ARCHIVED - Audit of Delegated Authority Under Section 34 of the Financial Administration Act
Internal Audit Report

This page has been archived.

December 2008

Table of Contents

• Executive Summary
• Introduction
  • Background
  • Risk Assessment
  • Audit Objective and Scope
  • Approach and Methodology
  • Audit Criteria
  • Statement of Assurance
• Audit Opinion
• Findings, Recommendations and Management Action Plan
  • Governance
  • Capability
  • Compliance With Governing Legislation and Policies
  • Specimen Signature Documents
  • Transaction Analysis
• Appendix A -- Results of Transaction Analysis
• Appendix B -- List of Acronyms

---

Executive Summary

Background

Pursuant to section 34 of the Financial Administration Act (FAA) and the Treasury Board (TB) Policy on Delegation of Authorities, signing authorities are delegated to the Canada Border Services Agency's (CBSA) various levels of management to enable them to administer programs and manage expenditures under their jurisdiction.

CBSA managers with delegated authority, the Comptrollership Branch, the branch management services units (BMSUs) and their regional equivalents, and the National Financial Transaction Centre (NFTC) all play significant roles in ensuring that section 34 of the FAA is performed in accordance with the relevant legislation, policies and directives.

The Audit Committee approved the Audit of Delegated Authority Under Section 34 of the Financial Administration Act as part of the internal audit plan for 2006-2007 that addressed compliance. No previous audits of this area have been conducted by the Internal Audit Directorate.

Planning of the audit started in late July 2006 and was suspended following notification in August 2006 of the Office of the Comptroller General's (OCG) horizontal audit on delegation of financial authorities. The CBSA was included in the OCG's Phase I review but was not selected for the more detailed assessment of Phase II. As a result, the CBSA's Internal Audit Directorate recommenced this audit to review compliance of delegated authorities under section 34 of the FAA.

Objective and Scope

The objective of the audit was to provide assurance on the following:

• That CBSA practices and controls on administering and exercising delegated authorities under section 34 of the FAA were compliant with legislation, TB policies and directives, and CBSA policies; and
• That proper controls were in place to ensure that transactions were appropriately authorized, with the correct financial coding, by delegated authorities.

The audit scope included selected headquarters branches and regions to ensure adequate and representative coverage. Three CBSA branches and three regions were subject to the audit. The audit included a review of a sample of transactions representing the period from April 1, 2007, to September 30, 2007; interviews with various levels of management with delegated authority; and a review of the administrative processes at the BMSUs and regional finance offices. Audit fieldwork was substantially completed in August 2008.

The audit scope did not include a review of section 32 or 33 of the FAA. Travel, hospitality and fleet management were also excluded since separate audits of these areas have been planned or have previously taken place.

Statement of Assurance

This audit engagement was planned and conducted in accordance with the Internal Auditing Standards for the Government of Canada.

Audit Opinion

The CBSA's practices on administering and exercising delegated authorities under section 34 of the FAA were generally compliant with the applicable legislation, policies and directives. Controls should be strengthened to ensure transactions are authorized with sufficient and appropriate documentation on file.

Main Observations

CBSA policies, directives and procedures for the administration of section 34 of the FAA were appropriately documented and communicated. In addition, CBSA policies and procedures were found to be consistent with governing legislation and TB policies and directives. Roles and responsibilities with respect to purchase order preparation and documentation retention standards were not clearly defined or understood. Training and desktop tools specific to section 34 certifications were found to be insufficient to allow managers to appropriately exercise their delegated authorities. Sampled specimen signature documents were properly completed, updated, signed, distributed and aligned with the incumbents' delegated authority. Audit transaction testing illustrated that transactions were generally compliant with the audit criteria; the largest area of non-compliance related to not maintaining sufficient and appropriate documentation on file to support section 34 certifications.

The audit recommended that the Vice-President of the Comptrollership Branch establish and communicate a written directive on when purchase orders should be prepared, consider ways to strengthen section 34 certification training and desktop tools, and ensure that the CBSA Finance and Administration Manual is updated to include a reference to supporting documentation that BMSUs and regional finance offices should retain on file.

Management Response

The Comptrollership Branch agrees with the recommendations in this report.

Introduction

Background

Pursuant to section 34 of the Financial Administration Act (FAA) and the Treasury Board (TB) Policy on Delegation of Authorities, signing authorities are delegated to the Canada Border Services Agency's (CBSA) various levels of management to enable them to administer programs and manage expenditures under their jurisdiction. The Minister of Public Safety and the President of the CBSA formally delegate and communicate spending and payment authorities through the financial delegation matrix. There are approximately 1,500 incumbents with delegated financial authorities throughout the CBSA and these authorities are communicated through specimen signature documents (SSDs).

The Comptrollership Branch is ultimately responsible for ensuring compliance with legislative and TB requirements. This branch is responsible for policies, procedures and controls related to the administration and exercise of delegated authorities and it also develops and maintains financial delegation instruments.

Primary responsibility for verifying individual expenditures and payments rests with incumbents who have been delegated the authority to confirm and certify entitlement, pursuant to section 34 of the FAA. These incumbents are responsible for certifying that work, goods or services have been received for the payment requested, that the charge is reasonable and correct, and that the payee is entitled to payment. Each transaction that undergoes section 34 certification must be coded to indicate the type of transaction and the responsibility or cost centre identifies the area where the expenditure was incurred.

The branch management services units (BMSUs), established in 2005 for each headquarters (HQ) branch or the equivalent regional finance office, are responsible for preparing SSDs for incumbents with financial signing authorities and for providing the support to administer and manage those functions related to the performance of section 34 of the FAA.

Once the section 34 certification has been properly executed and the information is inputted into the Corporate Administrative System (CAS) by the BMSU or regional office, all documentation is forwarded to officers having delegated payment authority under section 33 of the FAA. The National Financial Transaction Centre (NFTC) in Montréal currently has full payment authority for HQ and all CBSA regions, except the Pacific Region. Full payment authority for the Pacific Region is to be transferred to the NFTC by October 2008. For HQ and the remaining regions, the NFTC has ultimate responsibility for verifying individual expenditures, which includes providing assurance on the adequacy of the section 34 certification before payment is issued.

Prior to exercising delegated authority under section 34 of the FAA, new managers must undergo a five-day mandatory classroom course provided by the Canada School of Public Service. Before December 2006, managers had the option to take the five-day course or an online training course.

CBSA expenditures for the 2006-2007 fiscal year and for the first half of the 2007-2008 fiscal year were as follows:

Table 1 -- CBSA Total Expenditures

	Fiscal Year 2006-2007				Fiscal Year 2007-2008
	April 1 to September 30	%	October 1 to March 31	%	April 1 to September 30	%
Salaries	$377,821,935	76%	$401,779,787	65%	$388,253,341	73%
Capital and operations and maintenance (O&M)	$120,018,643	24%	$215,571,603	35%	$141,039,617	27%
Total	$497,840,578		$617,351,390		$529,292,958

Source: CAS

The Audit Committee approved this audit as part of the internal audit plan for 2006-2007 that addressed compliance. No previous audits of this area have been conducted by the Internal Audit Directorate.

Planning of the audit started in late July 2006 and was suspended following notification in August 2006 of the Office of the Comptroller General's (OCG) horizontal audit on delegation of financial authorities. The CBSA was included in the OCG's Phase I review but was not selected for the more detailed assessment of Phase II. As a result, the CBSA's Internal Audit Directorate recommenced this audit to review compliance of delegated authorities under section 34 of the FAA. The focus of the audit was to provide assurance that the exercise of section 34 certification was compliant with relevant directives and to evaluate whether controls were in place to ensure transactions were appropriately authorized and coded to the financial systems.

Risk Assessment

To assist in audit planning and to determine potential priorities and areas of audit, a risk assessment of the exercise of delegated authorities under section 34 of the FAA was conducted.

Based on the preliminary assessment of risks, the audit noted the following potential risk areas:

Financial management structure and practices

Roles and responsibilities -- There is a risk that roles and responsibilities have not been identified and communicated or that they are not well understood given the recent organizational restructuring involving the creation of BMSUs and the centralization of the section 33 function at the NFTC; this may result in non-compliance and increased error rates.

Training -- There is a risk that delegated managers and their support staff have not received adequate training to enable them to properly carry out section 34 certifications or to clearly understand the ramifications of not doing so.

Policies and procedures

There is a risk that the policies and procedures on section 34 certification are not complete, properly communicated or well understood by delegated authorities and support staff; this may result in non-compliance and inadequate controls over expenditures.

Monitoring and control

There is a risk that monitoring and reporting is inadequate to ensure compliance and reliability of data, and to identify problems and corrective measures.

Audit Objective and Scope

The objective of the audit was to provide assurance on the following:

• That CBSA practices and controls on administering and exercising delegated authorities under section 34 of the FAA were compliant with legislation, TB policies and directives, and CBSA policies; and
• That proper controls were in place to ensure that transactions were appropriately authorized, with the correct financial coding, by delegated authorities.

The audit scope included selected HQ branches and regions to ensure adequate and representative coverage. Three HQ branches (Comptrollership; Innovation, Science and Technology; and Strategy and Coordination) and three regions (Northern Ontario, Pacific and Quebec) were selected for audit examination. The examination included a review of the performance of section 34 certification at different levels of management and related administrative processes at the BMSUs and regional finance offices. A sample of transactions, representing the period from April 1, 2007, to September 30, 2007, from the selected branches and regions was examined. Expenditures at the selected branches and regions represented approximately 50% ($266.8 million) of CBSA expenditures for the sampling period. Audit fieldwork was substantially completed in August 2008.

The audit scope did not include a review of commitments under section 32 of the FAA or the final verification process conducted by officers performing the account verification and payment function under section 33 of the FAA. The Audit Committee approved, as part of the CBSA's three-year risk-based audit plan, a separate audit on section 33 of the FAA for the 2008-2009 fiscal year.

Transactions related to travel, hospitality and fleet management were the subject of recent CBSA internal audits and therefore were also excluded from the audit scope. In addition, acquisition cards were excluded from this audit because they will be reviewed as a separate future audit.

Approach and Methodology

The audit approach included a documentation review, interviews with key personnel, site visits and an examination of sampled transactions.

The documents reviewed included relevant legislation, TB policies and directives, CBSA policies and procedures, and other relevant documentation on the delegation of financial signing authorities. These included the Financial Administration Act, the CBSA Finance and Administration Manual and the CBSA Financial Administration Control Framework. SSDs were also reviewed to ensure that they were properly completed, updated, signed, distributed and aligned with the incumbents' delegated authority.

Key personnel in the Comptrollership Branch and other HQ branches were interviewed to gain an understanding of the audit area and to identify risks. A random selection of 37 delegated managers at different levels of the organization were interviewed. The purpose of these interviews was to gain an understanding of managers' roles and responsibilities under section 34 of the FAA, of training received, of transaction review activities and of the use of relevant policies, procedures and directives.

Site visits and interviews were conducted at the NFTC and with selected BMSUs at HQ and their equivalents in selected regions to observe, review and examine the administration of delegated authority under section 34 of the FAA.

A statistical sample of 142 transactions representing the period from April 1, 2007, to September 30, 2007, was reviewed to assess the accuracy, completeness and compliance of section 34 certifications with the FAA. The sample size for individual branches and regions was determined based on their percentage of the total expenditures in the population of transactions for the sampling period.

Audit Criteria

The following lines of enquiry and audit criteria were developed based on the results of the risk assessment analysis, the Criteria of Control (COCO) model[ 1 ] and Management Accountability Framework (MAF) elements.[ 2 ]

Line of enquiry	Audit criteria
Governance and Accountability	Roles, responsibilities and accountabilities are defined, communicated and understood. Policies, directives and procedures are documented and have been communicated. Delegated authorities and support staff are knowledgeable and trained.
Compliance with Legislation, Policies and Procedures	CBSA policies and procedures are compliant with legislation and TB policies and directives. SSDs are properly completed, updated, signed, distributed and aligned with incumbents' delegated authorities. Transactions are properly certified and processed under section 34 of the FAA.

Statement of Assurance

This audit engagement was planned and conducted in accordance with the Internal Auditing Standards for the Government of Canada.

Audit Opinion

The CBSA's practices on administering and exercising delegated authorities under section 34 of the FAA were generally compliant with the applicable legislation, policies and directives. Controls should be strengthened to ensure transactions are authorized with sufficient and appropriate documentation on file.

Findings, Recommendations and Management Action Plan

Governance

The TB Policy on Delegation of Authorities states that policies, directives and procedures for administering section 34 of the FAA should be in place and communicated to employees in both official languages. According to the COCO model, management authority, responsibility and accountability should be clearly defined and communicated. The FAA requires that delegated managers review appropriate evidence prior to exercising section 34 approval.

Bilingual policies, procedures and directives relating to section 34 of the FAA were available to all employees on the CBSA and TB Web sites. In addition, the Comptrollership Branch developed the Financial Administration Control Framework and a roles and responsibilities document that clearly outline the requirements for all individuals involved in the exercise of section 34 certification. However, based on the audit's review of policies, procedures and directives and on interviews with the selected HQ BMSUs and regional finance offices, the roles, responsibilities and accountabilities defined and communicated through these documents were not always understood.

For example, interviews indicated that there was an inconsistent understanding of the dollar amount for which a purchase order would be required. Further inquiries were made with two regional offices and it was found that different threshold limits were used to prepare purchase orders. One region was using a threshold limit of $5,000 while the other was using $1,500. The Comptrollership Branch advised that the limit was $250; however, there was no supporting policy or directive reference for this limit.

There is currently a gap in directives relating to when a purchase order should be prepared. As a result of this gap, there is a risk that purchase orders may not be prepared on a consistent basis. As discussed in detail in Section 3.5, there is another gap in directives related to the fact that documentation retention standards have not been defined or communicated in any TB or CBSA directive.

Recommendation

The Vice-President of the Comptrollership Branch should establish and communicate a written directive on the dollar value for which a purchase order should be prepared.

Management Action Plan	Completion date
Corporate Accounting and Financial Policy Division A CBSA directive will be written in consultation with the Contracting, Assets and Telecommunications Division to establish a dollar amount for which a purchase order would be required.	December 31, 2008
The directive will be sent to branch managers and financial contacts in a communiqué.	December 31, 2008

Capability

The COCO model states that employees should have the necessary skills, knowledge and tools to support the achievement of organizational objectives. It follows that in order to appropriately exercise their delegated signing authorities, managers should be provided with sufficient training and/or desktop tools, such as checklists. Training and tools should be sufficient to allow managers to verify whether the goods and/or services were received or rendered as intended when they are signing under section 34 of the FAA.

According to the TB Policy on Delegation of Authorities, managers must undergo training prior to exercising their delegated authorities. The current requirement is a five-day classroom training course provided by the Canada School of Public Service. Before December 2006, managers had the choice of participating in either the five-day course or an online training course.

Audit interviews were conducted with approximately 10% of managers with delegated signing authority [ 3 ] in the sampled branches and regions to confirm their participation in and understanding of section 34 certification training. All interviewees had undergone mandatory training; however, the majority of interviewees were not satisfied with the training they received, especially those that had only participated in the online training course. The online training course was not sufficiently detailed to provide them with a strong understanding of their roles and responsibilities under section 34 of the FAA. Interviewees who had taken the five-day classroom course were more confident in their understanding of their roles and responsibilities than those who had only done the online training course; however, even the five-day training course only allocated a half day to the discussion of section 34 roles and responsibilities and did not cover the required material thoroughly. Most interviewees felt that supplementary or refresher training in a classroom format would be beneficial to them.

There was a lack of sufficient training and desktop tools available to delegated managers that would have provided them with detailed coverage of the managerial roles and responsibilities required to sign under section 34 of the FAA.

The transaction analysis, described in Section 3.5, illustrates that, for the most part, managers exercised their authority under section 34 appropriately for the transaction sample; however, the areas of non-compliance found in the transaction sample support the above finding and the interview statements made by managers.

As a result of insufficient training and tools, delegated managers may sign off on transactions without understanding the implications or payment may be made for goods and services not received. Furthermore, a lack of understanding of delegated manager roles and responsibilities could lead to non-compliance with the FAA and may result in removal of delegated authorities.

Recommendation

The Vice-President of the Comptrollership Branch should consider ways to strengthen section 34 training and desktop tools, such as checklists, for delegated managers to aid them in performing the section 34 certification.

Management Action Plan	Completion date
Corporate Accounting and Financial Policy Division A checklist will be developed to help delegated managers perform the section 34 FAA certification.	March 31, 2009
Section 34 training will be developed and delivered to regional and HQ financial contacts who will in turn provide training to section 34 delegated managers.	March 31, 2009

Compliance with Governing Legislation and Policies

CBSA policies and procedures on the administration and exercise of section 34 certification should conform to the FAA and TB policies and directives. Any inconsistencies should be indicated and justified. It is CBSA's responsibility to ensure that the Finance and Administration Manual (FAM) published by the Comptrollership Branch and related bulletins are compliant with the FAA and the TB Policy on Delegation of Authorities.

CBSA policies and procedures were found to be compliant with the FAA and the relevant TB policies. CBSA bulletins were also reviewed and the elements related the exercise of delegated authorities under section 34 certification were consistent with the FAA and TB policies.

Specimen Signature Documents

The TB Policy on Delegation of Authorities and the FAM require that when a new appointee assumes the duties of a position of delegated authority, on an indeterminate or acting basis, that person may exercise the financial signing authorities of the position provided that the incumbent completes the required training and the necessary steps with respect to being issued a specimen signature document (SSD). An SSD is a document signed by the individual delegating authority and the incumbent receiving authority, either for a specified time period or on a standing basis.

The necessary steps for the issuance of SSDs include the following:

• The primary manager selects a number of employees that are to be designated as alternates;
• The primary manager arranges for the completion and distribution of SSDs for the alternates;
• When there is a permanent change in the incumbent of a position with delegated authority, the administrative/finance support staff arrange for the completion and distribution of an SSD for the new appointee and for the withdrawal and cancellation of the obsolete document of the predecessor;
• The designated administrative/finance support staff complete all the required information for the SSD;
• The designated support staff distribute a copy of each SSD to the required locations using a transmittal note; and
• All CBSA offices receiving SSDs place them in the current file and use the file for account verification purposes, in accordance with applicable policies and guidelines.

The audit reviewed 142 SSDs corresponding to the sampled/transactions and found the following:

• The documents reflected all the columns in the CBSA delegation matrix;
• Delegated authority was issued by the appropriate authenticator;
• Signatures of both delegated incumbents and the appropriate authenticator were indicated;
• Limits and restrictions on the SSDs matched the authorities in the delegation matrix;
• SSDs for acting incumbents and alternates were clearly identified;
• SSDs were issued only for incumbents who successfully completed the validation test; and
• The cost centre was accurate.

As well, interviews conducted with a sample of 37 managers representing different levels of management confirmed that managers understood their roles and responsibilities with respect to the completion, withdrawal, cancellation, amendment, distribution, receipt and use of SSDs.

Transaction Analysis

The 142 transactions sampled for the audit were evaluated against the criteria outlined in Appendix A, namely that the incumbent had a valid SSD, that the appropriate supporting transaction documentation was maintained on file, that the certification met FAA requirements, that the invoice corresponded to the approval documentation and that the financial coding was appropriate.

As illustrated in Appendix A, sampled transactions were generally compliant with the evaluation criteria:

• All but two incumbents in the sample had a valid SSD;
• Most supporting documentation was retained on file;
• Requisitions were kept for 80% of transactions;
• Purchase orders/contracts were retained for 83% of transactions;
• Proof that goods/services were received/rendered was on file for 99% of transactions;
• All but one transaction met the FAA requirement of retaining the invoice on file;
• The signed section 34 report was kept on file for all transactions;
• All but one transaction had a valid cost centre and a signature that corresponded to the SSD;
• The name of the signing incumbent was printed clearly for 85% of transactions;
• All approved amounts were made within the incumbents' designated signing authority dollar limits;
• In nearly all cases, the invoice corresponded to the approval documentation and the financial coding used was appropriate; and
• In a few cases, the individuals responsible for printing the names of incumbents, maintaining transaction files and updating financial coding to CAS did not adequately perform these responsibilities.

The audit noted that TB policies and directives did not state which documentation should be retained on file. The FAM did not require the BMSUs or regional offices to retain purchase orders, requisitions, contracts or receipts on file; it required only the invoice as documentation.

Gaps in directives relating to documentation requirements may result in no audit trail for monitoring purposes. An audit trail containing purchase orders, requisitions, contracts and receipts would help substantiate claims that these documents were reviewed prior to performing the section 34 certification, as required under the FAA.

If all steps required to carry out section 34 certification responsibilities are not performed, the consequences to the CBSA would include reputational risk and potential error or fraud. The CBSA may not receive goods or services as intended by the transactions.

Recommendation

The Vice-President of the Comptrollership Branch should ensure that the CBSA Finance and Administration Manual is updated to include a definition of the necessary documentation that should be retained by the branch management services units and regional finance offices to ensure sufficient evidence of section 34 certification is maintained on file.

Management Action Plan	Completion date
Corporate Accounting and Financial Policy Division The CBSA Finance and Administration Manual will be updated to identify the supporting documentation that should be retained by the branch management services units and regional finance offices to ensure sufficient evidence of the section 34 certification is maintained on file.	March 31, 2009

Appendix A: Results of Transaction Analysis

The following table illustrates the results of the analysis conducted on a sample of 142 transactions drawn from the three regions and three branches subject to audit examination:

Transaction Analysis Criteria	Number of Instances of Compliance	% of Total Transactions
1. The incumbent had a valid Specimen Signature Document (SSD)	140  /  142	99 %
2. The following documents were on file:
2a. The requisition	113  /  142	80 %
2b. The purchase order/contract	118  /  142	83 %
2c. Proof that goods/services were received/rendered	118  /  142	83 %
2d. The invoice	141  /  142	99 %
2e. The section 34 report	142  /  142	100 %
3. The section 34 certification complied with the following requirements:
3a. The cost centre was valid	140  /  142	99 %
3b. The signature corresponded to the SSD	140  /  142	99 %
3c. The name of the incumbent was clearly printed	120  /  142	85 %
3d. The approved amount was within the incumbent’s limits	142  /  142	100 %
4. The invoice corresponded to approval documentation as follows:
4a. The vendor information was the same on the purchase order and the invoice	112  /  113*	99 %
4b. The quantity invoiced was the same as the quantity ordered	113  /  113*	100 %
4c. The description of goods/services on the invoice was the same as on the contract/purchase order	113  /  113*	100 %
4d. The invoice price corresponded to the price on the contract/purchase order	113  /  113*	100 %
4e. The GST was correctly calculated	140  /  142	99 %
4f. The amount invoiced corresponded to the amount on the section 34 report	142 /  142	100 %
5. Financial coding used was appropriate.	136  /  142	93 %

* This criterion was evaluated only for the sample of transactions for which a purchase order was found on file. (142-29 = 113 transactions)

Appendix B: List of Acronyms

Acronym	Description
BMSU	branch management services unit
CAS	Corporate Administrative System
CBSA	Canada Border Services Agency
COCO	Criteria of Control
FAA	Financial Administration Act
FAM	Finance and Administration Manual
HQ	Headquarters
MAF	Management Accountability Framework
NFTC	National Financial Transaction Centre
OCG	Office of the Comptroller General
SSD	specimen signature document
TB	Treasury Board

---

Notes

1. The COCO model is a control framework developed by the Canadian Institute of Chartered Accountants. [Return to text]
2. The main MAF elements used to develop the audit lines of enquiry and criteria were Governance and Strategic Directions, Results and Performance, and Accountability. [Return to text]
3. Thirty-seven out of 396 managers with delegated authority from the three sampled HQ branches and the three regions were interviewed. [Return to text]