Continuous Auditing of Key Controls for Selected Processes – Annual Report for Fiscal Year 2021-22

Audit and Evaluation Branch
Natural Resources Canada

Presented to the Departmental Audit Committee, October 11, 2022

Table of Contents

• Introduction
  • Accomplishments this Year
  • Objectives
  • Scope
  • Methodology
• Key Findings and Recommendations
• Conclusion
  • Acknowledgments
  • Conformance with Professional Standards
• APPENDIX A - Audit Criteria - Continuous Audit of Acquisition Cards

Introduction

Continuous auditing provides ongoing assurance on specific management processes and controls to enable more timely insight into possible risk and control issues. It enables the provision of findings to management on key controls related to financial and non-financial processes in a timely manner. The combination of continuous and regular audit activities provides adequate coverage of the Department’s key processes and controls. During the annual risk-based audit planning exercise, consideration is given as to whether a continuous or standard assurance audit is the most effective approach for providing assurance.

Continuous audits can significantly enhance the internal control processes and frameworks within an organization. They differ from traditional audits, which tend to be more comprehensive in terms of their scope. Continuous audit activities undertaken by Natural Resources Canada’s (NRCan) Audit and Evaluation Branch (AEB) are formally reported through this annual assurance report on key controls. This report presents the results of the continuous auditing activities undertaken by the AEB in fiscal year (FY) 2021-22.

Accomplishments this Year

With support from the Deputy Minister, Senior Management, and the Departmental Audit Committee (DAC), the AEB continued to provide continuous auditing capacity for NRCan in FY 2021-22.

The continuous audit activities conducted in FY 2021-22 focused on identifying potential control issues related to specific processes identified in the approved 2021-26 Integrated Audit and Evaluation Plan (IAEP). Accordingly, the following area was assessed via continuous auditing:

• Acquisition Cards

The AEB was able to provide timely assurance to senior management and the DAC on the functioning of key controls for the area identified above. Findings and recommendations resulting from the examination of these processes were provided to management in order to assist them with further improving existing control mechanisms. These findings and recommendations were also presented to the DAC along with the associated management responses and action plans.

In addition to AEB’s continuous audit activities, NRCan’s management was engaged in continuous monitoring in accordance with the Treasury Board’s (TB) Policy on Financial Management. The combined efforts by both the AEB and management have resulted in improvements to control processes and the correction of any identified control deficiencies.

Objectives

The objective of the Continuous Audit performed was to provide reasonable assurance that key controls are in place and working as intended to support acquisition card processes.

Scope

The scope of the continuous audit examined 11 key controls for a sample of 45 acquisition card transactions initiated from March 1, 2021 to August 31st, 2021. This time period was selected to focus on recent transactions, and due to the availability of acquisition card transaction data from the existing acquisition card provider. AEB did ensure it considered the risks associated with the planned transition to a new acquisition card provider on the controls selected for testing.

The key controls assessed during the continuous audit are provided in Appendix A.

Methodology

• A combination of both judgmental and random sampling techniques was implemented for this audit. A total of 50 transactions were originally sampled, 30 of which were selected judgmentally and 20 of which were selected randomly.
• Judgmental samples were selected based on a number of high-risk transaction categories. The audit team also considered the timing of each transaction and the individual cardholders performing the purchases to help ensure samples from several unique cardholders were selected, and that the overall sample provided adequate coverage of the six-month scope period. The remaining 20 samples were selected using random sampling, in which every transaction occurring during the scope period had an equal chance of being chosen for examination.

Key Findings and Recommendations

The following summarizes the findings and recommendations for the continuous audit engagement. The audit provided reasonable assurances when arriving at conclusions for the key controls that were tested, which were assessed as either- effective, partially effective, or ineffective, based on the following criteria:

1. Effective: The key control was operating effectively throughout the audit period;
2. Partially effective: The key control was not operating effectively throughout the audit period; and,
3. Not effective: The key control was not in place.

Continuous Audit of Acquisition Cards

The continuous audit found that, of the 11 key controls examined, nine controls are operating effectively, and two controls were deemed to be partially effective.

The continuous audit identified the following opportunities for improvement related to the processing and monitoring of acquisition card transactions within the Department:

• Ensuring that procedures and guidance for acquisition cards are accurate and up-to-date; and,
• Ensuring quality assurance activities are conducted in a timely manner by exploring process automation to enhance sampling and testing efficiency.

The continuous audit also found that all outstanding recommendations from previous continuous audits in this area have been fully implemented.

Conclusion

Looking forward to the next continuous audit annual report, future engagements will include:

• The Continuous Audit of Acquisition Cards, focusing primarily on outstanding recommendations from the previous iteration of the audit;
• The Continuous Audit of Pay and Benefits Processes, which will provide management with assurance on the functioning of key controls in place around NRCan’s HR-to-Pay process, as the topic continues to be an on-going priority for the Department; and finally,
• The Continuous Audit of Leave Management, which will provide management with assurance on the functioning of key controls in place around leave management processes. This is an area that has not been examined in recent AEB engagements. 

Acknowledgments

The AEB would like to thank those individuals who contributed to these continuous audits and particularly employees who provided their insights and comments.

Conformance with Professional Standards

In my professional judgement as Chief Audit and Evaluation Executive, the continuous audit activities along with this annual report conform with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing and the Government of Canada’s Policy on Internal Audit, as supported by the results of the Quality Assurance and Improvement Program.

Michel Gould, MBA, CPA, CMA, CIA
Chief Audit and Evaluation Executive
October 11, 2022

APPENDIX A – Continuous Audit of Acquisition Cards Key Controls

The objective of this continuous audit was to provide reasonable assurance that key controls are in place, and working as intended, to support acquisition card processes. The continuous audit has also followed-up on outstanding recommendations resulting from previous iterations of this engagement.

The following key controls were tested during the conduct phase of the audit:

Key Controls

1. An individual has been designated as the Acquisition Card Coordinator.
2. A list of all outstanding acquisition cards is maintained by the Acquisition Card Coordinator.
3. The Acquisition Card Coordinator maintains documentation for each cardholder (RCM approval and signature that cardholder has signed acknowledgement of their cardholder roles and responsibilities).
4. Changes of RCMs are communicated to the Acquisition Card Coordinator to ensure that email addresses are changed accordingly.
5. The Acquisition Card Coordinator is notified through the Employee Departure form when an individual leaves NRCan in order to cancel the acquisition card.
6. Proper expenditure initiation authority, as well as commitment authority (Financial Administration Act [FAA] Section 32), is exercised in a timely manner for each sampled transaction by individuals with the appropriate financial delegation.
7. Proper certification authority (FAA Section 34) is exercised in a timely manner for each sampled transaction by individuals with the appropriate financial delegation.
8. Proper payment authority (FAA Section 33) is exercised in a timely manner for each sampled transaction by individuals with the appropriate financial delegation.
9. Sampled acquisition card transactions committed in the financial system are coded appropriately.
10. The monthly BMO statement is reconciled to the cleared individual card transactions.
11. An effective post-payment verification program is in place to monitor the use of acquisition cards, including appropriate communication and reporting mechanisms.