Audit of acquisition card management - February 2023

Table of contents

Alternate format: Audit of acquisition card management - February 2023 (PDF, 691 KB)

Status: Active

Effective date: October 24, 2022

Prepared by: Office of Audit and Evaluation, National Research Council Canada

Approval: NRC's President

Cat. No.: NR16-409/2023E-PDF

ISBN: 978-0-660-46031-4

Executive summary and conclusion

Background

In response to the COVID-19 pandemic, the majority of the National Research Council of Canada (NRC) employees moved to a remote work environment in April 2020. Since then, the NRC has had to adapt to ensure business continuity. The remote work environment has required adjustments by both employees and the organization. Since then, certain procedures surrounding acquisition card settlement, such as methods of storing supporting documentation for transactions, have been modified which may entail additional risks. Given the significant changes brought on by the remote work environment, this audit aimed to ensure that appropriate governance and oversight are in place and continue to be exercised in alignment with the Financial Administration Act (FAA), the Treasury Board Secretariat Directive on Payments, and the NRC's Acquisition cards policy.

Acquisition cards provide government departments with a convenient, simplified and practical way to procure and pay for low dollar-value goods and services while ensuring effective financial controls. They also offer the potential for savings in procurement and expenditure processing costs. Procurement through acquisition cards is also subject to the requirements of contracting policies and various laws, regulations, trade agreements and comprehensive land claim agreements, as applicable.

Acquisition card expenditures represented 9% of the NRC's operating expenditures in fiscal year (FY) 2018. This percentage increased to 10% in FY2021 and 13% in FY2022. Due to its materiality, there are risks associated with the acquisition card processes and is therefore important that the NRC continue to show good stewardship of public funds.

As part of the 2021-2022 Risk-Based Audit Plan, the NRC's Office of Audit and Evaluation identified the Audit of Key Controls as a high priority. Acquisition cards was one of the components identified as high risk within the key controls.

Audit opinion and conclusion

In my opinion as Chief Audit Executive, key management controls for the use of acquisition cards are in place and generally working as intended. While requirements on the use of acquisition cards are clearly outlined and have been communicated, there is a need to strengthen monitoring and to remind stakeholders on the requirements for compliance given the changes brought on by the remote work environment.

Key takeaways

The NRC has established an Acquisition cards policy, Account verification policy, and an Account verification framework (AVF) that is consistent and aligned with the Financial Administration Act and the Treasury Board Secretariat Directive on Payments and supports the application of required financial controls. The roles and responsibilities of acquisition card stakeholders at the NRC are clearly defined and outlined at a high level in the Acquisition cards policy and procedures documents which have been communicated to stakeholders.

Comprehensive training has been developed and completed by all cardholders in the audit's sample. Financial signing authority (FSA) under Section 34 (performance certification authority) for budget holders is dependent upon successful completion of training requirements for functional specialists, responsibility centre managers (RCM), and other officers with duties requiring delegated authority. In addition to mandatory training, there is a quick reference guide and a "Question & Answer" chat to support cardholders and budget holders with questions on day-to-day transactions.

As part of the audit, we reviewed a sample of high risk transactions identified through risk-based sampling using data analytics. Overall, the transactions reviewed were compliant with the requirements of the Acquisition cards policy, however, certain deviations were noted including cases of contract splitting, inability to provide supporting documentation for purchases and wrong general ledger accounts attributed to a purchase.

In order to provide assurance that monitoring and oversight controls were in place, we reviewed sampling checklists and the reporting to management on the use of acquisition cards in accordance with the AVF. We found that monitoring and oversight mechanisms are in place and well defined within the AVF. However, the quality of the documentation of sampling review to support this function should be improved.

Recommendations

  1. The Vice President, Corporate Services and Chief Financial Officer should remind cardholders and managers of the requirements on the use of acquisition cards as well as the proper information management practices with regards to supporting documentation given the remote working environment.

    [PriorityFootnote 1Moderate]

  2. The Vice President, Corporate Services and Chief Financial Officer should strengthen monitoring for compliance by:
    1. enhancing the use of data analytics for targeted sampling to identify non-compliance issues.
    2. ensuring that the Account verification framework procedures are being applied and their results fully documented.

    [Priority: Moderate]

Statement of conformance

This audit engagement was conducted in conformance with the Institute on Internal Auditors' International Standards for the Professional Practice of Internal Auditing and Code of Ethics, as supported by the results of the NRC Quality Assurance and Improvement Program.

Alexandra Dagger, Certified Internal Auditor, Chief Audit Executive

Acknowledgements

The audit team would like to thank those who collaborated in this effort to highlight the NRC's strengths and opportunities for improvement as they relate to this audit project.

1.0 Introduction

The requirements governing the use of acquisition cards are outlined in Appendix B: Standard on Acquisition Card Payments of the Treasury Board Secretariat Directive on Payments. The objective of the Directive, based on the Treasury Board Policy on Financial Management, is to ensure that financial resources of the Government of Canada are well managed and equipped with controls to manage risk. According to the Directive, the Chief Financial Officer (CFO) has the responsibility to ensure that acquisition cards are used when it is economical and feasible to do so and that management practices and internal controls are established for their proper use.

In alignment with the Directive on Payments, the National Research Council of Canada's (NRC) Finance and Procurement Services branch implemented the Acquisition cards policy in 2003 and was most recently updated in September 2021. It establishes the operational requirements for authorization, use and control of acquisition cards. The Policy recommends the use of acquisition cards for purchasing day to day expense items including maintenance services, lab supplies, office equipment hospitality expenses, and certain IT items with a total dollar value below $500, excluding fleet operating expenses, travel and capital assets. IT purchases listed in the managed IT product list are to be processed through Knowledge, Information and Technology Services through a request form. In addition to establishing the restrictions, the Policy also defines roles and responsibilities of stakeholders, credit and spending limitations, and rules surrounding delegation of authority.

At the NRC, there are 2 types of acquisition cards used, both of which have been included in the sample review for this audit. These are:

  • acquisition cards used within Research Centres, Branches, or IRAP ( CBIs)
  • acquisition cards used by Procurement Officers within the Finance and Procurement Services branch

As of June 2022, there were 593 active acquisition cards within the CBIs and 26 assigned to Procurement Officers.

With the majority of NRC employees shifting to telework in response to the COVID-19 pandemic, the NRC's Office of Audit and Evaluation undertook this audit to ensure that the use of these cards are well managed and that controls are in place to manage risks. This audit focused on internal controls relating to governance, compliance and monitoring of acquisition cards.

Why is this audit important?

April 2020 marked a transition to remote work following restrictions imposed by COVID-19. Since then, procedures surrounding acquisition card settlement, card applications and methods of digital authorization have been modified to accommodate the virtual environment which entails additional risks.

When NRC employees transitioned to working from home, the urgent need to purchase and deliver supplies and equipment to employee residences put pressure on the NRC as a whole in particular on the acquisition card process. This pressure was evidenced by spending patterns at the onset of the pandemic, which notably included more purchases of lower-priced items such as peripheral equipment for computers and subscription-based software.

With respect to the security of acquisition cards, once they are distributed to cardholders, the Acquisition Cards Policy states that cardholders must ensure that the card is kept in a secure location with controlled access when it is not being used. The cardholder must also provide documentation to support the acquisition card statement in accordance with the Account verification policy by saving invoices/receipts and other required documentation. The remote work environment introduced the risk that not all practices would be implemented as intended, in order to restrict access, to ensure the security of and the proper use of acquisition cards.

2.0 About the audit

The audit was included in the NRC's 2021-2022 Risk-Based Audit Plan, approved by the President on June 30, 2021.

Objective

The objective of this audit was to provide the NRC senior management with independent assurance that the key management controls for the use of acquisition cards are working as intended in the current remote work environment.

Scope

Acquisition card transactions that occurred between April 1, 2020 and February 28, 2022 were selected for examination along with an assessment of the internal controls relating to governance, training, monitoring and oversight as well as the level of compliance with policies and procedures.

Figure 1. Acquisition card spending April 2020 to February 2022

Figure 1. Text version follows.
Long description of Figure 1: Acquisition card spending April 2020 to February 2022

The vertical bar graph demonstrates acquisition card spending per month from April 2020 to February 2022.

Acquisition card spending follows a cycle each fiscal year:

  • starting low in April
  • increasing throughout the year
  • typically peaking towards March

The detailed audit criteria can be found in Appendix A.

The following processes were not included in the scope of the audit:

  • issuance
  • replacement
  • cancellation of acquisition cards
  • payments made to the service providers during this period

Approach and methodology

The audit was conducted in accordance with the Institute of Internal Auditors (IIA) Standards and the Internal Auditing Standards for the Government of Canada, as required by the Treasury Board Policy on Internal Audit.

Procedures in the audit program included the following:

  • reviewing relevant documentation including framework documents, policies, directives, guidance, reports, and training material
  • identifying and reviewing key business processes and procedures in place
  • conducting interviews with key stakeholders (i.e. cardholders, budget holders)
  • sampling acquisition card transactions and reviewing supporting documentation
  • interviewing cardholders for validation of results
  • reviewing and analyzing NRC's monitoring methodology
  • reporting findings and recommendations

Risk-based audit procedures and tests were developed and set out within a formal audit program and were used to assess the NRC's practices against legislative requirements and guidelines. A risk-based sampling strategy, leveraging data analytics, was used to perform targeted sampling of high risk acquisition cards transactions. In comparison to a random sampling approach, risk-based sampling targets audit work on high-risk areas and therefore increases the likelihood of identifying cases of non-compliance. It is important to note that targeted sampling does not allow for an extrapolation of the audit results to the entire population of transactions.

3.0 Audit findings and recommendations

Each section below provides a summary of findings supported by detailed observations, a description of the risk and impact, and recommendations to address areas for improvement.

3.1 Governance and training

Summary findings

The NRC has established policies and procedures for the acquisition card program that are consistent and aligned with federal policies and legislation and support the application of required financial controls. The policies and procedures clearly set out cardholder and budget holder accountabilities and responsibilities. Training for cardholders and budget holders is formally provided.

We found that roles and responsibilities of acquisition card stakeholders at the NRC are clearly defined and outlined in policy and procedure documents which have been communicated.

The NRC's Acquisition cards policy outlines the use of these cards for the procurement of goods and non-professional services of low dollar value. The Policy additionally outlines restricted purchases that the acquisition card cannot be used for such as certain IT purchases, NRC vehicle operating and maintenance expenses, and travel-related expenses. Hospitality and membership expenses can be paid with an acquisition card, but they require a pre-authorized form to be signed by a manager with the proper delegated financial authority.

Interviews conducted with cardholders, procurement officers and Finance staff noted that roles and responsibilities for the management and use of acquisition cards have been for the most part, reasonably understood and executed properly. This was later corroborated through a review of a sample of transactions.

Comprehensive training available on the NRC's intranet site is required to be taken prior to receiving an acquisition card and must be re-taken every 5 years. In addition, granting of financial signing authority is dependent upon completion of training requirements for functional specialists, responsibility centre managers, and other officers with duties requiring delegated authority. We noted that all cardholder training was up to date within the sample reviewed. When applying for an acquisition card, the cardholder is required to sign an application form which lists key responsibilities, such as settling statements within 20 days, ensuring that transactions are not split across transactions to avoid limits established for certain types of purchases and advising the acquisition card company should it be lost or stolen.

The NRC's intranet site also contains an NRC acquisition card quick reference guide which covers the majority of day-to-day circumstances and best practices. Detailed guidance for end users is widely shared with cardholders. As just one example, to provide greater support to cardholders in everyday purchases, Finance and Procurement Services has generated a chat for Questions & Answers which is regularly monitored by NRC's acquisition card coordinator.

Recommendation

No recommendation.

3.2 Compliance with acquisition card policies and procedures

Summary findings

Overall, the acquisition card transactions selected for examination were found to be generally compliant with key requirements of the Acquisition cards policy and the Financial Administration Act (FAA). However, certain issues which are discussed below require attention.

Cardholders are required to use their acquisition cards in accordance with the Acquisition cards policy, which includes restrictions on transaction amounts, types of goods and services that can be purchased, and a requirement to obtain and document expenditure initiation approval (as per Section 32 of the FAA) prior to purchasing. In addition, the responsibility centre managers must provide certification of goods or services (as per Section 34 of the FAA) on the Statement of AccountFootnote 2 for acquisition card purchases. On a monthly basis, cardholders are expected to reconcile their credit card statements against the expenditures in a financial dashboard that is generated by the financial system within 20 days of a purchase by sending their statement of account to the Finance and Procurement Services mailbox. The cardholder must save physical and/or electronic copies of all supporting documentation for their transactions in the NRC's official information management repository.

To determine compliance with each of these requirements, the audit team reviewed a sample of 231 acquisition card transactions originating from a population of 57,321 transactions from April 2020 to February 2022. Transactions selected through data analytics were focused on attributes which indicated higher inherent risk of non-compliance, including but not limited to:

  • expenditures related to hospitality
  • items requiring Chief Information Officer approval
  • awards
  • cash advances
  • membership fees
  • training
  • vehicle expenses
  • conference and seminars
  • purchases from unusual vendors
  • potential instances of "transaction splitting" to circumvent the acquisition card individual transaction limits or delegated contracting authority limits

Following a review of the Statement of AccountFootnote 2 for transactions within the sample, a subset of 92 transactions was chosen for additional review. It is important to note that targeted sampling does not allow for an extrapolation of the audit results to the entire population of transactions.

Overall, we found that transactions generally complied with the requirements of the Acquisition cards policy. Within the audit sample, all acquisition card limits were clearly defined for cardholders, and all but 1 transaction examined respected spending limits. All transactions examined that required expenditure initiation, for membership or hospitality transactions, had the necessary supporting documentation.

Budget holders have the responsibility to confirm that the goods have been received or the service has been rendered by signing Section 34 under the FAA. Of the 231 transactions reviewed, we found that 223 transactions had evidence of Section 34 and with most using digital signatures instead of wet signatures, as was implemented through the Directive on digital authorization in April 2020. In addition, all budget holders were confirmed to have proper delegation of financial authority. For all statement of accounts reviewed, there was proper segregation of duties to ensure cardholders were not certifying their own acquisition card purchase.

The Acquisition cards policy and associated training material, identify restricted items which cannot be purchased using an acquisition card. We found that 90 out of 92 transactions examined were in compliance with these restrictions. The 2 restricted purchases required additional scrutiny.

Based on the review of the audit sample and interviews with cardholders, requirements for records management are inconsistently applied across CBIs. During our review of the statement of accounts, only 1 could not be located, preventing verification of Section 34. Cardholders are responsible for providing documentation to support the acquisition card statement pursuant to the Account verification policy and the acquisition card training which states that supporting documentation should be saved to the CBI's digital repository or as a paper copy in the CBI's records management system. While most cardholders were able to retrieve the requested receipts/invoices and pre-approvals (i.e. 85 out of 92 transactions), most of those interviewed did not have a system in place to share their documentation with supervisors or colleagues should they leave the NRC.

We also found that while the majority of transactions examined were coded correctly, certain General Ledger (GL) accounts recorded for purchases did not match their description. There is a risk that if coded incorrectly, the transactions may circumvent monitoring by Accounts Payable.

Recommendation

  1. The Vice President, Corporate Services and Chief Financial Officer should remind cardholders and managers of the requirements on the use of acquisition cards as well as the proper information management practices with regards to supporting documentation given the remote working environment.

    [Priority: Moderate]

3.3 Monitoring and oversight

Summary findings

Monitoring and oversight mechanisms are in place and well defined within the Account Verification Framework (AVF). However, the quality of the documentation supporting the annual random and quarterly targeted sampling review of low-risk transactions conducted by the NRC's Accounts Payable team should be improved.

According to the Acquisition cards policy, acquisition card usage is primarily monitored by the respective responsibility centre managers or budget holders who must approve and confirm the purchases by certifying the cardholders' statements at least monthly and ensuring that Section 34 of the FAA applies correctly. Also, as part of the NRC's oversight function, Accounts Payable (AP) team, in line with its AVF, conducts an annual random and a quarterly targeted sampling review of low-risk transactions, given the volume of transactions over the course of a calendar year.

The NRC's Acquisition cards policy sets a limit of $10,000 per transaction for CBI acquisition cards. In addition to the fact that acquisition cards are only to be used for low value day-to-day purchases, the transaction limit supports the TB Contracting Policy requirement that all contracts greater than $10,000 must be established and proactively disclosed on the Treasury Board Secretariat's website. These controls ensure public transparency and fairness, and facilitate the realization of economic benefits that competitive processes create. We determined that 12 transactions out of the 231 examined were potential contract splitting. Data mining techniques are employed by AP to perform targeted sampling of transactions selected for examination on a post-payment basis. Given the transactions identified under AP's targeted sample examined, we found that current data mining techniques performed by AP are not designed to highlight contract splitting.

The NRC's Account verification policy requires that sampling practices are sufficiently accurate and enable reporting of results to demonstrate the overall adequacy and reliability of the account verification process. As part of the audit, NRC's reporting on sampling results provided to management during fiscal year 2021-22 was examined. We found that the sampling results were consistent with the AVF report. However, the quality of the documentation supporting of the annual random and quarterly targeted sampling review of low-risk transactions conducted by the NRC's AP team was found to be lacking. An appropriate audit trail is required to be maintained by AP staff in order to demonstrate that the complete review of a transaction's history selected as part of the AP sample has been conducted.

The Account verification policy also requires that corrective actions be taken when critical errors are identified. Critical deviations demonstrate weaknesses in the key controls of the expenditure process and therefore follow-up actions should be documented, such as emails sent to cardholders to inform them of their errors in reconciling their transactions, or evidence that the transaction was presented to the financial oversight committee for discussions on actions to be taken. We found that corrective actions were documented for transactions with critical deviations.

Recommendation

  1. The Vice President, Corporate Services and Chief Financial Officer should strengthen monitoring for compliance by:
    1. enhancing the use of data analytics for targeted sampling to identify non-compliance issues.
    2. ensuring that the Account verification framework procedures are being applied and their results fully documented.

    [Priority: Moderate]

Appendix A: Audit criteria

The following criteria were used to evaluate the use of acquisition cards at the NRC:

Line of Enquiry 1 - Governance and training

  1. Roles, responsibilities, and accountabilities are clearly defined and communicated.
  2. Formal training and tools are developed to provide support to cardholders and supervisors.

Line of Enquiry 2 – Controls around initiation, execution and recognition

  1. Transactional and monthly credit limits are defined.
  2. Expense is approved by the appropriate delegated authority prior to the expense being incurred when Section 34 approver is different from budget holder.
  3. Certification authority is performed by the appropriate delegated authority.
  4. Expenses certified are properly supported with proof of execution and cost (e.g. receipt, invoice) and saved in CBI's digital repository or records management system.
  5. Cards are used solely for authorized government business-related purchases of goods and services and compliant with restrictions.

Line of Enquiry 3 - Monitoring and oversight

  1. Effective quality assurance and monitoring mechanisms are in place to identify and address issues of misuse, non-compliance, and fraudulent activity.
  2. Procedures and mechanisms for the issuance, cancellation, loss or theft of acquisition cards have been working as intended.

Appendix B: Management action plan

Definition of priority of recommendations
High Implementation is recommended within 6 months to reduce the risk of potential high likelihood and/or high impact events that may adversely affect the integrity of the NRC's governance, risk management and control processes.
Moderate Implementation is recommended within 1 year to reduce the risk of potential events that may adversely affect the integrity of the NRC's governance, risk management and control processes.
Low Implementation is recommended within 1 year to adopt best practices and/or strengthen the integrity of the NRC's governance, risk management and control processes.
Recommendation Corrective Management Action Plan Expected implementation
date and responsible
NRC contact
  1. The Vice President, Corporate Services and Chief Financial Officer should remind cardholders and managers of the requirements on the use of acquisition cards as well as the proper information management practices with regards to supporting documentation given the remote working environment.

    [Priority: Moderate]

Communications will be sent to all NRC acquisition cardholders and managers to remind them of the requirements on the use of acquisition cards as well as the proper information management practices with regards to supporting documentation given the remote working environment. This will be followed with open forum sessions.

October 31, 2022

Director General, Finance and Procurement Services

  1. The Vice President, Corporate Services and Chief Financial Officer should strengthen monitoring for compliance by:
    1. Enhancing the use of data analytics for targeted sampling to identify non-compliance issues.
    2. Ensuring that the Account verification framework procedures are being applied and their results fully documented.

    [Priority: Moderate]

  1. The FPS AP team will expand and enhance its current use of data analytics for targeted sampling to identify non-compliance issues.
  2. Additional review and reconciliation procedures have been implemented in the FPS AP team which will strengthen the quality of the documentation of the findings as well as the audit trail.
  1. December 31, 2022
  2. Completed

Director, Accounting Operations and
Finance and Procurement Services