Treasury Board of Canada Secretariat

ARCHIVED - Horizontal Internal Audit of High Risk Expenditure Controls in Small Departments and Agencies



Executive Summary

The objective of the audit was to assess the adequacy and effectiveness of processes in place to identify higher-risk transactions, which consequently enable more efficient account verification practices. We examined the risk management over expenditure controls and the practices in place in a sample of small departments and agencies (SDAs) in order to determine whether expenditure management was being carried out in a cost‑effective and efficient manner while maintaining the required level of control.

Why This Is Important

In SDAs, effective risk management over expenditure controls allows for appropriate due diligence over transactions that require more rigorous review and greater efficiency over transactions that are of lower risk. Without an approach to account verification that considers risk levels specific to various types of transactions, proper attention may not be given to high-risk transactions, and transactions of lower risk may consume disproportionate levels of employee attention and departmental resources.

Overall Assessment

SDAs are not taking advantage of risk management to help make their account verification processes more efficient. Most SDAs deem all transactions to be high-risk, when appropriate risk management strategies would result in more efficient practices. Although some efficiency is being gained, risk tolerances have not been formally documented or agreed to by all appropriate levels of management.

Most SDAs have not formalized their identification of risks for account verification transactions. Although most SDAs say they deem all transactions to be high-risk, they have not documented this decision, nor do their processes reflect this. Furthermore, not all appropriate managers have been included in this risk determination.

Generally, those with delegated authority to certify that a good or service has been received are carrying out their responsibilities appropriately. There are no systemic weaknesses in this area. However, about one third of the SDAs included in our sample are not ensuring that the individuals with this delegated authority are taking mandatory Government of Canada training prior to receiving this delegation.

SDAs are not always following account verification processes in a manner that is commensurate with the risks identified for their quality assurance process. Although most SDAs state that all transactions are of high risk, they often intuitively apply fewer verification procedures over lower-risk transactions. As a result, appropriate sampling plans for transactions subject to low-risk verification do not exist in most cases. Nevertheless, those responsible for quality assurance are monitoring the results of account verification and discussing issues with management on a timely basis.

Conclusion

Overall, SDAs are not taking advantage of the more efficient verification practices that result from the proper identification of high-risk transactions. Most SDAs included in our sample stated that, given the low number of their transactions and increased public scrutiny, they deem all transactions to be high-risk. However, this risk tolerance is not commensurate with the quality assurance procedures performed. Nevertheless, SDAs are monitoring the results of quality assurance and informally providing this feedback to the appropriate level of management.

The Internal Audit Sector of the Office of the Comptroller General (OCG) has asked SDAs to prepare detailed action plans in response to this audit report. The audit results and recommendations received positive reactions from responsible officials within SDAs. There were good indications that improvements would be pursued. Furthermore, the OCG will facilitate the dissemination of information related to audit findings including sharing of best practices and training as requested.

Statement of Assurance

In my professional judgment as Executive Director, Operational Auditing, sufficient and appropriate procedures and evidence gathering were performed to support the accuracy of the audit conclusion. The audit findings and conclusion are based on a comparison of the conditions that existed as of September 3, 2009, in the departments reviewed, against pre‑established audit criteria. Further, the evidence was gathered in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing.[1]


Sylvain Michaud
Executive Director, Operational Auditing
Internal Audit Sector, Office of the Comptroller General

Background

The Treasury Board Policy on Internal Audit requires the Comptroller General to lead horizontal audits in small departments and agencies (SDAs). Horizontal audits are designed to address risks that transcend individual departments in order to report on the state of governance, controls and risk management across the Government of Canada. This report presents the results of the horizontal audit of high-risk expenditure controls.

Expenditure controls in the Government of Canada are governed by the Treasury Board Account Verification policy and the Policy on Active Monitoring and by the Financial Administration Act (FAA).[2]

The objective of the Account Verification policy is to ensure that accounts for payment and settlement are verified in a cost-effective and efficient manner while maintaining the required level of control. Account verification processes must be designed and conducted in a way that will maintain probity while taking into consideration the varying degrees of risk associated with each payment. This policy also requires that account verification practices be monitored to ensure that varying levels of controls exist over high- and low-risk transactions and that these controls are being carried out as designed. Aspects of both the FAA and the Policy on Active Monitoring are important considerations in complying with the Account Verification policy. For example, active monitoring enables SDAs to use new information and changing conditions to revise their risk management strategies accordingly. The two sections of the FAA that are most relevant to the Account Verification policy are section 34, “Payment for work, goods or services,” and section 33, “Requisitions.”

Payment for work, goods and services (section 34) must be certified by someone with delegated authority from the minister. Certifying for section 34 implies that the work, good or service has been received in accordance with the terms and conditions established between the Government of Canada and the supplier of the work, good or service. Section 34 is typically delegated to project authorities — those generally responsible for completing the operations in line with the mandate of the department or agency.

After section 34 has been certified, payment requisitions are forwarded to the finance function, where someone with delegated section 33 authority will provide quality assurance to further certify requirements such as the following: the payment is in accordance with the budgeted amount, the section 34 authority has discharged his or her responsibilities appropriately, no signing officer will personally benefit from the payment, financial coding is done accurately, and other relevant policies have been respected. The certification of section 33 serves as official documentation to support the release of the funds. A risk management approach can be applied to the above responsibilities. For high-risk payments, however, all the requirements of quality assurance should be met; for low-risk transactions, reliance on the certification of the project authority may help reduce some of the time-consuming tasks associated with quality assurance.

Effective risk management over expenditure controls requires that the appropriate level of management in a department or agency determine which types of payments are of higher risk and should accordingly be subject to more thorough quality assurance in the section 33 verification process. To ensure appropriate monitoring, those transactions deemed lower-risk should be subject to more rigorous review on a sampled basis. This will ensure that the processes designed for lower-risk transactions result in sufficient due diligence and that any new risks can be identified. Under the Policy on Active Monitoring, SDAs must develop an early notice capability to detect and communicate unacceptable risks, vulnerabilities, control failures and deficiencies requiring remedial action. Effective risk management therefore allows for a more efficient use of the resources responsible for quality assurance requirements.

The SDA community in the federal government is extremely diverse, varying in, for example, organizational structure and size, budget, nature of work, and relationship with larger departments. Their budgets do not exceed $300 million per year, while personnel gross expenditures represent approximately 65% of expenditures. Their full‑time equivalents vary from 10 to 500 employees. These factors contribute to the nature of financial systems and controls that SDAs have implemented for decision making and accountability.

Audit Objectives, Scope and Approach

Objectives and Scope

The objective of the audit was to assess the adequacy and effectiveness of processes in place to identify higher-risk transactions, which consequently enable more efficient account verification practices.

For the 16 small departments and agencies (SDAs) included in our audit, we looked at risk management over expenditure controls, whether policies and procedures were designed to respect risk management principles, whether the controls designed were commensurate with the risks and whether appropriate monitoring mechanisms were in place.

Audit Approach

The audit was conducted in two phases. Consultants were engaged to support the Office of the Comptroller General audit team in both phases.

Phase 1

To select the SDAs to be included in the audit, we performed a risk analysis that used findings from previous horizontal audits and considered the centralization or decentralization of an SDA’s financial function, the nature of its business, and its size. We also ensured that the selected SDAs accounted for a significant volume of expenditures from a government-wide perspective. On the basis of this analysis, we chose the 16 SDAs listed in Appendix 1. These SDAs account for more than 20% of total SDA expenditures.

Phase 2

For each of the 16 SDAs, we carried out a document review to identify systemic strengths and weaknesses. Our review included documentation on risk, quality assurance and monitoring plans, and other departmental policies or procedures developed for expenditure management.

We interviewed managers from all parts of the expenditure management process, including senior financial officials and the managers and project authorities responsible for account verification, to determine whether procedures were consistently understood and carried out. We also performed transaction testing to verify whether policies and procedures for account verification of high-risk transactions were being applied as intended. In total, 160 transactions from the period April 1 to December 31, 2008, were reviewed to determine whether the established procedures were being followed by the responsible officers.