Final Audit Report - Audit of the Key Financial Controls - Year 3

September 2013

Table of Contents

Executive summary

In support of the Treasury Board of Canada's Policy on Internal Control, Health Canada's Deputy Minister and Chief Financial Officer (CFO) are required to sign an annual representation letter acknowledging their responsibilities for maintaining an effective system of internal control over financial reporting.

The objectives of this recurring audit, which was part of the departmental Risk-Based Audit Plan for 2012-15, were to provide reasonable assurance that Health Canada's internal controls over financial reporting are operating effectively to mitigate the risk of material misstatement in the Department's financial statements, and to follow-up on the progress achieved in implementing the prior year's audit recommendations. The audit focused on testing the controls that will help Health Canada meet its control objectives and address management's responsibility over the completeness, validity and accuracy of its financial reporting. Select controls from two categories of key financial controls were tested as part of the audit: common key controls and specific key controls. Common key controls are prevalent across the organization and/or affect the organization as a whole; for example, the quality assurance over account verification process. Specific key controls affect the Department's financial statements and originate from one specific area such as grants and contributions.

An overview of the effectiveness of key financial controls and the progress made on the prior year's recommendations are presented in Appendix B and Appendix D respectively.

Sufficient and appropriate procedures were performed and evidence gathered to support the accuracy of the audit conclusion. Based on the audit results, it is concluded that Health Canada's internal controls over financial reporting were generally operating effectively in fiscal year 2012-13 to mitigate the risk of material misstatement. More specifically:

Common key controls

  • Delegation of financial signing authorities - Controls over the accuracy and validity of the specimen signature card database are satisfactory.
  • Quality Assurance Process over the Financial Administration Act (FAA) Section 34 certification - The quality assurance process is progressing well to ensure operating effectiveness.
  • FAA Section 33 certification - Certification of payments is satisfactorily performed.
  • Management review of expenditures and commitments - Management reviews are satisfactorily performed.
  • Accrued liabilities at year-end - Payables at year-end are reviewed and challenged by senior finance officers.
  • System access and segregation of duties - Access to the departmental financial system and enforcement of segregation of duties requires improvement and monitoring activities need to be carried out on a regular basis.
  • Journal entry review - Journal entries are reviewed by a second person and accompanied by appropriate supporting documentation.

Specific key controls

  • Grants and contributions agreements - The reconciliations to the departmental financial system are conducted and efforts have been made to improve the close-out process. However, improvements are required to ensure that payment advances and holdbacks are consistent with risk tolerance strategies.
  • Salary and wage expenses - Pay verification is adequately performed. Monitoring activities related to fiscal year 2012-13 had begun.  The implementation of on-going monitoring activities will provide greater assurance on the adequacy of account verification over the pay process.
  • Non-insured health benefits (NIHB) - Controls over the accuracy and validity of NIHB claims are satisfactory.
  • Purchase of goods and services - Controls are satisfactorily performed.
  • Acquisition card purchases - Controls are satisfactorily performed.
  • Drug submission and evaluation revenues - Controls are satisfactorily performed.
  • Accounts receivable for grants and contributions - Controls are satisfactorily performed.
  • Capital assets - The processing of capital assets is operating effectively. 

The audit report does not include any new recommendations. However, attention is still required for recommendations made in 2011 and 2012 to strengthen controls and to mitigate the risk of material misstatement.

A - Introduction

1. Background

Government wide initiatives, legislative changes and new policy requirements have been developed to strengthen public sector financial management and to improve the reliability of financial reporting. Some of these changes include:

  • The Treasury Board of Canada (TB) Policy on Internal Control requires that the deputy head sign an annual departmental Statement of Management Responsibility Including Internal Control Over Financial Reporting; and
  • The TB Policy on Financial Resource Management, Information and Reporting requires that the deputy head take measures to ensure that the Department can sustain a control-based audit of its annual financial statements.

In addition, deputy heads and chief financial officers are required to sign an annual Letter of Representation to the Auditor General and the Deputy Receiver General in support of the Public Accounts covering their responsibilities for internal control over financial reporting and assertions over the integrity of financial information.

In support of the Policy on Internal Control at Health Canada, the Chief Financial Officer Branch (CFOB) has developed the Internal Control over Financial Reporting (ICFR) Framework (see Appendix C). This framework provides direction for the implementation of the ICFR. It identifies and documents the supporting processes, procedures and related internal controls in place to mitigate financial reporting risks. As part of this framework, six main classes of processes were identified to ensure reliable financial reporting:

  • Management of parliamentary appropriations
  • Revenue/receivable/receipts
  • Purchasing/payable/payments including transfer payments
  • Payroll
  • Capital assets
  • Financial statement, year-end and reporting

Responsibility for financial management and financial transaction recording at Health Canada was dispersed among the regions at the beginning of the year 2012-13. As a result of corporate restructuring in the second quarter of 2012-13, accounting operations and related key financial controls that were previously the responsibility of 14 regional accounting offices are being centralized into two hubs, one for western Canada (Winnipeg) and one for eastern Canada (Ottawa). This initiative is expected to improve the oversight over the control effectiveness.

2. Audit objectives

The objectives of the audit are to:

  • determine whether select key controls in support of the departmental financial statements are operating effectively in order to mitigate the risk of material misstatements in terms of ensuring the validity, completeness and accuracy of the financial transactions reported; and
  • follow-up on the progress made on the implementation of the management action plan developed in response to the previous years' key financial controls internal audit recommendations at Health Canada.

3. Audit scope

The lines of enquiry and audit criteria (presented in Appendix A) are similar to the prior year's audit.

The scope encompassed a review of the operational effectiveness of key financial controls that are either common or specific to the following significant classes of transactions.

  • Contribution agreements
  • Salary and wage expenses
  • Non-insured health benefits
  • Purchase of goods and services
  • Acquisition card purchases
  • Drug submissions and evaluation revenues
  • Accounts receivable
  • Capital assets

The audit covered transaction processing activities for fiscal year 2012-13. The Internal Control Division (ICD) within the Chief Financial Officer Branch (CFOB) has performed and documented testing of Health Canada's processes for part of the year 2012-13. Following an examination and assessment of the methodology and testing documentation performed by ICD, the audit team decided to rely on some of their tests. As a result, samples will be selected from transactions processed for the period that was not covered by ICD testing in order to provide assurance over the control effectiveness for the whole year from April 1, 2012 to March 31, 2013.

The audit coverage will include controls exercised in the National Capital Region and other regions. The controls tested are predominantly within CFOB, but the audit will also review the control activities which fall under the responsibility of the offices of secondary interest.

As with previous key financial control audits, entity level controls (ELCs) and information technology general controls (ITGCs) are excluded from the scope of the audit. These controls focus predominantly on the control framework.

ELCs refer to those controls and practices in place that permeate across the Department and that may have a direct or indirect impact or influence on the integrity of the Department's financial reporting. These include values and ethics, employee learning and awareness, governance and risk management. ITGCs are controls that impact the overall Department wide IT environment such as access to computer programs and data, program changes, program development and computer operations.

The audit focused on the same significant classes of transactions and key controls that were reviewed and assessed in year 2, when applicable.

4. Audit approach

This audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing.

The audit included an analysis of financial statement data; the identification of the significant classes of transactions; a review of key business process flowcharts and control matrices; and discussions with management regarding significant changes in business processes.

In assessing the effectiveness of key financial controls, the audit included interviews with Health Canada employees, the review of documentation (for example, departmental policies and procedures, relevant documentation in support of financial transactions), observation of key processes and controls and analysis of financial and non-financial data using computer assisted audit techniques and tools.

Where possible, reliance was placed on work performed by other parties such as CFOB's ICD activities to support the Statement of Management Responsibility Including Internal Controls over Financial Reporting, as well as internal audits recently conducted by the Portfolio Audit and Accountability Bureau, such as the Audit of Internal Controls over Financial Reporting and Financial Statement Readiness tabled at the Health Canada Departmental Audit Committee in June 2013.

We also wish to point out that the Audit of Regional Internal Services was being conducted at the same time as this audit. Although the objective and scope of the audits were different, some audit areas were similar. We have reviewed the findings identified in the Audit of Regional Internal Services and have concluded that none of the findings impacted the scope of this audit.

5. Statement of conformance

In the professional judgment of the Chief Audit Executive, sufficient and appropriate procedures were performed and evidence gathered to support the accuracy of the audit conclusion. The audit findings and conclusion are based on a comparison of the conditions that existed as of the date of the audit, against established criteria that were agreed upon with management. Further, the evidence was gathered in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing. The audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program.

B - Findings, recommendations and management responses

1. Progress made on prior year's recommendations

1.1 Progress made on prior year's recommendations

Audit criterion: Whether progress was made on the prior year's recommendations.

The audit followed-up on the seven recommendations issued in the 2011 and 2012 audits. It was noted that management has made progress in delivering on the committed actions. However, the full implementation of the proposed management action plans related to both audits has yet to occur, as summarized below.

Audit of Key Financial Controls (Year 1)

Delegation of financial signing authorities

Management is currently revising the departure process and form which will include verification that specimen signature cards are cancelled when an employee leaves the Department. However, it has not yet been fully implemented. Levels of implementation for the four action items identified by management range from 3 (preparation for implementation) to 5 (full implementation).

Quality assurance over the Financial Administration Act (FAA) Section 34 account verification

Management updated guidance materials on the Health Canada Statistical Sampling Plan to better assist financial officers in identifying errors. SAP, the Department's financial system, has been updated to expand the logging of errors identified through the quality assurance process on grants and contributions and acquisition card transactions in the departmental financial system. Management's actionplan for this recommendation has been fully implemented.

Health Canada's Statistical Sampling Plan

Management identified and communicated the required levels of analysis and assessments, including follow-up actions where the tolerable error rate has exceeded the desirable threshold. Management's action plan for this recommendation has been fully implemented.

Salary and wage expenses

Management developed measures to monitor pay actions and monitoring activities related to fiscal year 2012-13 had begun.  Management's action plan for this recommendation has been fully implemented.

Accounts receivable for grants and contributions

Management progressed towards ensuring all receivables are recorded in SAP in a timely and accurate manner. The analysis of assessment status of First Nations and Inuit health contribution agreements from prior years was completed and information contained in the Management of Contract and Contributions System (MCCS) was reconciled to SAP. Health Canada's Accounts Receivable Policy was updated and it was approved in September 2013. The Chief Financial Officer Branch (CFOB) is currently clarifying the roles and responsibilities to update the Accounts Receivable procedures. Once this is completed, First Nations and Inuit Health Branch (FNIHB) procedure and guideline documents will be updated. Management had identified six actions to address this recommendation, of which three have been fully implemented while the remaining three items have been classified as having either insignificant progress (2 action items) or being in the planning stage (1 action item).

Audit of Key Financial Controls (Year 2)

System access and segregation of duties

Management has implemented interim measures to ensure that proper segregation of duties exists for financial transactions between the MCCS and SAP. On a quarterly basis, CFOB will perform a reconciliation of users with access to both MCCS and SAP. Following year-end, enhancements to the monitoring program had begun and management indicated that this remaining action will be fully implemented by December 2013.

Risk assessment for grants and contributions

Since 2010, programs are required to use a risk assessment tool titled "Enterprise Risk Management Agreement/Recipient Risk Assessment Tool" (ERM-ARRAT) designed to assess and manage the risks associated with recipients and funding agreements. This tool is to be used to assess risks annually for all funding agreements, as well as to reassess risks for existing multi-year agreements. Following discussion with certain regional senior financial officers (RSFOs), management is currently in the process of determining the next steps required to ensure that finance officers are ensuring that risk assessments have been conducted and that advance payments and applicable holdbacks are in accordance with the established risk tolerance strategy. Management has yet to make any significant progress on the implementation of the three action items they had identified to address this issue.

2. Select key financial controls common to all classes of transactions

2.1 Delegation of financial signing authorities

Audit criterion: Controls over the maintenance of specimen signature cards ensure that delegations of financial signing authorities are valid.

Certification under Section 34 of the FAA requires account verification of all expenditures processed at Health Canada. Such certification aims to provide assurance over the validity and accuracy of transactions by certifying that goods and services were received or that a grant or contribution recipient is eligible for payment.

Financial signing authority is delegated to various management levels throughout the Department, including to the Cost Centre Manager/Administrator level, by the Minister and Deputy Head. These authorities are then granted to employees at various management levels by creating and activating specimen signature cards that are maintained in a Lotus Notes database, which is used to authenticate whether an employee has a valid delegation of financial signing authority. There were approximately 3,000Footnote 1 active signature cards in the database as of March 2013.

Certification under FAA Section 33 (payment authority) ensures that payments are subject to authorized requisitions; are lawful charges against the appropriation and are within the appropriations level. This requires that appropriate processes and controls be in place to verify accounts under FAA Section 34, as stated in the Department's delegation of financial signing authorities document. Section 33 of the FAA relies on the specimen signature cards to substantiate whether an employee has a valid Section 34 delegation of financial signing authority. Consequently, it is essential that the controls over the creation and activation of specimen signature cards operate effectively to comply with the FAA and central agency policy instruments in order to prevent unauthorized expenditures.

Activation of specimen signature cards

Health Canada has well defined procedures to set up specimen signature cards. A sample of 15 cards was tested to determine if the officers responsible for activating the cards verified their validity (for example: approved by a supervisor with delegated authority, mandatory training has been taken and issued to an eligible Health Canada employee). Test results indicated that verifications were adequately conducted.

Termination of specimen signature cards

An employee's specimen signature card may be terminated for two reasons: the responsibility of the employee changed, or the employee left the Department. In the first circumstance, the signature card is edited to reflect the new responsibilities provided the employee retains financial signing authority. In the second circumstance, the signature card is simply cancelled.

Since the financial officers rely on the accuracy of the specimen signature card database when conducting FAA Section 33 certification, the termination of signature cards needs to be completed in a timely manner.

In year 1 of this recurring audit, it was recommended that the Chief Financial Officer ensure that specimen signature cards be terminated on a timely basis. In response, actions were committed as noted in Appendix D, recommendation 1.

Using computer-assisted audit techniques, auditors assessed the accuracy of the database throughout the year by analysing the timeliness of termination of specimen signature cards for departed employees. The analysis showed that 69% of the cards for terminated employees were not cancelled at the employee's departure. This rate is high and it is slightly worse than last year. Furthermore, as in 2011, approximately 37% of the cards had not been terminated 90 days after the employees' departure dates.

Overall, controls over the activation of specimen signature cards are adequate. However, improvements are still required to ensure that cards are cancelled in a timely manner thereby ensuring the validity of the corresponding database on which reliance is placed for the purpose of FAA Section 33 certification.

2.2 Quality assurance process over FAA Section 34 certification

Audit criterion: Quality assurance is performed over the Financial Administration Act Section 34 certification.

Under the Section 34 of the FAA, managers are required to certify that:

  • goods were supplied or the service rendered;
  • the price charged is in accordance with the contract;
  • supporting documentation is complete;
  • the financial coding is correct; and
  • the payee is eligible and entitled to the payment.

In accordance with the Treasury Board (TB) Directive on Account Verification, Health Canada employs a risk-based approach in performing the quality assurance review over FAA Section 34 account verification process. A well-functioning quality assurance process ensures that a high standard of integrity and accountability is maintained in the spending of public money and supports sound stewardship of financial resources.

The quality assurance process aims at ensuring that the FAA Section 34 certification is properly and consistently performed. This provides assurance that transactions are valid, accurate and properly authorized. For high risk transactions, it acts as a main control to ensure that the transactions are accurate and valid, and that errors (if detected) are corrected prior to payment. For low risk transactions, the quarterly sampling results provide insight into the effectiveness of the FAA Section 34 certification and, if necessary, action plans can be developed. For both types of transactions, errors are corrected where deemed necessary.

As illustrated below in Diagram 1, all transactions undergo a minimum quality assurance which focuses on verifying the appropriateness of: FAA Section 34 authorization, the financial coding and vendor information. A risk profile (low or high) is then assigned based on the nature and value of the transactions through a "gating" process.

Diagram 1: Quality Assurance Review Process

figure

Text description

This is a flow chart showing the Quality Assurance Review Process.

Start - Transactions

Step 1: Minimum Quality Assurance

Step 2: Data Entry

Step 3: Sorting High Risk vs. Low Risk (gating); this step can have two different outcomes:

  • High Risk OR
  • Low Risk

If high risk: the next step is: Full Quality Assurance

The last step after Full Quality Assurance is: Payment Process

If Low Risk: the next step is: Payment Process

The last step after Payment Process is: Sample of Low Risk Transactions is sent for Full Quality Assurance (Post-Payment Quality Assurance Process)

Source: Health Canada Statistical Sampling Training Guide (2009-10)

Transactions deemed as high risk undergo full quality assurance prior to payment. This includes verifying whether the backup documentation provided supports the payment request, whether the financial coding is appropriate, that claimed amounts are in accordance with the corresponding contract or funding agreement, and that procurement documents and payment requests comply with TB and departmental policies.

Those identified as low risk are paid immediately after the minimum quality assurance is performed and are subject to a full quality assurance through quarterly statistical sampling. This process is referred to as the Post-Payment Quality Assurance Process.

Errors identified through quality assurance that put into question the validity of the payment request must be followed-up and corrected, such as inappropriate FAA Section 34 financial signing authority, or an invoice price that is not in accordance with the contract/funding agreement.

Table 1 provides a breakdown by risk profile of the transactions recorded in fiscal year 2012-13. It demonstrates that even though the proportion of high risk transactions was 6% of the total population in terms of number, these transactions represented 88% of the total dollar value.

Table 1: Transactions by risk profile, fiscal year 2012-13
Risk Profile No. of Transactions Value
('000) (%) ($ M) (%)
High 23  6 2,518 88
Low 389 94 352 12
Total 412 100 2,870 100

Source: Departmental financial system, fiscal year 2012-13.

Quality assurance over FAA Section 34 account verification encompasses most payment transactions including grants and contributions, account payables, travel claims, honoraria, acquisition cards etc. However, it does not cover salary and wage expenditures as they are subject to a different quality assurance process which is discussed in Section 3.2 of this report.

The main aspects of the quality assurance process include:

  • the gating of transactions;
  • the identification of errors in account verification;
  • quality assurance on grants and contributions payments;
  • the logging of results of quality assurance review; and
  • the statistical sampling for low risk transactions.

Gating of transactions for the quality assurance process

The gating of transactions is an important aspect of the quality assurance process. It determines whether a transaction is low risk or high risk, thereby determining the level of quality assurance (minimum or full) to be performed prior to payment. As in 2011 and 2012, this year's audit tests determined that the gating of transactions is working effectively.

Identification of errors in account verification

The quality assurance review entails verification that FAA Section 34 account verification has been performed properly. This process provides evidence on the effectiveness of FAA Section 34 account verification.

The audit tested a random sample of 25 transactions, recorded in fiscal year 2012-13 from six regions (National Capital Region, Ontario, Manitoba, Pacific, Saskatchewan and Alberta). The results indicated that the quality assurance function was adequately performed and that all errors were identified. This finding is consistent with year 2.

Logging of results of quality assurance review

Health Canada's Statistical Sampling Training Guide requires that all errors identified during the quality assurance review for both low and high risk transactions be logged in SAP. This is regarded as the most significant output of the quality assurance process as it provides the necessary data to report on the overall adequacy and reliability of the account verification process, and allows management to develop corrective actions where necessary, in line with the TB Directive on Account Verification.

In year 1, the audit noted that not all errors were being recorded, as required.  In response, actions were committed as noted in Appendix D, recommendation 2. The current audit found that, for the sample of 25 transactions reviewed, all errors had been logged in SAP.

Quality assurance of low risk transactions

As previously mentioned, all low risk transactions undergo minimum quality assurance prior to payment. In addition, a sample of these transactions is selected on a quarterly basis, to undergo full quality assurance. CFOB analyses errors and develops the action plans. For this type of testing, the Department has established a tolerable error limit of 8%. That is to say that management considers the FAA Section 34 account verification process to be operating effectively if the error rate from the statistical sample is less than 8%. Where sampling results for a region are greater than 8%, senior finance officers are required to develop an action plan to address any issues identified through an analysis of the errors. The 8% rate was determined by Health Canada as the TB Directive on Account Verification provides no guidance in this area. The Department considers this to be appropriate as it aims to achieve operating effectiveness of internal controls over financial reporting and focuses on continuous improvement and enhancing controls. This rate has remained unchanged since 2012.

In year 1, it was noted that the level of analysis on error rates resulting from statistical sampling was varied. It was recommended that clear guidance be developed on the additional work required when the tolerable error rate has been exceeded in order to demonstrate the adequacy and reliability of account verification. In response, management has developed and implemented an action plan as noted in Appendix D, recommendation 3.

Similarly to the previous year, auditors reviewed the results of the statistical sampling on low risk transactions. In the current year, the review included all four quarters of fiscal year 2012-13. The results indicated that 525 out of 8,605 transactions sampled were identified with critical errors for a weighted error rate of 3.3% for the Department; hence, below the tolerable limit (8%). In comparison, in 2012 and 2011, the overall error rates were 3.9% and 5.2% respectively. This suggests that the FAA Section 34 account verification process is making progress from a departmental perspective. However, the results reviewed also showed variability in the error rates from statistical sampling results among the regions, and by quarter. It was noted that regions with error rates in excess of the tolerable limit had prepared management action plans to address the issues identified.

In conclusion, select key financial controls related to quality assurance over FAA Section 34 certification are operating effectively.

2.3 FAA Section 33 certification

Audit criterion: Certification under Financial Administration Act Section 33 is performed and appropriate segregation of duties exists with Financial Administration Act Section 34 certification.

The authority to request payments in accordance with Section 33 of the FAA is referred to as payment authority. Pursuant to this section, a financial officer with delegated payment authority must ensure that:

  • FAA Section 34 was properly exercised by validating that the Section 34 signatory had a valid delegated authority to authorize the expense and that there is auditable evidence that the quality assurance over the adequacy of the Section 34 account verification has taken place; and
  • expenditures are a lawful charge against the appropriation.

The FAA Section 33 payment authorization performed by financial officers is a key control to ensure the accuracy and legality of transactions.

The auditors evaluated the performance of the FAA Section 33 certification using the sample of transactions selected for the quality assurance review and came to the same conclusion as in 2011 and 2012. Financial officers approving payments under FAA Section 33 had valid delegated authority and were not the same individual certifying under FAA Section 34.

2.4 Management review of expenditures and commitments

Audit criterion: Cost centre managers review commitments and expenditures recorded in SAP for completeness, validity and accuracy.

Health Canada's Policy on Budget Management, which is part of the departmental Budget Management Framework, requires that cost centre managers be accountable and responsible for their assigned budgets. This includes the effective stewardship and control over budgets and commitments and the monitoring of surpluses/deficits and forecasts on an ongoing basis.

Cost centre managers, with the support of branch senior financial officers (in the National Capital Region) and regional senior financial officers (in other regions), are required at month-end to review expenses charged to their cost centres through Health Canada's management variance reporting (MVR) process. The activity entails a review of the validity, accuracy and completeness of expenses. CFOB is responsible to ensure that the month-end MVR exercise is adequately conducted and documented through a challenge function. This process is considered a key control over financial reporting.

As with the past two audits, our documentation review and interviews demonstrated that cost centre managers review commitments and expenditures recorded in SAP for completeness, validity and accuracy.

2.5 Accrued liabilities at year-end

Audit criterion: Senior financial officers review and challenge the completeness, validity and accuracy of transactions payable at year-end.

As per the TB Policy on Payables at Year-End (PAYEs) departments and agencies must identify and quantify liabilities to outside organizations and individuals resulting from operations up to and including March 31st in each fiscal year. In the absence of certainty, estimates must be used to determine the amounts of liabilities, as long as reasonably accurate values can be assigned.

As per the departmental year-end procedures, cost centre managers and administrators must submit PAYE requests for goods and services of value greater than or equal to $1,000 (except for salary related items where the minimum threshold is $400, for interdepartmental settlements where there is no threshold and for grants and contributions where there is no minimum threshold), for which an invoice has not been received or when account payables or payments cannot be recorded by the required cut-off date.

In addition, senior finance officers are responsible for reviewing and challenging PAYEs to ensure that the appropriate supporting documentation is present before posting them to the SAP.

For fiscal year 2012-13, PAYEs amounted to $153 million compared to $132 million for fiscal year 2011-12.

The audit tested the review and challenge function exercised over both PAYEs related to the previous fiscal year that had yet to be cleared and PAYEs recorded as part of the 2012-13 year-end procedures. For both types of transactions, sufficient evidence was provided to demonstrate adequate management oversight. Our review demonstrated that financial officers review and challenge the completeness, validity and accuracy of transactions payable at year end.

2.6 System access and segregation of duties

Audit criterion: Access to SAP is restricted and the segregation of duties is enforced.

The segregation of duties is a key concept in internal control that mitigates the occurrence of fraud and errors. An example of incompatible duties that must be segregated is the maintenance of vendor master files and the recording of purchase orders. In order to monitor the segregation of duties in the departmental financial system, Health Canada follows tests that have been standardized across the federal government. These tests are based on a matrix of critical functions which rate risk as low, medium or high. Prior to granting or modifying access, CFOB performs these tests to ensure that it does not result in incompatible functions. In addition, on a regular basis, the Corporate Service Branch (CSB) conducts tests to monitor the segregation of duties.

As identified in the 2011 Audit of SAP General Controls, enhancements to the monitoring program are required to detect and address situations involving incompatible duties. Following year-end, enhancements had begun. Using computer-assisted audit techniques, auditors tested additional functions that were not included to determine whether individuals had access to incompatible functions. The results indicated that 17 users had access to incompatible duties at some point during the fiscal year (for example: the posting of invoices in the departmental financial system and the processing of payments). Out of those 17 users tested, it was noted that three users in a number of instances, had posted invoices through feeder systems and also requested its payment in the financial system. This consists of an inadequate segregation of duties that increase susceptibility to errors and fraud.

In 2012, the key financial controls year 2 audit recommended that the Chief Financial Officer, in collaboration with the assistant deputy minister of CSB, ensure that appropriate segregation of duties be enforced; and that the monitoring of segregation of duties in SAP be performed according to the established monitoring schedule. In response, actions were committed and interim measures were implemented as noted in Appendix D, recommendation 1.

In conclusion, although progress has been made towards the access to the departmental financial system and the enforcement of the segregation of duties, some improvements are still required.

2.7 Journal entry review

Audit criterion: Journal entries are reviewed by a second person and accompanied by appropriate supporting documentation.

At the time of the audit, there was no policy incorporating journal voucher requirements. However, the Financial Operations Directorate (FOD) issued a publication on March 22, 2013 advising of the requirement for more stringent verification controls for routine and non-routine journal vouchers. At that time, it was also indicated that a policy on journal vouchers would be forthcoming shortly.

In its publication, FOD indicated that:

"...Journal Vouchers (JVs) are one of the methods of making adjustments to accounts in SAP, and must be properly controlled to ensure that financial information accurately reflects the activities of the department. As part of the ongoing testing of financial processes, gaps in controls have been identified. These gaps must be successfully addressed in order to have auditable Financial Statements. One of the deficiencies noted has been in the area of verification controls for routine and non-routine journal vouchers.

A JV request must include:

  • The journal voucher request form;
  • a source document such as a copy or screen-print of the SAP Detailed Expenditure (100) Report and/or other supporting documentation;
  • a description / reason for the JV; and
  • approval by the responsible financial manager(s)."

As part of the audit, and as it was also identified by the Internal Control Division (ICD) through its effectiveness testing of the internal controls over financial reporting, we found inconsistent documentation and review procedures in place for the processing of JVs. Journal voucher forms are rarely used and we found many occasions where there were no signs of review by a second person, that is to say the responsible financial manager.

The weaknesses in the internal controls surrounding JVs could lead to potential material misstatement. The MVR process is a compensating control but it is still expected that JVs be entered, reviewed and documented appropriately.

However, the initiatives taken by FOD through its recent publication and intention to adopt a formal policy is a key step in strengthening the internal controls over JVs. For this reason, no recommendation is being proposed at this time.

3. Select key financial controls specific to classes of transactions

3.1 Grants and contribution agreements

Audit criterion: Select key financial controls specific to the processing of grants and contributions agreements are operating effectively.

Agreement/Recipient risk assessments

Since 2010, programs are required to use the ERM-ARRAT which is designed to assess and manage the risks associated with recipients and funding agreements. This tool is to be used to assess risks annually for all funding agreements, as well as to reassess risks for existing multi-year agreements.

The recipient's risk rating profile determines the risk tolerance strategy, which includes risk mitigating activities such as determining the amount of advance payments, establishing applicable holdbacks, and monitoring activities. This means that recipients with the highest risk are subject to a lower advance payment, a maximum holdback on the final payment and an increase in reporting requirements. Conversely, recipients with a low risk can benefit from a higher advance payment, are subject to a minimum holdback and to a decrease in reporting requirements.

Prior to the approval of the funding agreement and FAA Section 32 spending authority, program officers are responsible for ensuring that a risk assessment has been conducted and that advance payments and applicable holdbacks are in accordance with the established risk tolerance strategy. However, the audit found that this was not always performed. As a result, they cannot ensure that the advance payments and holdbacks are correct.

In 2012, the Audit of Key Financial Controls-Year 2 recommended that that the CFO ensure that the results of the annual risk assessments be properly reflected in the agreements that are put forward to support grants and contributions payments. In response, actions were committed as noted in Appendix D, recommendation 2.

Reconciliation of payment transactions between grants and contributions systems and the departmental financial system

Grants and contributions payment requests are initiated in MCCS and the Lotus Notes Grant and Contribution Database. MCCS is used by the FNIHB programs and the Lotus Notes database is used by other branches. Reconciliations between these systems and SAP contribute to providing assurance that grants and contributions agreement expenditures are complete and accurate.

Monthly reconciliations of both MCCS and Lotus Notes database to SAP are prepared in the National Capital Region by CFOB. The resulting variances are sent to regional/branch senior financial officers for comments and sign-off. These monthly reconciliations provide assurance that the transmissions of grants and contributions expenditures are complete and accurate.

The audit reviewed two months of fiscal year 2012-13 and found that the reconciliations had been prepared and reviewed for both systems.

Review and close-out of contributions agreements

The review and close-out of contribution agreements are necessary to ensure that all the terms and conditions have been met and that receivables arising from overpayment are recorded in the departmental financial system and collected, as required.

The 2011 Audit of Key Financial Controls found that in some regions, no formal contribution agreement closure process existed, with the risk of having some outstanding receivables not being recorded and collected. A recommendation was made to address this issue.

The timely close-out and the communication of results to Finance are necessary to ensure the completeness and accuracy of the Department's financial information, specifically accounts receivable.

The audit reviewed a sample of six contribution agreements closed in the fiscal year. It was found that in all instances a close-out checklist was completed and receivable amounts were properly recorded in SAP.

In conclusion, except for the contribution closing process (where some progress has been made as reported in section 1.1 under Accounts receivable for grants and contributions), key financial controls specific to the processing of grants and contributions agreements are operating effectively.

3.2 Salary and wage expenses

Audit criterion: Select key financial controls specific to the processing of salary and wage expenses are operating effectively.

Compensation verifier review of pay registers

According to the TB Directive on Financial Management of Pay Administration and Guideline on Common Financial Management Business Process for Pay Administration, responsibilities for FAA Section 34 certification are to be shared between cost centre managers, compensation advisors and compensation verifiers at different stages of the pay administration cycle.

At Health Canada, compensation advisors and verifiers are part of CSB. Compensation advisors are responsible for the accuracy of pay input through FAA Section 34 certification. Compensation verifiers are responsible to review the payroll registers and individual salary payments as part of a quality assurance process. This review is the final opportunity to confirm the accuracy of payroll transactions.

In 2011, it was recommended that the compensation verifiers appropriately document pay verification, and that CSB continuously monitor the segregation of duties between pay creation and verification. In response, actions were committed as noted in Appendix D, recommendation 4.

The current audit reviewed a sample of 10 employee pay transactions against payroll registers and other output reports for fiscal year 2012-13 to determine whether verification was performed on the accuracy of payments. No payroll processing errors were identified as a result of this review and the pay verification was appropriately documented by compensation verifiers.

FAA Section 33 quality assurance review

The TB Policy on Internal Control states that the CFO is responsible for establishing and maintaining a system of internal control that is monitored, reviewed, and that timely corrective measure are taken when issues are identified. This includes a quality assurance review which provides assurance on the adequacy and reliability of the account verification process.

In the context of pay transactions, the current audit reviewed the Compensation Monitoring Framework developed in 2010 by CSB. This framework includes cyclical and on-site monitoring activities that are aimed at providing assurance that controls are effective. The latest draft framework was revised in June 2013, however monitoring had yet to be implemented during fiscal year 2012-13. Following year-end, the monitoring activities related to fiscal year 2012-13 had begun. As a result of this activity, a draft report has been prepared for the first three quarters with fourth quarter testing expected to be completed in October. Performing this control activity and sharing its results with the CFO is important as it serves to demonstrate whether controls over the pay process are operating effectively, and that account verification over pay transactions are adequate. A recommendation was made on this issue in the 2010 Audit of Payroll Administration and the monitoring function is now operational. For this reason, no additional recommendation is being proposed in this report.

In conclusion, pay verifier reviews have been adequately performed and are operating effectively. The implementation of on-going monitoring activities in fiscal year 2013-14 will provide greater assurance over the adequacy and effectiveness of account verification over pay transactions.

3.3 Non-insured health benefits

Audit criterion: Select key financial controls specific to the processing of non-insured health benefits are operating effectively.

The Non-Insured Health Benefits (NIHB) Program provides eligible First Nations and Inuit populations in Canada with coverage for a limited range of medically necessary health-related goods and services that are not provided through private insurance plans, provincial/territorial health or social programs, or other publicly funded programs. This includes pharmacy, dental, vision, mental health, medical supplies and equipment, medical transportation, provincial health premiums and other health care benefits. During the fiscal year 2012-13, approximately $1.09 billion was spent on NIHBs.

Reconciliation of NIHB claims processed in the Health Information Claims Processing Systemwith funding requests

Dental, pharmacy and medical supplies and equipment claims, which account for a significant part of all NIHB expenditures, are mostly processed and paid by an external service provider through the Health Information Claim Processing System(HICPS). The service provider summarises the claims processed and submits a claim for reimbursement. These claims are analysed and reconciled with information found in the HICPS and approved for payment (FAA Section 34). Claims are then forwarded to CFOB for FAA Section 33 certification and the payment is processed accordingly. These analyses and reconciliations are key controls aimed at ensuring that NIHB expenses are accurately recorded and processed in compliance with FAA requirements. These and other procedures and controls are documented for reference in the NIHB HICPS financial control framework. The audit concluded that the procedures and controls regarding NIHB expenditures processed through HICPS are applied effectively.

Review of the external audit report over HICPS claim processing

Health Canada obtains an annual audit report from the service provider. The corresponding audit is carried out by external auditors and provides assurance that the service provider's controls are appropriately designed and operating effectively in a manner that ensures the validity, completeness and accuracy of the claims processed. As in previous years, an unqualified opinion was issued by the external auditors for fiscal year 2012-13. NIHB Program management indicated their acceptance of the audit report.

In conclusion, the reconciliation of NIHB expenses with payment requests from the service provider are operating effectively and the service providers' controls over claims processing are operating effectively as evidenced by the external audit report. These provide assurance that controls specific to the processing of NIHBs are operating effectively.

3.4 Purchase of goods and services

Audit criterion: Select key financial controls specific to the processing of purchase of goods and services are operating effectively.

Review of contracts over $10,000

Up until February 2013, the departmental policy required that all purchases greater than $10,000, as well as all contract amendments regardless of dollar value, be approved by one of the contract and requisition control committees (CRCC). These committees were comprised of procurement and contracting officers and financial officers. The work of CRCCs was tracked in Health Canada's Contract Requisition and Reporting System (CRRS).

Approval by CRCCs helped to ensure that contractual documents are in accordance with Government Contracts Regulations, relevant policies, departmental delegation of financial authorities, and that an appropriate procurement vehicle is used. In addition to the review being conducted by the procurement officers, the review and approval by the CRCC provides assurance over the validity and accuracy of purchases of goods and services over $10,000.

In February 2013, the Department implemented a procurement service delivery model which includes the implementation of new SAP Procure-to-Pay (P2P) technology. In the new process, the CRRS is no longer in use and the Department is now using the P2P in SAP. The procurement and contracting functions are now centralized in the two hubs, Winnipeg and Ottawa.

As part of the new process, the majority of contracting and procurement transactions are approved by the Cost Centre Manager (CCM) and by the Procurement Specialist (PG classification).

Some high complexity/high sensitivity requirements will require approval by departmental review committee based on a two-tier governance model:

  • Tier I - New CRCC model.
    • Chaired by the responsible PG-05 managers and supported by subject matter experts, on an 'as needed' basis, such as a financial resource, legal and human resources expert.
  • Tier II - the Shared Services Contract Review Committee (SS CRC) providing oversight.
    • Chaired by senior management at the Department.
    • To complement and support Tier I, the SS CRC will review and recommend for approval any contracts that are particularly complex or deviating from policies and regulations.

In addition to the review of 25 tests performed by ICD, auditors tested a random computer-generated sample of 15 contracts to determine whether all purchase orders over $10,000, issued in fiscal year 2012-13, were reviewed appropriately. No significant errors were found.

In conclusion, select key financial controls specific to the purchase of goods and services are operating effectively.

3.5 Acquisition card purchases

Audit criterion: Select key financial controls specific to the processing of acquisition card purchases are operating effectively.

Official reconciliation report

Acquisition card purchases are paid prior to the reconciliation of purchases by the cardholder and FAA Section 34 certification, as permitted under the TB Directive on Account Verification. To provide assurance over the accuracy and completeness of acquisition card purchases, cardholders are responsible to complete transaction reconciliations to their statement of accounts. CFOB monitors these reconciliations to ensure that they are adequately completed. Interviews conducted with CFOB and documentation review provided evidence that this oversight role is adequately fulfilled.

Quality assurance over acquisition cards

In addition to the monitoring of monthly reconciliations, financial officers conduct quality assurance reviews of acquisition card transactions. All transactions are subject to a minimal quality assurance procedure to ensure that all items included on a statement are reconciled in SAP and that FAA section 34 is appropriately documented. High risk transactions undergo a full quality assurance review while lower risk transactions are subject to a full quality assurance on a sample basis. Since July 2012, the sample of lower risk transactions has been included as part of the statistical sampling exercise through the use of SAP as is the case for accounts payable transactions. Through this review, selected transactions are examined for appropriate supporting documentation and sign-off. Errors identified through this review are recorded.

The audit tested a sample of monthly statements which included transactions that underwent a full quality assurance to determine whether it was performed adequately and appropriately. No significant errors were identified as a result of this review. However, we have noted that the full quality assurance exercise consistently identifies errors related to the treatment of taxes (Goods and Services Tax, Harmonized Sales Tax or Provincial Sales Tax) made by the cardholders when reconciling their statement. The Department may wish to improve the way taxes are being automatically calculated by the system.

Furthermore, although we have found that the quality assurance is being exercised effectively, some of the errors identified through this control require that the cardholder make necessary changes (coding or tax errors). The current error tracking function does not allow for proper follow-up on the required correction and as such, there is little oversight as to whether or not these errors are actually being corrected.

In conclusion, areas of improvement have been noted, and both the reconciliation of payments to acquisition card transactions, and quality assurance review are operating effectively.

3.6 Drug submissions and evaluation revenues

Audit criterion: Select key financial controls specific to the processing of drug submissions and evaluation revenues are operating effectively.

In fiscal year 2012-13, Health Canada's respendable revenue amounted to $108 million ($94 million in 2011-12), with drug submission and evaluation fees accounting for the largest share at $36 million ($26 million in 2011-12).

Drug submission and evaluation fees are tracked in the Drug Submission Tracking System (DSTS) that is operated by the Health Products and Food Branch (HPFB), and outside of SAP there is currently no interface between DSTS and SAP, DSTS data has to be inputted manually in the financial system. The absence of an interface also requires the regular reconciliations of the amounts recorded in the two systems to ensure accuracy and completeness.

On a monthly basis, the designated individual in the program area reconciles invoiced amounts in their invoicing system (DSTS) against SAP to ensure the completeness and accuracy of the revenues recorded in SAP. In the current year, a sample of reconciliations was tested and it was found that the reconciliations performed were adequately designed and operating effectively.

In conclusion, tests conducted on fee revenues did demonstrate that the manual transfers and reconciliation activities are performed adequately.

3.7 Accounts receivable

Audit criterion: Select key financial controls specific to the processing of accounts receivable are operating effectively.

Health Canada's Policy on Receivables Management and Charging Interest on Overdue Accounts requires that all receivable transactions be invoiced, recorded and reported accurately and promptly. Failure to do so can result in receivables not being collected and inaccurate financial reporting. One of the most significant sources of accounts receivable comes from the closing of contribution agreements.

MCCS reports are compared to accounts receivable in SAP. In the current year, it was found that all receivable amounts tested in MCCS were found in SAP. However, we noted that there is no process in place for programs to notify Accounting Operations in advance of the collection of cash receipts related to non-FNIHB contributions and that there is no way for Accounting Operations to identify receivables using the Lotus Notes Grant and Contribution database as this information is not captured. Therefore, accounting operations may not be made aware of accounts receivable until payments are received subsequent to year-end.

In year 1 of this recurring audit, it was recommended that coordination be improved between accounting offices and contribution programs to ensure that all receivables, including those resulting from close-outs of contribution agreements, be recorded in the departmental financial system in an accurate and timely manner. In response, actions were committed as noted in Appendix D, recommendation 5. The key action items related to this recommendation have been implemented and no errors were noted in this year's testing.

In conclusion, while progress is being made to ensure that receivables resulting from the close-out of contribution agreements are recorded in the departmental financial system, more work is required to ensure the accuracy of the accounts receivable general ledger account.

Monitoring and reconciliation of suspense and clearing accounts

CFOB performs the monitoring and reconciliations of various suspense and clearing accounts including deposits, petty cash and interdepartmental settlements.

These reconciliations are generally performed on a monthly basis, but the frequency of the reconciliation may be different depending on the nature of the account or the volume of activity. Discrepancies and variances identified through the reconciliation process are raised with cost centres. Regular monitoring and the clearing of suspense accounts help to ensure the accuracy of financial information.

Evidence was obtained to support that reconciliations were performed on a regular basis and that account balances were verified.

Overall, the monitoring and reconciliations of suspense and clearing accounts worked effectively throughout fiscal year 2012-13.

3.8 Capital assets

Audit criterion: Select key financial controls specific to the processing of capital assets are operating effectively.

Health Canada's Asset Management Policy Framework defines capital assets as assets with a useful life greater than one year, and a per-item cost of $10,000 or greater. Health Canada holds a variety of capital assets including buildings, machinery, equipment and vehicles. As per the Department's financial statements, the value of these assets (net of accumulated amortization and impairment losses) amounted to $137 million as at March 31, 2012 and $140 million as at March 31, 2013.Due to the significance of this amount, regular reviews of the capital asset inventory are needed to ensure the accuracy of the information found in the financial statements.

Physical count of capital assets

In 2009, CFOB started to conduct an annual review of its capital asset inventory aimed at ensuring that Health Canada's capital assets are well managed and properly accounted for. Once the review is complete, the necessary changes/adjustments are made in the departmental financial system. In 2012, in addition to the CCMs being asked to verify asset existence and completeness, the Materiel and Assets Management Division also performed physical count verification procedures on all high dollar value items and a sample of other assets for quality assurance.

The auditors reviewed the reports produced as part of the annual review exercise and quality assurance procedures to ascertain whether appropriate actions were taken to address the issues raised in the reports. The review showed that management is making progress in addressing the issues, such as assets with inaccurate cost centre number/cost centre manager name information.

In conclusion, the select key controls specific to the processing of capital assets are operating effectively.

C - Conclusion

Based on the results of the audit work, it was determined that in general, Health Canada's internal controls over financial reporting are operating effectively in mitigating the risk of material misstatement.

While no new recommendations have been made in this audit, we have noted that work remains on several of the recommendations made in prior years. The implementation of management action plans to address prior year recommendations must continue to progress.

An overview of the effectiveness of key financial controls, and progress made on the prior year's recommendations are presented in Appendix B and Appendix D respectively.

Appendix A - Specific lines of enquiry and criteria

Specific lines of enquiry and criteria
Criteria title Audit criteria
Line of enquiry 1: Whether progress was made on prior year's recommendations
Line of enquiry 2: Select key financial controls common to all classes of transactions are operating effectively to ensure completeness, validity and accuracy of transactions.
2.1 Delegation of financial signing authorities Controls over the maintenance of specimen signature cards ensure that delegations of financial signing authorities are valid.
2.2 Quality assurance process over the Financial Administration Act (FAA) Section 34 certification Quality assurance is performed over FAA Section 34 certification.
2.3 FAA Section 33 certification Certification under FAA Section 33 is performed and appropriate segregation of duties exists with FAA Section 34 certification.
2.4 Management review of expenditures and commitments Cost centre managers review commitments and expenditures recorded in SAP for completeness, validity and accuracy.
2.5 Accrued liabilities at year-end Senior financial officers review and challenge the completeness, validity and accuracy of transactions payable at year end.
2.6 System access and segregation of duties Access to SAP is restricted and the segregation of duties is enforced.
2.7 Journal entry review Journal entries are reviewed by a second person and accompanied by appropriate supporting documentation.
Line of enquiry 3: Select key financial controls specific to classes of transactions are operating effectively to ensure completeness, validity and accuracy of transactions.
3.1 Grants and contribution agreements Select key financial controls specific to the processing of grants and contributions agreements are operating effectively. 
3.2 Salary and wage expenses Select key financial controls specific to the processing of salary and wage expenses are operating effectively. 
3.3 Non-insured health benefits Select key financial controls specific to the processing of non-insured health benefits are operating effectively. 
3.4 Purchase of goods and services Select key financial controls specific to the processing of purchase of goods and services are operating effectively. 
3.5 Acquisition card purchases Select key financial controls specific to the processing of acquisition card purchases are operating effectively. 
3.6 Drug submissions and evaluation revenues Select key financial controls specific to the processing of drug submissions and evaluation revenues are operating effectively. 
3.7 Accounts receivable Select key financial controls specific to the processing of accounts receivable are operating effectively. 
3.8 Capital assets Select key financial controls specific to the processing of capital assets are operating effectively. 

Appendix B - Scorecard

Scorecard
Line of enquiry 1: Prior years' recommendations 2011 Recs 2012 Recs 2013 Recs  
Progress made on prior year's recommendations       CNMO
Line of enquiry 2: Select key common controls        
1. Delegation of financial signing authorities 1     CNMI
2. Quality assurance over the Financial Administration Act (FAA) Section 34 certification 2,3     COE
3. FAA Section 33 certification 2,3     COE
4. Management review of expenditures and commitments (Management variance reporting exercise)       COE
5. Accrued liabilities at year-end       COE
6. System accesses and segregation of duties   1   CNMO
7. Journal entry review       CMNI
Line of enquiry 3: Select key specific controls
  Statement of Operations Balance Sheet
Contribution Agreement Salaries and Wages Non-Insured Health Benefits (NIHB) Purchase of Goods and Services Acquisition Card Purchases Drug Submissions and Evaluation Revenues Account Receivables Capital Assets
1a. Review of recipient risk assessments   2   CNMO              
1b. Reconcialition of commitments and payments transactions between contribution systems and SAP       COE              
1c. Review and close-out of contributions agreements 5     CNMI              
2. Quality assurance over payroll (peer verification) 4       CNMI            
3a. Review of 3416 type report over non-insured health benefit (NIHB) claim processing           COE          
3b. Reconciliation of NIHB claims processed in Health Information Claim Processing System (HICPS) with payments in SAP           COE          
4. Review of contracts over $10,000             COE        
5. Reconciliations of card statements of account               CNMI      
6. Reconciliation of the drug submission database with SAP                 COE    
7. Monitoring and reconciliation of suspense and clearing accounts                   COE  
8. Physical count of capital assets                     COE

COE Controls operating effectively

CNMI Controls need minor improvement

CNMO Controls need moderate improvement

CNI Controls need improvement

CNO Controls not operating

CNC Controls not covered within the audit scope

Appendix C - Health Canada's internal control over financial reporting framework

Health Canada's internal control over financial reporting framework
Control Environment Financial Risk Assessment & Financial Risk Management Monitoring
  • Public Service Values
  • Learning, Innovation and Change Management
  • Policy and Programs
  • People
  • Citizen-Focused Service
  • Risk Management
  • Stewardship
  • Accountability
  • Governance and Strategic Directions
  • Results and Performance
Health Canada's internal control over financial reporting framework
Control Environment Financial Risk Assessment & Financial Risk Management Monitoring
  • Public Service Values
  • Learning, Innovation and Change Management
  • Policy and Programs
  • People
  • Citizen-Focused Service
  • Risk Management
  • Stewardship
  • Accountability
  • Governance and  Strategic Directions
  • Results and Performance
  • Financial Operating Objectives
  • Financial Reporting Risks
  • Fraud Risk
  • Ongoing and Separate Monitoring and Assessment
  • Reporting and Deficiencies
Control Activities

For each business process below: 1) cost effective control activities 2) integration with assessment of risks over financial reporting 3) supporting policies and procedure assessment, and 4) management of information (e.g. IT Applications Controls and Database and Records Management controls)

Management of Parliamentary Appropriations
  • Budgeting
  • Management Variance Reporting
  • Funding and Resource Allocation (TB Submissions)
Revenue/
Respendable/
Receipts
  • Revenues
  • Accounts Receivable
  • Cash Receipts
  • Interdepartmen-tal Settlements
Purchasing/
Payables/
Payments
  • Transfer Payment
  • Vendor Master Data
  • Purchase Order - Purchase Requisition - Contracting
  • Acquisition Card - Hospitality
  • Travel Card - Receipt of Goods
  • Invoice Postings
  • Petty Cash - Asset Management
  • Programs
  • Interdepartmental Settlements
  • Payments
Payroll
  • Employee Data
  • Processing of Payment
  • Advance/Over Payment
  • Reconciliation
  • Period End Close
Capital Assets
  • Asset Management
Financial Statements, Year-End and Reporting
  • General Ledger Maintenance
  • Non-Recurring Transactions
  • Period Close
  • Consolidations
  • Financial Statements Preparation
  • Accruals and Management Estimates
Financial Reporting Information Internal Communication Internal Control Information
External Communication

Appendix D - Overview of progress made on prior year's recommendations

Audit of Key Financial Controls (Year 1)
Recommendation 1 Accountability
Ensure that specimen signature cards are terminated through the year on a timely basis.  Chief Financial Officer Branch (CFOB)
Actions Initial Date Management's Suggested Expectation Date Status (*)
1. Revise and approve departure form and process. 2012-03-30 2013-11-30 3
2. Prepare and implement communication strategy for mandatory usage of new departure form and process. 2012-03-30 2013-11-30 3
3. Communicate to all staff via Health Canada Broadcast News. 2011-11-30 2013-11-30 3
4. Implement periodic monitoring tool. 2012-09-28 2013-01-05 5
Recommendation 2 Accountability
Ensure that the quality assurance process is improved in the identification and logging of critical errors and in the reporting of results, specifically with grants and contributions transactions and acquisition card transactions. CFOB
Actions Initial Date Management's Suggested Expectation Date Status (*)
1. Update Health Canada Statistical Sampling Plan. 2011-12-23 2012-05-16 5
2. Communicate enhancements and updates by conducting information session(s) with accounting offices. 2012-01-13 2012-06-30 5
3. Monitor the implementation of procedures by following-up on sample of transactions reviewed. 2012-10-31 2013-05-01 5
4. Report results of acquisition card transaction quality assurance. 2012-03-30 2013-01-30 5
Recommendation 3 Accountability
Develop clear guidance on the additional work required when the tolerable error rate has been exceeded in order to demonstrate the adequacy and reliability of account verification. CFOB
Actions Initial Date Management's Suggested Expectation Date Status (*)
1. Update Health Canada Statistical Sampling Plan. 2011-12-23 2013-05-01 5
2. Communicate enhancements and updates by conducting information session(s) with accounting offices. 2012-01-31 2013-05-01 5
3. Review error reports provided by the accounting offices on a quarterly basis and verify that the required level of analysis was performed and that the follow-up actions are appropriate. 2012-04-30 2012-10-26 5
Recommendation 4 Accountability
Ensure that the pay verification is appropriately documented by compensation verifiers and that the segregation of duties is continuously monitored between pay creation and verification in the online pay system. Corporate Services Branch (CSB)
Actions Initial Date Management's Suggested Expectation Date Status (*)
1. Remind all Health Canada compensation units of the mandatory requirement to utilize the verification stamp for all pay actions. 2011-11-30 2012-07-03 5
2. Monitor usage of the verification stamp. 2012-03-31 2013-08-22 5
Recommendation 5 Accountability
Ensure that coordination is improved between accounting offices and contribution programs to ensure that all receivables, including those resulting from close-out of contribution agreements, are recorded in the departmental financial system in an accurate and timely manner. CFOB,
First Nations and Inuit Health Branch (FNIHB).
Regions and Programs Bureau
Actions Initial Date Management's Suggested Expectation Date Status (*)
1. Summarize analysis on the assessment status of First Nations and Inuit health contribution agreement reports from the current year and prior years. 2011-11-30 N/A 5
2. Reconcile financial information between the Department's financial system with the Management of Contracts and Contributions System (MCCS) and record accounting adjustments. 2011-12-30 2013-05-01 5
3. Update Health Canada Accounts Receivable Policy and procedures. 2012-03-30 2013-10-31 2
4. Communicate enhancements and updates via Health Canada Broadcast News. 2012-04-30 2013-10-31 1
5. Update FNIHB procedure and guideline in line with the Accounts Receivable Policy and procedures. 2012-08-31 2014-02-28 1
6. Prepare monthly status report on all FNIHB contribution agreements to monitor the status of file review and to record financial information in the Department's financial system to enhance the accuracy of the Departmental Financial Statements. 2011-12-30 2012-11-08 5

* Status Description

1 No progress or insignificant progress

2 Planning stage

3 Preparations for implementation

4 Substantial implementation

5 Full implementation

Audit of Key Financial Controls (Year 2)
Recommendation 1 Accountability
Ensure that appropriate segregation of duties is enforced; and that monitoring of segregation of duties in the departmental financial system is performed according to the established monitoring schedule. CFOB
Actions Initial Date Management's Suggested Expectation Date Status (*)
1. As an interim solution, under the current decentralised environment, CFOB will perform, on a quarterly basis, a reconciliation of users with access to both MCCS and SAP to ensure appropriate segregation of duties exists. 2012-12-31 2013-01-30 5
2. On a longer term basis, under a hub service delivery structure, CFOB will maintain the segregation of duties by ensuring that segregation exists on a functional basis. 2013-12-31 N/A 3
Recommendation 2 Accountability
Ensure that, results of the annual risk assessments are properly reflected in the agreements that are put forward to support grants and contribution payments CFOB
Actions Initial Date Management's Suggested Expectation Date Status (*)
1. The current policies, procedures and guidelines will be amended to prescribe the alignment of risk assessments with the financial components of transfer payment agreements. 2013-09-30 2014-04-01 1
2. The transfer payment approval routing process will be revised to include the requirement for reviewing and approving the alignment of the annual risk assessments with the financial components of the transfer payment agreements by the appropriate Branch or Regional Senior Finance Officer (B/RSFO). 2013-09-30 2014-04-01 1
3. The revised policies, procedures and guidelines, and corresponding routing process, will be communicated to B/RSFOs and programs. 2013-09-30 2014-04-01 1

* Status Description

1 No progress or insignificant progress

2 Planning stage

3 Preparations for implementation

4 Substantial implementation

5 Full implementation

Page details

Date modified: