Treasury Board of Canada Secretariat

ARCHIVED - Horizontal Internal Audit of High Risk Expenditure Controls in Small Departments and Agencies


Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.

Detailed Findings and Recommendations

Finding 1: Risk Identification

Although SDAs can identify high-risk expenditures, they are not using this knowledge to streamline their processes and allow for more efficient processing of transactions.

Our audit was designed to look at the SDAs’ risk management practices as they relate to account verification. We wanted to ensure that high-risk transactions had been identified and that appropriate controls were aligned with the certification of associated payments. We examined whether an appropriate level of management representing the governance function over account verification, risk management and controls was involved in risk identification. We verified whether the appropriate functional authorities were involved in risk identification, including those representing the governance function. Finally, we looked for documentation to support the identification of high-risk expenditures and supporting policies or procedures to identify the differences required in certifying high- versus low-risk payments.

We expected that high-risk transactions would be identified and articulated in writing at each of the SDAs included in our sample. We expected that the risks identified and the resulting impact on controls would be contained within policies and procedures or guidance used to inform those responsible for the account verification process. Given the SDA environment, we did not expect the resulting documents to be lengthy or a make-work exercise. Instead, we expected to see identified risks highlighted in the minutes of a senior management meeting or presented in a brief, half-page document. We also expected that the appropriate personnel would be included in risk identification, both those representing the governance of the SDA and those in the functional areas who could contribute valid input to this process.

Effective risk management involves the formalized identification of risks and resulting changes to the controls, which are important to ensure that the different levels of management share the same perspective on risk and that controls can therefore be designed to meet management’s needs and expectations.

A minority of SDAs formally identify high-risk payments. Some of the SDAs included in our sample are formally identifying and documenting their high-risk expenditures to support transaction types that need higher probity in the certification process. These SDAs also review the process at least once a year, and risk issues are discussed by established senior management committees.

However, the majority of SDAs are not documenting the types of transactions they consider high-risk. When those responsible for expenditure controls were interviewed, they were able to articulate the transaction types that they considered to be higher-risk. However, there was no formal way to ensure that all managers across the organization agreed with this risk identification or that all valid input had been considered.

Furthermore, most of the SDAs stated that they consider all transactions to be high-risk, given the minimal number of transactions occurring on a daily basis and the reputational risk to the SDA if a payment is made inaccurately. In most cases, this determination had not been documented.

Most SDAs do not include input on risks from all appropriate levels of management. Few SDAs could demonstrate that they have included appropriate members of management in their risk identification process. Without including all appropriate personnel in the risk management process — those representing the governance function and those with specific knowledge of risks — the identification of risks and the reaction to those risks may not be appropriate.

Most SDAs do not have guidance to support their risk identification and related verification procedures. Although we observed some good practices among the SDAs, such as formally notifying employees of identified risks through the development of procedures to follow in response to low versus high risk, this was not widespread. It is essential to provide those responsible for account verification with appropriate guidance on verification procedures that need to be applied for varying levels of risk. This ensures that practices are aligned with risk management decisions. Not having sufficient documentation on risk identification and risk tolerance to support personnel with a governance function over account verification could lead to inappropriate or inefficient controls being applied.

Recommendations

1. SDAs should formalize their process for identifying high-risk transactions, which could be presented in a brief guidance document. Those responsible for the governance function over expenditure management and those with functional insight should be involved.

2. SDAs should ensure that risks are clearly identified and documented for the account verification process.

Finding 2: Certification for Payments

Most project authorities have the necessary training to conduct their payment certification.

Project authorities (section 34) must ensure that proof of performance conditions exists prior to certifying for payment. The project authority certifies that the performance of work, the supply of goods, or the rendering of services complies with the terms and conditions of the agreement or contract and that the price charged complies with the contract or, in the absence of a contract, that it is reasonable.

We reviewed the extent of information, training and guidance available to project authorities to ensure that proof of performance conditions for the agreement are met before each payment is made.

We expected to find that, in addition to guidance or checklists, sufficient training would be provided to ensure that officials who verify proof of performance conditions know how to apply an appropriate level of scrutiny to determine that the performance conditions of the agreement are met before each payment is certified. Specific guidance would be especially appropriate when the proof of performance conditions are uniquely tailored for agreements not generally encountered in day-to-day situations — for example, contracting for professional services that include various performance criteria and reports required prior to payment approval.

The lack of program-specific account verification guidance for project authorities could lead to the misunderstanding and inconsistent application of practices related to account verification and not enough attention being paid to departmental or program-specific attributes or risks.

Certification for payments is being done by those with the authority to do so. Many project authorities with delegated section 34 responsibilities have delegated subordinates to review the contracting terms and conditions to ensure that the basis of payment agreed with the invoice received from the supplier. However, we found no instances where section 34 had been signed by someone not authorized to do so.

In some SDAs, those with delegated authority have not received required training. In about one third of the SDAs included in our sample, those with delegated signing authority have neither taken the required training nor written and passed the online tests designed to ensure that they understood their roles and responsibilities for section 34 authority prior to enacting delegated authorities. We also found that some of the SDAs were not aware of the required training and tests.

Those with delegated authority for section 34 should fully understand the responsibility assigned to them; otherwise, the sign-off for payment of goods and services may not be done appropriately.

Recommendation

3. SDAs should ensure that those with delegated authority for section 34 certification receive the necessary training and pass the appropriate Government of Canada tests to prove they understand their responsibilities prior to this delegation.

Finding 3: Quality Assurance

SDAs are intuitively applying a risk-based approach to quality assurance for account verification.

We examined whether those responsible for quality assurance (section 33 certification) were performing their duties in an efficient and effective manner and respecting the risk management decisions for account verification established in their SDA. In those SDAs that had formally identified high-risk transactions, we wanted to ensure that a more efficient, streamlined control process was being followed for low-risk transactions and that a quality assurance strategy (including a sampling plan) had been developed to handle low-risk transactions in an appropriate fashion. For high-risk transactions, including in those SDAs where all transactions were deemed high-risk, we wanted to ensure that those responsible for quality assurance were respecting the risk level in their verification procedures. Finally, we wanted to verify whether those responsible for quality assurance were monitoring the process and accordingly reporting to the governance function on such areas as good practices, errors noted, systemic issues or any changes in risk identification or risk tolerance that needed to be discussed.

We expected that all SDAs would be following relevant control procedures for quality assurance for each transaction according to whether the payment was considered of high versus low risk. We expected that these control procedures would be clear and that evidence of the application of these controls would exist for each transaction. For those SDAs that recognized they had low-risk transactions and were therefore applying fewer controls for these transactions in their account verification process, we expected that a sampling plan would exist and would be carried out to ensure that the low-risk transactions were subject to an appropriate level of probity. Finally, we expected that results and errors would be monitored by those responsible for quality assurance and communicated to those with governance over this area on a timely basis.

It is important that expenditure controls for account verification be designed with effectiveness and efficiency in mind. Spending an inordinate amount of time verifying a low-risk transaction is not an effective use of an employee’s time. Controls should be designed and applied in a manner that corresponds to the risk tolerance of the SDA’s governance function to ensure that appropriate due diligence is being respected.

Identified high-risk transactions are often verified with low-risk considerations. In the majority of SDAs in our sample that consider all payment types to be high-risk, most actually perform fewer controls in areas that are intuitively low-risk. This means that the procedures being followed are not respecting the risk identification that determines all transactions are high-risk. Nevertheless, in SDAs where an approach for low-risk transactions exists and is being applied in a manner commensurate with the SDAs’ risk tolerances, the SDAs are demonstrating efficiency in their account verification process. However, this risk identification should be formalized to ensure that the identified high-risk areas are commensurate with the SDAs’ overall risk tolerances.

Furthermore, when following a low-risk verification process, it is imperative that sampling plans be developed to ensure that account verification over low-risk transactions is done appropriately. Given that these SDAs have streamlined control procedures in place, a sampling methodology for low-risk transactions is required to provide appropriate quality assurance.

Checklists to aid in the verification process are useful. Of the few SDAs included in our sample that are identifying high-risk transactions, half of them have checklists to assist those completing the requirements for quality assurance. These checklists identify the procedures required for low-risk transactions and the more stringent controls required for high-risk transactions. The checklists provide adequate documentation to demonstrate that the appropriate controls are being applied.

Most of the SDAs included in our sample could not provide adequate evidence of the control procedures being performed to meet their account verification requirements. Especially in light of the high employee turnover in most SDAs, evidence of work done must be documented in order to provide adequate support for past decisions made.

SDAs are monitoring the results of the account verification process. Half of the SDAs included in our audit monitor the results of the account verification process so that they can report on the areas where errors occur or where risk should be redefined in light of new circumstances. Such reports are made to those with appropriate governance over expenditure management, and although this is often done unofficially, it is seen as sufficient to meet the needs of senior management.

A good practice was noted. A few of the SDAs have been using the services of their parent department or agency to carry out their quality assurance responsibilities. This enables the SDA to take advantage of the larger resources in its parent department or agency. However, the majority of the parent departments and agencies providing this service have not adjusted their risk tolerance levels for SDA transactions to ensure that appropriate risk management is in place.

Recommendations

4. SDAs should formalize their identification of high-risk transactions so that control processes are commensurate with risk tolerances, thereby ensuring both the effectiveness and efficiency of the account verification process. This could be established in a succinct briefing document, once all relevant management personnel agree on the risk identification process.

5. SDAs that have streamlined controls over low-risk transactions should establish a sampling plan designed to periodically provide assurance that those transactions subject to low-risk account verification continue to warrant this classification.

6. SDAs should provide guidance, such as checklists, for quality assurance over low- versus high-risk transactions.

Conclusion

Overall, SDAs are not taking advantage of the more efficient verification practices that result from the proper identification of high-risk transactions. Most SDAs included in our sample stated that, given the low number of their transactions and increased public scrutiny, they deem all transactions to be high-risk. However, this risk tolerance is not commensurate with the quality assurance procedures performed. Nevertheless, SDAs are monitoring the results of quality assurance and informally providing this feedback to the appropriate level of management.

Management Action Plans

The findings and recommendations of this audit were presented to each department and agency included in the scope of the audit. They have reviewed the recommendations, provided responses and developed Management Action Plans as required. A summary of the responses received from SDAs included in the scope of this audit is included in Appendix 3. The Small Department and Agency Audit Committee (SDAAC) has been briefed on the audit findings and the departmental responses. The SDAAC will periodically receive reports on the actions taken where Management Action Plans are in place.

Deputy heads of other SDAs will take into account the results of this horizontal internal audit and will ensure that Management Action Plans are developed as deemed necessary.