Parks Canada
Symbol of the Government of Canada

Common menu bar links

Internal Audit and Evaluation Documents

Horizontal Audit of the Acquisition Cards Process

Final Report

Office of Internal Audit and Evaluation
December, 2012

Report submitted to the Parks Canada Audit Committee: January 17, 2013
Approved by the Agency CEO: February 7, 2013

Table of Contents

Printable Version (PDF: 286 Kb)


Note: To read the PDF version you need Adobe Acrobat Reader on your system.

If the Adobe download site is not accessible to you, you can download Acrobat Reader from an accessible page.

If you choose not to use Acrobat Reader you can have the PDF file converted to HTML or ASCII text by using one of the conversion services offered by Adobe.



Executive Summary

Acquisition cards (AC) are charge cards that provide the Agency with a convenient and practical method of procuring and paying for low dollar value goods and services while maintaining financial control. They simplify the process of procuring and paying for goods and services thereby generating savings in procurement and expenditure processing.

During the course of the 2011–2012 fiscal year more than 2200 cards were in circulation at Parks Canada and 66,500 transactions were recorded for a total value of $15,340,000.

The 2011-12 to 2013-14 Parks Canada (PCA) Multi-year Internal Audit Plan approved by the CEO in July 2011 targets acquisition processes as a medium audit priority in the Agency. After a preliminary assessment, it had been decided to conduct two different audits (e.g. Contracting & Procurement and Acquisition Cards) for efficiency purposes.

The objective of the audit was to provide the assurance to senior management that adequate controls are in place to manage the acquisition card process and to confirm whether due diligence is being exercised in the use of Acquisition Card.

The examination phases was conducted in 24 organisational units across the Agency, which included 6 national office directorates, 3 service centres and 15 field units and was carried out between December 2011 and August 2012.

The audit was planned and conducted in accordance with the internal audit standards of the Government of Canada.

The Audit found that an adequate management framework is in place to mitigate the risk of non-compliance with Policies and Directives. Roles and responsibilities are clearly defined and communicated and appropriate transactional monitoring is done. In general, due diligence is being exercised in the use of Acquisition Card. The risk of fraud or inappropriate use of cards for the Agency is low because appropriate controls are in place and functioning. The audit team noticed a significant improvement in the management of the Agency’s acquisition card processes over the last 10 years, more specifically in the area of transaction compliance and supporting document.

Table 1: Audit Report Rating
Section # Name of Section Rating
8.1 Management Control Framework BLUE – Minor improvements required
8.2 Operational Environment and Controls BLUE – Minor improvements required

1 Background

Acquisition cards (AC) are charge cards that provide the Agency with a convenient and practical method of procuring and paying for low dollar value goods and services while maintaining financial control. Although the use of acquisition cards is not mandatory, Treasury Board (TB) Directive on Acquisition Card strongly encourages this purchasing instrument when it is efficient, economical and operationally feasible to do so. Acquisition cards simplify the process of procuring and paying for goods and services thereby generating savings by reducing or eliminating more costly or burdensome transaction procurement and payment methods such as Receiver General cheques and purchase orders.

In 2009, around the same time as the new Treasury Board Directive on Acquisition Card was introduced, the contract between the Bank of Montreal (BMO) and the Government of Canada was renewed for the use of MasterCard AC. During the course of the 2011–2012 fiscal year more than 2200 cards were in circulation at Parks Canada, mainly MasterCard, and a few Visa cards and 66,500 transactions were recorded for a total value of $15,340,000.

2 Purpose

The 2011-12 to 2013-14 Parks Canada (PCA) Multi-year Internal Audit Plan approved by the CEO in July 2011 identifies acquisition processes as a medium audit priority for the Agency. After a preliminary assessment, it had been decided to conduct two different audits (e.g. Contracting & Procurement and acquisition Cards) for efficiency purposes. To that effect, the national audit of the Acquisition Cards process was conducted between December 2011 and August 2012 and focussed on the use and the management of acquisition cards.

3 Legislative and Policy Framework

For the purpose of this audit, the Treasury Board Directive on Acquisition Card and other related TB and PCA policies, directive and guidelines were reviewed (see Appendix A).

4 Objectives and Scope

The objective of the audit is to provide assurance to senior management that an adequate control framework is in place to mitigate the risk of non-compliance with TB and PCA Policies and Directives and to confirm whether due diligence is being exercised in the management of Acquisition Card.

The scope of this audit is national and includes a review of acquisition card transactions for the period of April 2011 to January 2012.

5 Methodology

The general approach used by the audit included three phases: planning, examination and reporting. The planning phase included:

  • a review of the policies directives and guidelines relative to acquisitions cards;
  • establishing locations and cardholders to be included in the audit sampling based on a proportional representation of transactions volume; and
  • developing a series of tests criteria to be carried out.

The examination phases was conducted between February and August 2012 in 24 organisational units, 12 in Eastern Canada and 12 in Western Canada, each representing 50% of the transactions volume. The 24 units included: 6 national office directorates; 3 service centres; and 15 field units. Although some on-site visits took place, most of the work was conducted from National Office. Tests were performed using a sample set of 364 cardholders (17%) and transactions totaling $1.7M which represents 16% of acquisition card expenditures for the audit period.

Observations and recommendations included in this report are in accordance with the Office of Internal Audit and Evaluation (OIAE) Rating System described in Table 1:

Table 1: Audit Reporting Rating System
RED Unsatisfactory The current controls are not functioning or are nonexistent. Management measures must be taken immediately to rectify the situation.
ORANGE Significant improvements required Controls in place are weak. Several major issues have been noted that could jeopardize the accomplishment of program/operational objectives. Management measures must be taken immediately to correct the deficiencies related to the controls.
YELLOW Moderate improvements required Some controls in place are functioning. However, significant problems, which require attention, were noted. These problems could jeopardize the achievement of program goals or operational objectives.
BLUE Minor improvements required Many of the controls are functioning as intended. However, some minor changes are necessary to improve the efficiency and effectiveness of the control environment.
GREEN Controlled Controls are functioning as intended and no further action is necessary at this time.

6 Statement of Assurance

The present audit was planned and conducted in accordance to the Government of Canada’s standards for internal auditing.

7 Audit Opinion

An adequate management framework is in place to mitigate the risk of non-compliance with Policies and Directives. Roles and responsibilities are clearly defined and communicated and appropriate transactional monitoring is done. In general, due diligence is being exercised in the use of Acquisition Card. The risk of fraud or inappropriate use of cards for the Agency is low because appropriate controls are in place and functioning. The audit team noticed a significant improvement in the management of the Agency’s acquisition card processes over the last 10 years, more specifically in the areas of transaction compliance and supporting document.

8 Observations and Recommendations

8.1 Management Control Framework

BLUE Minor improvements required Many of the controls are functioning as intended. However, some minor changes are necessary to improve the efficiency and effectiveness of the control environment.

The Chief Financial Officer is responsible for establishing risk-based management practices and controls to ensure economical, efficient and secure use of acquisition cards; and establishing the types of items that may be purchased, the dollar limits of purchases, and any limitation on certain types of purchases.

In order to determine whether a management control framework exists and is adequate, the following criteria were used:

  1. Acquisition card guidelines and procedures exist, and are aligned with TB policies and directives.
  2. Role and responsibilities are defined and communicated.
  3. Adequate training and instruction are provided at all level.
  4. Active monitoring of the acquisition card program is done.

The following observations are intended to detail the management control in place and deficiencies that were observed.

8.1.1 Acquisition Card Guidelines and Procedures

The audit found that the Chief Financial Officer has established a governance structure for the management of the acquisition cards program and expenditures. It includes a national acquisition card coordinator position (NACC) and over 50 regional acquisition card coordinators (RACC).

The guiding document used at PCA is the Treasury Board Directive on Acquisition Cards. In addition, PCA has also put in place guidelines to complement this directive and to ensure efficient and secure use of acquisition cards, such as:

  • the role and responsibilities of acquisition card coordinators, managers and cardholders;
  • terms and conditions in the use of acquisition cards;
  • guidance on internet purchases;
  • a list of prescribed and forbidden items that can or cannot be purchased.; and
  • spending authority for a single acquisition and a credit limit by cardholder.

8.1.2 Roles & Responsibilities

Roles and responsibilities of national and regional acquisition card coordinators are defined in a corporate document found on the PCA intranet site. Interviews across the Agency confirm that roles and responsibilities have been communicated to regional coordinators, managers and cardholders.

The national coordinator has the responsibility of managing the departmental acquisition card program, liaising with the acquisition card providers (BMO and VISA) and providing support to regional coordinators.

Each regional coordinator is responsible for carrying out all the following tasks in relation with the administration of acquisition cards in their respective locations:

  • issuance, cancellation and renewal of card;
  • providing training on restrictions and obligations regarding the use of the card;
  • liaison with the national coordinator;
  • monitoring cardholders accounts to ensure payments are made on a timely manner; and
  • monitoring compliance with the Directive on acquisition card.

Cardholder’s responsibilities are communicated through the Acknowledgement Form that the user agrees with in writing. It informs them of security requirements, guidelines and their responsibility of maintaining a monthly log of their acquisitions including valid receipts.

8.1.3 Training Procedures

The audit assessed if a training program was in place to ensure awareness and understanding of the acquisition card procedures and limitation of use. Although no formal card coordinator or cardholder training programs is in place, the various guidelines and roles & responsibilities documents available to PCA staff are adequate to ensure awareness and understanding of rules by cardholders.

Training of card coordinators is typically a one on one debrief with the person leaving a card coordinator position, or is provided by the National Card Coordinator if the person has already left the position.

The RACC has the responsibility of providing each cardholder with a form of Acknowledgement of Responsibilities (a contract binding the employee to the BMO’s contract clauses). In annex to the form is included a list of the type of transactions that can and cannot be performed with the card. The form must be signed by the employee, his/her supervisor and the RACC prior to receiving and activating a new acquisition card. Copies of these forms are kept on file at their respective Finance office.

In conclusion, there is no standard training procedure developed and provided to RACCs for cardholders. However, RACCs rely on roles and responsibilities documents and employee’s acknowledgement form which is considered acceptable.

8.1.4 Active Monitoring

According to the Treasury Board Directive on Acquisition Cards: ‘‘the departmental acquisition card coordinator is responsible for ensuring that the use of acquisition cards is monitored’’.

In order to facilitate this process, BMO provides a web-based application system giving on-line access to card coordinators across the Agency to manage acquisition card user accounts. A review by the audit team confirms that the application has adequate functionality to manage and monitor AC activities such as:

  • definition of RACC accounts and associated cardholders;
  • on-line access to cardholder statements by the RACC;
  • payment history, balance due and interest fees monitoring functions;
  • on-line transactions analysis by cardholder, supplier or type of expenditures;
  • tailored GOC reports, including audit reports for airlines, restaurants, lodging, expenditures; and
  • card status and activity reports (active, deactivated, suspended, inactive since “mm/dd/yy”).

The approach taken by the Chief Financial Officer Directorate (CFOD) to ensure proper monitoring of Acquisition Card transactions was to decentralize the responsibility of carrying out all the various tasks in relation with the administration and monitoring of cardholder’ accounts at the local level.

Site visits confirms that a formal process is in place to monitor individual cardholders account and includes the following steps:

  • issuing a copy of the electronic card statement to each cardholder to avoid mail reception delays;
  • cardholders must submit a complete acquisition log including basic information (i.e.: date, supplier, description , financial coding and amount), supported with receipts of transactions. The log must be signed by the appropriate authority (S.34 FAA);
  • a final review of the signed cardholder log is done by finance for errors and to monitor if some transactions are at risk. When required, issues are escalated to RACC and Responsibility Center (RC) Manager is informed.

Written notes show that questions are raised to managers and cardholders for transactions potentially at risk or non-compliant with the Directive on the use of the acquisition card.

Monitoring of inactive cards and limits are reviewed occasionally by RACCs. The BMO application allows RACC to perform trend analysis reports on use of cards. Adjustments are performed by the RACC based on spending needs or upon request by the RC Manager.

The CFOD is responsible for monitoring of unpaid statements of BMO and VISA and follows up with cardholders accordingly. When issues are raised by the regional card coordinators, the NACC provides assistance and communicates with BMO and VISA when required.

In our opinion, appropriate monitoring is in place and the risk of misappropriation of funds or fraud are low because adequate controls are in place and functioning (e.g., Cardholder log, no cash withdrawal possibility, Section 34 approval, Section 33 financial officer review and spending limit of $5,000 per transaction).

8.2 Operational Environment and Controls

BLUE Minor improvements required Many of the controls are functioning as intended. However, some minor changes are necessary to improve the efficiency and effectiveness of the control environment.

In order to determine if operational controls are adequate to reduce the risk of misuse of acquisition cards, the audit examined transactional documentation gathered from 24 different locations across the Agency. Ten specific tests were conducted on 17% of cardholders and 16% of the total value of AC transactions made by the agency for the audit period of April 1, 2011 to January 31, 2012 using the following audit criteria:

  1. All acquisition card purchases are controlled by the cardholder.
  2. Transactions respect the applications and restrictions set in the Directive on Acquisition Cards.
  3. Certification and reconciliation of account statements are done.
  4. Payment of account statements is made on a timely basis.

The following observations are intended to detail the operational control deficiencies that were observed.

8.2.1 Compliance with the Directive on the use of acquisition cards

Acquisition card purchase are controlled by the cardholder

According to TB Directive on Acquisition Cards cardholders are responsible for:

  • ensuring that the person whose name appears on the card is the only one who can consent to performing AC transactions;
  • safeguarding card information and ensuring that the card is kept in a secure location at all times; and
  • making purchases and payments according to limits established in the departmental delegation of authority document.

RACC relies on existing guiding documents and the duly signed ''Employee Acknowledgement of Responsibilities and Obligations Form Declaration'' to ensure awareness and accountability of the cardholder and his manager. The signed forms are kept on file.

With the available guiding documents, employees are made aware of security aspects and confidentiality of card information. To avoid use of a card by another staff member, the RACC temporally deactivate the card when the cardholder is on extended leave of absence.

The audit was not able to verify that the cardholder was the only person who consented to perform all transactions. The reason is that many transactions are made on-line or invoices often do not carry signature of purchaser. However, since the payment process of a cardholder monthly statement requires 3 levels of approval (e.g. cardholder, RC manager and S.33 FAA), the risk of fraud by an individual other than the cardholder is very limited and would be easy to identify.

Test performed on 750 monthly cardholder statements revealed that only 11 transactions were found in excess of the $5,000 limit on individual transactions. A debrief by the auditor was made to the respective RACC to highlight and to follow up these cases. No statements were found where the card limit had been exceeded.

Use of Acquisition Cards

The TB and PCA directives and guidelines clearly stipulate that acquisition cards shall only be used for the purchases of goods, services and pre-approved hospitality expenditures and cards are not to be used for: most operating and maintenance expenses of fleet vehicles; travel status-related expenses; obtaining cash advances; and interdepartmental or internal transactions within PCA.

The following 3 tests were made on 750 cardholder monthly statements which can contain multiple transactions and related supporting documents to assess if:

  1. Transactions were made only for authorized government business-related purchases.
  2. Transactions were in compliance with the TB and PCA’s application and restrictions in the use of an AC.
  3. Transactions respected contractual guidelines and restrictions (e.g. contract splitting, avoiding standing offers and supply arrangements).

A low number of non-compliant transactions were found. Individual debriefings were held by the auditors to inform RACCs of each individual case of non-compliancy so that, if necessary, actions can be taken to address non-compliant issues.

The audit also noted during the transaction testing that the Agency purchases a number of valuable outdoor gears (e.g. winter jackets & pants, camping gear, clothes other than uniforms). These purchases are done individually by various cardholders and they are not controlled closely (e.g. no inventory, no tracking of the purchase volume, no justification). Purchases are mostly done on-line without any indication of research for quotes or for the best price. PCA may want to consider looking into taking advantage of standing offer discounts or ways to set guidelines so that reasonable pricing ranges information are provided to buyers and increased transparency and accountability.

In conclusion, the associated risk in the use of AC at Parks is low. Test results revealed a low percentage of non-compliance (0.1%, 2.7% and 2.3% related to the 3 tests performed) and the materiality of these occurrences is not significant in the perspective of $15M of acquisitions made annually.

Processing and Reconciliation of BMO Account Statement

According to the TB Directive on Acquisition Cards:

  • cardholders must provide evidence of transactions documentation by completing an acquisition ledger and attaching the original invoice to support the monthly card statement; and
  • RC managers are responsible for reconciling the employee's acquisition card Ledger with the BMO monthly statement and monitoring expenditures by signing Section 34.

A test performed on 750 monthly cardholder logs revealed that in general logs were properly completed with detail transaction information. In matching the logs with the receipts we found 50 transactions where receipts were missing. However, further investigation with finance revealed that some had been filled separately in other historic site buildings. Logs had visual evidence of reconciliation check marks or comments against transactions.

In conclusion, our test results show adequate processing and reconciliation of AC accounts.

8.2.2 Financial Controls

The main level of financial control on acquisitions resides with the RC managers when approving monthly statement under Section 34 of the FAA.

The audit verified all Section 34 signatures against the Specimen Signature Cards provided by Finance and found 7 out of 750 monthly statements were a person without Section 34 delegation of authority had approved some transactions. In most cases, the problem was related to one transaction where the approver did not have the delegation for all cost centers. A few cases were found were a cardholder had approved his own statement; however, all transactions were business related and deemed reasonable.

The audit also noted that the timeliness of the AC payments (Section 33) varies greatly between locations. Field units that have their finance group and cardholders located in the same location show very low percentage of late payments. However, field units that have decentralized cardholders operating in multiple locations are face with a bigger challenge, as more late payments are noted. Tests performed in 24 different locations across the Agency show that field units who have decentralized sites have in average 8 times more late payments than those sites that operate in one single location.

Delays are often due to the process by which monthly account statements have to be forwarded from finance to the cardholder before processing can start and supporting documents are sent back to finance with a duly signed Section 34. This often leaves not much time, especially when the cardholder is involved in remote field work activities (e.g. if receipts are missing the payment is postponed until all documents are submitted back to finance).

Late payments translate for 2011–2012 in annual interest fees of $2,459 for 2,200 MasterCard accounts and $1,054 for 48 VISA accounts.

Appendix A: Applicable Legislations and Policies

Laws and Regulations
Financial Administration Act
Treasury Board Policies, Guidelines and Standards
Directive on Acquisition Cards;
Policy on Internal Control;
Contracting Policy;
Policy on the Application of the Goods and Services Tax and the Harmonized Sales Tax in the Departments and Agencies of the Government of Canada - For FIS compliant Departments and Agencies;
Policy on the Collection and Remittance of Provincial Sales Taxes (Application of Reciprocal Taxation Agreements and Comprehensive Integrated Tax Coordination Agreements);
Directive on Expenditure Initiation and Commitment Control;
Directive on Account Verification; and
Government Security Policy.
PCA Policies, Directives and Guidelines
Directive on Inventory Management for Items Valued at Between $1,000 and $10,000 and Attractive Items Valued at less than $1,000;
Restrictions and Obligations for the use of the Acquisition Cards;
Role of the Acquisition Card Coordinator.