Continuous Auditing of Key Controls for Selected Processes Annual Report for 2016-17

Presented to the Departmental Audit Committee (DAC)
December 14, 2017

Introduction

Continuous auditing provides ongoing assurance on specific management processes and controls to enable more timely insight into possible risk and control issues. It enables the provision of findings to management on key controls related to financial and non-financial processes in a timely manner. The combination of our continuous and regular audit activities provides adequate coverage of the Department’s key processes and controls. During the annual Risk-Based Audit Planning exercise, consideration is given as to whether a continuous or regular audit is the most effective approach for providing assurance.

Continuous auditing provides management with near real-time audit results on the effectiveness and efficiency of key controls on related transactions. As such, continuous audits can significantly enhance the internal control processes and frameworks within an organization. They differ from traditional audits, which tend to be more comprehensive in terms of their scope. On an annual basis, all continuous audit activities undertaken by Natural Resources Canada’s (NRCan) Audit and Evaluation Branch (AEB) are formally reported through this annual assurance report on key controls. This report presents the results of the continuous auditing activities undertaken by the AEB in fiscal year 2016-17.

Accomplishments This Year

With support from the Deputy Minister, Senior Management, and the Departmental Audit Committee (DAC), the AEB continued to provide continuous auditing capacity for NRCan in 2016-17.

The continuous audit activities conducted in 2016-17 focused on identifying potential control issues related to specific processes identified in the approved Risk-Based Audit Plan. Accordingly, the following two areas were assessed via continuous auditing: Acquisition Cards, and Grants and Contributions.

Based on the continuous audit engagements completed, the AEB was able to provide timely advice to senior management and the DAC on the functioning of key controls associated with selected acquisition cards and grants and contributions functions. Findings and recommendations resulting from these engagements were provided to management in order to assist them with improving existing control mechanisms. These findings and recommendations were also presented to the DAC along with the associated management responses and action plans.

Given that the Audit and Evaluation Branch recently provided advice on the pay framework and that processes in this area are still maturing, the Continuous Audit of Pay and Benefits processes and transactions was deferred to 2017-18. This examination includes functions recently assumed by NRCan from the Public Service Pay Centre (PSPC) and will be discussed in the Continuous Auditing of Key Controls Annual Report for 2017-18.

In addition to our continuous audit activities, NRCan’s management was engaged in continuous monitoring in accordance with the Treasury Board’s (TB’s) Policy on Internal Controls. The combined efforts by both the AEB and management have resulted in improvements to control processes and the correction of any identified errors.

Objectives

The objective of the Continuous Audit on Acquisition Cards was to provide reasonable assurance that key controls for acquisition cards were in place and working as intended.

The objective of the Continuous Audit of Grants and Contributions was to provide reasonable assurance that key financial and monitoring controls were in place and working as intended for the selected grant and contribution payments.

Scope

The scope of the continuous audit activities was:

• For the Acquisition Cards Audit, the period under review was January 1, 2016 – September 30, 2016.
• For the Grants and Contributions Audit, the period under review was March 1, 2016 – December 31, 2016.

The key controls assessed during the two continuous audits are provided in Appendix A - Audit Criteria.

Methodology

For the Acquisition Cards Audit, analytical tests were executed to identify key control risks within the NRCan acquisition card process. A judgmental sample of 40 high-risk transactions was selected and reviewed against the key controls. Transactions were also randomly selected from the acquisition card transactions that had previously undergone the Department’s quality assurance process to assess the effectiveness of this control.

For the Grants and Contributions Audit, the sampling methodology used for this continuous audit was as follows:

• NRCan’s G&C program expenditures totalled $209.6 million. Of this amount, $93.6 million was attributable to programs that had been subject to audit within the past three years. The remaining $116 million included five G&C programs administered by the Energy Sector and the Office of the Chief Scientist. These constituted the sampling population of this audit.
• From this sampling population, 64 payment transactions were judgmentally selected. These transactions involved the administration of 53 separate contribution agreements between NRCan and program proponents.

Key Findings and Recommendations

The following summarizes the findings and recommendations for each of the continuous audit engagements.

Continuous Audit of Acquisition Cards

Minor opportunities for improvement were identified during the Acquisition Cards Audit regarding the sample selection methodology for account verification and reviewing documentation retention requirements.

Audit recommendations were addressed to CMSS to continue to refine the sample selection methodology identified within the Quality Assurance of Account Verification Plan, using a risk-based approach, and to finalize and implement the Financial Correctives Measures Framework. The Plan should ensure an alignment to the Financial Corrective Measures Framework. It was also recommended that CMSS, in collaboration with Sectors and Information Management representatives, review the retention requirements for paper acquisition card statements and supporting documentation, and determine the feasibility of adopting electronic storage.

In addition, based on the control environment, the Department could consider increasing the transactional limit for the majority of cardholders, which would reduce administrative costs. It should also be noted that the audit testing did not identify any fraudulent acquisition card transactions (i.e., not NRCan business- related).

Continuous Audit of Grants and Contributions

Of the five programs examined as part of the Continuous Audit of Grants and Contributions, one of them did not meet the departmental Transfer Payments Policy requirement to have a risk-based plan for recipient audits; however, this program did take several steps to assess and monitor risk at both the program and project levels. The overall program risk was assessed as low in 2012 and again during a mid-program risk review.  In addition, the program reviewed all proponent requests for both eligibility and accuracy on an ongoing basis.  While these are positive practices, they do not replace the need for a risk-based recipient audit plan that is appropriately designed and implemented.  A lack of such a plan may result in transaction reviews not commensurate with the assessed level of project risk, leading to lower risk projects being reviewed excessively and higher risk projects not being adequately examined.

It should be noted that this program transferred responsibilities from a specialized task force to the Energy Sector during the final six months of its term, whereby the Energy Sector assumed a caretaker function for administering program and close-out activities.  The timing of the Continuous Audit corresponded with the program close-out period.

This finding was the result of an atypical situation whereby program administration was transferred from a specialized taskforce to the Energy Sector near the end of the Program’s term. This instance of a control deficiency is not reflective of the overall implementation of risk-based audit plans within the Energy Sector. As such, no recommendation was issued.

Conclusion

The Audit and Evaluation Branch concluded with reasonable assurance that most key controls are in place for the acquisition card process and for the administration of grants and contributions, and they are generally working as intended.

Management Responses

Management has responded with timely action plans to address the issues noted in the two continuous audit activities. The AEB will continue to follow-up on the implementation of the management action plans.

Acknowledgments

The AEB would like to thank those individuals who contributed to these continuous audits and particularly employees who provided their insights and comments.

Conformance with Professional Standards

In my professional judgement as Chief Audit and Evaluation Executive, the continuous audit activities along with this annual report conform with the Internal Auditing Standards for the Government of Canada, as supported by the results of the Quality Assurance and Improvement Program.

 

Christian Asselin, CPA, CA, CMA, CFE
Chief Audit and Evaluation Executive

 

APPENDIX A – CONTINUOUS AUDIT CRITERIA

CONTINUOUS AUDIT OF ACQUISITION CARDS

The objective of this continuous audit was to provide reasonable assurance that key controls for acquisition cards were in place and working as intended.

Specifically, the continuous audit assessed whether:

• Acquisition card use was in compliance with government and departmental policies and procedures; and
• Acquisition card monitoring and reporting activities were undertaken and effective.

Key Controls
1. An individual has been designated as the Acquisition Card Coordinator.
2. A list of all outstanding acquisition cards is maintained by the Acquisition Card Coordinator.
3. The Acquisition Card Coordinator maintains documentation for each cardholder (Responsibility Center Manager [RCM] approval and signature that cardholder has signed acknowledgement of their cardholder roles and responsibilities).
4. The Acquisition Card Coordinator is notified through the Employee Departure Form when an individual leaves NRCan in order to cancel the acquisition card.
5. For each acquisition card transaction, there is either a blanket commitment or the purchase has been authorized by the RCM before the purchase is made (Financial Administration Act [FAA] S.32).
6. All transactions are reviewed and approved by an individual with FAA S.34 delegated authority.
7. The BMO monthly invoice is approved under FAA S.33 by an individual who has been delegated the authority, but has not benefited by one of the acquisition card transactions included in the invoice.
8. The monthly BMO statement is reconciled to the cleared individual card transactions.
9. Changes of RCMs are communicated to the Acquisition Card Coordinator to ensure that email addresses are changed accordingly.
10. A post–payment verification program is in place for acquisition card use to select transactions and verify compliance to Government and Department policies and is reviewed regularly to ensure that it continues to operate using a risk-based approach.
11. Errors identified under the post–payment verification process are communicated to managers and followed up to verify that corrective action has been undertaken.
12. BMO-provided authorization codes are input into the Financial System to match the financial commitment.

CONTINUOUS AUDIT OF GRANTS AND CONTRIBUTIONS

The objective of this continuous audit was to provide reasonable assurance that payment and monitoring controls were in place and working as intended for the selected grant and contribution payments.

Key Controls
1. The selected project met the selection criteria of the program and was recommended by the selection committee.
2. The contribution agreement or amended contribution agreement is signed by an individual with the appropriate delegated financial signing authority for transfer payments / grants and contributions.
3. Commitments (S.32 of the FAA) are entered into the NRCan SAP financial system when agreements are signed.
4. Requests by recipients for payments are reviewed; to ensure compliance with stacking provisions and that federal resources are applied to initiatives in a fair and equitable manner; and with sufficient procedures and rigour to assess their accuracy, reasonableness, eligibility, and compliance with program terms and conditions, and are authorized pursuant to S.34 of the FAA by individuals with appropriate delegated financial signing authority.
5. Authorization is completed pursuant to S.33 of the FAA and approved in the departmental financial system (SAP) by an individual with the appropriate delegated financial signing authority.
6. Payments to recipients are recorded in the appropriate fiscal period.
7. Repayable contributions are monitored and recorded in the AMI system and any prior year payments deemed repayable have been correctly recouped in a timely manner.
8. A risk-based plan for recipient audits is established, implemented, and progress is monitored.
9. Findings and recommendations identified during prior year site visits or recipient audits are addressed in a timely manner.
10. Proactive disclosure of grants and contributions over $25,000 is verified for accuracy and approved prior to web posting.