Audit of the Account Verification Framework - Final Audit Report - September 20, 2010

Table of Contents

1.0 Executive Summary

2.0 Introduction

3.0 Observations and Recommendations

4.0 Conclusion

5.0 Management Action Plan

Appendix A – Level of Risk by Audit Criteria

Appendix B – FAA Section 32, 34, 33 & Definitions

Appendix C – Links to Treasury Board Policies and Directives Related to Account Verification

Appendix D – Overview of Agent Affairs Program Phase IV Audit Approach and Ultimate Risk Model

List of Acronyms

AAP Agent Affairs Programs (Programmes des mandataires – PA)
AAU Agent Affairs Unit (Unité de coordination des mandataires – UCM)
CAE Chief Audit Executive (Dirigeant principal de la vérification – DPV)
CCM Cost Centre Manager (Gestionnaire de centre de coûts – GCC)
CFO Chief Financial Officer (Dirigeante principale des finances – DPF)
CFP Chief Federal Prosecutors (Procureurs fédéraux en chef – PFC)
CR Control Risk (Risque de contrôle – RC)
CSP Corporate Service Provider (Prestataire de services généraux – PSG)
DPF Drug Prosecution Fund (Fonds des poursuites en matière de drogue – FPD)
DPP Director of Public Prosecutions (Directeur des poursuites pénales – DPP)
DR Detection Risk (Risque de détection – RD)
FAA Financial Administration Act (Loi sur la gestion des finances publiques – LGFP)
HQ Headquarters (Administration centrale – AC)
IAD Internal Audit Division (Division de la vérification interne – DVI)
IFMS Integrated Financial Management System (Système intégré de gestion financière – SIGF)
IR Inherent Risk (Risque inhérent – RI)
LDA Large Departments and Agencies (Grands ministères et organismes – GMO)
MCF Management Control Framework (Cadre de contrôle de la gestion – CCG)
MoU Memorandum of Understanding (Protocole d’entente – PE)
NCR National Capital Region (Région de la capitale nationale – RCN)
O&M Operations & Maintenance (Fonctionnement et entretien – F et E)
OCG Office of the Comptroller General (Bureau du contrôleur général – BCG)
PPSC Public Prosecution Service of Canada (Service des poursuites pénales du Canada – SPPC)
SDA Small Departments and Agencies (Petits ministères et organismes – PMO)
TBS Treasury Board Secretariat (Secrétariat du Conseil du Trésor – SCT)
URM Ultimate Risk Model (Modèle du risque ultime – MRU)

1.0 Executive Summary

This report presents the results of an internal audit of the Public Prosecution Service of Canada (PPSC) account verification framework. The PPSC was created on December 12, 2006 with the coming into force of the Director of Public Prosecutions Act, Part 3 of the Federal Accountability Act. The PPSC is an independent prosecution service, whose main objective is to prosecute offences under federal statutes in a manner that is independent of any improper influence and that respects the public interest.

The spending of public money requires that integrity, accountability, and transparency are maintained to a high standard. This requires establishing appropriate account verification processes that promote sound stewardship of financial resources. Account verification provides an independent means to ensure that the work has been performed, the goods supplied or the services rendered, relevant contract or agreement terms and conditions have been met, the recording of payment information is accurate, and all authorities have been exercised in compliance with the Financial Administration Act (FAA).

The FAA provides legislative requirements for the financial administration of the Government of Canada. Section 32 of the FAA provides the authority to commit funds against an appropriation before an expense is incurred. Section 34 of the FAA provides the authority to certify that goods were received or services rendered as contracted. Section 33 provides the authority to release funds for payment after verifying that Section 34 has been properly exercised.

The Treasury Board Secretariat (TBS) Directive on Account Verification requires that accounts for payment and settlement are verified in a cost-effective and efficient manner. Further, account verification processes are to be designed and conducted in a way that will maintain probity while taking into consideration the varying degrees of risk associated with each payment. The Directive also requires that account verification practices be monitored to ensure that varying levels of controls exist over high, moderate, and low-risk payments and that these controls function as designed.

The Internal Audit Division (IAD) identified the account verification framework at the PPSC as a high risk area following its audit planning consultations with the Chief Financial Officer (CFO) and the Director of Public Prosecutions (DPP). An audit of account verification activity was initiated in advance of the organization’s initial risk-based audit plan.

1.1 Audit Objective

The overall objective of the audit was to provide assurance that the account verification activities applied to PPSC transactions occur in an effective manner while maintaining the required level of control. In particular, the objectives were:

  • To determine the adequacy of the overall control framework for the payment and settlement of accounts and to confirm that the PPSC has structured its account verification activities in accordance with central agency and departmental policies and directives; and
  • To determine the extent to which there is compliance with central agency and departmental policies and directives pertaining to account verification for accounts payable transactions.

The audit scope included interviews with cost center managers, financial personnel in headquarters, the National Capital Regional Office, a regional office in the territories, and four other regional offices that were selected based on materiality and risk. Procedures, guidelines and practices were examined, as well as the monitoring and reporting mechanisms in place. The audit team examined a sample of payment transactions from the fiscal year 2008-2009. Consideration was also given to improvements made to account verification practices subsequent to the audit period.

1.2 Audit Conclusion

In this audit the IAD examined the PPSC account verification framework. The audit team noted that a substantial effort is being made by the personnel responsible for certifying payments and settlements to be efficient, and to comply with policies and directives in what is considered a complex working environment. The audit team did observe some good practices that collectively could be used to strengthen account verification practices and internal controls.

The general conclusion is that PPSC is in compliance with applicable TBS policies for the period under review, with the exception of a number of administrative practices that need to be addressed to ensure full compliance with central agency direction. While the audit did not find any instances of misappropriation of funds or incorrect payments, there are components of the overall control framework that need to be enhanced, specifically in the areas of practices and procedures, roles and responsibilities, and monitoring and reporting.

The Chief Audit Executive (CAE) has requested that the CFO prepare an action plan to address the recommendations contained in this report. The management action plan can be referenced in section 5 of the report. In six to twelve months the CAE will follow-up with the CFO to ensure that the management action plan has been implemented or is sufficiently underway.

1.3 Summary of Findings and Recommendations

What the audit team considers to be the most significant findings and recommendations are summarized below. Detailed findings and recommendations are included in section 3 of this report.

The PPSC has opportunities to improve the effectiveness of its account verification framework. The implementation of the following recommendations will guide the PPSC toward a more compliant account verification framework. A list of all recommendations relating to this audit and management response to the recommendations can be referenced in section 5 of this report.

Roles and Responsibilities

  • A PPSC accountability framework including roles and responsibilities and lines of communications was in place for the certification and settlement of payments and the conduct of account verification. However, the accountability framework in most regions was not clearly defined, communicated, and established as expected.

It is recommended that the CFO ensure that roles and responsibilities for the PPSC staff engaged in the certification and settlement of payments and account verification are properly documented, communicated, periodically reviewed, reinforced, and comply with applicable TBS policies.

Monitoring and Reporting

  • Monitoring and reporting approaches have not been fully developed and implemented to ensure payment processing and account verification practices are consistent with applicable legislative and policy requirements.

It is recommended that:

  • The CFO design and develop a formal monitoring approach for account verification that takes into consideration the use of standardized reports, methodology, and tools.
  • The Director of Agent Affairs Unit (AAU) establish a formal follow-up system to track Audit and Systems’ report recommendations to ensure corrective actions have been taken.
  • The Director of AAU, in consultation with the CFO, establish a standard reporting protocol to provide status updates on the follow-up of recommendations.

Risk Management

  • A formally recognized risk-based approach was not in place that reflects the risk level of the payment transactions undergoing account verification.

It is recommended that the CFO design, develop and implement a formal risk-based approach for the account verification that is consistent with the TBS Directive on Account Verification and the recommendations from the Office of the Comptroller General (OCG).

Contracting Authority Responsibilities

  • Contracts and purchase orders have not been established for some expenditures where required.

It is recommended that the CFO provide ongoing communication and awareness training to management and account verification personnel regarding the need to establish, maintain and reference contracts and the requirement to validate contract terms, conditions and rates from pre-established contracts.

Section 34 of the Financial Administration Act - Authorization Responsibilities

  • Valid Section 34 performance certification approvals were present in the majority of the payment files reviewed. However, over 33% of the payment files did not contain sufficient documentation for the Section 34 cost centre authority to adequately certify that the work was performed or that the goods were supplied or services rendered in accordance with terms and conditions of an agreement or contract.

It is recommended that the CFO develop guidance documentation or checklists to assist managers responsible for Section 34 account verification to properly carrying out their verification duties regarding proof of performance. Guidance documentation would be particularly helpful in instances where payment types have specific and unique terms and conditions.

Section 33 of the Financial Administration Act - Financial Officer Responsibilities

  • A number of internal controls related to the account verification processes are not working as designed, and the amount of rigour applied is insufficient to provide reliance on Section 34 certifications.

It is recommended that the CFO:

  • develop and implement a checklist specific to the verification of PPSC transactions, as a means of strengthening Section 33 functions and supporting consistent payment verification;
  • review the feasibility of implementing a national post-payment Quality Assurance process to ensure compliance with the Directive on Account Verification; and
  • in consultation with the Director of Agent Affairs review the account verification process to ensure that there is proper delegated authority in place and compliance with Section 33 of the FAA.

1.4 Statement of Assurance

In my professional judgment as the PPSC CAE, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the conclusion provided and contained in this report. The audit findings and conclusion are based on a comparison of the conditions as they existed at the time of the audit, against pre-established and approved audit criteria that were agreed upon with PPSC management.

I wish to express my appreciation for the cooperation and assistance afforded to the audit team by PPSC and the Corporate Service Provider management and staff at headquarters and in the regional offices.

 

Philip Morton
Chief Audit Executive

___________________

2.0 Introduction

2.1 Background

The Public Prosecution Service of Canada (PPSC) was created on December 12, 2006 with the coming into force of the Director of Public Prosecutions Act, Part 3 of the Federal Accountability Act (FAA). The PPSC is an independent prosecution service, whose main objective is to prosecute offences under federal statutes in a manner that is independent of any improper influence and that respects the public interest.

While the PPSC is an independent organization, it relies on another government department as its corporate service provider (CSP). The PPSC acquires corporate services through a Memorandum of Understanding (MoU) for areas such as finance, human resources, information management, information technology, administration, and library. During the life of the MoU the PPSC will be working towards increasing its corporate services capacity and expertise thereby reducing its reliance on the CSP. Part of this reliance includes the adoption of the CSP’s policies and procedures in corporate services areas until such time as the PPSC develops its own.

The spending of public money requires that integrity, accountability, and transparency are maintained to a high standard. This requires establishing appropriate account verification processes that promote sound stewardship of financial resources. Account verification provides an independent means to ensure that the work has been performed, the goods supplied or the services rendered, relevant contract or agreement terms and conditions have been met, the recording of payment information is accurate, and all authorities have been exercised in compliance with the FAA.

The FAA provides legislative requirements for the financial administration of the Government of Canada. Section 32 of the FAA provides the authority to commit funds against an appropriation before an expense is incurred. Section 34 of the FAA provides the authority to certify that goods were received or services rendered as contracted. Section 33 provides the authority to release funds for payment after verifying that Section 34 has been properly exercised.

The TBS Directive on Account Verification requires that accounts for payment and settlement are verified in a cost-effective and efficient manner. Further, account verification processes are to be designed and conducted in a way that will maintain probity while taking into consideration the varying degrees of risk associated with each payment. The Directive also requires that account verification practices be monitored to ensure that varying levels of controls exist over high, moderate, and low-risk payments and that these controls function as designed.

The IAD considered the account verification framework at the PPSC as a high risk area following its audit planning consultations with the CFO and the DPP, therefore an audit of this activity was initiated in advance of the organization’s initial risk-based audit plan.

Account verification and Section 33 activities for PPSC transactions occur both in headquarters (HQ) and in the regional offices. PPSC personnel perform account verification and Section 33 activities in the territorial regional offices. In the other regional offices, the CSP performs account verification and Section 33 activities on behalf of the PPSC pursuant to the MoU. In this regard, the CSP acts as an accountable agent of the PPSC and as a custodian of the data and information on behalf of the PPSC. The PPSC can undertake, as required, quality assurance and compliance audits on its transactions, invoices, and processes for services rendered to ensure that they reflect the provisions in Annex B of the MoU.

Account verification is performed prior to payment by PPSC financial personnel in HQ, as well as by the CSP financial personnel who process payments through the Integrated Financial and Materiel System (IFMS). In the regional offices with the exception of those in the territories, there are no PPSC financial personnel; therefore, the CSP performs the financial function for the PPSC pursuant to the MoU. Should the financial clerks determine that an error had been made; the documentation would be sent back to the cost centre manager (CCM) who signed the FAA Section 34 for correction.

Transactions excluding Crown Counsel Fees and Disbursements for the Drug Prosecution Fund (DPF) represented $19,414,344 of Operating & Maintenance (O&M) expenditures in fiscal year 2008-2009.

Account Verification Framework for Crown Agent Transactions

The PPSC relies on both staff and private-sector lawyers (Crown Agents) to conduct prosecutions on behalf of the federal Crown. The audit and systems group performs pre-payment monitoring of amounts that are considered “high risk”, e.g. Crown Agents who are considered high risk, mega or high complexity cases, or payments exceeding the budgeted threshold limit for a particular case.

Account verification and Section 33 activities related to transactions involving Crown Agents are performed by the PPSC in HQ for all regional offices by the audit and systems group within the Agent Affairs Unit (AAU). The Agent Affairs Program (AAP) provides Crown Agents who are retained to act as non-employed Federal Prosecutors in court proceedings. The authority to appoint agents is assigned to the DPP by Section 7 and Section 9 of the Director of Public Prosecutions Act. This unit administers its account verification and Section 33 separately from the rest of the PPSC.

The audit and systems group reviews low and medium risk amounts on a post-payment basis. Sample transactions are randomly selected from an extract of the financial system each quarter. Crown Counsel Fees and Disbursements for the DPF represented $34,670,801 of O&M expenditures in fiscal year 2008-2009.

2.2 Objectives and Scope

The overall objective of the audit was to provide assurance that the account verification activities applied to the PPSC’s transactions occur in an effective manner while maintaining the required level of control. In particular, the objectives were:

  • To determine the adequacy of the overall control framework for the payment and settlement of accounts and to confirm that the PPSC has structured its account verification activities in accordance with central agency and departmental policies and directives; and
  • To determine the extent to which there is compliance with central agency and departmental policies and directives pertaining to account verification for accounts payable transactions.

The audit scope included interviews with CCMs, financial personnel in HQ, the National Capital Regional (NCR) Office, a regional office in the territories, and four other regional offices that were selected based on materiality and risk. Procedures, guidelines and practices were examined, as well as the monitoring and reporting mechanisms in place. The audit team examined a sample of payment transactions from the fiscal year 2008-2009. Consideration was also given to improvements made to account verification practices subsequent to the audit period.

2.3 Methodology

2.3.1 Planning

The planning phase consisted of obtaining and documenting background information to gain an understanding of the payment and account verification guidelines and processes taking place within the PPSC; the development of an audit program; initial meetings with key PPSC personnel; the review and analysis of payment data; the development of audit objectives and scope, as well as audit criteria and methodology.

2.3.2 Conduct Phase

The conduct phase included the review and analysis of documentation, interviews with officials from PPSC HQ and the regions, interviews with financial officers from the CSP, identification and documentation of the processes used for payments and account verification, including roles, responsibilities and accountabilities, monitoring, risk management practices, as well as the other lines of enquiry, and assessed these against approved criteria. The audit team also assessed whether systems, controls and practices in place were in line with the FAA and TBS policies related to accounts payable.

The auditors reviewed a statistically representative sample of 320 payment transactions from the IFMS payable module for 2008-2009 selected from the 7 regional offices chosen for audit visits in order to determine whether or not relevant payment and account verification practices were in compliance with policies and directives. This sample size was appropriate to provide the level of assurance in the context of the audit and provided for a 95% level of confidence.

2.3.3 Reporting Phase

A status report was presented to the PPSC Departmental Audit Committee in April 2010 with preliminary findings. Throughout the audit, observations and findings were confirmed with the Chief Federal Prosecutors (CFP) and the CSP Regional Directors of Finance for each region visited, as well as the CFO. Finally, a draft report was sent to the DPP, the CFO, the Director of the AAP, and members of the PPSC Audit Committee for their review and comment.

3.0 Observations and Recommendations

In this section of the report, the observations and recommendations are structured around audit criteria derived from government policies and regulations pertinent to account verification. In particular, this section presents observations on the effectiveness of the Management Control Framework (MCF) and compliance with account verification policies.

3.1 Management Control Framework

The audit team found the MCF governing the PPSC’s payment and settlement of accounts is generally in place and administered with due diligence. However, the audit team determined from observations and analysis that there are components of the account verification framework that need to be strengthened.

3.1.1 Departmental Policies and Procedures

Specific directives, procedural documentation, and work tools have not been sufficiently developed and implemented that would provide clarity and consistency in performing account verification activities.

Criterion: Departmental policies, directives, and procedures are documented and are consistent with TBS policies and directives.

Detailed written directives and procedures for the PPSC account verification function are essential. Documented practices provide a link between an organization’s goals and objectives and its day-to-day operations. The lack of documented procedures increases the risk of loss of funds and inefficient operations. Written procedures are also beneficial for the training of current and new employees and are a valuable resource in the event that an employee leaves the organization. Procedures should include sufficient information to permit an individual who is unfamiliar with the operations to adequately perform his/her role and responsibilities within predefined limits. Interviews with PPSC management and administrative support personnel identified sound interpretation of how to properly verify a payment prior to approval. However, there were several inconsistencies noted in explanations during the testing of payment transactions.

As the PPSC is a relatively new organization, it follows the CSP policy suite that is based on the TBS Directive on Account Verification and on the FAA. PPSC HQ Finance is responsible for writing and communicating directives, procedures, and for providing policy interpretation or expert advice. PPSC HQ Finance may write directives or procedures to further clarify TBS and the CSP policies. Updates to policies, directives and procedures are issued by HQ Finance through e-mail notices or Finance Bulletins.

PPSC has not implemented a departmental directive relating to account verification or to commitment control. Other than a few non-standard checklists and basic procedures that some regions have developed and implemented on their own, PPSC managers and administrative support staff do not have a complete set of desk procedures for account verification that are integrated with policies to provide guidance for the processing and approval of payments prior to Section 34 certification.

The audit observed that account verification management practices and internal controls have not been formally documented for the following:

  • the identification of high risk, moderate, and low risk transactions;
  • pre-payment verification procedures;
  • post-payment verification procedures;
  • sampling techniques; and
  • reporting mechanisms.

The absence of relevant documented procedures and work tools has resulted in inconsistencies in the administration of the payments and misunderstandings related to accountabilities. The absence of well documented procedures may be a contributing factor to some of the anomalies and inconsistencies found in the processing of payments and account verification practices across the PPSC.

Recommendation:

Recommendations to address these procedural issues are outlined in the specific sections of the report where they are discussed in detail.

3.1.2 Roles and Responsibilities

A PPSC accountability framework including roles and responsibilities and lines of communications was in place for the certification and settlement of payments and the conduct of account verification. However, the accountability framework in most regions was not clearly defined, communicated, and established as expected.

Criterion: To determine whether roles and responsibilities of the parties involved are clearly stated and well communicated.

Clearly stated and well communicated roles and responsibilities are essential in ensuring accountability and ownership. The accountability framework for the administration of payment processing and account verification was structured for most regional offices as outlined in the responsibility matrix following the text below. Most of the responsibilities are being adhered to as intended in the MoU.

Roles and responsibilities surrounding account verification have not been adequately documented and in some cases are not established as expected. Authority to approve payments under FAA Section 34 is clearly understood to be that of the CCM or other delegated authorities. However, our file reviews and interviews have demonstrated that for vendor payments, the validation of pre-approval and the gathering of appropriate pre-approval documentation was not consistent. Responsibilities for the gathering and examining of supporting documentation for account verification needs to be clearly defined. Further, the audit team observed in the Northern regional office examined that significant responsibilities that should have been segregated were being carried out by one individual. Specifically, those duties related to the issuing, controlling and release of cheques. The audit team was informed by the CFP that immediate action was taken to resolve this control deficiency.

The failure to clarify and reinforce the roles and responsibilities of staff involved in the processing and account verification of payments has contributed to inefficiencies, issues related to non-compliance with policies, and the emergence of an inconsistent accountability structure.

Responsibility Matrix
Typical Regional Office Control Structure where an other government department is a Corporate Service Provider (CSP)
(not including HQ or Northern Offices)
Key Financial Services for Accounts Operations Chief Federal Prosecutor (Office) Corporate Service Provider (Accounting
Services)		 CSP/PPSC Acquisition Management
Section 32 Initiation      
• Expenditure Initiation Authority *    
• Commitment Authority *    
• Input commitments in IFMS   *  
• Contracting *   *
Section 34 Certification      
• Perform account verification prior to signing FAA Section 34. *    
• Delegated Authority to approve transactions under FAA Section 34. * *
(functional)		  
• Hold Specimen Signature Cards   *  
• Providing invoices and appropriate information. * * *
Section 33 Certification      
• Account Verification in support of FAA Section 33.   *  
• Issue Payment Proposal and Payment Run.   *  
• Reporting of anomalies.   *  
Training      
• Provide as required training sessions in financial policies.   *  

Recommendation

  • 1. It is recommended that the CFO ensure that roles and responsibilities for the PPSC staff engaged in the certification and settlement of payments and account verification are properly documented, communicated, periodically reviewed, reinforced, and comply with applicable TBS policies.

3.1.3 Awareness and Training

While numerous forms of communication and training exist on various aspects of account verification across all regions, communication and training are not sufficient to ensure that all responsible PPSC parties are fully aware of their roles and specific responsibilities.

Criterion: Management and staff involved in the processing of payment transactions and account verification activities are aware of applicable policies, directives and practices and have been trained in the conduct of their roles and responsibilities.

An important aspect of the management of the account verification process is to ensure that all those involved in the account verification process are fully aware of their responsibilities and have received appropriate training.

Interviews and the review of applicable documentation have identified that:

  • All CFPs and other employees with Section 34 delegation interviewed had completed mandatory delegation of authority training followed by an online knowledge assessment;
  • PPSC staff involved in account verification such as business coordinators and administrative support staff received either informal training only or on-the-job training on responsibilities relating to the processing of payments. The CSP offers formal classroom training in the regions on financial systems and policies.
  • Some PPSC CFPs, senior managers and administrative support staff indicated that they were not comfortable with their understanding of responsibilities related to Section 32 and Section 34 of the FAA.
  • Staff can access various policies and generic procedures through the PPSC and the CSP’s Intranet Sites.
  • E-mail is used to inform staff of updates to TBS financial management policies.
  • Any questions regarding financial matters are directed to the CSP regional finance groups or to PPSC HQ finance for clarification.

Of particular concern were the insufficient information and training for certification of payments as it pertains to Section 34 of the FAA and to the responsibilities under the TBS Directive on Account Verification. This circumstance presents a general concern as managers and support staff who do not receive adequate training on the expectations of payment processing and payment certification are more likely to commit procedural errors which could result in the payment of invalid or ineligible expenses. PPSC managers who took the mandatory delegation of financial authority training would benefit from supplementary departmental procedural training to ensure complete understanding and application of their responsibilities.

While numerous forms of communication and training exist on various aspects of payment processing and approval across all regions, they are not sufficient to ensure that all responsible parties are fully aware of their roles and specific responsibilities.

Recommendation

  • 2. It is recommended that the CFO identify where account verification training is incomplete or insufficient and provide appropriate training to ensure PPSC staff carry out their responsibilities in compliance with PPSC procedures and TBS applicable policies and directives.

3.1.4 Monitoring and Reporting

Monitoring and reporting approaches have not been fully developed and implemented to ensure payment processing and account verification practices are consistent with applicable legislative and policy requirements.

Criterion: An effective regime is in place to actively monitor and report the state of management practices and controls for transaction processing and account verification.

Monitoring is described in the TBS Directive on Account Verification as the activities that the CFO establishes to oversee the implementation of the Directive in the department. These activities should enable the CFO to bring to the attention of the DPP any significant payment difficulties or compliance issues and to develop action plans as needed to address them. Monitoring should also assist the CFO in reporting significant compliance issues to the CFPs and senior managers.

Various levels of formal and informal monitoring and reporting was being carried out by staff engaged in the processing of payments and account verification and some good practices were observed among the regions visited. For example, amonitoring function was established by the CSP’s Finance Group in the BC region with respect to account verification activities and results; they addressed error trends, critical errors and recurring errors, to allow for early and effective remedial action to be taken. The results of this monitoring are shared with appropriate parties within the region, including the CFP. However, interviews and audit tests indicated that monitoring and reporting approaches have not been fully developed nationally for the PPSC to ensure payment processing and account verification practices are consistent with policy and legislative requirements.

Generally the effectiveness of the monitoring and reporting is limited in part by the lack of an approach that is applied nationally and makes use of standardized reports and tools. Monitoring results were not compiled for analysis and used in management reporting and methods improvement. The audit team also learned through interviews that in all but one region financial staff were unable to dedicate the time required to formally report on payment and account verification monitoring results for their respective region due to resource constraints.

The AAU in HQ performs extensive analysis of each Crown Agent’s files on at least an annual basis and reports results to the Agent Supervisors in the regional offices. These reports contain analysis and recommendations for the Agent Supervisors to implement with the Crown Agents. While some follow-up reporting was done by the Agent Supervisors, there is no formal monitoring or follow-up reporting mechanism in place to track all recommendations and ensure corrective action is taken. Without an effective follow-up system in place, the AAU cannot provide assurance to the CFO that the financial risks of the program have been sufficiently identified and mitigated.

Protection against both financial loss and ineffective administration of account verification requires that payment processes comply with policy. Compliance is validated through management oversight, exercised through monitoring and reporting of account verification issues and results.

Recommendation:

It is recommended that:

  • 3. The CFO, design and develop a formal monitoring approach for account verification that takes into consideration the use of standardized reports, methodology, and tools.
  • 4. The Director of AAU establish a formal follow-up system to track Audit and Systems’ report recommendations to ensure corrective actions have been taken.
  • 5. The Director of AAU, in consultation with the CFO, establish a standard reporting protocol to provide status updates on the follow-up of recommendations.

3.1.5 Risk Management

A formally recognized risk-based approach was not in place that reflects the risk level of the payment transactions undergoing account verification.

Criterion: Account Verification practices are risk-based and compliant with central agency direction.

The TBS Directive on Account Verification requires that accounts for payment and settlement are verified in a cost-effective and efficient manner while maintaining the required level of control. Account verification processes must be designed and conducted in a way that will maintain probity while taking into consideration the varying degrees of risk associated with each payment. This directive also requires that account verification practices be monitored to ensure that varying levels of controls exist over high- and low-risk transactions and that these controls are being carried out as designed. Fundamental to implementing this process is the establishment of criteria and identification of high, medium and low risk payments. Criteria to identify a risk level of transaction should include consideration of the type of transaction, complexity of the policies, volume and complexity of the transaction, the dollar value, and error rate.

The recent Horizontal Internal Audits of High Risk Expenditure Controls in Large and Small Departments and Agencies (LDAs and SDAs) conducted by the Office of the Comptroller General (OCG) stated: “LDAs and SDAs are not taking advantage of risk management to help make their account verification practices more efficient. Most LDAs and SDAs are applying 100% verification on all transactions when appropriate risk management strategies would result in more efficient practices.” The Policy on Internal Audit states that: “Deputy heads of all departments are responsible for taking into account the results of internal audits directed, led and/or performed by the Office of the Comptroller General.

The PPSC has not implemented a risk-based approach for the account verification function. Regions review all payment transactions prior to approval under Section 34, and again prior to certification under Section 33. Most regions in our sample deem all transactions to be high risk given the increased public scrutiny and the reputation risk to the organization if a payment is improper or inaccurate. The organization has not implemented an appropriate risk-managed process that would make use of a sampling methodology. Consequently, there is little assurance that verification resources are being utilized efficiently as there is a tendency to focus a disproportionate amount of their attention to high-volume, low value payments. There is also insufficient monitoring of the payment population as a basis for on-going assessment of risks and compliance with policy. (See Appendix A – Level of Risk by Audit Criteria)

In contrast, the AAU has implemented a risk-based sampling strategy as part of post-payment verification. This strategy follows the Directive on Account Verification and focuses analysis on high risk transactions to best allocate limited resources across the approximately $39,000,000 disbursed annually to Crown Agents.

Recommendation:

  • 6. It is recommended that the CFO design, develop and implement a formal risk-based approach for the account verification that is consistent with the TBS Directive on Account Verification and the recommendations from the OCG.

3.2 Compliance with Policy

Sound financial management is a critical part of running the day-to-day operations of any federal department or agency. It is central to delivering programs and enabling organizations to manage public money with prudence and probity. Financial management allows an organization to manage and track its expenditures, produce complete and accurate financial statements, and account for where and how it spends taxpayers' dollars. If an organization does not have appropriate financial controls in place, there is a risk that abuses will occur and that it will spend more than Parliament has authorized.

Specifically, well-functioning financial controls provide the foundation for sound financial management. Appropriate controls enable an organization to comply with legislation, directives, and policy. In essence, financial controls represent important mechanisms and processes for ensuring that government departments comply with the FAA specifically, Section 32, Section 34, and Section 33.

The audit team found the PPSC to be in general compliance with TBS policies for the period under audit review with the exception of a number of administrative practices that need to be strengthened to ensure full compliance.

3.2.1 Processing in Compliance with Policy

PPSC account verification practices and controls have not been formally documented which has resulted in some inconsistencies and compliance issues relating to the processing of payments.

Criterion: Systems, controls, and practices are in line with the FAA, TBS, and PPSC policies on accounts payable.

The PPSC has a management framework in place for compliance with Sections 32, Section 33, and Section 34 of the FAA that consists of business practices, formal and informal systems, and internal controls. (The accountability framework and controls for the administration of payments and account verification was structured for most regional offices as outlined in the Responsibility Matrix in section 3.1.2 of this report). There was auditable evidence to conclude that account verification procedures were being applied to the majority of PPSC transactions prior to the issuance of payments.

Through interviews and the review of payment files, it was determined that the PPSC has not formally documented its expenditure processing and account verification control framework. Some tools, practices and control procedures are documented and some are available on the Intranet, but they are not well integrated and consolidated into a single, comprehensive framework. Regions have developed and implemented their own control processes to help carry out their responsibilities. Consequently, regional practices and tools are not necessarily complete and are not always consistent across the organization.

The absence of formally documented processes has contributed to the anomalies and compliance issues identified in this report related to expenditure processing. In addition, the PPSC is missing out on the opportunity to:

  • Identify key control points which would help the PPSC move to a mature system of evaluating controls as opposed to testing transactions;
  • Identify non-value-added activities, redundant steps and bottlenecks that could be quickly remedied;
  • Identify stages in the process where data can be collected and used for decision–making;
  • Establish performance measures and targets;
  • Consistently apply business processes and reduce the need for individual employees to develop their own tools and memory aids;
  • Develop and communicate an understanding of the overall account verification process;
  • Share best practices amongst regional offices; and
  • Effectively train staff involved in the account verification process.

Good control practices and tools were noted in various regions that could be applied in the development of process control maps. For example, policies relevant to account expenditure processing and verification were accessible on the PPSC and the CSP Corporate Accounting Group’s Intranet site and some regions had developed checklists and procedures for employees with account verification responsibilities. In addition, the CSP Finance has developed a comprehensive set of process charts that could be used as a source of reference in documenting PPSC’s processes and controls.

Recommendation

  • 7. It is recommended that the CFO document and communicate account verification management practices and controls to individuals and financial officers responsible for certifying payments and settlements to ensure effective internal controls over account verification.

3.2.2 FAA Section 32 Expenditure Initiation Authority and Commitment Authority

Practices varied amongst regions in regard to the degree and consistency in which transactions were initiated against an authorized expenditure, approved by the right authority, and subsequently recorded in the financial system to commit funds as per FAA Section 32.

Criterion: Transactions are initiated against an authorised expenditure, approved by the right authority, and subsequently recorded in the appropriate financial system module to commit funds as per FAA, Section 32.

Section 32 of the FAA provides the authority to commit funds against an appropriation before an expense is incurred. The most critical step of the expenditure process is comprised of two elements under the federal spending authority: expenditure initiation and fund commitment authority. Both elements must be performed prior to making a decision to making a purchase.

  • Expenditure Initiation Authority is the authority to incur expenditure or to make an obligation to obtain goods or services that will result in the eventual expenditure of funds. This includes the decision to hire staff, to order supplies or services, to authorize travel, relocation or hospitality or to enter into some other arrangement for program purposes.
  • Fund Commitment Authority - Is the authority to carry out one or more specific functions related to the control of financial commitments as required in the Directive on Expenditure Initiation and Commitment Control. Another element of this authority is to ensure that there is a sufficient unencumbered balance available before entering into a contract or other arrangement.

In some regions significant expenses were incurred where there was little evidence of pre-approvals by delegated authorities. Overall, expenditure initiation approvals were not found for 50% of the transactions sampled. Where pre-approvals are not provided, management may not be able to control the amounts and types of good and services incurred and expenses may be paid without the proper authority having approved them in advance.

The audit found no consistency in fund commitment practices amongst the regions as to when funds should be committed and for which types of goods and services. Some regions recorded commitments for all types of purchases, some regions recorded commitments just prior to payment, while other regions recorded funds commitment only for travel, utility and contracting expenses. Of the payments sampled from the IFMS, we found only 55% of payment transactions sampled had funds committed prior to the suppliers’ invoice date. Where a contract was involved, funds were committed in the IFMS at the time the purchase order was created. The audit team concluded that there is no formally recognized policy or approach for recording and reporting of funds commitments.

In the case of Crown Agent files, expenditures are initiated electronically prior to work being performed. However, the authority to initiate expenditures has not been formally delegated. As such, individuals involved with account verification activities are not in a position to validate that proper approval was given in advance. Also, commitments are not entered into the IFMS when expenses are initiated. Instead, commitments are entered when an invoice is received from a Crown Agent (i.e., as a means to ensure that the commitment amount will exactly match the invoice amount). Procedures have not been developed for estimating Crown Agent costs, in part because of the uncertainty of the exact level of effort and related costs for each case.

Application of Section 32 of the FAA is critical for ensuring that total expenses for an activity do not exceed the approved budget and that the proper expenditure initiation authority has been applied in advance of program activity and related expenditures. Overall compliance with Section 32 could be improved by standardizing procedures for recording and reporting of funds commitment and monitoring and reporting of exceptions.

Recommendation

  • 8. It is recommended that the CFO take the necessary measures to ensure all acquisitions for goods and services are formally pre-authorized and that standardized procedures are applied for recording and reporting funds commitment (including Crown Agents).

3.2.3 Contracting Authority Responsibilities

Contracts and purchase orders have not been established for some expenditures where required.

Criterion: Purchase orders and contracts are properly prepared, approved by the right authority, within the authorized limits and timely issued, routed through the purchasing function when required and entered in the financial system.

Proper completed contracts or purchase orders should be in place so, when an invoice is received, account verification personnel can determine whether goods or services being invoiced have been received or rendered as arranged. In addition to validating the correctness of the payment request, account verification staff should be ensuring the vendor is entitled to or eligible for the requested payment. In 5 of the 7 regions visited, PPSC personnel involved with account verification activities did not demonstrate an adequate understanding of procurement requirements.

From the audit sample of 320 payments, 100 payments were examined where contracts or purchase orders were required due to the dollar amount(s) of the transaction(s). Contracts were not prepared for 43 payments where contracts ought to have been in place. Further, the audit identified that 14 payments were made where contracts had been created after the work had been performed.

The audit also found that no standing offer documentation was maintained by PPSC for any of the 33 sampled payments resulting from call-ups against standing offers. Standing offers contain key information including negotiated rates, terms and conditions, and maximum payment / payment limitations. Specific sections of standing offers need to be available in order to validate whether the vendor is charging the correct rates, as well as whether call-up rules have been properly applied and services acquired fall within the scope of the standing offer.

Particular concern was noted with regards to contracting for printing activity and the PPSC requirement to competitively award printing jobs over $10,000. We found account verification personnel in each of the regions visited did not validate the rates being charged by printers against negotiated rates. In two regions visited pre-established contracts (e.g., service contracts established in advance of ongoing service needs) had not been set-up, even though these regions require far in excess of $10,000 of printing each year. For three other regions contracts had been established, however, personnel did not verify the rates being charged by the printer and the majority of payments did not reference the contract.

Until November 2009 the PPSC relied, for the most part, on the CSP to administer contracting services and to apply the CSP’s contracting authority to execute contracts with PPSC vendors. In November 2009 the CSP ceased acting as PPSC’s contracting authority, but continues to provide acquisition services in the regional offices. Since that time, the PPSC has been increasing its capacity to recommend and deliver appropriate procurement strategies for the entire organization.

Recommendation

  • 9. It is recommended that the CFO provide ongoing communication and awareness training to management and account verification personnel regarding the need to establish, maintain and reference contracts and the requirement to validate contract terms, conditions and rates from pre-established contracts.

3.2.4 FAA Section 34 Authorization Responsibilities

Valid Section 34 performance certification approvals were present in the majority of the payment files reviewed. However, over 33% of the payment files did not contain sufficient documentation for the Section 34 cost centre authority to adequately certify that the work was performed or that the goods were supplied or services rendered in accordance with terms and conditions of an agreement or contract.

Criterion: The authorized persons with delegated authority exercise the proper verification and certification, as per Section 34 of the FAA. An effective regime is in place to actively monitor and report the state of management practices and controls for transaction processing and account verification.

The business processes and internal controls in place for Section 34 of the FAA should be effective in ensuring that the PPSC has received the goods or services paid for and that they are provided in accordance with the terms and conditions initially agreed to with the supplier (e.g., quantity, price, condition, etc;). Controls should also be effective in ensuring that expenditures comply with TBS policies and directives and that the payment certification is made by an official who has the proper authority under the PPSC Delegation of Financial Signing Authorities instrument.

The audit team found over 90% of the sample invoices examined were properly certified by a delegated authority pursuant toFAA Section 34, the authenticity of financial signing authorities was verified using signature specimen cards. The majority of delegated managers assigned support staff the responsibility to review procurement terms and conditions to ensure that invoices were consistent with the basis of payment and that proper support documentation was included with the invoice and attached to the payment. In respect of the effectiveness of Section 34 processes and controls, the audit found the following:

  • Procedures and guidelines related to the PPSC’s application of the Section 34 delegated authority were not sufficiently developed, particularly with regard to the amount of supporting documentation required to validate a payment, and to demonstrate that a payment had been properly verified;
  • 51% of invoices and support documentation did display auditable evidence (e.g. checkmarks or stamps) to substantiate that pre-Section 34 account verification had taken place (The majority of the deficiencies were for payments other than travel and utilities);
  • 40% of non-travel transactions did not have sufficient supporting documentation on file to validate the payment; and
  • 23% of payments were not made within the 30 day invoice payment period.

For Crown Agent files, AAU staff performs both pre-payment and post-payment verification as part of Section 34 certification. A checklist is completed for pre-payment verification by the AAU accounting operations group before Section 34 is certified. The AAU audit and systems group conduct a sophisticated risk-based post-payment review. Audit interviews and file reviews revealed similar findings as those stated in the bullets above; all files reviewed were certified under Section 34 by a delegated authority, but for many Crown Agent files there was insufficient documentation on the case file to demonstrate Agent Supervisor pre-approvals for certain expenses related to case work.

Submitting invoices for payment without adequate supporting documentation, or other evidence, could result in either ineligible expenses being paid, or time delays and additional effort in determining the correctness of the payment.

Recommendation

  • 10. It is recommended that the CFO develop guidance documentation or checklists to assist managers responsible for Section 34 account verification to properly carrying out their verification duties regarding proof of performance. Guidance documentation would be particularly helpful in instances where payment types have specific and unique terms and conditions.

3.2.5 Financial Officer FAA Section 33 Responsibilities

A number of internal controls related to the account verification processes are not working as designed, and the amount of rigour applied is insufficient to provide reliance on Section 34 certifications.

Criterion: Employees with payment authority pursuant to FAA Section 33 provide assurance of the adequacy of the FAA Section 34 account verification. There exists auditable evidence of the verification process which includes the identification of the various individuals who performed the verification. Different person exercised signing authority pursuant to both FAASection 33 and 34.

As per the TBS Directive on Account Verification, “financial officers with payment authority pursuant to FAA Section 33, must provide assurance of the adequacy of the Section 34 account verification and be in a position to state that a process is in place and is being properly and conscientiously followed.” As well, “the account verification process must provide for auditable evidence of verification including identifying the various individuals who performed the verification.” Departments when developing their specific policies and procedures for the verification of accounts pursuant to FAA Section 34 and for the quality assurance review of the adequacy of Section 34 account verification should take into account risk factors such as the level of decentralization and the use of automated expenditure management systems.

The audit reviewed account verification activities in the PPSC subject to three different processes:

  • With respect to regional offices in the provinces, PPSC employees at HQ with payment authority pursuant to FAA Section 33 rely on the CSP’s Regional Accounting personnel to provide assurance regarding the adequacy of the FAA Section 34 account verification.
  • In the territories, PPSC finance staff and administrative support personnel have assumed the FAA Section 33 responsibilities. However, concerns regarding separation of duties were observed relating to payment authority and issuing and controlling of cheques.
  • In the case of Crown Agents, once Section 34 has been certified by a delegated authority, there is no validation to ensure that account verification occurred. AAU accounting operations is informed verbally that Section 34 has been signed. The pay run is then sent to PPSC Finance and subsequently approved without any further verification. Although there is no review as part of Section 33, there is adequate segregation of duties between the individuals certifying Section 34 and Section 33. However, unlike most regions where the CSP’s accounting personnel have delegated Section 33 authority, no one within the AAU has such authority.

All PPSC expenditures are reviewed pursuant to Section 33 of the FAA, except for Crown Agent files. When the CSP Regional Finance Groups were involved in the Section 33 approval there was adequate segregation of duties between persons exercising authority pursuant to both Section 33 and Section 34. There was auditable evidence to substantiate that Section 33 had been performed on 67% of the payments sampled.

Only 35% of payments sampled by the audit passed three key audit criteria: (i) a valid expenditure initiation pre-approval, (ii) a valid Section 34 approval, and (iii) adequate supporting documentation. Further, in many cases we found funds were not being committed in the financial system before invoices were received. Lastly, contracts were not always in place and some files did not contain auditable evidence to conclude that account verification had taken place.

The review of Crown Agent files revealed similar anomalies: (i) supporting documentation on file was insufficient to demonstrate Agent Supervisor pre-approvals of certain expenses related to case work; and (ii) over a quarter of the files did not contain auditable evidence of account verification.

While account verification practices and controls have been established to address non-compliance issues in the payment process, anomalies are still not being detected; indicating that some account verification controls are not in place or are not functioning as designed. As a consequence, there is a risk that invoices could be paid without auditable evidence to substantiate whether appropriate approvals have been completed and proper contracts established.

Some government departments have adopted a post-payment verification regime as a cost-effective quality assurance solution. Post-payment verification is a process whereby expenditures are independently reviewed by financial officers. The extent and timing of the review is generally risk-based, with high and moderate-risk expenditures often pre-audited prior to payment. Low-risk payments are sampled after payment. We note that PPSC personnel involved with Section 33 Payment Authorization are neither sampling nor validating payments from the Payment Run, nor are they monitoring or reporting on expenditure anomalies.

The audit team has concluded that a number of internal controls related to the account verification processes are not working as designed, and the amount of rigour applied is insufficient to provide reliance on Section 34 certifications.

Recommendation

It is recommended that the CFO:

  • 11. develop and implement a checklist specific to the verification of PPSC transactions, as a means of strengthening Section 33 functions and supporting consistent payment verification;
  • 12. review the feasibility of implementing a national post-payment Quality Assurance process to ensure compliance with the Directive on Account Verification; and
  • 13. in consultation with the Director of Agent Affairs review the account verification process to ensure that there is proper delegated authority in place and compliance with Section 33 of the FAA.

4.0 Conclusion

In this audit the IAD examined the PPSC account verification framework. The audit team noted that a substantial effort is being made by the personnel responsible for certifying payments and settlements to be efficient, and to comply with policies and directives in what is considered a complex working environment. The audit team did observe some good practices that collectively could be used to strengthen account verification practices and internal controls.

The general conclusion is that PPSC is in compliance with applicable TBS policies for the period under review, with the exception of a number of administrative practices that need to be addressed to ensure full compliance with central agency direction. While the audit did not find any instances of misappropriation of funds or incorrect payments, there are components of the overall control framework that need to be enhanced, specifically in the areas of practices and procedures, roles and responsibilities, and monitoring and reporting.

The CAE has requested that the CFO prepare an action plan to address the recommendations contained in this report. The management action plan can be referenced in section 5 of the report. In six to twelve months the CAE will follow-up with the CFO to ensure that the management action plan has been implemented or is sufficiently underway.

5.0 Management Action Plan

Risk Ranking Recommendation Management Response and Action Plan Office of Primary Interest Initial Target Date for Completion
Roles and Responsibilities
Medium 1. It is recommended that the CFO ensure that roles and responsibilities for the PPSC staff engaged in the certification and settlement of payments and account verification are properly documented, communicated, periodically reviewed, reinforced, and comply with applicable TBS policies. 1. The roles and responsibilities of individuals engaged in the account verification process are defined in the account verification directive published by TBS. The CFO agrees to communicate these roles and responsibilities via a Finance Info bulletin during 2010/11. CFO March 2011
Awareness and Training
Medium 2. It is recommended that the CFO identify where account verification training is incomplete or insufficient and provide appropriate training to ensure PPSC staff carry out their responsibilities in compliance with PPSC procedures and TBS applicable policies and directives. 2. The CFO agrees to identify training requirements for individuals involved in the process of account verification. A list of available training will be communicated to PPSC staff via a Finance Info bulletin during 2010/11.

If funds are available, the Finance and Acquisition Directorate with colleagues from other corporate services could hold an annual training workshop to offer financial information.		 CFO March 2011
Monitoring and Reporting
  It is recommended that:      
Medium 3. The CFO, design and develop a formal monitoring approach for account verification that takes into consideration the use of standardized reports, methodology, and tools. 3. A formal procedure for monitoring compliance with financial policies has been developed and communicated to employees on October 13, 2009 via a Finance Info Bulletin. As per this procedure the CFO submits a semi-annual report to the DPP that identifies the circumstances of non-compliance and measures taken to prevent non-compliant practices. CFO Already implemented
High 4. The Director of AAU establish a formal follow-up system to track Audit and Systems’ report recommendations to ensure corrective actions have been taken. 4. As part of the first three phases of the comprehensive review and audit of agent activities we are currently tracking the recommendations made and corrective actions taken by means of specific observations in subsequent reports. We have begun the implementation of an interim process for the tracking of these reports and recommendations in a systematic manner to ensure that all reports are commented upon and that all corrective actions are noted and reviewed in subsequent reviews of the agent firms. With the implementation of Phase IV of the audit process these reports will be automatically tracked and the responses / corrective actions monitored as part of the proposed Ultimate risk Model (URM) database - these responses and corrective actions will be a key component of the URM determination for each agent firm (see Appendix D). Director, AAU On-Going & Phase IV implementation is dependant on additional resources being available – Completion expected 6 months after resources have been secured.
High 5. The Director of AAU, in consultation with the CFO, establish a standard reporting protocol to provide status updates on the follow-up of recommendations. 5. With the implementation of Phase IV of the audit process we will begin to move from agent specific reporting to area/region/province/national level reporting on activities of agents. The recommendations made throughout the audit process will be key elements for improved reporting on agent activities. Additional resources will be required for the final design as well as implementation of Phase IV of the comprehensive review and audit of agent activities.

We will continue to keep the CFO advised of the protocols used in the review of agent activities. This review will be periodic and will commence prior to the implementation of Phase IV, and throughout the implementation.		 Director, AAU & CFO Phase IV implementation is dependant on additional resources being available. Phase IV will be completed 18 months after resources have been secured.
Risk Management
Low 6. It is recommended that the CFO design, develop and implement a formal risk-based approach for the account verification that is consistent with the TBS Directive on Account Verification and the recommendations from the OCG. 6. At the moment, there is no risk management strategy and process when exercising payment authority under Section 33 of the FAA. Until the rate of errors detected at the certification of Section 34 of the FAA attains an acceptable tolerance level of 7%, the CFO will not implement a risk management process. In the meantime, the CFO will evaluate the requirements and cost effectiveness of implementing a risk management process such as statistical sampling when exercising payment authority under Section 33 of the FAA. CFO March 2012
Processing in Compliance with Policy
Medium 7. It is recommended that the CFO document and communicate account verification management practices and controls to individuals and financial officers responsible for certifying payments and settlements to ensure effective internal controls over account verification.. 7. The CFO will document the account verification management practices and controls. CFO March 2012
FAA Section 32 – Expenditure Initiation Authority and Commitment Authority
Medium 8. It is recommended that the CFO take the necessary measures to ensure all acquisitions for goods and services are formally pre-authorized and that standardized procedures are applied for recording and reporting funds commitment (including Crown Agents). 8. The CFO agrees to communicate the requirements from the Directive on Expenditure Initiation and Commitment Control published by TBS via a Finance Info bulletin during 2010/11. The CFO will develop and communicate procedures on the recording and reporting of commitments during 2010/11. CFO March 2011
Contracting Authority Responsibilities
High 9. It is recommended that the CFO provide ongoing communication and awareness training to management and account verification personnel regarding the need to establish, maintain and reference contracts and the requirement to validate contract terms, conditions and rates from pre-established contracts.





 9. A departmental directive on acquisition was developed and communicated on April 1, 2010. This directive outlines to the project authority (e.g. the person responsible for the outcomes of a contract) their contracting responsibilities of defining requirements and establishing contracts. Therefore, responsibility to define requirements and establish contracts is with the project authority (i.e., managers)

The CFO agrees to identify training requirements for individuals involved in the process of account verification. A list of available training will be communicated to PPSC staff via an Acquisition Info bulletin during 2010/11.

If funds are available, the Finance and Acquisition Directorate with colleagues from other corporate services could hold an annual training workshop to offer acquisition information.		 CFO March 2011
FAA Section 34 Authorization Responsibilities
Medium 10. It is recommended that the CFO develop guidance documentation or checklists to assist managers responsible for Section 34 account verification to properly carrying out their verification duties regarding proof of performance. Guidance documentation would be particularly helpful in instances where payment types have specific and unique terms and conditions. 10. The CFO agrees to develop and communicate checklists to assist individuals responsible for certification under Section 34 of the FAA. CFO March 2011
Financial Officer FAA Section 33 Responsibilities
  It is recommended that the CFO:      
Medium 11. develop and implement a checklist specific to the verification of PPSC transactions, as a means of strengthening Section 33 functions and supporting consistent payment verification; 11. The CFO agrees to develop and communicate checklists to assist individuals responsible for certification under Section 33 of the FAA. CFO March 2011
Medium 12. review the feasibility of implementing a national post-payment Quality Assurance process to ensure compliance with the Directive on Account Verification.; and 12. The CFO will evaluate the requirements and cost effectiveness of implementing a risk management process such as statistical sampling when exercising payment authority under Section 33 of the FAA (discussed in #6 above). CFO  
High 13. in consultation with the Director of AAU, review the account verification process to ensure that there is proper delegated authority in place and compliance with Section 33 of the FAA. 13. The CFO will ensure that individuals certifying under Section 33 of the FAA have the proper delegated authorities.

The AAU will work with the CFO to ensure that the appropriate level of Section 33 delegation is established and implemented.		 CFO & Director, AAU  

Appendix A – Level of Risk by Audit Criteria

High:
 
finding is individually significant and prevents audit reliance on controls for the area affected;
Medium:
 
finding does not individually prevent audit reliance on controls for the area affected but the combined impact of several findings with a medium ranking can prevent reliance on controls for audit purposes for that area.
Low:
 
Efficiency item only.

 

Criteria Management Accountability Framework (MAF) or Core Management Control Element TBS or Departmental Policy or Directives Level of Risk
1.1 Departmental Policy and Procedures • Stewardship ST-5 & 6 TB Directive on Account Verification (Effective October 1, 2009)  
Medium
 
1.2 Roles and Responsibilities • Accountability AC-1 TB Directive on Account Verification (Effective October 1, 2009) High - in the North
Medium
 
1.3 Awareness and Training • People PPL-4 TB Directive on Account Verification (Effective October 1, 2009)

TB Policy on Learning, Training and Development		  
Medium
 
1.4 Monitoring and Reporting • Stewardship ST-7, ST-14, ST-18, ST-20

• Results and Performance RP-2, RP-3		 TB Directive on Account Verification (Effective October 1, 2009) High - in Agent Affairs
Medium
 
1.5 Risk Management • Risk Management M-1 TB Directive on Account Verification (Effective October 1, 2009)  
 
Low
2.1 Processing in Compliance with Policy • Stewardship ST-10 TB Directive on Account Verification (Effective October 1, 2009) High- in the North
Medium
 
2.2 FAA Section 32 • Stewardship ST-10 Directive on Expenditure Initiation and Commitment Control;

FAA Section 32		  
Medium
 
2.3 Contracting Authority Responsibilities • Stewardship ST-10 TBS Contracting Policy and Directives High
 
 
2.4 FAA Section 34 • Stewardship ST-10 TB Directive on Account Verification (Effective October 1, 2009)

FAA Section 34		  
Medium
 
2.5 FAA Section 33 • Stewardship ST-10, ST-13 TB Directive on Account Verification (Effective October 1, 2009) FAA Section 33 High- in Agent Affairs
Medium
 

Appendix B – FAA Section 32, 34, 33 & Definitions

Definitions

Authentication (authentification)
Is the process by which an authorization is verified to ensure, before further processing, that the authorizer can be positively identified, that the integrity of the authorized data was preserved and that the data are original.

Certification authority (pouvoir d'attestation)
Is the authority, according to Section 34 of the Financial Administration Act to certify, before payment, contract performance and price, entitlement or eligibility for the payment.

Commitment authority (pouvoir d'engager des fonds)
Is the authority to carry out one or more specific functions related to the control of financial commitments as required in the Directive on Expenditure Initiation and Commitment Control.

Delegate (also delegated or delegation) (déléguer)
Is an action by which a person (i.e., delegator), vested with specific statutory authority, assigns a specific power or function to another.

Deputy Minister (sous-ministre)
For the purpose of this directive, is a deputy of a minister referred to in section 24 (2) (c) of the Interpretation Act.

Designate (désigner)
Is the act of appointing a person to exercise specific authorities or functions.

Expenditure initiation authority (pouvoir d'engagement des dépenses)
Is the authority to incur an expenditure or to make an obligation to obtain goods or services that will result in the eventual expenditure of funds. This includes the decision to hire staff, to order supplies or services, to authorize travel, relocation or hospitality or to enter into some other arrangement for program purposes.

Expenditure process (processus de dépenses)
Includes both spending and financial authorities.

Financial authorities (pouvoirs financiers)
Is certification and payment authority for purposes of this directive.

Full authority (pleins pouvoirs)
Is the authority that extends to the limit of the associated budget allocated to the position. It is limited by applicable legislation, policies and directives.

Incumbent or officeholder (titulaire)
Is the holder of a position or office including a person appointed to an office on an acting or temporary basis. An incumbent does not have to be a federal public service employee.

Management practices and controls (pratiques et contrôles de gestion)
Are policies, processes, procedures and systems that enable a department to operate its programs and activities, use its resources effectively, exercise sound stewardship, fulfill its obligations and achieve its objectives.

Payment authority (Pouvoir de payer)
Is the authority to requisition payments according to Section 33 of the Financial Administration Act.

Spending authority (pouvoir de dépenser)
Consists of three elements: expenditure initiation authority, commitment authority and transaction authority.

Transaction authority (Pouvoir d'exécuter une operation)
Is the authority to enter into contracts, including acquisition card purchases, or sign-off on legal entitlements (e.g. employment insurance payments).

Appendix C – Links to Treasury Board Policies and Directives Related to Account Verification

Appendix D – Overview of Agent Affairs Program Phase IV Audit Approach and Ultimate Risk Model

Phase IV Audit Approach:

Phase IV will be the final implementation phase of the audit and review of agent activities. We plan to incorporate all aspects of the agent firm’s business into a comprehensive metric of their ultimate risk. As part of the determination of the risk level for an agent firm we will incorporate findings from the review of agent accounts, the review of their file and timekeeping practices, on-site reviews and audits of their activities, quality self-assessment (and follow-up on that assessment by regional supervision staff), comments from the broader legal community and comments from clients. A key strategy in the development of Phase IV is the use of a “continuous audit” approach to develop an on-going review of the work preformed.

Ultimate Risk Model:

The Ultimate Risk Model, URM, or Auditing Risk Model, is a methodology by which a population may be assigned a risk factor which will allow more focused attention by the reviewing authority on the ‘problem children’ yet giving good assurance that the entire population has been reviewed to appropriate standards. In establishing the model three factors are taken into consideration. They are:

  • the IR or Inherent Risk (the risk that a given set of transactions / work are susceptible to misstatements or errors); in looking at IR the presence of controls, and the application of those controls, such as the Litigation Code Set, are taken into consideration.
  • The CR or Control Risk (the presence of internal controls, such as good file management, good timekeeping, good training and other factors). There is always a value for CR, even with in-house applications, since it is impossible to manage and control all aspects of an individual or an organization.
  • The DR or Detection Risk (the chance that the reviewing authority will not be able to detect a material misstatement or breach); this risk is mitigated by the establishment of good benchmarks, the building of good statistical models.

The URM is then a mathematical formula URM = IR x CR x DR, this leads to a factor which when applied to a given organization, or groups of organizations, establishes the sample size used to examine their work.