This page has been archived.
Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.
Final Report
The Internal Audit and Evaluation Bureau has completed an audit of acquisition cards. The objectives of the audit were to assess the adequacy and effectiveness of the management control framework for acquisition cards within the Treasury Board of Canada Secretariat (Secretariat) and ensure compliance with the Treasury Board Directive on Acquisition Cards and internal policies and procedures.
We conclude with a reasonable level of assurance that, although the Secretariat is generally compliant with the Treasury Board Directive on Acquisition Cards, attention is required to address key elements of the management control framework for acquisition cards. Specifically, these relate to objectives and goals; accountabilities, roles, and responsibilities; training; processes and procedures; and mechanisms for planning, risk assessment, and monitoring.
The audit approach and methodology followed the Internal Auditing Standards for the Government of Canada and the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing.
The examination was conducted from January to March 2011. Acquisition card purchases from April 1, 2009 to March 31, 2010 were used to select a sample of cardholders and fund centre managers to test the current acquisition card management control and operating framework. Documents received were also reviewed to determine the degree to which a management control framework for acquisition cards has been developed and implemented within the Secretariat.
The audit consisted of interviews, documentation review, and an examination of a sample of purchases for trends using computer-assisted audit techniques. The audit evidence gathered is sufficient to provide senior management with reasonable assurance of the results derived from this audit.
In the professional judgment of the Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence has been gathered to support the accuracy of the opinion provided in this report. The opinion is based on a comparison of the conditions, as they existed at the examination phase of the audit, against pre-established audit criteria. The opinion is applicable only to the entities examined and for the time period and scope specified herein.
The Audit of Acquisition Cards is part of the approved Treasury Board of Canada Secretariat's (Secretariat's) Three Year Risk-Based Audit Plan 2010-2013.
Acquisition cards provide government departments with a convenient, simplified, and practical method of procuring and paying for goods and services while ensuring effective financial controls. Use of acquisition cards is governed by the Treasury Board Directive on Acquisition Cards and operates pursuant to section 2 of the Financial Administration Act. This directive replaced the 1998 Policy on Acquisition Cards.
The objectives of the audit were to assess the adequacy and effectiveness of the management control framework (MCF) for acquisition cards within the Secretariat and to ensure compliance with the Treasury Board Directive on Acquisition Cards and internal policies and procedures.
The audit's scope focused on the management control and operating framework for the Secretariat's acquisition card activities.The audit did not address the account verification process used for reconciling card statements nor the monthly processing of acquisition card payments. This was the subject of a recently conducted separate audit of account verification.
We conclude with a reasonable level of assurance that, although the Secretariat is generally compliant with the Treasury Board Directive on Acquisition Cards, attention is required to address key elements of the MCF for acquisition cards, specifically the following:
Regarding compliance with the Treasury Board Directive on Acquisition Cards and internal policies and procedures, we conclude that, although card activities are found to be generally compliant with this directive, opportunities exist to strengthen control with respect to timely card cancellation. Compliance was largely due to the general awareness of responsibilities based on previous experience and ad hoc practices in place throughout the Secretariat.
A management action plan is being developed by the Secretariat.
Acquisition cards provide government departments with a convenient, simplified, and practical method of procuring and paying for goods and services while ensuring effective financial controls.
Use of acquisition cards is governed by the Treasury Board Directive on Acquisition Cards and operates pursuant to section 2 of the Financial Administration Act. This directive replaced the 1998 Policy on Acquisition Cards.
Acquisition cards are credit cards issued to employees of the Government of Canada to enable them to make timely purchases in support of government operations. There are currently three types of credit cards used in government. The AMEX card is used exclusively for travel expenditures by employees. The fleet credit card is used for the operating and maintenance expenses of departmental vehicles. All other card purchases are to be made using the Bank of Montreal (BMO) MasterCard and/or the Canadian Imperial Bank of Commerce (CIBC) Visa card, depending on operational needs.
BMO is the service provider for the Secretariat. The contract with BMO offers a rebate program payable directly to the department. There are no user fees associated with the use of acquisition cards.
The scope of this audit was limited to the BMO acquisition card. Any references to "acquisition card" or "card" in this report pertain to the BMO acquisition card.
Within the Secretariat, the Corporate Services Sector (CSS) is responsible for managing acquisition cards. The Administration and Security Directorate (ASD) of CSS is responsible for overall management of the cards, and the Financial Management Directorate is responsible for accounting and payments related to card use.
Prior to February 1, 2009 the Department of Finance Canada provided shared services to the Secretariat, including contracting and procurement services. As a result of an Order in Council, the Secretariat became responsible for its own contracting and procurement services. It should be noted that since the transfer, the Contracting, Procurement and Material Management (CPMM) group within ASD faced capacity issues, staff turnover, and a lack of documented internal processes and procedures, which resulted in operational challenges. The priority for CPMM was to build capacity while maintaining operations. CPMM's focus has also been on developing a contracting and procurement MCF, including elements pertaining to the MCF for acquisition cards.
For the period from April 1, 2009 to March 31, 2010, 336 cards were used, which included 16 acquisition cards used at regional offices.
The total amounts procured with acquisition cards for the fiscal years ending March 31, 2009 and March 31, 2010 constituted 3.6 per cent and 3.9 per cent, respectively, of the total expenditures for goods and services for these two fiscal years. Goods and services expenditures for these two fiscal years are provided in Table 1.
Expenditure Type | Expenditures for Fiscal Year Ending March 31, 2009 |
Percentage of Total | Expenditures for Fiscal Year Ending March 31, 2010 | Percentage of Total |
---|---|---|---|---|
Note: Percentages may not total due to rounding. | ||||
Acquisition Card Transactions | $1,886,094 | 3.6% | $2,430,844 | 3.9% |
Other Goods and Services Transactions | $50,424,596 | 96.0% | $57,716,352 | 93.5% |
Capital Assets | $29,662 | 0.1% | $1,262,940 | 2.0% |
Other Vote 1 Balance Sheet Transactions | $149,303 | 0.3% | $322,392 | 0.5% |
Total Vote 1 Operating Expenditure | $52,489,655 | 100% | $61,732,528 | 100% |
Given the proposed increase in the use of such cards, the high level of public sensitivity, and the potential risk of misuse, the establishment of a sound MCF based on an appropriate risk assessment is required.
The objectives of the audit were to assess the adequacy and effectiveness of the MCF for acquisition cards within the Secretariat and ensure compliance with the Treasury Board Directive on Acquisition Cards and internal policies and procedures.
The audit focused on the following elements of the MCF:
Acquisition card purchases from April 1, 2009 to March 31, 2010 were used to select a sample of cardholders and fund centre managers to test the current acquisition card management control and operating framework.
The audit did not address the account verification process used for reconciling the card statements nor the monthly processing of acquisition card payments. This was the subject of a recently conducted separate audit of account verification. This previous audit examined a representative sample of card payments by the Secretariat to assess the level of compliance with the applicable policy or directive on account verification.
Included in the audit were the following two lines of enquiry:
The audit assessed whether management control activities and mechanisms were clearly defined, addressed known risks, were sufficient and effectively communicated, adequately monitored, and reported risks and major issues related to acquisition cards. The audit also assessed the level of compliance with applicable authorities through a detailed examination of a sample of purchases.
The audit approach and methodology was risk-based and followed the Internal Auditing Standards for the Government of Canada and the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing. These standards require that the audit be planned and performed in such a way as to obtain reasonable assurance that audit objectives are achieved. The audit included various tests considered necessary to provide such assurance, such as the following:
The management control framework (MCF) for acquisition cards requires improvements in a number of areas. Attention is required to fully develop, clearly articulate, and implement key MCF elements.
The audit expected that the Secretariat would have a sound MCF in place to provide reasonable assurance to management that the Secretariat's objectives for acquisition cards are achieved, to support effective decision making, and to flag significant control issues on a timely basis. It also expected that the MCF would be formally documented, maintained, and effectively communicated to all stakeholders involved in acquisition card activities.
The audit found that since the creation of a dedicated function in 2009, the Secretariat has undertaken a number of initiatives to develop key elements of an MCF. These initiatives related to considering the goals and objectives of the acquisition card activity and developing draft documents that define roles, responsibilities, and departmental procedures for card activities. Specifically, the audit found the following:
Further work is required to ensure clarity and completeness with respect to goals and objectives, roles and responsibilities, and processes and procedures. These documents need to be finalized, approved, and communicated to all employees involved in acquisition card activities.
The audit found that some of the key elements of a sound MCF were not in place to support acquisition card activities within the Secretariat. The missing elements pertained to planning and risk management, monitoring and reporting, and learning and training as follows:
Without improvements to the current MCF, the ability to identify and mitigate risks is impeded, increasing the potential for errors and abuse, particularly in an organization that intends to increase the use of acquisition cards to procure goods and services and use such cards to make payments against contracts and purchase orders.
It is recommended that the Assistant Secretary, Corporate Services Sector, undertake the following:
Acquisition card activity was found to be generally compliant with authorities; however, opportunities exist to strengthen the card cancellation process.
It is expected that risks relating to the stewardship of public resources are adequately managed through effective controls, including internal controls over financial reporting. The audit expected to find that card activities would be performed in a manner that is compliant with applicable authorities.
Overall, the audit found that general compliance with authorities was largely due to employees' general awareness of responsibilities based on previous work experience in other government departments and ad hoc practices in place throughout the Secretariat.
The audit found that the issuance and renewal of acquisition cards, as well as card usage and security, were generally compliant with the Treasury Board Directive on Acquisition Cards. However, weaknesses were noted in the knowledge of cardholders on types of allowable purchases, errors in classifying purchases for financial reporting, and inconsistent application of issued processes. In the opinion of the audit team, these errors would have been addressed if appropriate training had been provided, adequate procedures had been accessible to users, and monitoring activities had been in place.
The audit also found that oversight over the cancellation of cards on employee departure or transfer of cardholder responsibilities was weak. There was heavy reliance on the cardholder or fund centre manager to notify an individual in the CPMM group of a departure or requirement to cancel a card. The controls over ensuring that cards are cancelled on a timely basis would be strengthened if the individuals responsible for cancellation processes use the departmental information technology systems to identify cardholder departures or potential situations where a cardholder has changed positions within the department.
The audit recognizes the significant efforts made by the Administration and Security Directorate, Corporate Services Sector, in developing elements of an MCF since its creation in February 2009.
We conclude with a reasonable level of assurance that, although the Secretariat is generally compliant with the Treasury Board Directive on Acquisition Cards, attention is required to address key elements of the MCF for acquisition cards. Specifically, there is a need to:
Regarding compliance with the Treasury Board Directive on Acquisition Cards, opportunities exist to strengthen control with respect to timely card cancellation.
It is recommended that the Assistant Secretary, Corporate Services Sector finalize and formally approve draft documents relating to accountabilities, roles, responsibilities, procedures, guidelines, and related documents and make these accessible to stakeholders.
Management Action | Completion Date | Office of Primary Interest (OPI) |
---|---|---|
CSS agrees with the findings and recommendation | ||
CSS will integrate the management of the acquisition card function with the Financial Management Division (FMD) while retaining an oversight role with Contracting and Procurement (CPMM) | September 2011 | CSS/FMD |
Draft documents will be finalized, approved and promulgated. | March 2012 |
It is recommended that the Assistant Secretary, Corporate Services Sector develop, document, and institute a training program, planning and risk management, and monitoring and reporting activities to effectively support the acquisition card activities within the Secretariat.
Management Action | Completion Date | Office of Primary Interest (OPI) |
---|---|---|
CSS agrees with the findings and recommendations. | ||
Training and guidance will be incorporated into existing programs and products. This will ensure consistency and have one common contact within CSS. | September 2011 | CSS/FMD |
The 2007 Deloitte assessment will be reviewed in light of the planned increased usage of the card and a new risk assessment will be developed. | March 2012 | |
Acquisition card monitoring and reporting processes will be integrated into the continuous monitoring program that FMD is currently developing. | March 2012 |
It is recommended that the Assistant Secretary, CSS, strengthen the controls over card cancellation, using the information and tools available in the departmental information technology systems.
Management Action | Completion Date | Office of Primary Interest (OPI) |
---|---|---|
CSS agrees with the findings and recommendation | ||
CSS will strengthen the controls over card cancellation by: | CSS/FMD | |
Ensuring the Contracting and Procurement staff is notified when TRINET receives an electronic "Employee Departure" notification so that they can verify whether there is an acquisition card to be accounted for and taking cancellation action, if required. Note this process will be transferred to FMD. | Completed | |
Augment current credit card processes and monitoring activities (such as AMEX travel card) to include acquisition cards. | March 2012 |