Continuous Auditing of Key Controls for Selected Processes - Annual Report for Fiscal Year 2018-19

Audit and Evaluation Branch
Natural Resources Canada
Presented to the Departmental Audit Committee
September 26, 2019

Table of Contents

• Introduction
  • Accomplishments this Year
  • Objectives
  • Scope
  • Methodology
• Key Findings and Recommendations
• Conclusion
• APPENDIX A - Audit Criteria- Continuous Audit of Pay and Benefits
• APPENDIX B - Audit Criteria- Continuous Audit of Travel
• APPENDIX C - Audit Criteria- Continuous Audit of Offshore Revenues and Transfers
• APPENDIX D - Audit Criteria- Continuous Audit of Grants and Contributions

Introduction

Continuous auditing provides ongoing assurance on specific management processes and controls to enable more timely insight into possible risk and control issues. It enables the provision of findings to management on key controls related to financial and non-financial processes in a timely manner. The combination of continuous and regular audit activities provides adequate coverage of the Department’s key processes and controls. During the annual Risk-Based Audit Planning exercise, consideration is given as to whether a continuous or standard assurance audit is the most effective approach for providing assurance.

Continuous audits can significantly enhance the internal control processes and frameworks within an organization. They differ from traditional audits, which tend to be more comprehensive in terms of their scope. Continuous audit activities undertaken by Natural Resources Canada’s (NRCan) Audit and Evaluation Branch (AEB) are formally reported through this annual assurance report on key controls. This report presents the results of the continuous auditing activities undertaken by the AEB in FY 2018-19.

Accomplishments this Year

With support from the Deputy Minister (DM), Senior Management, and the Departmental Audit Committee (DAC), the AEB continued to provide continuous auditing capacity for NRCan in 2018-19.

The continuous audit activities conducted in FY 2018-19 focused on identifying potential control issues related to specific processes identified in the approved 2018-21 Risk-Based Audit Plan. Accordingly, the following four areas were assessed via continuous auditing:

• Pay and Benefits;
• Travel;
• Offshore Revenues and Transfers; and
• Grants and Contributions (G&C).

The AEB was able to provide timely assurance to senior management and the DAC on the functioning of key controls for the areas identified above. Findings and recommendations resulting from the examination of these processes were provided to management in order to assist them with improving existing control mechanisms. These findings and recommendations were also presented to the DAC along with the associated management responses and action plans.

In addition to AEBs continuous audit activities, NRCan’s management was engaged in continuous monitoring in accordance with the Treasury Board’s (TB) Policy on Financial Management. The combined efforts by both the AEB and management have resulted in improvements to control processes and the correction of any identified control deficiencies.

Objectives

The objectives of the Continuous Audits performed was to provide reasonable assurance that:

1. Key controls concerning pay and benefits are in place and operating as intended for selected functions.
2. Key travel management process controls are in place and are working as intended.
3. Key financial and monitoring controls are operating effectively for selected offshore revenues and transfers.
4. Key financial and monitoring controls are in place and operating as intended for selected G&C payments.

Scope

The scope and period of review for each of the continuous audit activities was:

Pay and Benefits	November 1, 2017 – March 31, 2018
Travel	April 1, 2018 – September 20, 2018
Offshore Revenues and Transfers	October 1, 2017 – October 31, 2018
Grants and Contributions	April 1, 2018 – October 31, 2018

The key controls assessed during the four continuous audits are provided in Appendix A - Audit Criteria.

Methodology

The sample sizes for all continuous audits were selected to provide sufficient information to conclude on the operating effectiveness of selected controls.

1. The Continuous Audit of Pay and Benefits examined the following transaction types: acting appointments, return from leave without pay (LWOP); LWOP greater than 5 days; and, change in employment status (i.e. full-time to part-time). A total of 52 transactions were randomly selected for testing out of a population of 371.
2. The Continuous Audit of Travel examined the key controls for a sample of travel requests and travel expense claims that were submitted, processed and approved through the Shared Travel Services (STS) system. A total of 50 transactions were sampled out of a total travel request population of 4,220.
3. The Continuous Audit of Offshore Revenues and Transfers examined the key controls for a sample of 25 transactions that belonged to one of the following categories- (i) offshore royalty receipts and transfers; (ii) corporate income tax transfers (excluding Newfoundland and Nova Scotia); (iii) forfeiture receipts and transfers; (iv) crown share adjustments; (v) Net Profits Interest (NPI) receipts; (vi) Incidental Net Profits Interest (INPI) receipts.
4. The Continuous Audit of Grants and Contributions examined the key controls for a sample of 25 payment transactions administered by two programs, valued at $40.9 million. These transactions involved the administration of 54 separate contribution agreements.

Key Findings and Recommendations

The following summarizes the findings and recommendations for each of the continuous audit engagements. The audits provided reasonable assurances when arriving at conclusions for the key controls that were tested, which were assessed as either- effective, partially effective, or ineffective, based on the following criteria:

1. Effective: The key control was operating effectively throughout the audit period;
   
2. Partially effective: The key control was not operating effectively throughout the audit period; and,
   
3. Not effective: The key control was not in place.

Continuous Audit of Pay and Benefits

The continuous audit found that three control functions were partially effective, two were effective, and one was not effective. The following opportunities for improvement were noted:

1. Update the Department’s intranet to reflect updates to pay-related guidance; and ensure on-going communications to Departmental Managers regarding their responsibilities to:
1. Initiate acting appointments in a timely manner, where possible;
2. Understand the terms and conditions of their employees’ collective agreements.
2. Implement reporting of key pay-related performance indicators to senior management on a periodic basis; and,
3. Clarify roles and responsibilities for verification activities over employees’ current work schedules prior to making pay-related changes in PeopleSoft/Phoenix.

Continuous Audit of Travel

The continuous audit found that all eight key controls were assessed as effective and working as intended, in compliance with Central Agency and Departmental policies and procedures.

There were no audit recommendations resulting from this continuous audit. As well, the results of the follow-up on outstanding previous recommendations from the last iteration of this continuous audit in 2014, were found to be fully implemented and no additional follow-up was required.

Continuous Audit of Offshore Revenues and Transfers

The continuous audit found that the majority (18 of 22) of key financial and monitoring controls examined were effective, while four controls were partially effective. This was the first continuous audit of offshore revenues and transfers.

For the four partially effective controls, the continuous audit identified the following opportunities for improvement:

1. Review and update the Offshore Petroleum Management Division’s (OPMD) standard operating procedure (SOP) Manual to reflect current offshore revenue and payment practices and processes;
2. Update OPMD's SOP Manual to include procedures to manage late receipts from oil companies, if they were to occur;
3. Finalize and approve the strategy for future NPI and INPI audits and the extent to which this will include the adoption of a risk-based approach; and,
4. Provide regular status updates to senior management on the progress and results of the NPI and INPI audits.

Continuous Audit of Grants and Contributions

The continuous audit found that for the two programs tested nine of the ten key financial and monitoring controls are in place for the administration of Gs&Cs, and that they are generally working as intended. For the one key control that was assessed as partially effective, the audit identified an opportunity for improvement. The audit noted that a newly created program needed to develop and implement a formal approach to proponent monitoring commensurate with risk. This will allow the program to follow generally accepted practices identified in the guidance on recipient auditing administered by the Corporate Management Services Sector (CMSS) Centre of Expertise (CoE) on Gs&Cs.

The audit also followed-up on outstanding recommendations resulting from the previous iteration of this continuous audit, which took place in FY 2017-18. The audit found that all recommendations were fully implemented and no additional follow-up was required.

Conclusion

The Continuous Audit of Travel concluded with reasonable assurance that key controls surrounding the Department’s Travel Quality Assurance process, within the CMSS Finance and Procurement Branch are in place and working as intended. Therefore, the AEB will suspend continuous audit testing for these controls and identify a new process to be audited, based on the results of its FY 2020-25 Integrated Audit and Evaluation Planning process.

The following continuous audit areas will continue to be a part of the AEB’s 2019-24 Integrated Audit and Evaluation Plan, given that:

1. The Continuous Audit of Pay and Benefits provides management with assurance on the functioning of key controls for a process that is an ongoing priority for NRCan.
2. The Continuous Audit of Offshore Revenues and Transfers provides management with assurance on the functioning of key controls in place to ensure that the offshore revenues and transfers are accurate and processed in accordance with the Atlantic Offshore Accords Acts and the related Regulations. The continued testing will also ensure follow-up on the implementation of previous audit recommendations.
3. The Continuous Audit of Gs&Cs will continue to provide management with assurance on the functioning of key controls in place for the management of G&C payments given that NRCan relies significantly on Gs&Cs to deliver its programs. The continued testing will also ensure follow-up on the implementation of previous audit recommendations.

Management Responses

Management has responded with timely action plans to address the issues noted in the continuous audit activities. The AEB will continue to follow-up on the implementation of the management action plans, on an annual basis.

Acknowledgments

The AEB would like to thank those individuals who contributed to these continuous audits and particularly employees who provided their insights and comments.

Conformance with Professional Standards

In my professional judgement as Chief Audit and Evaluation Executive, the continuous audit activities along with this annual report conform with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing and the Government of Canada’s Policy on Internal Audit, as supported by the results of the Quality Assurance and Improvement Program.

Christian Asselin, CPA, CA, CMA, CFE
Chief Audit and Evaluation Executive
September 26, 2019

APPENDIX A - Audit Criteria- Continuous Audit of Pay and Benefits

The objective of the continuous audit was to provide reasonable assurance that key controls are in place and operating as intended for the following functions:

1. Initiation of acting appointments;
2. Changes in employment status between full-time and part-time;
3. Communications to employees on pay-related issues, roles and responsibilities;
4. Establishment and monitoring of service standards for processing pay action requests;
5. Return from LWOP greater than five days; and
6. Verification of pay action requests to collective bargaining agreements.

Key Control Activities
1. Initiation of acting appointments are administered in compliance with TBS guidance and relevant departmental policies.
2. Changes in employment status from full-time to part-time are implemented in compliance with TBS guidance and relevant departmental policies.
3. A sufficient communications plan has been designed and implemented to inform employees of pay-related issues roles and responsibilities.
4. Service standards for the processing of all PAR types capture the entire duration of time that transactions remain within the control of the DPLO, and are monitored and reported to management.
5. Roles and responsibilities for the processing and approving PARs (i.e. FAA S.34 authority) for return from LWOP greater than five days are clearly defined and documented, and are implemented in accordance with PSPC guidance.
6. Roles and responsibilities for the verification of PARs in compliance to relevant collective bargaining agreements are clearly defined and communicated.

Note: Control activities 4, 5, and 6 include follow-up procedures on management action plans to address recommendations stemming from the 2017 Continuous Audit of Pay and Benefits.

APPENDIX B - Audit Criteria- Continuous Audit of Travel

The objective of this continuous audit was to provide reasonable assurance that key travel management process controls are in place and are working, as intended. Specifically, the audit assessed whether:

1. Travel expenses are in compliance with Treasury Board and NRCan policies, directives and procedures; and
2. Monitoring of travel related expenses and/or activities are conducted to ensure compliance and these activities are proactively disclosed where applicable.

Key Control Activities
1. Travel expenditures incurred are focused on achieving the department's core mandate.
2. Travel expenditures are minimized when possible and where they are necessary are managed in an effective, efficient and economical manner.
3. Appropriate approvals are obtained prior to incurring travel expenses.
4. Travel expenses are supported by appropriate documentation.
5. Travel expense claims are reviewed under sections 34 & 33 and are appropriately authorized.
6. Travel financial transactions are transferred from EMS to SAP in an accurate and complete manner.
7. Monitoring activities are taking place and working as intended. Actions are taken to address deficiencies.
8. Travel expenses for selected departmental officials, including deputy ministers and senior public servants are disclosed in accordance with proactive disclosure requirements.

APPENDIX C - Audit Criteria- Continuous Audit of Offshore Revenues and Transfers

The objective of the continuous audit was to provide reasonable assurance that key financial and monitoring controls are operating effectively for the selected offshore revenues and transfers.

This Appendix details the specific key control areas to be tested as they relate to offshore revenues and transfer payments.

Key Controls
1. Offshore revenue cash receipts: An accurate notification of incoming revenue with SAP financial coding is sent to Accounts Receivable (A/R). The notification of incoming revenue is matched to the Credit Notice Report. Cash receipts are recorded accurately (GL/FRA/ECON) and for the proper period in SAP.
2. Transfer payments: Transfer payments are approved in accordance with FAA S.34 requirements. Transfer payments are approved in accordance with FAA S.33 requirements (including completion of the Account Verification Statutory Payment Checklist). Payment vouchers are recorded accurately (GL/FRA/ECON) and for the proper period in SAP.
3. Compliance with legislative and regulatory timelines: NRCan ensures that receipts from oil companies are received by the last day of the month following the month to which they relate (royalty, NPI and INPI only). NRCan’s Revenue Fund is credited within 10 working days after the end of each month that the remittance is received. Payment is made to the province before the end of the month in which the credit to the revenue fund was made. The calculation of the deflated oil price is provided to the oil companies within the first 7 days of the month.
4. Accruals of revenues (receipts) and transfers (payments): PAYEs are established, and reversal entries are accurate, recorded in the correct period, and reviewed and approved by the Corporate Reporting Unit. PAYE reversal entries are prepared accurately and recorded in the correct period. PAYEs are approved in accordance with FAA S.34 requirements. PAYEs are approved in accordance with FAA S.33 requirements (including the Quality Assurance Checklist for PAYE), and reviewed and approved by the Corporate Reporting Unit.
5. Tracking, monitoring, and reconciliation: Incoming offshore revenues (receipts) and outgoing transfers (payments) are accurately tracked in a central repository. NPI and INPI submissions are reviewed and monitored on a monthly basis. Monthly revenues and payments are reconciled using SAP. NRCan ensures that it obtains from the oil companies an annual INPI reconciliation within 150 days of the end of each period including an accuracy attestation. An annual reconciliation between a cash basis and a year-end basis is performed.
6. Audit plan to validate NPI and INPI revenues: An audit plan that considers risk has been established and audits are conducted. Audit results are reported to senior management and in a timely manner. Assessed amounts owing or refunds are communicated and applied against the oil company.

APPENDIX D - Audit Criteria- Continuous Audit of Grants and Contributions

The objective of this continuous audit was to provide reasonable assurance that key financial and monitoring controls are in place and working as intended for the selected G&C payments and related contribution agreements. The controls to be tested are as follows:

Key Financial and Monitoring Controls
1. The selected project met the selection criteria of the program and was recommended by the selection committee.
2. The contribution agreement or amended contribution agreement is signed by an individual with the appropriate delegated financial signing authority for transfer payments / grants and contributions.
3. Commitments (section 32 (S.32) of the FAA) are entered into the NRCan SAP financial system when agreements are signed.
4. Requests by recipients for payments are reviewed: to ensure compliance with stacking provisions; with sufficient procedures and rigour to assess their accuracy, reasonableness, eligibility and compliance with program terms and conditions and are authorized pursuant to S.34 of the FAA by individuals with appropriate delegated financial signing authority; and, to ensure advance payments (if any) are in accordance with program terms and conditions and comply with the Directive on Transfer Payments.
5. Authorization is completed pursuant to S.33 of the FAA and approved in the SAP financial system by an individual with the appropriate delegated financial signing authority.
6. Payments to recipients are recorded in the appropriate fiscal period.
7. Repayable contributions are monitored and recorded in the AMI system and any prior year payments deemed repayable have been correctly recouped in a timely manner.
8. A risk based plan for recipient audits is established, implemented and progress monitored.
9. Findings and recommendations identified during prior year site visits or recipient audits are addressed in a timely manner.
10. Proactive disclosure of grants and contributions over $25,000 is verified for accuracy and approved prior to web posting.