Audit of Regions (Atlantic, Quebec, and Prairie and Northern)

June 2011
Recommended for approval to the Deputy Minister by
Departmental Audit Committee on October 20, 2011

Approved by the Deputy Minister on October 26, 2011

Table of contents

• 1.0 Executive Summary
  • 1.1 Introduction
  • 1.2 Objective and Scope
  • 1.3 Main Findings
  • 1.4 Recommendations
  • 1.5 Audit Opinion
  • 1.6 Statement of Assurance
• 2.0 About the Audit
  • 2.1 Background
  • 2.2 Audit Context
  • 2.3 Audit Objective
  • 2.4 Audit Scope
  • 2.5 Audit Criteria
  • 2.6 Audit Methodology
• 3.0 Findings and Recommendations
  • 3.1 Introduction
  • 3.2 Governance
  • 3.3 Risk Management
  • 3.4 Internal Control
• 4.0 Overall Conclusion
• Appendix A: Audit Criteria/Audit Objective
• Appendix B: Management Action Plan

1.0 Executive Summary

1.1 Introduction

The Regional Operations Sector (ROS) is Industry Canada's main presence throughout Canada, serving a key role in advancing regional economic interests. As the Department's eyes and ears in the regions, the Sector supports strategic policy development and decision making by gathering and disseminating regional intelligence and analysis. ROS also serves as the Department's main service delivery arm in the regions.

In support of Industry Canada's mandate, the ROS serves the needs of their regional clients through the delivery of programs and services, and supports the development and understanding of national policies, programs and regulations. ROS staff work in Industry Canada's five regions: Atlantic, Quebec, Ontario, Prairie and Northern, and Pacific. Each region is led by a Regional Executive Director.

In accordance with the approved Industry Canada 2010–2011 Multi-Year Risk-Based Audit Plan, the Audit and Evaluation Branch (AEB) undertook an audit of Corporate Services in the regions.

AEB completed an audit of Corporate Services in the Ontario Region in 2003. Since then, the role of Corporate Services in the regions has changed significantly; the program clients to whom Corporate Services provides services have also changed.

In this, the first of two planned regional audits, AEB examined the Atlantic, Quebec, and Prairie and Northern regions.

1.2 Objective and Scope

The objective of this audit was to provide reasonable assurance to management that specific core management controls, as identified in the audit criteria, for Corporate Services (Finance and Administration) in three regions—Atlantic, Quebec, and Prairie and Northern—are operating effectively.

A number of sub-objectives were established to provide assurance that:

• roles and responsibilities are clear
• there is a formal risk management process that identifies risks and develops mitigation strategies
• regional Corporate Services (Finance and Administration) ensured compliance with Sections 32, 33 and 34 of the Financial Administration Act, and
• regional Corporate Services (Finance and Administration) ensured that financial transactions were carried out:
  • with due diligence
  • in compliance with Treasury Board Policies and with Industry Canada's Financial Control Framework.

The scope of the audit was the core management controls that were assessed during the planning phase as medium high and medium risk within Corporate Services (Finance and Administration), in the three regions. These controls are identified in the audit criteria.

The scope of the audit excluded Human Resources; Communications; Policy, Analysis and Intelligence; and contracting and procurement in the regional offices. Program clients were also excluded from the scope of the audit.

For sampling purposes, the audit covered the period April 1, 2009 to December 31, 2010.

1.3 Main Findings

Governance

In all three regions, roles and responsibilities are clearly defined and understood within the Finance and Administration directorate.

Risk Management

Risk management at the Finance and Administration directorate level, and at the regional level, is carried out formally and informally in a fashion that results in the identification of risks and the development of mitigation strategies.

Internal Controls

Section 32, 33 and 34 activities are carried out by authorized positions.

Financial transactions are carried out with due diligence. The regions monitor adherence to expenditure policies, directives and internal processes and procedures. Expenditures are in compliance with Treasury Board Policies, Industry Canada's Financial Control Framework and Directives.

Budgets are properly established, managed and communicated. Financial reports are reviewed and approved and these reports are communicated to regional management, the Assistant Deputy Minister (ADM) of Regional Operations and the Comptrollership and Administration Sector (CAS).

Finding 1.0: The use of blanket travel authorities limits management oversight on the mode of transportation used and the related prepaid costs.

Blanket travel authorities allow a staff member to book transportation without requesting management's approval for individual trips. Subsequent travel claim forms do not always clearly identify prepaid transportation costs, therefore limiting the amount of management oversight.

1.4 Recommendations

Internal Controls

Recommendation 1.0:

It is recommended that the Assistant Deputy Minister of Regional Operations review the travel claim process and use of the blanket travel authority, to allow greater oversight of costs.

1.5 Audit Opinion

In my opinion, the specific core management controls audited for Corporate Services (Finance and Administration) in the three regions are operating effectively, with no material weaknesses noted. 

1.6 Statement of Assurance

In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed on with management. The opinion is applicable only to the entities examined and within the scope described herein. This audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada.

Susan Hart
Chief Audit Executive, Industry Canada

2.0 About the Audit

2.1 Background

The Regional Operations Sector is Industry Canada's main presence throughout Canada, serving a key role in advancing regional economic interests. As the Department's eyes and ears in the regions, the Sector supports strategic policy development and decision making by gathering and disseminating regional intelligence and analysis. ROS also serves as the Department's main service delivery arm in the regions.

In support of Industry Canada's mandate, the ROS serves the needs of their regional clients through the delivery of programs and services, and supports the development and understanding of national policies, programs and regulations. ROS staff work in Industry Canada's five regions: Atlantic, Quebec, Ontario, Prairie and Northern, and Pacific. Each region is led by a Regional Executive Director (RExD).

All regions share a common departmental mandate, although individual regional priorities differ with respect to the contribution they make towards it.

The regions use satellite offices in addition to their district offices to ensure goals and objectives are met. In January 2011, there were 30 full-time employee positions in the Atlantic Region, 47 in the Quebec Region, 64 in the Ontario Region, 45 in the Prairie and Northern Region, and 34 in the Pacific Region.

Regional offices consist of the same directorates: Corporate Services (Finance and Administration, and Human Resources); Communications; and Policy, Analysis and Intelligence. They provide various level of support to the following program clients:

• Canadian Intellectual Property Office (CIPO)
• Chief Informatics Office (CIO)
• Competition Bureau (CB)
• Measurement Canada (MC)
• Office of the Superintendent of Bankruptcy (OSB)
• Spectrum, Information Technologies and Telecommunications (SITT).

The program clients do not report to the RExDs but rather to the Heads of their programs at National Headquarters. The level of service a client requires depends on the region and the program. These services range from a full slate of corporate services to simply providing advice on an as required basis.

The following chart shows the general organizational structure in the regions.

Figure 2.1: Hierarchical report in Ottawa, services provided by the Region

OSB, MC, CB and CIO operate with three regions instead of five: Eastern, Ontario, and Western. SITT recently announced that it will adopt a three-region model consisting of Quebec, Ontario/Atlantic, and Western regions.

Industry Canada's five regions are working towards a Common Services Memorandum of Understanding. They have identified the services to be provided to program clients and the differences in the depth of those services region by region. They have also developed a common set of services that all regions will provide to each program client. The Common Services initiative is currently under discussion with the program client community.

As noted above, Corporate Services in the regions consists of Finance and Administration, and Human Resources.

The Finance function includes financial planning and analysis, accounting operations, and financial policy and systems.

The Administration function includes accommodations, security, health and safety, access to information and privacy, mail service, reception co-ordination, inventory control, asset management, central file co-ordination, relocation advice, tenant services, telecommunications, petty cash, and contracting and procurement.

Finally, Human Resources includes awards and recognition, compensation and benefits, employment equity and diversity, human resource planning, labour relations, learning and development, official languages, staffing, and values and ethics.

This audit examined management controls that support corporate services, excluding Human Resources, delivered by three of the Department's five regions; Atlantic, Quebec and Prairie and Northern.

2.2 Audit Context

In accordance with the approved Industry Canada (IC) 2010-2011 Multi-Year Risk-Based Audit Plan, the Audit and Evaluation Branch (AEB) undertook an audit of the Corporate Services in the Regions.

AEB last audited the regions in 2003 when it completed an audit of Corporate Services in the Ontario Region. Since then the role of Corporate Services in the regions has changed significantly, and the programs served have also changed.

In this, the first of two planned regional audits, the Atlantic, Quebec, and Prairie and Northern regions were examined.

2.3 Audit Objective

The objective of this audit was to provide reasonable assurance that specific management controls, as identified in the audit criteria, for Corporate Services (Finance and Administration) within the three regions—Atlantic, Quebec, and Prairie and Northern—are operating effectively. A number of sub-objectives were established to provide assurance that:

• roles and responsibilities are clear
• there is a formal risk management process that identifies risks and develops mitigation strategies
• regional Corporate Services (Finance and Administration) ensured compliance with Sections 32, 33 and 34 of the Financial Administration Act, and
• regional Corporate Services (Finance and Administration) ensured that financial transactions were carried out:
  • with due diligence
  • in compliance with Treasury Board Policies and with Industry Canada's Financial Control Framework.

2.4 Audit Scope

The scope of the audit was the core management controls that were assessed during planning as medium high and medium risk within Corporate Services (Finance and Administration), in three regions—Atlantic, Quebec, and Prairie and Northern—as identified in the audit criteria. For sampling purposes, the audit covered the period April 1, 2009 to December 31, 2010.

The scope of the audit excluded Human Resources; Communications; Policy, Analysis and Intelligence; contracting and procurement in the regional offices; and regional program clients.

2.5 Audit Criteria

The audit criteria were developed based on a detailed review of documentation provided by regional management and/or researched by AEB, preliminary interviews with regional management, and a detailed assessment of the risks facing Corporate Services in the three regions based on the Management Control Framework, using Treasury Board's Core Management Controls as defined in November 2007.

Appendix A lists the audit criteria and demonstrates the relationship between the criteria and the audit objectives.

2.6 Audit Methodology

This internal audit was conducted in accordance with the Treasury Board Policy on Internal Audit and Internal Auditing Standards for the Government of Canada. The audit approach consisted of the following:

• Planning Phase—A risk assessment of the core management controls, as defined by Treasury Board's Core Management Controls, November 2007, for governance, internal control and risk management processes, was conducted in Corporate Services (Finance and Administration) in the three regions. Evidence gathered through document review and interviews with key stakeholders was synthesized to identify areas of medium high and medium risk. The results of the risk assessment contributed to the development of audit criteria and the audit program used during the conduct of the audit.
• Document Review—The audit team reviewed documents including, but not limited to, regional business plans and risk assessments, budgets, budget variance analyses, organizational charts, values and ethics statements, a presentation on the Common Services initiative, checklists, error reports, e-mails / communiqués between finance managers and regional personnel, intra-net sites, and financial monitoring visit reports from CAS.
• Interviews—Auditors visited all three regions and interviewed the following personnel at each site:
  • Director/Manager of Finance and Administration
  • Manager of Financial Services
  • Manager of Administration
  • Finance and/or Administration Officers
  • Regional Executive Director.
• Operation and Maintenance (O&M) File Review—The audit team performed two types of file tests on O&M expenditures (excluding salaries and related costs). Test 1 reviewed Section 33 services provided by Finance and Administration to program clients (e.g. SITT, CB, OSB, MC) in the region. Test 2 assessed regional directorate O&M expenditures for policy compliance, including whether authorized personnel carried out Sections 32, 33 and 34. Samples drawn for both tests were objective, random and representative.

The audit team analyzed and assessed the information gathered through the above activities against the audit criteria that were developed during the planning phase of the audit.

The planning phase of this engagement was from October 2010 to January 2011. Audit fieldwork was conducted from February 2011 to April 2011. Debrief meetings were held with each region separately at the end of May 2011 to validate the accuracy of the findings in this report.

3.0 Findings and Recommendations

3.1 Introduction

This section presents detailed findings from the audit of the Atlantic, Quebec, and Prairie and Northern regions. The findings are based on evidence and analysis from both the initial risk assessment and the detailed audit.

In addition to the findings below, AEB has communicated observations of conditions that were non-systemic and of low materiality and risk to management, orally and in a management letter, for consideration.

3.2 Governance

Clarity of roles and responsibilities

Region, Finance and Administration:

Policies and procedures that define authorities and responsibilities for Finance and Administration in the regions include:

• Industry Canada's Financial Control Framework
• Financial Administration Act
• Delegation of Authorities Policy, and
• various financial policies (i.e. travel directive, acquisition cards, hospitality, and membership).

AEB's file review/testing and interviews, and the results of the AEB planning questionnaires completed by ROS employees, provided evidence that employees know and understand these policies/procedures.

The file review/testing indicated that signing under Sections 32, 33 and 34 of the Financial Administration Act was carried out by authorized positions, and that expenditures were in compliance with policies and adhered to Industry Canada's Financial Control Framework.

Region, Finance and Administration as a service provider for program clients:

ROS has been responsible for the regional delivery of common corporate services (Finance, Administration, Human Resources and Communications) since the creation of the Department in 1993. This role was confirmed during the Regional Review exercise concluded in 2007. The RExD is accountable for the delivery of services and provides line direction to the regional staff.  

The level of corporate services a regional office provides to regional programs varies slightly from client to client and region to region. Services in each region were based on historical offerings and have evolved accordingly. AEB interviews with ROS management in each region indicated that corporate service offerings are well defined and communicated (e.g. through such means as regional intranet sites, wikis, meetings, and visits to district offices).

Common Services initiative:

The Common Services initiative has two objectives: to standardize service delivery across the five regions and to ensure appropriate roles and responsibilities for both the programs and the regional staff providing the services. It is a product of consultation and discussion among the five RExDs, the regional Directors/Managers of Finance and Administration, staff from CAS and program clients.

A draft of the Common Services Memorandum of Understanding has clearly defined the proposed roles and responsibilities and has been communicated to program clients and CAS.

During this audit, management (RExDs and Directors/Managers of Finance and Administration) from all three regions indicated that the status of this initiative was still unclear. Agreements have been reached with some sectors and discussions continue with others. Items under discussion include the resources required to redistribute work and the separation of roles and responsibilities between ROS and the program clients.

3.3 Risk Management

Results of the risk management process

Risk management at the operational level of the Finance and Administration directorate:

Operational risk assessments and mitigation strategies are discussed regularly during ROS management weekly/monthly meetings.

According to interviews from all three regions, the Director of Finance and Administration meets with his managers weekly, when possible, to identify, discuss and take action on risks. As well, risk is managed indirectly; for example, purchases and projects are prioritized based on operational needs.

The key risk of budget overspending (or lapsing) is reduced because of the budget monitoring controls in place at both the Finance and Administration directorate level and the regional (i.e. RExD) level. In all three regions, financial managers communicate regularly with each directorate (under the RExD) to review the financial situation and estimates.

Examples of other internal controls developed and implemented to mitigate risks regarding finance and administrative activities include:

• weekly meetings between RExDs and Directors/Managers
• the Financial Control Framework including regular monitoring by the regional finance group and CAS
• the designation in each region of at least two individuals authorized to sign Section 33 – this allows for proper segregation of duties and for back-up during holidays, illness, etc.
• training (both formal and informal)
• Business Continuity Plan.

As a best practice, in one of the regions, each directorate formally develops an annual business plan that identifies risks and mitigation strategies.

Risk management at the regional level:

In each region, the Director/Manager of Finance and Administration is involved, along with the RExD and the other Directors, in the annual regional planning exercise, which identifies, documents and communicates risks and develops mitigation strategies.

Each of the three regions developed a regional business plan for 2010–2011. Each plan had a section entitled Risk Assessment and Mitigation at the regional level.

Examples of risks identified at the regional level included: the operational environment, financial budgets and human resources outreach efforts, and record management systems.

Given the size of Corporate Services, Finance and Administration, the audit team considers the level of effort on risk management to be appropriate.

3.4 Internal Control

Compliance with Sections 32, 33 and 34 of the Financial Administration Act

The auditors carried out two distinct tests to assess the objective.

The first test involved verifying Section 33 services provided by Finance and Administration to program clients (i.e. SITT, CB, OSB, MC) for operation and maintenance expenditures, excluding salaries and related costs. This included verifying financial signing authority and compliance with Industry Canada's Financial Control Framework. The testing revealed no errors in the sample.

The second test involved verifying Section 32, 33 and 34 services provided by Finance and Administration to the regional directorates regarding operation and maintenance expenditures, excluding salaries and related costs. Compliance with relevant policies, procedures and directives was also tested.

The results for compliance are reported below with regard to due diligence. With regard to the testing of Section 32, 33 and 34 authorizations, the audit team found instances of missing appropriate signatures of approval. The team's assessment of these errors indicated that they were isolated and non-systemic.

In both tests, all signatures were by authorized individuals in authorized positions.

Financial transactions are carried out with due diligence

The regions interpret and monitor adherence to (financial) policies as evidenced in the result of the audit file review:

• finance officers verify the arithmetic and per diem on travel claims
• original documents are attached to claims when required
• acquisition cards are reconciled to original receipts
• proper departmental forms are filled out for conference, travel and hospitality approval, and
• monitoring checklists are filled out for high risk transactions, as defined in Industry Canada's Financial Control Framework.

In all regions, there is evidence that the Manager of Finance and Administration and/or the Manager of Finance provides a challenge function and takes corrective action regarding errors in financial transactions or misinterpretation of policies and directives.

A best practice of management internal control over Section 34 was identified in one region. When the Manager of Finance detects an error in the completion of Section 34 requirements, he fills in a standard form he developed. This form is then sent to the Section 34 officer along with all the original documents for correction. Any errors are logged into a spreadsheet and a report is generated monthly, as required, for the manager's meetings. The report tracks errors by type, regional office directorate and program client. AEB review of the monthly reports indicated that corrective measures have been taken.

Timely budgets are developed at an appropriate level of detail, and managers with assigned budget authority and responsibility monitor their budgets and forecasts on a regular basis. A review of the regional budgets and variance analysis reports revealed that information is broken down to the standard object level and by directorate.

Funds are allocated and the budget distributed at the beginning of the fiscal year in conjunction with the regional planning exercise. In May the ADM of ROS sends a memo communicating initial budget allocations for the fiscal year. The memo distribution list includes the RExDs of all five regions.

Finance and Administration is responsible for managing and reporting on the development, monitoring and forecasting of the RExD budget. Finance and Administration generates monthly variance analysis reports. Each directorate is responsible for explaining its variances and adjusting its forecasts. Budgets and variance analysis reports are presented at the RExD meeting, which includes directors.

Financial reporting is reviewed and approved by regional management. Approved reports are sent to ROS headquarters for review, consolidation and approval by the ADM. The information is then submitted to CAS.

CAS receives updated year-end budget forecasts from each sector monthly through the Financial Status Reporting process. For each reporting period, CAS prescribes an acceptable variance range between budgeted forecasts and year-end expenditures. This target was met by all three regions for 2009–2010. At the time of the audit, the Regional Operations financial report for 2010–2011 was not available.

Compliance with Treasury Board Policies and with Industry Canada's Financial Control Framework, Directives and Procedures

AEB's file testing confirmed compliance with the FCF. No material or systemic errors were detected.

In general, files tested for hospitality, acquisition card, membership, and travel policy compliance complied with the relevant policies:

• All hospitality expenditures had required pre-approvals, used appropriate forms, etc. and were in line with policy.
• Acquisition card purchases were in line with the Treasury Board Acquisition Card directive for issues such as allowable expenditures and expenditure limit. As well, there was no apparent circumvention of expenditure limits and payments were made in time to avoid interest costs.
• Payments to Chambers of Commerce of all membership dues exceeding $700 were pre-approved by the ROS ADM.
• The majority of travel claims had required pre-approvals, used appropriate forms, had original supporting documentation, and were in line with policy – with some exceptions involving internal processes and procedures. AEB assessment of the missing pre-approvals indicated that they were isolated and non-systemic.

Finding 1.0: Management oversight on use of blanket travel

Regional staff who are required to travel frequently to conduct their work have been granted blanket travel authority (BTA). A BTA is an authorization for travel that is continuous or repetitive in nature, with no variation in the terms and conditions of trips, and where it is not practical or administratively efficient to obtain prior approval from the employer for each individual trip.

BTAs do not always clearly identify restrictions on the mode of transportation and the related costs. The use of a BTA allows the booking of transportation without management's approval for individual trips. Subsequent travel claim forms do not always clearly identify the mode of transportation or the prepaid transportation costs, therefore limiting the amount of management oversight. However, some travel claims presented after the travel occurred do include, with other travel receipts, information on transportation that identifies the costs.

Recommendation 1.0:

It is recommended that the Assistant Deputy Minister of Regional Operations review the travel claim process and use of the blanket travel authority, to allow greater management oversight of transportation and the related costs.

4.0 Overall Conclusion

Overall, the specific management controls, as identified in the audit criteria, for Corporate Services (Finance and Administration) within the Atlantic, Quebec, and Prairie and Northern regions are operating effectively.

Appendix A: Audit Criteria/Audit Objective

Appendix B: Management Action Plan