Foreign Affairs, Trade and Development Canada
Symbol of the Government of Canada

Foreign Affairs, Trade and Development Canada

international.gc.ca

Audit of Expenditure Controls

September 2010

(PDF Version, 473 kB)*

 

Personal and sensitive information has been edited from this report (shown in the report as "*****") in accordance with the provisions of the Privacy and Access to Information Acts.

Table of Contents

Message from the Chief Audit Executive

This report presents the results of an internal audit of expenditure controls within the Department of Foreign Affairs (DFAIT). This audit work formed part of the approved Risk-Based Internal Audit Plan for 2009-10. This internal audit completes the suite of financial management audits undertaken in fiscal year 2009-10 aimed at strengthening the Department’s resource management regime. Whereas previous audit work examined the allocation of resources within the Department, the focus of the audit of Expenditure Controls is to assess the controls in place leading to the payment of transactions.

Expenditure Control is important and high-risk because it is about how public funds are spent. DFAIT spends over $2 billion each year in support of its mandate. Managing expenditures goes to the core of accountability to Parliament for the use of public funds. In this regard, Parliament enacted three sections of the Financial Administration Act (FAA) that address the spending of public funds:

Section 32 - requires authorized managers to ensure sufficient availability of funds before initiating expenditure; and then, provides for the commitment of that expenditure initiation;

Section 34 - requires authorized managers to certify that the goods or services have been fully delivered before payment is made; and,

Section 33 - requires authorized financial officers to make payments in a form as prescribed by the Treasury Board.

The audit of expenditure control examined the process in place beginning with the Section 34 certification by the Manager and focused mostly on the verification of the transaction leading to and including the payment. This latter process is called Account Verification. Its requirements are set out in the Treasury Board Directive on Account Verification.

Our audit observed that DFAIT essentially conducts full pre-payment verification of 100% of its transactions, that is, all payments receive both Section 34 and Section 33 certification prior to being entered into the payment system. This means that all transactions, regardless of value, receive an equal amount of attention. This contrasts with a system that would be guided by a good appreciation of risks and would ensure that scarce resources give relative concentration to more complex, high-risk payments. In fact, current direction from the Treasury Board calls for an approach whereby payments are verified in a cost-effective manner – a manner that has the potential to improve control while delivering resource benefits.

The Account Verification process represents an opportunity for financial officials dedicated to processing payments to do so more effectively and to add value to the management of the expenditure process.

The audit recommendations are directed at a going-forward strategy to ensure that payment controls are documented and that monitoring occurs to support a risk-based approach that would articulate pertinent performance indicators, including acceptable tolerances. The objective would be to ensure focused, cost-effective controls that make best use of resources applied to account verification.

The Department's Chief Financial Officer has agreed with the audit recommendations and has developed an appropriate action plan.

Yves Vaillancourt, Chief Audit Executive, DFAIT

Top of page

Executive Summary

This report presents the results of an internal audit of Expenditure Controls within the Department of Foreign Affairs and International Trade. The audit formed part of the approved Risk-Based Internal Audit Plan for 2009-2010.

Expenditure Control is important and high-risk because it is about how public funds are spent. DFAIT spends over $2 billion each year in support of its mandate. Managing expenditures goes to the core of accountability for public funds. In this regard, Parliament enacted three sections of the Financial Accountability Act (FAA) that address the spending of public funds:

Section 32 - Transaction Initiation / Commitment Authority: This is the authority delegated by the Minister to management to certify that a sufficient unencumbered balance of funds remains in the appropriation to discharge the commitment.

Section 34 - Certification of Work Performance: This authority is delegated by the Minister to various levels of management, both at Missions and Headquarters, to enable them to administer programs and manage expenditures under their jurisdiction. These managers are responsible for certifying that work, goods or services have been received for the payment requested, that the charge is reasonable and correct, and that the payee is entitled to payment. Each transaction that undergoes Section 34 certification must be coded to indicate the type of transaction and the responsibility or cost centre where the expenditure was incurred. No expenditure can be made without a Section 34 authorization.

Section 33 - Payment Authority: Certification, normally by a financial officer, that management has carried out its duties appropriately under Section 34. Section 33 is the authority to requisition payments that are charged to appropriations.

The Office of the Comptroller General (OCG) has encouraged departmental internal audit functions to give attention to basic financial controls. That office has performed a number of internal audits across government that have dealt with expenditure controls; the most recent, reported in September 2009, addressed the controls applied to higher-risk expenditures. 1DFAIT was not part of the OCG’s horizontal audit. The audit criteria, however, were adapted and used as the basis for this DFAIT audit conducted between June 2009 and February 2010. Details of the audit, including criteria, are listed and linked to the Management Accountability Framework and the applicable Core Management Controls in Appendix A – About the Audit.

The objective of this audit was to determine whether controls in place at DFAIT are cost-effective in processing expenditures – whether the payments are routine and low value or higher risk. For the purpose of this audit, expenditure controls include:

  • Management authorization of payments for which they have budgetary control (Section 34);
  • Financial verification of the payment to ensure that management fulfilled their responsibilities (Section 33); and,
  • Overall management monitoring to provide assurance on the integrity of the expenditure process (Section 33).

This audit is consistent with the general direction of DFAIT Business Model decisions to look at cost-effectiveness and at sustainability over the long-term. It is also part of the overall assessment of financial management at DFAIT and focussed on answering the following question:

"Is the significance of a payment transaction being taken into consideration along with the risk level of the payment, in order to direct scarce resources to their best use?"

DFAIT is currently applying a conservative approach whereby prepayment verification occurs for 100% of payments. Despite the fact that 20% of the volume of expense account transactions represents 66% of the total dollar value, the department has not implemented an appropriate risk-managed process that would make use of sampling techniques. Consequently, there is little assurance that verification resources are being directed to their best use, as inordinate attention is given to high-volume, low value payments. There is also insufficient monitoring of the population of payments as a basis for on-going assessment of risks and tolerances. Opportunities to improve both the control and efficiency of expenditure processing can be pursued while achieving better compliance with pertinent Treasury Board Policy.

Implementing improvements in the area of expenditure controls will:

  • have the potential to improve control while delivering resource benefits;
  • support the Deputy Minister in his role as accounting officer as outlined in the Policy on Internal Control;
  • support the Deputy Minister’s assurance in the Annual Letter of Representation to the Auditor General that internal controls are balanced against and proportional to the risks which they mitigate; and,
  • align DFAIT practices with applicable Treasury Board direction whereby accounts are to be verified in a cost-effective manner.

The Horizontal Audit performed by the OCG reported results similar to what we found at DFAIT. The OCG audit stated: "[Large Departments and Agencies] LDAs are not taking advantage of risk management to help make their account verification practices more efficient. Most LDAs are applying 100% verification on all transactions when appropriate risk management strategies would result in more efficient practices."

DFAIT processed one million transactions valued at $2.4 billion through its expense accounts in FY 2008-2009. These one million transactions – $2.4 billion’s worth – big or small – consumed relatively equal amounts of departmental resources to receive quality assurance scrutiny commonly referred to as Section 33 authorization. A detailed description of the tasks involved in both Section 34 and Section 33 of the Financial Administration Act is contained in Appendix F.

DFAIT has expenditures occurring in 190 offices abroad and across Canada paid through the normal government system, journal vouchers, electronic funds transfer, cheques, credit cards for acquisitions, credit cards for travel and cash in many currencies. Payment is further complicated by foreign banking and challenged by fluctuating exchange rates and different business norms in other jurisdictions. Even though certain types of payments receive more detailed review than others, the varying degree of complexities of these transactions is not reflected in the approach that applies 100% pre-payment account verification. As well, there is duplication within the process which may minimize payment errors but consumes time and resources.

In view of this conservative approach to account verification, our audit found little evidence of error in the Department’s processing of payments. Based on the results of our sample, nothing came to our attention to indicate that the controls in place were not effective. At the same time, we cannot give assurance that verification resources are applied to best use, that higher risk transactions are receiving adequate attention, nor that the system is positioned to become progressively more cost-effective.

Conclusion

DFAIT has opportunities to improve the efficiency of expenditure processing. The Quality Assurance process (Section 33) represents an opportunity to use resources currently processing transactions more effectively to add value to the expenditure process and strengthen financial management at DFAIT. Implementing the following recommendations will guide the Department toward a risk-based and more cost-effective process.

Recommendations

  1. The Department should design and implement a risk-based approach for expenditure authorization. Once designed it should be formalized in policy and procedures.
  2. The Department should document current expenditure processes and controls to use as a baseline for developing a compliant and cost-effective risk based process.
  3. A Quality Assurance plan to guide the Section 33 process should be developed, communicated, implemented and reported upon.
  4. A system-wide monitoring and reporting process should be developed to enable a high degree of assurance surrounding the payment process, and to support the reliability of expenses reported in the financial statements.
  5. Management should clearly understand that only the Minister has the right to determine the position levels that will be delegated financial authority. All cases of inappropriate delegation of authority should be rectified immediately. Finance should implement appropriate controls to ensure that this situation does not reoccur.

Top of page

1.0 Background

The Department of Foreign Affairs and International Trade’s (DFAIT) Risk-Based Audit Plan for 2009-2012 included the Audit of Expenditure Controls. The Financial Administration Act, enacted by Parliament, provides the foundation for sound financial management in government. With respect to expenditure controls, there are three sections of the Act that are particularly important:

Section 32 - Transaction Initiation / Commitment Authority: This is the authority delegated by the Minister to management to certify that a sufficient unencumbered balance of funds remains in the appropriation to discharge the commitment.

Section 34 - Certification of Work Performance: This authority is delegated by the Minister to various levels of management, both at Missions and Headquarters, to enable them to administer programs and manage expenditures under their jurisdiction. These managers are responsible for certifying that work, goods or services have been received for the payment requested, that the charge is reasonable and correct, and that the payee is entitled to payment. Each transaction that undergoes Section 34 certification must be coded to indicate the type of transaction and the responsibility or cost centre where the expenditure was incurred. No expenditure can be made without a Section 34 authorization.

Section 33 - Payment Authority: Certification, normally by a financial officer, that management has carried out its duties appropriately under Section 34. It is the authority to requisition payments that are charged to appropriations.

These three essential control points are embedded into the financial management regime of government, depicted below, to ensure that parliamentary appropriations are used and recorded appropriately. The audit scope included steps 4 and 5 with a stronger focus on step 5 – Section 33.

Table of Financial Management Regime
StepsDescription
Step 1Parliamentary Appropriations to Departments
Step 2Departmental Allocation of Funds
Step 3Management Commitment of Funds (Section 32)
Step 4Management Authorization of Payment (Section 34)
Step 5Financial Certification of Payment (Section 33)
Step 6Payment recorded in Financial System
Step 7Financial Reporting to Parliament.

As indicated above, the Financial Administration Act is the legislation that defines the requirements for payment. Section 33 is the quality assurance portion of expenditure control. At headquarters Section 33 authorization for the majority of transactions is carried out centrally through Corporate Finance - Payment Services. At missions this responsibility is normally carried out by the Management Consular Officer who is a Canadian Based Employee.

Approximately $2.4 billion of expenditures for the department in FY 2008-2009 were processed through the expense accounts. Twenty percent of the volume of transactions accounted for sixty-six percent of the dollar value. The roughly one million transactions – $2.4 billion’s worth – big or small – all received quality assurance scrutiny associated with certification for payment (Section 33). An analysis of the payment distribution within DFAIT indicates a preponderance of low dollar value transactions.

This audit essentially asked "Is the significance of a payment transaction being taken into consideration along with the risk level of the payment, in order to direct scarce resources to their best use?" With this question in mind, the purpose of this audit was to provide an opinion on the extent to which the controls in place are efficient and effective in managing the risks related to DFAIT’s expenditures.

The objective of the Treasury Board Policy on Account Verification was to ensure that payments and settlement were verified as described in Section 33 and Section 34 of the Financial Administration Act, in a cost-effective and efficient manner while maintaining the required level of control. This policy supported the use of sampling tailored to reflect the risk level of the transactions under review. The Directive on Account Verification which replaced the Treasury Board Policy on Account Verification on October 1, 2009, made a stronger case for sampling by stating that financial officers are responsible for "establishing sound sampling plans and practices".

Following the Section 34 account verification, all payments receive two levels of Section 33 review prior to certification. Certain payments receive a more detailed review during the first step than others. There is duplication in these two levels of review – some of the same checks are performed by two separate people in the process. This is not the best use of resources.

Readers should keep in mind that payment processing at DFAIT is complex. DFAIT has expenditures that occur at headquarters in Ottawa and in 190 offices abroad and across Canada. Payments are made routinely through the normal government payment system as well as by electronic fund transfers, cheques, BMO acquisition cards, AMEX travel cards and cash in many currencies. The challenges of foreign banking, fluctuating exchange rates and business norms in other jurisdictions add to the complexity of expenditure control in the department and have an impact on the risk level of payments.

The internal audit sector of the Office of the Comptroller General (OCG) performed an internal audit engagement of High Risk Expenditure Controls in Large Departments and Agencies in September 2009. DFAIT was not part of that horizontal audit however the criteria for this audit were adapted from the OCG audit. The criteria are linked to the Management Accountability Framework and the applicable Core Management Controls in Appendix A – About the Audit.

Top of page

2.0 Observations and Recommendations

2.1 There is currently no departmental risk assessment of payments to support a risk-based approach to expenditure processing at DFAIT.

Despite the reality that 20% of the volume of transactions accounted for 66% ($1.6 B) of the dollar value of DFAIT’s expenses, the approach at headquarters and at missions was to apply 100% pre-payment certification (Section 33) procedures to expenditures. Without identifying high, medium or low risk payment types and processing them according to the risk level, there is the potential to miss significant errors due to the volume of less significant transactions being checked. As well, there is the risk of exceeding the capacity of available resources. Scarce resources freed from 100% Section 33 transaction certification could be better placed in testing controls, monitoring and reporting roles.

At headquarters we documented a more detailed level of scrutiny applied to certain payment types including: travel; hospitality; Foreign Service Directives; grants and contributions; travel cards; and, acquisition cards. As well, payments over ***** and a sample of one in every ***** payments were also subject to this more detailed review. While this indicates some form of stratification, there was no basis, such as materiality or historical error rates, provided for this threshold.

Through interviews with Heads of Mission and examination of the Head of Mission Handbook (2009) it was determined that risk assessment for payments is expected to be performed at missions. However, there is no uniform application, leaving individual Heads of Missions to do risk assessment at their discretion. We also interviewed three program areas at headquarters responsible for grants, contributions and real property where we noted that they assessed project risk which is implicitly linked to payment risk.

The Treasury Board Directive on Account Verification requires the establishment of risk-based management practices and controls to ensure effective internal controls over account verification. This is clearly stated as the responsibility of the Chief Financial Officer. It goes on to say that financial officers must ensure that all high-risk transactions are subjected to a full review of the transactions and that samples of medium and low-risk transactions are selected based on a sample selection methodology and are subjected to a review of the most important aspects of each selected transaction. Fundamental to implementing this process is the establishment of criteria and identification of high, medium and low risk payments. Criteria to identify risk level of transactions should include: consideration of the type of transaction; its potential impact with respect to reputational, operational and legal risk; the dollar value; and where appropriate, the current error rate.

Distribution of Expense Payments less than $20,000 (Top 80%)

Information on the volume of transactions, by type of expense, could be used to assist in determining risk levels of various types of expenditures and form the basis for a sampling plan.

The lack of risk identification and assessment has broad ramifications because without this step:

  • Resources may not be appropriately distributed among types of payments or between payment processing and monitoring activities, resulting in excessive attention to low-value, routine payments and inadequate monitoring;
  • An appropriate sampling method for processing payments cannot be established in compliance with the Treasury Board's Directive on Account Verification2; and,
  • There are limitations on the Chief Financial Officer's ability to provide assurance on the state of controls for high risk payments.

Resources carrying out the Quality Assurance (section 33) process are distributed relatively evenly across all transactions given the current process of 100% verification. This has created the situation where resource utilization is not balanced against the financial risk of the transaction. A comparison of the work effort (resource utilization) to the financial dollar value of categories of expenditures indicates that there is a significant variance between the resources used for Section 33 and the financial risk posed – 50% of the resources are focussed on only 20% of the expenditures.

There are currently 17.2 full-time equivalents in DFAIT Headquarters providing Section 33 verification. These transactions range from very small, routine, low-risk transactions to very large, exceptional, higher-risk transactions.

The audit suggests transferring resources from the task of verifying Section 33 to conducting expenditure monitoring, trend analysis and reporting. This information would be valuable to Senior Management in determining whether or not controls in place on expenditures are appropriate and represent good financial management.

The following table indicates the resources that could be realigned by reducing the percentage of transactions that receive Section 33 verification at DFAIT Headquarters by 20, 30, and 50%.

Table of Potential Resource Realignment at Headquarters
ScenarioResources Utilized for Section 33 at Headquarters3Resources Available for Realignment
(3)Source of Data: Quality Assurance Function Management.
Current Process 100% Verification17.200
Reduction of 20% of Volume13.553.65
Reduction of 30% of Volume11.855.35
Reduction of 50% of Volume8.608.60

DFAIT has not adopted a risk-based approach to account verification, and therefore controls related to expenditures cannot be assessed as cost-effective. Treasury Board has indicated, through the Directive on Account Verification, that there is no expectation that payments will be error-free; however, the process should be designed to remain within reasonable, established tolerance levels. Without a risk-based approach, the department is missing opportunities to improve the control over account verification and to generate resource savings. DFAIT is not currently well-positioned to move forward in the design and implementation of a cost-effective process.

Recommendation 1: The department should design and implement a risk-based approach for expenditure authorization. Once designed it should be formalized in policy and procedures.

2.2 There is a need to document current processes and controls to provide the foundation for control/risk assessment and reengineering.

Some useful information and tools exist that could be used in developing process control maps. For example, policies relevant to account verification were easily accessible from the Finance site of DFAIT’s Intranet and some bureaus had links directly to this site. Appendix C of the DFAIT Account Verification Policy included a checklist for employees who had been delegated Section 34 authority.

The expenditure process, however, has not been documented. A documented process provides the necessary information to understand "where we’re at" and facilitates the determination of required changes to get to "where we want to be". There are several other opportunities provided by documenting the process and controls including:

  • Identifying key control points which would help DFAIT move to a mature system of testing controls as opposed to testing transactions;
  • Revealing non-value-added activities, redundant steps and bottlenecks that could be quickly remedied;
  • Identifying stages in the process where data can be collected and used for decision-making;
  • Establishing performance measures and targets;
  • Consistently applying processes and reducing the need for individual employees to develop their own tools and memory aids;
  • Developing and communicating an understanding of the overall process; and,
  • Training staff involved in the process.

Recommendation 2: The department should document current expenditure processes and controls to use as a baseline for developing a compliant and cost-effective risk based process.

2.3 There is no departmental Quality Assurance (Section 33 function) plan in place to guide the account verification process.

Quality Assurance is described in the Treasury Board Directive on Account Verification as the activities carried out by section 33 financial officers that provide assurance on the system of account verification.

The Quality Assurance (Section 33) function is important to ensure the integrity of payments and the accuracy of financial statements. Despite the importance, there is no plan to guide this operation. This limits the department's ability to clearly articulate and communicate:

"A good plan is like a road map... it shows the final destination and usually the best way to get there" – H. Stanley Judd

  • concrete and measurable objectives;
  • accountabilities;
  • roles and responsibilities;
  • the basis for the approach adopted;
  • linkages to risk identification and assessment of transactions;
  • resource requirements, current capacity and gaps;
  • performance expectations, including delivery standards, acceptable error rates and risk tolerances;
  • management monitoring regime;
  • mechanism for corrective action;
  • information requirements and the source of information;
  • reporting relative to the defined performance parameters.

Developing a Quality Assurance plan would:

  • provide a clear understanding of the function and its importance;
  • lend guidance to those responsible;
  • demonstrate due diligence in terms of key decisions around risk tolerance; and,
  • support the effective use of resources.

The Treasury Board Policy and Directive state that this plan should be founded upon a risk-based sampling approach to certification of Section 33. As well, sampling techniques chosen should be sufficiently precise to allow conclusions to be drawn about the overall adequacy and reliability of the account verification process.

Recommendation 3: A Quality Assurance plan to guide the Section 33 process should be developed, communicated, implemented and reported upon.

2.4 The limited management monitoring, performance measurement and reporting regime should be improved to provide sound, comparative information for management decision-making to support the Deputy Minister in his role as accounting officer and move expenditure processing towards a cost-effective model.

Monitoring is described in the Treasury Board Directive on Account Verification as the activities which the Chief Financial Officer (CFO) establishes to oversee the implementation of the Account Verification Directive in the department. These activities should enable the CFO to bring to the Deputy Minister’s attention any significant difficulties, gaps in performance or compliance issues and to develop proposals to address them. Monitoring should also assist the CFO in reporting significant performance or compliance issues to the Office of Comptroller General.

Although tracking and monitoring of certain aspects of the process takes place, the information is not gathered in a way that makes it useful for management in monitoring the effectiveness of account verification. For example:

  • Payment Services (SMFP) track documentation that had errors which were returned to bureaus for correction. This provides data on the number of payments returned for correction and the type of error noted. It is not compared, however, to the overall number of transactions processed. If it was, there would be information/trends on error rates that would be useful in determining risk levels and tolerances.
  • Corporate Financial Systems (SMSF) prepares a report highlighting user profiles which are normally considered incompatible (i.e. access to activate 'payment run' and entering invoices). This report is sent to Financial Operations, International (SMFF) to ensure that there are mitigating controls in place.

It was noted, however, that data mining and analysis techniques, effective at identifying payment anomalies and trends, are not fully utilized as either a preventive or detective control. Reports were not designed, analyzed or distributed in a way to provide information to senior management on the effectiveness of expenditure controls.

Monitoring is an essential component of internal control frameworks and is expected to inform management as to whether or not controls are operating as expected. Effective monitoring would:

  • Provide the Chief Financial Officer and the Deputy Minister with documentation to support their attestations related to departmental expenditure control;
  • Support sound decision-making; and,
  • Feed accurate information into the risk-based approach to make adjustments related to identified weaknesses, new trends or the changing environment.

Recommendation 4: A system-wide monitoring and reporting process should be developed to enable a high degree of assurance surrounding the payment process, and to support the reliability of expenses reported in the financial statements. Automated data analysis (i.e. duplicate payments) should be incorporated where possible and error rates and anomalies should be available for analysis.

2.5 Our transaction testing found little evidence of error in the department's processing of payments based on the current 100% Quality Assurance process. Considering the results of our limited judgemental sample, nothing came to our attention to indicate that the controls in place were not effective.

A judgemental sample was drawn to test the controls in place to ensure the integrity of the payment authorization and disbursement process. The absolute dollar value (including expenses paid as well as negative amounts that were recorded in the general ledger expense accounts) of the sample was $78 million. The sample was stratified as follows:

  • 119 transactions total – forty-three transactions were from Missions and seventy-six were from headquarters;
  • 101 transactions represented 10 types of commitment items (i.e. travel, salary and wages of locally engaged staff, etc.) were included;
  • 8 transactions valued at greater than $2m – 5 from headquarters and 3 from missions (26m); and,
  • 10 large transactions showing as negative amounts in the general ledger expense accounts ($48m).

Results indicated that account verification controls were effective at preventing inappropriate or incorrect payments. It should be noted however that this effectiveness is based on the current quality assurance process. Appropriate segregation of duties was noted in all transactions tested. Although not all transactions could be verified with respect to timeliness, payments had been made in a sufficiently timely manner that the department did not pay significant interest. Some minor errors were noted such as signatures not dated and the use of initials rather than signature. As well, two cases of incorrect general ledger coding (value $31,112 or .03% of total tested) were noted. There were, however, no findings that would have a significant effect on departmental reporting.

There were two cases where transactions were certified by employees who had been delegated signing authority but were not occupying positions at an organizational level included in the Delegation of Financial Signing Authorities Chart. In one case the Head of Mission had given signing authority to their assistant. In the second case the Financial Management Officer had given signing authority to the Deputy Financial Management Officer. This is troubling as only the Minister has the right to delegate authority.

Recommendation 5: Management should clearly understand that only the Minister has the right to determine the position levels that will be delegated financial authority. All cases of inappropriate delegation of authority should be rectified immediately. Finance should implement appropriate controls to ensure that this situation does not reoccur.

Top of page

3.0 Conclusion

The controls that are in place to manage the risks related to DFAIT’s expenditures cannot be considered cost-effective because no departmental-wide risk assessment has been conducted to support a risk-based approach to expenditure control.

  • The Department is dedicating resources to the Account Verification and the Quality Assurance functions but the work is not being done as effectively and efficiently as possible because expenditures have not been identified as high, medium or low risk.
  • Without identifying high, medium or low risk payments at DFAIT and processing payments accordingly, there is the potential to miss significant errors due to the volume of insignificant transactions being checked and the risk of exceeding the capacity of available resources.
  • There is no department-wide Quality Assurance plan in place to guide departmental operations related to expenditure control.
  • Management monitoring and reporting is not sufficient to facilitate the provision of high level of assurance on payment processing. As well, senior management does not have the information they need for sound decision-making and they do not have the information required to feed into a new risk-based approach.
  • Based on transaction testing performed by the audit team, the errors found do not have a material impact on Departmental financial statements. Controls are in place to ensure the integrity of the payment authorization and disbursement process however they are not cost effective and do not represent the highest and best use of resources.
  • The Department is not in compliance with the Treasury Board Directive on Account Verification that stipulates that there be a formal departmental-wide, risk-based approach which offers the potential to improve control while delivering resource benefits.

The Account Verification process represents an opportunity to use resources currently processing transactions at headquarters more effectively to add value to the expenditure process and strengthen financial management at DFAIT. Ensuring that administrative resources are used effectively is a key priority for government as noted in the recent government budget, the Speech from the Throne, the Message of the Clerk of the Privy Council and the Deputy Ministers of DFAIT.

Statement of Assurance

In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the information contained in this report. This is based upon a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed with management. The evidence was gathered in compliance with Treasury Board Policy, Directives, and Standards on internal audit for the Government of Canada.

Original signed by:

Yves Vaillancourt, Chief Audit Executive, September 10, 2010

Top of page

Appendix A: About the Audit

Objective

The objective of the audit was to provide an opinion on the extent to which the controls in place are efficient and effective in managing the risks related to DFAIT’s expenditures. In order to assess this main objective, we have broken it down to more specific criteria to facilitate reporting on compliance, sound management practices and any implemented innovative or best practices observed across the Department. The audit criteria were as follows:

  1. A risk assessment is performed on transactions.
  2. The risk assessment leads to the development of departmental policies and procedures.
  3. There is an internal quality assurance plan and process.

Controls are in place to ensure the integrity of the payment authorization and disbursement process.

Scope

The Office of the Chief Audit Executive will be addressing three components of the financial process in government: budget allocation, expenditures and financial reporting.

  • Budget allocation was examined in the Resource Allocation Audit 2009.
  • Financial reporting will be examined in the Audit of Financial Reporting that will take place in the near future.
  • The focal point in this audit was on the expenditures component with attention on controls and the management of high risk payments.

The samples were drawn from transactions processed from August 1, 2008 to July 31, 2009. The scope included a review of the Information Management System.

Expenditures at Missions represented approximately one third of DFAIT spending. The percentage of the sample from Missions reflected this weighting.

Methodology

The audit was conducted in accordance with the Treasury Board Standards for Internal Audit. The following audit techniques were used in this audit of expenditure controls in order to conclude on each audit criterion:

  • Review of legislative policy, procedures and directives obtained from bureaus, DFAIT and Treasury Board websites;
  • Observe and document the account verification processes for different kinds of expenditures in order to develop the process control maps and identify the control points in the expenditure process;
  • Testing a 119 sample of transactions to determine if: the risk based approach was applied at the transaction level; and, the application of expenditure controls including Section 33 and Section 34 at the transaction level were consistent and effective;
  • Interviews were conducted with the following senior managers in selected bureaus and with DFAIT staff involved in expenditure controls. These interviews were based on interview guides prepared according to the objectives of the audit:
    • The Corporate Finance, Planning and Systems Bureau (SMD);
    • The Stabilization and Reconstruction Task Force (START)Secretariat (IRD);
    • Physical Resources Bureau (ARD);
    • The Global Partnership Program (IGX);
    • The Mission Client Services and Innovation (ASD);
    • Two former Heads of Mission; and
    • Payment Services staff (SMFP)

Criteria

This audit examined the degree of compliance with financial management legislation, policies and directives concerning the management and control of departmental expenditures, with a focus on high-risk payments as stated in the Chief Audit Executive’s Risk Based Audit Plan 2009-2012.

The internal audit sector of the Office of the Comptroller General (OCG) performed an internal audit engagement of High Risk Expenditure Controls in Large Departments and Agencies in 2009. DFAIT was not part of that horizontal audit however our criteria were adopted from the OCG audit. The audit lines of inquiry were linked to the Management Accountability Framework areas of Stewardship, accountability and Governance, and the applicable Core Management Controls of Governance, Stewardship, Accountability and Risk Management. Detailed lines of inquiry as well as criteria are described below.

Lines of Enquiry and Audit Criteria

1. A Risk Assessment is performed on transactions.

  • 1.1 Departments must identify the risk level for various types of transactions processed by the department.
  • 1.2 Criteria to identify risk level of transactions have been identified and documented. Criteria should include as a minimum:
    • 1.2.1 Consideration of the type of transaction;
    • 1.2.2 The dollar value. and where appropriate;
    • 1.2.3 The current error rate.
  • 1.3 Comprehensive risk analysis has been conducted, documented and reviewed by Senior management within Finance and Program areas;
  • 1.4 Prior to implementing sampling, a risk assessment, involving appropriate departmental managers, has been completed to determine the current state of account Verification (AV) in order to assess or develop appropriate controls.

2. The assessment leads to the development of policies and procedures.

  • 2.1 DFAIT has established and documented internal policies outlining the extent of account verification required based on risk considerations.
  • 2.2 Documentation to support approaches to Account Verification for high risk transactions is appropriate.
  • 2.3 An effective mechanism to maintain and distribute policies, procedures and guidelines exist.
  • 2.4 Internal training is appropriate to the account verification staff engaged in identification of risk.
  • 2.5 Account Verification processes are documented for distinct processes and program activities based on identified risk.
  • 2.6 Policy and procedures detail processes for those transactions identified as high risk.
  • 2.7 Responsibility for review and revision to final management policies and authorities are known, understood by staff and applied accordingly.
  • 2.8 Changes to policy and procedures are communicated to all stakeholders.
  • 2.9 Staff with delegated authority for Section 33 and 34 of the Financial Administration Act (FAA), are aware and understand policy, procedure and responsibilities for Account Verification.

3. There is an internal quality assessment (QA) plan and process.

  • 3.1 Financial Officers with payment authority pursuant to Section 33 FAA have established a QA review process that provides assurance of the adequacy of Section 34 AV. Specific QA processes are developed and applied to assess and confirm application of AV policy and procedures. The AV process provides for auditable evidence of verification including identifying the various individuals who perform the verification.
  • 3.2 Senior Financial Officers are in a position to state that the appropriate controls are in place and are being properly and conscientiously followed based on the results of quality assurance and monitoring activities.
  • 3.3 QA processes used to assess the adequacy of the account verification system must be tailored to reflect the risk level of the transaction under review. At a minimum detailed processes and quality assurance checklists are available and applied.
  • 3.4 The results of QA are periodically reported to Senior Management. Reports include information on the degree of compliance information and breaches, including remedial actions if necessary.

4. Controls are in place to ensure the integrity of the payment authorization and disbursement process.

  • 4.1 There is appropriate segregation of duties between Section 33 and 34 of the Financial Administration Act in the certification process.
  • 4.2 Expenditures are certified pursuant to Section 33 and 34 of the Financial Administration Act by delegated authorities.
  • 4.3 Payments are processed in the financial system in a timely manner.
  • 4.4 Proper financial coding is used.

Audit Criteria and Management Accountability Framework (MAF) Related Management Controls

Table of Audit Criteria and Management Accountability Framework (MAF) Related Management Controls
Audit Criteria and Management Accountability Framework (MAF) Related Management Controls

Governance and Strategic Directions

The essential conditions — internal coherence, corporate discipline and alignment to outcomes — are in place for providing affective strategic direction, support to the minister and Parliament, and the delivery of results.

Public Service Values

Through their actions, departmental leaders continually reinforce the importance of public service values and ethics in the delivery of results to Canadians (e.g. democratic, professional, ethical and people values).

Results and Performance

Relevant information on results (internal, service and program) is gathered and used to make departmental decisions, and public reporting is balanced, tranparent, and easy to understand

Policy and Programs

Departmental research and analytic capacity is developed and sustained to assure high quality policy options, program design and advice to ministers.

People

The department has the people, work environment and focus on building capacity and leadership to assure its success and a confident future for the Public Service of Canada.

Citizen-Focused Service

Services are citizen-centred, policies and programs are developed from the "outside in", and partnerships are encouraged and effectively managed.

Risk Management

The executive team clearly defines the corporate context and practices for managing organizational and strategic risks proactively

Stewardship

The departmental control reime (assets, money, people, services, etc.) is integrated and effective, and its underlying principles are clear to all staff.

Accountability

Accountabilities for results are clearly assigned and consistent with resources, and delegations are appropriate to capabilities.

Learning, Inovation and Change Management

The department manages through continuous innovation and transformation, promotes organizational learning, values corporate knowledge, and learns from its performance.

  1. A Risk Assessment is performed on transactions.

    Risk Management

    RM-1 Management has a documented approach with respect to risk management.
    RM-2 Management identifies the risks that may preclude the achievement of its objectives.
    RM-4 Management assesses the risk it has identified.

  2. The assessment leads to the development of policies and procedures.

    Stewardship

    ST-5 Financial management policies and authorities are established and communicated.

    Risk Management

    RM-3 Management identifies and assesses the existing controls that are in place to manage its risks.

    People

    PPL-4 The organization provides employees with the necessary training, tools, resources and information to support the discharge of their responsibilities.

    Accountability

    AC-1 Authority, responsibility, and accountability are clear and communicated.
    AC-2 Employees formally acknowledge their understanding and acceptance of their accountability.

  3. There is an internal quality assessment (QA) plan and process.

    Stewardship

    ST-7 Compliance with financial management laws, policies and authorities is monitored regularly.
    ST-11 Appropriate system application controls exist.
    ST-16 Management compares results achieved against expectations on a periodic basis.

    Risk Management

    RM-1 Management has a documented approach with respect to risk management.
    RM-3 Management identifies and assesses the existing controls that are in place to manage its risks.

    People

    PPL-4 The organization provides employees with the necessary training, tools, resources and information to support the discharge of their responsibilities.

    Accountability

    AC-2 Employees formally acknowledge their understanding and acceptance of their accountability.

  4. Controls are in place to ensure the integrity of the payment authorization and disbursement process.

    Stewardship

    ST-6 Financial management policies and authorities are reviewed regularly and revised, as required.
    ST-10 Transactions are coded and recorded accurately and in a timely manner to support accurate and timely information processing.
    ST-12 Records and information are maintained in accordance with laws and regulations.
    ST-13 There is appropriate segregation of duties.

Top of page

Appendix B: Management Action Plan

Management Action Plan
Audit RecommendationManagement ActionArea ResponsibleExpected Completion Date
1. The department should design and implement a risk-based approach for expenditure authorization. Once designed it should be formalized in policy and procedures.SMD will develop a risk-based approach for expenditure authorization.  
An overall approach, including objectives and milestones, will be elaborated.SMFJune 30, 2010
Assessment of risk level (high, medium, low) by type of transactions, the dollar value and the current error rate;SMFSept. 30, 2010
Update the Departmental policy on Account Verification and procedures (see # 3 Quality Assurance plan) as required.SMF/SMOMarch 31, 2011
2. The department should document current expenditure processes and controls to use as a baseline for reengineering a compliant and cost-effective risk based process.Current payment processes will be mapped, by transaction type and key controls identified.SMFSept 30, 2010
3. A Quality Assurance plan to guide the Section 33 process should be developed, communicated, implemented and reported upon.Once the risk based sampling plan (recommendation #1) is elaborated, a Quality Assurance (QA) Framework will be developed, implemented and communicated as required.SMFMarch 31, 2011
An implementation plan will be developed, including key objectives and milestones.SMFSept 30, 2010
4. A system-wide monitoring and reporting process should be developed to enable a high degree of assurance surrounding the payment process and to support the reliability of expenses reported in the financial statements. Automated data analysis (i.e. duplicate payments) should be incorporated where possible and error rates and anomalies should be available for analysis.Monitoring activities will be developed with the objective of high level analysis to support CFO and DM attestation. These monitoring activities will look at comparative data, error rates, and provide information on trends.SMFDecember 31, 2010
Key performance measurements will be developed and assessment reports will be produced and shared with the branches.SMFDecember 31, 2010
The new monitoring and reporting process will be communicated and presented to the Branches.SMDJanuary 15, 2011
5. Management should clearly understand that only the Minister has the right to determine the position levels that will be delegated financial authority. All cases of inappropriate delegation of authority should be rectified immediately. Finance should implement appropriate controls to ensure that this situation does not reoccur.SMD will ensure that training materials for HOMs and MCOs emphasize the concept of financial delegated authority.SMOJune 30, 2010
The two (out of 119) instances where transactions were certified by individuals not occupying positions included in the Delegation Chart will be investigated.SMFJune 30, 2010

Top of page

Appendix C: Definitions

Account Verification:

In the Treasury Board’s Account Verification Directive, account verification is the review activity carried out by the section 34 authorities to ensure the correctness of the payment requested. The review covers the determination of payment obligations as well as the accuracy of payment information and should be done on a timely basis. It should provide auditable evidence on both the receipt of goods /services and the authorization by the delegated section 34 authorities.

Expenditure Controls (For the Purpose of this Audit)

This audit looked at the processes in place to manage how DFAIT ensures payments are made to the right vendor for the designated purpose at the correct amount and time. The extent of the review to ensure the above should be reflective of the risks from each type of expenditure.

Monitoring

Monitoring is described as the activities which the Chief Financial Officer (CFO) established to oversee the implementation of the Account Verification Directive in the department. These activities should enable the CFO to bring to the Deputy Minister’s attention any significant difficulties, gaps in performance or compliance issues, and to develop proposals to address them. Monitoring should also assist the CFO in reporting significant performance or compliance issues to the Office of Comptroller General. (From the Treasury Board Directive on Accounts Verification)

Quality Assurance

Quality Assurance is described in the ISO 9000 2005 Plain English Quality Management Dictionary as a set of activities intended to establish confidence that quality requirements will be met. In the Treasury Board’s Account Verification Directive, October 2009, quality assurance is described as the activities carried out by section 33 financial officers that provide assurance on the system of account verification. Its objective is to ensure the following:

  • Account verification reviews have been properly performed by section 34 authorities.
  • Payments are lawful and in accordance with the Financial Administration Act (FAA)
  • The extent of verification is reflective of the risk level of the transaction reviewed.
  • Sound sampling plans and practices are established based on risk levels of transactions.
  • The sampling practices and techniques are sufficiently accurate and enable an opinion on the overall adequacy and reliability of the account verification process.
  • The reasonability of payments made prior to account verification.
  • The documentation of payments made prior to account verification.
  • Reporting for income tax purposes is prepared in accordance to the Canada Revenue Agency requirements.
  • Identifying critical errors and requesting corrective action.

Quality Plan

A quality plan is a document that is used to specify the procedures and resources that will be needed to carry out a project, perform a process, realize a product, or mange a contract. Quality plans also specify who will do what and when. (ISO 9000 2005 Plain English Quality Management Dictionary)

Quality Planning

Quality Planning involves setting quality objectives and then specifying the operational processes and resources that will be needed to achieve those objectives. Quality planning is one part of quality management. (ISO 9000 2005 Plain English Quality Management Dictionary)

Risk

The Institute of Internal Auditors defines risk as "the uncertainty of an event occurring that could have an impact on the achievement of objectives."

Top of page

Appendix D: Applicable Policies

  1. Department of Foreign Affairs Account Verification Policy Effective Sept 24, 2004
  2. Financial Administration Act (R.S., 1985, c.F-11) (FAA)
  3. ISO 9000 2005 Plain English Quality Management Dictionary
  4. Rescinded Treasury Board Policy on Account Verification (May 11, 1998)
  5. Treasury Board Policy on Financial Management Governance
  6. Treasury Board Directive on Account Verification October 1, 2009
  7. Treasury Board Policy on Internal Control April 1, 2009

Top of page

Appendix E: Section 33 and Section 34 Description

Table of Section 33 and Section 34 Description
Section 34 Checklist from DFAIT Account Verification Policy 2004Section 33 check list from SMD – Payment Made to Vendor4
(4)Corporate Finance, Planning & Systems Bureau (SMD)
Each time a Manager or other employee delegated Section 34 of the FAA certifies a request for payment, the following must be considered:
Step 1 - The work has been performed, the goods supplied or the services rendered or in the case of other payments, the payee is entitled to or eligible for the payment;Step 1 - Ensure section 32 and 34 of FAA is signed by an officer with the appropriate delegated authority
Step 2 - Ensure section 32 and 34 is legible (print or stamp the name) for identification/verification
Step 2 - Relevant contract or agreement terms and conditions have been met including price, quantity and quality. If in exceptional circumstances, the price is not specified by the contract, that it is reasonable;Step 3 - Ensure that the value of the invoice is in accordance with the agreement.

Ensure the invoiced amount is in accordance with the contract and the services fall within in the scope, value and timeline of the Contract.

Ensure to attach the contract, PO, LPO, agreement letter or other appropriate documents to the KR.
Step 3 - The invoice is an original document supported by original receipts and other pertinent documents;Step 4 - Ensure all ORIGINAL INVOICES are attached to the KR.
Step 4 - The account has not been previously been paid, in whole or in part;
Step 5 - The payment is being charged to the appropriate fiscal year and the correct financial coding has been provided i.e. Fund + Fund Center + G/L Account;Step 5 - Ensure the FINANCIAL CODING is correct (G/L and Fund)

Ensure that the fiscal year to which the payment is to be charged clearly indicated and is the payment being charged to the correct period.
Step 6 - Where a payment is made before the completion of work, delivery of goods or rendering of services, as the case may be, that such advance payment is required by the contractual terms of the contract;Step 6 - If the payment is being made prior to the completion of the work, delivery of the goods or rendering of the services, ensure it is done in accordance with the Contract.
Step 7 - The transaction is accurate, applicable discounts have been deducted, charges not payable have been eliminated, and extensions and computations on the invoices are correctly totaled;Step 7 - Ensure all the applicable discounts and charges that are not payable (e.g. provincial sales tax) have been deducted from the invoice. PST number to be provided to supplier.

Ensure the calculations on the invoice are correct and equals the amount of the KR.
Step 8 - All relevant statutes, regulations, orders in council and Treasury Board policies have been complied with (e.g. travel policy, hospitality, etc.);Step 8 - Ensure that the payment being made is in accordance with relevant statutes, regulations, orders in Council and TB directives.
Step 9 - Ensure that the full name and address is clearly indicated on the KR and identical to information on supporting documents such as invoices, purchase orders, contract or standing offer and that the Vendor Code is appropriate for that supplier and address.
Step 9 - No personal benefit will accrue to the individual by exercising Section 34 of the FAA authority.

Excepts from the Financial Administration Act (R.S., 1985, c. F-11)

Section 33 of the Financial Administration Act

  1. No charge shall be made against an appropriation except on the requisition of the appropriate Minister of the department for which the appropriation was made or of a person authorized in writing by that Minister.
  2. Every requisition for a payment out of the Consolidated Revenue Fund shall be in such form, accompanied by such documents and certified in such manner as the Treasury Board may prescribe by regulation.
  3. No requisition shall be made pursuant to subsection (1) for a payment that:
    1. Would not be a lawful charge against the appropriation;
    2. Would result in an expenditure in excess of the appropriation; or
    3. Would reduce the balance available in the appropriation so that it would not be sufficient to meet the commitments charged against it.
  4. The appropriate Minister may transmit to the Treasury Board any requisition with respect to which that Minister desires the direction of the Board, and the Board may order that payment be made or refused. R.S, c.F-10, s.26.

Section 34 of the Financial Administration Act

  1. No payment shall be made in respect of any part of the public service of Canada unless, in addition to any other voucher or certificate that is required, the deputy of the appropriate Minister, or another person authorized by that Minister, certifies:
    1. In the case of a payment for the performance of work, the supply of goods or the rendering of services,
      1. that the work has been performed, the goods supplied or the service rendered, as the case may be, and that the price charged is according to the contract, or if not specified by the contract, is reasonable,
      2. where, pursuant to the contract, a payment is to be made before the completion of the work, delivery of the goods or rendering of the service, as the case may be, that the payment is according to the contract, or
      3. where, in accordance with the policies and procedures prescribed under subsection (2), payment is to be made in advance of verification, that the claim for payment is reasonable; or
    2. In the case of any other payment, that the payee is eligible for or entitled to the payment.
  2. The Treasury Board may prescribe policies and procedures to be followed to give effect to the certification and verification required under subsection (1).

R.S., 1985, c. F-11, s. 34; 1991, c. 24, s. 13.


1 Horizontal Internal Audit of High Risk Expenditure Controls in Large Departments and Agencies

2 The Treasury Board Account Verification policy was rescinded effective October 1, 2009 and replaced by the Directive on Account Verification. Transactions tested for this audit were all dated prior to Oct 2009.


*If you require a plug-in or a third-party software to view this file, please visit the alternative formats section of our help page.

Footer

Date Modified:
2013-01-10