Government of Canada
Symbol of the Government of Canada
Skip to content | Skip to institutional links

Common menu bar links

About the CFIA > Sound Agency Management > Audits

Institutional links

Audit of Acquisition Cards

The audit was Agency-wide in scope and covered acquisition card transactions for the period of April 1, 2008 to September 30, 2009.

June 2010

Table of Contents

1.0 Executive Summary

1.1 Introduction

The Canadian Food Inspection Agency (CFIA or, the Agency) has used acquisition cards since the Agency's inception in 1997. Within certain restrictions, purchases of goods and services under $5,000 can be requisitioned, paid for and received by the cardholder (the limit was changed to $10,000 on December 29, 2009). As at April, 2010 there were 770 acquisition cardholders with active cards within the Agency. During the period of April 1, 2008 to September 30, 2009 there were 63,062 transactions amounting to $19,806,068.82.

Within the levels of procurement authority delegated to CFIA by Treasury Board (TB) and Public Works and Government Services Canada; CFIA's Policy on Acquisition Card Program together with the Treasury Board's (TB) Policy on Acquisition Cards (superseded by the TB Directive on Acquisition Cards; effective as of October 1, 2009) govern the use of acquisition cards for Agency procurement and payment of goods and services where it is efficient, economical and operationally feasible to do so.

1.2 Audit Objective and Scope

The objective of this audit is to provide management with assurance as to the adequacy and effectiveness of controls over acquisition cards, as well as compliance with Agency and Treasury Board policies.

The audit was Agency-wide in scope and covered acquisition card transactions for the period of April 1, 2008 to September 30, 2009. The policies in force for transactions during this period were the 1998 TB Policy on Acquisition Cards and CFIA's Policy on Acquisition Card Program. In the interest of providing forward-looking advice, we also assessed the consistency of CFIA's Policy on Acquisition Card Program with TB's new Directive on Acquisition Cards; that became effective October 1, 2009.

1.3 Findings and Recommendations

Governance

Finding 1:

CFIA policies are inconsistent with the new TB Directive on Acquisition Cards.

Recommendation 1:

The Executive Director, Assets and Security Management Directorate should ensure that the CFIA policy suite is updated to remain consistent with the TB Directive and other internal CFIA policies.

Finding 2:

Transactions identified through monitoring and reporting that are inconsistent with CFIA's Policy on Acquisition Card Program or the TB Policy on Acquisition Cards are left unaddressed by specific corrective actions.

Recommendation 2:

The Executive Director, Assets and Security Management Directorate should ensure that appropriate corrective actions are undertaken in cases of non-compliance.

Internal Control

Finding 3:

Responsibility Center Managers receive incomplete training with regard to their roles and responsibilities in managing acquisition cards.

Recommendation 3:

The Executive Director, Assets and Security Management Directorate should ensure that training and guidance is provided to Responsibility Center Managers with regard to their roles and responsibilities for Acquisition Cards.

Finding 4:

In the majority of criteria and transactions assessed, CFIA is compliant with the specific expectations of TB's Policy on Acquisition Cards and CFIA's Policy on Acquisition Card Program. In some instances; controls, expenditure amounts or authorizations for FAA Section 32 are inconsistent with policy requirements.

Recommendation 4:

The Executive Director, Assets and Security Management Directorate should ensure that the requirements of federal legislation, TB policies and directives, and CFIA policies related to acquisition cards are communicated and followed.

Risk Management

Finding 5:

A formal risk management approach for CFIA's acquisition card program remains to be developed. Risks are unidentified and assessed and systemic mitigation strategies remain to be implemented.

Recommendation 5:

The Executive Director, Assets and Security Management Directorate should ensure that the acquisition card program formalizes and implements an appropriate risk management framework.

1.4 Statement of Assurance

In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria. The opinion is applicable only to the entities examined and within the scope described herein.

1.5 Audit Opinion*

In my opinion, CFIA has weaknesses, with low risk exposures related to the governance, internal control and risk management processes relative to the acquisition cards program that require management attention.

Peter Everson
Chief Audit Executive, Canadian Food Inspection Agency

* The audit opinion is based on overall materiality and risk as represented by the noteworthy findings and recommendations reported.

2.0 About the Audit

2.1 Background

The Canadian Food Inspection Agency (CFIA or, the Agency) has used acquisition cards since the Agency's inception in 1997. Within certain restrictions, purchases of goods and services under $5,000 can be requisitioned, paid for and received by the cardholder (the limit was changed to $10,000 on December 29, 2009). As at April, 2010 there were 770 acquisition cardholders with active cards within the Agency. During the period of April 1, 2008 to September 30, 2009 there were 63,062 transactions amounting to $19,806,068.82.

Within the levels of procurement authority delegated to CFIA by Treasury Board (TB) and Public Works and Government Services Canada; CFIA's Policy on Acquisition Card Program together with the Treasury Board's (TB) Policy on Acquisition Cards (superseded by the TB Directive on Acquisition Cards; effective as of October 1, 2009) govern the use of acquisition cards for Agency procurement and payment of goods and services where it is efficient, economical and operationally feasible to do so. Obligations and responsibilities of management and acquisition card holders are outlined in TB policy with financial transactions expected to be in compliance with the Financial Administration Act (FAA), particularly sections 32, 33, and 34.

The Contracting and Procurement Policy Directorate (CPPD) falls under the Finance, Administration and Information Technology Branch (FAIT). The National Procurement and Contracting Service Centre (NPCSC) is situated under the CPPD and is mandated to nationally manage the Agency's procurement and contracting activities according to CFIA and TB policies, national and international trade agreements and the program objectives of the Government of Canada.

The National Acquisition Card Coordinator (NACC) for the Agency is part of the National Procurement and Contracting Service Centre (NPCSC); is responsible for the administration of the acquisition card program, and is responsible for contact between cardholders and the financial institution granting the cards.

An audit of the CFIA Acquisition Card Program was completed in March 31, 2002. The original scope of the audit encompassed a review and assessment of the overall framework in place for managing purchases using acquisition cards. Subsequent follow-ups reported that all 13 recommendations had been implemented.

2.2 Objective

The objective of this audit is to provide management with assurance as to the adequacy and effectiveness of controls over acquisition cards, as well as compliance with Agency and Treasury Board policies.

2.3 Scope

The audit was Agency-wide in scope and covered acquisition card transactions for the period of April 1, 2008 to September 30, 2009. The policies in force for transactions during this period were the 1998 TB Policy on Acquisition Cards and CFIA's Policy on Acquisition Card Program. In the interest of providing forward-looking advice, we also assessed the consistency of CFIA's Policy on Acquisition Card Program with TB's new Directive on Acquisition Cards; that became effective October 1, 2009.

2.4 Methodology

The audit was conducted in a manner consistent with the TB Policy on Internal Audit. The following steps were taken by the audit team to meet the audit objectives:

  • Review TB policies and directives as they relate to the use of acquisition cards;
  • Examine CFIA's Policy on Acquisition Card Program;
  • Conduct a preliminary survey of the acquisition card management framework as input to an Audit Planning Memorandum dated October 2009;
  • Conduct interviews and inquiries with selected Finance and Administration staff;
  • Analyze the procedures for the use of acquisition cards and monitoring and reporting the transactions; and
  • Examine a sample of acquisition card transactions.

We examined a stratified, non-statistical, judgemental sample of 150 transactions (totalling $414,096) out of the total of 63,062 acquisition card transactions ($19,806,068.82) during the period April 1, 2008 to September 30, 2009. The sample included 70 randomly selected transactions and 80 higher risk transactions. Higher risk transactions included items that the financial system recorded as either duplicate transactions, those over $10,000, week-end transactions or those with unusual vendors.

3.0 Findings and Recommendations

3.1 Introduction

This section presents detailed findings from the audit of Acquisition Cards at CFIA. Findings are based on the evidence and analysis from both the initial risk analysis and audit conduct.

3.2 Governance

Finding 1.0: Outdated Policy Suite

CFIA policies are inconsistent with the new TB Directive on Acquisition Cards.

We would expect to find that CFIA policies, guides and manuals are consistent with the TB Policy on Acquisition Cards.

CFIA's Policy on Acquisition Card Program states that the Acquisition Card Program is governed by TB's Policy on Acquisition Cards. Effective October 1, 2009, a new TB Directive on Acquisition Cards superseded the TB Policy on Acquisition Cards. The Agency reviews TB updates annually and changes to the Agency's Policy on Acquisition Card Program are made as required. In 2009, the decision was made to delay the update until the new TB Directive became effective. As of April, 2010 the Agency's Policy on Acquisition Card Program differs from the new TB Directive in several ways including the following:

As a result, Agency Policy now differs from the new TB Directive which includes the following:

  • Additional information on roles and responsibilities are defined for acquisition card coordinators, responsibility center managers and cardholders;
  • Responsibilities for the Chief Financial officer were included;
  • A list of activities that are considered appropriate and inappropriate are detailed; and
  • A section dedicated to consequences was added to look at instances of non-compliance and corrective measures.

Recent changes to the CFIA Policy on Acquisition Card Program to increase the transaction ceiling to $10,000 in December, 2009 placed the policy in conflict with the CFIA Procurement to Payment Process: Acquisition Card Purchase Process - $5,000 and Under, which limited acquisition card purchases to $5,000. As well, a CFIA National Info Bulletin was sent out in April, 2007 informing Agency staff that the 'per transaction limit' had been increased to $10,000 while the CFIA Policy on Acquisition Card Program was not formally updated until December, 2009. The Agency moved to address these inconsistencies in February, 2010 with a formal policy update.

Updating the CFIA policy suite to reflect current TB policies and directives in a timely manner will help to reduce the risk of non-compliance with TB direction as well as inconsistencies within the financial management policy framework of CFIA.

Recommendation 1.0:

The Executive Director, Assets and Security Management Directorate should ensure that the CFIA policy suite is updated to remain consistent with the TB Directive and other internal CFIA policies.

Finding 2.0: Corrective Actions Not Undertaken for Non-Compliance

Transactions identified through monitoring and reporting that are inconsistent with CFIA's Policy on Acquisition Card Program or the TB Policy on Acquisition Cards are left unaddressed by specific corrective actions.

We would expect to find that monitoring and reporting practices are completed as per CFIA's Policy on Acquisition Card Program and the TB Policy on Acquisition Cards.

Both the National Procurement and Contracting Service Centre and the National Accounts Payable Service Centre are required to undertake periodic reviews to determine whether acquisition cards are being used as per TB and Agency policy. To monitor Agency acquisition card use CFIA uses the credit card provider's web-based system and the Agency's accounting system, SATURN, which is used to capture financial information and process payments to the credit card provider.

The credit card provider's system allows the Agency to perform acquisition card monitoring and pre-programmed reporting functions (e.g.: spending patterns, and card status). Transaction information is available to the National Acquisition Card Coordinator (NACC) from the credit card provider. The system is used to analyze acquisition card purchases through information such as Purchase Analysis Reports. On a quarterly basis, the NACC undertakes and reports on a review of transactions and explanations for unusual transactions.

CFIA's accounting system includes all acquisition card transactions, which are entered either electronically by the cardholder or by staff in the National Accounts Payable Service Centres (NAPSC) in Guelph or Montreal. Each month, cardholders verify the accuracy of their statements, which are then approved FAA section 34 (goods received / services performed) by their Responsibility Center Manager (RCM) and sent to Accounts Payable (NAPSC) for payment (FAA Section 33). Each month, as per the CFIA policy, NAPSC quality assurance (Monitoring and Financial Controls Unit) - reviews a random sample of 8 cardholder's transactions in each NAPSC plus 2 additional cardholders from each NAPSC based on perceived level of risk. The activities undertaken by NAPSC quality assurance during FY 2008-2009 were as follows:

 

 Acquisition Card Transactions NAPSC Quality Assurance
Quarter (FY 2008/09) Amount Invoiced # of Transactions Amount Sampled # of Transactions
Q1 $ 2,067,874.54 7,512 $ 15,808.94 124
Q2 $ 3,237,090.97 11,306 $ 58,591.70 212
Q3 $ 3,318,659.84 9,801 $ 54,518.01 185
Q4 $ 3,680,966.91 10,507 $ 48,856.36 173
Totals $ 12,304,592.26 39,126 $ 177,775.01 694

NAPSC verified 694 transactions amounting to $177,775.01. The verification represents 1.77% of the total dollar amount and 1.44% of the total transactions. Monitoring reports from both the NACC as well as NAPSC's quality assurance include instances (such as insufficient supporting documents, financial coding, or payment amount errors) where acquisition card transactions have occurred that are not in compliance with either the TB or CFIA acquisition card policies.

There is a clear practice with regard to how and to whom reports on non-compliance are communicated. Policy, systems, practices, roles and responsibilities with regard to requirements for corrective actions related to non-compliant transactions remain undeveloped as is the definition of, or follow-up on specific corrective actions to be taken.

The risk of patterns and instances of non-compliant acquisition card use can be mediated in part by a systemic approach to rectify non-compliant expenditures through clear corrective action and follow-up.

Recommendation 2.0:

The Executive Director, Assets and Security Management Directorate should ensure that appropriate corrective actions are undertaken in cases of non-compliance.

3.3 Internal Control

Finding 3.0: Incomplete Training Coverage

Responsibility Center Managers receive incomplete training with regard to their roles and responsibilities in managing acquisition cards.

We would expect to find that training on using acquisition cards is available and provided in a timely manner. The National Acquisition Card Coordinator (NACC) is expected to ensure that mandatory training on the use of acquisition cards is delivered prior to card issuance. All cardholders receive training prior to receiving their cards.

Roles and responsibilities of Responsibility Center Managers (RCMs) are set out in CFIA's Policy on Acquisition Card Program. By virtue of their position, RCMs are often responsible for multiple cardholders. They are responsible for establishing credit limits in line with the authorities delegated to the RCM (and based on the individuals spending needs), for setting restrictions on the use of the cards and for ensuring the proper use of the acquisition cards.

While RCMs do not receive the training required of the cardholders; they must complete the Agency's 'Managing for Success' training for managers with delegated authorities and a small part of this course is specifically dedicated to the use of acquisition cards. RCM's are also invited to listen in on the training delivered by the NAAC and there are 'SAP Credit Card Information Sessions' as well as the 'Financial Overview' course available to all Agency staff throughout the year. The Agency has yet to develop and deliver specific guidelines or training available to RCMs on issues such as what constitutes an appropriate credit limit or when an increase is required (limits range from $1,000 to $200,000).

RCMs with incomplete training on acquisition cards may result in oversight and purchases that are inconsistent with policies.

Recommendation 3.0:

The Executive Director, Assets and Security Management Directorate should ensure that training and guidance is provided to Responsibility Center Managers with regard to their roles and responsibilities for acquisition cards.

Finding 4.0: Compliance with TB and CFIA Policies

In the majority of criteria and transactions assessed, CFIA is compliant with the specific expectations of TB's Policy on Acquisition Cards and CFIA's Policy on Acquisition Card Program. In some instances; controls, expenditure amounts or authorizations for FAA Section 32 are inconsistent with policy requirements.

We would expect to find that acquisition card transactions comply with TB Policy on Acquisition Cards and CFIA Policy on Acquisition Card Program.

Policy Compliance

Detailed testing (based on the specific expectations of the TB and CFIA policies) of the 150 sampled transactions found that all transactions met the following criteria:

  • A copy of the Acquisition Card statement, invoices, and substantiating documents were found on file;
  • The name of the person on the card was the purchaser;
  • The transaction was for an official government purchase;
  • Not a cash advance;
  • Not an interdepartmental transaction;
  • Payment was not made over a non-secure internet site;
  • The transaction was not after the card expiry date;
  • Not for Temporary Help Services;
  • Invoiced and quoted amounts were calculated correctly;
  • The Acquisition Card Register was signed by the RCM;
  • Specimen signature cards were valid;
  • Section 34 signed by someone other than the cardholder; and
  • Total amounts paid were equal to the total invoiced amounts.

Policy Non-Compliance

In a small number of instances, controls that we expected to find were not fully implemented in compliance with the expectations of the TB and CFIA policies:

  • Acquisition Card Register not signed by Cardholder (1); and
  • Card Statements not reconciled to Acquisition Card Register/SAP Printout (1).

In our sample of 150, there were two (2) instances in which the transaction was over the cardholder's per transaction limit. A total of 36 transactions (24%) were over the $5,000 limit set by the CFIA policy in place at the time; and of those, three (3) transactions were over the new $10,000 limit.

Section 32 Concerns

Section 32 of the FAA, referenced in both the CFIA and TB policies, requires that only individuals who have appropriate delegated authority may authorize expenditures (subject to the limits and conditions established by the delegation). The individual with the appropriate delegation must ensure that the funds are available to meet the commitments.

The CFIA Commitment Policy states that a commitment must be established for individual expenditures above $500. This policy also states that acquisition cards have their own commitment and payment process that should be followed. The CFIA Policy on Acquisition Card Program does not identify the threshold at which Authority Request (AR) is or is not required, nor does it reference the CFIA Commitment Policy.

Our testing of a sample of 150 transactions ($414,096) found that 43 (29%) of those over $500 had no approved AR prior to purchase. CFIA policy states that cardholders with no budgetary control must ensure appropriate expenditure initiation authority is in place prior to purchasing goods or services. CFIA policy does not state if an AR is required for a purchase under $500 or when a blanket authority may be accepted.

Recommendation 4.0:

The Executive Director, Assets and Security Management Directorate should ensure that the requirements of federal legislation, TB policies and directives, and CFIA policies related to acquisition cards are communicated and followed.

3.4 Risk Management

Finding 5.0: Ad Hoc Risk Management

A formal risk management approach for CFIA's acquisition card program remains to be developed. Risks are unidentified and assessed and systemic mitigation strategies remain to be implemented.

We would expect to find that a risk assessment process exists including identified controls to mitigate the risks. Risk assessments include an overall assessment of risk exposure in terms of the likelihood of occurrence and the impact of the risk should it occur. Each of these risks are prioritized and mitigated, monitored and accepted.

A formal risk management framework for CFIA's acquisition card program remains undeveloped. Risks have not been identified and assessed nor have systemic mitigation strategies been implemented. While quarterly monitoring and reports are undertaken and ad hoc responses are implemented, a mature risk management approach may help to mitigate some of the control issues identified.

Identifying, assessing and updating risks in a systemic manner in terms of the Agency's acquisition card program will help to ensure a sound understanding of the risks involved in CFIA's acquisition card program and promote the development of strategies to mitigate these risks.

Recommendation 5.0:

The Executive Director, Assets and Security Management Directorate should ensure that the acquisition card program formalizes and implements an appropriate risk management framework.

Appendix A: Audit Criteria

Governance

  • Monitoring and Reporting - Monitoring and reporting practices are timely and accurate as per Treasury Board (TB) Policy on Acquisition Cards.
  • Roles & Responsibilities - CFIA organizational structure, roles and responsibilities are clearly defined, communicated and documented.
  • Policy Framework - CFIA policies, guides and manuals are consistent with the TB Policy on Acquisition Cards.

Risk Management:

  • Risk Management - A risk assessment process exists including identified controls to mitigate the risks.

Control:

  • Issuance, distribution, cancellation of cards and authorization - Acquisition cards are being issued, distributed, cancelled and authorized as set out in the TB Policy on Acquisition Cards.
  • Acquisition Card Transactions - Transactions comply with the TB Policy on Acquisition Cards.
  • Payment and Reconciliation of Consolidated Billing - Disputes, payments and reconciliations are resolved, paid, authorized and reconciled as per the TB Policy on Acquisition Cards.
  • Training - Training on usage of acquisition cards is available and provided in a timely manner.
  • Segregation of Duties - There is appropriate segregation of duties.

Appendix B: Management Response and Action Plan

Management Response

It is our understanding that CFIA's Acquisition card Program is well managed and is compliant with the expectations of TB's Policy on Acquisition Cards and CFIA's Policy on Acquisition Card Program. When Acquisition cards were first introduced to the Government of Canada, they were meant to replace the Local Purchase Order as a fast and efficient procurement process for low risk, high volume transactions. Raising the financial limits on the cards in this environment now means that procurement can be made up to $10K without the normal procurement rigor being applied. In our policy review, FAIT will consider this risk and put in place to ensure that expected procurement practices are followed, whether a card is used for payment or not. The management accepts the recommendations and proposes the following action plan. ASMD will work in cooperation with Financial Services for Action 1 which focuses on the review of existing policies, for Action 2 for the development of a monitoring plan, and Action 4 for the development of a communication plan. Action 3 and 5 will be the responsibility of ASMD.

Management Action Plan

Recommendation 1:

The Executive Director, Assets and Security Management Directorate should ensure that the CFIA policy suite is updated to remain consistent with the TB Directive and other internal CFIA policies.

Proposed Management Actions Responsible Official(s) Implementation Date
The CFIA policy suite that refers to the administration of the acquisition card will be reviewed and updated to comply with the new TB Directive and other internal CFIA policies, and will include new appropriate sanction provisions (e.g. suspension and revocation of an acquisition card) in the event of non-compliance. ED, Assets and Security Management Directorate March 31, 2011
The CFIA Commitment Policy will be updated to be in line with the recent, updated TBS commitment policy. ED, Financial Services March 31, 2011

Recommendation 2:

The Executive Director, Assets and Security Management Directorate should ensure that appropriate corrective actions are undertaken in cases of non-compliance.

Proposed Management Actions Responsible Official(s) Implementation Date
The ED, ASMD will prepare and formalize, in consultation with Financial Services, a written Monitoring Plan for the Acquisition Card.

ED, Assets and Security Management Directorate

 December 31, 2010

This plan will include the application of consequences in cases where there is misuse and non-compliance with the Policy; and include the communication of consequences for non-compliance to acquisition card holder and responsible managers.

ED, Financial Services

 December 31, 2010

Recommendation 3:

The Executive Director, Assets and Security Management Directorate should ensure that training and guidance is provided to Responsibility Center Managers with regard to their roles and responsibilities for Acquisition Cards.

Proposed Management Actions Responsible Official(s) Implementation Date

To develop and submit to ED, ASMD, for approval, specific written guidelines for Responsibility Center Managers (RCMs) on what constitutes an appropriate credit limit and on when an increase is required. To communicate such guidelines to RCMs through bulletin and/or training.

ED, Assets and Security Management Directorate

 March 31, 2011

Recommendation 4:

The Executive Director, Assets and Security Management Directorate should ensure that the requirements of federal legislation, TB policies and directives, and CFIA policies related to acquisition cards are communicated and followed.

Proposed Management Actions Responsible Official(s) Implementation Date

To develop a communication plan and submit to ED, ASMD, for approval, to clarify issues (and best practices) related to expenditure initiation authority (from RCMs) and commitment management.

ED, Assets and Security Management Directorate

 September 30, 2010

To develop a communication plan and submit to ED ASMD for approval, to inform cardholders of changes to the policy suite such as sanction provisions (as indicated in Action #1).

ED, Assets and Security Management Directorate

 March 31, 2011

Recommendation 5:

The Executive Director, Assets and Security Management Directorate should ensure that the acquisition card program formalizes and implements an appropriate risk management framework.

Proposed Management Actions Responsible Official(s) Implementation Date

To formalize and implement a Risk Management Plan for contracting and procurement, including acquisition card management.

ED, Assets and Security Management Directorate

 March 31, 2011

Top of Page
Important Notices