compliance with the current standard.

As part of the ICFR assessment for financial close, SSP-FOD annually tests journal voucher samples for the Agency. The annual test results will be shared with the Agency for monitoring purposes.

 

3. Select key financial controls specific to classes of transactions

3.1 Grant and contribution agreements

Audit criterion: Reconciliation of payment requests from GCIMS to SAP is performed. Contribution agreements are reviewed and closed out, to ensure that receivables arising from overpayment are recorded.

The Office of the Chief Financial Officer’s (OCFO) Centre for Grants and Contributions is responsible for the controls over the grant and contribution agreements. In fiscal year 2014-15, expenditures on grants and contributions totalled $250 million.

Reconciliation of payment transactions between grants and contributions systems and the Agency’s financial system

Since the start of 2014-15, the Lotus Notes database has been replaced by the Grants and Contributions Information Management System (GCIMS), which includes linkages to the Agency’s financial system for payment purposes.

Responsibility for the GCIMS to SAP reconciliation process is under the OCFO’s Centre for Grants and Contributions (CGC). A high-level reconciliation report available in GCIMS identifies variances by fund between GCIMS and SAP; however, it does not provide detailed information on items that do not reconcile. Therefore, a detailed reconciliation of GCIMS to SAP financial information is performed manually by CGC at four pre-determined occasions throughout the year and at year-end.

These reconciliations between GCIMS and SAP are key controls in providing assurance that the transmission of grants and contributions expenditures to SAP is complete and accurate, and should be conducted on a regular basis. The audit found that reconciliation of payment requests from GCIMS to SAP was performed.

Review and close-out of contribution agreements

The review and close-out of contribution agreements are necessary to ensure that all the terms and conditions have been met and that receivables arising from overpayment are recorded in the Agency’s financial system and collected, as required.

The audit reviewed a sample of 30 contribution agreements and found that in 10 instances, the close-out review had yet to be completed in GCIMS. Due to the implementation of GCIMS in fiscal year 2014-15, a close-out process had not been fully developed and integrated within GCIMS.

In conclusion, reconciliation of payment requests from GCIMS to SAP was performed. Improvements are required, however, to ensure that contribution agreements are reviewed and closed out, so that receivables arising from overpayment are recorded in a timely manner.

Recommendation 5

It is recommended that the Chief Financial Officer develop and implement procedures for the timely close-out of grants and contributions agreements within the Grants and Contributions Information Management System.

Management response

Management agrees with the recommendation.

The Financial Management section of the Standard Operating Procedures will be updated to clearly reflect the roles and responsibilities of the Centre for Grants and Contributions Operations Team with regard to close-out procedures for grants and contributions using the Grants and Contributions Information Management System. To ensure completeness and that all requirements have been met, training will be provided to the Operations Team, which includes completion of existing financial verification documents such as the cash flow, the payment checklist and the financial summary form, as well as the use of a file content checklist that specifies steps and tools to be used (for example, a copy of any refunds, close-out letter and reminder letter re: closing of a project).

3.2 Salary and wage expenses

Audit criterion: Compensation verifiers review payroll registers to confirm accuracy of payroll transactions.

Compensation verifier review of pay registers

According to the TBS Directive on Financial Management of Pay Administration and the Guideline on Common Financial Management Business Process for Pay Administration, responsibilities for FAA Section 34 certification are to be shared between cost centre managers and Pay Centre verification advisors at different stages of the pay administration cycle.

In 2014-15, as a result of the Transformation of Pay Administration Initiative, the administration of all Agency payroll files, along with the authority to conduct FAA Section 34 certification of pay input components, was transferred to a common service provider. Since the transfer of pay files, the Agency no longer performs pay administration activities and relies on the common service provider to obtain assurances on the effectiveness of controls over salary transactions. The service provider will provide such assurance by issuing quarterly Quality Assurance Review Reports and an annual Letter of Representation.

FAA Section 33 quality assurance review

The adequacy and reliability of the account verification process on payroll transactions is the responsibility of the OCFO. The TBS Directive on Account Verification states that: “Financial officers are responsible for ensuring that payments and interdepartmental settlements are verified when exercising payment authority for payments pursuant to Section 33 of the Financial Administration Act.” The Directive further states that: “although account verification is normally performed prior to payment, completing account verification after the payment has been made is permitted in certain situations.”

The audit found that during 2014-15, the Agency has not received assurance that controls over payroll transactions were effective since the Agency received only one Quality Assurance Review Report that covered transactions for March and April 2014. This is a government-wide challenge. The Agency relied on the management variance review process as a compensating control to ensure the accuracy of payroll transactions.

Since April 2015, quality assurance reviews have resumed, with the first 2015-16 Quarterly Quality Assurance Review Report being provided to the Agency in August 2015. Management indicated that a government-wide meeting is expected to be held with the common service provider in fiscal year 2015-16, to discuss the Letters of Representation to be issued and the management action plan on quality assurance reviews.

In conclusion, the Agency was not provided with assurance to confirm accuracy of payroll transactions by the common service provider. No recommendation will be made, given that a government-wide meeting will be held this fiscal year to resolve the matter.

3.3 Purchase of goods and services

Audit criterion: Purchase orders over $10,000 are reviewed for accuracy, completeness and validity.

Review of contracts over $10,000

The SSP-FOD is responsible for the controls over purchase orders.

Proposals for the procurement of goods and services are reviewed and/or prepared by procurement specialists. This helps to ensure that contractual documents are in accordance with Government Contracts Regulations and relevant policies and Agency delegation of financial authorities, and that an appropriate procurement vehicle is used. This review also provides assurance over the validity and accuracy of the purchase of goods and services over $10,000.

The audit found that purchase orders over $10,000 were reviewed for accuracy, completeness and validity.

3.4 Acquisition card purchases

Audit criterion: Monitoring of monthly acquisition card reconciliations and quality assurance reviews of acquisition card transactions are performed.

The SSP-FOD is responsible for the monitoring of monthly acquisition card reconciliations and the quality assurance reviews of acquisition card transactions.

Official reconciliation report

Acquisition card purchases are paid prior to the reconciliation of purchases by the cardholder and the FAA Section 34 certification, as permitted under the TBS Directive on Account Verification. To provide assurance of the accuracy and completeness of acquisition card purchases, cardholders are responsible for completing a reconciliation of the transactions with their statement of accounts.

The SSP-FOD monitors these reconciliations to ensure that they are adequately completed. The documentation reviewed provided evidence that this oversight role is adequately fulfilled. The audit found that monitoring of reconciliations was performed.

Quality assurance over acquisition cards

In addition to the monitoring of monthly reconciliations, financial officers conduct quality assurance reviews of acquisition card transactions. All transactions are subject to a minimal quality assurance procedure, to ensure that all items included on a statement are reconciled in SAP and that Section 34 of the FAA is appropriately documented. High-risk transactions undergo a full quality assurance review, while lower-risk transactions are subject to a full quality assurance on a sample basis. As noted in Section 2.2, a sample of lower-risk transactions has been included as part of the statistical sampling exercise through the use of SAP, as is the case for accounts payable transactions. Through this review, selected transactions are examined for appropriate supporting documentation and sign-off. Errors identified through this review are recorded, and action plans are developed to address issues noted.

The audit tested a sample of monthly statements, which included transactions that underwent a full quality assurance to determine whether it was performed adequately and appropriately. The audit found that quality assurance reviews of acquisition cards transactions were performed adequately. Errors on acquisition card transactions have been identified, as noted in Section 2.2, and the error rate on acquisition card transactions has remained high despite efforts to reduce it. A recommendation has been made in Section 2.2 of this report (see Recommendation 2).

Overall, the reconciliation of payments to acquisition card transactions was operating effectively, and quality assurance reviews were conducted. However, improvements are required to reduce the error rate on acquisition card transactions.

3.5 Capital assets

Audit criterion: The annual capital assets review is conducted to ensure a proper accounting of capital assets.

The OCFO and the SSP-FOD share the responsibility for the controls over the effectiveness of the conduct of the annual capital assets review.

The Agency’s Capital Assets Accounting Standard defines capital assets as assets with a useful life greater than one year and a per-item cost of $10,000 or greater. The Agency holds a variety of capital assets. Aside from buildings, the items include mostly machinery and equipment, vehicles and IT equipment and software.

Physical count of capital assets

The SSP-Materiel and Assets Management Division conducts the Agency’s annual capital asset review. This review complies with the requirements stated in the Agency’s Asset Management Policy. The audit reviewed the reports produced as part of the annual review exercise, as well as the quality assurance procedures, to ascertain whether appropriate actions were taken to address the issues raised in the reports. The review showed that the physical count of the capital asset inventory was conducted and appropriate actions were taken to address issues raised.

In conclusion, an annual capital assets review is conducted to ensure proper accounting of capital assets.

C - Conclusion

The audit concluded that select key financial controls in support of the Agency’s financial statements are generally operating effectively.

Improvements are required to strengthen the management of specimen signature cards; reduce the error rates for acquisition card transactions; ensure that sign-off of management variance reports is obtained; ensure that journal voucher entries are supported with appropriate documentation; and ensure that close out procedures for contribution agreements are conducted in a timely manner.

The areas for improvement noted in this report will collectively strengthen the effectiveness of the Agency’s internal controls over financial reporting.

Appendix A - Lines of enquiry and criteria

Audit of Key Financial Controls, Year 3

| Criteria title | Audit criteria |
|---|---|
| Line of enquiry 1: Progress made on the previous year’s recommendations | |
| Line of enquiry 2: Select key financial controls common to all classes of transactions | |
| 2.1 Delegation of financial signing authorities | Controls over the maintenance of specimen signature cards ensure that delegations of financial signing authorities are valid. |
| 2.2 Quality assurance process over FAA Section 34 certification | The quality assurance performed over Financial Administration Act Section 34 certification is effective. |
| 2.3 FAA Section 33 certification | Certification under FAA Section 33 is performed and an appropriate segregation of duties exists with FAA Section 34 certification. |
| 2.4 Management review of expenditures and commitments | Cost centre managers review commitments and expenditures recorded in SAP for completeness, validity and accuracy. |
| 2.5 Accrued liabilities at year‑end | Review and challenge of payables at year-end are performed to ensure completeness, validity and accuracy. |
| 2.6 System access and segregation of duties | Access to SAP is restricted and the segregation of duties is enforced. |
| 2.7 Journal entry review | Journal entries are reviewed by a second person and accompanied by appropriate supporting documentation. |
| Line of enquiry 3: Select key financial controls specific to classes of transactions | |
| 3.1 Grants and contributions payments | Reconciliation of payment requests from GCIMS to SAP is performed. Contribution agreements are reviewed and closed out to ensure that receivables arising from overpayment are recorded. |
| 3.2 Salary and wage expenses | Compensation verifiers review payroll registers to confirm accuracy of payroll transactions. |
| 3.3 Purchase of goods and services | Purchase orders over $10,000 are reviewed for accuracy, completeness and validity. |
| 3.4 Acquisition card purchases | Monitoring of monthly acquisition card reconciliations and quality assurance reviews of acquisition card transactions are performed. |
| 3.5 Capital assets | The annual capital assets review is conducted to ensure a proper accounting of capital assets. |

 

Appendix B – Scorecard

Audit of Key Financial Controls, Year 3

| Line of enquiry | Responsibility | 2013 Recs | 2014 Recs | 2015 Recs | Rating |
|---|---|---|---|---|---|
| Line of enquiry 1: Prior years' recommendations | | | | | |
| Progress made on prior year's recommendations | | | | | Satisfactory |
| Line of enquiry 2: Select key common controls | | | | | |
| 1. Delegation of financial signing authorities | SSP-FOD | 1 | | 1 | Needs minor improvement |
| 2. Quality assurance of FAA Section 34 certification | SSP-FOD/OCFO | 2 | | 2 | Needs moderate improvement |
| 3. FAA Section 33 Certification | SSP-FOD | | | | Satisfactory |
| 4. Management review of expenditures and commitments (MVR exercise) | RMAD | | 1 | 3 | Needs minor improvement |
| 5. Accrued liabilities at year-end | RMAD / CGC | | | | Satisfactory |
| 6. System accesses and segregation of duties | SSP-FOD | | 2 | | Needs minor improvement |
| 7. Journal entry review | SSP-FOD | | | 4 | Needs moderate improvement |

Line of enquiry 3: Select key specific controls

| Line of enquiry | Responsibility | 2013 Recs | 2014 Recs | 2015 Recs | Statement of Operations: Grant and Contribution Agreements | Statement of Operations: Salaries and wages | Statement of Operations: Purchase of goods and services | Statement of Operations: Acquisition card purchases | Balance Sheet: Capital Assets |
|---|---|---|---|---|---|---|---|---|---|
| 1a. Reconciliation of payment transactions between contribution systems and SAP | CGC | 3 | | | Satisfactory | | | | |
| 1b. Review and close-out of contribution agreements | CGC | 4 | | 5 | Needs minor improvement | | | | |
| 2. Quality assurance of payroll (peer verification) | HRSD-SSP | | 3 | | | Needs minor improvement | | | |
| 3. Review of contracts over $10,000 | SSP-FOD | | | | | | Satisfactory | | |
| 4. Reconciliations of card statements of account | SSP-FOD | | | | | | | Satisfactory | |
| 5. Physical count of capital assets | SSP-FOD/ OCFO | 5 | | | | | | | Satisfactory |

 

Appendix C – The Public Health Agency of Canada’s internal control over financial reporting framework

Internal Control over Financial Reporting Framework (ICFR)

Control Environment

  • Entity Level Controls
  • Information Technology General Controls

Financial Risk Assessment and Financial Risk Management

  • Financial Reporting Objectives
  • Financial Reporting Risks

Monitoring

  • Ongoing and Separate Monitoring and Assessment
  • Reporting and Deficiencies

Control Activities

For each business process below:

  1. integration with assessment of risks over financial reporting
  2. supporting policies and procedure assessment
  3. management of information (e.g., IT Applications Controls and Database and Records Management controls)
Management of Parliamentary Appropriations
  • Budgeting/Forecasting
  • Funding Resource Allocation
Revenue/Receivables/Receipts
  • Revenues
  • Accounts Receivable
  • Cash Receipts
Purchasing/Payables/Payments
  • Transfer Payment
  • Contracting/Procurement
  • Travel
Payroll
  • Employee Data Management
  • Payroll Processing
Capital Assets
  • Asset Lifecycle Management
Financial Statement, Year-End and Reporting
  • General Ledger Maintenance
  • Year-end Processes
  • Financial Statements Preparation
  • Accruals and Management Estimates
Information and Communication
  • Financial Reporting Information
  • Internal Communications
  • Internal Control Information
  • External Communications

Appendix D – Risk profile of transactions

High-risk transactions include highly sensitive transactions, for example when an error in payment is non-recoverable or when payments are largely judgmental, subject to interpretation, involve very large dollar amounts or are considered highly error prone.

| High-risk transactions | Threshold |
|---|---|
| General accounts payable invoices | Greater than $25,000 |
| Grants and Contributions | Any amount |
| Conference | |
| Court awards (federal and other) and damage and other claims against the Crown | |
| Ex gratia payments | |
| Honoraria | |
| Relocation | |
| Travel – non-public servants | |
| Membership fees (for example, fees for professional designations) | |
| Travel – public servants | $1,500 or greater |
| Hospitality | |

Low-risk transactions include transactions that are not sensitive in nature, have little or no potential financial loss associated with them or have a low error rate with a low dollar-value impact of error, usually to medium dollar value, and are recoverable.

| Low-risk transactions | Threshold |
|---|---|
| General accounts payable invoices | Up to $25,000 |
| Travel – public servants | Less than $1,500 |
| Hospitality | |
| Non-insured health travel | Any amount |

Source of information: Shared Services Partnership’s Statistical Sampling Framework.

Appendix E – Corrective actions and follow-up activities

The Treasury Board Secretariat Directive on Account Verification notes that financial officers are responsible for requesting corrective action when critical errors are identified during the quality assurance process for payment authority. Based on the results of the sampling period, accounting offices will take immediate corrective actions and may also determine that an action plan for follow-up be developed.

Corrective actions

All critical errors identified during the pre- and post-payment process must be corrected by the accounting office, and the Section 34 manager must be informed of the error. A critical error is an error serious enough to require that the payment should not be/have been made, for example:

  • Section 34 is not signed by an authorized officer for the cost centre.
  • Back-up documentation does not support the payment.
  • Amount of the payment is not in accordance with or exceeds the price or payment terms contained in the procurement document.

For non-critical errors, corrections will be made by the accounting office when it is considered efficient; however, in all cases the Section 34 manager should be informed of the error. A non-critical error is an error indicating that the requirements of Section 34 account verification were not fully complied with at the time of payment; however, the error was not serious enough to prevent payment or to negatively impact financial information recorded in the financial system.

If the account verification completed by a specific Section 34 signatory is found to be continually inadequate, there may be a requirement to suspend Section 34 authority.

Follow-up activities

Accounting offices will implement follow-up activities aimed at reducing errors, while strengthening the Agency’s oversight role. Follow-up will include, for example:

  • Reviewing sampling results and identifying problematic areas.
  • Working with branches, programs and cost centre managers to further define issues and assist in identifying potential solutions.

Further analysis may be required by the accounting office to identify whether a specific organization, transaction type, etc., is the cause of the error. A separate quarterly sample for continued errors for these transactions may be generated.

Source of information: Shared Services Partnership's Statistical Sampling Framework.

Appendix F - Overview of progress made on previous year's recommendations

Recommendation 1: Modified the management variance review attestation text to ensure that it reflects the nature of the work performed for the review of salary expenditures; and amended the management variance review process to include sign-off at the cost centre manager level, to serve as evidence of Financial Administration Act Section 34 certification of pay expenditures.

Accountability: Office of the Chief Financial Officer (OCFO)

| Actions | Initial Date | Status |
|---|---|---|
| 1. Work with Accounting Operations and Systems to ensure that the management variance review attestation text is modified to reflect the nature of the work performed related to the review of salary expenditures. | 2014-12-31 | 5 |
| 2. Communicate the requirement to obtain sign-off for management variance review forecasts by all cost centre managers. | 2014-12-31 | 5 |

Recommendation 2: Review and strengthen access controls for the Agency’s financial system to ensure that mutually exclusive roles cannot be assigned to a single user.

Accountability: Accounting Operations and Systems Division, FOD, Shared Services Partnership

| Actions | Initial Date | Status |
|---|---|---|
| 1. Review the security access of the users with incompatible duties and make adjustments to security roles or remove user access to security roles. | 2015-03-31 | 5 |
| 2. Perform quarterly monitoring of the FIRMS’ employees with access to Post Invoice and Payment Run for production support purposes, to ensure that no transactions are posted. | 2015-03-31 | 5 |

Recommendation 3: Conduct cyclical and ongoing monitoring activities for salary payments

Accountability: Human Resources, Corporate Services Branch in the Shared Services Partnership

| Actions | Initial Date | Status |
|---|---|---|
| 1. Conduct quarterly monitoring and reporting, in accordance with the CSB Compensation Monitoring Framework. | 2015-05-30 | 5 |
