Follow-up to the 2006 Audit of Departmental Financial Controls

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Audit and Evaluation Branch 
Industry Canada

Recommended for Approval to the Deputy Minister by the DAC on

Approved by the Deputy Minister on

This publication is available upon request in accessible formats.

Contact:  
Multimedia Services Section  
Communications and Marketing Branch

Industry Canada  
Room 264D, West Tower  
235 Queen Street  
Ottawa ON K1A 0H5

Tel.: 613-948-1554
Fax: 613-947-7155
Email: ic.cmb-creative.ic@canada.ca


Permission to Reproduce

Except as otherwise specifically noted, the information in this publication may be reproduced, in part or in whole and by any means, without charge or further permission from Industry Canada, provided that due diligence is exercised in ensuring the accuracy of the information reproduced; that Industry Canada is identified as the source institution; and that the reproduction is not represented as an official version of the information reproduced, nor as having been made in affiliation with, or with the endorsement of, Industry Canada.

For permission to reproduce the information in this publication for commercial redistribution, please email: copyright.droitdauteur@pwgsc.gc.ca

Aussi offert en français sous le titre Suivi de la vérification des contrôles financiers ministériels de 2006.


Table of Contents


Executive Summary

The Follow-up to the Audit of Departmental Financial Controls, which was tabled and approved at the Audit and Evaluation Committee in September 2006, was conducted during the period from May 2007 to February 2008. The follow-up assessed the extent of implementation of the management actions identified in the Management Action Plan for the 2006 audit and was conducted in accordance with the 2007–2008 Audit Plan approved by the Departmental Audit and Evaluation Committee.

The 2006 audit could not provide assurance that financial processes were being carried out in a consistent manner and that all required financial controls were in place and operating as intended. This placed the Deputy Minister and the Chief Financial Officer at risk of not being able to assess the design, implementation and maintenance of internal controls at a departmental level. The 2006 Audit Report contained 15 recommendations, the most critical of which addressed issues related to the exercising of departmental functional authority as well as those related to account verification and monitoring practices.

The results of the follow-up indicate that responsible officials have, for the most part, implemented the proposed actions to address the recommendations contained in the 2006 Audit Report. The Management Action Plan was prepared on the understanding that there would be no organizational changes or changes to reporting relationships with respect to the financial management function in the department. As a result, responsibility for those functions in the regions and autonomous units would continue to reside in the former Operations Sector and not with the Chief Financial Officer. As such, the Action Plan included the development of a Financial Control Framework to support a decentralized reporting structure wherein the ADMs of the new Regional Operations and Small Business and Marketplace Services sectors would be accountable for the financial activities within their respective sectors, but which did not apply to other organizational units in the department. The Framework outlined financial roles, responsibilities and accountabilities, with an increased focus on financial monitoring across the Sector, including liaising and reporting to the Comptrollership and Administration Sector (CAS) and sector heads. At the time of the follow-up, the Regional Operations and Small Business and Marketplace Services sectors, and the autonomous organizations reporting through these sectors, accounted for approximately 50 percent of all departmental financial officers exercising S.33 payment authority.

Subsequent to the Action Plan, in order to strengthen financial control practices from a departmental perspective, CAS entered into MOUs with the Regional Executive Directors and the heads of discrete organizations (Measurement Canada (MC), Canadian Intellectual Property Organization (CIPO), and FedNor) to provide CAS oversight of the account verification processes within regions/discrete organizations. These organizations were required to provide CAS with a detailed work plan of their account verification and monitoring activities and provide assurance, in the form of an annual sign-off, that the operation of financial processes and controls for which they are responsible are effective and reliable. In turn, CAS established an increased functional role over departmental financial control activities by creating a Functional Relationship Model and reorganizing CAS-FMMD to support such a model. Key features of this model included: having CAS as the single point of contact for questions related to account verification issues, coordinating monitoring and reporting requirements with regions and discrete units, performing regional visits, establishing a quality assurance unit to audit the quality of account verification processes and confirming compliance to the framework developed by the regional offices.

Further, since the approval of the Action Plan, other events have occurred which will impact on internal financial control systems in the Department. In 2006, CAS initiated a readiness assessment exercise to determine whether financial controls and capacities are in place to sustain ongoing audits by the Office of the Auditor General, the second phase of which includes the documentation of financial processes and internal controls which are key to support the preparation of departmental financial statements. It is CAS' intention to keep the documentation of these processes and controls evergreen. Also, in 2006, through the Federal Accountability Act, deputy ministers were designated as departmental accounting officers, which will impact how financial functional authority is exercised in the department. Specific responsibilities include ensuring that resources are organized to deliver departmental objectives in compliance with government policy and procedures and ensuring that there are effective systems of internal control.

The challenge remaining however is the absence of a financial control framework for the department as a whole. Audit testing of transactions during the follow-up noted significantly lower error rates for those organizations governed by the Financial Control Framework as compared to those organizations not governed by a framework. Approximately one-half of all officers exercising Section 33 FAA payment authority are still not bound by the requirements of the Regional Operations/SBMS framework. It is noted that CAS has indicated that a department-wide framework, to be modelled on the Regional Operations/SBMS framework, will be implemented early in 2008–09.

In light of the follow-up results, and given the absence of a department-wide financial control framework, it is recommended that a departmental audit of departmental financial controls be carried out during FY 2009–10 to assess the adequacy of the department's financial control framework. The purpose of such an audit would be to ensure that allocated funds are spent for their intended purposes within approved limits, and that appropriate controls are maintained over expenditures in compliance with applicable authorities.

Further, since the approval of the Action Plan, other events have occurred which will impact on internal financial control systems in the Department. In 2006, CAS initiated a readiness assessment exercise to determine whether financial controls and capacities are in place to sustain ongoing audits by the Office of the Auditor General, the second phase of which includes the documentation of financial processes and internal controls which are key to support the preparation of departmental financial statements. It is CAS' intention to keep the documentation of these processes and controls evergreen. Also, in 2006, through the Federal Accountability Act, deputy ministers were designated as departmental accounting officers, which will impact how financial functional authority is exercised in the department. Specific responsibilities include ensuring that resources are organized to deliver departmental objectives in compliance with government policy and procedures and ensuring that there are effective systems of internal control.

The challenge remaining however is the absence of a financial control framework for the department as a whole. Audit testing of transactions during the follow-up noted significantly lower error rates for those organizations governed by the Financial Control Framework as compared to those organizations not governed by a framework. Approximately one-half of all officers exercising Section 33 FAA payment authority are still not bound by the requirements of the Regional Operations/SBMS framework. It is noted that CAS has indicated that a department-wide framework, to be modelled on the Regional Operations/SBMS framework, will be implemented early in 2008–09.

In light of the follow-up results, and given the absence of a department-wide financial control framework, it is recommended that a departmental audit of departmental financial controls be carried out during FY 2009–10 to assess the adequacy of the department's financial control framework. The purpose of such an audit would be to ensure that allocated funds are spent for their intended purposes within approved limits, and that appropriate controls are maintained over expenditures in compliance with applicable authorities.

1.0 Background

The Audit and Evaluation Branch conducted a follow-up of the Departmental Financial Controls Audit which was tabled and approved at the Audit and Evaluation Committee in September 2006. The purpose of the follow-up was to assess the extent of the implementation of the completed management actions identified in the Management Action Plan.

The initial audit could not provide assurance that financial processes were being carried out in a consistent manner and that all required financial controls were in place and operating as intended. Further, the Deputy Minister and the Chief Financial Officer were at risk of not being able to assess the design, implementation & maintenance of internal controls at a departmental level.

The initial audit concluded the following as it related to each of the activities/elements examined:

Table 1
Subject Observation
Existence of Policies, Procedures and Guidelines Most financial policies, procedures and guidelines have been developed and communicated; however, auto-post and the complementary post-audit processes have not been documented.
Exercise of Departmental Functional Authority There was a need for financial processes to be carried out consistently across the department.
Organization of Financial Management in Regions and Discrete/Autonomous Organizations Officers in regions exercise payment authority without having clear assurance that they can rely on audit verification activities taking place in satellites offices.
Access Controls and Related Security Issues For the most part, IFMS access controls and related security measures were in place and operating as intended, however some controls could be strengthened.
Verification of the Authority to Approve Assistance Absence of documentation in the financial files to demonstrate that departmental grants and contribution payments had been approved by officials with delegated authority.
Claim Verification Process for G&C Payments Financial Officers have not established a process to assess the effectiveness of the claim verification process at the program level.
Account Verification Process for O&M Transactions A number of weaknesses in both account verification (Section 34 of the FAA) and payment approval (Section 33 of the FAA).
Financial Controls Over Collaborative Agreements Some weaknesses existed in the management of Specified Purpose Accounts.
Organization of Financial Files Weaknesses existed in the organization of HQ's financial files.
Training Programs Financial training courses did not address all key risk areas
Oversight of Expenditure Management Accountability Opportunities existed to strengthen aspects of the Corporate Comptroller's oversight role.
Oversight of Acquisition Cards Process Opportunities existed to strengthen the monitoring of acquisition card transactions.

The audit findings, conclusions and recommendations of the audit were accepted by the responsible management.

2.0 Objective of the Follow-up

The objective of the follow-up to the initial audit was to assess the extent to which departmental management has made progress in implementing its intended course of action arising from the recommendations contained in the September 2006 Departmental Financial Controls Report.

3.0 Scope of the Follow-up

The follow-up was department-wide in scope and encompassed the responsibilities assigned to all levels of Industry Canada management, the framework of financial control within the department as well as policies and procedures in place. The follow-up included an on-site review of processes and detailed sampling of expenditures within the Ontario, Quebec and Prairie and Northern regional offices. The Communications Research Centre (CRC), Measurement Canada Headquarters (MCHQ) and the Canadian Intellectual Property Office (CIPO) were also visited as discrete organizations exercising Section 33 of the Financial Administration Act (FAA).

This follow-up covered departmental O&M expenditures made during the fiscal year 2007/08 to the end of October 2007. The follow-up also included expenditures incurred within transfer payment programs, but excluded payments of salaries and salary-related costs and controls over departmental revenues.

4.0 Approach and Methodology

Follow-up efforts were carried out in two phases.

Phase I consisted of interviews with financial staff of the Comptroller and Administration Sector (CAS) as well as site visits to the Ontario Region, FedNor and the Pacific Region. Phase I concluded that a Financial Control Framework had been developed by SSIP in consultation with CAS which outlines roles and responsibilities for the Regional Operations and Small Business and Marketplace Services sectors staff carrying out financial responsibilities. This Framework came in effect in May 2007 and outlines roles and responsibilities, processes and a monitoring and reporting strategy for regional and non-direct regional reports. Memoranda of Understanding (MOUs) between the Financial Operations and Systems Branch (FOSB-CAS) and the Regional Executive Directors/Heads of Discrete Organizations had been signed to confirm accountabilities over the financial processes and controls within their respective organizations.

CAS is implementing a Functional Relationship Model which includes a reorganization of Financial and Materiel Management Directorate (FMMD) to support specific elements of the management response to the Financial Control Audit. This includes the creation of a Quality Assurance Team to act as a single point of contact for account verification monitoring and reporting.

Phase II focussed on the design of the system of departmental internal financial controls and included transaction testing to assess the effectiveness of the Functional Relationship Model and the Regional Operations Sector, Sector Strategies and Infrastructure Programs Branch (SSIP) Financial Control Framework.

Audit effort consisted of the following:

  1. Development of an approach and detailed methodology for conducting the follow-up, including planning of the assignment and assignment of tasks to staff.
  2. Interviews of key officials to validate the actions taken in response the audit report and obtain documentation referred to in the Action Plan. This included:
    1. Director of FMMD
    2. Manager, Public Accounts and Quality Assurance, FMMD
    3. A/Director and Manager, SSIP
    4. Head of the Quality Assurance Unit, CAS
    5. Head of the G&C Quality Control Unit, CAS.
  3. Assessment of information gathered in step one above to determine its impact on the Financial Control Framework.
  4. Selection of a representative sample of transactions (O&M and G&Cs) in the following organizations: CAS; CRC; MC-HQ; CIPO; Prairies and Northern Region (Winnipeg); Ontario Region (Toronto); and Quebec Region (Montreal).

5.0 Actions and Detailed Follow-up Findings

The following section summarizes the actions developed by departmental management to address the recommendations contained in the September 2006 Audit Report and the current status of their implementation.

Table of Contents

5.1 Development and Communication of Policies, Procedures and Guidelines

2006 Initial Recommendation #1 and Management Response

FMMD should document its auto-post and post-audit processes so that the organization of this important financial management activity is clearly communicated to those who need to know about these processes.

Management ResponseFMMD has drafted the auto-post procedures (Director FMMD.)

FMMD will send the procedures out to the regional financial officers and ask them to start doing their own post-audit based on the sample that FMMD will send on a monthly basis. After completing their post-audit, the regional officers will communicate the results to FMMD and SSSB (Director FMMD).

Follow-up Findings

This recommendation has been substantially implemented.

Our follow-up revealed that procedures were developed and distributed to the regional offices through the Sector Strategies and Infrastructure Programs Branch (SSIP) which outline the account verification process for the auto-post payments (less than $2,000) and its related post-audit process. It includes departmental policy and procedures for the statistical sampling methodology used in testing auto-post transactions at the Section 33 FAA payment requisition stage, describes the Section 34 FAA account verification process and the related roles and responsibilities for conducting the sampling. This procedure is also accompanied by an auto-post verification checklist.

We noted however, that the auto-post procedures are not available on the Corporate Finance website and have not been disseminated to all organizations of Industry Canada. Our site visits revealed that some discrete organizations were not aware of the written procedures and typically these organizations only recognize policies and procedures that are posted on the Industry Canada Intranet as being official.

5.2 Exercise of Departmental Functional Authority

2006 Initial Recommendation #2 and Management Response

The department should assess the organization of the financial management function in terms of overall responsibility and accountability for the design, implementation and maintenance of internal financial controls. In so doing, the department should consider the following:

  • The need for financial processes to be carried out consistently across the department;
  • The need for the SFO to exercise functional authority for financial management in the department through promulgation of financial management roles, responsibilities, authorities and reporting relationships; and establishment of an effective monitoring and review function and corresponding accountability mechanisms.
  • The need for assurance that financial controls are in place and operating as intended.

Management Response (FMMD)—Senior Management recently announced there would be no organizational changes or changes to reporting relationships with respect to the financial management function in the department. As a result, responsibility for those functions in the regions and autonomous units would continue to reside in the Operations Sector.

Operations Sector Response and Proposed Action(s) We recognize that additional work is required at the Sector level to ensure that financial controls are effective and operating as intended. For its part, the Operations Sector is undertaking the following in view of clarifying financial accountabilities and increasing it focus on transactional oversight, and review and monitoring:

  • To ensure the ADMs ultimate financial accountabilities are effectively discharged, Sectorial Strategies and Services Branch (SSSB) is developing a financial accountability framework complete with financial roles, responsibilities and accountabilities of finance personnel working in Regions and Discrete/Autonomous Units.
  • The framework will require that the most senior finance person in a Region or Discrete/Autonomous Unit have a direct reporting relationship with the Business Unit Head;
  • Further, work descriptions and performance agreements of those with financial authority will clearly articulate roles and responsibilities as they relate to financial operations;
  • SSSB will increase its focus on financial monitoring across the Sector and will develop and implement a more formal financial review process, whereby SSSB personnel will conduct regular visits to Regions and Discrete/Autonomous Units to ascertain the effectiveness of financial controls; review results will be shared with the ADMs and regularly with the CFO.
  • The Sector will work closely with CAS to sustain assurance that financial controls in Regions and Discrete/Autonomous Units are operating as intended and align with those in place elsewhere in the department. (Director, SSIP)

Note: Regions and Discrete/Autonomous Units currently seek and receive policy and process guidance from CAS via monthly teleconferences, annual face-to-face meetings and on an ongoing basis via CAS' intranet site. CAS also provides training to financial personnel in Regions and Discrete/ Autonomous Organizations regarding systems (IFMS; FRS) and policy (e.g., authority delegation). CAS will continue to be relied upon by Regions and Discrete/Autonomous Organizations to provide this important functional guidance.

Follow-up Findings

This recommendation has been substantially implemented.

A Financial Control Framework was developed by SSIP in April 2007. The monitoring and reporting procedures within the Framework provide for sharing results with CAS such that the CFO and by extension the DM, will have ongoing knowledge of financial results and accuracy in order that they may rely upon the attestations of their ADM colleagues. All staff governed by the Framework with Section 33 and Section 34 FAA authorities must sign a financial attestation form stating that they have read the framework and that they agree to abide by its requirements. This document was disseminated to all regional operations, however some financial staff in the discrete organizations were not fully aware of the Framework and had developed their own controls forms (checklists) and procedures. It is anticipated that the SSIP framework will provide the basis for a departmental financial control framework, to be applicable to all Industry Canada organizations. CAS officials indicated that a departmental framework would be in place as of April 2008.

In addition to the existing SSIP Framework, CAS has strengthened accountabilities by putting in place MOUs with the Regional Executive Directors, the President of Measurement Canada (MC), the Director General Federal Economic Development Initiative of Northern Ontario (FedNor) and the ADMs of the Regional Operations Sector and the Small Business and Marketplace Services Sector. An annual detailed workplan is to be prepared to confirm the accountability of the organizations in exercising delegated financial authorities. By signing an annual Letter of Representation, each business unit head will be attesting that they have consistently reviewed their financial activities and exercised due diligence on an ongoing basis. The workplan together with the Letters of Representation will provide assurance to the CFO and, by extension the DM, that their financial activities align consistently with those deployed in CAS.

The department is also undergoing a Financial Statements Readiness Assessment initiative which will determine whether the financial controls and capacity are in place to sustain an efficient financial statement audit by the Office of the Auditor General. Phase 1 of the assessment was to determine whether financial controls and capacity are in place while Phase 2 will identify, prioritize and implement solutions to remediate identified gaps.

Further, CAS has implemented a Functional Relationship Model which will increase its ability to manage new and evolving core responsibilities related to financial systems, financial records, reporting and financial controls, including oversight of all financial controls in programs. The Federal Accountability Act, launched in December 2006, strengthens accountabilities within departments by designating deputy ministers as accounting officers. Specific responsibilities include ensuring that resources are organized to deliver departmental objectives in compliance with government policy and procedures and ensuring that there are effective systems of internal controls.

5.3 Organization of Financial Management in Regions and Descrete/Autonomous Organizations

2006 Initial Recommendation #3 and Management Response

Payment authority should only be exercised with sufficient assurance as to the appropriateness of the account verification process leading to contract performance approval (Section 34 FAA).

The organization of financial responsibilities for processing payments should respect the Principle of segregation of duties.

Management Response—Since the audit, corrective actions have been taken in Regions and Discrete/Autonomous Units where weaknesses were cited in the audit report.

Segregation of Duties—Since the audit, Measurement Canada has reviewed its internal procedures pursuant to IC's delegation of authority instrument. Changes have been implemented which restrict the exercise of Section 34 to RC Managers only, thereby ensuring clearer segregation of duties in processing payments (President, Measurement Canada).

Monitoring, Account verification—Atlantic and Ontario Regions have put in place monitoring programs for their satellite offices. Monitoring programs typically involve regularly-scheduled visits to all satellite offices, examination of expenditure files for completeness, required use of account verification checklists, and specific actions related to above-average risk transactions (e.g., hospitality; memberships; travel) and the payment of G&C claims.

In addition to specific corrective actions, the audit report has served to increase awareness in other Regions as to the importance of their activities related to transactional oversight and monitoring. In Prairie and Northern and Quebec Regions, for example, all Section 33 authorizations are performed in a centralized location (Winnipeg and Montreal, respectively) and procedures are in place that ensures payments are not posted in the absence of appropriate supporting documentation. Pacific Region has in place a monitoring program that involves biannual visits to satellite offices, where file reviews are conducted and interviews are held with personnel with key financial responsibilities. Results of site visits/audits are shared with the appropriate satellite office director for further action, as necessary (Regional Executive Directors).

The Operations Sector recognizes that more could be done in this area to ensure consistent application of policy and procedure across all Regions and Discrete/Autonomous Units, particularly those with satellite office operations. To this end, SSSB is examining monitoring processes in place across all five Regions, as well as those in place in Discrete/Autonomous Units as and where appropriate, with a view to obtaining and sustaining a consistent level of assurance across the Sector (Director, SSIP).

Further, through periodic monitoring, SSSB ensures that CAS procedures regarding account verification are respected and applied consistently across the Sector (Director, SSIP).

Follow-up Findings

This recommendation has been substantially implemented.

Internal procedures at Measurement Canada headquarters have been strengthened and segregation of duties measures have been implemented. The detailed testing showed that section 34 was being exercised by the RC managers or their designated RCA.

The audit team visited three regional offices (Ontario, Prairies and Northern, and Québec), and three discrete organizations (Measurement Canada (HQ), CIPO and CRC) during Phase II of the follow-up to validate the implementation of management responses. Overall, it was noted that regional finance officers were fully aware of the Financial Control Framework developed by SSIP and that measures were in place to ensure adequacy of Section 34 FAA sign-off. All Section 34 authorities are required to sign an attestation to having read and understand the framework. They all have copies of the verification checklists on hand although it is not mandatory to complete one for each transaction. We noted that this was the case in the regional offices; however, some discrete organizations visited were not aware of the framework nor was it being applied for day-to-day operations.

The first quarterly monitoring conducted by CAS was completed in December 2007 which included sampling the first two quarters (April to September) of the fiscal year of 2007–2008. This sampling did not include CIPO, however we were advised by CAS that they would be included in future sampling. The results of the monitoring exercise were not available at the time of this writing.

5.4 Access Controls and Related Security Issues

2006 Initial Recommendation #4 and Management Response

The Corporate Comptroller together with the CIO, should:

  • review practices surrounding departmental manager sign off of departing employees to ensure that on the employee Exist Clearing Sheet managers are reminded to advise the IFMS Access Group of the departure;
  • strengthen the periodic review of User profiles (especially those that include incompatible functions) through enhanced segregation of duties and/or through the inclusion of compensating internal controls where considered appropriate (i.e. increase review of the transactions processed by these IFMS users);
  • reinforce monitoring of super-users so that an automatic log of specific types of transactions is produced and examined by FMMD (e.g. transactions creating a vendor code, inputting a financial transaction into IFMS, and approving payment should be logged for review; and
  • review practices surrounding the sharing of UserID and password for employees being trained on IFMS. Trainees could make use of the training module of IFMS or could be provided with a specific "training" UserIDs and passwords so that sharing with ongoing IFMS Users is not permitted.

Management Response—We agree that the Departure Process form could be modified to include a step to email IFMS Access if the employee has an IFMS user account. Currently, the RC Manager signs an attestation that "all access privileges to Industry Canada computers… have been revoked". However, because there is no specific reference to IFMS, this statement may not be clear. To minimize the risk in the past, all user ids that have not been used for 3 months are locked and the IFMS Sector Coordinator contacted. After 5 months of no activity, the user and Sector Coordinator are told that the account will be deleted unless they can justify a reason to retain the account.

Review of the user profiles has been strengthened since the audit. A segregation of duties report is now issued every quarter to the Manager of Financial Services. New reports have been available since May 2006, which enable the review of transactions performed by users who have been given special access. "IFMS All" access is only granted to one or two users and for a small period of time; usually only during a system upgrade. A special log which traces the transactions that the user has accessed is reviewed by IFMS Access team. This log will be provided to FMMD for review (Director, FMMD).

Training user identifications are currently available in a separate environment that grants the user access to all transactions for training purposes. It is not possible to issue a training ID in the production environment. Display only access is possible in production but this would not provide the user with sufficient access to learn the transaction.

FMMD will work with Security to modify the Exit form to include an area for the employees to indicate if they have access to the financial systems (RPS, SPS, IFMS, CMIS). FMMD will also look into modifying the Exit form to include the revocation of the signature card, if any exists (Director, FMMD).

SSSB will notify and remind business units, through the existing Operations Sector Finance Network, of employee departure procedures as they impact on the security of IFMS — specifically the requirement to notify the IFMS Access Group regarding departing employees and changes in responsibilities (Director, SSIP).

Follow-up Findings

This recommendation has been fully implemented.

We noted in our review that a new employee departure form specifically identifies all departmental financial systems (IFMS, GCRS, CMIS, FRS). Site visits revealed that in the regions the new IFMS policy (POL 001 dated March 2001 and modified on December 5, 2007) is followed and that one employee is assigned the responsibility to communicate with HQ to provide access to IFMS. Passwords are cancelled for individuals leaving the organization, on maternity leave or any other long term leave. We also noted that a new IFMS Access and Authorization Form was issued on November 9, 2007 and included as part of the modified IFMS policy.

On March 5, 2008 the password expiry period for the IFMS was reduced from 90 to 60 days. This is to comply with the Departmental Security Policy.

We noted, however, that there are still several instances of individuals with conflicting user roles in some regions due to limited number of staff available to process transactions. This risk has been mitigated with the quarterly segregation of duties reports and the access logs which are provided to the Manager of Financial Services.

5.5 Verification of the Authority to Approve Assistance

2006 Initial Recommendation #5 and Management Response

FMMD should establish a process to ensure that departmental grants and contribution payments have been approved by officials with delegated authority. For instance, all decisions made by Programs and Services Branch should be systematically placed on financial files. Where authorities are required from outside the department, there should be a statement to that effect on the Programs and Services Branch decision sheet. A re-verification of a sample of contribution projects should be examined to ensure that the proper level of authority was obtained.

Management Response—A new verification checklist has been prepared. All documents, which include the proper level of approval based on the dollar value of the agreement, are available on the project file (Director, FMMD).

A copy of all TB submission for each program will be available centrally within FMMD (Director, FMMD).

FMMD will create a new G&C unit within financial services to enforce quality control, follow up and monitor G&Cs agreements and related financial instruments. The G&Cs unit will be responsible for payables and revenues related to G&Cs (Director, FMMD).

The Operations Sector will increase its financial monitoring of the Sector, including the monitoring of the G&C payment process in conjunction with broader departmental direction from the new G&C unit to be created within CAS (Director, SSIP).

Follow-up Findings

This recommendation has been substantially implemented

The new G&C Unit in CAS reviews and processes payments for IC transfer payment programs in the National Capital Region. A complete 100 percent verification is conducted for these payments. FedNor and the Ontario region authorize payments for the programs in their respective regions. All employees in the CAS-G&C Unit appear to be properly trained in processing G&C transactions and their roles and responsibilities are clearly defined.

The detailed testing indicated that documents indicating the proper level of approval were on file. Copies of all Treasury Board submissions are obtained by FMMD and available to the G&C Unit staff.

New procedures and checklists were developed in September 2007 by the CAS G&C Unit to monitor financial G&Cs payment transactions. We noted the distribution of these procedures have been limited to the CAS G&C Unit. Also, there have been no procedures prepared for the handling of repayable contributions. It is further noted that the procedures that have been developed are not available on the IC Intranet although these checklist are included in the SSIP Financial Control Framework thus making them available to FedNor and the Ontario Region.

5.6 Claim Verification Process for G&C Payments

2006 Initial Recommendation #6 and Management Response

The Senior Financial Officer should:

  • direct that all programs are required to complete a Contribution (Claim) Verification Checklist as part of the claim verification process;
  • implement a process whereby the claim verification process each program uses must be reviewed periodically to ensure appropriateness in providing necessary assurance required to authorize payment under S.33 of the FAA. The same approach should be implemented by Regional Management Services Divisions who are responsible for approving payments under S.33 of the FAA; and
  • re-enforce the appropriate use of audit checklists by Financial Officers.

Management Response—With the creation of the new G&C unit, FMMD will meet with each program to design a checklist based on specific program requirements. FMMD will recommend their approach by sharing the checklists with the regional offices and assisting them in implementing similar processes. (Director, FMMD)

The Operations Sector will work with the new CAS G&C unit to design program-specific checklists and will coordinate the distribution and monitoring the use of the checklists across Operations Sector business units. (Director, SSIP)

Follow-up Findings

This recommendation has been partially implemented

Checklists have been developed and are included in the SSIP Financial Control Framework. The audit team tested a limited sample of 25 G&C files in the National Capital Region processed by CAS to verify the integrity of controls. Most of the files audited in our sample included a checklist for Section 34 and Section 33 FAA verification. Our assessment, however, revealed that monitoring of G&C payments requires improvement.

In total 76 percent (19 out of 25) of the transactions were accurate with no errors or anomalies. However 24 percent of the transactions (6 out of 25) contained errors or anomalies:

  • One file did not contain evidence that the required level of approval was obtained. In this instance, Cabinet approval was required as the agreement exceeded $20 million. This approval is now being added to the file.
  • In another instance, payment was issued based one Section 34 FAA signature. Under the delegation of authorities instrument, two project officers would be required to sign. This represents a serious error.
  • Another four transactions lacked documentation, had inadequate level of authority at the initiation stage, or had advances in excess of requirements.

5.7 Account Verification Process for O&M Transactions

2006 Initial Recommendation #7 and Management Response

The Senior Financial Officer should establish a process that will ensure thorough understanding of how account verification is being carried out across the department.

The existing 100 percent cursory review process should be enhanced through verification, on a sample basis, of the account verification steps undertaken to obtain assurance of contract performance (i.e. the completion of deliverables) as well as compliance with TBS and to departmental policies.

Management Response —The section 33/34 processes will be addressed (Director, FMMD).

FMMD will create a quality control team. This team will implement quality control processes for revenues, expenditures and public accounts (Director, FMMD).

The Operations Sector will increase its financial monitoring of the Sector, including the monitoring of the procedures related to account verification in conjunction with broader departmental direction from the new quality control unit to be created within CAS (Director, SSIP).

Follow-up Findings

This recommendation has been partially implemented

CAS has created a quality control team and account verification monitoring has been initiated in conjunction with SSIP. The CAS Quality Control team has three full-time Financial Officers. Roles and responsibilities for the unit have been established. A schedule for Quality Assurance site visits was developed and updated in November 2007. A sampling methodology and reporting requirement has been established and communicated.

The follow-up included testing of transactions within selected departmental organizations. Test results revealed a four per cent error rate for critical errors and 20 per cent error rate for noncritical errors (processing and documentation errors), for a total error rate of 24.03 per cent for all O&M transactions tested.

The following table compares error rates by organizations covered by the SSIP Financial Control Framework to those organizations not governed by a formal framework:

Table: Error Rates
  # Transactions Tested Critical Errors Non-Critical Errors Critical Error Rate Non-Critical Error Rate Overall Error Rate
Organizations Governed by SSIP Framework 133 3 21 2.26% 15.79% 18.05%
Organizations not Governed by a formal framework 100 7 25 7% 25% 32%
Department 233 10 46 4.29% 19.74% 24.03%

The results indicated that organizations governed by a formal framework had fewer errors than those organizations not governed by a formal framework. The difference may be attributed to the enhanced controls and monitoring of financial processes established through the Financial Control Framework, and conversely, the absence of such controls for all other organizations. In our opinion, the need for a robust, comprehensive financial control framework applicable to all Industry Canada organizations would strengthen overall departmental financial controls.

The follow-up noted concerns with the management of specimen signature cards. During testing, signature cards for 12 of the transactions were verified. Of these:

  • two could not be located as the signature on the payment was illegible and could not be identified by FMMD staff;
  • it was difficult to match signatures to specific fund centres as the area of authority section on the forms was inconsistently completed. There is no assurance that individuals are signing section 34 for funds centres for which they have delegated authority;
  • in two cases, the signature forms were located in the cancelled binder but it was unclear as to when the forms were cancelled;
  • several forms for individuals in acting positions were designated as "temporary acting – up to 1 year". A memo activating the acting authority is to be provided to FMMD for acting situations. In one instance, we could not locate the activation memo for an individual.

5.8 Financial Controls Over Collaborative Agreements

2006 Initial Recommendation #8 and Management Response

The Corporate Comptroller should remind all Financial Officers of the policy requirements relating to Specified Purpose Accounts.

Management ResponseFMMD will develop procedures and guidelines on how specified purpose account needs to be managed and communicate them across the department including regional offices (Director, FMMD).

Follow-up Findings

This recommendation has been substantially implemented.

New Specified Purpose Account (SPA) procedures were developed by CAS which reinforce procedural requirements and outline monitoring responsibilities but are not available on the IC Corporate Finance Intranet site. The current reference to SPAs on the site provides a much more simplified version of an SPA definition and does not include policy requirements and monitoring.

Our sampling of SPAs in one region and one discrete organization revealed that some issues still exist. For example, it was noted that the issue of payments being processed before funds are received still exists. The organization has not been able to comply with the Treasury Board (TB) policy for SPAs due to delays in finalizing an MOU with the province in obtaining approval signatures. In the past, contrary to policy, invoices were being paid from operating funds and the funds were reimbursed to the O&M budget by journal vouchers once the SPA money was received. The organization decided to suspend payments until such a time as the MOU was signed by the proper authorities.

This does not correct the issue since expenditures are still being initiated before funds are received, therefore creating a liability for the Department and could result in late payment charges. The CFO was advised of this situation in November 2007.

In another organization, we noted that there is still one SPA with no transactions. They have recently reviewed all SPAs and cancelled most accounts that had not been used and returned unspent cash to the fund providers.

5.9 Organization of Financial Files

2006 Initial Recommendation #9 and Management Response

The Chief Information Officer and the Corporate Comptroller should ensure that financial files are well maintained, with pertinent documents on all files to assist Financial Officers in fulfilling responsibilities.

Management Response — Effective April 2006 all original contracts and invoices are sent to the records room for filing. They are no longer kept on file until the contract is complete (Director, FMMD).

Follow-up Findings

This recommendation has been partially implemented.

CAS has indicated that all financial files are to reside in the records office. FMMD has stated that it has instituted a more controlled process relating to the management of financial files. Financial officers should no longer keep the payment files in their office and they have been instructed to retrieve files less frequently.

It was noted, however, that two of the 50 files requested for audit testing could not be found although they were located several weeks after our request. Further, eight of the 25 O&M files requested (32 percent) were missing key documentation.

5.10 Training Programs

2006 Initial Recommendation #10 and Management Response

The Senior Financial Officer should ensure that training and related tools are provided to managers and their administrative staff about responsibilities for approving contract performance.

The Senior Financial Officer should ensure that training and related tools are provided to Financial Officers and Financial Assistants on their payment approval Responsibilities.

Management Response: FMMD in collaboration with Financial Policy group will prepare an e-mail explaining the managers' responsibilities when given authority under section 32 and/or 34. FMMD will send this e-mail to individuals submitting specimen signature forms (Director, FMMD).

New policy on training for managers will help ensure that managers have the proper training to exercise financial authority (Director, FMMD).

Findings

This recommendation has been substantially implemented

FMMD has reviewed all existing delegated authorities to ensure the mandatory training has been taken. Site visits to the regions and HQ revealed that most of the employees with Section 34 FAA authority have received the mandatory training as outlined in the framework. Employees are issued a certificate when the courses are completed. Adequate lists of Section 34 and Section 33 FAA authorized signatures are maintained in the regional offices and discrete organizations and specimen signature cards are well maintained.

Some training at the regional level has been delayed due to the regional reorganization and it is anticipated that the training will be available in the near future.

5.11 Oversight of Expenditure Management Accountability

2006 Initial Recommendation #11 and Management Response

The Corporate Comptroller should:

  • review the post-audit process on low value transactions to take into consideration the risks associated with the complex nature of expenditure management in the department;
  • ensure that, on a consistent basis, results of current monitoring exercises are forwarded consistently to all Directors of Management Services Divisions in regions and discrete organizations so that they can learn from the results of oversight activities;
  • influence Regional Directors of Management Services Divisions to exercise more oversight of financial management activities in satellite offices and request that results of monitoring activities be reported to the Corporate Comptroller; and
  • regularly assess how various regions and discrete organizations are reviewing their systems of account verification upon which they rely to authorize payment under Section 33 FAA. This will involve visiting Management Services Divisions in regions to gain an understanding of oversight processes, and examining the results of their oversight activities.

Management Response: Financial and Materiel Management Directorate (FMMD) is currently reviewing the post-audit process. The document needs to be updated to account for the comments received from AEB (Director, FMMD).

Financial and Materiel Management Directorate (FMMD) will have a designated team to perform post-audit functions on expenditures in entities under the authority of the CFO (Director, FMMD).

With guidance from CAS/FMMD, and in the context of the departmental financial statement readiness assessment, the Operations Sector will ensure that monitoring processes in place are sufficient to assure that financial controls are operating effectively (Director, SSIP).

Findings

This recommendation has been fully implemented.

As note in Section 5.1 above, post-audit procedures were developed and distributed to the regional offices through the Sector Strategies and Infrastructure Programs Branch (SSIP). This procedure outlines the account verification process for the auto-post payments (less than $2,000) and its related post-audit process. It describes departmental policy and procedures for the statistical sampling methodology used in testing auto-post transactions at the Section 33 FAA payment requisition stage. It describes the Section 34 FAA account verification process and the related roles and responsibilities for conducting the sampling. This procedure is also accompanied by an auto-post verification checklist.

5.12 Oversight of the Acquisition Card Process

2006 Initial Recommendation #12 and Management Response

The Corporate Comptroller should establish a comprehensive, risk-based monitoring program for acquisition cards to coincide with the implementation of a consolidated payment approach for Acquisition Cards.

Management Response: A comprehensive monitoring process is in place (Director, FMMD).

FMMDCMM will undergo a review of all IC acquisition cards (Director, FMMD).

FMMD will also improve the monitoring process by tracking post audit critical errors, action taken and when the issue was resolved and reviewing the cardholder (committing critical errors) rate of error. Monitoring will be done on a monthly basis (Director, FMMD).

Findings

This recommendation has been partially implemented

A departmental audit of acquisition cards was completed and tabled at the Departmental Audit Committee on February 28, 2008. The audit noted that acquisition card monitoring functions are the responsibility of the Departmental Coordinator and FMMD and that a control framework and monitoring system to mitigate risks associated with acquisition cards have been developed. It was found, however, that the parameters used in Audit Command Language (ACL) software for tracking anomalies and high-risk transactions have not been significantly revised since its inception, thus increasing the risk of not identifying high-risk transactions.

Although transaction information is available online through BMO to manage and monitor acquisition usage; the BMO details system is not being used effectively to analyse acquisition card purchases. There was limited analysis of patterns of card usage, card limits, number of multiple cardholders and frequency of card use and associated risks.

It was also noted that neither the results of monitoring activities nor the overall level of purchase activity is reported to senior management.