Treasury Board of Canada Secretariat
Symbol of the Government of Canada

ARCHIVED - Horizontal Internal Audit of High Risk Expenditure Controls in Small Departments and Agencies


Warning This page has been archived.

Archived Content

Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.

Appendix 1: Departments and Agencies Included in the Audit Engagement

  1. Assisted Human Reproduction Canada
  2. Canadian Artists and Producers Professional Relations Tribunal
  3. Canadian Forces Grievance Board
  4. Canadian Human Rights Commission
  5. Canadian International Trade Tribunal
  6. Canadian Transportation Agency
  7. Copyright Board Canada
  8. Financial Consumer Agency of Canada
  9. Human Rights Tribunal of Canada
  10. Military Police Complaints Commission of Canada
  11. NAFTA Secretariat — Canadian Section
  12. National Battlefields Commission, The
  13. Public Service Staffing Tribunal
  14. Registrar of the Supreme Court of Canada
  15. RCMP External Review Committee
  16. Registry of the Competition Tribunal

Appendix 2: Objectives and Related Criteria

The objective of the audit was to assess the adequacy and effectiveness of processes in place to identify higher-risk transactions, which consequently enable more efficient account verification practices.

Objectives Criteria
Risk assessment processes are designed to identify high-risk payments for focused attention and verification.
  • The organization has established and documented appropriate internal policies specific to the account verification process.
  • The organization’s direction and approach to risk management are formally articulated and documented.
  • The documented risk identification process is rigorous; it considers risks at both the entity level and the activity level and assesses internal and external sources of risk.
  • All appropriate levels of management are involved in analyzing risks.
  • All appropriate functional areas — for example, line managers, internal auditors, security, and legal representatives — are involved in the analysis of risk.
  • Risk information is regularly presented and discussed at established management and oversight committee meetings.
Verification processes are designed to ensure that payments are verified in a cost-effective and efficient manner while maintaining the level of control required under the Account Verification policy.
  • The organization has an entity-specific account verification policy. It also has appropriate and adequate account verification procedures.
  • Other financial management policies and procedures are maintained by the organization.
  • Financial management policies and procedures are regularly and effectively communicated within the organization.
  • Responsibility for monitoring compliance with financial management laws, policies and authorities is clear and communicated through, for example, job descriptions, organization charts, or division or branch mandates.
  • Compliance monitoring is appropriately and effectively applied through a documented risk-based quality assurance process, including a documented sampling strategy.
  • Reports to the oversight body include clear statements that compliance has been maintained or that breaches have been noted.
Monitoring processes exist to inform the organization, on an ongoing basis, of the effectiveness of the account verification processes.
  • In accordance with the Policy on Active Monitoring, organizations actively monitor their management practices and controls using a risk-based approach.
  • Management review is ongoing and timely.
  • Significant control breakdowns are reported to management in a timely way.
  • The organization’s internal audit group periodically assesses the account verification processes.
  • Recommendations are considered, and deficiencies are investigated and resolved in a timely fashion.

Appendix 3: Management Action Plan

The following table presents the recommendations and a description of the actions being taken to address them. Each recommendation is assigned a risk ranking of high, medium or low, based on the relative priorities of the recommendations and the extent to which the recommendations indicate non-compliance with Treasury Board policies.

Recommendations Overall Risk Ranking Management Action Plan
1.  SDAs should formalize their process for identifying high-risk transactions, which could be presented in a brief guidance document. Those responsible for the governance function over expenditure management and those with functional insight should be involved. Medium SDAs have agreed to formalize their risk identification and resulting account verification policies and guidance. Implementation is expected to be completed by March 31, 2010.
2.  SDAs should ensure that risks are clearly identified and documented for the account verification process. High SDAs will ensure that risks are clearly identified and that those responsible for account verification receive the necessary guidance or training to carry out a risk-based account verification process. Implementation is expected to be completed by April 2010.
3.  SDAs should ensure that those with delegated authority for section 34 certification receive the necessary training and pass the appropriate Government of Canada tests to prove they understand their responsibilities prior to this delegation. High SDAs will ensure that individuals with section 34 delegated authority receive appropriate training or have the authority removed.
4.  SDAs should formalize their identification of high-risk transactions so that control processes are commensurate with risk tolerances, thereby ensuring both the effectiveness and efficiency of the account verification process. This could be established in a succinct briefing document, once all relevant management personnel agree on the risk identification process. High SDAs are or will be developing guidance or checklists to ensure that account verification processes are consistent with risk. Implementation is expected to be completed by March 31, 2010.
5.  SDAs that have streamlined controls over low-risk transactions should establish a sampling plan designed to periodically provide assurance that those transactions subject to low-risk account verification continue to warrant this classification. Low SDAs that are implementing low-risk transaction account verification processes will develop sampling strategies. These strategies will be in place by March 31, 2010.
6.  SDAs should provide guidance, such as checklists, for quality assurance over low- versus high-risk transactions. Medium SDAs will develop checklists to identify the procedures required for low- and high-risk transactions. This guidance is expected to be implemented by June 2010.

Appendix 4: Links to Applicable Legislation, Policies and Guidance

*   Since this audit report was prepared, the Treasury Board Account Verification policy and the Policy on Delegation of Authorities were rescinded effective October 1, 2009, and replaced respectively by the Directive on Account Verification and the Directive on Delegation of Financial Authorities for Disbursements. The conclusions in the report are not affected by these changes.


[1].  This audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing. However, the Office of the Comptroller General has not undergone an external assessment at least once in the past five years or been subject to ongoing monitoring or to periodic internal assessments of its horizontal internal audit activity that would confirm its compliance with the standards.

[2].  Since this audit report was prepared, the Treasury Board Account Verification policy was rescinded effective October1, 2009, and replaced by the Directive on Account Verification. The conclusions contained in the report are not affected by this change.