Audit of Key Corporate Controls – Final report

Publication information

To obtain a copy of this publication or an alternate format (Braille, large print, etc.) please fill out the Publication Request Form at www.ic.gc.ca/publication-request or contact:

ISED Citizen Services Centre
Innovation, Science and Economic Development Canada
C.D. Howe Building
235 Queen Street
Ottawa, ON K1A 0H5
Canada
Telephone (toll-free in Canada): 18003286189
Telephone (international): 6139545031
TTY (for hearing impaired): 18666948389
Business hours: 8:30 a.m. to 5:00 p.m. (Eastern Time)
Email: ISED@Canada.ca

Permission to Reproduce

Except as otherwise specifically noted, the information in this publication may be reproduced, in part or in whole and by any means, without charge or further permission from the Department of Industry, provided that due diligence is exercised in ensuring the accuracy of the information reproduced; that the Department of Industry is identified as the source institution; and that the reproduction is not represented as an official version of the information reproduced, or as having been made in affiliation with, or with the endorsement of, the Department of Industry.
For permission to reproduce the information in this publication for commercial purposes, please fill out the Application for Crown Copyright Clearance at www.ic.gc.ca/copyright-request or contact the ISED Citizen Services Centre mentioned above.

© Her Majesty the Queen in Right of Canada, as represented by the Minister of Industry, 2019.

Cat. No. Iu4 — 272 / 2020E — PDF
ISBN 978-0-660-33590-2

List of acronyms used in report

AEB
Audit and Evaluation Branch
CFSPB
Corporate Finance, systems and procurement branch
CIO
Chief Information Office
CMM
Contract and Materiel Management
CSPS
Canada School of Public Service
DCFO
Deputy Chief Financial Office
CMS
Corporate Management Sector
FAA
Financial Administration Act
FSA
Financial Signing Authority
HRG
Hogg Robinson Group
IOC
Investment Oversight Committee
IFMS
Integrated Financial and Materiel System
ISED
Innovation Science and Economic Development
PPMI
Procurement Process Modernization Initiative
QA
Quality Assurance
RCM
Responsibility Centre Managers
STS
Shared Travel Services
THCEE
Travel, Hospitality, Conference and Event Expenditures
THS
Temporary Help Services

1.0 Executive summary

1.1 Introduction

Contracting, acquisition cards, travel, and hospitality are key corporate activities that are subject to on-going scrutiny and analysis as part of exercising appropriate fiscal responsibility and stewardship over public funds. Based on the nature of these activities, the Department has established core controls over these activities ("Key Corporate Controls") that enable it to achieve its corporate objectives as well as comply with applicable policies and legislation.

Key Corporate Controls are supported by control frameworks and systems, as well as by established procedures, guidance and templates for both functional specialists and users. In addition, a training framework, which comprises a combination of ISED-mandated and Canada School of Public Service (CSPS) required training, which helps make key stakeholders with delegated authorities aware of their obligations and responsibilities.

In fiscal year 2018 — 2019, ISED engaged in contracting activities totaling over $207 million, and used acquisition cards for transactions worth $9.1 million. Additionally, the areas of travel, hospitality and conferences had transactions adding up to approximately $12 million.

1.2 Audit background

The objective of the audit was to provide assurance that core controls over contracting, acquisition cards, travel, and hospitality are effective, efficient, and support compliance with corresponding legislation, policies and directives.

The audit scope focused on the design and operating effectiveness of key controls for transactions, records and processes regarding contracting, acquisition cards, travel and hospitality carried out in national headquarters and the regions. Audit procedures covered the period from April 1, 2017 to March 31, 2019.

The scope included an assessment of:

  • Governance and oversight;
  • Effectiveness and efficiency of processes and tools;
  • Compliance with federal policies and regulations, including Financial Administration Act (FAA) sections 32, 34, 33 and 41;
  • Risk management;
  • Monitoring and reporting;
  • Proactive Disclosure; and
  • Continuous improvement.

1.3 Overview of audit results

Strengths

The Department has an established oversight body in place, the Investment Oversight Committee (IOC), which includes scrutiny of contracting activities based on pre-defined criteria that are documented in the terms of reference. The Corporate Management Sector (CMS) has an established quality assurance function that performs compliance monitoring activities on a quarterly and annual basis, which are formally reported and communicated to key stakeholders.

There is a defined training framework for functional specialists and employees with delegated authority, which includes required training provided by the Canada School of Public Service and mandatory ISED-specific courses provided in-house. Overall, based on file testing across all key corporate controls areas, compliance with applicable legislation and policies was high. Finally, the CMS travel group has implemented service standards that measure timeliness of payments, which are tracked and consistently met.

Areas for Improvement

The audit identified opportunities for improvement. Oversight and monitoring could be strengthened by incorporating analysis of risk and trend information, as well as presenting quality assurance results to the oversight committee. While a formal training framework is in place, a number of optional user trainings and guidance could reinforce consistency but are not widely communicated or known.

Record-keeping could benefit from more defined guidance, as sectors apply requirements inconsistently, and information is often missing, duplicated, or segmented across multiple repositories and formats. There is also an opportunity to achieve improved consistency in how delegated authorities are documented to ensure their validity. Lastly, key corporate controls have existing information and tools to inform continuous improvement, but these tools are not formally utilised to review and improve processes.

1.4 Audit opinion and conclusions

The Corporate Finance, Systems and Procurement Branch has oversight functions and processes in place to support the achievement of key corporate objectives and adherence to relevant policies and legislation. Information management controls and practices require strengthening and increased oversight in order to demonstrate full compliance with key responsibilities, and to increase the efficiency of operations. This could be further supported by communicating consistent guidance, which could raise the effectiveness of exercised delegated authorities.

1.5 Management response

Management has agreed with the findings included in this report and will take action to address all recommendations by March 31, 2021.

1.6 Statement of conformance

This audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, as supported by the results of the Audit and Evaluation Branch's quality assurance and improvement program.

_________________________________________

Dawn Lumley-Myllari
Chief Audit Executive
Innovation, Science and Economic Development Canada

2.0 Background

2.1 Key corporate controls overview

Contracting, acquisition cards, travel, and hospitality are key corporate activities that are subject to on-going scrutiny and analysis as part of fiscal responsibility and stewardship over public funds. Based on the nature of these activities, the Department has established core controls over these activities ("Key Corporate Controls") that enable it to achieve its corporate objectives.

These controls include compliance controls as defined by the FAA, such as various financial signing authorities. Section 32 (S32) certifies that sufficient funds are available; section 34 (S34) refers to account verification to certify that work, goods or services were provided as agreed and are eligible for payment; and section 33 (S33) is the payment authorization for the funds to be released. As well, section 41 (S41) is the authority for the department to enter into contracts. Delegated authorities are exercised by at least two different people to maintain segregation of duties.

Within CMS, the Corporate Finance, Systems and Procurement Branch (CFSPB) is the lead branch responsible for each of the Key Corporate Controls, with additional decentralised activities performed by sectors through a delegated authority framework.

Contracting

Contracting within Innovation Science and Economic Development (ISED) is an essential activity, which spans across all programs and operations. Contracting vehicles can include purchase orders, call-ups against standing offers, service contracts, task authorizations, and contracts against supply agreements. Depending on the nature and value of the contracting activity, it is administered either directly by sectors, or by the Contract and Materiel Management (CMM) team, which also functions as an informal centre of expertise on contracting.

The Treasury Board Contracting Policy highlights departmental responsibilities to ensure that adequate control frameworks for due diligence and effective stewardship of public funds are in place and functioning appropriately. Accordingly, ISED has developed the Contracting Control Framework (CCF) to establish a functional relationship for contracting authorities between CMS and individuals exercising contracting authority in sectors. It also provides information on the processes and requirements for obtaining and exercising contracting and spending authority.

Based on the contracting records collected through the Integrated Financial and Materiel System, ISED initiated 3,879 contracts worth over $136M in FY 2017 — 2018 and 3,912 contracts worth over $207M in FY 2018 — 2019.

Several change initiatives are currently underway within CMS and across the Department as part of efforts to modernize and update procurement processes. Recent changes include the centralization of the procurement function, which established a direct reporting relationship between all procurement officers across the Department to the Director of CMM, as well as the Procurement Process Modernization Initiative (PPMI), which aims to expand ISED's enterprise resource planning software, SAP, to include automated, electronic procurement processes.

Acquisition Cards

Acquisition cards are payment vehicles designed to be used for the procurement of low-value goods and services. Eligible acquisition card purchases may range from office supplies to training and conference fees, as well as non-travel hospitality expenses.

The Treasury Board Directive on Payments,which came into effect on April 1, 2017,provides that acquisition cards be used when it is economical and feasible to do so, and that appropriate management practices and internal controls are in place. In addition, the Treasury Board Contracting Policy requires annual public disclosure of the volume and cumulative dollar value of all acquisition card transactions. In FY 2017-2018, ISED had approximately 20,000 transactions worth over $8.7M, while in FY 2018-2019, ISED had over 21,000 transactions worth approximately $9.1M.

ISED has established a Policy on Acquisition Cards, which came into effect on December 15, 2009, to provide employees with the necessary information required to obtain, safeguard and use acquisition cards. It was recently reviewed and updated with a new policy effective April 1, 2019.

While coordinators are responsible for card administration, Responsibility Centre Managers (RCM) are responsible for on-going management, including determining the number of acquisition cards required and the purchase limit for each card in their area of responsibility, as well as section 32 authorization under the Financial Administration Act (FAA). Posting officers within CMS are responsible for the actual payment of card balances, which is performed on a regular cycle associated with the generation of the billing statements.

Travel and Hospitality

Travel and hospitality expenses often receive high public and media scrutiny but are necessary to advance departmental priorities. The Treasury Board Directive on Travel, Hospitality and Conference and Event Expenditures (THCEE Directive), effective April 1, 2017, provides guidance on what are deemed reasonable and necessary costs in the context of conducting government business. It is supplemented by the National Joint Council Directive on Travel,which is focused on providing fair treatment to employees required to travel.

To provide transparency, ISED is required to disclose quarterly all senior employees' travel and hospitality expenses, as well as annual disclosures of all departmental travel, hospitality and conference expenditures. ISED's expenditures, as identified for fiscal year 2017 – 2018, totaled approximately $10 million for travel, $260,000 for hospitality and $692,000 for conferences. In 2018-2019, these areas amounted to approximately $11 million, $376,000, and $668,000 respectively.

2.2 Previous audit engagements

An audit of Contracting and Procurement Activities was conducted in 2012 by the Audit and Evaluation Branch with the objective to provide assurance that: (1) an adequate management control framework with respect to governance and internal control is in place to effectively support contracting and procurement activities, and, (2) contracting and procurement activities are processed in a manner that is compliant with applicable policies, procedures and regulations. The audit resulted in four recommendations in the areas of contract monitoring approach, procurement planning, retention of file documentation, and approval and use of appropriate contracting and procurement mechanisms. All recommendations have been closed.

In 2008, an Audit of Travel and Hospitality was conducted by the Audit and Evaluation Branch.

The objectives for this audit were to: (1) assess the adequacy of the management control framework for travel and hospitality, and, (2) provide assurance that travel and hospitality expenditures are in compliance with applicable policies and directives. The audit resulted in four recommendations in the areas of guidance and communication, verification of acquisition card hospitality expenses, sufficiency of pre-authorization of travel and hospitality expenditures and sufficiency of approval for payment of travel and hospitality expenditures. All recommendations have been closed.

3.0 About the audit

In accordance with the approved Innovation, Science and Economic Development (ISED) 2018 to 2021 Multi-Year Risk-Based Internal Audit Plan, the Audit and Evaluation Branch (AEB) undertook an audit of the Key Corporate Controls for contracting, acquisition cards, travel, and hospitality.

Audit Objective

The objective of the audit was to provide assurance that the core controls over contracting, acquisition cards, travel, and hospitality are effective, efficient, and support compliance with corresponding legislation, policies and directives.

Audit Scope

The audit scope focused on the design and operating effectiveness of key controls for transactions, records and processes of contracting, acquisition cards, travel and hospitality carried out in national headquarters and the regions. Audit procedures covered the period from April 1, 2017 to March 31, 2019.

The scope included an assessment of:

  • Governance and oversight;
  • Effectiveness and efficiency of processes and tools;
  • Compliance with federal policies and regulations, including FAA sections 32, 34, 33 and 41;
  • Risk management;
  • Monitoring and reporting;
  • Proactive Disclosure; and
  • Continuous improvement.

Methodology

The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada.

Based on the identified risks, AEB developed the audit criteria and sub-criteria linked to the overall audit objective (see Appendix A).

The methodology used for this audit included various procedures to address the engagement's objective. This included, but was not limited to, review of documentation, interviews, performing walkthroughs of the key processes, transaction level sample testing and data analytics.

4.0 Findings and recommendations

4.1 Introduction

This section presents detailed findings from the audit of key corporate controls. The findings are based on evidence and analysis from both the initial risk assessment and the detailed audit work.

4.2 Monitoring and oversight

Compliance monitoring occurs quarterly, and results are provided to management. However, the testing methodology's procedures could be strengthened to better detect instances of contract-splitting. As well, an oversight body is in place for contracting activities. Both monitoring and oversight could be strengthened by more analysis of risk and trend information.

Monitoring

The majority of monitoring activities are performed by the Quality Assurance (QA) function within the Corporate Management Sector. QA tests key corporate controls on a quarterly and annual basis using defined risk-based methodologies and tools, across all sectors and discrete units. QA testing results are then aggregated and reported quarterly to the Deputy Chief Financial Officer (DCFO), as well as to the functional lead areas such as contracting.

In relation to contracting, QA testing is performed using a standard checklist to ensure consistent review. However, checklist criteria focuses predominantly on aspects of file completeness than on compliance, as highlighted by the following observations during re-performance:

  • When assessing the appropriateness of the contracting vehicle used, the review validates the appropriateness of the vehicle, but does not determine if it was the best option (i.e. full competitive, versus drawing from a standing offer); and
  • While tests to detect activities such as contract-splitting would require the review of multiple contracts with the same vendor, re-performance of tested files suggests that reviews were limited to single files. In addition, re-performance results did not always align with QA results in the areas of vendor performance forms, potential contract-splitting, and disclosure.

While QA results are formally reported to both sectors and the DCFO, along with recommendations for improvement for deficiencies, the QA function does not formally monitor implementation of intended actions. It was also noted that there is no guidance to address instances where files selected by QA for sample testing cannot be located.

Oversight

An Investment Oversight Committee (IOC) has been established, with a mandate to provide stewardship over Departmental funds in relation to the areas of procurement, grants and contributions proposals, and projects to ensure compliance with legislation, policies and internal processes, as well as activities supporting organisational objectives. The IOC holds bi-weekly meetings, or more if required, and records of decisions are documented for each meeting. Guidance is available to Sectors and Branches through templates for submissions that identify required information.

The committee has defined and documented terms of reference, which outline the types of procurement to be presented; specific contract types and dollar values are identified, as well as amendments to existing contracts in excess of pre-defined thresholds. However, while the types of procurement reviewed may be guided by informal considerations of risk, there was no evidence that the selection of these activities is informed by a formal risk methodology or by the results of the QA team's monitoring activities.

Oversight of travel, acquisition cards, hospitality and conferences is transactional in nature, and monitoring is performed through QA testing. While no formal oversight body exists for these activities, QA results are reported to senior management and to individual sectors.

Some sectors have established good practices to support oversight of their key activities, such as the Chief Information Office (CIO), who presents annual procurement plans for temporary help services (THS) to the IOC.

Overall, if QA testing does not incorporate reviews of other contracting activities performed by the same fund centre, there is a risk that improper contracting activities could remain undetected, and expose the department to complaints from unsuccessful bidders. As well, if QA results are not presented to the departmental oversight committee, oversight of contracting activities may not capture all areas of interest on an ongoing basis.

Preliminary Recommendation #1 (Medium Risk):

The Quality Assurance team should proactively strengthen detection of potential contract-splitting by updating the contracting testing methodology to include the review of all related contracting files.

Preliminary Recommendation #2 (Low Risk):

Results from quality assurance testing of contracting files should be presented to the Investment Oversight Committee, and include compliance rates, trends, and areas of highest risk in order to inform oversight areas of interest.

4.3 Guidance and training

Training for functional specialists is formally provided. However, detailed guidance for end users is not widely shared or known throughout the department.

Control Framework

A Financial Control Framework (FCF) has been implemented to set expectations for the delivery of financial operations and controls in the department, and is updated as needed to ensure continued alignment with Treasury Board policy requirements. The FCF defines roles and responsibilities, training, key financial processes and transactions to monitoring and reporting.

At the transactional level, it defines high-, medium-, and low-risk financial transactions. The extent of S33 activities is determined by the transaction's risk, and ensures high-risk transactions receive more attention than low-risk ones. The FCF also establishes risk thresholds for QA monitoring. Other types of transactions, such as travel and hospitality, have specific approval requirements and limits based on Treasury Board policy.

For contracting processes, the Contracting Control Framework (CCF) covers expectations for those officers exercising contracting authority across the department and training requirements. It also addresses roles and responsibilities, key process flows, as well as monitoring and reporting requirements.

Each control framework is supported respectively by delegated financial and contracting authorities charts approved by the Deputy Minister.

Signing Authority and Training

Granting of Financial Signing Authority (FSA) under S32, S34 and S41 is dependent upon successful completion of training requirements for functional specialists, Responsibility Centre Managers (RCM), and other officers with duties requiring delegated authority. The Integrated Financial and Materiel System (IFMS) is the official record for all delegated authorities and includes training information and training expiry dates, which are usually matched to the FSA end dates. IFMS is searchable by FSA number and name in order to facilitate validation.

Annual FSA reviews are performed to confirm the currency of delegations through validation from the sectors, however there is no such formalised process for S41 delegated authorities for those officers with the authority to initiate purchases under $10,000. Records maintenance varies depending on whether it is a contracting or financial authority, since different functional areas manage those FSAs. As an example, training certificates for contracting are saved in IFMS and GCDocs, whereas financial delegation training records are maintained through a tracking spreadsheet that is updated weekly based on CSPS training records.

User Guidance

Policy and process changes are communicated to functional specialists through teleconferences, wikis, and quarterly newsletters, as well as an annual symposium. In addition, templates and guidance, such as checklists and process maps, are available in the FCF and CCF.

For end users, guidance also exists for most key corporate control activities, but is either insufficient or not widely communicated:

  • User guidance for the travel system is available but not extensively shared. While departmental guidance is available on a wiki, its availability is not well-known; and
  • An in-house delegation of financial signing authority course has been developed to improve end-user knowledge for delegated financial authorities. However, training is not widely circulated.

As good practices, CIPO has developed travel user guidance, while the Communication Research Centre (CRC) has developed user and functional guidance across all key corporate control areas.

If guidance is unavailable or users are unaware of its existence, inconsistencies may occur across the department, leading to greater risk exposure of errors, as well as greater levels of effort for central functional authorities to correct the errors.

Preliminary Recommendations #3 (Low Risk):

CMS should develop a communication plan to ensure all departmental users are aware of the full guidance and training inventory.

4.4 Information management

Requirements for records management of key corporate control records are not well communicated and are inconsistently applied.

File Management

The key information systems are: IFMS, which is the primary financial system used by ISED; the GCDocs government-wide document management platform; the HRG system (Hogg Robinson Group) for travel; and Spend Dynamics for acquisition cards. Records for key corporate controls are maintained in multiple formats and locations, including within those systems and as hard copy documentation records. Active contracting files are held by either CMM or the sectors (depending on the nature and value of the contract), while closed files are held by the records management group within the Digital Transformation Service Sector (DTSS).

However, guidance documents offer inconsistent requirements for the management of records and information, as sectors may choose which types of information to keep, and where to store it:

  • Contracting and hospitality invoices may be sent to centrally managed CMS files, or maintained in the sectors. The electronic file does not indicate where the information is held; and
  • Paper contracting files are considered mandatory, however a number of files tested were found to be incomplete. Specifically, documentation of competitive contracting processes was not consistently included, with files missing either the original request, received quotes or completed evaluations.

Paper contracting records are often found in different locations than indicated, and a number of sample files selected for testing could not be found. Acquisition cards records maintenance is also a decentralized activity, with card coordinators directly supporting sectors and discrete units. Testing showed that acquisition card application and acknowledgement forms, as well as supporting transaction approval evidence are not consistently uploaded to IFMS and GCdocs.

Electronic records management capability exists for travel transactions, so all records are expected to be uploaded. However, evidence of S32 approvals for travel booked offline (i.e. outside of the system) was not always retained.

System Information

Delegated authority records are maintained in IFMS and are relied upon for validation of authority for financial transactions. However, controls to support delegated authority records within IFMS do not always support on-going, up-to-date administration:

  • Records of delegation for short-term acting appointments are created in email only, and are not always uploaded to IFMS as required;
  • IFMS has no embedded controls to ensure alignment between effective dates for training and delegated authorities; and
  • Documented explanations for FSA cancellations and effective end dates of FSA are not consistently updated.

With respect to acquisition cards, Spend Dynamics provides segregated cardholders and transactions records for ISED, CRC, CIPO and Measurement Canada respectively. IFMS holds corresponding FSA information for cardholders, including account limits, but information is manually updated and not always linked to information kept outside of the system:

  • The delegation tab in IFMS always shows a $5,000 account limit for cardholders, even if an increase may have been approved. Further, transaction limits are not recorded in IFMS, nor are approvals consistently maintained; and
  • There is no systematic way to match acquisition card numbers to the relevant or valid FSA, which limits the ability to verify the validity of the user. As such, a cardholder may be able to use their card even if the delegated authority is no longer valid.

Without consistently applied records management standards, management may not have access to accurate information, nor will it be able to effectively and efficiently monitor compliance.

Preliminary Recommendation #4 (Medium Risk):

CMS should, in consultation with DTSS, establish and communicate consistent records management practices for key corporate controls, including interim compensating controls for system limitations, and monitor their effectiveness.

4.5 File administration

Key corporate controls across all processes tested are generally compliant with policies and processes, with most gaps identified due to the quality and completeness of documentation to support delegated authorities.

For all key corporate controls included in the scope of the audit, samples of transactions were selected for testing against legislative and policy requirements, as well as internal processes, with transactions selected within fiscal years 2017 and 2018.

Data analytics were used to identify higher-risk transaction types and determine a judgemental sample. This sample was complemented by a statistical sample across sectors and included all key corporate control areas with the exception of travel, which could be analyzed at a population level due to higher automation of key controls.

In addition, a statistical sample of contracting files tested by Quality Assurance (QA) was also re-performed to ensure consistency, as well as a selection of automatically posted invoices either self-assessed or re-tested by QA. In instances where information or records could not be located, conclusions could not be provided to determine the effectiveness of the controls.

Contracting

Competitive contracts were generally managed in compliance with policy and process requirements across both the judgemental and statistical sample, with some exceptions relating to documentation and approvals. While instances of non-compliance were few, quality control could be strengthened to ensure that all delegated authorities are obtained prior to contract initiation, and that instances of non-compliance are detected in a timely manner. In addition, gaps were identified with regard to the completeness of documentation, as a number of files tested were missing sole-source or amendment justifications.

Travel

Travel files had an overall high compliance rate based on the judgemental sample testing results, with minor errors generally due to documentation gaps.

Acquisition Cards

The overall compliance rates for both S32 and S34 authorities were high. For both S32 and S34, noted exceptions were due to either the wrong Financial Signing Authority (FSA) number being used, or signatures not on file. For a few transactions, no supporting evidence could be located. In addition, S32 was done prior to payment in a number of files with some of the exceptions due to S32 not being dated.

Hospitality and Conferences

For sampled hospitality and conference transactions, the compliance rate for S32 and S34 were also high. Exceptions were noted primarily due to insufficient evidence maintained to support S32 and S34 approvals on file, including missing dates or dates after the expense was incurred.

In addition, similar to other areas, documentation gaps were identified, with pre-approval forms not always on file for both hospitality and conferences, and hospitality expense claims not on file in a number of files tested.

Timeliness of Invoice Processing and Account Verification

Testing also considered timeliness of payments based on the defined payment terms for the Government of Canada. For a third of hospitality and conference invoices tested, S33 verification occurred more than 30 days after the baseline date, resulting in those invoices being paid more than 30 days after the baseline date. For contracting invoices, overall compliance to account verification and appropriate authority was high, however timeliness of S33 verification from baseline date could also be improved to ensure payments are consistently made within terms. For acquisition card transactions, S34 occurred 60 days after purchase date for a proportionally high number of transactions tested.

However, if delegated authorities over expenses are not exercised diligently, this could impact the overall level of compliance to the Financial Administration Act.

Preliminary Recommendation #5 (Medium Risk):

In order to enhance timeliness and ensure consistency in the signing and dating of delegated authorities, CMS should strengthen its monitoring through the payment verification process.

4.6 Performance management and continuous improvement

Travel has established service standards, which are regularly met. While service standards exist for contracting, they were not tracked during the audit scope period. QA activities occur regularly to support compliance testing, but they could be leveraged to support more formal continuous improvement.

Service standards have been established over payments of traveller claims, and are tracked daily and monitored; travel claims were found to have been paid within the service standard in 99% of tested files. Payment timeliness is also tracked and monitored across all invoices by FOD on a monthly basis.

Within contracting, there are existing service standards with assigned timeframes, however, measurement points, such as start and end triggers dates, as well as exceptions, have not been clearly defined. While contracting service standards were not being tracked during the period of the audit, management has indicated that they have since begun tracking on a regular basis.

Additionally, while contracting has tools that could be used to inform continuous improvement, they are not consistently applied. For instance, CMS can submit questionnaires that speak to the client service they received, but feedback is not actively solicited, resulting in low response rates.

The Procurement Process Modernization Initiative (PPMI) aims to both standardise procurement processes and centralise key electronic records. This is being done through consultation and engagement of financial officers across the department, with regular status updates provided through the Stay in Touch newsletter and the annual Symposium. As well, QA performs regular reviews of their tools in order to update their guidance, checklist and templates based on consultations across sectors.

Without using current results to inform continuous improvement, the department risks mitigating the same recurring issues annually, and may not fully realise the benefits of increased efficiency.

Preliminary Recommendation #6 (Low Risk):

CMS should develop continuous improvement plans for contracting processes and documentation, and report annually to senior management on their effectiveness.

4.7 Management response and action plan

The findings and recommendations of this audit were presented to the Assistant Deputy Minister and Chief Financial Officer, Corporate Management Sector, and to representatives of the Corporate Management Sector. Management has agreed with the findings included in this report and will take action to address all recommendations by March 31, 2021.

Management response and action plan

Appendix A: Audit criteria

Audit of the Competition Bureau
Audit Criteria Sub-Criteria
  1. Effective governance and oversight are in place over key corporate controls.
  • 1.1  Effective oversight is in place for all key corporate controls.
  • 1.2  Roles, responsibilities and accountabilities are defined and communicated across the Department.
  • 1.3  Employees are provided with the necessary training, guidance and tools to meet their responsibilities.
  • 1.4  Risk management is integrated within key corporate controls and used effectively for planning, decision-making and reporting.
  1. Processes supporting key corporate controls are effective and efficient, and comply with applicable policies and frameworks.
  • 2.1  Processes are designed to align with policies and directives and effectively support operational objectives.
  • 2.2  Key controls are operating as designed and support compliance with applicable policies and directives.
  • 2.3  Service delivery standards have been defined, and performance is tracked and reported on an on-going basis.
  1. Monitoring and reporting of activities are timely and effective.
  • 3.1  Compliance with applicable policies and directives is monitored.
  • 3.2  Management is provided with accurate, relevant and reliable information for decision-making and reporting.
  • 3.3  Processes are in place to support the continuous improvement of key corporate activities.