Audit of the Acquisition Card Procurement Program
Audit Report - March 2010
Table of contents
- 1.0 Executive Summary
- 2.0 Background
- 2.1 Audit Objectives
- 2.2 Scope
- 2.3 Approach
- 2.4 Audit Opinion
- 2.5 Statement of Assurance
- 2.6 Findings, Recommendations and Management Response
- Annex A – Main Criteria
1.0 Executive Summary
1.1 Background
Public Safety Canada (PS) delivers programs and develops policy on a wide range of public safety issues, including national security, emergency management, law enforcement, corrections, crime prevention, and border management. In striving to ensure the safety and security of Canadians, the Department supports the quality of life of all Canadians and directly contributes to the most fundamental responsibility of Government which is to protect our citizens. It plays a key role in ensuring cohesion and integration on policy and program issues within the Portfolio, and it works with other federal departments, other levels of government, first responders, community groups, the private sector and other countries to achieve its objectives. Through the development and implementation of clearly articulated policies and programs, the Department works towards the achievement of its strategic outcome: “A safe and resilient Canada”. It manages a budget of $426 million1 and has a workforce of approximately 1000 people.
The acquisition card program provides departments with a convenient and less burdensome method of procuring and paying for goods and services, while ensuring effective financial control. Authority for the acquisition card program is derived from the Treasury Board (TB) Policy on Acquisition Cards. The acquisition card presents an inherent risk of misuse and therefore one of the key challenges for departments is to establish internal procurement policies and practices that are flexible enough to meet business needs but also to safeguard departmental assets. PS has authorized the use of several acquisition cards. The AMEX acquisition card is to be used exclusively for Travel expenditures, whereas the Bank of Montreal (BMO) acquisition card is to be used for all other expenditures within the TB policy guidelines. The scope of this audit was limited to the BMO acquisition card.
Over the past few years, the usage of the BMO acquisition card has increased. Key statistics for the audited time period (October 1, 2006 to September 30, 2007) include:
- Annual expenditures of approximately $550K;
- Approximately 60 cardholders;
- Approximately 2500 annual individual purchases of generally non-complex goods averaging $230 per transaction;
- Various credit card limits ranging from $1,500 to $35,000 (approximately 85% of the cards had less than $10,000 credit limit) ; and
- Maximum value of any purchase restricted to $5,000 per transaction.
At the start of the audited time period, the Financial Services and Systems group was responsible for the acquisition card program; however the majority of this responsibility was transferred to the Contracting and Procurement Unit (CPU). It should be noted that both Financial Services and Systems and CPU, including those employees with acquisition card responsibilities, faced capacity issues which resulted in operational challenges. The priority for the CPU was to build capacity; this represents a significant challenge as all departments are competing for the same skill sets. Their main focus has been on the development of a contracting and procurement management control framework, while maintaining operations.
The risk-based audit plan, which was approved by the Departmental Audit Committee (DAC) in June 2008, included the carry-over assurance audit of the acquisition card procurement program to be completed in 2008-2009.
1.2 Audit Objectives and Scope
The purpose of the audit was to assess the appropriateness and effectiveness of the Management Control Framework (MCF) in place to support the BMO acquisition card program and to ensure activities were processed in compliance with applicable policies2, procedures and regulations.
The audit focused on the BMO acquisition card activities for the period between October 1, 2006 and September 30, 2007.
1.3 Audit Opinion
In the opinion of the Chief Audit Executive, the BMO acquisition card program MCF has moderate issues requiring management focus. While multiple risk areas were identified such as; lack of policy, limited procedures, insufficient approvals, and missing documentation, the overall exposure to the department is not significant.
1.4 Statement of Assurance
In the professional judgment of the Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to provide senior management with reasonable assurance of the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria. The criteria were based on the Treasury Board Secretariat (TBS) Management Accountability Framework (MAF) element related to “Effective Procurement” and the Canadian Institute of Chartered Accountants “Criteria for Control” (COCO) model. The opinion is applicable only to the entity examined.
1.5 Audit Findings
While, it is acknowledged that the BMO acquisition card expenditures were only 0.4% of the 2007-08 Operating and Maintenance actual expenditures, the public sensitivity and potential for misuse of this vehicle do require the establishment of a sound MCF based on an appropriate risk assessment.
The audit found that some of the key components of a sound MCF were not in place during the audited time period to effectively support the acquisition card program, including: clearly defined roles and responsibilities; training; policies, procedures and guidelines to enable individuals to perform their assigned responsibilities; and sufficient monitoring mechanisms to ensure compliance with laws, regulations, and policies, and to perform trend analysis.
The audit also found that the issuance and cancellation of BMO acquisition cards, as well as the expenditures incurred with the acquisition cards, were generally compliant with TB policies. Opportunities exist however to strengthen the procedures surrounding the administration and management of the applications, the appropriate authorization and documentation of individual expenditures, and the tracking of attractive items.
1.6 Management Response
Management agrees with all recommendations included in the Internal Audit of the Acquisition Card Procurement Program and is committed to do what is necessary to address each recommendation. Work is underway or completed in relation to each of these four recommendations.
Management expects that substantial implementation will be achieved before the end of the fiscal year 2009-10 and full implementation by the Summer 2010.
To this end, the new Treasury Board Directive on Acquisition Cards has been shared with Cardholders, a new departmental acquisition card coordinator has been designated, default settings have been reviewed with the card issuer to ensure they are effective and the roles and responsibilities have been reviewed to ensure appropriate segregation of duties.
Work remains to be done in the area of training and the monitoring of the usage of the Acquisition Cards.
2.0 Background
Public Safety Canada (PS) delivers programs and develops policy on a wide range of public safety issues, including national security, emergency management, law enforcement, corrections, crime prevention, and border management. In striving to ensure the safety and security of Canadians, the Department supports the quality of life of all Canadians and directly contributes to the most fundamental responsibility of Government which is to protect our citizens. It plays a key role in ensuring cohesion and integration on policy and program issues within the Portfolio, and it works with other federal departments, other levels of government, first responders, community groups, the private sector and other countries to achieve its objectives. Through the development and implementation of clearly articulated policies and programs, the Department works towards the achievement of its strategic outcome: “A safe and resilient Canada”. It manages a budget of $426 million3 and has a workforce of approximately 1000 people.
The acquisition card program provides departments with a convenient and less burdensome method of procuring and paying for goods and services, while ensuring effective financial control. Authority for the acquisition card program is derived from the Treasury Board (TB) Policy on Acquisition Cards. The acquisition card presents an inherent risk of misuse, and therefore one of the key challenges for departments, is to establish internal procurement policies and practices that are flexible enough to meet business needs but also to safeguard departmental assets. PS has authorized the use of several acquisition cards. The AMEX acquisition card is to be used exclusively for Travel expenditures, whereas the Bank of Montreal (BMO) acquisition card is to be used for all other expenditures within the TB policy guidelines. The scope of this audit was limited to the BMO acquisition card.
Over the past few years, the usage of the BMO acquisition card has increased. Key statistics for the audited time period (October 1, 2006 to September 30, 2007) include:
- Annual expenditures of approximately $550K;
- Approximately 60 cardholders;
- Approximately 2500 annual individual purchases of generally non-complex goods averaging $230 per transaction;
- Various credit card limits ranging from $1,500 to $35,000 (approximately 85% of the cards had less than $10,000 credit limit) ; and
- Maximum value of any purchase restricted to $5,000 per transaction.
At the start of the audited time period, the Financial Services and Systems group was responsible for the acquisition card program; however the majority of this responsibility was transferred to the Contracting and Procurement Unit (CPU). It should be noted that both Financial Services and Systems and CPU, including those employees with acquisition card responsibilities, faced capacity issues which resulted in operational challenges. The priority for the CPU was to build capacity within the unit; this represents a significant challenge as all departments are competing for the same skill sets. Their main focus has been on the development of a contracting and procurement management control framework, while maintaining operations.
The risk-based audit plan, which was approved by the Departmental Audit Committee (DAC) in June 2008, included the carry-over assurance audit of the acquisition card procurement program to be completed in 2008-2009.
2.1 Audit Objectives
The purpose of the audit was to assess the appropriateness and effectiveness of the Management Control Framework (MCF) in place to support the BMO acquisition card program and to ensure activities were processed in compliance with applicable policies4, procedures and regulations.
2.2 Scope
The audit focused on the BMO acquisition card activities for the period between October 1, 2006 and September 30, 2007. The components of the management control framework that were examined as of September 30, 2007 included: business plans, risk management processes, roles, responsibilities, accountabilities, authorities, procedures, and monitoring mechanisms. Specific core controls were examined in regard to the issuance, distribution, cancellation and usage of cards.
2.3 Approach
The audit included various tests, as considered necessary, to provide senior management with reasonable assurance of the accuracy of the opinion. These tests included interviews, observations, walkthroughs, review of supporting documentation, sampling of transactions and analytical reviews.
Following a risk analysis conducted through interviews with Financial Services and Systems and Procurement and through the analysis of pertinent documentation, an audit program was developed to verify to what extent an adequate management control framework was in place and the use of the acquisition card was in compliance with applicable policies.
The audit approach involved interviews mainly with Financial Services and Systems and the Contracting and Procurement Unit, review of documentation (organization charts, roles and responsibilities, allocation of resources), and walkthroughs of the acquisition card procurement processes.A statistical sample of transactions was selected from the total population for testing the overall compliance. The sample size was 143 transactions (total population was approximately 2500 for the audited time period).5 The majority of the transactions within the sample were randomly selected, while the remaining portion was established based on data analysis or judgement, depending on the various expenditure categories and dollar value.
Audit criteria for the audit objective were developed based on fundamental principles underlying the TB policies and internal PS guidelines, as well as key components of a sound MCF. The main criteria used to provide assurance for the audit objective are referenced in Annex A.
2.4 Audit Opinion
In the opinion of the Chief Audit Executive, the BMO acquisition card program MCF has moderate issues requiring management focus. While multiple risk areas were identified such as; lack of policy, limited procedures, insufficient approvals, and missing documentation, the overall exposure to the department is not significant.
2.5 Statement of Assurance
In the professional judgment of the Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered, to provide reasonable assurance of the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria. The criteria were based on the TBS Management Accountability Framework (MAF) element related to “Effective Procurement” and the Canadian Institute of Chartered Accountants “Criteria for Control” (COCO) model. The opinion is applicable only to the entity examined.
2.6 Findings, Recommendations and Management Response
The audit expected to find that a sound MCF would be in place to effectively support the acquisition card program and that acquisition card activities would be processed in a manner that is compliant with applicable policies, procedures and regulations. The audit found that some of the key components of a sound MCF were not in place. The audit also found that while activities were generally compliant, there were several minor deviations. More specifically the findings are noted below.
2.6.1. Roles and responsibilities were not well defined, appropriately segregated, or fully documented.
In early 2007, the accountability for the acquisition card program was transferred from Financial Services and Systems to the CPU. However, as of February 2009, Financial Services and Systems was still involved in some activities, such as approval of credit card applications and BMO reporting access, while the CPU was building capacity within their function. This overlap of activities may create some processing inefficiencies, however the main risk stems from the inappropriate segregation of duties. The auditors found that the same person who granted acquisition cards also approved the payments; however these two functions are not compatible. Although the audit did not find any misuse of this procurement vehicle, the absence of appropriate segregation of duties increases the risk of inappropriate transaction processing or misappropriation.
2.6.2 No internal policy or procedures on the use of the acquisition card existed, as required by the TB Policy on Acquisition Cards.
Guidance on PS acquisition card activities came from the TB Policy on Acquisition Cards, informal communications from Financial Services and Systems and the Acquisition Card Departmental Coordinator (DC), and a general memorandum provided to new cardholders that states the categories of transactions that were not permitted with the card. In early 2007, PS required new cardholders to provide an “acknowledgement” of the terms of the acquisition card by signing the memorandum. No issues were found in regard to this new “acknowledgement” process. However, this cardholder memorandum did not have sufficient detail concerning:
- Allowable expenditure exceptions (i.e. recurring monthly charges, on-line purchases, vendor non-acceptance);
- The necessity of a competitive approach when cost-effective;
- The use of mandatory standing offers if they were in place;
- The inventory tagging procedures;
- When minor capital purchases were appropriate; and,
- What processes should be followed in cases where tax exemptions were not possible.
The audit also noted that there were no internal policies, procedures or guidelines identifying when specific expenditures should be procured by a centralized purchasing function. As a result, it was unclear when and what type of goods should be purchased centrally; for example the auditors noted that supplies, office furniture and IT goods were purchased outside of the departments centralized functions. This could lead to inefficiencies.
The TB Policy on Acquisition Cards requires that acquisition card purchases are recorded in the inventory management system if the value of the item exceeds the department’s threshold value for inventory purposes, or if the item is deemed to be “attractive”, such as technology items that are easily transported and at high risk of theft. When applicable, the auditors attempted to trace the goods, as per the acquisition card invoices, to the inventory tracking system, however this was not possible due a weak audit trail (no invoice references etc) and lack of inventory procedures. Such procedures would identify what types of assets are to be recorded and tracked, including those items considered “attractive”, what pre-approvals are required, and how these procedures are to be integrated within the acquisition card procurement program. Lack of clear direction and appropriate guidance impacts the effectiveness and efficiency of the program and increases the risk of misuse.
2.6.3 Training needs were not defined, nor was formal training provided for support staff or acquisition card users.
The audit expected to find an appropriate training plan reflective of the CPU risk tolerances for acquisition card usage, as recommended by the TBS Acquisition Card Program, Best Practices Guide. Although general Delegation of Financial Authorities training was a requirement for those exercising specific Financial Administration Act (FAA) authorities, such as procuring goods, there was no consistent or complete approach to training for either new card holders, or refresher training, for existing card holders. Furthermore, interviews with PS employees indicated inconsistent interpretations of processes and requirements. Lack of appropriate training may increase the risk of non-compliance.
2.6.4 No formal monitoring program, based on an assessment of risk, was defined, documented or implemented.
The audit expected to find a defined and documented monitoring program specific to the acquisition card program, based on an appropriate assessment of risk and commensurate to the level of risk which they are intended to mitigate. The audit found that some post-transactional monitoring activities were performed by both Financial Services and Systems and the CPU, however, they were not based on a comprehensive assessment of risks, and as a result of this insufficient monitoring program, several fundamental control failures went undetected.
The BMO acquisition card application requires the CPU to identify for each cardholder, if applicable, any restrictions in the usage of the card that would be different from the generic department-wide restrictions expected to be in place by default. The CPU assumed that both these department-wide and individual cardholder restrictions would be applied and enforced by BMO. Examples of these restrictions included; dollar limit per transaction, credit limits, and prohibited cash advances. However, the auditors found a disconnection between these assumed restrictions and what was actually in place; for example, transaction dollar limit and vendor restriction controls were not always applied. As a result, the department was relying on controls that did not exist. While this oversight did not result in material errors, specific monitoring activities would have identified the issues related to those controls as well as weaknesses in the completion of the applications by CPU.
While both the CPU and Financial Services and Systems reviewed monthly BMO transactional detail by cardholder, and Financial Services and Systems reviewed and reconciled 100% of the required supporting documentation (i.e. original receipts) to the BMO statements, the evidence of these monitoring controls, their impacts, and follow-up actions, were not fully documented, consequently it was difficult to assess their effectiveness. Furthermore, the evidence of these controls will form part of the support needed for the Chief Financial Officer and Deputy Head to sign the Statement of Management Responsibility Including Internal Control Over Financial Reporting as per the new TB Policy on Internal Control that took effect in April 2009 and will be implemented in PS in fiscal year 2011-2012.
Formal monitoring, based on an assessment of risks, is required to ensure that anomalies and recurring trends are identified, corrective actions are taken, and follow-up monitoring is conducted in an efficient manner to prevent future incidents and provide lessons learned. An appropriate risk assessment should consider the entire control environment of the acquisition card program, including but not limited to, outsourced contractual agreements, transactional processing, and staffing capacity.
2.6.5 The CPU did not produce reports on acquisition card purchasing trends and anomalies.
It was expected that information on the acquisition card program would be regularly available to support decision-making and oversight activities. While some ad hoc analysis was performed when requested by Program Managers or TBS, the CPU did not produce regular reports for management on acquisition card activity. Furthermore, the information required to support management decision-making and oversight responsibilities had not been identified.
Overall recommendation in support of a strengthened management control framework:
1. The Corporate Management Branch (CMB) should continue to strengthen key components of the acquisition card program management control framework to ensure effective and efficient operations by using a risk-based approach to:
- Define roles and responsibilities including a responsibility matrix with appropriate segregation of duties;
- Develop an internal acquisition policy, as well as the associated procedures and guidelines. These policy, procedures and guidelines should include but are not limited to:
- Appropriate review processes and procedures to incorporate lessons learned and new requirements;
- Pre-approval procedures and documentation for individual usage of the card;
- Clarity of documentation for appropriate evidence of fair, transparent, and competitive vendor selection for acquisition card expenditures; and,
- Defined and documented requirement for acceptable evidence for unusual purchases or exceptions to the general purchase restrictions (i.e. recurring charges, on-line purchases).
- Define training needs and develop a training plan;
- Develop and document a formal monitoring program. This program should include, but is not limited to:
- Procedures for documenting observed deviations from CPU and Financial Services and Systems policies and procedures, and the actions taken to correct or prevent future occurrences;
- Procedures to review “Signature” cards to ensure they are current and accessible to those who require them;
- Define information requirements and produce regular reports on acquisition card activity for management committee; and
- Develop an internal inventory management policy, as well as the associated procedures and guidelines.
Management Action Plan | Completion Date |
---|---|
Management agrees with the recommendation. | |
1. The following steps will be actioned by the Corporate Management Branch: | |
The new Treasury Board Directive on Acquisition Cards became effective October 1, 2009. The TB directive clearly lays out the roles and responsibilities of the key positions. The Directive will be shared with staff along with a new acknowledgement form and limitations/obligations on the use of the card. DG – Corporate Services Division (CSD). | December 31, 2009 |
Departmental procedures or guidelines will be developed to ensure full compliance with the new TB directive issued after the audit. Director –Program Services (PS). | March 31, 2010 |
Roles and responsibilities will be clarified. DG - CSD and Comptroller. | March 31, 2010 |
Contracting staff will undertake training to develop regular reports on credit card activity and will be provided access to Details on Line. Chief – Materiel Management (MM). | March 31, 2010 |
The Department is exploring the option of providing access to departmental cardholders to the BMO Details on Line site to allow them to download their monthly statements. This will provide more time for the payment process and minimize interest paid. Chief – MM. | March 31, 2010 |
Financial Operations staff will be provided access to the BMO site to undertake payment queries. Chief – MM. | March 31, 2010 |
Default settings will be applied by BMO as of November 10, 2009 to restrict the purchase of airline tickets, fuel, car rentals and cash advances. Director – PS. | Completed |
A process will be developed to ensure that signature cards are current. Director Financial Services and Systems. | March 31, 2010 |
Signature cards will be made available through RDIMS, the departmental Records and Documents Management System. Chief – MM. | Completed |
Training on the use of credit cards will be incorporated into the contracting training modules currently being developed. Chief – MM. | March 31, 2010 |
A monitoring program will be formally established to determine procedures for documenting observed deviations from policies and procedures, and the actions taken to correct or prevent future occurrences. Chief – MM. | March 31, 2010 |
An internal inventory management policy will be developed, as well as the associated procedures and guidelines. | June 30, 2010 |
2.6.6 The issuance and cancellation of BMO acquisition cards was generally compliant with TB policies, with only minor deviations.
It was expected that all acquisition card applications would be appropriately completed with sufficient detail, authorized according to the PS Delegation of Financial Authority, and cancelled in a timely manner when required, in accordance with TB Policy on Acquisition Cards. These activities were generally compliant however the auditors identified two areas to be strengthened, which are noted below.
Role of the Departmental Coordinator (DC):
The DC is responsible for authorizing the issuance of acquisition cards, for the monitoring program designed to ensure reliable control over the use of acquisition cards, and overall management of the departmental acquisition card program. As part of this role, the DC is responsible to authorize and forward the completed acquisition card application form to BMO for processing. BMO is only supposed to process applications based on the authenticity of the PS DC approval. The DC, in essence, has ultimate authority to authorize a procurement card. While there was a reasonable assignment of the DC role based on position, the communication of this assignment to BMO was sometimes, informal (by email), incomplete (missing documentation), and without documented management approval. For example, the auditors were not able to obtain complete documentation from the CPU supporting the initial assignment and approval of the DC. Appropriate management approval of the assignment of this accountability, aligned with the Delegation of the Financial Authorities, and formally documented, minimizes the potential for abuse and ensures available support in the event of a dispute with BMO over unauthorized cardholders.
Cost Centre on the Acquisition Card Application:
The TB Policy on Acquisition Cards requires certain information to be provided on the acquisition card application form, including among other things, the name of the department and the responsibility centre, commonly referred to as the cost centre. Financial Services and Systems informed the auditors that for simplicity, the DC often referenced a generic consolidated PS Cost Centre on the acquisition card application form. While this may simplify the application process, it makes it difficult to determine the appropriateness of the Responsibility Centre Manager’s (RCM) authority. The auditors interpreted that the TB policy requirement was to ensure that all expenditures had an appropriate funding source and an accountable designate. Without alignment of the Cost Centre to the RCM, it is unclear whether the RCM is simply authorizing the employee to have a card, or officially authorizing expenditure initiation and available funding in alignment with the credit limit on the application form.
Recommendations:
2. The CMB should determine and document the appropriate procedures to be followed in the assignment of the DC role, and its communication to BMO.
3. The CMB should strengthen documentation of the application process by ensuring the appropriate alignment of the responsible RCM to the Cost Centre on the application form.
Management Action Plan | Completion Date |
---|---|
Management agrees with the recommendations. | |
2. The following steps will be actioned by the Corporate Management Branch: | |
The ADM, CMB will formally approve the assignment of the coordinator and back-up. DG – CSD. | Completed |
3. The following steps will be actioned by the Corporate Management Branch: | |
Except for the corporate cards issued (cards issued in centralized functions such as administration) the RC will be linked to the manager requesting the card. Chief – MM. | March 31, 2010 |
2.6.7 Compliance issues existed in theusage of the acquisition cards and in the authorization and documentation of individual expenditures.
Appropriate Usage:
It was expected that acquisition card transactions would be compliant with the restrictions identified in the TB Policy on Acquisition Cards and the PS cardholder memorandum. The auditors found that 12% of the sampled transactions did not comply with the restrictions. Non-compliant transactions included: furniture, which should have been procured from a National Master Standing Offer; capital goods, restricted by the PS cardholder memorandum, which should have been procured using another method; and travel and vehicle maintenance, which should have been procured with a different card. Based on interviews, the causes of these deviations were due to cardholder misunderstandings on restricted procurement and in some cases employees were unable to use the appropriate procurement card. While these deviations were reasonable based on explanations, acquisition card restrictions are put in place to facilitate operations while providing for external reporting, internal tracking, and cost-effective purchasing.
It was expected that each individual acquisition card transaction would be limited to $5000 as per delegated financial authorities, and not be split between multiple purchases to circumvent the delegated financial authorities. The audit found general compliance with the authorized delegation of authority. It was exceeded in 1% of the sampled transactions, where the total value of a purchase was split between two transactions (down payment for hotel and equipment rentals). While the nature of the transactions was reasonable, these transactions did not comply with TB Contracting Policy and the delegation of financial authority.
Additionally, in 5% of the sampled transactions, IT purchases were made to the same vendor within a couple of days, for items totaling more than $5000 overall. It was explained that the IT organization purchases IT supplies on an as needed basis for the entire department and this could require multiple purchases of similar types of products with the same vendors in a short period of time. Based on discussions with the IT function, combined with the fact that the individual transactions were generally not identical, the auditors concluded that there was no intentional contract splitting. However, without clear documentation in regard to the IT procurement strategy, there is a risk of the perception of non-compliance, and unfair procurement practices.
Authorization:
The TB Acquisition Card policy states that unless the cardholder has expenditure authority, any use of the card must be pre-approved by an appropriate person who has this authority in order to ensure that the budget is available and that a valid requirement for such goods and services exists. However, the Receiver General Guidelines, also note that this process may not always be practical. It was expected there would be documentation in regard to the PS interpretation of this TB Acquisition Card policy requirement aligned with the Receiver General Guidelines. The auditors found no formal interpretation, however the CPU and Financial Services and Systems indicated that they do not require evidence of pre-approval for individual expenditures (with the exception of specific IT purchases, Training, and Hospitality expenditures). It was noted, based on a non-representative sample of interviews with PS employees, that communication between the cardholder and the RCM regarding the purchase did occur; however, there were no explicit expenditure pre-approvals documented by the cardholder or maintained in the transaction payment files sampled. While this pre-approval may not be considered by the CPU to be a key control in the acquisition card environment, having clarity within a PS policy as to what is required to address the TB requirement, will further enforce accountabilities and financial alignment.
It was expected that employees exercising Section 34 of the FAA, as per the PS Delegation of Financial Authorities, would have the appropriate delegation, which would be supported with a signed “Signature” card. The audit found in 8% of the sampled transactions, some form of deviation. These deviations included:
- Insufficient evidence of a valid “Signature” card;
- Inappropriate approval by RCM for his own acquisition card expenses; and
- Insufficient documentation on the “Signature” card for the period of time for which the employee had delegated financial authorities (i.e. Expiry Date).
Given the nature of the expenditures made through the acquisition card program, the lack of an effective inventory management system as noted previously, and the cost-benefit of performing additional audit procedures, the audit does not conclude on the actual receipt of, or business requirement for, the good or service. It should be noted that Financial Services and Systems implemented improvements to the Delegation of Financial Authorities and related “Signature” cards which should address some issues, however the implementation was outside of the timeframe of the audit and was not assessed.
Documentation:
As per the PS cardholder memorandum and the TB Policy on Acquisition Cards, all credit card receipts, appropriately itemizing the details of the purchases and applicable taxes, must be attached and reconciled to the individual monthly BMO statements. While this is a requirement to comply with Section 34 of the FAA, it also allows the necessary validation by Financial Services and Systems before a payment is made. The auditors found that in 20% of the sampled transactions the receipts were missing and in some cases the complete BMO statement was not on file. While it is recognized that there may be a need for flexibility in the application of the TB policy, without the enforcement of this documentation, there is the risk of inappropriate items going undetected, ineffective monitoring controls, and inefficiencies due to time spent by the support functions to inquire and justify these items.
Although activities were generally compliant, and the findings were not significant, the aggregate amount of multiple minor issues or internal control deviations, compounds the risk of misuse and non-compliance.
Recommendation:
4. The CMB should develop and document an appropriate IT procurement strategy which would include the review of the usage restrictions, transactional limits, etc. for acquisition cards.
Management Action Plan | Completion Date |
---|---|
Management agrees with the recommendations. | |
4. The following step will be actioned by the Corporate Management Branch: | |
CPU will review with IT the departmental practices with a view to ensuring that the use of acquisition cards to procure IT assets is compliant with the new TB directive on acquisition cards. Chief – MM. | March 31, 2010 |
Annex A – Main Criteria
- An appropriate management control framework has been established based on a risk-based assessment
- Roles and responsibilities for all stakeholders were clearly defined, documented, and effectively communicated
- Training needs were defined, assessed and provided in a timely manner
- Monitoring and control mechanisms were clearly defined, and implemented consistently
- Issuance, cancellation and documentation of acquisition cards were compliant with TB and PS policy and guidelines
- Transactions were compliant with TB and PS policy and guidelines
- Sufficient and appropriate documentation was maintained throughout the acquisition card activities so as to allow for effective decision making and provide evidence of due diligen
Notes
1 Source 2009-10 Report on Plan and Priorities
2 Including the TB Policy on Acquisition Cards dated January 1, 1998
3 Source 2009-10 Report on Plan and Priorities
4 Including the TB Policy on Acquisition Cards dated January 1, 1998
5 This is based on a level of confidence of 97%, an expected error rate of 3% and a precision rate of 3%.
- Date modified: