Parks Canada
Symbol of the Government of Canada

Common menu bar links

Internal Audit and Evaluation Documents

Audit of Key Financial Processes - Strategy and Plans Directorate

Final Report
April 2010

Prepared by:
Paragon Review and Consulting Inc.

Table of Contents

Summary

1. Background

2. Objectives and Scope

3. Methodology

4. Statement of Assurance

5. Conclusions

6. Observations and Recommendations

6.1 Management Control Framework (MCF)
6.2 Hospitality & Food expenses
6.3 Contracting
6.4 Use of acquisition cards
6.5 Expenditures on Travel
6.6 Payments to Suppliers
6.7 Financial Coding
6.8 Telecommunication
6.9 Inventory

Printable Version


Note: To read the PDF version you need Adobe Acrobat Reader on your system.

If the Adobe download site is not accessible to you, you can download Acrobat Reader from an accessible page.

If you choose not to use Acrobat Reader you can have the PDF file converted to HTML or ASCII text by using one of the conversion services offered by Adobe.



Report presented to the Audit Committee at the meeting of June 30th, 2010

Summary

Parks Canada Agency (PCA) conducts cyclical audits of key financial, administrative and management practices in the field units, service centers and various branches at the national office and in the regions. The audits are based on compliance with the policies and practices of the Treasury Board Secretariat (TBS) and the Parks Canada Agency. The audit of Strategy and Plans Directorate was conducted as part of this cyclical audit program.

The objectives of this audit were to determine whether due diligence was being exercised in the key management processes and to provide assurance to senior management that the processes and controls in place at the Parks Canada Agency to limit risks of non-compliance with TBS and PCA policies were satisfactory.

The exercise included a review of the management control framework (MCF) for financial management as well as key processes in the following financial areas: hospitality charges, contracting, use of acquisition cards, travel expenses, inventory, telecommunication, payments to suppliers, and financial coding. This audit covered the period from April 1, 2009 to October 28, 2009.

The audit methodology consisted of a review of relevant vouchers, interviews with staff of the Parks Canada Agency and sampling of transaction controls in the main financial areas. The audit work was carried out between October 26, 2009 and January 15, 2010.

The audit engagement was planned and conducted to be in accordance with the Internal Audit Standards for the Government of Canada.

In general, the audit found that due diligence is being exercised in the key management process areas within the Strategy and Plans Directorate and that processes and controls in place are adequate to ensure compliance with TBS and PCA policies and practices. However, the audit team has identified opportunities to strengthen compliance and management of the key process areas.

Audit Report Rating Summary:

Ref. Management Process Rating
6.1 Management Control Framework YELLOW – Moderate Improvements Needed
6.2 Hospitality & Food expenses YELLOW – Moderate Improvements Needed
6.3 Contracting YELLOW – Moderate Improvements Needed
6.4 Use of Acquisition Cards BLUE – Minor Improvements Needed
6.5 Expenditures on Travel ORANGE – Significant Improvements Needed
6.6 Payments to Suppliers ORANGE – Significant Improvements Needed
6.7 Financial Coding BLUE – Minor Improvements Needed
6.8 Telecommunication – S&P ORANGE – Significant Improvements Needed
Telecommunication – OCIO YELLOW – Moderate Improvements Needed
6.9 Inventory ORANGE – Significant Improvements Needed

Below is our list of recommendations to the Chief Administrative Officer:

Management Control Framework

1.
The Chief Administrative Officer should ensure that:

  • All positions have a documented roles and responsibilities,
  • performance appraisals are completed in a timely manner to strengthen the alignment of priorities, goals, and objectives within S&P.
2.
The Chief Administrative Officer should ensure that controls are in place to capture in the financial system, variances reported in the template.

3.
The Chief Administrative Officer should ensure that specimen signatures are up to date, signed by the appropriate level of authority and reviewed at least once a year.

Hospitality expenses

4.
The Chief Administration Officer must ensure that hospitality activities are pre-authorized and properly signed under S.34 of the FAA.

5.
The Chief Administrative Officer need to provide and clarify the Directorate/Agency’s position on providing bottled water to Agency employees outside authorized hospitality functions.

Contracting

6.
The Chief Administrative Officer must ensure that non-competitive contracts are supported by a documented sole source justification.

Use of Acquisition cards

7.
The Chief Administration Officer must ensure that the Acquisition Card Coordinator role and responsibilities are documented to clearly identify the tasks to be completed in executing this role.

Expenditures on Travel

8.
The Chief Administration Officer must ensure that:

  • all trips on government business be authorized prior to the traveller’s departure and that all information that is required to be recorded on the TAA form is completed;
  • all documents required to support the travel claim are attached to the claim form;
  • all TAA, travel claim forms and Amex statements are approved by managers with the appropriate delegated financial authority;

Payments to Suppliers

9.
The Chief Administrative Officer must ensure that:

  • commitments are entered into the financial system and evidence of this should be documented on invoices and/or supporting documentation;
  • invoices are date stamped upon receipt;
  • invoices are signed off for S.34 by an individual with the appropriate delegated authority.

Financial Coding

10.
The Chief Administrative Officer must ensure that financial coding documented on invoices by S&P staff includes all the elements of the financial coding structure.

Telecommunication

11.
The Chief Administrative Officer must ensure that:

  • personal calls are identified on cell phone and blackberry invoices by the user of the devise;
  • monitoring of personal usage by managers is conducted on a periodic basis; and,
  • invoices are approved for payment by individuals with the appropriate delegated authority.

Inventory

15.
The Chief Administrative Officer must ensure that:

  • S&P administrative staff are trained on the use of the STAR system Plant Maintenance module;
  • inventory is recorded the STAR system;
  • periodic inventory counts are planned, count procedures are established, and counts are executed; and,
  • managers monitor and periodically report on inventory items valued between $1000 and $10,000 and attractive items valued at less than $1000 within their cost centre.

Below is our list of recommendations to the Chief Information Officer:

12.
The Chief Information Officer must ensure that acquisition requests for wireless devices (including cell phones) are standardized so that the required information is properly documented.

13.
The Chief Information Officer must ensure that non-standard requests receive the necessary approval by the CIO before proceeding with PWGSC.

14.
The Chief Information Officer must implement a system to monitor the acquisition and use of wireless devices in order to ensure policy compliance by the designated administrators.

1. Background

Parks Canada Agency (PCA) conducts cyclical audits of key financial, administrative and management practices in field units, service centers and various directorates at the national office and in the regions. Field units are groupings of national parks, national historic sites and national marine conservation areas that are usually in proximity to one another. Their proximity allows them to share management and administrative resources. The service centres support the organization in a variety of professional and technical disciplines.

The audit of Strategy and Plans Directorate was conducted as part of this cyclical audits program.

The Strategy and Plans Directorate is focused on the following key outcomes for the Parks Canada Agency: sound financial and investment management; effective and efficient corporate systems; and strategic agency positioning and policy development.

The Strategy and Plans Directorate consists of three branches: Strategic Planning, Finance, and the Office of the Chief Information Officer. All three branches report to the Chief Administrative Officer (CAO).

The CAO’s office consists of Administrative Services and Special Project Team. The managers of each of these areas report directly to the CAO. Informal Conflict Management group also report administratively to the CAO.

The Strategy and Plans Directorate provides the link to the Minister's strategic portfolio group and recommends the key financial and investment initiatives for the Parks Canada Agency. The principal clients of Strategy and Plans include the Executive Board, Service Centres, Field Units, Central Agencies and Parliament.

Most Strategy and Plans Directorate employees work at National Office, however, some staff members work in the field units or service centers. The annual operating budget for the Strategy and Plans Directorate is approximately $ 23.8 millions in 2009-10 as per the financial system STAR.

2. Objectives and Scope

The objectives of this audit were to confirm whether due diligence is being exercised in key management processes within Strategy and Plans Directorate and to provide assurance to senior management that processes and controls in place are adequate to ensure compliance with TBS and PCA policies and practices.

The audit comprised the review of the management control framework (MCF) as applied to financial management and the following key financial process areas:

  • Hospitality & food expenses;
  • contracting;
  • use of acquisition cards;
  • expenditures on travel;
  • inventory;
  • telecommunication;
  • payments to suppliers; and;
  • financial coding.

The audit covered transactions entered in the financial system (STAR) between April 1, 2009 and October 28, 2009.

3. Methodology

The audit methodology included the following activities:

  • interviews with Strategy and Plans Directorate management, operations managers and administrative staff, contracting specialist, and National Acquisition Card and Travel Card Co-ordinator responsible for key financial and administrative process areas;
  • interviews with Ontario Service Centre (OSC) transaction processing staff, who are responsible for processing the majority of transactions for the Strategy and Plans Directorate.
  • examination of relevant documentation, including Parks Canada Agency Corporate Plan 2009/2010-2013/14, S&P 2008-2009 to 2012-13 Business Plan, S&P Priorities 2009-2010 and Performance Expectations, 2010-2011 Business Planning process materials including corporate risk ratings, organization chart, PCA delegated signing authorities chart, minutes of S&P management meetings, minutes of Finance and Administration staff meetings, policies governing key financial process areas, training material for administration staff, various compliance checklists, and a sample of the budgets and financial reports prepared by the Corporate Services Manager; and;
  • examination of a sampling of transactions for each of the key financial process areas, as required.

The transaction sample used sorted data from STAR and is based on a proportional and judgmental selection for transactions relating to the areas covered in the audit. The documentation supporting the items selected was obtained from the various payment processing offices in the regions and examined at National Office. A visit was made to the OSC during the week of November 23 to examine the items processed there. The on-site work was carried out between October 26, 2009 and January 15, 2010. After fieldwork completion, representatives from the CAO‘s office were debriefed on the preliminary observations.

Our observations and recommendations have been made in accordance with the Audit Reporting Rating System described below:

Audit Reporting Rating System
RED Unsatisfactory Controls are not functioning or are nonexistent. Immediate management actions need to be taken to correct the situation.
ORANGE Significant improvements needed Controls in place are weak. Several major issues were noted that could jeopardize the accomplishment of program/operational objectives. Immediate management actions need to be taken to address the control deficiencies noted.
YELLOW Moderate improvements needed Some controls are in place and functioning. However, major issues were noted and need to be addressed. These issues could impact on the achievement of program/operational objectives.
BLUE Minor improvements needed Many of the controls are functioning as intended. However, some minor changes are necessary to make the control environment more effective and efficient.
GREEN Controlled Controls are functioning as intended and no additional actions are necessary at this time.

4. Statement of Assurance

The audit engagement was planned and conducted to be in accordance with the Internal Audit Standards for the Government of Canada.

5. Conclusions

In general, the audit found that due diligence is being exercised in the key management process areas within the Strategy and Plans Directorate and that processes and controls in place are adequate to ensure compliance with TBS and PCA policies and practices. However, the audit team has identified opportunities to strengthen compliance and management of the key process areas. Our observations and recommendations are outlined below in section 6.

6. Observations and Recommendations

6.1 Management Control Framework (MCF)

YELLOW Moderate improvements needed Some controls are in place and functioning. However, major issues were noted and need to be addressed. These issues could impact on the achievement of program/operational objectives.

To determine whether the management control framework is sufficient to ensure compliance with financial policies, we used the following audit criteria:

C1-
Information critical to the achievement of operational objectives is identified, collected, processed and transmitted quickly to the persons concerned.
C2-
Staff members’ roles and responsibilities, particularly with regard to control, are clearly defined, documented and communicated.
C3-
Business and operational plans are prepared in cooperation with the stakeholders concerned, and adequately establish the budget parameters, human and material resource needs, and security needs.
C4-
The control environment in place is conducive to sound and effective financial management.
C5-
The control activities conducted allow for shortcomings to be identified quickly and for corrective measures to be taken within a reasonable timeframe.
C6-
The control activities conducted ensure proper management of financial staff.
C7-
There are sufficient finance team members capable of achieving operational objectives.
C8-
Operational risks are assessed formally, on a regular basis.

6.1.1 Organizational Structure

The Strategy and Plans Directorate consists of three branches which report to the Chief Administrative Officer (CAO):

  • Strategic Planning which comprises the Corporate and Business Planning, Performance Measurement and Reporting and Cabinet Affairs groups;
  • Finance, which comprises the Financial Planning group, the Financial Operations, Policy and Systems group, and the Centre of Expertise for Procurement and Transfer Payments;
  • Office of the Chief Information Officer, which comprises is made up of the Information Technology group, the Information Systems group, the Information Management group, the Information Integration group, and the Portfolio Management group. The Office of the CIO is accountable for the planning, development, implementation and management of the corporate Information Management and Technology policies and plans. It is responsible for the operations of the Agency's corporate computing environment and corporate systems.

The CAO’s office consists of Administrative Services and Special Project Team. The managers of each of these areas report directly to the CAO. Informal Conflict Management group also report administratively to the CAO.

The majority of Strategy and Plans Directorate employees work at the National Office. Some staff members are located in the regions across the country.

Roles and Responsibilities

Strategy and Plans is responsible for:

  • Building relationships between Parks Canada Agency and central agencies on strategic policy, financial and administrative authorities and reporting issues, and information management;
  • Preparing accountability instruments, such as the Report on Plans and Priorities, Departmental Performance Report, and Financial Statements;
  • Providing analysis and recommendations on investment priorities and monitoring financial and non-financial performance;
  • Providing standards, direction and analysis on business plans; and,
  • Coordination of information technology investments and standards.

The S&P organization chart shows the lines of authority and reporting relationships of the various staff positions within the Directorate and its branches. The audit team was advised that the organization chart need to be updated due to many changes that have occurred within the Directorate. Since then, all required changes has been requested.

Roles and responsibilities of S&P staff members are documented in generic job descriptions and in performance appraisals. Employees who are required to perform specific tasks may be provided with another document that complements the generic job description (e.g. desk procedures, compliance checklist, detailed technical specification work plan etc.). The audit team was advised that a project is underway to formalize job descriptions and task management in S&P to strengthen employee performance expectations.

The Corporate Services Manager plays a key role in providing advice and assistance to the CAO and other managers and their administrative staff in connection with business planning, financial reporting and financial policies and directives. A detailed roles and responsibilities document has not been prepared for the position. This situation should be corrected to facilitate the transition when a change of staff occurs.

The completion of performance appraisals is an important factor in ensuring the alignment of priorities, goals, and objectives within S&P. Timeliness of the completion of these documents is critical. The optimal situation is that all appraisals are completed at the beginning of the year. This allows senior managers to develop work plans and objectives for their staff aligned with the Directorate’s priorities. The audit team was advised that at least one performance appraisal was completed seven months into the fiscal year (e.g. October 2009), which led to the delay of several employee appraisals under the manager supervision. A possible impact of such delay is a misidentification of priorities and objectives to meet by the managers in the unit. The timeliness of the preparation of these appraisals should be strengthened.

Recommendation
1.
The Chief Administrative Officer should ensure that:

  • All positions have a documented roles and responsibilities,
  • performance appraisals are completed in a timely manner to strengthen the alignment of priorities, goals, and objectives within S&P.
Management Response

Agree: We will ensure that documented procedures are shared within Strategy & Plans Administrative staff on an ongoing basis. A list of responsibilities will be assigned and documented by December 2010. Performance appraisals including the objectives for the upcoming year will be done in accordance with human resources directive. A process of monitoring is in place to ensure that the period allocated to submit all performance appraisals is respected.

Information and Communications

The Strategy and Plans Directorate has a management team that regroups directors and managers who directly report to the CAO. The management team meets weekly and often includes invited guests from other Directorates within the Agency. These meetings provide a forum for discussing corporate level issues and their impact on S&P operations. Other matters discussed include S&P priorities, financial and operational performance of the overall S&P Directorate, strategy and business planning including risk identification and mitigation, staffing actions, training requirements, and policy development. Minutes and records of decisions of these meetings are maintained.

Other established practices for communicating and sharing information with S&P personnel are as follows:

  • CAO has weekly bilateral meeting with each manager and staff member reporting directly to her;
  • Managers hold weekly meetings in person, by teleconference or video conference with their respective teams;
  • Bi-weekly meetings are held with S&P National Office administrative staff by the Corporate Services Manager;
  • S&P Management team retreats are held to deal with strategic and business planning for the Directorate;
  • Two or three times a year an all staff video conference is held;
  • Remote staff travel to National Office annually for meetings with S&P managers;
  • Development and use of on-line training tools such as the Finance and Administration Handbook and the new employees Orientation Guide; and,
  • S&P staffs are also made aware of changes to operations, policies and procedures by e-mails circulated to all staff and the PCA intranet site.

The audit team was advised that the outputs of all management team meetings and retreats are maintained in a Lotus database to be consulted only by the authorized personal. All financial and administration policies are available on the PCA intranet site and are accessible to all staff. The audit team found that the communication and sharing of information at S&P is open and works two ways.

Business Planning

The Strategy and Plans Directorate management team uses a new interactive business planning process which has been implemented during the current fiscal year. The new process brings people together to create synergies and increased accountability. The process is managed by the CAO’s office and has involved retreats with the management team to establish priorities, identify risks (e.g. critical business systems, potential health and safety issues, security of material and information assets), define roles and responsibilities and to present/share resulting plans and financial budgets. Directors are required to develop their individual plan and budget identifying human resources, material resources and security and to present it to the CAO and the management team. The CAO and the management team perform a challenging role on the plan and corresponding financial budgets. Budget templates were used to facilitate the preparation of the individual budgets and will be used to facilitate the rollup of the overall S&P budget. The intent is to have the final plan and budgets completed by March 31 and shared with all staff at the beginning of the new fiscal year.

The total operating budget of the Strategy and Plans Directorate for 2009–10 is approximately $23.8 million, 46% of which is for salaries.

Performance monitoring against operation plans and related financial budgets is conducted at many levels within S&P. Directors and managers review performance of staff through scheduled team meetings and weekly bilateral meetings with staff members. The CAO also reviews operational and financial performance of the management team through weekly management team and bilateral meetings. In these meetings a review of the results achieved against the plans and financial budgets is performed. The CAO’s office has developed a standardized template of key financial and other operational data to be reported on.Variances must be fully explained. Training has been provided to ensure that all managers and administrative staff understand how to use the reporting tool. In addition, the Corporate Service Manager provides advice and assistance to staff on how to use the templates as required. However, no official mechanism was in place, at the time of the audit, to ensure that variances expressed in the template have been recorded in a timely manner in the financial system in order to keep the budgeting information up to date and reliable.

The audit team concludes, with minor exceptions, that business planning and related operations and financial monitoring in S&P is conducted in cooperation with stakeholders resulting in adequate budget parameters and needs in terms of human and material resources and security.

Recommendation
2.
The Chief Administrative Officer should ensure that controls are in place to capture, in the financial system, variances reported in the template.

Management Response

Disagree: Management is responsible for ensuring that any variances identified during financial reviews, are reflected in the financial system, if relevant.

6.1.2 Control Environment and Monitoring

Most financial policies are on the intranet and are accessible to all S&P staff. Additional measures that have been put in place to ensure that staff have a good understanding of the financial polices include:

  • mandatory successful completion of the F&A 201 course is a prerequisite for obtaining spending authority;
  • administrative staff receive training on financial policies on ad-hoc basis, and explanatory documents are available on the Agency's Intranet;
  • PCA contracting officers located at National Office and in the regional service centres are available to staff to provide advise and assistance with contracting matters;
  • Corporate Services Manager is available to answer any questions regarding financial policy from managers and administrative staff. When policy changes are made the Corporate Services Manager sends an e-mail to all staff to keep them informed.
  • Corporate Services Manager conducts biweekly meetings with S&P national office administrative staff to provide update and training on financial processes and required compliance requirements. In addition, training tools and checklists have been developed to support learning.

Responsibility for compliance with financial policy lies with the person having spending authority under S.34 FAA. Some controls are performed by the Service Centres and Field Units finance groups to deal with any failures to comply with financial policies. According to the Instrument of delegation, all delegated authorities, including electronic delegation models, document signature specimens and validation and authentication processes... are to be reviewed and updated at least once a year. For effective controls by finance staff, the Specimen Signature Card register must be available and up to date. The audit found some examples where Specimen Signature Cards were either not kept up to date in accordance with the standards, or not existing. The audit team also noticed that some of the Specimen Signature Cards was not delegated in accordance with the section 2 of the Instrument of Delegation, (e.g. appropriate level of authority, fund center managers).

Statistical sampling is carried out nationally and the transactions selected are checked in detail. All missing information or failures to comply with a financial policy are communicated directly to the Corporate Services Manager for corrective action. In addition, the OSC transaction processing finance officers provide feedback to the Corporate Services Manager on errors found. The Corporate Services Manager uses this information to identify which financial policies and compliance practices need to be strengthened and accordingly implements remedial actions such as providing S&P national office administrative staff with updated training during biweekly meetings and order developing new processes or compliance checklists. This practice is done to reduce repetitive errors and confirm staff understanding of how to apply financial policies.

The CAO meets with the managers to review financial and operational performance. The audit team was advised that this process is detailed and that there is a high level of rigor in this process. Managers are required to fully explain financial and operating variances. During these meetings operational challenges, needs, and risks are addressed.

Actions taken by the CAO’s office to ensure that the monitoring activities are strong are as follows:

  • The CAO ensures managers understand accountabilities, authorities, values, & ethics;
  • A performance contract is developed for each member of the management team aligned with the business plan and PCA priorities and used to measure operational performance.
  • The CAO office provided guidance on the reporting requirements to Managers and their administration staff. Joint training sessions with administrative staff and Directors have been held; and,
  • Reference material is available on the common drive and Agency intranet.

With the exception of the monitoring of delegated financial authorities and related documentation within S&P, the audit team concludes that the control environment in S&P is adequate to achieve effective financial and operations management including the timely identification of challenges and their resolution.

Recommendations
3.
The Chief Administrative Officer must ensure that Specimen Signatures Cards are up to date, signed by the appropriate level of authority and reviewed at least once a year.

Management Response

Agree: Strategy & Plans Directorate is collaborating with PCH and Service Centres to implement a STAR functionality which will produce and maintain specimen signature card records directly in the financial system. This will be complete by July of 2010, and will support a more streamlined approach to ongoing review.

6.1.3 Risk Management

The Strategy and Plans Directorate does not have a formal documented risk assessment of its financial processes, however, risks are identified and assessed in the development of S&P priorities and business plan.

As part of the 2010-2011 business planning process, a risk session was held. The CAO and the management team participants identified risks linked to the corporate risks profile. Mitigation strategies are being developed and will be incorporated into the new business plan for 2010-2011. Interviews with managers found that risk is considered throughout the year in making business decisions and allocating resources.

The monitoring of risks is conducted on an ongoing basis by the CAO through management team meetings and bilateral meetings with directors and managers to review financial and operational performance.

The audit team concludes that risk identification and assessment is performed throughout the year on an informal basis.

No recommendation

6.2 Hospitality and food expenses

YELLOW Moderate improvements needed Some controls are in place and functioning. However, major issues were noted and need to be addressed. These issues could impact on the achievement of program/operational objectives.

To determine whether due diligence is being exercised in the financial process relating to hospitality expenses and whether controls in place are adequate to ensure compliance with policies, we have used the following audit criteria:

C1-
Hospitality functions take place in appropriate venues.
C2-
Financial limitations set out for hospitality expenses are respected.
C3-
Hospitality functions are approved by the appropriate authority prior to the event.
C4-
The recipients of hospitality are consistent with the Parks Canada Agency policy.
C5-
Payments made for hospitality functions comply with Parks Canada Agency provisions.
C6-
Transactions entered in the food account are in compliance and do not include any hospitality fees.

Observations

It is government policy to extend hospitality in an economical, consistent and appropriate way when it will facilitate government business or is considered desirable as a matter of courtesy. Government of Canada senior managers have been required since December 2003 to publish all hospitality expenses on their organization’s Web site.

Request for hospitality must always be approved by the delegated officer in charge before the activity takes place, using the appropriate form, which explains the nature and scope of the planned activity. Furthermore, the information on the form makes it possible to verify transaction have followed policies. The document must be completed, signed and submitted with the payment request.

When approval by the Minister (>$5,000) or by the CEO (between $1,500 and $5,000) is required, request for approval of hospitality must be submitted sufficiently in advance to ensure that authorization is received before the activity is held. Authorization by the CEO requires a minimum of two weeks, while a minimum of one month should be allotted for the Minister’s approval.

All hospitality transactions (e.g. seven) worth $2350, the total spending on hospitality for the first 8 months of 2009-10, were examined. The following issues were identified:

  • 2 transactions out of 7 were not pre-authorized and signed under S34 by the appropriate level of authority,
  • 2 transactions were incorrectly coded in STAR which worth $1320 or 56% of the hospitality account (recommendation addressed in section 6.7),
  • 3 transactions out of 7 where no listing of participants was provided.

As a best practice, a list of participants can be attached to the form in order to confirm the origin and number of the participants in attendance. It also shows that the person who authorized the hospitality expenses did not personally benefit from the event.

In addition, 7 transactions totalling $1005 which were charged to the food general ledger account were examined. The audit found that the transactions entered in the food account did not include any hospitality fees but they are accounted for bottled water provided to national office staff. These expenditures are not subject to hospitality and they are not engaged to fulfill PCA’s mandate.

Overall, the controls in place to manage and process hospitality expenses need to be strengthen.

Recommendation

4.
The Chief Administration Officer must ensure that hospitality activities are pre-authorized and properly signed under S.34 of the FAA.

Management Response

Agree: A note will be sent to all directors and managers by July 2010 to remind them that all hospitality expenses must be pre-approved, complete and signed by individual with appropriate level of delegated authority.

5.
The Chief Administrative Officer need to provide and clarify the Directorate/Agency’s position on providing bottled water to Agency employees outside authorized hospitality functions.

Management Response

Agree: The Agency will provide bottled water to employees only when the water is unsuitable for drinking. Strategy & Plans Directorate has cancelled bottled water deliveries in May 2010.

6.3 Contracting

YELLOW Moderate improvements needed Some controls are in place and functioning. However, major issues were noted and need to be addressed. These issues could impact on the achievement of program/operational objectives.

To determine whether due diligence is being exercised in the financial process relating to contracting and whether controls in place are adequate to ensure compliance with policies, we have used the following audit criteria:

C1-
Guidelines and procedures relating to contracting practices exist in the field unit/service centre and comply with TBS and PCA policies and directives.
C2-
Appropriate training and instruction is provided at all levels to ensure that staff are informed of and understand contracting policies and procedures.
C3-
Compliance with contracting policies and procedures is monitored.
C4-
Management reports relating to contracting activities are produced and used to monitor and supervise those activities.
C6-
The appropriate contracting mechanism is used.
C7-
Contracts are awarded fairly, bearing in mind the economy principle.
C8-
The nature of the work to be performed or article to be delivered is specified in the contracts.
C9-
The contracts include conditions to mitigate the risk of non-performance.
C10-
The contracts are approved by persons with the required authorization.

Observations

PCA contracting officers provide advice and assistance to S&P directorate staff on contracting matters. The current directive requires managers to use the contracts administration and procurement officer for all purchases over $5,000. The contracting officers provide managers with assistance in developing statements of work and evaluation criteria. The contract officers review the resulting statements of work and evaluation criteria to ensure that there will be a consistent and fair contract awarding process.

The audit team found that training and contracting tools, such as contract templates and Procurement and Finance Procedures guides, are available to managers to assist them with contracting activities. Administrative staff has received training on the use of the Temporary Help Standing Offer. Managers are also invited by contracts officers to consult the policy, which is posted on the Intranet. The F&A 201 course also covers the policy on contracting.

Monitoring of contracting activity is performed by the CAO through the review of variance analysis reports from directors and managers. The variance report includes a listing of established contracts and identifies future forecasted contracted resources required. The CAO during bilateral meetings with staff provides a challenge function on contracts needs and related spending. The PCA contracting target performance appraisals include a target on achieving an 80/20 ratio of competitive contracts versus non competitive contracts. All sole source contracts are required to be supported by a documented sole source justification. Annually a listing of all contracts is summarized at year end.

The audit focused on temporary help and professional services contracts. The audit team selected 100% of all temporary help and professional service contracts. The following table shows the breakdown of the selected contracts:

  2009-2010
No. Value
Temp Help 4 $318,625
Competitive sourcing 3 $219,803
Non-competitive sourcing 11 $90,937
Total 18 $629,365

The following instances of non-compliance were identified in the review of the contracts sampled:

  • 5 non-competitive contracts without sole source justification on file;
  • 3 contracts where no signature card was provided to determine whether the contract was approved by an individual with appropriate delegated authority; and,
  • 1 contract was provided to the audit team with insufficient documentation to complete the audit work.

Overall contracting process is adequate to ensure compliance with the contracting policies; however, the audit team has identified the documentation of sole source justifications as an area where improvement is required.

Recommendation

6.
The Chief Administrative Officer must ensure that non-competitive contracts are supported by a documented sole source justification.

Management Response

Agree: Training was provided to Strategy & Plans staff on contracting processes on April 22, 2010. Non-compliance issues related to sole source contracting were addressed with senior managers in May 2010. This will also be raised at an upcoming Middle Management information session.

6.4 Use of acquisition cards

BLUE Minor improvements needed Many of the controls are functioning as intended. However, some minor changes are necessary to make the control environment more effective and efficient.

To determine whether due diligence is being exercised in the financial process relating to acquisition cards and whether controls in place are adequate to ensure compliance with policies, we have used the following audit criteria:

C1-
Guidelines and procedures governing acquisition cards exist in the field unit/service centre and comply with TBS and PCA policies and directives.
C2-
Appropriate training and instruction is provided at all levels to ensure that staff are informed of and understand policies and procedures governing acquisition cards.
C3-
An acquisition card coordinator is designated; procedures for issuing and cancelling acquisition cards are in place; and a log is maintained of cards issued and cancelled.
C4-
Acquisition card limits and other restrictions are periodically examined to ensure that the planned use is reasonable.
C5-
Compliance with the policies and procedures governing acquisition cards is monitored.
C6-
Purchases are made by the cardholder only and are within approved operating and credit limits.
C7-
Expenditures are verified for accuracy and compliance with TBS and PCA directives relating to acquisition card use.
C8-
Purchases are reconciled with the acquisition card statement of account each month.
C9-
A person other than the cardholder provides valid S.34 FAA certification.
C10-
Card transactions are processed and paid on time to avoid interest charges.

Observations

There are eighteen acquisition cards issued to employees working in the Strategy and Plans Directorate. Credit limits, ranging from $5,000 to $15,000, were determined on the basis of planned use and approved by the cardholder’s manager.

The acquisition card coordinator role for S&P was transferred to the Corporate Services Manager in December 2009. The audit team was advised that the Corporate Services Manager was trained on the use of the Bank of Montreal acquisition card internet site including its reporting capabilities that are used by the A-Card coordinator for monitoring purposes. The audit found that a formal document outlining the role and responsibilities of the S&P A-Card Coordinator has not been developed to clearly identify the tasks to be performed. This type of document ensures the efficiency and the effectiveness of the transition in case of staff departure by reducing the investment in training and to ensure the continuity of the function.

The issue of a new card to an employee involves the following process which is facilitated by the A-Card coordinator. The employee completes an application which is reviewed and approved by the employees’ manager who has S.34 delegated authorities. The employees’ manager decides the amount of credit limit required for the card based on anticipated usage and estimated financial need. The application is submitted to the A-Card coordinator and a request is made on-line to Bank of Montreal to issue a card to the employee. A card is sent to the A-Card coordinator. The employee is given an Acknowledgement of Obligations Form including a list of authorized and prohibited purchases. The Acknowledgement of Obligations Form is signed by the cardholder and his manager and is returned to the A-Card coordinator. The card is given to the new user only after the acknowledgement of obligations has been signed and returned by the cardholder and his manager. When there is a change to the policy, updates are sent out by e‑mail. In addition, S&P national office administrative staffs are advised on policy changes during their biweekly meetings with the Corporate Service Manager.

The process for the use and payment of acquisition card statements is as follows. The employee makes a purchase using the card, obtains a receipt for the item purchased and records the details of the purchase into a monthly log sheet which is matched to the receipts and statement. Financial coding of the expenditure on the log is done by the administrative staff or manager or the cardholder. The employees’ manager signs S.34 after review of the monthly register including the financial coding and the MasterCard statement with supporting invoices. The completed register with attached MasterCard statement and supporting invoices are sent for payment processing.

The finance officers ensure that all supporting documentation is appended to the monthly statement and that it includes S.34 FAA authorization. They review the financial coding for accuracy and completeness and ensure that the balance of the card has not been paid in the past month. If they find information, such as the financial coding is missing or incorrect, a note is sent to the cardholder to obtain the required information.

Monitoring acquisition card use provides an important control to confirm that cardholders comply with Agency directives. To control the risk of inappropriate card use, the Directorate needs to control access to the cards and the credit limits on them. The audit team was advised that a review is now completed regarding the number of cards issued to S&P staff, the credit limits authorized, and their usage to determine if credit limits and/or the number of cards in circulation are warranted.

The audit team reviewed a total of 24 A-Card statements for completeness for 4 employees. More specifically, the files were reviewed to ensure that they included a completed monthly register signed by both the employee and the employees’ manager (S.34) supported by A-Card statements and invoices. In addition, the statements were reviewed to determine if any interest costs were incurred. All statements were in compliance.

The audit team examined 7 individual transactions that were selected for 6 cardholders. There was only one instance of non-compliance (e.g. 1 transaction where the person signing S.34 was not authorized to do so for the cost centre.

Overall, the controls in place for the issuance, use and payment of A-Card statements are adequate to ensure compliance with the acquisition card policy.

Recommendation

7.
The Chief Administration Officer must ensure that the Acquisition Card coordinator roles and responsibilities are documented to clearly identify the tasks to be completed in executing this role.

Management Response

Agree: The Agency provided a description of the roles of the credit card coordinator and has posted this information on Parks Canada Intranet site March 23, 2010.

6.5 Expenditures on Travel

ORANGE Significant improvements needed Controls in place are weak. Several major issues were noted that could jeopardize the accomplishment of program/operational objectives. Immediate management actions need to be taken to address the control deficiencies noted.

To determine whether due diligence is being exercised in the financial process relating to travel and whether controls in place are adequate to ensure compliance with policies, we have used the following audit criteria:

C1-
Guidelines and procedures governing travel expenses exist in the field unit/service centre and comply with TBS and PCA policies and directives.
C2-
Appropriate training and instruction is provided at all levels to ensure that staff are informed of and understand policies and procedures governing travel.
C3-
Compliance with the policies and procedures governing travel is monitored.
C4-
Travel and travel advances are properly authorized prior to travel (general or individual authorization), with S.34 FAA certification.
C5-
Travel advances are reasonable and not given to travel cardholders, and payment is approved by a person authorized under S.33 FAA.
C6-
Travel claims comply with the TBS Travel Directive, and expenditures are verified for accuracy and eligibility.
C7-
Travel claims include S.34 FAA certification.
C8-
Individual Travel Cards (ITCs) are used only for eligible business travel.

Observations

The use of the AMEX travel card is encouraged and most frequent travellers do use it. There is 76 travel cards issued to employees in S&P. The Amex report provided to the audit team identifies 20 of the cards as inactive. The Amex card listing should be reviewed by S&P management to ensure that only individuals that need a card for travel maintain one. Cards that are not required should be cancelled to reduce the risk of their use for ineligible purchases.

When employees leave the organization, a departure form must be completed and signed by the Travel Card Coordinator, who cancels the card directly on the AMEX Web site. The form is then returned to the supervisor when the employee leaves.

When an employee travel requirement is approved by a cost centre manager, the employee must fill out a Travel Authority and Advance Form, sign it, and obtain the Cost Centre Manager’s signature before making the arrangements for travel. If travel is done by air or by train, a Travel Authorization Number (TAN) is required to be obtained by the employee and used in booking the travel through Amex. TAN numbers are issued by the Travel Authorization Number Coordinator, who records information (e.g. the date, name of the traveller, etc.) about the trip into a Travel Authorization Number Register at the time of issuing the TAN.

An Amex statement is received once a month. The expenses are listed and summarized on a cover sheet and S34 is signed by the Cost Centre Managers. The statement and signed cover sheet are sent for payment processing.

Travel Expense Claim and Record of Travel Expenses forms are prepared supported by necessary receipts, signed and sent to the Cost Centre Manager. Travel Expense Claims are authorized (S.34) by the Cost Centre Manager responsible and then forwarded for payment processing. TAN numbers, claims and Amex charges are reconciled by administrative staff.

The audit team selected a sample of 42 transactions for testing. These transactions included 33 travel claims, 4 Amex statement transactions and 5 journal entries. The sample represents an amount of $107,150 or 29% of the expenditure item for the current fiscal year.

The following instances of non-compliance were found in the review of travel claims:

  • 5 claims where no TAA support the claim;
  • 2 claims were the TAA was approved after the travel had been completed;
  • 3 claims where the TAA was not properly completed;
  • 10 claims where the TAA was approved by managers without appropriate delegated financial authority;
  • 1 claim that did not have supporting receipts;
  • 7 claims that were S.34 approved by an individual without appropriate delegated authority;
  • 4 Amex statement used for purchasing airfares did not have adequate S.34 approval. The audit team was advised that the original travel claims are used as S.34 by the payment processing centre but travel claims were not attached to the Amex statement provided to the audit team for examination.
  • the audit team was unable to verify S.34 signing authority for 9 selected travel claims because specimen signature cards were not provided.

Overall, the audit team found that the controls and financial process in place to ensure compliance with the travel policy and delegated authorities are weak and require strengthening.

Recommendation

8.
The Chief Administration Officer must ensure that:

  • all trips on government business be authorized prior to the traveller’s departure and that all information that is required to be recorded on the TAA form is completed;
  • all documents required to support the travel claim are attached to the claim form;
  • all TAA, travel claim forms and Amex statements are approved by managers with the appropriate delegated financial authority;

Management Response

Agree: The Finance & Administration Manager will undertake a review of travel within the Directorate for December 2010. Information related to non compliance will be communicated to responsible manager and CAO. The Directorate will consider further restrictions of travel authorities.

6.6 Payments to Suppliers

ORANGE Significant improvements needed Controls in place are weak. Several major issues were noted that could jeopardize the accomplishment of program/operational objectives. Immediate management actions need to be taken to address the control deficiencies noted.

To determine if the supplier payment process is exercised with due diligence and if controls in place are adequate to ensure compliance with TBS and PCA policies and practices, we used the following audit criteria:

C1-
Policies, guidelines and procedures regarding the purchase of/payment for goods and services from suppliers exist at the Field Unit/Service Centre and they adhere to TBS and PCA policies.
C2-
Adequate training/instruction is provided at all levels to ensure awareness and understanding of the policies and procedures.
C3-
Adherence to the policies and procedures is monitored.
C4-
Procurement of goods and services is appropriately initiated and authorized, and funds are properly committed in the financial system.
C5-
Goods and services on suppliers’ invoices are matched to PO/contract specifications.
C6-
Price and quantities on invoices are in accordance with POs/contracts.
C7-
A person with the appropriate delegated authority signs S.34 FAA.
C8-
Advances and progress payments are made in accordance with the terms of the contract.

Observations

Suppliers’ invoices are received by mail then they are forwarded to the appropriate managers, who must certify S.34 FAA compliance, authorize the supporting vouchers and assign the financial coding. Once the invoices have been authorized, the invoices and supporting documentation are sent for payment processing.

The Ontario Service Centre (OSC) processes the majority of the payments on behalf of Strategy and Plans. The OSC staff review the completeness of the supporting documentation submitted with invoices before the invoice is paid. More specifically, the following procedures are performed by the OSC finance officers:

  • Invoice documentation is received by mail from S&P and is sorted based on the type of expenditure and the required processing time.
  • Documents are reviewed for: completeness, quantities of goods or services received are in accordance with contract; accuracy of general ledger coding, the appropriate authorized signatures pursuant to s 34 have been obtained to process the payment. If information is missing or coding is incorrect the OSC finance officer calls or e-mails the S&P manager for clarification or to obtain the missing supporting documents. Once satisfied with the accuracy and completeness of the documentation and coding, finance offer transfers the invoice and supporting documents to the S.33 payment officer.
  • The S.33 payment officer also reviews the documentation for accuracy and completeness prior to releasing the payment. This payment batch verification includes: review of coding on items greater than $5000; check vendor address and name; and, the amount to be paid agrees to invoice. The above verification procedures are ticked off on the payment run document which is called the Payment Settlement List.
  • The cheque run is sent to Public Works Government Services (PWGSC) electronically. Once done, the invoices included in the cheque run are stamped “PAID”

The payment officer has a personalized key, which is inserted into the computer hard drive at the officers work station. The key is password protected. However, it occurs that the ‘Key’ stay plugged into the payment officers hard drive at all time. No physical safeguards are taken to secure the key during or after normal business hours. Even though the use of the key is password protected, a risk remains that the ‘Key’ could be used for making improper payments by an unauthorized individual should they became aware of the payment officers’ password. To mitigate such risk and protect the officer, the payment ‘Key’ should be physically locked up when not in use.

The audit team selected a representative sample of 139 transactions processed by the various payment processing centres serving the Strategy and Plans Directorate:

The review of the files identified the following irregularities:

  • 21 invoices where the documentation provided did not show evidence of commitment of funds. However, all irregularities belong to telecommunication and low value expenses. It is a best practice to record soft commitments in the financial system for recurrent low value expenses such as cell phones.
  • 78 invoices were not dated stamped when received;
  • 3 transactions show no evidence of S.34 approval on the documentation;
  • 2 instances where S34 approval was performed after the fact; and,
  • 18 transactions where the individual signing S.34 did not have the appropriate delegated authority.

In addition, the audit team was unable to verify the financial authority signatory on 18 transactions because the Specimen Signature Cards were not provided to the audit team (addressed in section 6.2.1).

Overall, the audit team found that the controls and processes in place to ensure compliance with TBS and PCA policies are weak and require strengthening.

Recommendations

9.
The Chief Administrative Officer must ensure that:

  • commitments are entered into the financial system and evidence of this should be documented on invoices and/or supporting documentation;
  • invoices are date stamped upon receipt;
  • invoices are signed off for S.34 by an individual with the appropriate delegated authority.

Management Response

Partly Agree: When required (not low dollar value and after the fact), commitments are entered into the financial system. Instruction was provided to all administrative staff, in February 2010, to date stamp every invoice upon receipt. Delegation of authorities will be reviewed by July 2010.

6.7 Financial Coding

BLUE Minor improvements needed Many of the controls are functioning as intended. However, some minor changes are necessary to make the control environment more effective and efficient.

To determine if the financial coding process is exercised with due diligence and if controls in place are adequate to ensure compliance with TBS and PCA policies and practices, we used the following audit criteria:

C1-
Coding guidelines and procedures at the Field Unit/Service Center exist.
C2-
Appropriate training and instruction is provided at all levels to ensure awareness and understanding of coding procedures.
C3-
Adherence to chart of account is monitored.
C4-
An individual with proper knowledge does coding.
C5-
Coding is validated when entered in STAR.

Observations

Managers with S.34 FAA spending authority are responsible for financial coding. When invoices are received the financial coding is entered onto the document by either the administrative staff or the manager. The managers review the coding when it has been input by the administrative staff. The chart of accounts and any information necessary to select the appropriate financial codes are available on the Agency intranet under “Financial Policies.” Training on financial coding practices and updates to the chart of accounts are provided throughout the year to S&P national office administrative staff by the Corporate Services Manager during bi-weekly admin meetings and by e-mail.

The finance officers review the general ledger coding for accuracy before processing the payment. If errors are found the finance officer will call or e-mail the S&P manager for clarification. At the OSC the S.33 payment officer also reviews the general ledger coding on all items greater than $5000 prior to releasing the payment.

The audit team examined the financial coding on all transactions selected for testing in the following key process areas: hospitality; acquisition cards; travel; and use of cell phones. In addition, some additional items were selected randomly to supplement the sample. In total 139 transactions were tested.

The audit team has the following observations:

  • 29 transactions did not have the complete financial coding written on the invoice or other supporting documentation provided; and,
  • 7 transactions were coded to an incorrect general ledger account; transactions.

The audit team found that the controls and processes in place for financial coding are adequate to ensure compliance with TBS and PCA policies. The audit team did however find that coding information on invoices or supporting documentation could be strengthened.

Recommendation

10.
The Chief Administrative Officer must ensure that financial coding is documented on invoices or supporting documentation by S&P staff and includes all the elements of the financial coding structure.

Management Response

Agree: In 2009-2010 fiscal year, training and information was provided to all administrative staff located in National Office regarding proper coding and its importance. A memo will be sent, by July 2010, to remind all managers of the coding structure requirements.

6.8 Telecommunication

S&P ORANGE Significant improvements needed Controls in place are weak. Several major issues were noted that could jeopardize the accomplishment of program/operational objectives. Immediate management actions need to be taken to address the control deficiencies noted.
OCIO YELLOW Moderate Improvements Needed Some controls are in place and functioning; however, several major issues were noted that could jeopardize the accomplishment of program/operational objectives.

To ensure fair treatment of the entities audited during the audit cycle, we gave two ratings to the telecommunications section in order to reflect the current situation on the operational side of S&P even if the CIO Office is part of S&P Directorate. The Corporate Service Manager has implemented procedures as directed by or in the absence of direction from the CIO Office. Certain points raised in the “Findings” section concern the Chief Information Officer. Specific recommendations are therefore addressed to the Chief Administration Officer and others, to the Chief Information Officer.

To provide assurance to senior management that processes and controls are in place to reduce the risk of non‑compliance with the Parks Canada Agency’s Policy on the Use of Cellular Phones and Other Wireless Devices and guarantee that the allocated wireless devices are used appropriately. We have used the following audit criteria:

C1-
The designated manager or authority is to document user needs for wireless telecommunications devices and services.
C2-
All requests for procurement, use and service changes are coordinated by the designated administrative authority.
C3-
The procurement process for the devices complies with guidelines.
C4-
Non‑standard requests are submitted at the manager’s recommendation to the Chief Information Officer (CIO) for approval.
C5-
The allocation of the communications devices was authorized by a manager at level A or higher and complies with effective standards (a change in the management level is expected).
C6-
Managers ensure that users under their responsibility are familiar with the Policy on the Use of Wireless Devices and that users agree to comply with the policy before devices are allocated.
C7-
Devices are used in compliance with current policy and guidelines.
C8-
Personal calls are identified and tallied and any resulting charges are reimbursed by the user in accordance with policy provisions.
C-9
Administrative authorities responsible for managing wireless services in field units and service centres have developed internal procedures for this policy.
C10-
Designated managers and authorities regularly review employee usage.
C11-
The CIO performs random audits of the use of wireless devices and services to ensure compliance with effective policies.

Description of the process

Parks Canada’s Policy on the Use of Cellular and Other Mobile Wireless Devices came into force on October 1, 2008. Its purpose is to ensure more cost-effective and appropriate use of wireless devices. To this effect, Public Works and Government Services Canada (PWGSC) has implemented a new procurement process and a new acquisition agreement. In the past, cell phones and other devices were purchased from a large number of suppliers offering a wide range of functions and plan options. Now, only two authorized service providers have been selected. No other service providers are allowed, unless there are zone coverage issues. The policy is available on the Agency’s intranet. The new agreement should enable the Agency to reduce the costs of using such devices. The policy provides guidelines and official procedures for safe and appropriate purchase, management and use of cell phones and other wireless devices.

The policy concerns both acquisition and use of these devices. A person must be designated as the administrative authority for the field units and service centres. Any request for purchase, modification or cancellation must be sent to the designated administrative authority. The acquisition must be made from the suppliers listed in the new PWGSC agreement, unless an exception is made. User needs must be documented in order to allow the designated administrator to recommend an appropriate and adequate service. Further to the recommendations, the user’s manager must approve or cancel the request. The Office of the Chief Information Officer and the user’s manager or supervisor must conduct random checks of how wireless devices are used.

A non-standard request is possible if it is well documented and approved by the Chief Information Officer (CIO). Once the CIO’s approval has been obtained, the designated administrator informs PWGSC and obtains its consent to proceed with acquisition of the device. A non-standard request may occur when the suppliers under the agreement cannot meet the user’s needs (e.g., some regions of Canada are not serviced by the accredited suppliers) or if the requested device is not included in the agreement.

The use of cell phones and wireless devices is also regulated. Devices must be used for the Agency’s activities and services, emergency calls and limited personal use. Personal calls must be controlled and identified by users on their monthly statement. A threshold of $30 per year for personal use is considered reasonable. Data is compiled twice a year, in September and March. However, if the $30 threshold is reached in September, the employee must reimburse all personal use expenses for the first six months and in March must reimburse all personal use expenses for the last six months of the fiscal year. The roles and responsibilities of the employee and his or her manager are set out in the policy. The employee must take all necessary measures to ensure the integrity and security of the Agency’s information when using wireless mobile devices to send information. He or she must also comply with guidelines as well as local, provincial and federal laws on the use of wireless devices. The manager must ensure that the employee is familiar with the Policy on the Use of Cellular and Other Mobile Wireless Devices so that he or she may use the device appropriately. He or she must also use indicators to check for potentially unauthorized or inappropriate use.

6.8.1 Strategy & Plans

ORANGE Significant improvements needed Controls in place are weak. Several major issues were noted that could jeopardize the accomplishment of program/operational objectives. Immediate management actions need to be taken to address the control deficiencies noted.
Observations

The CAO and the Directors reporting within S&P directorate are responsible for determining who in each of their respective groups requires a cell phone or blackberry. An Ordering Coordinator has recently been appointed and is the designated administrative authority for procurement of cell phones or blackberries and service changes to accounts. This individual is located in the CAO’s office.

At the time of the audit, a process has been developed to formalize and communicate to staff the rules to be followed for ordering blackberries or cellular phones and implementing service changes. The key steps of this new process are as follows:

  • All requests for procurement and service changes are to be coordinated by the Ordering Coordinator;
  • A formal request from a manager for the purchase of a new device is sent to the Ordering Coordinator;
  • The Ordering Coordinator send requests to the chosen service provider;
  • The service provider confirms the order with the Manager who initiated the order; and,
  • The device is sent to the Ordering Coordinator by the manager to be activated through Blackberry National Office Support or Blackberry Support outside of National Office.

The audit team found that there is an awareness of the Policy on the Use of Cellular and Other Mobile Wireless Devices among the individuals interviewed. The identification and tracking of personal calls is done in various ways and the $30.00 limit of for personal calls and requirement to reimburse amounts in excess of $30.00 is well understood. In general, employees are asked to identify the personal calls on statements and to track their cumulative total. In some instances, administrative staff input and track personal call information identified on the phone bills into a spreadsheet. These summaries are reviewed by their managers. Overall the process is based on honour.

The audit team selected a sample of 43 phone invoices for testing, which results in the following observations:

  • 31 invoices did not provide any evidence thereon of personal calls being identified or tracked;
  • 34 invoices did not provide any evidence of monitoring by the employees manager; and,
  • 8 invoices were S.34 was approved by an individual without appropriate delegated authority.
  • 3 transactions where the Specimen Signature Cards were not provided to the audit team.

In addition, the audit team found a few instances where wireless device users reimbursed the Agency for extensive personal calls on a monthly basis. The policy allows users to reimbursed personal calls only 2 times a year. Moreover, the Agency intends that cellular phones and other mobile wireless devices are to be used for business purposes. Where circumstances require, users are authorized to use cellular phones and other mobile wireless devices for a reasonable, limited amount of personal use. As a general guideline personal calls should normally be limited to those of an urgent or unavoidable nature.

Notwithstanding the general awareness of the policy by the individuals interviewed and the formalization of the role played by the Ordering Coordinator, based upon the findings, the audit team concludes overall that the state of the implementation of the policy is lacking and that the controls over the usage of cell phones and other mobile wireless devices are weak and require strengthening to improve compliance.

Recommendation
11.
The Chief Administrative Officer must ensure that:

  • personal calls are identified on cell phone and blackberry invoices by the user of the device;
  • monitoring of personal usage by managers is conducted on a periodic basis; and,
  • invoices are approved for payment by individuals with the appropriate delegated authority.
Management Response

Agree: In February 2010, a form to identify personal calls and cumulative amounts on a monthly basis was created and provided to all users of blackberries and wireless devices. The form is submitted by the user of the blackberry with the monthly invoice for ongoing monitoring of usage by managers prior to signing section 34. Delegation of authorities will be reviewed by July 2010.

6.8.2 Office of the Chief Information Officer

YELLOW Moderate Improvements Needed Some controls are in place and functioning; however, several major issues were noted that could jeopardize the accomplishment of program/operational objectives.
Observation

No non-standard device has been requested from S&P for the audited period. Even though, to be consistent with recent audit work done in various field unit and/or directorate, the office of the CIO should reinforce the message that the purchase of non-standard device required the CIO approval prior to order the item.

Using a standard form would ensure that every request is documented as stipulated in the policy, whether the request is standard or non-standard. The form could be used to obtain approval from the CIO for non-standard requests and also make it easier for field units to control the inventory of cell phones and other wireless devices.

Random checks of the acquisition and use of wireless devices should also be done by the Office of the Chief Information Officer. No formal monitoring process is in place. A system will have to be developed to monitor and support the designated managers.

Interviews conducted in previous audits with the CIO and several staff members responsible for telecommunications confirmed the points raised in this section and led to three recommendations being made to the Chief Information Officer.

Recommendations
12.
The Chief Information Officer must ensure that acquisition requests for wireless devices (including cell phones) are standardized so that the required information is properly documented.

Management Response

Agree: The CIO undertakes to create a standard form that will standardize acquisition requests for wireless devices (including cell phones). The form will be implemented Agency-wide starting April 1, 2010.

13.
The Chief Information Officer must ensure that non-standard requests receive the necessary approval by the CIO before proceeding with PWGSC.

Management Response

Agree: The CIO will make changes to the Agency’s policy on the use of cell phones and other wireless devices in order to ensure that it clearly identifies the steps that must be completed to obtain approval of a non-standard request, including the requirement to obtain authorization from the CIO or a person delegated by the CIO before the request is sent to PWGSC. The changes to the policy will be made before April 1, 2010.

14.
The Chief Information Officer must implement a system to monitor the acquisition and use of wireless devices in order to ensure policy compliance by the designated administrators.

Management Response

Agree: The CIO undertakes to analyse a sample of requests twice a year in order to ensure that the designated managers are complying with the policy. Sampling of requests will begin on April 1, 2010.

Conclusion

Notwithstanding the general awareness of the policy by the individuals interviewed and the formalization of the role played by the Ordering Coordinator, processes need to be strengthen by Strategy & Plans as well as the Office of the Chief Information Officer in order to reduce the risk of non-compliance with the Policy on the Use of Cellular Phones and other Wireless Devices. In addition, some clauses in the policy need to be clarified so that they are not misinterpreted.

6.9 Inventory

ORANGE Significant improvements needed Controls in place are weak. Several major issues were noted that could jeopardize the accomplishment of program/operational objectives. Immediate management actions need to be taken to address the control deficiencies noted.

To determine if the inventory process is exercised with due diligence and if controls in place are adequate to ensure compliance with TBS and PCA policies and practices, we used the following audit criteria

C1-
Items listed in the directive, acquired after April 1, 2007, are recorded in the financial system.
C2-
The separation of duties pertaining to the inventory management process is adequate.
C3-
The physical inventory was taken in the past 24 months.
C4-
Measures are in place to ensure that purchased items are entered in the inventory, regardless of the purchasing mechanism used.
C5-
Acquisitions information is recorded in the Asset Management System.
C6-
Acquisitions are entered in the STAR financial system in a timely manner.
C7-
The physical inventory is taken on a regular basis.
C8-
The separation of duties pertaining to the inventory management process (buyer, book entries, record keeping, and availability) is adequate.

Observations

Items valued between $1000 and $10,000 and attractive items valued at less than $1000 are not formally tracked and recorded in the STAR system in S&P. This fact was confirmed during interviews with stakeholders and through review of documentation provided to the audit team. The majority of items that would fall into this category at S&P would be cell phones, blackberries, laptops, and desk top computers.

A print out from the STAR system was obtained. The listing identified inventory in only 5 cost centres within S&P. No assets from national office were included in this report. This confirm that the STAR listing is incomplete and the system is not being used as required by the mandatory Directive on Inventory Management for Items Valued Between $1000 and $10,000 and Attractive Items Valued at less than $1000.

Through the conduct of this audit, the following inventory listings were provided to the audit team by the Corporate Services Manager:

  • a listing of individuals in S&P that have a laptop computer. The listing identifies the laptops CPU speed, CPU type and the location of the individual in S&P. The listing does not include unit costs;
  • a listing of desktop computers. The listing identifies date of commissioning, equipment type, location, PC name (identifier), user, serial number, and asset number. This listing does not show the cost of the assets;
  • a listing of the serial numbers of the laptop computers held by staff of the Office of the Chief Information Officer. This listing identifies the name of individual who has the laptop, make of laptop, and serial number. This listing does not show the cost of the assets; and,
  • a listing of individuals who have a blackberry. This list identifies the S&P area in which the individuals are employed. This listing does not show the cost of the assets.

OCIO is responsible for listing/tracking laptops, blackberries, and desktop computers for their own purposes but the responsibility to comply with the Policy remains to cost centre managers. The CIO stated that he receives no reporting on these inventories for monitoring purposes and that trust is placed with individuals to manage the assets. No regular inventory counts are taken of these assets. The Corporate Services Manager stated that S&P does not have any inventory procedures, rules, and guidelines in place.

The audit team was advised that a training course has been attended by an S&P staff member early 2010 to learn how to use of STAR Plant Maintenance module. This will enable the individual to train the S&P administrative staff on how to input and maintain an inventory of items valued between $1000 and $10,000 and attractive items valued at less than $1000. This will allow the Directorate to enhance compliance to the mandatory Directive on Inventory Management for Items Valued Between $1000 and $10,000 and Attractive Items Valued at less than $1000.

For assets greater than $10,000, the STAR report shows the cumulative value of all assets greater than $10,000. The report identifies the original value of assets purchased and the accumulated depreciation thereon. The type of asset categories shown include: network router components, switches, database software, GIS software, Office Suite, servers, and other informatics equipment. The reported cost of the acquisitions of all these assets was $4,245,484. All asset categories shown have been fully depreciated and are showing a net book value of NIL.

The audit team concludes that the processes and controls related to inventory of items valued between $1000 and $10,000 and attractive items valued at less than $1000 are weak and require strengthening.

Recommendation

15.
The Chief Administrative Officer must ensure that:

  • S&P administrative staff are trained on the use of the STAR Plant Maintenance module;
  • inventory is recorded into STAR;
  • periodic inventory counts are planned, count procedures are established, and counts are executed; and,
  • managers monitor and periodically report on inventory items valued between $1000 and $10,000 and attractive items valued at less than $1000 within their cost centre.

Management Response

Agree: All S&P administrative staff received Plant Maintenance training by May 11, 2010. Most Inventories has been recorded in the financial system by March 2010. The Finance & Administration Manager will ensure that maintenance of the inventories in the financial system is on-going. S&P will give further consideration to conducting periodic inventory counts for low dollar value assets.