Audit of Acquisition Cards (2008-709)

2009-04-22

Table of Contents

• Main Points
• Introduction
• Focus of the Audit
• Observations
  • Management Control Framework
    • The Departmental Policy addresses the key requirements of the TB Policy on Acquisition Cards, but it needs to be updated
    • Roles and responsibilities are clearly defined and documented in the policy and generally well understood
    • Monitoring was done, but not on a consistent basis
    • There is no formal risk assessment process
  • Compliance with Policies and Procedures
    • Acquisition cards are generally being issued and distributed as set by TB and PWGSC policies, but improvements are needed
    • Acquisition card transactions generally comply with policies and procedures
• Conclusions
• Management Response
• Recommendations and Management Action Plan
• About the Audit
• Appendix A - Breakdown of transactions by region for fiscal year 2007/2008

Please note that under the Access to Information Act a limited amount of text within these documents may not be disclosed, and will be shown as [ * ].

Main Points

i. This Main Points is not a stand-alone document and must be read in conjunction with the body of this report.

What was examined

ii. Acquisition cards are credit cards that are made available government-wide through contracts established with acquisition card providers. The cards themselves are MasterCards and are provided through the Bank of Montreal. They enable the Department to purchase and pay for goods and services. While acquisition cards are issued to an employee, the card account remains the responsibility of the Crown with the Department paying the monthly acquisition card invoice.

iii. Public Works and Government Services Canada (PWGSC) has an acquisition card program that encourages the use of the cards for authorized, official government business purchases when it is economical and practical to do so. The cards, when properly used, are a cost-efficient method for making purchases under $10,000. Cards are used to buy such diverse items as computers and software, tools and hardware, equipment and furniture, office and maintenance supplies, training services, fees and subscriptions, storage services, as well as field supplies. According to the Treasury Board (TB) Policy on Acquisition Cards, acquisition cards are not to be used for travel or vehicle operations. Other government credit cards have been established for these purposes. The use of an acquisition card to obtain a cash advance is also prohibited by the TB policy.

iv. In 2007, the Auditor General assessed the role of PWGSC in providing overall direction and guidance on the acquisition card program. The Auditor General found that PWGSC and the Treasury Board Secretariat should monitor developments regarding the evolving practices of acquisition card programs to identify the benefits versus the incremental costs. Therefore, this aspect of the program was not examined as part of this audit.

Why it is important

v. The goal of the Government of Canada's acquisition card program is to provide a convenient, efficient, and cost-effective way to obtain and pay for goods and services. The program has grown rapidly since its implementation in 1991. As of March 31, 2008, PWGSC had 1,394 acquisition cards in circulation resulting in 62,625 transactions totalling $22.5 million during the 2007/2008 fiscal year. The use of acquisition cards has made it difficult to apply traditional financial controls, such as segregation of duties. Essential control cannot be achieved if organizations do not monitor and analyze cards, record and match charges, and carry out periodic audits and verifications of card transactions. It is important to identify trends and patterns to exercise control over cards.

What was found

vi. The acquisition card program has an adequate management control framework in place to reduce the risk that acquisition cards are used improperly or without authorization. The level of compliance with government and departmental policies and procedures for the administration, use, and monitoring of acquisition cards is high. While the results of our audit did not identify any losses or abuse, the following areas were identified as needing improvement:

• The Departmental Policy addresses the key requirements of the TB Policy on Acquisition Cards, but it needs to be updated.
• Monitoring was done, but not on a consistent basis.
• There is no formal risk assessment process.
• Acquisition cards are generally being issued and distributed as set by TB and PWGSC policies, but improvements are needed with regards to the cancellation process and transaction limits appear to be in excess of cardholder needs.
• Acquisition card transactions generally comply with policies and procedures, although there were a few issues relating to travel expenses and transactions over $10,000.

Management Response

Management accepts the findings of the report as being fair and accurate representation of the department of the departmental acquisition card program during the audit period.

Corporate Services, Policy and Communications Branch (CSPCB) will act on the three recommendations identified in the audit by implementing the attached Management Action Plan.

Recommentations and Management Action Plan

Recommendation 1: The ADM, CSPCB should update Departmental Policy 034 on Acquisition Cards and should periodically communicate to stakeholders, and particularly Regional Acquisition Card Coordinators, Responsibility Centre Managers, and cardholders their roles and responsibilities and restrictions imposed on the use of acquisition cards.

Recommendation 2: The ADM, CSPCB should conduct a formal risk assessment on the Department's acquisition card program to assess risk exposure and rank risks so that the highest-priority risks receive the greatest attention.

Recommendation 3: With regards to monitoring, the ADM, CSPCB should

• implement a continuous department-wide risk-based electronic monitoring process using data-mining to identify trends or patterns including questionable vendors, split transactions, or transactions of unusual amounts or relationships; and
• regularly review single purchase limits and monthly credit limits for all acquisition cards in circulation to ensure limits are not in excess of cardholder needs and that inactive cards are cancelled promptly.

Introduction

1. This audit project was approved as part of the 2008/2011 Audit and Evaluation Plan.

2. The Public Works and Government Services Canada (PWGSC) Receiver General function provides overall guidance and direction for the Government of Canada Acquisition Card Program. The Banking Arrangements Directorate, Accounting, Banking and Compensation Branch, tendered and awarded the current acquisitions card contract with the Bank of Montreal. The Directorate also monitors current and evolving practices related to the government's acquisition card program through regular discussions with financial institutions, industry leaders, and other jurisdictions; attendance at conferences and workshops; and review of current periodicals and articles. In 2007, the Auditor General assessed the role of PWGSC in providing overall direction and guidance on the acquisition card program. Therefore, this aspect of the program was not examined as part of this audit.

3. Within PWGSC, the Director, Materiel Management Directorate, Corporate Services, Policy and Communications Branch, as the Departmental Acquisition Card Coordinator, oversees the issuance and control of acquisition cards within the Department. Some of the Director's responsibilities include liaising with the banks and providing expert assistance to the Regional Acquisition Card Coordinators. The Director has delegated these duties to the Manager, Acquisition Card and Taxi Management, who performs these duties on a day-to-day basis. In addition, the Materiel Management Directorate is responsible for providing training and information sessions on Acquisition Card usage and on MILTON - the electronic payment system (replaced by SIGMA on April 1, 2008). The Materiel Management Directorate is also responsible for developing and promulgating Departmental Policy (DP) 034 - Acquisition Cards and for monitoring the acquisition card process by conducting annual verifications throughout the Department.

4. Regional Acquisition Card Coordinators assist the Materiel Management Directorate by performing tasks similar and complementary to those of the Departmental Acquisition Card Coordinator. Individual cardholders are responsible for the proper use of acquisition cards and the account verification process. Responsibility Centre (RC) Managers are responsible for monitoring card use, ensuring adherence to policies, and certifying acquisition card statements under Section 34 of the Financial Administration Act. The Materiel Management Directorate is responsible for providing initial certification prior to requesting payment from Finance Branch. The Directorate reviews the consolidated statement and ensures that it is supported by appropriate transaction documentation totalling the amount requested. Finally, the Finance Branch is responsible for performing payment authority under Section 33 of the Financial Administration Act.

5. Acquisition cards were approved for use in government departments and agencies in late 1991. As of March 31, 2008 there were a total of 1,394 Acquisition Cards in circulation at PWGSC. The combined National Capital Area and regional dollar usage from April 1, 2007 to March 31, 2008 was $22.5 million. This encompasses 62,625 transactions (see Appendix A - Breakdown of transactions by region for fiscal year 2007/2008). While the total number of acquisition cards in circulation is down 9 percent from fiscal year 2006/2007, the total number of transactions made increased by 10 percent and the total dollar value of transactions increased by 17 percent. Of the transactions made during the fiscal year, 43 percent were valued at $100 or less and 26 percent were made at office or stationary supply stores.

Focus of the Audit

6. The objective of this internal audit was twofold:

• To assess the adequacy of the management control framework for the use of acquisition cards; and
• To assess the level of compliance with PWGSC's policy and procedures for the administration, use, and monitoring of acquisition cards, and with the Treasury Board Policy on Acquisition Cards.

7. We examined all aspects related to the use of Bank of Montreal acquisition cards within PWGSC for the 2007/2008 fiscal year. This included the management of acquisition cards, the use of acquisition cards, and the adequacy of the controls exercised over the use of cards (such as spending limits and supervisory review and approval). The audit also examined whether the department could benefit from implementing a continuous monitoring process for acquisition cards.

8. We reviewed a total of 540 transactions from fiscal year 2007/2008. Of these, 144 transactions were selected randomly and 396 transactions were selected based on risk. Detailed testing was performed on 249 transactions to determine the quality of the verification and certification process for acquisition card use. We also verified that the transactions were supported by appropriate documentation. Tests conducted on this sample are referred to as "Detailed Testing" throughout the report. The remaining 291 transactions were chosen for specific tests (see paragraph 64 for more detail). We refer to this throughout the report as "Targeted Testing."

	Sampling		Total
	Random	Risk-based
Detailed Testing	144	105	249
Targeted Testing	0	291	291
Total	144	396	540

9. Appendix A provides a regional breakdown of the transactions reviewed for fiscal year 2007/2008. More information on the objectives, scope, approach and criteria can be found in the section, "About the Audit."

Observations

Management Control Framework

10. Control frameworks are tools that help management in overseeing operations. An effective control framework incorporates systems, processes and controls that are appropriate for the benefits and risks of a given activity. For example, an effective management control framework may include: policies and procedures, defined roles and responsibilities, monitoring and reporting, and risk assessments. The management control framework for acquisition cards should utilize these components to allow the prevention and detection of problems, reduce the risk that cards are not properly authorized or used, and ensure that corrective actions are taken.

The Departmental Policy addresses the key requirements of the TB Policy on Acquisition Cards, but it needs to be updated.

11. A departmental policy on acquisition cards provides guidance on the use of cards, encourages card use, and minimizes inadvertent misuse and card fraud. Policies are important as they inform and guide daily practice and ensure that employees are aware of their roles and responsibilities. We expected to find that PWGSC had developed a Departmental Policy (DP) on acquisition cards that makes reference to the economical, efficient, and secure usage of Departmental cards; that addresses TB requirements for acquisition cards; and that reflects current processes.

12. A comparison was completed between PWGSC DP 034 on Acquisition Cards (2005-10-14) and TB Policy on Acquisition Cards (1998-01-01). While no significant gaps or inconsistencies were identified, some differences were noted. The following TB requirements are not specifically reflected in the PWGSC Policy:

1. The card must not be used to obtain cash advances;
2. The card must not be used for inter-departmental transactions;
3. The acquisition card must not be used after the expiry date indicated on the card; and
4. The card must not be used for vehicle operating and maintenance expenses.

13. Although the first three items were not found to have occurred in our sample, we did find instances where the acquisition card was used for vehicle operating and maintenance expenses (see paragraphs 68 and 69 for more detail).

14. The departmental policy on Acquisition Cards was last updated in October 2005. DP 034 makes reference to the economical, efficient, and secure usage of acquisition cards and it sets guidelines to meet these expectations. The policy needs to be updated to reflect the department's April 1, 2008 migration to SIGMA, its new financial management and materiel management system.

Roles and responsibilities are clearly defined and documented in the policy and generally well understood.

15. To effectively implement policies and procedures it is critical that those responsible for the use, processing, and oversight of acquisition cards are fully aware of their roles and responsibilities. We expected that the Acquisition Card Coordinators, RC Managers, and cardholders received some form of education when they accepted responsibility for their position or received their card.

16. We interviewed the Departmental Acquisition Card Coordinator, the six Regional Acquisition Card Coordinators, 51 cardholders, and 33 RC Managers to determine their understanding of their roles and responsibilities with respect to acquisition cards. We found that they are generally aware of and understand their responsibilities outlined in DP 034. However, in practice, the application of these responsibilities differs between units, branches, and regions.

17. Departmental and Regional Acquisition Card Coordinators indicated that they had no specific training for their roles and responsibilities with respect to the acquisition card program. In regions such as Pacific, where turnover has been especially high for the position of Regional Acquisition Card Coordinator, the need for ongoing training of new incumbents is especially important.

18. As per the Departmental Policy, cardholders are required to read DP 034, which covers their roles and responsibilities, and sign the PWGSC Employee Acknowledgement of Responsibilities and Obligations Form prior to receiving their card. The appropriate Regional Acquisition Card Coordinator keeps original copies of these forms in the cardholder's file. However, coordinators do not review the policy with cardholders to ensure that they understand their responsibilities. Some cardholders mentioned that they would appreciate periodic reminders of their roles and responsibilities and guidelines on what constitutes appropriate card use.

19. We reviewed a total of 540 transactions for compliance to Departmental and TB policies and procedures (see Appendix A - Breakdown of transactions by region for fiscal year 2007/2008 for more detail). Although we found compliance to be high, in cases where there was non-compliance it was essentially a result of improper or inconsistent application of policy requirements pertaining to cardholder and RC Manager roles and responsibilities and restrictions imposed on acquisition cards. Details on observed non-compliance are included under the observation "Compliance with Policies and Procedures."

Monitoring was done, but not on a consistent basis.

20. The goal of monitoring is to assess the functioning and effectiveness of the acquisition card program and to take early and effective action where cases of non-compliance are detected. Ongoing monitoring of acquisition card transactions also allows for the identification of lessons learned and subsequent improvements to the process.

21. With respect to monitoring, we expected to find evidence of analytical reviews being conducted (i.e. patterns of card usage and frequency of card use), testing for inactive cards, detection of questionable purchases and testing of transactions for full compliance with DP 034 including:

• Monitoring, on a monthly basis, compliance with all aspects of the TB and departmental acquisition card policies by verifying that: transactions do not exceed the single $10,000 transaction limit, transactions are properly authorized, action is taken where unauthorized purchases are detected, and periodic verifications and monitoring of the acquisition card process are carried out; and
• Performing a review of financial files.

22. As part of the May 2007 report, the Auditor General conducted an Audit on the Use of Acquisition and Travel Cards. This audit identified best practices related to the control and monitoring of acquisition card transactions and outstanding travel card balances. One of these best practices is data mining - an analytic process that involves searching large volumes of data for trends and patterns (e.g. questionable vendors, split transactions, or transactions of unusual amounts or relationships). Therefore, in addition, we expected that the Departmental Acquisition Card Program would have given consideration to implementing some or all of the best practices recommended by the Auditor General such as data mining.

23. The Bank of Montreal Details Online system allows administrators to manage procurement programs, reconcile purchasing and expense transactions, and obtain detailed, customized reports. Although the system has many features to aid in the analysis of acquisition card usage by PWGSC, it does not track the history of cancelled cards.

24. Monitoring of acquisition card transactions is conducted at three levels within PWGSC - at the National level by the Departmental Acquisition Card Coordinator; the Regional level by the Regional Acquisition Card Coordinators; and by Finance Branch as part of their account verification process.

National Level Monitoring

25. National level monitoring of usage consists of the Departmental Acquisition Card Coordinator reviewing the list of transactions from the BMO system and manually choosing those that are deemed questionable (i.e. those transactions that were made at restaurants, hotels, for vehicle repairs, gas, etc.) An email is sent to the cardholder for an explanation of the selected purchase. No documentation is required to support their response. During fiscal year 2007/2008, there were 490 requests for justification sent by the Departmental Acquisition Card Coordinator. However, there does not appear to be any monitoring for contract splitting, duplicate transactions, or assessments as to whether or not card limits should be lowered or re-assessed based on spending patterns. With respect to monitoring inactive cards, the Departmental Acquisition Card Coordinator pulls a report from the Bank of Montreal's Details Online system once a year. If a card is inactive for one year, the Departmental Acquisition Card Coordinator will e-mail the cardholder to determine if he/she still requires a card.

26. Prior to 2005, yearly "audits" or "100 percent verification" of all cardholder transactions were carried out. This monitoring led to reports being produced that listed every transaction, along with deficiencies found, both by region and by branch (for the National Capital Area). These reports were sent to Regional Director Generals and Assistant Deputy Ministers/Chief Executive Officers for follow-up. Although the information in these reports appeared sufficient and appropriate, it was not consistent from year to year and region to region. Prior to 2005, the Departmental Acquisition Card Coordinator also prepared a comprehensive report that was submitted on a quarterly basis to the Chief Financial Officer.

27. We were informed that the "100 percent verifications" were suspended after fiscal year 2005/2006 in anticipation of SIGMA's implementation, but that there are plans to restart them in the 2009/2010 fiscal year in addition to the current manual monitoring process. Until a risk assessment is conducted, it is unclear as to which monitoring method, if either, is the most efficient and effective one to undertake.

Regional Level Monitoring

28. In addition to the monitoring done by the Departmental Acquisition Card Coordinator, some of the Regional Acquisition Card Coordinators do supplementary monitoring of the transactions that occur in their own regions. This supplementary monitoring involves the Regional Acquisition Card Coordinators manually selecting transactions from the Bank of Montreal system that appear to be questionable. Some of these transactions are ones that have already been selected by the Departmental Acquisition Card Coordinator and as such can result in duplication of efforts. The results of monitoring conducted by the Regional Acquisition Card Coordinators are sent to the Departmental Acquisition Card Coordinator for consolidation. The level of monitoring varies between Regions. As is the case at the national level, there does not appear to be any monitoring for contract splitting, duplicate transactions, or assessments as to whether or not card limits should be lowered to minimize loss in case of theft or loss of the card, or if limits should be assessed based on spending patterns. Until a risk assessment is conducted, it is unclear as to which of the aforementioned monitoring methods are the most efficient and effective ones to undertake. Additionally, to avoid duplication of efforts, it should be determined whether the National or the Regional Acquisition Card Coordinators should be taking on this role.

Finance Branch Monitoring

29. Additionally, the Quality Assurance and Shared Travel Services Initiative Directorate, Finance Branch performs a risk-based post-payment verification. The transactions verified are chosen by random sample and occasionally include acquisition card transactions. One hundred percent verification is done on transactions that are identified as potential critical errors (for example acquisition card transactions over $10,000).

Dealing with Misuse

30. Either the Departmental Acquisition Card Coordinator or the Regional Acquisition Card Coordinators can identify cases of misuse and abuse. There is no consistent manner in which Coordinators deal with these cases. Some Coordinators give verbal warnings, while others provide written ones. Some Regional Acquisition Card Coordinators suspend cards. When a Regional Acquisition Card Coordinator identifies the misuse, they collect data on the card misuse and the corrective actions taken and provide it to the Departmental Acquisition Card Coordinator.

31. In summary, monitoring over the functioning and effectiveness of the acquisition card program is not consistent between regions or year-to-year. In addition, monitoring does not appear to be coordinated at a National level or performed using a risk-based approach that analyzes questionable trends or patterns. A more coordinated and consistent approach for monitoring based on risk analysis would improve the efficiency and effectiveness of the monitoring process.

There is no formal risk assessment process.

32. A risk assessment is an assessment of risk exposure that is measured in terms of the likelihood and impact of the risk occurring. Based on this assessment, risks are ranked so that the highest-priority risks receive the greatest attention. Assessing risks with regards to acquisition cards helps key stakeholders have a better understanding of the types of challenges associated with the use of such cards, and help them develop mitigating strategies to manage these risks. We expected to find a risk assessment process in place at either a national or regional level.

33. We found that risks related to acquisition cards are not formally identified and assessed at a national or regional level. Some RC Managers had identified risks related to the use of acquisition cards, as well as mitigating responses to combat these risks within their directorates. The risks identified included loss and/or theft of card, sharing of the card with colleagues, and use of the card to make unauthorized purchases.

34. As previously mentioned, another way to mitigate risks associated with acquisition cards is to incorporate an ongoing monitoring system to track questionable trends or patterns and high-risk transactions. Monitoring activities should result in bringing all high risk non-compliance cases to the attention of the Acquisition Card Coordinator so that they can remind cardholders of the need to adhere to the policy requirements.

Compliance with Policies and Procedures

35. The use of acquisition cards is subject to the following key policies:

• The Public Works and Government Services Canada (PWGSC) Policy (DP) 034 on Acquisition Cards provides information on the use of acquisition cards, encourages card use, and minimizes inadvertent misuse and card fraud.
• The Treasury Board (TB) Policy on Acquisition Cards established a framework for providing a convenient and less burdensome method of procuring and paying for goods and services while ensuring effective financial control.
• The TB Policy on Acquisition Cards - Internet Transactions amends the TB Policy on Acquisition Cards to remove the previous restriction on using acquisition cards to make purchases on the Internet.
• The TB Policy on Account Verification ensures that accounts for payment and settlement are verified in a cost-effective and efficient manner while maintaining the required level of control.
• The TB Policy on Delegation of Authorities sets out the powers, duties and functions that may be delegated under the Financial Administration Act.

The Treasury Board Secretariat has also issued a guide, which outlines procedures for the use of acquisition cards.

Acquisition cards are generally being issued and distributed as set by TB and PWGSC policies, but improvements are needed.

36. A process must be in place to ensure acquisition cards are being issued, distributed and cancelled in accordance with policy. This includes monitoring the use of active cards and promptly cancelling cards when they are no longer required or a cardholder leaves the department. We expected to find a set process, consistent across all regions, for authorizing, issuing, distributing and cancelling cards.

37. Requesting cards is the responsibility of each individual RC Manager. This process is initiated by filling out PWGSC Form 191 - Acquisition Card Application. The form is then approved by the RC Manager who imposes monthly and/or single purchase transaction limits on the card and signs the form. The applications are forwarded to the appropriate Regional Acquisition Card Coordinator and a request is sent to the Bank of Montreal to issue a card. Prior to receiving their card, cardholders and their RC Manager must read DP 034 and sign the PWGSC Employee Acknowledgement of Responsibilities and Obligations Form and forward it to the appropriate Regional Acquisition Card Coordinator. After the form has been received, the Regional Acquisition Card Coordinator sends the cardholder their card. When a cardholder no longer requires their card, or leaves the Department, the card is returned to the Regional Acquisition Card Coordinator who destroys the card and informs the Departmental Acquisition Card Coordinator that the card is no longer active.

38. The departmental record of all active and cancelled cards was created at the start of the program and is continuously updated. However, it has no dates to indicate when a particular card became active or inactive. This information needs to be recorded because it is not captured in the Bank of Montreal system. It is therefore not possible to determine which employees had active cards as of a particular date or the reason the card was deactivated. In addition, a comparison was performed between the list of active cardholders maintained by the Departmental Acquisition Card Coordinator and the Bank of Montreal Details Online system. Among other minor discrepancies, we found that seven cards that were to have been cancelled in the regions were still shown as active in the Bank of Montreal's Details Online system. 358 cards were cancelled in total for the 2007-2008 fiscal year.

39. As previously noted, the RC Manager can impose monthly and single purchase limits on the cardholder via PWGSC Form 191 - Acquisition Card Application. As these limits are only recorded on the form once, but are changed many times over the years by the Regional Coordinator at the request of the RC Manager, we were not able to verify the correct card limit as of a specified date. Also, in the case of per purchase transaction limits, many of these limits have never been established. This removes the control that helps ensure that cardholders do not exceed the $10,000 single purchase limit imposed by DP 034 on purchases that are not against a standing offer.

40. We also found that once the card has been assigned to the cardholder, the Acquisition Card Coordinators and RC Managers do not review spending patterns from time-to-time to assess the adequacy of the set limits. As a precaution, credit limits should not be unnecessarily high, so as to minimize the cost and time involved in investigative and disciplinary measures in the case of theft or loss of the card. An analysis was done on the 183 cards that had credit limits of $50,000 or more during fiscal year 2007/2008. We found that of these cards, 170 had credit limits much greater than the expenditure pattern of the cardholder; this includes 39 cards that were never used during the fiscal year. For those 170 people, their average spending was equal to 4 percent of their monthly credit limit.

Acquisition card transactions generally comply with policies and procedures.

41. A procedure is a specified series of actions, acts or operations, which have to be executed in the same manner in order to always, obtain the same result under the same circumstances (i.e. compliance with the policies). We expected to find that cardholders follow prescribed procedures to ensure that all purchases made with their acquisition cards comply with both departmental and TB policies.

42. With respect to procedures, regions and business units have adopted their own processes. For example, some cardholders have adopted as a procedure to maintain their own files on site, while others send their files to their manager who works in another city or to an area of Finance Branch.

43. Compliance with policy requirements was assessed by reviewing a total of 540 transactions. The sampling methodology, details of the testing and results found, are as follows.

Sampling Selection

44. Appendix A outlines the breakdown of all departmental acquisition card transactions by region, and shows the dollar value of transactions, the percentage of the total transactions made by region, and the average dollar value of transactions by region for fiscal year 2007/2008.

45. We reviewed a total of 540 transactions. Detailed testing was performed on 249 transactions and targeted testing was performed on 291 transactions. Our findings are as follows.

	Sampling		Total
	Random	Risk-based
Detailed Testing	144	105	249
Targeted Testing	0	291	291
Total	144	396	540

Detailed Testing

46. We conducted detailed testing to determine the quality of the verification and certification process for acquisition card use and whether transactions were supported by appropriate documentation. We reviewed a total of 249 transactions, which comprised of both random and risk-based samples.

• Random Sample
  • Randomly Selected Transactions (144 transactions);
• Risk-based Sample
  • All Transactions over $10,000 (14 transactions); and
  • Two regions (Atlantic and Pacific) had been selected for site visits due to risks identified primarily by the Departmental Acquisition Card Coordinator such as high turnover of Regional Acquisition Card Coordinators and a higher volume of questionable transactions; therefore, additional transactions were chosen for review in these regions (91 transactions).

Adequate Supporting Documentation

47. We found that the method by which cardholders maintain their acquisition card files varies from unit to unit. Most cardholders maintained proper files that are organized by the acquisition card register as prescribed by DP 034 or a similar chart that was developed by the cardholder to better suit their needs and included signed copies, duly authorized under Section 34 of the Financial Administration Act, of their MILTON statement along with all relevant documentation. The results of our testing showed that 247 of the 249 transactions tested had appropriate supporting documentation (invoices, receipts, and/or packing slips) to support the transactions examined. It is important to note that although almost all of the transactions tested had supporting documentation, this did not mean that the transaction itself was compliant with the policy, as discussed below.

48. We found sufficient supporting documentation for all of the training and hospitality transactions that were part of our sample; however, 4 of the 12 training transactions were not supported by the signatures necessary for prior approval and 2 of the 6 hospitality transactions were not properly pre-approved, verified and certified.

Compliance with Departmental and TB Acquisition Card Policies

49. Additionally, we tested to ensure that all 249 transactions complied with all aspects of both departmental and TB policies. Of these transactions, 165 were fully compliant with all aspects of both policies. The remaining 84 were not fully compliant. This was due to a variety of reasons, some of which included the following: PST was charged and not subsequently reimbursed on the purchase, Section 34 was not signed by someone with appropriate delegated authority, the charge was for travel, the charge was for vehicle operating or maintenance expense, the transaction was over $10,000, there was no expenditure initiation (commitment) authority for training and hospitality transactions.

50. We selected 78 cardholders from our transactional samples and verified their signed PWGSC Employee Acknowledgement of Responsibilities and Obligations forms. We found that 74 of the sampled cardholders' forms were maintained on file by the appropriate Regional Acquisition Card Coordinator. The remaining 4 cardholders' forms could not be located. Subsequent to the examination phase, 2 of the 4 missing forms were located by the Departmental Acquisition Card Coordinator. Of the two remaining cardholders, one is no longer a PWGSC employee and the other was asked to submit a signed form.

Transactions over $10,000

51. As the control framework for acquisition cards relies on post-payment verification to ensure the appropriate payment of goods and services, our sample included 100 percent of purchases made that were over $10,000 (14 transactions). DP 034 states, "No one transaction can exceed the single purchase limit of $10,000. In the case of a Standing Offer call-up however, one must refer to the maximum call-up limit of the Standing Offer without exceeding the acquisition card credit limit." Ten individuals made the 14 transactions over $10,000. These transactions represented 1.27 percent of the total dollar value of acquisition card transactions undertaken at PWGSC in 2007/2008.

52. Of the 14 transactions that exceeded $10,000, 3 were against a Standing Offer and did not exceed the maximum call-up limit, thereby making them compliant with DP 034. Two of the 14 transactions occurred when a cardholder used the acquisition card as a payment tool to pay for existing contracts. The remaining 9, although they were legitimate purchases, were in contravention with DP 034.

53. Imposing single purchase limits is an essential control to ensure that purchases do not exceed the $10,000 threshold. Of the 10 cards used to make these 14 transactions, only three had a single purchase limit established. For these cards, the RC Manager called the Materiel Management Directorate at the time of purchase to temporarily remove the single purchase limit to allow the purchase to be made on the acquisition card. One of these cards had the limit removed to make a purchase against a Standing Offer and is not in contravention of the policy. However, by temporarily removing the limits on the two other cards and not establishing limits for the other seven cards, the RC Managers and Materiel Management Directorate removed the control that prevents the transactions from exceeding the $10,000 threshold putting them in contravention with DP 034.

Compliance with the Financial Administration Act

54. Key controls for acquisition cards are primarily based on the Financial Administration Act and associated TB policies. The Financial Administration Act requires that fundamental controls for procuring and paying for goods and services be respected. The processes of procuring, verifying and paying for a purchase involves the application of sections 32, 34, and 33 of the Financial Administration Act. These three certifications normally take place when a purchase is formally requisitioned and approved before being made and before the invoice is paid.

55. The findings specific to Sections 32, 34 and 33 of the Financial Administration Act are described below.

Expenditure Initiation - Section 32 Commitment Authority of the Financial Administration Act

56. Expenditure initiation is aligned with managerial, budgetary and operational responsibilities and is exercised when operational managers make a decision to obtain goods or services that will result in an expenditure of funds that will be charged against their budgets. This authority can only be exercised if sufficient funds are available in the budgets, so that the appropriated authority voted by Parliament is not exceeded. Traditionally this has meant that the RC Manager must pre-authorize each and every purchase that will be charged to his or her budget. As outlined in the Treasury Board Secretariat's Acquisition Cards Program Management Guide, "When using an acquisition card, it is recommended that the cardholder exercise this authority on behalf of the manager with the manager reviewing each transaction on a post purchase basis."

57. Expenditure initiation under Section 32 of the Financial Administration Act was not documented for 186 of the 249 transactions for which detailed transaction testing was conducted, a situation that weakens the management control framework for acquisition cards. Few purchases were supported by source documents such as e-mails or personal notes. Some acquisition card users confirmed to us that the manager gave approval verbally without being subsequently documented. It is important to note that 100 percent of the payments over $10,000 were supported by the necessary authorizations.

Transaction Certification - Section 34 of the Financial Administration Act

58. Account verification and Section 34 certification occurs when a person reviews a transaction to ensure that the goods or services were provided and that the price for the goods or services was the same as promised or expected (verification). A person with delegated financial authority signs the document to confirm that a review has been performed (certification). Together, both of these actions complete the requirement called "Section 34 certification and verification."

59. We found that 197 of the 249 transactions for which detailed transaction testing was conducted were subsequently verified and certified under Section 34 of the Financial Administration Act by individuals with the delegated authority for that particular responsibility centre during the time that the acquisition card purchase was made. The remaining transactions were not properly certified pursuant to Section 34 of the Financial Administration Act. The deviations found were because: the transactions were certified by employees who exercised financial authority that had not been delegated to them on the dates on which they performed the relevant certification; the transactions were not certified under Section 34; or the financial coding was missing which prevented us from verifying the Section 34 certification.

Payment Authorization - Section 33 of the Financial Administration Act

60. Section 33 relates to the need to ensure that a payment is authorised by an appropriate requisition, that it is a lawful charge against the budget, and is within the appropriation level.

61. As PWGSC employs a centralized billing system, the Bank of Montreal is paid before the controls for verifying and certifying transactions are exercised. The TB Policy on Account Verification permits departments to apply the account verification required by Section 34 after the central bill is paid, as long as the departments are satisfied that their preventive and detective controls are stringent enough to reduce or eliminate errors associated with acquisition cards.

62. The Quality Assurance and Shared Travel Services Initiative Directorate is responsible for providing assurance on the Section 34 account verification by conducting post-payment verifications on purchases that are considered:

• High risk - payments of $1 million or more, claims against the crown, ex-gratia payments, hospitality claims of $400 or more, and membership fees are subject to 100 percent post-payment audit;
• Medium risk - transactions of $25K or more are subject to sample post-payment audit; and
• Low risk - transactions not covered in the higher risk strata and all remaining transactions ranging from $1K to $25K are subject to post-payment audit.

While the Directorate does not specifically target acquisition card transactions, they are occasionally included in the sample if they meet the above criteria.

63. Although we did not test Section 33 approval on our sample, the process for Section 33 appears to be adequate. Several transactions that were chosen as part of our sample had been previously reviewed during the Quality Assurance and Shared Travel Services Initiative Directorate, Finance Branch, post-payment verification process (including transactions over $10,000).

Targeted Testing:

64. In addition to the detailed transaction testing, we conducted additional risk based tests. We reviewed a total of 291 transactions from the following risk-based samples:

• Possible Duplicate Payments (6 transactions)
• Possible Payment Splitting (15 transactions)
• Unusual Spending Patterns or Relationships (37 instances)
• Unusual Vendor Names including those that might be for vehicle operating and maintenance expenses (212 transactions)
• Travel Transactions (21 transactions)

The results of these tests are as follows.

Possible Duplicate Payments

65. A sample of six sets of transactions was selected for review because they appeared to be possible duplicate charges; that is, the purchases were made from the same vendor, on the same day, for the same amount by the same cardholder. None of the sets of transactions reviewed approached the $10,000 single purchase limit and all of the instances selected were over $1,000 since this poses a higher risk of loss to the department. After reviewing the transactions' supporting documentation, we determined that all of these instances were actual multiple orders and not duplicate charges to the account.

Possible Payment Splitting

66. A sample of 15 sets of transactions was selected for review because they appeared to be possible instances where payments were split to circumvent the $10,000 single purchase limit. After reviewing the transactions' supporting documentation, we determined that none of the transactions resulted in payment splitting. In these cases, multiple invoices for orders made on different occasions had been received on the same day.

Unusual Spending Patterns or Relationships

67. A sample of 37 cardholders was selected because their transactions indicated an unusual spending pattern when compared with the cardholder's normal spending behaviour. The patterns included: unusually high monthly totals, unusually high transaction totals, unusual period(s) of use, high spending at the end of the fiscal year, and combinations of these observations (e.g. a high spending card user in March whose only card activity is in March). A reasonableness test was applied, and of the 37 transactions we reviewed, none of the cases indicated any misuse or abuse.

Unusual Vendor Names

68. A sample of 212 transactions was selected based on vendor name. For example, names of possible restaurants, intergovernmental transfers, vehicle related, drug stores, jewellers, entertainment or gift stores, dry cleaning etc. were selected. Cardholders were contacted and asked to provide a description of the items purchased from the vendor.

69. Of the 212 transactions, 19 were found to be in direct contravention of departmental and TB policies and procedures. These included:

• Eleven transactions related to travel including hotels and meals while on travel status; and
• Eight purchases related to vehicle operating and maintenance expenses.

Travel Transactions

70. In addition to the sample of 212 transactions selected for unusual vendor names, a sample of 21 transactions was selected based on risk specifically because the vendor's name appeared to be hotels, transportation, or restaurants. Cardholders were asked to provide a description of the purchases made at these establishments. Eight of these transactions were in contravention to DP 034. For one of these transactions, the cardholder had not made the transaction. In this event, the card was compromised, the bank informed and the card cancelled prior to the audit being conducted. The department was not liable for this charge.

Rebates Received for Timely Payment

71. The contract with the Bank of Montreal offers a rebate program, payable directly to the Department. Rebates are based on how quickly the department pays the balance owing and are awarded as a percentage of the total amount paid.

72. PWGSC receives a consolidated statement from the Bank of Montreal that incorporates all the cardholder statements for the department. This combined statement enables PWGSC to make monthly payments to the Bank of Montreal. During the 2007/2008 fiscal year, the Department received a total of [ * ] in monthly rebates. If payments were made consistently within 4 days of the bill date each month, the Department would have received the maximum rebate awarded and therefore would have received an additional [ * ] in rebates for the 2007/2008 fiscal year. It was explained that there had been problems with the MILTON system and that once the new SIGMA system is running smoothly, payments should be made within the 4-day time frame.

Conclusions

73. The acquisition card program has a management control framework in place that relies heavily on post-payment verification and certification to ensure the proper authorization of card transactions.

74. The level of compliance with government and departmental policies and procedures for the administration, use, and monitoring of acquisition cards is high. Non-compliance with the policy appears to stem from a lack of knowledge and inconsistent application of the roles and responsibilities of those responsible for the use, processing, and oversight of acquisition cards as defined in DP 034.

75. As a result of our audit, we did not identify any losses or abuse of acquisition cards. However, as the use of acquisition cards increases, so do the risks that must be managed. Updating the departmental policy to reflect current processes and mitigation strategies would strengthen control over the use of acquisition cards. We found that no formal risk assessments have been conducted to help key stakeholders obtain an understanding of the challenges associated with the use of acquisition cards and develop mitigating strategies to manage these risks. For example, monitoring of usage could be improved by implementing a continuous electronic monitoring process using data-mining. This monitoring process could be used to identify trends or patterns, including questionable vendors, split transactions, or transactions of unusual amounts or relationships. In addition, monitoring could be performed for transactions that exceed the single purchase limit and for credit limits that are in excess of cardholders' needs.

Management Response

Management accepts the findings of the report as being fair and accurate representation of the department of the departmental acquisition card program during the audit period.

Corporate Services, Policy and Communications Branch (CSPCB) will act on the three recommendations identified in the audit by implementing the attached Management Action Plan.

Recommendations and Management Action Plan

Recommendation 1: The ADM, CSPCB should update Departmental Policy 034 on Acquisition Cards and should periodically communicate to stakeholders, and particularly Regional Acquisition Card Coordinators, Responsibility Centre Managers, and cardholders their roles and responsibilities and restrictions imposed on the use of acquisition cards.

Recommendation 2: The ADM, CSPCB should conduct a formal risk assessment on the Department's acquisition card program to assess risk exposure and rank risks so that the highest-priority risks receive the greatest attention.

Recommendation 3: With regards to monitoring, the ADM, CSPCB should

• implement a continuous department-wide risk-based electronic monitoring process using data-mining to identify trends or patterns including questionable vendors, split transactions, or transactions of unusual amounts or relationships; and
• regularly review single purchase limits and monthly credit limits for all acquisition cards in circulation to ensure limits are not in excess of cardholder needs and that inactive cards are cancelled promptly.

About the Audit

Authority

This audit was approved by the Audit and Evaluation Committee of Public Works and Government Services Canada as part of the 2008-2011 Risk-Based Multi-Year Audit and Evaluation Plan.

Objectives

The objective of this internal audit was twofold:

• To assess the adequacy of the management control framework for the use of acquisition cards; and
• To assess the level of compliance with PWGSC's policy and procedures for the administration, use, and monitoring of acquisition cards, and with the Treasury Board Policy on Acquisition Cards.

Scope and Approach

This audit was conducted from April 2008 to September 2008. The scope of the audit covered all aspects related to the use of acquisition cards within PWGSC for the 2007/2008 fiscal year. This included the management of acquisition cards, the transactions carried out, as well as the adequacy of the controls such as spending limits and supervisory review and approval over the use of cards. The audit also determined whether a continuous auditing process should be established for acquisition cards.

In 2007, the Auditor General assessed the role of PWGSC in providing overall direction and guidance on the acquisition card program. Therefore, this aspect of the program was not examined as part of this audit.

The audit was conducted in accordance with the Treasury Board (TB) Policy on Internal Audit and the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing.

Audit criteria were derived from the Treasury Board Policy on Acquisitions Card (1998-01-01), the Policy on Acquisition Cards-Internet Transactions (2001-04-09), the Policy on Account Verification (1994-10-01), the Policy on Delegation of Authorities (1994-10-01), and the Departmental Policy on Acquisitions Cards (DP 034 2005-10-14).

Pertinent processes and documentation were reviewed, interviews with relevant staff were conducted and detailed transaction testing of acquisition card transactions was completed.

Random sampling was performed on 144 transactions from all PWGSC Branches and Regions. This sample was randomly selected from the Bank of Montreal Details Online Database. The sample was selected from a total population of 62,625 acquisition card transactions from the 2007/2008 fiscal year assuming an expected rate of occurrence of 5 percent or less. Given the rate of occurrence, our results were within ± 4 percent at a confidence level of 95 percent. Detailed testing was performed on all statistically sampled transactions.

A total of 396 transactions were selected using risk-based sampling. These transactions were identified based on a risk analysis and analytical review of the total population of 62,625 acquisition card transactions.

Of the 396 transactions selected, 105 were subject to detailed testing based on risk. Detailed testing was performed on all 14 transactions over $10K and 91 transactions in the Atlantic and Pacific Regions. These regions were chosen for on-site visits because they were identified as having a higher occurrence of non-compliance with DP 034 by the Departmental Acquisition Card Coordinator. Additional cardholders were targeted for interview and review of transactions while on site. The remaining 291 transactions were deemed high risk and therefore subject to targeted testing (e.g. duplicate payments, payment splitting, unusual spending patterns or relationships, unusual vendor names, and travel related transactions).

	Sampling		Total
	Random	Risk-based
Detailed Testing	144	105	249
Targeted Testing	0	291	291
Total	144	396	540

When the targeted sample of transactions for testing was chosen, consideration was given to the: value of individual transactions; the nature of the transactions; and the type of business where the purchases were made.

Criteria

Objective 1: To assess the adequacy of the management control framework for the use of acquisition cards.

Objective 2: To assess the level of compliance with PWGSC's policy and procedures for the administration, use, and monitoring of acquisition cards, and with the Treasury Board Policy on Acquisition Cards.

Audit Work Completed

Audit fieldwork for this audit was substantially completed on September 12, 2008.

Audit Team

The audit was conducted by members of the Office of Audit and Evaluation overseen by the Director of Internal Audit and under the overall direction of the Chief Audit Executive, Office of Audit and Evaluation.

The engagement was reviewed by the Quality Assessment function of the Office of Audit and Evaluation.

Appendix A - Breakdown of transactions by region for fiscal year 2007/2008

Region	Transactions Made During Fiscal Year 2007/2008
	$ Value of Transactions	% of Total $ Value	# of Transactions	% of Total # of Transactions	Average $ Value of Transactions
Atlantic Region	$1,703,334.99	7.55%	6,148	9.82%	$277.06
Quebec Region	$1,948,118.41	8.63%	5,127	8.19%	$379.97
National Capital Area	$14,285,000.74	63.31%	37,615	60.06%	$379.77
Ontario Region	$683,121.06	3.03%	2,400	3.83%	$284.63
Western Region	$2,216,894.04	9.83%	5,821	9.30%	$380.84
Pacific Region	$1,727,170.21	7.65%	5,514	8.80%	$313.23
Total	$22,563,639.45	100%	62,625	100%	$360.30

Region	Transactions Tested for Audit
	# of Randomly Selected Transactions	# of Risk-based Transactions	Total # of Transactions Tested	% of Total # of Transactions Tested
Atlantic Region	16	94	110	20%
Quebec Region	11	2	13	2%
National Capital Area	73	205	278	51%
Ontario Region	8	2	10	2%
Western Region	22	4	26	5%
Pacific Region	14	89	103	19%
Total	144	396	540	100%