Foreign Affairs and International Trade Canada

international.gc.ca

Common menu bar

• Français
• Home
• Contact Us
• Help
• Search
• canada.gc.ca

Breadcrumb

1. Home
2. >
3. About the Department
4. >
5. Accountability

Audit of Expenditure Controls

September 2010

(PDF Version, 473 kB)^*

Personal and sensitive information has been edited from this report (shown in the report as "*****") in accordance with the provisions of the Privacy and Access to Information Acts.

Table of Contents

• Message from the Chief Audit Executive
• Executive Summary
  • Conclusion
  • Recommendations
• 1.0 Background
• 2.0 Observations and Recommendations
  • 2.1 There is currently no departmental risk assessment of payments to support a risk-based approach to expenditure processing at DFAIT.
  • 2.2 There is a need to document current processes and controls to provide the foundation for control/risk assessment and reengineering.
  • 2.3 There is no departmental Quality Assurance (Section 33 function) plan in place to guide the account verification process.
  • 2.4 The limited management monitoring, performance measurement and reporting regime should be improved to provide sound, comparative information for management decision-making to support the Deputy Minister in his role as accounting officer and move expenditure processing towards a cost-effective model.
  • 2.5 Our transaction testing found little evidence of error in the department's processing of payments based on the current 100% Quality Assurance process. Considering the results of our limited judgemental sample, nothing came to our attention to indicate that the controls in place were not effective.
• 3.0 Conclusion
  • Statement of Assurance
• Appendix A: About the Audit
  • Objective
  • Scope
  • Methodology
  • Criteria
  • Lines of Enquiry and Audit Criteria
  • Audit Criteria and Management Accountability Framework (MAF) Related Management Controls
• Appendix B: Management Action Plan
• Appendix C: Definitions
  • Account Verification
  • Expenditure Controls (For the Purpose of this Audit)
  • Monitoring
  • Quality Assurance
  • Quality Plan
  • Quality Planning
  • Risk
• Appendix D: Applicable Policies
• Appendix E: Section 33 and Section 34 Description
  • Excepts from the Financial Administration Act (R.S., 1985, c. F-11)
    • Section 33 of the Financial Administration Act
    • Section 34 of the Financial Administration Act

Message from the Chief Audit Executive

This report presents the results of an internal audit of expenditure controls within the Department of Foreign Affairs (DFAIT). This audit work formed part of the approved Risk-Based Internal Audit Plan for 2009-10. This internal audit completes the suite of financial management audits undertaken in fiscal year 2009-10 aimed at strengthening the Department’s resource management regime. Whereas previous audit work examined the allocation of resources within the Department, the focus of the audit of Expenditure Controls is to assess the controls in place leading to the payment of transactions.

Expenditure Control is important and high-risk because it is about how public funds are spent. DFAIT spends over $2 billion each year in support of its mandate. Managing expenditures goes to the core of accountability to Parliament for the use of public funds. In this regard, Parliament enacted three sections of the Financial Administration Act (FAA) that address the spending of public funds:

Section 32 - requires authorized managers to ensure sufficient availability of funds before initiating expenditure; and then, provides for the commitment of that expenditure initiation;

Section 34 - requires authorized managers to certify that the goods or services have been fully delivered before payment is made; and,

Section 33 - requires authorized financial officers to make payments in a form as prescribed by the Treasury Board.

The audit of expenditure control examined the process in place beginning with the Section 34 certification by the Manager and focused mostly on the verification of the transaction leading to and including the payment. This latter process is called Account Verification. Its requirements are set out in the Treasury Board Directive on Account Verification.

Our audit observed that DFAIT essentially conducts full pre-payment verification of 100% of its transactions, that is, all payments receive both Section 34 and Section 33 certification prior to being entered into the payment system. This means that all transactions, regardless of value, receive an equal amount of attention. This contrasts with a system that would be guided by a good appreciation of risks and would ensure that scarce resources give relative concentration to more complex, high-risk payments. In fact, current direction from the Treasury Board calls for an approach whereby payments are verified in a cost-effective manner – a manner that has the potential to improve control while delivering resource benefits.

The Account Verification process represents an opportunity for financial officials dedicated to processing payments to do so more effectively and to add value to the management of the expenditure process.

The audit recommendations are directed at a going-forward strategy to ensure that payment controls are documented and that monitoring occurs to support a risk-based approach that would articulate pertinent performance indicators, including acceptable tolerances. The objective would be to ensure focused, cost-effective controls that make best use of resources applied to account verification.

The Department's Chief Financial Officer has agreed with the audit recommendations and has developed an appropriate action plan.

Yves Vaillancourt, Chief Audit Executive, DFAIT

Top of page

Executive Summary

This report presents the results of an internal audit of Expenditure Controls within the Department of Foreign Affairs and International Trade. The audit formed part of the approved Risk-Based Internal Audit Plan for 2009-2010.

Expenditure Control is important and high-risk because it is about how public funds are spent. DFAIT spends over $2 billion each year in support of its mandate. Managing expenditures goes to the core of accountability for public funds. In this regard, Parliament enacted three sections of the Financial Accountability Act (FAA) that address the spending of public funds:

Section 32 - Transaction Initiation / Commitment Authority: This is the authority delegated by the Minister to management to certify that a sufficient unencumbered balance of funds remains in the appropriation to discharge the commitment.

Section 34 - Certification of Work Performance: This authority is delegated by the Minister to various levels of management, both at Missions and Headquarters, to enable them to administer programs and manage expenditures under their jurisdiction. These managers are responsible for certifying that work, goods or services have been received for the payment requested, that the charge is reasonable and correct, and that the payee is entitled to payment. Each transaction that undergoes Section 34 certification must be coded to indicate the type of transaction and the responsibility or cost centre where the expenditure was incurred. No expenditure can be made without a Section 34 authorization.

Section 33 - Payment Authority: Certification, normally by a financial officer, that management has carried out its duties appropriately under Section 34. Section 33 is the authority to requisition payments that are charged to appropriations.

The Office of the Comptroller General (OCG) has encouraged departmental internal audit functions to give attention to basic financial controls. That office has performed a number of internal audits across government that have dealt with expenditure controls; the most recent, reported in September 2009, addressed the controls applied to higher-risk expenditures. ¹DFAIT was not part of the OCG’s horizontal audit. The audit criteria, however, were adapted and used as the basis for this DFAIT audit conducted between June 2009 and February 2010. Details of the audit, including criteria, are listed and linked to the Management Accountability Framework and the applicable Core Management Controls in Appendix A – About the Audit.

The objective of this audit was to determine whether controls in place at DFAIT are cost-effective in processing expenditures – whether the payments are routine and low value or higher risk. For the purpose of this audit, expenditure controls include:

• Management authorization of payments for which they have budgetary control (Section 34);
• Financial verification of the payment to ensure that management fulfilled their responsibilities (Section 33); and,
• Overall management monitoring to provide assurance on the integrity of the expenditure process (Section 33).

This audit is consistent with the general direction of DFAIT Business Model decisions to look at cost-effectiveness and at sustainability over the long-term. It is also part of the overall assessment of financial management at DFAIT and focussed on answering the following question:

"Is the significance of a payment transaction being taken into consideration along with the risk level of the payment, in order to direct scarce resources to their best use?"

DFAIT is currently applying a conservative approach whereby prepayment verification occurs for 100% of payments. Despite the fact that 20% of the volume of expense account transactions represents 66% of the total dollar value, the department has not implemented an appropriate risk-managed process that would make use of sampling techniques. Consequently, there is little assurance that verification resources are being directed to their best use, as inordinate attention is given to high-volume, low value payments. There is also insufficient monitoring of the population of payments as a basis for on-going assessment of risks and tolerances. Opportunities to improve both the control and efficiency of expenditure processing can be pursued while achieving better compliance with pertinent Treasury Board Policy.

Implementing improvements in the area of expenditure controls will:

• have the potential to improve control while delivering resource benefits;
• support the Deputy Minister in his role as accounting officer as outlined in the Policy on Internal Control;
• support the Deputy Minister’s assurance in the Annual Letter of Representation to the Auditor General that internal controls are balanced against and proportional to the risks which they mitigate; and,
• align DFAIT practices with applicable Treasury Board direction whereby accounts are to be verified in a cost-effective manner.

The Horizontal Audit performed by the OCG reported results similar to what we found at DFAIT. The OCG audit stated: "[Large Departments and Agencies] LDAs are not taking advantage of risk management to help make their account verification practices more efficient. Most LDAs are applying 100% verification on all transactions when appropriate risk management strategies would result in more efficient practices."

DFAIT processed one million transactions valued at $2.4 billion through its expense accounts in FY 2008-2009. These one million transactions – $2.4 billion’s worth – big or small – consumed relatively equal amounts of departmental resources to receive quality assurance scrutiny commonly referred to as Section 33 authorization. A detailed description of the tasks involved in both Section 34 and Section 33 of the Financial Administration Act is contained in Appendix F.

DFAIT has expenditures occurring in 190 offices abroad and across Canada paid through the normal government system, journal vouchers, electronic funds transfer, cheques, credit cards for acquisitions, credit cards for travel and cash in many currencies. Payment is further complicated by foreign banking and challenged by fluctuating exchange rates and different business norms in other jurisdictions. Even though certain types of payments receive more detailed review than others, the varying degree of complexities of these transactions is not reflected in the approach that applies 100% pre-payment account verification. As well, there is duplication within the process which may minimize payment errors but consumes time and resources.

In view of this conservative approach to account verification, our audit found little evidence of error in the Department’s processing of payments. Based on the results of our sample, nothing came to our attention to indicate that the controls in place were not effective. At the same time, we cannot give assurance that verification resources are applied to best use, that higher risk transactions are receiving adequate attention, nor that the system is positioned to become progressively more cost-effective.

Conclusion

DFAIT has opportunities to improve the efficiency of expenditure processing. The Quality Assurance process (Section 33) represents an opportunity to use resources currently processing transactions more effectively to add value to the expenditure process and strengthen financial management at DFAIT. Implementing the following recommendations will guide the Department toward a risk-based and more cost-effective process.

Recommendations

1. The Department should design and implement a risk-based approach for expenditure authorization. Once designed it should be formalized in policy and procedures.
2. The Department should document current expenditure processes and controls to use as a baseline for developing a compliant and cost-effective risk based process.
3. A Quality Assurance plan to guide the Section 33 process should be developed, communicated, implemented and reported upon.
4. A system-wide monitoring and reporting process should be developed to enable a high degree of assurance surrounding the payment process, and to support the reliability of expenses reported in the financial statements.
5. Management should clearly understand that only the Minister has the right to determine the position levels that will be delegated financial authority. All cases of inappropriate delegation of authority should be rectified immediately. Finance should implement appropriate controls to ensure that this situation does not reoccur.

Top of page

1.0 Background

The Department of Foreign Affairs and International Trade’s (DFAIT) Risk-Based Audit Plan for 2009-2012 included the Audit of Expenditure Controls. The Financial Administration Act, enacted by Parliament, provides the foundation for sound financial management in government. With respect to expenditure controls, there are three sections of the Act that are particularly important:

Section 32 - Transaction Initiation / Commitment Authority: This is the authority delegated by the Minister to management to certify that a sufficient unencumbered balance of funds remains in the appropriation to discharge the commitment.

Section 34 - Certification of Work Performance: This authority is delegated by the Minister to various levels of management, both at Missions and Headquarters, to enable them to administer programs and manage expenditures under their jurisdiction. These managers are responsible for certifying that work, goods or services have been received for the payment requested, that the charge is reasonable and correct, and that the payee is entitled to payment. Each transaction that undergoes Section 34 certification must be coded to indicate the type of transaction and the responsibility or cost centre where the expenditure was incurred. No expenditure can be made without a Section 34 authorization.

Section 33 - Payment Authority: Certification, normally by a financial officer, that management has carried out its duties appropriately under Section 34. It is the authority to requisition payments that are charged to appropriations.

These three essential control points are embedded into the financial management regime of government, depicted below, to ensure that parliamentary appropriations are used and recorded appropriately. The audit scope included steps 4 and 5 with a stronger focus on step 5 – Section 33.

As indicated above, the Financial Administration Act is the legislation that defines the requirements for payment. Section 33 is the quality assurance portion of expenditure control. At headquarters Section 33 authorization for the majority of transactions is carried out centrally through Corporate Finance - Payment Services. At missions this responsibility is normally carried out by the Management Consular Officer who is a Canadian Based Employee.

Approximately $2.4 billion of expenditures for the department in FY 2008-2009 were processed through the expense accounts. Twenty percent of the volume of transactions accounted for sixty-six percent of the dollar value. The roughly one million transactions – $2.4 billion’s worth – big or small – all received quality assurance scrutiny associated with certification for payment (Section 33). An analysis of the payment distribution within DFAIT indicates a preponderance of low dollar value transactions.

This audit essentially asked "Is the significance of a payment transaction being taken into consideration along with the risk level of the payment, in order to direct scarce resources to their best use?" With this question in mind, the purpose of this audit was to provide an opinion on the extent to which the controls in place are efficient and effective in managing the risks related to DFAIT’s expenditures.

The objective of the Treasury Board Policy on Account Verification was to ensure that payments and settlement were verified as described in Section 33 and Section 34 of the Financial Administration Act, in a cost-effective and efficient manner while maintaining the required level of control. This policy supported the use of sampling tailored to reflect the risk level of the transactions under review. The Directive on Account Verification which replaced the Treasury Board Policy on Account Verification on October 1, 2009, made a stronger case for sampling by stating that financial officers are responsible for "establishing sound sampling plans and practices".

Following the Section 34 account verification, all payments receive two levels of Section 33 review prior to certification. Certain payments receive a more detailed review during the first step than others. There is duplication in these two levels of review – some of the same checks are performed by two separate people in the process. This is not the best use of resources.

Readers should keep in mind that payment processing at DFAIT is complex. DFAIT has expenditures that occur at headquarters in Ottawa and in 190 offices abroad and across Canada. Payments are made routinely through the normal government payment system as well as by electronic fund transfers, cheques, BMO acquisition cards, AMEX travel cards and cash in many currencies. The challenges of foreign banking, fluctuating exchange rates and business norms in other jurisdictions add to the complexity of expenditure control in the department and have an impact on the risk level of payments.

The internal audit sector of the Office of the Comptroller General (OCG) performed an internal audit engagement of High Risk Expenditure Controls in Large Departments and Agencies in September 2009. DFAIT was not part of that horizontal audit however the criteria for this audit were adapted from the OCG audit. The criteria are linked to the Management Accountability Framework and the applicable Core Management Controls in Appendix A – About the Audit.

Top of page

2.0 Observations and Recommendations

2.1 There is currently no departmental risk assessment of payments to support a risk-based approach to expenditure processing at DFAIT.

Despite the reality that 20% of the volume of transactions accounted for 66% ($1.6 B) of the dollar value of DFAIT’s expenses, the approach at headquarters and at missions was to apply 100% pre-payment certification (Section 33) procedures to expenditures. Without identifying high, medium or low risk payment types and processing them according to the risk level, there is the potential to miss significant errors due to the volume of less significant transactions being checked. As well, there is the risk of exceeding the capacity of available resources. Scarce resources freed from 100% Section 33 transaction certification could be better placed in testing controls, monitoring and reporting roles.

At headquarters we documented a more detailed level of scrutiny applied to certain payment types including: travel; hospitality; Foreign Service Directives; grants and contributions; travel cards; and, acquisition cards. As well, payments over ***** and a sample of one in every ***** payments were also subject to this more detailed review. While this indicates some form of stratification, there was no basis, such as materiality or historical error rates, provided for this threshold.

Through interviews with Heads of Mission and examination of the Head of Mission Handbook (2009) it was determined that risk assessment for payments is expected to be performed at missions. However, there is no uniform application, leaving individual Heads of Missions to do risk assessment at their discretion. We also interviewed three program areas at headquarters responsible for grants, contributions and real property where we noted that they assessed project risk which is implicitly linked to payment risk.

The Treasury Board Directive on Account Verification requires the establishment of risk-based management practices and controls to ensure effective internal controls over account verification. This is clearly stated as the responsibility of the Chief Financial Officer. It goes on to say that financial officers must ensure that all high-risk transactions are subjected to a full review of the transactions and that samples of medium and low-risk transactions are selected based on a sample selection methodology and are subjected to a review of the most important aspects of each selected transaction. Fundamental to implementing this process is the establishment of criteria and identification of high, medium and low risk payments. Criteria to identify risk level of transactions should include: consideration of the type of transaction; its potential impact with respect to reputational, operational and legal risk; the dollar value; and where appropriate, the current error rate.

Information on the volume of transactions, by type of expense, could be used to assist in determining risk levels of various types of expenditures and form the basis for a sampling plan.

The lack of risk identification and assessment has broad ramifications because without this step:

• Resources may not be appropriately distributed among types of payments or between payment processing and monitoring activities, resulting in excessive attention to low-value, routine payments and inadequate monitoring;
• An appropriate sampling method for processing payments cannot be established in compliance with the Treasury Board's Directive on Account Verification²; and,
• There are limitations on the Chief Financial Officer's ability to provide assurance on the state of controls for high risk payments.

Resources carrying out the Quality Assurance (section 33) process are distributed relatively evenly across all transactions given the current process of 100% verification. This has created the situation where resource utilization is not balanced against the financial risk of the transaction. A comparison of the work effort (resource utilization) to the financial dollar value of categories of expenditures indicates that there is a significant variance between the resources used for Section 33 and the financial risk posed – 50% of the resources are focussed on only 20% of the expenditures.

There are currently 17.2 full-time equivalents in DFAIT Headquarters providing Section 33 verification. These transactions range from very small, routine, low-risk transactions to very large, exceptional, higher-risk transactions.

The audit suggests transferring resources from the task of verifying Section 33 to conducting expenditure monitoring, trend analysis and reporting. This information would be valuable to Senior Management in determining whether or not controls in place on expenditures are appropriate and represent good financial management.

The following table indicates the resources that could be realigned by reducing the percentage of transactions that receive Section 33 verification at DFAIT Headquarters by 20, 30, and 50%.

DFAIT has not adopted a risk-based approach to account verification, and therefore controls related to expenditures cannot be assessed as cost-effective. Treasury Board has indicated, through the Directive on Account Verification, that there is no expectation that payments will be error-free; however, the process should be designed to remain within reasonable, established tolerance levels. Without a risk-based approach, the department is missing opportunities to improve the control over account verification and to generate resource savings. DFAIT is not currently well-positioned to move forward in the design and implementation of a cost-effective process.

Recommendation 1: The department should design and implement a risk-based approach for expenditure authorization. Once designed it should be formalized in policy and procedures.

2.2 There is a need to document current processes and controls to provide the foundation for control/risk assessment and reengineering.

Some useful information and tools exist that could be used in developing process control maps. For example, policies relevant to account verification were easily accessible from the Finance site of DFAIT’s Intranet and some bureaus had links directly to this site. Appendix C of the DFAIT Account Verification Policy included a checklist for employees who had been delegated Section 34 authority.

The expenditure process, however, has not been documented. A documented process provides the necessary information to understand "where we’re at" and facilitates the determination of required changes to get to "where we want to be". There are several other opportunities provided by documenting the process and controls including:

• Identifying key control points which would help DFAIT move to a mature system of testing controls as opposed to testing transactions;
• Revealing non-value-added activities, redundant steps and bottlenecks that could be quickly remedied;
• Identifying stages in the process where data can be collected and used for decision-making;
• Establishing performance measures and targets;
• Consistently applying processes and reducing the need for individual employees to develop their own tools and memory aids;
• Developing and communicating an understanding of the overall process; and,
• Training staff involved in the process.

Recommendation 2: The department should document current expenditure processes and controls to use as a baseline for developing a compliant and cost-effective risk based process.

2.3 There is no departmental Quality Assurance (Section 33 function) plan in place to guide the account verification process.

Quality Assurance is described in the Treasury Board Directive on Account Verification as the activities carried out by section 33 financial officers that provide assurance on the system of account verification.

The Quality Assurance (Section 33) function is important to ensure the integrity of payments and the accuracy of financial statements. Despite the importance, there is no plan to guide this operation. This limits the department's ability to clearly articulate and communicate:

"A good plan is like a road map... it shows the final destination and usually the best way to get there" – H. Stanley Judd

• concrete and measurable objectives;
• accountabilities;
• roles and responsibilities;
• the basis for the approach adopted;
• linkages to risk identification and assessment of transactions;
• resource requirements, current capacity and gaps;
• performance expectations, including delivery standards, acceptable error rates and risk tolerances;
• management monitoring regime;
• mechanism for corrective action;
• information requirements and the source of information;
• reporting relative to the defined performance parameters.

Developing a Quality Assurance plan would:

• provide a clear understanding of the function and its importance;
• lend guidance to those responsible;
• demonstrate due diligence in terms of key decisions around risk tolerance; and,
• support the effective use of resources.

The Treasury Board Policy and Directive state that this plan should be founded upon a risk-based sampling approach to certification of Section 33. As well, sampling techniques chosen should be sufficiently precise to allow conclusions to be drawn about the overall adequacy and reliability of the account verification process.

Recommendation 3: A Quality Assurance plan to guide the Section 33 process should be developed, communicated, implemented and reported upon.

2.4 The limited management monitoring, performance measurement and reporting regime should be improved to provide sound, comparative information for management decision-making to support the Deputy Minister in his role as accounting officer and move expenditure processing towards a cost-effective model.

Monitoring is described in the Treasury Board Directive on Account Verification as the activities which the Chief Financial Officer (CFO) establishes to oversee the implementation of the Account Verification Directive in the department. These activities should enable the CFO to bring to the Deputy Minister’s attention any significant difficulties, gaps in performance or compliance issues and to develop proposals to address them. Monitoring should also assist the CFO in reporting significant performance or compliance issues to the Office of Comptroller General.

Although tracking and monitoring of certain aspects of the process takes place, the information is not gathered in a way that makes it useful for management in monitoring the effectiveness of account verification. For example:

• Payment Services (SMFP) track documentation that had errors which were returned to bureaus for correction. This provides data on the number of payments returned for correction and the type of error noted. It is not compared, however, to the overall number of transactions processed. If it was, there would be information/trends on error rates that would be useful in determining risk levels and tolerances.
• Corporate Financial Systems (SMSF) prepares a report highlighting user profiles which are normally considered incompatible (i.e. access to activate 'payment run' and entering invoices). This report is sent to Financial Operations, International (SMFF) to ensure that there are mitigating controls in place.

It was noted, however, that data mining and analysis techniques, effective at identifying payment anomalies and trends, are not fully utilized as either a preventive or detective control. Reports were not designed, analyzed or distributed in a way to provide information to senior management on the effectiveness of expenditure controls.

Monitoring is an essential component of internal control frameworks and is expected to inform management as to whether or not controls are operating as expected. Effective monitoring would:

• Provide the Chief Financial Officer and the Deputy Minister with documentation to support their attestations related to departmental expenditure control;
• Support sound decision-making; and,
• Feed accurate information into the risk-based approach to make adjustments related to identified weaknesses, new trends or the changing environment.

Recommendation 4: A system-wide monitoring and reporting process should be developed to enable a high degree of assurance surrounding the payment process, and to support the reliability of expenses reported in the financial statements. Automated data analysis (i.e. duplicate payments) should be incorporated where possible and error rates and anomalies should be available for analysis.

2.5 Our transaction testing found little evidence of error in the department's processing of payments based on the current 100% Quality Assurance process. Considering the results of our limited judgemental sample, nothing came to our attention to indicate that the controls in place were not effective.

A judgemental sample was drawn to test the controls in place to ensure the integrity of the payment authorization and disbursement process. The absolute dollar value (including expenses paid as well as negative amounts that were recorded in the general ledger expense accounts) of the sample was $78 million. The sample was stratified as follows:

• 119 transactions total – forty-three transactions were from Missions and seventy-six were from headquarters;
• 101 transactions represented 10 types of commitment items (i.e. travel, salary and wages of locally engaged staff, etc.) were included;
• 8 transactions valued at greater than $2m – 5 from headquarters and 3 from missions (26m); and,
• 10 large transactions showing as negative amounts in the general ledger expense accounts ($48m).

Results indicated that account verification controls were effective at preventing inappropriate or incorrect payments. It should be noted however that this effectiveness is based on the current quality assurance process. Appropriate segregation of duties was noted in all transactions tested. Although not all transactions could be verified with respect to timeliness, payments had been made in a sufficiently timely manner that the department did not pay significant interest. Some minor errors were noted such as signatures not dated and the use of initials rather than signature. As well, two cases of incorrect general ledger coding (value $31,112 or .03% of total tested) were noted. There were, however, no findings that would have a significant effect on departmental reporting.

There were two cases where transactions were certified by employees who had been delegated signing authority but were not occupying positions at an organizational level included in the Delegation of Financial Signing Authorities Chart. In one case the Head of Mission had given signing authority to their assistant. In the second case the Financial Management Officer had given signing authority to the Deputy Financial Management Officer. This is troubling as only the Minister has the right to delegate authority.

Recommendation 5: Management should clearly understand that only the Minister has the right to determine the position levels that will be delegated financial authority. All cases of inappropriate delegation of authority should be rectified immediately. Finance should implement appropriate controls to ensure that this situation does not reoccur.

Top of page

3.0 Conclusion

The controls that are in place to manage the risks related to DFAIT’s expenditures cannot be considered cost-effective because no departmental-wide risk assessment has been conducted to support a risk-based approach to expenditure control.

• The Department is dedicating resources to the Account Verification and the Quality Assurance functions but the work is not being done as effectively and efficiently as possible because expenditures have not been identified as high, medium or low risk.
• Without identifying high, medium or low risk payments at DFAIT and processing payments accordingly, there is the potential to miss significant errors due to the volume of insignificant transactions being checked and the risk of exceeding the capacity of available resources.
• There is no department-wide Quality Assurance plan in place to guide departmental operations related to expenditure control.
• Management monitoring and reporting is not sufficient to facilitate the provision of high level of assurance on payment processing. As well, senior management does not have the information they need for sound decision-making and they do not have the information required to feed into a new risk-based approach.
• Based on transaction testing performed by the audit team, the errors found do not have a material impact on Departmental financial statements. Controls are in place to ensure the integrity of the payment authorization and disbursement process however they are not cost effective and do not represent the highest and best use of resources.
• The Department is not in compliance with the Treasury Board Directive on Account Verification that stipulates that there be a formal departmental-wide, risk-based approach which offers the potential to improve control while delivering resource benefits.

The Account Verification process represents an opportunity to use resources currently processing transactions at headquarters more effectively to add value to the expenditure process and strengthen financial management at DFAIT. Ensuring that administrative resources are used effectively is a key priority for government as noted in the recent government budget, the Speech from the Throne, the Message of the Clerk of the Privy Council and the Deputy Ministers of DFAIT.

Statement of Assurance

In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the information contained in this report. This is based upon a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed with management. The evidence was gathered in compliance with Treasury Board Policy, Directives, and Standards on internal audit for the Government of Canada.

Original signed by:

Yves Vaillancourt, Chief Audit Executive, September 10, 2010

Top of page

Appendix A: About the Audit

Objective

The objective of the audit was to provide an opinion on the extent to which the controls in place are efficient and effective in managing the risks related to DFAIT’s expenditures. In order to assess this main objective, we have broken it down to more specific criteria to facilitate reporting on compliance, sound management practices and any implemented innovative or best practices observed across the Department. The audit criteria were as follows:

1. A risk assessment is performed on transactions.
2. The risk assessment leads to the development of departmental policies and procedures.
3. There is an internal quality assurance plan and process.

Controls are in place to ensure the integrity of the payment authorization and disbursement process.

Scope

The Office of the Chief Audit Executive will be addressing three components of the financial process in government: budget allocation, expenditures and financial reporting.

• Budget allocation was examined in the Resource Allocation Audit 2009.
• Financial reporting will be examined in the Audit of Financial Reporting that will take place in the near future.
• The focal point in this audit was on the expenditures component with attention on controls and the management of high risk payments.

The samples were drawn from transactions processed from August 1, 2008 to July 31, 2009. The scope included a review of the Information Management System.

Expenditures at Missions represented approximately one third of DFAIT spending. The percentage of the sample from Missions reflected this weighting.

Methodology

The audit was conducted in accordance with the Treasury Board Standards for Internal Audit. The following audit techniques were used in this audit of expenditure controls in order to conclude on each audit criterion:

• Review of legislative policy, procedures and directives obtained from bureaus, DFAIT and Treasury Board websites;
• Observe and document the account verification processes for different kinds of expenditures in order to develop the process control maps and identify the control points in the expenditure process;
• Testing a 119 sample of transactions to determine if: the risk based approach was applied at the transaction level; and, the application of expenditure controls including Section 33 and Section 34 at the transaction level were consistent and effective;
• Interviews were conducted with the following senior managers in selected bureaus and with DFAIT staff involved in expenditure controls. These interviews were based on interview guides prepared according to the objectives of the audit:
  • The Corporate Finance, Planning and Systems Bureau (SMD);
  • The Stabilization and Reconstruction Task Force (START)Secretariat (IRD);
  • Physical Resources Bureau (ARD);
  • The Global Partnership Program (IGX);
  • The Mission Client Services and Innovation (ASD);
  • Two former Heads of Mission; and
  • Payment Services staff (SMFP)

Criteria

This audit examined the degree of compliance with financial management legislation, policies and directives concerning the management and control of departmental expenditures, with a focus on high-risk payments as stated in the Chief Audit Executive’s Risk Based Audit Plan 2009-2012.

The internal audit sector of the Office of the Comptroller General (OCG) performed an internal audit engagement of High Risk Expenditure Controls in Large Departments and Agencies in 2009. DFAIT was not part of that horizontal audit however our criteria were adopted from the OCG audit. The audit lines of inquiry were linked to the Management Accountability Framework areas of Stewardship, accountability and Governance, and the applicable Core Management Controls of Governance, Stewardship, Accountability and Risk Management. Detailed lines of inquiry as well as criteria are described below.

Lines of Enquiry and Audit Criteria

1. A Risk Assessment is performed on transactions.

• 1.1 Departments must identify the risk level for various types of transactions processed by the department.
• 1.2 Criteria to identify risk level of transactions have been identified and documented. Criteria should include as a minimum:
  • 1.2.1 Consideration of the type of transaction;
  • 1.2.2 The dollar value. and where appropriate;
  • 1.2.3 The current error rate.
• 1.3 Comprehensive risk analysis has been conducted, documented and reviewed by Senior management within Finance and Program areas;
• 1.4 Prior to implementing sampling, a risk assessment, involving appropriate departmental managers, has been completed to determine the current state of account Verification (AV) in order to assess or develop appropriate controls.

2. The assessment leads to the development of policies and procedures.

• 2.1 DFAIT has established and documented internal policies outlining the extent of account verification required based on risk considerations.
• 2.2 Documentation to support approaches to Account Verification for high risk transactions is appropriate.
• 2.3 An effective mechanism to maintain and distribute policies, procedures and guidelines exist.
• 2.4 Internal training is appropriate to the account verification staff engaged in identification of risk.
• 2.5 Account Verification processes are documented for distinct processes and program activities based on identified risk.
• 2.6 Policy and procedures detail processes for those transactions identified as high risk.
• 2.7 Responsibility for review and revision to final management policies and authorities are known, understood by staff and applied accordingly.
• 2.8 Changes to policy and procedures are communicated to all stakeholders.
• 2.9 Staff with delegated authority for Section 33 and 34 of the Financial Administration Act (FAA), are aware and understand policy, procedure and responsibilities for Account Verification.

3. There is an internal quality assessment (QA) plan and process.

• 3.1 Financial Officers with payment authority pursuant to Section 33 FAA have established a QA review process that provides assurance of the adequacy of Section 34 AV. Specific QA processes are developed and applied to assess and confirm application of AV policy and procedures. The AV process provides for auditable evidence of verification including identifying the various individuals who perform the verification.
• 3.2 Senior Financial Officers are in a position to state that the appropriate controls are in place and are being properly and conscientiously followed based on the results of quality assurance and monitoring activities.
• 3.3 QA processes used to assess the adequacy of the account verification system must be tailored to reflect the risk level of the transaction under review. At a minimum detailed processes and quality assurance checklists are available and applied.
• 3.4 The results of QA are periodically reported to Senior Management. Reports include information on the degree of compliance information and breaches, including remedial actions if necessary.

4. Controls are in place to ensure the integrity of the payment authorization and disbursement process.

• 4.1 There is appropriate segregation of duties between Section 33 and 34 of the Financial Administration Act in the certification process.
• 4.2 Expenditures are certified pursuant to Section 33 and 34 of the Financial Administration Act by delegated authorities.
• 4.3 Payments are processed in the financial system in a timely manner.
• 4.4 Proper financial coding is used.

Audit Criteria and Management Accountability Framework (MAF) Related Management Controls

1. A Risk Assessment is performed on transactions.

   Risk Management

   RM-1 Management has a documented approach with respect to risk management.
   RM-2 Management identifies the risks that may preclude the achievement of its objectives.
   RM-4 Management assesses the risk it has identified.

2. The assessment leads to the development of policies and procedures.

   Stewardship

   ST-5 Financial management policies and authorities are established and communicated.

   Risk Management

   RM-3 Management identifies and assesses the existing controls that are in place to manage its risks.

   People

   PPL-4 The organization provides employees with the necessary training, tools, resources and information to support the discharge of their responsibilities.

   Accountability

   AC-1 Authority, responsibility, and accountability are clear and communicated.
   AC-2 Employees formally acknowledge their understanding and acceptance of their accountability.

3. There is an internal quality assessment (QA) plan and process.

   Stewardship

   ST-7 Compliance with financial management laws, policies and authorities is monitored regularly.
   ST-11 Appropriate system application controls exist.
   ST-16 Management compares results achieved against expectations on a periodic basis.

   Risk Management

   RM-1 Management has a documented approach with respect to risk management.
   RM-3 Management identifies and assesses the existing controls that are in place to manage its risks.

   People

   PPL-4 The organization provides employees with the necessary training, tools, resources and information to support the discharge of their responsibilities.

   Accountability

   AC-2 Employees formally acknowledge their understanding and acceptance of their accountability.

4. Controls are in place to ensure the integrity of the payment authorization and disbursement process.

   Stewardship

   ST-6 Financial management policies and authorities are reviewed regularly and revised, as required.
   ST-10 Transactions are coded and recorded accurately and in a timely manner to support accurate and timely information processing.
   ST-12 Records and information are maintained in accordance with laws and regulations.
   ST-13 There is appropriate segregation of duties.

Top of page

Appendix B: Management Action Plan

Top of page

Appendix C: Definitions

Account Verification:

In the Treasury Board’s Account Verification Directive, account verification is the review activity carried out by the section 34 authorities to ensure the correctness of the payment requested. The review covers the determination of payment obligations as well as the accuracy of payment information and should be done on a timely basis. It should provide auditable evidence on both the receipt of goods /services and the authorization by the delegated section 34 authorities.

Expenditure Controls (For the Purpose of this Audit)

This audit looked at the processes in place to manage how DFAIT ensures payments are made to the right vendor for the designated purpose at the correct amount and time. The extent of the review to ensure the above should be reflective of the risks from each type of expenditure.

Monitoring

Monitoring is described as the activities which the Chief Financial Officer (CFO) established to oversee the implementation of the Account Verification Directive in the department. These activities should enable the CFO to bring to the Deputy Minister’s attention any significant difficulties, gaps in performance or compliance issues, and to develop proposals to address them. Monitoring should also assist the CFO in reporting significant performance or compliance issues to the Office of Comptroller General. (From the Treasury Board Directive on Accounts Verification)

Quality Assurance

Quality Assurance is described in the ISO 9000 2005 Plain English Quality Management Dictionary as a set of activities intended to establish confidence that quality requirements will be met. In the Treasury Board’s Account Verification Directive, October 2009, quality assurance is described as the activities carried out by section 33 financial officers that provide assurance on the system of account verification. Its objective is to ensure the following:

• Account verification reviews have been properly performed by section 34 authorities.
• Payments are lawful and in accordance with the Financial Administration Act (FAA)
• The extent of verification is reflective of the risk level of the transaction reviewed.
• Sound sampling plans and practices are established based on risk levels of transactions.
• The sampling practices and techniques are sufficiently accurate and enable an opinion on the overall adequacy and reliability of the account verification process.
• The reasonability of payments made prior to account verification.
• The documentation of payments made prior to account verification.
• Reporting for income tax purposes is prepared in accordance to the Canada Revenue Agency requirements.
• Identifying critical errors and requesting corrective action.

Quality Plan

A quality plan is a document that is used to specify the procedures and resources that will be needed to carry out a project, perform a process, realize a product, or mange a contract. Quality plans also specify who will do what and when. (ISO 9000 2005 Plain English Quality Management Dictionary)

Quality Planning

Quality Planning involves setting quality objectives and then specifying the operational processes and resources that will be needed to achieve those objectives. Quality planning is one part of quality management. (ISO 9000 2005 Plain English Quality Management Dictionary)

Risk

The Institute of Internal Auditors defines risk as "the uncertainty of an event occurring that could have an impact on the achievement of objectives."

Top of page

Appendix D: Applicable Policies

1. Department of Foreign Affairs Account Verification Policy Effective Sept 24, 2004
2. Financial Administration Act (R.S., 1985, c.F-11) (FAA)
3. ISO 9000 2005 Plain English Quality Management Dictionary
4. Rescinded Treasury Board Policy on Account Verification (May 11, 1998)
5. Treasury Board Policy on Financial Management Governance
6. Treasury Board Directive on Account Verification October 1, 2009
7. Treasury Board Policy on Internal Control April 1, 2009

Top of page

Appendix E: Section 33 and Section 34 Description

Excepts from the Financial Administration Act (R.S., 1985, c. F-11)

Section 33 of the Financial Administration Act

1. No charge shall be made against an appropriation except on the requisition of the appropriate Minister of the department for which the appropriation was made or of a person authorized in writing by that Minister.
2. Every requisition for a payment out of the Consolidated Revenue Fund shall be in such form, accompanied by such documents and certified in such manner as the Treasury Board may prescribe by regulation.
3. No requisition shall be made pursuant to subsection (1) for a payment that:
   1. Would not be a lawful charge against the appropriation;
   2. Would result in an expenditure in excess of the appropriation; or
   3. Would reduce the balance available in the appropriation so that it would not be sufficient to meet the commitments charged against it.
4. The appropriate Minister may transmit to the Treasury Board any requisition with respect to which that Minister desires the direction of the Board, and the Board may order that payment be made or refused. R.S, c.F-10, s.26.

Section 34 of the Financial Administration Act

1. No payment shall be made in respect of any part of the public service of Canada unless, in addition to any other voucher or certificate that is required, the deputy of the appropriate Minister, or another person authorized by that Minister, certifies:
   1. In the case of a payment for the performance of work, the supply of goods or the rendering of services,
      1. that the work has been performed, the goods supplied or the service rendered, as the case may be, and that the price charged is according to the contract, or if not specified by the contract, is reasonable,
      2. where, pursuant to the contract, a payment is to be made before the completion of the work, delivery of the goods or rendering of the service, as the case may be, that the payment is according to the contract, or
      3. where, in accordance with the policies and procedures prescribed under subsection (2), payment is to be made in advance of verification, that the claim for payment is reasonable; or
   2. In the case of any other payment, that the payee is eligible for or entitled to the payment.
2. The Treasury Board may prescribe policies and procedures to be followed to give effect to the certification and verification required under subsection (1).

R.S., 1985, c. F-11, s. 34; 1991, c. 24, s. 13.

¹ Horizontal Internal Audit of High Risk Expenditure Controls in Large Departments and Agencies

² The Treasury Board Account Verification policy was rescinded effective October 1, 2009 and replaced by the Directive on Account Verification. Transactions tested for this audit were all dated prior to Oct 2009.

^*If you require a plug-in or a third-party software to view this file, please visit the alternative formats section of our help page.

Primary navigation

Date Modified:

2013-01-10