The department’s financial management control framework consists of the organizational structure, the delegation of financial authorities, segregation of duties, departmental policies and guidelines to supplement Treasury Board policies, financial training and support to staff, claim and account verification processes and an oversight function.
Criterion: A current, well designed and documented financial management control framework (including structure, policies, and roles) exists at WD that is communicated for consistent implementation across the department.
WD currently does not have a formally integrated and documented financial management control framework to manage its resources. Some practices and procedures are documented and available on the intranet, but they are not well integrated and consolidated into a single, comprehensive framework. Over time, Regional Finance Managers have developed and implemented their own control processes to help carry out their responsibilities. Regional practices are not always consistent across the department.
WD has developed and communicated financial policies, procedures and guidelines with respect to key areas of financial management. The departmental policies are consistent with the Treasury Board policies and are kept current. Staff can easily access these financial policies on the intranet. WD only writes internal policy to further clarify Treasury Board policies and legislation and links back to the original Treasury Board policies. The department is conducting a policy suite renewal to update existing policies in line with the expected changes to the Treasury Board financial management policy suite.
Corporate Finance is responsible for writing and communicating financial policies and procedures and for providing policy interpretation or expert advice. In the auditor’s opinion, the Branch’s intranet site is well organized, with appropriate policies, references and convenient links to Treasury Board financial policies. However, some of the documents are still in draft form and some links to policies do not work. Both Corporate Finance and regional finance managers provide interpretations on these policies to managers and staff. The regions have implemented various means for communicating financial management policies, such as:
These examples of ad hoc training all contribute to strengthening financial management awareness and capacity in the department. However, WD currently does not have a comprehensive and consistent financial management training strategy similar to the department’s contracting training strategy.
Recommendation #1: The department should develop, implement and communicate an integrated financial management control framework. In doing so, the department should consider the following:
Recommendation #2: The department should develop a comprehensive financial management training strategy.
Criteria: WD has a current approved delegation of authority matrix complete with specimen signature cards. Individuals with the delegated authority have appropriate training and tools to support their discharging of that authority.
Through the Delegation Documents, the Minister delegates the authorities for financial administration to WD managers. WD delegation documents include the Delegated Financial Signing Authorities (Matrix), the Delegation of Financial Signing Authorities Policy and the Specimen Signature Document. WD’s delegation matrix was signed by the Minister for financial and non-financial authority and is current. The policy and procedural guidelines are available to all staff on the intranet. All managers with delegated signing authority have completed the mandatory Authority Delegation Training (ADT).
Regional finance managers maintain specimen signature cards that are issued for the appropriate level of authority after completion of mandatory training. When managers are absent, signing authority is not transferred if the acting individual has not completed the training. In one region, one human resource officer and one contracting officer had the section 34 signing authority but these employees had not completed the mandatory training. The regional finance manager indicated that the authority has since been revoked but the signature cards had not been updated at the time of the audit. Currently, the Chief Learning Officer keeps track of mandatory authority training requirements for staff and the training information is forwarded to Finance, who creates a specimen signature card after formal training has been completed.
Finance officers frequently conduct quality assurance reviews to ensure that the delegated authority processes are working as intended. However, the department should ensure that all its monitoring and review processes are integrated into a well-defined financial management control framework. To work effectively, ongoing and active monitoring processes should be tailored to the specific elements and key risks inherent in the management control framework (see Recommendation #1).
Criterion: Controls in place to ensure compliance with sections 32, 33 and 34 are working effectively.
Expenditure management is governed by three specific sections of the Financial Administration Act: Sections 32, 33 and 34.
Section 32 of the FAA: Expenditure Initiation and Commitment Authority. It is the authority to enter into contracts or other service arrangements that will result in a charge to the departmental appropriation.
Section 34 of the FAA: Contract Performance. Contract performance is the authority to certify that the receipt of goods and/or services is in accordance with the terms and conditions of a contract or other relevant arrangement and the availability of funds for payments.
Section 33 of the FAA: Payment Authority. Designated finance officers exercise this final approval authority to release payments once they determine that the appropriate section 34 approval has been granted.
The department has some well defined processes in place for approvals of both grants and contributions and operating expenditures.
From a variety of sources, the auditors were able to gain a good understanding of the various processes in place to support ongoing compliance with sections 32, 33 and 34 of the FAA. The auditors sampled grants and contributions and operating expenditure transactions from two test months in the period covered in the audit. The auditors tested all regions and headquarters.
The auditors selected a random and representative sample of 46 transactions: 26 were operating expenditures and 20 were grants and contributions. The following exceptions were noted:
With the exception of the above instances, all other transactions showed evidence of sections 32, 33 and 34 of the FAA being exercised appropriately. All of the instances observed above were of a technical or administrative nature that can be addressed through the combination of improved and consistent processes and staff training and awareness.
Recommendation #3: The department should strengthen and standardize the monitoring and review practices around the approvals of sections 34 and 33 of the Financial Administration Act.
Recommendation #4: The department should ensure that all financial files are well maintained with all supporting and pertinent information on file.
Criteria: Well documented controls are in place to segregate incompatible duties. Staff comply with and understand these controls.
Corporate Finance Branch ensures adequate segregation of duties primarily through the authority delegation matrix and financial system access controls. The department does have a Delegation of Authority Policy that explains the principle of segregation of duties and the departmental controls in place to ensure adequate segregation of duties.
Regional Finance Managers in regions are super users of the financial system (i.e., they have access to sections 32, 34 and 33 profiles). The auditors noted that in one transaction, the Regional Finance Manager entered and approved an invoice for payment, batched the claim and initiated the section 33 process. While section 33 sign-off is a two-stage process that requires final review by Corporate Finance, the financial system should trigger an event requiring executive override and generating an exception report for mandatory review. The Chief Financial Officer should ensure that the segregation of duties system controls are enhanced. Given the structure of the department, the Chief Financial Officer or the Deputy Chief Financial Officer should be the only individuals with the authority to approve the bypassing of segregation of duties in exceptional circumstances.
Recommendation #5: The department should modify its current financial system access controls to build in a formal executive approval process when one individual is approving more than one element of the same transaction.
For the most part, departmental financial system access controls and related security measures are in place and are operating as intended; however, the department can improve some of its processes.
The department recently developed formal procedures to define and maintain access rules or profiles and to delete access rights when a person leaves. The auditors found evidence that this notification of removing system access does not always occur on a timely basis. In some cases, WD’s systems staff only find out through follow-up on inactive accounts long after the employee’s departure date. At times, this control seems to be more passive than active. This practice leaves the department at risk of inappropriate access to the financial system if there is no documented process to update or review user profiles. This issue is somewhat mitigated by the fact that someone would also need WD network access to gain entry into the financial system through this inactive account.
The department does not have a formal mechanism to monitor user profiles for access violations, change in responsibilities or tracking for incompatible duties because it is not identified as a risk by the department. However, if departures and changes in responsibilities are not reported in a prompt manner, the department is exposed to the risk of inappropriate access to the financial system.
Generally, these system access controls are not documented. The department is at risk of a troublesome succession plan in the event that the three resident experts were to leave the department without adequate knowledge transfer.
Recommendation #6: The department should strengthen financial system user account management controls, specifically related to employee departures and periodic reviews of user profiles. All controls should be well documented to allow smooth knowledge transfer and succession planning.
Criterion: Financial management risks are identified, assessed and regularly updated with mitigation strategies developed and communicated to manage residual risks.
Informal financial risk management exists at all levels of the department; however, it tends to be intuitive and not well documented. Generally, the department does not document or formally assess its financial risks. It is difficult for the auditors to assess if any of the department’s mitigation strategies are sufficient to reduce residual risks to adequate levels within management’s tolerance.
The department developed its first Corporate Risk Profile in 2006 and it has not been updated since. In that Corporate Risk Profile, the department identified some financial risks as part of its eight key risks. To date, the Chief Financial Officer has not developed any formal mitigation strategies to deal with those identified risks.
The department performs a great deal of monitoring and reporting around ongoing financial management. The department’s processes are very sound; however, these actions are not formally linked to the financial risks identified in the Corporate Risk Profile. In addition, in the auditor’s opinion, the Chief Financial Officer needs to update the key financial risks currently facing the department.
At the transactional level, risk management for grants and contributions has significantly improved and is integrated into the due diligence and monitoring and payment roles.
Recommendation #7: The Chief Financial Officer should clearly identify key financial risks at the department level, assess those risks in terms of developing mitigation strategies to manage them effectively, and communicate the risks to senior management and all involved in financial management. The Chief Financial Officer should regularly reassess and update key financial risks to ensure those identified are current.