Acquisition Cards Audit

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Archived

This page has been archived on the Web

January 2008

Recommended for Approval to the Deputy Minister By the DAC on

Approved by the Deputy Minister on

PDF version
(60 KB, 14 pages)

Table of Contents

This publication is available upon request in accessible formats.

Contact:
Multimedia Services Section
Communications and Marketing Branch
Industry Canada
Room 264D, West Tower
235 Queen Street
Ottawa ON  K1A 0H5

Tel.: 613-948-1554
Fax: 613-947-7155
Email: ic.cmb-creative.ic@canada.ca

Permission to Reproduce
Except as otherwise specifically noted, the information in this publication may be reproduced, in part or in whole and by any means, without charge or further permission from Industry Canada, provided that due diligence is exercised in ensuring the accuracy of the information reproduced; that Industry Canada is identified as the source institution; and that the reproduction is not represented as an official version of the information reproduced, nor as having been made in affiliation with, or with the endorsement of, Industry Canada.

For permission to reproduce the information in this publication for commercial redistribution, please email: copyright.droitdauteur@pwgsc.gc.ca

Aussi offert en français sous le titre Vérification des cartes d'achat

1.0 Executive Summary

1.1 Introduction

Acquisition cards are approved for use to reduce and simplify the goods and services procurement process and to reduce or eliminate local purchase orders and petty cash funds. At Industry Canada (IC), the Financial and Materiel Management Directorate (FMMD) is the centre of expertise for Acquisition Cards and as such produces policies and procedures, provides directional guidance and is responsible for overall monitoring of the program. The Bank of Montreal (BMO) is the service provider for Industry Canada. Full payment is made by IC to BMO as soon as the statement becomes available.

The audit of Acquisition Cards sought to provide Industry Canada management with reasonable assurance that the risk management system is effective; the internal control system is adequate, efficient and effective; and the governance process defines and preserves values, sets goals, monitors activities and performance and defines accountability methods.

The scope of the audit covered all aspects of the use of acquisition cards at IC for the period from April 1, 2006 to March 31, 2007. During this period IC had approximately 700 cardholders who performed 26,260 transactions for a value of $8.7 million.

Our approach to the audit included an examination of the existing Management Control Framework (MCF) in place to monitor acquisition card activities within IC and ensure compliance with departmental and Treasury Board (TB) policies. Interviews, file reviews and transaction testing were conducted in IC's business units (ICBU), regions and headquarters during the period from January 2007 to September 2007. The Acquisition Card Audit was conducted in accordance with the approved 2006-2007 Audit Plan.

1.2 Main Findings

Governance

1. The IC Comptroller Branch's Policy on Acquisition Cards has not been updated to make reference to the consolidated billing process implemented at IC in October 2001, and does not fully reflect the TB Policy on Acquisition Cards.

2. Guidelines have not been developed to assist the manager in determining the need for issuing additional cards and what credit limits would be appropriate.

Controls

3. The BMO details system is not being used effectively to analyse acquisition card purchases overall. We found that when hospitality expenditures are paid through acquisition cards, required forms are incomplete or missing in some instances. There is currently no process in place to ensure that these transactions are verified by FMMD. Furthermore, there is no reporting to Management.

1.3 Recommendations

Governance

1. The Director General (DG), Financial Operations and Systems (FO&S) should ensure that the IC Comptroller Branch's Policy on Acquisition Cards is up to date and includes guidance on areas of risk including, but not limited to: what constitutes abuse and wilful disregard of the policy, highlighting the importance of adherence for sensitive transactions such as hospitality; guidelines to assist managers in determining if acquisition cards are needed; and appropriate credit limits and other limitations to the use of cards.

2. The DG, FO&S should develop mandatory awareness and information sessions for Regional Coordinators (RCs) and other key stakeholders on the guidelines developed to address the rules and procedures for issuing, using, documenting, authorizing and monitoring acquisition cards.

Controls

3. The DG, FO&S should review the methods and parameters used for the selection of the acquisition card transactions to be monitored and reported. Follow-up activities should form part of the review process.

1.4 Statement of Assurance

In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria. The opinion is applicable only to the IC National Headquarters (NHQ), ICBUs and regions examined.

1.5 Audit Opinion

In my opinion, there are multiple risk areas presenting no serious risk exposure related to the control and governance processes of Acquisition Cards that require management attention.

2.0 About the Audit

2.1 Background

Acquisition cards were approved for use in government departments and agencies in late 1991 to reduce and simplify the goods and services procurement process and to reduce or eliminate local purchase orders and petty cash funds.

The BMO is the service provider for IC. Acquisition cards allow employees to charge purchases, for which full payment is made by IC to BMO as soon as the statement becomes available. The contract with BMO offers a rebate program, payable directly to the department. Rebates are based on variables such as the level of expenditures on the cards and faster balance settlement.

The TB Policy on Acquisition Cards holds departments responsible for establishing specific policies and procedures to ensure the economical and efficient use of acquisition cards and for designating a Departmental Coordinator (DC) and/or designate. Each DC is responsible for authorizing and issuing acquisition cards, monitoring program design to ensure reliable controls exist over the use of cards and managing their department's card programs. At IC, Regional Coordinators (RCs) facilitate the receipt, delivery and retrieval of acquisition cards and to respond to queries from managers and cardholders in the regions. Departments are also responsible for carrying out reviews and audits to determine whether cards are being used according to policy.

The IC Comptroller's Branch Policy on Acquisition Cards, dated August 2001, provides FMMD with the authority to oversee all activities related to acquisition cards. The Contracts and Materiel Management (CMM) division of FMMD is responsible for all activities related to the procurement aspects of card use. The financial aspects such as payments and reconciliation are also the responsibility of FMMD. All aspects of card issuance and distribution are the responsibility of the DC designated by CMM, which is assisted by the RCs in the regions and ICBUs.

The audit was conducted in accordance with the approved 2006–07 IC Audit Plan.

2.2 Objective

The audit objectives are:

  1. To assess the extent to which the existing management control framework (MCF) meets departmental and TB expectations and is functioning as intended.
  2. To determine the extent to which acquisition card activities are conducted in compliance with departmental and TB policies.

2.3 Scope

The audit covered all aspects related to the use of acquisition cards at IC for the period from April 1, 2006 to March 31, 2007. During this period IC had approximately 700 cardholders who performed 26,260 transactions with a value of $8.7 million.

2.4 Methodology

In support of the requirements under Treasury Board's Policy on Internal Audit, audit criteria were developed and linked to each audit objective under the categories of internal controls, governance and risk management.

Audit Approach

Interviews, file reviews and transaction testing were conducted in IC business units, regions and headquarters during the period January 2007 to September 2007.

The following activities were taken by the audit team:

  • Review TB policy and directives as they relate to the use of acquisition cards;
  • Examination of the IC Comptroller Branch's Policy on Acquisition Cards;
  • Conducting of a preliminary survey of the acquisition cards management framework, including a risk assessment, in the audit planning phase which resulted in an Audit Planning Memorandum dated May 2007, describing the acquisition cards field and outlining the proposed audit approach and audit criteria;
  • Development of an audit program including audit criteria and a sampling plan;
  • Conducting of interviews and inquiries with selected Finance and Administration staff, cardholders, Responsibility Centre Managers (RCMs), DC and RCs involved in acquisition card activities;
  • Analysis of procedures being followed in using acquisition cards and monitoring and reporting the transactions;
  • Follow-up on prior audit recommendations related to acquisition cards;
  • Detailed transaction testing, and,
  • Debriefing of key stakeholders in the regions and at headquarters on the preliminary results of the audit.

Sampling

A total sample of 858 transactions valued at $642 thousand were examined in detail. The sample consisted of 644 randomly selected transactions valued at $234 thousand plus a judgmental sample of 214 valued at $408 thousand selected to ensure that high risk transactions were included.

3.0 Findings and Recommendations

3.1 Introduction

This section presents detailed findings from the audit of Acquisition Cards at IC. Findings are based on the evidence and analysis from both our initial risk analysis and the detailed audit conduct. In addition to the findings presented below, observations of conditions that were non-systemic and of low materiality and risk have been communicated to management for their consideration.

3.2 Governance

Finding 1: Outdated and Incomplete Policy

The IC Comptroller Branch's Policy on Acquisition Cards has not been updated to make reference to the consolidated billing process implemented at IC in October 2001, and does not fully reflect the TB Policy on Acquisition Cards.

IC policies, guides and manuals should be clear and consistent with the governmental (and departmental) policies and processes related to acquisition cards.

We found that the IC Comptroller Branch's Policy on Acquisition Cards (issued in August 2001) had not been updated to make reference to the consolidated billing process implemented at IC in October 2001. In addition, the IC Policy does not fully reflect the TB Policy on Acquisition Cards in terms of the following omissions:

  • A definition of what constitutes abuse and wilful disregard of the operating policy and the consequences for these actions (TB policy reference 5.c);
  • An explicit statement that the acquisition card must not be used after the expiry date indicated on the card (TB policy reference 5. g.vii); and
  • A specific mention of purchasing authority that stipulates that the cardholder or the person who authorizes the purchase must have the delegated purchasing authority (TB policy reference 6.c.).
Recommendation 1

The DG, FO&S should ensure that the IC Comptroller Branch's Policy on Acquisition Cards is up to date and includes guidance on areas of risk including, but not limited to: what constitutes abuse and wilful disregard of the policy, highlighting the importance of adherence for sensitive transactions such as hospitality; guidelines to assist managers in determining if acquisition cards are needed; and appropriate credit limits and other limitations to the use of cards.

Finding 2: Insufficient Guidelines and Training

Guidelines have not been developed to assist the manager in determining the need for issuing additional cards and what credit limits would be appropriate.

Skills, knowledge and training for acquisition cards should be sufficient, available and provided in a timely manner where required.

Guidelines have not been developed to assist the manager in determining the need for cards and what credit limits would be appropriate. Cards are issued to employees at the discretion of the individual manager.

IC has initiated communication methods to ensure the dissemination of policies and best practices. These initiatives include intranet references, policies and procedures, internal publications such as "Staying in Touch" and local intranet messages or reminders. We found that information is not always effectively disseminated throughout the Department, between regions, ICBUs and headquarters and that some procedures in the regions and ICBUs are different from those at headquarters. For example, the new finance monthly checklist was not used at the time of our visit to the regions in June and July 2007, although the new process was implemented by headquarters as of .

DC and RCs indicated that they have not received any formal training and their knowledge of Acquisition Card requirements were acquired through on the job experience.

Recommendation 2

The DG, FO&S should develop mandatory awareness and information sessions for RCs and other key stakeholders on the guidelines developed to address the rules and procedures for issuing, using, documenting, authorizing and monitoring acquisition cards.

3.3 Controls

Finding 3: Gaps in Monitoring and Reporting

The BMO details system is not being used effectively to analyse acquisition card purchases overall. We found that when hospitality expenditures are paid through acquisition cards, required forms are incomplete or missing in some instances. There is currently no process in place to ensure that these transactions are verified by FMMD. Furthermore, there is no reporting to Senior Management.

TB requires departments to identify unusual card use patterns to determine whether card practices are improving and whether errors are within tolerable limits.

Monitoring functions are the responsibility of the DC and FMMD and they have established a control framework and monitoring system to mitigate risks associated with acquisition cards. We found however that the parameters used in Audit Command Language (ACL) software used by FMMD for tracking anomalies and high-risk transactions have not been significantly revised since its inception to ensure that high-risk transactions are identified.

FMMD consider hospitality events sensitive. Pre-approval should be obtained, forms completed and claims submitted with proper supporting documentation. In some instances when hospitality expenditures are paid through acquisition cards, required forms are incomplete or missing. We also found that there is currently no process in place to ensure that these transactions are verified by FMMD.

Monitoring activities should result in bringing all relevant non compliance cases to the attention of the RCMs and / or actively reminding cardholders of the need to adhere to the policy requirements.

We found that although transaction information is available online through BMO to help the DC and the RC manage and monitor acquisition card usage; the BMO details system is not being used effectively to analyse acquisition card purchases. There was limited analysis of patterns of card usage, card limits, number of multiple cardholders and frequency of card use and associated risks.

RCs are often most aware of the business details in their area of responsibility and are in a better position to conduct monitoring activities for their regions. Neither the results of monitoring activities nor the overall level of purchase activity conducted using acquisition cards is reported to Senior Management.

Recommendation 3

The DG, FO&S should review the methods, staff and parameters used for the selection of the acquisition card transactions to be monitored and reported. Follow-up activities should form part of the review process.

4.0 Annex A: Detailed Audit Criteria

The following audit criteria (by audit objective) were developed and assessed:
Audit Objective:

  • To assess the extent to which the existing management control framework meets departmental and TB expectations and is functioning as intended.

Audit Criteria:

  • Risk management–The existing risk assessment process is adequate and controls are in place to mitigate the risks.
  • Policy framework –IC policies, guides and manuals are clear and consistent with governmental policies relating to acquisition cards.
  • Roles & responsibilities–IC organizational structure, roles and responsibilities are clearly defined, understood and documented.
  • Skills, knowledge and training–Skills, knowledge and training for acquisition cards are sufficient, available and provided where required in a timely manner.
  • Monitoring and reporting–Monitoring practices and controls are adequate to ensure compliance with acquisition card policies and practices. Information reported is sufficient, appropriate, and consistent.

Audit Objective:

  • To determine the extent to which acquisition card activities are conducted in compliance with departmental and TB policies.

Audit Criteria:

  • Issuance, distribution and cancellation of cards and authorization–Acquisition cards are issued, distributed, cancelled and authorized as required by TB and IC.
  • Acquisition card transactions–Transactions comply with TB and IC policy requirements.
  • Disputes and payment and reconciliation of consolidated billing–Disputes, payments and reconciliations are properly settled, paid, authorized and reconciled.

5.0 Annex B: Management Action Plan

Management Action Plan representing recommendations and planned actions or justification for no action
Recommendation (Section / Page) Planned Action or Justification for no action on the Recommendation Responsible Official Target Completion Date Revised Completion Date Current Status

1. The DG, FO&S should ensure that the IC Comptroller Branch's Policy on Acquisition Cards is up to date and includes guidance on areas of risk including, but not limited to: what constitutes abuse and wilful disregard of the policy, highlighting the importance of adherence for sensitive transactions such as hospitality; guidelines to assist managers in determining if acquisition cards are needed; and appropriate credit limits and other limitations to the use of cards. (Sn 3.2, p6)

FOSB will update the Acquisition Card Policy and ensure that it is updated on the IC Comptrollership and Administration Sector (CAS) Web site and include specific guidance on the risk associated to Acquisition Cards. CAS will also prepare guidelines to assist managers in determining who requires an acquisition card and how to establish the credit limit.

The policy and guidelines will be available to all IC users via the Comptrollership and Administration Sector's Web Site and will be distributed to all IC Departmental/Regional Coordinators (DC/RC) and Responsibility Centre Managers.

 DG, FOSB June 1, 2008
2. The DG, FO&S should develop mandatory awareness and information sessions for RCs and other key stakeholders on the guidelines developed to address the rules and procedures for issuing, using, documenting, authorizing and monitoring acquisition cards. (Sn3.2, p7) DG FOSB will develop a training package for all IC DC/RC and will deliver the training to all DC/RC. DG FOSB will also develop an awareness and information session for all Responsibility Centre Managers and for all acquisition card users (should they differ from the RCM). This awareness and information session will be mandatory to retain an existing acquisition card or to obtain a new acquisition card. DG, FOSB

Training/awareness information package available June 30, 2008.

Delivery of the training–Starting in Q2–2008-2009 and on-going thereafter.
3. The DG, FO&S should review the methods, staff and parameters used for the selection of the acquisition card transactions to be monitored and reported. Follow-up activities should form part of the review process. (Sn 3.3, p8)

FOSB is currently reviewing the ACL extract parameters for the selection of acquisition cards samples. As an additional measure in 2008–2009, the Quality Assurance team (throughout Industry Canada) will target all acquisition cards that contain hospitality transactions. The accounts verification is also done to ensure that all supporting documents are attached to the payment.

FOSB will implement a reporting process to CAS Chief Financial Officer for acquisition cards that do not meet the Policy requirements.

 DG, FOSB

New ACL extract to be produced for April 1, 2008.

Quality Assurance monitoring of hospitality events paid with acquisition cards implemented since December 2007.

Increase the monitoring of hospitality events paid with the acquisition cards to 100% — April 2008

Reporting to CAS CFO — To begin in Q1 — 2008–2009
 Report a problem
Date modified: