The audit was Agency-wide in scope and covered acquisition card transactions for the period of April 1, 2008 to September 30, 2009.
June 2010
The Canadian Food Inspection Agency (CFIA or, the Agency) has used acquisition cards since the Agency's inception in 1997. Within certain restrictions, purchases of goods and services under $5,000 can be requisitioned, paid for and received by the cardholder (the limit was changed to $10,000 on December 29, 2009). As at April, 2010 there were 770 acquisition cardholders with active cards within the Agency. During the period of April 1, 2008 to September 30, 2009 there were 63,062 transactions amounting to $19,806,068.82.
Within the levels of procurement authority delegated to CFIA by Treasury Board (TB) and Public Works and Government Services Canada; CFIA's Policy on Acquisition Card Program together with the Treasury Board's (TB) Policy on Acquisition Cards (superseded by the TB Directive on Acquisition Cards; effective as of October 1, 2009) govern the use of acquisition cards for Agency procurement and payment of goods and services where it is efficient, economical and operationally feasible to do so.
The objective of this audit is to provide management with assurance as to the adequacy and effectiveness of controls over acquisition cards, as well as compliance with Agency and Treasury Board policies.
The audit was Agency-wide in scope and covered acquisition card transactions for the period of April 1, 2008 to September 30, 2009. The policies in force for transactions during this period were the 1998 TB Policy on Acquisition Cards and CFIA's Policy on Acquisition Card Program. In the interest of providing forward-looking advice, we also assessed the consistency of CFIA's Policy on Acquisition Card Program with TB's new Directive on Acquisition Cards; that became effective October 1, 2009.
Finding 1:
CFIA policies are inconsistent with the new TB Directive on Acquisition Cards.
Recommendation 1:
The Executive Director, Assets and Security Management Directorate should ensure that the CFIA policy suite is updated to remain consistent with the TB Directive and other internal CFIA policies.
Finding 2:
Transactions identified through monitoring and reporting that are inconsistent with CFIA's Policy on Acquisition Card Program or the TB Policy on Acquisition Cards are left unaddressed by specific corrective actions.
Recommendation 2:
The Executive Director, Assets and Security Management Directorate should ensure that appropriate corrective actions are undertaken in cases of non-compliance.
Finding 3:
Responsibility Center Managers receive incomplete training with regard to their roles and responsibilities in managing acquisition cards.
Recommendation 3:
The Executive Director, Assets and Security Management Directorate should ensure that training and guidance is provided to Responsibility Center Managers with regard to their roles and responsibilities for Acquisition Cards.
Finding 4:
In the majority of criteria and transactions assessed, CFIA is compliant with the specific expectations of TB's Policy on Acquisition Cards and CFIA's Policy on Acquisition Card Program. In some instances; controls, expenditure amounts or authorizations for FAA Section 32 are inconsistent with policy requirements.
Recommendation 4:
The Executive Director, Assets and Security Management Directorate should ensure that the requirements of federal legislation, TB policies and directives, and CFIA policies related to acquisition cards are communicated and followed.
Finding 5:
A formal risk management approach for CFIA's acquisition card program remains to be developed. Risks are unidentified and assessed and systemic mitigation strategies remain to be implemented.
Recommendation 5:
The Executive Director, Assets and Security Management Directorate should ensure that the acquisition card program formalizes and implements an appropriate risk management framework.
In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria. The opinion is applicable only to the entities examined and within the scope described herein.
In my opinion, CFIA has weaknesses, with low risk exposures related to the governance, internal control and risk management processes relative to the acquisition cards program that require management attention.
Peter Everson
Chief Audit Executive, Canadian Food Inspection Agency
* The audit opinion is based on overall materiality and risk as represented by the noteworthy findings and recommendations reported.
The Canadian Food Inspection Agency (CFIA or, the Agency) has used acquisition cards since the Agency's inception in 1997. Within certain restrictions, purchases of goods and services under $5,000 can be requisitioned, paid for and received by the cardholder (the limit was changed to $10,000 on December 29, 2009). As at April, 2010 there were 770 acquisition cardholders with active cards within the Agency. During the period of April 1, 2008 to September 30, 2009 there were 63,062 transactions amounting to $19,806,068.82.
Within the levels of procurement authority delegated to CFIA by Treasury Board (TB) and Public Works and Government Services Canada; CFIA's Policy on Acquisition Card Program together with the Treasury Board's (TB) Policy on Acquisition Cards (superseded by the TB Directive on Acquisition Cards; effective as of October 1, 2009) govern the use of acquisition cards for Agency procurement and payment of goods and services where it is efficient, economical and operationally feasible to do so. Obligations and responsibilities of management and acquisition card holders are outlined in TB policy with financial transactions expected to be in compliance with the Financial Administration Act (FAA), particularly sections 32, 33, and 34.
The Contracting and Procurement Policy Directorate (CPPD) falls under the Finance, Administration and Information Technology Branch (FAIT). The National Procurement and Contracting Service Centre (NPCSC) is situated under the CPPD and is mandated to nationally manage the Agency's procurement and contracting activities according to CFIA and TB policies, national and international trade agreements and the program objectives of the Government of Canada.
The National Acquisition Card Coordinator (NACC) for the Agency is part of the National Procurement and Contracting Service Centre (NPCSC); is responsible for the administration of the acquisition card program, and is responsible for contact between cardholders and the financial institution granting the cards.
An audit of the CFIA Acquisition Card Program was completed in March 31, 2002. The original scope of the audit encompassed a review and assessment of the overall framework in place for managing purchases using acquisition cards. Subsequent follow-ups reported that all 13 recommendations had been implemented.
The objective of this audit is to provide management with assurance as to the adequacy and effectiveness of controls over acquisition cards, as well as compliance with Agency and Treasury Board policies.
The audit was Agency-wide in scope and covered acquisition card transactions for the period of April 1, 2008 to September 30, 2009. The policies in force for transactions during this period were the 1998 TB Policy on Acquisition Cards and CFIA's Policy on Acquisition Card Program. In the interest of providing forward-looking advice, we also assessed the consistency of CFIA's Policy on Acquisition Card Program with TB's new Directive on Acquisition Cards; that became effective October 1, 2009.
The audit was conducted in a manner consistent with the TB Policy on Internal Audit. The following steps were taken by the audit team to meet the audit objectives:
We examined a stratified, non-statistical, judgemental sample of 150 transactions (totalling $414,096) out of the total of 63,062 acquisition card transactions ($19,806,068.82) during the period April 1, 2008 to September 30, 2009. The sample included 70 randomly selected transactions and 80 higher risk transactions. Higher risk transactions included items that the financial system recorded as either duplicate transactions, those over $10,000, week-end transactions or those with unusual vendors.
This section presents detailed findings from the audit of Acquisition Cards at CFIA. Findings are based on the evidence and analysis from both the initial risk analysis and audit conduct.
We would expect to find that CFIA policies, guides and manuals are consistent with the TB Policy on Acquisition Cards.
CFIA's Policy on Acquisition Card Program states that the Acquisition Card Program is governed by TB's Policy on Acquisition Cards. Effective October 1, 2009, a new TB Directive on Acquisition Cards superseded the TB Policy on Acquisition Cards. The Agency reviews TB updates annually and changes to the Agency's Policy on Acquisition Card Program are made as required. In 2009, the decision was made to delay the update until the new TB Directive became effective. As of April, 2010 the Agency's Policy on Acquisition Card Program differs from the new TB Directive in several ways including the following:
As a result, Agency Policy now differs from the new TB Directive which includes the following:
Recent changes to the CFIA Policy on Acquisition Card Program to increase the transaction ceiling to $10,000 in December, 2009 placed the policy in conflict with the CFIA Procurement to Payment Process: Acquisition Card Purchase Process - $5,000 and Under, which limited acquisition card purchases to $5,000. As well, a CFIA National Info Bulletin was sent out in April, 2007 informing Agency staff that the 'per transaction limit' had been increased to $10,000 while the CFIA Policy on Acquisition Card Program was not formally updated until December, 2009. The Agency moved to address these inconsistencies in February, 2010 with a formal policy update.
Updating the CFIA policy suite to reflect current TB policies and directives in a timely manner will help to reduce the risk of non-compliance with TB direction as well as inconsistencies within the financial management policy framework of CFIA.
Recommendation 1.0:
We would expect to find that monitoring and reporting practices are completed as per CFIA's Policy on Acquisition Card Program and the TB Policy on Acquisition Cards.
Both the National Procurement and Contracting Service Centre and the National Accounts Payable Service Centre are required to undertake periodic reviews to determine whether acquisition cards are being used as per TB and Agency policy. To monitor Agency acquisition card use CFIA uses the credit card provider's web-based system and the Agency's accounting system, SATURN, which is used to capture financial information and process payments to the credit card provider.
The credit card provider's system allows the Agency to perform acquisition card monitoring and pre-programmed reporting functions (e.g.: spending patterns, and card status). Transaction information is available to the National Acquisition Card Coordinator (NACC) from the credit card provider. The system is used to analyze acquisition card purchases through information such as Purchase Analysis Reports. On a quarterly basis, the NACC undertakes and reports on a review of transactions and explanations for unusual transactions.
CFIA's accounting system includes all acquisition card transactions, which are entered either electronically by the cardholder or by staff in the National Accounts Payable Service Centres (NAPSC) in Guelph or Montreal. Each month, cardholders verify the accuracy of their statements, which are then approved FAA section 34 (goods received / services performed) by their Responsibility Center Manager (RCM) and sent to Accounts Payable (NAPSC) for payment (FAA Section 33). Each month, as per the CFIA policy, NAPSC quality assurance (Monitoring and Financial Controls Unit) - reviews a random sample of 8 cardholder's transactions in each NAPSC plus 2 additional cardholders from each NAPSC based on perceived level of risk. The activities undertaken by NAPSC quality assurance during FY 2008-2009 were as follows:
|
Acquisition Card Transactions | NAPSC Quality Assurance | ||
---|---|---|---|---|
Quarter (FY 2008/09) | Amount Invoiced | # of Transactions | Amount Sampled | # of Transactions |
Q1 | $ 2,067,874.54 | 7,512 | $ 15,808.94 | 124 |
Q2 | $ 3,237,090.97 | 11,306 | $ 58,591.70 | 212 |
Q3 | $ 3,318,659.84 | 9,801 | $ 54,518.01 | 185 |
Q4 | $ 3,680,966.91 | 10,507 | $ 48,856.36 | 173 |
Totals | $ 12,304,592.26 | 39,126 | $ 177,775.01 | 694 |
NAPSC verified 694 transactions amounting to $177,775.01. The verification represents 1.77% of the total dollar amount and 1.44% of the total transactions. Monitoring reports from both the NACC as well as NAPSC's quality assurance include instances (such as insufficient supporting documents, financial coding, or payment amount errors) where acquisition card transactions have occurred that are not in compliance with either the TB or CFIA acquisition card policies.
There is a clear practice with regard to how and to whom reports on non-compliance are communicated. Policy, systems, practices, roles and responsibilities with regard to requirements for corrective actions related to non-compliant transactions remain undeveloped as is the definition of, or follow-up on specific corrective actions to be taken.
The risk of patterns and instances of non-compliant acquisition card use can be mediated in part by a systemic approach to rectify non-compliant expenditures through clear corrective action and follow-up.
Recommendation 2.0:
We would expect to find that training on using acquisition cards is available and provided in a timely manner. The National Acquisition Card Coordinator (NACC) is expected to ensure that mandatory training on the use of acquisition cards is delivered prior to card issuance. All cardholders receive training prior to receiving their cards.
Roles and responsibilities of Responsibility Center Managers (RCMs) are set out in CFIA's Policy on Acquisition Card Program. By virtue of their position, RCMs are often responsible for multiple cardholders. They are responsible for establishing credit limits in line with the authorities delegated to the RCM (and based on the individuals spending needs), for setting restrictions on the use of the cards and for ensuring the proper use of the acquisition cards.
While RCMs do not receive the training required of the cardholders; they must complete the Agency's 'Managing for Success' training for managers with delegated authorities and a small part of this course is specifically dedicated to the use of acquisition cards. RCM's are also invited to listen in on the training delivered by the NAAC and there are 'SAP Credit Card Information Sessions' as well as the 'Financial Overview' course available to all Agency staff throughout the year. The Agency has yet to develop and deliver specific guidelines or training available to RCMs on issues such as what constitutes an appropriate credit limit or when an increase is required (limits range from $1,000 to $200,000).
RCMs with incomplete training on acquisition cards may result in oversight and purchases that are inconsistent with policies.
Recommendation 3.0:
We would expect to find that acquisition card transactions comply with TB Policy on Acquisition Cards and CFIA Policy on Acquisition Card Program.
Policy Compliance
Detailed testing (based on the specific expectations of the TB and CFIA policies) of the 150 sampled transactions found that all transactions met the following criteria:
Policy Non-Compliance
In a small number of instances, controls that we expected to find were not fully implemented in compliance with the expectations of the TB and CFIA policies:
In our sample of 150, there were two (2) instances in which the transaction was over the cardholder's per transaction limit. A total of 36 transactions (24%) were over the $5,000 limit set by the CFIA policy in place at the time; and of those, three (3) transactions were over the new $10,000 limit.
Section 32 Concerns
Section 32 of the FAA, referenced in both the CFIA and TB policies, requires that only individuals who have appropriate delegated authority may authorize expenditures (subject to the limits and conditions established by the delegation). The individual with the appropriate delegation must ensure that the funds are available to meet the commitments.
The CFIA Commitment Policy states that a commitment must be established for individual expenditures above $500. This policy also states that acquisition cards have their own commitment and payment process that should be followed. The CFIA Policy on Acquisition Card Program does not identify the threshold at which Authority Request (AR) is or is not required, nor does it reference the CFIA Commitment Policy.
Our testing of a sample of 150 transactions ($414,096) found that 43 (29%) of those over $500 had no approved AR prior to purchase. CFIA policy states that cardholders with no budgetary control must ensure appropriate expenditure initiation authority is in place prior to purchasing goods or services. CFIA policy does not state if an AR is required for a purchase under $500 or when a blanket authority may be accepted.
Recommendation 4.0:
We would expect to find that a risk assessment process exists including identified controls to mitigate the risks. Risk assessments include an overall assessment of risk exposure in terms of the likelihood of occurrence and the impact of the risk should it occur. Each of these risks are prioritized and mitigated, monitored and accepted.
A formal risk management framework for CFIA's acquisition card program remains undeveloped. Risks have not been identified and assessed nor have systemic mitigation strategies been implemented. While quarterly monitoring and reports are undertaken and ad hoc responses are implemented, a mature risk management approach may help to mitigate some of the control issues identified.
Identifying, assessing and updating risks in a systemic manner in terms of the Agency's acquisition card program will help to ensure a sound understanding of the risks involved in CFIA's acquisition card program and promote the development of strategies to mitigate these risks.
Recommendation 5.0:
Governance
Risk Management:
Control:
It is our understanding that CFIA's Acquisition card Program is well managed and is compliant with the expectations of TB's Policy on Acquisition Cards and CFIA's Policy on Acquisition Card Program. When Acquisition cards were first introduced to the Government of Canada, they were meant to replace the Local Purchase Order as a fast and efficient procurement process for low risk, high volume transactions. Raising the financial limits on the cards in this environment now means that procurement can be made up to $10K without the normal procurement rigor being applied. In our policy review, FAIT will consider this risk and put in place to ensure that expected procurement practices are followed, whether a card is used for payment or not. The management accepts the recommendations and proposes the following action plan. ASMD will work in cooperation with Financial Services for Action 1 which focuses on the review of existing policies, for Action 2 for the development of a monitoring plan, and Action 4 for the development of a communication plan. Action 3 and 5 will be the responsibility of ASMD.
The Executive Director, Assets and Security Management Directorate should ensure that the CFIA policy suite is updated to remain consistent with the TB Directive and other internal CFIA policies.
Proposed Management Actions | Responsible Official(s) | Implementation Date |
---|---|---|
The CFIA policy suite that refers to the administration of the acquisition card will be reviewed and updated to comply with the new TB Directive and other internal CFIA policies, and will include new appropriate sanction provisions (e.g. suspension and revocation of an acquisition card) in the event of non-compliance. | ED, Assets and Security Management Directorate | March 31, 2011 |
The CFIA Commitment Policy will be updated to be in line with the recent, updated TBS commitment policy. | ED, Financial Services | March 31, 2011 |
The Executive Director, Assets and Security Management Directorate should ensure that appropriate corrective actions are undertaken in cases of non-compliance.
Proposed Management Actions | Responsible Official(s) | Implementation Date |
---|---|---|
The ED, ASMD will prepare and formalize, in consultation with Financial Services, a written Monitoring Plan for the Acquisition Card. |
ED, Assets and Security Management Directorate |
December 31, 2010 |
This plan will include the application of consequences in cases where there is misuse and non-compliance with the Policy; and include the communication of consequences for non-compliance to acquisition card holder and responsible managers. |
ED, Financial Services |
December 31, 2010 |
The Executive Director, Assets and Security Management Directorate should ensure that training and guidance is provided to Responsibility Center Managers with regard to their roles and responsibilities for Acquisition Cards.
Proposed Management Actions | Responsible Official(s) | Implementation Date |
---|---|---|
To develop and submit to ED, ASMD, for approval, specific written guidelines for Responsibility Center Managers (RCMs) on what constitutes an appropriate credit limit and on when an increase is required. To communicate such guidelines to RCMs through bulletin and/or training. |
ED, Assets and Security Management Directorate |
March 31, 2011 |
The Executive Director, Assets and Security Management Directorate should ensure that the requirements of federal legislation, TB policies and directives, and CFIA policies related to acquisition cards are communicated and followed.
Proposed Management Actions | Responsible Official(s) | Implementation Date |
---|---|---|
To develop a communication plan and submit to ED, ASMD, for approval, to clarify issues (and best practices) related to expenditure initiation authority (from RCMs) and commitment management. |
ED, Assets and Security Management Directorate |
September 30, 2010 |
To develop a communication plan and submit to ED ASMD for approval, to inform cardholders of changes to the policy suite such as sanction provisions (as indicated in Action #1). |
ED, Assets and Security Management Directorate |
March 31, 2011 |
The Executive Director, Assets and Security Management Directorate should ensure that the acquisition card program formalizes and implements an appropriate risk management framework.
Proposed Management Actions | Responsible Official(s) | Implementation Date |
---|---|---|
To formalize and implement a Risk Management Plan for contracting and procurement, including acquisition card management. |
ED, Assets and Security Management Directorate |
March 31, 2011 |