Audit of international banking

Final report

December 2019

Table of contents

• Symbols and Acronyms
• Executive summary
• 1. Background
• 2. Observations and Recommendations
  • 2.1 International Banking Structure
  • 2.2 Oversight Over Missions’ Banking Operations
  • 2.3 Local Bank Account Management
  • 2.4 Funding to Missions
  • 2.5 Payments Abroad
• 3. Conclusion
• Appendix A: About the Audit
• Appendix B: Management Action Plan

Symbols and Acronyms

List of Symbols

SMD

Financial Operations

SMF

Accounting Operations

SMFB

International Financial Project Group

SMFF

Financial Operations, International

List of Acronyms

CSDP

Common Service Delivery Point

FAA

Financial Administration Act

FAS

Financial Administration System

HOM

Head of Mission

HQ

Headquarters

MCO

Management Consular Officer

Executive summary

In accordance with Global Affairs Canada’s approved 2019-2020 Risk-Based Audit Plan, the Office of the Chief Audit Executive conducted an audit of International Banking.

Why it is important

The Department manages Canada's diplomatic and consular Missions and services abroad to enable the Government of Canada to effectively serve Canadians and advance our country's interests worldwide. International banking plays an important role in supporting the Department’s operations and mandate.

The Department was authorized to create, manage and maintain an international banking platform. In addition to setting up local bank accounts for Missions abroad, this authority includes issuing payments in various currencies and collecting revenue on behalf of the Government of Canada.

What was examined

The objective of the audit was to ensure that international banking activities are managed to support the departmental operations abroad and in compliance with applicable laws and policies. The audit examined processes, procedures and systems in place to support key departmental international banking activities. Interviews were conducted and documentation was reviewed up to and including October 2019. More details about the audit objective, scope and criteria are presented in Appendix A.

What was found

The audit concluded that departmental international banking activities are generally well managed, support departmental operations abroad, and are in compliance with applicable laws, regulations and policies. Roles and responsibilities with respect to international banking activities are generally well defined and communicated. The Department has put in place key processes and measures, and developed a monitoring framework, to mitigate risks associated with most international banking activities and increase operational efficiency to best support the Mission operations.

Some areas for improvements were noted, mostly in relation to documenting, updating and following departmental procedures, developing a comprehensive risk management framework for international banking activities, and ensuring the full implementation of the monitoring framework.

Recommendations

1. The Assistant Deputy Minister of Corporate Planning, Finance and Information Technology should ensure that all departmental processes with respect to international banking operations are documented, updated and communicated.
2. The Assistant Deputy Minister of Corporate Planning, Finance and Information Technology should establish a comprehensive risk management framework to support a risk-based monitoring approach for international banking activities.
3. The Assistant Deputy Minister of Corporate Planning, Finance and Information Technology should ensure that adjustments noted in bank and cash account reconciliations are resolved by the Missions in a timely manner.
4. The Assistant Deputy Minister of Corporate Planning, Finance and Information Technology should strengthen the banking signing authority process and monitoring.
5. The Assistant Deputy Minister of Corporate Planning, Finance and Information Technology should seek authority to increase the threshold of the Department’s Working Capital Advance Account.

Statement of Conformance

This audit was conducted in conformance with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing and with the Treasury Board Policy and Directive on Internal Audit, as supported by the results of the quality assurance and improvement program. Sufficient and appropriate audit procedures were conducted, and evidence gathered, to support the accuracy of the findings and conclusion in this report, and to provide an audit level of assurance. The findings and conclusion are based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed upon with management and are only applicable to the entity examined and for the scope and time period covered by the audit.

1. Background

In accordance with Global Affairs Canada’s approved 2019-2020 Risk-Based Audit Plan, the Office of the Chief Audit Executive conducted an audit of International Banking.

Departmental Context

International banking authorities are delegated by the Receiver General to Global Affairs Canada’s Financial Operations. These authorities, which have been in place since 1980, permit the Department to create, manage and maintain an international banking platform, in support of the Government of Canada’s operations abroad. At any time, the Department may have up to a maximum ceiling outstanding, as part of the Working Capital Advance Account (the Account) for Financing Missions Abroad.

Accounting Operations (SMF), the Common Service Delivery Points (CSDPs), and Missions, all play a role in the Department’s international banking activities.

The Department’s international banking mandate and functions are under the responsibility of the Director of SMF, who reports to the Director General, Financial Operations (SMD). SMF includes both the International Financial Project Group (SMFB) and Financial Operations, International (SMFF).

SMFB focuses on banking operations, providing banking and cash management advice and assistance to Missions, including: opening and closing bank accounts; fund transfers to Missions and return of funds to HQ; banking set-up arrangements; and, support to the centralized electronic banking platform, the Mission Online Payment Services (MOPS) and the Standard Payment System. Although SMFB had vacant positions in the past year, the team was able to maintain day-to-day operations.

SMFF plays a key role in monitoring and advisory services, risk assessments, as well as training and development. SMFF is also responsible for approving the use of cash accounts, certain methods of payments, and creating or modifying Mission vendor master records. Due to a recent pilot project where SMFF is currently operating a CSDP out of Headquarters, SMFF has had limited resources to play its monitoring role.

In the field, CSDPs are responsible for the processing of payments in the Financial Administration System (FAS) and the completion of monthly bank and cash account reconciliations on behalf of their Client Missions. CSDPs also have banking signing authority in cases where the Client Mission is using electronic fund transfers and online methods of payment.

Finally, the Head of Mission (HOM) is delegated with local banking administrative authorities within his or her jurisdiction and has banking signing authority. Missions are responsible for preparing payment requests and making payments when required. They are also responsible for liaising with local banks to ensure that banking set-up arrangements meet their operational needs.

2. Observations and Recommendations

This section sets out key findings and observations, divided into five general themes: international banking structure; oversight over Missions’ banking operations; local bank account management; funding to Mission management; and payments abroad.

2.1 International Banking Structure

Roles and Responsibilities

It was expected that roles, responsibilities and accountabilities related to international banking would be clearly defined, communicated and understood. Overall, the roles and responsibilities of the Missions, CSDPs, and Headquarters (SMFB and SMFF) are generally well understood, defined and communicated.

Although most roles and responsibilities with respect to international banking activities are described in Modus, some procedures were missing, incomplete or required updates. For instance, SMFB’s role in monitoring the Account for Financing Missions Abroad, and many of the steps undertaken by SMFB when transferring funds to Missions, are not properly documented. In addition, there are no departmental procedures for the preparation of letters sent to the bank with respect to banking signing authority. Procedures for the approval of online and bank transfer payments, the signatures on cheques, and personal drawings should be updated.

Recommendation 1:

The Assistant Deputy Minister of Corporate Planning, Finance and Information Technology should ensure that all departmental processes with respect to international banking operations are documented, updated and communicated.

Government Policies, Legislation and Regulations

It was expected that relevant government policies, legislation and regulations would have been taken into consideration in the Department's internal policies, processes and procedures to properly articulate policy direction and management expectations. It was concluded that they are well integrated.

Furthermore, the Department ensures compliance with international regulations and the laws in force in each respective local banking jurisdiction. This is reflected in the contracts with the service provider of the centralized electronic banking platform, which includes a specific clause on anti-terror activities, as well as a clause that states the contract must be interpreted and governed, and the relations between the parties determined, by the laws in force in the banking jurisdiction in which the services are provided.

2.2 Oversight Over Missions’ Banking Operations

Risk Identification and Mitigation Measures

It was expected that management would identify all of the key risks that may preclude the achievement of its objectives, develop risk mitigation strategies and consistently oversee and monitor the implementation of these risk mitigation strategies. A documented risk management framework, which describes risks, assessments, mitigation measures and status, has not, however, been developed by SMF for international banking activities.

While there is no departmental risk management framework for international banking, risks related to this area are known to management. SMFF completes a thorough financial risk analysis of all Missions on an annual basis, which includes the identification of some international banking risk indicators, with corresponding scales, scores, risk level and weight, as well as an overall risk calculation for each Mission. The results of the financial risk analysis are then used to determine the level of monitoring to be exercised over the Missions, as well as training requirements for designated staff abroad.  

Several risk mitigation strategies were also developed to reduce risks, including bank reconciliations and segregation of duties, which are both key controls to mitigate the risk of error, inappropriate actions or fraud. Segregation of duties is generally embedded in the departmental expenditure and payment processes, as well as in the Delegation of Financial and Contractual Signing Authorities Instrument. For instance, Financial Administration Act (FAA) Section 33 authority is generally completed by the CSDPs prior to payment. Moreover, at Missions where certain authorized staff can create and modify vendors^{Footnote 1}, measures have been put in place to ensure that these individuals do not have section 34 signing authority.

The Department has also implemented several controls to address risks associated with payments. SMFF approval is required before the opening of a cash account, and prior to using direct debits and bank drafts as methods of payments. The departmental process requires that both manual and automated cheques be signed by two individuals^{Footnote 2} from the Mission with banking signing authority before they are mailed to, or picked up by, the individuals (e.g. Mission employees) or vendors. Moreover, for online payments, two authorized individuals at the CSDPs, or at the mission^{Footnote 3}, must review and make the payment using the Mission’s online banking system. Finally, the Department’s efforts to reduce the use of cash was confirmed through the analysis of the Fiscal Year 2018-2019 payments made by Mission, which revealed that the use of cash payments is decreasing when compared against data from the previous Fiscal Year. Cash was also only present in a relatively small number of Missions and was never used as the main method of payment.

To reduce the risk of exceeding the ceiling of the Account for Financing Missions Abroad, SMFB monitors the Account on a daily basis by extracting the balance of all bank accounts from SAP. Steps are in place, albeit undocumented, to reduce the amount if the ceiling is close to being reached.

Monitoring Activities

SMFF has developed a monitoring framework to provide oversight over certain banking operations and to monitor banking activity risks. The framework includes the monitoring of several key business processes: banking signing authority, bank and cash account management, funding to Mission bank accounts, payments, vendor account management, and, revenues.

Some monitoring activities were performed such as bank and cash account management, payments, FAS access roles, and acquisition cards. However, other key monitoring activities with respect to revenues and funding to Mission bank accounts; the status of the cash account reconciliations for each Mission and high-risk payments were not being carried out. While noncompliance was not found, there is a risk that payment anomalies may not be detected and corrected on a timely basis.

Recommendation 2:

The Assistant Deputy Minister of Corporate Planning, Finance and Information Technology should establish a comprehensive risk management framework to support a risk-based monitoring approach for international banking activities.

SMFF Monitoring over Bank Reconciliations Completed by CSDPs

Monthly bank and cash account reconciliations are completed by CSDPs for their client Missions. These reconciliations are a key control to detect variances, errors and potential fraudulent activities; they facilitate the identification of payment anomalies and misuse of bank and cash accounts.

Certain verification procedures are performed by SMFF on the bank and cash account reconciliationsthat are completed by the CSDPs for their Client Missions. Specifically, a checklist is used by SMFF employees to review the following areas, amongst others: proper signature, variance in the closing balance between the verification of cash account and cash account reconciliation, proper approval of journal vouchers, and adjustments that are older than two months. According to management, SMFF Mission Advisors perform a review of all bank reconciliations of Missions identified as high risk and a limited review of critical deficiencies identified in the bank reconciliations of Missions identified as medium and low risk. The follow-up on critical deficiencies is done with all CSDPs except for one.

SMFF maintains annual delivery and deficiency statistics on bank and cash account reconciliations. Delivery statistics provide data on expected and received reconciliations, reconciliations received within 60 days, average receiving time (days), late reconciliations and average late time (days).  According to 2018-2019 delivery statistics, 61 percent of received bank and cash account reconciliations were submitted within 60 days. The average late time was 256 days. Delays in the submission of bank and cash account reconciliations may not enable timely detection of variances, errors and potential fraudulent activities.

Adjustments older than two months appear to be recurring, as they represent close to half of the deficiencies identified in 2018-19. For example, the statistics show 614 instances of adjustments between two and five months, and 336 instances of adjustments of more than five months. The latter is deemed by SMFF to be a critical deficiency. According to the departmental guidelines in the Bank Reconciliation and Certifications – Missions^{Footnote 4}, adjustments must be settled as soon as identified and should not be carried over two months.

It was concluded that the SMFF’s verification procedures were properly completed and all critical deficiencies were properly followed up on by SMFF’s Mission Advisors.

Recommendation 3:

The Assistant Deputy Minister of Corporate Planning, Finance and Information Technology should ensure that adjustments noted in bank and cash account reconciliations are resolved by the Missions in a timely manner.

2.3 Local Bank Account Management

Banking Set-Up Arrangements

It was expected that banking set-up arrangements(i.e., methods of payment and type of bank accounts) would take into account reducing banking risks and increasing operational efficiency to best support Mission operations. SFMB favours the use of the Standard Payment System whenever possible, under which automated payments are made directly from the Receiver General’s account to the vendors’ accounts. In addition, the Department is in the process of expanding the centralized electronic banking platform that facilitates Missions’ banking operations and enables CSDPs to access their Client Missions’ bank accounts.

It was also demonstrated that banking set-up arrangements, including payment methods^{Footnote 5}, are based on the reality of Missions’ operational needs and the local laws and regulations in place. Missions that operate in cash-based societies where other methods of payment are either not acceptable, or are very limited, are able to obtain approval from SMFF to establish cash accounts. Similar to regular bank accounts, transactions from cash accounts must be recorded in FAS.

Opening and Closing Bank Account Procedures

It was expected that opening and closing bank account procedures would be documented, communicated and respected. Departmental procedures for opening and closing bank accounts were developed and are well documented in Modus. However, there are some inconsistencies in the application of the departmental procedures.

The documentation for bank accounts opened demonstrated a high-level of compliance with the criteria, some areas for improvement were identified. The audit team noted two instances where the New Bank Account Questionnaire should have been completed and submitted to SMFB, but the questionnaires could not be found. In one instance, validation by SMFB of departmental and bank-specific documents was completed prior to receiving central agency approval. In another instance, funds were transferred without any testing being completed.

The documentation for closed bank accounts revealed full compliance with the criteria, except for one instance where the bank confirmed that bank account amount was zero but did not confirm it was closed.

Bank Account Access

It was expected that there would be documented procedures in place to outline the process for obtaining and modifying banking signing authorities. Upon review, it was confirmed that documented procedures were developed for the preparation and approval of the Banking signing authority form. The form must be completed and signed by the Head of Mission who delegates signing authority for the Mission’s bank accounts to certain Canadian staff members at both the Mission and the corresponding CSDPs. Locally engaged staff must be granted authority by SMFF. The CSDP must then send the duly completed and approved form to SMFF and retain a hardcopy of the form for audit trail purposes. Once this process is completed, the Mission will prepare a letter to send to the local bank to request (or update) banking signing authority.

Criteria examined included amongst others: appropriateness of access; removal of access when applicable; and, annual updates of authority and bank access.

Over the past two years, SMFF has not requested Missions to complete and submit the signing authority forms. As a result, Missions have not updated the forms on an annual basis. Subject to these limitations, the available documents reviewed by the audit team were appropriate for each employee’s respective position, except in one case, where a locally engaged staff was not pre-approved by SMFF. Moreover, two forms completed in 2017-2018 were not signed by the Head of Mission as required. The audit team did note that the form was recently changed and no longer requires the signature of the Head of Mission. However, this change is inconsistent with existing departmental procedures.

Letters sent to the banks requesting the removal of banking signing authorities granted to certain individuals were done in a timely manner following the rotational process. The audit team identified six individuals whose banking signing authorities should have been removed due to a change in position. However, the audit team was unable to confirm that a formal request was submitted to the bank to request such removal, as only the most recent letters sent to the banks were requested.

Although departmental procedures do not provide guidance for the preparation of letters to send to the bank in regards to banking signing authorities, the audit team was informed by SMF that two authorized signatories are required, with one of them being either the Head of Mission, the Deputy Head of Mission, the Management Consular Officer (MCO) and Deputy MCO. Upon review, three of the letters sent to the banks to request changes to the banking signing authorities were not signed by two authorized signatures. Moreover, the comparison of some forms completed by the Missions in 2019 against the letters sent to the bank revealed discrepancies between half of the forms and letters.

Recommendation 4:

The Assistant Deputy Minister of Corporate Planning, Finance and Information Technology should strengthen the banking signing authority process and monitoring.

2.4 Funding to Missions

Working Capital Advance Account for Financing Missions Abroad

In 1980, the Department received authority to establish departmental bank accounts abroad to permit the Department to make payments in foreign currencies and support the Government of Canada’s operations abroad. In 1988, the Department received authority to increase the amount that may be outstanding at any time against the Working Capital Advance Account for Financing Missions Abroad. The amount approved in 1988 now only covers two weeks of operating expenses.

Although some Missions have found ways to function with the two-week limit on operational expenditures, others have found it more challenging resulting in greater administrative burden and reduced operational flexibility. SMFB intends to request an increase in the threshold amount.

Recommendation 5:

The Assistant Deputy Minister of Corporate Planning, Finance and Information Technology should seek authority to increase the threshold of the Department’s Working Capital Advance Account.

Funds transferred to Missions

It was expected that procedures for fund transfers would be documented, communicated, understood and respected. As further detailed below, most procedures for fund transfers are documented and communicated in Modus, and well understood by stakeholders. However, some procedures are not consistently applied, and internal procedures are not appropriately detailed.

According to departmental procedures, Missions are required to assess their operational needs and to only request funds that will be needed for the established time period. Criteria examined included: proper justification of fund requests; proper approval by the CSDP delegated authority; and, oversight by SMFB. Overall, an examination of the fund transfer process revealed a high-level of compliance with the criteria; however, some areas should be improved.

To assess the reasonableness of the estimates submitted by the Missions, SMFB developed estimates of each Mission’s operating expenses. When funds requested by the Missions exceeded SMFB’s estimates, the requests were not challenged. SFMB rarely refuses fund requests, especially with respect to requests for salary and pension. Since many missions pay their employees only once a month, SMFB explained that in those instances, it is normal to accept requests for funds exceeding the threshold. This practice still enables Missions to submit less frequent funding requests, increasing the risk of not being compliant with the Working Capital limit.

There were also 10 fund transfer transactions where the Large Value Transfer System requests were signed by one officer who did not have delegated authority of Section 34 of the Financial Administration Act (FAA) according to the signature card. Management explained that the individual was in a four-month acting role that would have allowed such signature, but the signature card had not been updated.

Funds transferred from Missions

Fund transfers from Missions to Headquarters have significantly decreased over time for three main reasons: less cash is being accepted at the Missions; most Missions accept online payments for consular services; and, SFMB closely monitors the Missions’ Working Capital to ensure it does not exceed the threshold. Excess funds may be transferred via diplomatic mail or wire transfers in accordance with procedures documented in Modus.

2.5 Payments Abroad

Payment Procedures

It was expected that procedures for payments would be well documented and communicated to all stakeholders. It was determined that procedures for payments are well documented and communicated to all stakeholders. Although well documented, areas of improvements were identified. For example, departmental procedures do not indicate the types of situation where Missions are entitled to approve online payments. Departmental procedures on bank transfers do not mention that CSDPs are authorized to approve transfers when they have access to their Client Mission bank accounts. Procedures on Mission cheques also do not indicate that no signatures from the Missions are required on cheques issued through the centralized electronic banking platform as they are signed by the Embassy of Canada.

It was also expected that payment procedures would comply with defined procedures, and that payments would be made correctly. Criteria that were examined included proper supporting documents; segregation of duties; completion of FAA Section 33 prior to payment; and, payment accuracy. Subject to the limitations described below, the review of payments revealed full compliance with the aforementioned criteria, except in a few instances.

The audit team encountered some challenges in the performance of the audit procedures. In some cash payments, the audit team was unable to confirm whether FAA Section 33 was completed prior to the cash payment being remitted to the individuals. As the audit team was unable to access bank accounts, it was unable to confirm if online payments and online bank transfers were approved by two individuals with banking signing authority. In a few instances, documentation supporting bank transfers was not made available to the audit team and cashed cheques issued by some Missions were retained by the banks, therefore the audit team was unable to confirm that they were signed by two designated individuals.

By the end of the audit, the letters confirming individuals with banking signing authority sent by the Mission to the bank were not available to the audit team. As a result, the team was unable to confirm whether some of the hardcopy bank transfers and cheques were signed by two authorised individuals. However, the audit team was able to confirm that they were signed by two individuals, with one of them being either the HOM or the MCO, which are positions with delegated banking signing authorities.

The audit team also reviewed the nature of direct debit transactions that took place during the scope period. This method of payment requires SMFF pre-approval because it involves funds being withdrawn from Mission bank accounts before FAA Sections 34/33 are completed. According to procedures, this method of payment should normally be used for utility payments (e.g., electricity, telephone, water). Thus, the audit team reviewed transactions for other types of payments made and determined that direct debit has been used to make a limited number of non-utility related payments that were not pre-approved by SMFF.

Finally, the audit team identified several instances of non-critical miscoded transactions. For example, transactions were sometimes coded as the wrong payment type. In 2018-19, a total of 42 payment transactions were wrongly coded as bank charges, which was discussed with the management at HQ.

3. Conclusion

The audit concluded that departmental international banking activities are generally well managed, support departmental operations abroad and are in compliance with applicable laws, regulations and policies. Roles and responsibilities with respect to international banking activities are generally well defined and communicated. The Department has put in place key processes and measures, and developed a monitoring framework, to mitigate risks associated with most international banking activities and increase operational efficiency to best support the Mission operations.

Some areas for improvement were noted, mostly in relation to documenting, updating and following departmental procedures, developing a comprehensive risk management framework for international banking activities, and ensuring the full implementation of the monitoring framework.

Appendix A: About the Audit

Objective

The objective of the audit was to ensure that international banking activities are managed to support the departmental operations abroad and in compliance with applicable laws and policies.

Scope

The audit examined processes, procedures and systems in place to support the departmental key international banking activities. Specifically, this covered:

• International banking structure;
• Oversight over Missions’ banking operations;
• Local bank account management;
• Funding to Mission management; and
• Payments abroad.

For the examination of overall management and oversight of international banking activities, the scope focused on the last two fiscal years (2017-18 and 2018-19); for funding and payment testing, the scope was limited to fiscal year 2018-19 and quarter 1 of fiscal year 2019-20.

Criteria

The criteria were developed following the completion of the detailed risk assessment and considered the audit criteria related to the Management Accountability Framework developed by the Office of Comptroller General of the Treasury Board Secretariat. The audit criteria were discussed and agreed upon with the clients. The detailed criteria are presented as follows.

Audit Criteria are reasonable and attainable expectations against which compliance, the adequacy of controls and overall performance are assessed. These audit criteria are based on acts and regulations, policy, guidelines, generally recognized industry norms, results of previous audits or other criteria developed in consultation with Program management. The following criteria were assessed during this audit and form the basis for developing audit observations and recommendations.

Criterion 1: Roles, responsibilities and accountabilities are clearly defined and communicated amongst all parties involved in international banking.

1. Roles, responsibilities and accountabilities related to international banking are clearly defined, communicated and understood.
2. There is appropriate segregation of duties.
3. The capacity is adequate to perform the duties related to international banking.

Criterion 2: Management has a documented approach with respect to risk management.

1. Management identifies the key risks that may preclude the achievement of its objectives, develops risk mitigation strategies and consistently oversees and monitors the implementation of risk mitigation strategies.

Criterion 3: Mission bank accounts abroad are managed according to authority and procedures.

1. Banking set-up arrangements take into account reducing banking risks and increasing operational efficiency to best support the Mission operations, based on country context.
2. Opening and closing bank account procedures are documented, communicated and respected.
3. Delegated access authorities to bank accounts are appropriate in relation to assigned responsibilities and monitored regularly.

Criterion 4: Fund transfers between HQ and missions are performed efficiently and effectively.

1. Procedures for fund transfers are documented, communicated, understood and respected.

Criterion 5: Payments abroad are performed accurately and in a timely manner to support Mission operations, and in compliance with applicable laws, regulations and policies.

1. Procedures for payments abroad address risks, including fraud risks, and reflect applicable laws, regulations and policies.
2. Payment procedures are documented, communicated and respected.
3. Adequate and updated IT applications are in place to support the processing of payments abroad.

Approach and Methodology

The audit was conducted in conformance with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing and with the Treasury Board Policy and Directive on Internal Audit. These standards require that the audit be planned and performed in such a way as to obtain reasonable assurance that the audit objective is achieved.

In order to conclude on the above criteria, and based on identified and assessed key risks and internal controls associated with the related business processes, the audit methodology included, but was not limited to the following:

• Identified and reviewed relevant regulations, policies, and directives, and guidelines and operational standards on international baking;
• Gained an understanding of relevant processes and systems, as well as identified key risks and controls;
• Conducted process walkthroughs of opening and closing bank accounts, fund transfers from headquarters to missions, payments and fund transfers from missions to headquarters;
• Interviewed key departmental stakeholders and staff (refer to table 2);
• Performed data analysis and tested through file review and a judgemental sample (refer to Table 1);
• Performed analysis of international banking activities; and
• Applied other relevant methods as deemed necessary by the audit team.

Samples were selected using either a strictly risk-based approach or a combination of random and risk-based sampling. The following factors were taking into consideration in the selection:

• Risk related to payment method;
• Frequency of payment method used;
• Whether the CSDP has access to the Mission’s bank account;
• Risk related to type of banking account;
• Representation of Missions, regions, CSDPs and year;
• Materiality; and,
• Feedback and information obtained from interviews with key stakeholders.

Appendix B: Management Action Plan