Internal Audit Report
Audit of Acquisition Cards

March 2017

Table of Contents

1.0 Executive Summary

Background

Government acquisition cards provide a cost-effective, secure and convenient method of procuring and paying for goods and services while ensuring effective financial control.

At the Canadian Food Inspection Agency (CFIA or Agency), there are over 500 active acquisition cards with 29,000 transactions and annual expenditures of $13 million. The use of acquisition cards is governed by the Treasury Board Directive on Acquisition Cards and the Financial Administration Act (FAA), and is inherently subject to government and public scrutiny. On this basis, the audit was included as part of the approved CFIA 2016-17 Risk-based Audit Plan.

Audit Objective and Scope

The objective of the audit was to provide assurance on the adequacy and effectiveness of controls to support the management of the acquisition card program, including compliance with applicable legislation, policies, standards and directives. The scope of the audit covered acquisition card processes in place, and transactions that occurred between April 2015 and June 2016.

Key Audit Findings

The Agency has a well-defined control framework over the use and management of acquisition cards. More specifically, the following good management practices were noted:

  • Policy and guidelines related to the management and use of acquisition cards are well defined and consistent with expectations of Treasury Board;
  • Procedures and tools are in place that support policy and the administration of the acquisition card program;
  • Performance of the responsibilities of the key stakeholders in the administration of the program including the National Acquisition Card Coordinator and management and staff of Accounting Operations is in accordance with related Treasury Board and CFIA directives and expectations;
  • Monitoring and quality assurance mechanisms are in place to review acquisition card transactions, identify potential concerns and take appropriate actions; and,
  • Effective and regular reporting of the results of monitoring and quality assurance activities to senior management are carried out.

Conclusion

There are adequate and effective controls in place to support the management of the acquisition card program, including compliance with applicable legislation, policies, standards and directives. Opportunities for improvement were noted which are addressed by the recommendations to this report.

2.0 Introduction

2.1 Background

Acquisition cards are credit cards issued to employees of the Government of Canada to enable them to make timely purchases in support of government operations. The use of acquisition cards simplifies the purchases of goods and services, by providing a convenient and less burdensome method of procurement and payment while ensuring effective financial control. Their use offers the potential to realize economic benefits via operational efficiencies in the procurement and payment processes, and through volume rebates offered by the card issuer.

The use of acquisition cards within the Canadian Food Inspection Agency (CFIA) is a preferred method of procurement and payment of goods and services when the purchase is within delegated transaction authority and it is efficient, economical and operationally feasible. In March 2014, the Corporate Management Branch (CMB) implemented the Procurement to Payment Process – Acquisition Card Purchase Process - $10,000 and Under to provide an integrated process to be followed in the requisitioning, procuring, recording and paying for goods and services purchased using Acquisition Cards.

The use of the acquisition card is subject to requirements of the CFIA Directive on Acquisition Cards and the supporting CFIA Standard on the Use of Acquisition Cards in addition to those set forth in the Treasury Board Directive on Acquisition Cards.

The Financial Services Directorate, CMB, is responsible for the overall management of CFIA's acquisition card program. Within the Financial Services Directorate, the National Acquisition Card Coordinator (NACC) is responsible for administering the acquisition card program, including card authorization, issuance, cancellation, and monitoring of use. The Corporate Accounting and Monitoring unit is responsible for conducting monitoring compliance of acquisition card transactions in accordance with the Financial Administration Act and financial compliance instruments, as part of its quality assurance responsibilities over all financial transactions.

The majority of acquisition cards are Mastercard (over 500 cards active as of June 30, 2016). There were also 5 Visa credit cards, for use by certain employees that buy specific items from vendors that do not accept payments through Mastercard. During the period of April 1, 2015 to June 30, 2016 there were 35,141 total transactions, amounting to $15,239,372.

2.2 Objective

The objective of the audit was to provide assurance that there are adequate and effective controls in place to support the management of the acquisition card program, including compliance with applicable legislation, policies, standards and directives.

2.3 Scope

The scope of the audit covered the design and operational effectiveness of the management controls in place to support CFIA's use and management of acquisition cards. Specifically, the audit:

  • Assessed processes and activities of the Corporate Management Branch (CMB) relating to the policy framework supporting the issuance, control and cancellation of acquisition cards and the monitoring of transactions and reporting of related results; and,
  • Assessed the extent of compliance with key aspects of central agency and CFIA policies and directives relating to expenditure authorization, eligibility, certification, and procurement requirements.

The audit was carried out between September and November 2016, and covered transactions and activities that took place from April 2015 to June 2016.

2.4 Approach

The audit was conducted in accordance with the requirements of the TB Policy on Internal Audit and followed the Internal Auditing Standards for the Government of Canada.

The audit was planned and performed so as to obtain reasonable assurance that the audit objective was achieved. A risk assessment was conducted at the beginning of the audit to establish the audit criteria (refer to Appendix A), which were accepted by management. The audit findings are based on a comparison of the conditions in place at the time of the audit with the audit criteria.

Audit procedures included:

  • Process mapping
  • Walk-throughs and review of key related administrative and monitoring processes and activities related to acquisition cards undertaken by CMB;
  • Interviews with acquisition card holders, responsibility centre managers and CMB managers and staff;
  • Review of supporting documentation and data analysis of acquisition card transactions;
  • Testing of acquisition card issuance and cancellation processes;
  • Detailed testing of acquisition card transactions for the purposes of assessing:
    • The effectiveness of the monitoring and quality assurance activities undertaken by CMB (49 transactions tested); and,
    • The level of compliance to CFIA and TB requirements (126 transactions tested).

2.5 Statement of Conformance

The audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the CFIA's internal audit quality assurance and improvement program. Sufficient and appropriate auditing procedures were performed and evidence gathered in accordance with Institute of Internal Auditor's International Standards for the Professional Practice of Internal Auditing and to provide a high level of assurance over the findings and conclusion in this report. The findings and conclusions expressed in this report are based on conditions as they existed at the time of the audit, and apply only to the entity examined.

3.0 Findings and Recommendations

3.1 Control Framework over the Acquisition Card Program

A policy framework is in place, and roles, responsibilities and accountabilities are well defined, communicated, and adequately supported by procedural documents.

The Treasury Board Directive on Acquisition Cards requires that Chief Financial Officers establish risk-based management practices and controls (control framework) to ensure economical, efficient and secure use of acquisition cards. A control framework includes clear policies and procedures, clear roles and responsibilities, training and safeguard controls over the issuance and cancellation of cards.

The audit found that the Agency has in place a suite of policy and guidance documents for acquisition cards. Key among these documents are the Directive on Acquisition Cards, Standard on the use of Acquisition Cards and, the Procurement to Payment Process for acquisition card purchases under $10,000. The documents are available on the Agency's intranet, and are current and consistent in all key respects, with the policy, requirements and expectations as set out by Treasury Board.

We also noted that there are mechanisms in place to support understanding of the policies and related requirements. The CFIA policy and guidance documents clearly outline the responsibilities of key stakeholders in the acquisition card program. In addition, the NACC provides active support to all users.

There are effective controls in place for card management relating to issuance, credit limits, tracking and cancellation of acquisition cards.

We examined the processes for administration of the acquisition card program covering issuance, setting credit card limits, and cancellation of cards.

The audit found that the issuance procedures are followed, limits are dully approved and card cancellations take place in a timely manner. The centralization of card management responsibilities under the office of the NACC is a strong overall control in ensuring process consistency and effectiveness.

Cards are issued only after key policy requirements are met, including responsibility centre manager (RCM) signed authorization, provision of training to the prospective card holders, and signed acknowledgement of responsibilities by the card holder.

The NACC maintains a current log of acquisition cards and is diligent in tracking limit changes. Incidences of compromised, lost, or stolen cards are also tracked and reported to senior management as part of regular reporting.

Testing of card cancellation confirmed that card holders and RCMs are diligent in informing the NACC of cardholder departures so that the card can be cancelled in a timely manner. For the sample of departures tested, the card was cancelled by the NACC immediately upon receipt of notification by the RCM and / or cardholder.

3.2 Compliance

The Agency's acquisition card usage and transactions are generally in compliance with the policy framework.

RCMs have a critical role to play in ensuring the integrity of the purchase process through the use of acquisition cards. Managers are accountable for purchases, both before and after the transaction takes place. CMB, through its Account Payable Centres, reviews the transaction to exercise payment authority under Section 33 of the FAA.

Managers are required to sign off on a monthly reconciliation of credit card transactions. Their signature signifies their accountability under section 34 of the FAA that the goods and services have been received.

We tested compliance with the key controls/requirements of the FAA and the TB Directive on Account Verification using a sample of 126 transactions that were selected by using targeted and random methods of sampling. Specifically, we tested that expenditures were:

  • properly pre-authorized (s. 32 FAA)
  • approved by the delegated financial authority (s. 34 FAA)
  • supported by complete documentation as required by the Treasury Board Directive on Account Verification

We noted that from the total of 126 expenditures tested, 93% were appropriately pre-authorized (s. 32) and 95% were appropriately approved (S. 34) by a valid delegated financial authority. These percentages are only slightly lower than CMB's targeted compliance rate for critical errors. Further, a review of supporting documentation showed a level of compliance of 92% regarding the requirement to maintain appropriate supporting documentation with reference to proof of services rendered or goods received.

In addition, we tested the sample for certain procedures and best practices that are Agency-specific, described in the Standard on the Use of Acquisition Cards which is the compliance instrument intended to regulate the use and administration of acquisition cards. The audit found the following:

  • Pre-approval for IT assets - 2 out of 2 (100%) identified did not obtain IMIT's pre-approval
  • Quotes for goods and services - 12 out of 38 (32%) did not obtain quotes as recommended by the Standard
  • Assets exceeding $1,000 reported for tracking purposes – 11 out of 16 (69%) did not contact Assets Management for determination of asset identification requirement.

Overall, compliance against these procedural requirements is low. It is also noted that CMB does not monitor for compliance to procedural requirements. Non-compliance against procedural requirements may reduce the Agency's ability to ensure compatibility with its IT networks, properly track assets and demonstrate good value.

Recommendation 1:

The Vice President, Corporate Management Branch should reconfirm standard procedures and best practices on the use of acquisition cards, and communicate these to managers and card holders to ensure awareness.

3.3 Monitoring and Reporting

Risk-based quality assurance and monitoring activities are undertaken. However, monitoring could be enhanced through strengthening data analytics and expanding to cover all policy requirements.

In accordance with the TB Directive on Account Verification, financial officers are responsible for exercising payment authority (s. 33 of the FAA) and implementing a risk-based quality assurance and monitoring activity.

The audit found that NACC carries out monthly monitoring. The monitoring procedures are documented and activities are undertaken in a consistent manner. Follow up is taken where potential instances of non-compliance related to expenditure eligibility, use of the card by someone other than the card holder, or potential transaction splitting practices are identified.

Monitoring results are appropriately summarized and included in the formal reports provided within a reasonable time frame to senior management. As part of these reports, the NACC also provides various metrics on the acquisition card program including but not limited to: spending by Branch, top vendors by amount, and instances of lost or stolen cards.

Accounting Operations undertakes quarterly monitoring as part of its risk-based quality assurance plan over account verification for non-pay expenditures. The plan allows for the potential random selection of acquisition card transactions as part of the sample reviewed. In addition to this, Accounting Operations also undertakes monthly risk-based monitoring specifically of acquisition card transactions. This monitoring includes transactions identified as 'high risk' and is aimed to ensure that use of the card by all acquisition card holders is tested over a four year cycle.

The audit tested the quality assurance and monitoring activities undertaken by Accounting Operations by reviewing 29 transactions that had been subjected to monthly monitoring procedures and 20 transactions that were part of the quarterly non-pay quality assurance testing. The results of the testing confirmed that monitoring and quality assurance is undertaken pursuant to established processes.

However, audit testing and interviews confirmed that there are certain aspects of the acquisition card policy suite that are not subject to monitoring. These include obtaining quotes, obtaining equipment numbers for low-value assets and consulting with IMIT Branch for IT related purchases. In addition, we noted in our sample work that complete documentation supporting receipt of goods was not always available from the card holder or the delegated manager in support of Section 34 approval. Active monitoring or introducing other mechanisms to ensure compliance related to the above aspects of the policy would reinforce desired actions to be taken by cardholders and RCMs.

Monitoring is generally a manual process. For example, the review of the population of transactions and selecting the sample for testing is primarily a manual process for Accounting Operations and exclusively manual for NACC. Although data analytics software applications with data mining and analysis functionality are available, they are not used to their fullest potential in the monitoring/QA processes.

Maximizing the use of available computer applications in selecting the samples could lead to improved efficiency by automating the methods to detect and monitor certain behavior, and by allowing for repeat tests that can be run on the data at any time.

Recommendation 2:

The Vice President, Corporate Management Branch should consider enhancing its quality assurance and monitoring activities by:

  • Expanding the use of data analytics
  • Expanding monitoring or introducing other mechanisms to ensure compliance with the CFIA Standard on the use of Acquisition Cards.

Appendix A: Audit Criteria

Criterion

Line of Enquiry 1: Overall Control Framework
1.1 There are adequate policies, directives and procedures in place to govern Acquisition Card activities and related expenditures
1.2 There are mechanisms in place to support personnel in understanding and discharging their responsibilities and complying with related policy and directive requirements on a continuous basis
1.3 There is due diligence exercised in managing the issuance, control and cancellation of Acquisition Cards
Line of Enquiry 2: Compliance
2.1 Acquisition card purchases are properly authorized in accordance with the FAA section 32 and related CFIA requirements
2.2 Acquisition card purchases are properly reviewed in accordance with the FAA section 34 and related CFIA requirements
Line of Enquiry 3: Monitoring and Reporting
3.1 Adequate monitoring and quality assurance activities are undertaken to manage key risks, support the continuous effective operation of controls, and ensure compliance to policies and procedures.
3.2 Reporting of results of monitoring and QA activities is appropriate and timely to inform management decisions
3.3 There is risk based and timely follow up and response to identified issues and concerns

Appendix B: Management Response and Action Plan

Overall Management Response: CMB's in agreement with the findings of the audit.

Audit Recommendation Management Response and Action Plan Implementation or Completion Date Responsible Lead (s)

CMB will review the Standard on the use of the acquisition cards and make changes if needed or reconfirm the standard.

CMB will communicate the standard and the identified opportunities for improvements to:

Card Holders

  • Reminder email (periodically)
  • Incorporate findings in the Acquisition Card initial training
  • Incorporate findings in the Financial Overview training for administrative assistants

Managers

  • Message to managers
  • Incorporate findings in the Financial Overview training for managers.
November 2017 Accounting Operations, Financial Services, CMB

Recommendation 2:

The Vice President, Corporate Management Branch should consider enhancing its quality assurance and monitoring activities by:

  • Expanding the use of data analytics
  • Expanding monitoring or introducing other mechanisms to ensure compliance with the CFIA Standard on the use of Acquisition Cards.

Response:

CMB will review its processes with a risk lens that will determine the priorities and any further actions.

CMB will also incorporate the findings of the audit in the training material and communications.

Plan:

Consider the use of advanced tools for data analytics (Ex: IDEA, BMO online system, etc.). Possibly incorporate in the monitoring procedures of the NACC if feasible.

Incorporate the findings of the audit in the current monitoring by NACC and QA (regarding findings related to contacting IT and Assets)

CMB will consider amending the signature block on the Acquisition card report to describe the responsibilities accompanying section 34.

CMB will contact BMO to inquire if a section 34 signature block can also be added on the Acquisition card statement itself.

August 2017 Accounting Operations, Financial Services, CMB
Date modified: