This audit considered the systems that existed at the time of the audit in 2002 and the review in 2006 and took into account any new systems that were introduced since then.
June 2010
During FY 2008-09, CFIA generated $54.3 million in non-tax revenue from the regulatory services it delivers. Revenue is obtained through over 1,200 fees for service covering 14 programs and is retained by CFIA. Revenue has remained stable since 2005-06 (2005-06 - $58.6 million; 2006-07 - $57.6 million; 2007-08 - $60.9 million).
Sections 24 and 25 of the Canadian Food Inspection Agency Act provide the Minister with the authority to fix fees to be paid for services delivered, use of facilities, products, rights and privileges. Before fixing any fee, the Minister is required to consult with any person or organization that he or she considers to be interested in the matter and to publish the fees in the Canada Gazette. The National Accounts Receivable Service Centre (NARSC), part of the Finance, Administration and Information Technology Branch (FAIT), in Moncton manages accounts receivable, approves credit, processes documentation for billings purposes, manages delinquent accounts and prepares periodic reports.
This audit was approved in the Internal Audit Directorate’s (IAD) 2009-12 Multi-Year Risk-Based Audit Plan and is a follow-up to two reports: an internal audit of revenue management conducted in 2002 by IAD; and, a 2006 consultant’s review (contracted by FAIT) focusing on processes associated with inspections, invoicing, and revenue and receivable reconciliations.
The objective of the audit is to provide senior management with assurance that the control weaknesses identified in previous audits of revenue management have been rectified and that controls are working as intended. The scope of this audit examined the controls surrounding revenue management and compliance with applicable requirements and policies to the revenue streams. This audit considered the systems that existed at the time of the audits in 2002 and 2006 and took into account any new systems that were introduced since then.
Finding 1:
Accountability for revenue management in the CFIA is unclear.
Recommendation 1:
FAIT, in consultation with Branch management, should ensure that
managers who charge fees are involved and held accountable for revenue in their offices.
Finding 2:
There is limited monitoring of revenue at both the national and local level.
Recommendation 2:
FAIT, in consultation with Branch management, should develop a
monitoring framework for revenue that will ensure that fees charged for services are complete and accurate.
Finding 3:
Local office controls for revenue management are incomplete.
Recommendation 3:
The Operations Branch, in consultation with FAIT and the Policy and
Programs Branch should develop detailed guidelines and procedures to control all revenue processes, including the reconciliation of service requests
to invoices, and control over the receipt, use and inventory of pre-numbered forms.
Finding 4:
No formal risk assessment has been conducted of revenue management in the CFIA.
Recommendation 4:
FAIT, in consultation with Branch management, should conduct a formal
risk assessment of the CFIA revenues to identify material risks and develop appropriate
strategies to mitigate these risks.
In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria. The opinion is applicable only to the entities examined and within the scope described herein.
In my opinion, revenue management has notable weaknesses, with risk exposure, related to the governance, internal control and risk management processes that require management attention.
Peter Everson
Chief Audit Executive, CFIA
* The audit opinion is based on overall materiality and risk as represented by the noteworthy findings and recommendations reported.
Canadian Food Inspection Agency (CFIA) headquarters are in Ottawa (the National Capital Region) with four operational areas: Atlantic, Quebec, Ontario and Western. These operational areas are divided into 18 regional offices, 185 field offices (including border points of entry) and 408 offices in non-government establishments (such as processing facilities). CFIA also operates 15 laboratories and research facilities that provide scientific advice, develop new technologies, provide testing services and conduct research.
During FY 2008-09, CFIA generated $54.3 million in non-tax revenue from the regulatory services it delivers (see Appendix A for details). Revenue is obtained through over 1,200 fees for service that cover 14 programs. The largest sources of revenues for 2008-09 are the Meat Inspection Program (41.65% of total revenues), Animal Health (17.14%), Fish Inspections (11.91%) and Plant Health (11.79%). Revenue is retained by CFIA and has remained stable since 2005-06.
There are some 300,000 invoices and 85,000 payments processed annually; there are 25,000 client accounts of which 9,000 are considered active; there are 326 sales offices across Canada; and, the accounts receivable as at December 31, 2009 was $6.1 million. Invoicing is carried out both electronically and manually with 90 percent estimated to be electronic.
Sections 24 and 25 of the Canadian Food Inspection Agency Act provide the Minister with the authority to fix fees to be paid for services delivered, use of facilities, products, rights and privileges. Before fixing any fee, the Minister is required to consult with any person or organization that he or she considers to be interested in the matter and to publish the fees in the Canada Gazette. The National Accounts Receivable Service Centre (NARSC), part of the Finance, Administration and Information Technology Branch (FAIT), in Moncton manages accounts receivable, approves credit, processes documentation for billings purposes, manages delinquent accounts and prepares periodic reports.
This audit was approved in the Internal Audit Directorate’s (IAD) 2009-12 Multi-Year Risk-Based Audit Plan and is a follow-up to two reports: an internal audit of revenue management conducted in 2002 by IAD; and a 2006 consultant’s review (contracted by FAIT) focusing on processes associated with inspections, invoicing, and revenue and receivable reconciliations.
The 2002 audit noted control weaknesses that increased the CFIA risk of financial loss due to fraud, and with respect to the completeness of revenues collected. The 2006 consultant’s report indicated that essentially the same control weaknesses identified in the 2002 audit continued to exist. There were 21 recommendations in the 2002 audit report and nine in the 2006 review related to issues concerning: invoicing; roles and responsibilities; payment processing; and technology in use.
The objective of the audit is to provide senior management with assurance that the control weaknesses identified in previous audits of revenue management have been rectified and controls are working as intended.
The scope of this audit examined the controls surrounding revenue management and compliance with applicable requirements and policies to the revenue streams. This audit considered the systems that existed at the time of the audit in 2002 and the review in 2006 and took into account any new systems that were introduced since then.
The scope of the 2002 IAD audit included all components of revenue management: costing of activities; pricing and fee setting; the billing of services; collection of amounts due and control of accounts receivables; plus, the recording and reporting of revenue. This audit focused on those components in the 2002 audit and the 2006 review where weaknesses had been identified.
Audit criteria and detailed sub-criteria (see Appendix B) were developed to serve as standards against which our assessment could be made, clarify the audit objectives and form a basis for the work plan and the conduct of the audit. For each of the criteria, the relationship to governance, internal control and risk management or a combination of the three were identified. For this audit, we determined the audit criteria to be as follows:
An audit program was developed that provided an outline of the audit procedures and tests to conduct to conclude on the audit objectives. The audit program included identifying and collecting documents and data; data analysis; document/data evaluation and interpretation; recording of observations and variances; and concluding on observations with regard to the stated criterion. Methodologies included reviewing documents, testing transactions, interviewing staff and analyzing data.
Visits were made to the NARSC and to seven offices across Canada. In addition, telephone surveys were conducted with an additional nine sales offices, many of which are located in remote areas and reported low volumes of revenue. During the site visits, emphasis was placed on obtaining audit evidence to support the control weaknesses observed in the previous audits. A walk-through of transactions, using judgmental sampling selected from key revenue streams, was conducted at the sites visited to confirm our understanding of the processes and controls.
The sales offices visited and surveyed by telephone covered $9.7 million of revenue; or 18 percent of the total revenue reported in 2008-09. These offices generated approximately 34,000 invoices; or 11 percent of the total invoices processed in that year.
This section presents detailed findings from the audit of revenue management at CFIA. Findings are based on the evidence and analysis from both our initial risk analysis and the detailed audit conduct.
Positive progress has been made since the 2002 audit report and the 2006 consultant study which, combined, contained 30 recommendations to improve revenue management– 21 in 2002 and nine in 2006. Three recommendations from the 2002 audit report and two from the consultant report have yet to be implemented; these deal with control and monitoring issues which are presented below in the detailed findings. The remaining recommendations have either been implemented (9), are in the process of being implemented (15) or are no longer applicable (1).
Progress to date has included a modernization initiative to review the fee schedule and develop a costing methodology, an Accounts Receivable Management Policy, increased usage of electronic invoicing, Interactive Voice Recognition to deal with credit card payments, posting a ‘cash only’ listing to identify clients in default, and a working group to deal with a data entry backlog for fish imports.
In addition to the findings presented below, observations of conditions that were non-systemic and of low materiality and risk have been communicated to management for its consideration.
We would expect that an effective management control framework is in place that identifies roles and responsibilities and assigns accountability to the appropriate individuals. Accountability requires an acknowledgement and assumption of responsibility for actions, decisions and policies within the scope of a manager’s role.
In CFIA, a centralized model for the control framework has been adopted through the use of a National Accounts Receivable Service Centre (NARSC) to process revenue collections and manage accounts receivable. The NARSC is part of the Finance, Administration and Information Technology (FAIT) Branch and its responsibilities and accountabilities are to manage, report and collect accounts receivable following initiation of the revenue process by the Operations, Programs and Science Branches.
Operations Branch managers in the offices which were visited during the audit or interviewed by phone, advised that their main responsibilities are to ensure inspections are carried out, licences and certificates are processed, and the safety of Canadians is assured. Few managers were aware of the amount of revenue their office is generating. Managers also indicated that their performance objectives did not include responsibility for revenue.
In the Operations Branch, financial officers, particularly in the field, have little involvement with revenue management. Their focus is primarily on budgetary and expenditure matters.
In February 2010, FAIT and the Operations Branch forwarded a memorandum, signed by both parties, to all managers within CFIA. The memorandum was in response to a concern raised by the Office of the Auditor General about all cost recoverable services being invoiced. The memorandum reminded managers of the need for them to verify that staff is completing invoices as required, that electronic invoicing is used to the extent possible and that there is a system to control and account for all pre-numbered forms.
The lack of management accountability for revenue, coupled with limited involvement of financial staff within the Operations Branch with revenue management, creates a risk that CFIA may not be collecting all revenues that are due.
Recommendation 1.0:
FAIT, in consultation with Branch management, should ensure that
managers who charge fees are involved and held accountable for revenue in their offices.
Management is responsible for ensuring that their activities are working effectively and that suitable management practices and controls are in place and functioning appropriately. To this end, we would expect that managers monitor practices and controls, and take early and remedial action in areas where significant deficiencies are encountered or improvements are needed.
The CFIA’s Accounts Receivable Management Policy states that Operations, Programs and Science Branch staff are responsible for ensuring that all services provided have been billed. The February 2010 memo, jointly issued by FAIT and the Operations Branch, re-enforces this fact and reminds managers of this responsibility. The Accounts Receivable Management Policy is silent on the responsibility for monitoring or reviewing the internal controls and practices associated with revenue generation.
The NARSC has built multi-level controls into its systems to ensure that invoices have been properly completed and posted to the financial system and can only perform this role if the invoice has been submitted to the NARSC for processing. The NARSC does not monitor or control whether an invoice at the Branch level has been generated for each service provided. The Accounts Receivable Management Policy indicates only that NARSC is responsible for monitoring activities related to the receivables management process. The NARSC considers that the responsibility to verify that all services have been billed lies elsewhere.
In the offices that were visited during this audit, managers were not undertaking monitoring to ensure the accuracy and completeness of invoicing and that all services were being billed. Managers indicated they did not know the amounts of revenue being generated in their office and offered that financial information was not available to allow them to monitor revenue. Revenue transactions were handled by clerical staff without review by their supervisors.
Without effective monitoring, both nationally and at the local level, there is a risk that errors in revenue may occur and go undetected.
Recommendation 2.0:
FAIT, in consultation with Branch management, should develop a
monitoring framework for revenue that will ensure that fees charged for services are complete and accurate.
We would expect that effective controls exist over the management of revenues to ensure compliance with regulatory and policy requirements and proper accounting for all revenues.
The 2002 audit report and a subsequent consultant report from 2006 raised concerns about the adequacy of revenue controls in that there was no methodology in place to track a service request for a permit or certificate and the invoice, and that there were few operating policies and procedures to assist managers in fulfilling their obligations and meeting their accountabilities. These concerns raised in these reports are still valid. None of the sites visited, or those interviewed by phone, reconciled service requests to invoices. Offices visited had no documented procedures on how to process revenue transactions, and relied on locally-developed procedures.
CFIA has electronic systems currently in use for revenue management which include a built-in invoicing module. These systems, referred to as “front end” systems, have the advantage of populating fields automatically on the invoice, reducing the amount of information to be entered when completing an invoice, and facilitate the tracking of service requests to invoices. These systems include the Multi-Commodities Activities Program (MCAP), the Import Control Tracking System (ICTS) and the Import Permits System (IPS). About 30% of all invoicing is done electronically through these systems.
Other electronic systems, such as the Export Certificate System (ECS) which is used for fish exports, do not have a built-in invoicing system. Revenues associated with these systems and a variety of other revenues use the Stand-Alone Electronic Invoicing (STEL) system. STEL requires data to be keyed directly into the application and, therefore, is more prone to error, and does not facilitate the tracking of service requests to invoices. STEL accounts for approximately 60% of all invoicing.
NARSC analysis indicates that approximately 10% of invoicing is done manually. Manual invoicing uses forms that have a pre-printed control number which allows each office to administer a forms control management system. Some of the offices that were covered in the audit had procedures that would allow them to effectively control the use of the manual invoice forms. However, in other locations, no records were made that would allow the tracking of usage of forms. It was also observed that forms were not kept in a secure manner, and could be accessed by any staff. The February 2010 memo, signed by both FAIT and the Operations Branch, emphasized the need for a system to be in place to account for all pre-numbered forms where manual invoicing is used. Field offices, however, have not been provided guidelines on how to implement such a system.
The lack of reconciliations of service requests to invoices and the absence of documented procedures on how to process revenues, including the use of pre-numbered forms, increase the risk of error in revenue earned by the CFIA.
Recommendation 3.0:
The Operations Branch, in consultation with FAIT and the Policy and
Programs Branch should develop detailed guidelines and procedures to control all revenue processes, including the reconciliation of service requests
to invoices, and control over the receipt, use and inventory of pre-numbered forms.
A risk assessment is an important tool that provides management with an objective evaluation of a program or activity to identify potential situations that could harm an organization, an indication of the likelihood and severity of an event occurring, and the identification of mitigating measures to effectively prevent or control an event from happening. We would expect that the CFIA management identify the risks that may preclude the Agency from achieving its objectives for revenue.
In 2008-09 CFIA revenues were $54.3 million. These revenues are generated from a variety of different sources by the Operations, Policy and Programs and Science Branch, dispersed across 326 sales offices coast to coast, involve a large number of computer systems, and include a wide variability of processes and charges. The volume of revenue activity is significant. There are 300,000 invoices and 85,000 payments processed annually, and there are 25,000 client accounts of which 9,000 are active.
There has been no formal risk assessment of revenue management undertaken in the CFIA. There are factors that lessen exposure to risk in revenue, such as the low dollar value of many of the revenue transactions, and the increasing use of electronic invoices. However, revenue is approximately 8% of the CFIA spending budget, and control weaknesses exist. Without a formal risk assessment, the Agency cannot demonstrate that its exposure to risks related to revenue is at an acceptable level.
Recommendation 4.0:
FAIT, in consultation with Branch management, should conduct a formal
risk assessment of the CFIA revenues to identify material risks and develop appropriate
strategies to mitigate these risks.
Revenues | Food Safety and Public Health | Science and Regulation | Animal and Plant Resource Protection | 2009 Totals | 2008 Totals |
---|---|---|---|---|---|
Inspection fees | $24,710 | $9,209 | $3,941 | $37,860 | $42,805 |
Registrations, permits, certificates | 2,154 | 6,836 | 1,439 | 10,429 | 11,693 |
Miscellaneous fees and services | 9 | 2,239 | 1,240 | 3,488 | 3,878 |
Establishment license fees | 1,716 | 139 | - | 1,855 | 1,776 |
Grading | 236 | 2 | - | 238 | 224 |
Administrative monetary penalties | 365 | - | - | 365 | 522 |
Interest | 36 | 5 | 23 | 64 | 73 |
Total Revenues | 29,226 | 18,430 | 6,643 | 54,299 | 60,971 |
There is an effective management control framework in place for managing revenues and the technology for capturing revenues is current and
state-of –the art.
Sub-criteria:
Effective controls exist over the management of revenues to ensure compliance with regulatory and policy requirements and proper accounting for
all revenues.
Sub-criteria
Management identifies the risks that may preclude the Agency from achieving its objectives for revenue.
Sub-criteria
Management Response
The overriding management issue underlying the findings of this audit is that the revenue collected for operational activities is not recorded directly against those activities. Revenues are collected and allocated as part of the overall budget process. Without direct attribution, operational managers place lower priority on revenue billing than is desirable. As we move through the User Fee Modernization Project, we will consider changing this model.
Finding 1: Revenue management within the Agency is a joint responsibility between FAIT (Financial Services), Operations Branch, and PPB. There are two processes in revenue management. First, branches (Operations and PPB) are responsible for the provision of services and the issuance of an invoice. Second, FAIT’s National Account Receivable Centre is responsible to record the invoice in the financial system and to collect revenues.
The Accounts Receivable Management Policy clearly defines the responsibilities and accountabilities of all parties involved. All stakeholders agree that there is a need to remind all involved of their responsibilities; especially at the supervisor level.
Finding 2: Presently, the decentralization of inspection activities across the country and the complexity of the user fee structure, would make it very difficult for FAIT to implement efficient monitoring of revenues. However, more monitoring could be implemented to address whether an invoice is generated for each service provided.
Finding 3: The Agency has recently initiated a review of its user fees. The results of this user fee modernization project may streamline the fee schedule and simplify the management of service delivery and invoicing.
The National Accounts Receivable Service Centre has provided Operations Branch with detailed instructions related to the control of revenue processes. In addition, training is provided to operations staff through net meeting or direct response to requests for guidance on revenue management processes.
To a large extent, the Stand Alone Electronic Invoicing System (STEL) has addressed the issue of forms control. Currently 92.5% of all invoicing revenues are completed through a version of electronic invoicing. Based on the increased usage of electronic invoicing, the dollar value associated with manual invoicing is not a large component of the revenue totals.
Finding 4: On the matter of risk assessments, a summary analysis was prepared by FAIT following concerns raised by the Office of the Auditor General during the 2009 year end audit. The analysis also outlined the resources and efforts that would be required to completely eliminate the remaining manual invoices. FAIT concluded that with the increased level of automatic invoices, the majority of the risk was already mitigated.
1. FAIT, in consultation with branch management, should ensure that managers who charge fees are involved and held accountable for revenue in their offices.
Proposed Management Actions | Responsible Official(s) | Implementation Date |
---|---|---|
FAIT Branch – Develop a “Revenue Management Toolkit” to assist local office managers in ensuring roles and responsibilities are followed and aid in the training of new staff. The toolkit would include: a listing of contacts for advice, website links to operating procedures related to revenue management, and service standards. | ED, Financial Services | December 31, 2010 |
FAIT Branch – Continue to provide revenue reports and advice to the branches when requested, as well as guidance and training to the financial officers in Operations Branch in the area of reporting. | ED, Financial Services | Ongoing |
Operations Branch – Messaging is emphasized at many levels of Branch Management committees from ED, RD, IMs and Area Management teams to ensure managers, staff, financial and resource officers clearly understand that cost recovery and their role within the process is a priority. | Director, Management Services Directorate | Ongoing |
FAIT and Operations jointly issued a communiqué in February 2010 to all managers outlining their roles and responsibilities. | ED, Financial Services | Completed |
2. FAIT, in consultation with branch management, should develop a monitoring framework for revenue that will ensure that fees charged for services are complete and accurate.
Proposed Management Actions | Responsible Official(s) | Implementation Date |
---|---|---|
The FAIT Branch will provide operations with a generic form control process for manual invoicing of document. | ED, Financial Services | Sept 30, 2010 |
In addition, a monitoring exercise will be implemented to ensure that “planned actions” from section 3 (below) are implemented. | ED, Financial Services | March 31, 2011 |
3. The Operations Branch, in consultation with FAIT and the Policy and Programs Branch should develop detailed guidelines and procedures to control all revenue processes, including the reconciliation of service requests to invoices, and control over the receipt, use and inventory of pre-numbered forms.
Proposed Management Actions | Responsible Official(s) | Implementation Date |
---|---|---|
Operations Branch will perform a periodic reconciliation of invoices generated for services provided at the local office level including procedures to ensure an adequate audit trail between the program documentation (service) and the invoice document. | Director, Management Services Directorate | Dec 31, 2010 |
4. FAIT, in consultation with Branch management, should conduct a formal risk assessment of the CFIA revenues to identify material risks and develop appropriate strategies to mitigate these risks.
Proposed Management Actions | Responsible Official(s) | Implementation Date |
---|---|---|
FAIT and Operations Branch will document the controls and accountability assigned to each branch that is required for the management of revenue. | ED, Financial Services | March 31, 2011 |
A summary analysis on manual invoicing was prepared by FAIT. It concluded that with the increased level of automatic invoices, the majority of the risk was already mitigated. | ED, Financial Services | Completed |
The Risk Management Group in FAIT will be asked to review the findings to reconfirm or to identify any material risk. | Director, Risk Oversight | March 31, 2011 |