Core Control Audit

Office of the Comptroller General - June 2016

Why This Is Important

The Financial Administration Act designates deputy heads as accounting officers for their department or agency. As accounting officers, deputy heads are accountable for ensuring that resources are organized to deliver on departmental objectives in compliance with government policy and procedures.

Core control audits provide deputy heads with assurance regarding the effectiveness of core controls over financial management in their respective organizations. By doing so, core control audits inform deputy heads of their organization's level of compliance with requirements contained in selected financial legislation, policies and directives.

About the Office of the Communications Security Establishment Commissioner

The Office of the Communications Security Establishment Commissioner (OCSEC) was established in 1996. The Commissioner's mandate consists of three functions:

1. Reviewing the activities of the Communications Security Establishment (CSE) to determine whether they comply with the law;

2. Undertaking any investigation the Commissioner deems necessary in response to a written complaint about the CSE; and

3. Informing the Minister of National Defence and the Attorney General of Canada of any CSE activities that the Commissioner believes may not be in compliance with the law.

For Fiscal Year 2014-15, the OCSEC had human resources of 10.5 full-time equivalents.^{Note 1} In addition, the OCSEC had operating expenses of approximately $2.19 million, with salaries and employee benefits of $1.30 million and operating and maintenance (O&M) expenses of $890,000.^{Note 2}

Core Control Audit Objective and Scope

The objective of this audit was to ensure that core controls over financial management^{Note 3} within the OCSEC result in compliance with key requirements contained in the selected financial legislation, policies and directives.

The scope of this audit included financial transactions, records and processes conducted by the OCSEC. Transactions were selected from fiscal year 2014–15. The audit examined a sample of transactions for each of the selected policies and directives.

The Appendix provides a complete list of policies and directives included in the scope of the audit and the overall compliance in the areas tested. The scope of this audit included O&M expenses of approximately $435,000, which excludes accommodation and other rentals and amortization of capital assets. In assessing financial management governance, the audit determined whether: a budget was in place, adequately prepared and regularly updated; the organizational mandate and risks that may affect the organization were considered in the development of the budget; and the budget had been signed by the Chief Financial Officer and the Deputy Head.

Conformance with Professional Standards

This audit engagement conforms with the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program.

Audit Findings and Conclusion

Core controls over financial management regarding the transactions tested within the OCSEC resulted in partial compliance with the key requirements contained in five of the nine policies, directives^{Note 4} and corresponding legislation tested. The OCSEC was not in compliance with key requirements contained in the remaining four policies and directives tested.

Weaknesses were identified in the area of compliance with requirements specific to the Treasury Board Contracting Policy and in the broader compliance areas of documentation and approval for policies and directives tested.

Contracting^{Note 5}

Audit results for contracts issued under the Treasury Board Contracting Policy:

An appropriate procurement vehicle was not always chosen and used in compliance with its terms and conditions. In addition, a copy of each contract or call-up was not always retained on file and contract amendments were not properly justified and substantiated.

Audit results for contracts issued under the special authorities of the OCSEC:

An appropriate procurement vehicle was not always chosen and used in compliance with its terms and conditions. In addition, the individual approving contracts and amendments did not always have the appropriate delegated authority, and proactive disclosures of contracts over $10,000 were not posted on the OCSEC's website.

Documentation

With respect to financial management governance, there was no documented evidence to suggest that risks were considered in establishing the budget. In addition, there was no documented evidence to suggest that delegated authorities were reviewed on an annual basis. For acquisition cards, documentation to support approval, issuance, conditions of use, and cardholder acknowledgement of responsibilities was not retained on file. With respect to accountable advances, documentation was not provided to demonstrate that the appropriate authority had delegated the responsibility of the accountable advance fund to the fund custodian and that the fund custodian had accepted the associated responsibilities. For government travel, accommodations above the city rate limit were sometimes selected, with no justification on file. Furthermore, expenditure initiation was not always supported by complete documentation.

Approval

With respect to financial management governance, the budget was not formally approved by the Chief Financial Officer and the Deputy Head. Weaknesses were identified in the delegation of financial signing authorities, as signature specimen cards were not validated and approved by an appropriate authority and did not have an effective date. For acquisition cards, the cardholder completed the account verification of purchases made, which demonstrates a lack of segregation of duties.

Recommendations

The OCSEC should ensure that:

1. All signature cards are validated and approved by an appropriate authority and have an effective date; and delegated financial authorities undergo a formal, annual review and are updated, if deemed necessary;

2. The budget is signed by the Chief Financial Officer and the Deputy Head at the start of the fiscal year; and there is documented evidence that departmental risks were considered in the establishment of the budget;

3. Documentation is retained on file for acquisition cards to substantiate their issuance, approval, modification and conditions of use, as well as the acknowledgement of responsibilities by the acquisition cardholder;

4. Responsibility for the accountable advance fund is formally delegated by the Fund Centre Manager to the fund custodian, who should acknowledge related responsibilities in writing;

5. Business processes are improved and consistently performed in compliance with the Treasury Board Contracting Policy, and documentation is retained on file;

6. Business processes are improved and consistently performed in compliance with the National Joint Council Travel Directive, and documentation is retained on file;

7. Expenditure initiation is properly documented and commitments are established and entered into the financial system, at the value expected to be incurred; and

8. For acquisition cards, account verification is not performed by the cardholder.

Management Action Plan

The results of the audit and the management action plan have been discussed with the Deputy Head of the OCSEC and with the Small Departments Audit Committee. The Office of the Comptroller General of Canada will follow-up on the implementation of the management action plan.

Appendix: Policies and Directives Tested