Audit of the Purchasing, payables and payments process

Help on accessing alternative formats, such as Portable Document Format (PDF), Microsoft Word and PowerPoint (PPT) files, can be obtained in the alternate format help section.

Final Audit Report
March 2012

Management response and action plan

Table of contents

• Executive summary
• 1. Introduction
  • 1.1 Background
  • 1.2 Audit objective
  • 1.3 Scope and approach
  • 1.4 Statement of assurance
• 2. Findings, recommendations and management responses
  • 2.1 Design of internal controls
    • 2.1.1 Compliance with laws, policies and authorities
    • 2.1.2 Consistency of key controls across the Department
    
    
  • 2.2 Operating effectiveness of key controls
    • 2.2.1 Purchase processing
    • 2.2.2 Payable processing
    • 2.2.3 Payment processing
• 3. Conclusion
• Appendix A - Lines of enquiry and audit criteria
• Appendix B - Scorecard
• Appendix C - Health Canada's Internal control over financial reporting framework
• Appendix D - Health Canada's Purchasing, payable and payments process
• Appendix E - Operating and maintenance and capital expenses

Executive summary

This audit focuses on the Purchasing, Payables and Payments Process at Health Canada. It covers approximately $378.5 million in payments for goods and services acquired in 2010-11. The audit period was from April 2010 to June 2011, and included purchases made in the National Capital Region and the eight regional offices.

This audit was incorporated in the Multi-Year Risk-Based Audit Plan for 2009-12 to complement a series of previous audits aimed at understanding and assessing specific business processes as part of Health Canada's Internal Control Over Financial Reporting Framework (see Appendix C) and in support of the departmental financial statements.

The objective of the audit was to determine whether the key controls over Health Canada's Purchasing, Payables and Payments Process are adequately designed and operating effectively to ensure that the Department complies with the Financial Administration Act (FAA) and key policies issued by the Treasury Board of Canada (TB).

The audit was conducted in accordance with the TB Policy on Internal Audit and the International Standards for the Professional Practices of Internal Auditing. Sufficient and appropriate procedures were performed and evidence gathered to support the audit conclusion.

The Department is responsible for establishing its own internal controls and respecting the Government of Canada's framework governing purchasing activities. Purchasing, payable and payment activities are the responsibility of the Chief Financial Officer Branch (CFOB) and the Regions and Programs Branch (RAPB) which is responsible for regional operations. The Materiel and Assets Management Directorate (MAMD) provides direction for purchasing goods and services, while cost centre managers are responsible for determining their procurement needs.

The audit concluded that Health Canada's key controls over the Purchasing, Payables and Payments Process were:

• adequately designed to ensure compliance with applicable acts, regulations and departmental policies and procedures, and are consistent across the Department. However, areas noted for improvement included:
  • the alignment of the system used for contract review and approval with the revised contract review and approval process; and
  • the revision of the internal control monitoring strategy based on a fulsome risk assessment, including the extent and timing of testing for the Purchasing, Payables and Payments Process.
• operating effectively with an appropriate segregation of duties (application of sections 32, 33 and 34 of the FAA by authorized financial officers; presence of supporting documentation in hard copy; and accuracy of amounts and financial coding). Areas for improvement noted included:
  • using purchase requisitions where required, and putting in place written contracts for the procurement of all mental health services;
  • entering complete and accurate documents and information in the Department's Contract Requisition and Reporting System (CRRS) in a timely manner; and
  • using the confirming orders properly, and the review and approval of purchase requisitions and contract amendments by the appropriate member of the Contract and Requisition Control Committee (CRCC).

The scorecard presented in Appendix B provides details on the conclusion as per the audit criteria and region.

The report includes five recommendations to address areas where improvements are required. Management agrees with the recommendations and its response indicates its commitment to take action.

1. Introduction

1.1 Background

The Government of Canada governs purchasing activities through a framework of legislation and policies, including the Financial Administration Act (FAA), Government Contracts Regulations, and the Treasury Board (TB) Contracting Policy. This framework provides direction to ensure that purchasing activities provide value for money and demonstrate sound stewardship in program delivery.

In January 2011, as part of its Common Financial Management Business Process Initiative, the Office of the Comptroller General issued the draft Guideline on the Common Management Business Process for Managed Procure to Payment that defines the common financial business process from planning for purchases to final payments. This document serves as a framework for the current audit and separates the purchase to payment process into six sub-processes (see Appendix D), as described below:

Purchase processing

• Manage requirements: defining the requirements, determining the corresponding expenditure initiation authority and preparing the requisition for goods and services.
• Control commitments: ensuring that sufficient unencumbered funds are available as well as creating and updating commitments prior to entering/amending a contract.
• Manage contracts: creating and/or amending a contract, and determining and exercising the appropriate transaction authority, as per Section 32 of the FAA.

Payable processing

• Administer contract and deliverables: monitoring the contract, the receipt and acceptance of deliverables (includes a portion of the account verification in support of Section 34 of the FAA), monitoring the financial performance, and resolving vendor issues.
• Manage payables: processing invoices, completing the account verification, and providing certification authority pursuant to Section 34 of the FAA.

Payment processing

• Manage payments: performing quality assurance activities where applicable, certifying payments as per Section 33 of the FAA, completing and submitting payment requisitions, and finalizing payments.

At Health Canada, the purchase of goods and services is an intricate process involving many stakeholders, and has an impact on all aspects of the Department's operations. Responsibilities for the purchasing and payment of goods and services are shared between the following parties:

• Materiel and Assets Management Directorate (MAMD) and the Contract Requisition Control Committees (CRCC), for providing functional direction over purchasing activities. The former is part of the Chief Financial Officer Branch (CFOB) and the latter is a shared responsibility of CFOB and the Regions and Programs Branch (RAPB).
• Cost centre managers, for defining their procurement needs and managing contracts.
• Accounting offices, for payment processing under the shared direction of CFOB and RAPB.

This audit was incorporated in the Multi-Year Risk-Based Audit Plan for 2009-12 to complement a series of previous audits aimed at understanding and assessing specific business processes as part of Health Canada's Internal Control Over Financial Reporting Framework (see Appendix C) and in support of the departmental financial statements.

1.2 Audit objective

The audit objective was to determine whether the key controls over Health Canada's Purchasing, Payables and Payments Process are effective to ensure that the Department complies with the FAA and the key policies issued by the Treasury Board of Canada.

1.3 Scope and approach

The audit examined Health Canada's Purchasing, Payables and Payments Process for fiscal year 2010-11. Expenses subject to this audit represented approximately $378.5 million or 27% of the total operating, maintenance and capital expenses for the Department. An overview of the expense categories is presented in Appendix E.

The controls dealing with system access, as well as value for money and efficiency of the purchasing to payment process were not part of the scope of this audit. Also excluded was the process for defining requirements, a function of the purchase processing mentioned in the section above.

This audit had two lines of enquiry. The first was determining whether the key controls for the Purchasing, Payables and Payments Process are adequately designed, and the second was assessing their operating effectiveness. Corresponding audit criteria are presented in Appendix A and have been vetted with management.

Under the first line of enquiry, the audit methodology was comprised of interviews with Health Canada employees, documentation review (for example, departmental policies and procedures, relevant documentation in support of purchasing activities and financial transactions), and the observation of the key processes and controls. Health Canada's policies and procedures were assessed to determine whether they complied with legislative and policy requirements of the Government of Canada.

As for the second line of enquiry, audit evidence was obtained through transaction testing. An initial random sample of 45 transactions that were recorded from April 1, 2010 to June 30, 2011 was selected across the Department for purchases both over and under $10,000 (as $10,000 is the amount that is the threshold for the CRCC review). This sample was selected based on the significance of payments recorded in each region. Where results indicated that controls were not working as designed, the sample size was increased to confirm the identified issues at the regional level. The total sample included 125 transactions, with the following regional breakdown:

Transaction testing - sample size by region

NCR	Atlantic	Quebec	Ontario	Manitoba	Sask.	Alberta	B.C.	Northern	Total
15	12	17	17	17	17	15	14	1	125

The audit work was conducted between August and December 2011.

1.4 Statement of assurance

In the professional judgment of the Chief Audit Executive, sufficient and appropriate procedures were performed and evidence gathered to support the accuracy of the audit conclusion. The audit findings and conclusion are based on a comparison of the conditions that existed as of the date of the audit, against established criteria that were agreed upon with management. Further, the evidence was gathered in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing.

2. Findings, recommendations and management responses

2.1 Design of internal controls

2.1.1 Compliance with laws, policies and authorities

Audit criterion: Key controls over the Purchasing, Payables and Payments Process are adequately designed to ensure compliance with applicable acts and regulations and government and departmental policies and procedures.

Key controls over the Purchasing, Payables and Payments Process are designed to ensure compliance with legislative and policy requirements, which include:

• the Financial Administration Act (FAA);
• the Treasury Board (TB) Contracting Policy;
• the Government Contracts Regulations;
• the TB Directive on Payment Requisitioning and Cheque Control; and
• the TB Directive on Delegation of Financial Authorities for Disbursements.

The key requirements of the FAA include:

• FAA Section 32 (commitment authority) which is the authority to set aside money within a budget towards a given expenditure.
• FAA Section 34 (spending authority) which is the certification that goods have been received, services rendered and that the invoice is free of errors, the price charged is according to the contract terms and conditions, and that the payee is eligible and entitled to the payment.
• FAA Section 33 (payment authority) which prescribes that every requisition for payment must be accompanied by documents and that there is a lawful charge against an appropriation.

Health Canada's management framework includes the Delegation of Financial Signing Authorities document, the Account Verification Policy, the Contracting Guide for Cost Centre Managers and Administrators, and the Guide to Procurement and Contracting. These documents were assessed to verify compliance with legislative and policy requirements of the Government of Canada. It was determined that Health Canada's policies and procedures complied with the key requirements found in TB policies and the FAA.

Contract and Requisition Control Committee review and approval of contracts

Health Canada's CRCCs form the foundation of the Department's contracting review and approval process. These committees are comprised of a procurement officer and a senior finance officer, and subject matter experts when necessary. Given that procurement and financial operations at Health Canada are decentralised, each branch and region has its own review committee. A senior procurement officer from the Procurement and Contracting Division (one per branch in the National Capital Region) or a regional senior financial officer (in each of the eight regions) chairs each committee. Under the direction of MAMD, within CFOB, these committees are responsible for:

• drafting and approving all proposed contract documents for requirements of $10,000 and higher, including determining the appropriate procurement strategy such as the use of a standing offer, request for proposals, or procurement through Public Works and Government Services Canada (PWGSC);
• reviewing contract amendments, regardless of the value;
• ensuring that all contractual documents are in accordance with the Government Contracts Regulations; relevant TB, PWGSC and Health Canada policies; departmental delegation of financial authorities and that mandatory procurement vehicles (standing offers and supply arrangements) are used;
• ensuring that all contract documentation and coding are complete;
• ensuring that procurement records are retained and disposed of in accordance with departmental policy; and
• ensuring that all contract documents are stored in the Contract Requisition and Reporting System (CRRS).

In 2010, the contract review and approval process was re-engineered to ensure greater compliance with government contracting policies. The main change was to involve the CRCCs earlier in the procurement process. More specifically, the responsibility for determining the appropriate procurement strategy and drafting the request for proposal has been transferred from the cost centre managers to the CRCCs. At the time of this audit, this re-engineering exercise had been implemented in the National Capital Region as well as in three regions. The other regions are expected to follow suit shortly.

The audit work consisted of examining departmental contracting flowcharts and internal control matrices that were prepared and maintained by the Internal Control Division (ICD) within CFOB. Walkthroughs were conducted with procurement officers and chairs of the CRCC to observe how and when they conduct their review and approval.

Contract Requisition and Reporting System

The CRCCs' review and approval functions are performed directly in the Contract Requisition and Reporting System (CRRS), which is Health Canada's contracting database and procurement management and approval system. This tool has three main functions:

• a workflow control mechanism, involving automated notifications to ensure review and approval before contracts are awarded;
• a central electronic repository that is accessible by authorized users; and
• a management reporting system.

To be effective, the workflow and automated notifications in the CRRS must mirror the contract review and approval process, so that the appropriate individual is notified at the right time and has the documents required to conduct the review. However, the system has not yet been modified to reflect the re-engineered process. As mentioned previously, the re-engineered process involves the CRCCs earlier on to allow its members to determine the appropriate procurement strategy, based on the statements of work provided by cost centre managers. Currently, the process that directs cost centre managers to provide the required documentation to committee members is not automated in the CRRS. As a result, CRCC members must intervene manually to request the statement of work. This may lead to human error and the circumvention of the CRCC review.

As part of the Department's Application Reduction Initiative, a study published in spring 2011 reported that vendor support is no longer available for the CRRS, and also suggested that its functionalities could be replaced by SAP, the departmental financial system. This proposed replacement is still under review.

Recommendation 1

It is recommended that the Chief Financial Officer ensure that the workflow and automated notifications of the system supporting the work of contract and requisition control committees is aligned with the underlying review process.

Management response

Account verification under Section 34 of the Financial Administration Act (FAA)

Certification under FAA Section 34 requires an account verification of all expenditures processed at Health Canada. Individuals who have been delegated financial authority, namely cost centre managers, must confirm and certify the following: the goods were supplied or the services were rendered; the payee is entitled to the payment; and the contract or agreement terms and conditions have been met including price, quantity and quality. Also, they are to ensure the following: that the payee information is accurate and complete; that the financial coding has been provided and is accurate and complete; and that all relevant statutes, regulations, orders in council, policies and directives and other legal obligations have been complied with.

A review of Health Canada's Account Verification Policy and Account Verification Procedures documents indicates that the requirements and procedures regarding the FAA Section 34 certification and verification have been clearly defined and are consistent with the TB Directive on Account Verification.

Financial Administration Act (FAA) Section 33 quality assurance over account verification

FAA Section 33 quality assurance consists of the review and assessment of the adequacy of the account verification undertaken prior to exercising payment authority pursuant to Section 33 of the FAA.

Financial officers who have delegated payment authority pursuant to FAA Section 33 are responsible for ensuring that^{Footnote 1}:

• there is auditable evidence demonstrating that account verification has taken place and has been certified by an individual with delegated financial signing authority pursuant to Section 34 of the FAA; and
• no payment is made when the payment:
  • is not a lawful charge against the appropriation;
  • will result in an expenditure exceeding the appropriation; or
  • will result in an insufficient balance in the appropriation to meet the commitments charged against it.

In addition to FAA Section 32, 33 and 34 authorization, Health Canada has in place a risk-based quality assurance process over FAA Section 34 account verification. Under this quality assurance process, low risk transactions are reviewed prior to payment to verify the appropriateness of financial coding, the vendor information, and the authority of the individual certifying under FAA Section 34. High risk transactions are subject to additional review prior to payment. This entails ensuring that: the required supporting documentation has been provided by the Cost Centre Manager with proper expenditure initiation authority; the contract has been approved in the CRRS; and the payment is in accordance with the contract terms.

Annual Contract Verification Exercise

Health Canada's Annual Contract Verification Exercise has been conducted by MAMD, within CFOB since 2009. MAMD monitors compliance with federal government contracting policies and regulations, assesses the integrity of the procurement process; determines the reliability of information for reporting and monitoring purposes; and assesses the effectiveness of internal controls.

The scope of the 2011 exercise encompassed a review of 248 service contracts that were awarded between May 15, 2010 and May 15, 2011. The review was performed in summer 2011 and it covered the following areas:

• completeness of files in the CRRS;
• comparison of start date of work with the CRCC's approval;
• perception of contract splitting;
• government-retained intellectual property;
• Federal Contractors Program for employment equity;
• use of mandatory standing offers or supply arrangements; and
• use of sole sourcing and competitive process.

The auditors reviewed the draft report issued in December 2011 and noted numerous strengths in both its scope and approach, and the reporting of results. In terms of scope and approach, the 2011 review had a significant increase in the number of transactions reviewed in comparison to the 2010 review. This allowed for the testing of additional transactions with a value below $10,000 and increased regional coverage. In regards to reporting, audit results are clearly presented by area covered, with total errors noted, including a comparison with the 2010 results. Furthermore, recommendations are made for all areas where significant error rates were noted. Once finalized, the report's findings are to be presented to senior management. In response to the recommendations, MAMD has developed action plans with associated responsibilities and timelines to ensure that progress is being tracked.

Internal Control Division's monitoring activities

CFOB's Internal Control Division (ICD) is responsible for overseeing the design and maintenance of an effective and integrated system of internal controls over financial reporting for all major business processes (including the Purchasing, Payables and Payments Process). In doing so, the Division supports the TB Policy on Internal Control, which requires that the Deputy Minister and the Chief Financial Officer sign an annual departmental Statement of Management Responsibility Including Internal Control Over Financial Reporting. This attestation acknowledges the responsibility of management for monitoring and ensuring compliance with this policy within their organizations, as well as for responding to cases of non-compliance in accordance to TB instruments.

Under ICD's lead, Health Canada's Internal Control Over Financial Reporting Framework was developed. An overview of this framework is provided in Appendix C.

It includes:

• process flowcharts for key business processes for all regions, such as grants and contributions, payroll, and purchasing;
• control matrices for the key business processes (these matrices identify the risks within each business process and control activities to mitigate against these risks); and
• a strategy for updating the process flowcharts and control matrices, and for the testing of operating effectiveness of the controls.

As part of the ICD monitoring strategy, a plan was developed in 2009 to test the operating effectiveness of internal controls for all business processes. As per this plan, a decision was made to test the Purchasing, Payables and Payments Process in 2010-11 and 2011-12. However, this decision was not based on a fulsome assessment of the risks associated with business processes and underlying controls. As a result, all key business processes within the regions were to be tested over a three-year period ending in fiscal year 2011-12, without giving priority to higher areas of risk. Risk-based planning is particularly important given the amount of time invested.

At the time of the audit, ICD was in the process of revalidating the flowcharts and control matrices for the Purchasing, Payables, and Payments Process with all regions. Additionally, CFOB was conducting a review of the Department's Strategy for Internal Control Over Financial Reporting. The review aims to identify areas requiring more attention and is to be used to develop a revised monitoring strategy, including ongoing testing of operating effectiveness. In addition to supporting the statement of management responsibility, these tests will provide valuable information to ensure that internal controls remain reliable over time.

Recommendation 2

It is recommended that the Chief Financial Officer ensure that the revised monitoring strategy is based on a fulsome risk assessment and includes the extent and timing of ongoing testing for the Purchasing, Payables and Payments Process.

Management response

Overall, except for the above, the key controls over the Purchasing, Payables and Payments Process are adequately designed to ensure compliance with applicable acts and regulations and government and departmental policies and procedures.

2.1.2 Consistency of key controls across the Department

Audit criterion: Key controls over the Purchasing, Payables and Payments Process are consistent across the Department.

The consistency of key controls across the Department increases the reliability, effectiveness, and efficiency of operating transactions. It ensures that the recording of transactions conforms to applicable policies, directives and standards, and is carried out in accordance with delegated authorities. Furthermore, from a corporate viewpoint, it facilitates the review of the effectiveness of controls and the provision of oversight and guidance. In short, consistency contributes to strengthening internal controls across the Department.

The key controls for the Purchasing, Payables and Payments Process, as outlined in the previous section, were assessed for consistency between the National Capital Region and the eight other regions. Audit tests on sampled transactions, which are the subject of the next section of this report, were designed around the key controls that were identified.

In conclusion, the key controls over the purchasing, payables and payments are consistent across the Department.

2.2 Operating effectiveness of key controls

2.2.1 Purchase processing

Audit criterion: Contracts and amendments are reviewed for compliance with purchasing policies and appropriate records are maintained in accordance with policies.

The Office of the Comptroller General's draft Guideline on the Common Management Business Process for Managed Procure to Payment outlines a process that begins with the planning of a requirement by a Cost Centre Manager. This is followed by the commitment of funds; the identification of the appropriate procurement strategy (whether the purchase is within the Department's delegated authority, if a mandatory standing offer exists, etc.); and the award of a contract to purchase goods or services.

To test the operating effectiveness of the key controls, the auditors examined a sample of 45 randomly selected transactions. As mentioned in the scope and approach section of this report, the sample was expanded wherever necessary to verify identified issues.

Expenditure initiation and commitment management

The creation of the commitment is one of the first steps in the purchasing process. Section 32 of the FAA requires that sufficient unencumbered funds be available before entering into a contract or providing payment. In addition, it is important to de-commit the excess funds in a timely manner after the contract expiry to ensure that it can be used towards other departmental priorities.

Testing provided evidence that the commitments were correctly entered. In all cases, authorizations were performed by a Cost Centre Manager with appropriate delegated financial signing authority and, where applicable, excess funds were de-committed on a timely basis. Furthermore, procurement vehicles such as call-ups against a standing offer or short form contracts were correctly utilized and purchase orders such as the creation of a formal commitment in SAP were properly created. However, an exception was noted and is mentioned below.

As per departmental guidelines, cost centre managers must ensure that a commitment is created in SAP at the beginning of the procurement process. The general way to do that is by entering a purchase requisition in SAP as this routes the transaction through the CRRS and triggers the CRCC's review. Exceptions to this general rule include purchases made with acquisition cards and petty cash, and legal services acquired from Justice Canada.

Audit tests revealed that in some cases, a purchase requisition was not used when applicable (outside of the above-mentioned exceptions). Further analysis of all payments posted into SAP in fiscal year 2010-11 showed that approximately $1 million in payments greater than $10,000 (the threshold for CRCC reviews) was made without purchase requisitions.

The most significant proportion of payments without purchase requisitions was for mental health services acquired under the First Nations and Inuit Health Branch's Indian Residential School Resolution Health Support Program (IRS). In general, these services are covered under the Non-Insured Health Benefits (NIHB) Program, which means that the Department makes payments to service providers who are engaged by clients. In such cases, the contract is between clients and service providers. However, in contrary to the NIHB Program, the IRS services are engaged by Health Canada. Thus, a written contract must be issued prior to obtaining these services to comply with the FAA Section 32 and to clearly establish the rights and responsibilities of both the Department and the service providers.

Other examples of payments made without purchase requisitions outside of allowed exceptions included nursing services and management consulting services. As mentioned earlier, not having a purchase requisition means that the CRCC review is not completed, which is a key control in ensuring compliance with applicable laws, regulations and policies.

Recommendation 3

It is recommended that the Chief Financial Officer, in collaboration with the assistant deputy ministers of the First Nations and Inuit Health Branch and the Regions and Programs Branch, ensure that:

• purchase requisitions are used when applicable; and
• written contracts are put in place for the procurement of mental health services not covered under the Non-Insured Health Benefits Program.

Management response

Selection of suppliers and contract award

Appropriate supporting documentation is necessary to provide assurance that contracting activities are open, fair, and transparent. To ensure this, the documents required, include:

• a statement of work (for services) or a statement of requirements (for goods);
• a contract evaluation form to document the assessment of the bids received;
• a sole source justification form to ensure that a rationale is provided for the use of a non-competitive process is appropriate (where applicable);
• a signed copy of the contract to ensure that it was authorized by an individual with appropriate delegated financial authority and that all parties have agreed to the terms and conditions of the contract; and
• a contract amendment checklist to ensure that changes to the contract are justified.

In the samples selected, the auditors examined files for evidence that the above-noted documentation was prepared, where applicable; verified that contracts were approved prior to goods or services being ordered; that documentation was available through the CRRS where required; and that the status of contracts had been updated in the CRRS.

Cost centre managers are responsible for uploading the contracting documentation in the CRRS; in turn, one of the CRCCs' responsibilities is to ensure that this is done. The information contained in the CRRS is used to meet archival regulations, proactive disclosure and reporting requirements, and support the CRCC's review process. Furthermore, the integrity and accuracy of the contracting information in the CRRS is vital to effectively support the CRCC's review process to reduce reliance on the use of hard copies, and to ensure that management reports on contracting activities are accurate.

From the sample, 114^{Footnote 2} out of 125 transactions reviewed were associated with a contract, such as a purchase order or a call-up against a standing offer. The auditors found that statements of work and other supporting documentation were prepared and processed in accordance with departmental policies and delegated authorities. However, the following issues were noted for the 114 contracts:

• In 50 instances (NCR: 3; Atlantic: 3; Québec: 15; Ontario: 1; Manitoba: 14; Saskatchewan: 6; Alberta: 6; and British Columbia: 2), either certain or all the supporting documentation was not available in the CRRS (although available in hard copy).
• In 42 instances (NCR: 4; Atlantic: 2; Québec: 11; Manitoba: 11; Saskatchewan: 3; Alberta: 9; and British Columbia: 2), the contract status as per the CRRS was inaccurate because it was not updated after each step in the procurement process.

Similar observations have been reported in MAMD's Annual Contract Verification Exercise since 2009. Adequate use of the CRRS allows for more effective reporting and decision making when the information it contains is accurate and complete.

Recommendation 4

It is recommended that the Chief Financial Officer, in collaboration with the Assistant Deputy Minister of the Regions and Programs Branch, ensure that complete and accurate documents and information are entered in the Department's Contract Requisition and Reporting System.

Management response

In addition, out of 114 samples, the CRCC control did not function as expected in the instances described below:

• In two instances (in Manitoba and Saskatchewan), goods with a value exceeding $10,000 (out of 27 transactions tested within this category) were received in full before the corresponding contract was approved by the CRCC. This is only allowed if a confirming order has been prepared, with a proper justification provided by the Cost Centre Manager and signed-off by Legal Services. Instead of a confirming order, a call-up against a standing offer was used and goods were purchased prior to the CRCC's approval. This is not consistent with Health Canada's purchasing policies and procedures. As for services, tests showed that all contracts were approved prior to the start of work.
• In twelve instances (Atlantic: 1; Ontario: 5; Manitoba: 5; and Saskatchewan: 1) out of 45 purchase requisitions greater than $25,000, approval by the CRCC Chair was required but was performed by a procurement officer. This is not consistent with departmental guidelines stating that the CRCC Chair is responsible for approving purchase requisitions greater than $25,000.
• In five instances (Atlantic: 1; Quebec: 2; Manitoba: 1; and Saskatchewan: 1) out of 36 contract amendments, the CRCC did not review and approve the amended contracts. This is not consistent with Health Canada's policy on the CRCCs' responsibilities. When a contract is amended, the CRCC is responsible for reviewing and approving all amendments, regardless of the dollar value.

One role of the CRCCs is to monitor contracting activities in order to prevent errors. The risk of errors or non-compliance with TB policies or the Health Canada contracting process increases if the CRCCs do not operate as designed.

Recommendation 5

It is recommended that the Chief Financial Officer, in collaboration with the Assistant Deputy Minister of the Regions and Programs Branch, ensure:

• that the confirming orders are used appropriately for the acquisition of goods and services in the absence of a contract; and
• that the requisitions and amendments are approved by the appropriate member of the Contract and Requisition Control Committee.

Management response

In conclusion, except for the observations noted above, contracts and amendments are reviewed for compliance with purchasing policies and appropriate records are maintained in accordance with policies.

2.2.2 Payable processing

Audit criterion: Appropriate review is performed to ensure the validity and accuracy of invoices.

The payable process consists of the activities performed by the Cost Centre Manager and/or delegate to ensure that invoices are valid and accurate. In accordance with FAA Section 34, the Cost Centre Manager with the delegated authority is required to certify that:

• the work has been performed, the goods supplied or the services rendered;
• the payee is entitled to or eligible for the payment;
• relevant contract or agreement terms and conditions have been met including price, quantity and quality; and
• where a payment is made before the completion of work, the delivery of goods or the rendering of services, that such advance payment is required by the contractual terms of the contact.

Test results show that there is evidence of the verification of goods received or service rendered. In addition, the auditors found that individuals certifying under FAA Section 34 had the delegated financial signing authority for their cost centre and were acting within the dollar limits. In addition, the financial coding was correct.

Thus, the audit concluded that an appropriate review is performed to ensure the validity and the accuracy of invoices.

2.2.3 Payment processing

Audit criterion: Payment requisitions are processed in accordance with the established policies.

The authority to request payments in accordance with Section 33 of the FAA is referred to as payment authority. The FAA Section 33 payment authorization performed by financial officers is a key control to ensure the accuracy and legality of transactions. Pursuant to this section of the FAA, a financial officer with delegated responsibility for payment authority is responsible to ensure that:

• FAA Section 34 was properly exercised by validating that the Section 34 signatory had a valid delegated authority to authorize the expense and that there is auditable evidence that the quality assurance over the adequacy of the Section 34 account verification has taken place; and
• expenditures are a lawful charge against the appropriation.

Tests on the application of FAA Section 33 are essential to ensure that an adequate process is in place to verify accounts under FAA Section 34 and the process is being properly and conscientiously followed.

Audit results indicated that all payments were properly certified under FAA Section 33 by authorized financial officers, and that proper segregation of duties existed between invoice entry and payment certification under FAA Section 33, as well as between sections 34 and 33. It also indicated that adequate supporting documentation was provided.

It was determined that interest was applied correctly on late payments as per the TB Directive on Payment Requisitioning and Cheque Control which states that interest are only to be paid on payments made later than the due date (which is usually 30 days after the receipt of the invoice).

In conclusion, payment requisitions are processed in accordance with established policies.

3. Conclusion

The Purchasing, Payables, and Payments Process is governed by an integrated framework of legislation and policies. To ensure compliance to complex policies, acts and regulations, controls need to be adequately designed and must operate effectively.

The audit concludes that Health Canada's key controls over the Purchasing, Payables and Payments Process are:

• adequately designed to ensure compliance with applicable acts, regulations and departmental policies and procedures, and are consistent across the Department. However, areas noted for improvement included:
  • the alignment of the system used for contract review and approval with the revised contract review and approval process; and
  • the revision of the internal control monitoring strategy based on a fulsome risk assessment, including the extent and timing of testing for the Purchasing, Payables and Payments Process.
• operating effectively with appropriate segregation of duties (application of sections 32, 33 and 34 of the FAA by authorized officers; presence of supporting documentation in hard copy; and accuracy of amounts and financial coding). Areas for improvement that have been noted include:
  • using purchase requisitions where required, and putting in place written contracts for the procurement of all mental health services;
  • entering complete and accurate documents and information in the Department's CRRS in a timely manner; and
  • using the confirming orders properly, and the review and approval of requisitions and amendments by the appropriate member of the CRCC.

The scorecard presented in Appendix B provides details on the conclusion as per audit criteria and region.

Appendix A - Lines of enquiry and audit criteria

Audit of the Purchasing, payables and payments process
Audit criteria description

Criteria Title	Audit Criteria
Line of enquiry 1: Internal controls over purchasing, payables and payments are adequately designed.
1.1 Compliance with laws, policies and authorities	Key controls over the Purchasing, Payables and Payments Process are adequately designed to ensure compliance with applicable acts and regulations and government and departmental policies and procedures.
1.2 Consistency of key controls across the Department	Key controls over the Purchasing, Payables and Payments Process are consistent across the Department.
Line of enquiry 2: Internal controls over purchasing, payables and payments are operating effectively.
2.1 Purchase processing	Contracts and amendments are reviewed for compliance with purchasing policies and appropriate records are maintained in accordance with policies.
2.2 Payable processing	Appropriate review is performed to ensure the validity and accuracy of invoices.
2.3 Payment processing	Payment requisitions are processed in accordance with the established policies.

Appendix B - Scorecard

Audit of the Purchasing, payables and payments process

Criterion	Overall Rating	Conclusion	Rec.	Regional Rating
				NCR	Atl	QC	ON	MAN	SASK	ALB	BC	North
Adequate design
Compliance with laws, policies and authorities	NMiI	Subject to areas for improvement, key controls over the Purchasing, Payables and Payments Process are adequately designed to ensure compliance with applicable acts and regulations and government and departmental policies and procedures (Section 2.1.1).	1, 2	NMiI	NMiI	NMiI	NMiI	NMiI	NMiI	NMiI	NMiI	NMiI
Consistency of key controls	S	Key controls over the Purchasing, Payables and Payments Process are consistent across the Department (Section 2.1.2).		S	S	S	S	S	S	S	S	S
Effectiveness of internal controls
Purchase processing	MNoI	Except for areas for improvements, contracts and amendments are reviewed for compliance with purchasing policies and appropriate records are maintained in accordance with policies (Section 2.2.1).	3, 4, 5	NMiI	S	NMoI	S	NMoI	NMoI	NMoI	S	NAA
Payable processing	S	Appropriate review is performed to ensure the validity and accuracy of invoices (Section 2.2.2).	S	S	S	S	S	S	S	S	S	S
Payment processing	S	Payment requisitions are processed in accordance to the established policies (Section 2.2.3).	S	S	S	S	S	S	S	S	S	S

Legend:

S

- Satisfactory

NMiI

- Needs Minor Improvement

NMoI

- Needs Moderate Improvement

NI

- Needs Improvement

Un

- Unsatisfactory

NAA

- Not Applicable/Assessed

Appendix C - Health Canada's Internal control over financial reporting framework

Internal Control over Financial Reporting Framework (ICFR)

Appendix D - Health Canada's Purchasing, payable and payments process

Purchasing, payable and payments process

Appendix E - Operating and maintenance and capital expenses

Operating and maintenance and capital expenses
For fiscal year 2010-11

Expenses Category	Financial Statement Expenses $000)	Excluded Expenses ($000)	Note	Expenses in Audit Scope ($000)
Operating and maintenance (O&M) expenses
Source: Health Canada 2010-2011 departmental financial statements and departmental financial system, SAP Note 1: Non-Insured Health Benefits expenses have been excluded from the scope of this audit since they are subject to distinct procurement/payment processes. Note 2:  These expenses have been excluded from the audit scope as they are subject to distinct procurement/payment processes.
Professional and special services	493,309	293,208	1	200,101
Utilities, materials and supplies	481,571	417,022	1	64,549
Travel for non-insured heath patients	154,014	154,014	1	-
Accommodation	71,549	71,549	2	-
Travel and relocation	38,720	38,720	2	-
Purchase repair and maintenance	34,208	-		34,208
Amortization of tangible capital assets	29,940	29,940	2	-
Information	23,077	-		23,077
Communications	18,437	-		18,437
Rentals	4,132	-		4,132
Other	2,499	2,499	2	-
Bad debts	2,472	2,472	2	-
Total O&M expenses	1,353,928	1,009,424		344,504
Capital expenses (asset acquisitions)	33,960	-		33,960
Total O&M and capital expenses	1,387,888	1,009,424		378,464
Percentage of O&M and capital expenses in scope of the audit				27%