Language selection

Financial Management and Controls Audit - Phase II (September 2008)

ACKNOWLEDGEMENT

Audit and Evaluation Division acknowledges the time and effort given by departmental managers and staff to provide information associated with this report.

Executive Summary

The need for enhanced risk-based controls to support compliance with the Financial Administration Act (FAA) has always existed. It has taken on greater importance because of the Federal Government's move toward Audited Financial Statements (AFS) for all departments and the passing of the Federal Accountability Act, 2006. These new initiatives require that financial controls not only be developed based on a risk assessment process, but also be documented and tested for their efficiency.

The Financial Management and Controls Audit Phase II was approved by the Audit and Evaluation Committee (AEC) chaired by the Deputy Minister and was conducted during the fiscal year 2007-2008. This audit is one in a series of financial management and control audits to assess whether VAC's financial control framework is adequate to ensure that :

  • allocated funds are spent for their intended purposes and within approval limits;
  • financial information is accurate; and
  • appropriate controls are maintained over expenditures.

The audit's objectives were:

  • to determine the root causes of systemic financial and administrative issues that hinder compliance with respect to the control, processing or disbursement of expenditures;
  • to provide an appraisal of financial and administrative compliance with legislative, central agency and Departmental directions regarding petty cash, acquisition cards and Departmental Bank Accounts; and
  • to develop a systematic program of audits that examines on a cyclical basis the financial and administrative functions, activities and processes for expenditure, and identifies the audit techniques and procedures to carry out such audits.

The first objective of the assignment was conducted as an audit consultation intended to add value and improve the organization's governance, risk management and control processes. The second objective was addressed as an assurance audit, and the third has led to the development of audit guides and the identification of audit techniques and procedures for future audits and will be ongoing.

The audit examined whether the Department effectively discharges responsibilities as required under the FAA Sections 32, 33 and 34, and included an examination of Entity-level controls Footnote 1 that reviewed the following: departmental stewardship, employee training and employee skills to perform their responsibilities.

Objective I - Completed as a Management consultation, has provided recommendations for improvements regarding training and resource requirements, better risk identification, the management and documentation of challenge issues re Section 33 approval, the need for management to seek new authorizations to better meet veterans' changing needs, and for Senior Management to reiterate adherence to the Values and Ethics Policies particularly regarding compliance with legislation and policies of the Central agencies and the Department.

Objective II - was an audit of transaction-level controls involving the examination of processes to ensure compliance with legislative, central agency and Departmental directions regarding petty cash, acquisition cards and Departmental Bank Accounts (DBA).

The audit was conducted in accordance with Standards for the Professional Practice of Internal Auditing adopted by the Government of Canada. These standards require that the audit be planned and performed to obtain reasonable assurance that the administration of the following disbursement functions: cashier, petty cash, DBA, and acquisition cards, are delivered in accordance with governing authorities.

In the auditors' opinion, except for the observations noted in this report, there is reasonable assurance that the disbursements conform with governing authorities, in all material respects.

Objective III - resulted in the creation of Audit Guides and the identification of audit techniques and procedures for future audits and is ongoing.

Veterans Affairs Canada (VAC) is a Department undergoing significant changes. Organizational and demographic changes are compounded by restrictive and outdated authorities, and by a culture defined by PricewaterhouseCoopers LLP(PwC) as "...a client-centered culture." Footnote 2

The root causes affecting the efficacy of the controls are:

  • Lack of an effective financial management control framework.
  • Insufficient resources (administrative) and a need for additional training for financial and administrative support staff to fulfil their roles and responsibilities.
  • Insufficient follow-up by the offices of primary interest regarding findings and recommendations of: internal audits, internal control reviews, and the Office of the Auditor General's Public Accounts audits (slow remediation efforts).
  • No official documented challenge process regarding contentious authorization of budget resource allocation and payment issues.
  • Problems with the segregation of duties re Sections 32, 33 and 34.
  • A ‘management culture' that sometimes struggles to balance client needs and controls.

The recommendations contained in this report are intended to improve the development, management and application of entity-level controls as well as transaction-level financial controls regarding compliance with Sections 32, 33 and 34 of the FAA.

Given the phased nature of this audit, it is acknowledged that senior management and program managers have already initiated some actions to address a number of the observations contained in this report.

A synopsis of the recommendations follows:

  • Ensure finance and administration staff receive training and development similar to the discontinued financial modules of the middle management and supervisors orientation training program.
  • Circulate updated financial policies and bulletins and provide staff explanatory briefings as necessary.
  • Complete and promulgate a comprehensive financial management control framework.
  • Enhance controls associated with the release of program, procedural and policy information.
  • Identify, promote and monitor the training required by all financial officers and administrative staff.
  • Ensure adequate training is provided to all delegated staff on authorities under FAA specifically Sections 32, 33 and 34.
  • Develop an improved process for remediation of deficiencies identified in internal audit reports, internal control reviews and Office of the Auditor General Public Accounts Audits.
  • Develop clear and concise controls associated with awarding contracts and payments.
  • Modernize and/or expand the existing authorities to better address Veterans' needs and to better control the use of Other Health Purchased Services (OHPS) allocation in addressing the new demands.
  • Establish a documentation process for all situations where the authority of the Section 33 officers is challenged.
  • Ensure the appropriate segregation of duties and compliance with the FAA.
  • Minimize use of Departmental Bank Account cheques for travel.
  • Enhance existing procedures to ensure consistent methods of reimbursement for Veterans travel.

1.0 Introduction

This audit of Veterans Affairs Canada's Financial Management Controls Phase II was carried out in accordance with the approved Departmental Audit and Evaluation Plan 2006-2009.

The breakdown of internal controls in the private and public sectors, e.g., Enron and WorldCom in the United States (US) and the Gomery enquiry in Canada has resulted in the enactment of the Sarbanes-Oxley Act in the US, as well as the Federal Accountability Act in Canada. In addition, there has been increased pressure from the Federal Government for the development and implementation of comprehensive Management Accountability Frameworks (MAFs) in Canada for all government departments and agencies. Scrutiny of federal government departments and agencies has increased considerably as have calls for enhanced entity-level controls.

The April 2006 Policy on Internal Audit established standards and requirements for Chief Audit Executives and internal audit functions in an effort to reinforce internal audits across government and to reposition it as a basis for effective and credible governance. Footnote 3

The policy states that "Chief Audit Executives (CAEs) will provide annual holistic opinions to deputy heads and audit committees on the effectiveness and adequacy of risk management, control and governance processes in their departments, as well as reporting on their individual risk-based audits." Footnote 4

In addition, effective April 1, 2010 all federal government departments will have to prepare audited financial statements as part of their reporting requirements to Treasury Board (TB). As a result, most if not all departments are conducting various studies to assess their readiness. VAC has now committed to a 2010/2011 time frame for VAC's audited financial statements.

This audit is one in a series of financial management and control audits to assess whether VAC's financial control framework is adequate to ensure that:

  • allocated funds are spent for their intended purposes and within approved limits;
  • financial information is accurate; and
  • appropriate controls are maintained over expenditures.

2.0 Audit Objectives, Scope and Methodology

2.1 The Audit Objectives were to:

  • Determine the root causes of systemic financial and administrative issues that hinder compliance with respect to the control, processing or disbursement of expenditures; and to develop appropriate audit recommendations for management's corrective actions;
  • Provide an appraisal of financial and administrative compliance with legislative, central agency and Departmental directions concerning expenditures and revenues (e.g., Financial Administration Act (FAA) Sections 32, 33 and 34); and
  • Develop a systematic program of audits that examines on a cyclical basis the financial and administrative functions, activities and processes for expenditures, and identifies the audit techniques and procedures to carry out such audits.

2.2 Scope

This audit examined whether the Department effectively discharges responsibilities as required under the FAA Sections 32, 33 and 34. It included an examination of Entity-level controls Footnote 5 and examined the following: departmental stewardship, employee training and employee skills to perform their responsibilities. Also included were reviews of the controls associated with security clearances, systems access and conflict of interest.

The second objective was an assurance audit of financial and administrative compliance with legislative, central agency and Departmental directions regarding petty cash, acquisition cards and Departmental Bank Accounts.

The third objective involved the development of a systematic program of audits that examine on a cyclical basis the financial and administrative functions, activities and processes for expenditures and will be ongoing.

VAC was included in the 2005 Report of the Auditor General of Canada – Status Report on Progress Made by Selected Departments and Agencies in Addressing Financial Control Weaknesses. The Office of the Auditor General (OAG) examined and rated financial systems controls in the following: FreeBalance; General Information Technology (IT) Environment; and the Client Service Delivery Network (CSDN). The controls examined were: electronic security; monitoring; manual processing; and control features optimization. The assessment was a follow-up to a controls assessment completed in 2001-2002 by the OAG. This audit did not reexamine the areas covered in that report.

This study looked at financial management and controls in Head Office and the Western and Ontario regions.

2.3 Approach and Methodology

The auditors used a ‘blended' engagement that incorporated elements of both consultative and assurance activities into one consolidated approach. Auditors:

  • Reviewed internal documentation of previous financial audits and management letters
  • Reviewed the FAA and other relevant TB and VAC's policy and regulations
  • Reviewed selected financial management control audits conducted by other government departments i.e., (Audit of Departmental Financial Controls, Industry Canada, 2006, Audit of Key Financial Processes At the Banff National Park Field Unit, Parks Canada Agency, 2005, Public Account Audits, 2005, 2006)
  • Identified and used relevant controls and fundamental audit criteria from Draft 4, KPMG Footnote 6 document, Treasury Board of Canada, Secretariat, Fundamental Controls
  • Reviewed VAC's Values and Ethics Framework.
  • Developed Audit programs, questionnaires and criteria
  • Conducted interviews with officials from Head Office (HO), Ontario and Western regional and district office staff
  • Solicited information from, and interviewed staff on the following areas: governance, organizational culture, training received and required, security clearances and conflict of interest.

The audit also examined financial and administrative compliance with legislative, central agency and Departmental directions regarding expenditures and revenues (e.g., FAA Sections 32, 33 and 34) for the petty cash; cashier function, acquisition cards and Departmental Bank Accounts (DBAs).

Reviews of the following were also completed by the auditors:

  • controls in place to facilitate contracts issued by the two regions visited (Ontario and Western) and HO;
  • controls (manual and system) in place regarding reconciliation of regional accounts;
  • signing authorities based on specimen signature cards;
  • access privileges granted to regional users of the financial system;
  • controls in place for use of acquisition cards;
  • internal controls in the financial administration function including the exercise of Sections 32, 33 and 34 responsibilities.

Auditors debriefed the key stakeholders during the fieldwork phase to inform them of preliminary audit findings.

3.0 Criteria

The following criteria were used:

  • Financial management and administration staff are aware of the FAA, appropriate policies and regulations needed to perform their jobs.
  • Authorities are appropriately delegated, clearly defined and documented.
  • Controls are in place to ensure that contracting and expenditures are compliant with Treasury Board (TB) policy and VAC's policies.
  • FAA Sections 32, 33 and 34 requirements are met and appropriate documents are retained.
  • Effective and efficient controls are in place to ensure segregation of duties.
  • Effective controls are in place to mitigate risks arising from:
    1. inadequate security clearances for staff working in finance and administration, inappropriate access to systems; and
    2. conflict of interest situations.
  • Compliance with legislation, policies and procedures (acquisition card, DBA, cashier disbursements, travel) are accurately calculated, documented, timely, and the procedures used are compliant with TB policies.

In addition to the above criteria, relevant core management controls and criteria from the ‘Treasury Board of Canada, Secretariat, Fundamental Controls' prepared by KPMG (2006) for TBS which are linked to the Management Accountability Framework (MAF) were also applied.

4.0 Audit Observations and Recommendations

4.1 PCP Current Funding Levels

Criteria (4.1)

Financial Management and Administration staff are aware of the legislation (FAA), and appropriate policies and regulations needed to perform their jobs.

Core Management Controls (4.1)

  • Employees formally acknowledge their understanding and acceptance of their accountability.
  • Objectives have been identified and communicated (internally and externally).
  • The organization provides employees with the necessary training, tools, resources and information to support the discharge of their responsibilities.
  • Management has a documented approach with respect to risk management.
  • Management regularly assesses the risks it has identified.
  • Management appropriately communicates its risk and risk management strategies to key internal and external stakeholders.
  • Change initiatives are well communicated.

Audit observations (4.1)

  • Availability and access to TB and VAC policies exist on the Intranet.
  • There is a need for staff with delegated authorities to receive additional training specifically related to the administration of FAA Sections 32, 33 and 34.
    • Experienced finance staff were very familiar with the FAA, policies and regulations necessary to do their jobs.
    • Among new administration staff, where there has been a high turnover, some staff were not sufficiently trained or aware of the FAA and other relevant policies and regulations to do their jobs.
  • VAC's Financial Management Controls Framework (FMCF) was reported to be under development. It would increase staff awareness and functionality if VAC had a comprehensive FMCF.
  • Staff at Kirkland Lake Consolidated Accounts Payable Processing (CAPP) Centre, Ontario Region reported that additional training is needed for new directors on expenditures associated with hospitality. In addition, districts visited expressed concerns regarding interpretation of the hospitality policy.
  • Staff reported getting incorrect program information from subject matter experts in HO. On several occasions the information received was not always the information officially sanctioned by VAC.
  • The reduction of quarterly meetings of the Finance Personnel and Administrative group was stated as a contributing factor to regional finance staff not kept abreast of changes to programs and services.
  • Some issued policies and directives were not updated as necessary; bulletins were issued but not always followed up with amendments when changes occurred. Examples of current information not communicated in a timely manner included information regarding programs and services of the new Veterans Charter and changes to Veterans Program Policy Manual (VPPM) meal rates.
  • Occasionally program staff in the district offices were aware of program changes affecting financial procedures before regional finance staff responsible for processing transactions. This situation caused problems with financial officers exercising Section 33 authorizations.
  • No formal risk assessment process is conducted within Finance Division as part of the yearly planning and priorities process. This increases the probability of high dollar value expenditures not receiving the appropriate levels of attention in the internal review plan.

R1 - R3 Recommendations

R1 Management Response

R1 It is recommended that the Director General, Finance Division, Senior Assistant Deputy Minister Policy, Programs and Partnerships Branch, Assistant Deputy Minister, Service Delivery and Commemoration Branch, and Director General, Human Resources Division ensure that:

  • Finance and Admin staff receive additional training and development similar to the discontinued financial modules of the middle management and supervisor orientation training program; and,
  • updates to financial policies and bulletins are completed, expeditiously circulated and staff receive explanatory briefings as necessary.

Management agrees. Human Resources and National Operations Division have completed extensive analyses of corporate training needs inclusive of Finance in the last couple of years. The NVC Learning group in NOD developed a comprehensive Case Management training package in 2007. Finance developed the Delegated Financial Authorities (DFA) module. This DFA module was delivered in all districts and regional offices in 2008 by training specialists with finance support.

As well, Finance will be pursuing a "program specific and/or targeted" training strategy.

Management agrees. Policy work is ongoing while operational priorities take precedence. TBS has created a new Financial Management Policy Framework (Enterprise-wide) which may be approved in 2008.

Bulletins, policy updates, etc. are distributed regularly via email with highlights itemized. VAC website is updated.

Management Action Plan
Corrective Action to be taken OPI (Office of Primary Interest) Target Date
Training objectives will be identified, developed and achieved within the umbrella of the Audited Financial Statements (AFS) project.
  • A senior FI will be dedicated to development of position specific training programs
Finance September 2008
  • Specific packages will be developed to be delivered to small groups or individuals
Finance /
SDC (Regional Finance) /
Human Resources
September 2009
  • Training will be delivered on a staggered basis as development is completed.
Finance January 2009/10 Footnote 7
Ongoing review and response to TBSs' new financial management policy initiatives. When TBS policies, directives, standards and guidelines are approved and released, VAC Finance will prepare action plan to undertake policy review. Finance December 2008
R2 Management Response

R2 It is recommended that the Director General, Finance Division complete and promulgate as soon as possible a comprehensive financial management control framework.

Management agrees. TBS originated the enterprise-wide Financial Management Control Framework (FMCF) decades ago with the Financial Administration Act and the subsequent regulatory framework that envelopes all financial activity. The introduction of the Federal Accountability Act has spawned a number of initiatives to enhance the enterprise FMCF... especially TBS' new Financial Management Policy Framework.

Management Action Plan
Corrective Action to be taken OPI (Office of Primary Interest) Target Date
Process is in place for ongoing review and response to TBS' new financial management policy initiatives. Finance Completed
A FMCF will be explored in conjunction with the AFS project. Finance April 2010 Footnote 8
R3 Management Response

R3 It is recommended that the Director General, Finance Division complete a comprehensive risk assessment annually as part of the process to be followed for the introduction of audited financial statements.

Management agrees.

Management Action Plan
Corrective Action to be taken OPI (Office of Primary Interest) Target Date
The AFS project will include developing an approach to a financial risk assessment process. Finance April 2010 Footnote 9

4.2 Appropriate Delegation of Authorities

Criteria (4.2)

Authorities are appropriately delegated, clearly defined and documented.

Core Management Controls (4.2)

  • Authority, responsibility and accountability are clear and communicated.
  • Employees formally acknowledge their understanding and acceptance of their accountability.
  • The organization has sufficient dedicated resources to support research and policy analysis.

Audit observations (4.2)

  • Generally, the Department's authorities are appropriately delegated, clearly defined and documented. Authority is formally delegated by the Minister and/or Deputy Minister to subordinates.
  • VAC has established financial bulletins, policies and procedures. Some policies and procedures were not being updated periodically as required, due to a shortage of resources within the Financial Policy Planning and Systems Directorate.
  • VAC has an up-to-date Delegation of Authorities Manual. In all samples reviewed authorities are delegated to positions and not to persons; levels of signing authorities were clearly stated and documented.
  • Staff with delegated authority for Sections 32 and 34 needed additional training to effectively perform their jobs.
  • Section 32 is not done in district offices (DOs) of the Western Region because of lack of training and high turnover of staff, as a result, commitments for DOs in the former Prairie Region are completed in the Western Regional Office.
  • VAC has a process in place to ensure that all signature cards are updated as required.
  • A small percentage of cards retained in the field offices visited were prepared but not signed by senior officers. This was more evident where the senior officer was located in a different office/province.
  • Some copies of signature cards for employees who were no longer working in the designated areas were still on file.
  • There were instances where specimen signature cards were authorized by one officer but were signed by a different person.
  • The delegation of Section 34 signing authority to a subordinate, who is not a level IV manager and cannot take the mandatory training, requires clarification. This issue has created problems for district administration officers signing Section 34, while in an acting capacity.

R4 Recommendation

R4 Management Response

R4 It is recommended that the Director General, Finance Division, Senior Assistant Deputy Minister, Policy, Programs and Partnerships Branch, Assistant Deputy Minister, Service Delivery and Commemoration Branch, and Director General, Human Resources Division, identify, promote and monitor the training required by all financial officers and administrative staff. RC Managers should ensure that their staff with delegated authority and staff working in any financial capacity complete the identified training.

Management agrees.

Management Action Plan
Corrective Action to be taken OPI (Office of Primary Interest) Target Date
The DG, Finance will identify and promote the training required by all financial officers, administrative staff and others with financial responsibilities. Finance December 2008
SDC and PPP will incorporate financial training into the training plan for these identified positions. SDC / PPP March 2009
Training will be developed as per Recommendation No. 1 Finance / HR September 2009
SDC and PPP will ensure that all positions have completed this training by the target dates identified by Finance. SDC / PPP April 2010 Footnote 10

4.3 Controls

Criteria (4.3)

Controls are in place to ensure that contracting and expenditures are compliant with TBS policy and VAC's policies.

Core Management Controls (4.3)

  • A formal process is in place to challenge the assumptions and related resource allocations within the budget.
  • Compliance with financial management laws, policies and authorities is monitored regularly.

Contracting is an area under review and was recently reviewed by VAC's Audit and Evaluation Division's (AED) Contracting Audit (2007) and Audit/Evaluation of the Residential Care Program - Ontario Region (2006). In addition, a number of observations were made in recent Public Accounts Audits, and most recently in the PricewaterhouseCooper's Audit Readiness Assessment and the Horizontal Pilot Audit Phase II, conducted by the Office of the Comptroller General.

Audit observations (4.3)

  • VAC's Finance Division as well as Veterans Services Branch (VSB) were recipients of several recommendations calling for enhanced controls associated with contracting.
  • The preliminary work completed on AED's Phase l of the Financial Management and Controls Audit (2005) identified several unaddressed observations/recommendations in both internal and external reports. These audits/reviews all indicated a lack of sufficient financial controls or the failure to adhere to controls where they existed, e.g., capital cost expenditures. While some of these recommendations have now been addressed, a number remain outstanding.
  • Senior finance staff interviewed stated that there has been a slow response to re-mediate observations and recommendations from internal and external audits and reviews.
  • The ‘department's culture' has been described as one where doing best for the client (i.e., client-centered) has challenged the department to find the balance between doing the right thing and doing things right.
  • The auditors found several examples where the financial officers' Section 33 signing authority was challenged. Based on a subsequent review, the payment was approved by another officer with delegated authority. In the absence of a defined exception process, questions were raised about the transparency of the process.
  • The practice of funding capital expenditures for long-term care institutions is recognized as requiring clarification in terms of the annual Appropriations Act, FAA, and TBM's Policy on Transfer Payments. These issues are currently under review with TB.
  • Finance staff have raised concerns and objections to capital expenditures paid to Long-term Care (Long-term Care) facilities and Operational Stress Injury (OSI) clinics. They have also challenged payments made to Veterans' organizations that were not compliant with the FAA, as well as some travel activities and expenditures.
  • Pricewaterhouse Coopers LLP in their draft report stated "Significant changes, including a cultural change are required to ensure a sound control framework is in place to support a controls reliant audit." Footnote 11
  • There is no formal process in place to document the differences in opinions surrounding assumptions and related expenditure activities. Challenges made by financial officers regarding expenditures are directed to management for their action. Examples included: capital cost authorization for Long-term Care institutions; use of questionable funding sources to facilitate new initiatives and projects and perceived inappropriate application of the Travel Policy; and payments to Veterans organizations not authorized under existing funding sources. Other observations included reimbursement for travel related expenses that were not compliant with TB Travel Policy.
  • In a number of cases, the responsible financial officer's challenge was overridden by a decision of management and authorization was provided by another officer with the delegated authority.
  • Financial officers signed off on some expenditures contentious/non-compliant they considered to be contentious/non-compliant to honour existing contracts between VAC and other private or provincial institutions because of the immediacy and pressure to address the increasing health care needs of clients.
  • In 2006, a committee involving the most senior levels of management was established to review VAC's existing authorities and to seek additional authorities to better facilitate the work of providing programs and services to clients, particularly in the area of capital contributions to Long-term Care institutions and OSI clinics. Results of this committee's report were requested but are still pending.
  • Changing health care needs of the older clients and new clients have resulted in the Department meeting those needs through changes to programs as well as new programs and services. Most additional changes have been provided for under existing authorizations. This has resulted in more expenditures being charged to a special purpose allotment, OHPS, as it is the most available avenue for funding the changing needs of clients.
  • Practices of charging new initiatives to existing and or restricted authorities or to OHPS may exposed the Deputy Minister and the Chief Financial Officer (CFO) to increased risk.
  • As a result of requirements for departmental audited financial statements commencing in 2010/2011, VAC will experience greater scrutiny as it will no longer be considered to be under the ‘materiality' radar of the central accounts audit of $1 billion, but rather the stand-alone audit materiality of $14 million.
  • A control weakness previously identified in OAG's Public Accounts Audits of 2005 and 2006 is the lack of post payment reviews of high expenditure activities by the Department. Since reorganization of the Western Region, they have reported being on track to complete the outstanding hospital reviews/audits.
  • On-site reviews of regional financial activities in DOs were not completed as required. Most offices visited reported that until this year there were no DO reviews completed in the previous three years.
  • A higher priority is required to ensure that post payment reviews are performed more frequently for large contract expenditures.
  • Ensuring that all terms and conditions of contracts/agreements have been met (FAA Section 34) is not being done effectively.
  • In the two regions visited, Ontario and Western Region, existing controls to ensure value for money with contracts for Special Equipment Recycling Program are inadequate. The DOs are charged with monitoring contracts and have reported concerns regarding current practices. Additional clarification is needed regarding the special equipment write-off policy. This will be addressed further as the Equipment Recycling Program is scheduled for a future audit by AED . In the meantime, it is suggested that a cost-benefit analysis be conducted to examine the efficacy regarding the practice of letting special equipment contracts.
  • Too much responsibility was located at the DO level, particularly in the positions of the District Director and the District Manager of Administration Services, re: contracting arrangements with Long-term Care facilities. This situation has recently been improved as the primary responsibility for contracting and management now rests with the Deputy Regional Director General and HO staff.

R5 - R7 Recommendation

R5 Management Response

R5 It is recommended that the Assistant Deputy Minister, Corporate Services Branch, Senior Assistant Deputy Minister, Policy, Programs and Partnerships Branch, and the Assistant Deputy Minister, Service Delivery and Commemoration Branch develop an improved process to react to and re-mediate in a timely manner any deficiencies that are identified in internal audit reports, internal control reports and OAG Public Accounts Audits.

Management agrees. The Deputy Minister, the three Assistant Deputy Ministers and the Director General, Finance Division met on this issue.

Management Action Plan
Corrective Action to be taken OPI (Office of Primary Interest) Target Date
A roles and responsibilities document is currently being drafted. CS October 2008
A process to monitor corrective action at the ADM level will be developed CS November 2008
R6 Management Response

R6 It is recommended that the Director General, Finance Division in consultation with stakeholders in the program areas develop clear and concise controls to better inform and facilitate the processes associated with awarding contracts and payments, specifically in the areas of capital contributions and payments to Veterans organizations.

Management agrees. This recommendation deals with a variety of specific issues which will all be subject to review in the AFS project.

Management Action Plan
Corrective Action to be taken OPI (Office of Primary Interest) Target Date
The issue of authorities for capital costs in Long-term Care facilities will be resolved during the OHPS review, scheduled to be completed in time for the 2009/2010 ARLU. PPP / SDC September 2008
The issue of payments to Veterans organizations is being discussed by ADM PPP and ADM CS and a plan will be developed to resolve them. PPP / CS September 2008
Finance will develop a process to formalize challenges and to have decisions around such challenges clearly documented. Finance October 2008
R7 Management Response

R7 It is recommended that the Assistant Deputy Minister, Corporate Services Branch, Senior Assistant Deputy Minister, Policy, Programs and Partnership Branch, Assistant Deputy Minister, Service Delivery and Commemoration Branch with the Director General, Finance Division expedite a process to modernize the Authorities needed to better address changing Veterans' needs and to better control the use of OHPS allocation.

Management agrees. VAC Program and Finance Division staff met with Treasury Board in May 2008 to discuss the next steps required for completion of the OHPS review.

Management Action Plan
Corrective Action to be taken OPI (Office of Primary Interest) Target Date
Based on the draft OHPS review report that was submitted to TBS, VAC will identify the three or four areas within the OHPS allotment where discussion and consultation with TBS is required to determine if existing authorities are sufficient, or if there is a need to review/revise current authorities, in order for VAC to address changing Veterans' needs. This work is to be completed prior to the submission of VAC's 2009-2010 Annual Reference Level Update submission in late September, 2008. PPP / SDC / CS September 2008

4.4 FAA Sections 32, 33 and 34

Criteria (4.4)

FAA Sections 32, 33 and 34 requirements are met and appropriate documents are retained.

Core Management Controls (4.4)

  • Records and information are maintained in accordance with laws and regulations.
  • Management through their actions, demonstrate that the organization's integrity and ethical values cannot be compromised.

In previous sections the need for better training and communication have been identified as existing constraints to the effectiveness of controls. A survey conducted by the Institute of Internal Auditors (IIA) entitled ‘IIARF Assessment of Entity-level Controls: Management's ‘tone at the top, examined how internal auditors assess this important entity-level control. IIA described ‘tone at the top' as the attitudes and beliefs of management toward corporate governance, ethics, internal controls and risk management. This section incorporates an assessment of entity-level controls at VAC.

Audit observations (4.4)

  • It was evident that in most cases requirements of FAA Sections 32, 33 and 34 are met and appropriate documentation are retained based on the existing financial and process controls.
  • Identified barriers to meeting some requirements of FAA Sections 32, 33 and 34 which hinder compliance with respect to controls, processing or disbursement of expenditures can best be categorized as inconsistencies in the application of entity-level controls (senior management overrides, insufficient training, overextended resources and communication problems).
  • Examples were reviewed where financial officers refused to sign Section 33 authorizations because they believed the payments were non-compliant with the FAA. These payments were later signed by senior management or other officers with signing authority as mentioned in the previous section.
  • Examples of management override of the financial officer's Section 33 authority pertaining to the discretionary interpretation of the travel policy and regulations were provided to the auditors.
  • When financial officers refuse to authorize approval of payment and those decisions were challenged, no documented process was followed and no official audit trail was preserved.
  • Resolutions of situations where signing authority was challenged are not circulated within the financial and program community to ensure that staff benefit from the decisions made to meet the requirements of and comply with the FAA.

R8 Recommendation

R8 Management Response

R8 It is recommended that VAC's Senior Management Committee continue to promote compliance with: the Department's Values and Ethics Code; FAA; financial controls; and other government and departmental policies and regulations. The Senior Management Committee should ensure they are aware of the areas and level of financial risk the Deputy Minister considers acceptable.

Establish a documentation process for all situations where the authority of the Section 33 officers to withhold approval of payment is challenged.

Management agrees. A meeting of the DM, the 3 ADMs, the Director General Finance and General Counsel was held to discuss the level of risk the DM is willing to undertake in relation to program management decisions.

Management Action Plan
Corrective Action to be taken OPI (Office of Primary Interest) Target Date
As a result of ADM meeting, Finance Division is drafting a Roles and Responsibilities document which will identify how program decisions which impact on the Section 33 process will be managed. This document will be signed off by all participating parties. Finance October 2008
A process will also be developed to escalate issues to senior management when required. Finance
ADM CS / ADM SDC
Senior ADM PPP
October 2008
Finance will develop a process to formalize challenges and to have decisions around such challenges clearly documented. Appropriate instructions will be sent to the Regional Accounting Offices. Finance
ADM CS / ADM SDC
Senior ADM PPP
October 2008

4.5 Effective and Efficient Controls

Criteria (4.5)

Effective and efficient controls are in place to ensure segregation of duties.

Core Management Controls (4.5)

  • Access to assets, records and information are limited to authorized individuals.
  • Authority, responsibility and accountability are clear and communicated.
  • Employees formally acknowledge their understanding and acceptance of their accountability.
  • There is an appropriate segregation of duties.
  • An appropriate organizational structure and clear lines of communication and reporting are established.

Audit observations (4.5)

There is no comprehensive VAC Financial Management Control Framework. What exists are a number of components that include:

  • the Financial Policy and Procedures Manual (FPPM);
  • the organizational and process controls of the IT and Security Systems;
  • the delegation of authority and segregation of responsibilities;
  • Departmental bulletins and guidelines that supplement TBS policies and regulations;
  • financial training and support to managers and staff;
  • account verification processes;
  • values and ethics training; and
  • review and control units which monitor activities that support the exercise of payment authority.

These components function with varying degrees of efficiency and effectiveness.

  • Section 34 is the delegated responsibility of the RC manager. Regional financial officers conducting institutional audits were required to sign the Section 34 and were reporting to the same section where financial officers approved payments under section 33 FAA. This practice existed because regional program staff were not sufficiently qualified to perform these reviews for Section 34 approvals.
  • Regional finance staff reported they were under pressure to process payments even though compliance to the FAA was in dispute.
  • Internal Control officers were involved with the preparation and review of budgets and contracts for Long-term Care institutions which they later audited.
  • Control weaknesses were observed in the process of purchases made through acquisition cards. The most common example was where all three signature blocks on the GC 92, Internal Requisition for Material/Services, were signed by the same person.
  • A review of travel files provided examples where the travel had been approved by a manager under Section 34 who was also a traveller in the group authorized.
  • Operational constraints identified by finance and administrative staff that indirectly impact the controls in place to ensure effective segregation of duties were: insufficient resources and training; lack of clear direction from HO; an environment of constant change; and concern, particularly in the Western Region, where there was uncertainty and apprehension, perceived, regarding their employment status, and high turn-over.
  • Finance Division in HO was also challenged by a shortage of staff, loss of corporate memory as experienced staff retired or left the Division; constant reorganization, introduction of new programs and services; and increasing demands from Central Agencies for increased documentation and reports.

Additional observations relevant to this section are presented under Section 5.0.

R9 Recommendation

R9 Management Response

R9 It is recommended that the Assistant Deputy Minister, Corporate Services Branch, Senior Assistant Deputy Minister, Policy, Programs and Partnerships Branch, and Assistant Deputy Minister, Service Delivery and Commemoration Branch, under the direction of the Director General, Finance Division review the duties that are required to be segregated and institute the training and changes necessary to ensure the appropriate segregation of duties and compliance with the FAA.

Management agrees.

Management Action Plan
Corrective Action to be taken OPI (Office of Primary Interest) Target Date
Segregation of duties will be assessed as part of the Audited Financial Statement project. Finance April 2010 Footnote 12

4.6 Effective Controls to Mitigate Risks

Criteria (4.6)

Effective controls are in place to mitigate risks arising from

  1. security clearance procedures and appropriate systems access for staff working in finance and administration and
  2. conflict of interest situations.

Core Management Controls (4.6)

  • Access to assets, records and information is limited to authorized individuals.
  • Appropriate system application controls exist.
  • The organization has a documented corporate values and ethics, code of conduct or equivalent policy.
  • Employees formally and regularly acknowledge compliance with the organization's corporate values and ethics, code of conduct or equivalent policy.

4.6.1 Security Clearance (SC) and System Access

The SC files for all employees working in HO Finance and employees working in Finance and Administration in Ontario and Western Regions were reviewed. Interviews were conducted with the Director, Security and Real Property Services and staff in areas responsible for managing SC in HO, regional and district offices.

Audit observations (4.6.1)
  • There were adequate controls in place with respect to the security clearance process. All employees are security cleared unless they are grandfathered.
  • All staff files examined had received appropriate levels of security clearance before commencing work at VAC. There is an improved system involving the early mail out of expiring clearances to respective areas that facilitates early completion thereby avoiding employees working with lapsed security clearances.
  • An assessment of efficiency of controls associated with security clearance for contracted staff was addressed in AED Contracting Audit - 2007.
  • Finance staff had appropriate levels of access to the Departmental information systems used for work.
  • Controls were in place to ensure that when staff move from one position to another and their access requirements change, they cannot have access associated with more than one position because it is based on the employee's LAN login ID. If an account is dormant for 6 months it is cancelled.
  • It was observed in a small number of instances that staff had access to information systems they no longer required to perform their current duties.
  • Staff were instructed not to review or access their own files or files of friends and relatives. CSDN can track this activity but it is not monitored on a regular basis.
  • With the turnover in staff anticipated and with the potential for increased numbers of new staff also being clients of VAC, better controls are needed for all systems.

4.6.2 Conflict of Interest

The draft VAC Policy on Values and Ethics and Conflict of Interest stipulates that employees "must within 60 days of their initial or any subsequent appointment, deployment or secondment, submit a confidential report to the Director General, Human Resources, which identifies those external activities that may give rise to a conflict of interest."

Managers and HR staff at HO and in the field were interviewed to determine if controls were in place regarding conflict of interest situations of staff working in finance and administration support.

A review of the ‘Report on Conflict of Interest Submissions' prepared by VAC's Human Resources Division for the time period 2001-2006 indicated that of the 102 cases submitted, only eight were found to be in a conflict of interest situation.

Audit observations (4.6.2)
  • VAC Policy on Values and Ethics and Conflict of Interest is circulated to staff, and training is provided to all staff. Because of the cyclical nature of training and high turn-over, some employees have not received training.
  • The policy requires a voluntary declaration of potential conflict of interest. During the study period no breaches were reported.
  • The Director, Information Management Services, prepared and released the ‘Procedure for the Identification of Employee/Client and the Safeguarding of their Files (New Client)' and some Questions and Answers regarding the same subject, to increase staffs' awareness.
  • Controls exist to prevent staff from having access to their own files.
  • If an employee is also a client and worked in a given office, his/her file would be transferred to another office for processing.
  • Staff can still access their immediate family's or friends program/client files (staff are cautioned against doing this).
  • It may also be possible for colleagues to review the client/staff's file and in some situations make changes to it. These factors increase the risk of breaches of client confidentiality and/or privacy, as well as the opportunity for financial improprieties through abuse of authority or collusion to intentionally defraud the government.
  • Because of the close relationship that exists between staff and some contracted employees, i.e., nurses and occupational therapists, the relationship between employer and employee is sometimes blurred. (Attendance at staff meetings, use of employers' accommodation, representing the employer outside the scope of the contract, were examples of situations reported.)
  • Effective March 1, 2008, the Senior Management Committee endorsed a new policy which addressed a number of the concerns identified in this seciton.
  • The issue of potential conflict of interest between VAC and some of its providers will be addressed further as a Conflict of Interest Audit is scheduled to be conducted by AED in 2008-2009.
  • As a result of changes to the Public Service Employment Regulations (effective April 1, 2006) granting priority status to members of the Canadian Armed Forces with a medical discharge as well as to RCMP discharged for a medical reason, it may be prudent for the department to consider the necessity for enhanced controls regarding the processing, privacy and confidentiality of employee/client files as well as develop and promulgate enhanced process and system controls.

5.0 Compliance with Legislation, Policies and Procedures

This section describes compliance with policies and procedures related to payment processing, receipt and deposit of public money. Specific areas examined were: payments made using petty cash funds, Departmental Bank Accounts and acquisition cards.

The audit was conducted in accordance with Standards for the Professional Practice of Internal Auditing adopted by the Government of Canada. These standards require that the audit be planned and performed to obtain reasonable assurance that the administration of the following disbursement functions: cashier, petty cash, DBA, and Acquisition cards, are delivered in accordance with governing authorities.

In the auditors' opinion, except for the observations noted in this report, there is reasonable assurance that the disbursements conform with governing authorities, in all material respects.

The audit observations and recommendations in this section are reported against a five-grade rating system (1 - unsatisfactory, 2 - significant improvements required, 3 - moderate improvements required, 4 - minor improvement required and 5 - controlled).

The table below summarizes the rating established by the audit team for each of the four areas examined in this section.

Table 1
Item Audit Observations
Petty Cash 4-Minor improvement required
Acquisition Card 4-Minor improvement required
Departmental Bank Account 3-Moderate improvements required
Receipt and Deposit of Public Money 4-Minor improvement required

5.1 Petty Cash

Petty cash expenditures should be made when it is not practical to use Receiver General or Departmental Bank Account (DBA) cheques. Veteran and employee travel claims up to $100 and hospitality claims up to $200 may be paid from petty cash. The holder of petty cash should submit an account of expenditures in order to replenish funds. The amount of the advance must not exceed the amount necessary to finance the expenditure contemplated for a six-week period.

Audit observations (5.1)

  • In each office petty cash boxes were maintained in a safe controlled area, with keys assigned to the cashiers and a spare key kept in a sealed envelope in the DD's or manager's office.
  • Petty cash funds were counted and balanced to the allocated amounts in each office visited (HO and DOs).
  • Petty cash transactions were reviewed and the safe contents were examined and documented.
  • Documentation to support transactions using petty cash was comprehensive and sufficient to provide an audit trail.
  • The Departmental procedures for petty cash were generally followed in the offices visited except for a few cases of input of inaccurate financial coding.
  • Petty cash funds were used to make a minor disbursement (from a trust fund) to a Veteran for the purpose of repairs at home and was coded as Veteran Travel.
  • The established petty cash advances in some offices exceeded the amount necessary to finance the expenditures expected for a six-week period. Director General, Finance Division should consider issuing a reminder to all responsibility centre managers to periodically review the petty cash flow and request petty cash advances only to the amount necessary to finance the expenditures expected for a six-week period.

5.2 Acquisition Cards

The acquisition card policy recommends the use of acquisition cards for departmental procurement and payment of goods and services where it is efficient, economical and operationally feasible to do so. Acquisition cards are intended for the purchase of low-value goods and services. In order to strengthen controls over the use of acquisition cards, RC managers and HO should follow the criteria as set out in the acquisition card Policy, FPPM, Chapter 7, Subject 16 and as outlined in Finance Bulletin FPPM 7-16. Segregation of duties is a fundamental control principle that should be maintained in the use of acquisition cards for procurement. Acquisition cards should be locked away routinely every night. RC managers and HO should monitor spending by acquisition card holders periodically. TB policy states that "no person shall exercise spending authority, i.e., Section 34, with respect to a payment from which he or she personally can benefit, directly or indirectly."

Audit observations (5.2)

  • Generally the policy relating to segregation of duties was being followed with purchases made with acquisition cards. However, as mention in section 4.5, the signature blocks on some GC 92s for purchases made with acquisition cards were all signed by the same person.
  • Acquisition card purchases were made within the card limit. There was one instance in the files reviewed where furniture costing over $4K was purchased using an acquisition card. In this case, there was no documentary evidence whether the items purchased were inventoried and given asset numbers.
  • An acquisition card was used to pay for tuition and books for a Veteran who was participating in the Vocational Rehabilitation Program. The financial coding used for this purchase was not correct. This practice of using incorrect financial codes leads to inaccurate program and operations expenditure data.
  • Contrary to the Department's telephony policy, cell phones were purchased using acquisition cards with a rationale of potential savings to the Crown.
  • There was one incident reported of an employee with an acquisition card who had received no training or information on policies and procedures.
  • An acquisition card was used to pay Veteran's travel, accommodation and meals.
  • Some employees were not leaving the acquisition cards secured in the office as directed by the policy.

5.3 Departmental Bank Accounts

Use of a DBA is restricted to payment of specific expenditures. The intent of DBAs is to provide better service over the counter. The Portfolio has a single centralized Departmental Bank Account to cover national operations. This account operates on a line of credit basis funded by a Receiver General account. No deposits may be made to this account nor can it be used for interdepartmental settlements. The maximum amount that can be paid out using the DBA is $5K except for paying locally engaged employees, where the Department has the authority to make such payments, and, for issuing an emergency salary advance under the Accountable Advance Regulations.

Audit observations (5.3)

  • All DBA cheques were kept in a locked safe.
  • DBA cheques were issued in significant amounts for the purpose of employee travel advances although they were within the allowable $5K limit.
  • In one instance, two DBA cheques for travel advances were issued on the same day to the same person for an amount totalling to $4,777. The Section 34 authorization was performed by the traveller which is non-compliant with the FAA.
  • The Section 34 signature was missing in a Claim for Veteran's Travel Expenses (DVA 244) form for payment using a DBA cheque.
  • In another instance a DBA cheque was issued where Section 34 approval was missing in both the Request for Payment form (GC 80) and in the DBA Voucher (PWGSC 8862-1).
  • Claims submitted by Veterans for reimbursement for travel to receive treatment benefits were paid by either DBA cheques or through the FHCPS.
  • In one instance, DBA cheques were issued for partial payment of the travel claim and the remaining portion was sent for payment processing through FHCPS. This type of processing increases the risk of payment errors and also reduces efficiency.
  • DBA cheques were used to pay hotel charges in excess of the $5K limit. This was above the limits allowed for the DBA and secondly, it was non-compliant with the approved method of payment for this category of expense.
  • It was also found that DBA cheques were issued to pay travel advances to Veterans who participated in a pilgrimage. This was outside the scope of the DBA policy.

R10 Recommendation

R10 Management Response

R10 It is recommended that the Director General, Finance Division:

  • instruct managers to verify the legitimate use of DBA cheques for employee travel advances and where policy permits, issue a Government Travel Card to those who travel frequently;
  • ensure that all payments made through Departmental Bank Account cheques are compliant with the policy and properly authorized with Section 34 signature;
  • ensure that DBA cheques for reimbursement of Veterans travel are utilized only in circumstances covered by and compliant with the policy; and
  • experts for advice prior to issuance of a Departmental Bank Account cheque.

Management agrees.

A joint memorandum from ADM/CS and ADM/VS was sent to all RDGs in January, 2008. Corporate Internal Control developed a review checklist and a sampling/reporting mechanism to ensure ongoing compliant use of the DBAs.

Please reference OAG 2006-2007 Public Accounts Audit - (corrective action No. 3).

Management Action Plan
Corrective Action to be taken OPI (Office of Primary Interest) Target Date
Effective April 1, 2008, Corporate Internal Control undertakes monthly DBA monitoring Finance Completed

A joint memorandum from ADM/CS and ADM/VS was sent to all RDGs in January, 2008. Corporate Internal Control developed a review checklist and a sampling/reporting mechanism to ensure ongoing compliant use of the DBAs.

Please reference OAG 2006-2007 Public Accounts Audit. - (corrective action #3.)

5.4 Receipt of Public Money

For adequate internal control for accounting purposes wherever possible, money-handling duties should not be performed by persons responsible for keeping accounts receivable records or involved in bank reconciliations. For receipt of money, arrangements should be made for two persons to be present while mail is being opened. All mail should be opened in the mail room unless it is clearly marked "Personal", "Confidential" or "To be opened only by addressee only" in which case it is to be forwarded to the addressee.

Audit observation (5.4)

  • Although the policy states for receipt of money, there should be two persons present while opening the mail and that all mail, except that marked as "Personal", "Confidential" or "To be opened only by addressee only" is to be opened in the mail room, this policy was not being followed in some of the small DOs visited and/or their satellite offices.

6.0 Distribution

  • Deputy Minister
  • Chief of Staff to the Minister
  • Chair, Veterans Review and Appeal Board
  • Senior Assistant Deputy Minister, Policy, Programs and Partnerships Branch
  • Assistant Deputy Minister, Corporate Services Branch
  • Assistant Deputy Minister, Service Delivery and Commemoration Branch
  • Director General, Finance Division
  • Deputy Coordinator, Access to Information and Privacy
  • Program Analyst, Treasury Board of Canada Secretariat
  • Office of the Auditor General
  • Comptrollership Branch
Date modified: