PDF version (519 KB)
Executive Summary and Conclusion
This audit report presents the findings of the National Research Council Canada's (NRC) Audit of Acquisition Cards in the Interim Operating Environment.
The objective of the audit was to provide just-in-time independent assurance to NRC Senior Management that controls remain effective in the Interim Operating Environment (IOE) and to allow NRC to make necessary corrections before fiscal year-end.
In July 2014, a cyber-intrusion led to the shutdown of NRC's IT network and systems. NRC then implemented Interim Operating Environment (IOE) controls to enable the organization to continue to deliver services and value to clients and the Canadian public. Four audits of the IOE were approved by the President outside of the NRC 2014-15 to 2016-2017 Risk-Based Internal Audit Plan. These audits in the IOE are: Expenditure Management, Industrial Research Assistance Program (IRAP), Acquisition Cards, and Procurement and Contracting.
Audit findings are presented within the context of a compromised operating environment with interim business continuity measures until which time a new network and steady-state business processes are in place.
Acquisition cards provide a convenient and practical method of procuring and paying for goods and services while maintaining financial control. When used appropriately they are a cost efficient method to execute low-dollar value purchases. During fiscal year 2014-15 NRC executed a total of $18.1 million of acquisition card purchases, 50% of which were under the Interim Operating Environment and subject to this audit. Improper use of acquisition cards carries the risk of circumventing Government of Canada procurement regulations, risk of personal benefit and potential fraud.
Audit Opinion and Conclusion
Within the limitations of the samples drawn and the audit procedures performed, the audit found that interim operating processes were sufficient to demonstrate control and due diligence over purchases through acquisition cards in compliance with Government of Canada standards. Interim processes remained overall effective in management of the risk that acquisition cards are used for unauthorized, disallowed purchases, or for personal benefit. NRC Finance Branch continuously monitors the proper use of acquisition cards and maintains processes to address issues of non-compliance. The audit noted a positive trend of increased use of acquisition cards for purchase of low dollar value and low complexity procurement transactions.
Summary of Recommendations
No recommendations were identified in the course of the audit. At the time that this audit report was prepared, the control environment was improving as NRC moves towards implementing a new, secure network and most systems related to the acquisition card program have returned to normal functionality.
Statement of Conformance
In my professional judgment as the Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the audit opinion and conclusion. The audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program.
Alexandra Dagger, CIA, Chief Audit Executive
NRC Audit Team Members:
Irina Nikolova, FCCA, CIA, CISA, Audit Manager
Jon Byford-Harvey, CPA, CMA, Auditor
Michelle Le, B.Sc, Student Auditor
Milena Gligorovic, BAH, Student Auditor
The 2014-15 Audit of Acquisition Cards in the IOE was approved by the President outside of the NRC 2014-15 to 2016-2017 Risk-Based Internal Audit Plan following a cyber-intrusion that resulted in the shutdown of NRC's IT network and systems.
Acquisition cards are charge cards that provide a convenient and practical method of procuring and paying for goods and services while maintaining financial control. They simplify the process of procuring and paying for goods and services thereby generating savings in procurement and expenditure processing Footnote 1.
The use of acquisition cards is recommended for purchases of day to day expense items for standard maintenance, repair and operational goods and services, excluding large dollar purchases, complex transactions, fleet-related operating expenses, and travel and capital assets. Although the use of an acquisition card is not mandatory, it is strongly encouraged when the purchase is within delegated transaction authority and it is efficient, economical and operationally feasible to do so Footnote 2.
The Use of Acquisition Cards within NRC
NRC uses acquisition cards from MasterCard issued under the Government of Canada service contract with the Bank of Montreal (BMO) with a cash rebate of 1.4%. The NRC acquisition card program is coordinated through NRC Finance Branch (FB) and monitored by the FB's financial monitoring unit. Within NRC, there are two classifications of cards issued. Consolidated 095 billing cards are issued to portfolio employees. Consolidated 041 billing cards are issued to Administrative Services and Property Management (ASPM) procurement officers and, as such, follow somewhat different authorization processes. The majority of acquisition card spending occurs through portfolio use (Figure 1). Use of acquisition cards in the IOE carried a similar spending pattern but resulted in a 50% increase in total spending.
Long description for figure 1.
|IOE Portfolio Spending||$6,732|
|IOE ASPM Spending||$2,308|
Acquisition cards within NRC are generally issued to cardholders with a monthly spending limit of under $25,000 and transactional authorization limit of $5,000 (Table 1). In the interim operating environment, the transactional limit was increased to $10,000 and kept such as of the date of this audit report (Figure 2). Similar to pre-IOE practices, not all cards are used with the same frequency. From the 366 cards active in IOE, only 266, representing 72% were used within the last month (Table 1).
Table 1: IOE Acquisition Card Limits and Use
|$2.5K ‑ 10K||22|
|$15K ‑ 25K||313|
|$40K ‑ 60K||17|
|$75K ‑ 200K||14|
|No Activity since Opened||20|
|150+ Days (09/01/14 and beyond)||28|
|150 Days (09/01/14)||3|
|120 Days (10/01/14)||7|
|90 Days (11/01/14)||7|
|60 Days (12/01/14)||8|
|30 Days (01/01/15)||27|
Long description for figure 2.
NRC benefits from a cash back inventive program offered by the Bank of Montreal based on acquisition card net spending at the negotiated rebate rate of 1.4% on all purchases, with no monthly or annual cap. Rebates are issued quarterly and based on the previous year's actual sales volumes. At year end, an adjusting cheque or invoice is issued to NRC based on the actual spending that occurred during the year. The increased use of acquisition cards in the interim operating environment has resulted in an incremental cash back rebate of $90K (Figure 3).
Long description for figure 3.
Temporary Quarantine of Financial Systems
The cyber-intrusion resulted in the temporary shutdown of NRC's enterprise financial management system (SAP), as well as, in the case of acquisition cards, the financial dashboard, an NRC developed application used to reconcile acquisition card transactions and charge them to their relevant project, internal order, or cost center (for the consolidate 095 cards used in portfolios). Beginning on October 2014, key users were provided access to the financial system through an isolated secure network. Subsequently in December 2014, the financial dashboard was re-activated in NRC's "black" operational zone (temporarily compromised but isolated network) with the same functionalities and interface as pre-cyber intrusion. An element of the interim operating environment was the requirement to transfer information between the two networks and the use of work-around processes.
1.2 About the Audit
The objective of the audit was to provide just-in-time independent assurance to NRC Senior Management that controls remained effective in the Interim Operating Environment (IOE) and to allow NRC to make necessary corrections before fiscal year-end.
The audit scope was defined using a risk-based approach. The audit focused on transactions that occurred during the period of July 29, 2014 to January 31, 2015 (i.e. 13,414 transactions for a total value of $9,040K).
Risk and control areas that the audit examined included expenditure initiation authority, performance certification, financial coding, and policy and directive compliance, use of acquisition cards for personal benefit and possible risk of loss to the Crown or fraud. The risk assessment excluded the following elements from audit scope: issuance and cancellation of credit cards, contract splitting, and application of National Mandatory Standing Offers (NMSO), contract security verification process, and accounts payable verification activities (Section 33 of the Financial Administration Act).
Approach and Methodology
The audit was conducted in accordance with generally accepted professional auditing standards of the Institute of Internal Auditors (the IIA) and the standards and requirements set out in the Treasury Board Policy on Internal Audit. The audit criteria, presented in Appendix A, were primarily derived from the TBS Directive on Acquisition Cards, NRC Directive on Acquisition Cards, NRC Policy on Expenditure Initiation and Commitment Accounting, and NRC Expenditure Initiation Decision Tree. Criteria were discussed with audit management in advance of the audit.
The audit addressed the audit criteria as they existed at the time of examination. A targeted sample of 39 transactions was selected and further analysis of 15 transactions identified through data mining was undertaken to test for adequate management of fraud risk. The audit methodologies were selected to ensure that the root cause of findings was identified. Methodologies are detailed in Table 2 below.
Table 2: Overview of Audit Methodologies
- Reviewing Acquisition Card documentation such as interim operating environment framework documents, policies, guidelines, and process maps.
- Interviews with key NRC and BMO staff
- Reviewing a sample of acquisition card transactions and related supporting documentation.
- Leveraging the BMODetails Online web portal for live transaction monitoring and access to population data for use in data analytics.
2.0 Audit Findings
Overall, we found that the interim operating processes were sufficient to demonstrate control and due diligence over purchases through acquisition cards in compliance with Government of Canada standards. Interim processes remained overall effective in management of the risk that acquisition cards are used for unauthorized, disallowed purchases, or for personal benefit.
While we noted minor issues in relation to use of acquisition cards while on travel status (one employee) and shared credit card authorization process (one employee), they did not materially impact the overall conclusion of the audit.
In support of our conclusion we noted compliance for the following:
- FAA section 32, expenditure initiation ‑ 100%
- FAA Section 34 performance certification approval ‑ 100%
- Appropriate financial coding ‑ 87%
- Compliance with allowed expenditures under the TBS Directive and NRC Policy – 95%
- All appropriate documentation was kept in order and available upon request
Continued efforts to implement a secure network with e-training capabilities and the introduction of new delegated authority management tools are expected to provide increased capacity for the growth of the acquisition card program within NRC.
Expenditure Initiation (FAA, Section 32)
NRC procedures for acquisition card transactions are designed to ensure compliance with Section 32 of the Financial Administration. Modifications are included to consider the type of credit card process used (consolidated 095 portfolio cards vs consolidated 41 cards used by ASPM procurement officers), whether expenses are initiated by cardholders with delegated financial signing authorities, as well as provisions for low-dollar value transactions (i.e. under $5,000).
The audit noted 100% compliance for FAA Section 32 expense initiation authorization. Twenty-nine of 39 transactions were pre-approved in writing in advance in accordance with NRC's documented processes. For 21 of 39 transactions NRC processes allow reliance to be placed on performance certification after the transaction is completed and not necessarily require that a complete pre-authorization be performed (Section 32). We observed that cardholders are not always clear as to the correct pre-authorization procedures to apply and the necessary documentation to prepare and tend to err on the cautious side.
According to Section 6.2 of TBS Policy on Account Verification, individuals who have been delegated authority for performance certification are responsible for confirming and certifying the goods have been supplied, or the services have been rendered. We noted very high compliance rate of 100% for post transaction performance certification.
Two minor issues were noted about legitimate purchases that did not result in any loss to the Crown. In one case, a cardholder used the acquisition card while on travel status for NRC business rather than a travel card and subsequently, appropriately deducted the expenses from his travel reimbursement. In another case, an employee who is not the credit card holder authenticated the expenditure transaction with the vendor when receiving the purchased good. Both cases have been subjected to the administrative procedures of NRC Finance Branch.
External Fraudulent activities
BMO applies specialized monitoring tools to flag possible compromise of the NRC acquisition cards. Three of the transactions identified by this audit through data mining and trend analysis approaches were found to be the result of external to NRC fraud and were reversed by BMO in all cases (100%). We also noted one instance where the cardholder notified BMO that their card was compromised as required by 6.4.12 of TBS Directive on Acquisition Cards.
We found coding to be adequate with the majority of acquisition card transactions being coded to the correct expense accounts. An opportunity to improve the functionality of the financial dashboard to improve coding accuracy exists. We noted few instances where cardholders coded their transactions in batch automatically applying the codes from the last processed transaction. Area for improvement includes coding office supplies, lab supplies, equipment and IT purchases. The results of the audit concluded that there is the ability to improve the financial coding as 13% (5/39) of the legitimate transactions could have been coded more accurately to reflect their true economic substance.
Appendix A: Audit Criteria
- Transactions are pre-approved by budget holder as per their delegated financial signing authority in accordance with NRC policies for acquisition card use
- Expenditures have had their performance certification completed by an individual who has appropriate delegate financial signing authority and the performance certification has been completed by an individual other than the cardholder
- Appropriate documentation is kept in order and available upon request
- Acquisition card transactions are appropriately coded in the financial system
- The expenditure is allowed under the TBS Directive on Acquisition Cards as well as NRC's Policy on Acquisition Cards
- No maintenance of fleet vehicles
- No travel related expenses (pre-conference registration is allowed but never while in travel status)
- No purchase between government departments
- No temporary help services
- No evidence that the card was used by anyone other than the cardholder
- Transaction is not for personal benefit
- Transaction with not a withdrawal of cash or cash equivalent
- No hospitality expenses