1.1 On behalf of the Office of the Comptroller General (OCG), Audit Services Canada (ASC) recently completed the audit fieldwork of Phase II of the Horizontal Audit, Delegation of Signing Authority. During the conduct of their fieldwork, the Audit Division of the Department of Foreign Affairs and International Trade Canada (DFAIT) and ASC had several discussions regarding the methodology for Phase II. Internal Audit Division determined that the scope of Phase II did not include the examination of the segregation of duties with respect to personnel at headquarters (HQ) who possessed an Electronic Authorization and Authentication (EAA) key. It was felt that this area should be reviewed as it is an important control in carrying out the requirements of the Treasury Board Secretariat's (TBS) Policy on Delegation of Authorities. Moreover, it is a key financial management control that will be repeatedly considered in future years as DFAIT moves to annually audited financial statements.
2.1.1 The objective of this engagement was to determine whether personnel at HQ with an EAA key are in compliance with the segregation of duties control criteria as outlined in the TBS Policy on Delegation of Authorities.
2.2.1 The scope of the audit included an examination of the:
2.2.2 With respect to the Delegation of Signing Authority chart maintained by the Financial Management and Accountability Policy Division (SMO), its use was limited to verifying whether personnel with an EAA key had been granted Section 33 financial signing authority. (See Appendix A for description of the relevant Sections of the Financial Administration Act.)
2.2.3 ZIV used the following audit criteria to assess departmental practices with respect to EAA keys:
The department should be able to demonstrate that proper segregation of duties with respect to EAA keys is in place and in accordance with the TBS Policy on Delegation of Authorities, Appendix A, guideline 6.1(a), which states that:
"Persons who are delegated authority to make decisions may be delegated either spending or payment authority, but usually not both. However, in small establishments, this distinction is not always possible, especially when an officer is assigned responsibilities as an alternate for another officer or when a financial officer administers a budget. In such circumstances, it may be necessary to delegate both types of authority to a single officer. Whenever this is done, the officer will never exercise both types of authority on the same payment."
2.3.1 The audit was conducted in accordance with Canadian generally accepted auditing standards. The audit took place during the period of May to June 2007.
2.3.2 The audit approach consisted of completing the following major tasks: interviewing appropriate personnel with knowledge of the payment cycle, obtaining a report listing the personnel with an EAA key along with their IMS user profiles and performing analytical procedures to determine if there was a lack of segregation of duties (i.e. if an individual with an EAA key could input and process a payment through IMS).
2.3.3 During the performance of the fieldwork, it was determined that the main financial control was the certification of a payment in accordance with Section 33 of the Financial Administration Act (FAA). As such, our focus shifted from the EAA of payments to their certification.
3.1 The audit team observed that there is a lack of segregation of duties occurring in multiple areas. In each of the following scenarios (3.2 through 3.4), the lack of segregation of duties allows the IMS user to circumvent the control associated with Section 33.
There are fifteen users who have payment and modification rights in the IMS financial module. Four of the fifteen users have not been delegated Section 33 authority as per the Department's Delegation of Signing Authority chart. Nine of the fifteen users also have input rights.
The audit team observed that *** has access to the blank manual cheques as well as the cheque signature block. *** user profile also provides input and modification rights in the IMS financial module. This creates a segregation of duties issue as *** can process an invoice, approve its payment and print, sign and issue a manual cheque.
Director General, International and Domestic Financial Management (SMF)
3.4 For the fifteen individuals with incompatible access within IMS, review the responsibilities associated with their current position and immediately revoke non-required IMS rights. In addition, for the four individuals that have not been delegated Section 33 authority, immediately revoke their payment rights within IMS.
3.5 Review, in consultation with Corporate Financial Systems (SMSF), the IMS user profile assigned to each position within Financial Operations, Domestic (SMFH) with the objectives of ensuring proper segregation of duties and maintaining operational efficiency.
3.6 Develop and implement procedures that ensure, prior to granting payment rights within IMS, that the Departmental Delegation of Signing Authority chart and the individual's specimen signature card are examined to verify that the user has been delegated Section 33 authority.
3.4 This recommendation has been implemented. The four individuals who are not in positions with delegated FAA Section 33 authority have had their payment rights removed from IMS.
A review of the responsibilities of individuals with the ability to create/modify documents in IMS and perform a payment run is underway. Where operational necessity requires both of these functions, mitigating controls will be implemented, such as a review of documents created by the individual. This review will be completed by the end of fiscal year 2007-08. When possible, the transaction codes used to create vendor invoices will be removed from these users.
3.5 A review of the IMS user profile assigned to each position is underway. Currently, only *** have access to both the blank cheque stock and the cheque signature stamp. As these two positions also have the ability to create documents and perform payment runs, a procedure to review manual cheques will be created. The transaction codes used to create vendor invoices will be removed from these users. Additionally, the necessity of being a cheque printing site will be reviewed. These reviews will be completed by the end of fiscal year 2007-08.
In conjunction with the review of the responsibilities of individuals with the ability to create/modify documents in IMS and perform a payment run, quarterly Segregation of Duty (SOD) Reports will be produced by Financial Systems and provided to International and Domestic Financial Management (SMF) for confirmation that mitigating controls still exist for employees who are in conflict of segregation of duties. The reports are to be signed off by the Director SMF.
3.6 This recommendation has been implemented.
Form 1764 must be authorized by Deputy Director or Management Consular Officer and above. These managers assign roles as defined on the 'Management Systems' website and are based upon job duties. FAA S.32, 33, and 34 are not included in the core role definition but may be assigned depending on position and/or organizational requirements. Managers who authorize this access must ensure the incumbent occupies an appropriate position on the Delegation of Authorities Chart and completes a specimen signature card.
Effective October 2007, a new procedure was implemented that requires the written approval of SMF on mission and HQ F110 Payment Run Authorization prior to (SMS) providing access.
In addition, quarterly Segregation of Duty (SOD) Reports and FAA Section 33 reports will be produced by Corporate Financial Systems (SMSF) and provided to SMF to confirm that mitigating controls are in place for employees who have been identified as having potentially conflicting roles in IMS. SMF will also be required to validate the continued requirement for FAA S.33 authority in the system.
4.1 The audit team noted a number of observations regarding the payment process cycle that did not relate specifically to segregation of duties issues. These observations are described below.
4.2 Business process documentation. The audit team observed that documentation does not exist which describes the business process for certifying a payment under Section 33 of the FAA and carrying out the EAA approval process. This creates a risk of inconsistency in the application of both processes.
4.3 Granting and removing IMS user rights. There are no formal guidelines or procedures established for granting and removing IMS user rights. This creates a risk of inconsistency and inefficiency in operations. The audit team also noted that a departmental form does not exist for purposes of identifying when IMS user rights are to be modified (i.e. when a user changes positions). As a result, IMS users could exercise financial authorities not assigned to their new position.
4.4 Acting situations. The audit team observed inconsistency in the application of procedures with respect to acting appointments. The current process to regulate IMS user rights between substantive and acting positions is an automated time expiry feature. This feature ensures that IMS rights are removed at the end of an acting appointment with the concurrent reinstatement of the rights associated with the user's substantive position. However, this automated time expiry feature is not being applied to all acting situations.
4.5 Specimen signature cards (SSR). The audit team observed that there were missing, out-dated and duplicate SSR cards on the "I" drive. SMFH resources may not, therefore, have access to complete and accurate SSRs when exercising Section 33 authority.
Director General, International and Domestic Financial Management (SMF)
4.6 Prepare documentation describing the Section 33 certification and the EAA business processes.
4.7 Ensure that the scanned SSR cards on the "I" drive are properly maintained and kept up to date.
Director General, Budgeting, Analysis and Reporting (SME)
4.8 Develop documentation that:
4.9 Revoke the current IMS rights of a user before new IMS rights are granted when approving the EXT 1764.
4.10 Develop a departmental form to notify SME of the need to remove the IMS rights of a user under pre-defined situations.
Management Action Plan and Timeframe
4.6 Documentation describing the FAA Section 33 certification and the EAA business process will be prepared by the end of fiscal year 2007-08.
4.7 A procedure on Specimen Signature Cards will be developed that will include their creation, maintenance, verification and safeguarding in HQ and Missions. The procedure will propose that a review of the Specimen cards' validity be conducted every six months, and that the electronic/hard copy documents be updated accordingly. This review will be performed as part of the rollout of the new delegation instrument in January 2008, which incidentally follows the summer rotation of employees abroad. (This is the draft response provided in both Phase I and Phase II Audit of Delegation of Financial Authorities.)
4.8 This recommendation has been implemented:
4.9 This recommendation has been implemented. When an individual changes positions, SME removes previous access and provides new access based on the new 1764 form as authorized by the manager.
4.10 This recommendation has been implemented. A departmental form is being used. The 1764 form, section 11(a) indicates (Delete Account).
No contract or other arrangement providing for a payment shall be entered into with respect to any program for which there is an appropriation by Parliament or an item included in estimates then before the House of Commons to which the payment will be charged unless there is sufficient unencumbered balance available out of the appropriation or item to discharge any debt that, under the contract or other arrangement, will be incurred during the fiscal year in which the contract or other arrangement is entered into.
No charge shall be made against an appropriation except on the requisition of the appropriate Minister of the department for which the appropriation was made or of a person authorized in writing by that Minister.
No payment shall be made in respect of any part of the public service of Canada unless, in addition to any other voucher or certificate that is required, the deputy of the appropriate Minister, or another person authorized by that Minister, certifies: