Final Audit Report - Audit of the Key Financial Controls - Year 2

October 2012

Management Response and Action Plan

Table of Contents

• Executive summary
• A - Introduction
  1. Background
  2. Audit objectives
  3. Scope and approach
  4. Statement of assurance
• B - Findings, recommendations and management responses
  1. Progress made on prior year's recommendations
  2. Common key financial controls
     • 2.1 Delegations of financial signing authorities
     • 2.2 Quality assurance process over FAA Section 34 certification
     • 2.3 FAA Section 33 certification
     • 2.4 Management review of expenditures and commitments
     • 2.5 Accrued liabilities at year-end
     • 2.6 System access and segregation of duties
  3. Specific key financial controls
     • 3.1 Grants and contribution agreements
     • 3.2 Salary and wage expenses
     • 3.3 Non-insured health benefits
     • 3.4 Purchase of goods and services
     • 3.5 Acquisition card purchases
     • 3.6 Drug submission and evaluation revenues
     • 3.7 Accounts receivable
     • 3.8 Capital assets
• C - Conclusion
• Appendix A - Lines of enquiry and audit criteria
• Appendix B - Scorecard
• Appendix C - Health Canada's Internal Control over Financial Reporting Framework
• Appendix D - Overview of progress made on prior year's recommendations

Executive summary

In preparation of a control-based audit of departmental financial statements, and in support of the Treasury Board of Canada's Policy on Internal Control, Health Canada's Deputy Minister and Chief Financial Officer (CFO) are required to sign an annual representation letter acknowledging their responsibilities for maintaining an effective system of internal control over financial reporting.

The objectives of this recurring audit, which was part of the departmental Risk-Based Audit Plan for 2012-15, were to provide reasonable assurance that Health Canada's internal controls over financial reporting are operating effectively to mitigate the risk of material misstatement in the Department's financial statements, and to follow-up on the progress achieved in implementing the prior year's audit recommendations. The audit focused on testing the controls that will help Health Canada meet its control objectives and address management's responsibility over the completeness, validity and accuracy of its financial reporting. Two categories of key financial controls were tested as part of the audit: common key controls and specific key controls. Common key controls are prevalent across the organization and/or affect the organization as a whole; for example, the quality assurance over account verification process. Specific key controls affect the Department's financial statements and originate from one specific area such as grants and contributions.

An overview of the effectiveness of key financial controls, and progress made on the prior year's recommendations, are presented in Appendix B and Appendix D respectively.

Sufficient and appropriate procedures were performed and evidence gathered to support the accuracy of the audit conclusion. Based on the audit results, it was concluded that Health Canada's internal controls over financial reporting were generally operating effectively in fiscal year 2011-12 to mitigate the risk of material misstatement. More specifically:

Common key controls

• Delegation of financial signing authorities - Controls over the accuracy and validity of the specimen signature card database are satisfactory.
• Quality assurance process over the Financial Administration Act (FAA) Section 34 certification - The quality assurance process is well designed. Minor improvements are needed to ensure operating effectiveness.
• FAA Section 33 certification - Certification of payments is satisfactorily performed.
• Management review of expenditures and commitments - Management reviews are satisfactorily performed.
• Accrued liabilities at year-end - Payables at year-end are reviewed and challenged by senior finance officers.
• System access and segregation of duties - Access to the departmental financial system and enforcement of segregation of duties requires improvement and monitoring activities need to be carried out on a regular basis.

Specific key controls

• Grants and contributions agreements - The reconciliations to the departmental financial system are conducted and efforts have been made to improve the close-out process. However, improvements are required to ensure that payment advances and holdbacks are consistent with risk tolerance strategies.
• Salary and wage expenses - Pay verification is adequately performed. However, monitoring activities need to be performed and results communicated to provide the CFO with assurance on the adequacy of account verification over the pay process.
• Non-insured health benefits (NIHB) - Controls over the accuracy and validity of NIHB claims are satisfactory.
• Purchase of goods and services - Controls are satisfactorily performed.
• Acquisition card purchases - Controls are satisfactorily performed.
• Drug submission and evaluation revenues - Controls are satisfactorily performed.
• Accounts receivable for grants and contributions - Progress has been made to improve the close-out of contribution agreements, but work is still required to ensure the accuracy of the accounts receivable general ledger account.
• Capital assets - The processing of capital assets is operating effectively. However, improvements can be made to better identify capital assets to their responsible Cost Centre Manager.

The audit report includes two recommendations aimed at addressing the areas of improvements noted above. Management agrees with the recommendations and its response indicates its commitment to take action.

Furthermore, attention is still required for last year's recommendations to strengthen controls and to mitigate the risk of material misstatement.

A - Introduction

1. Background

Government-wide policies were developed in recent years to strengthen public sector financial management and improve the reliability of financial reporting. This includes two important Treasury Board of Canada (TB) policies:

• The Policy on Internal Control requires that the Deputy Head sign an annual departmental Statement of Management Responsibility Including Internal Control Over Financial Reporting; and
• the Policy on Financial Resource Management, Information and Reporting requires that the Deputy Head take measures to ensure that the Department can sustain a control-based audit of its annual financial statements.

In addition, the Deputy Head and the Chief Financial Officer are required to sign an annual letter of representation to the Auditor General and the Deputy Receiver General in support of the Public Accounts of Canada covering their responsibilities for internal control and assertions over the integrity of financial information.

In preparation of a control-based audit of departmental financial statements and in support of the Policy on Internal Control, the Chief Financial Officer Branch (CFOB) developed the Internal Control over Financial Reporting Framework (see Appendix C). The Framework identifies and documents the supporting processes, procedures and related internal controls in place to mitigate financial reporting risks. As part of the Framework, six main classes of processes were identified to ensure reliable financial reporting:

• Management of Parliamentary Appropriations;
• Revenue/Receivables/Receipts;
• Purchasing/Payables/Payments including Transfer Payments;
• Payroll;
• Capital Assets; and
• Financial Statements, Year-End and Reporting.

Furthermore, until recently, regional responsibility for financial management and financial transaction recording was under direct reporting relationship to the regional director generals with a functional leadership to the Chief Financial Officer. As a result of corporate restructuring that took effect in April 2012, these operations now fall directly under the responsibility of CFOB.

This audit engagement was identified in Health Canada's Multi-Year Risk-Based Audit Plan for 2012-15, which was endorsed by the Departmental Audit Committee and approved by the Deputy Minister on April 27, 2012. This audit was conducted as the second year of a recurring (annual) audit aimed at assessing the operating effectiveness of key financial controls. It directly supports the Department's efforts to ensure that the departmental financial statements can sustain a control-based audit and in complying with the requirements of the TB Policy on Internal Control.

2. Audit objectives

The objectives of the audit were to:

• determine whether key controls in support of the departmental financial statements are operating effectively to mitigate the risk of material misstatement in terms of ensuring the validity, completeness and accuracy of the financial transactions reported; and
• follow-up on the progress made in implementing the management action plan that was developed in response to last year's audit recommendations.

3. Scope and approach

Lines of enquiry and audit criteria are presented in Appendix A. Further, the scope and approach of this audit are similar to the prior year's audit.

The scope encompassed an assessment of the operating effectiveness of key financial controls, common or specific, to the following significant classes of transactions:

• Contribution Agreements;
• Salary and Wage Expenses;
• Non-Insured Health Benefits;
• Purchase of Goods and Services;
• Acquisition Card Purchases;
• Drug Submissions and Evaluation Revenues;
• Accounts Receivable; and
• Capital Assets.

Samples were selected from transactions processed between April 1, 2011 and March 31, 2012 (fiscal year 2011-12).

The audit focused on the same significant classes of transactions and key controls that were reviewed and assessed in Year 1. However, approximately 30% of the corresponding control activities identified in Year 1 were superseded by more relevant ones as deemed by the auditors. The audit included a review of the accounting activities and the testing of transactions in the National Capital Region and other regional accounting offices. Control activities for payroll, which fall under the responsibility of the Corporate Services Branch, were also tested.

In order to assess the effectiveness of key financial controls, interviews with Health Canada employees, the review of documentation, the observation of key processes and controls, and the analysis of financial and non-financial data using computer-assisted audit techniques were conducted.

4. Statement of assurance

In the professional judgment of the Chief Audit Executive, sufficient and appropriate procedures were performed and evidence gathered to support the accuracy of the audit conclusion. The audit findings and conclusion are based on a comparison of the conditions that existed as of the date of the audit, against established criteria that were agreed upon with management. Further, the evidence was gathered in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing.

B - Findings, recommendations and management responses

1. Progress made on prior year's recommendations

The audit followed-up on the five recommendations issued in the prior year's audit. It was noted that management made progress in delivering on the committed actions. However, the full implementation of the proposed management action plan has yet to occur, as summarized below.

Delegation of financial signing authorities

Management is currently revising the departure process and form which will include verification that specimen signature cards are cancelled when an employee leaves the Department; however, it has not been implemented. Levels of implementation of actions range from 2 (planning stage) to 3 (preparations for implementation).

Quality assurance over the Financial Administration Act (FAA) Section 34 Account Verification

Management updated guidance materials on the Health Canada Statistical Sampling Plan to better assist financial officers in identifying errors. However, logging of errors identified through the quality assurance process on grants and contributions and acquisition card transactions in the departmental financial system have been deferred. Levels of implementation of actions range from 1 (no progress or insignificant progress) to 5 (full implementation).

Health Canada's Statistical Sampling Plan

Management identified and communicated the required levels of analysis and assessments. However, required follow-up actions where the tolerable error rate has been exceeded have yet to be established. Levels of implementation of actions range from 1 (no progress or insignificant progress) to 3 (preparations for implementation).

Salary and wage expenses

Management developed measures to monitor pay actions. However, monitoring activities were not performed during the fiscal year. Levels of implementation of actions stand at 1 (no progress or insignificant progress).

Accounts receivable for grants and contributions

Management progressed towards ensuring all receivables are recorded in SAP, the departmental financial system in a timely and accurate manner. Health Canada's Accounts Receivable Policy and procedures were updated and are currently pending approval. Furthermore, the analysis of assessment status of First Nations and Inuit Health contribution agreements from prior years was completed. However, more work is required to reconcile information contained in the Management of Contract and Contributions System (MCCS) to SAP. Levels of implementation of actions range from 1 (no progress or insignificant progress) to 5 (full implementation).

Appendix D provides detailed information on the progress made in implementing the management action plan developed in response to last year's audit recommendations.

2. Common key financial controls

2.1 Delegations of financial signing authorities

Audit criterion: Controls over the maintenance of specimen signature cards ensure that delegations of financial signing authorities are valid.

Certification under Section 34 of the FAA requires account verification of all expenditures processed at Health Canada. Such certification aims to provide assurance over the validity and accuracy of transactions by certifying that goods and services were received or that a grant or contribution recipient is eligible for payment.

Financial signing authority is delegated to various management levels throughout the Department, including to the Cost Centre Manager/Administrator level, by the Minister and Deputy Head. These authorities are then granted to employees at various management levels by creating and activating specimen signature cards that are maintained in a Lotus Notes database, which is used to authenticate whether an employee has a valid delegation of financial signing authority. There were approximately 3,000 active signature cards in the database as of March 2012.

Certification under FAA Section 33 (payment authority) ensures that payments are subject to authorized requisitions; are lawful charges against the appropriation and are within the appropriations level. This requires that appropriate processes and controls be in place to verify accounts under FAA Section 34, as stated in the Department's delegation of financial signing authorities document. Section 33 of the FAA relies on the specimen signature cards to substantiate whether an employee has a valid Section 34 delegation of financial signing authority. Consequently, it is essential that the controls over the creation and activation of specimen signature cards operate effectively to comply with the FAA and central agency policy instruments in order to prevent unauthorized expenditures.

Activation of specimen signature cards

Health Canada has well-defined procedures to set-up specimen signature cards. A sample of 14 cards was tested to determine if officers responsible for activating the cards verified their validity (for example: approved by a supervisor with delegated authority, mandatory training was taken and issued to an eligible Health Canada employee). Test results indicated that verifications were adequately conducted. However, in one instance, there was no documented evidence to support the verification prior to the activation of the card.

Termination of specimen signature cards

An employee's specimen signature card may be terminated for two reasons: the responsibility of the employee changed or the employee left the Department. In the first circumstance, the signature card is edited to reflect the new responsibilities provided the employee retains financial signing authority. In the second circumstance, the signature card is simply cancelled.

Since the financial officers rely on the accuracy of the specimen signature card database when conducting FAA Section 33 certification, the termination of signature cards needs to be completed in a timely manner.

In Year 1 of this recurring audit, it was recommended that the Chief Financial Officer ensure that specimen signature cards be terminated on a timely basis. In response, actions were committed as noted in Appendix D, Recommendation 1.

Using computer-assisted audit techniques, auditors assessed the accuracy of the database throughout the year by analysing the timeliness of termination of specimen signature cards for departed employees. The analysis showed that 63% of the cards for terminated employees were not cancelled following the employee's departure. While this rate is high, it represents an improvement over last year.

Overall, controls over the activation of specimen signature cards are adequate. However, improvements are needed to ensure that cards are cancelled in a timely manner thereby ensuring the validity of the corresponding database on which reliance is placed for the purpose FAA Section 33 certification.

2.2 Quality assurance process over FAA Section 34 certification

Audit criterion: Quality assurance is performed over FAA Section 34 certification.

Transactions deemed as high risk undergo full quality assurance prior to payment. This includes verifying whether the back-up documentation provided supports the payment request, whether the financial coding is appropriate, that claimed amounts are in accordance with the contract, and that the procurement document and payment request comply with TB and departmental policies.

Those identified as low risk are paid immediately after minimum quality assurance is performed and are subject to a full quality assurance through quarterly statistical sampling. This process is referred to as the Post-Payment Quality Assurance Process.

Errors identified through quality assurance that put into question the validity of the payment request must be followed-up and corrected, such as inappropriate FAA Section 34 financial signing authority, or an invoice price that is not in accordance with the contract/funding agreement.

Table 1 provides a breakdown by risk profile of the transactions recorded in fiscal year 2011-12. It demonstrates that even though the proportion of high risk transactions was 9% of the total population in terms of number, these transactions represented 89% of the total dollar value.

Source: Departmental Financial System, Fiscal year 2011-12. Figures exclude acquisition card transactions.

Quality assurance over FAA Section 34 account verification encompasses most payment transactions including grants and contributions, account payables, travel claims, honoraria, etc. However, it does not cover salary and wage expenditures as they are subject to a different quality assurance process which is discussed in Section 3.2 of this report.

The main aspects of the quality assurances process include:

• Gating of transactions;
• identification of errors in account verification;
• quality assurance on grants and contributions payments;
• logging of results of quality assurance review; and
• statistical sampling for low risk transactions.

Gating of transactions for the quality assurance process

The gating of transactions is an important aspect of the quality assurance process. It determines whether a transaction is low risk or high risk, thereby determining the level of quality assurance (minimum or full) to be performed prior to payment. As in 2011, this year's audit tests determined that the gating of transactions is working effectively.

Identification of errors in account verification

The quality assurance review entails verification that FAA Section 34 account verification has been performed properly. This process provides evidence on the effectiveness of FAA Section 34 account verification.

The audit tested a random sample of 40 transactions (consisting of 33 transactions for goods and services and seven transactions involving grants and contributions), recorded in fiscal year 2011-12 from four regions (25 in the National Capital Region (NCR), 5 in Ontario, 5 in Manitoba and 5 in Alberta). The results indicated that the quality assurance function was adequately performed and all errors were identified. This represents an improvement over Year 1 where some errors were not identified.

Quality assurance review for payables at year-end (PAYEs) and acquisition cards are discussed later in this report, in sections 2.5 and 3.5 respectively.

Logging of results of quality assurance review

Health Canada's Statistical Sampling Training Guide requires that all errors identified during the quality assurance review for both low and high risk transactions be logged in SAP, the departmental financial system. This is regarded as the most significant output of the quality assurance process as it provides the necessary data required to report on the overall adequacy and reliability of the account verification process, and allows management to develop corrective actions where necessary, in line with the TB Directive on Account Verification.

In Year 1, the audit noted that not all errors were being recorded as required. In response, actions were committed as noted in Appendix D, Recommendation 2. The current audit found that, for the sample of 40 transactions reviewed, all errors were logged in the departmental financial system. However, additional testing was performed by comparing a listing of payment requests returned to cost centre managers for corrective action to information recorded in SAP. This showed that some errors (for example: missing documents) identified on this list are not logged in the departmental financial system.

If not all errors are captured in the departmental financial system, then the reports generated for analysis and review by management may not be accurate and complete; thus, increasing the risk of not taking the necessary remedial actions.

As a result of the issues noted above, it was recommended in 2011 that the quality assurance process be improved with respect to identification and logging of critical errors.

Quality assurance of low risk transactions

As previously mentioned in this report, all low risk transactions undergo minimum quality assurance prior to payment. In addition, a sample of these transactions is selected for each region, on a quarterly basis, to undergo full quality assurance. The analysis of errors and the action plans developed by senior finance officers are reported to the Chief Financial Officer Branch (CFOB).

For this type of testing, the Department has established a tolerable error limit of 8%. That is to say that management considers the FAA Section 34 account verification process to be operating effectively if the error rate from the statistical sample is less than 8%. Where sampling results for a region are greater than 8%, senior finance officers are required to develop an action plan to address any issues identified through an analysis of the errors. The 8% rate was determined by Health Canada as the TB Directive on Account Verification provides no guidance in this area. The Department considers this to be appropriate as it proceeds towards financial statements that can sustain control-based audits and is focused on continuous improvement and enhancing controls. This rate has remained unchanged from 2011.

In Year 1, it was noted that the level of analysis on error rates resulting from statistical sampling was varied. It was recommended that clear guidance be developed on the additional work required when the tolerable error rate has been exceeded in order to demonstrate the adequacy and reliability of account verification. In response, actions were committed as noted in Appendix D, Recommendation 3.

Similarly to the previous year, auditors reviewed the results of the statistical sampling on low risk transactions for the first three quarters of fiscal year 2011-12. At the time of this audit, testing of low risk transactions for the fourth quarter had not been completed. The results indicated that 234 out of 5,992 transactions sampled were identified with critical errors for an overall error rate of 3.9% for the Department; hence, below the tolerable limit (8%). In comparison, in 2011, the overall error rate was 5.2%. This suggests that the FAA Section 34 account verification is working and improving from a departmental perspective. However, the results reviewed also showed variability in the error rates from statistical sampling results among the regions and by remaining quarters. Error rates ranged from 0% to as high as 22% (NCR, accounts payable, 1st quarter of 2011-12). Error rates in excess of the tolerable level for may provide evidence that the FAA Section 34 account verification is not being performed effectively in that region.

It is to be noted that the statistical sampling of low risk transactions and the logging of quality assurance errors became mandatory in 2011. As a result, some variability is to be expected as Accounting Operations in the NCR has yet to complete the identification of areas of concern and the implementation of necessary actions.

In conclusion, the quality assurance process is well designed. In terms of operating effectiveness, although some improvements were made, progress is still needed for low risk transactions.

2.3 FAA Section 33 certification

Audit criterion: Certification under FAA Section 33 is performed and appropriate segregation of duties exists with FAA Section 34 certification.

The authority to request payments in accordance with Section 33 of the FAA is referred to as payment authority. Pursuant to this section, a financial officer with delegated payment authority is responsible to ensure that:

• FAA Section 34 was properly exercised by validating that the Section 34 signatory had a valid delegated authority to authorize the expense and that there is auditable evidence that the quality assurance over the adequacy of the Section 34 account verification has taken place; and
• expenditures are a lawful charge against the appropriation.

The FAA Section 33 payment authorization performed by financial officers is a key control to ensure the accuracy and legality of transactions.

The auditors evaluated the performance of the FAA Section 33 certification using the sample of transactions selected for the quality assurance review and came to the same conclusion as in 2011. Financial officers approving payments under FAA Section 33 had valid delegated authority and were not the same individual certifying under FAA Section 34.

2.4 Management review of expenditures and commitments

Audit criterion: Cost centre managers review commitments and expenditures recorded in SAP for completeness, validity and accuracy.

Health Canada's Policy on Budget Management, which is part of the departmental Budget Management Framework, requires that cost centre managers be accountable and responsible for their assigned budgets. This includes the effective stewardship and control over budgets and commitments, and the monitoring of surpluses/deficits and forecasts on an ongoing basis.

Cost centre managers, with the support of branch senior financial officers (in the NCR) and regional senior financial officers (in other regions), are required at month-end to review expenses charged to their cost centres through Health Canada's Management Variance Report (MVR) process. The activity entails a review of the validity, accuracy and completeness of expenses. The CFOB is responsible to ensure that the month-end MVR exercise is adequately conducted and documented through a challenge function. This process is considered a key control over financial reporting.

As in 2011, documentation review and interviews with cost centre managers and senior financial officers demonstrated that cost centre managers review commitments and expenditures recorded in SAP for completeness, validity and accuracy.

2.5 Accrued liabilities at year-end

Audit criterion: Senior financial officers review and challenge the completeness, validity and accuracy of transactions payable at year-end.

As per the TB Policy on Payables at Year-End (PAYEs), departments and agencies must identify and quantify liabilities to outside organizations and individuals resulting from operations up to and including March 31st in each fiscal year. In the absence of certainty, estimates must be used to determine the amounts of liabilities, as long as reasonably accurate values can be assigned.

As per the departmental year-end procedures, cost centre managers and administrators must submit PAYE requests for goods and services of value greater than or equal to $5,000 (except for salary-related items where the minimum threshold is $400 and for grants and contributions where there is no minimum threshold), for which an invoice has not been received or when account payables or payments cannot be recorded by the required cut-off date. In addition, notwithstanding the fact that a PAYE could be established from a reasonable estimate, supporting documentation must be provided for all PAYEs. Where goods are received, a packing slip is sufficient. For consulting services, timesheets and an assessment of the work completed as at March 31^st should be provided. This helps to ensure a sufficient audit trail for follow-up purposes.

In addition, senior finance officers are responsible for reviewing and challenging PAYEs to ensure that the appropriate supporting documentation is present before posting them to the SAP was determined through interviews with senior finance officers that the challenge function has been satisfactorily performed.

For fiscal year 2011-12, PAYEs amounted to $132 million compared to $156 million for fiscal year 2010-11. As per management, this decrease is due to efforts made throughout the Department to improve the accuracy and validity of the PAYEs created.

The audit tested a sample of 34 PAYE transactions to determine whether they were appropriately authorized and supported. Only one error was noted, where the PAYE included amounts relating to records and retention services to be rendered in the new fiscal year.

In conclusion, senior financial officers' review and challenge of PAYEs is operating effectively.

2.6 System access and segregation of duties

Audit criterion: Access to SAP, the departmental financial system, is restricted and the segregation of duties is enforced.

The segregation of duties is a key concept in internal control that mitigates the occurrence of fraud and errors. An example of incompatible duties that must be segregated is the maintenance of vendor master files and the recording of purchase orders. In order to monitor the segregation of duties in the departmental financial system, Health Canada follows tests that have been standardized across the federal government. These tests are based on a matrix of critical functions which rate risk as low, medium or high. Prior to granting or modifying access, CFOB performs these tests to ensure that it does not result in incompatible functions. In addition, on a regular basis, the Corporate Service Branch (CSB) conducts tests to monitor the segregation of duties.

As identified in the 2011 Audit of SAP General Controls, enhancements to the monitoring program are required to detect and address situations involving incompatible duties. At the time of this audit, this enhancement had yet to be made. In addition, CSB monitoring activities were not carried out in fiscal year 2011-12. Using computer-assisted audit techniques, auditors tested additional functions that were not included to determine whether individuals had access to incompatible functions. The results indicated that 15 users had access to incompatible duties, at some point during the fiscal year (for example: the posting of invoices in the departmental financial system and the processing of payments). Out of those 15 users, in a number of instances, six users posted invoices through feeder systems and requested its payment in the financial system. This consists of an inadequate segregation of duties that increase susceptibility to errors and fraud.

In conclusion, the access to the departmental financial system and the enforcement of the segregation of duties requires improvement and monitoring activities need to be carried out on a regular basis.

Recommendation 1

It is recommended that the Chief Financial Officer, in collaboration with the Assistant Deputy Minister of the Corporate Services Branch, ensure that appropriate segregation of duties is enforced; and that monitoring of segregation of duties in the departmental financial system is performed according to the established monitoring schedule.

Management response

3. Specific key financial controls

3.1 Grants and contribution agreements

Audit criterion: Key financial controls specific to the processing of grants and contributions agreements are operating effectively.

Agreement/recipient risk assessments

Since 2010, programs are required to use a risk assessment tool titled "Enterprise Risk Management Agreement/Recipient Risk Assessment Tool" (ERM-ARRAT) designed to assess and manage risks associated with recipients and funding agreements. This tool is to be used to assess risks annually for all funding agreements, as well as to reassess risks for existing multi-year agreements.

The recipient's risk rating profile determines the risk tolerance strategy, which includes risk mitigating activities such as determining the amount of advance payments, establishing applicable holdbacks and monitoring activities. This means that recipients with the highest risk receive pre-payments on a quarterly basis and are subject to a maximum holdback on the final payment, as opposed to recipients with a low risk to which a single pre-payment can be made at the start of the year, with no or a minimum  holdback. Quarterly payments are by far the most common arrangement. 

Prior to approval of the funding agreement and FAA Section 32 spending authority, finance officers are responsible for ensuring that a risk assessment has been conducted and that advance payments and applicable holdbacks are in accordance with the established risk tolerance strategy. However, the audit found that this was not always performed. As a result, they cannot ensure that the advance payments and holdbacks are correct.

Recommendation 2

It is recommended that the Chief Financial Officer ensure that the results of the annual risk assessments are properly reflected in the agreements that are put forward to support grants and contributions payments.

Management response

Reconciliation of commitment and payment transactions between grants and contributions systems and the departmental financial system

Grants and contributions payment requests are initiated in MCCS and in the Lotus Notes Grant and Contribution Database. MCCS is used by the First Nations and Inuit Health Branch (FNIHB) programs and the Lotus Notes database is used by other branches. Reconciliations between these systems and SAP, contribute to providing assurance that grants and contributions agreement expenditures are complete and accurate.

Monthly reconciliations of both MCCS and Lotus Notes Database to SAP are prepared in the NCR by CFOB. The resulting variances are sent to regional/branch senior financial officers for comments and sign-off. The audit analyzed the reconciliation prepared for mid-year and end of fiscal year 2011-12 and found no errors. These monthly reconciliations provide assurance that the transmissions of grants and contributions expenditures were complete and accurate.

Review and close-out of contributions agreements

Review and close-out of contribution agreements are necessary to ensure that all the terms and conditions have been met and that receivables arising from overpayment are recorded in the departmental financial system and collected, as required.

The 2011 Audit of Key Financial Controls found that in some regions, no formal contribution agreement closure process existed, with the risk of having some outstanding receivables not being recorded and collected. A recommendation was made to address this issue. In response to the recommendation, FNIHB distributed an operations and procedures manual to the regions that includes a section on file closure.

Timely close-out and the communication of results to finance are necessary to ensure the completeness and accuracy of the Department's financial information, specifically accounts receivable.

In conclusion, if not for progress that remains on the contribution closure process, key financial controls specific to the processing of grants and contributions agreements are operating effectively.

3.2 Salary and wage expenses

Audit criterion: Key financial controls specific to the processing of salary and wage expenses are operating effectively.

Compensation verifier review of pay registers

According to the TB Directive on Financial Management of Pay Administration and Guideline on Common Financial Management Business Process for Pay Administration, responsibilities for FAA Section 34 certification are to be shared between cost centre managers, compensation advisors and compensation verifiers at different stages of the pay administration cycle.

At Health Canada, compensation advisors and verifiers are part of CSB. Compensation advisors are responsible for the accuracy of pay input through FAA Section 34 certification. Compensation verifiers are responsible to review the payroll registers and individual salary payments as part of a quality assurance process. This review is the final opportunity to confirm the accuracy of payroll transactions.

In 2011, it was recommended that the compensation verifiers appropriately document pay verification, and that CSB continuously monitor the segregation of duties between pay creation and verification. In response, actions were committed as noted in Appendix D, Recommendation 4.

The current audit reviewed a sample of 25 employee pay transactions against payroll registers and other output reports for fiscal year 2011-12 to determine whether verification was performed on the accuracy of payments. No payroll processing errors were identified as a result of this review and the pay verification was appropriately documented by compensation verifiers, including the identification of the verifier which was identified as an issue in 2011. However, four of the payroll transactions were approved by compensation verifiers who did not have an active financial signing authority card with human resource officer authority. All transactions were approved by verifiers responsible for NCR pay registers. Signature cards for compensation verifiers were recently implemented in the NCR and other regions as the result of a recommendation made in the 2010 Audit of Payroll Administration. For this reason, no recommendation is made in this report.

FAA Section 33 quality assurance review

The TB Policy on Internal Control states that the Chief Financial Officer (CFO) is responsible for establishing and maintaining a system of internal control that is monitored, reviewed and that timely corrective measures are taken when issues are identified. This includes a quality assurance review which provides assurance on the adequacy and reliability of the account verification process.

In the context of pay transactions, the current audit reviewed the Compensation Monitoring Framework developed in 2010 by CSB. This framework includes cyclical and on-site monitoring activities that are aimed at providing assurance that controls are effective. It is currently being revised and will include the addition of a sampling strategy using a risk-based approach; however, this strategy has yet to be implemented. Performing this control activity and sharing its results with the CFO is important as it serves to demonstrate whether controls over the pay process are operating effectively and that account verification over pay transactions is adequate. A recommendation was made on this issue in the 2010 Audit of Payroll Administration. For this reason, no recommendation is made in the current report.

In conclusion, pay verifier reviews have been adequately performed and are operating effectively. However, the implementation of monitoring activities would provide greater assurance over the adequacy and effectiveness of account verification over pay transactions.

3.3 Non-insured health benefits

Audit criterion: Key financial controls specific to the processing of non-insured health benefits are operating effectively.

The Non-Insured Health Benefits (NIHB) Program provides eligible First Nations and Inuit populations in Canada with coverage for a limited range of medically necessary health-related goods and services that are not provided through private insurance plans, provincial/territorial health or social programs, or other publicly funded programs. This includes pharmacy, dental, vision, mental health, medical supplies and equipment, medical transportation, provincial health premiums and other health care benefits. During the fiscal year 2011-12, approximately $1.03 billion was spent on NIHB.

Reconciliation of NIHB claims processed in Health Information Claim Processing Systemto funding requests

Dental, pharmacy and medical supplies and equipment claims, which account for a significant part of all NIHB expenditures, are mostly processed and paid by an external service provider through the Health Information Claim Processing System(HICPS). The service provider summarises the claims processed and submits a claim for reimbursement. These claims are analysed and reconciled with information found in HICPS and approved for payment (FAA Section 34). Claims are then forwarded to the CFOB for FAA Section 33 certification and the payment is processed accordingly. These analyses and reconciliations are key controls aimed at ensuring that NIHB expenses are accurately recorded and processed in compliance with FAA requirements. These and other procedures and controls are documented for reference in the NIHB HICPS Financial Control Framework. The audit concluded that the procedures and controls regarding NIHB expenditures processed through HICPS are applied effectively.

Review of the external audit report over HICPS claim processing

Health Canada obtains an annual audit report from the service provider. The corresponding audit is carried out by external auditors and provides assurance that the service provider's controls are appropriately designed and operating effectively in a manner that ensures the validity, completeness and accuracy of the claims processed. As in previous years, an unqualified opinion was issued by the external auditors for the fiscal year 2011-12. NIHB Program management indicated their acceptance of the audit report.

In conclusion, the reconciliation of NIHB expenses with payment requests from the service provider are operating effectively and the service providers' controls over claims processing are operating effectively as evidenced by the external audit report. These provide assurance that controls specific to the processing of NIHB are operating effectively.

3.4 Purchase of goods and services

Audit criterion: Key financial controls specific to the processing of purchase of goods and services are operating effectively.

Review of contracts over $10,000

Under a departmental policy, purchases greater than $10,000, as wells as all contract amendments regardless of dollar value, require approval from one of the Contract Requisition Control Committees (CRCC). These committees are comprised of procurement and contracting officers and financial officers. The work of CRCCs is tracked in Health Canada's Contract Requisition and Reporting System (CRRS).

Approval by CRCCs helps to ensure that contractual documents are in accordance with Government Contracts Regulations, relevant policies, departmental delegation of financial authorities and that an appropriate procurement vehicle is used. The review and approval by the CRCC provides assurance over the validity and accuracy of purchases of goods and services over $10,000.

Auditors used computer-assisted audit techniques to determine whether all purchase orders over $10,000, issued in fiscal year 2011-12, were reviewed by the CRCC. No significant error was found.

In conclusion, key financial controls specific to the purchase of goods and services are operating effectively.

3.5 Acquisition card purchases

Audit criterion: Key financial controls specific to the processing of acquisition card purchases are operating effectively.

Official reconciliation report

Acquisition card purchases are paid prior to the reconciliation of purchases by the cardholder and FAA Section 34 certification, as permitted under the TB Directive on Account Verification. To provide assurance over the accuracy and completeness of acquisition card purchases, cardholders are responsible to complete reconciliations of transactions to their statement of accounts. CFOB monitors these reconciliations to ensure that they are adequately completed on a timely basis. Interviews conducted with CFOB and documentation review provided evidence that this oversight role is adequately fulfilled.

Quality assurance over acquisition cards

In addition to the monitoring of monthly reconciliations, financial officers conduct quality assurance reviews of acquisition card transactions. On a monthly basis, a sample of cardholder reconciliations is selected to undergo a full quality assurance review, similar to statistical sampling for account payable transactions. Through this review, all transactions are examined for appropriate supporting documentation and sign-off. Errors identified through this review are recorded.

The audit tested a sample of 12 monthly reconciliations that included full quality assurance to determine whether it was performed adequately and appropriately. No significant errors were identified as a result of this review.

In conclusion, both the reconciliation of payments to acquisition card transactions and quality assurance review are operating effectively.

3.6 Drug submission and evaluation revenues

Audit criterion: Key financial controls specific to the processing of drug submissions and evaluation revenues are operating effectively.

In fiscal year 2011-12, Health Canada's re-spendable revenue amounted to $94 million ($76 million in 2010-11), with drug submission and evaluation fees accounting for the largest share at $26 million ($17 million in 2010-11).

Drug submission and evaluation fees are tracked in the Drug Submission Tracking System (DSTS) outside of SAP, the departmental financial system. This system is operated by the Health Products and Food Branch (HPFB). As there is currently no interface between DSTS and SAP, DSTS data has to be inputted manually in the financial system. The absence of an interface also requires the regular reconciliations of the amounts recorded in the two systems to ensure accuracy and completeness.

In conclusion, tests conducted on fee revenues did demonstrate that the manual transfers and reconciliation activities are performed adequately. However, these processes are time-consuming. In that respect, CFOB and HPFB are currently working on an automated solution.

3.7 Accounts receivable

Audit criterion: Key financial controls specific to the processing of accounts receivable are operating effectively.

Health Canada's Policy on Receivables Management and Charging Interest on Overdue Accounts requires that all receivable transactions be invoiced, recorded and reported accurately and promptly. Failure to do so can result in receivables not being collected and inaccurate financial reporting. One of the most significant sources of accounts receivable comes from the closing of contributions agreements. As noted in the Section 3.1 of this report, the current close-out process does not ensure that all contribution agreement receivables are recorded in SAP.

MCCS reports were compared to accounts receivable in SAP. Similar to the previous year, it was found that there were receivable amounts in MCCS either not found in SAP or coded to an incorrect accounts receivable general ledger account in SAP. Furthermore, programs do not always notify Accounting Operations in advance for collection of cash receipts. Therefore, they are not made aware of accounts receivable until payments are received.

In Year 1 of this recurring audit, it was recommended that coordination be improved between accounting offices and contribution programs to ensure that all receivables, including those resulting from close-outs of contribution agreements, are recorded in the departmental financial system in an accurate and timely manner. In response, actions were committed as noted in Appendix D, Recommendation 5.

In conclusion, while progress is being made to ensure that receivables resulting from the close-out of contribution agreements are recorded in the departmental financial system, more work is required to ensure the accuracy of the accounts receivable general ledger account.

Monitoring and reconciliation of suspense and clearing accounts

CFOB performs monitoring and reconciliations of various suspense and clearing accounts including deposits, petty cash and interdepartmental settlements.

These reconciliations are generally performed on a monthly basis, but the frequency of the reconciliation may be different depending on the nature of the account or volume of activity. Discrepancies and variances identified through the reconciliation process are raised with cost centres. Regular monitoring and the clearing of suspense accounts help to ensure the accuracy of financial information.

Interviews were conducted and evidence was obtained to support that reconciliations were performed on a regular basis and account balances were verified.

Overall, the monitoring and reconciliations of suspense and clearing accounts worked effectively throughout fiscal year 2011-12.

3.8 Capital assets

Audit criterion: Key financial controls specific to the processing of capital assets are operating effectively.

Health Canada's Asset Management Policy Framework defines capital assets as assets with a useful life greater than one year, and a per-item cost of $10,000 or greater. Health Canada holds a variety of capital assets including buildings, machinery, equipment and vehicles. As per the Department's financial statements, the value of these assets (net of accumulated amortization and impairment losses) amounted to $137 million as at March 31, 2012 ($157 million as at March 31, 2011). Due to the significance of this amount, regular reviews of the capital asset inventory are needed to ensure the accuracy of the information found in the financial statements.

Physical count of capital assets

In 2009, CFOB started to conduct an annual review of its capital asset inventory aimed at ensuring that Health Canada's capital assets are well managed and properly accounted for. Once the review is complete, the necessary changes/adjustments are made in the departmental financial system.

The auditors reviewed the report produced as part of the annual review exercise to ascertain whether appropriate actions were taken to address the issues raised in the report. This review showed that management is making progress in addressing the issues, such as assets with no identification number affixed. However, CFOB faces a challenge in identifying the primary Cost Centre Manager responsible for some assets as the information in the asset accounting module of SAP is not current. As a result, the annual capital asset count is less efficient and the level of stewardship and accountability over capital assets may be reduced.

In conclusion, the controls specific to the processing of capital assets are operating effectively. However, improvements are required in the association of capital assets to their responsible cost centre managers.

C - Conclusion

Based on the results of the audit work, it was determined that in general, Health Canada's internal controls over financial reporting are operating effectively to mitigate the risk of material misstatement. Implementation of action plans to address prior year recommendations is progressing. However, improvements are required in the execution of individual key controls as noted below.

Common key controls

In terms of the common key controls, those found across the most significant classes of transactions, are found to be operating effectively. However, areas of improvement were noted in one (1) of the key common controls: system access and segregation of duties helps to ensure that mutually exclusive roles cannot be assigned to a single user and reduces the Department's exposure to the risk of inappropriate action. Monitoring activities need to be performed on a regular basis.

Specific key controls

These controls supplement the common key controls and help to provide assurance over the completeness and accuracy of financial information. Ten (10) of the eleven (11) specific key controls were determined to be operating effectively. An area of improvement was noted in the specific key controls for grants and contributions agreements, where greater effort is required to ensure advance payments and holdback are in accordance with the risk tolerance strategy.

An overview of the effectiveness of key financial controls and the progress made on the prior year's recommendations are presented in Appendix B and Appendix D respectively.

Appendix A - Lines of enquiry and audit criteria

Appendix B - Scorecard

Appendix C - Health Canada's Internal Control over Financial Reporting Framework

Appendix D - Overview of progress made on prior year's recommendations