Canadian Food Inspection Agency
www.inspection.gc.ca
Common menu bar links
Institutional links
-
About the CFIA
-
Subjects
-
Proactive Disclosure
Send this page by
emailAudit of the Financial Management Control Framework: Fundamental Controls (Sections 32, 33 & 34 of the FAA)
The audit scope included CFIA's non-pay financial transactions for the period of April 1, 2008 to March 31, 2010.
July 2010
Table of Contents
- 1.0 Executive Summary
- 2.0 About the Audit
- 3.0 Findings and Recommendations
- Appendix A: Audit Criteria
- Appendix B: Management Response and Action Plan
1.0 Executive Summary
1.1 Introduction
Canadian Food Inspection Agency (CFIA or the Agency) headquarters are in Ottawa (the National Capital Region) with four operational areas: Atlantic, Quebec, Ontario and Western. These operational areas are divided into 18 regional offices, 185 field offices (including border points of entry) and 408 offices in non-government establishments (such as processing facilities). CFIA also operates 12 laboratories and research facilities that provide scientific advice, develop new technologies, provide testing services and conduct research.
Agency budgets reached their highest point during the past two years and staff has increased by 13.7 per cent over 2006 in support of its programs. As of March 31, 2010 the number of Financial Management (FI) full-time equivalents within CFIA was 67, with 49 employed with Finance, Administration and Information Technology (FAIT) and 18 working outside of FAIT.
A comprehensive and effective financial management control framework is critical in providing stewardship over public funds while achieving CFIA’s strategic objectives. Strong financial management and related internal controls are critical components of the Stewardship component of the Government of Canada’s Management Accountability Framework (MAF).
The importance of financial controls is heightened by the priority that is being placed on matters of financial management and stewardship by central agencies.
1.2 Audit Objective and Scope
The objective of this audit is to provide assurance that the Financial Management Control Framework of CFIA ensures that financial transactions are carried out with due diligence, that financial transaction information is reliable and has integrity, and that there is compliance with Sections 32, 33, and 34 of the Financial Administration Act (FAA).
The audit scope included CFIA’s non-pay financial transactions for the period of April 1, 2008 to March 31, 2010. The scope was national, with fieldwork in the National Capital Region (NCR) and telephone interviews, on-site visits to regional and area staff members located in Atlantic, Quebec, Ontario, and Western Canada.
The scope excluded transactions related to revenue management as well as acquisition cards which were each audited separately by the Internal Audit Directorate (IAD) during the same timeframe. Revenue management and acquisition cards carry distinct policy and directive requirements and both audits covered Sections 32, 33 and 34 of the FAA as applicable.
1.3 Findings & Recommendations
Governance
Finding: A comprehensive, integrated and documented financial management control framework has yet to be fully developed and implemented. Documentation of financial management processes and controls with regard to Sections 32, 33 and 34 of the FAA is informal and not well communicated.
Recommendation:
The Executive Director, Financial Services should ensure that CFIA’s financial management control framework is clearly defined, detailed, integrated and well communicated to field staff.
Controls
Finding: Sufficient and appropriate controls are in place to monitor compliance with FAA Sections 32, 33 and 34. In the majority of criteria and transactions assessed, CFIA is compliant with the specific expectations of Sections 32, 33 and 34 of the Financial Administration Act. In some instances; delegations, commitments or authorizations related to FAA Section 32 are not consistent with requirements of the Financial Administration Act.
Recommendation:
The Executive Director, Financial Services should ensure that all requirements of federal legislation, TB policies and directives, and CFIA policies related to Sections 32, 33 and 34 of the Financial Administration Act are communicated and followed.
Risk Management
Finding: There is a risk management approach in place to ensure that financial transactions are processed with due regard to inherent risks relevant to Sections 32, 33 and 34 of the FAA.
1.4 Statement of Assurance
In my professional judgement as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria. The opinion is applicable only to the entities examined and within the scope described herein.
1.5 Audit Opinion*
In my opinion, the fundamental controls within the financial management control framework has weaknesses, with low risk exposures related to the governance and internal control processes that require management attention.
Peter Everson
Chief Audit Executive, CFIA
* The audit opinion is based on overall materiality and risk as represented by the noteworthy findings and recommendations reported.
2.0 About the Audit
2.1 Background
Canadian Food Inspection Agency (CFIA or the Agency) headquarters are in Ottawa (the National Capital Region) with four operational areas: Atlantic, Quebec, Ontario and Western. These operational areas are divided into 18 regional offices, 185 field offices (including border points of entry) and 408 offices in non-government establishments (such as processing facilities). CFIA also operates 12 laboratories and research facilities that provide scientific advice, develop new technologies, provide testing services and conduct research.
Agency budgets reached their highest point during the past two years and staff has increased by 13.7 per cent over 2006 in support of its programs. As of March 31, 2010 the number of Financial Management (FI) full-time equivalents within CFIA was 67, with 49 employed with Finance, Administration and Information Technology (FAIT) and 18 working outside of FAIT.
The following table presents the Agency’s spending levels and human resources complement for the fiscal years 2009-10 through 2011-12.
| CFIA Financial and Human Resources | 2009-10 | 2010-11 | 2011-12 |
|---|---|---|---|
| Financial Resources ($ millions) | 597.0 | 592.8 | 583.8 |
| Human Resources (Full-Time Equivalents) | 6,357 | 6,311 | 6,217 |
The successful achievement of the Agency’s strategic outcomes depends in part on the implementation of an effective Financial Management Control Framework (FMCF). Effective financial management and controls help to ensure timely and accurate financial reporting; compliance with authorities; financial stewardship; and accountability for the effective control of public resources.
CFIA’s financial management controls have been developed and implemented with the intent that financial transactions should be handled in a manner consistent with:
- The Financial Administration Act,
- Treasury Board’s (TB) Directive on Account Verification (effective October 1, 2009 and Replaces the TB Policy on Account Verification);
- The TB Directive on Delegation of Financial Authorities for Disbursements (and CFIA delegation documents);
- CFIA’s corporate frameworks and with all other related financial management legislation, polices, regulations and controls as applicable depending on the type of transaction.
2.2 Objective
The objective of this audit is to provide assurance that the Financial Management Control Framework of CFIA ensures that financial transactions are carried out with due diligence, that financial transaction information is reliable and has integrity, and that there is compliance with Sections 32, 33, and 34 of the Financial Administration Act (FAA). The audit was identified in the 2009-2012 Risk-Based Audit Plan.
2.3 Scope
The audit scope included CFIA’s non-pay financial transactions for the period of April 1, 2008 to March 31, 2010. The scope was national, with fieldwork in the National Capital Region (NCR) and telephone interviews, on-site visits to regional and area staff members located in Atlantic, Quebec, Ontario, and Western Canada.
The scope excluded transactions related to revenue management as well as acquisition cards which were each audited separately by the Internal Audit Directorate (IAD) during the same timeframe. Revenue management and acquisition cards carry distinct policy and directive requirements and both audits covered Sections 32, 33 and 34 of the FAA as applicable.
2.4 Methodology
TB’s Management Accountability Framework (MAF) criteria and the results of the initial entity risk assessment were used as a starting point for the audit criteria. High-level criteria that were customized to reflect the objectives and scope of this audit are contained in Appendix A.
A non-statistical judgmental sample of 60 financial transactions was selected for this audit. In selecting our sample size and selection criteria, we considered previous work related to compliance with fundamental financial controls as represented by Sections 32, 33 and 34 of the FAA. CFIA’s financial quality control procedures for Sections 32, 33 and 34 of the FAA identified low error rates and the Agency’s external auditor, the Office of the Auditor General (OAG), has made no observations related to compliance with Sections 32, 33 and 34 of the FAA as part of their financial statement audit.
Our audit approach included the following high level audit approaches: identification and collection of documents/data; data analysis; document and data evaluation and interpretation; recording of observations/variances; and concluding on observation(s) with regard to the stated criterion.
Specific methodologies included testing of transactions (vouching, tracing), inspection of documents, computation (independent calculations), interviews and analysis of data.
The audit was conducted in a manner consistent with the TB Policy on Internal Audit.
3.0 Findings and Recommendations
3.1 Introduction
This section presents detailed findings from the audit of the fundamental controls of the Financial Management Control Framework at CFIA. Findings are based on the evidence and analysis from both our initial risk analysis and the detailed audit conduct.
In addition to the findings presented below, observations of conditions that were outside of the working scope of the audit and are non-systemic and of lower materiality and risk have been communicated to management for their consideration.
3.2 Governance
Finding 1: Basic Financial Management Control Framework with Limited Documentation
A comprehensive, integrated and documented financial management control framework has yet to be fully developed and implemented. Documentation of financial management processes and controls with regard to Sections 32, 33 and 34 of the FAA is informal and not well communicated.
We expected that the Agency’s financial management control framework would be in alignment with one or more recognized frameworks, for example COSO or CoCo, through integration with TB’s Management Accountability Framework (MAF) and Core Management Controls.
The CFIA document, An Overview of Internal Control over Financial Reporting is available though not distributed to field staff. The document lists key controls and activities under the headings of; Control Environment, Risk Assessment, Control Activities, Information and Communication and Monitoring. The Overview is not dated and bears no signature or other evidence of approval or authority.
A document (Management Control Framework) was completed by Finance, Administration and Information Technology (FAIT) and advised to members of the Agency’s Audit Committee. This describes aspects of the Agency’s control framework, focusing on key controls related to Section 32, 33 and 34 of the Financial Administration Act (FAA). This document indicates that the control framework consists of a group of mapped and documented key processes completed in 2006-07, key policies, procedures and quality assurance plans. This document notes that further work is to be performed in the area of Control Certifications. This document is also not dated nor formally approved.
Roles and responsibilities relevant to internal control over financial reporting are not defined and understood across the Agency. Further, we observed that the documented key processes completed in 2006-07 are not well communicated to field staff. There are no direct linkages in the financial management control framework. For example, there is an opportunity for the Agency to more clearly integrate its Quality Assurance plan into its financial management control framework to more clearly demonstrate how the plan provides assurance in the overall transaction processing cycles. There are no guidelines as to how the financial management control framework is kept up to date.
The absence of a comprehensive, integrated and documented financial management control framework represents an elevated risk to the integrity of financial reporting in the Agency. Further, the Agency may encounter challenges in the future when sign-off is required on the Statement of Management Responsibility required under the TB Policy on Internal Control. The Agency may also encounter challenges to demonstrate compliance with the TB Policy on Financial Management Governance.
Recommendation:
The Executive Director, Financial Services should ensure that CFIA’s financial management control framework is clearly defined, detailed, integrated and well communicated to field staff.
3.3 Controls
Finding 2: Some Non-Compliance with FAA Sections 32.
Sufficient and appropriate controls are in place to monitor compliance with FAA Sections 32, 33 and 34. In the majority of criteria and transactions assessed, CFIA is compliant with the specific expectations of Sections 32, 33 and 34 of the Financial Administration Act. In some instances; delegations, commitments or authorizations related to FAA Section 32 are not consistent with requirements of the Financial Administration Act.
We expected that controls would be in place to ensure due diligence, reliability, and integrity of financial transactions and consistent compliance across the Agency with Sections 32, 33 and 34 of the FAA.
The FAA is the federal government’s legislative authority with respect to financial management. Three sections of the Act are critical to ensuring that controls are in place over expenditures made from parliamentary appropriations.
- Section 32 of the FAA covers the control of financial commitments chargeable to each Parliamentary appropriation.
- Section 34 of the FAA deals with the need to certify that goods and services were received or that a recipient is eligible for payment.
- Section 33 of the FAA relates to the need to ensure that payments are subject to authorized requisitions, lawful and within the appropriations level. Officers exercising Section 33 payment authority must have adequate assurance that the Section 34 certification has been provided.
We found that controls are in place to monitor compliance for approvals under Sections 32, 33 and 34 of the FAA and to react to deviations as part of the Agency’s Quality Assurance Plan.
The Quality Assurance plan is designed to monitor compliance with Sections 32, 33 and 34 of the FAA based upon on an ongoing evaluation of relevant risks. The results of monitoring completed under the Quality Assurance Plan are documented and communicated to the Vice President of Finance, Administration and Information Technology on a quarterly basis along with recommendations and action plans to address identified findings.
A non-statistical judgmental sample of 60 financial transactions representing expenditures of $2,585,695.61 was examined. Detailed testing (based on specific expectations of the TB and CFIA policies) of the 60 transactions found that most transactions met the criteria. Of the transactions tested, we found that 10 out of the 60 sampled transactions had errors related to Section 32, and 3 out of the 60 had errors under Section 34 of the FAA that were associated with the Section 32 errors found. We found no errors related to section 33 of the FAA.
Section 32 Concerns
Section 32 of the FAA, referenced in both the CFIA and TB policies, requires that only individuals who have appropriate delegated authority may authorize expenditures (subject to the limits and conditions established by the delegation). The individual with the appropriate delegation must ensure that the funds are available to meet the commitments.
The CFIA Commitment Policy states that a commitment must be established for individual expenditures above $500.
Of the transactions tested, we found the following types of Section 32 errors:
- Authority Request (AR) not signed before the purchase date;
- AR not amended to cover the actual expense or the expense was 10% over the AR;
- AR signed after the invoice date (by an individual with appropriate level of delegation of authority);
- AR signed by an individual who did not have authority over particular Fund/Cost Centre;
- Service agreement over $10,000 not routed through the National Procurement and Contracting Service Centre (NPCSC); and
- Commitment created in SAP (CFIA’s Accounting System) after expenditure incurred.
Recommendation:
The Executive Director, Financial Services should ensure that all requirements of federal legislation, TB policies and directives, and CFIA policies related to Sections 32, 33 and 34 of the Financial Administration Act are communicated and followed.
3.4 Risk Management
Finding 3: A Risk Management Approach for FAA Sections 32, 33 and 34.
There is a risk management approach in place to ensure that financial transactions are processed with due regard to inherent risks relevant to Sections 32, 33 and 34 of the FAA.
We expected that the Agency would have a risk management approach in place to ensure that financial transactions are processed with due regard to inherent risk relevant to Section 32, 33 and 34 of the FAA.
Risks relevant to Sections 32, 33 and 34 of the FAA are assessed on an ongoing basis. Accounting Operations completes a formal consultation process to identify risks relevant to financial transaction processing on an annual basis prior to the approval of the Agency’s Quality Assurance plan. A presentation is provided to the Resource Management Oversight Committee (RMOC) and input is requested from committee members before the Quality Assurance plan is approved by the Vice President of Financial Administration and Information Technology. Finance Committee members are invited to share their perspective on areas of potential risk and such commentary is considered in the development of the Quality Assurance and Monitoring Plan.
Appendix A: Audit Criteria
Governance
- CFIA’s financial management control framework is in alignment with one or more recognized control frameworks, for example COSO or CoCo, through the integration with the Management Accountability Framework and the Core Management Controls.
- The Agency can demonstrate progress toward compliance with the TB Policy on Internal Control which came into effect on 1 April 2009 as evidenced by progress towards a demonstrated capability to support the assertions contained in the Statement of Management Responsibility Including Internal Control Over Financial Reporting.
- Controls are in place to monitor compliance with Sections 32, 33 and 34 of the Financial Administration Act (FAA) and to react to compliance deviations on a consistent basis across the Agency.
Controls
- CFIA supports the consistent implementation and training for compliance with Sections 32, 33 and 34 of the FAA across the Agency.
- Controls are in place to ensure due diligence, reliability, and integrity of financial transactions and consistent compliance across the Agency with Sections 32, 33 and 34 of the FAA.
Risk Management
- There is a risk management approach in place to ensure that financial transactions are processed with due regard to inherent risk relevant to Section 32, 33 and 34 of the FAA.
Appendix B: Management Response and Action Plan
Management Response:
Finding 1: CFIA is required to comply with the TBS Policy on Internal Control by the end of fiscal year 2010-2011. During the preparation and approval processes of the Financial Statements and Public Accounts, individual control components are reviewed with members of the internal audit committee. Management believes the Agency’s financial management controls are appropriately addressed through the current processes which include policies, procedures, memos, guidance and consultation through committees such as RMOC and Finance.
Finding 2: Management does not agree with the reference to section 33 in the recommendation. Consistent with CFIA policies, Accounts Payable Service Centre offices ensure the completeness of the required documentation and necessary adjustments are always made prior to the transaction being processed and the cheque being issued.
| Audit Recommendation | Proposed Management Actions | Responsible Official(s) | Implementation Date |
|---|---|---|---|
| 1. The Executive Director, Financial Services should ensure that CFIA’s financial management control framework is clearly defined, detailed, integrated and well communicated to field staff. | CFIA has a financial management control document which has been shared with senior management. In the coming months, it will be further enhanced, integrated, and formalized as part of the work on the Internal Control Policy, for which the Agency needs to comply with by March 31, 2011. | ED, Financial Services | April 1, 2011 |
| 2. The Executive Director, Financial Services should ensure that all requirements of federal legislation, TB policies and directives, and CFIA policies related to Sections 32, 33 and 34 of the Financial Administration Act are communicated and followed. | All issues identified during the audit are related to Section 32 and the following actions have / will be implemented: | ||
| The CFIA Commitment Policy will be updated to be in line with the recent, updated TBS commitment policy. | ED, Financial Services | March 2011 | |
| The CFIA will continue its annual review of the Financial Delegation Instruments. Clarification of Section 32 requirements will be on the objective of this year’s review. Any new information will be communicated (Zlist, email, Merlin, etc.) | ED, Financial Services | December 2010 | |
| Continuous effort will be put forth with respect to training (such as the Financial Overview training) where 37 sessions were delivered across Canada in 2009-2010. In addition, the target audience has been expanded for this fiscal year. Also, the “Managing for Success” mandatory training oriented toward managers has recently been enhanced. | ED, Financial Services | Ongoing | |
| A monitoring procedure to ensure compliance with the Procurement and Contracting policy has recently been implemented. Reports will be presented to the Vice-President, FAIT for managers who entered into procurement or contractual arrangements exceeding $10K. Repeat offenders may have their delegation of financial signing authority suspended. A similar process will be implemented for the Acquisition Card policy. | ED, Financial Services | March 2011 | |
| Within Accounting Operations, employees working in the Accounts Payable Service Centres are required to acknowledge their responsibilities by signing a statement of roles and responsibilities on an annual basis as part of the Performance Feedback and Review Record (PFR) process. | ED, Financial Services | Ongoing | |
| The CFIA will continue to send official communications to managers and staff by means of electronic correspondence (Infobulletins). | ED, Financial Services | Ongoing |
